alchemy_cms 7.2.7 → 7.2.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 670e0b2cd72ba2921ac426032c27d0cb6b04a43e9fe4ae89ea0c7e56f6278f6a
-  data.tar.gz: 161e0a7b47c9b769730158642d1aa534d0ac7ed3d0b0a15e52b59b8dc7d2866e
+  metadata.gz: ca577f0e46713ddcda567834a14df89269d469c463d40b9ef45a94cb75c51d5c
+  data.tar.gz: 7f2697e309ebf31067618f09c84f6b41811bc3ea3764047e2d9cbb4a69c9e5d3
 SHA512:
-  metadata.gz: f81138adc31691f995fe4ce4dde485cad775f97c29435f797d8884bac65a14f111332b4d34efedd1e392166a0de1935d9ddf09509ba8cfd5963e5977a39211b5
-  data.tar.gz: 14d5924f88dc2df9a6edd60af8b68ec8a35a6fd8e5d543b98b629bb8e822c3889756dde244ca48b8d12b5eba9d0916fec6caad1e5d43b3e4ef370b63cd8f0e5e
+  metadata.gz: f4060445469483578207a2e432bf9b63c4729e47eeb21ea6cc43a1019f677b2e699b531dcf3d56515c8ec599185e5ce2859d87ac12410cc7b600ffee344e1f1a
+  data.tar.gz: 364bd7003f899d43e2f3ee5023f62f8c49be6c572af6c2730f98ca612345e56f5656423ae0b950513c19028734fed908a398a4e5e52cdacfb198c0d7cd0de9cf

data/CHANGELOG.md

@@ -1,5 +1,20 @@
 # Changelog
 
+## 7.2.9 (2025-03-17)
+
+- [7.2-stable] Fix link dialog for links with url scheme mailto [#3205](https://github.com/AlchemyCMS/alchemy_cms/pull/3205) ([alchemycms-bot](https://github.com/alchemycms-bot))
+- [7.2-stable] CI: Use own script to check changes files [#3201](https://github.com/AlchemyCMS/alchemy_cms/pull/3201) ([tvdeyen](https://github.com/tvdeyen))
+- [7.2-stable] Add rel="noopener noreferrer" to external links [#3184](https://github.com/AlchemyCMS/alchemy_cms/pull/3184) ([alchemycms-bot](https://github.com/alchemycms-bot))
+
+## 7.2.8 (2025-01-24)
+
+- [7.2-stable] fix attribute sorting across Ruby versions [#3162](https://github.com/AlchemyCMS/alchemy_cms/pull/3162) ([alchemycms-bot](https://github.com/alchemycms-bot))
+- [7.2-stable] fix missing logger issue in github actions [#3157](https://github.com/AlchemyCMS/alchemy_cms/pull/3157) ([alchemycms-bot](https://github.com/alchemycms-bot))
+- [7.2-stable] CI: Set workflow permissions [#3142](https://github.com/AlchemyCMS/alchemy_cms/pull/3142) ([tvdeyen](https://github.com/tvdeyen))
+- [7.2-stable] Use safe redirect paths in admin redirects [#3136](https://github.com/AlchemyCMS/alchemy_cms/pull/3136) ([tvdeyen](https://github.com/tvdeyen))
+- [7.2-stable] CI: Run actions on ubuntu-22.04 [#3125](https://github.com/AlchemyCMS/alchemy_cms/pull/3125) ([tvdeyen](https://github.com/tvdeyen))
+- Fix tinymce fullscreen mode [#3101](https://github.com/AlchemyCMS/alchemy_cms/pull/3101) ([tvdeyen](https://github.com/tvdeyen))
+
 ## 7.2.7 (2024-10-15)
 
 - [7.2-stable] Fix filtering associated models by id [#3069](https://github.com/AlchemyCMS/alchemy_cms/pull/3069) ([tvdeyen](https://github.com/tvdeyen))

data/Gemfile

@@ -32,6 +32,13 @@ group :development, :test do
     if rails_version == "7.1"
       gem "actioncable", "~> #{rails_version}.0"
     end
+
+    # concurrent-ruby v1.3.5 has removed the dependency on logger,
+    # effecting Rails 6.1 up to including 7.0.
+    # https://github.com/rails/rails/pull/54264
+    if ("6.1".to_f.."7.0".to_f).cover?(rails_version.to_f)
+      gem "concurrent-ruby", "< 1.3.5"
+    end
   else
     gem "launchy"
     gem "annotate"
@@ -59,3 +66,5 @@ end
 gem "web-console", "~> 4.2", group: :development
 
 gem "rails_live_reload", "~> 0.3.5"
+
+gem "gem-release", "~> 2.2"

data/app/assets/stylesheets/alchemy/elements.scss

@@ -16,7 +16,7 @@
   }
 
   // Fix for Tinymce fullscreen window positioning issues (GH#1511)
-  .mce-fullscreen & {
+  .tox-fullscreen & {
     width: calc(100vw - #{$collapsed-main-menu-width - $default-border-width});
   }
 

data/app/components/alchemy/admin/link_dialog/internal_tab.rb

@@ -49,7 +49,8 @@ module Alchemy
         end
 
         def page_attributes
-          locale, urlname, _fragment = uri.path.match(PAGE_URL_PATTERN)&.captures
+          # uri.path might be nil if the protocol is mailto: or a similar scheme that cannot have paths
+          locale, urlname, _fragment = uri.path&.match(PAGE_URL_PATTERN)&.captures
 
           if locale && urlname.present?
             {language_code: locale, urlname: urlname}

data/app/components/alchemy/ingredients/link_view.rb

@@ -1,6 +1,8 @@
 module Alchemy
   module Ingredients
     class LinkView < BaseView
+      include LinkTarget
+
       attr_reader :link_text
 
       # @param ingredient [Alchemy::Ingredient]
@@ -12,7 +14,11 @@ module Alchemy
       end
 
       def call
-        link_to(link_text, value, {target: ingredient.link_target.presence}.merge(html_options)).html_safe
+        target = ingredient.link_target.presence
+        link_to(link_text, value, {
+          target: link_target_value(target),
+          rel: link_rel_value(target)
+        }.merge(html_options)).html_safe
       end
     end
   end

data/app/components/alchemy/ingredients/picture_view.rb

@@ -4,6 +4,8 @@ module Alchemy
   module Ingredients
     # Renders a picture ingredient view
     class PictureView < BaseView
+      include LinkTarget
+
       attr_reader :ingredient,
         :show_caption,
         :disable_link,
@@ -46,10 +48,11 @@ module Alchemy
         output = caption ? img_tag + caption : img_tag
 
         if is_linked?
+          target = ingredient.link_target.presence
           output = link_to(output, url_for(ingredient.link), {
             title: ingredient.link_title.presence,
-            target: (ingredient.link_target == "blank") ? "_blank" : nil,
-            data: {link_target: ingredient.link_target.presence}
+            rel: link_rel_value(target),
+            target: link_target_value(target)
           })
         end
 

data/app/components/alchemy/ingredients/text_view.rb

@@ -1,6 +1,8 @@
 module Alchemy
   module Ingredients
     class TextView < BaseView
+      include LinkTarget
+
       attr_reader :disable_link
 
       delegate :dom_id, :link, :link_title, :link_target,
@@ -21,7 +23,8 @@ module Alchemy
           link_to(value, url_for(link), {
             id: dom_id.presence,
             title: link_title,
-            target: link_target
+            target: link_target_value(link_target),
+            rel: link_rel_value(link_target)
           }.merge(html_options))
         end.html_safe
       end

data/app/components/concerns/alchemy/ingredients/link_target.rb

@@ -0,0 +1,18 @@
+module Alchemy
+  module Ingredients
+    module LinkTarget
+      BLANK_VALUE = "_blank"
+      REL_VALUE = "noopener noreferrer"
+
+      def link_rel_value(target)
+        if link_target_value(target) == BLANK_VALUE
+          REL_VALUE
+        end
+      end
+
+      def link_target_value(target)
+        (target == "blank") ? BLANK_VALUE : target
+      end
+    end
+  end
+end

data/app/controllers/alchemy/admin/base_controller.rb

@@ -31,6 +31,27 @@ module Alchemy
 
       private
 
+      def safe_redirect_path(path = params[:redirect_to], fallback: admin_path)
+        if is_safe_redirect_path?(path)
+          path
+        elsif is_safe_redirect_path?(fallback)
+          fallback
+        else
+          admin_path
+        end
+      end
+
+      def is_safe_redirect_path?(path)
+        mount_path = alchemy.root_path
+        path.to_s.match? %r{^#{mount_path}admin/}
+      end
+
+      def relative_referer_path(referer = request.referer)
+        return unless referer
+
+        URI(referer).path
+      end
+
       # Disable layout rendering for xhr requests.
       def set_layout
         (request.xhr? || turbo_frame_request?) ? false : "alchemy/admin"
@@ -106,13 +127,16 @@ module Alchemy
 
       # Does redirects for html and js requests
       #
+      # Makes sure that the redirect path is safe.
+      #
       def do_redirect_to(url_or_path)
+        redirect_path = safe_redirect_path(url_or_path)
         respond_to do |format|
           format.js {
-            @redirect_url = url_or_path
+            @redirect_url = redirect_path
             render :redirect
           }
-          format.html { redirect_to url_or_path }
+          format.html { redirect_to redirect_path }
         end
       end
 

data/app/controllers/alchemy/admin/languages_controller.rb

@@ -40,7 +40,7 @@ module Alchemy
       def switch
         @language = set_alchemy_language(params[:language_id])
         session[:alchemy_language_id] = @language.id
-        do_redirect_to request.referer || alchemy.admin_dashboard_path
+        do_redirect_to relative_referer_path || alchemy.admin_dashboard_path
       end
 
       private

data/app/controllers/alchemy/admin/pages_controller.rb

@@ -189,11 +189,7 @@ module Alchemy
       end
 
       def unlock_redirect_path
-        if params[:redirect_to].to_s.match?(/\A\/admin\/(layout_)?pages/)
-          params[:redirect_to]
-        else
-          admin_pages_path
-        end
+        safe_redirect_path(fallback: admin_pages_path)
       end
 
       # Sets the page public and updates the published_at attribute that is used as cache_key

data/app/controllers/alchemy/admin/resources_controller.rb

@@ -78,7 +78,7 @@ module Alchemy
           flash[:error] = resource_instance_variable.errors.full_messages.join(", ")
         end
         flash_notice_for_resource_action
-        do_redirect_to resource_url_proxy.url_for(search_filter_params.merge(action: "index"))
+        do_redirect_to resource_url_proxy.url_for(search_filter_params.merge(action: "index", only_path: true))
       end
 
       def resource_handler

data/app/models/concerns/alchemy/picture_thumbnails.rb

@@ -102,11 +102,10 @@ module Alchemy
 
     # Show image cropping link for ingredient
     def allow_image_cropping?
-      settings[:crop] && picture &&
-        picture.can_be_cropped_to?(
-          settings[:size],
-          settings[:upsample]
-        ) && !!picture.image_file
+      settings[:crop] && picture&.can_be_cropped_to?(
+        settings[:size],
+        settings[:upsample]
+      ) && !!picture.image_file
     end
 
     private

data/lib/alchemy/resource.rb

@@ -188,11 +188,21 @@ module Alchemy
       end
     end
 
+    # Returns a sorted array of attributes.
+    #
+    # Attribute called "name" comes first.
+    # Attribute called "updated_at" comes last.
+    # Boolean type attributes come after non-boolean attributes but before "updated_at".
+    #
     def sorted_attributes
-      @_sorted_attributes ||= attributes
-        .sort_by { |attr| (attr[:name] == "name") ? 0 : 1 }
-        .sort_by! { |attr| (attr[:type] == :boolean) ? 1 : 0 }
-        .sort_by! { |attr| (attr[:name] == "updated_at") ? 1 : 0 }
+      @_sorted_attributes ||= attributes.sort_by! do |attr|
+        [
+          (attr[:name] == "name") ? 0 : 1,
+          (attr[:name] == "updated_at") ? 3 : 2,
+          (attr[:type] == :boolean) ? 2 : 1,
+          attr[:name]
+        ]
+      end
     end
 
     def editable_attributes

data/lib/alchemy/version.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 module Alchemy
-  VERSION = "7.2.7"
+  VERSION = "7.2.9"
 
   def self.version
     VERSION

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: alchemy_cms
 version: !ruby/object:Gem::Version
-  version: 7.2.7
+  version: 7.2.9
 platform: ruby
 authors:
 - Thomas von Deyen
@@ -10,10 +10,9 @@ authors:
 - Hendrik Mans
 - Carsten Fregin
 - Martin Meyerhoff
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-10-15 00:00:00.000000000 Z
+date: 2025-03-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: actionmailer
@@ -807,6 +806,7 @@ files:
 - app/components/alchemy/ingredients/select_view.rb
 - app/components/alchemy/ingredients/text_view.rb
 - app/components/alchemy/ingredients/video_view.rb
+- app/components/concerns/alchemy/ingredients/link_target.rb
 - app/controllers/alchemy/admin/attachments_controller.rb
 - app/controllers/alchemy/admin/base_controller.rb
 - app/controllers/alchemy/admin/clipboard_controller.rb
@@ -1432,8 +1432,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements:
 - ImageMagick (libmagick), v6.6 or greater.
-rubygems_version: 3.5.16
-signing_key:
+rubygems_version: 3.6.5
 specification_version: 4
 summary: A powerful, userfriendly and flexible CMS for Rails
 test_files: []