alchemy_cms 7.3.3 → 7.3.5

data/app/assets/stylesheets/alchemy/admin/image_library.scss

@@ -1,8 +1,3 @@
-$picture-overlay-handle-width: 24px;
-$image-overlay-form-width: 350px - $picture-overlay-handle-width;
-$image-overlay-transition-duration: $transition-duration;
-$image-overlay-transition-easing: ease-in;
-
 .alchemy-image-overlay {
   &.open {
     background-color: rgba(0, 0, 0, 0.6);
@@ -17,10 +12,21 @@ $image-overlay-transition-easing: ease-in;
   max-width: 100%;
 }
 
+.alchemy-image-overlay-container {
+  --picture-overlay-handle-width: 24px;
+  --image-overlay-form-width: calc(350px - var(--picture-overlay-handle-width));
+  --image-overlay-transition-duration: 250ms;
+  --image-overlay-transition-easing: ease-in;
+
+  &.open {
+    overflow: hidden;
+  }
+}
+
 .alchemy-image-overlay-dialog {
   &.hide-form {
     .picture-details-overlay {
-      right: -$image-overlay-form-width;
+      right: calc(-1 * var(--image-overlay-form-width));
     }
 
     .zoomed-picture-background {
@@ -28,11 +34,11 @@ $image-overlay-transition-easing: ease-in;
     }
 
     .alchemy-image-overlay-close {
-      right: $picture-overlay-handle-width + var(--spacing-2);
+      right: calc(var(--picture-overlay-handle-width) + var(--spacing-2));
     }
 
     .next-picture {
-      right: $picture-overlay-handle-width;
+      right: var(--picture-overlay-handle-width);
     }
 
     .picture-overlay-handle {
@@ -64,17 +70,18 @@ $image-overlay-transition-easing: ease-in;
   height: 32px;
   top: var(--spacing-2);
   right: calc(
-    var(--spacing-2) + #{$picture-overlay-handle-width} + #{$image-overlay-form-width}
+    var(--spacing-2) + var(--picture-overlay-handle-width) +
+      var(--image-overlay-form-width)
   );
   cursor: pointer;
-  transition: right $image-overlay-transition-duration
-    $image-overlay-transition-easing;
+  transition: right var(--image-overlay-transition-duration)
+    var(--image-overlay-transition-easing);
 
   .icon {
     font-size: 2em;
     color: var(--color-grey_light);
     text-shadow: 0 0 4px var(--color-text);
-    transition: color $image-overlay-transition-duration linear;
+    transition: color var(--image-overlay-transition-duration) linear;
 
     &:hover {
       color: var(--color-white);
@@ -88,13 +95,13 @@ $image-overlay-transition-easing: ease-in;
   top: 0;
   background-color: var(--color-grey_light);
   box-shadow: -2px 0 4px -2px var(--color-text);
-  transition: right $image-overlay-transition-duration
-    $image-overlay-transition-easing;
+  transition: right var(--image-overlay-transition-duration)
+    var(--image-overlay-transition-easing);
 }
 
 .picture-details-overlay {
   right: 0;
-  width: $image-overlay-form-width;
+  width: var(--image-overlay-form-width);
   height: 100%;
   padding: var(--spacing-2) var(--spacing-4) var(--spacing-2) var(--spacing-1);
   overflow: auto;
@@ -117,9 +124,9 @@ $image-overlay-transition-easing: ease-in;
 }
 
 .picture-overlay-handle {
-  width: $picture-overlay-handle-width;
+  width: var(--picture-overlay-handle-width);
   height: 100%;
-  right: $image-overlay-form-width;
+  right: var(--image-overlay-form-width);
   cursor: pointer;
 
   .icon {
@@ -129,8 +136,8 @@ $image-overlay-transition-easing: ease-in;
     transform: translate(-50%, -50%);
     font-size: 1.2em;
     color: var(--color-icon);
-    transition: transform $image-overlay-transition-duration
-      $image-overlay-transition-easing;
+    transition: transform var(--image-overlay-transition-duration)
+      var(--image-overlay-transition-easing);
   }
 
   &:hover {
@@ -143,15 +150,16 @@ $image-overlay-transition-easing: ease-in;
   height: 100%;
   padding-top: var(--spacing-2);
   padding-right: calc(
-    #{$image-overlay-form-width} + var(--spacing-2) + #{$picture-overlay-handle-width}
+    var(--image-overlay-form-width) + var(--spacing-2) +
+      var(--picture-overlay-handle-width)
   );
   padding-bottom: var(--spacing-2);
   padding-left: var(--spacing-2);
   margin: 0 auto;
   text-align: center;
   cursor: pointer;
-  transition: padding-right $image-overlay-transition-duration
-    $image-overlay-transition-easing;
+  transition: padding-right var(--image-overlay-transition-duration)
+    var(--image-overlay-transition-easing);
 
   &:before {
     content: "";
@@ -233,7 +241,7 @@ $image-overlay-transition-easing: ease-in;
     justify-content: center;
     align-items: center;
     text-decoration: none;
-    transition: background-color $image-overlay-transition-duration linear;
+    transition: background-color var(--image-overlay-transition-duration) linear;
 
     .icon {
       width: 32px;
@@ -246,16 +254,20 @@ $image-overlay-transition-easing: ease-in;
       background-color: rgba(0, 0, 0, 0.3);
 
       .icon {
-        transition: fill $image-overlay-transition-duration linear;
+        transition: fill var(--image-overlay-transition-duration) linear;
       }
     }
   }
 
+  .next-picture {
+    transition-property: background-color, right;
+  }
+
   .icon {
     --icon-size: 4em;
     fill: var(--color-grey_light);
     filter: drop-shadow(0 0 4px var(--color-icon));
-    transition: all $image-overlay-transition-duration linear;
+    transition: all var(--image-overlay-transition-duration) linear;
     vertical-align: middle;
   }
 
@@ -265,7 +277,9 @@ $image-overlay-transition-easing: ease-in;
   }
 
   .next-picture {
-    right: $image-overlay-form-width + $picture-overlay-handle-width;
+    right: calc(
+      var(--image-overlay-form-width) + var(--picture-overlay-handle-width)
+    );
     @include border-left-radius($default-border-radius);
   }
 }

data/app/controllers/alchemy/admin/base_controller.rb

@@ -31,6 +31,27 @@ module Alchemy
 
       private
 
+      def safe_redirect_path(path = params[:redirect_to], fallback: admin_path)
+        if is_safe_redirect_path?(path)
+          path
+        elsif is_safe_redirect_path?(fallback)
+          fallback
+        else
+          admin_path
+        end
+      end
+
+      def is_safe_redirect_path?(path)
+        mount_path = alchemy.root_path
+        path.to_s.match? %r{^#{mount_path}admin/}
+      end
+
+      def relative_referer_path(referer = request.referer)
+        return unless referer
+
+        URI(referer).path
+      end
+
       # Disable layout rendering for xhr requests.
       def set_layout
         (request.xhr? || turbo_frame_request?) ? false : "alchemy/admin"
@@ -105,15 +126,18 @@ module Alchemy
         end
       end
 
-      # Does redirects for html and js requests
+      # Does redirects for html, turbo_stream and js requests
+      #
+      # Makes sure that the redirect path is safe.
       #
       def do_redirect_to(url_or_path)
+        redirect_path = safe_redirect_path(url_or_path)
         respond_to do |format|
           format.js {
-            @redirect_url = url_or_path
+            @redirect_url = redirect_path
             render :redirect
           }
-          format.html { redirect_to url_or_path }
+          format.html { redirect_to redirect_path }
         end
       end
 

data/app/controllers/alchemy/admin/languages_controller.rb

@@ -40,7 +40,7 @@ module Alchemy
       def switch
         @language = set_alchemy_language(params[:language_id])
         session[:alchemy_language_id] = @language.id
-        do_redirect_to request.referer || alchemy.admin_dashboard_path
+        do_redirect_to relative_referer_path || alchemy.admin_dashboard_path
       end
 
       private

data/app/controllers/alchemy/admin/pages_controller.rb

@@ -189,11 +189,7 @@ module Alchemy
       end
 
       def unlock_redirect_path
-        if params[:redirect_to].to_s.match?(/\A\/admin\/(layout_)?pages/)
-          params[:redirect_to]
-        else
-          admin_pages_path
-        end
+        safe_redirect_path(fallback: admin_pages_path)
       end
 
       # Sets the page public and updates the published_at attribute that is used as cache_key

data/app/controllers/alchemy/admin/resources_controller.rb

@@ -78,7 +78,7 @@ module Alchemy
           flash[:error] = resource_instance_variable.errors.full_messages.join(", ")
         end
         flash_notice_for_resource_action
-        do_redirect_to resource_url_proxy.url_for(search_filter_params.merge(action: "index"))
+        do_redirect_to resource_url_proxy.url_for(search_filter_params.merge(action: "index", only_path: true))
       end
 
       def resource_handler

data/app/models/concerns/alchemy/picture_thumbnails.rb

@@ -102,11 +102,10 @@ module Alchemy
 
     # Show image cropping link for ingredient
     def allow_image_cropping?
-      settings[:crop] && picture &&
-        picture.can_be_cropped_to?(
-          settings[:size],
-          settings[:upsample]
-        ) && !!picture.image_file
+      settings[:crop] && picture&.can_be_cropped_to?(
+        settings[:size],
+        settings[:upsample]
+      ) && !!picture.image_file
     end
 
     private

data/app/views/alchemy/_menubar.html.erb

@@ -111,7 +111,7 @@
       </div>
     </template>
 
-    <script type="module">
+    <script type="module" data-turbo-eval="false">
       class Menubar extends HTMLElement {
         constructor() {
           super()

data/lib/alchemy/resource.rb

@@ -188,11 +188,21 @@ module Alchemy
       end
     end
 
+    # Returns a sorted array of attributes.
+    #
+    # Attribute called "name" comes first.
+    # Attribute called "updated_at" comes last.
+    # Boolean type attributes come after non-boolean attributes but before "updated_at".
+    #
     def sorted_attributes
-      @_sorted_attributes ||= attributes
-        .sort_by { |attr| (attr[:name] == "name") ? 0 : 1 }
-        .sort_by! { |attr| (attr[:type] == :boolean) ? 1 : 0 }
-        .sort_by! { |attr| (attr[:name] == "updated_at") ? 1 : 0 }
+      @_sorted_attributes ||= attributes.sort_by! do |attr|
+        [
+          (attr[:name] == "name") ? 0 : 1,
+          (attr[:name] == "updated_at") ? 3 : 2,
+          (attr[:type] == :boolean) ? 2 : 1,
+          attr[:name]
+        ]
+      end
     end
 
     def editable_attributes

data/lib/alchemy/version.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 module Alchemy
-  VERSION = "7.3.3"
+  VERSION = "7.3.5"
 
   def self.version
     VERSION