alchemy_cms 7.4.14 → 7.4.15

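--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 077c54f0dbbd27c0de4c42ba39eb7c3aa79309c6dfff2f22db2c4dbbd6c4ba77
- data.tar.gz: 3e07a946b0692a2b93e9d175fe33c1933604228c60f541d753e37849eab452b1
+ metadata.gz: 820ced84f65c22ce14dcf2d399bb78fb7463bc311d56ebec29b9106d9b168eb8
+ data.tar.gz: 6760e300fe2497a33e1a657cb6792dcd535343ddedb6897831f18569a6ea2b49
  SHA512:
- metadata.gz: bfaaa49962d68073188b6d2a384babc691e087d7ba5554f0362809f273ac61a72ee6ca9b3aad8e14551847f7a046ef6328def9e506aaee909e3a910f0a9aebfa
- data.tar.gz: 0acfea518110808170b2d3d3d01ec03f0e1eddf7ff52a5ab3331572471b0618087e84dafb66f0393bb43e6c15f54f549b1a312f0bdb26ff9002d5d72fcbeb543
+ metadata.gz: 2862492de3c1bc9c3e4bf30a7a6127af4dcd8eb11f02914806469f0c22de6936b8b2ba5cda736737f98de0ec7c950e0d3042dec785befe69018130bd118e6767
+ data.tar.gz: 73f531a006df56e276c378765346e537f216f7a4ed7ca641e3520ac12f5bf56cdc980a27c1872ce581c6dd50d3bc323a2bdb76baeca0742ce1c5456afabb7805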
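--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,5 +1,14 @@
  # Changelog
 
+ ## 7.4.15 (2026-06-18)
+
+ ## What's Changed
+ * [7.4] Fix double form submission in picture overlay by @tvdeyen in https://github.com/AlchemyCMS/alchemy_cms/pull/3825
+ * [7.4] fix(api): authorize nested pages endpoint against restricted content by @tvdeyen in https://github.com/AlchemyCMS/alchemy_cms/pull/3983
+
+
+ **Full Changelog**: https://github.com/AlchemyCMS/alchemy_cms/compare/v7.4.14...v7.4.15
+
  ## 7.4.14 (2026-03-26)
 
  ## What's Changed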
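--- a/data/Gemfile
+++ b/data/Gemfile
@@ -16,6 +16,7 @@ end
  gem "pg", "~> 1.0" if ENV["DB"] == "postgresql"
 
  gem "alchemy_i18n", git: "https://github.com/AlchemyCMS/alchemy_i18n.git", branch: "4.2-stable"
+ gem "i18n", "< 1.15" # >= 1.15 needs Ruby 3.2, but we still support Ruby 3.1
 
  group :development, :test do
  gem "execjs", "~> 2.9.1"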
@@ -28,6 +28,8 @@ module Alchemy
28
28
  def nested
29
29
  @page = Page.find_by(id: params[:page_id]) || Language.current_root_page
30
30
 
31
+ authorize! :show, @page
32
+
31
33
  render json: PageTreeSerializer.new(
32
34
  @page,
33
35
  ability: current_ability,
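Review bot: The added `authorize! :show, @page` in `nested` gates on `:show`, while the serializer hunks further down filter with `:read` (`accessible_by(opts[:ability], :read)` and `can?(:read, page)`). Under CanCanCan's default aliases a `:read` rule also grants `:show`, so the two agree only while page rules are declared under `:read`; `authorize! :read, @page` would keep the gate and the filter on one action. `@page` is nil if `page_id` matches nothing and `Language.current_root_page` returns nil, which presumably ends in an access-denied error here; a request spec for that case and for a restricted `page_id` would pin the fail-closed behaviour. The `render` call continues outside the hunk.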
@@ -9,7 +9,21 @@ module Alchemy
9
9
  def pages
10
10
  tree = []
11
11
  path = [{id: object.parent_id, children: tree}]
12
- page_list = object.self_and_descendants.includes(:public_version, {language: :site})
12
+ page_list = object.self_and_descendants
13
+ .accessible_by(opts[:ability], :read)
14
+ .includes(:public_version, {language: :site})
15
+ .to_a
16
+ # Drop pages whose parent was filtered out by the ability, so a
17
+ # restricted or unpublished branch does not leak its accessible
18
+ # descendants. self_and_descendants is ordered pre-order, so a parent
19
+ # always precedes its children and a single pass is sufficient.
20
+ kept_ids = Set.new([object.id])
21
+ page_list = page_list.select do |page|
22
+ next true if page.id == object.id
23
+ kept_ids.include?(page.parent_id).tap do |kept|
24
+ kept_ids << page.id if kept
25
+ end
26
+ end
13
27
  base_level = object.level - 1
14
28
  # Load folded pages in advance
15
29
  folded_user_pages = FoldedPage.folded_for_user(opts[:user]).pluck(:page_id)
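Review bot: `kept_ids` is seeded with `object.id` unconditionally, so when the root itself was removed by `accessible_by` its readable children still pass the `select`, which is the leak the added comment says this pass prevents. The visible `nested` action authorizes the root first, but any other caller of the serializer (not visible here) would not be covered; seeding from the filtered list closes it: `kept_ids = Set.new([object.id] & page_list.map(&:id))`. Both this hunk and the `page_elements` guard in the next hunk now call methods on `opts[:ability]`, so the option is effectively required and worth documenting on the class, e.g. `# opts[:ability] is required; pages and elements are filtered with :read`. The rest of `pages` lies outside the hunk, so how it handles an empty `page_list` should be checked.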
@@ -83,6 +97,8 @@ module Alchemy
83
97
  end
84
98
 
85
99
  def page_elements(page)
100
+ return Alchemy::Element.none unless opts[:ability].can?(:read, page)
101
+
86
102
  elements = page.public_version&.elements || Alchemy::Element.none
87
103
  if opts[:elements] == "true"
88
104
  elements
@@ -1,5 +1,5 @@
1
1
  <%= turbo_frame_tag(@picture) do %>
2
- <%= alchemy_form_for [alchemy, :admin, @picture] do |f| %>
2
+ <%= alchemy_form_for [alchemy, :admin, @picture], remote: false do |f| %>
3
3
  <%= f.input :name %>
4
4
  <%= render "alchemy/admin/pictures/picture_description_field", f: f %>
5
5
  <%= render Alchemy::Admin::TagsAutocomplete.new(additional_class: "input") do %>
@@ -1,7 +1,7 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module Alchemy
4
- VERSION = "7.4.14"
4
+ VERSION = "7.4.15"
5
5
 
6
6
  def self.version
7
7
  VERSION
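--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
  --- !ruby/object:Gem::Specification
  name: alchemy_cms
  version: !ruby/object:Gem::Version
- version: 7.4.14
+ version: 7.4.15
  platform: ruby
  authors:
  - Thomas von Deyen
@@ -1409,7 +1409,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  version: '0'
  requirements:
  - ImageMagick (libmagick), v6.6 or greater.
- rubygems_version: 4.0.6
+ rubygems_version: 4.0.10
  specification_version: 4
  summary: A powerful, userfriendly and flexible CMS for Rails
  test_files: []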