alchemy_cms 8.0.11 → 8.0.13

data/app/assets/builds/alchemy/preview.min.js

@@ -1 +1 @@
-window.Alchemy=Alchemy||{},Object.assign(Alchemy,{ElementSelector:{styles:{reset:{outline:"","outline-offset":"",cursor:""},hover:{outline:"2px dashed #f0b437","outline-offset":"4px",cursor:"pointer"},selected:{outline:"2px dashed #90b9d0","outline-offset":"4px"}},init(){window.addEventListener("message",(e=>{switch(e.data.message){case"Alchemy.blurElements":this.blurElements();break;case"Alchemy.focusElement":this.focusElement(e.data);break;default:console.info("Received unknown message!",e.data)}})),this.elements=Array.from(document.querySelectorAll("[data-alchemy-element]")),this.elements.forEach((e=>{e.addEventListener("mouseover",(()=>{e.classList.contains("selected")||Object.assign(e.style,this.getStyle("hover"))})),e.addEventListener("mouseout",(()=>{e.classList.contains("selected")||Object.assign(e.style,this.getStyle("reset"))})),e.addEventListener("click",(t=>{t.stopPropagation(),t.preventDefault(),this.selectElement(e),this.focusElementEditor(e)}))}))},selectElement(e){this.blurElements(e),e.classList.add("selected"),Object.assign(e.style,this.getStyle("selected")),e.scrollIntoView({behavior:"smooth",block:"start"})},blurElements(e){this.elements.forEach((t=>{t!==e&&(t.classList.remove("selected"),Object.assign(t.style,this.getStyle("reset")))}))},focusElement(e){const t=this.getElement(e.element_id);return t?this.selectElement(t):console.warn("Could not focus element with id",e.element_id)},getElement(e){return this.elements.find((t=>t.dataset.alchemyElement===e.toString()))},focusElementEditor(e){const t=e.dataset.alchemyElement;window.parent.postMessage({message:"Alchemy.focusElementEditor",element_id:t},window.location.origin)},getStyle(e){return"reset"===e?this.styles.reset:this.styles[e]}}}),Alchemy.ElementSelector.init();
+window.Alchemy=Alchemy||{},Object.assign(Alchemy,{ElementSelector:{styles:{reset:{outline:"","outline-offset":"",cursor:""},hover:{outline:"2px dashed #f0b437","outline-offset":"4px",cursor:"pointer"},selected:{outline:"2px dashed #90b9d0","outline-offset":"4px"}},init(){window.addEventListener("message",(e=>{switch(e.data.message){case"Alchemy.blurElements":this.blurElements();break;case"Alchemy.focusElement":this.focusElement(e.data);break;default:console.info("Received unknown message!",e.data)}})),this.elements=Array.from(document.querySelectorAll("[data-alchemy-element]")),this.elements.forEach((e=>{e.addEventListener("mouseover",(()=>{e.classList.contains("selected")||Object.assign(e.style,this.getStyle("hover"))})),e.addEventListener("mouseout",(()=>{e.classList.contains("selected")||Object.assign(e.style,this.getStyle("reset"))})),e.addEventListener("click",(t=>{t.stopPropagation(),t.preventDefault(),this.selectElement(e),this.focusElementEditor(e)}))}))},selectElement(e){this.blurElements(e),e.classList.add("selected"),Object.assign(e.style,this.getStyle("selected")),e.scrollIntoView({behavior:"smooth",block:"start"})},blurElements(e){this.elements.forEach((t=>{t!==e&&(t.classList.remove("selected"),Object.assign(t.style,this.getStyle("reset")))}))},focusElement(e){const t=this.getElement(e.element_id);return t?this.selectElement(t):console.warn("Could not focus element with id",e.element_id)},getElement(e){return this.elements.find((t=>t.dataset.alchemyElement===e.toString()))},focusElementEditor(e){const t=e.dataset.alchemyElement;window.parent.postMessage({message:"Alchemy.focusElementEditor",element_id:t},window.location.origin)},getStyle(e){return"reset"===e?this.styles.reset:this.styles[e]}}}),Alchemy.ElementSelector.init(),window.parent.postMessage({message:"Alchemy.previewReady"},window.location.origin);

data/app/controllers/alchemy/admin/attachments_controller.rb

@@ -41,6 +41,15 @@ module Alchemy
           .page(params[:page] || 1)
           .per(items_per_page)
 
+        # Preload deletable ids for the current page in a single query so the
+        # view can decide which delete buttons to enable without calling
+        # +deletable?+ (a two-query check) per row. We pass the already-loaded
+        # ids (via +map(&:id)+) rather than the relation itself, because passing
+        # a paginated relation produces +IN (SELECT ... LIMIT n)+, which older
+        # MariaDB versions reject.
+        @deletable_attachment_ids =
+          Attachment.where(id: @attachments.map(&:id)).deletable.pluck(:id).to_set
+
         if in_overlay?
           archive_overlay
         end

data/app/controllers/alchemy/admin/pictures_controller.rb

@@ -10,6 +10,8 @@ module Alchemy
 
       helper "alchemy/admin/tags"
 
+      before_action :load_pictures, only: :index
+
       before_action :load_resource,
         only: [:edit, :update, :url, :destroy]
 
@@ -21,6 +23,12 @@ module Alchemy
         @picture = Picture.find(params[:id])
       end
 
+      # Preload deletable ids for the current page (index) or the current
+      # resource (update, which re-renders the +_picture+ partial via a
+      # turbo stream). One query replaces the per-row +deletable?+ check
+      # that would otherwise fire for every picture the view renders.
+      before_action :load_deletable_picture_ids, only: [:index, :update]
+
       add_alchemy_filter :by_file_format, type: :select, options: ->(query) do
         Alchemy::Picture.file_formats(query.result)
       end
@@ -32,8 +40,6 @@ module Alchemy
       helper_method :picture_offset
 
       def index
-        @pictures = filtered_pictures(page: params[:page])
-
         if in_overlay?
           archive_overlay
         end
@@ -162,6 +168,21 @@ module Alchemy
 
       private
 
+      def load_pictures
+        @pictures = filtered_pictures(page: params[:page])
+      end
+
+      # Preload deletable ids in a single query so the view can decide which
+      # delete buttons to enable without calling +deletable?+ (a two-query
+      # check) per row. We pass already-loaded ids (via +map(&:id)+) rather
+      # than the relation itself, because passing a paginated relation
+      # produces +IN (SELECT ... LIMIT n)+, which older MariaDB versions
+      # reject.
+      def load_deletable_picture_ids
+        ids = @pictures ? @pictures.map(&:id) : [@picture.id]
+        @deletable_picture_ids = Picture.where(id: ids).deletable.pluck(:id).to_set
+      end
+
       def picture_offset
         ((params[:page] || 1).to_i - 1) * items_per_page
       end

data/app/models/alchemy/attachment.rb

@@ -40,6 +40,25 @@ module Alchemy
     scope :recent, -> { where("#{table_name}.created_at > ?", Time.current - 24.hours).order(:created_at) }
     scope :without_tag, -> { left_outer_joins(:taggings).where(gutentag_taggings: {id: nil}) }
 
+    # Override +Alchemy::RelatableResource#deletable+ to also exclude
+    # attachments referenced from +/attachment/:id/download+ URLs inside
+    # ingredient values (e.g. Richtext markup, Link ingredients, raw Html).
+    # Those URLs are written by the file tab of the link dialog and are
+    # not tracked via the polymorphic +related_object+ association, so the
+    # base scope cannot see them.
+    #
+    # Extracts referenced attachment IDs from ingredient values via Ruby
+    # regex to stay database-agnostic.
+    scope :deletable, -> do
+      referenced_ids = Alchemy::Ingredient
+        .where("value LIKE '%/attachment/%/download%'")
+        .pluck(:value)
+        .flat_map { |v| v.scan(%r{/attachment/(\d+)/download}).flatten.map(&:to_i) }
+
+      scope = where("#{table_name}.id NOT IN (#{RelatableResource::RELATED_INGREDIENTS_SUBQUERY})", type: name)
+      referenced_ids.any? ? scope.where.not(id: referenced_ids) : scope
+    end
+
     # We need to define this method here to have it available in the validations below.
     class << self
       # The class used to generate URLs for attachments
@@ -112,6 +131,13 @@ module Alchemy
       CGI.escape(file_name.gsub(/\.#{extension}$/, "").tr(".", " "))
     end
 
+    # Override +Alchemy::RelatableResource#deletable?+ to also consider
+    # +/attachment/:id/download+ links inside ingredient values (e.g.
+    # Richtext markup, Link ingredients, raw Html).
+    def deletable?
+      super && !referenced_in_ingredient_value?
+    end
+
     # Checks if the attachment is restricted, because it is attached on restricted pages only
     def restricted?
       pages.any? && pages.not_restricted.blank?
@@ -178,6 +204,12 @@ module Alchemy
       end
     end
 
+    def referenced_in_ingredient_value?
+      Alchemy::Ingredient
+        .where("value LIKE ?", "%/attachment/#{id}/download%")
+        .exists?
+    end
+
     def set_name
       self.name ||= convert_to_humanized_name(file_name, extension)
     end

data/app/models/concerns/alchemy/relatable_resource.rb

@@ -2,12 +2,22 @@ module Alchemy
   module RelatableResource
     extend ActiveSupport::Concern
 
+    # SQL subquery selecting +related_object_id+ values for ingredients that
+    # reference a given polymorphic type. Intended to be composed into a
+    # +NOT IN (...)+ clause by +deletable+ and any overrides in including
+    # classes. Takes one named bind :type - the polymorphic type name,
+    # typically the class name of the including model
+    # (e.g. +"Alchemy::Attachment"+).
+    RELATED_INGREDIENTS_SUBQUERY = <<~SQL.squish
+      SELECT related_object_id
+      FROM alchemy_ingredients
+      WHERE related_object_id IS NOT NULL
+        AND related_object_type = :type
+    SQL
+
     included do
       scope :deletable, -> do
-        where(
-          "#{table_name}.id NOT IN (SELECT related_object_id FROM alchemy_ingredients WHERE related_object_id IS NOT NULL AND related_object_type = ?)",
-          name
-        )
+        where("#{table_name}.id NOT IN (#{RELATED_INGREDIENTS_SUBQUERY})", type: name)
       end
 
       has_many :related_ingredients,

data/app/stylesheets/alchemy/admin/notices.scss

@@ -74,6 +74,15 @@ alchemy-message {
     margin-top: 0;
   }
 
+  h1,
+  h2,
+  h3,
+  p {
+    &:last-child {
+      margin-bottom: 0;
+    }
+  }
+
   a[href] {
     text-decoration-color: inherit;
     text-decoration-thickness: 1px;

data/app/views/alchemy/admin/attachments/_files_list.html.erb

@@ -61,7 +61,7 @@
         file_attribute: 'file' %>
     <% end %>
     <% table.with_action(:destroy) do |attachment| %>
-      <% if attachment.deletable? %>
+      <% if @deletable_attachment_ids.include?(attachment.id) %>
         <sl-tooltip content="<%= Alchemy.t(:delete_file) %>">
           <%= link_to_confirm_dialog render_icon(:minus),
             Alchemy.t(:confirm_to_delete_file),

data/app/views/alchemy/admin/pages/_table.html.erb

@@ -6,7 +6,7 @@
           <%= render_icon "file-edit", size: "xl" %>
         </sl-tooltip>
       <% else %>
-        <%= render_icon "file-edit", size: "xl" %>
+        <%= render_icon "file", size: "xl" %>
       <% end %>
     <% else %>
       <sl-tooltip class="like-hint-tooltip" content="<%= Alchemy.t("Your user role does not allow you to edit this page") %>" placement="bottom-start">

data/app/views/alchemy/admin/pictures/_picture.html.erb

@@ -2,7 +2,7 @@
   <span class="picture_tool select">
     <%= check_box_tag "picture_ids[]", picture.id %>
   </span>
-  <% if picture.deletable? && can?(:destroy, picture) %>
+  <% if @deletable_picture_ids.include?(picture.id) && can?(:destroy, picture) %>
   <div class="picture_tool delete">
     <sl-tooltip content="<%= Alchemy.t('Delete image') %>">
       <%= link_to_confirm_dialog(

data/lib/alchemy/configuration.rb

@@ -67,6 +67,8 @@ module Alchemy
       ).to_h
     end
 
+    delegate :to_json, to: :to_h
+
     class << self
       def defined_configurations = []
 

data/lib/alchemy/version.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 module Alchemy
-  VERSION = "8.0.11"
+  VERSION = "8.0.13"
 
   def self.version
     VERSION

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: alchemy_cms
 version: !ruby/object:Gem::Version
-  version: 8.0.11
+  version: 8.0.13
 platform: ruby
 authors:
 - Thomas von Deyen