alchemy_cms 8.1.12 → 8.1.14

data/app/controllers/alchemy/admin/pages_controller.rb

@@ -67,8 +67,8 @@ module Alchemy
       def tree
         @root_page = Alchemy::PageTreePreloader.new(
           page: @current_language.root_page,
-          user: current_alchemy_user,
-          admin_includes: true
+          ability: current_ability,
+          user: current_alchemy_user
         ).call
       end
 
@@ -180,8 +180,8 @@ module Alchemy
             if was_folded
               @page = PageTreePreloader.new(
                 page: @page,
-                user: current_alchemy_user,
-                admin_includes: true
+                ability: current_ability,
+                user: current_alchemy_user
               ).call
             else
               head 200

data/app/controllers/alchemy/api/pages_controller.rb

@@ -28,8 +28,14 @@ module Alchemy
     def nested
       @page = Page.find_by(id: params[:page_id]) || Language.current_root_page
 
-      # Preload the full tree from this page
-      preloaded_page = PageTreePreloader.new(page: @page, user: current_alchemy_user).call
+      authorize! :show, @page
+
+      # Preload the full tree from this page, scoped to what the user may see
+      preloaded_page = PageTreePreloader.new(
+        page: @page,
+        user: current_alchemy_user,
+        ability: current_ability
+      ).call
 
       render json: PageTreeSerializer.new(
         preloaded_page,

data/app/javascript/alchemy_admin/components/element_editor.js

@@ -250,7 +250,10 @@ export class ElementEditor extends HTMLElement {
    */
   setTitle(title) {
     const quote = this.querySelector(".element-header .preview_text_quote")
-    quote.textContent = title
+    // Fixed elements have no header, so there is no quote to update.
+    if (quote) {
+      quote.textContent = title
+    }
   }
 
   /**

data/app/javascript/alchemy_admin/components/remote_select.js

@@ -14,6 +14,12 @@ export class RemoteSelect extends AlchemyHTMLElement {
     url: { default: "" }
   }
 
+  // Select2 manages its own DOM after initialization, so attribute changes
+  // must not trigger the default re-render which would destroy the widget.
+  static get observedAttributes() {
+    return []
+  }
+
   async connected() {
     await setupSelectLocale()
 
@@ -34,6 +40,11 @@ export class RemoteSelect extends AlchemyHTMLElement {
    * @param {Event} event
    */
   onChange(event) {
+    // Update selection attribute so re-attaching the select2 component to
+    // the same input (e.g. after dragndrop) does not reset the selection.
+    if (event.added) {
+      this.setAttribute("selection", JSON.stringify(event.added))
+    }
     this.dispatchCustomEvent("RemoteSelect.Change", {
       removed: event.removed,
       added: event.added

data/app/serializers/alchemy/page_tree_serializer.rb

@@ -63,6 +63,12 @@ module Alchemy
     end
 
     def page_elements(page)
+      # Pages usually arrive wrapped in a PageTreePage delegator. Unwrap it so
+      # the ability matches the Alchemy::Page rules instead of the delegator
+      # class, while still supporting a plain Alchemy::Page being passed in.
+      authorized_page = page.try(:__getobj__) || page
+      return Alchemy::Element.none unless opts[:ability].can?(:read, authorized_page)
+
       elements = page.public_version&.elements || Alchemy::Element.none
       if opts[:elements] == "true"
         elements

data/app/services/alchemy/page_tree_preloader.rb

@@ -7,24 +7,24 @@ module Alchemy
   # It handles folded pages and preloads all necessary associations.
   #
   # @example Preload subtree from a specific page
-  #   preloader = Alchemy::PageTreePreloader.new(page: page, user: current_user)
+  #   preloader = Alchemy::PageTreePreloader.new(page: page, ability: current_ability, user: current_user)
   #   page_with_descendants = preloader.call
   #
   class PageTreePreloader
     # @param page [Page] Starting page for loading descendants
+    # @param ability [CanCan::Ability] Ability used to scope descendants to readable pages
     # @param user [User, nil] User for folding support
-    # @param admin_includes [Boolean] Whether to include admin-only associations like :locker
-    def initialize(page:, user: nil, admin_includes: false)
+    def initialize(page:, ability:, user: nil)
       @page = page
+      @ability = ability
       @user = user
-      @admin_includes = admin_includes
     end
 
     # Preloads and returns the page tree
     #
     # @return [Array<Page>] Pages with preloaded children, or array with single page when using from:
     def call
-      pages = page.self_and_descendants
+      pages = page.self_and_descendants.accessible_by(ability, :read)
       folded_page_ids = load_folded_page_ids
       if folded_page_ids.any?
         pages = pages.where(
@@ -45,7 +45,7 @@ module Alchemy
 
     private
 
-    attr_reader :page, :user, :admin_includes
+    attr_reader :page, :user, :ability
 
     # Load folded page IDs for the user
     def load_folded_page_ids
@@ -93,7 +93,9 @@ module Alchemy
         },
         :public_version
       ]
-      associations.push(:locker) if admin_includes
+      # The admin sitemap (and the serializer's admin fields) render lock info,
+      # so only eager-load the locker when the user may administer pages.
+      associations.push(:locker) if ability.can?(:index, :alchemy_admin_pages)
       associations
     end
   end

data/app/views/alchemy/admin/layoutpages/_layoutpage.html.erb

@@ -8,7 +8,7 @@
         <%= render_icon "file-edit", size: "xl" %>
       </sl-tooltip>
     <% else %>
-      <%= render_icon "file-edit", size: "xl" %>
+      <%= render_icon "file", size: "xl" %>
     <% end %>
     </div>
     <div class="sitemap_sitename without-status">

data/db/migrate/20251106150010_convert_select_value_for_multiple.rb

@@ -1,11 +1,18 @@
 class ConvertSelectValueForMultiple < ActiveRecord::Migration[7.1]
   def up
     say_with_time "Converting Alchemy::Ingredients::Select values to multiple" do
-      update <<-SQL.squish
-        UPDATE alchemy_ingredients
-        SET value = '["' || value || '"]'
-        WHERE type = 'Alchemy::Ingredients::Select' AND value NOT LIKE '["%"]';
-      SQL
+      Alchemy::Ingredients::Select
+        .where.not("value LIKE ?", '["%')
+        .update_all(
+          Arel.sql(
+            case ActiveRecord::Base.connection.adapter_name
+            when /mysql|mariadb/i
+              "value = CONCAT('[\"', value, '\"]')"
+            else
+              "value = '[\"' || value || '\"]'"
+            end
+          )
+        )
     end
   end
 end

data/lib/alchemy/cache_digests/template_tracker.rb

@@ -18,8 +18,6 @@ module Alchemy
         when /^alchemy\/page_layouts\/_(\w+)/
           page_definition = PageDefinition.get($1)
           page_definition.elements.map { "alchemy/elements/_#{_1}" }
-        when /^alchemy\/elements\/_(\w+)/
-          ingredient_types($1).map { "alchemy/ingredients/_#{_1.underscore}_view" }.tap(&:uniq!)
         else
           ActionView::DependencyTracker::ERBTracker.call(@name, @template)
         end

data/lib/alchemy/configuration/collection_option.rb

@@ -66,7 +66,7 @@ module Alchemy
       end
 
       def get_item_class(item_type)
-        "Alchemy::Configuration::#{item_type.to_s.classify}Option".constantize
+        "Alchemy::Configuration::#{item_type.to_s.camelcase}Option".constantize
       end
     end
   end

data/lib/alchemy/version.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 module Alchemy
-  VERSION = "8.1.12"
+  VERSION = "8.1.14"
 
   def self.version
     VERSION

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: alchemy_cms
 version: !ruby/object:Gem::Version
-  version: 8.1.12
+  version: 8.1.14
 platform: ruby
 authors:
 - Thomas von Deyen
@@ -1458,7 +1458,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements:
 - ImageMagick (libmagick), v6.6 or greater.
-rubygems_version: 4.0.6
+rubygems_version: 4.0.10
 specification_version: 4
 summary: A powerful, userfriendly and flexible CMS for Rails
 test_files: []