alchemy_cms 8.2.1 → 8.2.3

data/app/controllers/alchemy/admin/attachments_controller.rb

@@ -39,6 +39,15 @@ module Alchemy
           .page(params[:page] || 1)
           .per(items_per_page)
 
+        # Preload deletable ids for the current page in a single query so the
+        # view can decide which delete buttons to enable without calling
+        # +deletable?+ (a two-query check) per row. We pass the already-loaded
+        # ids (via +map(&:id)+) rather than the relation itself, because passing
+        # a paginated relation produces +IN (SELECT ... LIMIT n)+, which older
+        # MariaDB versions reject.
+        @deletable_attachment_ids =
+          Attachment.where(id: @attachments.map(&:id)).deletable.pluck(:id).to_set
+
         if in_overlay?
           archive_overlay
         end

data/app/controllers/alchemy/admin/pictures_controller.rb

@@ -8,6 +8,8 @@ module Alchemy
       include CurrentLanguage
       include PictureDescriptionsFormHelper
 
+      before_action :load_pictures, only: :index
+
       before_action :load_resource,
         only: [:edit, :update, :url, :destroy]
 
@@ -19,6 +21,12 @@ module Alchemy
         @picture = Picture.find(params[:id])
       end
 
+      # Preload deletable ids for the current page (index) or the current
+      # resource (update, which re-renders the +_picture+ partial via a
+      # turbo stream). One query replaces the per-row +deletable?+ check
+      # that would otherwise fire for every picture the view renders.
+      before_action :load_deletable_picture_ids, only: [:index, :update]
+
       add_alchemy_filter :by_file_format, type: :select, options: ->(query) do
         Alchemy::Picture.file_formats(query.result)
       end
@@ -30,8 +38,6 @@ module Alchemy
       helper_method :picture_offset
 
       def index
-        @pictures = filtered_pictures(page: params[:page])
-
         if in_overlay?
           archive_overlay
         end
@@ -159,6 +165,21 @@ module Alchemy
 
       private
 
+      def load_pictures
+        @pictures = filtered_pictures(page: params[:page])
+      end
+
+      # Preload deletable ids in a single query so the view can decide which
+      # delete buttons to enable without calling +deletable?+ (a two-query
+      # check) per row. We pass already-loaded ids (via +map(&:id)+) rather
+      # than the relation itself, because passing a paginated relation
+      # produces +IN (SELECT ... LIMIT n)+, which older MariaDB versions
+      # reject.
+      def load_deletable_picture_ids
+        ids = @pictures ? @pictures.map(&:id) : [@picture.id]
+        @deletable_picture_ids = Picture.where(id: ids).deletable.pluck(:id).to_set
+      end
+
       def picture_offset
         ((params[:page] || 1).to_i - 1) * items_per_page
       end

data/app/javascript/alchemy_admin/components/picture_thumbnail.js

@@ -44,7 +44,6 @@ export default class PictureThumbnail extends HTMLElement {
     if (alt) {
       this.image.alt = alt
     }
-    this.image.loading = "lazy"
   }
 
   start(src) {

data/app/models/alchemy/attachment.rb

@@ -42,6 +42,33 @@ module Alchemy
     scope :recent, -> { where("#{table_name}.created_at > ?", Time.current - 24.hours).order(:created_at) }
     scope :without_tag, -> { left_outer_joins(:taggings).where(gutentag_taggings: {id: nil}) }
 
+    # Override +Alchemy::RelatableResource#deletable+ to also exclude
+    # attachments referenced from +/attachment/:id/download+ URLs inside
+    # ingredient values (e.g. Richtext markup, Link ingredients, raw Html).
+    # Those URLs are written by the file tab of the link dialog and are
+    # not tracked via the polymorphic +related_object+ association, so the
+    # base scope cannot see them.
+    #
+    # Uses a correlated +NOT EXISTS+ subquery that builds the per-row LIKE
+    # pattern with +Arel::Nodes::Concat+, which compiles to +||+ on
+    # SQLite/PostgreSQL and +CONCAT()+ on MySQL.
+    scope :deletable, -> do
+      ingredients = Alchemy::Ingredient.arel_table
+      pattern = Arel::Nodes::Concat.new(
+        Arel::Nodes::Concat.new(
+          Arel::Nodes.build_quoted("%/attachment/"),
+          arel_table[:id]
+        ),
+        Arel::Nodes.build_quoted("/download%")
+      )
+      referenced = ingredients
+        .project(1)
+        .where(ingredients[:value].matches(pattern))
+
+      where("#{table_name}.id NOT IN (#{RelatableResource::RELATED_INGREDIENTS_SUBQUERY})", type: name)
+        .where.not(referenced.exists)
+    end
+
     # We need to define this method here to have it available in the validations below.
     class << self
       # The class used to generate URLs for attachments
@@ -112,6 +139,13 @@ module Alchemy
       CGI.escape(file_name.gsub(/\.#{extension}$/, "").tr(".", " "))
     end
 
+    # Override +Alchemy::RelatableResource#deletable?+ to also consider
+    # +/attachment/:id/download+ links inside ingredient values (e.g.
+    # Richtext markup, Link ingredients, raw Html).
+    def deletable?
+      super && !referenced_in_ingredient_value?
+    end
+
     # Checks if the attachment is restricted, because it is attached on restricted pages only
     def restricted?
       related_pages.any? && related_pages.not_restricted.blank?
@@ -178,6 +212,12 @@ module Alchemy
       end
     end
 
+    def referenced_in_ingredient_value?
+      Alchemy::Ingredient
+        .where("value LIKE ?", "%/attachment/#{id}/download%")
+        .exists?
+    end
+
     def set_name
       self.name ||= Alchemy.storage_adapter.file_basename(self).humanize
     end

data/app/models/concerns/alchemy/relatable_resource.rb

@@ -2,6 +2,19 @@ module Alchemy
   module RelatableResource
     extend ActiveSupport::Concern
 
+    # SQL subquery selecting +related_object_id+ values for ingredients that
+    # reference a given polymorphic type. Intended to be composed into a
+    # +NOT IN (...)+ clause by +deletable+ and any overrides in including
+    # classes. Takes one named bind :type - the polymorphic type name,
+    # typically the class name of the including model
+    # (e.g. +"Alchemy::Attachment"+).
+    RELATED_INGREDIENTS_SUBQUERY = <<~SQL.squish
+      SELECT related_object_id
+      FROM alchemy_ingredients
+      WHERE related_object_id IS NOT NULL
+        AND related_object_type = :type
+    SQL
+
     class_methods do
       # Preload associations for element editor display
       #
@@ -18,10 +31,7 @@ module Alchemy
 
     included do
       scope :deletable, -> do
-        where(
-          "#{table_name}.id NOT IN (SELECT related_object_id FROM alchemy_ingredients WHERE related_object_id IS NOT NULL AND related_object_type = ?)",
-          name
-        )
+        where("#{table_name}.id NOT IN (#{RELATED_INGREDIENTS_SUBQUERY})", type: name)
       end
 
       has_many :related_ingredients,

data/app/stylesheets/alchemy/admin/archive.scss

@@ -75,8 +75,8 @@ alchemy-uploader {
   }
 
   img {
-    max-width: 100%;
-    max-height: 100%;
+    max-width: var(--picture-width);
+    max-height: var(--picture-height);
 
     &:not([src*="alchemy/missing-image"]) {
       background: var(--thumbnail-background);

data/app/stylesheets/alchemy/admin/images.scss

@@ -1,11 +1,11 @@
 alchemy-picture-thumbnail {
   &[loading] {
-    img {
+    > img {
       opacity: 0;
     }
   }
 
-  img {
+  > img {
     opacity: 1;
     transition: opacity var(--transition-duration);
   }

data/app/views/alchemy/admin/attachments/_files_list.html.erb

@@ -61,7 +61,7 @@
         file_attribute: 'file' %>
     <% end %>
     <% table.with_action(:destroy) do |attachment| %>
-      <% if attachment.deletable? %>
+      <% if @deletable_attachment_ids.include?(attachment.id) %>
         <sl-tooltip content="<%= Alchemy.t(:delete_file) %>">
           <%= link_to_confirm_dialog render_icon(:minus),
             Alchemy.t(:confirm_to_delete_file),

data/app/views/alchemy/admin/pictures/_filter_and_size_bar.html.erb

@@ -22,7 +22,7 @@
           search_filter_params.merge(
             size: "small",
             form_field_id: @form_field_id
-          )
+          ).to_h
         ),
         class: "icon_button"
       ) %>
@@ -34,7 +34,7 @@
           search_filter_params.merge(
             size: "medium",
             form_field_id: @form_field_id
-          )
+          ).to_h
         ),
         class: "icon_button"
       ) %>
@@ -46,7 +46,7 @@
           search_filter_params.merge(
             size: "large",
             form_field_id: @form_field_id
-          )
+          ).to_h
         ),
         class: "icon_button"
       ) %>

data/app/views/alchemy/admin/pictures/_picture.html.erb

@@ -2,7 +2,7 @@
   <span class="picture_tool select">
     <%= check_box_tag "picture_ids[]", picture.id %>
   </span>
-  <% if picture.deletable? && can?(:destroy, picture) %>
+  <% if @deletable_picture_ids.include?(picture.id) && can?(:destroy, picture) %>
   <div class="picture_tool delete">
     <sl-tooltip content="<%= Alchemy.t('Delete image') %>">
       <%= link_to_confirm_dialog(

data/app/views/alchemy/admin/pictures/_picture_to_assign.html.erb

@@ -10,7 +10,7 @@
         onclick: '$(self).attr("href", "#").off("click"); return false',
         method: 'put',
       ) do %>
-        <%= render Alchemy::Admin::PictureThumbnail.new(picture_to_assign) %>
+        <%= render Alchemy::Admin::PictureThumbnail.new(picture_to_assign, size: size) %>
       <% end %>
     </sl-tooltip>
   <% else %>

data/lib/alchemy/version.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 module Alchemy
-  VERSION = "8.2.1"
+  VERSION = "8.2.3"
 
   def self.version
     VERSION

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: alchemy_cms
 version: !ruby/object:Gem::Version
-  version: 8.2.1
+  version: 8.2.3
 platform: ruby
 authors:
 - Thomas von Deyen