alchemy_cms 8.2.2 → 8.2.4

data/app/controllers/alchemy/admin/attachments_controller.rb

@@ -39,6 +39,15 @@ module Alchemy
           .page(params[:page] || 1)
           .per(items_per_page)
 
+        # Preload deletable ids for the current page in a single query so the
+        # view can decide which delete buttons to enable without calling
+        # +deletable?+ (a two-query check) per row. We pass the already-loaded
+        # ids (via +map(&:id)+) rather than the relation itself, because passing
+        # a paginated relation produces +IN (SELECT ... LIMIT n)+, which older
+        # MariaDB versions reject.
+        @deletable_attachment_ids =
+          Attachment.where(id: @attachments.map(&:id)).deletable.pluck(:id).to_set
+
         if in_overlay?
           archive_overlay
         end

data/app/controllers/alchemy/admin/pictures_controller.rb

@@ -8,6 +8,8 @@ module Alchemy
       include CurrentLanguage
       include PictureDescriptionsFormHelper
 
+      before_action :load_pictures, only: :index
+
       before_action :load_resource,
         only: [:edit, :update, :url, :destroy]
 
@@ -19,6 +21,12 @@ module Alchemy
         @picture = Picture.find(params[:id])
       end
 
+      # Preload deletable ids for the current page (index) or the current
+      # resource (update, which re-renders the +_picture+ partial via a
+      # turbo stream). One query replaces the per-row +deletable?+ check
+      # that would otherwise fire for every picture the view renders.
+      before_action :load_deletable_picture_ids, only: [:index, :update]
+
       add_alchemy_filter :by_file_format, type: :select, options: ->(query) do
         Alchemy::Picture.file_formats(query.result)
       end
@@ -30,8 +38,6 @@ module Alchemy
       helper_method :picture_offset
 
       def index
-        @pictures = filtered_pictures(page: params[:page])
-
         if in_overlay?
           archive_overlay
         end
@@ -159,6 +165,21 @@ module Alchemy
 
       private
 
+      def load_pictures
+        @pictures = filtered_pictures(page: params[:page])
+      end
+
+      # Preload deletable ids in a single query so the view can decide which
+      # delete buttons to enable without calling +deletable?+ (a two-query
+      # check) per row. We pass already-loaded ids (via +map(&:id)+) rather
+      # than the relation itself, because passing a paginated relation
+      # produces +IN (SELECT ... LIMIT n)+, which older MariaDB versions
+      # reject.
+      def load_deletable_picture_ids
+        ids = @pictures ? @pictures.map(&:id) : [@picture.id]
+        @deletable_picture_ids = Picture.where(id: ids).deletable.pluck(:id).to_set
+      end
+
       def picture_offset
         ((params[:page] || 1).to_i - 1) * items_per_page
       end

data/app/javascript/alchemy_admin/components/remote_select.js

@@ -14,6 +14,12 @@ export class RemoteSelect extends AlchemyHTMLElement {
     url: { default: "" }
   }
 
+  // Select2 manages its own DOM after initialization, so attribute changes
+  // must not trigger the default re-render which would destroy the widget.
+  static get observedAttributes() {
+    return []
+  }
+
   async connected() {
     await setupSelectLocale()
 
@@ -34,6 +40,11 @@ export class RemoteSelect extends AlchemyHTMLElement {
    * @param {Event} event
    */
   onChange(event) {
+    // Update selection attribute so re-attaching the select2 component to
+    // the same input (e.g. after dragndrop) does not reset the selection.
+    if (event.added) {
+      this.setAttribute("selection", JSON.stringify(event.added))
+    }
     this.dispatchCustomEvent("RemoteSelect.Change", {
       removed: event.removed,
       added: event.added

data/app/models/alchemy/attachment.rb

@@ -42,6 +42,25 @@ module Alchemy
     scope :recent, -> { where("#{table_name}.created_at > ?", Time.current - 24.hours).order(:created_at) }
     scope :without_tag, -> { left_outer_joins(:taggings).where(gutentag_taggings: {id: nil}) }
 
+    # Override +Alchemy::RelatableResource#deletable+ to also exclude
+    # attachments referenced from +/attachment/:id/download+ URLs inside
+    # ingredient values (e.g. Richtext markup, Link ingredients, raw Html).
+    # Those URLs are written by the file tab of the link dialog and are
+    # not tracked via the polymorphic +related_object+ association, so the
+    # base scope cannot see them.
+    #
+    # Extracts referenced attachment IDs from ingredient values via Ruby
+    # regex to stay database-agnostic.
+    scope :deletable, -> do
+      referenced_ids = Alchemy::Ingredient
+        .where("value LIKE '%/attachment/%/download%'")
+        .pluck(:value)
+        .flat_map { |v| v.scan(%r{/attachment/(\d+)/download}).flatten.map(&:to_i) }
+
+      scope = where("#{table_name}.id NOT IN (#{RelatableResource::RELATED_INGREDIENTS_SUBQUERY})", type: name)
+      referenced_ids.any? ? scope.where.not(id: referenced_ids) : scope
+    end
+
     # We need to define this method here to have it available in the validations below.
     class << self
       # The class used to generate URLs for attachments
@@ -112,6 +131,13 @@ module Alchemy
       CGI.escape(file_name.gsub(/\.#{extension}$/, "").tr(".", " "))
     end
 
+    # Override +Alchemy::RelatableResource#deletable?+ to also consider
+    # +/attachment/:id/download+ links inside ingredient values (e.g.
+    # Richtext markup, Link ingredients, raw Html).
+    def deletable?
+      super && !referenced_in_ingredient_value?
+    end
+
     # Checks if the attachment is restricted, because it is attached on restricted pages only
     def restricted?
       related_pages.any? && related_pages.not_restricted.blank?
@@ -178,6 +204,12 @@ module Alchemy
       end
     end
 
+    def referenced_in_ingredient_value?
+      Alchemy::Ingredient
+        .where("value LIKE ?", "%/attachment/#{id}/download%")
+        .exists?
+    end
+
     def set_name
       self.name ||= Alchemy.storage_adapter.file_basename(self).humanize
     end

data/app/models/alchemy/page.rb

@@ -615,7 +615,17 @@ module Alchemy
     end
 
     def check_descendants_for_menu_nodes
-      pages_with_nodes = descendants.joins(:nodes).reorder("alchemy_pages.lft").distinct
+      # awesome_nested_set's before_destroy runs first and closes the gap left
+      # by this page, shifting the following siblings' lft/rgt leftward. For a
+      # leaf the next sibling then lands exactly on this page's lft, so the
+      # inclusive comparison the `descendants` helper uses (lft >= self.lft)
+      # would match it. Restrict to true descendants with strict bounds. Build
+      # on nested_set_scope so the acts_as_nested_set scope stays in sync.
+      pages_with_nodes = nested_set_scope
+        .where("alchemy_pages.lft > ? AND alchemy_pages.rgt < ?", lft, rgt)
+        .joins(:nodes)
+        .reorder("alchemy_pages.lft")
+        .distinct
       if pages_with_nodes.exists?
         errors.add(:descendants, :still_attached_to_nodes, page_names: pages_with_nodes.map(&:name).to_sentence)
         throw :abort

data/app/models/alchemy/page_version.rb

@@ -29,32 +29,6 @@ module Alchemy
 
     before_destroy :delete_elements
 
-    # Determines if this version is public
-    #
-    # Takes the two timestamps +public_on+ and +public_until+
-    # and returns true if the time given (+Time.current+ per default)
-    # is in this timespan.
-    #
-    # @param time [DateTime] (Time.current)
-    # @returns Boolean
-    def public?(time = Current.preview_time)
-      already_public_for?(time) && still_public_for?(time)
-    end
-
-    # Determines if this version is already public for given time
-    # @param time [DateTime] (Current.preview_time)
-    # @returns Boolean
-    def already_public_for?(time = Current.preview_time)
-      !public_on.nil? && public_on <= time
-    end
-
-    # Determines if this version is still public for given time
-    # @param time [DateTime] (Current.preview_time)
-    # @returns Boolean
-    def still_public_for?(time = Current.preview_time)
-      public_until.nil? || public_until >= time
-    end
-
     def element_repository
       ElementsRepository.new(elements)
     end

data/app/models/concerns/alchemy/publishable.rb

@@ -46,7 +46,7 @@ module Alchemy
     #
     # @returns Boolean
     def publishable?
-      !public_on.nil? && still_public_for?
+      !public_on.nil? && still_public_for?(at: Time.current)
     end
 
     # Determines if this record is already public for given time

data/app/models/concerns/alchemy/relatable_resource.rb

@@ -2,6 +2,19 @@ module Alchemy
   module RelatableResource
     extend ActiveSupport::Concern
 
+    # SQL subquery selecting +related_object_id+ values for ingredients that
+    # reference a given polymorphic type. Intended to be composed into a
+    # +NOT IN (...)+ clause by +deletable+ and any overrides in including
+    # classes. Takes one named bind :type - the polymorphic type name,
+    # typically the class name of the including model
+    # (e.g. +"Alchemy::Attachment"+).
+    RELATED_INGREDIENTS_SUBQUERY = <<~SQL.squish
+      SELECT related_object_id
+      FROM alchemy_ingredients
+      WHERE related_object_id IS NOT NULL
+        AND related_object_type = :type
+    SQL
+
     class_methods do
       # Preload associations for element editor display
       #
@@ -18,10 +31,7 @@ module Alchemy
 
     included do
       scope :deletable, -> do
-        where(
-          "#{table_name}.id NOT IN (SELECT related_object_id FROM alchemy_ingredients WHERE related_object_id IS NOT NULL AND related_object_type = ?)",
-          name
-        )
+        where("#{table_name}.id NOT IN (#{RELATED_INGREDIENTS_SUBQUERY})", type: name)
       end
 
       has_many :related_ingredients,

data/app/services/alchemy/element_preloader.rb

@@ -61,7 +61,7 @@ module Alchemy
 
       elements_by_id.each_value do |element|
         children = elements_by_parent[element.id] || []
-        children = children.sort_by(&:position)
+        children = children.sort_by { |c| c.position.to_i }
 
         # Manually set the association target
         element.association(:all_nested_elements).target = children

data/app/stylesheets/alchemy/admin/notices.scss

@@ -70,6 +70,15 @@ alchemy-message {
     font-size: var(--font-size_medium);
   }
 
+  h1,
+  h2,
+  h3,
+  p {
+    &:last-child {
+      margin-bottom: 0;
+    }
+  }
+
   a[href] {
     text-decoration-color: inherit;
     text-decoration-thickness: 1px;

data/app/views/alchemy/admin/attachments/_files_list.html.erb

@@ -61,7 +61,7 @@
         file_attribute: 'file' %>
     <% end %>
     <% table.with_action(:destroy) do |attachment| %>
-      <% if attachment.deletable? %>
+      <% if @deletable_attachment_ids.include?(attachment.id) %>
         <sl-tooltip content="<%= Alchemy.t(:delete_file) %>">
           <%= link_to_confirm_dialog render_icon(:minus),
             Alchemy.t(:confirm_to_delete_file),

data/app/views/alchemy/admin/pages/_table.html.erb

@@ -6,7 +6,7 @@
           <%= render_icon "file-edit", size: "xl" %>
         </sl-tooltip>
       <% else %>
-        <%= render_icon "file-edit", size: "xl" %>
+        <%= render_icon "file", size: "xl" %>
       <% end %>
     <% else %>
       <sl-tooltip class="like-hint-tooltip" content="<%= Alchemy.t("Your user role does not allow you to edit this page") %>" placement="bottom-start">

data/app/views/alchemy/admin/pictures/_picture.html.erb

@@ -2,7 +2,7 @@
   <span class="picture_tool select">
     <%= check_box_tag "picture_ids[]", picture.id %>
   </span>
-  <% if picture.deletable? && can?(:destroy, picture) %>
+  <% if @deletable_picture_ids.include?(picture.id) && can?(:destroy, picture) %>
   <div class="picture_tool delete">
     <sl-tooltip content="<%= Alchemy.t('Delete image') %>">
       <%= link_to_confirm_dialog(

data/db/migrate/20251106150010_convert_select_value_for_multiple.rb

@@ -1,11 +1,18 @@
 class ConvertSelectValueForMultiple < ActiveRecord::Migration[7.1]
   def up
     say_with_time "Converting Alchemy::Ingredients::Select values to multiple" do
-      update <<-SQL.squish
-        UPDATE alchemy_ingredients
-        SET value = '["' || value || '"]'
-        WHERE type = 'Alchemy::Ingredients::Select' AND value NOT LIKE '["%"]';
-      SQL
+      Alchemy::Ingredients::Select
+        .where.not("value LIKE ?", '["%')
+        .update_all(
+          Arel.sql(
+            case ActiveRecord::Base.connection.adapter_name
+            when /mysql|mariadb/i
+              "value = CONCAT('[\"', value, '\"]')"
+            else
+              "value = '[\"' || value || '\"]'"
+            end
+          )
+        )
     end
   end
 end

data/lib/alchemy/test_support/shared_publishable_examples.rb

@@ -212,4 +212,41 @@ RSpec.shared_examples_for "being publishable" do |factory_name|
       end
     end
   end
+
+  describe "#publishable?" do
+    context "when public_on is nil" do
+      let(:page_version) { build(factory_name, public_on: nil) }
+
+      it { expect(page_version.publishable?).to be(false) }
+    end
+
+    context "when public_on is set and public_until is nil" do
+      let(:page_version) { build(factory_name, public_on: Time.current) }
+
+      it { expect(page_version.publishable?).to be(true) }
+    end
+
+    context "when public_on is set and public_until is in the past" do
+      let(:page_version) do
+        build(factory_name,
+          public_on: Time.current - 2.days,
+          public_until: Time.current - 1.day)
+      end
+
+      it { expect(page_version.publishable?).to be(false) }
+    end
+
+    context "when Current.preview_time is set to a future time" do
+      let(:page_version) do
+        build(factory_name,
+          public_on: Time.current - 1.day,
+          public_until: Time.current + 1.day)
+      end
+
+      it "uses Time.current instead of the preview_time" do
+        Alchemy::Current.preview_time = Time.current + 1.week
+        expect(page_version.publishable?).to be(true)
+      end
+    end
+  end
 end

data/lib/alchemy/version.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 module Alchemy
-  VERSION = "8.2.2"
+  VERSION = "8.2.4"
 
   def self.version
     VERSION

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: alchemy_cms
 version: !ruby/object:Gem::Version
-  version: 8.2.2
+  version: 8.2.4
 platform: ruby
 authors:
 - Thomas von Deyen
@@ -1490,7 +1490,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements:
 - ImageMagick (libmagick), v6.6 or greater.
-rubygems_version: 4.0.6
+rubygems_version: 4.0.10
 specification_version: 4
 summary: A powerful, userfriendly and flexible CMS for Rails
 test_files: []