inline_forms 8.1.11 → 8.1.13

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0e33b151ebeda5706914feaf6ac97bd11b0b379ac8b03435cf9d948c40dbdd9b
-  data.tar.gz: 975d48a428e045905e0fd29acf6b2d136ec7cc5f4a7825db9c951eb0ab3bba3d
+  metadata.gz: 5ae9fa81e904412a8066f7b989cc62d751ecd2ec388e86280a9f29c40c71066c
+  data.tar.gz: a1ef139cf1a6ab1827a79dfe4b13b83cc106dbaf4618f3840a4f00c623139d30
 SHA512:
-  metadata.gz: 37d86c5be4e09df199b6d23b8ee91c2488bb98b178b352213dce075234152cc9ef03d119cd2ccd0eb41632d4e6ec5724918d6f2cfdbd70889ed5a0e4b7a959d1
-  data.tar.gz: 3b40a5c9b0de4707715d43d2186f3d1e4570b7c0cfa17f55f6aa7aa2c151b325bf91a670897ebc3379a1ba086081953f4a0d2f3806a3cd83a13c4fd6149443bb
+  metadata.gz: 87a7b60dbc16267a2b1415374747785df190d82fb00d9df751dd6b3c47e9f02a82e2d2127ff04784fe659d6709ffd64044952c013c11fc49af0bad47284a29c7
+  data.tar.gz: 4452500f6fa5b2e6f1010a61e3a5f30ba755b44de4861a09868787136a4f06aa4873d545b03e68af782d0239bd8d55289c60cbdce22fde565d26d4ccda24a28f

data/CHANGELOG.md

@@ -4,6 +4,26 @@ All notable changes to this project are documented in this file.
 
 ## [Unreleased]
 
+## [8.1.13] - 2026-05-28
+
+### Fixed
+
+- **Post-delete undo restored the wrong PaperTrail version.** `destroy` stored `@undo_version = @object.versions.last` *before* `destroy`, so the undo link targeted the latest **update** (e.g. a `plain_text_area` edit). `revert` then reified that update — the state *before* the edit — so fields like `body_plain_area` on "Empty demo" came back blank. `@undo_version` is now taken after destroy so undo always targets the `destroy` event snapshot.
+
+### Added
+
+- **Regression test** on `FormElementShowcase` "Empty demo": edit `body_plain_area`, delete, undo, assert text and undo URL use the destroy version.
+
+## [8.1.12] - 2026-05-28
+
+### Fixed
+
+- **`InlineFormsController#revert` and CanCan `check_authorization`.** `revert` is excluded from `load_and_authorize_resource`, but `authorize!` only ran on some branches — and after `return unless @parent`, so a nil PaperTrail `item` on a destroyed row (or any path that bailed out early) left `@_authorized` unset and raised `CanCan::AuthorizationNotPerformed`. Authorization now runs once at the top of the action via `revert_authorization_subject` (reified record, `ActionText::RichText` parent, live `item`, or an id-only stub for destroyed rows). The post-delete **undo** link in `row_destroyed.html.erb` now requests `turbo_stream` like the versions-panel Restore link, matching the `format.turbo_stream` response.
+
+### Added
+
+- **Regression test** `example_app_showcase_row_turbo_test.rb`: destroy + undo revert on `FormElementShowcase`.
+
 ## [8.1.11] - 2026-05-28
 
 ### Fixed

data/app/controllers/inline_forms_controller.rb

@@ -247,8 +247,10 @@ class InlineFormsController < ApplicationController
     @update_span = params[:update]
     @object = referenced_object
     if current_user.role? :superadmin
-      @undo_version = @object.versions.last
       @object.destroy
+      # Capture after destroy: `.last` before destroy was the latest *update*
+      # (e.g. a plain_text_area edit), so undo reified the pre-edit state.
+      @undo_version = @object.versions.last
       respond_to do |format|
         format.html { render_row_turbo_destroyed } if row_html_turbo_allowed?
       end
@@ -270,62 +272,91 @@ class InlineFormsController < ApplicationController
   #   below derive from `@parent` for both branches.
   def revert
     @update_span = params[:update]
-    if current_user.role? :superadmin
-      @version = PaperTrail::Version.find(params[:id])
-      @object = @version.reify
-      # PaperTrail::Version#reify returns nil for `create` events because
-      # there is no prior state to roll back to. The versions list view
-      # hides the Restore link for `create` rows, but guard here too in
-      # case a request was bookmarked or replayed: render close on the
-      # current parent without mutating anything.
-      if @object.nil?
-        # reify returns nil for `create` events (no prior state). For a
-        # rich_text create, reverting means "undo the creation" -> destroy
-        # the ActionText::RichText row so the parent's field reverts to
-        # empty (symmetric with reverting an update on a rich_text that
-        # was first saved empty). For a primary record we never offer
-        # Restore on `create` in the view; this branch only runs for
-        # replayed/bookmarked URLs and must remain a no-op response keyed
-        # off the parent.
-        item = @version.item
-        if defined?(ActionText::RichText) && item.is_a?(ActionText::RichText)
-          @rich_text_record = item
-          @parent = @rich_text_record.record
-          return unless @parent
-          authorize!(:revert, @parent) if cancan_enabled?
-          @rich_text_record.destroy
-          @parent.touch if @parent.respond_to?(:touch)
-        else
-          @parent = item
-          return unless @parent
-          authorize!(:revert, @parent) if cancan_enabled?
-        end
-        return unless row_html_turbo_allowed?
-        respond_to do |format|
-          format.turbo_stream { render_revert_turbo_streams }
-        end
-        return
-      end
-      if defined?(ActionText::RichText) && @object.is_a?(ActionText::RichText)
-        @rich_text_record = @object
+    @version = PaperTrail::Version.find(params[:id])
+    @parent = revert_authorization_subject(@version)
+    authorize!(:revert, @parent || @Klass) if cancan_enabled?
+    return head :forbidden unless current_user.role? :superadmin
+    return head :not_found unless @parent
+
+    @object = @version.reify(
+      has_many: true,
+      has_and_belongs_to_many: true,
+      belongs_to: true
+    )
+    # PaperTrail::Version#reify returns nil for `create` events because
+    # there is no prior state to roll back to. The versions list view
+    # hides the Restore link for `create` rows, but guard here too in
+    # case a request was bookmarked or replayed: render close on the
+    # current parent without mutating anything.
+    if @object.nil?
+      # reify returns nil for `create` events (no prior state). For a
+      # rich_text create, reverting means "undo the creation" -> destroy
+      # the ActionText::RichText row so the parent's field reverts to
+      # empty (symmetric with reverting an update on a rich_text that
+      # was first saved empty). For a primary record we never offer
+      # Restore on `create` in the view; this branch only runs for
+      # replayed/bookmarked URLs and must remain a no-op response keyed
+      # off the parent.
+      item = @version.item
+      if defined?(ActionText::RichText) && item.is_a?(ActionText::RichText)
+        @rich_text_record = item
         @parent = @rich_text_record.record
-        @rich_text_record.save!
+        return head :not_found unless @parent
+        @rich_text_record.destroy
         @parent.touch if @parent.respond_to?(:touch)
       else
-        @parent = @object
-        @parent.save!
-      end
-      authorize!(:revert, @parent) if cancan_enabled?
-      return unless row_html_turbo_allowed?
-
-      respond_to do |format|
-        format.turbo_stream { render_revert_turbo_streams }
+        @parent = item || @parent
+        return head :not_found unless @parent
       end
+      return render_revert_response if row_html_turbo_allowed?
+      return
+    end
+    if defined?(ActionText::RichText) && @object.is_a?(ActionText::RichText)
+      @rich_text_record = @object
+      @parent = @rich_text_record.record
+      return head :not_found unless @parent
+      @rich_text_record.save!
+      @parent.touch if @parent.respond_to?(:touch)
+    else
+      @parent = @object
+      @parent.save!
     end
+    render_revert_response if row_html_turbo_allowed?
   end
 
   private
 
+  # +revert+ is excluded from +load_and_authorize_resource+; +authorize!+ runs in the
+  # action. +check_authorization+ on ApplicationController still requires that flag.
+  def revert_authorization_subject(version)
+    reified = version.reify(
+      has_many: true,
+      has_and_belongs_to_many: true,
+      belongs_to: true
+    )
+    if defined?(ActionText::RichText) && reified.is_a?(ActionText::RichText)
+      return reified.record
+    end
+    return reified if reified
+
+    item = version.item
+    if defined?(ActionText::RichText) && item.is_a?(ActionText::RichText)
+      return item.record
+    end
+    return item if item
+
+    klass = version.item_type.safe_constantize
+    return nil unless klass && version.item_id
+
+    klass.new(id: version.item_id)
+  end
+
+  def render_revert_response
+    respond_to do |format|
+      format.turbo_stream { render_revert_turbo_streams }
+    end
+  end
+
   # Versions list lives in +<turbo-frame id="…_versions">+; POST +restore+ would otherwise
   # send +Turbo-Frame: …_versions+ while +row_close+ only returns the row frame. Stream
   # replaces both the row and the versions panel in one response.

data/app/views/inline_forms/row_destroyed.html.erb

@@ -3,7 +3,7 @@
     <div class="small-12 column">
       <%= link_to t("inline_forms.view.undo"),
             send("revert_#{@Klass.to_s.underscore}_path", @undo_version, update: @update_span),
-            inline_forms_turbo_link_data(@update_span, method: :post).merge(class: "button") %>
+            inline_forms_turbo_link_data(@update_span, method: :post, turbo_stream: true).merge(class: "button") %>
     </div>
   </div>
 </turbo-frame>

data/lib/inline_forms/version.rb

@@ -1,4 +1,4 @@
 # -*- encoding : utf-8 -*-
 module InlineForms
-  VERSION = "8.1.11"
+  VERSION = "8.1.13"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: inline_forms
 version: !ruby/object:Gem::Version
-  version: 8.1.11
+  version: 8.1.13
 platform: ruby
 authors:
 - Ace Suares