panda-cms 0.8.2 → 0.10.2

data/app/controllers/panda/cms/admin/menus_controller.rb

@@ -4,7 +4,8 @@ module Panda
   module CMS
     module Admin
       class MenusController < ::Panda::CMS::Admin::BaseController
-        before_action :set_initial_breadcrumb, only: %i[index]
+        before_action :set_initial_breadcrumb, only: %i[index new edit]
+        before_action :set_menu, only: %i[edit update destroy]
 
         # Lists all menus which can be managed by the administrator
         # @type GET
@@ -14,10 +15,53 @@ module Panda
           render :index, locals: {menus: menus}
         end
 
+        # @type GET
+        def new
+          menu = Panda::CMS::Menu.new
+          add_breadcrumb "New Menu", new_admin_cms_menu_path
+          render :new, locals: {menu: menu}
+        end
+
+        # @type POST
+        def create
+          menu = Panda::CMS::Menu.new(menu_params)
+
+          if menu.save
+            redirect_to admin_cms_menus_path, notice: "Menu was successfully created."
+          else
+            render :new, locals: {menu: menu}, status: :unprocessable_entity
+          end
+        end
+
+        # @type GET
+        def edit
+          add_breadcrumb @menu.name, edit_admin_cms_menu_path(@menu)
+          render :edit
+        end
+
+        # @type PATCH/PUT
+        def update
+          if @menu.update(menu_params)
+            redirect_to admin_cms_menus_path, notice: "Menu was successfully updated."
+          else
+            render :edit, status: :unprocessable_entity
+          end
+        end
+
+        # @type DELETE
+        def destroy
+          @menu.destroy
+          redirect_to admin_cms_menus_path, notice: "Menu was successfully deleted."
+        end
+
         private
 
-        def menu
-          @menu ||= Panda::CMS::Menu.find(params[:id])
+        def set_menu
+          @menu = Panda::CMS::Menu.find(params[:id])
+        end
+
+        def menu_params
+          params.require(:menu).permit(:name, :kind, :start_page_id, menu_items_attributes: [:id, :text, :external_url, :panda_cms_page_id, :_destroy])
         end
 
         def set_initial_breadcrumb

data/app/controllers/panda/cms/admin/pages_controller.rb

@@ -25,6 +25,11 @@ module Panda
         # Loads the page editor
         # @type GET
         def edit
+          # Add all ancestor pages to breadcrumbs (excluding homepage at depth 0)
+          page.ancestors.select { |anc| anc.depth > 0 }.each do |ancestor|
+            add_breadcrumb ancestor.title, edit_admin_cms_page_path(ancestor)
+          end
+
           add_breadcrumb page.title, edit_admin_cms_page_path(page)
 
           render :edit, locals: {page: page, template: page.template}
@@ -61,7 +66,7 @@ module Panda
               flash: {success: "This page was successfully updated!"}
           else
             flash[:error] = "There was an error updating the page."
-            render :edit, status: :unprocessable_entity
+            render :edit, locals: {page: page, template: page.template}, status: :unprocessable_entity
           end
         end
 
@@ -94,7 +99,11 @@ module Panda
         # @type private
         # @return ActionController::StrongParameters
         def page_params
-          params.require(:page).permit(:title, :path, :panda_cms_template_id, :parent_id, :status)
+          params.require(:page).permit(
+            :title, :path, :panda_cms_template_id, :parent_id, :status, :page_type,
+            :seo_title, :seo_description, :seo_keywords, :seo_index_mode, :canonical_url,
+            :og_title, :og_description, :og_type, :og_image, :inherit_seo
+          )
         end
       end
     end

data/app/controllers/panda/cms/admin/posts_controller.rb

@@ -119,7 +119,9 @@ module Panda
             :status,
             :published_at,
             :author_id,
-            :content
+            :content,
+            :seo_title, :seo_description, :seo_keywords, :seo_index_mode, :canonical_url,
+            :og_title, :og_description, :og_type, :og_image
           )
         end
 

data/app/controllers/panda/cms/form_submissions_controller.rb

@@ -3,23 +3,146 @@
 module Panda
   module CMS
     class FormSubmissionsController < ApplicationController
-      invisible_captcha only: [:create]
+      # Spam protection - invisible honeypot field
+      invisible_captcha only: [:create], on_spam: :log_spam
 
-      def create
-        vars = params.except(:authenticity_token, :controller, :action, :id)
+      # Rate limiting to prevent spam
+      before_action :check_rate_limit, only: [:create]
 
+      def create
         form = Panda::CMS::Form.find(params[:id])
-        form_submission = Panda::CMS::FormSubmission.create(form_id: params[:id], data: vars.to_unsafe_h)
-        form.update(submission_count: form.submission_count + 1)
 
-        Panda::CMS::FormMailer.notification_email(form: form, form_submission: form_submission).deliver_now
+        # Additional spam checks
+        if looks_like_spam?(params)
+          log_spam_attempt(form, "content")
+          redirect_to_fallback(form, spam: true)
+          return
+        end
+
+        # Timing-based spam detection (honeypot timing)
+        if submitted_too_quickly?(params)
+          log_spam_attempt(form, "timing")
+          redirect_to_fallback(form, spam: true)
+          return
+        end
+
+        # Clean parameters - exclude system params and honeypot field
+        vars = params.except(:authenticity_token, :controller, :action, :id, :_form_timestamp, :spinner)
+
+        # Create submission
+        form_submission = Panda::CMS::FormSubmission.create!(
+          form_id: form.id,
+          data: vars.to_unsafe_h,
+          ip_address: request.remote_ip,
+          user_agent: request.user_agent
+        )
+
+        # Update submission count
+        form.increment!(:submission_count)
+
+        # Send notification email (in background if possible)
+        begin
+          Panda::CMS::FormMailer.notification_email(form: form, form_submission: form_submission).deliver_now
+        rescue => e
+          Rails.logger&.error "Failed to send form notification email: #{e.message}"
+          # Don't fail the submission if email fails
+        end
+
+        redirect_to_fallback(form, success: true)
+      rescue ActiveRecord::RecordInvalid => e
+        Rails.logger&.error "Form submission validation failed: #{e.message}"
+        redirect_to_fallback(form, error: true)
+      end
+
+      private
+
+      # Check for basic spam indicators
+      def looks_like_spam?(params)
+        # Check for too many URLs in message fields
+        message_fields = params.values.select { |v| v.is_a?(String) && v.length > 20 }
+        message_fields.any? { |field| field.scan(/https?:\/\//).length > 3 }
+      end
+
+      # Timing-based spam detection
+      # Rejects submissions that are too fast (< 3 seconds) or too stale (> 24 hours)
+      def submitted_too_quickly?(params)
+        return false unless params[:_form_timestamp].present?
+
+        begin
+          form_loaded_at = Time.zone.at(params[:_form_timestamp].to_i)
+          time_elapsed = Time.current - form_loaded_at
+
+          # Too fast - likely a bot (< 3 seconds)
+          if time_elapsed < 3.seconds
+            Rails.logger&.warn "Form submitted too quickly: #{time_elapsed.round(2)}s from IP: #{request.remote_ip}"
+            return true
+          end
+
+          # Too stale - form held too long without interaction (> 24 hours)
+          if time_elapsed > 24.hours
+            Rails.logger&.warn "Form submission too old: #{(time_elapsed / 1.hour).round(1)}h from IP: #{request.remote_ip}"
+            return true
+          end
+
+          false
+        rescue ArgumentError, TypeError => e
+          Rails.logger&.warn "Invalid form timestamp from IP #{request.remote_ip}: #{e.message}"
+          # Don't reject on invalid timestamp - might be legitimate user with modified form
+          false
+        end
+      end
+
+      # Rate limiting - max 3 submissions per IP per 5 minutes
+      def check_rate_limit
+        cache_key = "form_submission_rate_limit:#{request.remote_ip}"
+        count = Rails.cache.read(cache_key) || 0
+
+        if count >= 3
+          Rails.logger&.warn "Rate limit exceeded for IP: #{request.remote_ip}"
+          render plain: "Too many requests. Please try again later.", status: :too_many_requests
+          return
+        end
+
+        Rails.cache.write(cache_key, count + 1, expires_in: 5.minutes)
+      end
+
+      # Log spam attempt with reason
+      def log_spam_attempt(form, reason)
+        Rails.logger&.warn "Spam detected (#{reason}) for form #{form.id} from IP: #{request.remote_ip}"
+      end
+
+      # Callback for invisible_captcha spam detection
+      def log_spam
+        Rails.logger&.warn "Invisible captcha triggered from IP: #{request.remote_ip}"
+      end
+
+      # Safe redirect that works in engine context
+      def redirect_to_fallback(form, success: false, spam: false, error: false)
+        fallback = "/"
 
-        if (completion_path = form&.completion_path)
-          redirect_to completion_path
+        if spam
+          # Redirect to same page to appear successful (don't tell spammers)
+          redirect_back(fallback_location: fallback, allow_other_host: false)
+        elsif success && form.completion_path.present?
+          # Redirect to custom completion path
+          redirect_to form.completion_path, notice: "Thank you for your submission!"
+        elsif success
+          # Redirect back to referring page with success message
+          redirect_back(
+            fallback_location: fallback,
+            notice: "Thank you for your submission!",
+            allow_other_host: false
+          )
+        elsif error
+          # Redirect back with error message
+          redirect_back(
+            fallback_location: fallback,
+            alert: "There was an error submitting your form. Please try again.",
+            allow_other_host: false
+          )
         else
-          # TODO: This isn't a great fallback, we should do something nice here...
-          # Perhaps a simple JS alert when sent?
-          redirect_to "/"
+          # Default fallback
+          redirect_back(fallback_location: fallback, allow_other_host: false)
         end
       end
     end

data/app/controllers/panda/cms/pages_controller.rb

@@ -16,9 +16,9 @@ module Panda
 
       def show
         page = if @overrides&.dig(:page_path_match)
-          Panda::CMS::Page.find_by(path: @overrides[:page_path_match])
+          Panda::CMS::Page.includes(:template, :block_contents).find_by(path: @overrides[:page_path_match])
         else
-          Panda::CMS::Page.find_by(path: "/#{params[:path]}")
+          Panda::CMS::Page.includes(:template, :block_contents).find_by(path: "/#{params[:path]}")
         end
 
         Panda::CMS::Current.page = page || Panda::CMS::Page.find_by(path: "/404")
@@ -31,6 +31,11 @@ module Panda
           render file: "#{Rails.root}/public/404.html", layout: false, status: :not_found and return
         end
 
+        # HTTP caching: Send ETag and Last-Modified headers for efficient caching
+        # Use cached_last_updated_at which includes block content updates
+        # Returns 304 Not Modified if client's cached version is still valid
+        fresh_when(page, last_modified: page.last_updated_at, public: true)
+
         template_vars = {
           page: page,
           title: Panda::CMS::Current.page&.title || Panda::CMS.config.title

data/app/controllers/panda/cms/posts_controller.rb

@@ -7,6 +7,12 @@ module Panda
       # inside a /panda/cms/posts/... structure in the application
       def index
         @posts = Panda::CMS::Post.includes(:author).order(published_at: :desc)
+
+        # HTTP caching: Use the most recent post's updated_at for conditional requests
+        # Returns 304 Not Modified if no posts have changed since client's last request
+        latest_post_timestamp = @posts.maximum(:updated_at) || Time.current
+        fresh_when(etag: [@posts.to_a, latest_post_timestamp], last_modified: latest_post_timestamp, public: true)
+
         render inline: "", layout: Panda::CMS.config.posts[:layouts][:index]
       end
 
@@ -19,6 +25,11 @@ module Panda
           # For non-date URLs
           Panda::CMS::Post.find_by!(slug: "/#{params[:slug]}")
         end
+
+        # HTTP caching: Send ETag and Last-Modified headers for individual posts
+        # Returns 304 Not Modified if client's cached version is still valid
+        fresh_when(@post, last_modified: @post.updated_at, public: true)
+
         render inline: "", layout: Panda::CMS.config.posts[:layouts][:show]
       end
 
@@ -30,6 +41,11 @@ module Panda
           .includes(:author)
           .ordered
 
+        # HTTP caching: Use the most recent post in this month for conditional requests
+        # Returns 304 Not Modified if no posts in this month have changed
+        latest_month_timestamp = @posts.maximum(:updated_at) || @month
+        fresh_when(etag: [@posts.to_a, @month], last_modified: latest_month_timestamp, public: true)
+
         render inline: "", layout: Panda::CMS.config.posts[:layouts][:by_month]
       end
     end

data/app/helpers/panda/cms/application_helper.rb

@@ -2,8 +2,7 @@ module Panda
   module CMS
     module ApplicationHelper
       #
-      # Helper method to render a ViewComponent
-      # @see ViewComponent::Rendering#render
+      # Helper method to render a component
       # @usage <%= component "example", title: "Hello World!" %>
       #
       def component(name, *, **, &)
@@ -33,7 +32,7 @@ module Panda
         if match == :starts_with
           return request.path.starts_with?(path)
         elsif match == :exact
-          return (request.path == path)
+          return request.path == path
         end
 
         false
@@ -44,9 +43,23 @@ module Panda
         link_to(name, options, html_options, &)
       end
 
+      def panda_cms_collection(slug, include_unpublished: false)
+        Panda::CMS::Features.require!(:collections)
+        Panda::CMS::Collections.fetch(slug, include_unpublished: include_unpublished)
+      end
+
+      def panda_cms_collection_items(slug, include_unpublished: false)
+        Panda::CMS::Features.require!(:collections)
+        Panda::CMS::Collections.items(slug, include_unpublished: include_unpublished)
+      end
+
+      def panda_cms_feature_enabled?(name)
+        Panda::CMS::Features.enabled?(name)
+      end
+
       def panda_cms_form_with(**options, &)
         options[:builder] = Panda::Core::FormBuilder
-        options[:class] = ["block visible p-6 bg-mid/5 rounded-lg border-mid border", options[:class]].compact.join(" ")
+        options[:class] = ["block visible px-4 sm:px-6 pt-4", options[:class]].compact.join(" ")
         form_with(**options, &)
       end
 

data/app/helpers/panda/cms/asset_helper.rb

@@ -24,40 +24,9 @@ module Panda
       end
 
       # Include only Panda CMS JavaScript
-      def panda_cms_javascript
-        js_url = Panda::CMS::AssetLoader.javascript_url
-        return "" unless js_url
-
-        if Panda::CMS::AssetLoader.use_github_assets?
-          # GitHub-hosted assets with integrity check
-          version = Panda::CMS::AssetLoader.send(:asset_version)
-          integrity = asset_integrity(version, "panda-cms-#{version}.js")
-
-          tag_options = {
-            src: js_url
-          }
-          # In CI environment, don't use defer to ensure immediate execution
-          tag_options[:defer] = true unless ENV["GITHUB_ACTIONS"] == "true"
-          # Standalone bundles should NOT use type: "module" - they're regular scripts
-          # Only use type: "module" for importmap/ES module assets
-          if !js_url.include?("panda-cms-assets")
-            tag_options[:type] = "module"
-          end
-          tag_options[:integrity] = integrity if integrity
-          tag_options[:crossorigin] = "anonymous" if integrity
-
-          content_tag(:script, "", tag_options)
-        elsif js_url.include?("panda-cms-assets")
-          # Development assets - check if it's a standalone bundle or importmap
-          defer_option = (ENV["GITHUB_ACTIONS"] == "true") ? {} : {defer: true}
-          javascript_include_tag(js_url, **defer_option)
-        # Standalone bundle - don't use type: "module"
-        else
-          # Importmap asset - use type: "module"
-          defer_option = (ENV["GITHUB_ACTIONS"] == "true") ? {} : {defer: true}
-          javascript_include_tag(js_url, type: "module", **defer_option)
-        end
-      end
+      #
+      # Delegates to Core's helper which automatically includes all registered modules.
+      alias_method :panda_cms_javascript, :panda_core_javascript
 
       # Include only Panda CMS CSS
       def panda_cms_stylesheet
@@ -106,39 +75,16 @@ module Panda
         version = Panda::CMS::VERSION
         js_url = Panda::CMS::AssetLoader.javascript_url
         css_url = Panda::CMS::AssetLoader.css_url
-        using_github = Panda::CMS::AssetLoader.use_github_assets?
-        compiled_available = Panda::CMS::AssetLoader.send(:compiled_assets_available?)
-
-        # Additional CI debugging
-        asset_file_exists = js_url && File.exist?(Rails.root.join("public#{js_url}"))
-        ci_env = ENV["GITHUB_ACTIONS"] == "true"
-
-        # Check what script tag will be generated
-        script_tag_preview = if using_github
-          tag_options = {src: js_url}
-          tag_options[:defer] = true unless ci_env
-          if !js_url.include?("panda-cms-assets")
-            tag_options[:type] = "module"
-          end
-          "Script tag: <script#{tag_options.map { |k, v| (v == true) ? " #{k}" : " #{k}=\"#{v}\"" }.join}></script>"
-        else
-          "Using development assets"
-        end
+        Panda::CMS::AssetLoader.use_github_assets?
 
         debug_info = [
           "<!-- Panda CMS Asset Debug Info -->",
           "<!-- Version: #{version} -->",
-          "<!-- Using GitHub assets: #{using_github} -->",
-          "<!-- Compiled assets available: #{compiled_available} -->",
+          "<!-- Using importmaps: true (no compilation) -->",
           "<!-- JavaScript URL: #{js_url} -->",
-          "<!-- CSS URL: #{css_url || "none"} -->",
+          "<!-- CSS URL: #{css_url || "CSS from panda-core"} -->",
           "<!-- Rails environment: #{Rails.env} -->",
-          "<!-- Asset file exists: #{asset_file_exists} -->",
-          "<!-- Rails root: #{Rails.root} -->",
-          "<!-- CI environment: #{ci_env} -->",
-          "<!-- #{script_tag_preview} -->",
-          "<!-- Params embed_id: #{params[:embed_id] if respond_to?(:params)} -->",
-          "<!-- Compiled at: #{Time.now.utc.iso8601} -->"
+          "<!-- Rails root: #{Rails.root} -->"
         ]
 
         debug_info.join("\n").html_safe
@@ -183,6 +129,13 @@ module Panda
         ].join("\n").html_safe
       end
 
+      # Returns asset HTML for injection into iframe
+      # Used by editor_iframe_controller to inject assets dynamically
+      # Returns the raw HTML string (not JSON-encoded)
+      def panda_cms_injectable_assets
+        panda_cms_complete_assets.to_s
+      end
+
       private
 
       def asset_integrity(version, filename)

data/app/helpers/panda/cms/forms_helper.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+module Panda
+  module CMS
+    module FormsHelper
+      # Generates a hidden timing field for spam protection
+      # This should be included in all forms that submit to Panda::CMS::FormSubmissionsController
+      #
+      # @example In your form
+      #   <%= form_with url: form_submissions_path(form.id), method: :post do |f| %>
+      #     <%= panda_cms_form_timestamp %>
+      #     <%= f.text_field :name %>
+      #     <%= f.submit "Submit" %>
+      #   <% end %>
+      #
+      # @return [String] HTML hidden input with current timestamp
+      def panda_cms_form_timestamp
+        hidden_field_tag "_form_timestamp", Time.current.to_i
+      end
+
+      # Generates a complete spam-protected form wrapper
+      # Includes timing protection and invisible captcha honeypot
+      #
+      # @param form [Panda::CMS::Form] The form model
+      # @param options [Hash] Additional options for form_with
+      # @yield [FormBuilder] The form builder
+      #
+      # @example
+      #   <%= panda_cms_protected_form(form) do |f| %>
+      #     <%= f.text_field :name %>
+      #     <%= f.email_field :email %>
+      #     <%= f.text_area :message %>
+      #     <%= f.submit "Send Message" %>
+      #   <% end %>
+      def panda_cms_protected_form(form, options = {}, &block)
+        default_options = {
+          url: "/forms/#{form.id}",
+          method: :post,
+          data: {turbo: false}
+        }
+
+        form_with(**default_options.merge(options)) do |f|
+          concat panda_cms_form_timestamp
+          concat invisible_captcha_field
+          yield f
+        end
+      end
+
+      # Generates the invisible captcha honeypot field
+      # This is a hidden field that bots typically fill out but humans don't
+      #
+      # @return [String] HTML for invisible captcha field
+      def invisible_captcha_field
+        # invisible_captcha gem automatically adds this, but we can add it manually if needed
+        # The field name "spinner" is configured in invisible_captcha initializer
+        text_field_tag :spinner, nil, style: "position: absolute; left: -9999px; width: 1px; height: 1px;", tabindex: -1, autocomplete: "off", aria_hidden: true
+      end
+    end
+  end
+end

data/app/helpers/panda/cms/seo_helper.rb

@@ -0,0 +1,85 @@
+# frozen_string_literal: true
+
+module Panda
+  module CMS
+    module SEOHelper
+      #
+      # Renders all SEO meta tags for a given page or post
+      #
+      # @param resource [Panda::CMS::Page, Panda::CMS::Post] The page or post to render meta tags for
+      # @return [String] HTML meta tags
+      # @visibility public
+      #
+      def render_seo_meta_tags(resource)
+        return "" if resource.blank?
+
+        tags = []
+
+        # Basic SEO tags
+        tags << tag.meta(name: "description", content: resource.effective_seo_description) if resource.effective_seo_description.present?
+        tags << tag.meta(name: "keywords", content: resource.seo_keywords) if resource.seo_keywords.present?
+        tags << tag.meta(name: "robots", content: resource.robots_meta_content)
+        tags << tag.link(rel: "canonical", href: canonical_url_for(resource))
+
+        # Open Graph tags
+        tags << tag.meta(property: "og:title", content: resource.effective_og_title)
+        tags << tag.meta(property: "og:description", content: resource.effective_og_description) if resource.effective_og_description.present?
+        tags << tag.meta(property: "og:type", content: resource.og_type)
+        tags << tag.meta(property: "og:url", content: canonical_url_for(resource))
+
+        # Open Graph image
+        if resource.og_image.attached?
+          og_image_url = url_for(resource.og_image.variant(:og_share))
+          tags << tag.meta(property: "og:image", content: og_image_url)
+          tags << tag.meta(property: "og:image:width", content: "1200")
+          tags << tag.meta(property: "og:image:height", content: "630")
+        end
+
+        # Twitter Card tags (with fallback to OG)
+        tags << tag.meta(name: "twitter:card", content: "summary_large_image")
+        tags << tag.meta(name: "twitter:title", content: resource.effective_og_title)
+        tags << tag.meta(name: "twitter:description", content: resource.effective_og_description) if resource.effective_og_description.present?
+
+        # Twitter image (same as OG)
+        if resource.og_image.attached?
+          tags << tag.meta(name: "twitter:image", content: url_for(resource.og_image.variant(:og_share)))
+        end
+
+        safe_join(tags, "\n")
+      end
+
+      #
+      # Renders just the page title with SEO optimization
+      #
+      # @param resource [Panda::CMS::Page, Panda::CMS::Post] The page or post
+      # @param separator [String] Separator between page title and site name
+      # @param site_name [String] The site name (optional)
+      # @return [String] Formatted page title
+      # @visibility public
+      #
+      def seo_title(resource, separator: " · ", site_name: nil)
+        parts = [resource.effective_seo_title]
+        parts << site_name if site_name.present?
+        safe_join(parts, separator)
+      end
+
+      private
+
+      #
+      # Generates the full canonical URL for a resource
+      #
+      # @param resource [Panda::CMS::Page, Panda::CMS::Post] The page or post
+      # @return [String] Full canonical URL
+      # @visibility private
+      #
+      def canonical_url_for(resource)
+        # If canonical_url is a full URL, use it as-is
+        return resource.canonical_url if resource.canonical_url&.match?(%r{\Ahttps?://})
+
+        # Otherwise, construct from the path
+        path = resource.effective_canonical_url
+        "#{request.protocol}#{request.host_with_port}#{path}"
+      end
+    end
+  end
+end

data/app/javascript/panda/cms/{application_panda_cms.js → application.js}

@@ -1,7 +1,11 @@
 import "@hotwired/turbo"
 console.debug("[Panda CMS] Controllers loading...");
-import "controllers"
+import "./controllers/index.js"
 console.debug("[Panda CMS] Controllers loaded...");
 
+// Mark that Panda CMS JavaScript has loaded
+window.pandaCmsLoaded = true
+console.debug("[Panda CMS] Ready!");
+
 // Editor resources are now handled by panda-editor gem
 // The panda-editor gem will load its own resources when needed