panda-cms 0.10.0 → 0.10.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a5d7ab51a41583d6af2b9c03249894b81eb3301e8a88068bf512fea5ba10891a
-  data.tar.gz: 9cbbd69b5b6e6ce229fef244135e7abb1e12580be401524b054e94ff227280cc
+  metadata.gz: 64a39a57fd00f6001e7992e634d5aef7b0536e7bfc4295399ea23737c10b0d83
+  data.tar.gz: 1b6d908a7f04e2f35ac7402b0c687160e71ac11e939a47f4193e1b4083947019
 SHA512:
-  metadata.gz: 84f46d5e374a05e046047e7e7751371f4b90d2e86a137df179c02e6e89c08169048e64c18ef38b0b78ab5137c22f55d0777451ab49bb32ab3aa3c67745b6aaed
-  data.tar.gz: 0b6ad4481db935ed61ca57d087582e8b370fe2ecb6b0e15dadeaa53042a834dbecaf9cd7d0122830788e10b071cce66290d0abd6a0b4649adf23465140854069
+  metadata.gz: eb5a888a0e743db6524e89c35de782c4fa51ed3e0c903dfa0e80b989764bdc3e59e8f90a4cb4837cfe35b286e4edba56451442fb3338a49165c5bbe9bb81b75f
+  data.tar.gz: f987d4e8feaf6ae5fdf6c217c591c52382cd04f67e9e7d78f1d4f3e6834e1f978a549ade07b6fbee13e7d42b98f6f7e1245ce68b5502562f548c2461dd4ade1c

data/README.md

@@ -32,16 +32,6 @@ The easiest way for you to get started is to visit http://localhost:3000/admin a
 
 When you're ready to configure further, you can set your own configuration in `config/initializers/panda.rb`. Make sure to configure your authentication providers and update the domain restriction!
 
-## Panda CMS Pro
-
-Commercial features such as structured **Collections** live in the `panda-cms-pro` gem. Once the pro gem is installed you can:
-
-- Model repeatable content with collections and items.
-- Loop over entries inside layouts using helpers like `panda_cms_collection_items("trustees")`.
-- Keep the feature hidden in open-source installs thanks to `Panda::CMS::Features`.
-
-See `docs/collections.md` for the editor workflow and template examples, and `docs/private-gem-server.md` for hosting the private gem server.
-
 ### Existing applications
 
 Add the following to `Gemfile`:
@@ -124,6 +114,7 @@ The CMS automatically loads Core's compiled stylesheet:
 ```
 
 Core's Rack middleware serves this file from the gem, so:
+
 - ✅ No CSS copying or compilation needed
 - ✅ Styles update automatically when Core updates
 - ✅ Consistent design across all Panda gems
@@ -136,7 +127,7 @@ For CSS compilation (when contributing to styling), see [Panda Core Asset Compil
 
 This is a non-exhuastive list (there will be many more):
 
-* To date, this has only been tested with Rails 7.1, 7.2 and 8.0
+* To date, this has only been tested with Rails 7.1, 7.2 and 8
 * There may be conflicts if you're not using Tailwind CSS on the frontend. Please report this.
 
 ## Contributing

data/app/components/panda/cms/code_component.rb

@@ -14,10 +14,12 @@ module Panda
       prop :editable, _Boolean, default: true
 
       def view_template
-        if @editable_state
-          render_editable_view
+        # Russian doll caching: Cache component output at block_content level
+        # Only cache in non-editable mode (public-facing pages)
+        if should_cache?
+          raw cache_component_output
         else
-          raw(@code_content.to_s.html_safe)
+          render_content
         end
       rescue => e
         handle_error(e)
@@ -36,9 +38,9 @@ module Panda
         block = find_block
         return false if block.nil?
 
-        block_content = find_block_content(block)
-        @code_content = block_content&.content.to_s
-        @block_content_id = block_content&.id
+        @block_content_obj = find_block_content(block)
+        @code_content = @block_content_obj&.content.to_s
+        @block_content_id = @block_content_obj&.id
       end
 
       def find_block
@@ -123,8 +125,11 @@ module Panda
       end
 
       def is_embedded?
-        # TODO: Check security on this - embed_id should match something?
-        view_context.request.params[:embed_id].present?
+        # Security: Verify embed_id matches the current page being edited
+        # This prevents unauthorized editing by ensuring the embed_id in the URL
+        # matches the actual page ID from Current.page
+        view_context.params[:embed_id].present? &&
+          Current.page&.id.to_s == view_context.params[:embed_id].to_s
       end
 
       def handle_error(error)
@@ -141,6 +146,38 @@ module Panda
         end
       end
 
+      def render_content
+        if @editable_state
+          render_editable_view
+        else
+          raw(@code_content.to_s.html_safe)
+        end
+      end
+
+      def should_cache?
+        !@editable_state &&
+          Panda::CMS.config.performance.dig(:fragment_caching, :enabled) != false &&
+          @block_content_obj.present?
+      end
+
+      def cache_component_output
+        cache_key = cache_key_for_component
+        expires_in = Panda::CMS.config.performance.dig(:fragment_caching, :expires_in) || 1.hour
+
+        Rails.cache.fetch(cache_key, expires_in: expires_in) do
+          render_content_to_string
+        end.html_safe
+      end
+
+      def cache_key_for_component
+        "panda_cms/code_component/#{@block_content_obj.cache_key_with_version}/#{@key}"
+      end
+
+      def render_content_to_string
+        # For code component, we just return the raw HTML content
+        @code_content.to_s
+      end
+
       class BlockError < StandardError; end
     end
   end

data/app/components/panda/cms/menu_component.rb

@@ -44,9 +44,15 @@ module Panda
         @menu = Panda::CMS::Menu.find_by(name: @name)
         return unless @menu
 
-        menu_items = @menu.menu_items
-        menu_items = menu_items.where("depth <= ?", @menu.depth) if @menu.depth
-        menu_items = menu_items.order(:lft)
+        # Fragment caching: Cache menu_items query results
+        # Cache key includes menu's updated_at to auto-invalidate on changes
+        cache_key = "panda_cms_menu/#{@menu.name}/#{@menu.id}/#{@menu.updated_at.to_i}/items"
+
+        menu_items = Rails.cache.fetch(cache_key, expires_in: 1.hour) do
+          items = @menu.menu_items
+          items = items.where("depth <= ?", @menu.depth) if @menu.depth
+          items.order(:lft).to_a  # Convert to array for caching
+        end
 
         @processed_menu_items = menu_items.map do |menu_item|
           add_css_classes_to_item(menu_item)

data/app/components/panda/cms/page_menu_component.rb

@@ -36,7 +36,15 @@ module Panda
         menu = @start_page&.page_menu
         return if menu.nil?
 
-        @menu_item = menu.menu_items.order(:lft)&.first
+        # Fragment caching: Cache menu items for this page menu
+        # Cache key includes menu's updated_at to auto-invalidate on changes
+        cache_key = "panda_cms_page_menu/#{menu.id}/#{menu.updated_at.to_i}/items"
+
+        cached_items = Rails.cache.fetch(cache_key, expires_in: 1.hour) do
+          menu.menu_items.order(:lft).to_a
+        end
+
+        @menu_item = cached_items.first
 
         # Set default styles if not already set
         @styles[:indent_with] ||= "pl-2" if @styles

data/app/components/panda/cms/rich_text_component.rb

@@ -18,6 +18,16 @@ module Panda
       attr_accessor :content, :block_content_id
 
       def view_template
+        # Russian doll caching: Cache component output at block_content level
+        # Only cache in non-editable mode (public-facing pages)
+        if should_cache?
+          raw cache_component_output
+        else
+          render_content
+        end
+      end
+
+      def render_content
         div(class: "panda-cms-content", **element_attrs) do
           if @editable_state
             # Empty div for EditorJS to initialize into
@@ -199,23 +209,21 @@ module Panda
         attrs = {class: "panda-cms-content"}
 
         if @editable_state
-          attrs.merge!(
-            id: "editor-#{@block_content_id}",
-            data: {
-              "editable-previous-data": @encoded_data,
-              "editable-content": @encoded_data,
-              "editable-initialized": "false",
-              "editable-version": "2.28.2",
-              "editable-autosave": "false",
-              "editable-tools": '{"paragraph":true,"header":true,"list":true,"quote":true,"table":true}',
-              "editable-kind": "rich_text",
-              "editable-block-content-id": @block_content_id,
-              "editable-page-id": Current.page.id,
-              controller: "editor-js",
-              "editor-js-initialized-value": "false",
-              "editor-js-content-value": @encoded_data
-            }
-          )
+          attrs[:id] = "editor-#{@block_content_id}"
+          attrs[:data] = {
+            "editable-previous-data": @encoded_data,
+            "editable-content": @encoded_data,
+            "editable-initialized": "false",
+            "editable-version": "2.28.2",
+            "editable-autosave": "false",
+            "editable-tools": '{"paragraph":true,"header":true,"list":true,"quote":true,"table":true}',
+            "editable-kind": "rich_text",
+            "editable-block-content-id": @block_content_id,
+            "editable-page-id": Current.page.id,
+            controller: "editor-js",
+            "editor-js-initialized-value": "false",
+            "editor-js-content-value": @encoded_data
+          }
         end
 
         attrs
@@ -247,6 +255,30 @@ module Panda
 
         nil
       end
+
+      def should_cache?
+        !@editable_state &&
+          Panda::CMS.config.performance.dig(:fragment_caching, :enabled) != false &&
+          @block_content.present?
+      end
+
+      def cache_component_output
+        cache_key = cache_key_for_component
+        expires_in = Panda::CMS.config.performance.dig(:fragment_caching, :expires_in) || 1.hour
+
+        Rails.cache.fetch(cache_key, expires_in: expires_in) do
+          render_content_to_string
+        end.html_safe
+      end
+
+      def cache_key_for_component
+        "panda_cms/rich_text_component/#{@block_content.cache_key_with_version}/#{@key}"
+      end
+
+      def render_content_to_string
+        # Render the component HTML to a string for caching
+        helpers.content_tag(:div, @rendered_content.html_safe, class: "panda-cms-content", **element_attrs)
+      end
     end
   end
 end

data/app/components/panda/cms/text_component.rb

@@ -18,7 +18,13 @@ module Panda
       def view_template
         return unless @content
 
-        span(**element_attrs) { raw(@content.html_safe) }
+        # Russian doll caching: Cache component output at block_content level
+        # Only cache in non-editable mode (public-facing pages)
+        if should_cache?
+          raw cache_component_output
+        else
+          render_content
+        end
       rescue => e
         handle_error(e)
       end
@@ -35,11 +41,11 @@ module Panda
         block = find_block
         return false if block.nil?
 
-        block_content = find_block_content(block)
-        @plain_text = block_content&.content.to_s
+        find_block_content(block)
+        @plain_text = @block_content_obj&.content.to_s
 
         if @editable_state
-          setup_editable_content(block_content)
+          setup_editable_content(@block_content_obj)
         else
           @content = prepare_content_for_display(@plain_text)
         end
@@ -54,7 +60,7 @@ module Panda
       end
 
       def find_block_content(block)
-        block.block_contents.find_by(panda_cms_page_id: Current.page.id)
+        @block_content_obj = block.block_contents.find_by(panda_cms_page_id: Current.page.id)
       end
 
       def setup_editable_content(block_content)
@@ -66,14 +72,12 @@ module Panda
         attrs = @attrs.merge(id: element_id)
 
         if @editable_state
-          attrs.merge!(
-            contenteditable: "plaintext-only",
-            data: {
-              "editable-kind": "plain_text",
-              "editable-page-id": Current.page.id,
-              "editable-block-content-id": @block_content_id
-            }
-          )
+          attrs[:contenteditable] = "plaintext-only"
+          attrs[:data] = {
+            "editable-kind": "plain_text",
+            "editable-page-id": Current.page.id,
+            "editable-block-content-id": @block_content_id
+          }
         end
 
         attrs
@@ -92,13 +96,41 @@ module Panda
         view_context.params[:embed_id].present? && view_context.params[:embed_id] == Current.page.id
       end
 
-      def handle_error(error)
+      def handle_error(_error)
         if !Rails.env.production? || defined?(Sentry)
           raise Panda::CMS::MissingBlockError, "Block with key #{@key} not found for page #{Current.page.title}"
         end
 
         false
       end
+
+      def should_cache?
+        !@editable_state &&
+          Panda::CMS.config.performance.dig(:fragment_caching, :enabled) != false &&
+          @block_content_obj.present?
+      end
+
+      def cache_component_output
+        cache_key = cache_key_for_component
+        expires_in = Panda::CMS.config.performance.dig(:fragment_caching, :expires_in) || 1.hour
+
+        Rails.cache.fetch(cache_key, expires_in: expires_in) do
+          render_content_to_string
+        end.html_safe
+      end
+
+      def cache_key_for_component
+        "panda_cms/text_component/#{@block_content_obj.cache_key_with_version}/#{@key}"
+      end
+
+      def render_content
+        span(**element_attrs) { raw(@content.html_safe) }
+      end
+
+      def render_content_to_string
+        # Phlex doesn't have a direct way to capture output, so we render directly
+        helpers.content_tag(:span, @content.html_safe, **element_attrs)
+      end
     end
   end
 end

data/app/controllers/panda/cms/admin/menus_controller.rb

@@ -36,7 +36,7 @@ module Panda
         # @type GET
         def edit
           add_breadcrumb @menu.name, edit_admin_cms_menu_path(@menu)
-          render :edit, locals: {menu: @menu}
+          render :edit
         end
 
         # @type PATCH/PUT
@@ -44,7 +44,7 @@ module Panda
           if @menu.update(menu_params)
             redirect_to admin_cms_menus_path, notice: "Menu was successfully updated."
           else
-            render :edit, locals: {menu: @menu}, status: :unprocessable_entity
+            render :edit, status: :unprocessable_entity
           end
         end
 

data/app/controllers/panda/cms/admin/pages_controller.rb

@@ -66,7 +66,7 @@ module Panda
               flash: {success: "This page was successfully updated!"}
           else
             flash[:error] = "There was an error updating the page."
-            render :edit, status: :unprocessable_entity
+            render :edit, locals: {page: page, template: page.template}, status: :unprocessable_entity
           end
         end
 
@@ -99,7 +99,11 @@ module Panda
         # @type private
         # @return ActionController::StrongParameters
         def page_params
-          params.require(:page).permit(:title, :path, :panda_cms_template_id, :parent_id, :status, :page_type)
+          params.require(:page).permit(
+            :title, :path, :panda_cms_template_id, :parent_id, :status, :page_type,
+            :seo_title, :seo_description, :seo_keywords, :seo_index_mode, :canonical_url,
+            :og_title, :og_description, :og_type, :og_image, :inherit_seo
+          )
         end
       end
     end

data/app/controllers/panda/cms/admin/posts_controller.rb

@@ -119,7 +119,9 @@ module Panda
             :status,
             :published_at,
             :author_id,
-            :content
+            :content,
+            :seo_title, :seo_description, :seo_keywords, :seo_index_mode, :canonical_url,
+            :og_title, :og_description, :og_type, :og_image
           )
         end
 

data/app/controllers/panda/cms/form_submissions_controller.rb

@@ -3,23 +3,146 @@
 module Panda
   module CMS
     class FormSubmissionsController < ApplicationController
-      invisible_captcha only: [:create]
+      # Spam protection - invisible honeypot field
+      invisible_captcha only: [:create], on_spam: :log_spam
 
-      def create
-        vars = params.except(:authenticity_token, :controller, :action, :id)
+      # Rate limiting to prevent spam
+      before_action :check_rate_limit, only: [:create]
 
+      def create
         form = Panda::CMS::Form.find(params[:id])
-        form_submission = Panda::CMS::FormSubmission.create(form_id: params[:id], data: vars.to_unsafe_h)
-        form.update(submission_count: form.submission_count + 1)
 
-        Panda::CMS::FormMailer.notification_email(form: form, form_submission: form_submission).deliver_now
+        # Additional spam checks
+        if looks_like_spam?(params)
+          log_spam_attempt(form, "content")
+          redirect_to_fallback(form, spam: true)
+          return
+        end
+
+        # Timing-based spam detection (honeypot timing)
+        if submitted_too_quickly?(params)
+          log_spam_attempt(form, "timing")
+          redirect_to_fallback(form, spam: true)
+          return
+        end
+
+        # Clean parameters - exclude system params and honeypot field
+        vars = params.except(:authenticity_token, :controller, :action, :id, :_form_timestamp, :spinner)
+
+        # Create submission
+        form_submission = Panda::CMS::FormSubmission.create!(
+          form_id: form.id,
+          data: vars.to_unsafe_h,
+          ip_address: request.remote_ip,
+          user_agent: request.user_agent
+        )
+
+        # Update submission count
+        form.increment!(:submission_count)
+
+        # Send notification email (in background if possible)
+        begin
+          Panda::CMS::FormMailer.notification_email(form: form, form_submission: form_submission).deliver_now
+        rescue => e
+          Rails.logger&.error "Failed to send form notification email: #{e.message}"
+          # Don't fail the submission if email fails
+        end
+
+        redirect_to_fallback(form, success: true)
+      rescue ActiveRecord::RecordInvalid => e
+        Rails.logger&.error "Form submission validation failed: #{e.message}"
+        redirect_to_fallback(form, error: true)
+      end
+
+      private
+
+      # Check for basic spam indicators
+      def looks_like_spam?(params)
+        # Check for too many URLs in message fields
+        message_fields = params.values.select { |v| v.is_a?(String) && v.length > 20 }
+        message_fields.any? { |field| field.scan(/https?:\/\//).length > 3 }
+      end
+
+      # Timing-based spam detection
+      # Rejects submissions that are too fast (< 3 seconds) or too stale (> 24 hours)
+      def submitted_too_quickly?(params)
+        return false unless params[:_form_timestamp].present?
+
+        begin
+          form_loaded_at = Time.zone.at(params[:_form_timestamp].to_i)
+          time_elapsed = Time.current - form_loaded_at
+
+          # Too fast - likely a bot (< 3 seconds)
+          if time_elapsed < 3.seconds
+            Rails.logger&.warn "Form submitted too quickly: #{time_elapsed.round(2)}s from IP: #{request.remote_ip}"
+            return true
+          end
+
+          # Too stale - form held too long without interaction (> 24 hours)
+          if time_elapsed > 24.hours
+            Rails.logger&.warn "Form submission too old: #{(time_elapsed / 1.hour).round(1)}h from IP: #{request.remote_ip}"
+            return true
+          end
+
+          false
+        rescue ArgumentError, TypeError => e
+          Rails.logger&.warn "Invalid form timestamp from IP #{request.remote_ip}: #{e.message}"
+          # Don't reject on invalid timestamp - might be legitimate user with modified form
+          false
+        end
+      end
+
+      # Rate limiting - max 3 submissions per IP per 5 minutes
+      def check_rate_limit
+        cache_key = "form_submission_rate_limit:#{request.remote_ip}"
+        count = Rails.cache.read(cache_key) || 0
+
+        if count >= 3
+          Rails.logger&.warn "Rate limit exceeded for IP: #{request.remote_ip}"
+          render plain: "Too many requests. Please try again later.", status: :too_many_requests
+          return
+        end
+
+        Rails.cache.write(cache_key, count + 1, expires_in: 5.minutes)
+      end
+
+      # Log spam attempt with reason
+      def log_spam_attempt(form, reason)
+        Rails.logger&.warn "Spam detected (#{reason}) for form #{form.id} from IP: #{request.remote_ip}"
+      end
+
+      # Callback for invisible_captcha spam detection
+      def log_spam
+        Rails.logger&.warn "Invisible captcha triggered from IP: #{request.remote_ip}"
+      end
+
+      # Safe redirect that works in engine context
+      def redirect_to_fallback(form, success: false, spam: false, error: false)
+        fallback = "/"
 
-        if (completion_path = form&.completion_path)
-          redirect_to completion_path
+        if spam
+          # Redirect to same page to appear successful (don't tell spammers)
+          redirect_back(fallback_location: fallback, allow_other_host: false)
+        elsif success && form.completion_path.present?
+          # Redirect to custom completion path
+          redirect_to form.completion_path, notice: "Thank you for your submission!"
+        elsif success
+          # Redirect back to referring page with success message
+          redirect_back(
+            fallback_location: fallback,
+            notice: "Thank you for your submission!",
+            allow_other_host: false
+          )
+        elsif error
+          # Redirect back with error message
+          redirect_back(
+            fallback_location: fallback,
+            alert: "There was an error submitting your form. Please try again.",
+            allow_other_host: false
+          )
         else
-          # TODO: This isn't a great fallback, we should do something nice here...
-          # Perhaps a simple JS alert when sent?
-          redirect_to "/"
+          # Default fallback
+          redirect_back(fallback_location: fallback, allow_other_host: false)
         end
       end
     end

data/app/controllers/panda/cms/pages_controller.rb

@@ -16,9 +16,9 @@ module Panda
 
       def show
         page = if @overrides&.dig(:page_path_match)
-          Panda::CMS::Page.includes(:template).find_by(path: @overrides[:page_path_match])
+          Panda::CMS::Page.includes(:template, :block_contents).find_by(path: @overrides[:page_path_match])
         else
-          Panda::CMS::Page.includes(:template).find_by(path: "/#{params[:path]}")
+          Panda::CMS::Page.includes(:template, :block_contents).find_by(path: "/#{params[:path]}")
         end
 
         Panda::CMS::Current.page = page || Panda::CMS::Page.find_by(path: "/404")
@@ -31,6 +31,11 @@ module Panda
           render file: "#{Rails.root}/public/404.html", layout: false, status: :not_found and return
         end
 
+        # HTTP caching: Send ETag and Last-Modified headers for efficient caching
+        # Use cached_last_updated_at which includes block content updates
+        # Returns 304 Not Modified if client's cached version is still valid
+        fresh_when(page, last_modified: page.last_updated_at, public: true)
+
         template_vars = {
           page: page,
           title: Panda::CMS::Current.page&.title || Panda::CMS.config.title

data/app/controllers/panda/cms/posts_controller.rb

@@ -7,6 +7,12 @@ module Panda
       # inside a /panda/cms/posts/... structure in the application
       def index
         @posts = Panda::CMS::Post.includes(:author).order(published_at: :desc)
+
+        # HTTP caching: Use the most recent post's updated_at for conditional requests
+        # Returns 304 Not Modified if no posts have changed since client's last request
+        latest_post_timestamp = @posts.maximum(:updated_at) || Time.current
+        fresh_when(etag: [@posts.to_a, latest_post_timestamp], last_modified: latest_post_timestamp, public: true)
+
         render inline: "", layout: Panda::CMS.config.posts[:layouts][:index]
       end
 
@@ -19,6 +25,11 @@ module Panda
           # For non-date URLs
           Panda::CMS::Post.find_by!(slug: "/#{params[:slug]}")
         end
+
+        # HTTP caching: Send ETag and Last-Modified headers for individual posts
+        # Returns 304 Not Modified if client's cached version is still valid
+        fresh_when(@post, last_modified: @post.updated_at, public: true)
+
         render inline: "", layout: Panda::CMS.config.posts[:layouts][:show]
       end
 
@@ -30,6 +41,11 @@ module Panda
           .includes(:author)
           .ordered
 
+        # HTTP caching: Use the most recent post in this month for conditional requests
+        # Returns 304 Not Modified if no posts in this month have changed
+        latest_month_timestamp = @posts.maximum(:updated_at) || @month
+        fresh_when(etag: [@posts.to_a, @month], last_modified: latest_month_timestamp, public: true)
+
         render inline: "", layout: Panda::CMS.config.posts[:layouts][:by_month]
       end
     end

data/app/helpers/panda/cms/application_helper.rb

@@ -2,8 +2,7 @@ module Panda
   module CMS
     module ApplicationHelper
       #
-      # Helper method to render a ViewComponent
-      # @see ViewComponent::Rendering#render
+      # Helper method to render a component
       # @usage <%= component "example", title: "Hello World!" %>
       #
       def component(name, *, **, &)
@@ -60,7 +59,7 @@ module Panda
 
       def panda_cms_form_with(**options, &)
         options[:builder] = Panda::Core::FormBuilder
-        options[:class] = ["block visible p-6 bg-mid/5 rounded-lg border-mid border", options[:class]].compact.join(" ")
+        options[:class] = ["block visible px-4 sm:px-6 pt-4", options[:class]].compact.join(" ")
         form_with(**options, &)
       end