spina 2.10.0 → 2.11.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bd9893ef78c55c7d8a448cce6e8bc04fe22d3f48cde3f07bbef32c03d9aaf00e
-  data.tar.gz: bc9fd36b1599b808d0313fabb1508506e4cf9e9e4f26908f645f906db3c5c79a
+  metadata.gz: 68c17b8a615a45c86dce79d2e4b32a5f7bc4fdbf8f71d94fbdc2f530a68baa48
+  data.tar.gz: a85f8e9b3a922c1b3de5866d37bab8bdae583c264e35894baa7871b95aa2eaf5
 SHA512:
-  metadata.gz: 6c71bf70aa732fe118cdac86c234a99d88adfd0bf2669551a5f94c6847401ca87d0ebabc5afe522749d95d6c9e5f79c1abec95916080f735e5e29d36461c042c
-  data.tar.gz: 8d2da67450bc5c70cfd73c61dadca688ccbacb6b971d465559cca95c9cc2969a02c6f8e84e7dd02e794329a08f94e7fcff31f48382ce93ad64ac84c75333e480
+  metadata.gz: be079dbe9d681c2d2912946c01127d40ffe84fd28c600be31be1a0a3d56aa0e7591f4ab8423943490aa52f5f70adc04d8eac73df8bd827397ea536e5fb53fce1
+  data.tar.gz: fdbb328aba58cbdc660869b2745d6469cbb10a9e40576a3b09205862e4deef8e6ca5f717bb7171039915010c4227e2998a2c1bb86907b194f5844e68a4925dd4

data/app/components/spina/pages/actions_component.html.erb

@@ -32,6 +32,13 @@
         <% if !@page.custom_page? %>
           <%= link_to t('spina.pages.change_view_template') + "...", helpers.spina.edit_template_admin_page_path(@page), class: "block px-4 py-2 text-sm font-medium leading-5 text-gray-700 hover:bg-gray-100 hover:text-gray-900 focus:outline-none focus:bg-gray-100 focus:text-gray-900", data: {turbo_frame: "modal", action: "reveal#hide"} %>
         <% end %>
+        
+        <% if @locale.to_sym != I18n.locale.to_sym %>
+          <% @page.translations.where(locale: @locale).each do |translation| %>
+            <%= button_to t("spina.page_translations.delete", translation: @locale.upcase), helpers.spina.admin_page_translation_path(translation), method: :delete, class: "block w-full text-left px-4 py-2 text-sm leading-5 font-medium text-red-500 cursor-pointer bg-white hover:bg-red-100 hover:bg-opacity-50 hover:text-red-500 focus:outline-none focus:bg-gray-100 focus:text-gray-900", form: {data: {controller: "confirm", confirm_message: t('spina.page_translations.delete_confirmation', subject: @locale.upcase)}} %>
+          <% end %>
+        <% end %>
+        
         <% if @page.deletable? %>
           <%= button_to t('spina.pages.delete'), helpers.spina.admin_page_path(@page), method: :delete, class: "block w-full text-left px-4 py-2 text-sm leading-5 font-medium text-red-500 cursor-pointer bg-white hover:bg-red-100 hover:bg-opacity-50 hover:text-red-500 focus:outline-none focus:bg-gray-100 focus:text-gray-900", form: {data: {controller: "confirm", confirm_message: t('spina.pages.delete_confirmation', subject: @page.title)}} %>
         <% else %>

data/app/components/spina/pages/translations_component.rb

@@ -24,7 +24,7 @@ module Spina
       private
   
         def spina_locales
-          Spina.config.locales.map(&:to_sym)
+          Spina.locales.map(&:to_sym)
         end
   
     end

data/app/components/spina/user_interface/translations_component.rb

@@ -18,7 +18,7 @@ module Spina
       private
   
         def spina_locales
-          Spina.config.locales.map(&:to_sym)
+          Spina.locales.map(&:to_sym)
         end
   
     end

data/app/controllers/spina/admin/page_translations_controller.rb

@@ -0,0 +1,14 @@
+module Spina
+  module Admin
+    class PageTranslationsController < AdminController
+      
+      def destroy
+        @translation = Spina::Page::Translation.find(params[:id])
+        @translation.destroy
+        flash[:info] = t("spina.page_translations.deleted")
+        redirect_to spina.edit_admin_page_path(@translation.translated_model), status: :see_other
+      end
+      
+    end
+  end
+end

data/app/models/concerns/spina/translated_content.rb

@@ -6,7 +6,7 @@ module Spina
 
     included do  
       # Store each locale's content in [locale]_content as an array of parts
-      Spina.config.locales.each do |locale|
+      Spina.locales.each do |locale|
         attr_json "#{locale}_content".to_sym, AttrJson::Type::SpinaPartsModel.new, array: true, default: -> { [] }
         attr_json_setter_monkeypatch "#{locale}_content".to_sym
         attr_json_accepts_nested_attributes_for "#{locale}_content".to_sym

data/app/models/spina/account.rb

@@ -15,15 +15,25 @@ module Spina
       name
     end
 
+    # Spina previously stored account preferences with symbols as keys.
+    # Because of CVE-2022-32224 we're changing that to strings instead.
+    # This fallback ensures backwards compatibility, but in the long run this
+    # should be refactored to use a simple JSONB-column with Postgres.
     def self.serialized_attr_accessor(*args)
       args.each do |method_name|
         define_method method_name do
+          if self.preferences.try(:[], method_name.to_sym).present?
+            ActiveSupport::Deprecation.warn("#{method_name} is stored as a symbol. Please set and save it again using #{method_name}= on your Spina::Account model to store it as a string. You can do this from the UI by saving your account preferences.")
+          end
+          
+          self.preferences.try(:[], method_name.to_s) || 
           self.preferences.try(:[], method_name.to_sym)
         end
 
         define_method "#{method_name}=" do |value|
           self.preferences ||= {}
-          self.preferences[method_name.to_sym] = value
+          self.preferences.except!(method_name.to_sym)
+          self.preferences[method_name.to_s] = value
         end
       end
     end

data/app/models/spina/page.rb

@@ -17,16 +17,16 @@ module Spina
     has_many :navigations, through: :navigation_items
 
     # Pages can belong to a resource
-    belongs_to :resource, optional: true
+    belongs_to :resource, optional: true, touch: true
 
-    scope :main, -> { where(resource_id: nil) }    
+    scope :main, -> { where(resource_id: nil) }
     scope :regular_pages, ->  { main }
     scope :resource_pages, -> { where.not(resource: nil) }
     scope :active, -> { where(active: true) }
     scope :sorted, -> { order(:position) }
     scope :live, -> { active.where(draft: false) }
     scope :in_menu, -> { where(show_in_menu: true) }
-    
+
     before_create :set_default_position
 
     # Copy resource from parent
@@ -57,7 +57,7 @@ module Spina
     def slug
       url_title.to_s.to_slug.transliterate(*Spina.config.transliterations).normalize.to_s
     end
-    
+
     def homepage?
       name == 'homepage'
     end
@@ -81,11 +81,11 @@ module Spina
     def next_sibling
       siblings.where('position > ?', position).sorted.first
     end
-    
+
     def set_materialized_path
       self.old_path = materialized_path
       self.materialized_path = localized_materialized_path
-      
+
       # Append counter to duplicate materialized_path
       i = 0
       while duplicate_materialized_path?
@@ -104,7 +104,7 @@ module Spina
     end
 
     private
-    
+
       def set_default_position
         self.position ||= self.class.maximum(:position).to_i.next
       end
@@ -136,7 +136,7 @@ module Spina
         path_fragments.append(slug) unless homepage?
         path_fragments.compact.map(&:parameterize).join('/')
       end
-      
+
       def duplicate_materialized_path?
         self.class.where.not(id: id).i18n.where(materialized_path: materialized_path).exists?
       end

data/app/views/spina/sitemaps/show.xml.builder

@@ -7,7 +7,7 @@ xml.urlset "xmlns" => "http://www.google.com/schemas/sitemap/0.9", "xmlns:xhtml"
 
       # Translations
       page.translations.each do |translation|
-        if translation.locale.in? Spina.config.locales.map(&:to_s)
+        if translation.locale.in? Spina.locales.map(&:to_s)
           Mobility.with_locale(translation.locale) do
             xml.xhtml(:link, rel: "alternate", hreflang: translation.locale, href: "#{request.protocol}#{request.host}#{page.materialized_path}")
           end

data/config/initializers/yaml_column_permitted_classes.rb

@@ -0,0 +1,16 @@
+# CVE-2022-32224 RAILS
+# 
+# There was a bug in Rails allowing YAML-serialized data to be vulnerable to RCE.
+# Spina uses the serialize method to store various preferences stored using symbols.
+# We've now changed this so preferences are stored with strings as keys instead of
+# symbols, but in order to not break existing projects we're adding 'Symbol' to the 
+# list of permitted classes.
+# This can be removed in the future.
+# 
+# More information:
+# https://discuss.rubyonrails.org/t/cve-2022-32224-possible-rce-escalation-bug-with-serialized-columns-in-active-record/81017
+
+if ActiveRecord.respond_to?(:yaml_column_permitted_classes)
+  Rails.application.config.active_record.yaml_column_permitted_classes ||= []
+  Rails.application.config.active_record.yaml_column_permitted_classes += [Symbol]
+end

data/config/locales/en.yml

@@ -281,6 +281,10 @@ en:
       show_in_menu: invisible
       skip_to_first_child: forward to first child page
       sorting_saved: Sorting saved
+    page_translations:
+      delete: Delete translation (%{translation})
+      delete_confirmation: Are you sure you want to delete this translation <strong>(%{subject})</strong>?
+      deleted: Translation deleted
     permanently_delete: Permanently delete
     photos:
       cannot_be_created: 'Image could not be processed:'

data/config/locales/nl.yml

@@ -254,6 +254,10 @@ nl:
       show_in_menu: onzichtbaar
       skip_to_first_child: doorsturen naar 1<sup>e</sup> subpagina
       sorting_saved: Volgorde opgeslagen
+    page_translations:
+      delete: Verwijder vertaling (%{translation})
+      delete_confirmation: Weet je zeker dat je deze vertaling <strong>(%{subject})</strong> wilt verwijderen?
+      deleted: Vertaling verwijderd
     permanently_delete: Definitief verwijderen
     photos:
       cannot_be_created: 'Foto kon niet worden verwerkt:'

data/config/routes.rb

@@ -53,6 +53,7 @@ Spina::Engine.routes.draw do
 
       post :sort, on: :collection
     end
+    resources :page_translations, only: [:destroy]
     resources :parent_pages
     resource :layout, controller: :layout, only: [:edit, :update]
 
@@ -92,8 +93,8 @@ Spina::Engine.routes.draw do
     root to: "pages#homepage"
 
     # Pages
-    get '/:locale/*id' => 'pages#show', constraints: {locale: /#{Spina.config.locales.join('|')}/ }
-    get '/:locale/' => 'pages#homepage', constraints: {locale: /#{Spina.config.locales.join('|')}/ }
+    get '/:locale/*id' => 'pages#show', constraints: {locale: /#{Spina.locales.join('|')}/ }
+    get '/:locale/' => 'pages#homepage', constraints: {locale: /#{Spina.locales.join('|')}/ }
     get '/*id' => 'pages#show', as: "page", controller: 'pages', constraints: -> (request) {
       request.path.exclude?(ActiveStorage.routes_prefix) &&
       !(Rails.env.development? && request.path.starts_with?('/rails/'))

data/lib/generators/spina/templates/app/assets/config/spina/tailwind.config.js.tt

@@ -1,7 +1,7 @@
 module.exports = {
   content: [
     <%= Spina.config.tailwind_content.map{|path|"'#{path}'"}.join(",\n") %>
-  ],  
+  ],
   theme: {
     fontFamily: {
       body: ['Metropolis'],
@@ -18,8 +18,6 @@ module.exports = {
     }
   },
   plugins: [
-    require('@tailwindcss/forms'),
-    require('@tailwindcss/aspect-ratio'),
-    require('@tailwindcss/typography'),
+    <%= Spina.config.tailwind_plugins.map {|plugin|"require('#{plugin}')"}.join(",\n\t") %>
   ]
 }

data/lib/generators/spina/templates/app/views/demo/shared/_languages.html.erb

@@ -1,5 +1,5 @@
-<% if Spina.config.locales.size > 1 %>
+<% if Spina.locales.size > 1 %>
   <div id="languages">
-    <%= Spina.config.locales.map{|l| link_to_unless(l == I18n.locale, l.upcase, root_url(params: {locale: l}))}.join(' / ').html_safe %>
+    <%= Spina.locales.map{|l| link_to_unless(l == I18n.locale, l.upcase, root_url(params: {locale: l}))}.join(' / ').html_safe %>
   </div>
 <% end %>

data/lib/generators/spina/templates/config/initializers/spina.rb

@@ -2,7 +2,8 @@ Spina.configure do |config|
   # Locales
   # ===============
   # All locales your content should be available in.
-  # config.locales = [I18n.default_locale]
+  # Defaults to I18n.default_locale
+  # config.locales = [:en, :nl]
 
   # Backend path
   # ===============

data/lib/spina/version.rb

@@ -1,3 +1,3 @@
 module Spina
-  VERSION = "2.10.0"
+  VERSION = "2.11.0"
 end

data/lib/spina.rb

@@ -22,17 +22,18 @@ module Spina
   config_accessor :api_key,
                   :api_path,
                   :authentication,
-                  :backend_path, 
+                  :backend_path,
                   :importmap,
                   :frontend_parent_controller,
                   :disable_frontend_routes,
                   :disable_decorator_load,
-                  :locales, 
+                  :locales,
                   :embedded_image_size,
                   :mailer_defaults,
                   :thumbnail_image_size,
                   :party_pooper,
                   :tailwind_content,
+                  :tailwind_plugins,
                   :queues,
                   :transliterations
 
@@ -50,17 +51,17 @@ module Spina
   self.locales = [I18n.default_locale]
   self.party_pooper = false
   self.transliterations = %i(latin)
-  
+
   # Queues for background jobs
   # - config.queues.page_updates
   self.queues = ActiveSupport::InheritableOptions.new
-  
+
   # An importmap specifically meant for Spina
   self.importmap = Importmap::Map.new
-    
+
   # Tailwind content
-  # In order for Tailwind to generate all of the CSS Spina needs, 
-  # it needs to know about every single file in your project 
+  # In order for Tailwind to generate all of the CSS Spina needs,
+  # it needs to know about every single file in your project
   # that contains any Tailwind class names.
   # Make sure to add your own glob patterns if you're extending
   # Spina's UI.
@@ -70,39 +71,41 @@ module Spina
                            "#{Spina::Engine.root}/app/assets/javascripts/**/*.js",
                            "#{Spina::Engine.root}/app/**/application.tailwind.css"]
 
+  self.tailwind_plugins = %w[@tailwindcss/forms @tailwindcss/aspect-ratio @tailwindcss/typography]
+
   # Images that are embedded in the Trix editor are resized to fit
   # You can optimize this for your website and go for a smaller (or larger) size
   # Default: 2000x2000px
   class << self
     alias_method :config_original, :config
-    
+
     def config
       config_obj = self.config_original
-      
+
       def config_obj.tailwind_purge_content
         ActiveSupport::Deprecation.warn("config.tailwind_purge_content has been renamed to config.tailwind_content")
         tailwind_content
       end
-      
+
       def config_obj.tailwind_purge_content=(paths)
         ActiveSupport::Deprecation.warn("config.tailwind_purge_content has been renamed to config.tailwind_content")
         tailwind_content = paths
       end
-      
+
       def config_obj.embedded_image_size=(image_size)
         if image_size.is_a? String
           ActiveSupport::Deprecation.warn("Spina embedded_image_size should be set to an array of arguments to be passed to the :resize_to_limit ImageProcessing macro. https://github.com/janko/image_processing/blob/master/doc/minimagick.md#resize_to_limit")
         end
-        
+
         self[:embedded_image_size] = image_size
       end
-      
+
       config_obj
     end
-    
+
     def mounted_at
       Spina::Engine.routes.find_script_name({})
     end
-    
+
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: spina
 version: !ruby/object:Gem::Version
-  version: 2.10.0
+  version: 2.11.0
 platform: ruby
 authors:
 - Bram Jetten
-autorequire:
+autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-04-06 00:00:00.000000000 Z
+date: 2022-07-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -948,6 +948,7 @@ files:
 - app/controllers/spina/admin/move_pages_controller.rb
 - app/controllers/spina/admin/navigation_items_controller.rb
 - app/controllers/spina/admin/navigations_controller.rb
+- app/controllers/spina/admin/page_translations_controller.rb
 - app/controllers/spina/admin/pages_controller.rb
 - app/controllers/spina/admin/parent_pages_controller.rb
 - app/controllers/spina/admin/password_resets_controller.rb
@@ -1096,6 +1097,7 @@ files:
 - app/views/spina/user_mailer/forgot_password.html.erb
 - app/views/spina/user_mailer/forgot_password.text.erb
 - config/initializers/importmap.rb
+- config/initializers/yaml_column_permitted_classes.rb
 - config/locales/TH.yml
 - config/locales/bg.yml
 - config/locales/de.yml
@@ -1177,7 +1179,7 @@ metadata:
   documentation_uri: https://www.spinacms.com/docs
   changelog_uri: https://github.com/SpinaCMS/Spina/blob/main/CHANGELOG.md
   source_code_uri: https://github.com/SpinaCMS/Spina
-post_install_message:
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -1192,8 +1194,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.7
-signing_key:
+rubygems_version: 3.1.6
+signing_key: 
 specification_version: 4
 summary: Spina
 test_files: []