spree_admin 5.4.3 → 5.5.0.rc2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9a5af2b78a13b13f570093bfe92c6d6c6b3ade67ec72e294fbf0f1ffd9c121d6
-  data.tar.gz: 6dfa405d89717625d66b270fe16f7343bb8ec532f8ba673ee856361eb3682e92
+  metadata.gz: cf50ce30e9bb9efb5d77bfc984d87f921c997520125e78b375c375d391999aec
+  data.tar.gz: 8bbc5de5e700786db47adc040e6e048901503bb9572d382302336d33a7531866
 SHA512:
-  metadata.gz: 9172a34304882f931b1bf56502ffd09121ca3497d8e3b24b5520dc03cf6cebf5a70c6e284615098dc4c70462f153aa204899911f152902e75317b5130760222d
-  data.tar.gz: 91f7065af97ecddea447d6add3cd60ab8d36ceb6590ced8ca3e74bbe65a26eeded78625209b38e5b5ad9f26e43605bdc05fb594664f0d1aad1fbe51af22f17b9
+  metadata.gz: 3dd8c8013f072e443fb99b2c70450f005904f0d738870dcf6182e4edd39810fb462e6869eea08cc0ebc235d2d55895750469eaff710b4958fd86880952108aff
+  data.tar.gz: d032bec7f6a7f7eee57054a1b4af6e36e19fca1b80ef276c9a95eb71d6451151c629e05446426893cf1fae120b52a97e9863eafc2644ef2b1a2ac65475030d59

data/app/controllers/concerns/spree/admin/auth_rate_limiting.rb

@@ -0,0 +1,58 @@
+module Spree
+  module Admin
+    module AuthRateLimiting
+      extend ActiveSupport::Concern
+
+      class_methods do
+        # @param limit_preference [Symbol] e.g. :rate_limit_login / :rate_limit_password_reset
+        # @param redirect_to [Proc] evaluated in controller context to the path to bounce
+        #   back to when rate limited, e.g. `-> { new_session_path(resource_name) }`.
+        # @return [void]
+        def auth_rate_limit(limit_preference, redirect_to:)
+          limit  = Spree::Admin::RuntimeConfig[limit_preference] || 5
+          window = (Spree::Admin::RuntimeConfig[:rate_limit_window] || 60).seconds
+          prefix = limit_preference.to_s # unique namespace per controller/action
+
+          # By IP — always present; backstops blank-email floods.
+          rate_limit(
+            to: limit,
+            within: window,
+            by: -> { "#{prefix}-ip:#{request.remote_ip}" },
+            with: -> { admin_auth_rate_limit_response(redirect_to) },
+            store: Rails.cache,
+            only: :create
+          )
+
+          # By submitted email (case-insensitive). Falls back to per-IP bucketing when
+          # the email is blank, so blank submissions don't all share one global bucket.
+          rate_limit(
+            to: limit,
+            within: window,
+            by: lambda {
+              email = admin_auth_rate_limit_email
+              email.present? ? "#{prefix}-email:#{email}" : "#{prefix}-email-ip:#{request.remote_ip}"
+            },
+            with: -> { admin_auth_rate_limit_response(redirect_to) },
+            store: Rails.cache,
+            only: :create
+          )
+        end
+      end
+
+      private
+
+      # Email is read via Devise's `resource_params` so it works regardless of the
+      # configured admin user class / resource param key.
+      def admin_auth_rate_limit_email
+        resource_params[:email].to_s.strip.downcase.presence
+      rescue StandardError
+        nil
+      end
+
+      def admin_auth_rate_limit_response(redirect_path)
+        flash[:alert] = I18n.t('devise.failure.too_many_attempts')
+        redirect_to instance_exec(&redirect_path)
+      end
+    end
+  end
+end

data/app/controllers/spree/admin/assets_controller.rb

@@ -38,8 +38,14 @@ module Spree
 
       private
 
+      # Includes :variant_ids so the variant-assignment checkboxes mass-assign
+      # straight into Spree::Asset#variant_ids= — the model resolves prefixed
+      # ids and rejects cross-product variants.
       def permitted_resource_params
-        params.require(:asset).permit(Spree::PermittedAttributes.asset_attributes)
+        params.require(:asset).permit(
+          *Spree::PermittedAttributes.asset_attributes,
+          variant_ids: []
+        )
       end
 
       def create_turbo_stream_enabled?

data/app/controllers/spree/admin/channels_controller.rb

@@ -0,0 +1,13 @@
+module Spree
+  module Admin
+    class ChannelsController < ResourceController
+      include Spree::Admin::SettingsConcern
+
+      private
+
+      def permitted_resource_params
+        params.require(:channel).permit(permitted_channel_attributes)
+      end
+    end
+  end
+end

data/app/controllers/spree/admin/products_controller.rb

@@ -21,7 +21,7 @@ module Spree
       new_action.before :build_master_stock_items
       edit_action.before :build_master_prices
       edit_action.before :build_master_stock_items
-      create.after :assign_master_images
+      create.after :assign_session_uploaded_assets
       update.before :skip_updating_status
       update.before :update_status
       update.before :remove_empty_params
@@ -185,7 +185,7 @@ module Spree
           @product_variant_ids[variant.human_name] = variant.id.to_s
           @product_variant_prefix_ids[variant.human_name] = variant.to_param
 
-          image = variant.primary_media
+          image = variant.primary_media || @product.primary_media
           if image.present? && image.attached? && image.variable?
             @product_variant_images[variant.human_name] = helpers.spree_image_url(image, variant: :mini)
           end
@@ -287,15 +287,15 @@ module Spree
         {}
       end
 
-      def assign_master_images
-        return unless @product.master.persisted?
-
-        uploaded_assets = session_uploaded_assets('Spree::Variant')
+      def assign_session_uploaded_assets
+        uploaded_assets = session_uploaded_assets('Spree::Product')
 
         return if uploaded_assets.empty?
 
-        uploaded_assets.update_all(viewable_id: @product.master.id, viewable_type: 'Spree::Variant', updated_at: Time.current)
-        clear_session_for_uploaded_assets('Spree::Variant')
+        uploaded_assets.update_all(viewable_id: @product.id, viewable_type: 'Spree::Product', updated_at: Time.current)
+        @product.update_thumbnail!
+
+        clear_session_for_uploaded_assets('Spree::Product')
       end
 
       def check_slug_availability

data/app/controllers/spree/admin/user_passwords_controller.rb

@@ -1,8 +1,12 @@
 module Spree
   module Admin
     class UserPasswordsController < defined?(Devise::PasswordsController) ? Devise::PasswordsController : Spree::Admin::BaseController
+      include Spree::Admin::AuthRateLimiting
+
       layout 'spree/minimal'
 
+      auth_rate_limit :rate_limit_password_reset, redirect_to: -> { new_password_path(resource_name) }
+
       def create
         self.resource = resource_class.send_reset_password_instructions(resource_params)
         yield resource if block_given?

data/app/controllers/spree/admin/user_sessions_controller.rb

@@ -1,8 +1,12 @@
 module Spree
   module Admin
     class UserSessionsController < defined?(Devise::SessionsController) ? Devise::SessionsController : Spree::Admin::BaseController
+      include Spree::Admin::AuthRateLimiting
+
       layout 'spree/minimal'
 
+      auth_rate_limit :rate_limit_login, redirect_to: -> { new_session_path(resource_name) }
+
       # We need to overwrite this action because `return_to` url may be in a different domain
       # So we need to pass `allow_other_host` option to `redirect_to` method
       def create

data/app/helpers/spree/admin/assets_helper.rb

@@ -3,7 +3,11 @@ module Spree
     module AssetsHelper
       def media_form_assets(viewable, viewable_type)
         if viewable&.persisted?
-          viewable.images
+          # Product#images delegates to the master variant (legacy alias), so
+          # 5.5+ product-level uploads wouldn't show. gallery_media returns
+          # product-level media when present and falls back to legacy
+          # variant-pinned images during the transition.
+          viewable.respond_to?(:gallery_media) ? viewable.gallery_media : viewable.images
         elsif session_uploaded_assets(viewable_type).any?
           Spree::Asset.accessible_by(current_ability, :manage).where(id: session_uploaded_assets(viewable_type))
         else

data/app/helpers/spree/admin/base_helper.rb

@@ -36,14 +36,6 @@ module Spree
         @settings_area.present?
       end
 
-      def settings_active?
-        Spree::Deprecation.warn('settings_active? is deprecated and will be removed in Spree 5.5. Please use settings_area? instead')
-        @settings_active || %w[admin_users audits custom_domains exports invitations oauth_applications
-                               payment_methods refund_reasons reimbursement_types return_authorization_reasons roles
-                               shipping_categories shipping_methods stock_locations store_credit_categories
-                               stores tax_categories tax_rates webhooks webhooks_subscribers zones policies metafield_definitions].include?(controller_name) || settings_area?
-      end
-
       # @return [Array<String>] the available countries for checkout
       def available_countries_iso
         @available_countries_iso ||= current_store.countries_available_for_checkout.pluck(:iso)

data/app/helpers/spree/admin/channels_helper.rb

@@ -0,0 +1,14 @@
+module Spree
+  module Admin
+    module ChannelsHelper
+      # Registered +Spree::OrderRouting::Strategy::Base+ subclasses presented in
+      # the channel edit form, sourced from +Spree.order_routing.strategies+ so the
+      # picker can never drift from what the model accepts. A blank value clears the
+      # channel-level override and falls back to
+      # +Store#preferred_order_routing_strategy+.
+      def channel_order_routing_strategy_options
+        Spree.order_routing.strategies.map { |strategy| [strategy.display_name, strategy.to_s] }
+      end
+    end
+  end
+end

data/app/helpers/spree/admin/json_preview_helper.rb

@@ -69,6 +69,11 @@ module Spree
           return Spree.api.public_send(method_name)
         end
 
+        if namespace == 'Spree::Api::V3::Admin'
+          method_name = "admin_#{class_name.underscore}_serializer"
+          return Spree.api.public_send(method_name) if Spree.api.respond_to?(method_name)
+        end
+
         # Fall back to direct constant lookup
         serializer_class_name = "#{namespace}::#{class_name}Serializer"
         serializer_class_name.safe_constantize

data/app/helpers/spree/admin/orders_helper.rb

@@ -1,24 +1,6 @@
 module Spree
   module Admin
     module OrdersHelper
-      TaxLine = Struct.new(:label, :display_amount, :item, :for_shipment, keyword_init: true) do
-        def name
-          Spree::Deprecation.warn("TaxLine is deprecated and will be removed in Spree 5.5")
-          item_name = item.name
-          item_name += " #{Spree.t(:shipment).downcase}" if for_shipment
-
-          "#{label} (#{item_name})"
-        end
-      end
-
-      def order_summary_tax_lines_additional(order)
-        Spree::Deprecation.warn("order_summary_tax_lines_additional is deprecated and will be removed in Spree 5.5")
-        line_item_taxes = order.line_item_adjustments.tax.map { |tax_adjustment| map_to_tax_line(tax_adjustment) }
-        shipment_taxes = order.shipment_adjustments.tax.map { |tax_adjustment| map_to_tax_line(tax_adjustment, for_shipment: true) }
-
-        line_item_taxes + shipment_taxes
-      end
-
       def order_payment_state(order, options = {})
         return if order.payment_state.blank?
 
@@ -140,17 +122,6 @@ module Spree
           '' => 'Transaction failed because wrong CVV2 number was entered or no CVV2 number was entered'
         }
       end
-
-      private
-
-      def map_to_tax_line(tax_adjustment, for_shipment: false)
-        TaxLine.new(
-          label: tax_adjustment.label,
-          display_amount: tax_adjustment.display_amount,
-          item: tax_adjustment.adjustable,
-          for_shipment: for_shipment
-        )
-      end
     end
   end
 end

data/app/helpers/spree/admin/publishing_helper.rb

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+module Spree
+  module Admin
+    # Helpers for the product Publishing card in the Rails admin. Mirrors the
+    # SPA's publishing card (see packages/dashboard/src/components/spree/products/publishing-card.tsx):
+    # per-channel status is gated by product status — Draft/Archived products
+    # render every publication as +not_available+ regardless of window.
+    module PublishingHelper
+      # @param product_status [String] the product's status (draft/active/archived)
+      # @param publication [Spree::ProductPublication]
+      # @return [Symbol] one of :live, :scheduled, :hidden, :not_available
+      def publication_schedule_status(product_status, publication)
+        return :not_available unless product_status == 'active'
+
+        now = Time.current
+        return :hidden if publication.unpublished_at && publication.unpublished_at <= now
+        return :scheduled if publication.published_at && publication.published_at > now
+
+        :live
+      end
+
+      # Renders a colored dot + status label for a publication row.
+      def publication_status_badge(product_status, publication)
+        status = publication_schedule_status(product_status, publication)
+        dot_class = case status
+                    when :live then 'bg-success'
+                    when :scheduled then 'bg-warning'
+                    else 'bg-secondary'
+                    end
+
+        label = Spree.t("admin.publishing.status_#{status}")
+
+        content_tag(:span, class: 'd-inline-flex align-items-center gap-1 text-muted small') do
+          content_tag(:span, '', class: "publication-dot rounded-circle #{dot_class}",
+                                 style: 'display:inline-block; width:0.5rem; height:0.5rem;') +
+            content_tag(:span, label)
+        end
+      end
+
+      # One-line summary of the publication window in the store's timezone.
+      def publication_caption(product_status, publication, store)
+        status = publication_schedule_status(product_status, publication)
+        tz = ActiveSupport::TimeZone[store.preferred_timezone] || Time.zone
+
+        case status
+        when :not_available
+          Spree.t('admin.publishing.caption_not_available',
+                  product_status: Spree.t("admin.products.status_options.#{product_status}", default: product_status.to_s.humanize))
+        when :hidden
+          Spree.t('admin.publishing.caption_unpublished',
+                  date: l(publication.unpublished_at.in_time_zone(tz), format: :short))
+        when :scheduled
+          if publication.unpublished_at
+            Spree.t('admin.publishing.caption_window',
+                    start: l(publication.published_at.in_time_zone(tz), format: :short),
+                    end:   l(publication.unpublished_at.in_time_zone(tz), format: :short))
+          else
+            Spree.t('admin.publishing.caption_scheduled',
+                    date: l(publication.published_at.in_time_zone(tz), format: :short))
+          end
+        else # :live
+          if publication.unpublished_at
+            Spree.t('admin.publishing.caption_hidden_after',
+                    date: l(publication.unpublished_at.in_time_zone(tz), format: :short))
+          else
+            Spree.t('admin.publishing.caption_live')
+          end
+        end
+      end
+    end
+  end
+end

data/app/helpers/spree/admin/turbo_helper.rb

@@ -1,24 +1,6 @@
 module Spree
   module Admin
     module TurboHelper
-      def turbo_close_modal(modal_id = nil)
-        Spree::Deprecation.warn('turbo_close_modal is deprecated and will be removed in Spree 5.5. Use turbo_close_dialog instead.')
-
-        modal_id ||= 'modal'
-
-        turbo_stream.replace :modal_scripts do
-          turbo_frame_tag :modal_scripts do
-            javascript_tag do
-              raw <<~JS
-                if (document.querySelector('##{modal_id}')) {
-                  window.$("##{modal_id}").modal('hide');
-                }
-              JS
-            end
-          end
-        end
-      end
-
       def turbo_close_dialog
         turbo_stream.replace 'main-dialog' do
           render 'spree/admin/shared/dialog'

data/app/helpers/spree/admin/webhook_endpoints_helper.rb

@@ -93,6 +93,7 @@ module Spree
       def custom_webhook_events
         %w[
           customer.password_reset_requested
+          newsletter_subscriber.subscription_requested
           order.completed
           order.paid
           order.canceled

data/app/javascript/spree/admin/application.js

@@ -68,6 +68,7 @@ import OrderBillingAddressController from 'spree/admin/controllers/order_billing
 import PageBuilderController from 'spree/admin/controllers/page_builder_controller'
 import PasswordToggle from 'spree/admin/controllers/password_toggle_controller'
 import ProductFormController from 'spree/admin/controllers/product_form_controller'
+import ProductPublishingController from 'spree/admin/controllers/product_publishing_controller'
 import QueryBuilderController from 'spree/admin/controllers/query_builder_controller'
 import RangeInputController from 'spree/admin/controllers/range_input_controller'
 import TableController from 'spree/admin/controllers/table_controller'
@@ -140,6 +141,7 @@ application.register('page-builder', PageBuilderController)
 application.register('password-toggle', PasswordToggle)
 application.register('password-visibility', PasswordVisibility)
 application.register('product-form', ProductFormController)
+application.register('product-publishing', ProductPublishingController)
 application.register('query-builder', QueryBuilderController)
 application.register('range-input', RangeInputController)
 application.register('table', TableController)

data/app/javascript/spree/admin/controllers/product_form_controller.js

@@ -4,10 +4,6 @@ export default class extends Controller {
   static targets = [
     'trackInventoryCheckbox',
     'quantityForm',
-    'availableOn',
-    'makeActiveAt',
-    'discontinueOn',
-    'status',
     'pricesForm'
   ]
 
@@ -26,28 +22,6 @@ export default class extends Controller {
     this.togglePricesFormVisibility()
   }
 
-  switchAvailabilityDatesFields(event) {
-    let status = event.target.value
-    if (status === 'draft') {
-      this.show(this.availableOnTarget)
-      this.show(this.makeActiveAtTarget)
-    } else if (status === 'active') {
-      this.show(this.availableOnTarget)
-      this.hide(this.makeActiveAtTarget)
-    } else {
-      this.hide(this.availableOnTarget)
-      this.hide(this.makeActiveAtTarget)
-    }
-  }
-
-  show(element) {
-    element.classList.remove('hidden', 'd-none')
-  }
-
-  hide(element) {
-    element.classList.add('hidden')
-  }
-
   toggleQuantityFormVisibility() {
     if (this.hasQuantityFormTarget) {
       if (!this.hasVariantsValue && this.trackInventoryCheckboxTarget.checked) {

data/app/javascript/spree/admin/controllers/product_publishing_controller.js

@@ -0,0 +1,11 @@
+import { Controller } from '@hotwired/stimulus'
+
+// Toggles the "Manage" channel-checkbox panel on the product Publishing card.
+// Pairs with spree/admin/app/views/spree/admin/products/form/_publishing.html.erb.
+export default class extends Controller {
+  static targets = ['manage']
+
+  toggleManage() {
+    this.manageTarget.classList.toggle('d-none')
+  }
+}

data/app/javascript/spree/admin/controllers/slug_form_controller.js

@@ -6,9 +6,26 @@ export default class extends Controller {
     'url',
   ]
 
+  connect() {
+    this.urlTouched = this.hasUrlTarget && this.urlTarget.value.length > 0
+    if (this.hasUrlTarget) {
+      this.urlTarget.addEventListener('input', () => { this.urlTouched = true })
+    }
+  }
+
   updateUrlFromName() {
+    if (this.urlTouched) return
     const name = this.nameTarget.value
-    const url = name.toLowerCase().replace(/[^a-z0-9]+/g, '-').replace(/(^-|-$)+/g, '')
+    // Mirrors ActiveSupport's +String#parameterize+: NFKD decompose, drop
+    // combining marks (accents), lowercase, hyphenate the rest. Keeps the
+    // legacy admin's auto-fill aligned with what +normalizes :code+ stores
+    // server-side — without NFKD, "Café" rendered "caf-" instead of "cafe".
+    const url = name
+      .normalize('NFKD')
+      .replace(/\p{M}/gu, '')
+      .toLowerCase()
+      .replace(/[^a-z0-9]+/g, '-')
+      .replace(/(^-|-$)+/g, '')
     this.urlTarget.value = url
   }
 }

data/app/presenters/spree/admin/order_summary_presenter.rb

@@ -13,6 +13,7 @@ module Spree
         [
           *metadata_rows,
           :separator,
+          channel_row,
           market_row,
           locale_row,
           currency_row,
@@ -73,6 +74,17 @@ module Spree
         rows
       end
 
+      def channel_row
+        return nil if order.channel.blank?
+
+        {
+          label: Spree.t(:channel),
+          value: order.channel.name,
+          id: 'channel',
+          link: Spree::Core::Engine.routes.url_helpers.edit_admin_channel_path(order.channel)
+        }
+      end
+
       def market_row
         return nil if order.market.blank?
 

data/app/views/spree/admin/api_keys/_form.html.erb

@@ -24,3 +24,21 @@
     <% end %>
   </div>
 </div>
+
+<div class="card mb-6" id="api-key-scopes" data-secret-only data-show-when-key-type="secret">
+  <div class="card-header">
+    <h5 class="card-title"><%= Spree.t('admin.api_keys.scopes', default: 'Scopes') %></h5>
+    <p class="text-sm text-gray-500 mt-1">
+      <%= Spree.t('admin.api_keys.scopes_description', default: 'Required for secret keys. Pick the narrowest set of scopes your integration needs.') %>
+    </p>
+  </div>
+  <div class="card-body">
+    <% Spree::ApiKey::SCOPES.each do |scope| %>
+      <div class="custom-control form-checkbox mb-1">
+        <%= f.check_box :scopes, { multiple: true, class: 'custom-control-input', id: "api_key_scopes_#{scope}" }, scope, nil %>
+        <%= f.label "scopes_#{scope}", scope, class: 'custom-control-label font-mono text-sm' %>
+      </div>
+    <% end %>
+    <%= f.hidden_field :scopes, value: '', multiple: true %>
+  </div>
+</div>

data/app/views/spree/admin/assets/edit.html.erb

@@ -1,17 +1,72 @@
-<%= turbo_frame_tag :dialog do %>
-  <%= dialog_header(Spree.t(:edit) + ' ' + Spree.t(:image)) %>
+<%= turbo_frame_tag :drawer do %>
   <%= form_with model: @asset, url: spree.admin_asset_path(@asset), method: :put, scope: :asset do |f| %>
-    <div class="dialog-body pb-0" data-turbo-permanent id="asset-<%= @asset.key.parameterize %>">
-      <%= f.spree_file_field :attachment, width: 200, height: 200, can_delete: false, label: Spree.t(:image) %>
+    <%= drawer_header(Spree.t(:edit) + ' ' + Spree.t(:image)) %>
+
+    <div class="drawer-body">
+      <% if @asset.attachment.attached? %>
+        <% blob_url_opts = { host: request.host_with_port, protocol: (request.ssl? ? 'https' : 'http') } %>
+        <% download_url = Rails.application.routes.url_helpers.rails_blob_url(@asset.attachment.blob, **blob_url_opts, disposition: 'attachment') %>
+        <% original_url = Rails.application.routes.url_helpers.rails_blob_url(@asset.attachment.blob, **blob_url_opts) %>
+        <div class="mb-4 rounded-lg border bg-light overflow-hidden">
+          <a href="<%= original_url %>"
+             target="_blank"
+             rel="noopener"
+             title="<%= Spree.t(:view_full_size) %>"
+             style="display: block; position: relative; cursor: zoom-in;">
+            <%= spree_image_tag(@asset.attachment, variant: :large, alt: @asset.alt, class: 'w-full max-h-96 object-contain') %>
+            <span style="position: absolute; top: 8px; right: 8px; display: inline-flex; align-items: center; justify-content: center; width: 32px; height: 32px; border-radius: 6px; background: rgba(255,255,255,0.95); color: #4b5563; box-shadow: 0 1px 2px rgba(0,0,0,0.1); pointer-events: none;">
+              <%= icon('zoom-in', class: 'mr-0') %>
+            </span>
+          </a>
+        </div>
+        <div class="flex gap-2 mb-4">
+          <%= link_to original_url, target: '_blank', rel: 'noopener', class: 'btn btn-light btn-sm' do %>
+            <%= icon('external-link', class: 'mr-1') %><%= Spree.t(:view_full_size) %>
+          <% end %>
+          <%= link_to download_url, target: '_blank', rel: 'noopener', class: 'btn btn-light btn-sm' do %>
+            <%= icon('download', class: 'mr-1') %><%= Spree.t(:download) %>
+          <% end %>
+        </div>
+      <% else %>
+        <%= f.spree_file_field :attachment, width: 200, height: 200, can_delete: false, label: Spree.t(:image) %>
+      <% end %>
+
+      <%= f.spree_text_area :alt, label: Spree.t(:alt_text), rows: 3 %>
+
+      <%# Variant assignment shows only for product-level assets — variant-pinned assets
+          already live on a single variant via the polymorphic viewable, so the
+          join-table UI doesn't apply. Empty submission (no boxes ticked) clears
+          all links thanks to the hidden field below. %>
+      <% if @asset.viewable_type == 'Spree::Product' && @asset.viewable.present? && @asset.viewable.variants.any? %>
+        <% product = @asset.viewable %>
+        <% linked_ids = @asset.variant_media.pluck(:variant_id).to_set %>
+        <div class="mt-4 pt-4 border-t">
+          <label class="form-label"><%= Spree.t(:assigned_variants) %></label>
+          <p class="text-muted small mb-2">
+            <%= Spree.t(:assigned_variants_help) %>
+          </p>
+          <%= hidden_field_tag 'asset[variant_ids][]', '' %>
+          <div class="flex flex-col gap-1">
+            <% product.variants.each do |variant| %>
+              <% chip_id = "asset_variant_#{variant.id}" %>
+              <div class="custom-control form-checkbox rounded-lg hover:bg-gray-100 p-2 transition-colors duration-100 ease-linear">
+                <%= check_box_tag('asset[variant_ids][]', variant.to_param, linked_ids.include?(variant.id), id: chip_id, class: 'custom-control-input') %>
+                <%= label_tag chip_id, class: 'custom-control-label' do %>
+                  <%= variant.descriptive_name.presence || variant.sku %>
+                <% end %>
+              </div>
+            <% end %>
+          </div>
+        </div>
+      <% end %>
     </div>
-    <div class="dialog-body" style="min-height: 200px">
-      <%= f.spree_text_area :alt, label: Spree.t(:alt_text), rows: 4 %>
-    </div>
-    <div class="dialog-footer">
+
+    <div class="drawer-footer gap-3">
       <%= turbo_save_button_tag %>
+      <%= drawer_discard_button %>
       <%= link_to Spree.t('actions.destroy'), object_url(@asset),
           data: { turbo_method: :delete, turbo_confirm: Spree.t(:are_you_sure_delete), turbo_frame: '_top' },
           class: 'btn btn-danger ml-auto' if can?(:destroy, @asset) %>
     </div>
   <% end %>
-<% end %>
+<% end %>

data/app/views/spree/admin/channels/_form.html.erb

@@ -0,0 +1,19 @@
+<div class="card mb-6">
+  <div class="card-body" data-controller="slug-form">
+    <%= f.spree_text_field :name,
+                           autofocus: f.object.new_record?,
+                           required: true,
+                           data: { slug_form_target: :name, action: 'slug-form#updateUrlFromName' } %>
+    <%= f.spree_text_field :code,
+                           required: true,
+                           hint: Spree.t('admin.channels.code_hint'),
+                           data: { slug_form_target: :url } %>
+    <%= f.spree_check_box :active, label: Spree.t(:active) %>
+    <%= f.spree_check_box :default, label: Spree.t('admin.channels.default'), hint: Spree.t('admin.channels.default_hint') %>
+    <%= f.spree_select :preferred_order_routing_strategy,
+        options_for_select(channel_order_routing_strategy_options, f.object.preferred_order_routing_strategy),
+        { label: Spree.t('admin.channels.order_routing_strategy'),
+          help_bubble: Spree.t('admin.channels.order_routing_strategy_hint'),
+          include_blank: Spree.t('admin.channels.order_routing_strategy_inherit') } %>
+  </div>
+</div>

data/app/views/spree/admin/channels/edit.html.erb

@@ -0,0 +1 @@
+<%= render 'spree/admin/shared/edit_resource' %>

data/app/views/spree/admin/channels/index.html.erb

@@ -0,0 +1,12 @@
+<% content_for :page_title do %>
+  <%= Spree.t(:channels) %>
+<% end %>
+
+<% content_for :page_actions do %>
+  <%= render_admin_partials(:channels_actions_partials) %>
+  <%= link_to_with_icon 'plus', Spree.t(:new_channel), new_object_url, class: "btn btn-primary" if can? :create, Spree::Channel %>
+<% end %>
+
+<%= render_admin_partials(:channels_header_partials) %>
+
+<%= render_table @collection, :channels %>

data/app/views/spree/admin/channels/new.html.erb

@@ -0,0 +1 @@
+<%= render 'spree/admin/shared/new_resource' %>