From 0b24271594f6418dfcd67fc0e73589b43148772f Mon Sep 17 00:00:00 2001
From: Thomas von Deyen
Date: Thu, 1 Jul 2021 12:35:24 +0200
Subject: [PATCH] Do not leak all pages for guest users in API controller

CanCanCan does not respect any scope set before `accessible_by`. We need to make sure the additional scopes get called afterwards.
---
 app/controllers/alchemy/api/pages_controller.rb | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/app/controllers/alchemy/api/pages_controller.rb b/app/controllers/alchemy/api/pages_controller.rb
index eea42991bf..a133cfe7b0 100644
--- a/app/controllers/alchemy/api/pages_controller.rb
+++ b/app/controllers/alchemy/api/pages_controller.rb
@@ -7,10 +7,12 @@ class Api::PagesController < Api::BaseController
 # Returns all pages as json object
 #
 def index
- @pages = Language.current&.pages.presence || Alchemy::Page.none
 # Fix for cancancan not able to merge multiple AR scopes for logged in users
 if cannot? :edit_content, Alchemy::Page
- @pages = @pages.accessible_by(current_ability, :index)
+ @pages = Alchemy::Page.accessible_by(current_ability, :index)
+ @pages = @pages.where(language: Language.current)
+ else
+ @pages = Language.current&.pages.presence || Alchemy::Page.none
 end
 @pages = @pages.includes(*page_includes)
 @pages = @pages.ransack(params[:q]).result
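Review bot: In the guest branch the new `@pages.where(language: Language.current)` has no nil guard: when `Language.current` is nil the old code (and the new `else` branch) falls back to `Alchemy::Page.none`, whereas `where(language: nil)` turns into a `language_id IS NULL` filter and, I believe, would return any language-less pages rather than nothing. Keeping the previous fallback, e.g. `@pages = Language.current ? @pages.where(language: Language.current) : Alchemy::Page.none`, makes both branches behave the same when no current language is set. The comment above the `if` is now slightly stale relative to the reordering; consider `# CanCanCan's accessible_by ignores scopes applied before it, so start from the class and add the language scope afterwards`. The `index` method's closing `end` lies outside the hunk.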