Merge pull request #2145 from AlchemyCMS/do-not-leak-all-pages-in-api
tvdeyen authored Jul 10, 2021
2 parents f3a9a2d + f8db000 commit bf8a9fb
Showing 3 changed files with 28 additions and 30 deletions.
20 changes: 12 additions & 8 deletions app/controllers/alchemy/api/elements_controller.rb
Expand Up @@ -9,21 +9,25 @@ class Api::ElementsController < Api::BaseController
# If you want to only load a specific type of element pass ?named=an_element_name
#
def index
if params[:page_id].present?
@page = Page.find(params[:page_id])
@elements = @page.elements.not_nested
# Fix for cancancan not able to merge multiple AR scopes for logged in users
if cannot? :manage, Alchemy::Element
@elements = Alchemy::Element.accessible_by(current_ability, :index)
else
@elements = Element.not_nested.joins(:page_version).merge(PageVersion.published)
@elements = Alchemy::Element.all
end

# Fix for cancancan not able to merge multiple AR scopes for logged in users
if cannot? :manage, Alchemy::Element
@elements = @elements.accessible_by(current_ability, :index)
@elements = @elements.not_nested.joins(:page_version).merge(PageVersion.published)

if params[:page_id].present?
@elements = @elements.includes(:page).where(alchemy_pages: { id: params[:page_id] })
else
@elements = @elements.includes(*element_includes)
end

if params[:named].present?
@elements = @elements.named(params[:named])
end
@elements = @elements.includes(*element_includes).order(:position)
@elements = @elements.order(:position)

render json: @elements, adapter: :json, root: "elements"
end
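Review bot: The `page_id` branch now eager-loads only `:page` and skips `includes(*element_includes)`, which the replaced `includes(*element_includes).order(:position)` line applied to every request, so serializing one page's elements will issue an extra query per element for whatever `element_includes` covers (I cannot tell from this hunk what that list contains). Applying the includes before the branch keeps both paths equal, e.g. `@elements = @elements.includes(*element_includes)` before the `if`, keeping `includes(:page)` in the `page_id` branch only if `element_includes` does not already reference the pages table (the `where(alchemy_pages: ...)` hash needs that table joined). Separately, replacing `Page.find` changes the contract for an unknown or unpublished `page_id` from a 404 to a 200 with an empty `elements` array, and an array-valued `page_id` now turns into an `IN` query; if both are intended, a short comment on the branch such as `# Unknown, draft-only or inaccessible pages yield an empty list rather than 404` would spare the next reader the guess.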
6 changes: 4 additions & 2 deletions app/controllers/alchemy/api/pages_controller.rb
Expand Up @@ -7,10 +7,12 @@ class Api::PagesController < Api::BaseController
# Returns all pages as json object
#
def index
@pages = Language.current&.pages.presence || Alchemy::Page.none
# Fix for cancancan not able to merge multiple AR scopes for logged in users
if cannot? :edit_content, Alchemy::Page
@pages = @pages.accessible_by(current_ability, :index)
@pages = Alchemy::Page.accessible_by(current_ability, :index)
@pages = @pages.where(language: Language.current)
else
@pages = Language.current&.pages.presence || Alchemy::Page.none
end
@pages = @pages.includes(*page_includes)
@pages = @pages.ransack(params[:q]).result
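Review bot: The two branches now derive `@pages` differently: the `cannot?` branch filters with `where(language: Language.current)`, while the `else` branch keeps `Language.current&.pages.presence || Alchemy::Page.none`, whose `presence` loads every page of the language just to test emptiness before `includes`/`ransack` issue a second query. Unless pages with a NULL `language_id` exist (cannot tell from here), `where(language: Language.current)` already yields no rows when no language is current, so only the root relation needs to be chosen per branch and the language filter can be hoisted: `@pages = cannot?(:edit_content, Alchemy::Page) ? Alchemy::Page.accessible_by(current_ability, :index) : Alchemy::Page.all` followed by `@pages = @pages.where(language: Language.current)`. If the `presence || none` guard is kept deliberately, a comment saying why the editor path must not use the same filter would help. The `index` method continues past the end of this hunk.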
32 changes: 12 additions & 20 deletions spec/features/admin/link_overlay_spec.rb
Expand Up @@ -47,7 +47,6 @@
let!(:article) do
create(:alchemy_element,
name: "article",
page: page1,
page_version: page1.draft_version,
autogenerate_contents: true)
end
Expand All @@ -60,29 +59,22 @@
click_link "Link text"
end

begin
within "#overlay_tab_internal_link" do
expect(page).to have_selector("#s2id_page_urlname")
select2_search(page2.name, from: "Page")
click_link "apply"
end

within "#element_#{article.id}" do
click_button "Save"
end

within "#flash_notices" do
expect(page).to have_content "Saved element."
end
within "#overlay_tab_internal_link" do
expect(page).to have_selector("#s2id_page_urlname")
select2_search(page2.name, from: "Page")
click_button "apply"
end

click_button_with_label "Publish page"
within "#element_#{article.id}" do
click_button "Save"
end

visit "/#{page1.urlname}"
within "#flash_notices" do
expect(page).to have_content "Saved element."
end

within_frame "alchemy_preview_window" do
expect(page).to have_link("Link me", href: "/#{page2.urlname}")
rescue Capybara::ElementNotFound => e
pending e.message
raise e
end
end
end
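Review bot: The rewritten scenario no longer publishes `page1` or visits `/#{page1.urlname}`, so the internal link is asserted only inside the editor's `alchemy_preview_window` frame; the public rendering that the removed `click_button_with_label "Publish page"` and `visit` steps exercised is no longer covered by this spec. If that coverage lives elsewhere, a one-line comment above `within_frame "alchemy_preview_window"` such as `# Public rendering of internal links is covered by the page rendering specs` would stop a reader from assuming it was dropped; otherwise consider keeping the publish-and-visit assertion after the preview check. Removing the `rescue Capybara::ElementNotFound` / `pending` wrapper is an improvement, since it let a missing selector mark the example pending instead of failing. The `it` block this hunk edits begins before the hunk.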
