Merge branch '5.x' into 6.x

jasonvarga · jasonvarga · commit 8b23d006aa5d · 2026-02-11T10:38:17.000-05:00
# Conflicts:
#	CHANGELOG.md
#	resources/js/components/entries/PublishForm.vue
#	resources/js/components/terms/PublishForm.vue
#	routes/cp.php
#	src/Http/Controllers/CP/Assets/FoldersController.php
diff --git a/resources/js/components/entries/PublishForm.vue b/resources/js/components/entries/PublishForm.vue
@@ -507,7 +507,7 @@ export default {
         },
 
         afterSaveOption() {
-            return this.getPreference('after_save');
+            return this.getPreference('after_save') ?? 'listing';
         },
 
         originOptions() {
@@ -591,8 +591,8 @@ export default {
                         this.redirectTo(this.createAnotherUrl);
                     }
 
-                    // If the user has opted to go to listing (default/null option), redirect them there.
-                    else if (!this.isInline && nextAction === null) {
+                    // If the user has opted to go to listing, redirect them there.
+                    else if (!this.isInline && nextAction === 'listing') {
                         this.redirectTo(this.listingUrl);
                     }
 
@@ -760,8 +760,8 @@ export default {
                 this.redirectTo(this.createAnotherUrl);
             }
 
-            // If the user has opted to go to listing (default/null option), redirect them there.
-            else if (!this.isInline && nextAction === null) {
+            // If the user has opted to go to listing, redirect them there.
+            else if (!this.isInline && nextAction === 'listing') {
                 this.redirectTo(this.listingUrl);
             }
 
diff --git a/resources/js/components/publish/SaveButtonOptions.vue b/resources/js/components/publish/SaveButtonOptions.vue
@@ -65,9 +65,7 @@ export default {
         setPreference(value) {
             if (value === this.$preferences.get(this.preferencesKey)) return;
 
-            value === 'listing'
-                ? this.$preferences.remove(this.preferencesKey)
-                : this.$preferences.set(this.preferencesKey, value);
+            this.$preferences.set(this.preferencesKey, value);
         },
     },
 };
diff --git a/resources/js/components/terms/PublishForm.vue b/resources/js/components/terms/PublishForm.vue
@@ -301,7 +301,7 @@ export default {
         },
 
         afterSaveOption() {
-            return this.getPreference('after_save');
+            return this.getPreference('after_save') ?? 'listing';
         },
 
         direction() {
@@ -368,8 +368,8 @@ export default {
                         this.redirectTo(this.createAnotherUrl);
                     }
 
-                    // If the user has opted to go to listing (default/null option), redirect them there.
-                    else if (!this.isInline && nextAction === null) {
+                    // If the user has opted to go to listing, redirect them there.
+                    else if (!this.isInline && nextAction === 'listing') {
                         this.redirectTo(this.listingUrl);
                     }
 
diff --git a/routes/cp.php b/routes/cp.php
@@ -251,7 +251,6 @@
 
     Route::resource('asset-containers', AssetContainersController::class)->except('index');
     Route::post('asset-containers/{asset_container}/folders', [FoldersController::class, 'store']);
-    Route::patch('asset-containers/{asset_container}/folders/{path}', [FoldersController::class, 'update'])->where('path', '.*');
     Route::post('assets/actions', [AssetActionController::class, 'run'])->name('assets.actions.run');
     Route::post('assets/actions/list', [AssetActionController::class, 'bulkActions'])->name('assets.actions.bulk');
     Route::get('assets/browse', [BrowserController::class, 'index'])->name('assets.browse.index');
diff --git a/src/Entries/Entry.php b/src/Entries/Entry.php
@@ -445,7 +445,7 @@ public function save()
 
         $this->taxonomize();
 
-        if ($this->isDirty('slug')) {
+        if ($this->shouldUpdateUris()) {
             optional(Collection::findByMount($this))->updateEntryUris();
             $this->updateChildPageUris();
         }
@@ -477,6 +477,21 @@ public function save()
         return true;
     }
 
+    private function shouldUpdateUris(): bool
+    {
+        if (! $this->route()) {
+            return false;
+        }
+
+        $antlersRoute = preg_replace_callback('/{\s*([a-zA-Z0-9_\-]+)\s*}/', function ($match) {
+            return "{{ {$match[1]} }}";
+        }, $this->route());
+
+        return collect(Antlers::identifiers($antlersRoute))
+            ->filter(fn (string $identifier) => $this->isDirty($identifier))
+            ->isNotEmpty();
+    }
+
     private function updateChildPageUris()
     {
         $collection = $this->collection();
diff --git a/src/Http/Controllers/CP/Assets/PdfController.php b/src/Http/Controllers/CP/Assets/PdfController.php
@@ -15,9 +15,11 @@ class PdfController extends Controller
      */
     public function show($encodedAssetId)
     {
-        if (! $contents = $this->asset($encodedAssetId)->contents()) {
-            abort(500);
-        }
+        $asset = $this->asset($encodedAssetId);
+
+        abort_if(! $contents = $asset->contents(), 500);
+
+        $this->authorize('view', $asset);
 
         return response($contents)->header('Content-Type', 'application/pdf');
     }
diff --git a/src/Http/Controllers/CP/Assets/SvgController.php b/src/Http/Controllers/CP/Assets/SvgController.php
@@ -17,9 +17,9 @@ public function show($asset)
     {
         $asset = $this->asset($asset);
 
-        if (! $contents = $asset->disk()->get($asset->path())) {
-            abort(500);
-        }
+        abort_if(! $contents = $asset->disk()->get($asset->path()), 500);
+
+        $this->authorize('view', $asset);
 
         return response($contents)->header('Content-Type', 'image/svg+xml');
     }
diff --git a/src/Http/Controllers/CP/Assets/ThumbnailController.php b/src/Http/Controllers/CP/Assets/ThumbnailController.php
@@ -65,6 +65,8 @@ public function show($asset, $size = null, $orientation = null)
         $this->orientation = $orientation;
         $this->asset = $this->asset($asset);
 
+        $this->authorize('view', $this->asset);
+
         if ($placeholder = $this->getPlaceholderResponse()) {
             return $placeholder;
         }
diff --git a/tests/Feature/Assets/ImageThumbnailTest.php b/tests/Feature/Assets/ImageThumbnailTest.php
@@ -0,0 +1,84 @@
+<?php
+
+namespace Feature\Assets;
+
+use Illuminate\Http\UploadedFile;
+use PHPUnit\Framework\Attributes\Test;
+use Statamic\Facades\AssetContainer;
+use Statamic\Facades\User;
+use Tests\FakesRoles;
+use Tests\PreventSavingStacheItemsToDisk;
+use Tests\TestCase;
+
+class ImageThumbnailTest extends TestCase
+{
+    use FakesRoles;
+    use PreventSavingStacheItemsToDisk;
+
+    private $tempDir;
+
+    public function setUp(): void
+    {
+        parent::setUp();
+
+        config(['filesystems.disks.test' => [
+            'driver' => 'local',
+            'root' => $this->tempDir = __DIR__.'/tmp',
+        ]]);
+    }
+
+    public function tearDown(): void
+    {
+        app('files')->deleteDirectory($this->tempDir);
+
+        parent::tearDown();
+    }
+
+    #[Test]
+    public function it_returns_thumbnail()
+    {
+        $container = AssetContainer::make('test')->disk('test')->save();
+        $container
+            ->makeAsset('one.png')
+            ->upload(UploadedFile::fake()->image('one.png'));
+
+        $this->setTestRoles(['test' => ['access cp', 'view test assets']]);
+        $user = User::make()->assignRole('test')->save();
+
+        $this
+            ->actingAs($user)
+            ->getJson('/cp/thumbnails/'.base64_encode('test::one.png'))
+            ->assertSuccessful();
+    }
+
+    #[Test]
+    public function it_404s_when_the_asset_doesnt_exist()
+    {
+        $container = AssetContainer::make('test')->disk('test')->save();
+
+        $this->setTestRoles(['test' => ['access cp', 'view test assets']]);
+        $user = User::make()->assignRole('test')->save();
+
+        $this
+            ->actingAs($user)
+            ->getJson('/cp/thumbnails/'.base64_encode('test::unknown.png'))
+            ->assertNotFound();
+    }
+
+    #[Test]
+    public function it_denies_access_without_permission_to_view_asset()
+    {
+        $container = AssetContainer::make('test')->disk('test')->save();
+        $container
+            ->makeAsset('one.png')
+            ->upload(UploadedFile::fake()->image('one.png'));
+
+        $this->setTestRoles(['test' => ['access cp']]);
+        $user = User::make()->assignRole('test')->save();
+
+        $this
+            ->actingAs($user)
+            ->getJson('/cp/thumbnails/'.base64_encode('test::one.png'))
+            ->assertForbidden();
+    }
+}
diff --git a/tests/Feature/Assets/PdfThumbnailTest.php b/tests/Feature/Assets/PdfThumbnailTest.php
@@ -0,0 +1,84 @@
+<?php
+
+namespace Feature\Assets;
+
+use Illuminate\Http\UploadedFile;
+use PHPUnit\Framework\Attributes\Test;
+use Statamic\Facades\AssetContainer;
+use Statamic\Facades\User;
+use Tests\FakesRoles;
+use Tests\PreventSavingStacheItemsToDisk;
+use Tests\TestCase;
+
+class PdfThumbnailTest extends TestCase
+{
+    use FakesRoles;
+    use PreventSavingStacheItemsToDisk;
+
+    private $tempDir;
+
+    public function setUp(): void
+    {
+        parent::setUp();
+
+        config(['filesystems.disks.test' => [
+            'driver' => 'local',
+            'root' => $this->tempDir = __DIR__.'/tmp',
+        ]]);
+    }
+
+    public function tearDown(): void
+    {
+        app('files')->deleteDirectory($this->tempDir);
+
+        parent::tearDown();
+    }
+
+    #[Test]
+    public function it_returns_thumbnail()
+    {
+        $container = AssetContainer::make('test')->disk('test')->save();
+        $container
+            ->makeAsset('one.pdf')
+            ->upload(UploadedFile::fake()->createWithContent('one.pdf', ' '));
+
+        $this->setTestRoles(['test' => ['access cp', 'view test assets']]);
+        $user = User::make()->assignRole('test')->save();
+
+        $this
+            ->actingAs($user)
+            ->getJson('/cp/pdfs/'.base64_encode('test::one.pdf'))
+            ->assertSuccessful();
+    }
+
+    #[Test]
+    public function it_404s_when_the_asset_doesnt_exist()
+    {
+        $container = AssetContainer::make('test')->disk('test')->save();
+
+        $this->setTestRoles(['test' => ['access cp', 'view test assets']]);
+        $user = User::make()->assignRole('test')->save();
+
+        $this
+            ->actingAs($user)
+            ->getJson('/cp/pdfs/'.base64_encode('test::unknown.pdf'))
+            ->assertNotFound();
+    }
+
+    #[Test]
+    public function it_denies_access_without_permission_to_view_asset()
+    {
+        $container = AssetContainer::make('test')->disk('test')->save();
+        $container
+            ->makeAsset('one.pdf')
+            ->upload(UploadedFile::fake()->createWithContent('one.pdf', ' '));
+
+        $this->setTestRoles(['test' => ['access cp']]);
+        $user = User::make()->assignRole('test')->save();
+
+        $this
+            ->actingAs($user)
+            ->getJson('/cp/pdfs/'.base64_encode('test::one.pdf'))
+            ->assertForbidden();
+    }
+}
diff --git a/tests/Feature/Assets/SvgThumbnailTest.php b/tests/Feature/Assets/SvgThumbnailTest.php
@@ -0,0 +1,84 @@
+<?php
+
+namespace Feature\Assets;
+
+use Illuminate\Http\UploadedFile;
+use PHPUnit\Framework\Attributes\Test;
+use Statamic\Facades\AssetContainer;
+use Statamic\Facades\User;
+use Tests\FakesRoles;
+use Tests\PreventSavingStacheItemsToDisk;
+use Tests\TestCase;
+
+class SvgThumbnailTest extends TestCase
+{
+    use FakesRoles;
+    use PreventSavingStacheItemsToDisk;
+
+    private $tempDir;
+
+    public function setUp(): void
+    {
+        parent::setUp();
+
+        config(['filesystems.disks.test' => [
+            'driver' => 'local',
+            'root' => $this->tempDir = __DIR__.'/tmp',
+        ]]);
+    }
+
+    public function tearDown(): void
+    {
+        app('files')->deleteDirectory($this->tempDir);
+
+        parent::tearDown();
+    }
+
+    #[Test]
+    public function it_returns_thumbnail()
+    {
+        $container = AssetContainer::make('test')->disk('test')->save();
+        $container
+            ->makeAsset('one.png')
+            ->upload(UploadedFile::fake()->createWithContent('one.svg', '<svg></svg>'));
+
+        $this->setTestRoles(['test' => ['access cp', 'view test assets']]);
+        $user = User::make()->assignRole('test')->save();
+
+        $this
+            ->actingAs($user)
+            ->getJson('/cp/svgs/'.base64_encode('test::one.svg'))
+            ->assertSuccessful();
+    }
+
+    #[Test]
+    public function it_404s_when_the_asset_doesnt_exist()
+    {
+        $container = AssetContainer::make('test')->disk('test')->save();
+
+        $this->setTestRoles(['test' => ['access cp', 'view test assets']]);
+        $user = User::make()->assignRole('test')->save();
+
+        $this
+            ->actingAs($user)
+            ->getJson('/cp/svgs/'.base64_encode('test::unknown.svg'))
+            ->assertNotFound();
+    }
+
+    #[Test]
+    public function it_denies_access_without_permission_to_view_asset()
+    {
+        $container = AssetContainer::make('test')->disk('test')->save();
+        $container
+            ->makeAsset('one.svg')
+            ->upload(UploadedFile::fake()->createWithContent('one.svg', '<svg></svg>'));
+
+        $this->setTestRoles(['test' => ['access cp']]);
+        $user = User::make()->assignRole('test')->save();
+
+        $this
+            ->actingAs($user)
+            ->getJson('/cp/svgs/'.base64_encode('test::one.svg'))
+            ->assertForbidden();
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -507,7 +507,7 @@ export default {`
`507`	`507`	`},`
`508`	`508`
`509`	`509`	`afterSaveOption() {`
`510`		`- return this.getPreference('after_save');`
	`510`	`+ return this.getPreference('after_save') ?? 'listing';`
`511`	`511`	`},`
`512`	`512`
`513`	`513`	`originOptions() {`
`@@ -591,8 +591,8 @@ export default {`
`591`	`591`	`this.redirectTo(this.createAnotherUrl);`
`592`	`592`	`}`
`593`	`593`
`594`		`- // If the user has opted to go to listing (default/null option), redirect them there.`
`595`		`- else if (!this.isInline && nextAction === null) {`
	`594`	`+ // If the user has opted to go to listing, redirect them there.`
	`595`	`+ else if (!this.isInline && nextAction === 'listing') {`
`596`	`596`	`this.redirectTo(this.listingUrl);`
`597`	`597`	`}`
`598`	`598`
`@@ -760,8 +760,8 @@ export default {`
`760`	`760`	`this.redirectTo(this.createAnotherUrl);`
`761`	`761`	`}`
`762`	`762`
`763`		`- // If the user has opted to go to listing (default/null option), redirect them there.`
`764`		`- else if (!this.isInline && nextAction === null) {`
	`763`	`+ // If the user has opted to go to listing, redirect them there.`
	`764`	`+ else if (!this.isInline && nextAction === 'listing') {`
`765`	`765`	`this.redirectTo(this.listingUrl);`
`766`	`766`	`}`
`767`	`767`
Original file line number	Diff line number	Diff line change
`@@ -15,9 +15,11 @@ class PdfController extends Controller`
`15`	`15`	`*/`
`16`	`16`	`public function show($encodedAssetId)`
`17`	`17`	`{`
`18`		`- if (! $contents = $this->asset($encodedAssetId)->contents()) {`
`19`		`- abort(500);`
`20`		`- }`
	`18`	`+ $asset = $this->asset($encodedAssetId);`
	`19`	`+`
	`20`	`+ abort_if(! $contents = $asset->contents(), 500);`
	`21`	`+`
	`22`	`+ $this->authorize('view', $asset);`
`21`	`23`
`22`	`24`	`return response($contents)->header('Content-Type', 'application/pdf');`
`23`	`25`	`}`
Original file line number	Diff line number	Diff line change
`@@ -17,9 +17,9 @@ public function show($asset)`
`17`	`17`	`{`
`18`	`18`	`$asset = $this->asset($asset);`
`19`	`19`
`20`		`- if (! $contents = $asset->disk()->get($asset->path())) {`
`21`		`- abort(500);`
`22`		`- }`
	`20`	`+ abort_if(! $contents = $asset->disk()->get($asset->path()), 500);`
	`21`	`+`
	`22`	`+ $this->authorize('view', $asset);`
`23`	`23`
`24`	`24`	`return response($contents)->header('Content-Type', 'image/svg+xml');`
`25`	`25`	`}`
Original file line number	Diff line number	Diff line change
`@@ -65,6 +65,8 @@ public function show($asset, $size = null, $orientation = null)`
`65`	`65`	`$this->orientation = $orientation;`
`66`	`66`	`$this->asset = $this->asset($asset);`
`67`	`67`
	`68`	`+ $this->authorize('view', $this->asset);`
	`69`	`+`
`68`	`70`	`if ($placeholder = $this->getPlaceholderResponse()) {`
`69`	`71`	`return $placeholder;`
`70`	`72`	`}`