AlchemyCMS · tvdeyen · Oct 10, 2025 · Oct 2, 2025 · Oct 2, 2025 · Oct 3, 2025
diff --git a/.github/workflows/brakeman-analysis.yml b/.github/workflows/brakeman-analysis.yml
@@ -25,13 +25,13 @@ jobs:
      - name: Set up Ruby
        uses: ruby/setup-ruby@v1
        with:
-          ruby-version: "3.2"
+          ruby-version: "3.4"

      - name: Setup Brakeman
        env:
-          BRAKEMAN_VERSION: "6.2.1" # SARIF support is provided in Brakeman version 4.10+
+          BRAKEMAN_VERSION: "7.1.0" # SARIF support is provided in Brakeman version 4.10+
        run: |
-          gem install brakeman --version $BRAKEMAN_VERSION
+          gem install brakeman --version $BRAKEMAN_VERSION --no-document

      # Execute Brakeman CLI and generate a SARIF output with the security issues identified during the analysis
      - name: Scan

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -20,6 +20,7 @@ jobs:
          - "3.4"
        rails:
          - "7.2"
+          - "8.0"
        database:
          - mysql
          - postgresql
@@ -86,7 +87,7 @@ jobs:
        run: bundle exec rspec
      - name: Upload coverage reports to Codecov
        uses: codecov/codecov-action@v5
-        if: matrix.rails == '7.2' && matrix.ruby == '3.4'
+        if: matrix.rails == '8.0' && matrix.ruby == '3.4'
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          slug: AlchemyCMS/alchemy-devise
@@ -106,7 +107,7 @@ jobs:
      - name: Install Ruby and gems
        uses: ruby/setup-ruby@v1
        with:
-          ruby-version: "3.1"
+          ruby-version: "3.4"
          bundler-cache: true
      - name: Lint Ruby files
        run: bundle exec standardrb
diff --git a/Gemfile b/Gemfile
@@ -3,7 +3,7 @@ source "https://rubygems.org"
 alchemy_branch = ENV.fetch("ALCHEMY_BRANCH", "main")
 gem "alchemy_cms", github: "AlchemyCMS/alchemy_cms", branch: alchemy_branch

-rails_version = ENV.fetch("RAILS_VERSION", "7.2")
+rails_version = ENV.fetch("RAILS_VERSION", "8.0")
 gem "rails", "~> #{rails_version}.0"
 gem "listen", "~> 3.8"
 gem "puma", "~> 7.0"

diff --git a/app/assets/builds/alchemy-devise.css b/app/assets/builds/alchemy-devise.css
diff --git a/app/assets/stylesheets/alchemy-devise/login.scss b/app/assets/stylesheets/alchemy-devise/login.scss
@@ -27,6 +27,7 @@ body.passwords {
  transform: translate(-50%, -50%);

  alchemy-message {
+    width: 300px;
    margin-left: var(--form-left-column-width);
  }

@@ -46,6 +47,18 @@ body.passwords {
    margin-left: var(--form-left-column-width);
    padding-left: var(--spacing-0);

+    &.align-right {
+      justify-content: end;
+    }
+
+    > label {
+      text-align: start;
+
+      input[type="checkbox"] {
+        margin: 0 var(--spacing-0) 0 0;
+      }
+    }
+
    > a {
      display: inline-flex;
      align-items: center;

diff --git a/app/controllers/alchemy/admin/users_controller.rb b/app/controllers/alchemy/admin/users_controller.rb
@@ -98,7 +98,7 @@ def signup_admin_or_redirect
          deliver_welcome_mail
          redirect_to admin_pages_path
        else
-          render :signup
+          render :signup, status: :unprocessable_entity
        end
      end


diff --git a/app/models/alchemy/user.rb b/app/models/alchemy/user.rb
@@ -25,7 +25,7 @@ class User < ActiveRecord::Base

    has_many :folded_pages

-    validates_uniqueness_of :login
+    validates :login, uniqueness: {case_sensitive: false}, presence: :login_required?
    validates_presence_of :alchemy_roles

    # Unlock all locked pages before destroy.
@@ -140,6 +140,14 @@ def fullname(options = {})
    alias_method :name, :fullname
    alias_method :alchemy_display_name, :fullname

+    def email_required?
+      ::Devise.authentication_keys.include?(:email)
+    end
+
+    def login_required?
+      ::Devise.authentication_keys.include?(:login)
+    end
+
    # Returns true if the last request not longer ago then the logged_in_time_out
    def logged_in?
      raise "Can not determine the records login state because there is no last_request_at column" if !respond_to?(:last_request_at)

diff --git a/app/views/alchemy/admin/passwords/edit.html.erb b/app/views/alchemy/admin/passwords/edit.html.erb
@@ -18,8 +18,10 @@
 <% end %>
  <%= alchemy_form_for resource, as: resource_name, url: admin_update_password_path, method: 'patch' do |f| %>
    <%= f.hidden_field :reset_password_token %>
-    <%= f.input :password, autofocus: true, label: Alchemy.t("New password") %>
-    <%= f.input :password_confirmation, label: Alchemy.t("Confirm new password") %>
+    <%= f.input :password, autofocus: true, label: Alchemy.t("New password"),
+      required: true, input_html: {autocomplete: "new-password"} %>
+    <%= f.input :password_confirmation, label: Alchemy.t("Confirm new password"),
+      required: true, input_html: {autocomplete: "new-password"} %>
    <div class="submit">
      <%= link_to alchemy.admin_login_path do %>
        <%= render_icon("arrow-left-s", size: "1x") %>

diff --git a/app/views/alchemy/admin/passwords/new.html.erb b/app/views/alchemy/admin/passwords/new.html.erb
@@ -19,7 +19,11 @@
  <%= alchemy_form_for :user, url: admin_reset_password_path, html: {method: 'post'} do |f| %>
    <%= f.input :email,
      autofocus: true,
-      input_html: {value: params[:email]} %>
+      required: true,
+      input_html: {
+        autocomplete: "email",
+        value: params[:email]
+      } %>
    <div class="submit">
      <%= link_to alchemy.admin_login_path do %>
        <%= render_icon("arrow-left-s", size: "1x") %>

diff --git a/app/views/alchemy/admin/user_sessions/new.html.erb b/app/views/alchemy/admin/user_sessions/new.html.erb
@@ -11,8 +11,9 @@
    <p><%= Alchemy.t('welcome_please_identify_notice') %></p>
  <% end %>
  <%= alchemy_form_for :user, url: {action: 'create'}, id: 'login', data: { turbo: false } do |f| %>
-    <%= f.input Devise.authentication_keys.first, autofocus: true %>
-    <%= f.input :password %>
+    <%= f.input Devise.authentication_keys.first, autofocus: true, required: true,
+      input_html: {autocomplete: Devise.authentication_keys.first == :email ? "email" : "username"} %>
+    <%= f.input :password, required: true, input_html: {autocomplete: "current-password"} %>
    <div class="submit">
      <%= link_to Alchemy.t('Forgot your password?'), admin_new_password_path %>
      <button type="submit"><%= Alchemy.t(:login) %></button>

diff --git a/app/views/alchemy/admin/users/_fields.html.erb b/app/views/alchemy/admin/users/_fields.html.erb
@@ -1,13 +1,15 @@
-<%= f.input :firstname %>
-<%= f.input :lastname %>
-<%= f.input :login, autofocus: true %>
-<%= f.input :email %>
-<%= f.input :language,
-  collection: translations_for_select,
-  include_blank: false,
-  input_html: {class: 'alchemy_selectbox'} %>
-<%= f.input :password %>
-<%= f.input :password_confirmation %>
+<%= f.input :firstname, input_html: {autocomplete: "given-name"} %>
+<%= f.input :lastname, input_html: {autocomplete: "family-name"} %>
+<%= f.input :login, autofocus: true, required: @user.login_required?, input_html: {autocomplete: "username"} %>
+<%= f.input :email, required: @user.email_required?, input_html: {autocomplete: "email"} %>
+<% if Alchemy::I18n.available_locales.many? %>
+  <div class="input select">
+    <%= f.label(:language) %>
+    <%= render Alchemy::Admin::LocaleSelect.new(f.field_name(:language)) %>
+  </div>
+<% end %>
+<%= f.input :password, required: while_signup?, input_html: {autocomplete: "new-password"} %>
+<%= f.input :password_confirmation, required: while_signup?, input_html: {autocomplete: "new-password"} %>
 <% if can_update_role? %>
  <%= f.input :alchemy_roles,
    collection: @user_roles,
@@ -27,4 +29,8 @@
  </div>
 <% end %>
 <%= f.input :send_credentials, as: 'boolean' %>
-<%= f.submit Alchemy.t(:save) %>
+<div class="submit align-right">
+  <button type="submit">
+    <%= Alchemy.t(:save) %>
+  </button>
+</div>
diff --git a/app/views/alchemy/admin/users/_resource_table.html.erb b/app/views/alchemy/admin/users/_resource_table.html.erb
@@ -8,7 +8,7 @@
        alchemy.edit_admin_user_path(user), {
          title: Alchemy.t(:edit_user),
          overflow: true,
-          size: "430x560"
+          size: "430x500"
        },
        title: Alchemy.t(:edit_user) %>
    <% else %>
@@ -28,7 +28,7 @@
    <%= user.human_roles_string %>
  <% end %>
  <% table.delete_button tooltip: Alchemy.t(:delete_user), confirm_message: Alchemy.t(:confirm_to_delete_user) %>
-  <% table.edit_button tooltip: Alchemy.t(:edit_user), dialog_size: "430x560" %>
+  <% table.edit_button tooltip: Alchemy.t(:edit_user), dialog_size: "430x500" %>
 <% end %>

 <%= paginate @users, theme: "alchemy" %>
diff --git a/app/views/alchemy/admin/users/_table.html.erb b/app/views/alchemy/admin/users/_table.html.erb
diff --git a/app/views/alchemy/admin/users/_user.html.erb b/app/views/alchemy/admin/users/_user.html.erb
diff --git a/app/views/alchemy/admin/users/index.html.erb b/app/views/alchemy/admin/users/index.html.erb
@@ -12,7 +12,7 @@
    tooltip_placement: "top-start",
    dialog_options: {
      title: Alchemy.t(:create_user),
-      size: "430x560"
+      size: "430x500"
    },
    if_permitted_to: [:create, Alchemy::User]
  ) %>
@@ -22,12 +22,7 @@
 <div id="archive_all" class="resources-table-wrapper">
 <% if @users.any? %>
  <%= render "alchemy/admin/resources/table_header" %>
-
-  <% if Alchemy::Admin.const_defined?(:Resource) %>
-    <%= render "resource_table" %>
-  <% else %>
-    <%= render "table" %>
-  <% end %>
+  <%= render "resource_table" %>

  <%= paginate @users, theme: 'alchemy' %>


diff --git a/app/views/alchemy/admin/users/signup.html.erb b/app/views/alchemy/admin/users/signup.html.erb
@@ -3,9 +3,11 @@
 <% end %>

 <div class="login_signup_box">
-  <%= image_tag 'alchemy/alchemy-logo.svg', id: 'logo' %>
+  <%= render "alchemy/admin/user_sessions/logo" %>
  <%= render_message do %>
-    <h1><%= Alchemy.t('Welcome to Alchemy') %></h1>
+    <p>
+      <strong><%= Alchemy.t('Welcome to Alchemy') %></strong>
+    </p>
    <p><%= Alchemy.t("Please Signup") %></p>
  <% end %>
  <%= alchemy_form_for [:admin, @user] do |f| %>

diff --git a/spec/controllers/admin/users_controller_spec.rb b/spec/controllers/admin/users_controller_spec.rb
@@ -75,6 +75,14 @@ module Alchemy
            post :create, params: {user: attributes_for(:alchemy_admin_user)}
          end
        end
+
+        context "with invalid params" do
+          it "re-renders form" do
+            post :create, params: {user: {firstname: "John"}}
+            expect(response).to render_template(:signup)
+            expect(response).to be_unprocessable
+          end
+        end
      end

      context "with send_credentials set to '1'" do
@@ -151,7 +159,7 @@ module Alchemy

        context "with invalid user" do
          it "does not send an email notification" do
-            post :update, params: {id: user.id, user: {send_credentials: "1", email: ""}}
+            post :update, params: {id: user.id, user: {send_credentials: "1", login: ""}}
            expect(ActionMailer::Base.deliveries).to be_empty
          end
        end

diff --git a/spec/dummy/bin/dev b/spec/dummy/bin/dev
@@ -1,8 +1,2 @@
-#!/usr/bin/env sh
-
-if ! gem list foreman -i --silent; then
-  echo "Installing foreman..."
-  gem install foreman
-fi
-
-exec foreman start -f Procfile.dev "$@"
+#!/usr/bin/env ruby
+exec "./bin/rails", "server", *ARGV
diff --git a/spec/dummy/bin/rubocop b/spec/dummy/bin/rubocop
@@ -0,0 +1,8 @@
+#!/usr/bin/env ruby
+require "rubygems"
+require "bundler/setup"
+
+# explicit rubocop config increases performance slightly while avoiding config confusion.
+ARGV.unshift("--config", File.expand_path("../.rubocop.yml", __dir__))
+
+load Gem.bin_path("rubocop", "rubocop")
diff --git a/spec/dummy/bin/setup b/spec/dummy/bin/setup
@@ -1,11 +1,10 @@
 #!/usr/bin/env ruby
 require "fileutils"

-# path to your application root.
 APP_ROOT = File.expand_path("..", __dir__)

 def system!(*args)
-  system(*args) || abort("\n== Command #{args} failed ==")
+  system(*args, exception: true)
 end

 FileUtils.chdir APP_ROOT do
@@ -14,7 +13,6 @@ FileUtils.chdir APP_ROOT do
  # Add necessary setup steps to this file.

  puts "== Installing dependencies =="
-  system! "gem install bundler --conservative"
  system("bundle check") || system!("bundle install")

  # puts "\n== Copying sample files =="
@@ -28,6 +26,9 @@ FileUtils.chdir APP_ROOT do
  puts "\n== Removing old logs and tempfiles =="
  system! "bin/rails log:clear tmp:clear"

-  puts "\n== Restarting application server =="
-  system! "bin/rails restart"
+  unless ARGV.include?("--skip-server")
+    puts "\n== Starting development server =="
+    STDOUT.flush # flush the output before exec(2) so that it displays
+    exec "bin/dev"
+  end
 end