Do not leak all elements for guest user in API

CanCanCan does not respect any scope set before `accessible_by`.

We need to make sure the additional scopes get called afterwards.

app/controllers/alchemy/api/elements_controller.rb

@@ -9,17 +9,19 @@ class Api::ElementsController < Api::BaseController
     # If you want to only load a specific type of element pass ?named=an_element_name
     #
     def index
-      if params[:page_id].present?
-        @page = Page.find(params[:page_id])
-        @elements = @page.elements.not_nested
+      # Fix for cancancan not able to merge multiple AR scopes for logged in users
+      if cannot? :manage, Alchemy::Element
+        @elements = Alchemy::Element.accessible_by(current_ability, :index)
       else
-        @elements = Element.not_nested.joins(:page_version).merge(PageVersion.published)
+        @elements = Alchemy::Element.all
       end
 
-      # Fix for cancancan not able to merge multiple AR scopes for logged in users
-      if cannot? :manage, Alchemy::Element
-        @elements = @elements.accessible_by(current_ability, :index)
+      @elements = @elements.not_nested.joins(:page_version).merge(PageVersion.published)
+
+      if params[:page_id].present?
+        @elements = @elements.where(alchemy_pages: { id: params[:page_id] })
       end
+
       if params[:named].present?
         @elements = @elements.named(params[:named])
       end