Do not leak all pages for guest users in API controller

CanCanCan does not respect any scope set before `accessible_by`.
We need to make sure the additional scopes get called afterwards.

app/controllers/alchemy/api/pages_controller.rb

@@ -7,10 +7,12 @@ class Api::PagesController < Api::BaseController
  # Returns all pages as json object
  #
  def index
- @pages = Language.current&.pages.presence || Alchemy::Page.none
  # Fix for cancancan not able to merge multiple AR scopes for logged in users
  if cannot? :edit_content, Alchemy::Page
  @pages = @pages.accessible_by(current_ability, :index)
+ @pages = @pages.where(language: Language.current)
+ else
+ @pages = Language.current&.pages.presence || Alchemy::Page.none
  end
  @pages = @pages.includes(*page_includes)
  @pages = @pages.ransack(params[:q]).result