@kalisio/kdk 2.6.1 → 2.6.2

package/core/api/hooks/hooks.users.js

@@ -13,17 +13,31 @@ const verifyHooks = authManagement.hooks
 const debug = makeDebug('kdk:core:users:hooks')
 
 // Helper functions to be used in iff hooks
-export function disallowRegistration (hook) {
-  return _.get(hook.app.get('authentication'), 'disallowRegistration')
+export function disallowRegistration (context) {
+  return _.get(context.app.get('authentication'), 'disallowRegistration')
 }
-export function allowLocalAuthentication (hook) {
-  return _.get(hook.app.get('authentication'), 'authStrategies', []).includes('local')
+
+export function allowLocalAuthentication (context) {
+  return _.get(context.app.get('authentication'), 'authStrategies', []).includes('local')
 }
-export function isNotMe (hook) {
-  const userId = _.get(hook.params, 'user._id', '')
-  const item = getItems(hook)
-  const targetId = _.get(item, '_id', '')
-  return userId.toString() !== targetId.toString()
+
+export function isNotMe (context) {
+  const userId = _.toString(_.get(context.params, 'user._id'))
+  if (_.isEmpty(userId)) throw new Forbidden('Not authenticated')
+  // Before hook
+  if (context.type === 'before') {
+    if (context.method === 'find') {
+      context.params.query = {
+        ...context.params.query,
+        _id: userId
+      }
+      return context
+    }
+    return _.toString(context.id) !== userId
+  }
+  // After hook
+  const item = getItems(context)
+  return _.toString(item._id) !== userId
 }
 
 export function enforcePasswordPolicy (options = {}) {

package/core/client/components/form/KTextareaField.vue

@@ -47,6 +47,7 @@
 <script>
 import _ from 'lodash'
 import { baseField } from '../../mixins'
+import { Document } from '../../document.js'
 import KTextArea from '../KTextArea.vue'
 
 export default {
@@ -112,6 +113,11 @@ export default {
   methods: {
     emptyModel () {
       return ''
+    },
+    fill (value) {
+      // Sanitize data, this prevent XSS if the content is directly edited through the API or in DB
+      this.model = Document.sanitizeHtml(value)
+      this.error = ''
     }
   }
 }

package/core/client/composables/errors.js

@@ -12,14 +12,14 @@ export function useErrors () {
   const Route = useRoute()
 
   // Functions
-  function showError (error) {
+  function showError (error, options = { html: true }) {
     // Check if this error is a quiet one or not
     if (error.ignore) {
       // In this case simply log
       logger.error(error)
       return
     }
-    const notification = { type: 'negative', message: error.message || error.error_message || error.error, html: true }
+    const notification = { type: 'negative', message: error.message || error.error_message || error.error, html: options.html }
     // Check if user can retry to avoid this error
     if (error.retryHandler) {
       notification.actions = [{
@@ -34,12 +34,14 @@ export function useErrors () {
   function showRouteError (route) {
     // We handle error on any page with query string
     if (route.query && (route.query.error_message || route.query.error)) {
-      showError(route.query)
+      // Avoid XSS in this case as a user can use the query paramter
+      showError(route.query, { html: false })
     }
     // OAuth login is using token set as route param like 'access_token=jwt'.
     // However in case of error it will be like 'error=message' instead.
     else if (route.params && route.params.token && route.params.token.startsWith('error=')) {
-      showError({ message: route.params.token.split('=')[1] })
+      // Avoid XSS in this case as a user can use the query paramter
+      showError({ message: route.params.token.split('=')[1] }, { html: false })
     }
   }
 

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@kalisio/kdk",
   "description": "Kalisio Development Kit",
-  "version": "2.6.1",
+  "version": "2.6.2",
   "homepage": "https://github.com/kalisio/kdk",
   "type": "module",
   "keywords": [