@saltcorn/server 0.7.1-beta.2 → 0.7.2-beta.0

package/package.json

@@ -1,17 +1,17 @@
 {
   "name": "@saltcorn/server",
-  "version": "0.7.1-beta.2",
+  "version": "0.7.2-beta.0",
   "description": "Server app for Saltcorn, open-source no-code platform",
   "homepage": "https://saltcorn.com",
   "main": "index.js",
   "license": "MIT",
   "dependencies": {
-    "@saltcorn/base-plugin": "0.7.1-beta.2",
-    "@saltcorn/builder": "0.7.1-beta.2",
-    "@saltcorn/data": "0.7.1-beta.2",
-    "@saltcorn/admin-models": "0.7.1-beta.2",
-    "@saltcorn/markup": "0.7.1-beta.2",
-    "@saltcorn/sbadmin2": "0.7.1-beta.2",
+    "@saltcorn/base-plugin": "0.7.2-beta.0",
+    "@saltcorn/builder": "0.7.2-beta.0",
+    "@saltcorn/data": "0.7.2-beta.0",
+    "@saltcorn/admin-models": "0.7.2-beta.0",
+    "@saltcorn/markup": "0.7.2-beta.0",
+    "@saltcorn/sbadmin2": "0.7.2-beta.0",
     "@socket.io/cluster-adapter": "^0.1.0",
     "@socket.io/sticky": "^1.0.1",
     "aws-sdk": "^2.1037.0",
@@ -46,6 +46,7 @@
     "pg": "^8.2.1",
     "pluralize": "^8.0.0",
     "qrcode": "1.5.0",
+    "sharp": "0.30.3",
     "socket.io": "4.2.0",
     "thirty-two": "1.0.2",
     "tmp-promise": "^3.0.2",
@@ -57,7 +58,8 @@
   },
   "repository": "github:saltcorn/saltcorn",
   "devDependencies": {
-    "jest": "^25.1.0",
+    "jest": "26.6.3",
+    "jest-environment-jsdom": "^26.6.2",
     "supertest": "^4.0.2"
   },
   "scripts": {

package/public/jquery-menu-editor.min.js

@@ -117,6 +117,7 @@ function MenuEditor(e, t) {
             (n.prev("div").children(".sortableListsOpener").first().remove(),
             n.remove()),
           MenuEditor.updateButtons(s);
+          l.onUpdate();
       }
     }),
     $(document).on("click", ".btnEdit", function (e) {
@@ -145,11 +146,13 @@ function MenuEditor(e, t) {
       e.preventDefault();
       var t = $(this).closest("li");
       t.prev("li").before(t), MenuEditor.updateButtons(s);
+      l.onUpdate();
     }),
     s.on("click", ".btnDown", function (e) {
       e.preventDefault();
       var t = $(this).closest("li");
       t.next("li").after(t), MenuEditor.updateButtons(s);
+      l.onUpdate();
     }),
     s.on("click", ".btnOut", function (e) {
       e.preventDefault();
@@ -161,6 +164,7 @@ function MenuEditor(e, t) {
           t.remove()),
         MenuEditor.updateButtons(s),
         s.updateLevels();
+        l.onUpdate();
     }),
     s.on("click", ".btnIn", function (e) {
       e.preventDefault();
@@ -174,6 +178,7 @@ function MenuEditor(e, t) {
           l.append(n), n.append(t), l.addClass("sortableListsOpen"), f(l);
         }
       MenuEditor.updateButtons(s), s.updateLevels();
+      l.onUpdate();
     }),
     (this.setForm = function (e) {
       i = e;

package/public/saltcorn.css

@@ -224,3 +224,12 @@ footer.bs-mobile-nav-footer {
 .form-group {
   margin-bottom: 1rem;
 }
+
+.containerbgimage {
+  position: absolute;
+  top: 0;
+  left: 0;
+  width: 100%;
+  height: 100%;
+  z-index: -1;
+}

package/public/saltcorn.js

@@ -329,17 +329,36 @@ function enable_codemirror(f) {
 }
 
 //https://stackoverflow.com/a/6021027
-function updateQueryStringParameter(uri, key, value) {
+function updateQueryStringParameter(uri1, key, value) {
+  let hash = "";
+  let uri = uri1;
+  if (uri && uri.includes("#")) {
+    let uris = uri1.split("#");
+    hash = "#" + uris[1];
+    uri = uris[0];
+  }
+
   var re = new RegExp("([?&])" + key + "=.*?(&|$)", "i");
   var separator = uri.indexOf("?") !== -1 ? "&" : "?";
   if (uri.match(re)) {
-    return uri.replace(re, "$1" + key + "=" + encodeURIComponent(value) + "$2");
+    return (
+      uri.replace(re, "$1" + key + "=" + encodeURIComponent(value) + "$2") +
+      hash
+    );
   } else {
-    return uri + separator + key + "=" + encodeURIComponent(value);
+    return uri + separator + key + "=" + encodeURIComponent(value) + hash;
   }
 }
 
-function removeQueryStringParameter(uri, key) {
+function removeQueryStringParameter(uri1, key) {
+  let hash = "";
+  let uri = uri1;
+  if (uri && uri.includes("#")) {
+    let uris = uri1.split("#");
+    hash = "#" + uris[1];
+    uri = uris[0];
+  }
+
   var re = new RegExp("([?&])" + key + "=.*?(&|$)", "i");
   var separator = uri.indexOf("?") !== -1 ? "&" : "?";
   if (uri.match(re)) {
@@ -347,7 +366,7 @@ function removeQueryStringParameter(uri, key) {
   }
   if (uri[uri.length - 1] === "?" || uri[uri.length - 1] === "&")
     uri = uri.substring(0, uri.length - 1);
-  return uri;
+  return uri + hash;
 }
 
 function select_id(id) {
@@ -548,6 +567,10 @@ function ajax_modal(url, opts = {}) {
       </div>
     </div>
   </div>`);
+  } else if ($("#scmodal").hasClass("show")) {
+    var myModalEl = document.getElementById("scmodal");
+    var modal = bootstrap.Modal.getInstance(myModalEl);
+    modal.dispose();
   }
   if (opts.submitReload === false) $("#scmodal").addClass("no-submit-reload");
   else $("#scmodal").removeClass("no-submit-reload");
@@ -595,6 +618,47 @@ function saveAndContinue(e, k) {
   return false;
 }
 
+function applyViewConfig(e, url) {
+  var form = $(e).closest("form");
+  var form_data = form.serializeArray();
+  const cfg = {};
+  form_data.forEach((item) => {
+    cfg[item.name] = item.value;
+  });
+  $.ajax(url, {
+    type: "POST",
+    dataType: "json",
+    contentType: "application/json",
+    headers: {
+      "CSRF-Token": _sc_globalCsrf,
+    },
+    data: JSON.stringify(cfg),
+    error: function (request) {},
+  });
+
+  return false;
+}
+
+const repeaterCopyValuesToForm = (form, editor) => {
+  const vs = JSON.parse(editor.getString());
+  //console.log(vs)
+  const setVal = (k, ix, v) => {
+    const $e = form.find(`input[name="${k}_${ix}"]`);
+    if ($e.length) $e.val(v);
+    else
+      form.append(
+        `<input type="hidden" name="${k}_${ix}" value="${v}"></input>`
+      );
+  };
+  vs.forEach((v, ix) => {
+    Object.entries(v).forEach(([k, v]) => {
+      //console.log(ix, k, typeof v, v)
+      if (typeof v === "boolean") setVal(k, ix, v ? "on" : "");
+      else setVal(k, ix, v);
+    });
+  });
+};
+
 function ajaxSubmitForm(e) {
   var form = $(e).closest("form");
   var url = form.attr("action");
@@ -811,13 +875,13 @@ const columnSummary = (col) => {
   if (!col) return "Unknown";
   switch (col.type) {
     case "Field":
-      return `Field ${col.field_name} ${col.fieldview}`;
+      return `Field ${col.field_name} ${col.fieldview || ""}`;
     case "Link":
       return `Link ${col.link_text}`;
     case "JoinField":
       return `Join ${col.join_field}`;
     case "ViewLink":
-      return `View ${col.view_label || col.view.split(":")[1] || ""}`;
+      return `View link ${col.view_label || col.view.split(":")[1] || ""}`;
     case "Action":
       return `Action ${col.action_label || col.action_name}`;
     case "Aggregation":

package/routes/fields.js

@@ -629,10 +629,14 @@ router.post(
  */
 router.post(
   "/show-calculated/:tableName/:fieldName/:fieldview",
-  isAdmin,
   error_catcher(async (req, res) => {
     const { tableName, fieldName, fieldview } = req.params;
     const table = await Table.findOne({ name: tableName });
+    const role = req.user && req.user.id ? req.user.role_id : 10;
+    if (role > table.min_role_read) {
+      res.status(401).send("");
+      return;
+    }
     const fields = await table.getFields();
     const row = { ...req.body };
     readState(row, fields);
@@ -643,6 +647,10 @@ router.post(
       if (kpath.length === 2 && row[kpath[0]]) {
         const field = fields.find((f) => f.name === kpath[0]);
         const reftable = await Table.findOne({ name: field.reftable_name });
+        if (role > reftable.min_role_read) {
+          res.status(401).send("");
+          return;
+        }
         const targetField = (await reftable.getFields()).find(
           (f) => f.name === kpath[1]
         );
@@ -671,6 +679,10 @@ router.post(
           if (field.is_fkey) {
             const reftable = await Table.findOne({ name: field.reftable_name });
             if (!oldRow[ref]) break;
+            if (role > reftable.min_role_read) {
+              res.status(401).send("");
+              return;
+            }
             const q = { [reftable.pk_name]: oldRow[ref] };
             oldRow = await reftable.getRow(q);
             oldTable = reftable;

package/routes/files.js

@@ -9,6 +9,7 @@ const File = require("@saltcorn/data/models/file");
 const User = require("@saltcorn/data/models/user");
 const { getState } = require("@saltcorn/data/db/state");
 const s3storage = require("../s3storage");
+const sharp = require("sharp");
 
 const {
   mkTable,
@@ -43,6 +44,8 @@ const {
   config_fields_form,
   save_config_from_form,
 } = require("../markup/admin");
+const fsp = require("fs").promises;
+const fs = require("fs");
 
 /**
  * @type {object}
@@ -187,6 +190,54 @@ router.get(
   })
 );
 
+/**
+ * @name get/resize/:id
+ * @function
+ * @memberof module:routes/files~filesRouter
+ * @function
+ */
+router.get(
+  "/resize/:id/:width_str",
+  error_catcher(async (req, res) => {
+    const role = req.user && req.user.id ? req.user.role_id : 10;
+    const user_id = req.user && req.user.id;
+    const { id, width_str } = req.params;
+    let file;
+    if (typeof strictParseInt(id) !== "undefined")
+      file = await File.findOne({ id });
+    else file = await File.findOne({ filename: id });
+
+    if (!file) {
+      res
+        .status(404)
+        .sendWrap(req.__("Not found"), h1(req.__("File not found")));
+      return;
+    }
+    if (role <= file.min_role_read || (user_id && user_id === file.user_id)) {
+      res.type(file.mimetype);
+      const cacheability = file.min_role_read === 10 ? "public" : "private";
+      res.set("Cache-Control", `${cacheability}, max-age=86400`);
+      //TODO s3
+      if (file.s3_store) s3storage.serveObject(file, res, false);
+      else {
+        const width = strictParseInt(width_str);
+        if (!width) {
+          res.sendFile(file.location);
+          return;
+        }
+        const fnm = `${file.location}_w${width}`;
+        if (!fs.existsSync(fnm)) {
+          await sharp(file.location).resize({ width }).toFile(fnm);
+        }
+        res.sendFile(fnm);
+      }
+    } else {
+      req.flash("warning", req.__("Not authorized"));
+      res.redirect("/");
+    }
+  })
+);
+
 /**
  * @name post/setrole/:id
  * @function

package/routes/plugins.js

@@ -149,6 +149,7 @@ const local_has_theme = (name) => {
  */
 const get_store_items = async () => {
   const installed_plugins = await Plugin.find({});
+  const isRoot = db.getTenantSchema() === db.connectObj.default_schema;
 
   const instore = await Plugin.store_plugins_available();
   const packs_available = await fetch_available_packs();
@@ -156,15 +157,18 @@ const get_store_items = async () => {
   const schema = db.getTenantSchema();
   const installed_plugin_names = installed_plugins.map((p) => p.name);
   const store_plugin_names = instore.map((p) => p.name);
-  const plugins_item = instore.map((plugin) => ({
-    name: plugin.name,
-    installed: installed_plugin_names.includes(plugin.name),
-    plugin: true,
-    description: plugin.description,
-    documentation_link: plugin.documentation_link,
-    has_theme: plugin.has_theme,
-    has_auth: plugin.has_auth,
-  }));
+  const plugins_item = instore
+    .map((plugin) => ({
+      name: plugin.name,
+      installed: installed_plugin_names.includes(plugin.name),
+      plugin: true,
+      description: plugin.description,
+      documentation_link: plugin.documentation_link,
+      has_theme: plugin.has_theme,
+      has_auth: plugin.has_auth,
+      unsafe: plugin.unsafe,
+    }))
+    .filter((p) => !p.unsafe || isRoot);
   const local_logins = installed_plugins
     .filter((p) => !store_plugin_names.includes(p.name) && p.name !== "base")
     .map((plugin) => ({
@@ -648,16 +652,16 @@ router.get(
   error_catcher(async (req, res) => {
     const { plugin } = req.params;
     const filepath = req.params[0];
+    const hasVersion = plugin.includes("@");
     const location =
-      getState().plugin_locations[
-        plugin.includes("@") ? plugin.split("@")[0] : plugin
-      ];
+      getState().plugin_locations[hasVersion ? plugin.split("@")[0] : plugin];
     if (location) {
       const safeFile = path
         .normalize(filepath)
         .replace(/^(\.\.(\/|\\|$))+/, "");
       const fullpath = path.join(location, "public", safeFile);
-      if (fs.existsSync(fullpath)) res.sendFile(fullpath, { maxAge: "1d" });
+      if (fs.existsSync(fullpath))
+        res.sendFile(fullpath, { maxAge: hasVersion ? "100d" : "1d" });
       else res.status(404).send(req.__("Not found"));
     } else {
       res.status(404).send(req.__("Not found"));
@@ -961,6 +965,15 @@ router.post(
       res.redirect(`/plugins`);
       return;
     }
+    const isRoot = db.getTenantSchema() === db.connectObj.default_schema;
+    if (!isRoot && plugin.unsafe) {
+      req.flash(
+        "error",
+        req.__("Cannot install unsafe plugins on subdomain tenants")
+      );
+      res.redirect(`/plugins`);
+      return;
+    }
     delete plugin.id;
     await load_plugins.loadAndSaveNewPlugin(plugin);
     const plugin_module = getState().plugins[name];

package/routes/viewedit.js

@@ -582,8 +582,11 @@ router.get(
       return;
     }
     const configFlow = await view.get_config_flow(req);
+    const hasConfig =
+      view.configuration && Object.keys(view.configuration).length > 0;
     const wfres = await configFlow.run(
       {
+        id: hasConfig ? view.id : undefined,
         table_id: view.table_id,
         exttable_name: view.exttable_name,
         viewname: name,
@@ -704,6 +707,48 @@ router.post(
   })
 );
 
+/**
+ * @name post/saveconfig/:id
+ * @function
+ * @memberof module:routes/viewedit~vieweditRouter
+ * @function
+ */
+router.post(
+  "/saveconfig/:viewname",
+  isAdmin,
+  error_catcher(async (req, res) => {
+    const { viewname } = req.params;
+
+    if (viewname && req.body) {
+      const view = await View.findOne({ name: viewname });
+      const configFlow = await view.get_config_flow(req);
+      const step = await configFlow.singleStepForm(req.body, req);
+      if (step?.renderForm) {
+        if (!step.renderForm.hasErrors) {
+          let newcfg;
+          if (step.contextField)
+            newcfg = {
+              ...view.configuration,
+              [step.contextField]: {
+                ...view.configuration?.[step.contextField],
+                ...step.renderForm.values,
+              },
+            };
+          else newcfg = { ...view.configuration, ...step.renderForm.values };
+          await View.update({ configuration: newcfg }, view.id);
+          res.json({ success: "ok" });
+        } else {
+          res.json({ error: step.renderForm.errorSummary });
+        }
+      } else {
+        res.json({ error: "no form" });
+      }
+    } else {
+      res.json({ error: "no view" });
+    }
+  })
+);
+
 /**
  * @name post/setrole/:id
  * @function

package/tests/clientjs.test.js

@@ -0,0 +1,55 @@
+/**
+ * @jest-environment jsdom
+ */
+const fs = require("fs");
+const path = require("path");
+
+const load_script = (fnm) => {
+  const srcFile = fs.readFileSync(path.join(__dirname, "..", "public", fnm), {
+    encoding: "utf-8",
+  });
+  const scriptEl = document.createElement("script");
+  scriptEl.textContent = srcFile;
+  document.body.appendChild(scriptEl);
+};
+
+load_script("jquery-3.6.0.min.js");
+load_script("saltcorn.js");
+
+test("updateQueryStringParameter", () => {
+  const element = document.createElement("div");
+  expect(element).not.toBeNull();
+  expect(updateQueryStringParameter("/foo", "age", 43)).toBe("/foo?age=43");
+  expect(updateQueryStringParameter("/foo?age=44", "age", 43)).toBe(
+    "/foo?age=43"
+  );
+  expect(updateQueryStringParameter("/foo?name=Bar", "age", 43)).toBe(
+    "/foo?name=Bar&age=43"
+  );
+  expect(removeQueryStringParameter("/foo?age=44", "age")).toBe("/foo");
+  expect(removeQueryStringParameter("/foo?name=Bar", "age")).toBe(
+    "/foo?name=Bar"
+  );
+  expect(removeQueryStringParameter("/foo?name=Bar&age=45", "age")).toBe(
+    "/foo?name=Bar"
+  );
+});
+
+test("updateQueryStringParameter hash", () => {
+  expect(updateQueryStringParameter("/foo#baz", "age", 43)).toBe(
+    "/foo?age=43#baz"
+  );
+  expect(updateQueryStringParameter("/foo?age=44#Baz", "age", 43)).toBe(
+    "/foo?age=43#Baz"
+  );
+  expect(updateQueryStringParameter("/foo?name=Bar#Zap", "age", 43)).toBe(
+    "/foo?name=Bar&age=43#Zap"
+  );
+  expect(removeQueryStringParameter("/foo?age=44#Baz", "age")).toBe("/foo#Baz");
+  expect(removeQueryStringParameter("/foo?name=Bar#Baz", "age")).toBe(
+    "/foo?name=Bar#Baz"
+  );
+  expect(removeQueryStringParameter("/foo?name=Bar&age=45#Baz", "age")).toBe(
+    "/foo?name=Bar#Baz"
+  );
+});

package/tests/plugins.test.js

@@ -90,7 +90,7 @@ describe("Plugin Endpoints", () => {
       .expect(toInclude("testfilecontents"));
     await request(app)
       .get(
-        "/plugins/pubdeps/sbadmin2/startbootstrap-sb-admin-2-bs5/4.1.5-beta.0/css/sb-admin-2.min.css"
+        "/plugins/pubdeps/sbadmin2/startbootstrap-sb-admin-2-bs5/4.1.5-beta.4/css/sb-admin-2.min.css"
       )
       .expect(toInclude("Start Bootstrap"));
 
@@ -100,7 +100,7 @@ describe("Plugin Endpoints", () => {
       .expect(toRedirect("/plugins"));
     await request(app)
       .get(
-        "/plugins/pubdeps/sbadmin2/startbootstrap-sb-admin-2-bs5/4.1.5-beta.0/css/sb-admin-2.min.css"
+        "/plugins/pubdeps/sbadmin2/startbootstrap-sb-admin-2-bs5/4.1.5-beta.4/css/sb-admin-2.min.css"
       )
       .expect(toInclude("Start Bootstrap"));
   });

package/tests/view.test.js

@@ -82,7 +82,7 @@ describe("edit view", () => {
       .post("/view/authoredit")
       .send("author=Chekov")
 
-      .expect(toRedirect("/"));
+      .expect(toRedirect("/view/authorlist"));
   });
 });