@saltcorn/server 0.7.4 → 0.8.0-beta.1

package/auth/admin.js

@@ -5,9 +5,6 @@
  * @subcategory auth
  */
 // todo refactor to few modules + rename to be in sync with router url
-/**
- * @type {module:express-promise-router}
- */
 const Router = require("express-promise-router");
 const { contract, is } = require("contractis");
 
@@ -24,10 +21,10 @@ const {
   settingsDropdown,
   post_dropdown_item,
 } = require("@saltcorn/markup");
-const { isAdmin, setTenant, error_catcher } = require("../routes/utils");
+const { isAdmin, error_catcher } = require("../routes/utils");
 const { send_reset_email } = require("./resetpw");
 const { getState } = require("@saltcorn/data/db/state");
-const { a, div, text, span, code, h5, i, p } = require("@saltcorn/markup/tags");
+const { a, div, span, code, h5, i, p } = require("@saltcorn/markup/tags");
 const Table = require("@saltcorn/data/models/table");
 const {
   send_users_page,
@@ -38,7 +35,9 @@ const {
   is_hsts_tld,
 } = require("../markup/admin");
 const { send_verification_email } = require("@saltcorn/data/models/email");
-
+const {
+  expressionValidator,
+} = require("@saltcorn/data/models/expression");
 /**
  * @type {object}
  * @const
@@ -177,33 +176,33 @@ const user_dropdown = (user, req, can_reset) =>
       req
     ),
     can_reset &&
-      post_dropdown_item(
-        `/useradmin/reset-password/${user.id}`,
-        '<i class="fas fa-envelope"></i>&nbsp;' +
-          req.__("Send password reset email"),
-        req
-      ),
+    post_dropdown_item(
+      `/useradmin/reset-password/${user.id}`,
+      '<i class="fas fa-envelope"></i>&nbsp;' +
+      req.__("Send password reset email"),
+      req
+    ),
     can_reset &&
-      !user.verified_on &&
-      getState().getConfig("verification_view", "") &&
-      post_dropdown_item(
-        `/useradmin/send-verification/${user.id}`,
-        '<i class="fas fa-envelope"></i>&nbsp;' +
-          req.__("Send verification email"),
-        req
-      ),
+    !user.verified_on &&
+    getState().getConfig("verification_view", "") &&
+    post_dropdown_item(
+      `/useradmin/send-verification/${user.id}`,
+      '<i class="fas fa-envelope"></i>&nbsp;' +
+      req.__("Send verification email"),
+      req
+    ),
     user.disabled &&
-      post_dropdown_item(
-        `/useradmin/enable/${user.id}`,
-        '<i class="fas fa-play"></i>&nbsp;' + req.__("Enable"),
-        req
-      ),
+    post_dropdown_item(
+      `/useradmin/enable/${user.id}`,
+      '<i class="fas fa-play"></i>&nbsp;' + req.__("Enable"),
+      req
+    ),
     !user.disabled &&
-      post_dropdown_item(
-        `/useradmin/disable/${user.id}`,
-        '<i class="fas fa-pause"></i>&nbsp;' + req.__("Disable"),
-        req
-      ),
+    post_dropdown_item(
+      `/useradmin/disable/${user.id}`,
+      '<i class="fas fa-pause"></i>&nbsp;' + req.__("Disable"),
+      req
+    ),
     div({ class: "dropdown-divider" }),
     post_dropdown_item(
       `/useradmin/delete/${user.id}`,
@@ -215,6 +214,7 @@ const user_dropdown = (user, req, can_reset) =>
   ]);
 
 /**
+ * Users List (HTTP Get)
  * @name get
  * @function
  * @memberof module:auth/admin~auth/adminRouter
@@ -225,8 +225,8 @@ router.get(
   error_catcher(async (req, res) => {
     const users = await User.find({}, { orderBy: "id" });
     const roles = await User.get_roles();
-    var roleMap = {};
-    roles.forEach((r) => {
+    let roleMap = {};
+    roles.forEach(r => {
       roleMap[r.id] = r.role;
     });
     const can_reset = getState().getConfig("smtp_host", "") !== "";
@@ -257,8 +257,8 @@ router.get(
                 key: (r) =>
                   !!r.verified_on
                     ? i({
-                        class: "fas fa-check-circle text-success",
-                      })
+                      class: "fas fa-check-circle text-success",
+                    })
                     : "",
               },
               { label: req.__("Role"), key: (r) => roleMap[r.role_id] },
@@ -303,37 +303,67 @@ router.get(
 );
 
 /**
- *
+ * Authentication Setting Form
+ * @param {object} req
+ * @returns {Form}
+ */
+const auth_settings_form = async (req) =>
+    await config_fields_form({
+        req,
+        field_names: [
+            "allow_signup",
+            "login_menu",
+            "allow_forgot",
+            "new_user_form",
+            "login_form",
+            "signup_form",
+            "user_settings_form",
+            "verification_view",
+            "elevate_verified",
+            "email_mask",
+        ],
+        action: "/useradmin/settings",
+        submitLabel: req.__("Save"),
+    });
+
+/**
+ * HTTP Settings Form
+ * @param {object} req
+ * @returns {Form}
+ */
+const http_settings_form = async (req) =>
+    await config_fields_form({
+        req,
+        field_names: [
+            "timeout",
+            "cookie_duration",
+            "cookie_duration_remember",
+            "cookie_sessions",
+            "custom_http_headers",
+        ],
+        action: "/useradmin/http",
+        submitLabel: req.__("Save"),
+    });
+
+
+/**
+ * Permissions Setting Form
  * @param {object} req
  * @returns {Form}
  */
-const user_settings_form = (req) =>
-  config_fields_form({
-    req,
-    field_names: [
-      "allow_signup",
-      "login_menu",
-      "new_user_form",
-      "login_form",
-      "signup_form",
-      "user_settings_form",
-      "verification_view",
-      "elevate_verified",
-      "min_role_upload",
-      "min_role_apikeygen",
-      "timeout",
-      "email_mask",
-      "allow_forgot",
-      "cookie_duration",
-      "cookie_duration_remember",
-      "cookie_sessions",
-      "custom_http_headers",
-    ],
-    action: "/useradmin/settings",
-    submitLabel: req.__("Save"),
-  });
+const permissions_settings_form = async (req) =>
+    await config_fields_form({
+        req,
+        field_names: [
+            "min_role_upload",
+            "min_role_apikeygen",
+        ],
+        action: "/useradmin/permissions",
+        submitLabel: req.__("Save"),
+    });
 
 /**
+ * HTTP GET for /useradmin/settings
  * @name get/settings
  * @function
  * @memberof module:auth/admin~auth/adminRouter
@@ -342,7 +372,7 @@ router.get(
   "/settings",
   isAdmin,
   error_catcher(async (req, res) => {
-    const form = await user_settings_form(req);
+    const form = await auth_settings_form(req);
     send_users_page({
       res,
       req,
@@ -357,6 +387,7 @@ router.get(
 );
 
 /**
+ * HTTP POST for /useradmin/settings
  * @name post/settings
  * @function
  * @memberof module:auth/admin~auth/adminRouter
@@ -365,7 +396,7 @@ router.post(
   "/settings",
   isAdmin,
   error_catcher(async (req, res) => {
-    const form = await user_settings_form(req);
+    const form = await auth_settings_form(req);
     form.validate(req.body);
     if (form.hasErrors) {
       send_users_page({
@@ -380,7 +411,7 @@ router.post(
       });
     } else {
       await save_config_from_form(form);
-      req.flash("success", req.__("User settings updated"));
+      req.flash("success", req.__("Authentication settings updated"));
       if (!req.xhr) res.redirect("/useradmin/settings");
       else res.json({ success: "ok" });
     }
@@ -388,6 +419,119 @@ router.post(
 );
 
 /**
+ * HTTP GET for /useradmin/http
+ * @name get/settings
+ * @function
+ * @memberof module:auth/admin~auth/adminRouter
+ */
+router.get(
+    "/http",
+    isAdmin,
+    error_catcher(async (req, res) => {
+        const form = await http_settings_form(req);
+        send_users_page({
+            res,
+            req,
+            active_sub: "HTTP",
+            contents: {
+                type: "card",
+                title: req.__("HTTP settings"),
+                contents: [renderForm(form, req.csrfToken())],
+            },
+        });
+    })
+);
+
+/**
+ * HTTP POST for /useradmin/http
+ * @name post/settings
+ * @function
+ * @memberof module:auth/admin~auth/adminRouter
+ */
+router.post(
+    "/http",
+    isAdmin,
+    error_catcher(async (req, res) => {
+        const form = await http_settings_form(req);
+        form.validate(req.body);
+        if (form.hasErrors) {
+            send_users_page({
+                res,
+                req,
+                active_sub: "HTTP",
+                contents: {
+                    type: "card",
+                    title: req.__("HTTP settings"),
+                    contents: [renderForm(form, req.csrfToken())],
+                },
+            });
+        } else {
+            await save_config_from_form(form);
+            req.flash("success", req.__("HTTP settings updated"));
+            if (!req.xhr) res.redirect("/useradmin/http");
+            else res.json({ success: "ok" });
+        }
+    })
+);
+
+/**
+ * HTTP GET for /useradmin/permissions
+ * @name get/settings
+ * @function
+ * @memberof module:auth/admin~auth/adminRouter
+ */
+router.get(
+    "/permissions",
+    isAdmin,
+    error_catcher(async (req, res) => {
+        const form = await permissions_settings_form(req);
+        send_users_page({
+            res,
+            req,
+            active_sub: "Permissions",
+            contents: {
+                type: "card",
+                title: req.__("Permissions settings"),
+                contents: [renderForm(form, req.csrfToken())],
+            },
+        });
+    })
+);
+
+/**
+ * HTTP POST for /useradmin/permissions
+ * @name post/settings
+ * @function
+ * @memberof module:auth/admin~auth/adminRouter
+ */
+router.post(
+    "/permissions",
+    isAdmin,
+    error_catcher(async (req, res) => {
+        const form = await permissions_settings_form(req);
+        form.validate(req.body);
+        if (form.hasErrors) {
+            send_users_page({
+                res,
+                req,
+                active_sub: "Permissions",
+                contents: {
+                    type: "card",
+                    title: req.__("Permissions settings"),
+                    contents: [renderForm(form, req.csrfToken())],
+                },
+            });
+        } else {
+            await save_config_from_form(form);
+            req.flash("success", req.__("Permissions settings updated"));
+            if (!req.xhr) res.redirect("/useradmin/permissions");
+            else res.json({ success: "ok" });
+        }
+    })
+);
+
+/**
+ * HTTP GET for /useradmin/ssl
  * @name get/ssl
  * @function
  * @memberof module:auth/admin~auth/adminRouter
@@ -421,15 +565,15 @@ router.get(
         above: [
           ...(letsencrypt && has_custom
             ? [
-                {
-                  type: "card",
-                  contents: p(
-                    req.__(
-                      "You have enabled both Let's Encrypt certificates and custom SSL certificates. Let's Encrypt takes priority and the custom certificates will be ignored."
-                    )
-                  ),
-                },
-              ]
+              {
+                type: "card",
+                contents: p(
+                  req.__(
+                    "You have enabled both Let's Encrypt certificates and custom SSL certificates. Let's Encrypt takes priority and the custom certificates will be ignored."
+                  )
+                ),
+              },
+            ]
             : []),
           {
             type: "card",
@@ -450,33 +594,33 @@ router.get(
               ),
               letsencrypt
                 ? post_btn(
-                    "/config/delete/letsencrypt",
-                    req.__("Disable LetsEncrypt HTTPS"),
-                    req.csrfToken(),
-                    { btnClass: "btn-danger", req }
-                  )
+                  "/config/delete/letsencrypt",
+                  req.__("Disable LetsEncrypt HTTPS"),
+                  req.csrfToken(),
+                  { btnClass: "btn-danger", req }
+                )
                 : post_btn(
-                    "/admin/enable-letsencrypt",
-                    req.__("Enable LetsEncrypt HTTPS"),
-                    req.csrfToken(),
-                    { confirm: true, req }
-                  ),
+                  "/admin/enable-letsencrypt",
+                  req.__("Enable LetsEncrypt HTTPS"),
+                  req.csrfToken(),
+                  { confirm: true, req }
+                ),
               !letsencrypt &&
-                show_warning &&
-                !has_custom &&
-                div(
-                  { class: "mt-3 alert alert-danger" },
-                  p(
-                    req.__(
-                      "The address you are using to reach Saltcorn does not match the Base URL."
-                    )
-                  ),
-                  p(
-                    req.__(
-                      "The DNS A records (for * and @, or a subdomain) should point to this server's IP address before enabling LetsEncrypt"
-                    )
+              show_warning &&
+              !has_custom &&
+              div(
+                { class: "mt-3 alert alert-danger" },
+                p(
+                  req.__(
+                    "The address you are using to reach Saltcorn does not match the Base URL."
                   )
                 ),
+                p(
+                  req.__(
+                    "The DNS A records (for * and @, or a subdomain) should point to this server's IP address before enabling LetsEncrypt"
+                  )
+                )
+              ),
             ],
           },
           {
@@ -508,17 +652,19 @@ router.get(
 );
 
 /**
+ * SSL Setting form
  * @param {object} req
  * @returns {Form}
  */
-const ssl_form = (req) =>
-  config_fields_form({
-    req,
-    field_names: ["custom_ssl_certificate", "custom_ssl_private_key"],
-    action: "/useradmin/ssl/custom",
-  });
+const ssl_form = async (req) =>
+    await config_fields_form({
+        req,
+        field_names: ["custom_ssl_certificate", "custom_ssl_private_key"],
+        action: "/useradmin/ssl/custom",
+    });
 
 /**
+ * HTTP GET for /useradmin/ssl/custom
  * @name get/ssl/custom
  * @function
  * @memberof module:auth/admin~auth/adminRouter
@@ -543,6 +689,7 @@ router.get(
 );
 
 /**
+ * HTTP POST for /useradmin/ssl/custom
  * @name post/ssl/custom
  * @function
  * @memberof module:auth/admin~auth/adminRouter
@@ -570,8 +717,8 @@ router.post(
       req.flash(
         "success",
         req.__("Custom SSL enabled. Restart for changes to take effect.") +
-          " " +
-          a({ href: "/admin/system" }, req.__("Restart here"))
+        " " +
+        a({ href: "/admin/system" }, req.__("Restart here"))
       );
       if (!req.xhr) {
         res.redirect("/useradmin/ssl");
@@ -580,6 +727,104 @@ router.post(
   })
 );
 
+/**
+ * HTTP GET for /useradmin/table-access
+ * @name get/ssl/custom
+ * @function
+ * @memberof module:auth/admin~auth/adminRouter
+ */
+router.get(
+  "/table-access",
+  isAdmin,
+  error_catcher(async (req, res) => {
+    const tables = await Table.find()
+    const roleOptions = (await User.get_roles()).map((r) => ({
+      value: r.id,
+      label: r.role,
+    }));
+
+    const contents = []
+    for (const table of tables) {
+      if (table.external) continue
+      const fields = await table.getFields();
+      const userFields = fields
+        .filter((f) => f.reftable_name === "users")
+        .map((f) => ({ value: f.id, label: f.name }));
+      const form = new Form({
+        action: "/table",
+        noSubmitButton: true,
+        onChange: "saveAndContinue(this)",
+        fields: [
+          {
+            label: req.__("Ownership field"),
+            name: "ownership_field_id",
+            sublabel: req.__(
+              "The user referred to in this field will be the owner of the row"
+            ),
+            input_type: "select",
+            options: [
+              { value: "", label: req.__("None") },
+              ...userFields,
+              { value: "_formula", label: req.__("Formula") },
+            ],
+          },
+          {
+            name: "ownership_formula",
+            label: req.__("Ownership formula"),
+            validator: expressionValidator,
+            type: "String",
+            class: "validate-expression",
+            sublabel:
+              req.__("User is treated as owner if true. In scope: ") +
+              ["user", ...fields.map((f) => f.name)]
+                .map((fn) => code(fn))
+                .join(", "),
+            showIf: { ownership_field_id: "_formula" },
+          },
+          {
+            label: req.__("Minimum role to read"),
+            sublabel: req.__(
+              "User must have this role or higher to read rows from the table, unless they are the owner"
+            ),
+            name: "min_role_read",
+            input_type: "select",
+            options: roleOptions,
+            attributes: { asideNext: true }
+          },
+          {
+            label: req.__("Minimum role to write"),
+            name: "min_role_write",
+            input_type: "select",
+            sublabel: req.__(
+              "User must have this role or higher to edit or create new rows in the table, unless they are the owner"
+            ),
+            options: roleOptions,
+          },
+        ]
+      })
+      form.hidden("id", "name");
+      form.values = table
+      if (table.ownership_formula && !table.ownership_field_id)
+        form.values.ownership_field_id = "_formula";
+      contents.push(div(
+        h5(a({ href: `/table/${table.id}` }, table.name)),
+        renderForm(form, req.csrfToken())
+      ))
+    }
+    send_users_page({
+      res,
+      req,
+      active_sub: "Table access",
+      contents: {
+        type: "card",
+        title: req.__("Table access"),
+        contents
+      },
+    });
+  })
+);
+
+
 /**
  * @name get/:id
  * @function
@@ -613,9 +858,9 @@ router.get(
               div(
                 user.api_token
                   ? span(
-                      { class: "me-1" },
-                      req.__("API token for this user: ")
-                    ) + code(user.api_token)
+                    { class: "me-1" },
+                    req.__("API token for this user: ")
+                  ) + code(user.api_token)
                   : req.__("No API token issued")
               ),
               // button for reset or generate api token
@@ -629,16 +874,16 @@ router.get(
               ),
               // button for remove api token
               user.api_token &&
-                div(
-                  { class: "mt-4 ms-2 d-inline-block" },
-                  post_btn(
-                    `/useradmin/remove-api-token/${user.id}`,
-                    // TBD localization
-                    user.api_token ? req.__("Remove") : req.__("Generate"),
-                    req.csrfToken(),
-                    { req: req, confirm: true }
-                  )
-                ),
+              div(
+                { class: "mt-4 ms-2 d-inline-block" },
+                post_btn(
+                  `/useradmin/remove-api-token/${user.id}`,
+                  // TBD localization
+                  user.api_token ? req.__("Remove") : req.__("Generate"),
+                  req.csrfToken(),
+                  { req: req, confirm: true }
+                )
+              ),
             ],
           },
         ],
@@ -707,7 +952,7 @@ router.post(
         role_id: +role_id,
         ...rest,
       });
-      // refactored to catch user errors errors and stop processing if any errors
+      // refactored to catch user errors and stop processing if any errors
       if (u.error) {
         req.flash("error", u.error); // todo change to prompt near field like done for views
         // todo return to create user form
@@ -727,7 +972,7 @@ router.post(
 );
 
 /**
- * Reset password for yser
+ * Reset password for user
  * @name post/reset-password/:id
  * @function
  * @memberof module:auth/admin~auth/adminRouter
@@ -757,8 +1002,13 @@ router.post(
   error_catcher(async (req, res) => {
     const { id } = req.params;
     const u = await User.findOne({ id });
-    const result = await send_verification_email(u);
-    if (result.error) req.flash("danger", result.error);
+    // todo add test case
+    const result = await send_verification_email(u, req);
+    if (result.error)
+        req.flash(
+            "danger",
+            req.__(`Verification email sender error:`, result.error)
+        );
     else
       req.flash(
         "success",