@saltcorn/server 0.8.3-alpha.1 → 0.8.3-beta.0

package/auth/admin.js

@@ -354,6 +354,7 @@ const permissions_settings_form = async (req) =>
     field_names: [
       "min_role_upload",
       "min_role_apikeygen",
+      "min_role_search",
       //hidden            "exttables_min_role_read",
     ],
     action: "/useradmin/permissions",
@@ -1101,7 +1102,7 @@ router.post(
     const { id } = req.params;
     const u = await User.findOne({ id });
     if (u) {
-      u.relogin(req);
+      await u.relogin(req);
       req.flash(
         "success",
         req.__(

package/auth/routes.js

@@ -17,6 +17,7 @@ const {
   loggedIn,
   csrfField,
   setTenant,
+  is_relative_url,
 } = require("../routes/utils.js");
 const { getState } = require("@saltcorn/data/db/state");
 const { send_reset_email } = require("./resetpw");
@@ -323,18 +324,21 @@ router.get("/logout", async (req, res, next) => {
     await user.updateLastMobileLogin(null);
     res.json({ success: true });
   } else if (req.logout) {
-    req.logout();
-    if (req.session.destroy)
-      req.session.destroy((err) => {
-        if (err) return next(err);
-        req.logout();
-        res.redirect("/auth/login");
-      });
-    else {
-      req.logout();
-      req.session = null;
-      res.redirect("/auth/login");
-    }
+    req.logout(function (err) {
+      if (req.session.destroy)
+        req.session.destroy((err) => {
+          if (err) return next(err);
+          req.logout(() => {
+            res.redirect("/auth/login");
+          });
+        });
+      else {
+        req.logout(function (err) {
+          req.session = null;
+          res.redirect("/auth/login");
+        });
+      }
+    });
   }
 });
 
@@ -392,7 +396,7 @@ router.get(
     else if (result) {
       req.flash("success", req.__("Email verified"));
       const u = await User.findForSession({ email });
-      if (u) u.relogin(req);
+      if (u) await u.relogin(req);
     }
     res.redirect("/");
   })
@@ -1075,7 +1079,7 @@ router.post(
     }
     if (getState().get2FApolicy(req.user) === "Mandatory") {
       res.redirect("/auth/twofa/setup/totp");
-    } else if (req.body.dest) {
+    } else if (req.body.dest && is_relative_url(req.body.dest)) {
       res.redirect(decodeURIComponent(req.body.dest));
     } else res.redirect("/");
   })
@@ -1129,7 +1133,6 @@ router.post(
   error_catcher(async (req, res, next) => {
     const { method } = req.params;
     const auth = getState().auth_methods[method];
-    console.log(method, auth);
     if (auth) {
       passport.authenticate(method, auth.parameters)(
         req,
@@ -1446,15 +1449,15 @@ router.get(
   error_catcher(async (req, res) => {
     const user = await User.findOne({ id: req.user.id });
     if (!user) {
-      req.logout();
-      req.flash("danger", req.__("Must be logged in first"));
-      res.redirect("/auth/login");
-      return;
-    }
-    res.sendWrap(
-      req.__("User settings") || "User settings",
-      await userSettings({ req, res, pwform: changPwForm(req), user })
-    );
+      req.logout(() => {
+        req.flash("danger", req.__("Must be logged in first"));
+        res.redirect("/auth/login");
+      });
+    } else
+      res.sendWrap(
+        req.__("User settings") || "User settings",
+        await userSettings({ req, res, pwform: changPwForm(req), user })
+      );
   })
 );
 
@@ -1616,7 +1619,7 @@ router.all(
       const user = await User.findForSession({ id: req.user.id });
       await user.set_to_verified();
       req.flash("success", req.__("User verified"));
-      user.relogin(req);
+      await user.relogin(req);
     }
     if (wfres.verified === false) {
       req.flash("danger", req.__("User verification failed"));
@@ -1843,7 +1846,7 @@ router.post(
   }),
   error_catcher(async (req, res) => {
     const user = await User.findForSession({ id: req.user.pending_user.id });
-    user.relogin(req);
+    await user.relogin(req);
     Trigger.emitEvent("Login", null, user);
     res.redirect("/");
   })

package/auth/testhelp.js

@@ -65,6 +65,29 @@ const toSucceed =
     }
   };
 
+/**
+ *
+ * @param {number} expCode
+ * @returns {void}
+ * @throws {Error}
+ */
+const toSucceedWithImage =
+  ({ expCode = 200, lengthIs }) =>
+  (res) => {
+    if (res.statusCode !== expCode) {
+      console.log(res.text);
+      throw new Error(`Expected status ${expCode}, received ${res.statusCode}`);
+    }
+    if (res.type.split("/")[0] !== "image") {
+      throw new Error(`Expected response type image/*, received ${res.type}`);
+    }
+    if (lengthIs && !lengthIs(res.body.length)) {
+      throw new Error(
+        `Image response not accepted. Length not satisfied. Received ${res.body.length} bytes`
+      );
+    }
+  };
+
 /**
  *
  * @param {number} txt
@@ -209,4 +232,6 @@ module.exports = {
   succeedJsonWith,
   notAuthorized,
   respondJsonWith,
+  toSucceedWithImage,
+  resToLoginCookie,
 };

package/load_plugins.js

@@ -56,13 +56,17 @@ const defaultManager = new PluginManager({
  * @param force - force flag
  */
 const loadPlugin = async (plugin, force) => {
-  // load pluging
+  // load plugin
   const res = await requirePlugin(plugin, force);
+  const configuration =
+    typeof plugin.configuration === "string"
+      ? JSON.parse(plugin.configuration)
+      : plugin.configuration;
   // register plugin
   getState().registerPlugin(
     res.plugin_module.plugin_name || plugin.name,
     res.plugin_module,
-    plugin.configuration,
+    configuration,
     res.location,
     res.name
   );

package/locales/da.json

@@ -558,5 +558,130 @@
 	"List options": "List options",
 	"Modules": "Modules",
 	"File not found": "File not found",
-	"Welcome, %s!": "Welcome, %s!"
+	"Welcome, %s!": "Welcome, %s!",
+	"CSV upload": "CSV upload",
+	"Upload file(s)": "Upload file(s)",
+	"API token": "API token",
+	"No API token issued": "No API token issued",
+	"Generate": "Generate",
+	"Two-factor authentication": "Two-factor authentication",
+	"Two-factor authentication is disabled": "Two-factor authentication is disabled",
+	"Enable TWA": "Enable TWA",
+	"Pattern": "Pattern",
+	"You have views with a role to access lower than the table role to read, with no table ownership. This may cause a denial of access. Users need to have table read access to any data displayed.": "You have views with a role to access lower than the table role to read, with no table ownership. This may cause a denial of access. Users need to have table read access to any data displayed.",
+	"Views potentially affected": "Views potentially affected",
+	"History": "History",
+	"External": "External",
+	"Discover tables that are already in the Database, but not known to Saltcorn": "Discover tables that are already in the Database, but not known to Saltcorn",
+	"Forget table": "Forget table",
+	"Ownership field": "Ownership field",
+	"The user referred to in this field will be the owner of the row": "The user referred to in this field will be the owner of the row",
+	"None": "None",
+	"Ownership formula": "Ownership formula",
+	"User is treated as owner if true. In scope: ": "User is treated as owner if true. In scope: ",
+	"User group": "User group",
+	"Add relations to this table in dropdown options for ownership field": "Add relations to this table in dropdown options for ownership field",
+	"User must have this role or higher to read rows from the table, unless they are the owner": "User must have this role or higher to read rows from the table, unless they are the owner",
+	"User must have this role or higher to edit or create new rows in the table, unless they are the owner": "User must have this role or higher to edit or create new rows in the table, unless they are the owner",
+	"Edit properties": "Edit properties",
+	"Preset %s": "Preset %s",
+	"%s configuration": "%s configuration",
+	"Module Store endpoint": "Module Store endpoint",
+	"The endpoint of plugins store.": "The endpoint of plugins store.",
+	"Packs Store endpoint": "Packs Store endpoint",
+	"The endpoint of packs store.": "The endpoint of packs store.",
+	"Mobile app": "Mobile app",
+	"Backup now": "Backup now",
+	"Frequency": "Frequency",
+	"Destination": "Destination",
+	"Directory": "Directory",
+	"Expiration in days": "Expiration in days",
+	"Delete old backup files in this directory after the set number of days": "Delete old backup files in this directory after the set number of days",
+	"Snapshot now": "Snapshot now",
+	"Periodic snapshots enabled": "Periodic snapshots enabled",
+	"Snapshot will be made every hour if there are changes": "Snapshot will be made every hour if there are changes",
+	"Manual backup": "Manual backup",
+	"Automated backup": "Automated backup",
+	"Restore/download automated backups »": "Restore/download automated backups »",
+	"Snapshots": "Snapshots",
+	"Snapshots store your application structure and definition, without the table data. Individual views and pages can be restored from snapshots from the <a href='/viewedit'>view</a> or <a href='/pageedit'>pages</a> overviews (\"Restore\" from individual page or view dropdowns).": "Snapshots store your application structure and definition, without the table data. Individual views and pages can be restored from snapshots from the <a href='/viewedit'>view</a> or <a href='/pageedit'>pages</a> overviews (\"Restore\" from individual page or view dropdowns).",
+	"List/download snapshots &raquo;": "List/download snapshots &raquo;",
+	"Configuration check": "Configuration check",
+	"Check for updates": "Check for updates",
+	"Database type": "Database type",
+	"Database host": "Database host",
+	"Database port": "Database port",
+	"Database name": "Database name",
+	"Database user": "Database user",
+	"Database schema": "Database schema",
+	"Build mobile app": "Build mobile app",
+	"Entry point": "Entry point",
+	"Platform": "Platform",
+	"docker": "docker",
+	"android": "android",
+	"iOS": "iOS",
+	"App file": "App file",
+	"Server URL": "Server URL",
+	"Log client errors": "Log client errors",
+	"Record all client errors in the crash log": "Record all client errors in the crash log",
+	"System logging verbosity": "System logging verbosity",
+	"NPM packages in code": "NPM packages in code",
+	"Comma-separated list of packages which will be available in JavaScript actions": "Comma-separated list of packages which will be available in JavaScript actions",
+	"Development settings": "Development settings",
+	"Module store": "Module store",
+	"Upgrading modules...": "Upgrading modules...",
+	"Upgrade installed modules": "Upgrade installed modules",
+	"Add another module": "Add another module",
+	"Module": "Module",
+	"Become user": "Become user",
+	"Send password reset email": "Send password reset email",
+	"Login and Signup": "Login and Signup",
+	"Table access": "Table access",
+	"HTTP": "HTTP",
+	"Permissions": "Permissions",
+	"2FA policy": "2FA policy",
+	"Cookie duration (hours)": "Cookie duration (hours)",
+	"Set to 0 for expiration at the end of browser session": "Set to 0 for expiration at the end of browser session",
+	"Cookie duration (hours) when remember ticked": "Cookie duration (hours) when remember ticked",
+	"Public cache TTL (minutes)": "Public cache TTL (minutes)",
+	"Cache-control max-age for public views and pages. 0 to disable": "Cache-control max-age for public views and pages. 0 to disable",
+	"HTTP settings": "HTTP settings",
+	"Role to generate API keys": "Role to generate API keys",
+	"User should have this role or higher to generate API keys in their user settings": "User should have this role or higher to generate API keys in their user settings",
+	"Role for search": "Role for search",
+	"Min role to access search page": "Min role to access search page",
+	"Permissions settings": "Permissions settings",
+	"Update": "Update",
+	"Add": "Add",
+	"Recalculate dynamic": "Recalculate dynamic",
+	"Order field": "Order field",
+	"Section field": "Section field",
+	"Optional. String type with options, each of which will become a menu section": "Optional. String type with options, each of which will become a menu section",
+	"Label formula": "Label formula",
+	"URL formula": "URL formula",
+	"Include formula": "Include formula",
+	"If specified, only include in menu rows that evaluate to true": "If specified, only include in menu rows that evaluate to true",
+	"Location": "Location",
+	"Not all themes support all locations": "Not all themes support all locations",
+	"Library": "Library",
+	"Tags": "Tags",
+	"Diagram": "Diagram",
+	"Library: component assemblies that can be used in the builder": "Library: component assemblies that can be used in the builder",
+	"Creator email": "Creator email",
+	"Created": "Created",
+	"Create tenant warning text": "Create tenant warning text",
+	"Provide your own create warning text if need": "Provide your own create warning text if need",
+	"New tenant template": "New tenant template",
+	"Copy site structure for new tenants from this tenant": "Copy site structure for new tenants from this tenant",
+	"Tagname": "Tagname",
+	"Create tag": "Create tag",
+	"Application diagram": "Application diagram",
+	"Trigger": "Trigger",
+	"All entities": "All entities",
+	"no tags": "no tags",
+	"Add tag": "Add tag",
+	"Pages are the web pages of your application built with a drag-and-drop builder. They have static content, and by embedding views, dynamic content.": "Pages are the web pages of your application built with a drag-and-drop builder. They have static content, and by embedding views, dynamic content.",
+	"Triggers run actions in response to events.": "Triggers run actions in response to events.",
+	"No triggers": "No triggers",
+	"Code": "Code"
 }

package/locales/en.json

@@ -1086,5 +1086,12 @@
 	"Views potentially affected": "Views potentially affected",
 	"Empty view": "Empty view",
 	"A view that will be shown only if there are no tables rows to show": "A view that will be shown only if there are no tables rows to show",
-	"Calculated field will be stored in Database": "Calculated field will be stored in Database"
+	"Calculated field will be stored in Database": "Calculated field will be stored in Database",
+	"Set Email": "Set Email",
+	"Please enter your email address": "Please enter your email address",
+	"Role for search": "Role for search",
+	"Min role to access search page": "Min role to access search page",
+	"Update": "Update",
+	"Add": "Add",
+	"Recalculate dynamic": "Recalculate dynamic"
 }

package/locales/ru.json

@@ -968,5 +968,10 @@
 	"Defines how long to wait for data before aborting file upload. Set to 0 if you want to turn off timeout checks. ": "Определяет максимальный допустимый интервал времени ожидания загрузки данных файла. 0 отключает проверку. ",
 	"User group": "Группа пользователей",
 	"Add relations to this table in dropdown options for ownership field": "Добавить связь с этой таблицей в выбор опций для поля Владельца ",
-	"Calculated field will be stored in Database": "Вычисляемое будет сохранено в базе данных"
+	"Calculated field will be stored in Database": "Вычисляемое будет сохранено в базе данных",
+	"Save indicator": "Индикатор сохранения",
+	"%s configuration": "%s конфигурация",
+	"Show only matches in table:": "Показывать только совпадения в таблице:",
+	"Role for search": "Роль для поиска",
+	"Min role to access search page": "Минимальная роль для доступа к странице поиска"
 }

package/package.json

@@ -1,18 +1,18 @@
 {
   "name": "@saltcorn/server",
-  "version": "0.8.3-alpha.1",
+  "version": "0.8.3-beta.0",
   "description": "Server app for Saltcorn, open-source no-code platform",
   "homepage": "https://saltcorn.com",
   "main": "index.js",
   "license": "MIT",
   "dependencies": {
-    "@saltcorn/base-plugin": "0.8.3-alpha.1",
-    "@saltcorn/builder": "0.8.3-alpha.1",
-    "@saltcorn/data": "0.8.3-alpha.1",
-    "@saltcorn/admin-models": "0.8.3-alpha.1",
-    "@saltcorn/filemanager": "0.8.3-alpha.1",
-    "@saltcorn/markup": "0.8.3-alpha.1",
-    "@saltcorn/sbadmin2": "0.8.3-alpha.1",
+    "@saltcorn/base-plugin": "0.8.3-beta.0",
+    "@saltcorn/builder": "0.8.3-beta.0",
+    "@saltcorn/data": "0.8.3-beta.0",
+    "@saltcorn/admin-models": "0.8.3-beta.0",
+    "@saltcorn/filemanager": "0.8.3-beta.0",
+    "@saltcorn/markup": "0.8.3-beta.0",
+    "@saltcorn/sbadmin2": "0.8.3-beta.0",
     "@socket.io/cluster-adapter": "^0.1.0",
     "@socket.io/sticky": "^1.0.1",
     "aws-sdk": "^2.1037.0",
@@ -35,22 +35,22 @@
     "i18n": "^0.14.0",
     "jsonwebtoken": "^9.0.0",
     "live-plugin-manager": "^0.16.0",
-    "moment": "^2.27.0",
-    "multer": "^1.4.3",
+    "moment": "^2.29.4",
+    "multer": "1.4.5-lts.1",
     "multer-s3": "^2.10.0",
-    "node-fetch": "2.6.2",
+    "node-fetch": "2.6.9",
     "node-watch": "^0.7.2",
     "notp": "2.0.3",
-    "passport": "^0.4.1",
+    "passport": "^0.6.0",
     "passport-custom": "^1.1.1",
     "passport-http-bearer": "^1.0.1",
     "passport-jwt": "4.0.1",
     "passport-totp": "0.0.2",
     "pg": "^8.2.1",
     "pluralize": "^8.0.0",
-    "qrcode": "1.5.0",
-    "resize-with-sharp-or-jimp": "0.1.5",
-    "socket.io": "4.2.0",
+    "qrcode": "1.5.1",
+    "resize-with-sharp-or-jimp": "0.1.6",
+    "socket.io": "4.6.0",
     "thirty-two": "1.0.2",
     "tmp-promise": "^3.0.2",
     "uuid": "^8.2.0",
@@ -64,7 +64,7 @@
   "devDependencies": {
     "jest": "26.6.3",
     "jest-environment-jsdom": "^26.6.2",
-    "supertest": "^4.0.2"
+    "supertest": "^6.3.3"
   },
   "scripts": {
     "dev": "nodemon index.js",

package/routes/actions.js

@@ -5,7 +5,12 @@
  * @subcategory routes
  */
 const Router = require("express-promise-router");
-const { isAdmin, error_catcher, addOnDoneRedirect } = require("./utils.js");
+const {
+  isAdmin,
+  error_catcher,
+  addOnDoneRedirect,
+  is_relative_url,
+} = require("./utils.js");
 const { getState } = require("@saltcorn/data/db/state");
 const Trigger = require("@saltcorn/data/models/trigger");
 const { getTriggerList } = require("./common_lists");
@@ -524,7 +529,8 @@ router.post(
       }
       req.flash("success", "Action configuration saved");
       res.redirect(
-        req.query.on_done_redirect
+        req.query.on_done_redirect &&
+          is_relative_url(req.query.on_done_redirect)
           ? `/${req.query.on_done_redirect}`
           : "/actions/"
       );

package/routes/admin.js

@@ -603,7 +603,7 @@ router.post(
         snap.created
       ).fromNow()}`
     );
-    res.redirect(`/${type}edit`);
+    res.redirect(/^[a-z]+$/g.test(type) ? `/${type}edit` : "/");
   })
 );
 router.get(
@@ -1820,18 +1820,21 @@ router.post(
       await db.deleteWhere("users");
       await db.deleteWhere("_sc_roles", { not: { id: { in: [1, 4, 8, 10] } } });
       if (db.reset_sequence) await db.reset_sequence("users");
-      req.logout();
-      if (req.session.destroy)
-        req.session.destroy((err) => {
-          req.logout();
-        });
-      else {
-        req.logout();
-        req.session = null;
-      }
-      // todo make configurable - redirect to create first user
-      // redirect to create first user
-      res.redirect(`/auth/create_first_user`);
+      req.logout(function (err) {
+        if (req.session.destroy)
+          req.session.destroy((err) => {
+            req.logout(() => {
+              res.redirect(`/auth/create_first_user`);
+            });
+          });
+        else {
+          req.logout(() => {
+            req.session = null; // todo make configurable - redirect to create first user
+            // redirect to create first user
+            res.redirect(`/auth/create_first_user`);
+          });
+        }
+      });
     } else {
       req.flash(
         "success",

package/routes/api.js

@@ -147,7 +147,7 @@ router.post(
           (await view.authorise_get({ req, ...view })) // TODO set query to state
         ) {
           const queries = view.queries(false, req);
-          if (queries[queryName]) {
+          if (Object.prototype.hasOwnProperty.call(queries, queryName)) {
             const { args } = req.body;
             const resp = await queries[queryName](...args, true);
             res.json({ success: resp, alerts: getFlashes(req) });

package/routes/delete.js

@@ -6,7 +6,7 @@
 
 const Router = require("express-promise-router");
 
-const { error_catcher } = require("./utils.js");
+const { error_catcher, is_relative_url } = require("./utils.js");
 const Table = require("@saltcorn/data/models/table");
 
 /**
@@ -52,6 +52,9 @@ router.post(
       req.flash("error", e.message);
     }
     if (req.xhr) res.send("OK");
-    else res.redirect(redirect || `/list/${table.name}`);
+    else
+      res.redirect(
+        (is_relative_url(redirect) && redirect) || `/list/${table.name}`
+      );
   })
 );

package/routes/edit.js

@@ -6,7 +6,7 @@
 
 const Router = require("express-promise-router");
 
-const { error_catcher } = require("./utils.js");
+const { error_catcher, is_relative_url } = require("./utils.js");
 const Table = require("@saltcorn/data/models/table");
 
 /**
@@ -32,15 +32,23 @@ router.post(
     const { redirect } = req.query;
     // todo check that works after where change
     const table = await Table.findOne({ name: tableName });
-    const role = req.user && req.user.id ? req.user.role_id : 10;
-    if (role <= table.min_role_write) await table.toggleBool(+id, field_name);
-    else
-      req.flash(
-        "error",
-        req.__("Not allowed to write to table %s", table.name)
+
+    const row = await table.getRow(
+      { [table.pk_name]: id },
+      { forUser: req.user, forPublic: !req.user }
+    );
+    if (row)
+      await table.updateRow(
+        { [field_name]: !row[field_name] },
+        id,
+        req.user || { role_id: 10 }
       );
+
     if (req.xhr) res.send("OK");
     else if (req.get("referer")) res.redirect(req.get("referer"));
-    else res.redirect(redirect || `/list/${table.name}`);
+    else
+      res.redirect(
+        (is_relative_url(redirect) && redirect) || `/list/${table.name}`
+      );
   })
 );

package/routes/fields.js

@@ -137,9 +137,7 @@ const fieldForm = async (req, fkey_opts, existing_names, id, hasData) => {
       new Field({
         label: req.__("Stored"),
         name: "stored",
-        sublabel: req.__(
-            "Calculated field will be stored in Database"
-        ),
+        sublabel: req.__("Calculated field will be stored in Database"),
         type: "Bool",
         disabled: !!id,
         showIf: { calculated: true },
@@ -927,16 +925,25 @@ router.post(
       res.send("");
       return;
     }
+    const firefox = /firefox/i.test(req.headers["user-agent"]);
     const fv = fieldviews[fieldview];
     if (!fv && field.type === "Key" && fieldview === "select")
-      res.send(`<input readonly class="form-control form-select"></input>`);
+      res.send(
+        `<input ${
+          firefox ? "readonly" : "disabled"
+        } class="form-control form-select"></input>`
+      );
     else if (!fv) res.send("");
     else if (fv.isEdit || fv.isFilter)
       res.send(
         fv.run(
           field.name,
           undefined,
-          { readonly: true, ...configuration, ...(field.attributes || {}) },
+          {
+            ...(firefox ? { readonly: true } : { disabled: true }),
+            ...configuration,
+            ...(field.attributes || {}),
+          },
           "",
           false,
           field

package/routes/pageedit.js

@@ -21,7 +21,12 @@ const { add_to_menu } = require("@saltcorn/admin-models/models/pack");
 const db = require("@saltcorn/data/db");
 const { getPageList } = require("./common_lists");
 
-const { isAdmin, error_catcher, addOnDoneRedirect } = require("./utils.js");
+const {
+  isAdmin,
+  error_catcher,
+  addOnDoneRedirect,
+  is_relative_url,
+} = require("./utils.js");
 const {
   mkTable,
   renderForm,
@@ -422,9 +427,10 @@ router.post(
   error_catcher(async (req, res) => {
     const { pagename } = req.params;
 
-    let redirectTarget = req.query.on_done_redirect
-      ? `/${req.query.on_done_redirect}`
-      : "/pageedit";
+    let redirectTarget =
+      req.query.on_done_redirect && is_relative_url(req.query.on_done_redirect)
+        ? `/${req.query.on_done_redirect}`
+        : "/pageedit";
     const page = await Page.findOne({ name: pagename });
     if (!page) {
       req.flash("error", req.__(`Page %s not found`, pagename));

package/routes/search.js

@@ -28,16 +28,17 @@ const router = new Router();
 module.exports = router;
 
 /**
+ * Search Configuration form
  * @param {object[]} tables
  * @param {object[]} views
  * @param {object} req
  * @returns {Forms}
  */
 const searchConfigForm = (tables, views, req) => {
-  var fields = [];
-  var tbls_noviews = [];
+  let fields = [];
+  let tbls_noviews = [];
   for (const t of tables) {
-    var ok_views = views.filter(
+    const ok_views = views.filter(
       (v) =>
         v.table_id === t.id && v.viewtemplateObj && v.viewtemplateObj.runMany
     );
@@ -70,6 +71,7 @@ const searchConfigForm = (tables, views, req) => {
 };
 
 /**
+ * Show config on GET
  * @name get/config
  * @function
  * @memberof module:routes/search~searchRouter
@@ -79,7 +81,7 @@ router.get(
   "/config",
   isAdmin,
   error_catcher(async (req, res) => {
-    var views = await View.find({}, { orderBy: "name" });
+    const views = await View.find({}, { orderBy: "name" });
     const tables = await Table.find();
     const form = searchConfigForm(tables, views, req);
     form.values = getState().getConfig("globalSearch");
@@ -98,6 +100,7 @@ router.get(
 );
 
 /**
+ * Execute config update
  * @name post/config
  * @function
  * @memberof module:routes/search~searchRouter
@@ -107,7 +110,7 @@ router.post(
   "/config",
   isAdmin,
   error_catcher(async (req, res) => {
-    var views = await View.find({}, { orderBy: "name" });
+    const views = await View.find({}, { orderBy: "name" });
     const tables = await Table.find();
     const form = searchConfigForm(tables, views, req);
     const result = form.validate(req.body);
@@ -132,6 +135,7 @@ router.post(
 );
 
 /**
+ * Search form
  * @returns {Form}
  */
 const searchForm = () =>
@@ -150,6 +154,7 @@ const searchForm = () =>
   });
 
 /**
+ * Run search
  * @param {object} opts
  * @param {*} opts.q
  * @param {*} opts._page
@@ -161,7 +166,9 @@ const searchForm = () =>
  */
 const runSearch = async ({ q, _page, table }, req, res) => {
   const role = (req.user || {}).role_id || 10;
+  // globalSearch contains list of pairs: table, view
   const cfg = getState().getConfig("globalSearch");
+  const page_size = getState().getConfig("search_page_size");
 
   if (!cfg) {
     req.flash("warning", req.__("Search not configured"));
@@ -169,7 +176,7 @@ const runSearch = async ({ q, _page, table }, req, res) => {
     return;
   }
   const current_page = parseInt(_page) || 1;
-  const offset = (current_page - 1) * 20;
+  const offset = (current_page - 1) * page_size;
   let resp = [];
   let tablesWithResults = [];
   let tablesConfigured = 0;
@@ -182,18 +189,19 @@ const runSearch = async ({ q, _page, table }, req, res) => {
       throw new InvalidConfiguration(
         `View ${viewName} selected as search results for ${tableName}: view not found`
       );
+    // search table using view
     const vresps = await view.runMany(
       { _fts: q },
-      { res, req, limit: 20, offset }
+      { res, req, limit: page_size, offset }
     );
     let paginate = "";
-    if (vresps.length === 20 || current_page > 1) {
+    if (vresps.length === page_size || current_page > 1) {
       paginate = pagination({
         current_page,
-        pages: current_page + (vresps.length === 20 ? 1 : 0),
-        trailing_ellipsis: vresps.length === 20,
+        pages: current_page + (vresps.length === page_size ? 1 : 0),
+        trailing_ellipsis: vresps.length === page_size,
         get_page_link: (n) =>
-          `javascript:gopage(${n}, 20, undefined, {table:'${tableName}'})`,
+          `javascript:gopage(${n}, ${page_size}, undefined, {table:'${tableName}'})`,
       });
     }
 
@@ -207,9 +215,11 @@ const runSearch = async ({ q, _page, table }, req, res) => {
     }
   }
 
+  // Prepare search form
   const form = searchForm();
   form.validate({ q });
 
+  // Prepare search result visualization
   const searchResult =
     resp.length === 0
       ? [{ type: "card", contents: req.__("Not found") }]
@@ -250,6 +260,7 @@ const runSearch = async ({ q, _page, table }, req, res) => {
 };
 
 /**
+ * Execute search or only show search form
  * @name get
  * @function
  * @memberof module:routes/search~searchRouter
@@ -258,6 +269,14 @@ const runSearch = async ({ q, _page, table }, req, res) => {
 router.get(
   "/",
   error_catcher(async (req, res) => {
+
+    const min_role = getState().getConfig("min_role_search");
+    const role = (req.user || {}).role_id || 10;
+    if(role>min_role){
+      res.redirect("/"); // silent redirect to home page
+      return;
+    }
+
     if (req.query && req.query.q) {
       await runSearch(req.query, req, res);
     } else {

package/routes/utils.js

@@ -295,6 +295,11 @@ const addOnDoneRedirect = (oldPath, req) => {
   return oldPath;
 };
 
+//https://stackoverflow.com/a/38979205/19839414
+const is_relative_url = (url) => {
+  return typeof url === "string" && !url.includes(":/") && !url.includes("//");
+};
+
 module.exports = {
   sqlsanitize,
   csrfField,
@@ -308,4 +313,5 @@ module.exports = {
   setTenant,
   get_tenant_from_req,
   addOnDoneRedirect,
+  is_relative_url,
 };

package/tests/auth.test.js

@@ -12,6 +12,7 @@ const {
   toSucceed,
   resetToFixtures,
   toNotInclude,
+  resToLoginCookie,
 } = require("../auth/testhelp");
 const db = require("@saltcorn/data/db");
 const { getState } = require("@saltcorn/data/db/state");
@@ -99,14 +100,15 @@ describe("user settings", () => {
   it("should change language", async () => {
     const app = await getApp({ disableCsrf: true });
     const loginCookie = await getAdminLoginCookie();
-    await request(app)
+    const res = await request(app)
       .post("/auth/setlanguage")
       .set("Cookie", loginCookie)
       .send("locale=it")
       .expect(toRedirect("/auth/settings"));
+    const newCookie = resToLoginCookie(res);
     await request(app)
       .get("/auth/settings")
-      .set("Cookie", loginCookie)
+      .set("Cookie", newCookie)
       .expect(toInclude("Cambia password"));
   });
 });

package/tests/files.test.js

@@ -9,9 +9,11 @@ const {
   toSucceed,
   toNotInclude,
   resetToFixtures,
+  toSucceedWithImage,
 } = require("../auth/testhelp");
 const db = require("@saltcorn/data/db");
 const fs = require("fs").promises;
+const path = require("path");
 const File = require("@saltcorn/data/models/file");
 const Field = require("@saltcorn/data/models/field");
 const Table = require("@saltcorn/data/models/table");
@@ -20,14 +22,31 @@ const { table } = require("console");
 
 beforeAll(async () => {
   await resetToFixtures();
-  const mv = async (fnm) => {
-    await fs.writeFile(fnm, "nevergonnagiveyouup");
-  };
+  await File.ensure_file_store();
   await File.from_req_files(
-    { mimetype: "image/png", name: "rick.png", mv, size: 245752 },
+    {
+      mimetype: "image/png",
+      name: "rick.png",
+      mv: async (fnm) => {
+        await fs.writeFile(fnm, "nevergonnagiveyouup");
+      },
+      size: 245752,
+    },
     1,
     4
   );
+  await File.from_req_files(
+    {
+      mimetype: "image/png",
+      name: "large-image.png",
+      mv: async (fnm) => {
+        await fs.copyFile(path.join(__dirname, "assets/large-image.png"), fnm);
+      },
+      size: 219422,
+    },
+    1,
+    10
+  );
 });
 afterAll(db.close);
 
@@ -70,6 +89,28 @@ describe("files admin", () => {
     const app = await getApp({ disableCsrf: true });
     await request(app).get("/files/serve/rick.png").expect(404);
   });
+  it("serve public file", async () => {
+    const app = await getApp({ disableCsrf: true });
+    await request(app)
+      .get("/files/serve/large-image.png")
+      .expect(toSucceedWithImage({ lengthIs: (bs) => bs === 219422 }));
+  });
+  it("serve resized file", async () => {
+    const app = await getApp({ disableCsrf: true });
+    await request(app)
+      .get("/files/resize/200/100/large-image.png")
+      .expect(
+        toSucceedWithImage({ lengthIs: (bs) => bs < 100000 && bs > 2000 })
+      );
+  });
+  it("serve resized file without height", async () => {
+    const app = await getApp({ disableCsrf: true });
+    await request(app)
+      .get("/files/resize/200/0/large-image.png")
+      .expect(
+        toSucceedWithImage({ lengthIs: (bs) => bs < 100000 && bs > 2000 })
+      );
+  });
   it("not download file to public", async () => {
     const app = await getApp({ disableCsrf: true });
     await request(app).get("/files/download/rick.png").expect(404);