@saltcorn/server 0.8.5-beta.3 → 0.8.5-beta.4

package/routes/admin.js

@@ -1321,12 +1321,16 @@ router.get(
   "/configuration-check",
   isAdmin,
   error_catcher(async (req, res) => {
-    const filename = `${moment().format("YYYYMMDDHHmm")}.html`;
+    const start = new Date();
+    const filename = `${moment(start).format("YYYYMMDDHHmm")}.html`;
     await File.new_folder("configuration_checks");
     const go = async () => {
       const { passes, errors, pass, warnings } = await runConfigurationCheck(
         req
       );
+      const end = new Date();
+      const secs = Math.round((end.getTime() - start.getTime()) / 1000);
+
       const mkError = (err) =>
         div(
           { class: "alert alert-danger", role: "alert" },
@@ -1355,6 +1359,11 @@ router.get(
           h3("Passes"),
 
           pre(code(passes.join("\n")))
+        ) +
+        p(
+          `Configuration check completed in ${
+            secs > 60 ? `${Math.floor(secs / 60)}m ${secs % 60}s` : secs + "s"
+          }`
         );
       await File.from_contents(
         filename,
@@ -1964,8 +1973,9 @@ router.post(
  * @returns {Promise<Form>} form
  */
 const dev_form = async (req) => {
-  const role_to_create_tenant = +getRootState().getConfig(
-    "role_to_create_tenant"
+  const tenants_set_npm_modules = getRootState().getConfig(
+    "tenants_set_npm_modules",
+    false
   );
   const isRoot = db.getTenantSchema() === db.connectObj.default_schema;
 
@@ -1976,9 +1986,7 @@ const dev_form = async (req) => {
       "log_sql",
       "log_client_errors",
       "log_level",
-      ...(isRoot || role_to_create_tenant < 10
-        ? ["npm_available_js_code"]
-        : []),
+      ...(isRoot || tenants_set_npm_modules ? ["npm_available_js_code"] : []),
     ],
     action: "/admin/dev",
   });

package/routes/api.js

@@ -31,6 +31,7 @@ const {
   readState,
   strictParseInt,
 } = require("@saltcorn/data/plugin-helper");
+const Crash = require("@saltcorn/data/models/crash");
 
 /**
  * @type {object}
@@ -66,7 +67,7 @@ const limitFields = (fields) => (r) => {
  * @param {Table} table
  * @returns {boolean}
  */
-function accessAllowedRead(req, user, table) {
+function accessAllowedRead(req, user, table, allow_ownership) {
   const role =
     req.user && req.user.id
       ? req.user.role_id
@@ -74,7 +75,12 @@ function accessAllowedRead(req, user, table) {
       ? user.role_id
       : 10;
 
-  return role <= table.min_role_read;
+  return (
+    role <= table.min_role_read ||
+    ((req.user?.id || user?.id) &&
+      allow_ownership &&
+      (table.ownership_field_id || table.ownership_formula))
+  );
 }
 
 /**
@@ -92,7 +98,11 @@ function accessAllowedWrite(req, user, table) {
       ? user.role_id
       : 10;
 
-  return role <= table.min_role_write;
+  return (
+    role <= table.min_role_write ||
+    ((req.user?.id || user?.id) &&
+      (table.ownership_field_id || table.ownership_formula))
+  );
 }
 /**
  * Check that user has right to trigger call
@@ -126,6 +136,7 @@ router.post(
     const view = await View.findOne({ name: viewName });
     const db = require("@saltcorn/data/db");
     if (!view) {
+      getState().log(3, `API viewQuery ${view.name} not found`);
       res.status(404).json({
         error: req.__("View %s not found", viewName),
         view: viewName,
@@ -152,6 +163,10 @@ router.post(
             const resp = await queries[queryName](...args, true);
             res.json({ success: resp, alerts: getFlashes(req) });
           } else {
+            getState().log(
+              3,
+              `API viewQuery ${view.name} ${queryName} not found`
+            );
             res.status(404).json({
               error: req.__("Query %s not found", queryName),
               view: viewName,
@@ -163,6 +178,7 @@ router.post(
             });
           }
         } else {
+          getState().log(3, `API viewQuery ${view.name} not authorized`);
           res.status(401).json({ error: req.__("Not authorized") });
         }
       }
@@ -208,6 +224,10 @@ router.get(
           }
           res.json({ success: dvs });
         } else {
+          getState().log(
+            3,
+            `API distinct ${table.name}.${fieldName} not authorized`
+          );
           res.status(401).json({ error: req.__("Not authorized") });
         }
       }
@@ -234,6 +254,7 @@ router.get(
         : { name: tableName }
     );
     if (!table) {
+      getState().log(3, `API get ${tableName} table not found`);
       res.status(404).json({ error: req.__("Not found") });
       return;
     }
@@ -242,11 +263,13 @@ router.get(
       ["api-bearer", "jwt"],
       { session: false },
       async function (err, user, info) {
-        if (accessAllowedRead(req, user, table)) {
+        if (accessAllowedRead(req, user, table, true)) {
           let rows;
           if (versioncount === "on") {
             const joinOpts = {
               orderBy: "id",
+              forUser: req.user || user || { role_id: 10 },
+              forPublic: !(req.user || user),
               aggregations: {
                 _versions: {
                   table: table.name + "__history",
@@ -266,12 +289,22 @@ router.get(
               state: req_query,
               table,
             });
-            rows = await table.getRows(qstate);
+            rows = await table.getRows(qstate, {
+              forPublic: !(req.user || user),
+              forUser: req.user || user,
+            });
           } else {
-            rows = await table.getRows();
+            rows = await table.getRows(
+              {},
+              {
+                forPublic: !(req.user || user),
+                forUser: req.user || user,
+              }
+            );
           }
           res.json({ success: rows.map(limitFields(fields)) });
         } else {
+          getState().log(3, `API get ${table.name} not authorized`);
           res.status(401).json({ error: req.__("Not authorized") });
         }
       }
@@ -301,6 +334,7 @@ router.post(
     });
 
     if (!trigger) {
+      getState().log(3, `API action ${actionname} not found`);
       res.status(400).json({ error: req.__("Not found") });
       return;
     }
@@ -318,9 +352,11 @@ router.post(
             });
             res.json({ success: true, data: resp });
           } catch (e) {
+            Crash.create(e, req);
             res.status(400).json({ success: false, error: e.message });
           }
         } else {
+          getState().log(3, `API action ${actionname} not authorized`);
           res.status(401).json({ error: req.__("Not authorized") });
         }
       }
@@ -340,6 +376,7 @@ router.post(
     const { tableName } = req.params;
     const table = await Table.findOne({ name: tableName });
     if (!table) {
+      getState().log(3, `API POST ${tableName} not found`);
       res.status(404).json({ error: req.__("Not found") });
       return;
     }
@@ -378,6 +415,10 @@ router.post(
             }
           });
           if (hasErrors) {
+            getState().log(
+              2,
+              `API POST ${table.name} error: ${errors.join(", ")}`
+            );
             res.status(400).json({ error: errors.join(", ") });
             return;
           }
@@ -385,9 +426,12 @@ router.post(
             row,
             req.user || user || { role_id: 10 }
           );
-          if (ins_res.error) res.status(400).json(ins_res);
-          else res.json(ins_res);
+          if (ins_res.error) {
+            getState().log(2, `API POST ${table.name} error: ${ins_res.error}`);
+            res.status(400).json(ins_res);
+          } else res.json(ins_res);
         } else {
+          getState().log(3, `API POST ${table.name} not authorized`);
           res.status(401).json({ error: req.__("Not authorized") });
         }
       }
@@ -408,6 +452,7 @@ router.post(
     const { tableName, id } = req.params;
     const table = await Table.findOne({ name: tableName });
     if (!table) {
+      getState().log(3, `API POST ${tableName} not found`);
       res.status(404).json({ error: req.__("Not found") });
       return;
     }
@@ -445,6 +490,10 @@ router.post(
             }
           }
           if (hasErrors) {
+            getState().log(
+              2,
+              `API POST ${table.name} error: ${errors.join(", ")}`
+            );
             res.status(400).json({ error: errors.join(", ") });
             return;
           }
@@ -454,9 +503,12 @@ router.post(
             user || req.user || { role_id: 10 }
           );
 
-          if (ins_res.error) res.status(400).json(ins_res);
-          else res.json(ins_res);
+          if (ins_res.error) {
+            getState().log(2, `API POST ${table.name} error: ${ins_res.error}`);
+            res.status(400).json(ins_res);
+          } else res.json(ins_res);
         } else {
+          getState().log(3, `API POST ${table.name} not authorized`);
           res.status(401).json({ error: req.__("Not authorized") });
         }
       }
@@ -477,6 +529,7 @@ router.delete(
     const { tableName, id } = req.params;
     const table = await Table.findOne({ name: tableName });
     if (!table) {
+      getState().log(3, `API DELETE ${tableName} not found`);
       res.status(404).json({ error: req.__("Not found") });
       return;
     }
@@ -502,9 +555,11 @@ router.delete(
               );
             res.json({ success: true });
           } catch (e) {
+            getState().log(2, `API DELETE ${table.name} error: ${e.message}`);
             res.status(400).json({ error: e.message });
           }
         } else {
+          getState().log(3, `API DELETE ${table.name} not authorized`);
           res.status(401).json({ error: req.__("Not authorized") });
         }
       }

package/routes/fields.js

@@ -398,9 +398,16 @@ const fieldFlow = (req) =>
           ];
           const keyfields = orderedFields
             .filter((f) => !f.calculated || f.stored)
+            .sort((a, b) =>
+              a.type?.name === "String" && b.type?.name !== "String"
+                ? -1
+                : a.type?.name !== "String" && b.type?.name === "String"
+                ? 1
+                : 0
+            )
             .map((f) => ({
               value: f.name,
-              label: f.label,
+              label: `${f.label} [${f.type?.name || f.type}]`,
             }));
           const textfields = orderedFields
             .filter(
@@ -412,6 +419,9 @@ const fieldFlow = (req) =>
               new Field({
                 name: "summary_field",
                 label: req.__("Summary field"),
+                sublabel: req.__(
+                  "The field that will be shown to the user when choosing a value"
+                ),
                 input_type: "select",
                 options: keyfields,
               }),

package/routes/list.js

@@ -241,13 +241,16 @@ router.get(
     for (const f of fields) {
       if (f.type === "File") f.attributes = { select_file_where: {} };
       await f.fill_fkey_options();
+
+      if (f.type === "File") {
+        //add existing values in folders
+        const dvs = await f.distinct_values();
+        dvs.forEach((dv) => {
+          if (dv?.value?.includes("/")) f.options.push(dv);
+        });
+      }
     }
 
-    //console.log(fields);
-    // todo remove keyfields - unused
-    const keyfields = fields
-      .filter((f) => f.type === "Key" || f.type === "File")
-      .map((f) => ({ name: f.name, type: f.reftype }));
     const jsfields = arrangeIdFirst(fields).map((f) =>
       typeToGridType(f.type, f)
     );

package/routes/plugins.js

@@ -14,11 +14,18 @@ const {
   post_btn,
   post_delete_btn,
 } = require("@saltcorn/markup");
-const { getState, restart_tenant } = require("@saltcorn/data/db/state");
+const {
+  getState,
+  restart_tenant,
+  getRootState,
+} = require("@saltcorn/data/db/state");
 const Form = require("@saltcorn/data/models/form");
 const Field = require("@saltcorn/data/models/field");
 const Plugin = require("@saltcorn/data/models/plugin");
 const { fetch_available_packs } = require("@saltcorn/admin-models/models/pack");
+const {
+  upgrade_all_tenants_plugins,
+} = require("@saltcorn/admin-models/models/tenant");
 const { getConfig, setConfig } = require("@saltcorn/data/models/config");
 const db = require("@saltcorn/data/db");
 const {
@@ -150,7 +157,10 @@ const local_has_theme = (name) => {
 const get_store_items = async () => {
   const installed_plugins = await Plugin.find({});
   const isRoot = db.getTenantSchema() === db.connectObj.default_schema;
-
+  const tenants_unsafe_plugins = getRootState().getConfig(
+    "tenants_unsafe_plugins",
+    false
+  );
   const instore = await Plugin.store_plugins_available();
   const packs_available = await fetch_available_packs();
   const packs_installed = getState().getConfig("installed_packs", []);
@@ -168,7 +178,7 @@ const get_store_items = async () => {
       has_auth: plugin.has_auth,
       unsafe: plugin.unsafe,
     }))
-    .filter((p) => !p.unsafe || isRoot);
+    .filter((p) => !p.unsafe || isRoot || tenants_unsafe_plugins);
   const local_logins = installed_plugins
     .filter((p) => !store_plugin_names.includes(p.name) && p.name !== "base")
     .map((plugin) => ({
@@ -424,8 +434,12 @@ const filter_items_set = (items, query) => {
  * @param {object} req
  * @returns {div}
  */
-const store_actions_dropdown = (req) =>
-  div(
+const store_actions_dropdown = (req) => {
+  const tenants_install_git = getRootState().getConfig(
+    "tenants_install_git",
+    false
+  );
+  return div(
     { class: "dropdown" },
     button(
       {
@@ -460,7 +474,8 @@ const store_actions_dropdown = (req) =>
           '<i class="far fa-arrow-alt-circle-up"></i>&nbsp;' +
             req.__("Upgrade installed modules")
         ),
-      db.getTenantSchema() === db.connectObj.default_schema &&
+      (db.getTenantSchema() === db.connectObj.default_schema ||
+        tenants_install_git) &&
         a(
           {
             class: "dropdown-item",
@@ -488,6 +503,7 @@ const store_actions_dropdown = (req) =>
       //create pack
     )
   );
+};
 
 /**
  * @param {object[]} items
@@ -926,14 +942,22 @@ router.get(
   "/upgrade",
   isAdmin,
   error_catcher(async (req, res) => {
-    const installed_plugins = await Plugin.find({});
-    for (const plugin of installed_plugins) {
-      await plugin.upgrade_version((p, f) => load_plugins.loadPlugin(p, f));
+    const schema = db.getTenantSchema();
+    if (schema === db.connectObj.default_schema) {
+      await upgrade_all_tenants_plugins((p, f) =>
+        load_plugins.loadPlugin(p, f)
+      );
+      req.flash("success", req.__(`Modules up-to-date. Please restart server`));
+    } else {
+      const installed_plugins = await Plugin.find({});
+      for (const plugin of installed_plugins) {
+        await plugin.upgrade_version((p, f) => load_plugins.loadPlugin(p, f));
+      }
+      req.flash("success", req.__(`Modules up-to-date`));
+      await restart_tenant(loadAllPlugins);
+      process.send &&
+        process.send({ restart_tenant: true, tenant: db.getTenantSchema() });
     }
-    req.flash("success", req.__(`Modules up-to-date`));
-    await restart_tenant(loadAllPlugins);
-    process.send &&
-      process.send({ restart_tenant: true, tenant: db.getTenantSchema() });
     res.redirect(`/plugins`);
   })
 );
@@ -970,7 +994,11 @@ router.post(
   error_catcher(async (req, res) => {
     const plugin = new Plugin(req.body);
     const schema = db.getTenantSchema();
-    if (schema !== db.connectObj.default_schema) {
+    const tenants_install_git = getRootState().getConfig(
+      "tenants_install_git",
+      false
+    );
+    if (schema !== db.connectObj.default_schema && !tenants_install_git) {
       req.flash(
         "error",
         req.__(`Only store modules can be installed on tenant instances`)
@@ -1039,7 +1067,10 @@ router.post(
   isAdmin,
   error_catcher(async (req, res) => {
     const { name } = req.params;
-
+    const tenants_unsafe_plugins = getRootState().getConfig(
+      "tenants_unsafe_plugins",
+      false
+    );
     const plugin = await Plugin.store_by_name(decodeURIComponent(name));
     if (!plugin) {
       req.flash(
@@ -1050,7 +1081,7 @@ router.post(
       return;
     }
     const isRoot = db.getTenantSchema() === db.connectObj.default_schema;
-    if (!isRoot && plugin.unsafe) {
+    if (!isRoot && plugin.unsafe && !tenants_unsafe_plugins) {
       req.flash(
         "error",
         req.__("Cannot install unsafe modules on subdomain tenants")

package/routes/tables.js

@@ -439,8 +439,7 @@ router.get(
         title: req.__("Tables"),
         headers: [
           {
-            script:
-              "https://unpkg.com/vis-network@9.1.2/standalone/umd/vis-network.min.js",
+            script: `/static_assets/${db.connectObj.version_tag}/vis-network.min.js`,
           },
         ],
       },

package/routes/tenant.js

@@ -426,6 +426,10 @@ const tenant_settings_form = (req) =>
       "create_tenant_warning",
       "create_tenant_warning_text",
       "tenant_template",
+      { section_header: "Tenant application capabilities" },
+      "tenants_install_git",
+      "tenants_set_npm_modules",
+      "tenants_unsafe_plugins",
     ],
     action: "/tenant/settings",
     submitLabel: req.__("Save"),

package/tests/api.test.js

@@ -19,7 +19,7 @@ beforeAll(async () => {
 afterAll(db.close);
 
 describe("API read", () => {
-  it("should get books for public", async () => {
+  it("should get books for public simple", async () => {
     const app = await getApp({ disableCsrf: true });
     await request(app)
       .get("/api/books/")
@@ -32,7 +32,7 @@ describe("API read", () => {
         )
       );
   });
-  it("should get books for public", async () => {
+  it("should get books for public fts", async () => {
     const app = await getApp({ disableCsrf: true });
     await request(app)
       .get("/api/books/?_fts=Herman")

package/tests/table.test.js

@@ -5,11 +5,13 @@ const Field = require("@saltcorn/data/models/field");
 const {
   getStaffLoginCookie,
   getAdminLoginCookie,
+  getUserLoginCookie,
   itShouldRedirectUnauthToLogin,
   toInclude,
   toNotInclude,
   toRedirect,
   resetToFixtures,
+  succeedJsonWith,
 } = require("../auth/testhelp");
 const db = require("@saltcorn/data/db");
 const User = require("@saltcorn/data/models/user");
@@ -262,7 +264,22 @@ describe("deletion to table with row ownership", () => {
     const row = await persons.insertRow({ name: "something", owner: user.id });
     expect(await persons.countRows()).toBe(1);
     const loginCookie = await getStaffLoginCookie();
+    const uloginCookie = await getUserLoginCookie();
     const app = await getApp({ disableCsrf: true });
+    await request(app).get("/api/owned").expect(401);
+    await request(app)
+      .get("/api/owned")
+      .set("Cookie", loginCookie)
+      .expect(
+        succeedJsonWith(
+          (rows) => rows.length == 1 && rows[0].name === "something"
+        )
+      );
+    await request(app)
+      .get("/api/owned")
+      .set("Cookie", uloginCookie)
+      .expect(succeedJsonWith((rows) => rows.length == 0));
+
     await request(app)
       .post("/delete/owned/" + row)
       .expect(toRedirect("/list/owned"));

package/wrapper.js

@@ -58,10 +58,22 @@ const get_menu = (req) => {
       ]
     : [
         ...(allow_signup
-          ? [{ link: "/auth/signup", label: req.__("Sign up") }]
+          ? [
+              {
+                link: "/auth/signup",
+                icon: "fas fa-user-plus",
+                label: req.__("Sign up"),
+              },
+            ]
           : []),
         ...(login_menu
-          ? [{ link: "/auth/login", label: req.__("Login") }]
+          ? [
+              {
+                link: "/auth/login",
+                icon: "fas fa-sign-in-alt",
+                label: req.__("Login"),
+              },
+            ]
           : []),
       ];
   // const schema = db.getTenantSchema();