@saltcorn/server 0.9.0 → 0.9.1-beta.1

package/auth/admin.js

@@ -376,6 +376,8 @@ const http_settings_form = async (req) =>
       //"cookie_sessions",
       "public_cache_maxage",
       "custom_http_headers",
+      "body_limit",
+      "url_encoded_limit",
     ],
     action: "/useradmin/http",
     submitLabel: req.__("Save"),

package/auth/testhelp.js

@@ -215,6 +215,18 @@ const succeedJsonWith = (pred) => (res) => {
   }
 };
 
+const succeedJsonWithWholeBody = (pred) => (res) => {
+  if (res.statusCode !== 200) {
+    console.log(res.text);
+    throw new Error(`Expected status 200, received ${res.statusCode}`);
+  }
+
+  if (!pred(res.body)) {
+    console.log(res.body);
+    throw new Error(`Not satisfied`);
+  }
+};
+
 /**
  *
  * @param {number} code
@@ -260,6 +272,7 @@ module.exports = {
   notAuthorized,
   respondJsonWith,
   toSucceedWithImage,
+  succeedJsonWithWholeBody,
   resToLoginCookie,
   itShouldIncludeTextForAdmin,
 };

package/help/API actions.tmd

@@ -0,0 +1,12 @@
+This trigger can be run with by making an HTTP request to
+
+{{scState.getConfig("base_url","").replace(/\/$/, "")}}/api/action/{{ query.name }}
+
+If you make a POST request, the POST body is expected to be JSON and its value 
+is accessible using the `row` variable (e.g. in a `run_js_code`)
+
+If you make a GET request, the query string values 
+are accessible as a JSON object using the `row` variable (e.g. in a `run_js_code`).
+
+If you return a value from the action, it will be available in the `data`
+subfield of the JSON body in the HTTP response

package/help/Event types.tmd

@@ -0,0 +1,71 @@
+The event type for triggers determines when the chosen action should be run. 
+The different event types options come from a variety of the types and sources.
+
+These events also form the basis of the event log. Use the log settings to enable or disable 
+recording of the occurrence of events.
+
+## Database events
+
+These conditions are triggered by changes to rows in tables. Together with the event type 
+a specific table is chosen. The individual conditions are:
+
+**Insert**: run the action when a new row is inserted in the table. This is a good choice
+when a table itself represents actions to be carried out; for instance a table of 
+outbound emails would have a trigger with When = Insert and Action = send_email
+
+**Update**: run this action when changes are made to an existing row. The old row can 
+be accessed with the `old_row` variable.
+
+**Delete**: run this action when a row is deleted
+
+## Periodic events
+
+These triggers are run periodically at different times.
+
+**Weekly**: run this once a week.
+
+**Daily**: run this once a day.
+
+**Hourly**: run this once an hour.
+
+**Often**: run this every 5 minutes.
+
+## User-based events
+
+**PageLoad**: run this whenever a page or view is loaded. If you set up the event log to 
+record these events you can use this as a basis for an analytics system.
+
+**Login**: run this whenever a user log in successfully
+
+**LoginFailed**: run this whenever a user login failed
+
+**UserVerified**: run this when a user is verified, if an appropriate module for 
+user verification is enabled.
+
+## System-based events
+
+**Error**: run this whenever an error occurs
+
+**Startup**: run this whenever this saltcorn process initializes. 
+
+## Other events
+
+**Never**: this trigger is never run on its own. However triggers that are marked as never
+can be chosen as the target action for a button in the UI. Use this if you have a complex 
+configuration for an action that needs to be run in response to a button click, or if you
+have a configuration that needs to be reused between two different buttons in two different 
+views. You can also use this to switch off a trigger that is running on a different event 
+type without deleting it.
+
+**API call**: this trigger can be run in response to an inbound API call. To see the URL 
+and further help, click the help icon next to the "API call" label in the trigger list.
+
+## Custom events
+
+You can create your own event type which can then be triggered with an emit_event action 
+or the `emitEvent` call in a run js code action
+
+## Events supplied by modules
+
+Modules can provide new event types. For instance the mqtt module provides an event 
+type based on receiving new messages.

package/locales/en.json

@@ -1268,5 +1268,14 @@
 	"Pack file": "Pack file",
 	"Upload a pack file": "Upload a pack file",
 	"No menu": "No menu",
-	"Omit the menu from this page": "Omit the menu from this page"
+	"Omit the menu from this page": "Omit the menu from this page",
+	"%s finished without a result": "%s finished without a result",
+	"Body size limit (Kb)": "Body size limit (Kb)",
+	"Maximum request body size in kilobytes": "Maximum request body size in kilobytes",
+	"URL encoded size limit (Kb)": "URL encoded size limit (Kb)",
+	"Maximum URL encoded request size in kilobytes": "Maximum URL encoded request size in kilobytes",
+	"HTML file": "HTML file",
+	"HTML file to use as page content": "HTML file to use as page content",
+	"Offline mode: cannot load file": "Offline mode: cannot load file",
+	"None - use drag and drop builder": "None - use drag and drop builder"
 }

package/locales/fr.json

@@ -286,5 +286,11 @@
 	"Users and security": "Users and security",
 	"Site structure": "Site structure",
 	"Events": "Events",
-	"Are you sure?": "Are you sure?"
+	"Are you sure?": "Are you sure?",
+	"API token": "API token",
+	"No API token issued": "No API token issued",
+	"Generate": "Generate",
+	"Two-factor authentication": "Two-factor authentication",
+	"Two-factor authentication is disabled": "Two-factor authentication is disabled",
+	"Enable 2FA": "Enable 2FA"
 }

package/package.json

@@ -1,18 +1,18 @@
 {
   "name": "@saltcorn/server",
-  "version": "0.9.0",
+  "version": "0.9.1-beta.1",
   "description": "Server app for Saltcorn, open-source no-code platform",
   "homepage": "https://saltcorn.com",
   "main": "index.js",
   "license": "MIT",
   "dependencies": {
-    "@saltcorn/base-plugin": "0.9.0",
-    "@saltcorn/builder": "0.9.0",
-    "@saltcorn/data": "0.9.0",
-    "@saltcorn/admin-models": "0.9.0",
-    "@saltcorn/filemanager": "0.9.0",
-    "@saltcorn/markup": "0.9.0",
-    "@saltcorn/sbadmin2": "0.9.0",
+    "@saltcorn/base-plugin": "0.9.1-beta.1",
+    "@saltcorn/builder": "0.9.1-beta.1",
+    "@saltcorn/data": "0.9.1-beta.1",
+    "@saltcorn/admin-models": "0.9.1-beta.1",
+    "@saltcorn/filemanager": "0.9.1-beta.1",
+    "@saltcorn/markup": "0.9.1-beta.1",
+    "@saltcorn/sbadmin2": "0.9.1-beta.1",
     "@socket.io/cluster-adapter": "^0.2.1",
     "@socket.io/sticky": "^1.0.1",
     "adm-zip": "0.5.10",

package/public/saltcorn-common.js

@@ -154,7 +154,8 @@ function apply_showif() {
       e.empty();
       e.prop("data-fetch-options-current-set", qs);
       const toAppend = [];
-      if (!dynwhere.required) toAppend.push(`<option></option>`);
+      if (!dynwhere.required)
+        toAppend.push({ label: dynwhere.neutral_label || "" });
       let currentDataOption = undefined;
       const dataOptions = [];
       //console.log(success);
@@ -173,12 +174,28 @@ function apply_showif() {
         const selected = `${current}` === `${r[dynwhere.refname]}`;
         dataOptions.push({ text: label, value });
         if (selected) currentDataOption = value;
-        const html = `<option ${
-          selected ? "selected" : ""
-        } value="${value}">${label}</option>`;
-        toAppend.push(html);
+        toAppend.push({ selected, value, label });
       });
-      e.html(toAppend.join(""));
+      toAppend.sort((a, b) =>
+        a.label === dynwhere.neutral_label
+          ? -1
+          : b.label === dynwhere.neutral_label
+          ? 1
+          : (a.label?.toLowerCase?.() || a.label) >
+            (b.label?.toLowerCase?.() || b.label)
+          ? 1
+          : -1
+      );
+      e.html(
+        toAppend
+          .map(
+            ({ label, value, selected }) =>
+              `<option${selected ? ` selected` : ""}${
+                value ? ` value="${value}"` : ""
+              }>${label || ""}</option>`
+          )
+          .join("")
+      );
 
       //TODO: also sort inserted HTML options
       dataOptions.sort((a, b) =>
@@ -568,8 +585,11 @@ function initialize_page() {
         $(this).find("span.current time").attr("datetime"); // ||
       //$(this).children("span.current").html();
     }
-    console.log({ type, current });
+    if (type === "Bool") {
+      current = current === "true";
+    }
     var is_key = type?.startsWith("Key:");
+    const resetHtml = this.outerHTML;
     const opts = encodeURIComponent(
       JSON.stringify({
         url,
@@ -580,6 +600,7 @@ function initialize_page() {
         type,
         is_key,
         schema,
+        resetHtml,
         ...(decimalPlaces ? { decimalPlaces } : {}),
       })
     );
@@ -632,7 +653,11 @@ function initialize_page() {
             : ""
         }
         <input type="${
-          type === "Integer" || type === "Float" ? "number" : "text"
+          type === "Integer" || type === "Float"
+            ? "number"
+            : type === "Bool"
+            ? "checkbox"
+            : "text"
         }" ${
           type === "Float"
             ? `step="${
@@ -643,7 +668,13 @@ function initialize_page() {
                   : "any"
               }"`
             : ""
-        } name="${key}" value="${escapeHtml(current)}">
+        } name="${key}" ${
+          type === "Bool"
+            ? current
+              ? "checked"
+              : ""
+            : `value="${escapeHtml(current)}"`
+        }>
       <button type="submit" class="btn btn-sm btn-primary">OK</button>
       <button onclick="cancel_inline_edit(event, '${opts}')" type="button" class="btn btn-sm btn-danger"><i class="fas fa-times"></i></button>
       </form>`
@@ -760,33 +791,7 @@ function cancel_inline_edit(e, opts1) {
   const isNode = typeof parent?.saltcorn?.data?.state === "undefined";
   var opts = JSON.parse(decodeURIComponent(opts1 || "") || "{}");
   var form = $(e.target).closest("form");
-  var json_fk_opt;
-  if (opts.schema) {
-    json_fk_opt = form.find(`option[value="${opts.current}"]`).text();
-  }
-  form.replaceWith(`<div 
-  data-inline-edit-field="${opts.key}" 
-  ${opts.ajax ? `data-inline-edit-ajax="true"` : ""}
-  ${opts.type ? `data-inline-edit-type="${opts.type}"` : ""}
-  ${opts.current ? `data-inline-edit-current="${opts.current}"` : ""}
-  ${
-    opts.current_label
-      ? `data-inline-edit-current-label="${opts.current_label}"`
-      : ""
-  }
-  ${
-    opts.schema
-      ? `data-inline-edit-schema="${encodeURIComponent(
-          JSON.stringify(opts.schema)
-        )}"`
-      : ""
-  }
-  data-inline-edit-dest-url="${opts.url}">
-    <span class="current">${
-      json_fk_opt || opts.current_label || opts.current
-    }</span>
-    <i class="editicon ${!isNode ? "visible" : ""} fas fa-edit ms-1"></i>
-  </div>`);
+  form.replaceWith(opts.resetHtml);
   initialize_page();
 }
 
@@ -794,7 +799,8 @@ function inline_submit_success(e, form, opts) {
   const isNode = typeof parent?.saltcorn?.data?.state === "undefined";
   const formDataArray = form.serializeArray();
   if (opts) {
-    let rawVal = formDataArray.find((f) => f.name == opts.key).value;
+    let fdEntry = formDataArray.find((f) => f.name == opts.key);
+    let rawVal = opts.type === "Bool" ? !!fdEntry : fdEntry.value;
     let val =
       opts.is_key || (opts.schema && opts.schema.type.startsWith("Key to "))
         ? form.find("select").find("option:selected").text()
@@ -829,9 +835,13 @@ function inline_submit_success(e, form, opts) {
 function inline_ajax_submit(e, opts1) {
   var opts = JSON.parse(decodeURIComponent(opts1 || "") || "{}");
   e.preventDefault();
+
   var form = $(e.target).closest("form");
   var form_data = form.serialize();
   var url = form.attr("action");
+  if (opts.type === "Bool" && !form_data.includes(`${opts.key}=on`)) {
+    form_data += `&${opts.key}=off`;
+  }
   $.ajax(url, {
     type: "POST",
     headers: {
@@ -1022,7 +1032,14 @@ function common_done(res, viewname, isWeb = true) {
   if (res.notify) handle(res.notify, notifyAlert);
   if (res.error)
     handle(res.error, (text) => notifyAlert({ type: "danger", text: text }));
-  if (res.eval_js) handle(res.eval_js, eval);
+
+  if (res.eval_js && res.row && res.field_names) {
+    const f = new Function(`row, {${res.field_names}}`, res.eval_js);
+    const evalres = f(res.row, res.row);
+    if (evalres) common_done(evalres, viewname, isWeb);
+  } else if (res.eval_js) {
+    handle(res.eval_js, eval);
+  }
 
   if (res.reload_page) {
     (isWeb ? location : parent).reload(); //TODO notify to cookie if reload or goto

package/public/saltcorn.js

@@ -397,16 +397,7 @@ function saveAndContinue(e, k) {
     error: function (request) {
       var ct = request.getResponseHeader("content-type") || "";
       if (ct.startsWith && ct.startsWith("application/json")) {
-        var errorArea = form.parent().find(".full-form-error");
-        if (errorArea.length) {
-          errorArea.text(request.responseJSON.error);
-        } else {
-          form
-            .parent()
-            .append(
-              `<p class="text-danger full-form-error">${request.responseJSON.error}</p>`
-            );
-        }
+        notifyAlert({ type: "danger", text: request.responseJSON.error });
       } else {
         $("#page-inner-content").html(request.responseText);
         initialize_page();
@@ -572,6 +563,20 @@ function ajax_post_btn(e, reload_on_done, reload_delay) {
 
   return false;
 }
+
+function api_action_call(name, body) {
+  $.ajax(`/api/action/${name}`, {
+    type: "POST",
+    headers: {
+      "CSRF-Token": _sc_globalCsrf,
+    },
+    data: body,
+    success: function (res) {
+      common_done(res.data);
+    },
+  });
+}
+
 function make_unique_field(
   id,
   table_id,

package/routes/actions.js

@@ -171,6 +171,7 @@ const triggerForm = async (req, trigger) => {
         required: true,
         options: Trigger.when_options.map((t) => ({ value: t, label: t })),
         sublabel: req.__("Event type which runs the trigger"),
+        help: { topic: "Event types" },
         attributes: {
           explainers: {
             Often: req.__("Every 5 minutes"),

package/routes/api.js

@@ -332,7 +332,7 @@ router.get(
  * @function
  * @memberof module:routes/api~apiRouter
  */
-router.post(
+router.all(
   "/action/:actionname/",
   error_catcher(async (req, res, next) => {
     const { actionname } = req.params;
@@ -361,7 +361,7 @@ router.post(
             const resp = await action.run({
               configuration: trigger.configuration,
               body: req.body,
-              row: req.body,
+              row: req.method === "GET" ? req.query : req.body,
               req,
               user: user || req.user,
             });

package/routes/common_lists.js

@@ -9,7 +9,7 @@ const {
   post_dropdown_item,
 } = require("@saltcorn/markup");
 const { get_base_url } = require("./utils.js");
-const { h4, p, div, a, input, text } = require("@saltcorn/markup/tags");
+const { h4, p, div, a, i, input, text } = require("@saltcorn/markup/tags");
 
 /**
  * @param {string} col
@@ -344,7 +344,11 @@ const getPageList = (rows, roles, req, { tagId, domId, showList } = {}) => {
       },
       {
         label: req.__("Edit"),
-        key: (r) => link(`/pageedit/edit/${r.name}`, req.__("Edit")),
+        key: (r) =>
+          link(
+            `/pageedit/${!r.html_file ? "edit" : "edit-properties"}/${r.name}`,
+            req.__(!r.html_file ? "Edit" : "Edit properties")
+          ),
       },
       !tagId
         ? {
@@ -385,10 +389,16 @@ const getTriggerList = (triggers, req, { tagId, domId, showList } = {}) => {
       },
       {
         label: req.__("When"),
-        key: (a) =>
-          a.when_trigger === "API call"
-            ? `API: ${base_url}api/action/${a.name}`
-            : a.when_trigger,
+        key: (act) =>
+          act.when_trigger +
+          (act.when_trigger === "API call"
+            ? a(
+                {
+                  href: `javascript:ajax_modal('/admin/help/API%20actions?name=${act.name}')`,
+                },
+                i({ class: "fas fa-question-circle ms-1" })
+              )
+            : ""),
       },
       {
         label: req.__("Test run"),

package/routes/homepage.js

@@ -21,7 +21,7 @@ const { get_latest_npm_version } = require("@saltcorn/data/models/config");
 const packagejson = require("../package.json");
 const Trigger = require("@saltcorn/data/models/trigger");
 const { fileUploadForm } = require("../markup/forms");
-const { get_base_url } = require("./utils.js");
+const { get_base_url, sendHtmlFile } = require("./utils.js");
 
 /**
  * Tables List
@@ -262,10 +262,16 @@ const actionsTab = async (req, triggers) => {
             },
             {
               label: req.__("When"),
-              key: (a) =>
-                a.when_trigger === "API call"
-                  ? `API: ${base_url}api/action/${a.name}`
-                  : a.when_trigger,
+              key: (act) =>
+                act.when_trigger +
+                (act.when_trigger === "API call"
+                  ? a(
+                      {
+                        href: `javascript:ajax_modal('/admin/help/API%20actions?name=${act.name}')`,
+                      },
+                      i({ class: "fas fa-question-circle ms-1" })
+                    )
+                  : ""),
             },
           ],
           triggers
@@ -474,15 +480,16 @@ const get_config_response = async (role_id, res, req) => {
 
     if (db_page) {
       const contents = await db_page.run(req.query, { res, req });
-
-      res.sendWrap(
-        {
-          title: db_page.title,
-          description: db_page.description,
-          bodyClass: "page_" + db.sqlsanitize(homeCfg),
-        },
-        contents
-      );
+      if (contents.html_file) await sendHtmlFile(req, res, contents.html_file);
+      else
+        res.sendWrap(
+          {
+            title: db_page.title,
+            description: db_page.description,
+            bodyClass: "page_" + db.sqlsanitize(homeCfg),
+          },
+          contents
+        );
     } else res.redirect(homeCfg);
     return true;
   }

package/routes/page.js

@@ -8,11 +8,13 @@ const Router = require("express-promise-router");
 
 const Page = require("@saltcorn/data/models/page");
 const Trigger = require("@saltcorn/data/models/trigger");
+const File = require("@saltcorn/data/models/file");
 const { getState } = require("@saltcorn/data/db/state");
 const {
   error_catcher,
   scan_for_page_title,
   isAdmin,
+  sendHtmlFile,
 } = require("../routes/utils.js");
 const { add_edit_bar } = require("../markup/admin.js");
 const { traverseSync } = require("@saltcorn/data/models/layout");
@@ -56,21 +58,23 @@ router.get(
         name: pagename,
         render_time: ms,
       });
-      res.sendWrap(
-        {
-          title,
-          description: db_page.description,
-          bodyClass: "page_" + db.sqlsanitize(pagename),
-          no_menu: db_page.attributes?.no_menu,
-        } || `${pagename} page`,
-        add_edit_bar({
-          role,
-          title: db_page.name,
-          what: req.__("Page"),
-          url: `/pageedit/edit/${encodeURIComponent(db_page.name)}`,
-          contents,
-        })
-      );
+      if (contents.html_file) await sendHtmlFile(req, res, contents.html_file);
+      else
+        res.sendWrap(
+          {
+            title,
+            description: db_page.description,
+            bodyClass: "page_" + db.sqlsanitize(pagename),
+            no_menu: db_page.attributes?.no_menu,
+          } || `${pagename} page`,
+          add_edit_bar({
+            role,
+            title: db_page.name,
+            what: req.__("Page"),
+            url: `/pageedit/edit/${encodeURIComponent(db_page.name)}`,
+            contents,
+          })
+        );
     } else {
       if (db_page && !req.user) {
         res.redirect(`/auth/login?dest=${encodeURIComponent(req.originalUrl)}`);

package/routes/pageedit.js

@@ -27,6 +27,7 @@ const {
   addOnDoneRedirect,
   is_relative_url,
 } = require("./utils.js");
+const { asyncMap } = require("@saltcorn/data/utils");
 const {
   mkTable,
   renderForm,
@@ -39,6 +40,7 @@ const {
 } = require("@saltcorn/markup");
 const { getActionConfigFields } = require("@saltcorn/data/plugin-helper");
 const Library = require("@saltcorn/data/models/library");
+const path = require("path");
 
 /**
  * @type {object}
@@ -58,6 +60,20 @@ module.exports = router;
 const pagePropertiesForm = async (req, isNew) => {
   const roles = await User.get_roles();
   const pages = (await Page.find()).map((p) => p.name);
+  const htmlFiles = await File.find(
+    {
+      mime_super: "text",
+      mime_sub: "html",
+    },
+    { recursive: true }
+  );
+  const htmlOptions = await asyncMap(htmlFiles, async (f) => {
+    return {
+      label: path.join(f.current_folder, f.filename),
+      value: File.absPathToServePath(f.location),
+    };
+  });
+
   const form = new Form({
     action: addOnDoneRedirect("/pageedit/edit-properties", req),
     fields: [
@@ -92,6 +108,24 @@ const pagePropertiesForm = async (req, isNew) => {
         input_type: "select",
         options: roles.map((r) => ({ value: r.id, label: r.role })),
       },
+      ...(htmlOptions.length > 0
+        ? [
+            {
+              name: "html_file",
+              label: req.__("HTML file"),
+              sublabel: req.__("HTML file to use as page content"),
+              input_type: "select",
+
+              options: [
+                {
+                  label: req.__("None - use drag and drop builder"),
+                  value: "",
+                },
+                ...htmlOptions,
+              ],
+            },
+          ]
+        : []),
       {
         name: "no_menu",
         label: req.__("No menu"),
@@ -289,7 +323,7 @@ const wrap = (contents, noCard, req, page) => ({
       crumbs: [
         { text: req.__("Pages"), href: "/pageedit" },
         page
-          ? { href: `/pageedit/edit/${page.name}`, text: page.name }
+          ? { href: `/page/${page.name}`, text: page.name }
           : { text: req.__("New") },
       ],
     },
@@ -367,17 +401,30 @@ router.post(
         wrap(renderForm(form, req.csrfToken()), false, req)
       );
     } else {
-      const { id, columns, no_menu, ...pageRow } = form.values;
+      const { id, columns, no_menu, html_file, ...pageRow } = form.values;
       pageRow.min_role = +pageRow.min_role;
       pageRow.attributes = { no_menu };
+      if (html_file) {
+        pageRow.layout = {
+          html_file: html_file,
+        };
+      }
       if (+id) {
+        const dbPage = Page.findOne({ id: id });
+        if (dbPage.layout?.html_file && !html_file) {
+          pageRow.layout = {};
+        }
         await Page.update(+id, pageRow);
         res.redirect(`/pageedit/`);
       } else {
-        if (!pageRow.fixed_states) pageRow.fixed_states = {};
         if (!pageRow.layout) pageRow.layout = {};
+        if (!pageRow.fixed_states) pageRow.fixed_states = {};
         await Page.create(pageRow);
-        res.redirect(addOnDoneRedirect(`/pageedit/edit/${pageRow.name}`, req));
+        if (!html_file)
+          res.redirect(
+            addOnDoneRedirect(`/pageedit/edit/${pageRow.name}`, req)
+          );
+        else res.redirect(`/pageedit/`);
       }
     }
   })

package/routes/utils.js

@@ -18,6 +18,7 @@ const cookieSession = require("cookie-session");
 const is = require("contractis/is");
 const { validateHeaderName, validateHeaderValue } = require("http");
 const Crash = require("@saltcorn/data/models/crash");
+const File = require("@saltcorn/data/models/file");
 const si = require("systeminformation");
 const {
   config_fields_form,
@@ -25,6 +26,8 @@ const {
   check_if_restart_required,
   flash_restart,
 } = require("../markup/admin.js");
+const path = require("path");
+
 const get_sys_info = async () => {
   const disks = await si.fsSize();
   let size = 0;
@@ -380,6 +383,38 @@ const admin_config_route = ({
   );
 };
 
+/**
+ * Send HTML file to client without any menu
+ * @param {any} req
+ * @param {any} res
+ * @param {string} file
+ * @returns
+ */
+const sendHtmlFile = async (req, res, file) => {
+  const fullPath = path.join((await File.rootFolder()).location, file);
+  const role = req.user && req.user.id ? req.user.role_id : 100;
+  try {
+    const scFile = await File.from_file_on_disk(
+      path.basename(fullPath),
+      path.dirname(fullPath)
+    );
+    if (scFile && role <= scFile.min_role_read) {
+      res.sendFile(fullPath);
+    } else {
+      return res
+        .status(404)
+        .sendWrap(req.__("An error occurred"), req.__("File not found"));
+    }
+  } catch (e) {
+    return res
+      .status(404)
+      .sendWrap(
+        req.__("An error occurred"),
+        e.message || req.__("An error occurred")
+      );
+  }
+};
+
 module.exports = {
   sqlsanitize,
   csrfField,
@@ -396,4 +431,5 @@ module.exports = {
   is_relative_url,
   get_sys_info,
   admin_config_route,
+  sendHtmlFile,
 };

package/tests/api.test.js

@@ -1,6 +1,9 @@
 const request = require("supertest");
 const getApp = require("../app");
 const Table = require("@saltcorn/data/models/table");
+const Trigger = require("@saltcorn/data/models/trigger");
+
+const Field = require("@saltcorn/data/models/field");
 const {
   getStaffLoginCookie,
   getAdminLoginCookie,
@@ -9,6 +12,7 @@ const {
   succeedJsonWith,
   notAuthorized,
   toRedirect,
+  succeedJsonWithWholeBody,
 } = require("../auth/testhelp");
 const db = require("@saltcorn/data/db");
 const User = require("@saltcorn/data/models/user");
@@ -322,3 +326,66 @@ describe("API authentication", () => {
       .expect(succeedJsonWith((rows) => rows.length == 2));
   });
 });
+
+describe("API action", () => {
+  it("should set up trigger", async () => {
+    const table = await Table.create("triggercounter");
+    await Field.create({
+      table,
+      name: "thing",
+      label: "TheThing",
+      type: "String",
+    });
+    await Trigger.create({
+      action: "run_js_code",
+      when_trigger: "API call",
+      name: "mywebhook",
+      min_role: 100,
+      configuration: {
+        code: `
+        const table = Table.findOne({ name: "triggercounter" });
+        await table.insertRow({ thing: row?.thing || "no body" });
+        return {studio: 54}
+      `,
+      },
+    });
+  });
+  it("should POST to trigger", async () => {
+    const app = await getApp({ disableCsrf: true });
+    await request(app)
+      .post("/api/action/mywebhook")
+      .send({
+        thing: "inthebody",
+      })
+      .set("Content-Type", "application/json")
+      .set("Accept", "application/json")
+      .expect(succeedJsonWithWholeBody((resp) => resp?.data?.studio === 54));
+    const table = Table.findOne({ name: "triggercounter" });
+    const counts = await table.getRows({});
+    expect(counts.map((c) => c.thing)).toContain("inthebody");
+    expect(counts.map((c) => c.thing)).not.toContain("no body");
+  });
+  it("should GET with query to trigger", async () => {
+    const app = await getApp({ disableCsrf: true });
+    await request(app)
+      .get("/api/action/mywebhook?thing=inthequery")
+      .set("Content-Type", "application/json")
+      .set("Accept", "application/json")
+      .expect(succeedJsonWithWholeBody((resp) => resp?.data?.studio === 54));
+    const table = Table.findOne({ name: "triggercounter" });
+    const counts = await table.getRows({});
+    expect(counts.map((c) => c.thing)).toContain("inthequery");
+    expect(counts.map((c) => c.thing)).not.toContain("no body");
+  });
+  it("should GET to trigger", async () => {
+    const app = await getApp({ disableCsrf: true });
+    await request(app)
+      .get("/api/action/mywebhook")
+      .set("Content-Type", "application/json")
+      .set("Accept", "application/json")
+      .expect(succeedJsonWithWholeBody((resp) => resp?.data?.studio === 54));
+    const table = Table.findOne({ name: "triggercounter" });
+    const counts = await table.getRows({});
+    expect(counts.map((c) => c.thing)).toContain("no body");
+  });
+});

package/tests/page.test.js

@@ -13,9 +13,42 @@ const {
 } = require("../auth/testhelp");
 const db = require("@saltcorn/data/db");
 const Page = require("@saltcorn/data/models/page");
+const File = require("@saltcorn/data/models/file");
+const { existsSync } = require("fs");
+const { join } = require("path");
+
+let htmlFile = null;
+
+const prepHtmlFiles = async () => {
+  const createFile = async (folder, name, content) => {
+    const scFolder = join(
+      db.connectObj.file_store,
+      db.getTenantSchema(),
+      folder
+    );
+    if (!existsSync(scFolder)) await File.new_folder(folder);
+    if (!existsSync(join(scFolder, name))) {
+      return await File.from_contents(
+        name,
+        "text/html",
+        `<html><head><title>Landing page</title></head><body><h1>${content}</h1></body></html>`,
+        1,
+        1,
+        folder
+      );
+    } else {
+      const file = await File.from_file_on_disk(name, scFolder);
+      file.location = File.absPathToServePath(file.location);
+      return file;
+    }
+  };
+  htmlFile = await createFile("/", "fixed_page.html", "Land here");
+  await createFile("/subfolder", "fixed_page2.html", "Or Land here");
+};
 
 beforeAll(async () => {
   await resetToFixtures();
+  await prepHtmlFiles();
 });
 afterAll(db.close);
 
@@ -36,9 +69,18 @@ describe("page create", () => {
     await request(app)
       .get("/pageedit/new")
       .set("Cookie", loginCookie)
-
       .expect(toInclude("A short name that will be in your URL"));
   });
+  it("shows new with html file selector", async () => {
+    const app = await getApp({ disableCsrf: true });
+    const loginCookie = await getAdminLoginCookie();
+    await request(app)
+      .get("/pageedit/new")
+      .set("Cookie", loginCookie)
+      .expect(toInclude("HTML file"))
+      .expect(toInclude("fixed_page.html"))
+      .expect(toInclude(join("subfolder", "fixed_page2.html")));
+  });
   it("fills basic details", async () => {
     const app = await getApp({ disableCsrf: true });
     const loginCookie = await getAdminLoginCookie();
@@ -48,6 +90,19 @@ describe("page create", () => {
       .set("Cookie", loginCookie)
       .expect(toRedirect("/pageedit/edit/whales"));
   });
+  it("fills details with html-file", async () => {
+    const app = await getApp({ disableCsrf: true });
+    const loginCookie = await getAdminLoginCookie();
+    await request(app)
+      .post("/pageedit/edit-properties")
+      .send(
+        `name=new_page_with_html_file&title=foo&description=bar&min_role=100&html_file=${encodeURIComponent(
+          htmlFile.location
+        )}`
+      )
+      .set("Cookie", loginCookie)
+      .expect(toRedirect("/pageedit/"));
+  });
   it("fills layout", async () => {
     const app = await getApp({ disableCsrf: true });
     const loginCookie = await getAdminLoginCookie();
@@ -68,6 +123,44 @@ describe("page create", () => {
       .set("Cookie", loginCookie)
       .expect(toInclude("Herman"));
   });
+
+  it("shows page with html file", async () => {
+    const app = await getApp({ disableCsrf: true });
+    const loginCookie = await getAdminLoginCookie();
+    await request(app)
+      .get("/page/new_page_with_html_file")
+      .set("Cookie", loginCookie)
+      .expect(toInclude("Land here"));
+  });
+
+  it("does not find the html file for staff or public", async () => {
+    const app = await getApp({ disableCsrf: true });
+    const loginCookie = await getStaffLoginCookie();
+    await request(app)
+      .get("/page/new_page_with_html_file")
+      .set("Cookie", loginCookie)
+      .expect(toInclude("not found", 404));
+    await request(app)
+      .get("/page/new_page_with_html_file")
+      .expect(toInclude("not found", 404));
+  });
+
+  it("finds the html file for staff (after update)", async () => {
+    const app = await getApp({ disableCsrf: true });
+    await request(app)
+      .post("/files/setrole/fixed_page.html")
+      .set("Cookie", await getAdminLoginCookie())
+      .send("role=40")
+      .expect(toRedirect("/files?dir=."));
+    const loginCookie = await getStaffLoginCookie();
+    await request(app)
+      .get("/page/new_page_with_html_file")
+      .set("Cookie", loginCookie)
+      .expect(toInclude("Land here"));
+    await request(app)
+      .get("/page/new_page_with_html_file")
+      .expect(toInclude("not found", 404));
+  });
 });
 
 describe("page action", () => {