@saltcorn/server 0.9.6-beta.17 → 0.9.6-beta.19

package/app.js

@@ -50,6 +50,7 @@ const locales = Object.keys(available_languages);
 const i18n = new I18n({
   locales,
   directory: path.join(__dirname, "locales"),
+  mustacheConfig: { disable: true },
 });
 // jwt config
 const jwt_secret = db.connectObj.jwt_secret;
@@ -171,9 +172,13 @@ const getApp = async (opts = {}) => {
     const tenants = await getAllTenants();
     await init_multi_tenant(loadAllPlugins, opts.disableMigrate, tenants);
   }
+  const pruneSessionInterval = +getState().getConfig(
+    "prune_session_interval",
+    900
+  );
   //
   // todo ability to configure session_secret Age
-  app.use(getSessionStore());
+  app.use(getSessionStore(pruneSessionInterval));
 
   app.use(passport.initialize());
   app.use(passport.authenticate(["jwt", "session"]));

package/auth/admin.js

@@ -388,6 +388,7 @@ const http_settings_form = async (req) =>
       "cross_domain_iframe",
       "body_limit",
       "url_encoded_limit",
+      ...(!db.isSQLite ? ["prune_session_interval"] : []),
     ],
     action: "/useradmin/http",
     submitLabel: req.__("Save"),

package/help/Field label.tmd

@@ -0,0 +1,11 @@
+A table holds data organised by rows and columns, which you can visualise in a 
+two-dimensional grid. The rows hold the different cases, about which you have similar data.
+Each column is called a Field, and every field must have a label (and a type). 
+
+The field label allows you to recognize the meaning of the values in the column in a 
+human-readable name. In a spreadsheet with a lot of data, it is often used as the header for 
+each column.
+
+In Saltcorn, you can use spaces in field labels. Because we also need a valid identifier to use
+in formulae, a variable name is generated from the label by replacing spaces with underscores and
+converting all uppercase characters to lowercase. 

package/help/Field types.tmd

@@ -0,0 +1,39 @@
+Every field in a table stores values of a specific type. The type limits which
+values this field can take in each row. For instance, if a field has a type `Integer`
+then it cannot take the value `"Simon"` but the value `17` is admissible. 
+
+When building your table, you must therefore think carefully about not only which fields
+to include but also what the types are. Sometimes this is easy - you know that names 
+should be stored as as `String` type. But at other times you need to think ahead a bit 
+and think carefully about what data your table will hold
+
+Some types are more general than others. The `String` type and the `JSON` 
+type (from the json module) can hold values that can be represented by more specific types.
+For instance the number 17 can be stored in a string field where it will be represented by the 
+string `"17"`. You should always try to use the most specific type available. This will give 
+you access to user interface elements that are richer and more appropriate for the data in the 
+given field. For example, you could use `String` to store dates, but then you will not 
+be able to use an interactive date picker or to display dates in flexible formats.
+
+Most field types have some additional parameters that will be configured on the next screen.
+`Integer` types have minimum and maximum values and strings can be restricted to a set of 
+options or by a regular expression. This allows you to further narrow what data it is admissible
+in your table.
+
+These types are available in your current installation:
+
+{{# const tys = Object.values(scState.types) }}
+{{# for (const ty of tys) { }} 
+* {{ ty.name }}{{ty.description ? `: ${ty.description}` : ""}}
+{{# } }}
+
+Further types can be installed from moduels in the [Module store](/plugins)
+
+In addition, a field can have types File and Key to a table.
+
+A File field holds a reference to a file in the Saltcorn file system. This is stored by the,
+path to the file and if the file moves, the reference may become invalid.
+
+A field that is a Key to another table is a reference to a row in that table. This is also known 
+as a foreign key and is used to link data between tables and to create the relational structure 
+of your application.

package/help/Ownership field.tmd

@@ -0,0 +1,76 @@
+The ability to read or write to tables is normally limited by the settings 
+for "Minimum role to read" and "Minimum role to write", which is compared 
+to the user's role.
+
+In some cases you want some users wo be able to read and write to some but 
+not to all rows. Some examples are:
+
+* On a blog, Users should be able to create comments and to edit comments they have made.
+  But you do not want users to be able to edit another user's comments.
+
+* In a todo list, Users should be able to create and edit new items for themselves but 
+  they should not be able to read or edit items for other users. 
+
+* In a project management app, you may only want you supposed to be able to see and 
+  contribute to projects they have been assigned to.
+
+Saltcorn contains an authorization system that can be very simple (limit everything by role),
+more flexible (rows have a user field and if you are that user, you can edit a row)
+to very complex (featuring many-to-many relationships, where the user field can be on a 
+different table; and inheritance, where authorization schemes propagate through relationship).
+
+### Role-based authorization
+
+In Saltcorn, every user has a role and the roles have a strictly hierachical ordering, 
+which you [can edit](/roleadmin). By 
+using the "Minimum role to read" and "Minimum role to write" settings for the table, you 
+can create a role cutoff limit for access. See the help topics for those settings for details.
+
+### Simple user field ownership
+
+In the simplest deviation from role-based authorization, you can grant access to edit 
+a row to users that match a Key to users field on the row. To use this, you should:
+
+1. Set the "Minimum role to read" and "Minimum role to write" to a role that would stop the 
+   user from accessing the row. 
+
+2. Create a field with type Key to users. This field should ideally not be labelled `User` or `user`, 
+   as this variable name will clash with access to logged-in user object in formulae.
+
+3. Make sure this is filled in when the user creates the row.
+   For instance in an Edit view under the "Fixed and blocked fields" settings, in the 
+   Preset for this field pick the LoggedIn preset.
+
+4. Pick this field as the Ownership field from the dropdown in the table settings.
+
+This is an additional access grant
+in addition to that given by the minimum roles to read and write. If your user does *not* 
+match the designated field, The decision to grant access reverts to the role-based settings. 
+You therefore cannot use ownership to limit access, only to grant additional access.
+
+### Authorization by inheritance
+
+If the table has a relationship (that is, has a field with Key type) with another table which
+has an ownership field (or ownership formula), it can instead inherit the onwership from that 
+table - essentially, take the ownership of the row the Key is pointing to. 
+
+For instance, you have a project management app with a Projects table that has an `owner` Key to users 
+field and this is set as the ownership field; and a Tasks table with a Key to Projects field. 
+In this case "Inherit Projects" is available as an option in the Ownership field dropdown.
+If you pick it and reload the page, you will See that it is in fact implemented as an ownership 
+formula which is created for you.
+
+### Authorization by user groups
+
+If you need to grant access to tables based not on user fields on this table (ownership field) 
+or on tables it has keys to (inheritance), you can declare a table to be a user group. 
+The user group should be a table that has a key to users, and may also have a key to this table. 
+Use this to grant ownership rights to a row to more than one user. For instance, if more than one 
+user is working on a project, you can declare that all users assigned to this project are owners. See 
+the help topic for the User group option.
+
+### Authorisation by formula
+
+You can also grant access to edit the row if an arbitrary formula is true. This can be used
+For very flexible authorisation schemes. Choose formula in the ownership field drop down and then see 
+help for the Ownership formula.

package/help/Ownership formula.tmd

@@ -0,0 +1,75 @@
+An ownership formula on a table allows you to develop an extremely flexible
+Authorisation scheme. It is also the mechanism by which ownership inheritance 
+and ownership by user groups is implemented. If you pick one of these options
+in the Ownership field drop-down it will essentially generate the corresponding
+formula for you.
+
+The ownership formula is a JavaScript expression which should evaluate to a boolean 
+(true/false) value. If it evaluate to true (or a [truthy](https://developer.mozilla.org/en-US/docs/Glossary/Truthy) value), then the logged-in user is an owner and 
+can read and write the row. If it evaluate to false (or a [falsey](https://developer.mozilla.org/en-US/docs/Glossary/Falsy) value), 
+the user is not the owner. However, If they have a role equal or higher than that 
+required to read or write, they can still perform this operation. You cannot use the
+ownership formula to deny access to a user who satisfies the role condition.
+
+When evaluating the formula, the values in scope are as follows:
+
+#### Row fields
+
+All field values for the row being evaluated are in scope and can be addressed by 
+their variable name.
+
+#### Join fields on row keys
+
+For any fields on the current table that are Keys to another table, you can access the values 
+in the linked table by using the dot notation. For instance, if you have a field labelled 
+"Project" (variable name `project`) which is of type Key to Projects, and the Projects
+table has a `name` field, you can refer to this as `project.name`. However, if the Project field 
+is not required, this can trigger an error as accessing a subfield on a `null` variable is a
+JavaScript error. In that case, you can use [optional chaining](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/Optional_chaining)
+(`project?.name`) which will evaluate to `null` if `project` is `null`.
+
+#### User object
+
+You can refer to the logged in user using the variable name user. 
+This is an object and you must use the dot to access user fields,
+e.g. user.id for the logged in users id. 
+
+The user object has other fields than the primary key identifier.
+For your login session the user object is:
+
+```
+{{JSON.stringify(user, null, 2)}}
+```
+
+#### User groups
+
+If any tables have been designated as user groups (that is, if they User group option has been 
+checked in the table settings) then a value will appear in the user object, which is the list 
+of an array of user group rows to which the user belongs. The name of that field is 
+`{table name}_by_{user field in user group}`.
+
+Normally you don't have to write theownership formula, you select it from the Ownership field 
+drop-down and the formula is generated for you.
+
+When changes are made to user group membership, the user needs to login and log out again before these 
+changes are reflected in the user object. If you are removing user group membership you may need to force 
+log out those users.
+
+## Examples
+
+User table has a `String` field named `department` which can take options "Finance", "HR",
+or "Warp drive engineering". To give ownership to the Expenses table to users in the Finance 
+department:
+
+`user.department === "Finance"`
+
+Same as above, but the Expenses table also has a `filled_by` field which is Key to user, and
+you want to give ownership to that user or any user in the Finance department:
+
+`user.department === "Finance" || user.id === filled_by`
+
+Similar to above, however department membership is not stored as User field but as in a table 
+named "User In Department" with a Key to user field labelled "Employee" and a string field "Name" for
+the department name.
+
+`user.UserinDepartment_by_employee.map(d=>d.name).includes("Finance") || user.id === filled_by`

package/help/Table roles.tmd

@@ -0,0 +1,20 @@
+You can restrict which users can read or write to this table by their role.
+
+Each user in Saltcorn has a role and the roles have a strictly hierachical ordering, 
+which you [can edit](/roleadmin). The ordering means that users in a role can access
+everything the users in the role "below" then can acceess, but the users in the role
+"above" have further access. 
+
+Assigning access by role is a quick way to give users more or less access based on how
+much you trust them.
+
+Using the settings for "Minimum role to read" and "Minimum role to write" you set the roles
+required to read and write to the table, respectively. Users also need to have the roles
+required for running views and pages.
+
+Restricting table access by role is the simplest form of authorisation in Saltcorn, 
+but it is often too limited. Row ownership is much more flexible; see the help topic for 
+Ownership field.
+
+Note that if the user has ownership of the row, they can read and write that row even if 
+they have a role below the minimum role to read and write, respectively.

package/help/User groups.tmd

@@ -0,0 +1,35 @@
+User groups are used to grant access to tables based on membership of groups 
+where each user can be a member of many groups and each group can have many 
+users.
+
+Any table that has a field of type Key to User can be designated a user group, by
+checking the User group option. This means that when a User group table has a row with
+a key to a user, that user is a member of a group. 
+
+The consequence of designating a table as a User group is that if there is also a Key from
+the user group table to another table, then the option of group membership appears in the 
+drop-down for the Ownership field option. 
+
+In addition, If a table is designated as a user group. a value indicating group membership
+appears in the user object. For this to appear, the variable has to be referenced in an 
+ownership formula. The name of this variable is 
+`{user group table name}_by_{key to user field name}`.
+
+When changes are made to user group membership, the user needs to login and log out again before these 
+changes are reflected in the user object. If you are removing user group membership you may need to force 
+log out those users.
+
+### Example
+
+In a project management application you have a "Projects" table and a "Tasks" table (with a 
+Key to project). Several people can work on the same project.
+
+You would like to restrict access to the project table such that only uses to work on the project have access.
+
+1. Create a "User Works On Project" table with a Key to projects field and a Key to user field called Participant.
+
+2. Designate the "User Works On Project" table as a user group by checking the user group box.
+
+3. In the project table settings, In the ownership field, there is now an option called "In User Works On Project by Participant", pick this option.
+
+4. Now add rows to the "User Works On Project" table. When the users logout and login again they will have the required access.

package/locales/en.json

@@ -1448,5 +1448,10 @@
 	"Pulling the cordova-builder docker image...": "Pulling the cordova-builder docker image...",
 	"Check updates": "Check updates",
 	"Choose version": "Choose version",
-	"Unknown authentication method %s": "Unknown authentication method %s"
-}
+	"Unknown authentication method %s": "Unknown authentication method %s",
+	"Card rows": "Card rows",
+	"Each row in a card. Not supported by all themes": "Each row in a card. Not supported by all themes",
+	"Prune session interval (seconds)": "Prune session interval (seconds)",
+	"Interval in seconds to check for expred sessions in the postgres db. 0, empty or a negative number to disable": "Interval in seconds to check for expred sessions in the postgres db. 0, empty or a negative number to disable",
+	"Progressive Web Application is not enabled": "Progressive Web Application is not enabled"
+}

package/package.json

@@ -1,20 +1,20 @@
 {
   "name": "@saltcorn/server",
-  "version": "0.9.6-beta.17",
+  "version": "0.9.6-beta.19",
   "description": "Server app for Saltcorn, open-source no-code platform",
   "homepage": "https://saltcorn.com",
   "main": "index.js",
   "license": "MIT",
   "dependencies": {
     "@aws-sdk/client-s3": "^3.451.0",
-    "@saltcorn/base-plugin": "0.9.6-beta.17",
-    "@saltcorn/builder": "0.9.6-beta.17",
-    "@saltcorn/data": "0.9.6-beta.17",
-    "@saltcorn/admin-models": "0.9.6-beta.17",
-    "@saltcorn/filemanager": "0.9.6-beta.17",
-    "@saltcorn/markup": "0.9.6-beta.17",
-    "@saltcorn/plugins-loader": "0.9.6-beta.17",
-    "@saltcorn/sbadmin2": "0.9.6-beta.17",
+    "@saltcorn/base-plugin": "0.9.6-beta.19",
+    "@saltcorn/builder": "0.9.6-beta.19",
+    "@saltcorn/data": "0.9.6-beta.19",
+    "@saltcorn/admin-models": "0.9.6-beta.19",
+    "@saltcorn/filemanager": "0.9.6-beta.19",
+    "@saltcorn/markup": "0.9.6-beta.19",
+    "@saltcorn/plugins-loader": "0.9.6-beta.19",
+    "@saltcorn/sbadmin2": "0.9.6-beta.19",
     "@socket.io/cluster-adapter": "^0.2.1",
     "@socket.io/sticky": "^1.0.1",
     "adm-zip": "0.5.10",

package/public/log_viewer_utils.js

@@ -10,6 +10,9 @@ var logViewerHelpers = (() => {
     second: "2-digit",
   };
   let lostConnection = false;
+  let waitingForTestMessage = false;
+  let startedWaitingAt = null;
+  let waitTimeout = false;
 
   const logLevelColor = (level) => {
     switch (parseInt(level)) {
@@ -94,6 +97,17 @@ var logViewerHelpers = (() => {
     });
   };
 
+  const testMsgWaiter = (waiterStartedAt) => () => {
+    if (waitingForTestMessage && waiterStartedAt === startedWaitingAt) {
+      emptyAlerts();
+      waitTimeout = true;
+      notifyAlert({
+        type: "danger",
+        text: "You are connected but not receiving any messages",
+      });
+    }
+  };
+
   const handleConnect = (socket) => {
     socket.emit("join_log_room", (ack) => {
       if (ack) {
@@ -109,6 +123,10 @@ var logViewerHelpers = (() => {
               text: "You are connected again",
             });
           }
+          waitingForTestMessage = true;
+          waitTimeout = false;
+          startedWaitingAt = new Date().valueOf();
+          setTimeout(testMsgWaiter(startedWaitingAt), 5000);
         } else if (ack.status === "error" && ack.msg) {
           notifyAlert({
             type: "danger",
@@ -129,6 +147,19 @@ var logViewerHelpers = (() => {
     });
   };
 
+  const handleTestConnMsg = () => {
+    waitingForTestMessage = false;
+    startedWaitingAt = null;
+    if (waitTimeout) {
+      emptyAlerts();
+      notifyAlert({
+        type: "success",
+        text: "You are connected and receiving messages",
+      });
+      waitTimeout = false;
+    }
+  };
+
   return {
     init_log_socket: () => {
       let socket = null;
@@ -152,6 +183,7 @@ var logViewerHelpers = (() => {
       socket.on("connect", () => handleConnect(socket));
       socket.on("disconnect", handleDisconnect);
       socket.on("log_msg", handleLogMsg);
+      socket.on("test_conn_msg", handleTestConnMsg);
     },
     goToLogsPage: (n) => {
       currentPage = n;