@saltcorn/server 1.0.0-beta.9 → 1.0.0-rc.10

package/routes/admin.js

@@ -309,13 +309,13 @@ router.get(
     backupForm.values.auto_backup_expire_days = getState().getConfig(
       "auto_backup_expire_days"
     );
-    backupForm.values.backup_with_event_log = getState().getConfig(
+    aBackupFilePrefixForm.values.backup_with_event_log = getState().getConfig(
       "backup_with_event_log"
     );
-    backupForm.values.backup_with_system_zip = getState().getConfig(
+    aBackupFilePrefixForm.values.backup_with_system_zip = getState().getConfig(
       "backup_with_system_zip"
     );
-    backupForm.values.backup_system_zip_level = getState().getConfig(
+    aBackupFilePrefixForm.values.backup_system_zip_level = getState().getConfig(
       "backup_system_zip_level"
     );
     //
@@ -378,7 +378,9 @@ router.get(
             : { type: "blank", contents: "" },
           {
             type: "card",
-            title: req.__("Snapshots"),
+            title:
+              req.__("Snapshots") +
+              `<a href="javascript:ajax_modal('/admin/help/Snapshots?')"><i class="fas fa-question-circle ms-1"></i></a>`,
             titleAjaxIndicator: true,
             contents: div(
               p(
@@ -673,7 +675,10 @@ router.get(
     const backup_file_prefix = getState().getConfig("backup_file_prefix");
     if (
       !isRoot ||
-      !(filename.startsWith(backup_file_prefix) && filename.endsWith(".zip"))
+      !(
+        path.resolve(filename).startsWith(backup_file_prefix) &&
+        filename.endsWith(".zip")
+      )
     ) {
       res.redirect("/admin/backup");
       return;
@@ -708,6 +713,33 @@ const backupFilePrefixForm = (req) =>
         sublabel: req.__("Include table history in backup"),
         default: true,
       },
+      {
+        type: "Bool",
+        label: req.__("Include Event Logs"),
+        sublabel: req.__("Backup with event logs"),
+        name: "backup_with_event_log",
+      },
+      {
+        type: "Bool",
+        label: req.__("Use system zip"),
+        sublabel: req.__(
+          "Recommended. Executable <code>zip</code> must be installed"
+        ),
+        name: "backup_with_system_zip",
+      },
+      {
+        type: "Integer",
+        label: req.__("Zip compression level"),
+        sublabel: req.__("1=Fast, larger file, 9=Slow, smaller files"),
+        name: "backup_system_zip_level",
+        attributes: {
+          min: 1,
+          max: 9,
+        },
+        showIf: {
+          backup_with_system_zip: true,
+        },
+      },
     ],
   });
 
@@ -835,40 +867,6 @@ const autoBackupForm = (req) => {
             },
           ]
         : []),
-      {
-        type: "Bool",
-        label: req.__("Include Event Logs"),
-        sublabel: req.__("Backup with event logs"),
-        name: "backup_with_event_log",
-        showIf: {
-          auto_backup_frequency: ["Daily", "Weekly"],
-        },
-      },
-      {
-        type: "Bool",
-        label: req.__("Use system zip"),
-        sublabel: req.__(
-          "Recommended. Executable <code>zip</code> must be installed"
-        ),
-        name: "backup_with_system_zip",
-        showIf: {
-          auto_backup_frequency: ["Daily", "Weekly"],
-        },
-      },
-      {
-        type: "Integer",
-        label: req.__("Zip compression level"),
-        sublabel: req.__("1=Fast, larger file, 9=Slow, smaller files"),
-        name: "backup_system_zip_level",
-        attributes: {
-          min: 1,
-          max: 9,
-        },
-        showIf: {
-          auto_backup_frequency: ["Daily", "Weekly"],
-          backup_with_system_zip: true,
-        },
-      },
     ],
   });
 };
@@ -1270,6 +1268,50 @@ const pullCordovaBuilder = (req, res) => {
   });
 };
 
+const tryInstallSdNotify = (req, res) => {
+  const child = spawn("npm", ["install", "-g", "sd-notify"], {
+    stdio: ["ignore", "pipe", "pipe"],
+  });
+  return new Promise((resolve, reject) => {
+    child.stdout.on("data", (data) => {
+      res.write(data);
+    });
+    child.stderr?.on("data", (data) => {
+      res.write(data);
+    });
+    child.on("exit", function (code, signal) {
+      resolve(code);
+    });
+    child.on("error", (msg) => {
+      const message = msg.message ? msg.message : msg.code;
+      res.write(req.__("Error: ") + message + "\n");
+      resolve(msg.code);
+    });
+  });
+};
+
+const pruneDocker = (req, res) => {
+  const child = spawn("docker", ["image", "prune", "-f"], {
+    stdio: ["ignore", "pipe", "pipe"],
+  });
+  return new Promise((resolve, reject) => {
+    child.stdout.on("data", (data) => {
+      res.write(data);
+    });
+    child.stderr?.on("data", (data) => {
+      res.write(data);
+    });
+    child.on("exit", function (code, signal) {
+      resolve(code);
+    });
+    child.on("error", (msg) => {
+      const message = msg.message ? msg.message : msg.code;
+      res.write(req.__("Error: ") + message + "\n");
+      resolve(msg.code);
+    });
+  });
+};
+
 /*
  * fetch available saltcorn versions and show a dialog to select one
  */
@@ -1285,6 +1327,7 @@ router.get(
         throw new Error(req.__("Unable to fetch versions"));
       const versions = Object.keys(pkgInfo.versions);
       if (versions.length === 0) throw new Error(req.__("No versions found"));
+      const tags = pkgInfo["dist-tags"] || {};
       res.set("Page-Title", req.__("%s versions", "Saltcorn"));
       let selected = packagejson.version;
       res.send(
@@ -1294,6 +1337,7 @@ router.get(
             method: "post",
           },
           input({ type: "hidden", name: "_csrf", value: req.csrfToken() }),
+          // version select
           div(
             { class: "form-group" },
             label(
@@ -1319,6 +1363,54 @@ router.get(
               )
             )
           ),
+          // tag select
+          div(
+            { class: "form-group" },
+            label(
+              {
+                for: "tag_select",
+                class: "form-label fw-bold",
+              },
+              req.__("Tags")
+            ),
+            select(
+              {
+                id: "tag_select",
+                class: "form-control form-select",
+              },
+              option({
+                id: "empty_opt",
+                value: "",
+                label: req.__("Select tag"),
+                selected: true,
+              }),
+              Object.keys(tags).map((tag) =>
+                option({
+                  id: `${tag}_opt`,
+                  value: tags[tag],
+                  label: `${tag} (${tags[tag]})`,
+                })
+              )
+            )
+          ),
+          // deep clean checkbox
+          div(
+            { class: "form-group" },
+            input({
+              id: "deep_clean",
+              class: "form-check-input",
+              type: "checkbox",
+              name: "deep_clean",
+              checked: false,
+            }),
+            label(
+              {
+                for: "deep_clean",
+                class: "form-label ms-2",
+              },
+              req.__("clean node_modules")
+            )
+          ),
           div(
             { class: "d-flex justify-content-end" },
             button(
@@ -1338,7 +1430,18 @@ router.get(
               req.__("Install")
             )
           )
-        )
+        ) +
+          script(
+            domReady(`
+document.getElementById('tag_select').addEventListener('change', () => {
+  const version = document.getElementById('tag_select').value;
+  if (version) document.getElementById('version_select').value = version;
+});
+document.getElementById('version_select').addEventListener('change', () => {
+  document.getElementById('tag_select').value = '';
+});
+`)
+          )
       );
     } catch (error) {
       getState().log(
@@ -1350,7 +1453,17 @@ router.get(
   })
 );
 
-const doInstall = async (req, res, version, runPull) => {
+const cleanNodeModules = async () => {
+  const topSaltcornDir = path.join(__dirname, "..", "..", "..", "..", "..");
+  if (path.basename(topSaltcornDir) === "@saltcorn")
+    await fs.promises.rm(topSaltcornDir, { recursive: true, force: true });
+  else
+    throw new Error(
+      `'${topSaltcornDir}' is not a Saltcorn installation directory`
+    );
+};
+
+const doInstall = async (req, res, version, deepClean, runPull) => {
   if (db.getTenantSchema() !== db.connectObj.default_schema) {
     req.flash("error", req.__("Not possible for tenant"));
     res.redirect("/admin");
@@ -1360,6 +1473,14 @@ const doInstall = async (req, res, version, runPull) => {
         ? req.__("Starting upgrade, please wait...\n")
         : req.__("Installing %s, please wait...\n", version)
     );
+    if (deepClean) {
+      res.write(req.__("Cleaning node_modules...\n"));
+      try {
+        await cleanNodeModules();
+      } catch (e) {
+        res.write(req.__("Error cleaning node_modules: %s\n", e.message));
+      }
+    }
     const child = spawn(
       "npm",
       ["install", "-g", `@saltcorn/cli@${version}`, "--unsafe"],
@@ -1374,10 +1495,26 @@ const doInstall = async (req, res, version, runPull) => {
       res.write(data);
     });
     child.on("exit", async function (code, signal) {
-      if (code === 0 && runPull) {
-        res.write(req.__("Pulling the cordova-builder docker image...") + "\n");
-        const pullCode = await pullCordovaBuilder(req, res);
-        res.write(req.__("Pull done with code %s", pullCode) + "\n");
+      if (code === 0) {
+        if (deepClean) {
+          res.write(req.__("Installing sd-notify") + "\n");
+          const sdNotifyCode = await tryInstallSdNotify(req, res);
+          res.write(
+            req.__("sd-notify install done with code %s", sdNotifyCode) + "\n"
+          );
+        }
+        if (runPull) {
+          res.write(
+            req.__("Pulling the cordova-builder docker image...") + "\n"
+          );
+          const pullCode = await pullCordovaBuilder(req, res);
+          res.write(req.__("Pull done with code %s", pullCode) + "\n");
+          if (pullCode === 0) {
+            res.write(req.__("Pruning docker...") + "\n");
+            const pruneCode = await pruneDocker(req, res);
+            res.write(req.__("Prune done with code %s", pruneCode) + "\n");
+          }
+        }
       }
       res.end(
         version === "latest"
@@ -1397,8 +1534,8 @@ const doInstall = async (req, res, version, runPull) => {
 };
 
 router.post("/install", isAdmin, async (req, res) => {
-  const { version } = req.body;
-  await doInstall(req, res, version, false);
+  const { version, deep_clean } = req.body;
+  await doInstall(req, res, version, deep_clean === "on", false);
 });
 
 /**
@@ -1411,7 +1548,7 @@ router.post(
   "/upgrade",
   isAdmin,
   error_catcher(async (req, res) => {
-    await doInstall(req, res, "latest", true);
+    await doInstall(req, res, "latest", false, true);
   })
 );
 /**
@@ -1749,9 +1886,10 @@ router.get(
     });
   })
 );
-const buildDialogScript = (cordovaBuilderAvailable) => {
-  return `<script>
+const buildDialogScript = (cordovaBuilderAvailable, isSbadmin2) =>
+  `<script>
   var cordovaBuilderAvailable = ${cordovaBuilderAvailable};
+  var isSbadmin2 = ${isSbadmin2};
   function showEntrySelect(type) {
     for( const currentType of ["view", "page", "pagegroup"]) {
       const tab = $('#' + currentType + 'NavLinkID');
@@ -1776,7 +1914,6 @@ const buildDialogScript = (cordovaBuilderAvailable) => {
     notifyAlert("Building the app, please wait.", true)
   }
   </script>`;
-};
 
 const imageAvailable = async () => {
   try {
@@ -1834,19 +1971,29 @@ router.get(
     const plugins = (await Plugin.find()).filter(
       (plugin) => ["base", "sbadmin2"].indexOf(plugin.name) < 0
     );
+    const pluginsReadyForMobile = plugins
+      .filter((plugin) => plugin.ready_for_mobile())
+      .map((plugin) => plugin.name);
     const builderSettings =
       getState().getConfig("mobile_builder_settings") || {};
     const dockerAvailable = await imageAvailable();
     const xcodeCheckRes = await checkXcodebuild();
     const xcodebuildAvailable = xcodeCheckRes.installed;
     const xcodebuildVersion = xcodeCheckRes.version;
+    const layout = getState().getLayout(req.user);
+    const isSbadmin2 = layout === getState().layouts.sbadmin2;
     send_admin_page({
       res,
       req,
       active_sub: "Mobile app",
       headers: [
         {
-          headerTag: buildDialogScript(dockerAvailable),
+          headerTag: buildDialogScript(dockerAvailable, isSbadmin2),
+        },
+        {
+          headerTag: `<script>var pluginsReadyForMobile = ${JSON.stringify(
+            pluginsReadyForMobile
+          )}</script>`,
         },
       ],
       contents: {
@@ -2884,17 +3031,66 @@ router.get(
   })
 );
 
+const validateBuildDirName = (buildDirName) => {
+  // ensure characters
+  if (!/^[a-zA-Z0-9_-]+$/.test(buildDirName)) {
+    getState().log(
+      4,
+      `Invalid characters in build directory name '${buildDirName}'`
+    );
+    return false;
+  }
+  // ensure format is 'build_1234567890'
+  if (!/^build_\d+$/.test(buildDirName)) {
+    getState().log(4, `Invalid build directory name format '${buildDirName}'`);
+    return false;
+  }
+  return true;
+};
+
+const validateBuildDir = (buildDir, rootPath) => {
+  const resolvedBuildDir = path.resolve(buildDir);
+  if (!resolvedBuildDir.startsWith(path.join(rootPath, "mobile_app"))) {
+    getState().log(4, `Invalid build directory path '${buildDir}'`);
+    return false;
+  }
+  return true;
+};
+
 router.get(
   "/build-mobile-app/result",
   isAdmin,
   error_catcher(async (req, res) => {
     const { build_dir_name } = req.query;
+    if (!validateBuildDirName(build_dir_name)) {
+      return res.sendWrap(req.__(`Admin`), {
+        above: [
+          {
+            type: "card",
+            title: req.__("Build Result"),
+            contents: div(req.__("Invalid build directory name")),
+          },
+        ],
+      });
+    }
     const rootFolder = await File.rootFolder();
     const buildDir = path.join(
       rootFolder.location,
       "mobile_app",
       build_dir_name
     );
+    if (!validateBuildDir(buildDir, rootFolder.location)) {
+      return res.sendWrap(req.__(`Admin`), {
+        above: [
+          {
+            type: "card",
+            title: req.__("Build Result"),
+            contents: div(req.__("Invalid build directory path")),
+          },
+        ],
+      });
+    }
+
     const files = await Promise.all(
       fs
         .readdirSync(buildDir)
@@ -2947,6 +3143,11 @@ router.post(
     } = req.body;
     if (!includedPlugins) includedPlugins = [];
     if (!synchedTables) synchedTables = [];
+    if (!entryPoint) {
+      return res.json({
+        error: req.__("Please select an entry point."),
+      });
+    }
     if (!androidPlatform && !iOSPlatform) {
       return res.json({
         error: req.__("Please select at least one platform (android or iOS)."),
@@ -3093,8 +3294,8 @@ router.post(
   error_catcher(async (req, res) => {
     const state = getState();
     const child = spawn(
-      "docker",
-      ["image", "pull", "saltcorn/cordova-builder:latest"],
+      `${process.env.DOCKER_BIN ? `${process.env.DOCKER_BIN}/` : ""}docker`,
+      ["pull", "saltcorn/cordova-builder:latest"],
       {
         stdio: ["ignore", "pipe", "pipe"],
         cwd: ".",
@@ -3545,6 +3746,7 @@ router.get(
     send_admin_page({
       res,
       req,
+      page_title: req.__(`%s code page`, name),
       active_sub: "Development",
       sub2_page: req.__(`%s code page`, name),
       contents: {

package/routes/api.js

@@ -27,6 +27,7 @@ const Table = require("@saltcorn/data/models/table");
 const View = require("@saltcorn/data/models/view");
 //const Field = require("@saltcorn/data/models/field");
 const Trigger = require("@saltcorn/data/models/trigger");
+const File = require("@saltcorn/data/models/file");
 //const load_plugins = require("../load_plugins");
 const passport = require("passport");
 
@@ -189,6 +190,39 @@ router.post(
     )(req, res, next);
   })
 );
+
+router.get(
+  "/serve-files/*",
+  //passport.authenticate("api-bearer", { session: false }),
+  error_catcher(async (req, res, next) => {
+    await passport.authenticate(
+      "api-bearer",
+      { session: false },
+      async function (err, user, info) {
+        const role = req?.user?.role_id || user?.role_id || 100;
+        const user_id = req?.user?.id || user?.id;
+        const serve_path = req.params[0];
+        const file = await File.findOne(serve_path);
+        if (
+          file &&
+          (role <= file.min_role_read || (user_id && user_id === file.user_id))
+        ) {
+          res.type(file.mimetype);
+          const cacheability =
+            file.min_role_read === 100 ? "public" : "private";
+          const maxAge = getState().getConfig("files_cache_maxage", 86400);
+          res.set("Cache-Control", `${cacheability}, max-age=${maxAge}`);
+          if (file.s3_store)
+            res.status(404).json({ error: req.__("Not found") });
+          else res.sendFile(file.location);
+        } else {
+          res.status(404).json({ error: req.__("Not found") });
+        }
+      }
+    )(req, res, next);
+  })
+);
+
 /**
  *
  */
@@ -294,11 +328,12 @@ router.get(
           } else {
             const tbl_fields = table.getFields();
             readState(req_query, tbl_fields, req);
-            const qstate = await stateFieldsToWhere({
+            const qstate = stateFieldsToWhere({
               fields: tbl_fields,
               approximate: !!approximate,
               state: req_query,
               table,
+              prefix: "a.",
             });
             const joinFields = {};
             const derefs = Array.isArray(dereference)

package/routes/delete.js

@@ -38,7 +38,10 @@ router.post(
     try {
       if (role <= table.min_role_write)
         await table.deleteRows({ id }, req.user || { role_id: 100 });
-      else if (table.ownership_field_id && req.user) {
+      else if (
+        (table.ownership_field_id || table.ownership_formula) &&
+        req.user
+      ) {
         const row = await table.getRow(
           { id },
           { forUser: req.user, forPublic: !req.user }

package/routes/eventlog.js

@@ -41,6 +41,7 @@ const {
   i,
   th,
   pre,
+  text,
 } = require("@saltcorn/markup/tags");
 const Table = require("@saltcorn/data/models/table");
 const { send_events_page } = require("../markup/admin.js");
@@ -442,7 +443,7 @@ router.get(
           ) +
           div(
             { class: "eventpayload" },
-            ev.payload ? pre(JSON.stringify(ev.payload, null, 2)) : ""
+            ev.payload ? pre(text(JSON.stringify(ev.payload, null, 2))) : ""
           ),
       },
     });

package/routes/fields.js

@@ -136,6 +136,9 @@ const fieldForm = async (req, fkey_opts, existing_names, id, hasData) => {
         sublabel: req.__("Calculated from other fields with a formula"),
         type: "Bool",
         disabled: !!id,
+        help: {
+          topic: "Calculated fields",
+        },
       }),
       new Field({
         label: req.__("Required"),
@@ -169,6 +172,9 @@ const fieldForm = async (req, fkey_opts, existing_names, id, hasData) => {
         type: "Bool",
         disabled: !!id,
         showIf: { calculated: true },
+        help: {
+          topic: "Calculated fields",
+        },
       }),
       new Field({
         label: req.__("Protected"),
@@ -176,6 +182,9 @@ const fieldForm = async (req, fkey_opts, existing_names, id, hasData) => {
         sublabel: req.__("Set role to access"),
         type: "Bool",
         showIf: { calculated: false },
+        help: {
+          topic: "Protected fields",
+        },
       }),
       {
         label: req.__("Minimum role to write"),
@@ -919,12 +928,19 @@ router.post(
   "/test-formula",
   isAdmin,
   error_catcher(async (req, res) => {
-    const { formula, tablename, stored } = req.body;
+    let { formula, tablename, stored } = req.body;
+    if (stored === "false") stored = false;
+
     const table = Table.findOne({ name: tablename });
     const fields = table.getFields();
     const freeVars = freeVariables(formula);
     const joinFields = {};
-    if (stored) add_free_variables_to_joinfields(freeVars, joinFields, fields);
+    add_free_variables_to_joinfields(freeVars, joinFields, fields);
+    if (!stored && Object.keys(joinFields).length > 0) {
+      return res
+        .status(400)
+        .send(`Joinfields only permitted in stored calculated fields`);
+    }
     const rows = await table.getJoinedRows({
       joinFields,
       orderBy: "RANDOM()",
@@ -950,9 +966,9 @@ router.post(
       );
     } catch (e) {
       console.error(e);
-      return res.send(
-        `Error on running on row with id=${rows[0].id}: ${e.message}`
-      );
+      return res
+        .status(400)
+        .send(`Error on running on row with id=${rows[0].id}: ${e.message}`);
     }
   })
 );

package/routes/files.js

@@ -94,11 +94,15 @@ router.get(
     const { dir, no_subdirs } = req.query;
     const noSubdirs = no_subdirs === "true";
     const safeDir = File.normalise(dir || "/");
-    const absFolder = path.join(
+    const absFolder = File.normalise_in_base(
       db.connectObj.file_store,
       db.getTenantSchema(),
-      safeDir
+      dir || "/"
     );
+    if (absFolder === null) {
+      res.json({ error: "Invalid path" });
+      return;
+    }
     const dirOnDisk = await File.from_file_on_disk(
       path.basename(absFolder),
       path.dirname(absFolder)
@@ -594,6 +598,9 @@ router.get(
   isAdmin,
   error_catcher(async (req, res) => {
     const form = await storage_form(req);
+    form.blurb = [
+      `<div class="alert alert-warning">S3 storage options may not work for this release. Enabling S3 storage is not recommended</div>`,
+    ];
     send_files_page({
       res,
       req,