@saltcorn/server 1.0.0-beta.9 → 1.0.0-rc.2

package/app.js

@@ -306,13 +306,7 @@ const getApp = async (opts = {}) => {
             ? new Date(u.last_mobile_login).valueOf()
             : u.last_mobile_login) <= jwt_payload.iat
         ) {
-          return done(null, {
-            email: u.email,
-            id: u.id,
-            role_id: u.role_id,
-            language: u.language,
-            tenant: db.getTenantSchema(),
-          });
+          return done(null, u.session_object);
         } else {
           return done(null, { role_id: 100 });
         }
@@ -447,6 +441,9 @@ Sitemap: ${base}sitemap.xml
   app.get("*", function (req, res) {
     res.status(404).sendWrap(req.__("Not found"), h1(req.__("Page not found")));
   });
+
+  //prevent prototype pollution
+  delete Object.prototype.__proto__;
   return app;
 };
 module.exports = getApp;

package/auth/admin.js

@@ -365,6 +365,7 @@ const auth_settings_form = async (req) =>
       "signup_role",
       "elevate_verified",
       "email_mask",
+      "plain_password_triggers",
     ],
     action: "/useradmin/settings",
     submitLabel: req.__("Save"),

package/auth/routes.js

@@ -1133,7 +1133,10 @@ router.post(
     }
     if (getState().get2FApolicy(req.user) === "Mandatory") {
       res.redirect("/auth/twofa/setup/totp");
-    } else if (req.body.dest && is_relative_url(req.body.dest)) {
+    } else if (
+      req.body.dest &&
+      is_relative_url(decodeURIComponent(req.body.dest))
+    ) {
       res.redirect(decodeURIComponent(req.body.dest));
     } else res.redirect("/");
   })

package/help/Aggregation where formula.tmd

@@ -0,0 +1,11 @@
+The where formula allows you to restrict the rows included in the aggregations. 
+
+The formula should take the form of a JavaScript boolean expression such as
+`a === b` or `x>y && w==1` when is based on the row values in the rows in the target table for 
+inclusion in the aggregation. For instance, if you are displaying aggregations about 
+a row from a Projects table, and a Task table has a key to projects field and a Boolean
+field called `completed`, you may want to show the number of not-completed tasks for the Project.
+In this case use the where expression `completed == false`.
+
+You cannot here use view state or values from the row about which you are displaying aggregations. However, 
+if a user is logged in, the `user` variable can be used to access user fields, such as `user.id`.

package/help/Calculated fields.tmd

@@ -0,0 +1,28 @@
+A calculated field is a column that holds values that are not entered 
+or changed directly but are instead calculated automatically from other 
+values in that row of from rows in other tables related by a key field. 
+
+There are two types of calculated field values:
+
+*Not stored*: calculated fields that are not stored in the database are 
+recalculated every time the row is accessed. They are defined by a 
+JavaScript expression where the values of the other fields are in scope.
+They are suitable for quick calculations that depend only on other values 
+in the same row. Because they are recalculated they are guaranteed to be 
+up to date. Non-stored fields cannot access data in related rows by join 
+fields or aggregations and cannot use asynchronous functions provided by
+modules. They can use synchronous functions.
+
+*Stored*: the values of stored fields are stored in the database table. 
+They are more flexible in the way they can be defined. Stored fields can 
+be defined either by a JavaScript expression or by an aggregation. When 
+defined by a JavaScript expression, join fields can be accessed by the 
+dot notation. Stored fields may also use both synchronous and asynchronous f
+unctions provided by modules. Asynchronous functions can in principle do 
+input/output including calling APIs. This expression will be evaluated 
+every time the row changes.
+
+Stored fields that are defined by an aggregation are automatically updated 
+when one of the child rows is updated. Stored fields that are based on 
+JavaScript expressions involving join felds are not automatically updated. 
+You need to run the recalculate stored fields action to update them 

package/help/Date format.tmd

@@ -0,0 +1,55 @@
+You can define how a date value should be shown by specifying a date format string
+which supports a range of formatting options. The formatting is provided by the 
+[Day.js](https://day.js.org/docs/en/display/format) library with the 
+[AdvancedFormat](https://day.js.org/docs/en/plugin/advanced-format) extension. Those links
+give the full definition for the available format options.
+
+When a date is rendered with a format string, certain specific character sequences are
+substituted for parts of the date value. Any unrecognized characters are repeated verbatim
+in the output and you can used that for separator charcters such as hyphens (-) or slashes (/).
+
+For example, the timepoint 11.15am on Friday, 4 October 2024 is rendered, according to the 
+format string:
+
+{{# const d = new Date('2024-10-04T11:15:00.000')}}
+
+| Format string       | Output       |
+| ------------------- | ------------ |
+| YYYY-MM-DD          | {{ moment(d).format("YYYY-MM-DD")}} |
+| H:mm on dddd, D MMMM YYYY | {{ moment(d).format("H:mm on dddd, D MMMM YYYY")}} |
+
+The full list of supported format sequences are:
+
+| Format | Output | Description |
+| --- | --- | --- |
+| `YY` | 18  | Two-digit year |
+| `YYYY` | 2018 | Four-digit year |
+| `M` | 1-12 | The month, beginning at 1 |
+| `MM` | 01-12 | The month, 2-digits |
+| `MMM` | Jan-Dec | The abbreviated month name |
+| `MMMM` | January-December | The full month name |
+| `D` | 1-31 | The day of the month |
+| `DD` | 01-31 | The day of the month, 2-digits |
+| `d` | 0-6 | The day of the week, with Sunday as 0 |
+| `dd` | Su-Sa | The min name of the day of the week |
+| `ddd` | Sun-Sat | The short name of the day of the week |
+| `dddd` | Sunday-Saturday | The name of the day of the week |
+| `H` | 0-23 | The hour |
+| `HH` | 00-23 | The hour, 2-digits |
+| `h` | 1-12 | The hour, 12-hour clock |
+| `hh` | 01-12 | The hour, 12-hour clock, 2-digits |
+| `m` | 0-59 | The minute |
+| `mm` | 00-59 | The minute, 2-digits |
+| `s` | 0-59 | The second |
+| `ss` | 00-59 | The second, 2-digits |
+| `SSS` | 000-999 | The millisecond, 3-digits |
+| `Z` | +05:00 | The offset from UTC, ±HH:mm |
+| `ZZ` | +0500 | The offset from UTC, ±HHmm |
+| `A` | AM PM |     |
+| `a` | am pm |     |
+| `Q` | 1-4 | Quarter |
+| `Do` | 1st 2nd ... 31st | Day of Month with ordinal |
+| `k` | 1-24 | The hour, beginning at 1 |
+| `kk` | 01-24 | The hour, 2-digits, beginning at 1 |
+| `X` | 1360013296 | Unix Timestamp in second |
+| `x` | 1360013296123 | Unix Timestamp in millisecond |

package/help/Protected fields.tmd

@@ -0,0 +1,4 @@
+Mmark a field as protected in order to set a minimum role required
+to write to this field. This will be checked in addition to the role
+required to write to the whole table; it will also stop changing the 
+field value even if the user is the owner of the row.

package/help/Snapshots.tmd

@@ -0,0 +1,19 @@
+A snapshot is a saved format of your application that includes all of 
+your application structure (table and fields definitions, views pages 
+and configuration settings) but excludes all of your data, that is, 
+table rows and files. A snapshot is the same format as a pack - a snapshot 
+is in fact merely a full pack of the application. (To create a partial 
+pack of the application, use tags or the pack export in the module store). 
+
+Snapshots have several possible uses:
+
+* If you have two different servers one for production and one for development 
+  then you can make changes to the development server and use a snapshot to 
+  move those changes to the production instance 
+
+* By enabling periodic snapshots Saltcorn allows you to restore versions of 
+  views, pages and triggers after you have made changes. This allows you to 
+  undo mistakes that you have made in building. 
+
+* If your application contains a large amount of data that can quickly be 
+  regenerated you may want to use snapshots instead of backups to save your application.

package/help/Table history.tmd

@@ -0,0 +1,42 @@
+When version history on a database table is enabled in Saltcorn,
+changes to row values are recorded in a secondary, hidden table. 
+This allows you to restore previous versions of individual rows 
+and undelete deleted rows. 
+
+The downside to enabling version history on tables is that this 
+can lead to a lot of data being retained which may mean your 
+database disk requirements will grow. In addition it will impact 
+performance when making changes to rows. There should be no 
+performance impact on reading data from the database.
+
+Note that when the history is first enabled the existing rows in 
+the table are not copied into the history table in their present 
+state. Only when a change is made to a row (or a row is created) 
+is the new row copied into the history table. 
+
+Enabling version history gives the administrator access to the 
+version history in the administrator's data edit facility (Edit 
+button on the table page). Each row will show the number of versions 
+recorded and by clicking this you will see the list of versions. 
+Each version shows the value for each field, the user who made the 
+change, the time at which the change was made and an option to 
+restore. This is the only facility for interacting with the version
+history in core Saltcorn.
+
+The history-control module provides additional facilities for 
+interacting with the history. The history-control module provides:
+
+* Actions to undo and redo row changes that will move the current 
+  row backwards and forwards in the table history
+
+* A history field difference view pattern that allows users to 
+  compare different versions of a field value
+
+* A "History for database table" table provider that can be used to create a "virtual"
+  table based on the history of an existing table. This table will have 
+  all the fields of the original table and fields for the user making 
+  the change and the time of the change being made 
+
+* A restore_from_history action that can be used on a view of the table
+  history (on the provided table) to restore or undelete any version of 
+  a specific row

package/help/index.js

@@ -5,6 +5,7 @@ const _ = require("underscore");
 const fs = require("fs").promises;
 const MarkdownIt = require("markdown-it"),
   md = new MarkdownIt();
+const moment = require("moment");
 
 const { pre } = require("@saltcorn/markup/tags");
 const path = require("path");
@@ -33,6 +34,7 @@ const get_help_markup = async (topic, query, req) => {
       scState: getState(),
       query,
       oneOf,
+      moment,
     };
     const mdTemplate = await get_md_file(topic);
     if (!mdTemplate) return { markup: "Topic not found" };

package/load_plugins.js

@@ -12,6 +12,73 @@ const { isRoot } = require("@saltcorn/data/utils");
 const { eachTenant } = require("@saltcorn/admin-models/models/tenant");
 
 const PluginInstaller = require("@saltcorn/plugins-loader/plugin_installer");
+const npmFetch = require("npm-registry-fetch");
+const packagejson = require("./package.json");
+const {
+  supportedVersion,
+  resolveLatest,
+} = require("@saltcorn/plugins-loader/stable_versioning");
+
+const isFixedPlugin = (plugin) =>
+  plugin.location === "@saltcorn/sbadmin2" ||
+  plugin.location === "@saltcorn/base-plugin";
+
+/**
+ * return the cached engine infos or fetch them from npm and update the cache
+ * @param plugin plugin to load
+ */
+const getEngineInfos = async (plugin, forceFetch) => {
+  const rootState = getRootState();
+  const cached = rootState.getConfig("engines_cache", {}) || {};
+  if (cached[plugin.location] && !forceFetch) {
+    return cached[plugin.location];
+  } else {
+    getState().log(5, `Fetching versions for '${plugin.location}'`);
+    const pkgInfo = await npmFetch.json(
+      `https://registry.npmjs.org/${plugin.location}`
+    );
+    const versions = pkgInfo.versions;
+    const newCached = {};
+    for (const [k, v] of Object.entries(versions)) {
+      newCached[k] = v.engines?.saltcorn
+        ? { engines: { saltcorn: v.engines.saltcorn } }
+        : {};
+    }
+    cached[plugin.location] = newCached;
+    await rootState.setConfig("engines_cache", { ...cached });
+    return newCached;
+  }
+};
+
+/**
+ * checks the saltcorn engine property and changes the plugin version if necessary
+ * @param plugin plugin to load
+ */
+const ensurePluginSupport = async (plugin, forceFetch) => {
+  let versions = await getEngineInfos(plugin, forceFetch);
+  if (
+    plugin.version &&
+    plugin.version !== "latest" &&
+    !versions[plugin.version] &&
+    !forceFetch
+  ) {
+    versions = await getEngineInfos(plugin, true);
+  }
+  const supported = supportedVersion(
+    plugin.version || "latest",
+    versions,
+    packagejson.version
+  );
+  if (!supported)
+    throw new Error(
+      `Unable to find a supported version for '${plugin.location}'`
+    );
+  else if (
+    supported !== plugin.version ||
+    (plugin.version === "latest" && supported !== resolveLatest(versions))
+  )
+    plugin.version = supported;
+};
 
 /**
  * Load one plugin
@@ -19,7 +86,16 @@ const PluginInstaller = require("@saltcorn/plugins-loader/plugin_installer");
  * @param plugin - plugin to load
  * @param force - force flag
  */
-const loadPlugin = async (plugin, force) => {
+const loadPlugin = async (plugin, force, forceFetch) => {
+  if (plugin.source === "npm" && !isFixedPlugin(plugin)) {
+    try {
+      await ensurePluginSupport(plugin, forceFetch);
+    } catch (e) {
+      console.log(
+        `Warning: Unable to find a supported version for '${plugin.location}' Continuing with the installed version`
+      );
+    }
+  }
   // load plugin
   const loader = new PluginInstaller(plugin);
   const res = await loader.install(force);
@@ -105,7 +181,7 @@ const loadAllPlugins = async (force) => {
     }
   }
   await getState().refreshUserLayouts();
-  await getState().refresh(true);
+  await getState().refresh(true, true);
   if (!isRoot()) reloadAuthFromRoot();
 };
 
@@ -151,11 +227,14 @@ const loadAndSaveNewPlugin = async (
       return;
     }
   }
-  const msgs = [];
-  const loader = new PluginInstaller(plugin);
-  const { version, plugin_module, location, loadedWithReload } =
+  if (plugin.source === "npm") await ensurePluginSupport(plugin);
+  const loadMsgs = [];
+  const loader = new PluginInstaller(plugin, {
+    scVersion: packagejson.version,
+  });
+  const { version, plugin_module, location, loadedWithReload, msgs } =
     await loader.install(force);
-
+  if (msgs) loadMsgs.push(...msgs);
   // install dependecies
   for (const loc of plugin_module.dependencies || []) {
     const existing = await Plugin.findOne({ location: loc });
@@ -201,7 +280,7 @@ const loadAndSaveNewPlugin = async (
     }
   }
   if (loadedWithReload || registeredWithReload) {
-    msgs.push(
+    loadMsgs.push(
       __(
         "The plugin was corrupted and had to be repaired. We recommend restarting your server.",
         plugin.name
@@ -228,7 +307,7 @@ const loadAndSaveNewPlugin = async (
       force: false, // okay ??
     });
   }
-  return msgs;
+  return loadMsgs;
 };
 
 module.exports = {
@@ -236,4 +315,6 @@ module.exports = {
   loadAllPlugins,
   loadPlugin,
   requirePlugin,
+  getEngineInfos,
+  ensurePluginSupport,
 };

package/locales/en.json

@@ -1464,5 +1464,17 @@
 	"Zip compression level": "Zip compression level",
 	"1=Fast, larger file, 9=Slow, smaller files": "1=Fast, larger file, 9=Slow, smaller files",
 	"Use system zip": "Use system zip",
-	"Recommended. Executable <code>zip</code> must be installed": "Recommended. Executable <code>zip</code> must be installed"
+	"Recommended. Executable <code>zip</code> must be installed": "Recommended. Executable <code>zip</code> must be installed",
+	"Time to run": "Time to run",
+	"Mobile": "Mobile",
+	"Plain password trigger row": "Plain password trigger row",
+	"Send plaintext password changes to Users table triggers (Insert, Update and Validate).": "Send plaintext password changes to Users table triggers (Insert, Update and Validate).",
+	"Minimum user role required to create a new tenant<div class=\"alert alert-danger fst-normal\" role=\"alert\" data-show-if=\"showIfFormulaInputs($('select[name=role_to_create_tenant]'), '+role_to_create_tenant>1')\">Giving non-trusted users access to create tenants is a security risk and not recommended.</div>": "Minimum user role required to create a new tenant<div class=\"alert alert-danger fst-normal\" role=\"alert\" data-show-if=\"showIfFormulaInputs($('select[name=role_to_create_tenant]'), '+role_to_create_tenant>1')\">Giving non-trusted users access to create tenants is a security risk and not recommended.</div>",
+	"Select tag": "Select tag",
+	"Invalid build directory path": "Invalid build directory path",
+	"Invalid build directory name": "Invalid build directory name",
+	"clean node_modules": "clean node_modules",
+	"After delete": "After delete",
+	"Search only on exact match, not substring match. Useful for large tables": "Search only on exact match, not substring match. Useful for large tables",
+	"Please select an entry point.": "Please select an entry point."
 }