@saltcorn/server 1.0.0-rc.1 → 1.0.0-rc.10

package/auth/routes.js

@@ -1133,7 +1133,10 @@ router.post(
     }
     if (getState().get2FApolicy(req.user) === "Mandatory") {
       res.redirect("/auth/twofa/setup/totp");
-    } else if (req.body.dest && is_relative_url(req.body.dest)) {
+    } else if (
+      req.body.dest &&
+      is_relative_url(decodeURIComponent(req.body.dest))
+    ) {
       res.redirect(decodeURIComponent(req.body.dest));
     } else res.redirect("/");
   })

package/help/index.js

@@ -13,7 +13,8 @@ const { getState } = require("@saltcorn/data/db/state");
 const { oneOf } = require("@saltcorn/types/generators");
 const get_md_file = async (topic) => {
   try {
-    const fp = path.join(__dirname, `${File.normalise(topic)}.tmd`);
+    const fp = File.normalise_in_base(__dirname, `${topic}.tmd`);
+    if (!fp) return false;
     const fileBuf = await fs.readFile(fp);
     return fileBuf.toString();
   } catch (e) {

package/load_plugins.js

@@ -231,6 +231,7 @@ const loadAndSaveNewPlugin = async (
   const loadMsgs = [];
   const loader = new PluginInstaller(plugin, {
     scVersion: packagejson.version,
+    envVars: { PUPPETEER_SKIP_DOWNLOAD: "1" },
   });
   const { version, plugin_module, location, loadedWithReload, msgs } =
     await loader.install(force);

package/locales/en.json

@@ -1476,5 +1476,6 @@
 	"clean node_modules": "clean node_modules",
 	"After delete": "After delete",
 	"Search only on exact match, not substring match. Useful for large tables": "Search only on exact match, not substring match. Useful for large tables",
-	"Please select an entry point.": "Please select an entry point."
+	"Please select an entry point.": "Please select an entry point.",
+	"Group by": "Group by"
 }

package/package.json

@@ -1,20 +1,20 @@
 {
   "name": "@saltcorn/server",
-  "version": "1.0.0-rc.1",
+  "version": "1.0.0-rc.10",
   "description": "Server app for Saltcorn, open-source no-code platform",
   "homepage": "https://saltcorn.com",
   "main": "index.js",
   "license": "MIT",
   "dependencies": {
     "@aws-sdk/client-s3": "^3.451.0",
-    "@saltcorn/base-plugin": "1.0.0-rc.1",
-    "@saltcorn/builder": "1.0.0-rc.1",
-    "@saltcorn/data": "1.0.0-rc.1",
-    "@saltcorn/admin-models": "1.0.0-rc.1",
-    "@saltcorn/filemanager": "1.0.0-rc.1",
-    "@saltcorn/markup": "1.0.0-rc.1",
-    "@saltcorn/plugins-loader": "1.0.0-rc.1",
-    "@saltcorn/sbadmin2": "1.0.0-rc.1",
+    "@saltcorn/base-plugin": "1.0.0-rc.10",
+    "@saltcorn/builder": "1.0.0-rc.10",
+    "@saltcorn/data": "1.0.0-rc.10",
+    "@saltcorn/admin-models": "1.0.0-rc.10",
+    "@saltcorn/filemanager": "1.0.0-rc.10",
+    "@saltcorn/markup": "1.0.0-rc.10",
+    "@saltcorn/plugins-loader": "1.0.0-rc.10",
+    "@saltcorn/sbadmin2": "1.0.0-rc.10",
     "@socket.io/cluster-adapter": "^0.2.1",
     "@socket.io/sticky": "^1.0.1",
     "adm-zip": "0.5.10",

package/public/gridedit.js

@@ -87,7 +87,9 @@ function isoDateFormatter(cell, formatterParams, onRendered) {
   if (formatterParams && formatterParams.format)
     return dayjs(val).format(formatterParams.format);
 
-  return new Date(val).toLocaleDateString(window.detected_locale || "en");
+  return new Date(val).toLocaleDateString(window.detected_locale || "en", {
+    timeZone: "UTC",
+  });
 }
 function colorFormatter(cell, formatterParams, onRendered) {
   const val = cell.getValue();

package/public/saltcorn-builder.css

@@ -525,10 +525,3 @@ div.componets-and-library-accordion {
 .toolbox-card:nth-child(2) {
   margin-bottom: 0px;
 }
-#builder-main-canvas {
-  height: calc(100dvh - 50px) !important;
-  min-height: 600px;
-}
-#builder-main-canvas.h-100 {
-  height: 100% !important;
-}

package/public/saltcorn-common.js

@@ -1352,7 +1352,7 @@ function buildToast(txt, type, spin) {
       role="alert"
       aria-live="assertive"
       aria-atomic="true"
-      style="min-width: 350px; max-width: 50vw; width: auto; z-index: 999; ${
+      style="min-width: 350px; max-width: 50vw; width: auto; z-index: 9999; ${
         !isNode ? "transform: translateX(-50%);" : ""
       }" 
     >

package/public/saltcorn.js

@@ -350,16 +350,18 @@ function expand_thumbnail(img_id, filename) {
 }
 
 function ajax_modal(url, opts = {}) {
-  ensure_modal_exists_and_closed();
-  $("#scmodal").removeClass("no-submit-reload");
-  $("#scmodal").attr("data-on-close-reload-view", opts.reload_view || null);
-
-  if (opts.submitReload === false) $("#scmodal").addClass("no-submit-reload");
   $.ajax(url, {
     headers: {
       SaltcornModalRequest: "true",
     },
     success: function (res, textStatus, request) {
+      ensure_modal_exists_and_closed();
+      $("#scmodal").removeClass("no-submit-reload");
+      $("#scmodal").attr("data-on-close-reload-view", opts.reload_view || null);
+
+      if (opts.submitReload === false)
+        $("#scmodal").addClass("no-submit-reload");
+
       var title = request.getResponseHeader("Page-Title");
       var width = request.getResponseHeader("SaltcornModalWidth");
       var minwidth = request.getResponseHeader("SaltcornModalMinWidth");
@@ -430,6 +432,20 @@ function saveAndContinue(e, k, event) {
   )
     return;
   var form = $(e).closest("form");
+  let focusedEl = null;
+  if (!event || !event.srcElement) {
+    const el = form.find("select[sc-received-focus]")[0];
+    if (el) {
+      el.removeAttribute("sc-received-focus");
+      if (el.getAttribute("previous-val") === el.value) return;
+    }
+  } else if (
+    event.srcElement.tagName === "SELECT" &&
+    event.srcElement.getAttribute("previous-val") !== undefined
+  ) {
+    focusedEl = event.srcElement;
+  }
+
   const valres = form[0].reportValidity();
   if (!valres) return;
   submitWithEmptyAction(form[0]);
@@ -452,6 +468,7 @@ function saveAndContinue(e, k, event) {
         reloadEmbeddedEditOwnViews(form, res.id);
       }
       common_done(res, form.attr("data-viewname"));
+      if (focusedEl) focusedEl.setAttribute("previous-val", focusedEl.value);
     },
     error: function (request) {
       var ct = request.getResponseHeader("content-type") || "";

package/routes/actions.js

@@ -755,7 +755,7 @@ router.post(
       req.flash("success", req.__("Action configuration saved"));
       res.redirect(
         req.query.on_done_redirect &&
-          is_relative_url(req.query.on_done_redirect)
+          is_relative_url("/" + req.query.on_done_redirect)
           ? `/${req.query.on_done_redirect}`
           : "/actions/"
       );

package/routes/api.js

@@ -27,6 +27,7 @@ const Table = require("@saltcorn/data/models/table");
 const View = require("@saltcorn/data/models/view");
 //const Field = require("@saltcorn/data/models/field");
 const Trigger = require("@saltcorn/data/models/trigger");
+const File = require("@saltcorn/data/models/file");
 //const load_plugins = require("../load_plugins");
 const passport = require("passport");
 
@@ -189,6 +190,39 @@ router.post(
     )(req, res, next);
   })
 );
+
+router.get(
+  "/serve-files/*",
+  //passport.authenticate("api-bearer", { session: false }),
+  error_catcher(async (req, res, next) => {
+    await passport.authenticate(
+      "api-bearer",
+      { session: false },
+      async function (err, user, info) {
+        const role = req?.user?.role_id || user?.role_id || 100;
+        const user_id = req?.user?.id || user?.id;
+        const serve_path = req.params[0];
+        const file = await File.findOne(serve_path);
+        if (
+          file &&
+          (role <= file.min_role_read || (user_id && user_id === file.user_id))
+        ) {
+          res.type(file.mimetype);
+          const cacheability =
+            file.min_role_read === 100 ? "public" : "private";
+          const maxAge = getState().getConfig("files_cache_maxage", 86400);
+          res.set("Cache-Control", `${cacheability}, max-age=${maxAge}`);
+          if (file.s3_store)
+            res.status(404).json({ error: req.__("Not found") });
+          else res.sendFile(file.location);
+        } else {
+          res.status(404).json({ error: req.__("Not found") });
+        }
+      }
+    )(req, res, next);
+  })
+);
+
 /**
  *
  */
@@ -294,11 +328,12 @@ router.get(
           } else {
             const tbl_fields = table.getFields();
             readState(req_query, tbl_fields, req);
-            const qstate = await stateFieldsToWhere({
+            const qstate = stateFieldsToWhere({
               fields: tbl_fields,
               approximate: !!approximate,
               state: req_query,
               table,
+              prefix: "a.",
             });
             const joinFields = {};
             const derefs = Array.isArray(dereference)

package/routes/delete.js

@@ -38,7 +38,10 @@ router.post(
     try {
       if (role <= table.min_role_write)
         await table.deleteRows({ id }, req.user || { role_id: 100 });
-      else if (table.ownership_field_id && req.user) {
+      else if (
+        (table.ownership_field_id || table.ownership_formula) &&
+        req.user
+      ) {
         const row = await table.getRow(
           { id },
           { forUser: req.user, forPublic: !req.user }

package/routes/files.js

@@ -94,11 +94,15 @@ router.get(
     const { dir, no_subdirs } = req.query;
     const noSubdirs = no_subdirs === "true";
     const safeDir = File.normalise(dir || "/");
-    const absFolder = path.join(
+    const absFolder = File.normalise_in_base(
       db.connectObj.file_store,
       db.getTenantSchema(),
-      safeDir
+      dir || "/"
     );
+    if (absFolder === null) {
+      res.json({ error: "Invalid path" });
+      return;
+    }
     const dirOnDisk = await File.from_file_on_disk(
       path.basename(absFolder),
       path.dirname(absFolder)
@@ -594,6 +598,9 @@ router.get(
   isAdmin,
   error_catcher(async (req, res) => {
     const form = await storage_form(req);
+    form.blurb = [
+      `<div class="alert alert-warning">S3 storage options may not work for this release. Enabling S3 storage is not recommended</div>`,
+    ];
     send_files_page({
       res,
       req,

package/routes/list.js

@@ -411,7 +411,7 @@ router.get(
                   ajax_indicator(false);
                   //if (item._versions) item._versions = +item._versions + 1;
                   //data.resolve(fixKeys(item));
-                  if(resp.success &&typeof resp.success ==="number" && !row.id) {
+                  if(resp.success &&(typeof resp.success ==="number" || typeof resp.success ==="string") && !row.id) {
                     window.tabulator_table.updateRow(cell.getRow(), {id: resp.success});
                   }
 

package/routes/pageedit.js

@@ -648,7 +648,8 @@ router.post(
     const { pagename } = req.params;
 
     let redirectTarget =
-      req.query.on_done_redirect && is_relative_url(req.query.on_done_redirect)
+      req.query.on_done_redirect &&
+      is_relative_url("/" + req.query.on_done_redirect)
         ? `/${req.query.on_done_redirect}`
         : "/pageedit";
     const page = await Page.findOne({ name: pagename });

package/routes/plugins.js

@@ -899,12 +899,13 @@ router.post(
         };
         await plugin.upsert();
         await load_plugins.loadPlugin(plugin);
+
+        getState().processSend({
+          refresh_plugin_cfg: plugin.name,
+          tenant: db.getTenantSchema(),
+        });
+        res.json({ success: "ok" });
       }
-      getState().processSend({
-        refresh_plugin_cfg: plugin.name,
-        tenant: db.getTenantSchema(),
-      });
-      res.json({ success: "ok" });
     }
   })
 );

package/routes/sync.js

@@ -335,16 +335,13 @@ router.post(
   "/clean_sync_dir",
   error_catcher(async (req, res) => {
     const { dir_name } = req.body;
-    const safe_dir_name = File.normalise(dir_name);
     try {
       const rootFolder = await File.rootFolder();
-      const syncDir = path.join(
-        rootFolder.location,
-        "mobile_app",
-        "sync",
-        safe_dir_name
+      const syncDir = File.normalise_in_base(
+        path.join(rootFolder.location, "mobile_app", "sync"),
+        dir_name
       );
-      await fs.rm(syncDir, { recursive: true, force: true });
+      if (syncDir) await fs.rm(syncDir, { recursive: true, force: true });
       res.status(200).send("");
     } catch (error) {
       getState().log(2, `POST /sync/clean_sync_dir: '${error.message}'`);

package/routes/viewedit.js

@@ -766,7 +766,8 @@ router.post(
       )
     );
     let redirectTarget =
-      req.query.on_done_redirect && is_relative_url(req.query.on_done_redirect)
+      req.query.on_done_redirect &&
+      is_relative_url("/" + req.query.on_done_redirect)
         ? `/${req.query.on_done_redirect}`
         : "/viewedit";
     res.redirect(redirectTarget);
@@ -791,7 +792,8 @@ router.post(
       req.__("View %s duplicated as %s", view.name, newview.name)
     );
     let redirectTarget =
-      req.query.on_done_redirect && is_relative_url(req.query.on_done_redirect)
+      req.query.on_done_redirect &&
+      is_relative_url("/" + req.query.on_done_redirect)
         ? `/${req.query.on_done_redirect}`
         : "/viewedit";
     res.redirect(redirectTarget);
@@ -812,7 +814,8 @@ router.post(
     await View.delete({ id });
     req.flash("success", req.__("View deleted"));
     let redirectTarget =
-      req.query.on_done_redirect && is_relative_url(req.query.on_done_redirect)
+      req.query.on_done_redirect &&
+      is_relative_url("/" + req.query.on_done_redirect)
         ? `/${req.query.on_done_redirect}`
         : "/viewedit";
     res.redirect(redirectTarget);
@@ -910,7 +913,7 @@ router.post(
       req.flash("success", message);
       let redirectTarget =
         req.query.on_done_redirect &&
-        is_relative_url(req.query.on_done_redirect)
+        is_relative_url("/" + req.query.on_done_redirect)
           ? `/${req.query.on_done_redirect}`
           : "/viewedit";
       res.redirect(redirectTarget);

package/tests/api.test.js

@@ -2,6 +2,8 @@ const request = require("supertest");
 const getApp = require("../app");
 const Table = require("@saltcorn/data/models/table");
 const Trigger = require("@saltcorn/data/models/trigger");
+const File = require("@saltcorn/data/models/file");
+const fs = require("fs").promises;
 
 const Field = require("@saltcorn/data/models/field");
 const {
@@ -19,6 +21,19 @@ const User = require("@saltcorn/data/models/user");
 
 beforeAll(async () => {
   await resetToFixtures();
+  await File.ensure_file_store();
+  await File.from_req_files(
+    {
+      mimetype: "image/png",
+      name: "rick1.png",
+      mv: async (fnm) => {
+        await fs.writeFile(fnm, "nevergonnagiveyouup");
+      },
+      size: 245752,
+    },
+    1,
+    80
+  );
 });
 afterAll(db.close);
 
@@ -352,6 +367,20 @@ describe("API authentication", () => {
 
       .expect(succeedJsonWith((rows) => rows.length == 2));
   });
+  it("should not show file to public", async () => {
+    const app = await getApp();
+    await request(app)
+      .get("/api/serve-files/rick1.png")
+      .expect(respondJsonWith(404, (b) => b.error === "Not found"));
+  });
+  it("should show file to user", async () => {
+    const app = await getApp();
+    const u = await User.findOne({ id: 1 });
+    await request(app)
+      .get("/api/serve-files/rick1.png")
+      .set("Authorization", "Bearer " + u.api_token)
+      .expect(200);
+  });
 });
 
 describe("API action", () => {