@saltcorn/server 1.1.1 → 1.1.2-beta.1

package/routes/api.js

@@ -30,6 +30,7 @@ const Trigger = require("@saltcorn/data/models/trigger");
 const File = require("@saltcorn/data/models/file");
 //const load_plugins = require("../load_plugins");
 const passport = require("passport");
+const path = require("path");
 
 const {
   readState,
@@ -164,7 +165,7 @@ router.post(
         ) {
           const queries = view.queries(false, req);
           if (Object.prototype.hasOwnProperty.call(queries, queryName)) {
-            const { args } = req.body;
+            const { args } = req.body || {};
             const resp = await queries[queryName](...args, true);
             res.json({ success: resp, alerts: getFlashes(req) });
           } else {
@@ -192,7 +193,7 @@ router.post(
 );
 
 router.get(
-  "/serve-files/*",
+  "/serve-files/*serve_path",
   //passport.authenticate("api-bearer", { session: false }),
   error_catcher(async (req, res, next) => {
     await passport.authenticate(
@@ -201,7 +202,7 @@ router.get(
       async function (err, user, info) {
         const role = req?.user?.role_id || user?.role_id || 100;
         const user_id = req?.user?.id || user?.id;
-        const serve_path = req.params[0];
+        const serve_path = path.join(...req.params.serve_path);
         const file = await File.findOne(serve_path);
         if (
           file &&
@@ -214,7 +215,7 @@ router.get(
           res.set("Cache-Control", `${cacheability}, max-age=${maxAge}`);
           if (file.s3_store)
             res.status(404).json({ error: req.__("Not found") });
-          else res.sendFile(file.location);
+          else res.sendFile(file.location, { dotfiles: "allow" });
         } else {
           res.status(404).json({ error: req.__("Not found") });
         }
@@ -466,7 +467,7 @@ router.all(
         if (accessAllowed(req, user, trigger)) {
           try {
             let resp;
-            const row = req.method === "GET" ? req.query : req.body;
+            const row = req.method === "GET" ? req.query : req.body || {};
             if (trigger.action === "Workflow") {
               resp = await trigger.runWithoutRow({
                 req,
@@ -479,7 +480,7 @@ router.all(
               const action = getState().actions[trigger.action];
               resp = await action.run({
                 configuration: trigger.configuration,
-                body: req.body,
+                body: req.body || {},
                 row,
                 req,
                 user: user || req.user,
@@ -533,7 +534,7 @@ router.post(
       { session: false },
       async function (err, user, info) {
         if (accessAllowedWrite(req, user, table)) {
-          const { _versions, ...row } = req.body;
+          const { _versions, ...row } = req.body || {};
           const fields = table.getFields();
           readState(row, fields, req);
           const errors = await prepare_insert_row(row, fields);
@@ -588,7 +589,7 @@ router.post(
             if (id === "undefined") {
               const pk_name = table.pk_name;
               //const fields = table.getFields();
-              const row = req.body;
+              const row = req.body || {};
               //readState(row, fields);
               await table.deleteRows(
                 { [pk_name]: row[pk_name] },
@@ -635,7 +636,7 @@ router.post(
       { session: false },
       async function (err, user, info) {
         if (accessAllowedWrite(req, user, table)) {
-          const { _versions, ...row } = req.body;
+          const { _versions, ...row } = req.body || {};
           const fields = table.getFields();
           readState(row, fields, req);
           const errors = await prepare_update_row(table, row, id);
@@ -692,7 +693,7 @@ router.delete(
             if (id === "undefined") {
               const pk_name = table.pk_name;
               //const fields = table.getFields();
-              const row = req.body;
+              const row = req.body || {};
               //readState(row, fields);
               await table.deleteRows(
                 { [pk_name]: row[pk_name] },

package/routes/config.js

@@ -48,8 +48,12 @@ router.post(
     const validKeyName = (k) =>
       k !== "_csrf" && k !== "constructor" && k !== "__proto__";
 
-    for (const [k, v] of Object.entries(req.body)) {
-      if (!state.isFixedConfig(k) && typeof v !== "undefined" && validKeyName(k)) {
+    for (const [k, v] of Object.entries(req.body || {})) {
+      if (
+        !state.isFixedConfig(k) &&
+        typeof v !== "undefined" &&
+        validKeyName(k)
+      ) {
         //TODO read value from type
         await state.setConfig(k, v);
       }
@@ -64,7 +68,7 @@ router.post(
         ? boolcheck
         : [boolcheck];
     for (const k of boolchecks) {
-      if (typeof req.body[k] === "undefined" && validKeyName(k))
+      if (typeof (req.body || {})[k] === "undefined" && validKeyName(k))
         await state.setConfig(k, false);
     }
     res.json({ success: "ok" });

package/routes/crashlog.js

@@ -104,8 +104,8 @@ router.post(
   "/",
   error_catcher(async (req, res) => {
     const err = {
-      stack: req.body.stack,
-      message: `[JS] ${req.body.message}`,
+      stack: (req.body || {}).stack,
+      message: `[JS] ${(req.body || {}).message}`,
     };
     await Crash.create(err, req);
     res.json({});

package/routes/eventlog.js

@@ -298,7 +298,7 @@ router.post(
   isAdmin,
   error_catcher(async (req, res) => {
     const form = await customEventForm(req);
-    form.validate(req.body);
+    form.validate(req.body || {});
     if (form.hasErrors) {
       send_events_page({
         res,
@@ -329,7 +329,7 @@ router.post(
  * @function
  */
 router.post(
-  "/custom/delete/:name?",
+  "/custom/delete{/:name}",
   isAdmin,
   error_catcher(async (req, res) => {
     let { name } = req.params;
@@ -356,7 +356,7 @@ router.post(
   isAdmin,
   error_catcher(async (req, res) => {
     const form = await logSettingsForm(req);
-    form.validate(req.body);
+    form.validate(req.body || {});
     if (form.hasErrors) {
       send_events_page({
         res,

package/routes/fields.js

@@ -902,7 +902,7 @@ router.post(
   isAdminOrHasConfigMinRole("min_role_edit_tables"),
   error_catcher(async (req, res) => {
     const wf = fieldFlow(req);
-    const wfres = await wf.run(req.body, req);
+    const wfres = await wf.run(req.body || {}, req);
     if (wfres.renderForm) {
       const table = Table.findOne({ id: wfres.context.table_id });
       res.sendWrap(req.__(`Field attributes`), {
@@ -953,7 +953,7 @@ router.post(
     "min_role_inspect_tables",
   ]),
   error_catcher(async (req, res) => {
-    let { formula, tablename, stored } = req.body;
+    let { formula, tablename, stored } = req.body || {};
     if (stored === "false") stored = false;
 
     const table = Table.findOne({ name: tablename });
@@ -1017,7 +1017,7 @@ router.post(
     );
 
     const fields = table.getFields();
-    let row = { ...req.body };
+    let row = { ...(req.body || {}) };
     if (row && Object.keys(row).length > 0) readState(row, fields);
 
     //need to get join fields from ownership into row
@@ -1280,7 +1280,7 @@ router.post(
       value = row && row[fieldName];
     }
 
-    const configuration = req.body.configuration;
+    const configuration = (req.body || {}).configuration;
     if (!field) {
       res.send("");
       return;
@@ -1379,7 +1379,7 @@ router.post(
       agg_fieldview,
       agg_field,
       _columndef,
-    } = req.body;
+    } = req.body || {};
     const table = Table.findOne({ name: tableName });
     if (agg_outcome_type && agg_fieldview) {
       const type = getState().types[agg_outcome_type];

package/routes/files.js

@@ -221,11 +221,11 @@ router.get(
  * @function
  */
 router.get(
-  "/download/*",
+  "/download/*serve_path",
   error_catcher(async (req, res) => {
     const role = req.user && req.user.id ? req.user.role_id : 100;
     const user_id = req.user && req.user.id;
-    const serve_path = req.params[0];
+    const serve_path = path.join(...req.params.serve_path);
     const file = await File.findOne(serve_path);
 
     if (
@@ -234,7 +234,7 @@ router.get(
     ) {
       res.type(file.mimetype);
       if (file.s3_store) s3storage.serveObject(file, res, true);
-      else res.download(file.location, file.filename);
+      else res.download(file.location, file.filename, { dotfiles: "allow" });
     } else {
       res
         .status(404)
@@ -250,8 +250,8 @@ router.post(
   error_catcher(async (req, res) => {
     const role = req.user && req.user.id ? req.user.role_id : 100;
     const user_id = req.user && req.user.id;
-    const files = req.body.files;
-    const location = req.body.location;
+    const files = (req.body || {}).files;
+    const location = (req.body || {}).location;
     const zip = new Zip();
 
     for (const fileNm of files) {
@@ -280,11 +280,11 @@ router.post(
  * @function
  */
 router.get(
-  "/serve/*",
+  "/serve/*serve_path",
   error_catcher(async (req, res) => {
     const role = req.user && req.user.id ? req.user.role_id : 100;
     const user_id = req.user && req.user.id;
-    const serve_path = req.params[0];
+    const serve_path = path.join(...req.params.serve_path);
     //let file;
     //if (typeof strictParseInt(id) !== "undefined")
     const file = await File.findOne(serve_path);
@@ -298,7 +298,7 @@ router.get(
       const maxAge = getState().getConfig("files_cache_maxage", 86400);
       res.set("Cache-Control", `${cacheability}, max-age=${maxAge}`);
       if (file.s3_store) s3storage.serveObject(file, res, false);
-      else res.sendFile(file.location);
+      else res.sendFile(file.location, { dotfiles: "allow" });
     } else {
       getState().log(
         5,
@@ -320,12 +320,12 @@ router.get(
  * @function
  */
 router.get(
-  "/resize/:width_str/:height_str/*",
+  "/resize/:width_str/:height_str/*serve_path",
   error_catcher(async (req, res) => {
     const role = req.user && req.user.id ? req.user.role_id : 100;
     const user_id = req.user && req.user.id;
     const { width_str, height_str } = req.params;
-    const serve_path = req.params[0];
+    const serve_path = path.join(...req.params.serve_path);
 
     const file = await File.findOne(serve_path);
 
@@ -343,7 +343,7 @@ router.get(
         const height =
           height_str && height_str !== "0" ? strictParseInt(height_str) : null;
         if (!width) {
-          res.sendFile(file.location);
+          res.sendFile(file.location, { dotfiles: "allow" });
           return;
         }
         const basenm = path.join(
@@ -359,7 +359,7 @@ router.get(
             toFileName: fnm,
           });
         }
-        res.sendFile(fnm);
+        res.sendFile(fnm, { dotfiles: "allow" });
       }
     } else {
       res
@@ -376,12 +376,12 @@ router.get(
  * @function
  */
 router.post(
-  "/setrole/*",
+  "/setrole/*serve_path",
   isAdmin,
   error_catcher(async (req, res) => {
-    const serve_path = req.params[0];
+    const serve_path = path.join(...req.params.serve_path);
     const file = await File.findOne(serve_path);
-    const role = req.body.role;
+    const role = (req.body || {}).role;
     const roles = await User.get_roles();
     const roleRow = roles.find((r) => r.id === +role);
 
@@ -396,12 +396,12 @@ router.post(
 );
 
 router.post(
-  "/move/*",
+  "/move/*serve_path",
   isAdmin,
   error_catcher(async (req, res) => {
-    const serve_path = req.params[0];
+    const serve_path = path.join(...req.params.serve_path);
     const file = await File.findOne(serve_path);
-    const new_path = req.body.new_path;
+    const new_path = (req.body || {}).new_path;
 
     if (file) {
       await file.move_to_dir(new_path);
@@ -423,11 +423,11 @@ router.post(
  * @function
  */
 router.post(
-  "/setname/*",
+  "/setname/*serve_path",
   isAdmin,
   error_catcher(async (req, res) => {
-    const serve_path = req.params[0];
-    const filename = req.body.value;
+    const serve_path = path.join(...req.params.serve_path);
+    const filename = (req.body || {}).value;
 
     const file = await File.findOne(serve_path);
     await file.rename(filename);
@@ -443,11 +443,11 @@ router.post(
  * @function
  */
 router.post(
-  "/unzip/*",
+  "/unzip/*serve_path",
   isAdmin,
   error_catcher(async (req, res) => {
-    const serve_path = req.params[0];
-    const filename = req.body.value;
+    const serve_path = path.join(...req.params.serve_path);
+    const filename = (req.body || {}).value;
 
     const file = await File.findOne(serve_path);
     const dir = path.dirname(file.location);
@@ -460,7 +460,7 @@ router.post(
   "/new-folder",
   isAdmin,
   error_catcher(async (req, res) => {
-    const { name, folder } = req.body;
+    const { name, folder } = req.body || {};
     await File.new_folder(name, folder);
 
     res.json({ success: "ok" });
@@ -477,7 +477,7 @@ router.post(
   "/upload",
   setTenant,
   error_catcher(async (req, res) => {
-    let { folder, sortBy, sortDesc } = req.body;
+    let { folder, sortBy, sortDesc } = req.body || {};
     let jsonResp = {};
     const min_role_upload = getState().getConfig("min_role_upload", 1);
     const role = req.user && req.user.id ? req.user.role_id : 100;
@@ -489,7 +489,8 @@ router.post(
       if (!req.xhr) req.flash("warning", req.__("No file found"));
       else jsonResp = { error: "No file found" };
     } else {
-      const min_role_read = req.body ? req.body.min_role_read || 1 : 1;
+      const min_role_read =
+        req.body || {} ? (req.body || {}).min_role_read || 1 : 1;
       const f = await File.from_req_files(
         req.files.file,
         req.user.id,
@@ -533,10 +534,10 @@ router.post(
  * @function
  */
 router.post(
-  "/delete/*",
+  "/delete/*serve_path",
   isAdmin,
   error_catcher(async (req, res) => {
-    const serve_path = req.params[0];
+    const serve_path = path.join(...req.params.serve_path);
     const { redirect } = req.query;
     const f = await File.findOne(serve_path);
     if (!f) {
@@ -625,7 +626,7 @@ router.post(
   isAdmin,
   error_catcher(async (req, res) => {
     const form = await storage_form(req);
-    form.validate(req.body);
+    form.validate(req.body || {});
     if (form.hasErrors) {
       send_files_page({
         res,
@@ -702,7 +703,7 @@ router.post(
   isAdmin,
   error_catcher(async (req, res) => {
     const form = await files_settings_form(req);
-    form.validate(req.body);
+    form.validate(req.body || {});
     if (form.hasErrors) {
       send_files_page({
         res,

package/routes/infoarch.js

@@ -252,8 +252,9 @@ router.post(
       return;
     }
     const cfgStrings = getState().getConfigCopy("localizer_strings");
-    if (cfgStrings[lang]) cfgStrings[lang][defstring] = text(req.body.value);
-    else cfgStrings[lang] = { [defstring]: text(req.body.value) };
+    if (cfgStrings[lang])
+      cfgStrings[lang][defstring] = text((req.body || {}).value);
+    else cfgStrings[lang] = { [defstring]: text((req.body || {}).value) };
     await getState().setConfig("localizer_strings", cfgStrings);
     res.redirect(`/site-structure/localizer/edit/${lang}`);
   })
@@ -270,7 +271,7 @@ router.post(
   isAdmin,
   error_catcher(async (req, res) => {
     const form = languageForm(req);
-    form.validate(req.body);
+    form.validate(req.body || {});
     if (form.hasErrors)
       send_infoarch_page({
         res,

package/routes/library.js

@@ -31,7 +31,7 @@ router.post(
   "/savefrombuilder",
   isAdmin,
   error_catcher(async (req, res) => {
-    await Library.create(req.body);
+    await Library.create(req.body || {});
     res.json({ success: "ok" });
   })
 );

package/routes/menu.js

@@ -579,7 +579,7 @@ router.post(
   "/",
   isAdminOrHasConfigMinRole("min_role_edit_menu"),
   error_catcher(async (req, res) => {
-    const new_menu = req.body;
+    const new_menu = req.body || {};
     const menu_items = jQMEtoMenu(new_menu);
     await save_menu_items(menu_items);
     Trigger.emitEvent("AppChange", `Menu`, req.user, {});

package/routes/models.js

@@ -88,7 +88,7 @@ router.post(
     const { table_id } = req.params;
     const table = await Table.findOne({ id: table_id });
     const form = newModelForm(table, req);
-    form.validate(req.body);
+    form.validate(req.body || {});
     if (form.hasErrors) {
       res.sendWrap(req.__(`New model`), renderForm(form, req.csrfToken()));
     } else {
@@ -204,7 +204,7 @@ router.post(
       return;
     }
     const workflow = get_model_workflow(model, req);
-    const wfres = await workflow.run(req.body, req);
+    const wfres = await workflow.run(req.body || {}, req);
     respondWorkflow(model, table, workflow, wfres, req, res);
   })
 );
@@ -394,7 +394,7 @@ router.post(
     const model = await Model.findOne({ id });
     const table = Table.findOne({ id: model.table_id });
     const form = model_train_form(model, table, req);
-    form.validate(req.body);
+    form.validate(req.body || {});
     if (form.hasErrors) {
       res.sendWrap(req.__(`Train model`), renderForm(form, req.csrfToken()));
     } else {
@@ -435,7 +435,7 @@ router.post(
   error_catcher(async (req, res) => {
     const { id } = req.params;
     const model_instance = await ModelInstance.findOne({ id });
-    await model_instance.make_default(!req.body.enabled);
+    await model_instance.make_default(!(req.body || {}).enabled);
     res.redirect(`/models/show/${model_instance.model_id}`);
   })
 );

package/routes/notifications.js

@@ -170,7 +170,7 @@ router.post(
   error_catcher(async (req, res) => {
     const user = await User.findOne({ id: req.user.id });
     const form = notificationSettingsForm();
-    form.validate(req.body);
+    form.validate(req.body || {});
     const _attributes = { ...user._attributes, ...form.values };
     await user.update({ _attributes });
     res.json({ success: "ok" });
@@ -216,14 +216,17 @@ router.post(
         } else res.json({ error: msg });
       } else {
         Trigger.emitEvent("ReceiveMobileShareData", null, req.user, {
-          row: req.body,
+          row: req.body || {},
         });
         if (!req.smr) {
           req.flash(
             "success",
             req.__(
               "Shared: %s",
-              req.body.title || req.body.text || req.body.url || ""
+              (req.body || {}).title ||
+                (req.body || {}).text ||
+                (req.body || {}).url ||
+                ""
             )
           );
           res.status(303).redirect("/");
@@ -234,7 +237,7 @@ router.post(
 );
 
 router.get(
-  "/manifest.json:opt_cache_bust?",
+  "/manifest.json{:opt_cache_bust}",
   error_catcher(async (req, res) => {
     const { pretty } = req.query;
     const state = getState();

package/routes/packs.js

@@ -223,7 +223,7 @@ router.post(
       model_instances: [],
       event_logs: [],
     };
-    for (const k of Object.keys(req.body)) {
+    for (const k of Object.keys(req.body || {})) {
       const [type, name, ...rest] = k.split(".");
       switch (type) {
         case "table":
@@ -392,11 +392,11 @@ router.post(
   isAdmin,
   error_catcher(async (req, res) => {
     var pack, error;
-    const source = req.body.source || "from_text";
+    const source = (req.body || {}).source || "from_text";
     try {
       switch (source) {
         case "from_text":
-          pack = JSON.parse(req.body.pack);
+          pack = JSON.parse((req.body || {}).pack);
           break;
         case "from_file":
           if (req.files?.pack_file?.tempFilePath)
@@ -424,7 +424,7 @@ router.post(
     }
     if (error) {
       const form = install_pack_form(req);
-      form.values = { pack: req.body.pack };
+      form.values = { pack: (req.body || {}).pack };
       req.flash("error", error);
       res.sendWrap(req.__(`Install Pack`), {
         above: [

package/routes/page_group.js

@@ -234,7 +234,7 @@ router.post(
       if (cfg[v]) return req.__("Device already exists");
     };
     const form = deviceForm(req, validator);
-    form.validate(req.body);
+    form.validate(req.body || {});
     if (form.hasErrors) {
       send_infoarch_page({
         res,
@@ -316,7 +316,7 @@ router.post(
     const form = deviceForm(req, validator, device);
     const deviceCfg = cfg[device];
     form.values = { device, ...deviceCfg };
-    form.validate(req.body);
+    form.validate(req.body || {});
     if (form.hasErrors) {
       send_infoarch_page({
         res,
@@ -351,7 +351,7 @@ router.post(
   isAdmin,
   error_catcher(async (req, res) => {
     const form = pageGroupSettingsForm(req);
-    form.validate(req.body);
+    form.validate(req.body || {});
     if (form.hasErrors) {
       send_infoarch_page({
         res,

package/routes/page_groupedit.js

@@ -392,9 +392,9 @@ router.post(
   "/edit-properties",
   isAdmin,
   error_catcher(async (req, res) => {
-    const form = await groupPropsForm(req, !req.body.id);
+    const form = await groupPropsForm(req, !(req.body || {}).id);
     form.hidden("id");
-    form.validate(req.body);
+    form.validate(req.body || {});
     if (form.hasErrors) {
       if (!req.xhr) {
         // from new
@@ -457,7 +457,7 @@ router.post(
       res.redirect(`/page_groupedit/${page_groupname}`);
     }
     const form = await addMemberForm(group, req);
-    form.validate(req.body);
+    form.validate(req.body || {});
     if (form.hasErrors) {
       res.sendWrap(
         req.__(`%s add-member`, group.name),
@@ -554,7 +554,7 @@ router.post(
     const group = PageGroup.findOne({ id: member.page_group_id });
     const form = await editMemberForm(member, req);
     form.hidden("id");
-    form.validate(req.body);
+    form.validate(req.body || {});
     if (form.hasErrors) {
       res.sendWrap(
         req.__(`%s edit-member`, member.name || member.id),
@@ -678,7 +678,7 @@ router.post(
       req.flash(
         "success",
         req.__(
-          "Page %s added to menu. Adjust access permissions in <a href=\"/menu\">Settings &raquo; Menu</a>",
+          'Page %s added to menu. Adjust access permissions in <a href="/menu">Settings &raquo; Menu</a>',
           group.name
         )
       );