@saltcorn/server 1.1.1 → 1.1.2-beta.1

package/routes/pageedit.js

@@ -477,9 +477,9 @@ router.post(
   "/edit-properties",
   isAdminOrHasConfigMinRole("min_role_edit_pages"),
   error_catcher(async (req, res) => {
-    const form = await pagePropertiesForm(req, !req.body.id);
+    const form = await pagePropertiesForm(req, !(req.body || {}).id);
     form.hidden("id");
-    form.validate(req.body);
+    form.validate(req.body || {});
     if (form.hasErrors) {
       res.sendWrap(
         req.__(`Page attributes`),
@@ -688,9 +688,9 @@ router.post(
     if (!page) {
       req.flash("error", req.__(`Page %s not found`, pagename));
       res.redirect(redirectTarget);
-    } else if (req.body.layout) {
+    } else if ((req.body || {}).layout) {
       await Page.update(page.id, {
-        layout: decodeURIComponent(req.body.layout),
+        layout: decodeURIComponent((req.body || {}).layout),
       });
       Trigger.emitEvent("AppChange", `Page ${page.name}`, req.user, {
         entity_type: "Page",
@@ -698,12 +698,12 @@ router.post(
       });
       req.flash("success", req.__(`Page %s saved`, pagename));
       res.redirect(redirectTarget);
-    } else if (req.body.code) {
+    } else if ((req.body || {}).code) {
       try {
         if (!page.html_file) throw new Error(req.__("File not found"));
         const file = await File.findOne(page.html_file);
         if (!file) throw new Error(req.__("File not found"));
-        await fsp.writeFile(file.location, req.body.code);
+        await fsp.writeFile(file.location, (req.body || {}).code);
         Trigger.emitEvent("AppChange", `Page ${page.name}`, req.user, {
           entity_type: "Page",
           entity_name: page.name,
@@ -722,7 +722,7 @@ router.post(
         else res.json({ error: error.message });
       }
     } else {
-      getState().log(2, `POST /edit/${pagename}: '${req.body}'`);
+      getState().log(2, `POST /edit/${pagename}: '${req.body || {}}'`);
       req.flash("error", req.__(`Error processing page`));
       res.redirect(redirectTarget);
     }
@@ -742,8 +742,8 @@ router.post(
   error_catcher(async (req, res) => {
     const { id } = req.params;
 
-    if (id && req.body.layout) {
-      await Page.update(+id, { layout: req.body.layout });
+    if (id && (req.body || {}).layout) {
+      await Page.update(+id, { layout: (req.body || {}).layout });
       const page = await Page.findOne({ id });
       Trigger.emitEvent("AppChange", `Page ${page.name}`, req.user, {
         entity_type: "Page",
@@ -794,7 +794,7 @@ router.post(
     const pageGroups = await PageGroup.find({}, { orderBy: "name" });
     const roles = await User.get_roles();
     const form = getRootPageForm(pages, pageGroups, roles, req);
-    const valres = form.validate(req.body);
+    const valres = form.validate(req.body || {});
     if (valres.success) {
       const home_page_by_role =
         getState().getConfigCopy("home_page_by_role", {}) || {};

package/routes/plugins.js

@@ -839,7 +839,7 @@ router.post(
     flow.action = `/plugins/configure/${encodeURIComponent(plugin.name)}`;
     flow.autoSave = true;
     flow.saveURL = `/plugins/saveconfig/${encodeURIComponent(plugin.name)}`;
-    const wfres = await flow.run(req.body);
+    const wfres = await flow.run(req.body || {});
     if (wfres.renderForm) {
       if (module.layout) {
         wfres.renderForm.additionalButtons = [
@@ -893,7 +893,7 @@ router.post(
       module = getState().plugins[getState().plugin_module_names[plugin.name]];
     }
     const flow = module.configuration_workflow();
-    const step = await flow.singleStepForm(req.body, req);
+    const step = await flow.singleStepForm(req.body || {}, req);
     if (step?.renderForm) {
       if (step.renderForm.hasErrors || step.savingErrors)
         res.status(400).send(step.savingErrors || "Error");
@@ -1003,7 +1003,7 @@ router.post(
       ...(plugin.configuration || {}),
       ...(user._attributes?.layout?.config || {}),
     });
-    const valResult = form.validate(req.body);
+    const valResult = form.validate(req.body || {});
     if (form.hasErrors) {
       req.flash("warning", req.__("An error occurred"));
       return res.sendWrap(
@@ -1056,7 +1056,7 @@ router.post(
       ...(plugin.configuration || {}),
       ...(user._attributes?.layout?.config || {}),
     });
-    const valResult = form.validate(req.body);
+    const valResult = form.validate(req.body || {});
     if (form.hasErrors) {
       return res.status(400).json({ error: req.__("An error occured") });
     }
@@ -1154,10 +1154,10 @@ router.get(
  * @function
  */
 router.get(
-  "/public/:plugin/*",
+  "/public/:plugin/*filepath",
   error_catcher(async (req, res) => {
     const { plugin } = req.params;
-    const filepath = req.params[0];
+    const filepath = path.join(...req.params.filepath);
     const hasVersion = plugin.includes("@");
     const location =
       getState().plugin_locations[hasVersion ? plugin.split("@")[0] : plugin];
@@ -1167,7 +1167,10 @@ router.get(
         .replace(/^(\.\.(\/|\\|$))+/, "");
       const fullpath = path.join(location, "public", safeFile);
       if (fs.existsSync(fullpath))
-        res.sendFile(fullpath, { maxAge: hasVersion ? "100d" : "1d" });
+        res.sendFile(fullpath, {
+          maxAge: hasVersion ? "100d" : "1d",
+          dotfiles: "allow",
+        });
       else {
         getState().log(6, `Plugin serve public: file not found ${fullpath}`);
         res.status(404).send(req.__("Not found"));
@@ -1428,7 +1431,7 @@ router.post(
   "/",
   isAdmin,
   error_catcher(async (req, res) => {
-    const plugin = new Plugin(req.body);
+    const plugin = new Plugin(req.body || {});
     const schema = db.getTenantSchema();
     const tenants_install_git = getRootState().getConfig(
       "tenants_install_git",
@@ -1505,7 +1508,7 @@ router.post(
   isAdmin,
   error_catcher(async (req, res) => {
     const { name } = req.params;
-    const { version } = req.body;
+    const { version } = req.body || {};
     const tenants_unsafe_plugins = getRootState().getConfig(
       "tenants_unsafe_plugins",
       false

package/routes/registry.js

@@ -340,7 +340,7 @@ router.post(
     const { etype, ename, q } = req.query;
     const qlink = q ? `&q=${encodeURIComponent(q)}` : "";
 
-    const entVal = JSON.parse(req.body.regval);
+    const entVal = JSON.parse((req.body || {}).regval);
     let pack = {
       plugins: [],
       tables: [],

package/routes/search.js

@@ -136,7 +136,7 @@ router.post(
     const views = await View.find({}, { orderBy: "name" });
     const tables = await Table.find();
     const form = searchConfigForm(tables, views, req);
-    const result = form.validate(req.body);
+    const result = form.validate(req.body || {});
 
     if (result.success) {
       const dbversion = await db.getVersion(true);

package/routes/sync.js

@@ -118,7 +118,7 @@ router.post(
   "/load_changes",
   error_catcher(async (req, res) => {
     const result = {};
-    const { syncInfos, loadUntil } = req.body;
+    const { syncInfos, loadUntil } = req.body || {};
     if (!loadUntil) {
       getState().log(2, `POST /load_changes: loadUntil is missing`);
       return res.status(400).json({ error: "loadUntil is missing" });
@@ -202,7 +202,7 @@ const getDelRows = async (tblName, syncFrom, syncUntil, client) => {
 router.post(
   "/deletes",
   error_catcher(async (req, res) => {
-    const { syncInfos, syncTimestamp } = req.body;
+    const { syncInfos, syncTimestamp } = req.body || {};
     const client = await db.getClient();
     try {
       await client.query(`BEGIN`);
@@ -238,7 +238,7 @@ router.post(
 router.post(
   "/offline_changes",
   error_catcher(async (req, res) => {
-    const { changes, syncTimestamp } = req.body;
+    const { changes, syncTimestamp } = req.body || {};
     const rootFolder = await File.rootFolder();
     try {
       const syncDirName = `${syncTimestamp}_${req.user?.email || "public"}`;
@@ -334,7 +334,7 @@ router.get(
 router.post(
   "/clean_sync_dir",
   error_catcher(async (req, res) => {
-    const { dir_name } = req.body;
+    const { dir_name } = req.body || {};
     try {
       const rootFolder = await File.rootFolder();
       const syncDir = File.normalise_in_base(

package/routes/tables.js

@@ -51,7 +51,7 @@ const {
   pre,
   button,
 } = require("@saltcorn/markup/tags");
-const stringify = require("csv-stringify");
+const { stringify } = require("csv-stringify");
 const TableConstraint = require("@saltcorn/data/models/table_constraints");
 const fs = require("fs").promises;
 const {
@@ -359,7 +359,7 @@ router.post(
   error_catcher(async (req, res) => {
     const tbls = await discoverable_tables();
     const form = discoverForm(tbls, req);
-    form.validate(req.body);
+    form.validate(req.body || {});
     const tableNames = tbls
       .filter((t) => form.values[t.table_name])
       .map((t) => t.table_name);
@@ -437,8 +437,8 @@ router.post(
   setTenant,
   isAdminOrHasConfigMinRole("min_role_edit_tables"),
   error_catcher(async (req, res) => {
-    if (req.body.name && req.files && req.files.file) {
-      const name = req.body.name;
+    if ((req.body || {}).name && req.files && req.files.file) {
+      const name = (req.body || {}).name;
       const alltables = await Table.find({});
       const existing_tables = [
         "users",
@@ -645,8 +645,8 @@ router.get(
               div(
                 {
                   id: "erd-wrapper",
-                  style: "height: calc(100vh - 250px);",
-                  class: "overflow-scroll position-relative",
+                  style:
+                    "height: calc(100vh - 250px); overflow: hidden !important;",
                 },
                 screenshotPanel(),
                 pre(
@@ -1169,7 +1169,7 @@ router.post(
   "/",
   isAdminOrHasConfigMinRole("min_role_edit_tables"),
   error_catcher(async (req, res) => {
-    const v = req.body;
+    const v = req.body || {};
     if (typeof v.id === "undefined" && typeof v.external === "undefined") {
       // insert
       v.name = v.name.trim();
@@ -1634,21 +1634,14 @@ const constraintForm = (req, table, fields, type) => {
     case "Index":
       const fieldopts = fields.map((f) => ({ label: f.label, name: f.name }));
       const hasIncludeFts = fields.filter((f) => f.attributes?.include_fts);
-      if (!db.isSQLite && !hasIncludeFts.length)
+      if (!db.isSQLite)
         fieldopts.push({ label: "Full-text search", name: "_fts" });
       return new Form({
         action: `/table/add-constraint/${table.id}/${type}`,
-        blurb:
-          req.__(
-            "Choose the field to be indexed. This make searching the table faster."
-          ) +
-          " " +
-          (hasIncludeFts.length
-            ? req.__(
-                `Full-text search index is not available as the table contains Key fields (%s) with the "Include in full-text search" option enabled. Disable this before creating a Full-text search index`,
-                hasIncludeFts.map((f) => f.name).join(",")
-              )
-            : ""),
+        blurb: req.__(
+          "Choose the field to be indexed. This make searching the table faster."
+        ),
+
         fields: [
           {
             type: "String",
@@ -1657,6 +1650,11 @@ const constraintForm = (req, table, fields, type) => {
             required: true,
             attributes: {
               options: fieldopts,
+              explainers: hasIncludeFts
+                ? {
+                    _fts: "Full text search index is not compatible with Key fields with the 'Include in Full text search' option. A new field will be created for your search context",
+                  }
+                : {},
             },
           },
         ],
@@ -1729,7 +1727,7 @@ router.post(
     }
     const fields = table.getFields();
     const form = constraintForm(req, table, fields, type);
-    form.validate(req.body);
+    form.validate(req.body || {});
     if (form.hasErrors) req.flash("error", req.__("An error occurred"));
     else {
       let configuration = {};
@@ -1820,7 +1818,7 @@ router.post(
     const table = Table.findOne({ id });
     const form = renameForm(table.id, req);
 
-    form.validate(req.body);
+    form.validate(req.body || {});
     if (form.hasErrors) req.flash("error", req.__("An error occurred"));
     else {
       await table.rename(form.values.name);
@@ -2188,7 +2186,7 @@ router.post(
       return;
     }
     const workflow = get_provider_workflow(table, req);
-    const wfres = await workflow.run(req.body, req);
+    const wfres = await workflow.run(req.body || {}, req);
     respondWorkflow(table, workflow, wfres, req, res);
   })
 );

package/routes/tag_entries.js

@@ -161,7 +161,7 @@ router.post(
   isAdmin,
   error_catcher(async (req, res) => {
     const { entry_type, tag_id } = req.params;
-    const { ids } = req.body;
+    const { ids } = req.body || {};
     if (!ids) {
       req.flash("error", req.__("Please select at least one item"));
       return res.redirect(`/tag-entries/add/${entry_type}/${tag_id}`);
@@ -218,7 +218,7 @@ router.post(
   isAdmin,
   error_catcher(async (req, res) => {
     let { entry_type, object_id } = req.params;
-    let { tag_ids } = req.body;
+    let { tag_ids } = req.body || {};
     object_id = parseInt(object_id);
     tag_ids = tag_ids.map((id) => parseInt(id));
     const tags = (await Tag.find()).filter((tag) => tag_ids.includes(tag.id));

package/routes/tags.js

@@ -315,7 +315,7 @@ router.post(
   "/",
   isAdmin,
   error_catcher(async (req, res) => {
-    const { name } = req.body;
+    const { name } = req.body || {};
     const tag = await Tag.create({ name });
     req.flash("success", req.__(`Tag %s created`, name));
     res.redirect(`/tag/${tag.id}?show_list=tables`);

package/routes/tenant.js

@@ -265,7 +265,7 @@ router.post(
     const base_url = get_cfg_tenant_base_url(req);
     const form = tenant_form(req, base_url);
     // validate ui form
-    const valres = form.validate(req.body);
+    const valres = form.validate(req.body || {});
     if (valres.errors)
       res.sendWrap(
         req.__("Create application"),
@@ -548,7 +548,7 @@ router.post(
   isAdmin,
   error_catcher(async (req, res) => {
     const form = await tenant_settings_form(req);
-    form.validate(req.body);
+    form.validate(req.body || {});
     if (form.hasErrors) {
       send_infoarch_page({
         res,
@@ -872,11 +872,11 @@ router.post(
       return;
     }
     const { subdomain } = req.params;
-    const { base_url } = req.body;
+    const { base_url } = req.body || {};
     const saneDomain = domain_sanitize(subdomain);
 
     // save description
-    const { description } = req.body;
+    const { description } = req.body || {};
     await Tenant.update(saneDomain, { description: description });
 
     await db.runWithTenant(saneDomain, async () => {

package/routes/utils.js

@@ -446,7 +446,7 @@ const admin_config_route = ({
     isAdmin,
     error_catcher(async (req, res) => {
       const form = await getTheForm(req);
-      form.validate(req.body);
+      form.validate(req.body || {});
       if (form.hasErrors) {
         response(form, req, res);
       } else {
@@ -493,7 +493,7 @@ const sendHtmlFile = async (req, res, file) => {
       path.dirname(fullPath)
     );
     if (scFile && role <= scFile.min_role_read) {
-      res.sendFile(fullPath);
+      res.sendFile(fullPath, { dotfiles: "allow" });
     } else {
       return res
         .status(404)
@@ -517,7 +517,7 @@ const sendHtmlFile = async (req, res, file) => {
  */
 const setRole = async (req, res, model) => {
   const { id } = req.params;
-  const role = req.body.role;
+  const role = (req.body || {}).role;
   await model.update(+id, { min_role: role });
   const page = model.findOne({ id });
   const roles = await User.get_roles();

package/routes/view.js

@@ -39,7 +39,7 @@ module.exports = router;
  * @function
  */
 router.get(
-  ["/:viewname", "/:viewname/*"],
+  ["/:viewname", "/:viewname/*slug"],
   error_catcher(async (req, res) => {
     const { viewname } = req.params;
     const query = { ...req.query };
@@ -60,7 +60,7 @@ router.get(
     }
     const tic = new Date();
 
-    view.rewrite_query_from_slug(query, req.params);
+    view.rewrite_query_from_slug(query, req.params.slug);
     if (
       role > view.min_role &&
       !(await view.authorise_get({ query, req, ...view }))
@@ -231,7 +231,7 @@ router.post(
 
       res.redirect("/");
     } else {
-      await view.runRoute(route, req.body, res, { res, req });
+      await view.runRoute(route, req.body || {}, res, { res, req });
     }
   })
 );
@@ -243,7 +243,7 @@ router.post(
  * @function
  */
 router.post(
-  ["/:viewname", "/:viewname/*"],
+  ["/:viewname", "/:viewname/*slug"],
   setTenant,
   error_catcher(async (req, res) => {
     const { viewname } = req.params;
@@ -263,11 +263,11 @@ router.post(
       res.redirect("/");
       return;
     }
-    view.rewrite_query_from_slug(query, req.params);
+    view.rewrite_query_from_slug(query, req.params.slug);
 
     if (
       role > view.min_role &&
-      !(await view.authorise_post({ body: req.body, req, ...view }))
+      !(await view.authorise_post({ body: req.body || {}, req, ...view }))
     ) {
       req.flash("danger", req.__("Not authorized"));
       state.log(2, `View ${viewname} POST not authorized`);
@@ -280,7 +280,7 @@ router.post(
         } does not supply a POST handler`
       );
     } else {
-      await view.runPost(query, req.body, { res, req });
+      await view.runPost(query, req.body || {}, { res, req });
     }
   })
 );

package/routes/viewedit.js

@@ -492,7 +492,7 @@ router.post(
     const roles = await User.get_roles();
     const pages = await Page.find();
     const form = await viewForm(req, tableOptions, roles, pages);
-    const result = form.validate(req.body);
+    const result = form.validate(req.body || {});
     const sendForm = (form) => {
       res.sendWrap(req.__(`Edit view`), {
         above: [
@@ -521,7 +521,7 @@ router.post(
       } else {
         const existing_view = await View.findOne({ name: result.success.name });
         if (existing_view)
-          if (+req.body.id !== existing_view.id) {
+          if (+(req.body || {}).id !== existing_view.id) {
             // may be need !== but doesnt work
             form.errors.name = req.__("A view with this name already exists");
             form.hasErrors = true;
@@ -544,8 +544,8 @@ router.post(
         }
         //const table = Table.findOne({ name: v.table_name });
         delete v.table_name;
-        if (req.body.id) {
-          await View.update(v, +req.body.id);
+        if ((req.body || {}).id) {
+          await View.update(v, +(req.body || {}).id);
         } else {
           const vt = getState().viewtemplates[v.viewtemplate];
           if (vt.initial_config) v.configuration = await vt.initial_config(v);
@@ -744,7 +744,7 @@ router.post(
         entity_name: view.name,
       });
     };
-    const wfres = await configFlow.run(req.body, req);
+    const wfres = await configFlow.run(req.body || {}, req);
 
     let table;
     if (view.table_id) table = Table.findOne({ id: view.table_id });
@@ -852,9 +852,9 @@ router.post(
   error_catcher(async (req, res) => {
     const { id } = req.params;
 
-    if (id && req.body) {
+    if (id && (req.body || {})) {
       const exview = await View.findOne({ id });
-      let newcfg = { ...exview.configuration, ...req.body };
+      let newcfg = { ...exview.configuration, ...(req.body || {}) };
       await View.update({ configuration: newcfg }, +id);
       Trigger.emitEvent("AppChange", `View ${exview.name}`, req.user, {
         entity_type: "View",
@@ -880,11 +880,11 @@ router.post(
   error_catcher(async (req, res) => {
     const { viewname } = req.params;
 
-    if (viewname && req.body) {
+    if (viewname && (req.body || {})) {
       const view = await View.findOne({ name: viewname });
       req.staticFieldViewConfig = true;
       const configFlow = await view.get_config_flow(req);
-      const step = await configFlow.singleStepForm(req.body, req);
+      const step = await configFlow.singleStepForm(req.body || {}, req);
       if (step?.renderForm) {
         if (!step.renderForm.hasErrors) {
           let newcfg;
@@ -926,7 +926,7 @@ router.post(
   isAdminOrHasConfigMinRole("min_role_edit_views"),
   error_catcher(async (req, res) => {
     const { id } = req.params;
-    const role = req.body.role;
+    const role = (req.body || {}).role;
     await View.update({ min_role: role }, +id);
     const view = await View.findOne({ id });
     Trigger.emitEvent("AppChange", `View ${view.name}`, req.user, {
@@ -955,7 +955,7 @@ router.post(
   "/test/inserter",
   isAdminOrHasConfigMinRole("min_role_edit_views"),
   error_catcher(async (req, res) => {
-    const view = await View.create(req.body);
+    const view = await View.create(req.body || {});
     res.json({ view });
   })
 );

package/s3storage.js

@@ -159,7 +159,7 @@ module.exports = {
         .send();
     } else {
       // Use legacy file download
-      res.download(file.location, file.filename);
+      res.download(file.location, file.filename, { dotfiles: "allow" });
     }
   },
 

package/tests/files.test.js

@@ -358,9 +358,19 @@ describe("visible_entries test", () => {
       .send(`role=${role}`)
       .expect(toRedirect("/files?dir=_sc_test_subfolder_one"));
   };
+  const setDirRole = async (role, entry) => {
+    const app = await getApp({ disableCsrf: true });
+    const adminCookie = await getAdminLoginCookie();
+    await request(app)
+      .post(`/files/setrole/${entry}`)
+      .set("Cookie", adminCookie)
+      .send(`role=${role}`)
+      .expect(toRedirect("/files?dir=."));
+  };
 
   it("shows allowed files", async () => {
     await setRole(100, path.join("_sc_test_subfolder_one", "foo_image.png"));
+    await setDirRole(100, "_sc_test_subfolder_one");
 
     const app = await getApp({ disableCsrf: true });
     const staffCookie = await getStaffLoginCookie();

package/tests/plugins.test.js

@@ -91,9 +91,7 @@ describe("Plugin Endpoints", () => {
       .get("/plugins/public/any-bootstrap-theme/test.txt")
       .expect(toInclude("testfilecontents"));
     await request(app)
-      .get(
-        "/plugins/public/sbadmin2@9.9.9/sb-admin-2.min.css"
-      )
+      .get("/plugins/public/sbadmin2@9.9.9/sb-admin-2.min.css")
       .expect(toInclude("Start Bootstrap"));
 
     await request(app)
@@ -101,9 +99,7 @@ describe("Plugin Endpoints", () => {
       .set("Cookie", loginCookie)
       .expect(toRedirect("/plugins"));
     await request(app)
-      .get(
-        "/plugins/public/sbadmin2@9.9.9/sb-admin-2.min.css"
-      )
+      .get("/plugins/public/sbadmin2@9.9.9/sb-admin-2.min.css")
       .expect(toInclude("Start Bootstrap"));
   });
   it("should install named without config", async () => {