npm - @saltcorn/server - Versions diffs - 1.1.2-beta.10 → 1.1.2-beta.12 - Mend

@saltcorn/server 1.1.2-beta.10 → 1.1.2-beta.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -15,6 +15,14 @@
 * Upgrade a large number of dependencies (express, typescript, oclif, pg, webpack, typescript, axios, mjml, svelte). Node.js 18+ is require for this release.
+### Security
+* View roles are now strictly enforced, including when views are embedded.
+### Fixes
+* Much work on primary keys not called "id"
 ## 1.1.1 - Released 2 February 2025
 * Full-text search improvements:

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@saltcorn/server",
-  "version": "1.1.2-beta.10",
+  "version": "1.1.2-beta.12",
   "description": "Server app for Saltcorn, open-source no-code platform",
   "homepage": "https://saltcorn.com",
   "main": "index.js",
@@ -8,14 +8,14 @@
   "dependencies": {
     "@aws-sdk/client-s3": "^3.735.0",
     "@dr.pogodin/csurf": "^1.14.1",
-    "@saltcorn/base-plugin": "1.1.2-beta.10",
-    "@saltcorn/builder": "1.1.2-beta.10",
-    "@saltcorn/data": "1.1.2-beta.10",
-    "@saltcorn/admin-models": "1.1.2-beta.10",
-    "@saltcorn/filemanager": "1.1.2-beta.10",
-    "@saltcorn/markup": "1.1.2-beta.10",
-    "@saltcorn/plugins-loader": "1.1.2-beta.10",
-    "@saltcorn/sbadmin2": "1.1.2-beta.10",
+    "@saltcorn/base-plugin": "1.1.2-beta.12",
+    "@saltcorn/builder": "1.1.2-beta.12",
+    "@saltcorn/data": "1.1.2-beta.12",
+    "@saltcorn/admin-models": "1.1.2-beta.12",
+    "@saltcorn/filemanager": "1.1.2-beta.12",
+    "@saltcorn/markup": "1.1.2-beta.12",
+    "@saltcorn/plugins-loader": "1.1.2-beta.12",
+    "@saltcorn/sbadmin2": "1.1.2-beta.12",
     "@socket.io/cluster-adapter": "^0.2.1",
     "@socket.io/sticky": "^1.0.1",
     "adm-zip": "0.5.16",

package/routes/actions.js CHANGED Viewed

@@ -653,7 +653,7 @@ const getWorkflowStepForm = async (
               ...(field.showIf || {}),
             },
           };
-        if (cfgFld.input_type === "code") cfgFld.input_type = "textarea";
+        //if (cfgFld.input_type === "code") cfgFld.input_type = "textarea";
         actionConfigFields.push(cfgFld);
       }
     } catch {}
@@ -1854,7 +1854,6 @@ interactive workflows for not logged in
 actions can declare which variables they inject into scope
 show unconnected steps
-why is code not initialising
 drag and drop edges
 */

package/routes/admin.js CHANGED Viewed

@@ -709,8 +709,8 @@ router.post(
       type === "trigger"
         ? `/actions`
         : /^[a-z]+$/g.test(type)
-        ? `/${type}edit`
-        : "/"
+          ? `/${type}edit`
+          : "/"
     );
   })
 );
@@ -1195,7 +1195,7 @@ router.get(
                     th({ valign: "top" }, req.__("Saltcorn version")),
                     td(
                       packagejson.version,
-                      isRoot
+                      isRoot && can_update
                         ? post_btn(
                             "/admin/upgrade",
                             req.__("Upgrade") + " (latest)",
@@ -1206,21 +1206,22 @@ router.get(
                             }
                           )
                         : isRoot && is_latest
-                        ? span(
-                            { class: "badge bg-primary ms-2" },
-                            req.__("Latest")
-                          ) +
-                          post_btn(
-                            "/admin/check-for-upgrade",
-                            req.__("Check updates"),
-                            req.csrfToken(),
-                            {
-                              btnClass: "btn-primary btn-sm px-1 py-0",
-                              formClass: "d-inline",
-                            }
-                          )
-                        : "",
-                      !git_commit &&
+                          ? span(
+                              { class: "badge bg-primary ms-2" },
+                              req.__("Latest")
+                            ) +
+                            post_btn(
+                              "/admin/check-for-upgrade",
+                              req.__("Check updates"),
+                              req.csrfToken(),
+                              {
+                                btnClass: "btn-primary btn-sm px-1 py-0",
+                                formClass: "d-inline",
+                              }
+                            )
+                          : "",
+                      isRoot &&
+                        !git_commit &&
                         a(
                           {
                             id: rndid,
@@ -1563,21 +1564,30 @@ const cleanNodeModules = async () => {
 };
 const doInstall = async (req, res, version, deepClean, runPull) => {
+  const state = getState();
+  let res_write = (s) => {
+    try {
+      res.write(s);
+      state.log(5, s);
+    } catch (e) {
+      console.error("Install write error: ", e?.message || e);
+    }
+  };
   if (db.getTenantSchema() !== db.connectObj.default_schema) {
     req.flash("error", req.__("Not possible for tenant"));
     res.redirect("/admin");
   } else {
-    res.write(
+    res_write(
       version === "latest"
         ? req.__("Starting upgrade, please wait...\n")
         : req.__("Installing %s, please wait...\n", version)
     );
     if (deepClean) {
-      res.write(req.__("Cleaning node_modules...\n"));
+      res_write(req.__("Cleaning node_modules...\n"));
       try {
         await cleanNodeModules();
       } catch (e) {
-        res.write(req.__("Error cleaning node_modules: %s\n", e.message));
+        res_write(req.__("Error cleaning node_modules: %s\n", e.message));
       }
     }
     const child = spawn(
@@ -1588,33 +1598,37 @@ const doInstall = async (req, res, version, deepClean, runPull) => {
       }
     );
     child.stdout.on("data", (data) => {
-      res.write(data);
+      res_write(data);
     });
     child.stderr?.on("data", (data) => {
-      res.write(data);
+      res_write(data);
     });
     child.on("exit", async function (code, signal) {
       if (code === 0) {
         if (deepClean) {
-          res.write(req.__("Installing sd-notify") + "\n");
+          res_write(req.__("Installing sd-notify") + "\n");
           const sdNotifyCode = await tryInstallSdNotify(req, res);
-          res.write(
+          res_write(
             req.__("sd-notify install done with code %s", sdNotifyCode) + "\n"
           );
         }
         if (runPull) {
-          res.write(
+          res_write(
             req.__("Pulling the capacitor-builder docker image...") + "\n"
           );
           const pullCode = await pullCapacitorBuilder(req, res, version);
-          res.write(req.__("Pull done with code %s", pullCode) + "\n");
+          res_write(req.__("Pull done with code %s", pullCode) + "\n");
           if (pullCode === 0) {
-            res.write(req.__("Pruning docker...") + "\n");
+            res_write(req.__("Pruning docker...") + "\n");
             const pruneCode = await pruneDocker(req, res);
-            res.write(req.__("Prune done with code %s", pruneCode) + "\n");
+            res_write(req.__("Prune done with code %s", pruneCode) + "\n");
           }
         }
       }
+      setTimeout(() => {
+        getState().processSend("RestartServer");
+        process.exit(0);
+      }, 200);
       res.end(
         version === "latest"
           ? req.__(
@@ -1624,10 +1638,6 @@ const doInstall = async (req, res, version, deepClean, runPull) => {
               `Install done with code ${code}.\n\nPress the BACK button in your browser, then RELOAD the page.`
             )
       );
-      setTimeout(() => {
-        getState().processSend("RestartServer");
-        process.exit(0);
-      }, 100);
     });
   }
 };
@@ -1974,9 +1984,8 @@ router.get(
     const filename = `${moment(start).format("YYYYMMDDHHmm")}.html`;
     await File.new_folder("configuration_checks");
     const go = async () => {
-      const { passes, errors, pass, warnings } = await runConfigurationCheck(
-        req
-      );
+      const { passes, errors, pass, warnings } =
+        await runConfigurationCheck(req);
       const end = new Date();
       const secs = Math.round((end.getTime() - start.getTime()) / 1000);
@@ -3250,8 +3259,8 @@ router.get(
       mode === "prepare"
         ? "_prepare_step"
         : mode === "finish"
-        ? "_finish_step"
-        : "";
+          ? "_finish_step"
+          : "";
     res.json({
       finished: await checkFiles(out_dir_name, [
         `logs${stepDesc}.txt`,
@@ -3326,8 +3335,8 @@ router.get(
       mode === "prepare"
         ? "_prepare_step"
         : mode === "finish"
-        ? "_finish_step"
-        : "";
+          ? "_finish_step"
+          : "";
     const resultMsg = files.find(
       (file) => file.filename === `logs${stepDesc}.txt`
     )
@@ -3786,6 +3795,9 @@ router.post(
     }
     if (form.values.triggers) {
       await db.deleteWhere("_sc_tag_entries", { not: { trigger_id: null } });
+      await db.deleteWhere("_sc_workflow_trace");
+      await db.deleteWhere("_sc_workflow_runs");
+      await db.deleteWhere("_sc_workflow_steps");
       await db.deleteWhere("_sc_triggers");
       await getState().refresh_triggers();
     }

package/routes/delete.js CHANGED Viewed

@@ -35,9 +35,11 @@ router.post(
     // todo check that works after where change
     const table = Table.findOne({ name: tableName });
     const role = req.user && req.user.id ? req.user.role_id : 100;
+    const where = { [table.pk_name]: id };
     try {
       if (role <= table.min_role_write)
-        await table.deleteRows({ id }, req.user || { role_id: 100 });
+        await table.deleteRows(where, req.user || { role_id: 100 });
       else if (
         (table.ownership_field_id || table.ownership_formula) &&
         req.user
@@ -47,7 +49,7 @@ router.post(
           { forUser: req.user, forPublic: !req.user }
         );
         if (row && table.is_owner(req.user, row))
-          await table.deleteRows({ id }, req.user || { role_id: 100 });
+          await table.deleteRows(where, req.user || { role_id: 100 });
         else req.flash("error", req.__("Not authorized"));
       } else
         req.flash(

package/routes/list.js CHANGED Viewed

@@ -282,6 +282,7 @@ router.get(
       cellClick: "__delete_tabulator_row",
     });
     const isDark = getState().getLightDarkMode(req.user) === "dark";
+    const pkNm = table.pk_name
     res.sendWrap(
       {
         title: req.__(`%s data table`, table.name),
@@ -428,7 +429,7 @@ router.get(
                 ajax_indicator(true);
                 $.ajax({
                   type: "POST",
-                  url: "/api/${table.name}/" + (row.id||""),
+                  url: "/api/${table.name}/" + (row.${pkNm}||""),
                   data: row,
                   headers: {
                     "CSRF-Token": _sc_globalCsrf,
@@ -438,8 +439,8 @@ router.get(
                   ajax_indicator(false);
                   //if (item._versions) item._versions = +item._versions + 1;
                   //data.resolve(fixKeys(item));
-                  if(resp.success &&(typeof resp.success ==="number" || typeof resp.success ==="string") && !row.id) {
-                    window.tabulator_table.updateRow(cell.getRow(), {id: resp.success});
+                  if(resp.success &&(typeof resp.success ==="number" || typeof resp.success ==="string") && !row.${pkNm}) {
+                    window.tabulator_table.updateRow(cell.getRow(), {${pkNm}: resp.success});
                   }
                 }).fail(function (resp) {

package/routes/pageedit.js CHANGED Viewed

@@ -289,7 +289,7 @@ const getRootPageForm = (pages, pageGroups, roles, req) => {
           input_type: "select",
           options: [
             "",
-            ...pages.map((p) => p.name),
+            ...pages.filter((p) => p.min_role >= r.id).map((p) => p.name),
             ...pageGroups.map((g) => ({
               label: `${g.name} (group)`,
               value: g.name,

package/routes/tables.js CHANGED Viewed

@@ -50,6 +50,7 @@ const {
   code,
   pre,
   button,
+  text_attr,
 } = require("@saltcorn/markup/tags");
 const { stringify } = require("csv-stringify");
 const TableConstraint = require("@saltcorn/data/models/table_constraints");
@@ -696,7 +697,14 @@ const typeBadges = (f, req) => {
   if (f.primary_key) s += badge("warning", req.__("Primary key"));
   if (f.required) s += badge("primary", req.__("Required"));
   if (f.is_unique) s += badge("success", req.__("Unique"));
-  if (f.calculated) s += badge("info", req.__("Calculated"));
+  if (f.calculated)
+    s += badge(
+      "info",
+      req.__("Calculated"),
+      f.expression && f.expression !== "__aggregation"
+        ? text_attr(f.expression)
+        : undefined
+    );
   if (f.stored) s += badge("warning", req.__("Stored"));
   return s;
 };
@@ -978,8 +986,8 @@ router.get(
               table.name === "users"
                 ? `/useradmin/`
                 : fields.length === 1
-                ? `javascript:;` // Fix problem with edition of table with only one column ID / Primary Key
-                : `/list/${encodeURIComponent(table.name)}`,
+                  ? `javascript:;` // Fix problem with edition of table with only one column ID / Primary Key
+                  : `/list/${encodeURIComponent(table.name)}`,
           },
           i({ class: "fas fa-2x fa-edit" }),
           "<br/>",
@@ -1459,7 +1467,10 @@ router.get(
       res.redirect(`/table/${table.id}`);
       return;
     }
-    const rows = await table.getRows({}, { orderBy: "id", forUser: req.user });
+    const rows = await table.getRows(
+      {},
+      { orderBy: table.pk_name, forUser: req.user }
+    );
     res.setHeader("Content-Type", "text/csv");
     res.setHeader("Content-Disposition", `attachment; filename="${name}.csv"`);
     res.setHeader("Cache-Control", "no-cache");
@@ -1535,12 +1546,12 @@ router.get(
                     r.type === "Unique"
                       ? r.configuration.fields.join(", ")
                       : r.type === "Index" && r.configuration?.field === "_fts"
-                      ? "Full text search"
-                      : r.type === "Index"
-                      ? r.configuration.field
-                      : r.type === "Formula"
-                      ? r.configuration.formula
-                      : "",
+                        ? "Full text search"
+                        : r.type === "Index"
+                          ? r.configuration.field
+                          : r.type === "Formula"
+                            ? r.configuration.formula
+                            : "",
                 },
                 {
                   label: req.__("Delete"),
@@ -2011,6 +2022,7 @@ router.post(
       if (parse_res.error) req.flash("error", parse_res.error);
       else req.flash("success", parse_res.success);
     } catch (e) {
+      console.error("CSV upload error", e);
       req.flash("error", e.message);
     }
     await fs.unlink(f.location);

package/tests/admin.test.js CHANGED Viewed

@@ -647,6 +647,9 @@ describe("clear all page", () => {
       .send("users=on")
       .send("config=on")
       .send("plugins=on")
+      .send("triggers=on")
+      .send("library=on")
+      .send("eventlog=on")
       .expect(toRedirect("/auth/create_first_user"));
   });
   it("restores backup after clear all", async () => {