apostrophe 2.220.4 → 2.220.9

package/CHANGELOG.md

@@ -1,5 +1,42 @@
 # Changelog
 
+## 2.220.9 (2022-02-04)
+
+## Fixes
+
+* Worked around bug preventing proper translation of the "Selected" message in certain modal operations. Thanks to [stepanjakl](https://github.com/stepanjakl).
+
+## 2.220.8 (2022-01-20)
+
+## Fixes
+
+* Fixes overflowing issue in the editor modals when adding multiple options to an area. This used to cause a scroll to appear and the user had to scroll to see all the options.
+* In the editor modal if there was an area with multiple items added (enough to make the page scrollable) when the user wanted to add another item another scroll bar would appear besides the already existing one and the user had to scroll to see all the options.
+* Fixes i18n processing of a login throttling error message.
+
+## 2.220.7 (2021-10-13)
+
+## Fixes
+
+* Avoid 500 errors when `joinByOne` field is hidden and required.
+* Avoid errors at startup when formerly valid locales for the global doc are in the database, but not part of the current configuration.
+
+## 2.220.6 (2021-09-13)
+
+## Security
+
+* SVG files can contain XSS attack vectors. Fortunately, these cannot be exploited when the SVG file is used in an `img` tag or as a CSS background, which is normally the case for SVGs uploaded to Apostrophe. However, Apostrophe does provide a "View File" button in the media manager which could load the file in a way that could trigger XSS attacks in a carefully crafted SVG intentionally designed to phish Apostrophe admins. To mitigate this risk, starting with version 2.220.6 the "View File" button downloads the SVG file to the local computer as an attachment. This removes it from the domain of the website, so that any embedded JavaScript cannot be used to trigger actions in Apostrophe. However please note that it is your responsibility to avoid the use of inline `svg` with untrusted SVG files, or the use of `iframe`, `embed` or `object` tags with untrusted SVG files. If you have not enabled the `svgImages` option to `apostrophe-attachments`, then your site does not accept SVG uploads and this risk is not relevant to you.
+
+## Fixes
+
+* At least in a nightwatch regression testing context, `transitionend` events have been observed not to fire, resulting in unreliable test suites. A change has been made to accommodate this scenario with a fallback timer relating to indicating the current topmost modal.
+
+## 2.220.5 (2021-08-30)
+
+## Fixes
+
+* The template error page was returning a 200 status code. It now correctly returns a 500 status code.
+
 ## 2.220.4 (2021-08-03)
 
 ## Fixes

package/lib/modules/apostrophe-attachments/lib/routes.js

@@ -1,4 +1,6 @@
-var _ = require('@sailshq/lodash');
+const _ = require('@sailshq/lodash');
+const request = require('request');
+const path = require('path');
 
 module.exports = function(self, options) {
 
@@ -25,7 +27,8 @@ module.exports = function(self, options) {
         }
         return next(null, { file: file });
       });
-    });
+    }
+  );
 
   // Crop a previously uploaded image, based on the `id` POST parameter
   // and the `crop` POST parameter. `id` should refer to an existing
@@ -65,4 +68,21 @@ module.exports = function(self, options) {
     });
   });
 
+  // Provides a simple route to download a file as an attachment, rather than
+  // viewing it. Pipes it from the regular public URL to avoid acting as a
+  // bypass of permissions
+  self.apiRoute('get', 'download', async (req, res) => {
+    const _id = self.apos.launder.id(req.query._id);
+    const info = await self.db.findOne({
+      _id: _id
+    });
+    if (!info) {
+      return res.status(404).send('notfound');
+    }
+    const url = self.url(info, { size: 'original' });
+    res.setHeader('Content-Disposition', `attachment; filename="${path.basename(url)}"`);
+    res.setHeader('Content-Type', 'application/octet-stream');
+    const resolvedUrl = (new URL(url, req.absoluteUrl)).toString();
+    await request(resolvedUrl).pipe(res);
+  });
 };

package/lib/modules/apostrophe-attachments/public/js/user.js

@@ -286,8 +286,13 @@ apos.define('apostrophe-attachments', {
       $existing.data('existing', info);
       $existing.data('field', field);
       $existing.attr('data-existing', info._id);
+      var $link = $existing.find('[data-link]');
       $existing.find('[data-name]').text(info.name);
-      $existing.find('[data-link]').attr('href', self.url(info, {size: 'original'}));
+      if (info.extension === 'svg') {
+        $link.attr('href', self.action + '/download?_id=' + info._id);
+      } else {
+        $link.attr('href', self.url(info, {size: 'original'}));
+      }
       $existing.alterClass('apos-extension-*', 'apos-extension-' + info.extension);
       var $preview = $existing.find('[data-preview]');
       if (info.group === 'images') {

package/lib/modules/apostrophe-doc-type-manager/lib/routes.js

@@ -63,7 +63,14 @@ module.exports = function(self, options) {
       convert: function(callback) {
         // For purposes of previewing, it's OK to ignore readOnly so we can tell which
         // inputs are plausible
-        return self.apos.schemas.convert(req, [ _.omit(field, 'readOnly') ], 'form', input, receptacle, callback);
+        return self.apos.schemas.convert(
+          req,
+          [_.omit(field, ['readOnly', 'required', 'min', 'max'])],
+          'form',
+          input,
+          receptacle,
+          callback
+        );
       },
       join: function(callback) {
         return self.apos.schemas.join(req, [ field ], receptacle, true, callback);

package/lib/modules/apostrophe-global/index.js

@@ -144,6 +144,8 @@ module.exports = {
     self.initGlobal = function(callback) {
       var req = self.apos.tasks.getReq();
       var existing;
+      const workflow = self.apos.modules['apostrophe-workflow'];
+      const locales = workflow && workflow.locales && Object.keys(workflow.locales);
       return async.series({
         // Early in pre-2.0 code there was no type property for the global page.
         // We can't use a standard migration to fix that because initGlobal
@@ -178,6 +180,10 @@ module.exports = {
               return callback(err);
             }
             existing = result;
+            if (workflow) {
+              // Do not react to documents whose locale no longer exists in the system
+              existing = existing.filter(doc => locales.includes(doc.workflowLocale));
+            }
             return callback();
           });
         },

package/lib/modules/apostrophe-login/index.js

@@ -455,7 +455,7 @@ module.exports = {
     }
 
     self.getThrottleLoginErr = function (req, minutes) {
-      return req.__ns_n(
+      return req.__ns(
         'apostrophe',
         'Too many login attempts. You may try again in %s minute(s).',
         minutes

package/lib/modules/apostrophe-modal/public/css/components/modal-tabs.less

@@ -47,7 +47,6 @@
     width: 75%;
     @media @apos-breakpoint-desktop-xl { width: 75%; }
     height: 100%;
-    overflow: auto;
     .apos-scrollbar;
   }
 

package/lib/modules/apostrophe-modal/public/js/modal.js

@@ -461,16 +461,18 @@ apos.define('apostrophe-modal', {
       setImmediate(function() {
         $wrapper.find('[data-modal-content]').removeClass('apos-modal-slide-current');
         var fired = false;
-        $content.one('webkitTransitionEnd otransitionend oTransitionEnd msTransitionEnd transitionend', function() {
+        $content.one('webkitTransitionEnd otransitionend oTransitionEnd msTransitionEnd transitionend', handler);
+        // Fallback because the transition has been observed to never happen, at least in nightwatch testing
+        setTimeout(handler, 1000);
+        $content.addClass('apos-modal-slide-current');
+        function handler() {
           if (fired) {
-            // Has been seen firing twice in nightwatch tests, in spite of `one`
             return;
           } else {
             fired = true;
           }
           self.indicateCurrentModal(true);
-        });
-        $content.addClass('apos-modal-slide-current');
+        }
       });
 
     };

package/lib/modules/apostrophe-modal/views/batch.html

@@ -8,7 +8,7 @@
       <select name="batch-operation" class="apos-field-input apos-field-input--small apos-field-input-select apos-manage-batch-operations-select">
         {% for operation in operations %}
           <option value="{{ operation.name }}">
-            {{ __ns('apostrophe', '%s Selected', operation.label) }} (0)
+            {{ __ns('apostrophe', ' %s Selected', operation.label) }} (0)
           </option>
         {% endfor %}
       </select>

package/lib/modules/apostrophe-schemas/index.js

@@ -2675,58 +2675,64 @@ module.exports = {
 
     self.validate = function(schema, options) {
       // Infinite recursion prevention
-      if (self.validatedSchemas[options.type + ':' + options.subtype]) {
-        return;
-      }
-      self.validatedSchemas[options.type + ':' + options.subtype] = true;
-      var unarranged = [];
+      const unarranged = [];
       _.each(schema, function(field) {
-        var fieldType = self.fieldTypes[field.type];
-        if (!fieldType) {
-          fail('Unknown schema field type.');
-        }
-        if (!field.name) {
-          fail('name property is missing.');
-        }
-        if ((!field.label) && (!field.contextual)) {
-          field.label = _.startCase(field.name.replace(/^_/, ''));
-        }
-        if (fieldType.validate) {
-          fieldType.validate(field, options, warn, fail, schema);
-        }
-        // If at least one field is in a non-default group and this one is in the
-        // default group, complain about halfassed grouping. The "Info" tab indicates
-        // insufficient UX consideration, unless it contains all the fields, which
-        // usually indicates a simple array schema that does not need any groups.
-        // Don't ding the developer for things that aren't their fault and are
-        // probably not that obnoxious in practice, like the withTags field of all
-        // pieces-pages, which is usually alone in the default group.
-        if (
-          field.group &&
-            (!field.contextual) &&
-            (field.name !== 'withTags') &&
-            (!field.type.match(/Reverse$/)) &&
-            (field.group.name === 'default') &&
-            (_.find(schema, function(field) {
-              return (field.group) && (field.group.name !== 'default');
-            }))) {
-          unarranged.push(field);
-        }
-        function fail(s) {
-          throw new Error(format(s));
-        }
-        function warn(s) {
-          self.apos.utils.warnDev(format(s));
-        }
-        function format(s) {
-          return '\n⚠️  ' + options.type + ' ' + options.subtype + ', field name ' + field.name + ':\n\n' + s + '\n';
+        const key = `${options.type}:${options.subtype}.${field.name}`;
+
+        if (!self.validatedSchemas[key]) {
+          self.validatedSchemas[key] = true;
+          self.validateField(field, options, schema, unarranged);
         }
       });
+
       if (unarranged.length) {
         self.apos.utils.warnDevOnce('unarranged-fields', '\n⚠️ ' + options.type + ' ' + options.subtype + ' contains unarranged field(s): ' + _.pluck(unarranged, 'name').join(', ') + '.\nArrange all of your fields with arrangeFields, using meaningful group labels.\nhttps://apos.dev/arrange-fields');
       }
     };
 
+    self.validateField = function(field, options, schema, unarranged) {
+      var fieldType = self.fieldTypes[field.type];
+      if (!fieldType) {
+        fail('Unknown schema field type.');
+      }
+      if (!field.name) {
+        fail('name property is missing.');
+      }
+      if ((!field.label) && (!field.contextual)) {
+        field.label = _.startCase(field.name.replace(/^_/, ''));
+      }
+      if (fieldType.validate) {
+        fieldType.validate(field, options, warn, fail, schema);
+      }
+      // If at least one field is in a non-default group and this one is in the
+      // default group, complain about halfassed grouping. The "Info" tab indicates
+      // insufficient UX consideration, unless it contains all the fields, which
+      // usually indicates a simple array schema that does not need any groups.
+      // Don't ding the developer for things that aren't their fault and are
+      // probably not that obnoxious in practice, like the withTags field of all
+      // pieces-pages, which is usually alone in the default group.
+      if (
+        field.group &&
+        (!field.contextual) &&
+        (field.name !== 'withTags') &&
+        (!field.type.match(/Reverse$/)) &&
+        (field.group.name === 'default') &&
+        (_.find(schema, function(field) {
+          return (field.group) && (field.group.name !== 'default');
+        }))) {
+        unarranged.push(field);
+      }
+      function fail(s) {
+        throw new Error(format(s));
+      }
+      function warn(s) {
+        self.apos.utils.warnDev(format(s));
+      }
+      function format(s) {
+        return '\n⚠️  ' + options.type + ' ' + options.subtype + ', field name ' + field.name + ':\n\n' + s + '\n';
+      }
+    };
+
     // Return all standard field names currently associated with permissions editing,
     // for consistency in arrangeFields, batch permissions schemas, etc.
     self.getPermissionsFieldNames = function() {

package/lib/modules/apostrophe-templates/index.js

@@ -721,7 +721,9 @@ module.exports = {
         self.apos.utils.error(':: ' + now + ': ' + type + ' error at ' + req.url);
         self.apos.utils.error('Current user: ' + (req.user ? req.user.username : 'none'));
         self.apos.utils.error(e);
-        req.statusCode = 500;
+        // It is too late for req.statusCode, which is processed
+        // before sendPage is invoked
+        req.res.statusCode = 500;
         return self.render(req, 'templateError');
       }
     };

package/package.json

@@ -1,12 +1,13 @@
 {
   "name": "apostrophe",
-  "version": "2.220.4",
+  "version": "2.220.9",
   "description": "The Apostrophe Content Management System.",
   "main": "index.js",
   "scripts": {
-    "test": "npm run lint && npm run audit && mocha --timeout 50000",
-    "audit": "npm audit",
-    "lint": "eslint ."
+    "test": "npm run build-test-package-json && npm run lint && npm run audit && mocha --timeout 50000",
+    "audit": "npm audit --production",
+    "lint": "eslint .",
+    "build-test-package-json": "node ./test-lib/build-test-package-json.js"
   },
   "repository": {
     "type": "git",
@@ -32,13 +33,12 @@
     "body-parser": "^1.19.0",
     "cheerio": "^1.0.0-rc.10",
     "chokidar": "^3.5.1",
-    "cli-progress": "^2.1.1",
     "connect-flash": "^0.1.1",
     "connect-multiparty": "^2.2.0",
     "cookie-parser": "^1.4.5",
     "credential": "^2.0.0",
     "cuid": "^1.3.8",
-    "deep-get-set": "^0.1.1",
+    "deep-get-set": "^1.1.1",
     "diff": "^4.0.1",
     "emulate-mongo-2-driver": "^1.2.3",
     "express": "^4.17.1",
@@ -80,7 +80,7 @@
     "tinycolor2": "^1.4.1",
     "uglify-js": "^2.8.29",
     "underscore.string": "^3.3.5",
-    "uploadfs": "^1.17.2",
+    "uploadfs": "^1.18.4",
     "xregexp": "^2.0.0",
     "yargs": "^3.32.0"
   },

package/test/login-throttle.js

@@ -6,7 +6,7 @@ let apos;
 
 describe('Login', function() {
 
-  this.timeout(20000);
+  this.timeout(60000);
 
   after(function(done) {
     return t.destroy(apos, done);
@@ -92,6 +92,10 @@ describe('Login', function() {
   });
 
   it('third failure in a row should cause a lockout', async function() {
+    if (process.version.startsWith('v8.')) {
+      console.log('Skipping this test on node 8, a partially supported release\nwhere this noncritical test is not reliable');
+      return;
+    }
     const req = apos.tasks.getReq();
     const user = await apos.users.find(req, {
       username: 'LilithIyapo'

package/test/package.json

@@ -0,0 +1,75 @@
+{
+  "//": "Automatically generated to satisfy moog-require, do not edit",
+  "dependencies": {
+    "@apostrophecms/nunjucks": "^2.5.4",
+    "@sailshq/lodash": "^3.10.4",
+    "async": "^1.5.2",
+    "bless": "^3.0.3",
+    "bluebird": "^3.7.1",
+    "body-parser": "^1.19.0",
+    "cheerio": "^1.0.0-rc.10",
+    "chokidar": "^3.5.1",
+    "cli-progress": "^2.1.1",
+    "connect-flash": "^0.1.1",
+    "connect-multiparty": "^2.2.0",
+    "cookie-parser": "^1.4.5",
+    "credential": "^2.0.0",
+    "cuid": "^1.3.8",
+    "deep-get-set": "^0.1.1",
+    "diff": "^4.0.1",
+    "emulate-mongo-2-driver": "^1.2.3",
+    "express": "^4.17.1",
+    "express-session": "^1.17.0",
+    "glob": "^5.0.15",
+    "he": "^0.5.0",
+    "heic-to-jpeg-middleware": "^2.0.0",
+    "html-to-plaintext": "^0.1.1",
+    "html-to-text": "^5.1.1",
+    "i18n": "^0.8.6",
+    "is-wsl": "^2.2.0",
+    "joinr": "^1.0.2",
+    "jpeg-exif": "^1.1.4",
+    "launder": "^1.5.0",
+    "less": "^3.13.1",
+    "less-middleware": "^3.1.0",
+    "minimatch": "^3.0.4",
+    "mkdirp": "^1.0.3",
+    "moment": "^2.29.1",
+    "moog-require": "^1.1.0",
+    "nodemailer": "^6.6.2",
+    "oembetter": "^1.0.1",
+    "passport": "^0.3.2",
+    "passport-local": "^1.0.0",
+    "passport-totp": "0.0.2",
+    "path-to-regexp": "^1.7.0",
+    "performance-now": "^2.1.0",
+    "qs": "^6.9.6",
+    "regexp-quote": "0.0.0",
+    "request": "^2.88.2",
+    "request-promise": "^4.2.4",
+    "resolve": "^1.20.0",
+    "rimraf": "^2.7.1",
+    "sanitize-html": "^2.4.0",
+    "server-destroy": "^1.0.1",
+    "sluggo": "^0.2.0",
+    "syntax-error": "^1.3.0",
+    "thirty-two": "^1.0.2",
+    "tinycolor2": "^1.4.1",
+    "uglify-js": "^2.8.29",
+    "underscore.string": "^3.3.5",
+    "uploadfs": "^1.17.2",
+    "xregexp": "^2.0.0",
+    "yargs": "^3.32.0",
+    "apostrophe": "^2.0.0"
+  },
+  "devDependencies": {
+    "eslint": "^6.5.1",
+    "eslint-config-apostrophe": "^2.0.2",
+    "eslint-config-standard": "^11.0.0",
+    "eslint-plugin-import": "^2.18.2",
+    "eslint-plugin-node": "^6.0.1",
+    "eslint-plugin-promise": "^3.8.0",
+    "eslint-plugin-standard": "^3.1.0",
+    "mocha": "^7.0.0"
+  }
+}

package/test-lib/build-test-package-json.js

@@ -0,0 +1,10 @@
+const fs = require('fs');
+const info = JSON.parse(fs.readFileSync('package.json'));
+
+info.dependencies = info.dependencies || {};
+info.dependencies.apostrophe = '^2.0.0';
+fs.writeFileSync('test/package.json', JSON.stringify({
+  "//": "Automatically generated to satisfy moog-require, do not edit",
+  dependencies: info.dependencies || {},
+  devDependencies: info.devDependencies || {}
+}, null, '  '));