apostrophe 2.221.2 → 2.223.0

package/CHANGELOG.md

@@ -1,5 +1,25 @@
 # Changelog
 
+## 2.223.0 (2022-11-28)
+
+### Adds
+
+* Allows to exclude certain groups of users from seeing a piece or a page in `Permissions` tab.
+
+### Fixes
+
+* Handles joins in array fields correctly under high concurrent load. Previously it was possible for joins in array fields to fail to load under certain conditions.
+
+## 2.222.0 (2022-07-20)
+
+## Adds
+
+* `testModule: true` is now compatible with `mocha` 10.x as well as previously supported versions of `mocha`. Thanks to [Amin Shazrin](https://github.com/ammein) for this contribution.
+
+## Fixes
+
+* `sanitize-html` dependency bumped to ensure a potential denial-of-service vector is closed.
+
 ## 2.221.2 (2022-07-06)
 
 ## Fixes

package/index.js

@@ -256,7 +256,7 @@ module.exports = function(options) {
     while (m.parent) {
       // The test file is the root as far as we are concerned,
       // not mocha itself
-      if (m.parent.filename.match(/\/node_modules\/mocha\//)) {
+      if (m.parent.filename.match(new RegExp(`${path.sep}node_modules${path.sep}mocha${path.sep}`))) {
         return m;
       }
       m = m.parent;
@@ -415,20 +415,18 @@ module.exports = function(options) {
     // and throws an exception if we don't
     function findTestModule() {
       var m = module;
-      var nodeModuleRegex;
-      if (process.platform === "win32") {
-        nodeModuleRegex = /node_modules\\mocha/;
-      } else {
-        nodeModuleRegex = /node_modules\/mocha/;
+      var nodeModuleRegex = new RegExp("node_modules" + path.sep + "mocha");
+      if (!require.main.filename.match(nodeModuleRegex)) {
+        throw new Error('mocha does not seem to be running, is this really a test?');
       }
       while (m) {
         if (m.parent && m.parent.filename.match(nodeModuleRegex)) {
           return m;
+        } else if (!m.parent) {
+          // Mocha v10 doesn't inject mocha paths inside `module`, therefore, we only detect the parent until the last parent. But we can get Mocha running using `require.main` - Amin
+          return m;
         }
         m = m.parent;
-        if (!m) {
-          throw new Error('mocha does not seem to be running, is this really a test?');
-        }
       }
     }
   }

package/lib/modules/apostrophe-doc-type-manager/index.js

@@ -59,6 +59,12 @@ module.exports = {
             value: 'certainUsers',
             label: 'Certain People',
             showFields: [ '_viewGroups', '_viewUsers' ]
+          },
+          {
+            value: 'excludeCertainUsers',
+            label: 'Exclude Certain People',
+            help: 'Selected group members will not be allowed to view the document. Please note that it will still require a logged-in user to view it, logged-out users will be excluded.',
+            showFields: [ '_excludeViewGroups' ]
           }
         ]
       },
@@ -80,6 +86,15 @@ module.exports = {
         sortable: false,
         editDocs: false
       },
+      {
+        name: '_excludeViewGroups',
+        type: 'joinByArray',
+        withType: 'apostrophe-group',
+        label: 'These Groups cannot View',
+        idsField: 'excludeViewGroupsIds',
+        sortable: false,
+        editDocs: false
+      },
       {
         name: '_editUsers',
         type: 'joinByArray',

package/lib/modules/apostrophe-docs/lib/api.js

@@ -336,6 +336,7 @@ module.exports = function(self, options) {
     var fields = {
       viewGroupsIds: 'view',
       viewUsersIds: 'view',
+      excludeViewGroupsIds: 'exclude-view',
       editGroupsIds: 'edit',
       editUsersIds: 'edit'
     };
@@ -947,7 +948,7 @@ module.exports = function(self, options) {
   // etc.
 
   self.docUnversionedFields = function(req, doc, fields) {
-    fields.push('slug', 'docPermissions', 'viewUserIds', 'viewGroupIds', 'editUserIds', 'editGroupIds', 'loginRequired');
+    fields.push('slug', 'docPermissions', 'viewUserIds', 'viewGroupIds', 'excludeViewGroupIds', 'editUserIds', 'editGroupIds', 'loginRequired');
   };
 
   // Lock the given doc id to a given `contextId`, such

package/lib/modules/apostrophe-pages/lib/api.js

@@ -227,7 +227,7 @@ module.exports = function(self, options) {
 
     var admin = req.user && req.user._permissions.admin;
 
-    var allowed = [ 'view' ];
+    var allowed = [ 'view', 'exclude-view' ];
     if (admin) {
       allowed.push('edit');
     }
@@ -313,6 +313,7 @@ module.exports = function(self, options) {
         'loginRequired',
         'viewUsersIds',
         'viewGroupsIds',
+        'excludeViewGroupsIds',
         'editUsersIds',
         'editGroupsIds',
         'docPermissions'

package/lib/modules/apostrophe-permissions/lib/strategiesApi.js

@@ -58,6 +58,12 @@ module.exports = function(self, options) {
           if (req.user && _.intersection(self.userPermissionNames(req.user, 'edit'), object.docPermissions).length) {
             return true;
           }
+
+          // Case #5: object is restricted to exclude certain people
+          if (req.user && object.published && (object.loginRequired === 'excludeCertainUsers') && _.intersection(self.userPermissionNames(req.user, 'exclude-view'), object.docPermissions).length === 0) {
+            return true;
+          }
+
         } else {
           // Not view permissions
 
@@ -95,7 +101,6 @@ module.exports = function(self, options) {
             }
 
             // Case #3: doc is restricted to certain people
-
             clauses.push({
               published: true,
               loginRequired: 'certainUsers',
@@ -121,6 +126,13 @@ module.exports = function(self, options) {
                 }
               ]
             });
+
+            // Case #5: doc is restricted to exclude certain people
+            clauses.push({
+              published: true,
+              loginRequired: 'excludeCertainUsers',
+              docPermissions: { $nin: self.userPermissionNames(req.user, 'exclude-view') }
+            });
           }
         } else {
           // Not view permissions

package/lib/modules/apostrophe-schemas/index.js

@@ -698,9 +698,11 @@ module.exports = {
       var joins = [];
 
       function findJoins(schema, arrays) {
+        // Shallow clone at the end to ensure our _dotPath and _arrays
+        // properties are unique to this request
         var _joins = _.filter(schema, function(field) {
           return !!self.fieldTypes[field.type].join;
-        });
+        }).map(join => _.clone(join));
         _.each(_joins, function(join) {
           if (!arrays.length) {
             join._dotPath = join.name;
@@ -2736,7 +2738,7 @@ module.exports = {
     // Return all standard field names currently associated with permissions editing,
     // for consistency in arrangeFields, batch permissions schemas, etc.
     self.getPermissionsFieldNames = function() {
-      return [ 'loginRequired', '_viewUsers', '_viewGroups', '_editUsers', '_editGroups', 'applyToSubpages' ];
+      return [ 'loginRequired', '_viewUsers', '_viewGroups', '_excludeViewGroups', '_editUsers', '_editGroups', 'applyToSubpages' ];
     };
 
   }

package/lib/modules/apostrophe-users/index.js

@@ -803,6 +803,7 @@ module.exports = {
         var fields = {
           'viewUsersIds': [],
           'viewGroupsIds': [],
+          'excludeViewGroupsIds': [],
           'editUsersIds': [],
           'editGroupsIds': []
         };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "apostrophe",
-  "version": "2.221.2",
+  "version": "2.223.0",
   "description": "The Apostrophe Content Management System.",
   "main": "index.js",
   "scripts": {
@@ -72,7 +72,7 @@
     "request-promise": "^4.2.4",
     "resolve": "^1.20.0",
     "rimraf": "^2.7.1",
-    "sanitize-html": "^2.4.0",
+    "sanitize-html": "^2.7.1",
     "server-destroy": "^1.0.1",
     "sluggo": "^0.2.0",
     "syntax-error": "^1.3.0",

package/test/concurrent-array-joins.js

@@ -0,0 +1,98 @@
+const t = require('../test-lib/test.js');
+const assert = require('assert');
+let apos;
+
+describe('Concurrent Array Joins', function() {
+
+  this.timeout(t.timeout);
+
+  after(function(done) {
+    return t.destroy(apos, done);
+  });
+
+  // EXISTENCE
+
+  it('should be a property of the apos object', function(done) {
+    apos = require('../index.js')({
+      root: module,
+      shortName: 'test',
+
+      modules: {
+        'apostrophe-express': {
+          secret: 'xxx',
+          port: 7900
+        },
+        'test-people': {
+          extend: 'apostrophe-pieces',
+          name: 'test-person',
+          alias: 'persons',
+          addFields: [
+            {
+              name: 'hobbies',
+              type: 'array',
+              schema: [
+                {
+                  type: 'string',
+                  name: 'name'
+                },
+                {
+                  type: 'joinByOne',
+                  name: '_friend',
+                  withType: 'test-person'
+                }
+              ]
+            }
+          ]
+        }
+      },
+      afterInit: function(callback) {
+        assert(apos.docs);
+        apos.argv._ = [];
+        return callback(null);
+      },
+      afterListen: function(err) {
+        assert(!err);
+        done();
+      }
+    });
+  });
+
+  it('should be able to retrieve hobbies in parallel with all joins', async function() {
+    const req = apos.tasks.getReq();
+    const hobbyists = [];
+    for (let i = 0; (i < 10); i++) {
+      hobbyists.push(await apos.persons.insert(req, {
+        title: `Hobbyist ${i}`,
+        published: true
+      }));
+    }
+    for (let i = 0; (i < 10); i++) {
+      hobbyists[i].hobbies = [
+        {
+          name: `Hobby ${i}`,
+          friendId: hobbyists[9 - i]._id
+        }
+      ];
+      await apos.persons.update(req, hobbyists[i]);
+    }
+    const promises = [];
+    for (let i = 0; (i < 100); i++) {
+      promises.push(apos.persons.find(req).toArray());
+    }
+    const results = await Promise.all(promises);
+    assert.strictEqual(results.length, 100);
+    for (const result of results) {
+      // https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/localeCompare
+      result.sort((a, b) => a.title.localeCompare(b.title));
+      assert.strictEqual(result.length, 10);
+      for (let i = 0; (i < 10); i++) {
+        const person = result[i];
+        assert.strictEqual(person.title, `Hobbyist ${i}`);
+        assert.strictEqual(person.hobbies.length, 1);
+        assert.strictEqual(person.hobbies[0].name, `Hobby ${i}`);
+        assert(person.hobbies[0]._friend);
+        assert.strictEqual(person.hobbies[0]._friend.title, `Hobbyist ${9 - i}`);
+      }
+    }
+  });
+});

package/test/permissions.js

@@ -86,6 +86,15 @@ describe('Permissions', function() {
     it('certainUsers will not let you slide past to an unpublished doc', function() {
       assert(!apos.permissions.can(req({ user: { _id: 1 } }), 'view-doc', { loginRequired: 'certainUsers', docPermissions: [ 'view-1' ] }));
     });
+    it('forbids view-doc for individual with group id', function() {
+      assert(!apos.permissions.can(req({ user: { _id: 1, groupIds: [ 1001, 1002 ] } }), 'view-doc', { published: true, loginRequired: 'excludeCertainUsers', docPermissions: [ 'exclude-view-1002' ] }));
+    });
+    it('permits view-doc for individual with wrong group id', function() {
+      assert(apos.permissions.can(req({ user: { _id: 2, groupIds: [ 1001, 1002 ] } }), 'view-doc', { published: true, loginRequired: 'excludeCertainUsers', docPermissions: [ 'exclude-view-1003' ] }));
+    });
+    it('excludeCertainUsers will not let you slide past to an unpublished doc', function() {
+      assert(!apos.permissions.can(req({ user: { _id: 1 } }), 'exclude-view-doc', { loginRequired: 'excludeCertainUsers', docPermissions: [ 'exclude-view-1' ] }));
+    });
     it('permits view-doc for unpublished doc for individual with group id for editing', function() {
       assert(apos.permissions.can(req({ user: { _id: 1, groupIds: [ 1001, 1002 ] } }), 'view-doc', { docPermissions: [ 'edit-1002' ] }));
     });

package/test/schemas.js

@@ -153,6 +153,7 @@ var realWorldCase = {
         "loginRequired",
         "_viewUsers",
         "_viewGroups",
+        "_excludeViewGroups",
         "_editUsers",
         "_editGroups"
       ],