apostrophe 3.61.0 → 3.62.0

package/CHANGELOG.md

@@ -1,5 +1,31 @@
 # Changelog
 
+## 3.62.0 (2024-01-25)
+
+### Adds
+
+* Adds support for `type` query parameter for page autocomplete. This allows to filter the results by page type. Example: `/api/v1/@apostrophecms/page?autocomplete=something&type=my-page-type`.
+* Add testing for the `float` schema field query builder.
+* Add testing for the `integer` schema field query builder.
+* Add support for link HTML attributes in the rich text widget via configurable fields `linkFields`, extendable on a project level (same as it's done for `fields`). Add an `htmlAttribute` property to the standard fields that map directly to an HTML attribute, except `href` (see special case below), and set it accordingly, even if it is the same as the field name. Setting `htmlAttribute: 'href'` is not allowed and will throw a schema validation exception (on application boot).
+* Adds support in `can` and `criteria` methods for `create` and `delete`.
+* Changes support for image upload from `canEdit` to `canCreate`.
+* The media manager is compatible with per-doc permissions granted via the `@apostrophecms-pro/advanced-permission` module.
+
+### Fixes
+
+* Fix the `launder` and `finalize` methods of the `float` schema field query builder.
+* Fix the `launder` and `finalize` methods of the `integer` schema field query builder.
+* A user who has permission to `publish` a particular page should always be allowed to insert it into the
+published version of the site even if they could not otherwise insert a child of the published
+parent.
+
+## 3.61.1 (2023-01-08)
+
+### Fixes
+
+* Pinned Vue dependency to 2.7.15. Released on December 24th, Vue 2.7.16 broke the rich text toolbar in Apostrophe.
+
 ## 3.61.0 (2023-12-21)
 
 ### Adds

package/modules/@apostrophecms/doc/index.js

@@ -857,8 +857,8 @@ module.exports = {
       // Called by an `@apostrophecms/doc-type:insert` event handler to confirm that the user
       // has the appropriate permissions for the doc's type and content.
       testInsertPermissions(req, doc, options) {
-        if (!(options.permissions === false)) {
-          if (!self.apos.permission.can(req, 'edit', doc)) {
+        if (options.permissions !== false) {
+          if (!self.apos.permission.can(req, 'create', doc)) {
             throw self.apos.error('forbidden');
           }
         }

package/modules/@apostrophecms/doc-type/index.js

@@ -19,7 +19,9 @@ module.exports = {
     relationshipSuggestionIcon: 'text-box-icon',
     relationshipSuggestionFields: [ 'slug' ]
   },
-  cascades: [ 'fields' ],
+  // Adding permissions for advanced permissions to allow modules to use it without
+  // being forced to check if the module is used with advanced permissions or not.
+  cascades: [ 'fields', 'permissions' ],
   fields(self) {
     return {
       add: {
@@ -1499,8 +1501,10 @@ module.exports = {
           label,
           pluralLabel,
           relatedDocument: self.options.relatedDocument,
+          canCreate: self.apos.permission.can(req, 'create', self.name, 'draft'),
           canEdit: self.apos.permission.can(req, 'edit', self.name, 'draft'),
-          canPublish: self.apos.permission.can(req, 'publish', self.name)
+          canPublish: self.apos.permission.can(req, 'publish', self.name),
+          canArchive: self.apos.permission.can(req, 'delete', self.name)
         };
         browserOptions.canLocalize = browserOptions.canEdit &&
           self.options.localized &&
@@ -1868,8 +1872,10 @@ module.exports = {
           after(results) {
             // In all cases we mark the docs with ._edit and ._publish if
             // the req is permitted to do those things
+            self.apos.permission.annotate(query.req, 'create', results);
             self.apos.permission.annotate(query.req, 'edit', results);
             self.apos.permission.annotate(query.req, 'publish', results);
+            self.apos.permission.annotate(query.req, 'delete', results);
           }
         },
 

package/modules/@apostrophecms/doc-type/ui/apos/components/AposDocEditor.vue

@@ -19,6 +19,7 @@
         :current="docFields.data"
         :published="published"
         :show-edit="false"
+        :can-delete-draft="moduleOptions.canDeleteDraft"
         @close="close"
       />
       <AposButton
@@ -195,8 +196,13 @@ export default {
 
       return this.moduleOptions.canPublish;
     },
+    canCreate() {
+      return this.original &&
+        !this.original._id &&
+        this.moduleOptions.canCreate;
+    },
     saveDisabled() {
-      if (!this.canEdit) {
+      if (!this.canCreate && !this.canEdit) {
         return true;
       }
       if (this.restoreOnly) {

package/modules/@apostrophecms/doc-type/ui/apos/logic/AposDocContextMenu.js

@@ -48,6 +48,12 @@ export default {
         return true;
       }
     },
+    canDeleteDraft: {
+      type: Boolean,
+      default() {
+        return true;
+      }
+    },
     showCopy: {
       type: Boolean,
       default() {
@@ -245,7 +251,10 @@ export default {
       if (!this.context._id) {
         return false;
       }
-      if (!this.canEdit) {
+      if (!this.context.lastPublishedAt && !this.canDeleteDraft && !this.context._delete) {
+        return false;
+      }
+      if (this.context.lastPublishedAt && (!this.context.modified || !this.context._edit)) {
         return false;
       }
       return (
@@ -262,12 +271,12 @@ export default {
     },
     canArchive() {
       return (
-        this.canEdit &&
+        this.context._delete &&
         this.context._id &&
         !this.moduleOptions.singleton &&
         !this.context.archived &&
         !this.context.parked &&
-        ((this.moduleOptions.canPublish && this.context.lastPublishedAt) || !this.manuallyPublished)
+        (Boolean(this.canPublish && this.context.lastPublishedAt) || !this.manuallyPublished)
       );
     },
     canUnpublish() {

package/modules/@apostrophecms/image/ui/apos/components/AposMediaManager.vue

@@ -71,7 +71,6 @@
             :accept="accept"
             :items="items"
             :module-options="moduleOptions"
-            :can-edit="moduleOptions.canEdit"
             @edit="updateEditing"
             v-model="checked"
             @select="select"
@@ -106,7 +105,6 @@
           />
           <AposMediaManagerSelections
             :items="selected"
-            :can-edit="moduleOptions.canEdit"
             @clear="clearSelected" @edit="updateEditing"
             v-show="!editing"
           />
@@ -248,7 +246,8 @@ export default {
     async getMedia (options) {
       const qs = {
         ...this.filterValues,
-        page: this.currentPage
+        page: this.currentPage,
+        viewContext: this.relationshipField ? 'relationship' : 'manage'
       };
       const filtered = !!Object.keys(this.filterValues).length;
       if (this.moduleOptions && Array.isArray(this.moduleOptions.filters)) {
@@ -354,9 +353,7 @@ export default {
       this.editing = undefined;
     },
     async updateEditing(id) {
-      if (!this.moduleOptions.canEdit) {
-        return;
-      }
+      const item = this.items.find(item => item._id === id);
       // We only care about the current doc for this prompt,
       // we are not in danger of discarding a selection when
       // we switch images
@@ -371,7 +368,11 @@ export default {
           return false;
         }
       }
-      this.editing = this.items.find(item => item._id === id);
+      if (!item?._edit) {
+        this.editing = null;
+        return true;
+      }
+      this.editing = item;
       return true;
     },
     // select setters

package/modules/@apostrophecms/image/ui/apos/components/AposMediaManagerDisplay.vue

@@ -2,7 +2,7 @@
   <div class="apos-media-manager-display">
     <div class="apos-media-manager-display__grid">
       <AposMediaUploader
-        v-if="canEdit"
+        v-if="moduleOptions.canCreate"
         :disabled="maxReached"
         :action="moduleOptions.action"
         :accept="accept"
@@ -83,10 +83,6 @@ export default {
     event: 'change'
   },
   props: {
-    canEdit: {
-      type: Boolean,
-      default: false
-    },
     maxReached: {
       type: Boolean,
       default: false

package/modules/@apostrophecms/image/ui/apos/components/AposMediaManagerEditor.vue

@@ -171,7 +171,7 @@ export default {
           action: 'localize'
         });
       }
-      if (this.activeMedia._id && !this.restoreOnly) {
+      if (this.activeMedia._id && this.activeMedia._delete && !this.restoreOnly) {
         menu.push({
           label: 'apostrophe:archiveImage',
           action: 'archive',
@@ -209,7 +209,9 @@ export default {
       return dayjs(this.activeMedia.attachment.createdAt).format(this.$t('apostrophe:dayjsMediaCreatedDateFormat'));
     },
     isArchived() {
-      return this.media.archived;
+      // ?. necessary to avoid reference to null due to
+      // race condition when toggling selection off
+      return this.media?.archived;
     }
   },
   watch: {
@@ -248,6 +250,7 @@ export default {
       this[action]();
     },
     async updateActiveDoc(newMedia) {
+      newMedia = newMedia || {};
       this.showReplace = false;
       this.activeMedia = klona(newMedia);
       this.restoreOnly = !!this.activeMedia.archived;

package/modules/@apostrophecms/image/ui/apos/components/AposMediaManagerSelections.vue

@@ -30,7 +30,7 @@
               {{ item.title }}
             </div>
             <AposButton
-              v-if="canEdit"
+              v-if="item._edit"
               label="apostrophe:edit"
               type="quiet"
               :modifiers="['no-motion']"
@@ -49,10 +49,6 @@
 <script>
 export default {
   props: {
-    canEdit: {
-      type: Boolean,
-      default: false
-    },
     items: {
       type: Array,
       required: true

package/modules/@apostrophecms/image/ui/apos/components/AposMediaUploader.vue

@@ -141,9 +141,11 @@ export default {
         for (const file of files) {
           try {
             const img = await this.insertImage(file, emptyDoc);
-            imageIds.push(img._id);
+            if (img?._id) {
+              imageIds.push(img._id);
+            }
           } catch (e) {
-            const msg = e.body && e.body.message ? e.body.message : this.$t('Upload error');
+            const msg = e.body && e.body.message ? e.body.message : this.$t('apostrophe:uploadError');
             await apos.notify(msg, {
               type: 'danger',
               icon: 'alert-circle-icon',

package/modules/@apostrophecms/page/index.js

@@ -122,6 +122,9 @@ module.exports = {
       // The user must have some page editing privileges to use it. The 10 best
       // matches are returned as an object with a `results` property containing the
       // array of pages.
+      // If ?type=x is present, only pages of that type are returned. This query
+      // parameter is only used in conjunction with ?autocomplete=x. It will be
+      // ignored otherwise.
       //
       // If querying for draft pages, you may add ?published=1 to attach a
       // `_publishedDoc` property to each draft that also exists in a published form.
@@ -139,11 +142,22 @@ module.exports = {
             if (!self.apos.permission.can(req, 'view', '@apostrophecms/any-page-type')) {
               throw self.apos.error('forbidden');
             }
+
+            const type = self.apos.launder.string(req.query.type);
+            if (type.length && !self.apos.permission.can(req, 'view', type)) {
+              throw self.apos.error('forbidden');
+            }
+
+            const query = self.getRestQuery(req).permission(false).limit(10).relationships(false)
+              .areas(false);
+            if (type.length) {
+              query.type(type);
+            }
+
             return {
               // For consistency with the pieces REST API we
               // use a results property when returning a flat list
-              results: await self.getRestQuery(req).permission(false).limit(10).relationships(false)
-                .areas(false).toArray()
+              results: await query.toArray()
             };
           }
 
@@ -275,7 +289,7 @@ module.exports = {
           // If we're looking for a fresh page instance and aren't saving yet,
           // simply get a new page doc and return it
           const parentPage = await self.findForEditing(req, self.getIdCriteria(targetId))
-            .permission('edit', '@apostrophecms/any-page-type').toObject();
+            .permission('create', '@apostrophecms/any-page-type').toObject();
           const newChild = self.newChild(parentPage);
           newChild._previewable = true;
           return newChild;
@@ -285,7 +299,7 @@ module.exports = {
           const targetPage = await self
             .findForEditing(req, self.getIdCriteria(targetId))
             .ancestors(true)
-            .permission('edit')
+            .permission('create')
             .toObject();
 
           if (!targetPage) {
@@ -311,7 +325,10 @@ module.exports = {
             copyingId
           });
           await self.insert(req, targetPage._id, position, page, { lock: false });
-          return self.findOneForEditing(req, { _id: page._id }, { attachments: true });
+          return self.findOneForEditing(req, { _id: page._id }, {
+            attachments: true,
+            permission: false
+          });
         });
       },
       // Consider using `PATCH` instead unless you're sure you have 100% up to date
@@ -391,6 +408,10 @@ module.exports = {
         const page = await self.findOneForEditing(req, {
           _id
         });
+
+        if (!page) {
+          throw self.apos.error('notfound');
+        }
         return self.delete(req, page);
       },
       // Patch some properties of the page.
@@ -828,7 +849,8 @@ database.`);
         }
         browserOptions.name = self.__meta.name;
         browserOptions.canPublish = self.apos.permission.can(req, 'publish', '@apostrophecms/any-page-type');
-        browserOptions.quickCreate = self.options.quickCreate && self.apos.permission.can(req, 'edit', '@apostrophecms/any-page-type', 'draft');
+        browserOptions.canCreate = self.apos.permission.can(req, 'create', '@apostrophecms/any-page-type', 'draft');
+        browserOptions.quickCreate = self.options.quickCreate && self.apos.permission.can(req, 'create', '@apostrophecms/any-page-type', 'draft');
         browserOptions.localized = true;
         browserOptions.autopublish = false;
         // A list of all valid page types, including parked pages etc. This is
@@ -840,6 +862,8 @@ database.`);
           Object.keys(self.apos.i18n.locales).length > 1 &&
           Object.values(self.apos.i18n.locales).some(locale => locale._edit);
         browserOptions.utilityOperations = self.utilityOperations;
+        browserOptions.canDeleteDraft = self.apos.permission.can(req, 'delete', '@apostrophecms/any-page-type', 'draft');
+
         return browserOptions;
       },
       // Returns a query that finds pages the current user can edit
@@ -882,7 +906,7 @@ database.`);
           if ((position === 'before') || (position === 'after')) {
             parent = await self.findForEditing(req, {
               path: self.getParentPath(target)
-            }).children({
+            }, { permission: 'create' }).children({
               depth: 1,
               archived: null,
               orphan: null,
@@ -898,7 +922,7 @@ database.`);
             throw self.apos.error('notfound');
           }
           if (options.permissions !== false) {
-            if (!parent._edit) {
+            if (!parent._create) {
               throw self.apos.error('forbidden');
             }
           }
@@ -1095,7 +1119,7 @@ database.`);
             // Move outside tree
             throw self.apos.error('forbidden');
           }
-          if ((oldParent._id !== parent._id) && (parent.type !== '@apostrophecms/archive-page') && (!parent._edit)) {
+          if ((oldParent._id !== parent._id) && (parent.type !== '@apostrophecms/archive-page') && (!parent._create)) {
             throw self.apos.error('forbidden');
           }
           if (moved.lastPublishedAt && !parent.lastPublishedAt) {

package/modules/@apostrophecms/page/ui/apos/components/AposPagesManager.vue

@@ -32,7 +32,7 @@
         :button="moreMenuButton"
       />
       <AposButton
-        v-else type="primary"
+        v-else-if="canCreate" type="primary"
         label="apostrophe:newPage" @click="create()"
       />
       <AposButton
@@ -81,6 +81,7 @@
             :icons="icons"
             v-model="checked"
             :options="treeOptions"
+            :module-options="moduleOptions"
             @update="update"
           />
         </template>
@@ -98,6 +99,7 @@ export default {
   // Keep it for linting
   emits: [ 'archive', 'search', 'safe-close', 'modal-result' ]
 };
+// TODO: check when child page is created and with what perm
 </script>
 
 <style lang="scss" scoped>

package/modules/@apostrophecms/page/ui/apos/logic/AposPagesManager.js

@@ -128,6 +128,13 @@ export default {
     },
     pageSetMenuSelectionIsLive() {
       return this.pageSetMenuSelection === 'live';
+    },
+    canCreate() {
+      const page = this.pagesFlat.find(page => page.aposDocId === this.moduleOptions.page.aposDocId);
+      if (page) {
+        return page._create;
+      }
+      return this.moduleOptions.canCreate;
     }
   },
   watch: {

package/modules/@apostrophecms/page-type/index.js

@@ -104,7 +104,7 @@ module.exports = {
       },
       beforeMove: {
         checkPermissions(req, doc) {
-          if (doc.lastPublishedAt && !self.apos.permission.can(req, 'publish', '@apostrophecms/any-page-type')) {
+          if (doc.lastPublishedAt && !self.apos.permission.can(req, 'publish', doc)) {
             throw self.apos.error('forbidden', 'Contributors may only move unpublished pages.');
           }
         }
@@ -352,6 +352,11 @@ module.exports = {
       // Called for you when a page is published for the first time.
       // You don't need to invoke this.
       async insertPublishedOf(req, doc, published, options = {}) {
+        // Check publish permission up front because we won't check it
+        // in insert
+        if (!self.apos.permission.can(req, 'publish', doc)) {
+          throw self.apos.error('forbidden');
+        }
         const _req = req.clone({
           mode: 'published'
         });
@@ -363,7 +368,14 @@ module.exports = {
             lastTargetId.replace(':draft', ':published'),
             lastPosition,
             published,
-            options);
+            {
+              ...options,
+              // We already confirmed we are allowed to
+              // publish the draft, bypass checks that
+              // can get hung up on "create" permission
+              permissions: false
+            }
+          );
         } else {
           // Insert the home page
           Object.assign(published, {

package/modules/@apostrophecms/permission/index.js

@@ -59,6 +59,7 @@ module.exports = {
         if (role === 'admin') {
           return true;
         }
+
         const type = docOrType && (docOrType.type || docOrType);
         const doc = (docOrType && docOrType._id) ? docOrType : null;
         const manager = type && self.apos.doc.getManager(type);
@@ -66,46 +67,73 @@ module.exports = {
           self.apos.util.warn('A permission.can() call was made with a type that has no manager:', type);
           return false;
         }
+
         if (action === 'view') {
-          if (manager && manager.options.viewRole && (ranks[role] < ranks[manager.options.viewRole])) {
-            return false;
-          } else if (((typeof docOrType) === 'object') && (docOrType.visibility !== 'public')) {
-            return (role === 'guest') || (role === 'contributor') || (role === 'editor');
-          } else {
-            return true;
-          }
-        } else if (action === 'view-draft') {
+          return canView();
+        }
+
+        if (action === 'view-draft') {
           // Checked at the middleware level to determine if req.mode should
           // be allowed to be set to draft at all
           return (role === 'contributor') || (role === 'editor');
-        } else if (action === 'edit') {
-          if (manager && manager.options.editRole && (ranks[role] < ranks[manager.options.editRole])) {
+        }
+
+        if ([ 'edit', 'create' ].includes(action)) {
+          return canEdit();
+        }
+
+        if (action === 'publish') {
+          return canPublish();
+        }
+
+        if (action === 'upload-attachment') {
+          return (role === 'contributor') || (role === 'editor');
+        }
+
+        if (action === 'delete') {
+          return canDelete();
+        }
+
+        throw self.apos.error('invalid', 'That action is not implemented');
+
+        function checkRoleConfig (permRole) {
+          return manager && manager.options[permRole] &&
+            (ranks[role] < ranks[manager.options[permRole]]);
+        }
+
+        function canView() {
+          if (checkRoleConfig('viewRole')) {
             return false;
-          } else if (mode === 'draft') {
-            return (role === 'contributor') || (role === 'editor');
-          } else {
-            return role === 'editor';
           }
-        } else if (action === 'publish') {
-          if (manager && manager.options.publishRole && (ranks[role] < ranks[manager.options.publishRole])) {
+          if ((typeof docOrType === 'object') && (docOrType.visibility !== 'public')) {
+            return (role === 'guest') || (role === 'contributor') || (role === 'editor');
+          }
+          return true;
+        }
+
+        function canEdit() {
+          if (checkRoleConfig('editRole')) {
             return false;
-          } else {
-            return role === 'editor';
           }
-        } else if (action === 'upload-attachment') {
-          if ((role === 'contributor') || (role === 'editor')) {
-            return true;
-          } else {
+          if (mode === 'draft') {
+            return (role === 'contributor') || (role === 'editor');
+          }
+          return role === 'editor';
+        }
+
+        function canPublish() {
+          if (checkRoleConfig('publishRole')) {
             return false;
           }
-        } else if (action === 'delete') {
-          if (doc && !doc.lastPublishedAt) {
-            return self.can(req, 'edit', doc);
-          } else {
-            return self.can(req, 'publish', doc);
+          return role === 'editor';
+        }
+
+        function canDelete() {
+          if (doc && (!doc.lastPublishedAt || doc.aposMode === 'draft')) {
+            return self.can(req, 'edit', doc, mode);
           }
-        } else {
-          throw self.apos.error('invalid', 'That action is not implemented');
+
+          return self.can(req, 'publish', docOrType, mode);
         }
       },
 
@@ -117,6 +145,7 @@ module.exports = {
         if (role === 'admin') {
           return {};
         }
+
         const restrictedViewTypes = Object.keys(self.apos.doc.managers).filter(name => ranks[self.apos.doc.getManager(name).options.viewRole] > ranks[role]);
         const restrictedEditTypes = Object.keys(self.apos.doc.managers).filter(name => ranks[self.apos.doc.getManager(name).options.editRole] > ranks[role]);
         const restrictedPublishTypes = Object.keys(self.apos.doc.managers).filter(name => ranks[self.apos.doc.getManager(name).options.publishRole] > ranks[role]);
@@ -175,7 +204,7 @@ module.exports = {
 
             return query;
           }
-        } else if (action === 'edit') {
+        } else if ([ 'edit', 'create', 'delete' ].includes(action)) {
           if (role === 'contributor') {
             return {
               aposMode: {
@@ -259,7 +288,7 @@ module.exports = {
           permissions.push({
             name: 'create',
             label: 'apostrophe:create',
-            value: self.can(req, 'edit', module.name)
+            value: self.can(req, 'create', module.name)
           });
         }
         permissions.push({