apostrophe 4.27.1 → 4.28.0

package/modules/@apostrophecms/attachment/index.js

@@ -124,6 +124,9 @@ module.exports = {
     await self.db.createIndex({ archivedDocIds: 1 });
     self.addLegacyMigrations();
     self.addSvgSanitizationMigration();
+
+    // Lazy cache for types whose schema contains attachment fields.
+    self.typesWithAttachmentFields = new Map();
   },
 
   tasks(self) {
@@ -633,6 +636,15 @@ module.exports = {
         if (!attachment) {
           return self.getMissingAttachmentUrl();
         }
+        // file module supports these, optionally
+        // (performance tradeoff). It's not enough to
+        // pass the prettyUrl: true option to this method,
+        // and that's not necessary. Setting it to false is
+        // an internal option for determining the real URL
+        // behind the pretty URL.
+        if (attachment._prettyUrl && (options.prettyUrl !== false)) {
+          return attachment._prettyUrl;
+        }
         let path = '/attachments/' + attachment._id + '-' + attachment.name;
         if (!options.uploadfsPath) {
           path = self.uploadfs.getUrl() + path;
@@ -882,6 +894,264 @@ module.exports = {
           }
         }
       },
+      // Check whether a schema array (recursively through
+      // array and object sub-schemas) contains at least one
+      // field with `type: 'attachment'`.
+      schemaHasAttachmentField(schema) {
+        if (!Array.isArray(schema)) {
+          return false;
+        }
+        for (const field of schema) {
+          if (field.type === 'attachment') {
+            return true;
+          }
+          if (
+            (field.type === 'array' || field.type === 'object') &&
+            field.schema
+          ) {
+            if (self.schemaHasAttachmentField(field.schema)) {
+              return true;
+            }
+          }
+        }
+        return false;
+      },
+
+      // Return a Set of doc type names whose module schema
+      // contains at least one `type: 'attachment'` field.
+      // Result is lazy cached.
+      hasAttachmentFields(type) {
+        if (self.typesWithAttachmentFields.has(type)) {
+          return self.typesWithAttachmentFields.get(type);
+        }
+        const module = self.apos.modules[type];
+        if (!module?.schema) {
+          self.typesWithAttachmentFields.set(type, false);
+        } else {
+          self.typesWithAttachmentFields.set(
+            type,
+            self.schemaHasAttachmentField(module.schema)
+          );
+        }
+        return self.typesWithAttachmentFields.get(type);
+      },
+
+      // Check whether a relationship field's `withType`
+      // (which may be a virtual type like
+      // `@apostrophecms/any-page-type`) resolves to a type
+      // that has attachment fields.
+      relationshipHasAttachmentFields(withType) {
+        if (self.hasAttachmentFields(withType)) {
+          return true;
+        }
+        if (
+          withType === '@apostrophecms/any-page-type' ||
+          withType === '@apostrophecms/page'
+        ) {
+          const cacheKey = '@apostrophecms/any-page-type';
+          if (!self.typesWithAttachmentFields.has(cacheKey)) {
+            self.typesWithAttachmentFields.set(
+              cacheKey,
+              self.apos
+                .instancesOf('@apostrophecms/page-type')
+                .some(module => self.hasAttachmentFields(module.__meta.name))
+            );
+            self.typesWithAttachmentFields.set(
+              '@apostrophecms/page',
+              self.typesWithAttachmentFields.get(cacheKey)
+            );
+          }
+          return self.typesWithAttachmentFields.get(cacheKey);
+        }
+        return false;
+      },
+
+      // Collect the full `_id` values (e.g. `abc:en:published`)
+      // of docs that are referenced via relationship fields
+      // from the given `doc` and belong to types whose schema
+      // contains at least one `type: 'attachment'` field.
+      //
+      // These IDs can be matched against the `docIds` array
+      // stored on each attachment record, allowing a "used"
+      // scope that only includes attachments actively referenced
+      // by published content.
+      //
+      // Returns an array of full `_id` strings. The method is
+      // synchronous because it only inspects the in-memory
+      // document data — no database queries are needed.
+      collectUsedDocIds(req, doc) {
+        const docIds = new Set();
+        if (self.hasAttachmentFields(doc.type)) {
+          docIds.add(doc.aposDocId);
+        }
+        const locale = req.locale || self.apos.i18n?.defaultLocale || 'en';
+        const mode = req.mode || 'published';
+
+        self.collectDocAttachmentRefIds(doc, docIds);
+
+        // Convert aposDocId values to full _id format
+        return [ ...docIds ].map(
+          aposDocId => `${aposDocId}:${locale}:${mode}`
+        );
+      },
+
+      // Given a single document (raw MongoDB data), walk its
+      // schema recursively and collect `idsStorage` values from
+      // relationship fields that point to types with attachment
+      // fields.  Also handles the special case of rich-text
+      // widget inline images (`imageIds`) and widgets whose own
+      // schema contains a direct `type: 'attachment'` field.
+      //
+      // Found IDs are added to the `target` Set
+      // (aposDocId values, locale-agnostic).
+      collectDocAttachmentRefIds(doc, target) {
+        const handlers = {
+          relationship: (field, contextDoc) => {
+            if (self.relationshipHasAttachmentFields(field.withType)) {
+              for (const id of (contextDoc[field.idsStorage] || [])) {
+                target.add(id);
+              }
+            }
+          },
+          // Rich-text widgets store inline image references in
+          // `imageIds` outside of any schema relationship field.
+          // Widgets whose own schema has a direct `type: 'attachment'`
+          // field (e.g. a custom widget storing a file directly) also
+          // need to include the parent doc's ID.
+          widget: (field, widget) => {
+            if (self.hasAttachmentFields(widget.type)) {
+              target.add(doc.aposDocId);
+            }
+            if (
+              widget.type === '@apostrophecms/rich-text' &&
+              Array.isArray(widget.imageIds)
+            ) {
+              for (const id of widget.imageIds) {
+                target.add(id);
+              }
+            }
+          }
+        };
+        self.apos.doc.walkByMetaType(doc, handlers);
+      },
+
+      // Return metadata for attachments suitable for a static build.
+      // Uses batch-of-100 pattern for memory efficiency (see self.each()).
+      //
+      // Options (all optional):
+      //
+      // `docIds`: array of full locale-qualified document `_id`s.
+      //   When provided, only attachments whose `docIds` array
+      //   intersects with the given list are returned ("used"
+      //   scope).  When not provided (undefined), all non-archived
+      //   attachments are returned ("all" scope).
+      //
+      // Archived attachments are always excluded.
+      //
+      // `sizes`: array of size names to include (e.g. `['full',
+      //   'one-half']`).  When provided, only these sizes are
+      //   emitted.  Ignored for non-sized attachments (SVG, office
+      //   files) which always get a single entry with `path` only.
+      //
+      // `skipSizes`: array of size names to exclude.  Applied
+      //   after `sizes` (or after the full size list when `sizes`
+      //   is not given).  Common use: `['original']` to skip the
+      //   potentially very large original upload.
+      //
+      // Cropped variants, when present on the attachment record,
+      // are also subject to `sizes` and `skipSizes` filtering.
+      //
+      // Returns an array of objects:
+      //
+      // ```js
+      // {
+      //   _id: 'abc123',
+      //   urls: [
+      //     // Sized attachments include a `size` property:
+      //     { size: 'full', path: '/attachments/abc-photo.full.jpg' },
+      //     { size: 'one-half', path: '/attachments/abc-photo.one-half.jpg' },
+      //     // crop variants (same sizes):
+      //     { size: 'full', path: '/attachments/abc-photo.10.20.300.400.full.jpg' },
+      //     ...
+      //     // Non-sized attachments (SVG, office docs) have `path` only:
+      //     { path: '/attachments/def-document.pdf' },
+      //   ]
+      // }
+      // ```
+      //
+      // `path` is an uploadfs-relative path (no host prefix).
+      async getStaticMetadata({
+        docIds, sizes, skipSizes
+      } = {}) {
+        const criteria = {
+          archived: { $ne: true }
+        };
+        if (Array.isArray(docIds)) {
+          criteria.docIds = { $in: docIds };
+        }
+
+        const allSizeNames = self.imageSizes.map((s) => s.name)
+          .concat([ 'original' ]);
+        let effectiveSizes;
+        if (Array.isArray(sizes) && sizes.length) {
+          effectiveSizes = sizes.filter((s) => allSizeNames.includes(s));
+        } else {
+          effectiveSizes = [ ...allSizeNames ];
+        }
+        if (Array.isArray(skipSizes) && skipSizes.length) {
+          effectiveSizes = effectiveSizes.filter(
+            (s) => !skipSizes.includes(s)
+          );
+        }
+
+        const results = [];
+
+        await self.each(criteria, async (attachment) => {
+          const urls = [];
+          const isSized = self.isSized(attachment);
+
+          if (isSized) {
+            // Sized image: emit one entry per requested size
+            for (const size of effectiveSizes) {
+              urls.push({
+                size,
+                path: self.url(attachment, {
+                  uploadfsPath: true,
+                  crop: false,
+                  size
+                })
+              });
+            }
+            // Crop variants — respect the same size constraints
+            for (const crop of (attachment.crops || [])) {
+              for (const size of effectiveSizes) {
+                urls.push({
+                  size,
+                  path: self.url(attachment, {
+                    uploadfsPath: true,
+                    crop,
+                    size
+                  })
+                });
+              }
+            }
+          } else {
+            // Non-sized (SVG, office docs): path only, no size property
+            urls.push({
+              path: self.url(attachment, { uploadfsPath: true })
+            });
+          }
+
+          if (urls.length) {
+            results.push({
+              _id: attachment._id,
+              urls
+            });
+          }
+        });
+
+        return results;
+      },
       // Returns true if, based on the provided attachment object,
       // a valid focal point has been specified. Useful to avoid
       // the default of `background-position: center center` if

package/modules/@apostrophecms/doc/index.js

@@ -53,7 +53,8 @@ module.exports = {
       // a 404 if you request a document you cannot edit.
       async getOne(req, _id) {
         _id = self.apos.i18n.inferIdLocaleAndMode(req, _id);
-        const doc = await self.find(req, { _id }).permission('edit').toObject();
+        const aposDocId = _id.split(':')[0];
+        const doc = await self.find(req, { $or: [ { _id }, { _id: aposDocId } ] }).permission('edit').toObject();
         if (!doc) {
           throw self.apos.error('notfound');
         }
@@ -1794,11 +1795,13 @@ module.exports = {
 
       // Iterate through the document fields and call the provided handlers
       // for each item of an array, object and relationship field type.
+      // Invoke the `widget` handler for widgets in areas if provided.
       walkByMetaType(doc, handlers) {
         const defaultHandlers = {
           arrayItem: () => {},
           object: () => {},
-          relationship: () => {}
+          relationship: () => {},
+          widget: null
         };
 
         handlers = {
@@ -1827,6 +1830,9 @@ module.exports = {
           for (const field of schema) {
             if (field.type === 'area' && doc[field.name] && doc[field.name].items) {
               for (const widget of doc[field.name].items) {
+                if (handlers.widget) {
+                  handlers.widget(field, widget);
+                }
                 self.walkByMetaType(widget, handlers);
               }
             } else if (field.type === 'array') {

package/modules/@apostrophecms/doc-type/index.js

@@ -553,6 +553,9 @@ module.exports = {
       // in an autocomplete menu. Default behavior is to
       // return only the `title`, `_id` and `slug` properties.
       // Removing any of these three is not recommended.
+      // `aposDocId` is required for building template filters when static
+      // url's are enabled, `type` is required for various features including
+      // permissions - do not remove these unless you know what you are doing.
       //
       // `query.field` will contain the schema field definition for
       // the relationship the user is attempting to match titles from.
@@ -564,6 +567,7 @@ module.exports = {
           title: 1,
           type: 1,
           _id: 1,
+          aposDocId: 1,
           _url: 1,
           slug: 1
         };
@@ -1648,7 +1652,80 @@ module.exports = {
           name: key,
           ...self.columns[key]
         }));
+      },
+
+      // Returns an object with `metadata` (array of URL metadata
+      // entries) and `attachmentDocIds` (array of full `_id` strings
+      // for docs referenced via relationships to types with
+      // attachment fields).
+      //
+      // When `options.attachments` is truthy, each document is also
+      // inspected for attachment references via
+      // `attachment.collectUsedDocIds()`, otherwise `attachmentDocIds`
+      // is returned as an empty array.
+      async getAllUrlMetadata(req, { attachments = false } = {}) {
+        const result = {
+          metadata: [],
+          attachmentDocIds: []
+        };
+        let skip = 0;
+        let docs = [];
+
+        do {
+          // Paginate through 100 at a time to avoid exhausting
+          // memory
+          docs = await self.getUrlMetadataQuery(req)
+            .skip(skip)
+            .limit(100)
+            .toArray();
+          await Promise.all(docs.map(async doc => {
+            result.metadata.push(...await self.getUrlMetadata(req, doc));
+            if (attachments) {
+              result.attachmentDocIds.push(
+                ...self.apos.attachment.collectUsedDocIds(req, doc)
+              );
+            }
+          }));
+          skip += docs.length;
+        } while (docs.length > 0);
+
+        return result;
+      },
+
+      // Used to build sitemaps and assist in static site builds. Extend to
+      // return all URLs that provide views of this document and
+      // should be included in sitemaps and static builds. You may
+      // use `async` when extending
+      getUrlMetadata(req, doc) {
+        if (!doc._url) {
+          return [];
+        }
+        return [
+          {
+            url: doc._url,
+            type: doc.type,
+            aposDocId: doc.aposDocId,
+            i18nId: doc.aposDocId,
+            _id: doc._id,
+            // For legacy reasons. Google 100% ignores this
+            changefreq: 'daily',
+            // For legacy reasons. Google 100% ignores this
+            priority: 1.0
+          }
+        ];
+      },
+
+      // Extend to change the query used when fetching documents of this type
+      // for purposes of building sitemaps and static sites. Should be efficient
+      // while still capturing enough information to generate all URLs for
+      // this particular type of document. By default no relationships are fetched
+      // and widget loaders for areas are not run
+      getUrlMetadataQuery(req) {
+        return self.find(req, {})
+          .relationships(false)
+          .areas(false);
       }
+
     };
   },
   extendMethods(self) {
@@ -2815,7 +2892,10 @@ module.exports = {
           const counts = query.get('distinctCounts');
           if (counts && ((typeof counts) === 'object')) {
             for (const result of results) {
-              result.count = counts[result.value];
+              // For relationship slug builders the value is a slug, but
+              // distinctCounts is keyed by aposDocId (from idsStorage).
+              // Fall back to aposDocId when the value key yields nothing.
+              result.count = counts[result.value] ?? counts[result.aposDocId];
             }
           }
           return results;

package/modules/@apostrophecms/doc-type/ui/apos/components/AposDocEditor.vue

@@ -4,6 +4,7 @@
     :modal="modal"
     :modal-title="modalTitle"
     :modal-data="modalData"
+    :graph-key="graphKey"
     @inactive="modal.active = false"
     @show-modal="modal.showModal = true"
     @esc="confirmAndCancel"
@@ -134,6 +135,7 @@
 
 <script>
 import { klona } from 'klona';
+import { computed } from 'vue';
 import { mapActions } from 'pinia';
 import AposModifiedMixin from 'Modules/@apostrophecms/ui/mixins/AposModifiedMixin';
 import AposModalTabsMixin from 'Modules/@apostrophecms/modal/mixins/AposModalTabsMixin';
@@ -144,6 +146,7 @@ import AposAdvisoryLockMixin from 'Modules/@apostrophecms/ui/mixins/AposAdvisory
 import AposDocErrorsMixin from 'Modules/@apostrophecms/modal/mixins/AposDocErrorsMixin';
 import { detectDocChange } from 'Modules/@apostrophecms/schema/lib/detectChange';
 import { useModalStore } from 'Modules/@apostrophecms/ui/stores/modal';
+import { useWidgetGraphStore } from 'Modules/@apostrophecms/ui/stores/widgetGraph.js';
 
 export default {
   name: 'AposDocEditor',
@@ -156,10 +159,11 @@ export default {
     AposArchiveMixin,
     AposDocErrorsMixin
   ],
-  provide () {
+  provide() {
     return {
       originalDoc: this.originalDoc,
-      liveOriginalDoc: this.docFields
+      liveOriginalDoc: this.docFields,
+      aposGraphKey: computed(() => this.graphKey)
     };
   },
   props: {
@@ -322,6 +326,11 @@ export default {
         type: this.$t(this.moduleOptions.label)
       };
     },
+    graphKey() {
+      return this.modalData?.id && this.currentId
+        ? `${this.modalData.id}:${this.currentId}`
+        : null;
+    },
     saveLabel() {
       if (this.restoreOnly) {
         return 'apostrophe:restore';
@@ -417,9 +426,16 @@ export default {
   },
   unmounted() {
     apos.bus.$off('content-changed', this.onContentChanged);
+    // Destroy the widget graph for this modal's editing context
+    if (this.graphKey) {
+      this.storeDestroyGraph(this.graphKey);
+    }
   },
   methods: {
     ...mapActions(useModalStore, [ 'updateModalData' ]),
+    ...mapActions(useWidgetGraphStore, {
+      storeDestroyGraph: 'destroyGraph'
+    }),
     async instantiateExistingDoc() {
       await this.loadDoc();
       this.evaluateConditions();

package/modules/@apostrophecms/express/index.js

@@ -272,6 +272,11 @@ module.exports = {
           return res.status(403).send('forbidden');
         }
         req.aposExternalFront = true;
+        if (req.headers['x-apos-static-base-url'] === '1') {
+          // Downstream code (page.getBaseUrl) checks this to decide
+          // which base URL to use for this request.
+          self.applyStaticBuildHeaders(req);
+        }
         res.redirect = function(...args) {
           // The external front end needs to issue the actual redirect,
           // not us
@@ -290,6 +295,20 @@ module.exports = {
         };
         return next();
       },
+      // Allow direct API calls (without externalFrontKey) to opt into
+      // static-build URL behavior by sending x-apos-static-base-url: 1.
+      // This is harmless — it only changes how URLs are built in the
+      // response, granting no elevated permissions.
+      staticBuildHeader: {
+        url: '/api/v1',
+        middleware(req, res, next) {
+          // Only act if not already set by externalFront middleware
+          if (!req.aposStaticBuild && req.headers['x-apos-static-base-url'] === '1') {
+            self.applyStaticBuildHeaders(req);
+          }
+          return next();
+        }
+      },
       attachUtilityMethods(req, res, next) {
         // We apply the super pattern variously to res.redirect,
         // make sure the original version is always available
@@ -385,7 +404,7 @@ module.exports = {
             // for the token to be usable to log in.
             $or: [
               { requirementsToVerify: { $exists: false } },
-              { requirementsToVerify: { $ne: [] } }
+              { requirementsToVerify: { $size: 0 } }
             ]
           });
           return bearer && bearer.userId;
@@ -460,6 +479,16 @@ module.exports = {
         }
       },
 
+      applyStaticBuildHeaders(req) {
+        if (req.aposStaticBuild) {
+          return;
+        }
+        req.aposStaticBuild = true;
+        if (self.apos.staticBaseUrl) {
+          req.staticBaseUrl = self.apos.staticBaseUrl;
+        }
+      },
+
       logAllRoutes() {
         const superUse = self.apos.app.use.bind(self.apos.app);
         const methods = [ 'get', 'post', 'put', 'delete', 'patch', 'options', 'head', 'all' ];

package/modules/@apostrophecms/file/index.js

@@ -1,5 +1,3 @@
-const _ = require('lodash');
-
 // A subclass of `@apostrophecms/piece-type`, `@apostrophecms/file` establishes
 // a library of uploaded files, which may be of any type acceptable to the
 // [@apostrophecms/attachment](../@apostrophecms/attachment/index.html) module.
@@ -8,6 +6,8 @@ const _ = require('lodash');
 // module provides a simple way to add downloadable PDFs and the like to a
 // website, and to manage a library of them for reuse.
 
+const streamProxy = require('../../../lib/stream-proxy.js');
+
 module.exports = {
   extend: '@apostrophecms/piece-type',
   options: {
@@ -26,7 +26,9 @@ module.exports = {
     // Files should by default be considered "related documents" when localizing
     // another document that references them
     relatedDocument: true,
-    relationshipSuggestionIcon: 'file-document-icon'
+    relationshipSuggestionIcon: 'file-document-icon',
+    prettyUrls: false,
+    prettyUrlDir: '/files'
   },
   fields: {
     remove: [ 'visibility' ],
@@ -92,10 +94,73 @@ module.exports = {
   },
   methods(self) {
     return {
+      // File docs are attachment containers themselves — their
+      // attachments are discovered via relationship walking from
+      // the content docs that reference them.  Iterating all
+      // published files here would make the "used" scope
+      // equivalent to "all", defeating scoped attachment builds.
+      async getAllUrlMetadata() {
+        return {
+          metadata: [],
+          attachmentDocIds: []
+        };
+      },
       addUrls(req, files) {
-        _.each(files, function (file) {
-          file._url = self.apos.attachment.url(file.attachment);
-        });
+        for (const file of files) {
+          // Watch out for projections with no attachment property
+          // (the slug-taken route does that)
+          if (self.options.prettyUrls && file.attachment) {
+            const { extension } = file.attachment;
+            const baseUrl = self.apos.url.getBaseUrl(req, { prefix: true });
+            file._url = `${baseUrl}${self.options.prettyUrlDir}/${file.slug.replace(self.options.slugPrefix || '', '')}.${extension}`;
+            file.attachment._prettyUrl = file._url;
+          } else {
+            file._url = self.apos.attachment.url(file.attachment);
+          }
+        }
+      }
+    };
+  },
+  routes(self) {
+    if (!self.options.prettyUrls) {
+      return;
+    }
+    return {
+      get: {
+        async [`${self.options.prettyUrlDir}/*`](req, res) {
+          try {
+            const matches = (req.params[0] || '').match(/^([^.]+)\.\w+$/);
+            if (!matches) {
+              return res.status(400).send('invalid');
+            }
+            const [ , slug ] = matches;
+            if (slug.includes('..') || slug.includes('/')) {
+              return res.status(403).send('forbidden');
+            }
+            const file = await self.find(req, {
+              slug: `${self.options.slugPrefix}${slug}`
+            }).toObject();
+            if (!file) {
+              return res.status(404).send('not found');
+            }
+
+            // Determine the normal, "ugly" URL and stream the
+            // response from it, passing on the most important
+            // headers. Supporting range requests, which PDF viewers
+            // like to use for pagination, was considered but
+            // the potential interacts with gzip encoding are complex
+            // and we currently do use it by default with s3 for PDFs.
+            // Viewers will still display the document after
+            // completing the download
+            const uglyUrl = self.apos.attachment.url(file.attachment, {
+              prettyUrl: false
+            });
+            return await streamProxy(req, uglyUrl, { error: self.apos.util.error });
+          } catch (e) {
+            self.apos.util.error('Error in pretty URL route:', e);
+            return res.status(500).send('error');
+          }
+        }
       }
     };
   }

package/modules/@apostrophecms/i18n/index.js

@@ -222,7 +222,26 @@ module.exports = {
             const doc = localizations.find(doc => doc.aposLocale.split(':')[0] === name);
             if (doc && self.apos.permission.can(req, 'view', doc)) {
               doc.available = true;
-              doc._url = `${self.apos.prefix}${manager.action}/${context._id}/locale/${name}`;
+              // WARNING: the `addUrls` call below has a serious
+              // performance impact (extra DB queries per locale).
+              // Keep this gated for static builds only.
+              if (self.apos.url.isExternalFront(req) && self.apos.url.options.static) {
+                // Static builds can't follow the API redirect route
+                // (there is no server to handle it), so compute the
+                // real URL using the same mechanisms the query builders
+                // would.
+                if (self.apos.page.isPage(doc)) {
+                  doc._url = `${localeReq.prefix}${doc.slug}`;
+                } else if (manager.addUrls) {
+                  await manager.addUrls(localeReq, [ doc ]);
+                }
+              }
+              // Fall back to the API redirect route when no real URL
+              // was resolved (e.g. traditional Nunjucks frontend, non static
+              // external frontend).
+              if (!doc._url) {
+                doc._url = `${self.apos.prefix}${manager.action}/${context._id}/locale/${name}`;
+              }
               if (doc._id === context._id) {
                 doc.current = true;
               }