hfs 0.42.3 → 0.44.0

package/src/perm.js

@@ -41,7 +41,7 @@ function saveSrpInfo(account, salt, verifier) {
     account.srp = String(salt) + '|' + String(verifier);
 }
 exports.saveSrpInfo = saveSrpInfo;
-exports.allowClearTextLogin = (0, config_1.defineConfig)('allow_clear_text_login');
+exports.allowClearTextLogin = (0, config_1.defineConfig)('allow_clear_text_login', false);
 const srp6aNimbusRoutines = new tssrp6a_1.SRPRoutines(new tssrp6a_1.SRPParameters());
 async function updateAccount(account, changer) {
     const was = JSON.stringify(account);

package/src/plugins.js

@@ -231,7 +231,8 @@ async function rescan() {
         if (found.includes(id)) // not twice
             continue;
         found.push(id);
-        loadPlugin(id, f);
+        if (!plugins[id]) // already loaded
+            loadPlugin(id, f);
     }
     for (const [id, p] of Object.entries(foundDisabled)) {
         const a = availablePlugins[id];
@@ -322,17 +323,16 @@ function deleteModule(id) {
             for (const child of (0, misc_1.wantArray)((_a = cache[k]) === null || _a === void 0 ? void 0 : _a.children))
                 (0, misc_1.getOrSet)(requiredBy, child.id, () => []).push(k);
     const deleted = [];
-    recur(id);
-    function recur(id) {
-        let mod = cache[id];
+    (function deleteCache(id) {
+        const mod = cache[id];
         if (!mod)
             return;
         delete cache[id];
         deleted.push(id);
         for (const child of mod.children)
             if (!lodash_1.default.difference(requiredBy[child.id], deleted).length)
-                recur(child.id);
-    }
+                deleteCache(child.id);
+    })(id);
 }
 (0, misc_1.onProcessExit)(() => Promise.allSettled(mapPlugins(pl => pl.unload())));
 function parsePluginSource(id, source) {

package/src/serveFile.js

@@ -33,6 +33,8 @@ function serveFileNode(ctx, node) {
         }
     }
     ctx.vfsNode = node; // useful to tell service files from files shared by the user
+    if ('dl' in ctx.query) // please, download
+        ctx.attachment(name);
     return serveFile(ctx, source || '', mimeString);
 }
 exports.serveFileNode = serveFileNode;
@@ -41,8 +43,6 @@ async function serveFile(ctx, source, mime, content) {
     if (!source)
         return;
     const fn = path_1.default.basename(source);
-    if ('dl' in ctx.params) // please, download
-        ctx.attachment(fn);
     mime = mime !== null && mime !== void 0 ? mime : lodash_1.default.find(mimeCfg.get(), (v, k) => (0, misc_1.matches)(fn, k));
     if (mime === vfs_1.MIME_AUTO)
         mime = mime_types_1.default.lookup(source) || '';

package/src/serveGuiFiles.js

@@ -41,6 +41,7 @@ const valtio_1 = require("valtio");
 const customHtml_1 = require("./customHtml");
 const lodash_1 = __importDefault(require("lodash"));
 const config_1 = require("./config");
+const lang_1 = require("./lang");
 // in case of dev env we have our static files within the 'dist' folder'
 const DEV_STATIC = process.env.DEV ? 'dist/' : '';
 function serveStatic(uri) {
@@ -68,8 +69,6 @@ function serveStatic(uri) {
             return (0, serveFile_1.serveFile)(ctx, fullPath, 'auto', content);
         // we don't cache the index as it's small and may prevent plugins change to apply
         ctx.body = await treatIndex(ctx, uri, String(content));
-        ctx.type = 'html';
-        ctx.set('Cache-Control', 'no-store, no-cache, must-revalidate');
     };
 }
 function shouldServeApp(ctx) {
@@ -84,10 +83,10 @@ function adjustBundlerLinks(ctx, uri, data) {
 async function treatIndex(ctx, filesUri, body) {
     const session = await (0, api_auth_1.refresh_session)({}, ctx);
     ctx.set('etag', '');
+    ctx.set('Cache-Control', 'no-store, no-cache, must-revalidate');
+    ctx.type = 'html';
     const isFrontend = filesUri === const_1.FRONTEND_URI;
     const pub = ctx.state.revProxyPath + const_1.PLUGINS_PUB_URI;
-    const css = (0, plugins_1.mapPlugins)((plug, k) => { var _a; return (_a = (isFrontend ? plug.frontend_css : null)) === null || _a === void 0 ? void 0 : _a.map(f => pub + k + '/' + f); }).flat().filter(Boolean);
-    const js = (0, plugins_1.mapPlugins)((plug, k) => { var _a; return (_a = (isFrontend ? plug.frontend_js : null)) === null || _a === void 0 ? void 0 : _a.map(f => pub + k + '/' + f); }).flat().filter(Boolean);
     // expose plugins' configs that are declared with 'frontend' attribute
     const plugins = Object.fromEntries((0, misc_1.onlyTruthy)((0, plugins_1.mapPlugins)((pl, name) => {
         var _a, _b;
@@ -99,9 +98,10 @@ async function treatIndex(ctx, filesUri, body) {
         configs = ((_b = (_a = (0, plugins_1.getPluginInfo)(name)).onFrontendConfig) === null || _b === void 0 ? void 0 : _b.call(_a, configs)) || configs;
         return !lodash_1.default.isEmpty(configs) && [name, configs];
     })));
+    const lang = await (0, lang_1.getLangData)(ctx);
     let ret = body
         .replace(/((?:src|href) *= *['"])\/?(?![a-z]+:\/\/)/g, '$1' + ctx.state.revProxyPath + filesUri)
-        .replace('</head>', () => `
+        .replace('<body>', () => `<body>
             ${!isFrontend ? '' : `
                 <title>${adminApis_1.title.get()}</title>
                 <link rel="icon" href="${adminApis_1.favicon.get() ? '/favicon.ico' : 'data:;'}" />
@@ -115,18 +115,31 @@ async function treatIndex(ctx, filesUri, body) {
         plugins,
         prefixUrl: ctx.state.revProxyPath,
         customHtml: lodash_1.default.omit(Object.fromEntries(customHtml_1.customHtmlState.sections), ['top', 'bottom']),
-        fileMenuOnLink: fileMenuOnLink.get()
-    }, null, 4)}
+        fileMenuOnLink: fileMenuOnLink.get(),
+        lang
+    }, null, 4)
+        .replace(/<(\/script)/g, '<"+"$1') /*avoid breaking our script container*/}
             document.documentElement.setAttribute('ver', '${const_1.VERSION.split('-')[0] /*for style selectors*/}')
+            HFS.getPluginKey = () => document.currentScript?.getAttribute('plugin')
+                || console.error("this function must be called at the very top of your file")
+            HFS.getPluginConfig = () => HFS.plugins[HFS.getPluginKey()]
             </script>
             <style>
             :root {
                 ${lodash_1.default.map(plugins, (configs, pluginName) => lodash_1.default.map(configs, (v, k) => `--${pluginName}-${k}: ${serializeCss(v)};`).join('\n')).join('')}
             }
             </style>
-            ${css.map(uri => `<link rel='stylesheet' type='text/css' href='${uri}'/>`).join('\n')}
-            ${js.map(uri => `<script defer src='${uri}'></script>`).join('\n')}
-        </head>`);
+            ${!isFrontend ? '' : (0, plugins_1.mapPlugins)((plug, k) => {
+        var _a;
+        return (_a = plug.frontend_css) === null || _a === void 0 ? void 0 : _a.map(f => `<link rel='stylesheet' type='text/css' href='${pub + k + '/' + f}' plugin=${JSON.stringify(k)}/>`);
+    })
+        .flat().filter(Boolean).join('\n')}
+            ${!isFrontend ? '' : (0, plugins_1.mapPlugins)((plug, k) => {
+        var _a;
+        return (_a = plug.frontend_js) === null || _a === void 0 ? void 0 : _a.map(f => `<script defer plugin=${JSON.stringify(k)} src='${pub + k + '/' + f}'></script>`);
+    })
+        .flat().filter(Boolean).join('\n')}
+        `);
     if (isFrontend)
         ret = ret
             .replace('<body>', '<body>' + (0, customHtml_1.getSection)('top'))

package/src/update.js

@@ -10,9 +10,8 @@ const misc_1 = require("./misc");
 const fs_1 = require("fs");
 const plugins_1 = require("./plugins");
 const promises_1 = require("fs/promises");
-const HFS_REPO = 'rejetto/hfs';
 async function getUpdate() {
-    const [latest] = await (0, github_1.getRepoInfo)(HFS_REPO + '/releases?per_page=1');
+    const [latest] = await (0, github_1.getRepoInfo)(const_1.HFS_REPO + '/releases?per_page=1');
     if (latest.name === const_1.VERSION)
         throw "you already have the latest version: " + const_1.VERSION;
     return latest;

package/src/upload.js

@@ -15,14 +15,13 @@ const util_os_1 = require("./util-os");
 const connections_1 = require("./connections");
 const throttler_1 = require("./throttler");
 const lodash_1 = __importDefault(require("lodash"));
-exports.deleteUnfinishedUploadsAfter = (0, config_1.defineConfig)('delete_unfinished_uploads_after');
+exports.deleteUnfinishedUploadsAfter = (0, config_1.defineConfig)('delete_unfinished_uploads_after', 86400);
 exports.minAvailableMb = (0, config_1.defineConfig)('min_available_mb', 100);
 const dontOverwriteUploading = (0, config_1.defineConfig)('dont_overwrite_uploading', false);
 const waitingToBeDeleted = {};
 function uploadWriter(base, path, ctx) {
-    const res = (0, vfs_1.statusCodeForMissingPerm)(base, 'can_upload', ctx);
-    if (res)
-        return fail(res);
+    if ((0, vfs_1.statusCodeForMissingPerm)(base, 'can_upload', ctx))
+        return fail();
     const fullPath = (0, path_1.join)(base.source, path);
     const dir = (0, path_1.dirname)(fullPath);
     const min = exports.minAvailableMb.get() * (1 << 20);
@@ -36,7 +35,7 @@ function uploadWriter(base, path, ctx) {
                 return fail(const_1.HTTP_PAYLOAD_TOO_LARGE);
         }
         catch (e) {
-            console.warn("can't check disk size", e.message || String(e));
+            console.warn("can't check disk size:", e.message || String(e));
         }
     fs_1.default.mkdirSync(dir, { recursive: true });
     const keepName = (0, path_1.basename)(fullPath).slice(-200);
@@ -122,7 +121,8 @@ function uploadWriter(base, path, ctx) {
         delete waitingToBeDeleted[path];
     }
     function fail(status) {
-        ctx.status = status;
+        if (status)
+            ctx.status = status;
         (0, frontEndApis_1.notifyClient)(ctx, 'upload.status', { [path]: ctx.status }); // allow browsers to detect failure while still sending body
     }
 }

package/src/util-http.js

@@ -20,13 +20,15 @@ function httpsString(url, options = {}) {
 exports.httpsString = httpsString;
 function httpsStream(url, options = {}) {
     return new Promise((resolve, reject) => {
-        node_https_1.default.request(url, options, res => {
+        const req = node_https_1.default.request(url, options, res => {
             if (!res.statusCode || res.statusCode >= 400)
-                throw res;
+                return reject(new Error(String(res.statusCode), { cause: res }));
             if (res.statusCode === const_1.HTTP_TEMPORARY_REDIRECT && res.headers.location)
                 return resolve(httpsStream(res.headers.location, options));
             resolve(res);
-        }).on('error', reject).end();
+        }).on('error', e => {
+            reject(req.res || e);
+        }).end();
     });
 }
 exports.httpsStream = httpsStream;

package/src/vfs.js

@@ -4,7 +4,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.walkNode = exports.statusCodeForMissingPerm = exports.hasPermission = exports.nodeIsDirectory = exports.getNodeName = exports.saveVfs = exports.vfs = exports.urlToNode = exports.isSameFilenameAs = exports.MIME_AUTO = exports.defaultPerms = void 0;
+exports.parentMaskApplier = exports.masksCouldGivePermission = exports.walkNode = exports.statusCodeForMissingPerm = exports.hasPermission = exports.nodeIsDirectory = exports.getNodeName = exports.saveVfs = exports.vfs = exports.urlToNode = exports.applyParentToChild = exports.isSameFilenameAs = exports.MIME_AUTO = exports.PERM_KEYS = exports.defaultPerms = exports.WHO_ANY_ACCOUNT = exports.WHO_NO_ONE = exports.WHO_ANYONE = void 0;
 const promises_1 = __importDefault(require("fs/promises"));
 const path_1 = require("path");
 const misc_1 = require("./misc");
@@ -13,21 +13,25 @@ const config_1 = require("./config");
 const const_1 = require("./const");
 const events_1 = __importDefault(require("./events"));
 const perm_1 = require("./perm");
-const WHO_ANYONE = true;
-const WHO_NO_ONE = false;
-const WHO_ANY_ACCOUNT = '*';
+exports.WHO_ANYONE = true;
+exports.WHO_NO_ONE = false;
+exports.WHO_ANY_ACCOUNT = '*';
 exports.defaultPerms = {
-    can_see: WHO_ANYONE,
-    can_read: WHO_ANYONE,
-    can_list: WHO_ANYONE,
-    can_upload: WHO_NO_ONE,
-    can_delete: WHO_NO_ONE,
+    can_see: 'can_read',
+    can_read: exports.WHO_ANYONE,
+    can_list: 'can_read',
+    can_upload: exports.WHO_NO_ONE,
+    can_delete: exports.WHO_NO_ONE,
 };
+exports.PERM_KEYS = (0, misc_1.typedKeys)(exports.defaultPerms);
 exports.MIME_AUTO = 'auto';
 function inheritFromParent(parent, child) {
     var _a, _b, _c;
-    for (const k of (0, misc_1.typedKeys)(exports.defaultPerms))
-        (_a = child[k]) !== null && _a !== void 0 ? _a : (child[k] = parent[k]);
+    for (const k of (0, misc_1.typedKeys)(exports.defaultPerms)) {
+        const v = parent[k];
+        if (v !== undefined) // small optimization: don't expand the object
+            (_a = child[k]) !== null && _a !== void 0 ? _a : (child[k] = v);
+    }
     if (typeof parent.mime === 'object' && typeof child.mime === 'object')
         lodash_1.default.defaults(child.mime, parent.mime);
     else
@@ -40,6 +44,20 @@ function isSameFilenameAs(name) {
     return (other) => lc === (typeof other === 'string' ? other : getNodeName(other)).toLowerCase();
 }
 exports.isSameFilenameAs = isSameFilenameAs;
+function applyParentToChild(child, parent, name) {
+    const ret = {
+        ...child,
+        original: child,
+        isTemp: true,
+        parent,
+    };
+    name || (name = child ? getNodeName(child) : '');
+    inheritMasks(ret, parent, name);
+    parentMaskApplier(parent)(ret, name);
+    inheritFromParent(parent, ret);
+    return ret;
+}
+exports.applyParentToChild = applyParentToChild;
 async function urlToNode(url, ctx, parent = exports.vfs, getRest) {
     var _a;
     let initialSlashes = 0;
@@ -57,19 +75,11 @@ async function urlToNode(url, ctx, parent = exports.vfs, getRest) {
     }
     // does the tree node have a child that goes by this name?
     const child = (_a = parent.children) === null || _a === void 0 ? void 0 : _a.find(isSameFilenameAs(name));
-    const ret = {
-        ...child,
-        original: child,
-        isTemp: true,
-    };
-    inheritMasks(ret, parent, name);
-    applyMasks(ret, parent, name);
-    inheritFromParent(parent, ret);
+    if (!child && !parent.source)
+        return; // on tree or on disk
+    const ret = applyParentToChild(child, parent, name);
     if (child) // yes
         return urlToNode(rest, ctx, ret, getRest);
-    // not in the tree, we can see consider continuing on the disk
-    if (!parent.source)
-        return; // but then we need the current node to be linked to the disk, otherwise, we give up
     let onDisk = name;
     if (parent.rename) { // reverse the mapping
         for (const [from, to] of Object.entries(parent.rename))
@@ -124,27 +134,47 @@ async function nodeIsDirectory(node) {
 }
 exports.nodeIsDirectory = nodeIsDirectory;
 function hasPermission(node, perm, ctx) {
-    var _a;
-    return (node.source || perm !== 'can_upload') // Upload possible only if we know where to store. First check node.source because is supposedly faster.
-        && matchWho((_a = node[perm]) !== null && _a !== void 0 ? _a : exports.defaultPerms[perm], ctx);
+    return !statusCodeForMissingPerm(node, perm, ctx, false);
 }
 exports.hasPermission = hasPermission;
-function statusCodeForMissingPerm(node, perm, ctx) {
-    if (hasPermission(node, perm, ctx))
-        return false;
-    return ctx.status = node[perm] === false ? const_1.HTTP_FORBIDDEN : const_1.HTTP_UNAUTHORIZED;
+function statusCodeForMissingPerm(node, perm, ctx, assign = true) {
+    const ret = getCode();
+    if (ret && assign)
+        ctx.status = ret;
+    return ret;
+    function getCode() {
+        var _a;
+        if (!node.source && perm === 'can_upload') // Upload possible only if we know where to store. First check node.source because is supposedly faster.
+            return const_1.HTTP_FORBIDDEN;
+        // calculate value of permission resolving references to other permissions, avoiding infinite loop
+        let who;
+        let max = exports.PERM_KEYS.length;
+        do {
+            who = (_a = node[perm]) !== null && _a !== void 0 ? _a : exports.defaultPerms[perm];
+            if (!max-- || typeof who !== 'string' || who === exports.WHO_ANY_ACCOUNT)
+                break;
+            perm = who;
+        } while (1);
+        if (Array.isArray(who)) {
+            const arr = who; // shut up ts
+            // check if I or any ancestor match `who`, but cache ancestors' usernames inside context state
+            const some = (0, misc_1.getOrSet)(ctx.state, 'usernames', () => (0, perm_1.getCurrentUsernameExpanded)(ctx))
+                .some((u) => arr.includes(u));
+            return some ? 0 : const_1.HTTP_UNAUTHORIZED;
+        }
+        return typeof who === 'boolean' ? (who ? 0 : const_1.HTTP_FORBIDDEN)
+            : who === exports.WHO_ANY_ACCOUNT ? (ctx.state.account ? 0 : const_1.HTTP_UNAUTHORIZED)
+                : (() => { throw Error('invalid permission: ' + who); })();
+    }
 }
 exports.statusCodeForMissingPerm = statusCodeForMissingPerm;
 // it's responsibility of the caller to verify you have list permission on parent, as callers have different needs.
 // Too many parameters: consider object, but benchmark against degraded recursion on huge folders.
 async function* walkNode(parent, ctx, depth = 0, prefixPath = '', requiredPerm) {
     var _a;
-    if (requiredPerm && ctx
-        && !hasPermission(parent, requiredPerm, ctx)
-        && !masksCouldGivePermission(parent.masks))
-        return; // no permission, no reason to continue
     const { children, source } = parent;
     const took = prefixPath ? undefined : new Set();
+    const maskApplier = parentMaskApplier(parent);
     if (children)
         for (const child of children) {
             const nodeName = getNodeName(child);
@@ -162,6 +192,10 @@ async function* walkNode(parent, ctx, depth = 0, prefixPath = '', requiredPerm)
         }
     if (!source)
         return;
+    if (requiredPerm && ctx // no permission, no reason to continue (at least for dynamic elements)
+        && !hasPermission(parent, requiredPerm, ctx)
+        && !masksCouldGivePermission(parent.masks, requiredPerm))
+        return;
     try {
         let lastDir = prefixPath.slice(0, -1) || '.';
         const map = new Map();
@@ -196,46 +230,58 @@ async function* walkNode(parent, ctx, depth = 0, prefixPath = '', requiredPerm)
     // item will be changed, so be sure to pass a temp node
     function canSee(item) {
         // we basename for depth>0 where we already have the rest of the path in the parent's url, and would be duplicated
-        applyMasks(item, parent, (0, path_1.basename)(getNodeName(item)));
+        maskApplier(item, (0, path_1.basename)(getNodeName(item)));
         inheritFromParent(parent, item);
         if (ctx && !hasPermission(item, 'can_see', ctx))
             return;
         item.isTemp = true;
         return item;
     }
-    function masksCouldGivePermission(masks) {
-        if (!masks)
-            return false;
-        for (const [, props] of Object.entries(masks)) {
-            const v = props[requiredPerm];
-            if (v && (!ctx || matchWho(v, ctx))) // without ctx we can't say, so it could
-                return true;
-            if (masksCouldGivePermission(props.masks))
-                return true;
-        }
-        return false;
-    }
 }
 exports.walkNode = walkNode;
-function applyMasks(item, parent, virtualBasename) {
-    const { masks } = parent;
-    if (!masks)
-        return;
-    for (const [k, v] of Object.entries(masks))
-        if (k.startsWith('**/') && (0, misc_1.matches)(virtualBasename, k.slice(3))
-            || !k.includes('/') && (0, misc_1.matches)(virtualBasename, k))
-            lodash_1.default.defaults(item, v);
+function masksCouldGivePermission(masks, perm) {
+    return masks !== undefined && Object.values(masks).some(props => props[perm] || masksCouldGivePermission(props.masks, perm));
+}
+exports.masksCouldGivePermission = masksCouldGivePermission;
+function parentMaskApplier(parent) {
+    const matchers = Object.entries(parent.masks || {}).map(([k, v]) => {
+        k = k.startsWith('**/') ? k.slice(3) : !k.includes('/') ? k : '';
+        if (!k)
+            return;
+        const m = (0, misc_1.makeMatcher)(k);
+        return [m, v];
+    });
+    return (item, virtualBasename) => {
+        if (virtualBasename === undefined)
+            virtualBasename = getNodeName(item);
+        for (const entry of matchers) {
+            if (!entry)
+                continue;
+            const [matcher, mods] = entry;
+            if (!matcher(virtualBasename))
+                continue;
+            if (item.masks)
+                item.masks = lodash_1.default.merge(lodash_1.default.cloneDeep(mods.masks), item.masks); // item.masks must take precedence
+            lodash_1.default.defaults(item, mods);
+        }
+    };
 }
+exports.parentMaskApplier = parentMaskApplier;
 function inheritMasks(item, parent, virtualBasename) {
     const { masks } = parent;
     if (!masks)
         return;
     const o = {};
-    for (const [k, v] of Object.entries(masks))
-        if (k.startsWith('**/'))
-            o[k.slice(3)] = v;
-        else if (k.startsWith(virtualBasename + '/'))
-            o[k.slice(virtualBasename.length + 1)] = v;
+    for (const [k, v] of Object.entries(masks)) {
+        const neg = k[0] === '!' && k[1] !== '(' ? '!' : '';
+        const withoutNeg = neg ? k.slice(1) : k;
+        if (withoutNeg.startsWith('**'))
+            o[k] = v;
+        else if (withoutNeg.startsWith('*/'))
+            o[neg + withoutNeg.slice(2)] = v;
+        else if (withoutNeg.startsWith(virtualBasename + '/'))
+            o[neg + withoutNeg.slice(virtualBasename.length + 1)] = v;
+    }
     if (Object.keys(o).length)
         item.masks = lodash_1.default.defaults(item.masks, o);
 }
@@ -247,24 +293,18 @@ function renameUnderPath(rename, path) {
     delete rename[''];
     return lodash_1.default.isEmpty(rename) ? undefined : rename;
 }
-function matchWho(who, ctx) {
-    return who === WHO_ANYONE
-        || who === WHO_ANY_ACCOUNT && Boolean(ctx.state.account)
-        || Array.isArray(who) // check if I or any ancestor match `who`, but cache ancestors' usernames inside context state
-            && (0, misc_1.getOrSet)(ctx.state, 'usernames', () => (0, perm_1.getCurrentUsernameExpanded)(ctx)).some((u) => who.includes(u));
-}
 events_1.default.on('accountRenamed', (from, to) => {
-    recur(exports.vfs);
-    saveVfs();
-    function recur(n) {
+    ;
+    (function renameInNode(n) {
         var _a;
-        for (const k of (0, misc_1.typedKeys)(exports.defaultPerms))
-            replace(n[k]);
+        for (const k of exports.PERM_KEYS)
+            renameInPerm(n[k]);
         if (n.masks)
-            Object.values(n.masks).forEach(recur);
-        (_a = n.children) === null || _a === void 0 ? void 0 : _a.forEach(recur);
-    }
-    function replace(a) {
+            Object.values(n.masks).forEach(renameInNode);
+        (_a = n.children) === null || _a === void 0 ? void 0 : _a.forEach(renameInNode);
+    })(exports.vfs);
+    saveVfs();
+    function renameInPerm(a) {
         if (!Array.isArray(a))
             return;
         for (let i = 0; i < a.length; i++)

package/src/zip.js

@@ -26,16 +26,16 @@ async function zipStreamFromFolder(node, ctx) {
     const filter = (0, misc_1.pattern2filter)(String(ctx.query.search || ''));
     const walker = !list ? (0, vfs_1.walkNode)(node, ctx, Infinity, '', 'can_read')
         : (async function* () {
-            for await (const el of list) {
-                const subNode = await (0, vfs_1.urlToNode)(el, ctx, node);
+            for await (const uri of list) {
+                const subNode = await (0, vfs_1.urlToNode)(uri, ctx, node);
                 if (!subNode)
                     continue;
                 if (await (0, vfs_1.nodeIsDirectory)(subNode)) { // a directory needs to walked
                     if ((0, vfs_1.hasPermission)(subNode, 'can_list', ctx))
-                        yield* (0, vfs_1.walkNode)(subNode, ctx, Infinity, el + '/', 'can_read');
+                        yield* (0, vfs_1.walkNode)(subNode, ctx, Infinity, uri + '/', 'can_read');
                     continue;
                 }
-                let folder = (0, path_1.dirname)(el);
+                let folder = (0, path_1.dirname)(decodeURIComponent(uri)); // decodeURI() won't account for %23=#
                 folder = folder === '.' ? '' : folder + '/';
                 yield { ...subNode, name: folder + (0, vfs_1.getNodeName)(subNode) }; // reflect relative path in archive, otherwise way may have name-clashes
             }