webspresso 0.0.74 → 0.0.75

package/plugins/admin-panel/core/api-extensions.js

@@ -25,10 +25,21 @@ function buildFilteredQuery(repo, filters, options = {}) {
   }
   
   for (const [column, filter] of Object.entries(filters)) {
-    if (!filter || (filter.value === '' && !filter.from && !filter.to)) continue;
-    
+    if (!filter) continue;
+
     const op = filter.op || filter.operator || 'contains';
-    
+
+    if (op === 'is_null') {
+      query = query.whereNull(column);
+      continue;
+    }
+    if (op === 'is_not_null') {
+      query = query.whereNotNull(column);
+      continue;
+    }
+
+    if (filter.value === '' && !filter.from && !filter.to) continue;
+
     switch (op) {
       case 'contains':
         query = query.where(column, 'like', `%${filter.value}%`);
@@ -86,6 +97,60 @@ async function getAllMatchingIds(repo, filters, primaryKey = 'id', options = {})
   return records.map(r => r[primaryKey]);
 }
 
+const BULK_TEMPORAL_TYPES = new Set(['date', 'datetime', 'timestamp']);
+
+/**
+ * Bulk field update: coerce date / datetime / timestamp body values to Date (or null).
+ * @param {object} columnMeta - ORM column metadata
+ * @param {unknown} raw
+ * @param {string} fieldName
+ * @returns {{ value: Date|null }|{ error: string }}
+ */
+function coerceBulkTemporalValue(columnMeta, raw, fieldName) {
+  const nullable = !!columnMeta.nullable;
+  const empty =
+    raw === null ||
+    raw === undefined ||
+    (typeof raw === 'string' && raw.trim() === '');
+
+  if (empty) {
+    if (nullable) return { value: null };
+    return { error: `Field "${fieldName}" requires a value` };
+  }
+
+  if (columnMeta.type === 'date') {
+    if (typeof raw !== 'string') return { error: `Invalid date value for "${fieldName}"` };
+    const s = raw.trim();
+    if (!/^\d{4}-\d{2}-\d{2}$/.test(s)) {
+      return { error: `Date must be YYYY-MM-DD for "${fieldName}"` };
+    }
+    const d = new Date(`${s}T12:00:00.000Z`);
+    if (Number.isNaN(d.getTime())) return { error: `Invalid date for "${fieldName}"` };
+    return { value: d };
+  }
+
+  if (columnMeta.type === 'datetime' || columnMeta.type === 'timestamp') {
+    if (typeof raw !== 'string') return { error: `Invalid datetime value for "${fieldName}"` };
+    const s = raw.trim();
+    let d;
+    if (/^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}$/.test(s)) {
+      d = new Date(s);
+    } else if (/^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}/.test(s)) {
+      d = new Date(s);
+    } else if (/^\d{4}-\d{2}-\d{2}$/.test(s)) {
+      d = new Date(`${s}T00:00:00`);
+    } else {
+      d = new Date(s);
+    }
+    if (Number.isNaN(d.getTime())) {
+      return { error: `Invalid datetime for "${fieldName}"` };
+    }
+    return { value: d };
+  }
+
+  return { error: `Field "${fieldName}" is not a temporal type` };
+}
+
 /**
  * Create extension API handlers
  * @param {Object} options - Options
@@ -258,7 +323,7 @@ function createExtensionApiHandlers(options) {
   }
 
   /**
-   * Bulk update field values (for enum/boolean fields)
+   * Bulk update field values (enum, boolean, date, datetime, timestamp)
    * Supports both specific IDs and selectAll mode with filters
    */
   async function bulkUpdateFieldHandler(req, res) {
@@ -283,13 +348,18 @@ function createExtensionApiHandlers(options) {
         return res.status(400).json({ error: `Field "${field}" not found in model` });
       }
 
-      // Validate field type - only allow enum and boolean
       const enumValues = columnMeta.enumValues || columnMeta.enum;
       const isEnum = enumValues && Array.isArray(enumValues);
       const isBoolean = columnMeta.type === 'boolean';
-
-      if (!isEnum && !isBoolean) {
-        return res.status(400).json({ error: `Field "${field}" is not an enum or boolean type` });
+      const isTemporal =
+        BULK_TEMPORAL_TYPES.has(columnMeta.type) &&
+        columnMeta.auto !== 'create' &&
+        columnMeta.auto !== 'update';
+
+      if (!isEnum && !isBoolean && !isTemporal) {
+        return res.status(400).json({
+          error: `Field "${field}" is not bulk-updatable (allowed: enum, boolean, date, datetime, timestamp)`,
+        });
       }
 
       // Validate value for enum fields
@@ -297,10 +367,15 @@ function createExtensionApiHandlers(options) {
         return res.status(400).json({ error: `Invalid value "${value}" for enum field "${field}"` });
       }
 
-      // Coerce boolean value
       let updateValue = value;
       if (isBoolean) {
         updateValue = value === true || value === 'true' || value === 1 || value === '1';
+      } else if (isTemporal) {
+        const coerced = coerceBulkTemporalValue(columnMeta, value, field);
+        if (coerced.error) {
+          return res.status(400).json({ error: coerced.error });
+        }
+        updateValue = coerced.value;
       }
 
       // Get repository and determine IDs
@@ -351,7 +426,7 @@ function createExtensionApiHandlers(options) {
   }
 
   /**
-   * Get bulk-updatable fields for a model (enum and boolean fields)
+   * Get bulk-updatable fields for a model (enum, boolean, date, datetime, timestamp)
    */
   function bulkFieldsHandler(req, res) {
     try {
@@ -364,14 +439,21 @@ function createExtensionApiHandlers(options) {
         return res.status(404).json({ error: 'Model not found or not enabled' });
       }
 
+      const hiddenSet = new Set(model.hidden || []);
       const bulkFields = [];
 
       // model.columns is a Map<string, ColumnMeta> - values are already metadata objects
       for (const [fieldName, columnMeta] of model.columns.entries()) {
+        if (hiddenSet.has(fieldName)) continue;
+
         // Check for enum - schema uses 'enumValues' property
         const enumValues = columnMeta.enumValues || columnMeta.enum;
         const isEnum = enumValues && Array.isArray(enumValues);
         const isBoolean = columnMeta.type === 'boolean';
+        const isTemporal =
+          BULK_TEMPORAL_TYPES.has(columnMeta.type) &&
+          columnMeta.auto !== 'create' &&
+          columnMeta.auto !== 'update';
 
         if (isEnum) {
           bulkFields.push({
@@ -390,6 +472,13 @@ function createExtensionApiHandlers(options) {
               { value: false, label: 'False' },
             ],
           });
+        } else if (isTemporal) {
+          bulkFields.push({
+            name: fieldName,
+            type: columnMeta.type,
+            label: columnMeta.label || fieldName,
+            nullable: !!columnMeta.nullable,
+          });
         }
       }
 
@@ -660,4 +749,5 @@ module.exports = {
   createExtensionApiHandlers,
   buildFilteredQuery,
   getAllMatchingIds,
+  coerceBulkTemporalValue,
 };

package/plugins/admin-panel/index.js

@@ -31,6 +31,7 @@ const { registerModule } = require('./core/admin-module');
  * @param {Object} [options.userManagement.fields] - Field mappings
  * @param {Function} [options.configure] - Configuration callback (registry) => void
  * @param {string} [options.uploadUrl] - POST URL for file uploads (overrides app.get('webspresso.uploadPath') from uploadPlugin)
+ * @param {boolean} [options.richTextSanitize=true] - Sanitize HTML for admin rich-text fields on create/update (set false only if you accept XSS risk)
  * @returns {Object} Plugin definition
  */
 function adminPanelPlugin(options = {}) {
@@ -43,6 +44,7 @@ function adminPanelPlugin(options = {}) {
     userManagement: userMgmtConfig,
     configure,
     uploadUrl: uploadUrlOption,
+    richTextSanitize = true,
   } = options;
 
   // Validate required options
@@ -204,6 +206,7 @@ function adminPanelPlugin(options = {}) {
         AdminUser,
         hashPassword: (password, rounds) => bcrypt.hash(password, rounds),
         comparePassword: (password, hash) => bcrypt.compare(password, hash),
+        richTextSanitize,
       });
 
       const extensionHandlers = createExtensionApiHandlers({

package/plugins/admin-panel/lib/is-rich-text-empty.js

@@ -0,0 +1,23 @@
+/** Strip simple HTML-ish tags repeatedly (mitigates incomplete single-pass sanitization). */
+function stripHtmlLikeTagsRepeated(value) {
+  let s = String(value);
+  let prev;
+  do {
+    prev = s;
+    s = s.replace(/<[^>]*>/g, '');
+  } while (s !== prev);
+  return s;
+}
+
+/**
+ * Whether rich-text content is empty after removing tags / Quill placeholders.
+ * @param {string} value
+ */
+function isRichTextEmpty(value) {
+  if (!value) return true;
+  const stripped = stripHtmlLikeTagsRepeated(String(value)).trim();
+  const v = String(value).trim();
+  return stripped === '' || v === '<p><br></p>' || v === '<p></p>';
+}
+
+module.exports = { isRichTextEmpty, stripHtmlLikeTagsRepeated };

package/plugins/admin-panel/lib/sanitize-rich-html.js

@@ -0,0 +1,106 @@
+/**
+ * Server-side HTML sanitization for admin panel Quill/rich-text fields.
+ * Intended for XSS mitigation before persistence — not a substitute for safe templating on public pages.
+ */
+
+'use strict';
+
+const sanitizeHtml = require('sanitize-html');
+
+const RICH_TEXT_SANITIZE_OPTIONS = {
+  allowedTags: [
+    'p',
+    'br',
+    'strong',
+    'b',
+    'em',
+    'i',
+    'u',
+    's',
+    'strike',
+    'del',
+    'h1',
+    'h2',
+    'h3',
+    'h4',
+    'h5',
+    'h6',
+    'blockquote',
+    'ul',
+    'ol',
+    'li',
+    'a',
+    'span',
+    'pre',
+    'code',
+  ],
+  allowedAttributes: {
+    a: ['href', 'target', 'rel'],
+    span: ['class'],
+    p: ['class'],
+    ol: ['class'],
+    ul: ['class'],
+    li: ['class'],
+    blockquote: ['class'],
+    pre: ['class'],
+    code: ['class'],
+    h1: ['class'],
+    h2: ['class'],
+    h3: ['class'],
+    h4: ['class'],
+    h5: ['class'],
+    h6: ['class'],
+  },
+  allowedClasses: {
+    span: [/^ql-/],
+    p: [/^ql-/],
+    ol: [/^ql-/],
+    ul: [/^ql-/],
+    li: [/^ql-/],
+    blockquote: [/^ql-/],
+    pre: [/^ql-/],
+    code: [/^language-/, /^lang-/, /^ql-/],
+    h1: [/^ql-/],
+    h2: [/^ql-/],
+    h3: [/^ql-/],
+    h4: [/^ql-/],
+    h5: [/^ql-/],
+    h6: [/^ql-/],
+  },
+  allowedSchemesByTag: {
+    a: ['http', 'https', 'mailto', 'tel'],
+  },
+  allowedSchemes: ['http', 'https', 'mailto', 'tel'],
+  allowProtocolRelative: true,
+  transformTags: {
+    a(tagName, attribs) {
+      const href = (attribs.href || '').trim();
+      if (/^javascript:/i.test(href) || /^vbscript:/i.test(href) || /^data:/i.test(href)) {
+        delete attribs.href;
+      }
+      if (attribs.target === '_blank') {
+        attribs.rel = 'noopener noreferrer';
+      }
+      return { tagName, attribs };
+    },
+  },
+};
+
+/**
+ * @param {unknown} input
+ * @returns {unknown}
+ */
+function sanitizeRichHtml(input) {
+  if (input === null || input === undefined) {
+    return input;
+  }
+  if (typeof input !== 'string') {
+    return input;
+  }
+  return sanitizeHtml(input, RICH_TEXT_SANITIZE_OPTIONS);
+}
+
+module.exports = {
+  sanitizeRichHtml,
+  RICH_TEXT_SANITIZE_OPTIONS,
+};

package/plugins/admin-panel/modules/dashboard.js

@@ -277,17 +277,18 @@ const WidgetRenderers = {
       if (data.error) {
         return m('div.text-sm.text-red-600.dark:text-red-400', data.error);
       }
+      const stat = (v) => (v == null ? '—' : v);
       return m('div.grid.grid-cols-2.gap-4', [
         m('div.text-center.p-3.bg-blue-50.dark:bg-blue-950/40.rounded-lg', [
           m('p.text-2xl.font-bold.text-blue-600.dark:text-blue-400', data.total),
           m('p.text-xs.text-gray-500.dark:text-slate-400', 'Total Users'),
         ]),
         m('div.text-center.p-3.bg-green-50.dark:bg-green-950/40.rounded-lg', [
-          m('p.text-2xl.font-bold.text-green-600.dark:text-green-400', data.active),
+          m('p.text-2xl.font-bold.text-green-600.dark:text-green-400', stat(data.active)),
           m('p.text-xs.text-gray-500.dark:text-slate-400', 'Active'),
         ]),
         m('div.text-center.p-3.bg-yellow-50.dark:bg-amber-950/40.rounded-lg', [
-          m('p.text-2xl.font-bold.text-yellow-600.dark:text-amber-400', data.admins),
+          m('p.text-2xl.font-bold.text-yellow-600.dark:text-amber-400', stat(data.admins)),
           m('p.text-xs.text-gray-500.dark:text-slate-400', 'Admins'),
         ]),
         m('div.text-center.p-3.bg-purple-50.dark:bg-purple-950/40.rounded-lg', [

package/plugins/admin-panel/modules/user-management.js

@@ -18,6 +18,29 @@ function truthyBooleanForDb(db) {
   return true;
 }
 
+/**
+ * True when the physical table has the column (handles schema vs migration drift).
+ */
+async function physicalColumnExists(db, table, column) {
+  if (!db?.knex?.schema || !table || !column) return false;
+  try {
+    return await db.knex.schema.hasColumn(table, column);
+  } catch {
+    return false;
+  }
+}
+
+/** `userManagement: { model: 'Member' }` is the public API; `modelName` is also accepted. */
+function resolveUserManagementModelName(config = {}) {
+  if (config.modelName != null && String(config.modelName).trim() !== '') {
+    return String(config.modelName).trim();
+  }
+  if (config.model != null && String(config.model).trim() !== '') {
+    return String(config.model).trim();
+  }
+  return 'User';
+}
+
 /**
  * Register user management in admin panel
  * @param {Object} options - Options
@@ -30,12 +53,13 @@ function registerUserManagement(options) {
   const { registry, db, auth, config = {} } = options;
   
   const {
-    modelName = 'User',
     fields = {},
     roles = ['user', 'admin'],
     passwordMinLength = 8,
   } = config;
 
+  const modelName = resolveUserManagementModelName(config);
+
   const fieldMap = {
     email: 'email',
     password: 'password',
@@ -104,14 +128,34 @@ function registerUserManagement(options) {
       try {
         const repo = db.getRepository(modelName);
         const model = repo.model;
+        const cols = model.columns;
+        const table = model.table;
         const total = await repo.count();
-        const activeEq = truthyBooleanForDb(db);
-        const active = await repo.query().where(fieldMap.active, activeEq).count();
-        const admins = await repo.count({ [fieldMap.role]: 'admin' });
+
+        const activeCol = fieldMap.active;
+        const hasActiveCol =
+          cols?.has(activeCol) && (await physicalColumnExists(db, table, activeCol));
+        let active = null;
+        let inactive = null;
+        if (hasActiveCol) {
+          const activeEq = truthyBooleanForDb(db);
+          active = await repo.query().where(activeCol, activeEq).count();
+          inactive = Math.max(0, total - active);
+        }
+
+        const roleCol = fieldMap.role;
+        let admins = null;
+        const hasRoleCol =
+          cols?.has(roleCol) && (await physicalColumnExists(db, table, roleCol));
+        if (hasRoleCol) {
+          admins = await repo.count({ [roleCol]: 'admin' });
+        }
 
         let recentUsers = 0;
         const createdCol = fieldMap.createdAt;
-        if (model.columns && model.columns.has(createdCol)) {
+        const hasCreatedCol =
+          cols?.has(createdCol) && (await physicalColumnExists(db, table, createdCol));
+        if (hasCreatedCol) {
           const weekAgo = new Date();
           weekAgo.setDate(weekAgo.getDate() - 7);
           recentUsers = await repo.query()
@@ -122,12 +166,19 @@ function registerUserManagement(options) {
         return {
           total,
           active,
-          inactive: Math.max(0, total - active),
+          inactive,
           admins,
           recentUsers,
         };
       } catch (e) {
-        return { total: 0, active: 0, inactive: 0, admins: 0, recentUsers: 0, error: e.message };
+        return {
+          total: 0,
+          active: null,
+          inactive: null,
+          admins: null,
+          recentUsers: 0,
+          error: e.message,
+        };
       }
     },
   });
@@ -255,10 +306,8 @@ function registerUserManagement(options) {
  */
 function createUserManagementApiHandlers(options) {
   const { db, config, auth } = options;
-  const {
-    modelName = 'User',
-    fields = {},
-  } = config;
+  const { fields = {} } = config;
+  const modelName = resolveUserManagementModelName(config);
 
   const fieldMap = {
     email: 'email',
@@ -275,6 +324,8 @@ function createUserManagementApiHandlers(options) {
   async function listUsers(req, res) {
     try {
       const repo = db.getRepository(modelName);
+      const model = repo.model;
+      const table = model.table;
       const page = parseInt(req.query.page) || 1;
       const perPage = parseInt(req.query.perPage) || 20;
       const search = req.query.search;
@@ -283,21 +334,40 @@ function createUserManagementApiHandlers(options) {
 
       let query = repo.query();
 
-      // Search
+      // Search (only columns that exist on the physical table)
       if (search) {
-        query = query.where(function() {
-          this.where(fieldMap.email, 'like', `%${search}%`)
-              .orWhere(fieldMap.name, 'like', `%${search}%`);
-        });
+        const hasEmail = await physicalColumnExists(db, table, fieldMap.email);
+        const hasName = await physicalColumnExists(db, table, fieldMap.name);
+        if (hasEmail || hasName) {
+          query = query.where(function () {
+            if (hasEmail && hasName) {
+              this.where(fieldMap.email, 'like', `%${search}%`).orWhere(
+                fieldMap.name,
+                'like',
+                `%${search}%`
+              );
+            } else if (hasEmail) {
+              this.where(fieldMap.email, 'like', `%${search}%`);
+            } else {
+              this.where(fieldMap.name, 'like', `%${search}%`);
+            }
+          });
+        }
       }
 
-      // Role filter
-      if (role) {
+      if (
+        role &&
+        model.columns?.has(fieldMap.role) &&
+        (await physicalColumnExists(db, table, fieldMap.role))
+      ) {
         query = query.where(fieldMap.role, role);
       }
 
-      // Active filter
-      if (active !== undefined) {
+      if (
+        active !== undefined &&
+        model.columns?.has(fieldMap.active) &&
+        (await physicalColumnExists(db, table, fieldMap.active))
+      ) {
         query = query.where(fieldMap.active, active === 'true');
       }
 

package/plugins/index.js

@@ -19,6 +19,8 @@ const ormCacheAdminPlugin = require('./orm-cache-admin');
 const { uploadPlugin, createLocalFileProvider } = require('./upload');
 /** Register after adminPanelPlugin (same db + adminPath) for session and routes. */
 const { dataExchangePlugin } = require('./data-exchange');
+const { redirectPlugin } = require('./redirect');
+const { rateLimitPlugin } = require('./rate-limit');
 
 module.exports = {
   sitemapPlugin,
@@ -37,5 +39,7 @@ module.exports = {
   uploadPlugin,
   createLocalFileProvider,
   dataExchangePlugin,
+  redirectPlugin,
+  rateLimitPlugin,
 };