zet-lib 5.0.2 → 5.0.3

package/lib/zAppRouter.js

@@ -1609,24 +1609,34 @@ router.get("/addapproval-models", async (req, res) => {
 //post dropzone widget
 router.post("/zdropzone", async (req, res) => {
   try {
-    let userId = res.locals.userId;
-    if (userId) {
-      let dir = path.join(dirRoot, "public", "zdropzone", userId);
-      if (!fs.existsSync(dir)) {
-        fs.mkdirSync(dir, { recursive: true });
-      }
-      let filename = req.files.file.name;
-      req.files.file.mv(path.join(dir, filename), function (err) {
-        if (err) {
-          return res.status(500).send(err + "");
-        }
-      });
+    const userId = res.locals.userId;
+    if (!userId) {
+      return res.status(401).send("Unauthorized");
     }
-    res.json("ok");
+
+    const file = req?.files?.file;
+    if (!file || !file.name) {
+      return res.status(400).send("No file uploaded");
+    }
+
+    const dir = path.join(dirRoot, "public", "zdropzone", `${userId}`);
+    await fs.promises.mkdir(dir, { recursive: true });
+
+    // Prevent path traversal; keep only the base name.
+    const originalName = path.basename(file.name);
+    const uniquePrefix = `${Date.now()}_${Math.random().toString(16).slice(2, 10)}_`;
+    const savedName = `${uniquePrefix}${originalName}`;
+    const destPath = path.join(dir, savedName);
+
+    await new Promise((resolve, reject) => {
+      file.mv(destPath, (err) => (err ? reject(err) : resolve()));
+    });
+
+    // Return the stored filename so client can reference it uniquely
+    res.json({ ok: true, fileName: savedName, originalName });
   } catch (e) {
     console.log(e);
-    res.status(500);
-    res.send(e + "");
+    res.status(500).send(e + "");
   }
 });
 

package/lib/zRoute.js

@@ -4538,6 +4538,18 @@ zRoute.generateJS = (req, res, MYMODEL, relations, zForms = "", data = {}) => {
     addRemoveLinks: !0,
     maxFilesize: 30,
     headers: {"X-CSRF-TOKEN": $('meta[name="csrf-token"]').attr("content")},
+    success: function(file, response) {
+        const type = window.location.href.split("/").pop();
+        if(response && response.fileName) {
+            // Persist server-side unique name on the file object so remove uses it too
+            file.name = response.fileName;
+            if(file.upload) file.upload.filename = response.fileName;
+            ajaxPost("/zdropzone-attributes",{file:response.fileName,'category':'add',field:"${item}",table:"${MYMODEL.table}", type:type},() => {})
+        } else {
+            // fallback to original
+            ajaxPost("/zdropzone-attributes",{file:file.name,'category':'add',field:"${item}",table:"${MYMODEL.table}", type:type},() => {})
+        }
+    },
     removedfile: function(file) {
         const type = window.location.href.split("/").pop();
         ajaxPost("/zdropzone-remove",{file:file.name, cname:"dropzone__ZUSER___ID__${MYMODEL.table}__${item}__"+type},(data) => {
@@ -4547,9 +4559,6 @@ zRoute.generateJS = (req, res, MYMODEL, relations, zForms = "", data = {}) => {
     init: function() {
         let dz = this;
         const type = window.location.href.split("/").pop();
-        dz.on("addedfile", function(file) {
-            ajaxPost("/zdropzone-attributes",{file:file.name,'category':'add',field:"${item}",table:"${MYMODEL.table}", type:type},() => {})
-        });
         dz.on("removedfile", function(file) {
             ajaxPost("/zdropzone-attributes",{file:file.name,'category':'remove',field:"${item}",table:"${MYMODEL.table}", type:type},() => {});
             $("div#${item}").find(".dz-message").remove();
@@ -6715,4 +6724,4 @@ zRoute.tableBody = (
     }
     return html;
 };
-module.exports = zRoute;
+module.exports = zRoute;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "zet-lib",
-  "version": "5.0.2",
+  "version": "5.0.3",
   "description": "zet is a library that part of zet generator.",
   "engines": {
     "node": ">=18"