Merge branch 'master' of https://github.com/wekan/wekan

author: Romulus Urakagi Tsai <urakagi@gmail.com> 2019-08-12 01:43:21 +0000
committer: Romulus Urakagi Tsai <urakagi@gmail.com> 2019-08-12 01:43:21 +0000
commit: efdab37f3faeb125a9b8d31969762932bbbc0c4b (patch)
tree: 5fdb667b151819325e340a23c7250bd2bb638137 /models
parent: 4f4e0a21f80019048aad6b7a679899c048cb3865 (diff)
parent: db1cf5bb64f10317742361637d239f08bec141b8 (diff)
download: wekan-efdab37f3faeb125a9b8d31969762932bbbc0c4b.tar.gz
wekan-efdab37f3faeb125a9b8d31969762932bbbc0c4b.tar.bz2
wekan-efdab37f3faeb125a9b8d31969762932bbbc0c4b.zip
2 files changed, 201 insertions, 26 deletions
diff --git a/models/attachments.js b/models/attachments.js
index 0616c79f..9b8ec04f 100644
--- a/models/attachments.js
+++ b/models/attachments.js
@@ -1,27 +1,178 @@
-Attachments = new FS.Collection('attachments', {
-  stores: [
+const localFSStore = process.env.ATTACHMENTS_STORE_PATH;
+const storeName = 'attachments';
+const defaultStoreOptions = {
+  beforeWrite: fileObj => {
+    if (!fileObj.isImage()) {
+      return {
+        type: 'application/octet-stream',
+      };
+    }
+    return {};
+  },
+};
+let store;
+if (localFSStore) {
+  // have to reinvent methods from FS.Store.GridFS and FS.Store.FileSystem
+  const fs = Npm.require('fs');
+  const path = Npm.require('path');
+  const mongodb = Npm.require('mongodb');
+  const Grid = Npm.require('gridfs-stream');
+  // calulate the absolute path here, because FS.Store.FileSystem didn't expose the aboslutepath or FS.Store didn't expose api calls :(
+  let pathname = localFSStore;
+  /*eslint camelcase: ["error", {allow: ["__meteor_bootstrap__"]}] */
+
+  if (!pathname && __meteor_bootstrap__ && __meteor_bootstrap__.serverDir) {
+    pathname = path.join(
+      __meteor_bootstrap__.serverDir,
+      `../../../cfs/files/${storeName}`,
+    );
+  }
+
+  if (!pathname)
+    throw new Error('FS.Store.FileSystem unable to determine path');
+
+  // Check if we have '~/foo/bar'
+  if (pathname.split(path.sep)[0] === '~') {
+    const homepath =
+      process.env.HOME || process.env.HOMEPATH || process.env.USERPROFILE;
+    if (homepath) {
+      pathname = pathname.replace('~', homepath);
+    } else {
+      throw new Error('FS.Store.FileSystem unable to resolve "~" in path');
+    }
+  }
+
+  // Set absolute path
+  const absolutePath = path.resolve(pathname);
+
+  const _FStore = new FS.Store.FileSystem(storeName, {
+    path: localFSStore,
+    ...defaultStoreOptions,
+  });
+  const GStore = {
+    fileKey(fileObj) {
+      const key = {
+        _id: null,
+        filename: null,
+      };
+
+      // If we're passed a fileObj, we retrieve the _id and filename from it.
+      if (fileObj) {
+        const info = fileObj._getInfo(storeName, {
+          updateFileRecordFirst: false,
+        });
+        key._id = info.key || null;
+        key.filename =
+          info.name ||
+          fileObj.name({ updateFileRecordFirst: false }) ||
+          `${fileObj.collectionName}-${fileObj._id}`;
+      }
+
+      // If key._id is null at this point, createWriteStream will let GridFS generate a new ID
+      return key;
+    },
+    db: undefined,
+    mongoOptions: { useNewUrlParser: true },
+    mongoUrl: process.env.MONGO_URL,
+    init() {
+      this._init(err => {
+        this.inited = !err;
+      });
+    },
+    _init(callback) {
+      const self = this;
+      mongodb.MongoClient.connect(self.mongoUrl, self.mongoOptions, function(
+        err,
+        db,
+      ) {
+        if (err) {
+          return callback(err);
+        }
+        self.db = db;
+        return callback(null);
+      });
+      return;
+    },
+    createReadStream(fileKey, options) {
+      const self = this;
+      if (!self.inited) {
+        self.init();
+        return undefined;
+      }
+      options = options || {};
+
+      // Init GridFS
+      const gfs = new Grid(self.db, mongodb);
+
+      // Set the default streamning settings
+      const settings = {
+        _id: new mongodb.ObjectID(fileKey._id),
+        root: `cfs_gridfs.${storeName}`,
+      };
+
+      // Check if this should be a partial read
+      if (
+        typeof options.start !== 'undefined' &&
+        typeof options.end !== 'undefined'
+      ) {
+        // Add partial info
+        settings.range = {
+          startPos: options.start,
+          endPos: options.end,
+        };
+      }
+      return gfs.createReadStream(settings);
+    },
+  };
+  GStore.init();
+  const CRS = 'createReadStream';
+  const _CRS = `_${CRS}`;
+  const FStore = _FStore._transform;
+  FStore[_CRS] = FStore[CRS].bind(FStore);
+  FStore[CRS] = function(fileObj, options) {
+    let stream;
+    try {
+      const localFile = path.join(
+        absolutePath,
+        FStore.storage.fileKey(fileObj),
+      );
+      const state = fs.statSync(localFile);
+      if (state) {
+        stream = FStore[_CRS](fileObj, options);
+      }
+    } catch (e) {
+      // file is not there, try GridFS ?
+      stream = undefined;
+    }
+    if (stream) return stream;
+    else {
+      try {
+        const stream = GStore[CRS](GStore.fileKey(fileObj), options);
+        return stream;
+      } catch (e) {
+        return undefined;
+      }
+    }
+  }.bind(FStore);
+  store = _FStore;
+} else {
+  store = new FS.Store.GridFS(localFSStore ? `G${storeName}` : storeName, {
     // XXX Add a new store for cover thumbnails so we don't load big images in
     // the general board view
-    new FS.Store.GridFS('attachments', {
-      // If the uploaded document is not an image we need to enforce browser
-      // download instead of execution. This is particularly important for HTML
-      // files that the browser will just execute if we don't serve them with the
-      // appropriate `application/octet-stream` MIME header which can lead to user
-      // data leaks. I imagine other formats (like PDF) can also be attack vectors.
-      // See https://github.com/wekan/wekan/issues/99
-      // XXX Should we use `beforeWrite` option of CollectionFS instead of
-      // collection-hooks?
-      // We should use `beforeWrite`.
-      beforeWrite: fileObj => {
-        if (!fileObj.isImage()) {
-          return {
-            type: 'application/octet-stream',
-          };
-        }
-        return {};
-      },
-    }),
-  ],
+    // If the uploaded document is not an image we need to enforce browser
+    // download instead of execution. This is particularly important for HTML
+    // files that the browser will just execute if we don't serve them with the
+    // appropriate `application/octet-stream` MIME header which can lead to user
+    // data leaks. I imagine other formats (like PDF) can also be attack vectors.
+    // See https://github.com/wekan/wekan/issues/99
+    // XXX Should we use `beforeWrite` option of CollectionFS instead of
+    // collection-hooks?
+    // We should use `beforeWrite`.
+    ...defaultStoreOptions,
+  });
+}
+Attachments = new FS.Collection('attachments', {
+  stores: [store],
 });
 
 if (Meteor.isServer) {
diff --git a/models/users.js b/models/users.js
index 08f833b9..870e8fe9 100644
--- a/models/users.js
+++ b/models/users.js
@@ -109,7 +109,14 @@ Users.attachSchema(
     },
     'profile.hiddenSystemMessages': {
       /**
-       * does the user wants to hide system messages?
+       * does the user want to hide system messages?
+       */
+      type: Boolean,
+      optional: true,
+    },
+    'profile.hiddenMinicardLabelText': {
+      /**
+       * does the user want to hide minicard label texts?
        */
       type: Boolean,
       optional: true,
@@ -253,7 +260,7 @@ Users.attachSchema(
 Users.allow({
   update(userId) {
     const user = Users.findOne(userId);
-    return user && Meteor.user().isAdmin;
+    return user; // && Meteor.user().isAdmin; // GitHub issue #2590
   },
   remove(userId, doc) {
     const adminsNumber = Users.find({ isAdmin: true }).count();
@@ -359,6 +366,11 @@ Users.helpers({
     return profile.hiddenSystemMessages || false;
   },
 
+  hasHiddenMinicardLabelText() {
+    const profile = this.profile || {};
+    return profile.hiddenMinicardLabelText || false;
+  },
+
   getEmailBuffer() {
     const { emailBuffer = [] } = this.profile || {};
     return emailBuffer;
@@ -462,6 +474,14 @@ Users.mutations({
     };
   },
 
+  toggleLabelText(value = false) {
+    return {
+      $set: {
+        'profile.hiddenMinicardLabelText': !value,
+      },
+    };
+  },
+
   addNotification(activityId) {
     return {
       $addToSet: {
@@ -525,6 +545,10 @@ Meteor.methods({
     const user = Meteor.user();
     user.toggleSystem(user.hasHiddenSystemMessages());
   },
+  toggleMinicardLabelText() {
+    const user = Meteor.user();
+    user.toggleLabelText(user.hasHiddenMinicardLabelText());
+  },
   changeLimitToShowCardsCount(limit) {
     check(limit, Number);
     Meteor.user().setShowCardsCountAt(limit);
@@ -946,8 +970,8 @@ if (Meteor.isServer) {
 if (Meteor.isServer) {
   // Middleware which checks that API is enabled.
   JsonRoutes.Middleware.use(function(req, res, next) {
-    const api = req.url.search('api');
-    if ((api === 1 && process.env.WITH_API === 'true') || api === -1) {
+    const api = req.url.startsWith('/api');
+    if ((api === true && process.env.WITH_API === 'true') || api === false) {
       return next();
     } else {
       res.writeHead(301, { Location: '/' });
author	Romulus Urakagi Tsai <urakagi@gmail.com>	2019-08-12 01:43:21 +0000
committer	Romulus Urakagi Tsai <urakagi@gmail.com>	2019-08-12 01:43:21 +0000
commit	efdab37f3faeb125a9b8d31969762932bbbc0c4b (patch)
tree	5fdb667b151819325e340a23c7250bd2bb638137 /models
parent	4f4e0a21f80019048aad6b7a679899c048cb3865 (diff)
parent	db1cf5bb64f10317742361637d239f08bec141b8 (diff)
download	wekan-efdab37f3faeb125a9b8d31969762932bbbc0c4b.tar.gz wekan-efdab37f3faeb125a9b8d31969762932bbbc0c4b.tar.bz2 wekan-efdab37f3faeb125a9b8d31969762932bbbc0c4b.zip