summaryrefslogtreecommitdiffstats
path: root/models
diff options
context:
space:
mode:
Diffstat (limited to 'models')
-rw-r--r--models/activities.js8
-rw-r--r--models/attachments.js195
-rw-r--r--models/boards.js5
-rw-r--r--models/customFields.js3
-rw-r--r--models/users.js16
5 files changed, 193 insertions, 34 deletions
diff --git a/models/activities.js b/models/activities.js
index 168effd0..3ecd5c8c 100644
--- a/models/activities.js
+++ b/models/activities.js
@@ -110,7 +110,9 @@ if (Meteor.isServer) {
if (activity.userId) {
// No need send notification to user of activity
// participants = _.union(participants, [activity.userId]);
- params.user = activity.user().getName();
+ const user = activity.user();
+ params.user = user.getName();
+ params.userEmails = user.emails;
params.userId = activity.userId;
}
if (activity.boardId) {
@@ -172,7 +174,7 @@ if (Meteor.isServer) {
const comment = activity.comment();
params.comment = comment.text;
if (board) {
- const atUser = /(?:^|\s+)@(\S+)(?:\s+|$)/g;
+ const atUser = /(?:^|>|\b|\s)@(\S+)(?:\s|$|<|\b)/g;
const comment = params.comment;
if (comment.match(atUser)) {
const commenter = params.user;
@@ -184,6 +186,8 @@ if (Meteor.isServer) {
}
const user = Users.findOne(username) || Users.findOne({ username });
const uid = user && user._id;
+ params.atUsername = username;
+ params.atEmails = user.emails;
if (board.hasMember(uid)) {
title = 'act-atUserComment';
watchers = _.union(watchers, [uid]);
diff --git a/models/attachments.js b/models/attachments.js
index 0616c79f..9b8ec04f 100644
--- a/models/attachments.js
+++ b/models/attachments.js
@@ -1,27 +1,178 @@
-Attachments = new FS.Collection('attachments', {
- stores: [
+const localFSStore = process.env.ATTACHMENTS_STORE_PATH;
+const storeName = 'attachments';
+const defaultStoreOptions = {
+ beforeWrite: fileObj => {
+ if (!fileObj.isImage()) {
+ return {
+ type: 'application/octet-stream',
+ };
+ }
+ return {};
+ },
+};
+let store;
+if (localFSStore) {
+ // have to reinvent methods from FS.Store.GridFS and FS.Store.FileSystem
+ const fs = Npm.require('fs');
+ const path = Npm.require('path');
+ const mongodb = Npm.require('mongodb');
+ const Grid = Npm.require('gridfs-stream');
+ // calulate the absolute path here, because FS.Store.FileSystem didn't expose the aboslutepath or FS.Store didn't expose api calls :(
+ let pathname = localFSStore;
+ /*eslint camelcase: ["error", {allow: ["__meteor_bootstrap__"]}] */
+
+ if (!pathname && __meteor_bootstrap__ && __meteor_bootstrap__.serverDir) {
+ pathname = path.join(
+ __meteor_bootstrap__.serverDir,
+ `../../../cfs/files/${storeName}`,
+ );
+ }
+
+ if (!pathname)
+ throw new Error('FS.Store.FileSystem unable to determine path');
+
+ // Check if we have '~/foo/bar'
+ if (pathname.split(path.sep)[0] === '~') {
+ const homepath =
+ process.env.HOME || process.env.HOMEPATH || process.env.USERPROFILE;
+ if (homepath) {
+ pathname = pathname.replace('~', homepath);
+ } else {
+ throw new Error('FS.Store.FileSystem unable to resolve "~" in path');
+ }
+ }
+
+ // Set absolute path
+ const absolutePath = path.resolve(pathname);
+
+ const _FStore = new FS.Store.FileSystem(storeName, {
+ path: localFSStore,
+ ...defaultStoreOptions,
+ });
+ const GStore = {
+ fileKey(fileObj) {
+ const key = {
+ _id: null,
+ filename: null,
+ };
+
+ // If we're passed a fileObj, we retrieve the _id and filename from it.
+ if (fileObj) {
+ const info = fileObj._getInfo(storeName, {
+ updateFileRecordFirst: false,
+ });
+ key._id = info.key || null;
+ key.filename =
+ info.name ||
+ fileObj.name({ updateFileRecordFirst: false }) ||
+ `${fileObj.collectionName}-${fileObj._id}`;
+ }
+
+ // If key._id is null at this point, createWriteStream will let GridFS generate a new ID
+ return key;
+ },
+ db: undefined,
+ mongoOptions: { useNewUrlParser: true },
+ mongoUrl: process.env.MONGO_URL,
+ init() {
+ this._init(err => {
+ this.inited = !err;
+ });
+ },
+ _init(callback) {
+ const self = this;
+ mongodb.MongoClient.connect(self.mongoUrl, self.mongoOptions, function(
+ err,
+ db,
+ ) {
+ if (err) {
+ return callback(err);
+ }
+ self.db = db;
+ return callback(null);
+ });
+ return;
+ },
+ createReadStream(fileKey, options) {
+ const self = this;
+ if (!self.inited) {
+ self.init();
+ return undefined;
+ }
+ options = options || {};
+
+ // Init GridFS
+ const gfs = new Grid(self.db, mongodb);
+
+ // Set the default streamning settings
+ const settings = {
+ _id: new mongodb.ObjectID(fileKey._id),
+ root: `cfs_gridfs.${storeName}`,
+ };
+
+ // Check if this should be a partial read
+ if (
+ typeof options.start !== 'undefined' &&
+ typeof options.end !== 'undefined'
+ ) {
+ // Add partial info
+ settings.range = {
+ startPos: options.start,
+ endPos: options.end,
+ };
+ }
+ return gfs.createReadStream(settings);
+ },
+ };
+ GStore.init();
+ const CRS = 'createReadStream';
+ const _CRS = `_${CRS}`;
+ const FStore = _FStore._transform;
+ FStore[_CRS] = FStore[CRS].bind(FStore);
+ FStore[CRS] = function(fileObj, options) {
+ let stream;
+ try {
+ const localFile = path.join(
+ absolutePath,
+ FStore.storage.fileKey(fileObj),
+ );
+ const state = fs.statSync(localFile);
+ if (state) {
+ stream = FStore[_CRS](fileObj, options);
+ }
+ } catch (e) {
+ // file is not there, try GridFS ?
+ stream = undefined;
+ }
+ if (stream) return stream;
+ else {
+ try {
+ const stream = GStore[CRS](GStore.fileKey(fileObj), options);
+ return stream;
+ } catch (e) {
+ return undefined;
+ }
+ }
+ }.bind(FStore);
+ store = _FStore;
+} else {
+ store = new FS.Store.GridFS(localFSStore ? `G${storeName}` : storeName, {
// XXX Add a new store for cover thumbnails so we don't load big images in
// the general board view
- new FS.Store.GridFS('attachments', {
- // If the uploaded document is not an image we need to enforce browser
- // download instead of execution. This is particularly important for HTML
- // files that the browser will just execute if we don't serve them with the
- // appropriate `application/octet-stream` MIME header which can lead to user
- // data leaks. I imagine other formats (like PDF) can also be attack vectors.
- // See https://github.com/wekan/wekan/issues/99
- // XXX Should we use `beforeWrite` option of CollectionFS instead of
- // collection-hooks?
- // We should use `beforeWrite`.
- beforeWrite: fileObj => {
- if (!fileObj.isImage()) {
- return {
- type: 'application/octet-stream',
- };
- }
- return {};
- },
- }),
- ],
+ // If the uploaded document is not an image we need to enforce browser
+ // download instead of execution. This is particularly important for HTML
+ // files that the browser will just execute if we don't serve them with the
+ // appropriate `application/octet-stream` MIME header which can lead to user
+ // data leaks. I imagine other formats (like PDF) can also be attack vectors.
+ // See https://github.com/wekan/wekan/issues/99
+ // XXX Should we use `beforeWrite` option of CollectionFS instead of
+ // collection-hooks?
+ // We should use `beforeWrite`.
+ ...defaultStoreOptions,
+ });
+}
+Attachments = new FS.Collection('attachments', {
+ stores: [store],
});
if (Meteor.isServer) {
diff --git a/models/boards.js b/models/boards.js
index 2117ff7c..b5f8b01b 100644
--- a/models/boards.js
+++ b/models/boards.js
@@ -407,10 +407,7 @@ Boards.helpers({
},
lists() {
- return Lists.find(
- { boardId: this._id, archived: false },
- { sort: { sort: 1 } },
- );
+ return Lists.find({ boardId: this._id }, { sort: { sort: 1 } });
},
nullSortLists() {
diff --git a/models/customFields.js b/models/customFields.js
index a5eb8906..6b5697c1 100644
--- a/models/customFields.js
+++ b/models/customFields.js
@@ -302,6 +302,7 @@ if (Meteor.isServer) {
) {
Authentication.checkUserId(req.userId);
const paramBoardId = req.params.boardId;
+ const board = Boards.findOne({ _id: paramBoardId });
const id = CustomFields.direct.insert({
name: req.body.name,
type: req.body.type,
@@ -309,7 +310,7 @@ if (Meteor.isServer) {
showOnCard: req.body.showOnCard,
automaticallyOnCard: req.body.automaticallyOnCard,
showLabelOnMiniCard: req.body.showLabelOnMiniCard,
- boardIds: { $in: [paramBoardId] },
+ boardIds: [board._id],
});
const customField = CustomFields.findOne({
diff --git a/models/users.js b/models/users.js
index 46e56ad6..55d85e07 100644
--- a/models/users.js
+++ b/models/users.js
@@ -258,9 +258,14 @@ Users.attachSchema(
);
Users.allow({
- update(userId) {
- const user = Users.findOne(userId);
- return user && Meteor.user().isAdmin;
+ update(userId, doc) {
+ const user = Users.findOne({ _id: userId });
+ if ((user && user.isAdmin) || (Meteor.user() && Meteor.user().isAdmin))
+ return true;
+ if (!user) {
+ return false;
+ }
+ return doc._id === userId;
},
remove(userId, doc) {
const adminsNumber = Users.find({ isAdmin: true }).count();
@@ -610,8 +615,9 @@ if (Meteor.isServer) {
board &&
board.members &&
_.contains(_.pluck(board.members, 'userId'), inviter._id) &&
- _.where(board.members, { userId: inviter._id })[0].isActive &&
- _.where(board.members, { userId: inviter._id })[0].isAdmin;
+ _.where(board.members, { userId: inviter._id })[0].isActive;
+ // GitHub issue 2060
+ //_.where(board.members, { userId: inviter._id })[0].isAdmin;
if (!allowInvite) throw new Meteor.Error('error-board-notAMember');
this.unblock();
generated by cgit v1.2.3-1-g7c22 (git 2.25.1) at 2024-07-22 13:47:33 +0000