wekan/models/export.js

/* global JsonRoutes */
if (Meteor.isServer) {
  // todo XXX once we have a real API in place, move that route there
  // todo XXX also  share the route definition between the client and the server
  // so that we could use something like
  // `ApiRoutes.path('boards/export', boardId)``
  // on the client instead of copy/pasting the route path manually between the
  // client and the server.
  /**
   * @operation export
   * @tag Boards
   *
   * @summary This route is used to export the board.
   *
   * @description If user is already logged-in, pass loginToken as param
   * "authToken": '/api/boards/:boardId/export?authToken=:token'
   *
   * See https://blog.kayla.com.au/server-side-route-authentication-in-meteor/
   * for detailed explanations
   *
   * @param {string} boardId the ID of the board we are exporting
   * @param {string} authToken the loginToken
   */
  JsonRoutes.add('get', '/api/boards/:boardId/export', function(req, res) {
    const boardId = req.params.boardId;
    let user = null;

    const loginToken = req.query.authToken;
    if (loginToken) {
      const hashToken = Accounts._hashLoginToken(loginToken);
      user = Meteor.users.findOne({
        'services.resume.loginTokens.hashedToken': hashToken,
      });
    } else if (!Meteor.settings.public.sandstorm) {
      Authentication.checkUserId(req.userId);
      user = Users.findOne({ _id: req.userId, isAdmin: true });
    }

    const exporter = new Exporter(boardId);
    if (exporter.canExport(user)) {
      JsonRoutes.sendResult(res, {
        code: 200,
        data: exporter.build(),
      });
    } else {
      // we could send an explicit error message, but on the other hand the only
      // way to get there is by hacking the UI so let's keep it raw.
      JsonRoutes.sendResult(res, 403);
    }
  });
}

export class Exporter {
  constructor(boardId) {
    this._boardId = boardId;
  }

  build() {
    const byBoard = { boardId: this._boardId };
    const byBoardNoLinked = { boardId: this._boardId, linkedId: {$in: ['', null] } };
    // we do not want to retrieve boardId in related elements
    const noBoardId = {
      fields: {
        boardId: 0,
      },
    };
    const result = {
      _format: 'wekan-board-1.0.0',
    };
    _.extend(result, Boards.findOne(this._boardId, {
      fields: {
        stars: 0,
      },
    }));
    result.lists = Lists.find(byBoard, noBoardId).fetch();
    result.cards = Cards.find(byBoardNoLinked, noBoardId).fetch();
    result.swimlanes = Swimlanes.find(byBoard, noBoardId).fetch();
    result.customFields = CustomFields.find({boardIds: {$in: [this.boardId]}}, {fields: {boardId: 0}}).fetch();
    result.comments = CardComments.find(byBoard, noBoardId).fetch();
    result.activities = Activities.find(byBoard, noBoardId).fetch();
    result.rules = Rules.find(byBoard, noBoardId).fetch();
    result.checklists = [];
    result.checklistItems = [];
    result.subtaskItems = [];
    result.triggers = [];
    result.actions = [];
    result.cards.forEach((card) => {
      result.checklists.push(...Checklists.find({
        cardId: card._id,
      }).fetch());
      result.checklistItems.push(...ChecklistItems.find({
        cardId: card._id,
      }).fetch());
      result.subtaskItems.push(...Cards.find({
        parentid: card._id,
      }).fetch());
    });
    result.rules.forEach((rule) => {
      result.triggers.push(...Triggers.find({
        _id: rule.triggerId,
      }, noBoardId).fetch());
      result.actions.push(...Actions.find({
        _id: rule.actionId,
      }, noBoardId).fetch());
    });

    // [Old] for attachments we only export IDs and absolute url to original doc
    // [New] Encode attachment to base64
    const getBase64Data = function(doc, callback) {
      let buffer = new Buffer(0);
      // callback has the form function (err, res) {}
      const readStream = doc.createReadStream();
      readStream.on('data', function(chunk) {
        buffer = Buffer.concat([buffer, chunk]);
      });
      readStream.on('error', function(err) {
        callback(err, null);
      });
      readStream.on('end', function() {
        // done
        callback(null, buffer.toString('base64'));
      });
    };
    const getBase64DataSync = Meteor.wrapAsync(getBase64Data);
    result.attachments = Attachments.find(byBoard).fetch().map((attachment) => {
      return {
        _id: attachment._id,
        cardId: attachment.cardId,
        // url: FlowRouter.url(attachment.url()),
        file: getBase64DataSync(attachment),
        name: attachment.original.name,
        type: attachment.original.type,
      };
    });

    // we also have to export some user data - as the other elements only
    // include id but we have to be careful:
    // 1- only exports users that are linked somehow to that board
    // 2- do not export any sensitive information
    const users = {};
    result.members.forEach((member) => {
      users[member.userId] = true;
    });
    result.lists.forEach((list) => {
      users[list.userId] = true;
    });
    result.cards.forEach((card) => {
      users[card.userId] = true;
      if (card.members) {
        card.members.forEach((memberId) => {
          users[memberId] = true;
        });
      }
    });
    result.comments.forEach((comment) => {
      users[comment.userId] = true;
    });
    result.activities.forEach((activity) => {
      users[activity.userId] = true;
    });
    result.checklists.forEach((checklist) => {
      users[checklist.userId] = true;
    });
    const byUserIds = {
      _id: {
        $in: Object.getOwnPropertyNames(users),
      },
    };
    // we use whitelist to be sure we do not expose inadvertently
    // some secret fields that gets added to User later.
    const userFields = {
      fields: {
        _id: 1,
        username: 1,
        'profile.fullname': 1,
        'profile.initials': 1,
        'profile.avatarUrl': 1,
      },
    };
    result.users = Users.find(byUserIds, userFields).fetch().map((user) => {
      // user avatar is stored as a relative url, we export absolute
      if ((user.profile || {}).avatarUrl) {
        user.profile.avatarUrl = FlowRouter.url(user.profile.avatarUrl);
      }
      return user;
    });
    return result;
  }

  canExport(user) {
    const board = Boards.findOne(this._boardId);
    return board && board.isVisibleBy(user);
  }
}
Export Wekan now server-based with proper auth 2015-12-16 21:54:35 +01:00			`/* global JsonRoutes */`
REST API - Meteor 1.4 - first step issue 2017-04-27 20:49:24 +03:00			`if (Meteor.isServer) {`
Improved doc on server-side export route 2015-12-17 13:11:33 +01:00			`// todo XXX once we have a real API in place, move that route there`
Export: improved API routes - use an explicit "boards" domain: /api/boards/:boardId - pass authToken as a request parameter: /api/boards/:boardId?authToken=:token - in the future, same route can be used with authToken set in the Authenticate: header easily 2015-12-17 23:57:28 +01:00			`// todo XXX also share the route definition between the client and the server`
Favor FlowRouter.url over Meteor.absoluteUrl It hides the leading slash treatment as an hidden implementation detail. 2016-01-05 13:37:15 +01:00			`// so that we could use something like`
			// `ApiRoutes.path('boards/export', boardId)``
			`// on the client instead of copy/pasting the route path manually between the`
			`// client and the server.`
Restore export API Commit 477d71e0b90d1 was based on an older version of export.js, which means it reverted a few changes that were made previously. Fixes #2328 2019-05-14 09:37:04 +02:00			`/**`
			`* @operation export`
			`* @tag Boards`
			`*`
			`* @summary This route is used to export the board.`
			`*`
			`* @description If user is already logged-in, pass loginToken as param`
			`* "authToken": '/api/boards/:boardId/export?authToken=:token'`
Improved doc on server-side export route 2015-12-17 13:11:33 +01:00			`*`
			`* See https://blog.kayla.com.au/server-side-route-authentication-in-meteor/`
			`* for detailed explanations`
Restore export API Commit 477d71e0b90d1 was based on an older version of export.js, which means it reverted a few changes that were made previously. Fixes #2328 2019-05-14 09:37:04 +02:00			`*`
			`* @param {string} boardId the ID of the board we are exporting`
			`* @param {string} authToken the loginToken`
Improved doc on server-side export route 2015-12-17 13:11:33 +01:00			`*/`
Export/Import done for rules 2018-09-14 19:20:24 +02:00			`JsonRoutes.add('get', '/api/boards/:boardId/export', function(req, res) {`
Reenable the export feature Fixes #1055 2017-06-12 09:30:03 +02:00			`const boardId = req.params.boardId;`
			`let user = null;`
Restore export API Commit 477d71e0b90d1 was based on an older version of export.js, which means it reverted a few changes that were made previously. Fixes #2328 2019-05-14 09:37:04 +02:00
Reenable the export feature Fixes #1055 2017-06-12 09:30:03 +02:00			`const loginToken = req.query.authToken;`
			`if (loginToken) {`
			`const hashToken = Accounts._hashLoginToken(loginToken);`
			`user = Meteor.users.findOne({`
			`'services.resume.loginTokens.hashedToken': hashToken,`
			`});`
Restore export API Commit 477d71e0b90d1 was based on an older version of export.js, which means it reverted a few changes that were made previously. Fixes #2328 2019-05-14 09:37:04 +02:00			`} else if (!Meteor.settings.public.sandstorm) {`
			`Authentication.checkUserId(req.userId);`
			`user = Users.findOne({ _id: req.userId, isAdmin: true });`
Reenable the export feature Fixes #1055 2017-06-12 09:30:03 +02:00			`}`
Export Wekan now server-based with proper auth 2015-12-16 21:54:35 +01:00
Reenable the export feature Fixes #1055 2017-06-12 09:30:03 +02:00			`const exporter = new Exporter(boardId);`
Fix lint errors. Thanks to xet7 ! 2019-04-06 09:00:13 +03:00			`if (exporter.canExport(user)) {`
Export/Import done for rules 2018-09-14 19:20:24 +02:00			`JsonRoutes.sendResult(res, {`
			`code: 200,`
Fix lint errors. 2018-09-16 01:50:36 +03:00			`data: exporter.build(),`
Export/Import done for rules 2018-09-14 19:20:24 +02:00			`});`
Reenable the export feature Fixes #1055 2017-06-12 09:30:03 +02:00			`} else {`
			`// we could send an explicit error message, but on the other hand the only`
			`// way to get there is by hacking the UI so let's keep it raw.`
			`JsonRoutes.sendResult(res, 403);`
			`}`
			`});`
Export Wekan now server-based with proper auth 2015-12-16 21:54:35 +01:00			`}`
board export now checks authentication 2015-12-13 20:02:34 +01:00
Fixes 2019-02-12 23:40:12 +01:00			`export class Exporter {`
export board to Wekan JSON 2015-12-09 00:35:45 +01:00			`constructor(boardId) {`
			`this._boardId = boardId;`
			`}`

			`build() {`
REST API - Meteor 1.4 - first step issue 2017-04-27 20:49:24 +03:00			`const byBoard = { boardId: this._boardId };`
fix cards export 6eeb708e4d2eb82f (Fix cards export and add customFields export.) is incomplete as it allows to export newer cards inserted in the db after the linkedId has been set, but not older cards present in an earlier version of wekan. Allow both null and empty value to be retrieved to match all cards. related #1873 2018-10-23 18:00:56 +02:00			`const byBoardNoLinked = { boardId: this._boardId, linkedId: {$in: ['', null] } };`
Export wekan: do not export board.stars 2015-12-16 16:30:48 +01:00			`// we do not want to retrieve boardId in related elements`
Export/Import done for rules 2018-09-14 19:20:24 +02:00			`const noBoardId = {`
			`fields: {`
Fix lint errors. 2018-09-16 01:50:36 +03:00			`boardId: 0,`
			`},`
Export/Import done for rules 2018-09-14 19:20:24 +02:00			`};`
Export: include attachments 2015-12-17 11:58:55 +01:00			`const result = {`
			`_format: 'wekan-board-1.0.0',`
			`};`
Export/Import done for rules 2018-09-14 19:20:24 +02:00			`_.extend(result, Boards.findOne(this._boardId, {`
			`fields: {`
Fix lint errors. 2018-09-16 01:50:36 +03:00			`stars: 0,`
			`},`
Export/Import done for rules 2018-09-14 19:20:24 +02:00			`}));`
Export wekan: do not export board.stars 2015-12-16 16:30:48 +01:00			`result.lists = Lists.find(byBoard, noBoardId).fetch();`
Refactor imported -> linked in models 2018-05-02 14:20:55 -03:00			`result.cards = Cards.find(byBoardNoLinked, noBoardId).fetch();`
Fix import wekan board with swimlanes 2018-02-02 23:04:54 -03:00			`result.swimlanes = Swimlanes.find(byBoard, noBoardId).fetch();`
Migrate customFields 2019-03-08 23:39:33 +01:00			`result.customFields = CustomFields.find({boardIds: {$in: [this.boardId]}}, {fields: {boardId: 0}}).fetch();`
Export wekan: do not export board.stars 2015-12-16 16:30:48 +01:00			`result.comments = CardComments.find(byBoard, noBoardId).fetch();`
			`result.activities = Activities.find(byBoard, noBoardId).fetch();`
Export/Import done for rules 2018-09-14 19:20:24 +02:00			`result.rules = Rules.find(byBoard, noBoardId).fetch();`
Export checklists 2017-07-20 00:24:21 +01:00			`result.checklists = [];`
Fix Wekan import / Export for ChecklistItems 2018-04-28 22:17:56 +02:00			`result.checklistItems = [];`
Initial implementation for subtasks 2018-06-18 23:25:56 +03:00			`result.subtaskItems = [];`
Export/Import done for rules 2018-09-14 19:20:24 +02:00			`result.triggers = [];`
			`result.actions = [];`
Export checklists 2017-07-20 00:24:21 +01:00			`result.cards.forEach((card) => {`
Export/Import done for rules 2018-09-14 19:20:24 +02:00			`result.checklists.push(...Checklists.find({`
Fix lint errors. 2018-09-16 01:50:36 +03:00			`cardId: card._id,`
Export/Import done for rules 2018-09-14 19:20:24 +02:00			`}).fetch());`
			`result.checklistItems.push(...ChecklistItems.find({`
Fix lint errors. 2018-09-16 01:50:36 +03:00			`cardId: card._id,`
Export/Import done for rules 2018-09-14 19:20:24 +02:00			`}).fetch());`
			`result.subtaskItems.push(...Cards.find({`
Fix lint errors. 2018-09-16 01:50:36 +03:00			`parentid: card._id,`
Export/Import done for rules 2018-09-14 19:20:24 +02:00			`}).fetch());`
			`});`
			`result.rules.forEach((rule) => {`
			`result.triggers.push(...Triggers.find({`
Fix lint errors. 2018-09-16 01:50:36 +03:00			`_id: rule.triggerId,`
Export/Import done for rules 2018-09-14 19:20:24 +02:00			`}, noBoardId).fetch());`
			`result.actions.push(...Actions.find({`
Fix lint errors. 2018-09-16 01:50:36 +03:00			`_id: rule.actionId,`
Export/Import done for rules 2018-09-14 19:20:24 +02:00			`}, noBoardId).fetch());`
Export checklists 2017-07-20 00:24:21 +01:00			`});`
Fix Wekan import / Export for ChecklistItems 2018-04-28 22:17:56 +02:00
Export and import attachents as base64 encoded files 2017-07-15 22:10:46 +01:00			`// [Old] for attachments we only export IDs and absolute url to original doc`
			`// [New] Encode attachment to base64`
			`const getBase64Data = function(doc, callback) {`
			`let buffer = new Buffer(0);`
			`// callback has the form function (err, res) {}`
			`const readStream = doc.createReadStream();`
			`readStream.on('data', function(chunk) {`
			`buffer = Buffer.concat([buffer, chunk]);`
			`});`
			`readStream.on('error', function(err) {`
			`callback(err, null);`
			`});`
			`readStream.on('end', function() {`
			`// done`
			`callback(null, buffer.toString('base64'));`
			`});`
			`};`
			`const getBase64DataSync = Meteor.wrapAsync(getBase64Data);`
Favor FlowRouter.url over Meteor.absoluteUrl It hides the leading slash treatment as an hidden implementation detail. 2016-01-05 13:37:15 +01:00			`result.attachments = Attachments.find(byBoard).fetch().map((attachment) => {`
			`return {`
			`_id: attachment._id,`
			`cardId: attachment.cardId,`
Export and import attachents as base64 encoded files 2017-07-15 22:10:46 +01:00			`// url: FlowRouter.url(attachment.url()),`
			`file: getBase64DataSync(attachment),`
			`name: attachment.original.name,`
			`type: attachment.original.type,`
Favor FlowRouter.url over Meteor.absoluteUrl It hides the leading slash treatment as an hidden implementation detail. 2016-01-05 13:37:15 +01:00			`};`
			`});`
export board to Wekan JSON 2015-12-09 00:35:45 +01:00
Favor FlowRouter.url over Meteor.absoluteUrl It hides the leading slash treatment as an hidden implementation detail. 2016-01-05 13:37:15 +01:00			`// we also have to export some user data - as the other elements only`
			`// include id but we have to be careful:`
export board to Wekan JSON 2015-12-09 00:35:45 +01:00			`// 1- only exports users that are linked somehow to that board`
			`// 2- do not export any sensitive information`
			`const users = {};`
Export/Import done for rules 2018-09-14 19:20:24 +02:00			`result.members.forEach((member) => {`
			`users[member.userId] = true;`
			`});`
			`result.lists.forEach((list) => {`
			`users[list.userId] = true;`
			`});`
export board to Wekan JSON 2015-12-09 00:35:45 +01:00			`result.cards.forEach((card) => {`
			`users[card.userId] = true;`
			`if (card.members) {`
Export/Import done for rules 2018-09-14 19:20:24 +02:00			`card.members.forEach((memberId) => {`
			`users[memberId] = true;`
			`});`
export board to Wekan JSON 2015-12-09 00:35:45 +01:00			`}`
			`});`
Export/Import done for rules 2018-09-14 19:20:24 +02:00			`result.comments.forEach((comment) => {`
			`users[comment.userId] = true;`
			`});`
			`result.activities.forEach((activity) => {`
			`users[activity.userId] = true;`
			`});`
			`result.checklists.forEach((checklist) => {`
			`users[checklist.userId] = true;`
			`});`
			`const byUserIds = {`
			`_id: {`
Fix lint errors. 2018-09-16 01:50:36 +03:00			`$in: Object.getOwnPropertyNames(users),`
			`},`
Export/Import done for rules 2018-09-14 19:20:24 +02:00			`};`
export board to Wekan JSON 2015-12-09 00:35:45 +01:00			`// we use whitelist to be sure we do not expose inadvertently`
			`// some secret fields that gets added to User later.`
REST API - Meteor 1.4 - first step issue 2017-04-27 20:49:24 +03:00			`const userFields = {`
			`fields: {`
			`_id: 1,`
			`username: 1,`
			`'profile.fullname': 1,`
			`'profile.initials': 1,`
			`'profile.avatarUrl': 1,`
			`},`
			`};`
Export: include attachments 2015-12-17 11:58:55 +01:00			`result.users = Users.find(byUserIds, userFields).fetch().map((user) => {`
			`// user avatar is stored as a relative url, we export absolute`
Fix missing profile checks. Thanks to justinr1234 ! 2019-05-09 14:32:38 +03:00			`if ((user.profile \|\| {}).avatarUrl) {`
Favor FlowRouter.url over Meteor.absoluteUrl It hides the leading slash treatment as an hidden implementation detail. 2016-01-05 13:37:15 +01:00			`user.profile.avatarUrl = FlowRouter.url(user.profile.avatarUrl);`
Export: include attachments 2015-12-17 11:58:55 +01:00			`}`
			`return user;`
			`});`
export board to Wekan JSON 2015-12-09 00:35:45 +01:00			`return result;`
			`}`
Export Wekan now server-based with proper auth 2015-12-16 21:54:35 +01:00
			`canExport(user) {`
			`const board = Boards.findOne(this._boardId);`
			`return board && board.isVisibleBy(user);`
			`}`
export board to Wekan JSON 2015-12-09 00:35:45 +01:00			`}`