Merge branch 'devel'

This commit is contained in:
Lauri Ojansivu 2018-06-12 22:21:23 +03:00
commit 93e7c8aecf
10 changed files with 231 additions and 49 deletions


@ -1,10 +1,22 @@
# Upcoming Wekan release
# v1.04 2018-06-12 Wekan release
This release adds the following new features:
* [Add Khmer language](https://github.com/wekan/wekan/commit/2156e458690d0dc34a761a48fd7fa3b54af79031).
* [Add Khmer language](https://github.com/wekan/wekan/commit/2156e458690d0dc34a761a48fd7fa3b54af79031);
* [Modify card covers/mini-cards so that: 1) received date is shown unless there is a start date
2) due date is shown, unless there is an end date](https://github.com/wekan/wekan/pull/1685);
* [Change label text colour to black for specific label colours for better
visibility](https://github.com/wekan/wekan/pull/1689).
Thanks to GitHub user xet7 for contributions.
and fixes the following bugs:
* [SECURITY FIX: Do not publish all of people collection. This bug has probably been present
since addition of Admin Panel](https://github.com/wekan/wekan/commit/dda49d2f07f9c50d5d57acfd5c7eee6492f93b33);
* [Modify card covers/mini-cards so that: 1) received date is shown unless there is a start date
2) due date is shown, unless there is an end date](https://github.com/wekan/wekan/pull/1685).
Thanks to GitHub users rjevnikar and xet7 for their contributions.
Thanks to Adrian Genaid for security fix, he's now added to [Hall of Fame](https://wekan.github.io/hall-of-fame/).
Thanks to translators.
# v1.03 2018-06-08 Wekan release
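Review bot: the SECURITY FIX entry should state the impact so operators can judge their exposure: going by the `Meteor.publish('people', ...)` hunk in this same commit, the old publication had no `userId` check and no `fields` projection, so any client that subscribed to `people` received complete user documents. Suggest wording along the lines of "SECURITY FIX: the `people` publication returned complete user documents to any subscriber; it is now admin-only and limited to username, fullname, isAdmin, emails, createdAt and loginDisabled", so that administrators know which data was reachable before upgrading.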

SECURITY.md Normal file

@ -0,0 +1,129 @@
Security is very important to us. If discover any issue regarding security, please disclose
the information responsibly by sending an email to security (at) wekan.team and not by
creating a GitHub issue. We will respond swiftly to fix verifiable security issues.
We thank you with a place at our hall of fame page, that is
at https://wekan.github.io/hall-of-fame . Others have just posted public GitHub issue,
so they are not at that hall-of-fame page.
## How should reports be formatted?
```
Name: %name
Twitter: %twitter
Bug type: %bugtype
Domain: %domain
Severity: %severity
URL: %url
PoC: %poc
CVSS (optional): %cvss
CWSS (optional): %cwss
```
## Who can participate in the program
Anyone who reports a unique security issue in scope and does not disclose it to
a third party before we have patched and updated may be upon their approval
added to the Wekan Hall of Fame.
## Which domains are in scope?
No any public domains, because all those are donated to Wekan Open Source project,
and we don't have any permissions to do security scans on those donated servers.
Please don't perform research that could impact other users. Secondly, please keep
the reports short and succinct. If we fail to understand the logics of your bug, we will tell you.
You can [Install Wekan](https://github.com/wekan/wekan/releases) to your own computer
and scan it's vulnerabilities there.
## About Wekan versions
There is only 2 versions of Wekan: Standalone Wekan, and Sandstorm Wekan.
### Standalone Wekan Security
Standalone Wekan includes all non-Sandstorm platforms. Some Standalone Wekan platforms
like Snap and Docker have their own specific sandboxing etc features.
Standalone Wekan by default does not load any files from Internet, like fonts, CSS, etc.
This also means all Standalone Wekan functionality works in offline local networks.
Wekan is used by companies that have [thousands of users](https://github.com/wekan/wekan/wiki/AWS) and at healthcare.
Wekan uses xss package for input fields like cards, as you can see from
[package.json](https://github.com/wekan/wekan/blob/devel/package.json). Other used versions can be seen from
[Meteor versions file](https://github.com/wekan/wekan/blob/devel/.meteor/versions).
Forms can include markdown links, html, image tags etc like you see at https://wekan.github.io .
It's possible to add attachments to cards, and markdown/html links to files.
Wekan attachments are not accessible without logging in. Import from Trello works by copying
Trello export JSON to Wekan Trello import page, and in Trello JSON file there is direct links to all publicly
accessible Trello attachment files, that Standalone Wekan downloads directly to Wekan MongoDB database in
[CollectionFS](https://github.com/wekan/wekan/pull/875) format. When Wekan board is exported in
Wekan JSON format, all board attachments are included in Wekan JSON file as base64 encoded text.
That Wekan JSON format file can be imported to Sandstorm Wekan with all the attachments, when we get
latest Wekan version working on Sandstorm, only couple of bugs are left before that. In Sandstorm it's not
possible yet to import from Trello with attachments, because Wekan does not implement Sandstorm-compatible
access to outside of Wekan grain.
Standalone Wekan only has password auth currently, there is work in progress to add
[oauth2](https://github.com/wekan/wekan/pull/1578), [Openid](https://github.com/wekan/wekan/issues/538),
[LDAP](https://github.com/wekan/wekan/issues/119) etc. If you need more login security for Standalone Wekan now,
it's possible add additional [Google Auth proxybouncer](https://github.com/wekan/wekan/wiki/Let's-Encrypt-and-Google-Auth) in front of password auth, and then use Google Authenticator for Google Auth. Standalone Wekan does have [brute force protection with eluck:accounts-lockout and browser-policy clickjacking protection](https://github.com/wekan/wekan/blob/devel/CHANGELOG.md#v080-2018-04-04-wekan-release). You can also optionally use some [WAF](https://en.wikipedia.org/wiki/Web_application_firewall)
like for example [AWS WAF](https://aws.amazon.com/waf/).
[All Wekan Platforms](https://github.com/wekan/wekan/wiki/Platforms)
### Sandstorm Wekan Security
On Sandstorm platform using environment variable Standalone Wekan features like Admin Panel etc are
turned off, because Sandstorm platform provides SSO for all apps running on Sandstorm.
[Sandstorm](https://sandstorm.io) is separate Open Source platform that has been
[security audited](https://sandstorm.io/news/2017-03-02-security-review) and found bugs fixed.
Sandstorm also has passwordless login, LDAP, SAML, Google etc auth options already.
At Sandstorm code is read-only and signed by app maintainers, only grain content can be modified.
Wekan at Sandstorm runs in sandboxed grain, it does not have access elsewhere without user-visible
PowerBox request or opening randomly-generated API key URL.
Also read [Sandstorm Security Practices](https://docs.sandstorm.io/en/latest/using/security-practices/) and
[Sandstorm Security non-events](https://docs.sandstorm.io/en/latest/using/security-non-events/).
For Sandstorm specific security issues you can contact [kentonv](https://github.com/kentonv) by email.
## What Wekan bugs are eligible?
Any typical web security bugs. If any of the previously mentioned is somehow problematic and
a security issue, we'd like to know about it, and also how to fix it:
- Cross-site Scripting
- Open redirect
- Cross-site request forgery
- File inclusion
- Authentication bypass
- Server-side code execution
## What Wekan bugs are NOT eligible?
Typical already known or "no impact" bugs such as:
- Brute force password guessign. Currently there is
[brute force protection with eluck:accounts-lockout](https://github.com/wekan/wekan/blob/devel/CHANGELOG.md#v080-2018-04-04-wekan-release).
- Security issues related to that Wekan uses Meteor 1.6.0.1 related packages, and upgrading to newer
Meteor 1.6.1 is complicated process that requires lots of changes to many dependency packages.
Upgrading [has been tried many times, spending a lot of time](https://github.com/meteor/meteor/issues/9609)
but there still is issues. Helping with package upgrades is very welcome.
- [Wekan API old tokens not replaced correctly](https://github.com/wekan/wekan/issues/1437)
- Missing Cookie flags on non-session cookies or 3rd party cookies
- Logout CSRF
- Social engineering
- Denial of service
- SSL BEAST/CRIME/etc. Wekan does not have SSL built-in, it uses Caddy/Nginx/Apache etc at front.
Integrated Caddy support is updated often.
- Email spoofing, SPF, DMARC & DKIM. Wekan does not include email server.
Wekan is Open Source with MIT license, and free to use also for commercial use.
We welcome all fixes to improve security by email to security (at) wekan.team .
## Bonus Points
If your Responsible Security Disclosure includes code for fixing security issue,
you get bonus points, as seen on [Hall of Fame](https://wekan.github.io/hall-of-fame).
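Review bot: several wording slips in the new policy text: "If discover any issue" should be "If you discover any issue", "guessign" should be "guessing", "scan it's vulnerabilities" should be "scan its vulnerabilities", "No any public domains" reads better as "No public domains", and "There is only 2 versions" should be "There are only 2 versions". Also, the scope section says no public domain is in scope, yet the report template asks for `Domain:` and `URL:`; state explicitly that those fields refer to the reporter's own Wekan installation so nobody reads the template as an invitation to test wekan.team or the donated servers.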


@ -279,11 +279,14 @@ class CardDueDate extends CardDate {
classes() {
let classes = 'due-date' + ' ';
if (this.now.get().diff(this.date.get(), 'days') >= 2)
if ((this.now.get().diff(this.date.get(), 'days') >= 2) &&
(this.date.get().isBefore(this.data().endAt)))
classes += 'long-overdue';
else if (this.now.get().diff(this.date.get(), 'minute') >= 0)
else if ((this.now.get().diff(this.date.get(), 'minute') >= 0) &&
(this.date.get().isBefore(this.data().endAt)))
classes += 'due';
else if (this.now.get().diff(this.date.get(), 'days') >= -1)
else if ((this.now.get().diff(this.date.get(), 'days') >= -1) &&
(this.date.get().isBefore(this.data().endAt)))
classes += 'almost-due';
return classes;
}
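Review bot: the new `this.date.get().isBefore(this.data().endAt)` guard is repeated in all three branches, and its behaviour when the card has no end date needs checking: if these are moment objects, as the `diff(..., 'days')` calls suggest, `isBefore(undefined)` is evaluated against the current time, so a due date that is still in the future would no longer get `almost-due` on cards without an end date. Suggest computing the guard once, e.g. `const endAt = this.data().endAt;` and `const beforeEnd = !endAt || this.date.get().isBefore(endAt);`, then using `beforeEnd` in each branch so cards without an end date keep the previous styling.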


@ -3,7 +3,7 @@
// XXX Use .board-widget-labels as a flexbox container
.card-label
border-radius: 4px
color: white
color: white //Default white text, in select cases, changed to black to improve contrast between label colour and text
display: inline-block
font-weight: 700
font-size: 13px
@ -48,9 +48,11 @@
.card-label-yellow
background-color: #fad900
color: #000000 //Black text for better visibility
.card-label-orange
background-color: #ff9f19
color: #000000 //Black text for better visibility
.card-label-red
background-color: #eb4646
@ -63,6 +65,7 @@
.card-label-pink
background-color: #ff78cb
color: #000000 //Black text for better visibility
.card-label-sky
background-color: #00c2e0
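Review bot: `.card-label-sky` (#00c2e0) keeps the default white text although, by the WCAG relative-luminance formula, white on that background gives roughly 2:1 contrast while black gives roughly 10:1, a larger gap than for several labels that did receive the `color: #000000` override in this change (silver and peachpuff, for instance). Consider adding the same override here and, to keep this list of hand-picked overrides from drifting as colours are added, deriving the text colour from the background luminance in one place.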
@ -72,18 +75,22 @@
.card-label-lime
background-color: #51e898
color: #000000 //Black text for better visibility
.card-label-silver
background-color: #c0c0c0
color: #000000 //Black text for better visibility
.card-label-peachpuff
background-color: #ffdab9
color: #000000 //Black text for better visibility
.card-label-crimson
background-color: #dc143c
.card-label-plum
background-color: #dda0dd
color: #000000 //Black text for better visibility
.card-label-darkgreen
background-color: #006400
@ -96,6 +103,7 @@
.card-label-gold
background-color: #ffd700
color: #000000 //Black text for better visibility
.card-label-navy
background-color: #000080
@ -108,9 +116,11 @@
.card-label-paleturquoise
background-color: #afeeee
color: #000000 //Black text for better visibility
.card-label-mistyrose
background-color: #ffe4e1
color: #000000 //Black text for better visibility
.card-label-indigo
background-color: #4b0082


@ -10,12 +10,22 @@ template(name="minicard")
+viewer
= title
.dates
if receivedAt
unless startAt
unless dueAt
unless endAt
.date
+miniCardReceivedDate
if startAt
.date
+minicardStartDate
if dueAt
unless endAt
.date
+minicardDueDate
if endAt
.date
+minicardDueDate
+minicardEndDate
if spentTime
.date
+cardSpentTime
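Review bot: the nesting `if receivedAt / unless startAt / unless dueAt / unless endAt` hides the received date whenever a due or end date exists, which is stricter than the changelog's "received date is shown unless there is a start date"; and inside `if endAt` the `+minicardDueDate` is rendered even though the preceding `if dueAt / unless endAt` block exists to suppress it when an end date is set (the changelog says "due date is shown, unless there is an end date"). Either drop the two extra `unless` lines and the `+minicardDueDate` under `if endAt`, or update the changelog entry to describe this behaviour.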


@ -469,10 +469,10 @@
"card-end-on": "Endet am",
"editCardReceivedDatePopup-title": "Empfangsdatum ändern",
"editCardEndDatePopup-title": "Enddatum ändern",
"assigned-by": "Zugeteilt von",
"assigned-by": "Zugewiesen von",
"requested-by": "Angefordert von",
"board-delete-notice": "Löschen ist dauerhaft. Du verlierst alle Listen, Karten und Aktionen, welche mit diesem Board verbunden sind.",
"delete-board-confirm-popup": "Alle Listen, Karten, Beschriftungen und Akivitäten werden gelöscht, das Board kann nicht wiederhergestellt werden! Es gibt kein Rückgängig.",
"board-delete-notice": "Löschen kann nicht rückgängig gemacht werden. Sie werden alle Listen, Karten und Aktionen, die mit diesem Board verbunden sind, verlieren.",
"delete-board-confirm-popup": "Alle Listen, Karten, Labels und Akivitäten werden gelöscht und Sie können die Inhalte des Boards nicht wiederherstellen! Die Aktion kann nicht rückgängig gemacht werden.",
"boardDeletePopup-title": "Board löschen?",
"delete-board": "Board löschen"
}
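Review bot: the new `delete-board-confirm-popup` string keeps the misspelling "Akivitäten" (should be "Aktivitäten") that was already in the old line; fix it while this string is being rewritten. The rewrite also switches from the informal "Du verlierst" to the formal "Sie werden ... verlieren"; check that this matches the form of address used in the rest of the German locale.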


@ -7,7 +7,7 @@
"act-addComment": "在 __card__ 发布评论: __comment__",
"act-createBoard": "创建看板 __board__",
"act-createCard": "添加卡片 __card__ 至列表 __list__",
"act-createCustomField": "created custom field __customField__",
"act-createCustomField": "创建了自定义字段 __customField__",
"act-createList": "添加列表 __list__ 至看板 __board__",
"act-addBoardMember": "添加成员 __member__ 至看板 __board__",
"act-archivedBoard": "__board__ 已被移入回收站 ",
@ -31,7 +31,7 @@
"activity-archived": "%s 已被移入回收站",
"activity-attached": "添加附件 %s 至 %s",
"activity-created": "创建 %s",
"activity-customfield-created": "created custom field %s",
"activity-customfield-created": "创建了自定义字段 %s",
"activity-excluded": "排除 %s 从 %s",
"activity-imported": "导入 %s 至 %s 从 %s 中",
"activity-imported-board": "已导入 %s 从 %s 中",
@ -113,7 +113,7 @@
"card-due-on": "期限",
"card-spent": "耗时",
"card-edit-attachments": "编辑附件",
"card-edit-custom-fields": "Edit custom fields",
"card-edit-custom-fields": "编辑自定义字段",
"card-edit-labels": "编辑标签",
"card-edit-members": "编辑成员",
"card-labels-title": "更改该卡片上的标签",
@ -121,8 +121,8 @@
"card-start": "开始",
"card-start-on": "始于",
"cardAttachmentsPopup-title": "附件来源",
"cardCustomField-datePopup-title": "Change date",
"cardCustomFieldsPopup-title": "Edit custom fields",
"cardCustomField-datePopup-title": "修改日期",
"cardCustomFieldsPopup-title": "编辑自定义字段",
"cardDeletePopup-title": "彻底删除卡片?",
"cardDetailsActionsPopup-title": "卡片操作",
"cardLabelsPopup-title": "标签",
@ -172,25 +172,25 @@
"createBoardPopup-title": "创建看板",
"chooseBoardSourcePopup-title": "导入看板",
"createLabelPopup-title": "创建标签",
"createCustomField": "Create Field",
"createCustomFieldPopup-title": "Create Field",
"createCustomField": "创建字段",
"createCustomFieldPopup-title": "创建字段",
"current": "当前",
"custom-field-delete-pop": "There is no undo. This will remove this custom field from all cards and destroy its history.",
"custom-field-checkbox": "Checkbox",
"custom-field-delete-pop": "没有撤销,此动作将从所有卡片中移除自定义字段并销毁历史。",
"custom-field-checkbox": "选择框",
"custom-field-date": "日期",
"custom-field-dropdown": "Dropdown List",
"custom-field-dropdown-none": "(none)",
"custom-field-dropdown-options": "List Options",
"custom-field-dropdown-options-placeholder": "Press enter to add more options",
"custom-field-dropdown-unknown": "(unknown)",
"custom-field-number": "Number",
"custom-field-text": "Text",
"custom-fields": "Custom Fields",
"custom-field-dropdown": "下拉列表",
"custom-field-dropdown-none": "()",
"custom-field-dropdown-options": "列表选项",
"custom-field-dropdown-options-placeholder": "回车可以加入更多选项",
"custom-field-dropdown-unknown": "(未知)",
"custom-field-number": "数字",
"custom-field-text": "文本",
"custom-fields": "自定义字段",
"date": "日期",
"decline": "拒绝",
"default-avatar": "默认头像",
"delete": "删除",
"deleteCustomFieldPopup-title": "Delete Custom Field?",
"deleteCustomFieldPopup-title": "删除自定义字段?",
"deleteLabelPopup-title": "删除标签?",
"description": "描述",
"disambiguateMultiLabelPopup-title": "标签消歧 [?]",
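Review bot: `"custom-field-dropdown-none": "()"` has lost the word inside the parentheses (the English source line is "(none)"), so the dropdown's empty choice would render as bare brackets; the neighbouring `"custom-field-dropdown-unknown": "(未知)"` shows the intended pattern, so something like "(无)" is needed here.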
@ -205,7 +205,7 @@
"soft-wip-limit": "软在制品限制",
"editCardStartDatePopup-title": "修改起始日期",
"editCardDueDatePopup-title": "修改截止日期",
"editCustomFieldPopup-title": "Edit Field",
"editCustomFieldPopup-title": "编辑字段",
"editCardSpentTimePopup-title": "修改耗时",
"editLabelPopup-title": "更改标签",
"editNotificationPopup-title": "编辑通知",
@ -242,12 +242,12 @@
"filter-clear": "清空过滤器",
"filter-no-label": "无标签",
"filter-no-member": "无成员",
"filter-no-custom-fields": "No Custom Fields",
"filter-no-custom-fields": "无自定义字段",
"filter-on": "过滤器启用",
"filter-on-desc": "你正在过滤该看板上的卡片,点此编辑过滤。",
"filter-to-selection": "要选择的过滤器",
"advanced-filter-label": "Advanced Filter",
"advanced-filter-description": "Advanced Filter allows to write a string containing following operators: == != <= >= && || ( ) A space is used as a separator between the Operators. You can filter for all Custom Fields by typing their names and values. For Example: Field1 == Value1. Note: If fields or values contains spaces, you need to encapsulate them into single quotes. For Example: 'Field 1' == 'Value 1'. Also you can combine multiple conditions. For Example: F1 == V1 || F1 = V2. Normally all operators are interpreted from left to right. You can change the order by placing brackets. For Example: F1 == V1 and ( F2 == V2 || F2 == V3 )",
"advanced-filter-label": "高级过滤器",
"advanced-filter-description": "高级过滤器可以使用包含如下操作符的字符串进行过滤:== != <= >= && || ( ) 。操作符之间用空格隔开。输入字段名和数值就可以过滤所有自定义字段。例如Field1 == Value1. 注意如果字段名或数值包含空格,需要用单引号。例如: 'Field 1' == 'Value 1'。支持组合使用多个条件,例如: F1 == V1 || F1 = V2。通常以从左到右的顺序进行判断。可以通过括号修改顺序,例如:F1 == V1 and ( F2 == V2 || F2 == V3 )",
"fullname": "全称",
"header-logo-title": "返回您的看板页",
"hide-system-messages": "隐藏系统消息",
@ -389,7 +389,7 @@
"title": "标题",
"tracking": "跟踪",
"tracking-info": "当任何包含您(作为创建者或成员)的卡片发生变更时,您将得到通知。",
"type": "Type",
"type": "类型",
"unassign-member": "取消分配成员",
"unsaved-description": "存在未保存的描述",
"unwatch": "取消关注",
@ -454,7 +454,7 @@
"hours": "小时",
"minutes": "分钟",
"seconds": "秒",
"show-field-on-card": "Show this field on card",
"show-field-on-card": "在卡片上显示此字段",
"yes": "是",
"no": "否",
"accounts": "账号",
@ -469,10 +469,10 @@
"card-end-on": "终止于",
"editCardReceivedDatePopup-title": "修改接收日期",
"editCardEndDatePopup-title": "修改终止日期",
"assigned-by": "Assigned By",
"requested-by": "Requested By",
"board-delete-notice": "Deleting is permanent. You will lose all lists, cards and actions associated with this board.",
"delete-board-confirm-popup": "All lists, cards, labels, and activities will be deleted and you won't be able to recover the board contents. There is no undo.",
"boardDeletePopup-title": "Delete Board?",
"delete-board": "Delete Board"
"assigned-by": "分配人",
"requested-by": "需求人",
"board-delete-notice": "删除时永久操作,将会丢失此看板上的所有列表、卡片和动作。",
"delete-board-confirm-popup": "所有列表、卡片、标签和活动都回被删除,将无法恢复看板内容。不支持撤销。",
"boardDeletePopup-title": "删除看板?",
"delete-board": "删除看板"
}
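Review bot: two typos in the new strings: `"board-delete-notice"` begins with "删除时永久操作" where "删除是永久操作" is meant, and `"delete-board-confirm-popup"` has "都回被删除" where "都会被删除" is meant.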


@ -1,6 +1,6 @@
{
"name": "wekan",
"version": "1.03.0",
"version": "1.04.0",
"description": "The open-source Trello-like kanban",
"private": true,
"scripts": {


@ -22,10 +22,10 @@ const pkgdef :Spk.PackageDefinition = (
appTitle = (defaultText = "Wekan"),
# The name of the app as it is displayed to the user.
appVersion = 88,
appVersion = 89,
# Increment this for every release.
appMarketingVersion = (defaultText = "1.03.0~2018-06-08"),
appMarketingVersion = (defaultText = "1.04.0~2018-06-12"),
# Human-readable presentation of the app version.
minUpgradableAppVersion = 0,


@ -1,7 +1,25 @@
Meteor.publish('people', (limit) => {
Meteor.publish('people', function(limit) {
check(limit, Number);
return Users.find({}, {
limit,
sort: {createdAt: -1},
});
if (!Match.test(this.userId, String)) {
return [];
}
const user = Users.findOne(this.userId);
if (user && user.isAdmin) {
return Users.find({}, {
limit,
sort: {createdAt: -1},
fields: {
'username': 1,
'profile.fullname': 1,
'isAdmin': 1,
'emails': 1,
'createdAt': 1,
'loginDisabled': 1,
},
});
} else {
return [];
}
});
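Review bot: good fix, with two follow-ups. First, the old publication had neither a `userId` check nor a `fields` projection, so every subscriber received whole user documents, which in Meteor includes the `services` subdocument (password hashes and login tokens); the new `fields` list keeps those off the wire, and that is the part worth protecting with a server test asserting that an anonymous and a non-admin subscription to `people` yield no documents, so the regression cannot return silently. Second, `check(limit, Number)` accepts any number, so an admin client can still request the whole collection in one go; consider clamping `limit` to a sane maximum. The change from an arrow function to `function(limit)` is required here, since `this.userId` is not bound inside arrow functions.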