Andreas/wekan
1
0
Fork 0
mirror of https://github.com/wekan/wekan.git synced 2025-12-23 19:00:12 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

- Fix critical and moderate security vulnerabilities reported at 2020-02-26 with

Browse source 
responsible disclosure by [Dejan Zelic](https://twitter.com/dejandayoff),
  Justin Benjamin and others at [Offensive Security](https://twitter.com/offsectraining),
  that follow standard 90 days before public disclosure.
  Thanks to xet7.
- Fix webhook error that prevented some card etc deleting from web UI of board.
  Thanks to xet7.
- Add some more Font Awesome icons.
  Thanks to xet7.
- Remove autofocus from many form input boxes so that they would not cause warnings.
  Thanks to xet7.
This commit is contained in:
Lauri Ojansivu 2020-03-01 20:59:53 +02:00
parent fc35c234a7
commit aac7c380c8
6 changed files with 368 additions and 338 deletions
Download patch file Download diff file Expand all files Collapse all files

4
client/components/settings/peopleBody.jade
View file

@ -110,7 +110,7 @@ template(name="editUserPopup")
label.hide.userId(type="text" value=user._id)
label
| {{_ 'fullname'}}
input.js-profile-fullname(type="text" value=user.profile.fullname autofocus)
input.js-profile-fullname(type="text" value=user.profile.fullname)
label
| {{_ 'username'}}
span.error.hide.username-taken
@ -159,7 +159,7 @@ template(name="newUserPopup")
//label.hide.userId(type="text" value=user._id)
label
| {{_ 'fullname'}}
input.js-profile-fullname(type="text" value="" autofocus)
input.js-profile-fullname(type="text" value="")
label
| {{_ 'username'}}
span.error.hide.username-taken

9
client/components/sidebar/sidebar.jade
View file

@ -245,7 +245,7 @@ template(name="outgoingWebhooksPopup")
b  
.materialCheckBox(class="{{#unless enabled}}is-checked{{/unless}}")
input.js-outgoing-webhooks-title(placeholder="{{_ 'webhook-title'}}" type="text" name="title" value=title)
input.js-outgoing-webhooks-url(type="text" name="url" value=url autofocus)
input.js-outgoing-webhooks-url(type="text" name="url" value=url)
input.js-outgoing-webhooks-token(placeholder="{{_ 'webhook-token' }}" type="text" value=token name="token")
select.js-outgoing-webhooks-type(name="type")
each _type in types
@ -257,7 +257,7 @@ template(name="outgoingWebhooksPopup")
input(type="hidden" value=_id name="id")
input.primary.wide(type="submit" value="{{_ 'save'}}")
form.integration-form
input.js-outgoing-webhooks-title(placeholder="{{_ 'webhook-title'}}" type="text" name="title" autofocus)
input.js-outgoing-webhooks-title(placeholder="{{_ 'webhook-title'}}" type="text" name="title")
input.js-outgoing-webhooks-url(placeholder="{{_ 'URL' }}" type="text" name="url")
input.js-outgoing-webhooks-token(placeholder="{{_ 'webhook-token' }}" type="text" name="token")
select.js-outgoing-webhooks-type(name="type")
@ -267,7 +267,10 @@ template(name="outgoingWebhooksPopup")
template(name="boardMenuPopup")
ul.pop-over-list
li: a.js-custom-fields {{_ 'custom-fields'}}
li
a.js-custom-fields
i.fa.fa-list-alt
| {{_ 'custom-fields'}}
li
a.js-open-archives
i.fa.fa-archive

7
models/activities.js
View file

@ -108,7 +108,7 @@ if (Meteor.isServer) {
let participants = [];
let watchers = [];
let title = 'act-activity-notify';
let board = null;
const board = Boards.findOne(activity.boardId);
const description = `act-${activity.activityType}`;
const params = {
activityId: activity._id,
@ -122,8 +122,11 @@ if (Meteor.isServer) {
params.userId = activity.userId;
}
if (activity.boardId) {
board = activity.board();
if (board.title.length > 0) {
params.board = board.title;
} else {
params.board = '';
}
title = 'act-withBoardTitle';
params.url = board.absoluteUrl();
params.boardId = activity.boardId;

61
models/users.js
View file

@ -620,8 +620,32 @@ Users.mutations({
});
Meteor.methods({
setListSortBy(value) {
check(value, String);
Meteor.user().setListSortBy(value);
},
toggleDesktopDragHandles() {
const user = Meteor.user();
user.toggleDesktopHandles(user.hasShowDesktopDragHandles());
},
toggleSystemMessages() {
const user = Meteor.user();
user.toggleSystem(user.hasHiddenSystemMessages());
},
toggleMinicardLabelText() {
const user = Meteor.user();
user.toggleLabelText(user.hasHiddenMinicardLabelText());
},
changeLimitToShowCardsCount(limit) {
check(limit, Number);
Meteor.user().setShowCardsCountAt(limit);
},
});
if (Meteor.isServer) {
Meteor.methods({
setCreateUser(fullname, username, password, isAdmin, isActive, email) {
if (Meteor.user().isAdmin) {
if (Meteor.user() && Meteor.user().isAdmin) {
check(fullname, String);
check(username, String);
check(password, String);
@ -649,6 +673,7 @@ Meteor.methods({
}
},
setUsername(username, userId) {
if (Meteor.user() && Meteor.user().isAdmin) {
check(username, String);
check(userId, String);
const nUsersWithUsername = Users.find({ username }).count();
@ -657,28 +682,10 @@ Meteor.methods({
} else {
Users.update(userId, { $set: { username } });
}
},
setListSortBy(value) {
check(value, String);
Meteor.user().setListSortBy(value);
},
toggleDesktopDragHandles() {
const user = Meteor.user();
user.toggleDesktopHandles(user.hasShowDesktopDragHandles());
},
toggleSystemMessages() {
const user = Meteor.user();
user.toggleSystem(user.hasHiddenSystemMessages());
},
toggleMinicardLabelText() {
const user = Meteor.user();
user.toggleLabelText(user.hasHiddenMinicardLabelText());
},
changeLimitToShowCardsCount(limit) {
check(limit, Number);
Meteor.user().setShowCardsCountAt(limit);
}
},
setEmail(email, userId) {
if (Meteor.user() && Meteor.user().isAdmin) {
if (Array.isArray(email)) {
email = email.shift();
}
@ -701,8 +708,10 @@ Meteor.methods({
},
});
}
}
},
setUsernameAndEmail(username, email, userId) {
if (Meteor.user() && Meteor.user().isAdmin) {
check(username, String);
if (Array.isArray(email)) {
email = email.shift();
@ -711,18 +720,17 @@ Meteor.methods({
check(userId, String);
Meteor.call('setUsername', username, userId);
Meteor.call('setEmail', email, userId);
}
},
setPassword(newPassword, userId) {
if (Meteor.user() && Meteor.user().isAdmin) {
check(userId, String);
check(newPassword, String);
if (Meteor.user().isAdmin) {
Accounts.setPassword(userId, newPassword);
}
}
},
});
if (Meteor.isServer) {
Meteor.methods({
// we accept userId, username, email
inviteUserToBoard(username, boardId) {
check(username, String);
@ -754,8 +762,9 @@ if (Meteor.isServer) {
throw new Meteor.Error('error-user-notAllowSelf');
} else {
if (posAt <= 0) throw new Meteor.Error('error-user-doesNotExist');
if (Settings.findOne().disableRegistration)
if (Settings.findOne({ disableRegistration: true })) {
throw new Meteor.Error('error-user-notCreated');
}
// Set in lowercase email before creating account
const email = username.toLowerCase();
username = email.substring(0, posAt);

29
server/notifications/outgoing.js
View file

@ -1,4 +1,5 @@
const postCatchError = Meteor.wrapAsync((url, options, resolve) => {
if (Meteor.isServer) {
const postCatchError = Meteor.wrapAsync((url, options, resolve) => {
HTTP.post(url, options, (err, res) => {
if (err) {
resolve(null, err.response);
@ -6,9 +7,9 @@ const postCatchError = Meteor.wrapAsync((url, options, resolve) => {
resolve(null, res);
}
});
});
});
const Lock = {
const Lock = {
_lock: {},
_timer: {},
echoDelay: 500, // echo should be happening much faster
@ -47,9 +48,9 @@ const Lock = {
unset(id) {
delete this._lock[id];
},
};
};
const webhooksAtbts = (process.env.WEBHOOKS_ATTRIBUTES &&
const webhooksAtbts = (process.env.WEBHOOKS_ATTRIBUTES &&
process.env.WEBHOOKS_ATTRIBUTES.split(',')) || [
'cardId',
'listId',
@ -60,8 +61,8 @@ const webhooksAtbts = (process.env.WEBHOOKS_ATTRIBUTES &&
'card',
'commentId',
'swimlaneId',
];
const responseFunc = data => {
];
const responseFunc = data => {
const paramCommentId = data.commentId;
const paramCardId = data.cardId;
const paramBoardId = data.boardId;
@ -97,9 +98,10 @@ const responseFunc = data => {
}
}
}
};
Meteor.methods({
};
Meteor.methods({
outgoingWebhooks(integration, description, params) {
if (Meteor.user()) {
check(integration, Object);
check(description, String);
check(params, Object);
@ -153,7 +155,11 @@ Meteor.methods({
headers,
data: is2way ? { description, ...clonedParams } : value,
};
if (!Integrations.findOne({ url: integration.url })) return;
const url = integration.url;
if (is2way) {
const cid = params.commentId;
const comment = params.comment;
@ -187,6 +193,7 @@ Meteor.methods({
} else {
throw new Meteor.Error('error-invalid-webhook-response');
}
//});
}
},
});
});
}

14
server/statistics.js
View file

@ -1,7 +1,9 @@
import { MongoInternals } from 'meteor/mongo';
Meteor.methods({
if (Meteor.isServer) {
Meteor.methods({
getStatistics() {
if (Meteor.user() && Meteor.user().isAdmin) {
const os = require('os');
const pjson = require('/package.json');
const statistics = {};
@ -50,7 +52,9 @@ Meteor.methods({
mongoOplogEnabled = oplogEnabled;
} catch (e) {
try {
const { version } = Promise.await(mongo.db.command({ buildinfo: 1 }));
const { version } = Promise.await(
mongo.db.command({ buildinfo: 1 }),
);
mongoVersion = version;
mongoStorageEngine = 'unknown';
} catch (e) {
@ -64,5 +68,9 @@ Meteor.methods({
mongoOplogEnabled,
};
return statistics;
} else {
return false;
}
},
});
});
}