github-mirrors/wekan
1
0
Fork 0
mirror of https://github.com/wekan/wekan.git synced 2025-04-22 21:17:18 -04:00
Code Issues Projects Releases Packages Wiki Activity

Merge branch 'lib-change' of https://github.com/PDIS/wekan into

Browse source 
PDIS-lib-change
This commit is contained in:
Lauri Ojansivu 2020-05-24 03:13:53 +03:00
commit 055b528532
24 changed files with 823 additions and 442 deletions
Download patch file Download diff file Expand all files Collapse all files

1
.meteor/packages
View file

@ -98,3 +98,4 @@ percolate:synced-cron
easylogic:summernote
cfs:filesystem
ostrio:cookies
ostrio:files

1
.meteor/versions
View file

@ -134,6 +134,7 @@ observe-sequence@1.0.16
ongoworks:speakingurl@1.1.0
ordered-dict@1.1.0
ostrio:cookies@2.6.0
ostrio:files@1.14.2
peerlibrary:assert@0.3.0
peerlibrary:base-component@0.16.0
peerlibrary:blaze-components@0.15.1

7
client/components/activities/activities.js
View file

@ -152,17 +152,18 @@ BlazeComponent.extendComponent({
attachmentLink() {
const attachment = this.currentData().activity.attachment();
const link = attachment.link('original', '/');
// trying to display url before file is stored generates js errors
return (
(attachment &&
attachment.url({ download: true }) &&
link &&
Blaze.toHTML(
HTML.A(
{
href: attachment.url({ download: true }),
href: link,
target: '_blank',
},
attachment.name(),
attachment.name,
),
)) ||
this.currentData().activity.attachmentName

13
client/components/cards/attachments.jade
View file

@ -18,12 +18,19 @@ template(name="attachmentDeletePopup")
p {{_ "attachment-delete-pop"}}
button.js-confirm.negate.full(type="submit") {{_ 'delete'}}
template(name="uploadingPopup")
.uploading-info
span.upload-percentage {{progress}}%
.upload-progress-frame
.upload-progress-bar(style="width: {{progress}}%;")
span.upload-size {{fileSize}}
template(name="attachmentsGalery")
.attachments-galery
each attachments
.attachment-item
a.attachment-thumbnail.swipebox(href="{{url}}" title="{{name}}")
if isUploaded
a.attachment-thumbnail.swipebox(href="{{url}}" download="{{name}}" title="{{name}}")
if isUploaded
if isImage
img.attachment-thumbnail-img(src="{{url}}")
else
@ -33,7 +40,7 @@ template(name="attachmentsGalery")
p.attachment-details
= name
span.attachment-details-actions
a.js-download(href="{{url download=true}}")
a.js-download(href="{{url download=true}}" download="{{name}}")
i.fa.fa-download
| {{_ 'download'}}
if currentUser.isBoardMember

103
client/components/cards/attachments.js
View file

@ -13,10 +13,10 @@ Template.attachmentsGalery.events({
event.stopPropagation();
},
'click .js-add-cover'() {
Cards.findOne(this.cardId).setCover(this._id);
Cards.findOne(this.meta.cardId).setCover(this._id);
},
'click .js-remove-cover'() {
Cards.findOne(this.cardId).unsetCover();
Cards.findOne(this.meta.cardId).unsetCover();
},
'click .js-preview-image'(event) {
Popup.open('previewAttachedImage').call(this, event);
@ -45,22 +45,63 @@ Template.attachmentsGalery.events({
},
});
Template.attachmentsGalery.helpers({
url() {
return Attachments.link(this, 'original', '/');
},
isUploaded() {
return !this.meta.uploading;
},
isImage() {
return !!this.isImage;
},
});
Template.previewAttachedImagePopup.events({
'click .js-large-image-clicked'() {
Popup.close();
},
});
Template.previewAttachedImagePopup.helpers({
url() {
return Attachments.link(this, 'original', '/');
}
});
// For uploading popup
let uploadFileSize = new ReactiveVar('');
let uploadProgress = new ReactiveVar(0);
Template.cardAttachmentsPopup.events({
'change .js-attach-file'(event) {
'change .js-attach-file'(event, instance) {
const card = this;
const processFile = f => {
Utils.processUploadedAttachment(card, f, attachment => {
if (attachment && attachment._id && attachment.isImage()) {
card.setCover(attachment._id);
const callbacks = {
onBeforeUpload: (err, fileData) => {
Popup.open('uploading')(this.clickEvent);
uploadFileSize.set('...');
uploadProgress.set(0);
return true;
},
onUploaded: (err, attachment) => {
if (attachment && attachment._id && attachment.isImage) {
card.setCover(attachment._id);
}
Popup.close();
},
onStart: (error, fileData) => {
uploadFileSize.set(formatBytes(fileData.size));
},
onError: (err, fileObj) => {
console.log('Error!', err);
},
onProgress: (progress, fileData) => {
uploadProgress.set(progress);
}
Popup.close();
});
};
const processFile = f => {
Utils.processUploadedAttachment(card, f, callbacks);
};
FS.Utility.eachFile(event, f => {
@ -100,12 +141,22 @@ Template.cardAttachmentsPopup.events({
});
},
'click .js-computer-upload'(event, templateInstance) {
this.clickEvent = event;
templateInstance.find('.js-attach-file').click();
event.preventDefault();
},
'click .js-upload-clipboard-image': Popup.open('previewClipboardImage'),
});
Template.uploadingPopup.helpers({
fileSize: () => {
return uploadFileSize.get();
},
progress: () => {
return uploadProgress.get();
}
});
const MAX_IMAGE_PIXEL = Utils.MAX_IMAGE_PIXEL;
const COMPRESS_RATIO = Utils.IMAGE_COMPRESS_RATIO;
let pastedResults = null;
@ -149,20 +200,26 @@ Template.previewClipboardImagePopup.events({
if (results && results.file) {
window.oPasted = pastedResults;
const card = this;
const file = new FS.File(results.file);
const settings = {
file: results.file,
streams: 'dynamic',
chunkSize: 'dynamic',
};
if (!results.name) {
// if no filename, it's from clipboard. then we give it a name, with ext name from MIME type
if (typeof results.file.type === 'string') {
file.name(results.file.type.replace('image/', 'clipboard.'));
settings.fileName =
new Date().getTime() + results.file.type.replace('.+/', '');
}
}
file.updatedAt(new Date());
file.boardId = card.boardId;
file.cardId = card._id;
file.userId = Meteor.userId();
const attachment = Attachments.insert(file);
settings.meta = {};
settings.meta.updatedAt = new Date().getTime();
settings.meta.boardId = card.boardId;
settings.meta.cardId = card._id;
settings.meta.userId = Meteor.userId();
const attachment = Attachments.insert(settings);
if (attachment && attachment._id && attachment.isImage()) {
if (attachment && attachment._id && attachment.isImage) {
card.setCover(attachment._id);
}
@ -172,3 +229,15 @@ Template.previewClipboardImagePopup.events({
}
},
});
function formatBytes(bytes, decimals = 2) {
if (bytes === 0) return '0 Bytes';
const k = 1024;
const dm = decimals < 0 ? 0 : decimals;
const sizes = ['Bytes', 'KB', 'MB', 'GB', 'TB', 'PB', 'EB', 'ZB', 'YB'];
const i = Math.floor(Math.log(bytes) / Math.log(k));
return parseFloat((bytes / Math.pow(k, i)).toFixed(dm)) + ' ' + sizes[i];
}

11
client/components/cards/attachments.styl
View file

@ -64,6 +64,17 @@
border: 1px solid black
box-shadow: 0 1px 2px rgba(0,0,0,.2)
.uploading-info
.upload-progress-frame
background-color: grey;
border: 1px solid;
height: 22px;
.upload-progress-bar
background-color: blue;
height: 20px;
padding: 1px;
@media screen and (max-width: 800px)
.attachments-galery
flex-direction

2
client/components/cards/minicard.jade
View file

@ -11,7 +11,7 @@ template(name="minicard")
.handle
.fa.fa-arrows
if cover
.minicard-cover(style="background-image: url('{{cover.url}}');")
.minicard-cover(style="background-image: url('{{coverUrl}}');")
if labels
.minicard-labels
each labels

3
client/components/cards/minicard.js
View file

@ -52,4 +52,7 @@ Template.minicard.helpers({
return false;
}
},
coverUrl() {
return Attachments.findOne(this.coverId).link('original', '/');
},
});

50
client/components/main/editor.js
View file

@ -152,33 +152,31 @@ Template.editor.onRendered(() => {
const processData = function(fileObj) {
Utils.processUploadedAttachment(
currentCard,
fileObj,
attachment => {
if (
attachment &&
attachment._id &&
attachment.isImage()
) {
attachment.one('uploaded', function() {
const maxTry = 3;
const checkItvl = 500;
let retry = 0;
const checkUrl = function() {
// even though uploaded event fired, attachment.url() is still null somehow //TODO
const url = attachment.url();
if (url) {
insertImage(
`${location.protocol}//${location.host}${url}`,
);
} else {
retry++;
if (retry < maxTry) {
setTimeout(checkUrl, checkItvl);
fileObj,
{ onUploaded:
attachment => {
if (attachment && attachment._id && attachment.isImage) {
attachment.one('uploaded', function() {
const maxTry = 3;
const checkItvl = 500;
let retry = 0;
const checkUrl = function() {
// even though uploaded event fired, attachment.url() is still null somehow //TODO
const url = Attachments.link(attachment, 'original', '/');
if (url) {
insertImage(
`${location.protocol}//${location.host}${url}`,
);
} else {
retry++;
if (retry < maxTry) {
setTimeout(checkUrl, checkItvl);
}
}
}
};
checkUrl();
});
};
checkUrl();
});
}
}
},
);

2
client/lib/popup.js
View file

@ -49,7 +49,7 @@ window.Popup = new (class {
// has one. This allows us to position a sub-popup exactly at the same
// position than its parent.
let openerElement;
if (clickFromPopup(evt)) {
if (clickFromPopup(evt) && self._getTopStack()) {
openerElement = self._getTopStack().openerElement;
} else {
self._stack = [];

44
client/lib/utils.js
View file

@ -61,30 +61,38 @@ Utils = {
},
MAX_IMAGE_PIXEL: Meteor.settings.public.MAX_IMAGE_PIXEL,
COMPRESS_RATIO: Meteor.settings.public.IMAGE_COMPRESS_RATIO,
processUploadedAttachment(card, fileObj, callback) {
const next = attachment => {
if (typeof callback === 'function') {
callback(attachment);
}
};
processUploadedAttachment(card, fileObj, callbacks) {
if (!card) {
return next();
return onUploaded();
}
const file = new FS.File(fileObj);
let settings = {
file: fileObj,
streams: 'dynamic',
chunkSize: 'dynamic',
};
settings.meta = {
uploading: true
};
if (card.isLinkedCard()) {
file.boardId = Cards.findOne(card.linkedId).boardId;
file.cardId = card.linkedId;
settings.meta.boardId = Cards.findOne(card.linkedId).boardId;
settings.meta.cardId = card.linkedId;
} else {
file.boardId = card.boardId;
file.swimlaneId = card.swimlaneId;
file.listId = card.listId;
file.cardId = card._id;
settings.meta.boardId = card.boardId;
settings.meta.swimlaneId = card.swimlaneId;
settings.meta.listId = card.listId;
settings.meta.cardId = card._id;
}
file.userId = Meteor.userId();
if (file.original) {
file.original.name = fileObj.name;
settings.meta.userId = Meteor.userId();
if (typeof callbacks === 'function') {
settings.onEnd = callbacks;
} else {
for (const key in callbacks) {
if (key.substring(0, 2) === 'on') {
settings[key] = callbacks[key];
}
}
}
return next(Attachments.insert(file));
Attachments.insert(settings);
},
shrinkImage(options) {
// shrink image to certain size

2
i18n/zh-TW.i18n.json
View file

@ -747,7 +747,7 @@
"error-ldap-login": "嘗試登入時出現錯誤",
"display-authentication-method": "顯示認證方式",
"default-authentication-method": "預設認證方式",
"duplicate-board": "重複的看板",
"duplicate-board": "複製看板",
"people-number": "人數是:",
"swimlaneDeletePopup-title": "是否刪除泳道?",
"swimlane-delete-pop": "所有動作將從活動來源中刪除,您將無法恢復泳道。此操作無法還原。",

2
models/activities.js
View file

@ -217,7 +217,7 @@ if (Meteor.isServer) {
}
if (activity.attachmentId) {
const attachment = activity.attachment();
params.attachment = attachment.original.name;
params.attachment = attachment.name;
params.attachmentId = attachment._id;
}
if (activity.checklistId) {

354
models/attachments.js
View file

@ -1,263 +1,127 @@
const localFSStore = process.env.ATTACHMENTS_STORE_PATH;
const storeName = 'attachments';
const defaultStoreOptions = {
beforeWrite: fileObj => {
if (!fileObj.isImage()) {
return {
type: 'application/octet-stream',
};
}
return {};
},
};
let store;
if (localFSStore) {
// have to reinvent methods from FS.Store.GridFS and FS.Store.FileSystem
const fs = Npm.require('fs');
const path = Npm.require('path');
const mongodb = Npm.require('mongodb');
const Grid = Npm.require('gridfs-stream');
// calulate the absolute path here, because FS.Store.FileSystem didn't expose the aboslutepath or FS.Store didn't expose api calls :(
let pathname = localFSStore;
/*eslint camelcase: ["error", {allow: ["__meteor_bootstrap__"]}] */
import { FilesCollection } from 'meteor/ostrio:files';
const fs = require('fs');
if (!pathname && __meteor_bootstrap__ && __meteor_bootstrap__.serverDir) {
pathname = path.join(
__meteor_bootstrap__.serverDir,
`../../../cfs/files/${storeName}`,
);
}
const collectionName = 'attachments2';
if (!pathname)
throw new Error('FS.Store.FileSystem unable to determine path');
// Check if we have '~/foo/bar'
if (pathname.split(path.sep)[0] === '~') {
const homepath =
process.env.HOME || process.env.HOMEPATH || process.env.USERPROFILE;
if (homepath) {
pathname = pathname.replace('~', homepath);
} else {
throw new Error('FS.Store.FileSystem unable to resolve "~" in path');
}
}
// Set absolute path
const absolutePath = path.resolve(pathname);
const _FStore = new FS.Store.FileSystem(storeName, {
path: localFSStore,
...defaultStoreOptions,
});
const GStore = {
fileKey(fileObj) {
const key = {
_id: null,
filename: null,
};
// If we're passed a fileObj, we retrieve the _id and filename from it.
if (fileObj) {
const info = fileObj._getInfo(storeName, {
updateFileRecordFirst: false,
});
key._id = info.key || null;
key.filename =
info.name ||
fileObj.name({ updateFileRecordFirst: false }) ||
`${fileObj.collectionName}-${fileObj._id}`;
}
// If key._id is null at this point, createWriteStream will let GridFS generate a new ID
return key;
},
db: undefined,
mongoOptions: { useNewUrlParser: true },
mongoUrl: process.env.MONGO_URL,
init() {
this._init(err => {
this.inited = !err;
});
},
_init(callback) {
const self = this;
mongodb.MongoClient.connect(self.mongoUrl, self.mongoOptions, function(
err,
db,
) {
if (err) {
return callback(err);
}
self.db = db;
return callback(null);
});
return;
},
createReadStream(fileKey, options) {
const self = this;
if (!self.inited) {
self.init();
return undefined;
}
options = options || {};
// Init GridFS
const gfs = new Grid(self.db, mongodb);
// Set the default streamning settings
const settings = {
_id: new mongodb.ObjectID(fileKey._id),
root: `cfs_gridfs.${storeName}`,
};
// Check if this should be a partial read
if (
typeof options.start !== 'undefined' &&
typeof options.end !== 'undefined'
) {
// Add partial info
settings.range = {
startPos: options.start,
endPos: options.end,
};
}
return gfs.createReadStream(settings);
},
};
GStore.init();
const CRS = 'createReadStream';
const _CRS = `_${CRS}`;
const FStore = _FStore._transform;
FStore[_CRS] = FStore[CRS].bind(FStore);
FStore[CRS] = function(fileObj, options) {
let stream;
try {
const localFile = path.join(
absolutePath,
FStore.storage.fileKey(fileObj),
);
const state = fs.statSync(localFile);
if (state) {
stream = FStore[_CRS](fileObj, options);
}
} catch (e) {
// file is not there, try GridFS ?
stream = undefined;
}
if (stream) return stream;
else {
try {
const stream = GStore[CRS](GStore.fileKey(fileObj), options);
return stream;
} catch (e) {
return undefined;
}
}
}.bind(FStore);
store = _FStore;
} else {
store = new FS.Store.GridFS(localFSStore ? `G${storeName}` : storeName, {
// XXX Add a new store for cover thumbnails so we don't load big images in
// the general board view
// If the uploaded document is not an image we need to enforce browser
// download instead of execution. This is particularly important for HTML
// files that the browser will just execute if we don't serve them with the
// appropriate `application/octet-stream` MIME header which can lead to user
// data leaks. I imagine other formats (like PDF) can also be attack vectors.
// See https://github.com/wekan/wekan/issues/99
// XXX Should we use `beforeWrite` option of CollectionFS instead of
// collection-hooks?
// We should use `beforeWrite`.
...defaultStoreOptions,
});
}
Attachments = new FS.Collection('attachments', {
stores: [store],
Attachments = new FilesCollection({
storagePath: storagePath(),
debug: false,
// allowClientCode: true,
collectionName: 'attachments2',
onAfterUpload: onAttachmentUploaded,
onBeforeRemove: onAttachmentRemoving
});
if (Meteor.isServer) {
Meteor.startup(() => {
Attachments.files._ensureIndex({ cardId: 1 });
Attachments.collection._ensureIndex({ cardId: 1 });
});
// TODO: Permission related
Attachments.allow({
insert(userId, doc) {
return allowIsBoardMember(userId, Boards.findOne(doc.boardId));
insert() {
return false;
},
update(userId, doc) {
return allowIsBoardMember(userId, Boards.findOne(doc.boardId));
update() {
return true;
},
remove(userId, doc) {
return allowIsBoardMember(userId, Boards.findOne(doc.boardId));
},
// We authorize the attachment download either:
// - if the board is public, everyone (even unconnected) can download it
// - if the board is private, only board members can download it
download(userId, doc) {
const board = Boards.findOne(doc.boardId);
if (board.isPublic()) {
return true;
} else {
return board.hasMember(userId);
}
},
fetch: ['boardId'],
});
}
// XXX Enforce a schema for the Attachments CollectionFS
if (Meteor.isServer) {
Attachments.files.after.insert((userId, doc) => {
// If the attachment doesn't have a source field
// or its source is different than import
if (!doc.source || doc.source !== 'import') {
// Add activity about adding the attachment
Activities.insert({
userId,
type: 'card',
activityType: 'addAttachment',
attachmentId: doc._id,
// this preserves the name so that notifications can be meaningful after
// this file is removed
attachmentName: doc.original.name,
boardId: doc.boardId,
cardId: doc.cardId,
listId: doc.listId,
swimlaneId: doc.swimlaneId,
});
} else {
// Don't add activity about adding the attachment as the activity
// be imported and delete source field
Attachments.update(
{
_id: doc._id,
},
{
$unset: {
source: '',
},
},
);
remove() {
return true;
}
});
Attachments.files.before.remove((userId, doc) => {
Activities.insert({
userId,
type: 'card',
activityType: 'deleteAttachment',
attachmentId: doc._id,
// this preserves the name so that notifications can be meaningful after
// this file is removed
attachmentName: doc.original.name,
boardId: doc.boardId,
cardId: doc.cardId,
listId: doc.listId,
swimlaneId: doc.swimlaneId,
});
Meteor.methods({
cloneAttachment(file, overrides) {
check(file, Object);
check(overrides, Match.Maybe(Object));
const path = file.path;
const opts = {
fileName: file.name,
type: file.type,
meta: file.meta,
userId: file.userId
};
for (let key in overrides) {
if (key === 'meta') {
for (let metaKey in overrides.meta) {
opts.meta[metaKey] = overrides.meta[metaKey];
}
} else {
opts[key] = overrides[key];
}
}
const buffer = fs.readFileSync(path);
Attachments.write(buffer, opts, (err, fileRef) => {
if (err) {
console.log('Error when cloning record', err);
}
});
return true;
}
});
Meteor.publish(collectionName, function() {
return Attachments.find().cursor;
});
} else {
Meteor.subscribe(collectionName);
}
function storagePath(defaultPath) {
const storePath = process.env.ATTACHMENTS_STORE_PATH;
return storePath ? storePath : defaultPath;
}
function onAttachmentUploaded(fileRef) {
Attachments.update({_id:fileRef._id}, {$set: {"meta.uploading": false}});
if (!fileRef.meta.source || fileRef.meta.source !== 'import') {
// Add activity about adding the attachment
Activities.insert({
userId: fileRef.userId,
type: 'card',
activityType: 'addAttachment',
attachmentId: fileRef._id,
// this preserves the name so that notifications can be meaningful after
// this file is removed
attachmentName: fileRef.name,
boardId: fileRef.meta.boardId,
cardId: fileRef.meta.cardId,
listId: fileRef.meta.listId,
swimlaneId: fileRef.meta.swimlaneId,
});
} else {
// Don't add activity about adding the attachment as the activity
// be imported and delete source field
Attachments.collection.update(
{
_id: fileRef._id,
},
{
$unset: {
'meta.source': '',
},
},
);
}
}
function onAttachmentRemoving(cursor) {
const file = cursor.get()[0];
const meta = file.meta;
Activities.insert({
userId: this.userId,
type: 'card',
activityType: 'deleteAttachment',
attachmentId: file._id,
// this preserves the name so that notifications can be meaningful after
// this file is removed
attachmentName: file.name,
boardId: meta.boardId,
cardId: meta.cardId,
listId: meta.listId,
swimlaneId: meta.swimlaneId,
});
return true;
}
export default Attachments;

21
models/cards.js
View file

@ -412,10 +412,14 @@ Cards.helpers({
const _id = Cards.insert(this);
// Copy attachments
oldCard.attachments().forEach(att => {
att.cardId = _id;
delete att._id;
return Attachments.insert(att);
oldCard.attachments().forEach((file) => {
Meteor.call('cloneAttachment', file,
{
meta: {
cardId: _id
}
}
);
});
// copy checklists
@ -518,14 +522,15 @@ Cards.helpers({
attachments() {
if (this.isLinkedCard()) {
return Attachments.find(
{ cardId: this.linkedId },
{ 'meta.cardId': this.linkedId },
{ sort: { uploadedAt: -1 } },
);
} else {
return Attachments.find(
{ cardId: this._id },
let ret = Attachments.find(
{ 'meta.cardId': this._id },
{ sort: { uploadedAt: -1 } },
);
return ret;
}
},
@ -533,7 +538,7 @@ Cards.helpers({
const cover = Attachments.findOne(this.coverId);
// if we return a cover before it is fully stored, we will get errors when we try to display it
// todo XXX we could return a default "upload pending" image in the meantime?
return cover && cover.url() && cover;
return cover && cover.link();
},
checklists() {

248
models/export.js
View file

@ -1,4 +1,3 @@
import { Exporter } from './exporter';
/* global JsonRoutes */
if (Meteor.isServer) {
// todo XXX once we have a real API in place, move that route there
@ -8,10 +7,10 @@ if (Meteor.isServer) {
// on the client instead of copy/pasting the route path manually between the
// client and the server.
/**
* @operation exportJson
* @operation export
* @tag Boards
*
* @summary This route is used to export the board to a json file format.
* @summary This route is used to export the board.
*
* @description If user is already logged-in, pass loginToken as param
* "authToken": '/api/boards/:boardId/export?authToken=:token'
@ -47,52 +46,199 @@ if (Meteor.isServer) {
JsonRoutes.sendResult(res, 403);
}
});
/**
* @operation exportCSV/TSV
* @tag Boards
*
* @summary This route is used to export the board to a CSV or TSV file format.
*
* @description If user is already logged-in, pass loginToken as param
*
* See https://blog.kayla.com.au/server-side-route-authentication-in-meteor/
* for detailed explanations
*
* @param {string} boardId the ID of the board we are exporting
* @param {string} authToken the loginToken
* @param {string} delimiter delimiter to use while building export. Default is comma ','
*/
Picker.route('/api/boards/:boardId/export/csv', function(params, req, res) {
const boardId = params.boardId;
let user = null;
const loginToken = params.query.authToken;
if (loginToken) {
const hashToken = Accounts._hashLoginToken(loginToken);
user = Meteor.users.findOne({
'services.resume.loginTokens.hashedToken': hashToken,
});
} else if (!Meteor.settings.public.sandstorm) {
Authentication.checkUserId(req.userId);
user = Users.findOne({
_id: req.userId,
isAdmin: true,
});
}
const exporter = new Exporter(boardId);
if (exporter.canExport(user)) {
body = params.query.delimiter
? exporter.buildCsv(params.query.delimiter)
: exporter.buildCsv();
res.writeHead(200, {
'Content-Length': body[0].length,
'Content-Type': params.query.delimiter ? 'text/csv' : 'text/tsv',
});
res.write(body[0]);
res.end();
} else {
res.writeHead(403);
res.end('Permission Error');
}
});
}
// exporter maybe is broken since Gridfs introduced, add fs and path
export class Exporter {
constructor(boardId) {
this._boardId = boardId;
}
build() {
const fs = Npm.require('fs');
const os = Npm.require('os');
const path = Npm.require('path');
const byBoard = { boardId: this._boardId };
const byBoardNoLinked = {
boardId: this._boardId,
linkedId: { $in: ['', null] },
};
// we do not want to retrieve boardId in related elements
const noBoardId = {
fields: {
boardId: 0,
},
};
const result = {
_format: 'wekan-board-1.0.0',
};
_.extend(
result,
Boards.findOne(this._boardId, {
fields: {
stars: 0,
},
}),
);
result.lists = Lists.find(byBoard, noBoardId).fetch();
result.cards = Cards.find(byBoardNoLinked, noBoardId).fetch();
result.swimlanes = Swimlanes.find(byBoard, noBoardId).fetch();
result.customFields = CustomFields.find(
{ boardIds: { $in: [this.boardId] } },
{ fields: { boardId: 0 } },
).fetch();
result.comments = CardComments.find(byBoard, noBoardId).fetch();
result.activities = Activities.find(byBoard, noBoardId).fetch();
result.rules = Rules.find(byBoard, noBoardId).fetch();
result.checklists = [];
result.checklistItems = [];
result.subtaskItems = [];
result.triggers = [];
result.actions = [];
result.cards.forEach(card => {
result.checklists.push(
...Checklists.find({
cardId: card._id,
}).fetch(),
);
result.checklistItems.push(
...ChecklistItems.find({
cardId: card._id,
}).fetch(),
);
result.subtaskItems.push(
...Cards.find({
parentId: card._id,
}).fetch(),
);
});
result.rules.forEach(rule => {
result.triggers.push(
...Triggers.find(
{
_id: rule.triggerId,
},
noBoardId,
).fetch(),
);
result.actions.push(
...Actions.find(
{
_id: rule.actionId,
},
noBoardId,
).fetch(),
);
});
// [Old] for attachments we only export IDs and absolute url to original doc
// [New] Encode attachment to base64
const getBase64Data = function(doc, callback) {
let buffer = Buffer.allocUnsafe(0);
buffer.fill(0);
// callback has the form function (err, res) {}
const tmpFile = path.join(
os.tmpdir(),
`tmpexport${process.pid}${Math.random()}`,
);
const tmpWriteable = fs.createWriteStream(tmpFile);
const readStream = fs.createReadStream(doc.path);
readStream.on('data', function(chunk) {
buffer = Buffer.concat([buffer, chunk]);
});
readStream.on('error', function(err) {
callback(null, null);
});
readStream.on('end', function() {
// done
fs.unlink(tmpFile, () => {
//ignored
});
callback(null, buffer.toString('base64'));
});
readStream.pipe(tmpWriteable);
};
const getBase64DataSync = Meteor.wrapAsync(getBase64Data);
result.attachments = Attachments.find({ 'meta.boardId': byBoard.boardId })
.fetch()
.map(attachment => {
let filebase64 = null;
filebase64 = getBase64DataSync(attachment);
return {
_id: attachment._id,
cardId: attachment.meta.cardId,
//url: FlowRouter.url(attachment.url()),
file: filebase64,
name: attachment.name,
type: attachment.type,
};
});
// we also have to export some user data - as the other elements only
// include id but we have to be careful:
// 1- only exports users that are linked somehow to that board
// 2- do not export any sensitive information
const users = {};
result.members.forEach(member => {
users[member.userId] = true;
});
result.lists.forEach(list => {
users[list.userId] = true;
});
result.cards.forEach(card => {
users[card.userId] = true;
if (card.members) {
card.members.forEach(memberId => {
users[memberId] = true;
});
}
});
result.comments.forEach(comment => {
users[comment.userId] = true;
});
result.activities.forEach(activity => {
users[activity.userId] = true;
});
result.checklists.forEach(checklist => {
users[checklist.userId] = true;
});
const byUserIds = {
_id: {
$in: Object.getOwnPropertyNames(users),
},
};
// we use whitelist to be sure we do not expose inadvertently
// some secret fields that gets added to User later.
const userFields = {
fields: {
_id: 1,
username: 1,
'profile.fullname': 1,
'profile.initials': 1,
'profile.avatarUrl': 1,
},
};
result.users = Users.find(byUserIds, userFields)
.fetch()
.map(user => {
// user avatar is stored as a relative url, we export absolute
if ((user.profile || {}).avatarUrl) {
user.profile.avatarUrl = FlowRouter.url(user.profile.avatarUrl);
}
return user;
});
return result;
}
canExport(user) {
const board = Boards.findOne(this._boardId);
return board && board.isVisibleBy(user);
}
}

1
models/trelloCreator.js
View file

@ -369,6 +369,7 @@ export class TrelloCreator {
// so we make it server only, and let UI catch up once it is done, forget about latency comp.
const self = this;
if (Meteor.isServer) {
// FIXME: Change to new model
file.attachData(att.url, function(error) {
file.boardId = boardId;
file.cardId = cardId;

2
models/wekanCreator.js
View file

@ -415,6 +415,7 @@ export class WekanCreator {
const self = this;
if (Meteor.isServer) {
if (att.url) {
// FIXME: Change to new file library
file.attachData(att.url, function(error) {
file.boardId = boardId;
file.cardId = cardId;
@ -440,6 +441,7 @@ export class WekanCreator {
}
});
} else if (att.file) {
// FIXME: Change to new file library
file.attachData(
Buffer.from(att.file, 'base64'),
{

8
package-lock.json generated
View file

@ -1744,6 +1744,14 @@
"integrity": "sha1-PYpcZog6FqMMqGQ+hR8Zuqd5eRc=",
"dev": true
},
"fibers": {
"version": "4.0.2",
"resolved": "https://registry.npmjs.org/fibers/-/fibers-4.0.2.tgz",
"integrity": "sha512-FhICi1K4WZh9D6NC18fh2ODF3EWy1z0gzIdV9P7+s2pRjfRBnCkMDJ6x3bV1DkVymKH8HGrQa/FNOBjYvnJ/tQ==",
"requires": {
"detect-libc": "^1.0.3"
}
},
"figures": {
"version": "2.0.0",
"resolved": "https://registry.npmjs.org/figures/-/figures-2.0.0.tgz",

128
rebuild-wekan.bat
View file

@ -1,64 +1,64 @@
@ECHO OFF
REM NOTE: You can try this to install Meteor on Windows, it works:
REM https://github.com/zodern/windows-meteor-installer/
REM Installing Meteor with Chocolatey does not currently work.
REM NOTE: THIS .BAT DOES NOT WORK !!
REM Use instead this webpage instructions to build on Windows:
REM https://github.com/wekan/wekan/wiki/Install-Wekan-from-source-on-Windows
REM Please add fix PRs, like config of MongoDB etc.
md C:\repos
cd C:\repos
REM Install chocolatey
@"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))" && SET "PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin"
choco install -y git curl python2 dotnet4.5.2 nano mongodb-3 mongoclient meteor
curl -O https://nodejs.org/dist/v12.16.3/node-v12.16.2-x64.msi
call node-v12.16.3-x64.msi
call npm config -g set msvs_version 2015
call meteor npm config -g set msvs_version 2015
call npm -g install npm
call npm -g install node-gyp
call npm -g install fibers
cd C:\repos
git clone https://github.com/wekan/wekan.git
cd wekan
git checkout edge
echo "Building Wekan."
REM del /S /F /Q packages
REM ## REPOS BELOW ARE INCLUDED TO WEKAN
REM md packages
REM cd packages
REM git clone --depth 1 -b master https://github.com/wekan/flow-router.git kadira-flow-router
REM git clone --depth 1 -b master https://github.com/meteor-useraccounts/core.git meteor-useraccounts-core
REM git clone --depth 1 -b master https://github.com/wekan/meteor-accounts-cas.git
REM git clone --depth 1 -b master https://github.com/wekan/wekan-ldap.git
REM git clone --depth 1 -b master https://github.com/wekan/wekan-scrollbar.git
REM git clone --depth 1 -b master https://github.com/wekan/meteor-accounts-oidc.git
REM git clone --depth 1 -b master --recurse-submodules https://github.com/wekan/markdown.git
REM move meteor-accounts-oidc/packages/switch_accounts-oidc wekan_accounts-oidc
REM move meteor-accounts-oidc/packages/switch_oidc wekan_oidc
REM del /S /F /Q meteor-accounts-oidc
REM sed -i 's/api\.versionsFrom/\/\/api.versionsFrom/' ~/repos/wekan/packages/meteor-useraccounts-core/package.js
cd ..
REM del /S /F /Q node_modules
call meteor npm install
REM del /S /F /Q .build
call meteor build .build --directory
copy fix-download-unicode\cfs_access-point.txt .build\bundle\programs\server\packages\cfs_access-point.js
REM ## Remove legacy webbroser bundle, so that Wekan works also at Android Firefox, iOS Safari, etc.
del /S /F /Q rm .build/bundle/programs/web.browser.legacy
REM ## Install some NPM packages
cd .build\bundle\programs\server
call meteor npm install
REM cd C:\repos\wekan\.meteor\local\build\programs\server
REM del node_modules
cd C:\repos\wekan
call start-wekan.bat
@ECHO OFF
REM NOTE: You can try this to install Meteor on Windows, it works:
REM https://github.com/zodern/windows-meteor-installer/
REM Installing Meteor with Chocolatey does not currently work.
REM NOTE: THIS .BAT DOES NOT WORK !!
REM Use instead this webpage instructions to build on Windows:
REM https://github.com/wekan/wekan/wiki/Install-Wekan-from-source-on-Windows
REM Please add fix PRs, like config of MongoDB etc.
md C:\repos
cd C:\repos
REM Install chocolatey
@"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))" && SET "PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin"
choco install -y git curl python2 dotnet4.5.2 nano mongodb-3 mongoclient meteor
curl -O https://nodejs.org/dist/v12.16.3/node-v12.16.2-x64.msi
call node-v12.16.3-x64.msi
call npm config -g set msvs_version 2015
call meteor npm config -g set msvs_version 2015
call npm -g install npm
call npm -g install node-gyp
call npm -g install fibers
cd C:\repos
git clone https://github.com/wekan/wekan.git
cd wekan
git checkout edge
echo "Building Wekan."
REM del /S /F /Q packages
REM ## REPOS BELOW ARE INCLUDED TO WEKAN
REM md packages
REM cd packages
REM git clone --depth 1 -b master https://github.com/wekan/flow-router.git kadira-flow-router
REM git clone --depth 1 -b master https://github.com/meteor-useraccounts/core.git meteor-useraccounts-core
REM git clone --depth 1 -b master https://github.com/wekan/meteor-accounts-cas.git
REM git clone --depth 1 -b master https://github.com/wekan/wekan-ldap.git
REM git clone --depth 1 -b master https://github.com/wekan/wekan-scrollbar.git
REM git clone --depth 1 -b master https://github.com/wekan/meteor-accounts-oidc.git
REM git clone --depth 1 -b master --recurse-submodules https://github.com/wekan/markdown.git
REM move meteor-accounts-oidc/packages/switch_accounts-oidc wekan_accounts-oidc
REM move meteor-accounts-oidc/packages/switch_oidc wekan_oidc
REM del /S /F /Q meteor-accounts-oidc
REM sed -i 's/api\.versionsFrom/\/\/api.versionsFrom/' ~/repos/wekan/packages/meteor-useraccounts-core/package.js
cd ..
REM del /S /F /Q node_modules
call meteor npm install
REM del /S /F /Q .build
call meteor build .build --directory
copy fix-download-unicode\cfs_access-point.txt .build\bundle\programs\server\packages\cfs_access-point.js
REM ## Remove legacy webbroser bundle, so that Wekan works also at Android Firefox, iOS Safari, etc.
del /S /F /Q rm .build/bundle/programs/web.browser.legacy
REM ## Install some NPM packages
cd .build\bundle\programs\server
call meteor npm install
REM cd C:\repos\wekan\.meteor\local\build\programs\server
REM del node_modules
cd C:\repos\wekan
call start-wekan.bat

3
sandstorm-pkgdef.capnp
View file

@ -261,6 +261,7 @@ const myCommand :Spk.Manifest.Command = (
(key = "LDAP_ENABLE", value="false"),
(key = "PASSWORD_LOGIN_ENABLED", value="true"),
(key = "SANDSTORM", value="1"),
(key = "METEOR_SETTINGS", value = "{\"public\": {\"sandstorm\": true}}")
(key = "METEOR_SETTINGS", value = "{\"public\": {\"sandstorm\": true}}"),
(key = "ATTACHMENTS_STORE_PATH", value = "/var/attachments/")
]
);

45
server/migrations.js
View file

@ -80,7 +80,7 @@ Migrations.add('lowercase-board-permission', () => {
Migrations.add('change-attachments-type-for-non-images', () => {
const newTypeForNonImage = 'application/octet-stream';
Attachments.find().forEach(file => {
if (!file.isImage()) {
if (!file.isImage) {
Attachments.update(
file._id,
{
@ -1044,3 +1044,46 @@ Migrations.add('add-sort-field-to-boards', () => {
}
});
});
import { MongoInternals } from 'meteor/mongo';
Migrations.add('change-attachment-library', () => {
const fs = require('fs');
CFSAttachments.find().forEach(file => {
const bucket = new MongoInternals.NpmModule.GridFSBucket(MongoInternals.defaultRemoteCollectionDriver().mongo.db, {bucketName: 'cfs_gridfs.attachments'});
const gfsId = new MongoInternals.NpmModule.ObjectID(file.copies.attachments.key);
const reader = bucket.openDownloadStream(gfsId);
let store = Attachments.storagePath();
if (store.charAt(store.length - 1) === '/') {
store = store.substring(0, store.length - 1);
}
const path = `${store}/${file.name()}`;
const fd = fs.createWriteStream(path);
reader.pipe(fd);
reader.on('end', () => {
let opts = {
fileName: file.name(),
type: file.type(),
size: file.size(),
fileId: file._id,
meta: {
userId: file.userId,
boardId: file.boardId,
cardId: file.cardId
}
};
if (file.listId) {
opts.meta.listId = file.listId;
}
if (file.swimlaneId) {
opts.meta.swimlaneId = file.swimlaneId;
}
Attachments.addFile(path, opts, (err, fileRef) => {
if (err) {
console.log('error when migrating', file.name(), err);
}
});
});
});
});

212
server/old-attachments-migration.js Normal file
View file

@ -0,0 +1,212 @@
const localFSStore = process.env.ATTACHMENTS_STORE_PATH;
const storeName = 'attachments';
const defaultStoreOptions = {
beforeWrite: fileObj => {
if (!fileObj.isImage()) {
return {
type: 'application/octet-stream',
};
}
return {};
},
};
let store;
if (localFSStore) {
// have to reinvent methods from FS.Store.GridFS and FS.Store.FileSystem
const fs = Npm.require('fs');
const path = Npm.require('path');
const mongodb = Npm.require('mongodb');
const Grid = Npm.require('gridfs-stream');
// calulate the absolute path here, because FS.Store.FileSystem didn't expose the aboslutepath or FS.Store didn't expose api calls :(
let pathname = localFSStore;
/*eslint camelcase: ["error", {allow: ["__meteor_bootstrap__"]}] */
if (!pathname && __meteor_bootstrap__ && __meteor_bootstrap__.serverDir) {
pathname = path.join(
__meteor_bootstrap__.serverDir,
`../../../cfs/files/${storeName}`,
);
}
if (!pathname)
throw new Error('FS.Store.FileSystem unable to determine path');
// Check if we have '~/foo/bar'
if (pathname.split(path.sep)[0] === '~') {
const homepath =
process.env.HOME || process.env.HOMEPATH || process.env.USERPROFILE;
if (homepath) {
pathname = pathname.replace('~', homepath);
} else {
throw new Error('FS.Store.FileSystem unable to resolve "~" in path');
}
}
// Set absolute path
const absolutePath = path.resolve(pathname);
const _FStore = new FS.Store.FileSystem(storeName, {
path: localFSStore,
...defaultStoreOptions,
});
const GStore = {
fileKey(fileObj) {
const key = {
_id: null,
filename: null,
};
// If we're passed a fileObj, we retrieve the _id and filename from it.
if (fileObj) {
const info = fileObj._getInfo(storeName, {
updateFileRecordFirst: false,
});
key._id = info.key || null;
key.filename =
info.name ||
fileObj.name({ updateFileRecordFirst: false }) ||
`${fileObj.collectionName}-${fileObj._id}`;
}
// If key._id is null at this point, createWriteStream will let GridFS generate a new ID
return key;
},
db: undefined,
mongoOptions: { useNewUrlParser: true },
mongoUrl: process.env.MONGO_URL,
init() {
this._init(err => {
this.inited = !err;
});
},
_init(callback) {
const self = this;
mongodb.MongoClient.connect(self.mongoUrl, self.mongoOptions, function(
err,
db,
) {
if (err) {
return callback(err);
}
self.db = db;
return callback(null);
});
return;
},
createReadStream(fileKey, options) {
const self = this;
if (!self.inited) {
self.init();
return undefined;
}
options = options || {};
// Init GridFS
const gfs = new Grid(self.db, mongodb);
// Set the default streamning settings
const settings = {
_id: new mongodb.ObjectID(fileKey._id),
root: `cfs_gridfs.${storeName}`,
};
// Check if this should be a partial read
if (
typeof options.start !== 'undefined' &&
typeof options.end !== 'undefined'
) {
// Add partial info
settings.range = {
startPos: options.start,
endPos: options.end,
};
}
return gfs.createReadStream(settings);
},
};
GStore.init();
const CRS = 'createReadStream';
const _CRS = `_${CRS}`;
const FStore = _FStore._transform;
FStore[_CRS] = FStore[CRS].bind(FStore);
FStore[CRS] = function(fileObj, options) {
let stream;
try {
const localFile = path.join(
absolutePath,
FStore.storage.fileKey(fileObj),
);
const state = fs.statSync(localFile);
if (state) {
stream = FStore[_CRS](fileObj, options);
}
} catch (e) {
// file is not there, try GridFS ?
stream = undefined;
}
if (stream) return stream;
else {
try {
const stream = GStore[CRS](GStore.fileKey(fileObj), options);
return stream;
} catch (e) {
return undefined;
}
}
}.bind(FStore);
store = _FStore;
} else {
store = new FS.Store.GridFS(localFSStore ? `G${storeName}` : storeName, {
// XXX Add a new store for cover thumbnails so we don't load big images in
// the general board view
// If the uploaded document is not an image we need to enforce browser
// download instead of execution. This is particularly important for HTML
// files that the browser will just execute if we don't serve them with the
// appropriate `application/octet-stream` MIME header which can lead to user
// data leaks. I imagine other formats (like PDF) can also be attack vectors.
// See https://github.com/wekan/wekan/issues/99
// XXX Should we use `beforeWrite` option of CollectionFS instead of
// collection-hooks?
// We should use `beforeWrite`.
...defaultStoreOptions,
});
}
CFSAttachments = new FS.Collection('attachments', {
stores: [store],
});
if (Meteor.isServer) {
Meteor.startup(() => {
CFSAttachments.files._ensureIndex({ cardId: 1 });
});
CFSAttachments.allow({
insert(userId, doc) {
return allowIsBoardMember(userId, Boards.findOne(doc.boardId));
},
update(userId, doc) {
return allowIsBoardMember(userId, Boards.findOne(doc.boardId));
},
remove(userId, doc) {
return allowIsBoardMember(userId, Boards.findOne(doc.boardId));
},
// We authorize the attachment download either:
// - if the board is public, everyone (even unconnected) can download it
// - if the board is private, only board members can download it
download(userId, doc) {
if (Meteor.isServer) {
return true;
}
const board = Boards.findOne(doc.boardId);
if (board.isPublic()) {
return true;
} else {
return board.hasMember(userId);
}
},
fetch: ['boardId'],
});
}
export default CFSAttachments;

2
server/publications/boards.js
View file

@ -131,7 +131,7 @@ Meteor.publishRelations('board', function(boardId, isArchived) {
// Gather queries and send in bulk
const cardComments = this.join(CardComments);
cardComments.selector = _ids => ({ cardId: _ids });
const attachments = this.join(Attachments);
const attachments = this.join(Attachments.collection);
attachments.selector = _ids => ({ cardId: _ids });
const checklists = this.join(Checklists);
checklists.selector = _ids => ({ cardId: _ids });