github-mirrors/wekan
1
0
Fork 0
mirror of https://github.com/wekan/wekan.git synced 2025-04-23 13:37:09 -04:00
Code Issues Projects Releases Packages Wiki Activity

Fix lint errors. Update changelog.

Browse source
This commit is contained in:
Lauri Ojansivu 2018-01-25 08:22:11 +02:00
parent 188341cf50
commit 7f4401f3a2
3 changed files with 95 additions and 83 deletions
Download patch file Download diff file Expand all files Collapse all files

9
CHANGELOG.md
View file

@ -1,3 +1,12 @@
# Upcoming Wekan release
This release adds the following new features:
* [Swimlanes](https://github.com/wekan/wekan/issues/955);
* Added new language: Igbo.
Thanks to GitHub users andresmanelli for contributions.
# v0.64 2018-01-22 Wekan release
This release adds the following new features:

167
models/attachments.js
View file

@ -1,87 +1,90 @@
try {
Attachments = new FS.Collection('attachments', {
stores: [
Attachments = new FS.Collection('attachments', {
stores: [
// XXX Add a new store for cover thumbnails so we don't load big images in
// the general board view
new FS.Store.GridFS('attachments', {
// If the uploaded document is not an image we need to enforce browser
// download instead of execution. This is particularly important for HTML
// files that the browser will just execute if we don't serve them with the
// appropriate `application/octet-stream` MIME header which can lead to user
// data leaks. I imagine other formats (like PDF) can also be attack vectors.
// See https://github.com/wekan/wekan/issues/99
// XXX Should we use `beforeWrite` option of CollectionFS instead of
// collection-hooks?
// We should use `beforeWrite`.
beforeWrite: (fileObj) => {
if (!fileObj.isImage()) {
return {
type: 'application/octet-stream',
};
}
return {};
},
}),
],
});
// XXX Add a new store for cover thumbnails so we don't load big images in
// the general board view
new FS.Store.GridFS('attachments', {
// If the uploaded document is not an image we need to enforce browser
// download instead of execution. This is particularly important for HTML
// files that the browser will just execute if we don't serve them with the
// appropriate `application/octet-stream` MIME header which can lead to user
// data leaks. I imagine other formats (like PDF) can also be attack vectors.
// See https://github.com/wekan/wekan/issues/99
// XXX Should we use `beforeWrite` option of CollectionFS instead of
// collection-hooks?
// We should use `beforeWrite`.
beforeWrite: (fileObj) => {
if (!fileObj.isImage()) {
return {
type: 'application/octet-stream',
};
}
return {};
if (Meteor.isServer) {
Attachments.allow({
insert(userId, doc) {
return allowIsBoardMember(userId, Boards.findOne(doc.boardId));
},
update(userId, doc) {
return allowIsBoardMember(userId, Boards.findOne(doc.boardId));
},
remove(userId, doc) {
return allowIsBoardMember(userId, Boards.findOne(doc.boardId));
},
// We authorize the attachment download either:
// - if the board is public, everyone (even unconnected) can download it
// - if the board is private, only board members can download it
download(userId, doc) {
const board = Boards.findOne(doc.boardId);
if (board.isPublic()) {
return true;
} else {
return board.hasMember(userId);
}
},
}),
],
});
} catch (err) { console.log(err); throw err; }
if (Meteor.isServer) {
Attachments.allow({
insert(userId, doc) {
return allowIsBoardMember(userId, Boards.findOne(doc.boardId));
},
update(userId, doc) {
return allowIsBoardMember(userId, Boards.findOne(doc.boardId));
},
remove(userId, doc) {
return allowIsBoardMember(userId, Boards.findOne(doc.boardId));
},
// We authorize the attachment download either:
// - if the board is public, everyone (even unconnected) can download it
// - if the board is private, only board members can download it
download(userId, doc) {
const board = Boards.findOne(doc.boardId);
if (board.isPublic()) {
return true;
} else {
return board.hasMember(userId);
}
},
fetch: ['boardId'],
});
}
// XXX Enforce a schema for the Attachments CollectionFS
if (Meteor.isServer) {
Attachments.files.after.insert((userId, doc) => {
// If the attachment doesn't have a source field
// or its source is different than import
if (!doc.source || doc.source !== 'import') {
// Add activity about adding the attachment
Activities.insert({
userId,
type: 'card',
activityType: 'addAttachment',
attachmentId: doc._id,
boardId: doc.boardId,
cardId: doc.cardId,
});
} else {
// Don't add activity about adding the attachment as the activity
// be imported and delete source field
Attachments.update( {_id: doc._id}, {$unset: { source : '' } } );
}
});
Attachments.files.after.remove((userId, doc) => {
Activities.remove({
attachmentId: doc._id,
fetch: ['boardId'],
});
});
}
}
// XXX Enforce a schema for the Attachments CollectionFS
if (Meteor.isServer) {
Attachments.files.after.insert((userId, doc) => {
// If the attachment doesn't have a source field
// or its source is different than import
if (!doc.source || doc.source !== 'import') {
// Add activity about adding the attachment
Activities.insert({
userId,
type: 'card',
activityType: 'addAttachment',
attachmentId: doc._id,
boardId: doc.boardId,
cardId: doc.cardId,
});
} else {
// Don't add activity about adding the attachment as the activity
// be imported and delete source field
Attachments.update({
_id: doc._id,
}, {
$unset: {
source: '',
},
});
}
});
Attachments.files.after.remove((userId, doc) => {
Activities.remove({
attachmentId: doc._id,
});
});
}

2
sandstorm.js
View file

@ -22,7 +22,7 @@ const sandstormBoard = {
if (isSandstorm && Meteor.isServer) {
const fs = require('fs');
const Capnp = require("/node_modules/capnp.js");
const Capnp = require('/node_modules/capnp.js');
const Package = Capnp.importSystem('sandstorm/package.capnp');
const Powerbox = Capnp.importSystem('sandstorm/powerbox.capnp');
const Identity = Capnp.importSystem('sandstorm/identity.capnp');