Merge branch 'devel'

2025-04-22 04:57:07 -04:00 · 2018-08-14 15:19:53 +03:00 · 2018-08-14 15:19:53 +03:00 · ac12aa7ede
commit ac12aa7ede
parent 034981cd3d cec5f45459
13 changed files with 612 additions and 512 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,17 @@
+# v1.30 2018-08-14 Wekan release
+
+This release add the following new features:
+
+- [When Content Policy is enabled, allow one URL to have iframe that embeds Wekan](https://github.com/wekan/wekan/commit/b9929dc68297539a94d21950995e26e06745a263);
+- [Add option to turn off Content Policy](https://github.com/wekan/wekan/commit/b9929dc68297539a94d21950995e26e06745a263);
+- [Allow always in Wekan markdown `<img src="any-image-url-here">`](https://github.com/wekan/wekan/commit/b9929dc68297539a94d21950995e26e06745a263).
+
+and fixes the following bugs:
+
+- [Fix Import from Trello error 400](https://github.com/wekan/wekan/commit/2f557ae3a558c654cc6f3befff22f5ee4ea6c3d9).
+
+Thanks to GitHub user xet7 for contributions.
+
 # v1.29 2018-08-12 Wekan release

 This release fixes the following bugs:
--- a/5
+++ b/5
@ -15,6 +15,8 @@ ARG MATOMO_ADDRESS
 ARG MATOMO_SITE_ID
 ARG MATOMO_DO_NOT_TRACK
 ARG MATOMO_WITH_USERNAME
+ARG BROWSER_POLICY_ENABLED
+ARG TRUSTED_URL

 # Set the environment variables (defaults where required)
 # DOES NOT WORK: paxctl fix for alpine linux: https://github.com/wekan/wekan/issues/1303
@ -33,7 +35,8 @@ ENV MATOMO_ADDRESS ${MATOMO_ADDRESS:-}
 ENV MATOMO_SITE_ID ${MATOMO_SITE_ID:-}
 ENV MATOMO_DO_NOT_TRACK ${MATOMO_DO_NOT_TRACK:-false}
 ENV MATOMO_WITH_USERNAME ${MATOMO_WITH_USERNAME:-true}
-
+ENV BROWSER_POLICY_ENABLED ${BROWSER_POLICY_ENABLED:-true}
+ENV TRUSTED_URL ${TRUSTED_URL:-}

 # Copy the app to the image
 COPY ${SRC_PATH} /home/wekan/app
--- a/client/lib/filter.js
+++ b/client/lib/filter.js
--- a/config/models.js
+++ b/config/models.js
@ -0,0 +1,4 @@
+module.exports.models = {
+  connection: 'mongodb',
+  migrate: 'safe',
+};
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -49,6 +49,12 @@ services:
      # - MATOMO_DO_NOT_TRACK='false'
      # The option that allows matomo to retrieve the username:
      # - MATOMO_WITH_USERNAME='true'
+      # Enable browser policy and allow one trusted URL that can have iframe that has Wekan embedded inside.
+      # Setting this to false is not recommended, it also disables all other browser policy protections
+      # and allows all iframing etc. See wekan/server/policy.js
+      - BROWSER_POLICY_ENABLED=true
+      # When browser policy is enabled, HTML code at this Trusted URL can have iframe that embeds Wekan inside.
+      - TRUSTED_URL=
    depends_on:
      - wekandb

--- a/i18n/de.i18n.json
+++ b/i18n/de.i18n.json
@ -109,7 +109,7 @@
    "bucket-example": "z.B. \"Löffelliste\"",
    "cancel": "Abbrechen",
    "card-archived": "Diese Karte wurde in den Papierkorb verschoben",
-    "board-archived": "This board is moved to Recycle Bin.",
+    "board-archived": "Dieses Board wurde in den Papierkorb verschoben.",
    "card-comments-title": "Diese Karte hat %s Kommentar(e).",
    "card-delete-notice": "Löschen kann nicht rückgängig gemacht werden. Alle Aktionen, die dieser Karte zugeordnet sind, werden ebenfalls gelöscht.",
    "card-delete-pop": "Alle Aktionen werden aus dem Aktivitätsfeed entfernt und die Karte kann nicht wiedereröffnet werden. Die Aktion kann nicht rückgängig gemacht werden.",
@ -136,9 +136,9 @@
    "cards": "Karten",
    "cards-count": "Karten",
    "casSignIn": "Mit CAS anmelden",
-    "cardType-card": "Card",
-    "cardType-linkedCard": "Linked Card",
-    "cardType-linkedBoard": "Linked Board",
+    "cardType-card": "Karte",
+    "cardType-linkedCard": "Verknüpfte Karte",
+    "cardType-linkedBoard": "Verknüpftes Board",
    "change": "Ändern",
    "change-avatar": "Profilbild ändern",
    "change-password": "Passwort ändern",
@ -175,8 +175,8 @@
    "confirm-subtask-delete-dialog": "Wollen Sie die Teilaufgabe wirklich löschen?",
    "confirm-checklist-delete-dialog": "Wollen Sie die Checkliste wirklich löschen?",
    "copy-card-link-to-clipboard": "Kopiere Link zur Karte in die Zwischenablage",
-    "linkCardPopup-title": "Link Card",
-    "searchCardPopup-title": "Search Card",
+    "linkCardPopup-title": "Karte verknüpfen",
+    "searchCardPopup-title": "Karte suchen",
    "copyCardPopup-title": "Karte kopieren",
    "copyChecklistToManyCardsPopup-title": "Checklistenvorlage in mehrere Karten kopieren",
    "copyChecklistToManyCardsPopup-instructions": "Titel und Beschreibungen der Zielkarten im folgenden JSON-Format",
@ -267,7 +267,7 @@
    "headerBarCreateBoardPopup-title": "Board erstellen",
    "home": "Home",
    "import": "Importieren",
-    "link": "Link",
+    "link": "Verknüpfung",
    "import-board": "Board importieren",
    "import-board-c": "Board importieren",
    "import-board-title-trello": "Board von Trello importieren",
--- a/i18n/zh-CN.i18n.json
+++ b/i18n/zh-CN.i18n.json
@ -109,7 +109,7 @@
    "bucket-example": "例如 “目标清单”",
    "cancel": "取消",
    "card-archived": "此卡片已经被移入回收站。",
-    "board-archived": "This board is moved to Recycle Bin.",
+    "board-archived": "将看板移动到回收站",
    "card-comments-title": "该卡片有 %s 条评论",
    "card-delete-notice": "彻底删除的操作不可恢复，你将会丢失该卡片相关的所有操作记录。",
    "card-delete-pop": "所有的活动将从活动摘要中被移除且您将无法重新打开该卡片。此操作无法撤销。",
@ -136,9 +136,9 @@
    "cards": "卡片",
    "cards-count": "卡片",
    "casSignIn": "用CAS登录",
-    "cardType-card": "Card",
-    "cardType-linkedCard": "Linked Card",
-    "cardType-linkedBoard": "Linked Board",
+    "cardType-card": "卡片",
+    "cardType-linkedCard": "已链接卡片",
+    "cardType-linkedBoard": "已链接看板",
    "change": "变更",
    "change-avatar": "更改头像",
    "change-password": "更改密码",
@ -175,8 +175,8 @@
    "confirm-subtask-delete-dialog": "确定要删除子任务吗？",
    "confirm-checklist-delete-dialog": "确定要删除清单吗？",
    "copy-card-link-to-clipboard": "复制卡片链接到剪贴板",
-    "linkCardPopup-title": "Link Card",
-    "searchCardPopup-title": "Search Card",
+    "linkCardPopup-title": "链接卡片",
+    "searchCardPopup-title": "搜索卡片",
    "copyCardPopup-title": "复制卡片",
    "copyChecklistToManyCardsPopup-title": "复制清单模板至多个卡片",
    "copyChecklistToManyCardsPopup-instructions": "以JSON格式表示目标卡片的标题和描述",
@ -267,7 +267,7 @@
    "headerBarCreateBoardPopup-title": "创建看板",
    "home": "首页",
    "import": "导入",
-    "link": "Link",
+    "link": "链接",
    "import-board": "导入看板",
    "import-board-c": "导入看板",
    "import-board-title-trello": "从Trello导入看板",
--- a/models/cards.js
+++ b/models/cards.js
@ -6,6 +6,8 @@ Cards = new Mongo.Collection('cards');
 Cards.attachSchema(new SimpleSchema({
  title: {
    type: String,
+    optional: true,
+    defaultValue: '',
  },
  archived: {
    type: Boolean,
@ -22,6 +24,8 @@ Cards.attachSchema(new SimpleSchema({
  },
  listId: {
    type: String,
+    optional: true,
+    defaultValue: '',
  },
  swimlaneId: {
    type: String,
@ -31,10 +35,14 @@ Cards.attachSchema(new SimpleSchema({
  // difficult to manage and less efficient.
  boardId: {
    type: String,
+    optional: true,
+    defaultValue: '',
  },
  coverId: {
    type: String,
    optional: true,
+    defaultValue: '',
+
  },
  createdAt: {
    type: Date,
@ -49,15 +57,19 @@ Cards.attachSchema(new SimpleSchema({
  customFields: {
    type: [Object],
    optional: true,
+    defaultValue: [],
  },
  'customFields.$': {
    type: new SimpleSchema({
      _id: {
        type: String,
+        optional: true,
+        defaultValue: '',
      },
      value: {
        type: Match.OneOf(String, Number, Boolean, Date),
        optional: true,
+        defaultValue: '',
      },
    }),
  },
@ -70,22 +82,28 @@ Cards.attachSchema(new SimpleSchema({
  description: {
    type: String,
    optional: true,
+    defaultValue: '',
  },
  requestedBy: {
    type: String,
    optional: true,
+    defaultValue: '',
+
  },
  assignedBy: {
    type: String,
    optional: true,
+    defaultValue: '',
  },
  labelIds: {
    type: [String],
    optional: true,
+    defaultValue: '',
  },
  members: {
    type: [String],
    optional: true,
+    defaultValue: [],
  },
  receivedAt: {
    type: Date,
@ -107,6 +125,7 @@ Cards.attachSchema(new SimpleSchema({
    type: Number,
    decimal: true,
    optional: true,
+    defaultValue: 0,
  },
  isOvertime: {
    type: Boolean,
@ -126,6 +145,7 @@ Cards.attachSchema(new SimpleSchema({
  sort: {
    type: Number,
    decimal: true,
+    defaultValue: '',
  },
  subtaskSort: {
    type: Number,
@ -135,10 +155,12 @@ Cards.attachSchema(new SimpleSchema({
  },
  type: {
    type: String,
+    defaultValue: '',
  },
  linkedId: {
    type: String,
    optional: true,
+    defaultValue: '',
  },
 }));

--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
  "name": "wekan",
-  "version": "1.29.0",
+  "version": "1.30.0",
  "description": "The open-source Trello-like kanban",
  "private": true,
  "scripts": {
--- a/sandstorm-pkgdef.capnp
+++ b/sandstorm-pkgdef.capnp
@ -22,10 +22,10 @@ const pkgdef :Spk.PackageDefinition = (
    appTitle = (defaultText = "Wekan"),
    # The name of the app as it is displayed to the user.

-    appVersion = 114,
+    appVersion = 115,
    # Increment this for every release.

-    appMarketingVersion = (defaultText = "1.29.0~2018-08-12"),
+    appMarketingVersion = (defaultText = "1.30.0~2018-08-14"),
    # Human-readable presentation of the app version.

    minUpgradableAppVersion = 0,
@ -242,6 +242,8 @@ const myCommand :Spk.Manifest.Command = (
    (key = "MATOMO_SITE_ID", value=""),
    (key = "MATOMO_DO_NOT_TRACK", value="false"),
    (key = "MATOMO_WITH_USERNAME", value="true"),
+    (key = "BROWSER_POLICY_ENABLED", value="true"),
+    (key = "TRUSTED_URL", value=""),
    (key = "SANDSTORM", value = "1"),
    (key = "METEOR_SETTINGS", value = "{\"public\": {\"sandstorm\": true}}")
  ]
--- a/server/policy.js
+++ b/server/policy.js
@ -1,9 +1,33 @@
 import { BrowserPolicy } from 'meteor/browser-policy-common';

 Meteor.startup(() => {
+
+  if ( process.env.BROWSER_POLICY_ENABLED === 'true' ) {
+    // Trusted URL that can embed Wekan in iFrame.
+    const trusted = process.env.TRUSTED_URL;
+    BrowserPolicy.framing.disallow();
+    BrowserPolicy.content.disallowInlineScripts();
+    BrowserPolicy.content.disallowEval();
+    BrowserPolicy.content.allowInlineStyles();
+    BrowserPolicy.content.allowFontDataUrl();
+    BrowserPolicy.framing.restrictToOrigin(trusted);
+    BrowserPolicy.content.allowScriptOrigin(trusted);
+  }
+  else {
+    // Disable browser policy and allow all framing and including.
+    // Use only at internal LAN, not at Internet.
+    BrowserPolicy.framing.allowAll();
+    BrowserPolicy.content.allowDataUrlForAll();
+  }
+
+  // Allow all images from anywhere
+  BrowserPolicy.content.allowImageOrigin('*');
+
+  // If Matomo URL is set, allow it.
  const matomoUrl = process.env.MATOMO_ADDRESS;
  if (matomoUrl){
    BrowserPolicy.content.allowScriptOrigin(matomoUrl);
    BrowserPolicy.content.allowImageOrigin(matomoUrl);
  }
+
 });
--- a/snap-src/bin/config
+++ b/snap-src/bin/config
@ -3,7 +3,7 @@
 # All supported keys are defined here together with descriptions and default values

 # list of supported keys
-keys="MONGODB_BIND_UNIX_SOCKET MONGODB_BIND_IP MONGODB_PORT MAIL_URL MAIL_FROM ROOT_URL PORT DISABLE_MONGODB CADDY_ENABLED CADDY_BIND_PORT WITH_API MATOMO_ADDRESS MATOMO_SITE_ID MATOMO_DO_NOT_TRACK MATOMO_WITH_USERNAME"
+keys="MONGODB_BIND_UNIX_SOCKET MONGODB_BIND_IP MONGODB_PORT MAIL_URL MAIL_FROM ROOT_URL PORT DISABLE_MONGODB CADDY_ENABLED CADDY_BIND_PORT WITH_API MATOMO_ADDRESS MATOMO_SITE_ID MATOMO_DO_NOT_TRACK MATOMO_WITH_USERNAME BROWSER_POLICY_ENABLED TRUSTED_URL"

 # default values
 DESCRIPTION_MONGODB_BIND_UNIX_SOCKET="mongodb binding unix socket:\n"\
@ -67,3 +67,13 @@ KEY_MATOMO_DO_NOT_TRACK="matomo-do-not-track"
 DESCRIPTION_MATOMO_WITH_USERNAME="The option that allows matomo to retrieve the username"
 DEFAULT_MATOMO_WITH_USERNAME="false"
 KEY_MATOMO_WITH_USERNAME="matomo-with-username"
+
+DESCRIPTION_BROWSER_POLICY_ENABLED="Enable browser policy and allow one trusted URL that can have iframe that has Wekan embedded inside.\n"\
+"\t\t\t Setting this to false is not recommended, it also disables all other browser policy protections\n"\
+"\t\t\t and allows all iframing etc. See wekan/server/policy.js"
+DEFAULT_BROWSER_POLICY_ENABLED="true"
+KEY_BROWSER_POLICY_ENABLED="browser-policy-enabled"
+
+DESCRIPTION_TRUSTED_URL="When browser policy is enabled, HTML code at this Trusted URL can have iframe that embeds Wekan inside."
+DEFAULT_TRUSTED_URL=""
+KEY_TRUSTED_URL="trusted-url"
--- a/snap-src/bin/wekan-help
+++ b/snap-src/bin/wekan-help
@ -32,6 +32,21 @@ echo -e "To enable the API of wekan:"
 echo -e "\t$ snap set $SNAP_NAME WITH_API='true'"
 echo -e "\t-Disable the API:"
 echo -e "\t$ snap set $SNAP_NAME WITH_API='false'"
+echo -e "\n"
+echo -e "Enable browser policy and allow one trusted URL that can have iframe that has Wekan embedded inside."
+echo -e "\t\t Setting this to false is not recommended, it also disables all other browser policy protections"
+echo -e "\t\t and allows all iframing etc. See wekan/server/policy.js"
+echo -e "To enable the Content Policy of Wekan:"
+echo -e "\t$ snap set $SNAP_NAME CONTENT_POLICY_ENABLED='true'"
+echo -e "\t-Disable the Content Policy of Wekan:"
+echo -e "\t$ snap set $SNAP_NAME CONTENT_POLICY_ENABLED='false'"
+echo -e "\n"
+echo -e "When browser policy is enabled, HTML code at this URL can have iframe that embeds Wekan inside."
+echo -e "To enable the Trusted URL of Wekan:"
+echo -e "\t$ snap set $SNAP_NAME TRUSTED_URL='https://example.com'"
+echo -e "\t-Disable the Trusted URL of Wekan:"
+echo -e "\t$ snap set $SNAP_NAME TRUSTED_URL=''"
+echo -e "\n"
 # parse config file for supported settings keys
 echo -e "wekan supports settings keys"
 echo -e "values can be changed by calling\n$ snap set $SNAP_NAME <key name>='<key value>'"