-rw-r--r-- | models/attachments.js | 158 | ||||
-rw-r--r-- | sandstorm.js | 10 | ||||
-rw-r--r-- | server/migrations.js | 12 |
3 files changed, 90 insertions, 90 deletions
diff --git a/models/attachments.js b/models/attachments.js
index 5e5c4926..91dd0dbc 100644
--- a/models/attachments.js
+++ b/models/attachments.js
@@ -1,90 +1,90 @@
- Attachments = new FS.Collection('attachments', {
- stores: [
+Attachments = new FS.Collection('attachments', {
+ stores: [
- // XXX Add a new store for cover thumbnails so we don't load big images in
- // the general board view
- new FS.Store.GridFS('attachments', {
- // If the uploaded document is not an image we need to enforce browser
- // download instead of execution. This is particularly important for HTML
- // files that the browser will just execute if we don't serve them with the
- // appropriate `application/octet-stream` MIME header which can lead to user
- // data leaks. I imagine other formats (like PDF) can also be attack vectors.
- // See https://github.com/wekan/wekan/issues/99
- // XXX Should we use `beforeWrite` option of CollectionFS instead of
- // collection-hooks?
- // We should use `beforeWrite`.
- beforeWrite: (fileObj) => {
- if (!fileObj.isImage()) {
- return {
- type: 'application/octet-stream',
- };
- }
- return {};
- },
- }),
- ],
- });
-
-
- if (Meteor.isServer) {
- Attachments.allow({
- insert(userId, doc) {
- return allowIsBoardMember(userId, Boards.findOne(doc.boardId));
- },
- update(userId, doc) {
- return allowIsBoardMember(userId, Boards.findOne(doc.boardId));
- },
- remove(userId, doc) {
- return allowIsBoardMember(userId, Boards.findOne(doc.boardId));
- },
- // We authorize the attachment download either:
- // - if the board is public, everyone (even unconnected) can download it
- // - if the board is private, only board members can download it
- download(userId, doc) {
- const board = Boards.findOne(doc.boardId);
- if (board.isPublic()) {
- return true;
- } else {
- return board.hasMember(userId);
+ // XXX Add a new store for cover thumbnails so we don't load big images in
+ // the general board view
+ new FS.Store.GridFS('attachments', {
+ // If the uploaded document is not an image we need to enforce browser
+ // download instead of execution. This is particularly important for HTML
+ // files that the browser will just execute if we don't serve them with the
+ // appropriate `application/octet-stream` MIME header which can lead to user
+ // data leaks. I imagine other formats (like PDF) can also be attack vectors.
+ // See https://github.com/wekan/wekan/issues/99
+ // XXX Should we use `beforeWrite` option of CollectionFS instead of
+ // collection-hooks?
+ // We should use `beforeWrite`.
+ beforeWrite: (fileObj) => {
+ if (!fileObj.isImage()) {
+ return {
+ type: 'application/octet-stream',
+ };
 }
+ return {};
 },
+ }),
+ ],
+});
- fetch: ['boardId'],
- });
- }
-
- // XXX Enforce a schema for the Attachments CollectionFS
- if (Meteor.isServer) {
- Attachments.files.after.insert((userId, doc) => {
- // If the attachment doesn't have a source field
- // or its source is different than import
- if (!doc.source || doc.source !== 'import') {
- // Add activity about adding the attachment
- Activities.insert({
- userId,
- type: 'card',
- activityType: 'addAttachment',
- attachmentId: doc._id,
- boardId: doc.boardId,
- cardId: doc.cardId,
- });
+if (Meteor.isServer) {
+ Attachments.allow({
+ insert(userId, doc) {
+ return allowIsBoardMember(userId, Boards.findOne(doc.boardId));
+ },
+ update(userId, doc) {
+ return allowIsBoardMember(userId, Boards.findOne(doc.boardId));
+ },
+ remove(userId, doc) {
+ return allowIsBoardMember(userId, Boards.findOne(doc.boardId));
+ },
+ // We authorize the attachment download either:
+ // - if the board is public, everyone (even unconnected) can download it
+ // - if the board is private, only board members can download it
+ download(userId, doc) {
+ const board = Boards.findOne(doc.boardId);
+ if (board.isPublic()) {
+ return true;
 } else {
- // Don't add activity about adding the attachment as the activity
- // be imported and delete source field
- Attachments.update({
- _id: doc._id,
- }, {
- $unset: {
- source: '',
- },
- });
+ return board.hasMember(userId);
 }
- });
+ },
+
+ fetch: ['boardId'],
+ });
+}
- Attachments.files.after.remove((userId, doc) => {
- Activities.remove({
+// XXX Enforce a schema for the Attachments CollectionFS
+
+if (Meteor.isServer) {
+ Attachments.files.after.insert((userId, doc) => {
+ // If the attachment doesn't have a source field
+ // or its source is different than import
+ if (!doc.source || doc.source !== 'import') {
+ // Add activity about adding the attachment
+ Activities.insert({
+ userId,
+ type: 'card',
+ activityType: 'addAttachment',
 attachmentId: doc._id,
+ boardId: doc.boardId,
+ cardId: doc.cardId,
 });
+ } else {
+ // Don't add activity about adding the attachment as the activity
+ // be imported and delete source field
+ Attachments.update({
+ _id: doc._id,
+ }, {
+ $unset: {
+ source: '',
+ },
+ });
+ }
+ });
+
+ Attachments.files.after.remove((userId, doc) => {
+ Activities.remove({
+ attachmentId: doc._id,
 });
- }
+ });
+}
diff --git a/sandstorm.js b/sandstorm.js
index 3ea85fef..d34bc015 100644
--- a/sandstorm.js
+++ b/sandstorm.js
@@ -75,7 +75,7 @@ if (isSandstorm && Meteor.isServer) {
 session.claimRequest(token).then((response) => {
 const identity = response.cap.castAs(Identity.Identity);
 const promises = [api.getIdentityId(identity), identity.getProfile(),
- httpBridge.saveIdentity(identity)];
+ httpBridge.saveIdentity(identity)];
 return Promise.all(promises).then((responses) => {
 const identityId = responses[0].id.toString('hex').slice(0, 32);
 const profile = responses[1].profile;
@@ -115,9 +115,9 @@ if (isSandstorm && Meteor.isServer) {
 const identity = response.identity;
 return identity.getProfile().then(() => {
 return { identity,
- mentioned: !!user.mentioned,
- subscribed: !!user.subscribed,
- };
+ mentioned: !!user.mentioned,
+ subscribed: !!user.subscribed,
+ };
 });
 }).catch(() => {
 // Ignore identities that fail to restore. Either they were added before we set
@@ -132,7 +132,7 @@ if (isSandstorm && Meteor.isServer) {
 return session.activity(event);
 }).then(() => done(),
- (e) => done(e));
+ (e) => done(e));
 })();
 }
diff --git a/server/migrations.js b/server/migrations.js
index 0fdd1fe0..ba5ccd98 100644
--- a/server/migrations.js
+++ b/server/migrations.js
@@ -167,9 +167,9 @@ Migrations.add('add-swimlanes', () => {
 Cards.find({ boardId: board._id }).forEach((card) => {
 if (!card.hasOwnProperty('swimlaneId')) {
 Cards.direct.update(
- { _id: card._id },
- { $set: { swimlaneId } },
- noValidate
+ { _id: card._id },
+ { $set: { swimlaneId } },
+ noValidate
 );
 }
 });
@@ -180,9 +180,9 @@ Migrations.add('add-views', () => {
 Boards.find().forEach((board) => {
 if (!board.hasOwnProperty('view')) {
 Boards.direct.update(
- { _id: board._id },
- { $set: { view: 'board-view-swimlanes' } },
- noValidate
+ { _id: board._id },
+ { $set: { view: 'board-view-swimlanes' } },
+ noValidate
 );
 }
 }); |