version 1.39.0

huridocs · Sep 27, 2021 · 0718318 · 0718318
2 parents dc289e7 + a153316
commit 0718318
Show file tree

Hide file tree

Showing 200 changed files with 2,091 additions and 851 deletions.
diff --git a/app/api/activitylog/helpers.js b/app/api/activitylog/helpers.js
@@ -74,7 +74,7 @@ export const updatedFile = data => {
   if (data.toc) {
     name = 'ToC, ';
   } else {
-    name = data.pdfinfo ? 'Pdf info, ' : '';
+    name = '';
   }
   return `${name}${data.title}`;
 };

diff --git a/app/api/activitylog/specs/activitylogParser.spec.js b/app/api/activitylog/specs/activitylogParser.spec.js
@@ -957,24 +957,6 @@ describe('Activitylog Parser', () => {
             }
           );
         });
-        it('should beautify as UPDATE with file name for pdfinfo changes', async () => {
-          const body = {
-            _id: fileId,
-            pdfinfo: { 1: { chars: 0 } },
-          };
-          await testBeautified(
-            {
-              method: 'POST',
-              url: '/api/files',
-              body: JSON.stringify(body),
-            },
-            {
-              action: 'UPDATE',
-              description: 'Updated file',
-              name: 'Pdf info, My File',
-            }
-          );
-        });
         it('should not break if file is missing from the database.', async () => {
           const body = {
             _id: nonExistentId,

diff --git a/app/api/activitylog/specs/routes.spec.js b/app/api/activitylog/specs/routes.spec.js
@@ -53,7 +53,6 @@ describe('Activitylog routes', () => {
       currentUser = adminUser;
       const response = await request(app)
         .get('/api/activitylog')
-        .set('X-Requested-With', 'XMLHttpRequest')
         .query(qs.stringify({ method: ['POST'], before: 1628256165 }));
 
       expect(activitylog.get).toHaveBeenCalledWith({
@@ -68,7 +67,6 @@ describe('Activitylog routes', () => {
       currentUser = adminUser;
       await request(app)
         .get('/api/activitylog')
-        .set('X-Requested-With', 'XMLHttpRequest')
         .query({});
       expect(activitylog.get).toHaveBeenCalledWith({ method: undefined, time: undefined });
     });
@@ -93,7 +91,6 @@ describe('Activitylog routes', () => {
           currentUser = adminUser;
           const response = await request(app)
             .get('/api/activitylog')
-            .set('X-Requested-With', 'XMLHttpRequest')
             .query(qs.stringify({ ...validQuery, ...changedProperty }));
           expect(response.status).toBe(400);
           expect(activitylog.get).not.toHaveBeenCalled();

diff --git a/app/api/api.js b/app/api/api.js
@@ -1,9 +1,11 @@
 /* eslint-disable global-require */
 import activitylogMiddleware from './activitylog/activitylogMiddleware';
+import CSRFMiddleware from './auth/CSRFMiddleware';
 import languageMiddleware from './utils/languageMiddleware';
 
 export default (app, server) => {
   //common middlewares
+  app.use(CSRFMiddleware);
   app.use(languageMiddleware);
   app.use(activitylogMiddleware);
 

diff --git a/app/api/auth/CSRFMiddleware.ts b/app/api/auth/CSRFMiddleware.ts
@@ -0,0 +1,15 @@
+import { Request, Response, NextFunction } from 'express';
+
+export default (req: Request, res: Response, next: NextFunction) => {
+  if (!['POST', 'DELETE', 'PUT', 'OPTIONS'].includes(req.method)) {
+    return next();
+  }
+  if (req.get('X-Requested-With') === 'XMLHttpRequest') {
+    return next();
+  }
+  res.status(403);
+  return res.json({
+    error: 'Forbidden',
+    message: 'X-Requested-With header was not sent!',
+  });
+};
diff --git a/app/api/auth/authMiddleware.ts b/app/api/auth/authMiddleware.ts
@@ -10,11 +10,7 @@ declare global {
 }
 
 export default (roles = ['admin']) => (req: Request, res: Response, next: NextFunction) => {
-  if (
-    req.user &&
-    roles.includes(req.user.role || '') &&
-    req.get('X-Requested-With') === 'XMLHttpRequest'
-  ) {
+  if (req.user && roles.includes(req.user.role || '')) {
     return next();
   }
   res.status(401);

diff --git a/app/api/auth/specs/CSRFMiddleware.spec.js b/app/api/auth/specs/CSRFMiddleware.spec.js
@@ -0,0 +1,39 @@
+import CSRFMiddleware from '../CSRFMiddleware';
+
+describe('CSRFMiddleware', () => {
+  let req;
+  let res;
+  let next;
+
+  beforeEach(() => {
+    req = { get: () => 'XMLHttpRequest' };
+    res = {
+      status: jasmine.createSpy('status'),
+      json: jasmine.createSpy('json'),
+    };
+    next = jasmine.createSpy('next');
+  });
+
+  it('should return an error when no X-Requested-With header in POST', () => {
+    req = { get: () => '', method: 'POST' };
+
+    CSRFMiddleware(req, res, next);
+
+    expect(res.status).toHaveBeenCalledWith(403);
+    expect(res.json).toHaveBeenCalledWith({
+      error: 'Forbidden',
+      message: 'X-Requested-With header was not sent!',
+    });
+    expect(next).not.toHaveBeenCalled();
+  });
+
+  it('should not return an error when no X-Requested-With header in GET', () => {
+    req = { get: () => '', method: 'GET' };
+
+    CSRFMiddleware(req, res, next);
+
+    expect(res.status).not.toHaveBeenCalled();
+    expect(res.json).not.toHaveBeenCalled();
+    expect(next).toHaveBeenCalled();
+  });
+});
diff --git a/app/api/auth/specs/authMiddleware.spec.js b/app/api/auth/specs/authMiddleware.spec.js
@@ -33,18 +33,6 @@ describe('authMiddleware', () => {
     expect(next).not.toHaveBeenCalled();
   });
 
-  it('should return an error when logged in but no X-Requested-With header', () => {
-    req = { get: () => '' };
-
-    const middleWare = authMiddleware(['editor']);
-    req.user = { role: 'editor' };
-    middleWare(req, res, next);
-
-    expect(res.status).toHaveBeenCalledWith(401);
-    expect(res.json).toHaveBeenCalledWith({ error: 'Unauthorized', message: 'Unauthorized' });
-    expect(next).not.toHaveBeenCalled();
-  });
-
   it('should call next when the user role is in the allowed roles', () => {
     const middleWare = authMiddleware(['editor']);
     req.user = { role: 'editor' };

diff --git a/app/api/documents/specs/deprecatedRoutes.spec.js b/app/api/documents/specs/deprecatedRoutes.spec.js
@@ -54,7 +54,6 @@ describe('documents', () => {
       spyOn(documents, 'save').and.returnValue(new Promise(resolve => resolve('document')));
       await request(app)
         .post('/api/documents')
-        .set('X-Requested-With', 'XMLHttpRequest')
         .send(req)
         .expect(401);
     });
@@ -64,7 +63,6 @@ describe('documents', () => {
       currentUser = adminUser;
       const response = await request(app)
         .post('/api/documents')
-        .set('X-Requested-With', 'XMLHttpRequest')
         .send(document);
       expect(response.body).toBe('document');
       expect(documents.save).toHaveBeenCalledWith(document, {
@@ -91,7 +89,6 @@ describe('documents', () => {
     it('should return documents.get', async () => {
       const response = await request(app)
         .get('/api/documents')
-        .set('X-Requested-With', 'XMLHttpRequest')
         .query({ _id: 'id' });
       expect(documents.getById).toHaveBeenCalledWith('id', 'es');
       expect(response.body).toEqual({ rows: ['documents'] });
@@ -115,7 +112,6 @@ describe('documents', () => {
     it('should return count of documents using a specific template', async () => {
       const response = await request(app)
         .get('/api/documents/count_by_template')
-        .set('X-Requested-With', 'XMLHttpRequest')
         .query({ templateId: 'templateId' });
       expect(templates.countByTemplate).toHaveBeenCalledWith('templateId');
       expect(response.body).toEqual(2);
@@ -131,7 +127,6 @@ describe('documents', () => {
       currentUser = adminUser;
       const response = await request(app)
         .delete('/api/documents')
-        .set('X-Requested-With', 'XMLHttpRequest')
         .send({});
 
       expect(response.status).toBe(400);
@@ -144,7 +139,6 @@ describe('documents', () => {
       currentUser = adminUser;
       await request(app)
         .delete('/api/documents')
-        .set('X-Requested-With', 'XMLHttpRequest')
         .query({ sharedId: 123 });
       expect(documents.delete).toHaveBeenCalledWith('123');
     });

diff --git a/app/api/entities/endpointSchema.js b/app/api/entities/endpointSchema.js
@@ -91,7 +91,6 @@ const saveSchema = Joi.object()
     uploaded: Joi.boolean(),
     published: Joi.boolean(),
     metadata: metadataSchema,
-    pdfInfo: Joi.any(),
     user: Joi.string(),
   })
   .required();

diff --git a/app/api/entities/entities.js b/app/api/entities/entities.js
@@ -343,11 +343,11 @@ const validateWritePermissions = (ids, entitiesToUpdate) => {
   }
 };
 
-const withDocuments = async (entities, documentsFullText, withPdfInfo) => {
+const withDocuments = async (entities, documentsFullText) => {
   const sharedIds = entities.map(entity => entity.sharedId);
   const allFiles = await files.get(
     { entity: { $in: sharedIds } },
-    (documentsFullText ? '+fullText ' : ' ') + (withPdfInfo ? '+pdfInfo' : '')
+    documentsFullText ? '+fullText ' : ' '
   );
   const idFileMap = new Map();
   allFiles.forEach(file => {
@@ -501,21 +501,21 @@ export default {
   },
 
   async getUnrestrictedWithDocuments(query, select, options = {}) {
-    const { documentsFullText, withPdfInfo, ...restOfOptions } = options;
+    const { documentsFullText, ...restOfOptions } = options;
     const extendedSelect = extendSelect(select);
     const entities = await model.getUnrestricted(query, extendedSelect, restOfOptions);
-    return withDocuments(entities, documentsFullText, withPdfInfo);
+    return withDocuments(entities, documentsFullText);
   },
 
   async getUnrestricted(query, select, options) {
     return model.getUnrestricted(query, select, options);
   },
 
   async get(query, select, options = {}) {
-    const { withoutDocuments, documentsFullText, withPdfInfo, ...restOfOptions } = options;
+    const { withoutDocuments, documentsFullText, ...restOfOptions } = options;
     const extendedSelect = withoutDocuments ? select : extendSelect(select);
     const entities = await model.get(query, extendedSelect, restOfOptions);
-    return withoutDocuments ? entities : withDocuments(entities, documentsFullText, withPdfInfo);
+    return withoutDocuments ? entities : withDocuments(entities, documentsFullText);
   },
 
   async getWithRelationships(query, select, pagination) {

diff --git a/app/api/entities/routes.js b/app/api/entities/routes.js
@@ -107,7 +107,7 @@ export default app => {
       },
     }),
     (req, res, next) => {
-      const { omitRelationships, withPdfInfo, include = [], ...query } = req.query;
+      const { omitRelationships, include = [], ...query } = req.query;
       const action = omitRelationships ? 'get' : 'getWithRelationships';
       const published = req.user ? {} : { published: true };
       const language = req.language ? { language: req.language } : {};
@@ -116,7 +116,6 @@ export default app => {
         include.map(field => `+${field}`).join(' '),
         {
           limit: 1,
-          withPdfInfo,
         }
       )
         .then(_entities => {

diff --git a/app/api/entities/specs/fixtures.js b/app/api/entities/specs/fixtures.js
@@ -70,10 +70,6 @@ export default {
         2: 'page[[2]] 2[[2]]',
         3: '',
       },
-      pdfInfo: {
-        1: { chars: 10 },
-        2: { chars: 20 },
-      },
     },
     {
       _id: uploadId2,

diff --git a/app/api/entities/specs/routes.spec.ts b/app/api/entities/specs/routes.spec.ts
@@ -37,21 +37,6 @@ describe('entities routes', () => {
   afterAll(async () => db.disconnect());
 
   describe('GET', () => {
-    it('return pdfInfo if asked in the request', async () => {
-      const responseWithoutPdfInfo: SuperTestResponse = await request(app)
-        .get('/api/entities')
-        .query({ sharedId: 'shared' });
-
-      expect(responseWithoutPdfInfo.body.rows[0].documents[0].pdfInfo).toBe(undefined);
-
-      const responseWithPdfInfo: SuperTestResponse = await request(app)
-        .get('/api/entities')
-        .query({ sharedId: 'shared', withPdfInfo: true });
-
-      const expectedPdfInfo = fixtures.files[2].pdfInfo;
-      expect(responseWithPdfInfo.body.rows[0].documents[0].pdfInfo).toEqual(expectedPdfInfo);
-    });
-
     it('return asked entities with permissions', async () => {
       const response: SuperTestResponse = await request(app)
         .get('/api/entities')
@@ -67,7 +52,6 @@ describe('entities routes', () => {
       new UserInContextMockFactory().mock(user);
       const response: SuperTestResponse = await request(app)
         .post('/api/entities')
-        .set('X-Requested-With', 'XMLHttpRequest')
         .send({ title: 'newEntity' });
       expect(response.body).toEqual(
         expect.objectContaining({

diff --git a/app/api/files/PDF.js b/app/api/files/PDF.js
@@ -3,7 +3,7 @@ import fs from 'fs';
 import path from 'path';
 import { detectLanguage } from 'shared/detectLanguage';
 import { spawn } from 'child-process-promise';
-import errorLog from 'api/log/errorLog';
+import { errorLog } from 'api/log';
 import { createError } from 'api/utils';
 
 class PDF extends EventEmitter {

diff --git a/app/api/files/exportRoutes.ts b/app/api/files/exportRoutes.ts
@@ -1,6 +1,6 @@
 import { Application, Request, Response, NextFunction } from 'express';
 import { createWriteStream, unlink } from 'fs';
-import errorLog from 'api/log/errorLog';
+import { errorLog } from 'api/log';
 import { search } from 'api/search';
 import { CSVExporter } from 'api/csv';
 import settings from 'api/settings';

diff --git a/app/api/files/filesModel.ts b/app/api/files/filesModel.ts
@@ -2,12 +2,11 @@ import mongoose from 'mongoose';
 import date from 'api/utils/date.js';
 
 import { instanceModel } from 'api/odm';
-import { FileType } from '../../shared/types/fileType';
+import { FileType } from 'shared/types/fileType';
 
 const propsWithDBSpecifics = {
   creationDate: { type: Number, default: date.currentUTC },
   fullText: { type: mongoose.Schema.Types.Mixed, select: false },
-  pdfInfo: { type: mongoose.Schema.Types.Mixed, select: false },
   entity: { type: String, index: true },
   type: { type: String, index: true },
   filename: { type: String, index: true },

diff --git a/app/api/files/routes.ts b/app/api/files/routes.ts
@@ -1,7 +1,5 @@
 import { Application } from 'express';
-//@ts-ignore
-import debugLog from 'api/log/debugLog';
-import errorLog from 'api/log/errorLog';
+import { debugLog, errorLog } from 'api/log';
 import { processDocument } from 'api/files/processDocument';
 import { uploadsPath, fileExists, customUploadsPath, attachmentsPath } from 'api/files/filesystem';
 import needsAuthorization from 'api/auth/authMiddleware';

diff --git a/app/api/files/specs/PDF.spec.js b/app/api/files/specs/PDF.spec.js
@@ -2,7 +2,7 @@
 
 import path from 'path';
 import fs from 'fs';
-import errorLog from 'api/log/errorLog';
+import { errorLog } from 'api/log';
 import { PDF } from '../PDF.js';
 
 describe('PDF', () => {

diff --git a/app/api/files/specs/jsRoutes.spec.js b/app/api/files/specs/jsRoutes.spec.js
@@ -13,7 +13,7 @@ import mailer from 'api/utils/mailer';
 import { fixtures, templateId } from './fixtures';
 import instrumentRoutes from '../../utils/instrumentRoutes';
 import uploadRoutes from '../jsRoutes.js';
-import errorLog from '../../log/errorLog';
+import { errorLog } from '../../log';
 import { createDirIfNotExists } from '../filesystem';
 
 const mockExport = jest.fn();

diff --git a/app/api/files/specs/publicRoutes.spec.ts b/app/api/files/specs/publicRoutes.spec.ts
@@ -6,7 +6,7 @@ import { EntityWithFilesSchema } from 'shared/types/entityType';
 
 import { search } from 'api/search';
 import db from 'api/utils/testing_db';
-import errorLog from 'api/log/errorLog';
+import { errorLog } from 'api/log';
 import {
   uploadsPath,
   writeFile,