Merge branch 'next' into anna/next

Cookiezaurs · web-flow · commit 13caf58e5192 · 2024-11-13T10:03:16.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -47,6 +47,9 @@ Enterprise fixes:
 - [nps] Fixed bug in the editor where the "internal name" field was not mandatory
 - [ratings] Fixed UI bug where "Internal name" was not a mandatory field
 
+Security:
+- Fixing minor vulnerability that would allow for unauthorized file upload
+
 ## Version 24.05.16
 Fixes:
 - [core] Replaced "Users" with "Sessions" label on technology home widgets
diff --git a/frontend/express/app.js b/frontend/express/app.js
@@ -603,6 +603,10 @@ Promise.all([plugins.dbConnection(countlyConfig), plugins.dbConnection("countly_
     app.use(function(req, res, next) {
         var contentType = req.headers['content-type'];
         if (req.method.toLowerCase() === 'post' && contentType && contentType.indexOf('multipart/form-data') >= 0) {
+            if (!req.session?.uid || Date.now() > req.session?.expires) {
+                res.status(401).send('Unauthorized');
+                return;
+            }
             var form = new formidable.IncomingForm();
             form.uploadDir = __dirname + '/uploads';
             form.parse(req, function(err, fields, files) {
diff --git a/frontend/express/public/core/app-resolution/templates/app-resolution.html b/frontend/express/public/core/app-resolution/templates/app-resolution.html
@@ -5,10 +5,7 @@
 	>
 		<template v-slot:header-right>
           <cly-more-options v-if="topDropdown" size="small">
-            <el-dropdown-item :key="idx" v-for="(item, idx) in topDropdown">
-              <!--<span :class="item.icon"></span>-->
-              <a :href="item.value" class="bu-ml-1">{{item.label}}</a>
-            </el-dropdown-item>
+			<el-dropdown-item :key="idx" v-for="(item, idx) in topDropdown" :command="{url: item.value}">{{item.label}}</el-dropdown-item>
           </cly-more-options>
         </template>
     </cly-header>
diff --git a/frontend/express/public/core/app-version/templates/app-version.html b/frontend/express/public/core/app-version/templates/app-version.html
@@ -5,10 +5,7 @@
   >
   <template v-slot:header-right>
         <cly-more-options v-if="topDropdown" size="small">
-          <el-dropdown-item :key="idx" v-for="(item, idx) in topDropdown">
-            <!--<span :class="item.icon"></span>-->
-            <a :href="item.value" class="bu-ml-1">{{item.label}}</a>
-          </el-dropdown-item>
+          <el-dropdown-item :key="idx" v-for="(item, idx) in topDropdown" :command="{url: item.value}">{{item.label}}</el-dropdown-item>
         </cly-more-options>
       </template>
   </cly-header>
diff --git a/frontend/express/public/core/carrier/templates/carrier.html b/frontend/express/public/core/carrier/templates/carrier.html
@@ -6,10 +6,7 @@
 	>
 		<template v-slot:header-right>
           <cly-more-options v-if="topDropdown" size="small">
-            <el-dropdown-item :key="idx" v-for="(item, idx) in topDropdown">
-			  <!--<span :class="item.icon"></span>-->
-              <a :href="item.value" class="bu-ml-1">{{item.label}}</a>
-            </el-dropdown-item>
+            <el-dropdown-item :key="idx" v-for="(item, idx) in topDropdown" :command="{url: item.value}">{{item.label}}</el-dropdown-item>
           </cly-more-options>
         </template>
     </cly-header>
diff --git a/frontend/express/public/core/device-and-type/javascripts/countly.views.js b/frontend/express/public/core/device-and-type/javascripts/countly.views.js
@@ -443,6 +443,20 @@ var GridComponent = countlyVue.views.create({
             }
             return val;
         },
+        onWidgetCommand: function(event) {
+            if (event === 'add' || event === 'manage' || event === 'show') {
+                this.graphNotesHandleCommand(event);
+                return;
+            }
+            else if (event === 'zoom') {
+                this.triggerZoom();
+                return;
+            }
+            else {
+                this.$emit('command', event);
+                return;
+            }
+        },
     }
 });
 
diff --git a/frontend/express/public/core/device-and-type/templates/devices-and-types.html b/frontend/express/public/core/device-and-type/templates/devices-and-types.html
@@ -5,10 +5,7 @@
   >
 		<template v-slot:header-right>
           <cly-more-options v-if="topDropdown" size="small">
-            <el-dropdown-item :key="idx" v-for="(item, idx) in topDropdown">
-              <!--<span :class="item.icon"></span>-->
-              <a :href="item.value" class="bu-ml-1">{{item.label}}</a>
-            </el-dropdown-item>
+            <el-dropdown-item :key="idx" v-for="(item, idx) in topDropdown" :command="{url: item.value}">{{item.label}}</el-dropdown-item>
           </cly-more-options>
         </template>
 		 <template v-slot:header-tabs>
diff --git a/frontend/express/public/core/geo-countries/templates/countries.html b/frontend/express/public/core/geo-countries/templates/countries.html
@@ -5,10 +5,7 @@
 	>
 		<template v-slot:header-right>
           <cly-more-options v-if="topDropdown" size="small">
-            <el-dropdown-item :key="idx" v-for="(item, idx) in topDropdown">
-			  <!--<span :class="item.icon"></span>-->
-              <a :href="item.value" class="bu-ml-1">{{item.label}}</a>
-            </el-dropdown-item>
+            <el-dropdown-item :key="idx" v-for="(item, idx) in topDropdown" :command="{url: item.value}">{{item.label}}</el-dropdown-item>
           </cly-more-options>
         </template>
     </cly-header>
diff --git a/frontend/express/public/core/platform/templates/platform.html b/frontend/express/public/core/platform/templates/platform.html
@@ -5,10 +5,7 @@
     >
 		<template v-slot:header-right>
           <cly-more-options v-if="topDropdown" size="small">
-            <el-dropdown-item :key="idx" v-for="(item, idx) in topDropdown">
-              <!--<span :class="item.icon"></span>-->  
-              <a :href="item.value" class="bu-ml-1">{{item.label}}</a>
-            </el-dropdown-item>
+            <el-dropdown-item :key="idx" v-for="(item, idx) in topDropdown" :command="{url: item.value}">{{item.label}}</el-dropdown-item>
           </cly-more-options>
         </template>
     </cly-header>
diff --git a/frontend/express/public/core/user-analytics-overview/templates/overview.html b/frontend/express/public/core/user-analytics-overview/templates/overview.html
@@ -9,10 +9,7 @@ <h2> {{i18n('user-analytics.overview-title')}} </h2>
         </template>
 		<template v-slot:header-right>
           <cly-more-options v-if="topDropdown" size="small">
-            <el-dropdown-item :key="idx" v-for="(item, idx) in topDropdown">
-			  <!--<span :class="item.icon"></span>-->	
-              <a :href="item.value" class="bu-ml-1">{{item.label}}</a>
-            </el-dropdown-item>
+			<el-dropdown-item :key="idx" v-for="(item, idx) in topDropdown" :command="{url: item.value}">{{item.label}}</el-dropdown-item>
           </cly-more-options>
         </template>
     </cly-header>
diff --git a/frontend/express/public/javascripts/countly/countly.helpers.js b/frontend/express/public/javascripts/countly/countly.helpers.js
@@ -397,6 +397,12 @@
         if (options.isExternalLink) {
             window.open(options.url, '_blank', 'noopener,noreferrer');
         }
+        else if (options.download) {
+            var a = document.createElement('a');
+            a.href = options.url;
+            a.download = options.download;
+            a.click();
+        }
         else {
             app.backlinkUrl = options.from;
             app.backlinkTitle = options.title;
diff --git a/frontend/express/public/javascripts/countly/vue/components/dropdown.js b/frontend/express/public/javascripts/countly/vue/components/dropdown.js
@@ -1,4 +1,4 @@
-/* global jQuery, Vue, ELEMENT, CV */
+/* global jQuery, Vue, ELEMENT, CV, CountlyHelpers */
 
 (function(countlyVue) {
 
@@ -612,7 +612,12 @@
         methods: {
             handleMenuItemClick: function(command, instance) {
                 if (!this.disabled) {
-                    this.$emit('command', command, instance);
+                    if (command && command.url) {
+                        CountlyHelpers.goTo({url: command.url, download: !!command.download, isExternalLink: !!command.isExternalLink});
+                    }
+                    else {
+                        this.$emit('command', command, instance);
+                    }
                     this.$refs.dropdown.handleClose();
                 }
             },
diff --git a/plugins/browser/frontend/public/templates/browser.html b/plugins/browser/frontend/public/templates/browser.html
@@ -5,10 +5,7 @@
 	>
 		<template v-slot:header-right>
 			<cly-more-options v-if="topDropdown" size="small">
-				<el-dropdown-item :key="idx" v-for="(item, idx) in topDropdown">
-				  <!--<span :class="item.icon"></span>-->
-				  <a :href="item.value" class="bu-ml-1">{{item.label}}</a>
-				</el-dropdown-item>
+				<el-dropdown-item :key="idx" v-for="(item, idx) in topDropdown" :command="{url: item.value}">{{item.label}}</el-dropdown-item>
 			  </cly-more-options>
 		  </template>
     </cly-header>
diff --git a/plugins/compliance-hub/frontend/public/javascripts/countly.views.js b/plugins/compliance-hub/frontend/public/javascripts/countly.views.js
@@ -13,9 +13,6 @@
             this.$store.dispatch("countlyConsentManager/fetchUserDataResource");
         },
         methods: {
-            switchToConsentHistory: function(uid) {
-                window.location.hash = "#/manage/compliance/history/" + uid;
-            },
             deleteUserData: function(uid) {
                 var self = this;
                 CountlyHelpers.confirm(this.i18n("app-users.delete-userdata-confirm"), "popStyleGreen", function(result) {
@@ -77,8 +74,21 @@
             downloadExportedData: function(uid) {
                 var win = window.open(countlyCommon.API_PARTS.data.r + "/app_users/download/appUser_" + countlyCommon.ACTIVE_APP_ID + "_" + uid + "?auth_token=" + countlyGlobal.auth_token + "&app_id=" + countlyCommon.ACTIVE_APP_ID, '_blank');
                 win.focus();
+            },
+            handleCommand: function(command, uid) {
+                if (command === "deleteUserData") {
+                    this.deleteUserData(uid);
+                }
+                else if (command === "exportUserData") {
+                    this.exportUserData(uid);
+                }
+                else if (command === "deleteExport") {
+                    this.deleteExport(uid);
+                }
+                else if (command === "downloadExportedData") {
+                    this.downloadExportedData(uid);
+                }
             }
-
         }
     });
     var ConsentView = countlyVue.views.create({
diff --git a/plugins/compliance-hub/frontend/public/templates/user.html b/plugins/compliance-hub/frontend/public/templates/user.html
@@ -51,28 +51,12 @@
                 </el-table-column>
                 <el-table-column type="options">
                     <template v-slot="rowScope">
-                        <cly-more-options test-id="compliance-hub-users" v-if="rowScope.row.hover" size="small">
-                            <el-dropdown-item>
-                                <el-link v-if="canUserRead" class="bu-ml-1" plain @click="switchToConsentHistory(rowScope.row.uid)" :data-test-id="'datatable-more-button-go-to-consent-history-select-' + rowScope.$index"> {{i18n("consent.go-history")}} </el-link>
-                            </el-dropdown-item>
-                            <el-dropdown-item v-if="!rowScope.row.appUserExport && canUserRead">
-                                <el-link class="bu-ml-1" plain @click="exportUserData(rowScope.row.uid)" :data-test-id="'datatable-more-button-export-user-data-select-' + rowScope.$index">
-                                    {{i18n("app-users.export-userdata")}}</el-link>
-                            </el-dropdown-item>
-                            <el-dropdown-item v-if="rowScope.row.appUserExport && canUserRead">
-                                <el-link class="bu-ml-1" plain @click="downloadExportedData(rowScope.row.uid)" :data-test-id="'datatable-more-button-download-export-select-' + rowScope.$index">
-                                    {{i18n("app-users.download-export")}}</span>
-                                </el-link>
-                            </el-dropdown-item>
-                            <el-dropdown-item v-if="rowScope.row.appUserExport && canUserDelete">
-                                <el-link class="bu-ml-1" plain @click="deleteExport(rowScope.row.uid)" :data-test-id="'datatable-more-button-delete-export-' + rowScope.$index">
-                                    {{i18n("app-users.delete-export")}}</span>
-                                </el-link>
-                            </el-dropdown-item>
-                            <el-dropdown-item v-if="canUserDelete">
-                                <el-link class="bu-ml-1" @click="deleteUserData(rowScope.row.uid)" :data-test-id="'datatable-more-button-delete-user-data-' + rowScope.$index" plain>
-                                    {{i18n("app-users.delete-userdata")}}</el-link>
-                            </el-dropdown-item>
+                        <cly-more-options test-id="compliance-hub-users" v-if="rowScope.row.hover" size="small" @command="handleCommand($event, rowScope.row.uid)">
+                            <el-dropdown-item v-if="canUserRead" :command="{url: '#/manage/compliance/history/' + rowScope.row.uid}" :data-test-id="'datatable-more-button-go-to-consent-history-select-' + rowScope.$index"> {{i18n("consent.go-history")}} </el-dropdown-item>
+                            <el-dropdown-item v-if="!rowScope.row.appUserExport && canUserRead" command="exportUserData" :data-test-id="'datatable-more-button-export-user-data-select-' + rowScope.$index">{{i18n("app-users.export-userdata")}}</el-dropdown-item>
+                            <el-dropdown-item v-if="rowScope.row.appUserExport && canUserRead" command="downloadExportedData" :data-test-id="'datatable-more-button-download-export-select-' + rowScope.$index">{{i18n("app-users.download-export")}}</el-dropdown-item>
+                            <el-dropdown-item v-if="rowScope.row.appUserExport && canUserDelete" command="deleteExport" :data-test-id="'datatable-more-button-delete-export-' + rowScope.$index">{{i18n("app-users.delete-export")}}</el-dropdown-item>
+                            <el-dropdown-item v-if="canUserDelete" command="deleteUserData" :data-test-id="'datatable-more-button-delete-user-data-' + rowScope.$index">{{i18n("app-users.delete-userdata")}}</el-dropdown-item>
                         </cly-more-options>
                     </template>
 
diff --git a/plugins/crashes/frontend/public/templates/crashgroup.html b/plugins/crashes/frontend/public/templates/crashgroup.html
@@ -98,20 +98,14 @@ <h2 class="crashes-crashgroup-header__name bu-mr-2" v-html="crashgroupName"></h2
                                             {{!crashgroupUnsymbolicatedStacktrace ? i18n("crash_symbolication.symbolicate_error") : i18n("crash_symbolication.resymbolicate")}}
                                         </span>
                                     </el-dropdown-item>
-                                    <el-dropdown-item v-if="symbolicationEnabled && !crashgroup._symbol_id">
-                                        <a href="#/crash/symbols/">
-                                            {{i18n("crash_symbolication.should-upload")}}
-                                        </a>
+                                    <el-dropdown-item v-if="symbolicationEnabled && !crashgroup._symbol_id" :command="{url: '#/crash/symbols/'}">
+                                        {{i18n("crash_symbolication.should-upload")}}
                                     </el-dropdown-item>
-                                    <el-dropdown-item v-if="!!crashgroup.binary_images">
-                                        <a :href="'/dashboard#/crashes/' + crashgroup._id + '/binary-images/' + crashgroup.lrid">
-                                            {{i18n("crashes.show-binary-images")}}
-                                        </a>
+                                    <el-dropdown-item v-if="!!crashgroup.binary_images" :command="{url: '/dashboard#/crashes/' + crashgroup._id + '/binary-images/' + crashgroup.lrid}">
+                                        {{i18n("crashes.show-binary-images")}}
                                     </el-dropdown-item>
-                                    <el-dropdown-item>
-                                        <a :href="'/o/crashes/download_stacktrace?auth_token=' + authToken +'&app_id=' + appId + '&crash_id=' + crashgroup.lrid" download>
-                                            {{i18n("crashes.download-stacktrace")}}
-                                        </a>
+                                    <el-dropdown-item :command="{url: '/o/crashes/download_stacktrace?auth_token=' + authToken +'&app_id=' + appId + '&crash_id=' + crashgroup.lrid, download: true}">
+                                        {{i18n("crashes.download-stacktrace")}}
                                     </el-dropdown-item>
                                 </cly-more-options>
                             </template>
@@ -332,20 +326,14 @@ <h4 class="bu-ml-2" v-if="'unit' in mobileDiagnostics[diagnosticKey]">
                                                         {{!props.row.symbolicated ? i18n("crash_symbolication.symbolicate_error") : i18n("crash_symbolication.resymbolicate")}}
                                                     </span>
                                                 </el-dropdown-item>
-                                                <el-dropdown-item v-if="symbolicationEnabled && !props.row._symbol_id">
-                                                    <a href="#/crash/symbols/">
-                                                        {{i18n("crash_symbolication.should-upload")}}
-                                                    </a>
+                                                <el-dropdown-item v-if="symbolicationEnabled && !props.row._symbol_id" :command="{url: '#/crash/symbols/'}">
+                                                    {{i18n("crash_symbolication.should-upload")}}
                                                 </el-dropdown-item>
-                                                <el-dropdown-item v-if="!!props.row.binary_images">
-                                                    <a :href="'/dashboard#/crashes/' + crashgroup._id + '/binary-images/' + props.row._id">
-                                                        {{i18n('crashes.show-binary-images')}}
-                                                    </a>
+                                                <el-dropdown-item v-if="!!props.row.binary_images" :command="{url: '/dashboard#/crashes/' + crashgroup._id + '/binary-images/' + props.row._id}">
+                                                    {{i18n('crashes.show-binary-images')}}
                                                 </el-dropdown-item>
-                                                <el-dropdown-item>
-                                                    <a :href="'/o/crashes/download_stacktrace?auth_token=' + authToken +'&app_id=' + appId + '&crash_id=' + props.row._id" download>
-                                                        {{i18n('crashes.download-stacktrace')}}
-                                                    </a>
+                                                <el-dropdown-item :command="{url: '/o/crashes/download_stacktrace?auth_token=' + authToken +'&app_id=' + appId + '&crash_id=' + props.row._id, download: true}">
+                                                    {{i18n('crashes.download-stacktrace')}}
                                                 </el-dropdown-item>
                                             </cly-more-options>
                                         </template>
diff --git a/plugins/data-manager/frontend/public/javascripts/countly.views.js b/plugins/data-manager/frontend/public/javascripts/countly.views.js
@@ -1052,9 +1052,6 @@
                 else if (event === 'import-schema') {
                     this.importDialogVisible = true;
                 }
-                else if (event === 'navigate-settings') {
-                    app.navigate("#/manage/configurations/data-manager", true);
-                }
             },
             onSaveImport: function() {
                 var self = this;
diff --git a/plugins/data-manager/frontend/public/templates/events.html b/plugins/data-manager/frontend/public/templates/events.html
@@ -33,9 +33,7 @@
                 <el-dropdown-item v-if="canUserUpdate" command="regnerate">{{i18n('data-manager.regenerate')}}</el-dropdown-item>
                 <el-dropdown-item v-if="canUserCreate" command="export-schema">{{i18n('data-manager.export-schema')}}</el-dropdown-item>
                 <el-dropdown-item v-if="canUserUpdate" command="import-schema">{{i18n('data-manager.import-schema')}}</el-dropdown-item>
-                <el-dropdown-item v-if="isUserGlobalAdmin" command="navigate-settings">
-                    <a href="#/manage/configurations/data-manager" > {{i18n('plugins.configs')}} </a>
-                </el-dropdown-item>
+                <el-dropdown-item v-if="isUserGlobalAdmin" :command="{url: '#/manage/configurations/data-manager'}">{{i18n('plugins.configs')}}</el-dropdown-item>
             </cly-more-options>
         </div>
     </template>
diff --git a/plugins/density/frontend/public/templates/density.html b/plugins/density/frontend/public/templates/density.html
@@ -5,11 +5,8 @@
 	>
 		<template v-slot:header-right>
 			<cly-more-options v-if="topDropdown" size="small">
-				<el-dropdown-item :key="idx" v-for="(item, idx) in topDropdown">
-				  <!--<span :class="item.icon"></span>-->
-				  <a :href="item.value" class="bu-ml-1">{{item.label}}</a>
-				</el-dropdown-item>
-			  </cly-more-options>
+				<el-dropdown-item :key="idx" v-for="(item, idx) in topDropdown" :command="{url: item.value}">{{item.label}}</el-dropdown-item>
+			</cly-more-options>
 		  </template>
     </cly-header>
     <cly-main>
diff --git a/plugins/locale/frontend/public/templates/language.html b/plugins/locale/frontend/public/templates/language.html
@@ -6,10 +6,7 @@
     >
 		<template v-slot:header-right>
           <cly-more-options v-if="topDropdown" size="small">
-            <el-dropdown-item :key="idx" v-for="(item, idx) in topDropdown">
-              <!--<span :class="item.icon"></span>-->
-              <a :href="item.value" class="bu-ml-1">{{item.label}}</a>
-            </el-dropdown-item>
+            <el-dropdown-item :key="idx" v-for="(item, idx) in topDropdown" :command="{url: item.value}">{{item.label}}</el-dropdown-item>
           </cly-more-options>
         </template>
     </cly-header>
diff --git a/plugins/sdk/frontend/public/templates/stats.html b/plugins/sdk/frontend/public/templates/stats.html
diff --git a/plugins/sources/frontend/public/templates/sources-tab.html b/plugins/sources/frontend/public/templates/sources-tab.html
diff --git a/plugins/views/frontend/public/templates/views.html b/plugins/views/frontend/public/templates/views.html
