Countly
diff --git a/‎CHANGELOG.md‎
Lines changed: 3 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎api/utils/requestProcessor.js‎
Lines changed: 19 additions & 2 deletions b/‎api/utils/requestProcessor.js‎
Lines changed: 19 additions & 2 deletions
diff --git a/‎api/utils/rights.js‎
Lines changed: 26 additions & 1 deletion b/‎api/utils/rights.js‎
Lines changed: 26 additions & 1 deletion
diff --git a/‎frontend/express/app.js‎
Lines changed: 4 additions & 0 deletions b/‎frontend/express/app.js‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎frontend/express/public/core/app-resolution/templates/app-resolution.html‎
Lines changed: 1 addition & 4 deletions b/‎frontend/express/public/core/app-resolution/templates/app-resolution.html‎
Lines changed: 1 addition & 4 deletions
diff --git a/‎frontend/express/public/core/app-version/templates/app-version.html‎
Lines changed: 1 addition & 4 deletions b/‎frontend/express/public/core/app-version/templates/app-version.html‎
Lines changed: 1 addition & 4 deletions
diff --git a/‎frontend/express/public/core/carrier/templates/carrier.html‎
Lines changed: 1 addition & 4 deletions b/‎frontend/express/public/core/carrier/templates/carrier.html‎
Lines changed: 1 addition & 4 deletions
diff --git a/‎frontend/express/public/core/device-and-type/javascripts/countly.views.js‎
Lines changed: 14 additions & 0 deletions b/‎frontend/express/public/core/device-and-type/javascripts/countly.views.js‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎frontend/express/public/core/device-and-type/templates/devices-and-types.html‎
Lines changed: 1 addition & 4 deletions b/‎frontend/express/public/core/device-and-type/templates/devices-and-types.html‎
Lines changed: 1 addition & 4 deletions
diff --git a/‎frontend/express/public/core/geo-countries/templates/countries.html‎
Lines changed: 1 addition & 4 deletions b/‎frontend/express/public/core/geo-countries/templates/countries.html‎
Lines changed: 1 addition & 4 deletions
@@ -47,6 +47,9 @@ Enterprise fixes:
 - [nps] Fixed bug in the editor where the "internal name" field was not mandatory
 - [ratings] Fixed UI bug where "Internal name" was not a mandatory field
 
+Security:
+- Fixing minor vulnerability that would allow for unauthorized file upload
+
 ## Version 24.05.16
 Fixes:
 - [core] Replaced "Users" with "Sessions" label on technology home widgets
 
@@ -7,7 +7,7 @@ const Promise = require('bluebird');
 const url = require('url');
 const common = require('./common.js');
 const countlyCommon = require('../lib/countly.common.js');
-const { validateAppAdmin, validateUser, validateRead, validateUserForRead, validateUserForWrite, validateGlobalAdmin, dbUserHasAccessToCollection, validateUpdate, validateDelete, validateCreate } = require('./rights.js');
+const { validateAppAdmin, validateUser, validateRead, validateUserForRead, validateUserForWrite, validateGlobalAdmin, dbUserHasAccessToCollection, validateUpdate, validateDelete, validateCreate, getBaseAppFilter } = require('./rights.js');
 const authorize = require('./authorizer.js');
 const taskmanager = require('./taskmanager.js');
 const plugins = require('../../plugins/pluginManager.js');
@@ -2131,7 +2131,7 @@ const processRequest = (params) => {
                         }
 
                         dbUserHasAccessToCollection(params, params.qstring.collection, (hasAccess) => {
-                            if (hasAccess) {
+                            if (hasAccess || (params.qstring.db === "countly_drill" && params.qstring.collection === "drill_events") || (params.qstring.db === "countly" && params.qstring.collection === "events_data")) {
                                 var dbs = { countly: common.db, countly_drill: common.drillDb, countly_out: common.outDb, countly_fs: countlyFs.gridfs.getHandler() };
                                 var db = "";
                                 if (params.qstring.db && dbs[params.qstring.db]) {
@@ -2140,6 +2140,23 @@ const processRequest = (params) => {
                                 else {
                                     db = common.db;
                                 }
+                                if (!params.member.global_admin && params.qstring.collection === "drill_events" || params.qstring.collection === "events_data") {
+                                    var base_filter = getBaseAppFilter(params.member, params.qstring.db, params.qstring.collection);
+                                    if (base_filter && Object.keys(base_filter).length > 0) {
+                                        params.qstring.query = params.qstring.query || {};
+                                        for (var key in base_filter) {
+                                            if (params.qstring.query[key]) {
+                                                params.qstring.query.$and = params.qstring.query.$and || [];
+                                                params.qstring.query.$and.push({[key]: base_filter[key]});
+                                                params.qstring.query.$and.push({[key]: params.qstring.query[key]});
+                                                delete params.qstring.query[key];
+                                            }
+                                            else {
+                                                params.qstring.query[key] = base_filter[key];
+                                            }
+                                        }
+                                    }
+                                }
                                 countlyApi.data.exports.fromDatabase({
                                     db: db,
                                     params: params,
 
@@ -1083,7 +1083,32 @@ function validateWrite(params, feature, accessType, callback, callbackParam) {
         });
     });
 }
-
+/**
+ * Creates filter object  to filter by member allowed collections
+ * @param {object} member - members object from params
+ * @param {string} dbName  - database name as string
+ * @param {string} collectionName  - collection Name
+ * @returns {object} filter object
+ */
+exports.getBaseAppFilter = function(member, dbName, collectionName) {
+    var base_filter = {};
+    var apps = exports.getUserApps(member);
+    if (dbName === "countly_drill" && collectionName === "drill_events") {
+        if (Array.isArray(apps) && apps.length > 0) {
+            base_filter.a = {"$in": apps};
+        }
+    }
+    else if (dbName === "countly" && collectionName === "events_data") {
+        var in_array = [];
+        if (Array.isArray(apps) && apps.length > 0) {
+            for (var i = 0; i < apps.length; i++) {
+                in_array.push(new RegExp("^" + apps[i] + "_.*"));
+            }
+            base_filter = {"_id": {"$in": in_array}};
+        }
+    }
+    return base_filter;
+};
 /**
 * Validate user for create access by api_key for provided app_id (both required parameters for the request).
 * @param {params} params - {@link params} object
 
@@ -603,6 +603,10 @@ Promise.all([plugins.dbConnection(countlyConfig), plugins.dbConnection("countly_
     app.use(function(req, res, next) {
         var contentType = req.headers['content-type'];
         if (req.method.toLowerCase() === 'post' && contentType && contentType.indexOf('multipart/form-data') >= 0) {
+            if (!req.session?.uid || Date.now() > req.session?.expires) {
+                res.status(401).send('Unauthorized');
+                return;
+            }
             var form = new formidable.IncomingForm();
             form.uploadDir = __dirname + '/uploads';
             form.parse(req, function(err, fields, files) {
 
@@ -5,10 +5,7 @@
 	>
 		<template v-slot:header-right>
           <cly-more-options v-if="topDropdown" size="small">
-            <el-dropdown-item :key="idx" v-for="(item, idx) in topDropdown">
-              <!--<span :class="item.icon"></span>-->
-              <a :href="item.value" class="bu-ml-1">{{item.label}}</a>
-            </el-dropdown-item>
+			<el-dropdown-item :key="idx" v-for="(item, idx) in topDropdown" :command="{url: item.value}">{{item.label}}</el-dropdown-item>
           </cly-more-options>
         </template>
     </cly-header>
 
@@ -5,10 +5,7 @@
   >
   <template v-slot:header-right>
         <cly-more-options v-if="topDropdown" size="small">
-          <el-dropdown-item :key="idx" v-for="(item, idx) in topDropdown">
-            <!--<span :class="item.icon"></span>-->
-            <a :href="item.value" class="bu-ml-1">{{item.label}}</a>
-          </el-dropdown-item>
+          <el-dropdown-item :key="idx" v-for="(item, idx) in topDropdown" :command="{url: item.value}">{{item.label}}</el-dropdown-item>
         </cly-more-options>
       </template>
   </cly-header>
 
@@ -6,10 +6,7 @@
 	>
 		<template v-slot:header-right>
           <cly-more-options v-if="topDropdown" size="small">
-            <el-dropdown-item :key="idx" v-for="(item, idx) in topDropdown">
-			  <!--<span :class="item.icon"></span>-->
-              <a :href="item.value" class="bu-ml-1">{{item.label}}</a>
-            </el-dropdown-item>
+            <el-dropdown-item :key="idx" v-for="(item, idx) in topDropdown" :command="{url: item.value}">{{item.label}}</el-dropdown-item>
           </cly-more-options>
         </template>
     </cly-header>
 
@@ -443,6 +443,20 @@ var GridComponent = countlyVue.views.create({
             }
             return val;
         },
+        onWidgetCommand: function(event) {
+            if (event === 'add' || event === 'manage' || event === 'show') {
+                this.graphNotesHandleCommand(event);
+                return;
+            }
+            else if (event === 'zoom') {
+                this.triggerZoom();
+                return;
+            }
+            else {
+                this.$emit('command', event);
+                return;
+            }
+        },
     }
 });
 
 
@@ -5,10 +5,7 @@
   >
 		<template v-slot:header-right>
           <cly-more-options v-if="topDropdown" size="small">
-            <el-dropdown-item :key="idx" v-for="(item, idx) in topDropdown">
-              <!--<span :class="item.icon"></span>-->
-              <a :href="item.value" class="bu-ml-1">{{item.label}}</a>
-            </el-dropdown-item>
+            <el-dropdown-item :key="idx" v-for="(item, idx) in topDropdown" :command="{url: item.value}">{{item.label}}</el-dropdown-item>
           </cly-more-options>
         </template>
 		 <template v-slot:header-tabs>
 
@@ -5,10 +5,7 @@
 	>
 		<template v-slot:header-right>
           <cly-more-options v-if="topDropdown" size="small">
-            <el-dropdown-item :key="idx" v-for="(item, idx) in topDropdown">
-			  <!--<span :class="item.icon"></span>-->
-              <a :href="item.value" class="bu-ml-1">{{item.label}}</a>
-            </el-dropdown-item>
+            <el-dropdown-item :key="idx" v-for="(item, idx) in topDropdown" :command="{url: item.value}">{{item.label}}</el-dropdown-item>
           </cly-more-options>
         </template>
     </cly-header>