Commit Graph

1203 Commits

Author SHA1 Message Date
Dan Brown
e765e61854
Addressed user detail harvesting issue
Altered access & usage of the /search/users/select endpoint with the
following changes:
- Removed searching of email address to prevent email detail discovery
  via hunting via search queries.
- Required the user to be logged in and have permission to manage users
  or manage permissions on items in some way.
- Removed the user migration option on user delete unless they have
  permission to manage users.

For #3108
Reported in https://huntr.dev/bounties/135f2d7d-ab0b-4351-99b9-889efac46fca/
Reported by @haxatron
2021-12-14 18:47:22 +00:00
Dan Brown
b22dd3cb88
Added url and preview_html params to search API results
Allows easy direct linking and usage of the HTML preview content
we show in the UI when viewing search results.
Note: preview_html content is a rough representation only, it does not
match exactly what was matched in the database-search-operation which
finds the results.

For #3096 and #3080
2021-12-06 20:42:04 +00:00
Dan Brown
9490457d04
Applied StyleCI changes 2021-11-30 14:25:09 +00:00
Dan Brown
3b3eb0f44f
Updated API session auth to consider public access setting
For #3091
2021-11-30 13:55:56 +00:00
Dan Brown
b4fa82e329
Fixed related permissions query not considering drafts
Page-related items added on drafts could be visible in certain scenarios
since the applied permissions query filters would not consider
page draft visibility.
This commit alters queries on related items to apply such filtering.

Included test to cover API scenario.
Thanks to @haxatron for reporting.
2021-11-30 00:06:17 +00:00
Dan Brown
42703dd859
Tweaked pdf export iframe replacement to fix compatibility
Was using a method that wasn't a proper available part of the
DomElement API.
2021-11-28 21:01:35 +00:00
Dan Brown
2c21850da7
Added conversion of iframes to anchors on PDF export
- Replaced iframe elements with anchor elements wrapped in a paragraph.
- Extracted PDF generation action to seperate class for easier mocking
  within testing.
- Added test to cover.

For #3077
2021-11-25 15:12:32 +00:00
Dan Brown
cd7788f2e9
Updated translators and merged styleci fixes 2021-11-23 20:41:12 +00:00
Dan Brown
197caddf96
Changed homepage card header links to be bottom-card-links
The old links in the headers were not obvious. This changes the
header-based links to instead be a link at the bottom of the card.

Related to #3046
2021-11-23 18:18:49 +00:00
Dan Brown
024924eef3
Applied another round of static analysis updates 2021-11-22 23:33:55 +00:00
Dan Brown
1bf59f434b
Tweaked custom command registration, Added StyleCI fixes
Old command registration method was interfering with default commands,
causing only a limited subset of commands to show overall.
This change follows the method the frameworks uses when loading in from a
directory to prevent issues with run/load order.
2021-11-22 22:22:31 +00:00
Dan Brown
cb30c258df
Added test for logical-theme-system command registration
Changed how the command registration was handled due to complications of
action order found during testing. Now the theme service will resolve
and directly register the command on the Kernel instead of them being
fetched from the ThemeService from within Kernel.
More direct, Seems to work.
2021-11-22 19:03:04 +00:00
Dan Brown
cdaad2f40e
Support custom commands via logical theme system
Added initial work to support registering commands through the logical
theme system. Includes docs changes and example.

Not yet covered via testing.
2021-11-22 18:30:58 +00:00
Dan Brown
4ddbc9556b
Merge branch 'assign_ids_to_nested_headers' of https://github.com/Julesdevops/BookStack into Julesdevops-assign_ids_to_nested_headers 2021-11-22 16:34:28 +00:00
julesdevops
f8c16494fd feat(PageContent): set unique ids on nested headers 2021-11-21 22:45:25 +01:00
Dan Brown
876bc10d4d
Applied another set of static analysis improvements 2021-11-20 14:03:56 +00:00
Dan Brown
79c75f9296
Updated translators and made StyleCI changes 2021-11-16 12:29:50 +00:00
Dan Brown
555723a966
Fixed tags listing grouping by name only on search
Included test to cover case
2021-11-15 19:00:37 +00:00
Dan Brown
b546098b36
Fixed page editor back button sometimes going nowhere
Updated the back button to be a proper link instead of a reference to
the last viewed URL since it could break if the last page was the
current one (On validation for example).

Includes test to cover.
Also applied some styleCI changes.

Fixes #2834
2021-11-15 11:19:03 +00:00
Dan Brown
88e6f93abf
Prevented auto-login from direct email confirmation actions
Was done for convenience but could potentially be exploited by an
attacker using signing up via one of these routes, then forwarding
an email confirmation to another user so they unknowingly utilise
an account someone else controls.

Tweaks the flow of confirming email, and the user invite flow.

For #3050
2021-11-15 10:50:28 +00:00
Dan Brown
e29d03ae76
Updated page includes to be top-level for code blocks
This change means that code blocks are now included still wrapped in
their pre tags, as we do for tables and lists.
Previously the <code> inner content would be included which would lead
to a generally bad/broken presentation.

Hopefully should not be a breaking change as section include tags for
code was tricky to get to, and it was in a semi-broken state.

For #2406
2021-11-15 00:48:05 +00:00
Dan Brown
85154fff69
Added an env configurable file upload size limit
Replaces the old suggestion of setting JS head 'window.uploadLimit'
variable. This new env option will be used by back-end validation and
front-end libs/logic too.

Limits already likely exist within prod environments at a PHP and
webserver level but this allows an app-level limit and centralises the
option on the BookStack side into the .env

Closes #3033
2021-11-14 22:03:22 +00:00
Dan Brown
f910738a80
Changed logout routes to POST instead of GET
As per #3047.

Also made some SAML specific fixes:
- IDP initiated login was broken due to forced default session value.
  Double checked against OneLogin lib docs that this reverted logic was fine.
- Changed how the saml login flow works to use 'withoutMiddleware' on
  the route instead of hacking out the session driver. This was due to
  the array driver (previously used for the hack) no longer being
  considered non-persistent.
2021-11-14 21:13:24 +00:00
Dan Brown
6f1bdbf771
Added API search endpoint
Is a little awkward, emulates a 'list' API endpoint but has unstable
paging and does not support filters/sort. This is detailed on the
endpoint though.

Made some updates to the docs system to better support parameters
and examples on GET requests.

Includes tests to cover.

For #909
2021-11-14 16:28:01 +00:00
Dan Brown
7025cb38df
Removed prefix route groups, applyed styleci changes
Removing prefix route groups out of visual preference.
Those don't really save much and I prefer seeing the complete
paths when going down the list to better guage where I am.
2021-11-14 15:16:18 +00:00
Dan Brown
8e71cd9bac
Fixed issue where markdown drafts showed as HTML
Markdown content was not being stored, only the sent
HTML representation, causing the draft to show as HTML upon next edit.
Added test to cover.

Fixes #3054
2021-11-14 12:17:22 +00:00
Dan Brown
fc7bd57dc8
Fixed occurances of altered titles in search results 2021-11-13 15:04:04 +00:00
Dan Brown
755dc99c72
Made further tweaks to search results formatting
- Updated page names to not be limited to a certain length.
- Added better start/end fill logic.
- Prevented <strong> tags from being counted towards the target content
  length desired from the formatter.
2021-11-13 14:37:40 +00:00
Dan Brown
221458ccfd
Fixed failing tests due to search highlighting changes 2021-11-13 13:43:41 +00:00
Dan Brown
2633b94deb
Applied StyleCI changes 2021-11-13 13:28:17 +00:00
Dan Brown
339518e2a6
Added tag highlighting in search
Using basic match of name or value containing a general term.
2021-11-13 13:02:32 +00:00
Dan Brown
ab4e99bb18
Added name highlighting in search results 2021-11-13 12:44:27 +00:00
Dan Brown
f30b937bb0
Added search result preview text highlighting
Created a new class to manage formatting of content for search results.
Turned out to be quite a complex task. This only does the preview text
so far, not titles or tags.

Not yet tested.
2021-11-12 22:57:50 +00:00
Dan Brown
7d0724e288
Added auto-conversion of search terms to exact values
Will occur when a search term contains a character that's used to split
content into search terms.
Added testing to cover.
2021-11-12 18:03:44 +00:00
Dan Brown
99587a0be6
Added tag values as part of the indexed search terms
This allows finding content via tag name/values when just searching
using normal seach terms.
Added testing to cover.

Related to #1577
2021-11-12 17:06:01 +00:00
Dan Brown
f28daa01d9
Added page content parsing to up-rank header text in search
This adds parsing of page content so that headers apply a boost to
scores in the search term index.
Additionally, this merges title and content terms to reduce the amount
of stored terms a little.
Includes testing to cover.
2021-11-12 13:47:23 +00:00
Dan Brown
820be162f5
Updated regen-search command to show some level of progress 2021-11-11 14:10:11 +00:00
Dan Brown
9f32613982
Refactored search indexer, Increase title/name score boost
- Title score boost changed from 5 to 40 (8x increase).
- Extracted entity parsing to its own function
2021-11-11 13:36:49 +00:00
Dan Brown
0ddd052818
Added missing comments or types
Checked over latest changes for potential SQL injection, all variable
usages are either (from trusted sourced AND case) or using
parameters/bindings to ensure it's handled at driver/lib level.
2021-11-09 15:13:15 +00:00
Dan Brown
bc472ca2d7
Improved relation loading during search
Relations now loaded during back-end query phase instead of being lazy
loaded one-by-one within views.

Reduced queries in testing from ~60 to ~20.

Need to check other areas list-item.php's "showPath" option is used to
ensure relations are properly loaded for those listings.
2021-11-08 15:24:49 +00:00
Dan Brown
b3e1c7da73
Applied styleci fixes and pluck improvement as per larastan 2021-11-08 15:00:47 +00:00
Dan Brown
7405613f8d
Added search term score popularity adjustment
Adds adjustment of search term 'score' (Using in result ranking) so that
a relative 0.3 to 1.3 mulitplier is applied based upon relative
popularity within the whole database. At this point the term popularity
is still done via a prefix match against the search term.

Uses a SUM(IF(cond, a, IF(cond, a, ...))) chain to produce the scoring
result in the select query.
2021-11-08 14:23:48 +00:00
Dan Brown
b0b6f466c1
Reduced data retreived from database on page search 2021-11-08 11:41:14 +00:00
Dan Brown
9e0164f4f4
Further search system refactorings
- Moved search term querying to its own method.
- Updated Large content seeder to be more performant
2021-11-08 11:29:25 +00:00
Dan Brown
e1b8fe45b0
Refactored search runner a little to be neater 2021-11-08 11:04:27 +00:00
Dan Brown
f2b1d2e1e7
Applied latest StyleCI changes 2021-11-06 22:00:33 +00:00
Dan Brown
899349c4b4
Added testing coverage for tag index
Also:
- Extracted out index table row to its own view.
- Added empty state.
- Ensured query params are set on pagination links.
2021-11-06 21:54:02 +00:00
Dan Brown
929c8312bd
Started build of tag view
- Created listing
- Allows drilldown to tag name
- Shows totals

Not yet covered via testing
2021-11-06 16:30:20 +00:00
Dan Brown
8d7c8ac8bf
Done a round of phpstan fixes 2021-11-06 00:32:01 +00:00
Dan Brown
5c6a6b50a0
Applied StyleCI changes, added php/larastan to attribution 2021-11-05 16:27:59 +00:00