Secure grapesJs services, improve their logic, add notes
Showing
2 changed files
with
74 additions
and
60 deletions
... | @@ -171,7 +171,7 @@ along with this software (see the LICENSE.md file). If not, see | ... | @@ -171,7 +171,7 @@ along with this software (see the LICENSE.md file). If not, see |
171 | window.emailTemplateId = new URLSearchParams(window.location.search).get('emailTemplateId'); | 171 | window.emailTemplateId = new URLSearchParams(window.location.search).get('emailTemplateId'); |
172 | 172 | ||
173 | const request = new XMLHttpRequest(); | 173 | const request = new XMLHttpRequest(); |
174 | request.open("GET", ("${baseLinkUrl}/rest/s1/moqui-mjml/mjml?grapesLocation="+window.grapesLocation+"&htmlLocation="+window.htmlLocation+"&emailTemplateId="+window.emailTemplateId), false); // `false` makes the request synchronous | 174 | request.open("GET", ("${baseLinkUrl}/rest/s1/moqui-mjml/mjml?emailTemplateId="+window.emailTemplateId), false); // `false` makes the request synchronous |
175 | request.send(null); | 175 | request.send(null); |
176 | 176 | ||
177 | let response; | 177 | let response; |
... | @@ -203,8 +203,8 @@ along with this software (see the LICENSE.md file). If not, see | ... | @@ -203,8 +203,8 @@ along with this software (see the LICENSE.md file). If not, see |
203 | // Default storage options | 203 | // Default storage options |
204 | options: { | 204 | options: { |
205 | remote: { | 205 | remote: { |
206 | urlLoad: "${baseLinkUrl}/rest/s1/moqui-mjml/mjml?grapesLocation="+window.grapesLocation+"&htmlLocation="+window.htmlLocation, | 206 | urlLoad: "${baseLinkUrl}/rest/s1/moqui-mjml/mjml?emailTemplateId="+window.emailTemplateId, |
207 | urlStore: "${baseLinkUrl}/rest/s1/moqui-mjml/mjml?grapesLocation="+window.grapesLocation+"&htmlLocation="+window.htmlLocation, | 207 | urlStore: "${baseLinkUrl}/rest/s1/moqui-mjml/mjml?emailTemplateId="+window.emailTemplateId, |
208 | headers: { | 208 | headers: { |
209 | "X-CSRF-Token": document.getElementById('confMoquiSessionToken').value | 209 | "X-CSRF-Token": document.getElementById('confMoquiSessionToken').value |
210 | }, | 210 | }, |
... | @@ -222,9 +222,11 @@ along with this software (see the LICENSE.md file). If not, see | ... | @@ -222,9 +222,11 @@ along with this software (see the LICENSE.md file). If not, see |
222 | const url = new URL(window.location.href) | 222 | const url = new URL(window.location.href) |
223 | url.searchParams.set('grapesLocation', result.grapesLocation); | 223 | url.searchParams.set('grapesLocation', result.grapesLocation); |
224 | url.searchParams.set('htmlLocation', result.htmlLocation); | 224 | url.searchParams.set('htmlLocation', result.htmlLocation); |
225 | url.searchParams.set('emailTemplateId', result.emailTemplateId); | ||
225 | window.history.pushState({}, '', url) | 226 | window.history.pushState({}, '', url) |
226 | window.grapesLocation = result.grapesLocation; | 227 | window.grapesLocation = result.grapesLocation; |
227 | window.htmlLocation = result.htmlLocation; | 228 | window.htmlLocation = result.htmlLocation; |
229 | window.emailTemplateId = result.emailTemplateId; | ||
228 | } | 230 | } |
229 | // console.log('onLoad ', result) | 231 | // console.log('onLoad ', result) |
230 | return result.data | 232 | return result.data | ... | ... |
... | @@ -15,11 +15,11 @@ along with this software (see the LICENSE.md file). If not, see | ... | @@ -15,11 +15,11 @@ along with this software (see the LICENSE.md file). If not, see |
15 | <services xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://moqui.org/xsd/service-definition-3.xsd"> | 15 | <services xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://moqui.org/xsd/service-definition-3.xsd"> |
16 | 16 | ||
17 | <service verb="load" noun="GrapeJs"> | 17 | <service verb="load" noun="GrapeJs"> |
18 | <description>Create MJML</description> | 18 | <description>Load GrapesJs resource. Can be adapted to entity other than EmailTemplate, but must have data for the grapesLocation and htmlLocation to ensure safety of read and write of resources.</description> |
19 | <in-parameters> | 19 | <in-parameters> |
20 | <parameter name="grapesLocation"/> | 20 | <parameter name="grapesLocation"/> |
21 | <parameter name="htmlLocation"/> | 21 | <parameter name="htmlLocation"/> |
22 | <parameter name="emailTemplateId"/> | 22 | <parameter name="emailTemplateId" required="true"/> |
23 | </in-parameters> | 23 | </in-parameters> |
24 | <out-parameters> | 24 | <out-parameters> |
25 | <parameter name="grapesLocation"/> | 25 | <parameter name="grapesLocation"/> |
... | @@ -31,21 +31,10 @@ along with this software (see the LICENSE.md file). If not, see | ... | @@ -31,21 +31,10 @@ along with this software (see the LICENSE.md file). If not, see |
31 | <if condition="htmlLocation == 'null'"><set field="htmlLocation" from="null"/></if> | 31 | <if condition="htmlLocation == 'null'"><set field="htmlLocation" from="null"/></if> |
32 | <!-- <log level="warn" message="resourceId is ${resourceId} resourceId.getClass().getName() ${resourceId.getClass().getName()} resourceId == 'null' ${resourceId == 'null'} resourceId == null ${resourceId == null}"/>--> | 32 | <!-- <log level="warn" message="resourceId is ${resourceId} resourceId.getClass().getName() ${resourceId.getClass().getName()} resourceId == 'null' ${resourceId == 'null'} resourceId == null ${resourceId == null}"/>--> |
33 | <!-- <log level="warn" message="load context.toString() ${context.toString()}"/>--> | 33 | <!-- <log level="warn" message="load context.toString() ${context.toString()}"/>--> |
34 | <if condition="emailTemplateId"> | ||
35 | <entity-find-one entity-name="moqui.basic.email.EmailTemplate" value-field="emailTemplate" auto-field-map="[emailTemplateId:emailTemplateId]"/> | 34 | <entity-find-one entity-name="moqui.basic.email.EmailTemplate" value-field="emailTemplate" auto-field-map="[emailTemplateId:emailTemplateId]"/> |
36 | <if condition="!grapesLocation"><set field="grapesLocation" from="emailTemplate?.grapesLocation"/></if> | 35 | <if condition="!emailTemplate"><return error="true" message="Resource not found"/></if> |
37 | <if condition="grapesLocation && grapesLocation != emailTemplate?.grapesLocation"> | 36 | <set field="grapesLocation" from="emailTemplate?.grapesLocation"/> |
38 | <!-- This should almost never happen, but if it does it basically creates a resource leak for the previously used resource --> | 37 | <set field="htmlLocation" from="emailTemplate?.htmlLocation"/> |
39 | <log message="Changing resource id from ${grapesLocation} to ${emailTemplate?.grapesLocation} for email template ${emailTemplateId}"/> | ||
40 | <service-call name="update#moqui.basic.email.EmailTemplate" in-map="[emailTemplateId:emailTemplateId,grapesLocation:grapesLocation]"/> | ||
41 | </if> | ||
42 | <if condition="!htmlLocation"><set field="htmlLocation" from="emailTemplate?.htmlLocation"/></if> | ||
43 | <if condition="htmlLocation && htmlLocation != emailTemplate?.htmlLocation"> | ||
44 | <!-- This should almost never happen, but if it does it basically creates a resource leak for the previously used resource --> | ||
45 | <log message="Changing resource id from ${htmlLocation} to ${emailTemplate?.htmlLocation} for email template ${emailTemplateId}"/> | ||
46 | <service-call name="update#moqui.basic.email.EmailTemplate" in-map="[emailTemplateId:emailTemplateId,htmlLocation:htmlLocation]"/> | ||
47 | </if> | ||
48 | </if> | ||
49 | 38 | ||
50 | <set field="grapesJsResource" from="ec.resource.getLocationReference('dbresource://grapesjs/project')"/> | 39 | <set field="grapesJsResource" from="ec.resource.getLocationReference('dbresource://grapesjs/project')"/> |
51 | <if condition="!grapesLocation && !htmlLocation"> | 40 | <if condition="!grapesLocation && !htmlLocation"> |
... | @@ -62,11 +51,9 @@ along with this software (see the LICENSE.md file). If not, see | ... | @@ -62,11 +51,9 @@ along with this software (see the LICENSE.md file). If not, see |
62 | grapesFile.move(grapesLocation) | 51 | grapesFile.move(grapesLocation) |
63 | ]]></script> | 52 | ]]></script> |
64 | 53 | ||
65 | <if condition="emailTemplateId"> | ||
66 | <service-call name="update#moqui.basic.email.EmailTemplate" in-map="[emailTemplateId:emailTemplateId,grapesLocation:grapesLocation,htmlLocation:htmlLocation]"/> | 54 | <service-call name="update#moqui.basic.email.EmailTemplate" in-map="[emailTemplateId:emailTemplateId,grapesLocation:grapesLocation,htmlLocation:htmlLocation]"/> |
67 | </if> | ||
68 | </then> | 55 | </then> |
69 | <else> | 56 | <else-if condition="grapesLocation && htmlLocation"> |
70 | <set field="putDbResource" from="ec.resource.getLocationReference(grapesLocation)"/> | 57 | <set field="putDbResource" from="ec.resource.getLocationReference(grapesLocation)"/> |
71 | <!-- TODO: Is this a strong enough check to prevent unauthorized access? --> | 58 | <!-- TODO: Is this a strong enough check to prevent unauthorized access? --> |
72 | <if condition="!putDbResource || putDbResource.parent?.location != grapesJsResource.location"> | 59 | <if condition="!putDbResource || putDbResource.parent?.location != grapesJsResource.location"> |
... | @@ -74,65 +61,90 @@ along with this software (see the LICENSE.md file). If not, see | ... | @@ -74,65 +61,90 @@ along with this software (see the LICENSE.md file). If not, see |
74 | </if> | 61 | </if> |
75 | 62 | ||
76 | <set field="data" from="putDbResource.getText()"/> | 63 | <set field="data" from="putDbResource.getText()"/> |
64 | </else-if> | ||
65 | <else> | ||
66 | <return error="true" message="Resource not found"/> | ||
77 | </else> | 67 | </else> |
78 | </if> | 68 | </if> |
79 | </actions> | 69 | </actions> |
80 | </service> | 70 | </service> |
81 | <service verb="store" noun="GrapeJs" authenticate="anonymous-all"> | 71 | <service verb="store" noun="GrapeJs" authenticate="anonymous-all"> |
82 | <description>Create MJML</description> | 72 | <description>Store GrapesJs resource. Can be adapted to entity other than EmailTemplate, but must have data for the grapesLocation and htmlLocation to ensure safety of read and write of resources.</description> |
83 | <in-parameters> | 73 | <in-parameters> |
84 | <parameter name="resourceId"/> | 74 | <parameter name="htmlLocation"/> |
75 | <parameter name="grapesLocation"/> | ||
76 | <parameter name="emailTemplateId"/> | ||
85 | <parameter name="data"/> | 77 | <parameter name="data"/> |
86 | <parameter name="html" allow-html="any"/> | 78 | <parameter name="html" allow-html="any"/> |
87 | </in-parameters> | 79 | </in-parameters> |
88 | <out-parameters> | 80 | <out-parameters> |
89 | <parameter name="resourceId"/> | 81 | <parameter name="htmlLocation"/> |
82 | <parameter name="grapesLocation"/> | ||
90 | </out-parameters> | 83 | </out-parameters> |
91 | <actions> | 84 | <actions> |
92 | <if condition="resourceId == 'null'"><set field="resourceId" from="null"/></if> | 85 | <if condition="htmlLocation == 'null'"><set field="htmlLocation" from="null"/></if> |
86 | <if condition="grapesLocation == 'null'"><set field="grapesLocation" from="null"/></if> | ||
87 | <entity-find-one entity-name="moqui.basic.email.EmailTemplate" value-field="emailTemplate" auto-field-map="[emailTemplateId:emailTemplateId]"/> | ||
88 | <if condition="!emailTemplate"><return error="true" message="Resource not found"/></if> | ||
89 | <set field="grapesLocation" from="emailTemplate?.grapesLocation"/> | ||
90 | <set field="htmlLocation" from="emailTemplate?.htmlLocation"/> | ||
93 | <set field="data" from="groovy.json.JsonOutput.toJson(new groovy.json.JsonSlurper().parseText(ec.web.secureRequestParameters._requestBodyText).data)"/> | 91 | <set field="data" from="groovy.json.JsonOutput.toJson(new groovy.json.JsonSlurper().parseText(ec.web.secureRequestParameters._requestBodyText).data)"/> |
94 | 92 | ||
95 | <if condition="!resourceId"> | ||
96 | <then> | ||
97 | <set field="grapesJsResource" from="ec.resource.getLocationReference('dbresource://grapesjs/project')"/> | 93 | <set field="grapesJsResource" from="ec.resource.getLocationReference('dbresource://grapesjs/project')"/> |
98 | <service-call name="create#moqui.resource.DbResource" in-map="[parentResourceId:grapesJsResource.getDbResourceId(),isFile:'Y']" out-map="dbResource"/> | 94 | <if condition="!htmlLocation && !grapesLocation"> |
99 | <service-call name="update#moqui.resource.DbResource" in-map="[resourceId:dbResource.resourceId,filename:dbResource.resourceId+'.json']" out-map="dbResource"/> | 95 | <then> |
100 | <set field="versionName" value="01"/> | 96 | <!-- TODO: This should work, but isn't used anywhere and is untested. |
101 | <service-call name="create#moqui.resource.DbResourceFile" in-map="[resourceId: dbResource.resourceId,mimeType: 'text/json',versionName: versionName,rootVersionName: versionName,fileData:data]"/> | 97 | <set field="htmlFile" from="grapesJsResource.makeFile(java.util.UUID.randomUUID().toString()+'.html')"/> |
102 | <service-call name="create#moqui.resource.DbResourceFileHistory" in-map="[resourceId: dbResource.resourceId,versionDate: ec.user.nowTimestamp,userId: ec.user.userId,isDiff: 'N']"/> | 98 | <set field="grapesFile" from="grapesJsResource.makeFile(java.util.UUID.randomUUID().toString()+'.json')"/> |
103 | <set field="resourceId" from="dbResource.resourceId"/> | ||
104 | 99 | ||
105 | <set field="htmlFile" from="grapesJsResource.makeFile(resourceId.toString()+'.html')"/> | 100 | <set field="htmlLocation" from="grapesJsResource.location + '/' + htmlFile?.dbResourceId + '.html'"/> |
106 | <script><![CDATA[htmlFile.putText(html)]]></script> | 101 | <set field="grapesLocation" from="grapesJsResource.location + '/' + grapesFile?.dbResourceId + '.json'"/> |
102 | <if condition="ec.resource.getLocationReference(htmlLocation).parent?.location != grapesJsResource.location"> | ||
103 | <return error="true" message="Resource not found"/> | ||
104 | </if> | ||
105 | <if condition="ec.resource.getLocationReference(grapesLocation).parent?.location != grapesJsResource.location"> | ||
106 | <return error="true" message="Resource not found"/> | ||
107 | </if> | ||
108 | <script><![CDATA[ | ||
109 | htmlFile.putText(html) | ||
110 | htmlFile.move(htmlLocation) | ||
111 | grapesFile.putText(data) | ||
112 | grapesFile.move(grapesLocation) | ||
113 | ]]></script>--> | ||
114 | <return error="true" message="Resource not found"/> | ||
107 | </then> | 115 | </then> |
108 | <else> | 116 | <else-if condition="grapesLocation"> |
109 | <entity-find-one entity-name="moqui.resource.DbResource" value-field="dbResource" auto-field-map="[resourceId:resourceId]"/> | 117 | <set field="grapesFile" from="ec.resource.getLocationReference(grapesLocation)"/> |
110 | <if condition="!dbResource"> | 118 | <if condition="!grapesFile || grapesFile.parent?.location != grapesJsResource.location"> |
111 | <return error="true" message="Resource not found"/> | 119 | <return error="true" message="Resource not found"/> |
112 | </if> | 120 | </if> |
113 | <set field="actualDbResourcePath" from="null"/> | 121 | <script>grapesFile.putText(data)</script> |
114 | <set field="dbResourcePath" from="dbResource.filename"/> | ||
115 | <set field="lastDbResource" from="dbResource"/> | ||
116 | <script> | ||
117 | while (actualDbResourcePath == null) { | ||
118 | if (lastDbResource.parentResourceId == null) { | ||
119 | dbResourcePath = 'dbresource://'+dbResourcePath | ||
120 | actualDbResourcePath = dbResourcePath | ||
121 | } else { | ||
122 | lastDbResource = ec.entity.fastFindOne("moqui.resource.DbResource", true, false, lastDbResource.parentResourceId) | ||
123 | dbResourcePath = lastDbResource.filename+'/'+dbResourcePath | ||
124 | } | ||
125 | } | ||
126 | </script> | ||
127 | <set field="putDbResource" from="ec.resource.getLocationReference(actualDbResourcePath)"/> | ||
128 | <script> | ||
129 | putDbResource.putText(data) | ||
130 | </script> | ||
131 | 122 | ||
132 | <set field="grapesJsResource" from="ec.resource.getLocationReference('dbresource://grapesjs/project')"/> | 123 | <set field="htmlFile" from="null"/> |
133 | <set field="htmlFile" from="grapesJsResource.findChildFile(resourceId.toString()+'.html') ?: grapesJsResource.makeFile(resourceId.toString()+'.html')"/> | 124 | <if condition="htmlLocation"><then> |
134 | <script><![CDATA[htmlFile.putText(html)]]></script> | 125 | <set field="htmlFile" from="ec.resource.getLocationReference(htmlLocation)"/> |
126 | </then><else> | ||
127 | <entity-find entity-name="moqui.basic.email.EmailTemplate" list="emailTemplateList"> | ||
128 | <econdition field-name="grapesLocation"/> | ||
129 | <order-by field-name="-lastUpdatedStamp"/></entity-find> | ||
130 | <set field="emailTemplate" from="emailTemplateList.getFirst()"/> | ||
131 | <if condition="emailTemplateList.size() == 1 && emailTemplate.htmlLocation"><then> | ||
132 | <set field="htmlFile" from="ec.resource.getLocationReference(emailTemplate.htmlLocation)"/> | ||
133 | </then><else> | ||
134 | <set field="htmlFile" from="grapesJsResource.makeFile(java.util.UUID.randomUUID().toString()+'.html')"/> | ||
135 | <set field="htmlLocation" from="grapesJsResource.location + '/' + htmlFile?.dbResourceId + '.html'"/> | ||
136 | <script><![CDATA[htmlFile.move(htmlLocation)]]></script> | ||
|
|||
135 | 137 | ||
138 | <service-call name="update#moqui.basic.email.EmailTemplate" in-map="[emailTemplateId:emailTemplateId,htmlLocation:htmlLocation]"/> | ||
139 | </else></if> | ||
140 | </else></if> | ||
141 | <if condition="!htmlFile || htmlFile.parent?.location != grapesJsResource.location"> | ||
142 | <return error="true" message="Resource not found"/> | ||
143 | </if> | ||
144 | <script><![CDATA[htmlFile.putText(html)]]></script> | ||
145 | </else-if> | ||
146 | <else> | ||
147 | <return error="true" message="Resource not found"/> | ||
136 | </else> | 148 | </else> |
137 | </if> | 149 | </if> |
138 | </actions> | 150 | </actions> | ... | ... |
-
Please register or sign in to post a comment