Merge branch 'devel'

Lauri Ojansivu 7 years ago
parent
commit
93e7c8aecf

+ 15 - 3
CHANGELOG.md

@@ -1,10 +1,22 @@
-# Upcoming Wekan release
+# v1.04 2018-06-12 Wekan release
 
 
 This release adds the following new features:
 This release adds the following new features:
 
 
-* [Add Khmer language](https://github.com/wekan/wekan/commit/2156e458690d0dc34a761a48fd7fa3b54af79031).
+* [Add Khmer language](https://github.com/wekan/wekan/commit/2156e458690d0dc34a761a48fd7fa3b54af79031);
+* [Modify card covers/mini-cards so that: 1) received date is shown unless there is a start date
+   2) due date is shown, unless there is an end date](https://github.com/wekan/wekan/pull/1685);
+* [Change label text colour to black for specific label colours for better
+   visibility](https://github.com/wekan/wekan/pull/1689).
 
 
-Thanks to GitHub user xet7 for contributions.
+and fixes the following bugs:
+
+* [SECURITY FIX: Do not publish all of people collection. This bug has probably been present
+   since addition of Admin Panel](https://github.com/wekan/wekan/commit/dda49d2f07f9c50d5d57acfd5c7eee6492f93b33);
+* [Modify card covers/mini-cards so that: 1) received date is shown unless there is a start date
+   2) due date is shown, unless there is an end date](https://github.com/wekan/wekan/pull/1685).
+
+Thanks to GitHub users rjevnikar and xet7 for their contributions.
+Thanks to Adrian Genaid for security fix, he's now added to [Hall of Fame](https://wekan.github.io/hall-of-fame/).
 Thanks to translators.
 Thanks to translators.
 
 
 # v1.03 2018-06-08 Wekan release
 # v1.03 2018-06-08 Wekan release
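
Review bot: The entry "Modify card covers/mini-cards so that ..." (pull 1685) is listed twice in this hunk, once under new features and again under "and fixes the following bugs"; keep it in one list. The SECURITY FIX line links the commit but does not say what was exposed or to whom, which is what an operator deciding how urgently to upgrade needs. The server/publications/people.js change in this same merge restricts the `people` publication to admins, so one sentence on impact would be enough, and "probably been present since addition of Admin Panel" should name the first affected release if it is known.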

+ 129 - 0
SECURITY.md

@@ -0,0 +1,129 @@
+Security is very important to us. If discover any issue regarding security, please disclose
+the information responsibly by sending an email to security (at) wekan.team and not by
+creating a GitHub issue. We will respond swiftly to fix verifiable security issues.
+
+We thank you with a place at our hall of fame page, that is
+at https://wekan.github.io/hall-of-fame . Others have just posted public GitHub issue,
+so they are not at that hall-of-fame page.
+
+## How should reports be formatted?
+
+```
+Name: %name
+Twitter: %twitter
+Bug type: %bugtype
+Domain: %domain
+Severity: %severity
+URL: %url
+PoC: %poc
+CVSS (optional): %cvss
+CWSS (optional): %cwss
+```
+
+## Who can participate in the program
+
+Anyone who reports a unique security issue in scope and does not disclose it to
+a third party before we have patched and updated may be upon their approval
+added to the Wekan Hall of Fame.
+
+## Which domains are in scope?
+
+No any public domains, because all those are donated to Wekan Open Source project,
+and we don't have any permissions to do security scans on those donated servers.
+
+Please don't perform research that could impact other users. Secondly, please keep
+the reports short and succinct. If we fail to understand the logics of your bug, we will tell you.
+
+You can [Install Wekan](https://github.com/wekan/wekan/releases) to your own computer
+and scan it's vulnerabilities there.
+
+## About Wekan versions
+
+There is only 2 versions of Wekan: Standalone Wekan, and Sandstorm Wekan.
+
+### Standalone Wekan Security
+
+Standalone Wekan includes all non-Sandstorm platforms. Some Standalone Wekan platforms
+like Snap and Docker have their own specific sandboxing etc features.
+
+Standalone Wekan by default does not load any files from Internet, like fonts, CSS, etc.
+This also means all Standalone Wekan functionality works in offline local networks.
+Wekan is used by companies that have [thousands of users](https://github.com/wekan/wekan/wiki/AWS) and at healthcare.
+
+Wekan uses xss package for input fields like cards, as you can see from
+[package.json](https://github.com/wekan/wekan/blob/devel/package.json). Other used versions can be seen from
+[Meteor versions file](https://github.com/wekan/wekan/blob/devel/.meteor/versions).
+Forms can include markdown links, html, image tags etc like you see at https://wekan.github.io .
+It's possible to add attachments to cards, and markdown/html links to files.
+
+Wekan attachments are not accessible without logging in. Import from Trello works by copying
+Trello export JSON to Wekan Trello import page, and in Trello JSON file there is direct links to all publicly
+accessible Trello attachment files, that Standalone Wekan downloads directly to Wekan MongoDB database in
+[CollectionFS](https://github.com/wekan/wekan/pull/875) format. When Wekan board is exported in
+Wekan JSON format, all board attachments are included in Wekan JSON file as base64 encoded text.
+That Wekan JSON format file can be imported to Sandstorm Wekan with all the attachments, when we get
+latest Wekan version working on Sandstorm, only couple of bugs are left before that. In Sandstorm it's not
+possible yet to import from Trello with attachments, because Wekan does not implement Sandstorm-compatible
+access to outside of Wekan grain.
+
+Standalone Wekan only has password auth currently, there is work in progress to add
+[oauth2](https://github.com/wekan/wekan/pull/1578), [Openid](https://github.com/wekan/wekan/issues/538),
+[LDAP](https://github.com/wekan/wekan/issues/119) etc. If you need more login security for Standalone Wekan now,
+it's possible add additional [Google Auth proxybouncer](https://github.com/wekan/wekan/wiki/Let's-Encrypt-and-Google-Auth) in front of password auth, and then use Google Authenticator for Google Auth. Standalone Wekan does have [brute force protection with eluck:accounts-lockout and browser-policy clickjacking protection](https://github.com/wekan/wekan/blob/devel/CHANGELOG.md#v080-2018-04-04-wekan-release). You can also optionally use some [WAF](https://en.wikipedia.org/wiki/Web_application_firewall)
+like for example [AWS WAF](https://aws.amazon.com/waf/).
+
+[All Wekan Platforms](https://github.com/wekan/wekan/wiki/Platforms)
+
+### Sandstorm Wekan Security
+
+On Sandstorm platform using environment variable Standalone Wekan features like Admin Panel etc are
+turned off, because Sandstorm platform provides SSO for all apps running on Sandstorm. 
+
+[Sandstorm](https://sandstorm.io) is separate Open Source platform that has been
+[security audited](https://sandstorm.io/news/2017-03-02-security-review) and found bugs fixed.
+Sandstorm also has passwordless login, LDAP, SAML, Google etc auth options already.
+At Sandstorm code is read-only and signed by app maintainers, only grain content can be modified.
+Wekan at Sandstorm runs in sandboxed grain, it does not have access elsewhere without user-visible
+PowerBox request or opening randomly-generated API key URL.
+Also read [Sandstorm Security Practices](https://docs.sandstorm.io/en/latest/using/security-practices/) and
+[Sandstorm Security non-events](https://docs.sandstorm.io/en/latest/using/security-non-events/).
+For Sandstorm specific security issues you can contact [kentonv](https://github.com/kentonv) by email. 
+
+## What Wekan bugs are eligible?
+
+Any typical web security bugs. If any of the previously mentioned is somehow problematic and
+a security issue, we'd like to know about it, and also how to fix it:
+
+- Cross-site Scripting
+- Open redirect
+- Cross-site request forgery
+- File inclusion
+- Authentication bypass
+- Server-side code execution
+
+## What Wekan bugs are NOT eligible?
+
+Typical already known or "no impact" bugs such as:
+
+- Brute force password guessign. Currently there is
+  [brute force protection with eluck:accounts-lockout](https://github.com/wekan/wekan/blob/devel/CHANGELOG.md#v080-2018-04-04-wekan-release).
+- Security issues related to that Wekan uses Meteor 1.6.0.1 related packages, and upgrading to newer
+  Meteor 1.6.1 is complicated process that requires lots of changes to many dependency packages.
+  Upgrading [has been tried many times, spending a lot of time](https://github.com/meteor/meteor/issues/9609)
+  but there still is issues. Helping with package upgrades is very welcome.
+- [Wekan API old tokens not replaced correctly](https://github.com/wekan/wekan/issues/1437)
+- Missing Cookie flags on non-session cookies or 3rd party cookies
+- Logout CSRF
+- Social engineering
+- Denial of service
+- SSL BEAST/CRIME/etc. Wekan does not have SSL built-in, it uses Caddy/Nginx/Apache etc at front.
+  Integrated Caddy support is updated often.
+- Email spoofing, SPF, DMARC & DKIM. Wekan does not include email server.
+
+Wekan is Open Source with MIT license, and free to use also for commercial use.
+We welcome all fixes to improve security by email to security (at) wekan.team .
+
+## Bonus Points
+
+If your Responsible Security Disclosure includes code for fixing security issue,
+you get bonus points, as seen on [Hall of Fame](https://wekan.github.io/hall-of-fame).
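
Review bot: The policy asks for PoC details by plain email to security (at) wekan.team but gives no encryption key and no expected response time; publishing a PGP key or another confidential channel, and replacing "We will respond swiftly" with a concrete acknowledgement window, would make the process usable for sensitive reports. The not-eligible list pins "Meteor 1.6.0.1", which goes stale as soon as the dependency moves, so point to the `.meteor/versions` file already linked in the Standalone section instead. Wording to fix before merge: "If discover any issue" (missing "you"), "No any public domains", "scan it's vulnerabilities" (its), "There is only 2 versions", "guessign".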

+ 6 - 3
client/components/cards/cardDate.js

@@ -279,11 +279,14 @@ class CardDueDate extends CardDate {
 
 
   classes() {
   classes() {
     let classes = 'due-date' + ' ';
     let classes = 'due-date' + ' ';
-    if (this.now.get().diff(this.date.get(), 'days') >= 2)
+    if ((this.now.get().diff(this.date.get(), 'days') >= 2) &&
+       (this.date.get().isBefore(this.data().endAt)))
       classes += 'long-overdue';
       classes += 'long-overdue';
-    else if (this.now.get().diff(this.date.get(), 'minute') >= 0)
+    else if ((this.now.get().diff(this.date.get(), 'minute') >= 0) &&
+       (this.date.get().isBefore(this.data().endAt)))
       classes += 'due';
       classes += 'due';
-    else if (this.now.get().diff(this.date.get(), 'days') >= -1)
+    else if ((this.now.get().diff(this.date.get(), 'days') >= -1) &&
+       (this.date.get().isBefore(this.data().endAt)))
       classes += 'almost-due';
       classes += 'almost-due';
     return classes;
     return classes;
   }
   }
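
Review bot: All three branches of `classes()` now also require `this.date.get().isBefore(this.data().endAt)`, but nothing in the hunk handles a card that has no `endAt`, so whether a due date without an end date is still highlighted depends on how `isBefore` treats an undefined argument. Add an explicit guard for the missing end date, and compute the end-date condition once in a local variable instead of repeating it in each branch. A one-line comment stating the intended rule would make the condition easier to verify against the minicard change in this merge.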

+ 11 - 1
client/components/cards/labels.styl

@@ -3,7 +3,7 @@
 // XXX Use .board-widget-labels as a flexbox container
 // XXX Use .board-widget-labels as a flexbox container
 .card-label
 .card-label
   border-radius: 4px
   border-radius: 4px
-  color: white
+  color: white  //Default white text, in select cases,  changed to black to improve contrast between label colour and text
   display: inline-block
   display: inline-block
   font-weight: 700
   font-weight: 700
   font-size: 13px
   font-size: 13px
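
Review bot: The trailing comment added to `color: white` makes that line far longer than anything else in the rule and is spaced inconsistently (`//Default white text, in select cases,  changed`); move it to its own line above the declaration and say where the override happens (the per-colour rules further down).
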
@@ -48,9 +48,11 @@
 
 
 .card-label-yellow
 .card-label-yellow
   background-color: #fad900
   background-color: #fad900
+  color: #000000 //Black text for better visibility
 
 
 .card-label-orange
 .card-label-orange
   background-color: #ff9f19
   background-color: #ff9f19
+  color: #000000 //Black text for better visibility
 
 
 .card-label-red
 .card-label-red
   background-color: #eb4646
   background-color: #eb4646
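
Review bot: `color: #000000 //Black text for better visibility` is added to `.card-label-yellow` and `.card-label-orange` here and repeated verbatim for every light colour in the later hunks; one grouped selector listing the light labels would keep the text-colour decision in one place and make it harder to miss a colour when new labels are added.
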
@@ -63,6 +65,7 @@
 
 
 .card-label-pink
 .card-label-pink
   background-color: #ff78cb
   background-color: #ff78cb
+  color: #000000 //Black text for better visibility
 
 
 .card-label-sky
 .card-label-sky
   background-color: #00c2e0
   background-color: #00c2e0
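
Review bot: `.card-label-sky` (`#00c2e0`) keeps the default white text in this hunk while `.card-label-pink` directly above it switches to black; if that is deliberate, say so in a comment, otherwise sky looks like it was missed.
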
@@ -72,18 +75,22 @@
 
 
 .card-label-lime
 .card-label-lime
   background-color: #51e898
   background-color: #51e898
+  color: #000000 //Black text for better visibility
 
 
 .card-label-silver
 .card-label-silver
   background-color: #c0c0c0
   background-color: #c0c0c0
+  color: #000000 //Black text for better visibility
 
 
 .card-label-peachpuff
 .card-label-peachpuff
   background-color: #ffdab9
   background-color: #ffdab9
+  color: #000000 //Black text for better visibility
 
 
 .card-label-crimson
 .card-label-crimson
   background-color: #dc143c
   background-color: #dc143c
 
 
 .card-label-plum
 .card-label-plum
   background-color: #dda0dd
   background-color: #dda0dd
+  color: #000000 //Black text for better visibility
 
 
 .card-label-darkgreen
 .card-label-darkgreen
   background-color: #006400
   background-color: #006400
@@ -96,6 +103,7 @@
 
 
 .card-label-gold
 .card-label-gold
   background-color: #ffd700
   background-color: #ffd700
+  color: #000000 //Black text for better visibility
 
 
 .card-label-navy
 .card-label-navy
   background-color: #000080
   background-color: #000080
@@ -108,9 +116,11 @@
 
 
 .card-label-paleturquoise
 .card-label-paleturquoise
   background-color: #afeeee
   background-color: #afeeee
+  color: #000000 //Black text for better visibility
 
 
 .card-label-mistyrose
 .card-label-mistyrose
   background-color: #ffe4e1
   background-color: #ffe4e1
+  color: #000000 //Black text for better visibility
 
 
 .card-label-indigo
 .card-label-indigo
   background-color: #4b0082
   background-color: #4b0082

+ 11 - 1
client/components/cards/minicard.jade

@@ -10,12 +10,22 @@ template(name="minicard")
       +viewer
       +viewer
         = title
         = title
     .dates
     .dates
+      if receivedAt
+        unless startAt
+          unless dueAt
+            unless endAt
+              .date
+                +miniCardReceivedDate
       if startAt
       if startAt
         .date
         .date
           +minicardStartDate
           +minicardStartDate
       if dueAt
       if dueAt
+        unless endAt
+          .date
+            +minicardDueDate
+      if endAt
         .date
         .date
-          +minicardDueDate
+          +minicardEndDate
       if spentTime
       if spentTime
         .date
         .date
           +cardSpentTime
           +cardSpentTime
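
Review bot: The new include is spelled `+miniCardReceivedDate` while the neighbouring includes are `+minicardStartDate`, `+minicardDueDate` and `+minicardEndDate`; confirm the template is registered under exactly that name, since template names are case-sensitive. The received date is also hidden whenever `dueAt` or `endAt` is set, which is stricter than the CHANGELOG wording ("received date is shown unless there is a start date"); align the template and the changelog.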

+ 3 - 3
i18n/de.i18n.json

@@ -469,10 +469,10 @@
     "card-end-on": "Endet am",
     "card-end-on": "Endet am",
     "editCardReceivedDatePopup-title": "Empfangsdatum ändern",
     "editCardReceivedDatePopup-title": "Empfangsdatum ändern",
     "editCardEndDatePopup-title": "Enddatum ändern",
     "editCardEndDatePopup-title": "Enddatum ändern",
-    "assigned-by": "Zugeteilt von",
+    "assigned-by": "Zugewiesen von",
     "requested-by": "Angefordert von",
     "requested-by": "Angefordert von",
-    "board-delete-notice": "Löschen ist dauerhaft. Du verlierst alle Listen, Karten und Aktionen, welche mit diesem Board verbunden sind.",
-    "delete-board-confirm-popup": "Alle Listen, Karten, Beschriftungen und Akivitäten werden gelöscht, das Board kann nicht wiederhergestellt werden! Es gibt kein Rückgängig.",
+    "board-delete-notice": "Löschen kann nicht rückgängig gemacht werden. Sie werden alle Listen, Karten und Aktionen, die mit diesem Board verbunden sind, verlieren.",
+    "delete-board-confirm-popup": "Alle Listen, Karten, Labels und Akivitäten werden gelöscht und Sie können die Inhalte des Boards nicht wiederherstellen! Die Aktion kann nicht rückgängig gemacht werden.",
     "boardDeletePopup-title": "Board löschen?",
     "boardDeletePopup-title": "Board löschen?",
     "delete-board": "Board löschen"
     "delete-board": "Board löschen"
 }
 }
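
Review bot: The new `delete-board-confirm-popup` string still contains the misspelling "Akivitäten" (should be "Aktivitäten"), carried over from the removed line. Both rewritten strings also switch from the informal "Du" to the formal "Sie"; check that this matches the form of address used in the rest of de.i18n.json.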

+ 30 - 30
i18n/zh-CN.i18n.json

@@ -7,7 +7,7 @@
     "act-addComment": "在 __card__ 发布评论: __comment__",
     "act-addComment": "在 __card__ 发布评论: __comment__",
     "act-createBoard": "创建看板 __board__",
     "act-createBoard": "创建看板 __board__",
     "act-createCard": "添加卡片 __card__  至列表 __list__",
     "act-createCard": "添加卡片 __card__  至列表 __list__",
-    "act-createCustomField": "created custom field __customField__",
+    "act-createCustomField": "创建了自定义字段 __customField__",
     "act-createList": "添加列表 __list__  至看板 __board__",
     "act-createList": "添加列表 __list__  至看板 __board__",
     "act-addBoardMember": "添加成员 __member__  至看板 __board__",
     "act-addBoardMember": "添加成员 __member__  至看板 __board__",
     "act-archivedBoard": "__board__ 已被移入回收站 ",
     "act-archivedBoard": "__board__ 已被移入回收站 ",
@@ -31,7 +31,7 @@
     "activity-archived": "%s 已被移入回收站",
     "activity-archived": "%s 已被移入回收站",
     "activity-attached": "添加附件 %s 至 %s",
     "activity-attached": "添加附件 %s 至 %s",
     "activity-created": "创建 %s",
     "activity-created": "创建 %s",
-    "activity-customfield-created": "created custom field %s",
+    "activity-customfield-created": "创建了自定义字段 %s",
     "activity-excluded": "排除 %s 从 %s",
     "activity-excluded": "排除 %s 从 %s",
     "activity-imported": "导入 %s 至 %s 从 %s 中",
     "activity-imported": "导入 %s 至 %s 从 %s 中",
     "activity-imported-board": "已导入 %s 从 %s 中",
     "activity-imported-board": "已导入 %s 从 %s 中",
@@ -113,7 +113,7 @@
     "card-due-on": "期限",
     "card-due-on": "期限",
     "card-spent": "耗时",
     "card-spent": "耗时",
     "card-edit-attachments": "编辑附件",
     "card-edit-attachments": "编辑附件",
-    "card-edit-custom-fields": "Edit custom fields",
+    "card-edit-custom-fields": "编辑自定义字段",
     "card-edit-labels": "编辑标签",
     "card-edit-labels": "编辑标签",
     "card-edit-members": "编辑成员",
     "card-edit-members": "编辑成员",
     "card-labels-title": "更改该卡片上的标签",
     "card-labels-title": "更改该卡片上的标签",
@@ -121,8 +121,8 @@
     "card-start": "开始",
     "card-start": "开始",
     "card-start-on": "始于",
     "card-start-on": "始于",
     "cardAttachmentsPopup-title": "附件来源",
     "cardAttachmentsPopup-title": "附件来源",
-    "cardCustomField-datePopup-title": "Change date",
-    "cardCustomFieldsPopup-title": "Edit custom fields",
+    "cardCustomField-datePopup-title": "修改日期",
+    "cardCustomFieldsPopup-title": "编辑自定义字段",
     "cardDeletePopup-title": "彻底删除卡片?",
     "cardDeletePopup-title": "彻底删除卡片?",
     "cardDetailsActionsPopup-title": "卡片操作",
     "cardDetailsActionsPopup-title": "卡片操作",
     "cardLabelsPopup-title": "标签",
     "cardLabelsPopup-title": "标签",
@@ -172,25 +172,25 @@
     "createBoardPopup-title": "创建看板",
     "createBoardPopup-title": "创建看板",
     "chooseBoardSourcePopup-title": "导入看板",
     "chooseBoardSourcePopup-title": "导入看板",
     "createLabelPopup-title": "创建标签",
     "createLabelPopup-title": "创建标签",
-    "createCustomField": "Create Field",
-    "createCustomFieldPopup-title": "Create Field",
+    "createCustomField": "创建字段",
+    "createCustomFieldPopup-title": "创建字段",
     "current": "当前",
     "current": "当前",
-    "custom-field-delete-pop": "There is no undo. This will remove this custom field from all cards and destroy its history.",
-    "custom-field-checkbox": "Checkbox",
+    "custom-field-delete-pop": "没有撤销,此动作将从所有卡片中移除自定义字段并销毁历史。",
+    "custom-field-checkbox": "选择框",
     "custom-field-date": "日期",
     "custom-field-date": "日期",
-    "custom-field-dropdown": "Dropdown List",
-    "custom-field-dropdown-none": "(none)",
-    "custom-field-dropdown-options": "List Options",
-    "custom-field-dropdown-options-placeholder": "Press enter to add more options",
-    "custom-field-dropdown-unknown": "(unknown)",
-    "custom-field-number": "Number",
-    "custom-field-text": "Text",
-    "custom-fields": "Custom Fields",
+    "custom-field-dropdown": "下拉列表",
+    "custom-field-dropdown-none": "()",
+    "custom-field-dropdown-options": "列表选项",
+    "custom-field-dropdown-options-placeholder": "回车可以加入更多选项",
+    "custom-field-dropdown-unknown": "(未知)",
+    "custom-field-number": "数字",
+    "custom-field-text": "文本",
+    "custom-fields": "自定义字段",
     "date": "日期",
     "date": "日期",
     "decline": "拒绝",
     "decline": "拒绝",
     "default-avatar": "默认头像",
     "default-avatar": "默认头像",
     "delete": "删除",
     "delete": "删除",
-    "deleteCustomFieldPopup-title": "Delete Custom Field?",
+    "deleteCustomFieldPopup-title": "删除自定义字段?",
     "deleteLabelPopup-title": "删除标签?",
     "deleteLabelPopup-title": "删除标签?",
     "description": "描述",
     "description": "描述",
     "disambiguateMultiLabelPopup-title": "标签消歧 [?]",
     "disambiguateMultiLabelPopup-title": "标签消歧 [?]",
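
Review bot: `"custom-field-dropdown-none": "()"` drops the word inside the parentheses, so the dropdown would show empty brackets where the English had "(none)"; it should probably read "(无)".
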
@@ -205,7 +205,7 @@
     "soft-wip-limit": "软在制品限制",
     "soft-wip-limit": "软在制品限制",
     "editCardStartDatePopup-title": "修改起始日期",
     "editCardStartDatePopup-title": "修改起始日期",
     "editCardDueDatePopup-title": "修改截止日期",
     "editCardDueDatePopup-title": "修改截止日期",
-    "editCustomFieldPopup-title": "Edit Field",
+    "editCustomFieldPopup-title": "编辑字段",
     "editCardSpentTimePopup-title": "修改耗时",
     "editCardSpentTimePopup-title": "修改耗时",
     "editLabelPopup-title": "更改标签",
     "editLabelPopup-title": "更改标签",
     "editNotificationPopup-title": "编辑通知",
     "editNotificationPopup-title": "编辑通知",
@@ -242,12 +242,12 @@
     "filter-clear": "清空过滤器",
     "filter-clear": "清空过滤器",
     "filter-no-label": "无标签",
     "filter-no-label": "无标签",
     "filter-no-member": "无成员",
     "filter-no-member": "无成员",
-    "filter-no-custom-fields": "No Custom Fields",
+    "filter-no-custom-fields": "无自定义字段",
     "filter-on": "过滤器启用",
     "filter-on": "过滤器启用",
     "filter-on-desc": "你正在过滤该看板上的卡片,点此编辑过滤。",
     "filter-on-desc": "你正在过滤该看板上的卡片,点此编辑过滤。",
     "filter-to-selection": "要选择的过滤器",
     "filter-to-selection": "要选择的过滤器",
-    "advanced-filter-label": "Advanced Filter",
-    "advanced-filter-description": "Advanced Filter allows to write a string containing following operators: == != <= >= && || ( ) A space is used as a separator between the Operators. You can filter for all Custom Fields by typing their names and values. For Example: Field1 == Value1. Note: If fields or values contains spaces, you need to encapsulate them into single quotes. For Example: 'Field 1' == 'Value 1'. Also you can combine multiple conditions. For Example: F1 == V1 || F1 = V2. Normally all operators are interpreted from left to right. You can change the order by placing brackets. For Example: F1 == V1 and ( F2 == V2 || F2 == V3 )",
+    "advanced-filter-label": "高级过滤器",
+    "advanced-filter-description": "高级过滤器可以使用包含如下操作符的字符串进行过滤:== != <= >= && || ( ) 。操作符之间用空格隔开。输入字段名和数值就可以过滤所有自定义字段。例如:Field1 == Value1. 注意如果字段名或数值包含空格,需要用单引号。例如: 'Field 1' == 'Value 1'。支持组合使用多个条件,例如: F1 == V1 || F1 = V2。通常以从左到右的顺序进行判断。可以通过括号修改顺序,例如:F1 == V1 and ( F2 == V2 || F2 == V3 )",
     "fullname": "全称",
     "fullname": "全称",
     "header-logo-title": "返回您的看板页",
     "header-logo-title": "返回您的看板页",
     "hide-system-messages": "隐藏系统消息",
     "hide-system-messages": "隐藏系统消息",
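
Review bot: The translated `advanced-filter-description` carries over two inconsistencies from the English string it replaces: the example `F1 == V1 || F1 = V2` uses a single `=`, and the last example uses `and`, neither of which appears in the operator list at the start of the same string (`== != <= >= && || ( )`). Correct the examples in the source string and in this translation together so users are not shown syntax the description does not list.
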
@@ -389,7 +389,7 @@
     "title": "标题",
     "title": "标题",
     "tracking": "跟踪",
     "tracking": "跟踪",
     "tracking-info": "当任何包含您(作为创建者或成员)的卡片发生变更时,您将得到通知。",
     "tracking-info": "当任何包含您(作为创建者或成员)的卡片发生变更时,您将得到通知。",
-    "type": "Type",
+    "type": "类型",
     "unassign-member": "取消分配成员",
     "unassign-member": "取消分配成员",
     "unsaved-description": "存在未保存的描述",
     "unsaved-description": "存在未保存的描述",
     "unwatch": "取消关注",
     "unwatch": "取消关注",
@@ -454,7 +454,7 @@
     "hours": "小时",
     "hours": "小时",
     "minutes": "分钟",
     "minutes": "分钟",
     "seconds": "秒",
     "seconds": "秒",
-    "show-field-on-card": "Show this field on card",
+    "show-field-on-card": "在卡片上显示此字段",
     "yes": "是",
     "yes": "是",
     "no": "否",
     "no": "否",
     "accounts": "账号",
     "accounts": "账号",
@@ -469,10 +469,10 @@
     "card-end-on": "终止于",
     "card-end-on": "终止于",
     "editCardReceivedDatePopup-title": "修改接收日期",
     "editCardReceivedDatePopup-title": "修改接收日期",
     "editCardEndDatePopup-title": "修改终止日期",
     "editCardEndDatePopup-title": "修改终止日期",
-    "assigned-by": "Assigned By",
-    "requested-by": "Requested By",
-    "board-delete-notice": "Deleting is permanent. You will lose all lists, cards and actions associated with this board.",
-    "delete-board-confirm-popup": "All lists, cards, labels, and activities will be deleted and you won't be able to recover the board contents. There is no undo.",
-    "boardDeletePopup-title": "Delete Board?",
-    "delete-board": "Delete Board"
+    "assigned-by": "分配人",
+    "requested-by": "需求人",
+    "board-delete-notice": "删除时永久操作,将会丢失此看板上的所有列表、卡片和动作。",
+    "delete-board-confirm-popup": "所有列表、卡片、标签和活动都回被删除,将无法恢复看板内容。不支持撤销。",
+    "boardDeletePopup-title": "删除看板?",
+    "delete-board": "删除看板"
 }
 }
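
Review bot: Two likely homophone typos in the new strings: "删除时永久操作" in `board-delete-notice` was probably meant as "删除是永久操作", and "都回被删除" in `delete-board-confirm-popup` should be "都会被删除".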

+ 1 - 1
package.json

@@ -1,6 +1,6 @@
 {
 {
   "name": "wekan",
   "name": "wekan",
-  "version": "1.03.0",
+  "version": "1.04.0",
   "description": "The open-source Trello-like kanban",
   "description": "The open-source Trello-like kanban",
   "private": true,
   "private": true,
   "scripts": {
   "scripts": {

+ 2 - 2
sandstorm-pkgdef.capnp

@@ -22,10 +22,10 @@ const pkgdef :Spk.PackageDefinition = (
     appTitle = (defaultText = "Wekan"),
     appTitle = (defaultText = "Wekan"),
     # The name of the app as it is displayed to the user.
     # The name of the app as it is displayed to the user.
 
 
-    appVersion = 88,
+    appVersion = 89,
     # Increment this for every release.
     # Increment this for every release.
 
 
-    appMarketingVersion = (defaultText = "1.03.0~2018-06-08"),
+    appMarketingVersion = (defaultText = "1.04.0~2018-06-12"),
     # Human-readable presentation of the app version.
     # Human-readable presentation of the app version.
 
 
     minUpgradableAppVersion = 0,
     minUpgradableAppVersion = 0,

+ 23 - 5
server/publications/people.js

@@ -1,7 +1,25 @@
-Meteor.publish('people', (limit) => {
+Meteor.publish('people', function(limit) {
   check(limit, Number);
   check(limit, Number);
-  return Users.find({}, {
-    limit,
-    sort: {createdAt: -1},
-  });
+
+  if (!Match.test(this.userId, String)) {
+    return [];
+  }
+
+  const user = Users.findOne(this.userId);
+  if (user && user.isAdmin) {
+    return Users.find({}, {
+      limit,
+      sort: {createdAt: -1},
+      fields: {
+        'username': 1,
+        'profile.fullname': 1,
+        'isAdmin': 1,
+        'emails': 1,
+        'createdAt': 1,
+        'loginDisabled': 1,
+      },
+    });
+  } else {
+    return [];
+  }
 });
 });
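
Review bot: `check(limit, Number)` only constrains the type, so a negative, fractional or very large `limit` still goes straight into `Users.find`; validate with `Match.Integer` and clamp it to a maximum. The admin test runs once when the subscription starts, so a user whose `isAdmin` flag is cleared later keeps receiving the collection until they resubscribe; either document that or re-check reactively. `Users.findOne(this.userId)` loads the whole user document just to read `isAdmin` (pass `fields: {isAdmin: 1}`), and the two `return [];` paths can be collapsed into a single early return.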