Kezdőlap Felfedezés Súgó
Bejelentkezés
mirrors
/
wekan
tükrözi: https://github.com/wekan/wekan.git
2
0
Másolás 0
Fájlok Problémák 0 Wiki
Fa: 3257f78d24
Branch-ok Tag-ek
wekan
/
models
/
export.js

export.js 6.1 KB
Előzmények Nyers

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192 
  1. /* global JsonRoutes */
    2. 

  2. if (Meteor.isServer) {
    3. 

  3.   // todo XXX once we have a real API in place, move that route there
    4. 

  4.   // todo XXX also  share the route definition between the client and the server
    5. 

  5.   // so that we could use something like
    6. 

  6.   // `ApiRoutes.path('boards/export', boardId)``
    7. 

  7.   // on the client instead of copy/pasting the route path manually between the
    8. 

  8.   // client and the server.
    9. 

  9.   /**
    10. 

  10.    * @operation export
    11. 

  11.    * @tag Boards
    12. 

  12.    *
    13. 

  13.    * @summary This route is used to export the board **FROM THE APPLICATION**.
    14. 

  14.    *
    15. 

  15.    * @description If user is already logged-in, pass loginToken as param
    16. 

  16.    * "authToken": '/api/boards/:boardId/export?authToken=:token'
    17. 

  17.    *
    18. 

  18.    * See https://blog.kayla.com.au/server-side-route-authentication-in-meteor/
    19. 

  19.    * for detailed explanations
    20. 

  20.    *
    21. 

  21.    * @param {string} boardId the ID of the board we are exporting
    22. 

  22.    * @param {string} authToken the loginToken
    23. 

  23.    */
    24. 

  24.   JsonRoutes.add('get', '/api/boards/:boardId/export', function(req, res) {
    25. 

  25.     const boardId = req.params.boardId;
    26. 

  26.     let user = null;
    27. 

  27.     // todo XXX for real API, first look for token in Authentication: header
    28. 

  28.     // then fallback to parameter
    29. 

  29.     const loginToken = req.query.authToken;
    30. 

  30.     if (loginToken) {
    31. 

  31.       const hashToken = Accounts._hashLoginToken(loginToken);
    32. 

  32.       user = Meteor.users.findOne({
    33. 

  33.         'services.resume.loginTokens.hashedToken': hashToken,
    34. 

  34.       });
    35. 

  35.     }
    36. 

  36. 

  37.     const exporter = new Exporter(boardId);
    38. 

  38.     if (exporter.canExport(user)) {
    39. 

  39.       JsonRoutes.sendResult(res, {
    40. 

  40.         code: 200,
    41. 

  41.         data: exporter.build(),
    42. 

  42.       });
    43. 

  43.     } else {
    44. 

  44.       // we could send an explicit error message, but on the other hand the only
    45. 

  45.       // way to get there is by hacking the UI so let's keep it raw.
    46. 

  46.       JsonRoutes.sendResult(res, 403);
    47. 

  47.     }
    48. 

  48.   });
    49. 

  49. }
    50. 

  50. 

  51. class Exporter {
    52. 

  52.   constructor(boardId) {
    53. 

  53.     this._boardId = boardId;
    54. 

  54.   }
    55. 

  55. 

  56.   build() {
    57. 

  57.     const byBoard = { boardId: this._boardId };
    58. 

  58.     const byBoardNoLinked = { boardId: this._boardId, linkedId: {$in: ['', null] } };
    59. 

  59.     // we do not want to retrieve boardId in related elements
    60. 

  60.     const noBoardId = {
    61. 

  61.       fields: {
    62. 

  62.         boardId: 0,
    63. 

  63.       },
    64. 

  64.     };
    65. 

  65.     const result = {
    66. 

  66.       _format: 'wekan-board-1.0.0',
    67. 

  67.     };
    68. 

  68.     _.extend(result, Boards.findOne(this._boardId, {
    69. 

  69.       fields: {
    70. 

  70.         stars: 0,
    71. 

  71.       },
    72. 

  72.     }));
    73. 

  73.     result.lists = Lists.find(byBoard, noBoardId).fetch();
    74. 

  74.     result.cards = Cards.find(byBoardNoLinked, noBoardId).fetch();
    75. 

  75.     result.swimlanes = Swimlanes.find(byBoard, noBoardId).fetch();
    76. 

  76.     result.customFields = CustomFields.find(byBoard, noBoardId).fetch();
    77. 

  77.     result.comments = CardComments.find(byBoard, noBoardId).fetch();
    78. 

  78.     result.activities = Activities.find(byBoard, noBoardId).fetch();
    79. 

  79.     result.rules = Rules.find(byBoard, noBoardId).fetch();
    80. 

  80.     result.checklists = [];
    81. 

  81.     result.checklistItems = [];
    82. 

  82.     result.subtaskItems = [];
    83. 

  83.     result.triggers = [];
    84. 

  84.     result.actions = [];
    85. 

  85.     result.cards.forEach((card) => {
    86. 

  86.       result.checklists.push(...Checklists.find({
    87. 

  87.         cardId: card._id,
    88. 

  88.       }).fetch());
    89. 

  89.       result.checklistItems.push(...ChecklistItems.find({
    90. 

  90.         cardId: card._id,
    91. 

  91.       }).fetch());
    92. 

  92.       result.subtaskItems.push(...Cards.find({
    93. 

  93.         parentid: card._id,
    94. 

  94.       }).fetch());
    95. 

  95.     });
    96. 

  96.     result.rules.forEach((rule) => {
    97. 

  97.       result.triggers.push(...Triggers.find({
    98. 

  98.         _id: rule.triggerId,
    99. 

  99.       }, noBoardId).fetch());
    100. 

  100.       result.actions.push(...Actions.find({
    101. 

  101.         _id: rule.actionId,
    102. 

  102.       }, noBoardId).fetch());
    103. 

  103.     });
    104. 

  104. 

  105.     // [Old] for attachments we only export IDs and absolute url to original doc
    106. 

  106.     // [New] Encode attachment to base64
    107. 

  107.     const getBase64Data = function(doc, callback) {
    108. 

  108.       let buffer = new Buffer(0);
    109. 

  109.       // callback has the form function (err, res) {}
    110. 

  110.       const readStream = doc.createReadStream();
    111. 

  111.       readStream.on('data', function(chunk) {
    112. 

  112.         buffer = Buffer.concat([buffer, chunk]);
    113. 

  113.       });
    114. 

  114.       readStream.on('error', function(err) {
    115. 

  115.         callback(err, null);
    116. 

  116.       });
    117. 

  117.       readStream.on('end', function() {
    118. 

  118.         // done
    119. 

  119.         callback(null, buffer.toString('base64'));
    120. 

  120.       });
    121. 

  121.     };
    122. 

  122.     const getBase64DataSync = Meteor.wrapAsync(getBase64Data);
    123. 

  123.     result.attachments = Attachments.find(byBoard).fetch().map((attachment) => {
    124. 

  124.       return {
    125. 

  125.         _id: attachment._id,
    126. 

  126.         cardId: attachment.cardId,
    127. 

  127.         // url: FlowRouter.url(attachment.url()),
    128. 

  128.         file: getBase64DataSync(attachment),
    129. 

  129.         name: attachment.original.name,
    130. 

  130.         type: attachment.original.type,
    131. 

  131.       };
    132. 

  132.     });
    133. 

  133. 

  134.     // we also have to export some user data - as the other elements only
    135. 

  135.     // include id but we have to be careful:
    136. 

  136.     // 1- only exports users that are linked somehow to that board
    137. 

  137.     // 2- do not export any sensitive information
    138. 

  138.     const users = {};
    139. 

  139.     result.members.forEach((member) => {
    140. 

  140.       users[member.userId] = true;
    141. 

  141.     });
    142. 

  142.     result.lists.forEach((list) => {
    143. 

  143.       users[list.userId] = true;
    144. 

  144.     });
    145. 

  145.     result.cards.forEach((card) => {
    146. 

  146.       users[card.userId] = true;
    147. 

  147.       if (card.members) {
    148. 

  148.         card.members.forEach((memberId) => {
    149. 

  149.           users[memberId] = true;
    150. 

  150.         });
    151. 

  151.       }
    152. 

  152.     });
    153. 

  153.     result.comments.forEach((comment) => {
    154. 

  154.       users[comment.userId] = true;
    155. 

  155.     });
    156. 

  156.     result.activities.forEach((activity) => {
    157. 

  157.       users[activity.userId] = true;
    158. 

  158.     });
    159. 

  159.     result.checklists.forEach((checklist) => {
    160. 

  160.       users[checklist.userId] = true;
    161. 

  161.     });
    162. 

  162.     const byUserIds = {
    163. 

  163.       _id: {
    164. 

  164.         $in: Object.getOwnPropertyNames(users),
    165. 

  165.       },
    166. 

  166.     };
    167. 

  167.     // we use whitelist to be sure we do not expose inadvertently
    168. 

  168.     // some secret fields that gets added to User later.
    169. 

  169.     const userFields = {
    170. 

  170.       fields: {
    171. 

  171.         _id: 1,
    172. 

  172.         username: 1,
    173. 

  173.         'profile.fullname': 1,
    174. 

  174.         'profile.initials': 1,
    175. 

  175.         'profile.avatarUrl': 1,
    176. 

  176.       },
    177. 

  177.     };
    178. 

  178.     result.users = Users.find(byUserIds, userFields).fetch().map((user) => {
    179. 

  179.       // user avatar is stored as a relative url, we export absolute
    180. 

  180.       if (user.profile.avatarUrl) {
    181. 

  181.         user.profile.avatarUrl = FlowRouter.url(user.profile.avatarUrl);
    182. 

  182.       }
    183. 

  183.       return user;
    184. 

  184.     });
    185. 

  185.     return result;
    186. 

  186.   }
    187. 

  187. 

  188.   canExport(user) {
    189. 

  189.     const board = Boards.findOne(this._boardId);
    190. 

  190.     return board && board.isVisibleBy(user);
    191. 

  191.   }
    192. 

  192. }
    193.