Bump version to 1.3.1

Signed-off-by: Julius Härtl <jus@bitgrid.net>

CHANGELOG.md

@@ -1,6 +1,16 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
+## 1.3.1 - 2021-03-05
+
+### Fixed
+
+* [#2827](https://github.com/nextcloud/deck/pull/2827) Also include /apps/spreed urls in the listener for loading the talk integration
+* [#2844](https://github.com/nextcloud/deck/pull/2844) Search by mail on the board sharing input
+* [#2849](https://github.com/nextcloud/deck/pull/2849) Switch to Content-Disposition attachment and check for sane mimetypes
+* [#2859](https://github.com/nextcloud/deck/pull/2859) Properly pass the user to fetch circles when calling through occ
+
+
 ## 1.3.0 - 2021-02-20
 
 ### Added

appinfo/info.xml

@@ -17,7 +17,7 @@
 - 🚀 Get your project organized
 
 </description>
-    <version>1.3.0</version>
+    <version>1.3.1</version>
     <licence>agpl</licence>
     <author>Julius Härtl</author>
     <namespace>Deck</namespace>

lib/Db/BoardMapper.php

@@ -169,7 +169,7 @@ class BoardMapper extends DeckMapper implements IPermissionMapper {
 		}
 		$circles = array_map(function ($circle) {
 			return $circle->getUniqueId();
-		}, \OCA\Circles\Api\v1\Circles::joinedCircles('', true));
+		}, \OCA\Circles\Api\v1\Circles::joinedCircles($userId, true));
 		if (count($circles) === 0) {
 			return [];
 		}

lib/Listeners/BeforeTemplateRenderedListener.php

@@ -49,11 +49,12 @@ class BeforeTemplateRenderedListener implements IEventListener {
 		}
 		Util::addStyle('deck', 'deck');
 
-		if (strpos($this->request->getPathInfo(), '/apps/calendar') === 0) {
+		$pathInfo = $this->request->getPathInfo();
+		if (strpos($pathInfo, '/apps/calendar') === 0) {
 			Util::addScript('deck', 'calendar');
 		}
 
-		if (strpos($this->request->getPathInfo(), '/call/') === 0) {
+		if (strpos($pathInfo, '/call/') === 0 || strpos($pathInfo, '/apps/spreed') === 0) {
 			Util::addScript('deck', 'talk');
 		}
 	}

lib/Service/FileService.php

@@ -27,10 +27,9 @@ use OCA\Deck\Db\Attachment;
 use OCA\Deck\Db\AttachmentMapper;
 use OCA\Deck\StatusException;
 use OCA\Deck\Exceptions\ConflictException;
-use OCP\AppFramework\Http\ContentSecurityPolicy;
-use OCP\AppFramework\Http\FileDisplayResponse;
 use OCP\AppFramework\Http\StreamResponse;
 use OCP\Files\IAppData;
+use OCP\Files\IMimeTypeDetector;
 use OCP\Files\IRootFolder;
 use OCP\Files\NotFoundException;
 use OCP\Files\NotPermittedException;
@@ -49,6 +48,7 @@ class FileService implements IAttachmentService {
 	private $rootFolder;
 	private $config;
 	private $attachmentMapper;
+	private $mimeTypeDetector;
 
 	public function __construct(
 		IL10N $l10n,
@@ -57,7 +57,8 @@ class FileService implements IAttachmentService {
 		ILogger $logger,
 		IRootFolder $rootFolder,
 		IConfig $config,
-		AttachmentMapper $attachmentMapper
+		AttachmentMapper $attachmentMapper,
+		IMimeTypeDetector $mimeTypeDetector
 	) {
 		$this->l10n = $l10n;
 		$this->appData = $appData;
@@ -66,6 +67,7 @@ class FileService implements IAttachmentService {
 		$this->rootFolder = $rootFolder;
 		$this->config = $config;
 		$this->attachmentMapper = $attachmentMapper;
+		$this->mimeTypeDetector = $mimeTypeDetector;
 	}
 
 	/**
@@ -225,27 +227,14 @@ class FileService implements IAttachmentService {
 
 	/**
 	 * @param Attachment $attachment
-	 * @return FileDisplayResponse|\OCP\AppFramework\Http\Response|StreamResponse
+	 * @return StreamResponse
 	 * @throws \Exception
 	 */
 	public function display(Attachment $attachment) {
 		$file = $this->getFileFromRootFolder($attachment);
-		if (method_exists($file, 'fopen')) {
-			$response = new StreamResponse($file->fopen('r'));
-			$response->addHeader('Content-Disposition', 'inline; filename="' . rawurldecode($file->getName()) . '"');
-		} else {
-			$response = new FileDisplayResponse($file);
-		}
-		// We need those since otherwise chrome won't show the PDF file with CSP rule object-src 'none'
-		// https://bugs.chromium.org/p/chromium/issues/detail?id=271452
-		$policy = new ContentSecurityPolicy();
-		$policy->addAllowedObjectDomain('\'self\'');
-		$policy->addAllowedObjectDomain('blob:');
-		$policy->addAllowedMediaDomain('\'self\'');
-		$policy->addAllowedMediaDomain('blob:');
-		$response->setContentSecurityPolicy($policy);
-
-		$response->addHeader('Content-Type', $file->getMimeType());
+		$response = new StreamResponse($file->fopen('rb'));
+		$response->addHeader('Content-Disposition', 'attachment; filename="' . rawurldecode($file->getName()) . '"');
+		$response->addHeader('Content-Type', $this->mimeTypeDetector->getSecureMimeType($file->getMimeType()));
 		return $response;
 	}
 

lib/Service/FilesAppService.php

@@ -26,10 +26,9 @@ namespace OCA\Deck\Service;
 use OCA\Deck\Db\Attachment;
 use OCA\Deck\Sharing\DeckShareProvider;
 use OCA\Deck\StatusException;
-use OCP\AppFramework\Http\ContentSecurityPolicy;
-use OCP\AppFramework\Http\FileDisplayResponse;
 use OCP\AppFramework\Http\StreamResponse;
 use OCP\Constants;
+use OCP\Files\IMimeTypeDetector;
 use OCP\Files\IRootFolder;
 use OCP\Files\NotFoundException;
 use OCP\IDBConnection;
@@ -50,6 +49,7 @@ class FilesAppService implements IAttachmentService, ICustomAttachmentService {
 	private $l10n;
 	private $preview;
 	private $permissionService;
+	private $mimeTypeDetector;
 
 	public function __construct(
 		IRequest $request,
@@ -60,6 +60,7 @@ class FilesAppService implements IAttachmentService, ICustomAttachmentService {
 		DeckShareProvider $shareProvider,
 		IPreview $preview,
 		PermissionService $permissionService,
+		IMimeTypeDetector $mimeTypeDetector,
 		string $userId = null
 	) {
 		$this->request = $request;
@@ -70,6 +71,7 @@ class FilesAppService implements IAttachmentService, ICustomAttachmentService {
 		$this->shareManager = $shareManager;
 		$this->userId = $userId;
 		$this->preview = $preview;
+		$this->mimeTypeDetector = $mimeTypeDetector;
 	}
 
 	public function listAttachments(int $cardId): array {
@@ -147,22 +149,10 @@ class FilesAppService implements IAttachmentService, ICustomAttachmentService {
 		if ($file === null || $share->getSharedWith() !== (string)$attachment->getCardId()) {
 			throw new NotFoundException('File not found');
 		}
-		if (method_exists($file, 'fopen')) {
-			$response = new StreamResponse($file->fopen('r'));
-			$response->addHeader('Content-Disposition', 'inline; filename="' . rawurldecode($file->getName()) . '"');
-		} else {
-			$response = new FileDisplayResponse($file);
-		}
-		// We need those since otherwise chrome won't show the PDF file with CSP rule object-src 'none'
-		// https://bugs.chromium.org/p/chromium/issues/detail?id=271452
-		$policy = new ContentSecurityPolicy();
-		$policy->addAllowedObjectDomain('\'self\'');
-		$policy->addAllowedObjectDomain('blob:');
-		$policy->addAllowedMediaDomain('\'self\'');
-		$policy->addAllowedMediaDomain('blob:');
-		$response->setContentSecurityPolicy($policy);
 
-		$response->addHeader('Content-Type', $file->getMimeType());
+		$response = new StreamResponse($file->fopen('rb'));
+		$response->addHeader('Content-Disposition', 'attachment; filename="' . rawurldecode($file->getName()) . '"');
+		$response->addHeader('Content-Type', $this->mimeTypeDetector->getSecureMimeType($file->getMimeType()));
 		return $response;
 	}
 

src/components/board/SharingTabSidebar.vue

@@ -10,7 +10,7 @@
 			:loading="isLoading || !!isSearching"
 			:disabled="isLoading"
 			track-by="multiselectKey"
-			:internal-search="true"
+			:internal-search="false"
 			@input="clickAddAcl"
 			@search-change="asyncFind">
 			<template #noOptions>
@@ -73,6 +73,7 @@ import { CollectionList } from 'nextcloud-vue-collections'
 import { mapGetters, mapState } from 'vuex'
 import { getCurrentUser } from '@nextcloud/auth'
 import { showError } from '@nextcloud/dialogs'
+import { debounce } from 'lodash'
 
 export default {
 	name: 'SharingTabSidebar',
@@ -148,18 +149,13 @@ export default {
 		this.asyncFind('')
 	},
 	methods: {
+		debouncedFind: debounce(async function(query) {
+			this.isSearching = true
+			await this.$store.dispatch('loadSharees', query)
+			this.isSearching = false
+		}, 300),
 		async asyncFind(query) {
-			// manual debounce to handle async searching more easily and have more control over the loading state
-			const timestamp = (new Date()).getTime()
-			if (!this.isSearching || timestamp > this.isSearching + 300) {
-				this.isSearching = timestamp
-				await this.$store.dispatch('loadSharees', query)
-
-				// only reset searching flag if the most recent search finished
-				if (this.isSearching === timestamp) {
-					this.isSearching = false
-				}
-			}
+			await this.debouncedFind(query)
 		},
 		async clickAddAcl() {
 			this.addAclForAPI = {

src/store/main.js

@@ -416,7 +416,7 @@ export default new Vuex.Store({
 			params.append('search', query)
 			params.append('format', 'json')
 			params.append('perPage', 20)
-			params.append('itemType', [0, 1, 7])
+			params.append('itemType', [0, 1, 4, 7])
 
 			const response = await axios.get(generateOcsUrl('apps/files_sharing/api/v1') + 'sharees', { params })
 			commit('setSharees', response.data.ocs.data)

tests/unit/Service/FileServiceTest.php

@@ -25,10 +25,10 @@ namespace OCA\Deck\Service;
 
 use OCA\Deck\Db\Attachment;
 use OCA\Deck\Db\AttachmentMapper;
-use OCP\AppFramework\Http\ContentSecurityPolicy;
 use OCP\AppFramework\Http\StreamResponse;
 use OCP\Files\Folder;
 use OCP\Files\IAppData;
+use OCP\Files\IMimeTypeDetector;
 use OCP\Files\IRootFolder;
 use OCP\Files\SimpleFS\ISimpleFile;
 use OCP\Files\SimpleFS\ISimpleFolder;
@@ -57,6 +57,8 @@ class FileServiceTest extends TestCase {
 	private $config;
 	/** @var AttachmentMapper|MockObject */
 	private $attachmentMapper;
+	/** @var IMimeTypeDetector|MockObject */
+	private $mimeTypeDetector;
 
 	public function setUp(): void {
 		parent::setUp();
@@ -67,7 +69,8 @@ class FileServiceTest extends TestCase {
 		$this->rootFolder = $this->createMock(IRootFolder::class);
 		$this->config = $this->createMock(IConfig::class);
 		$this->attachmentMapper = $this->createMock(AttachmentMapper::class);
-		$this->fileService = new FileService($this->l10n, $this->appData, $this->request, $this->logger, $this->rootFolder, $this->config, $this->attachmentMapper);
+		$this->mimeTypeDetector = $this->createMock(IMimeTypeDetector::class);
+		$this->fileService = new FileService($this->l10n, $this->appData, $this->request, $this->logger, $this->rootFolder, $this->config, $this->attachmentMapper, $this->mimeTypeDetector);
 	}
 
 	public function mockGetFolder($cardId) {
@@ -268,51 +271,13 @@ class FileServiceTest extends TestCase {
 		$file->expects($this->any())
 			->method('fopen')
 			->willReturn('fileresource');
+		$this->mimeTypeDetector->expects($this->once())
+			->method('getSecureMimeType')
+			->willReturn('image/jpeg');
 		$actual = $this->fileService->display($attachment);
 		$expected = new StreamResponse('fileresource');
 		$expected->addHeader('Content-Type', 'image/jpeg');
-		$expected->addHeader('Content-Disposition', 'inline; filename="' . rawurldecode($file->getName()) . '"');
-		$policy = new ContentSecurityPolicy();
-		$policy->addAllowedObjectDomain('\'self\'');
-		$policy->addAllowedObjectDomain('blob:');
-		$policy->addAllowedMediaDomain('\'self\'');
-		$policy->addAllowedMediaDomain('blob:');
-		$expected->setContentSecurityPolicy($policy);
-		$this->assertEquals($expected, $actual);
-	}
-
-	public function testDisplayPdf() {
-		$this->config->expects($this->once())
-			->method('getSystemValue')
-			->willReturn('123');
-		$appDataFolder = $this->createMock(Folder::class);
-		$deckAppDataFolder = $this->createMock(Folder::class);
-		$cardFolder = $this->createMock(Folder::class);
-		$this->rootFolder->expects($this->once())->method('get')->willReturn($appDataFolder);
-		$appDataFolder->expects($this->once())->method('get')->willReturn($deckAppDataFolder);
-		$deckAppDataFolder->expects($this->once())->method('get')->willReturn($cardFolder);
-		$attachment = $this->getAttachment();
-		$file = $this->createMock(\OCP\Files\File::class);
-		$cardFolder->expects($this->once())->method('get')->willReturn($file);
-		$file->expects($this->any())
-			->method('getMimeType')
-			->willReturn('application/pdf');
-		$file->expects($this->any())
-			->method('getName')
-			->willReturn('file1');
-		$file->expects($this->any())
-			->method('fopen')
-			->willReturn('fileresource');
-		$actual = $this->fileService->display($attachment);
-		$expected = new StreamResponse('fileresource');
-		$expected->addHeader('Content-Disposition', 'inline; filename="' . rawurldecode($file->getName()) . '"');
-		$expected->addHeader('Content-Type', 'application/pdf');
-		$policy = new ContentSecurityPolicy();
-		$policy->addAllowedObjectDomain('\'self\'');
-		$policy->addAllowedObjectDomain('blob:');
-		$policy->addAllowedMediaDomain('\'self\'');
-		$policy->addAllowedMediaDomain('blob:');
-		$expected->setContentSecurityPolicy($policy);
+		$expected->addHeader('Content-Disposition', 'attachment; filename="' . rawurldecode($file->getName()) . '"');
 		$this->assertEquals($expected, $actual);
 	}