# ub-server

## Added

### 5.23.2 2023-02-12

- new ubConfig parameter `security.sessionKeyReuseDelaySec`: max allowed session signature time shift in seconds.
  Authorization tokens generated before the specified period are not accepted by UB authorization.
  This prevents an authorization replay attack.
  Validation is disabled if the parameter is 0. Default is 60 seconds
- new ubConfig parameter `security.strictUBQL`: the `ubql` endpoint will verify that each passed UBQL is safe before calling the actual method implementation.
  WARNING: in future versions this parameter will be removed and client-side UBQL should always be strict. Changes that may affect existing code:
  - in `fieldList`, `FUNCTION(attr)` (example: `COUNT(ID)`) is not allowed - the attribute MUST always be bracketed. The valid expression is `COUNT([ID])`
  - in `whereList`, names of attributes in expressions MUST be bracketed: `[attr]`
  - in `logicalPredicates`, all where item names MUST be bracketed. Only OR/AND is allowed. The expression MUST be wrapped in ()
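As an added illustration (not the server's own validator), the following JavaScript check applies the three strict-UBQL rules above together with the `COUNT(1)` exception noted in the 5.23.3 fix below; the regular expressions and the `checkStrictUBQL` name are assumptions.

```javascript
// Illustrative strict-UBQL checker (added example, not UB's implementation).
// Rules from the changelog: attributes must be bracketed in fieldList and
// whereList expressions; logicalPredicates may contain only bracketed
// where-item names, AND/OR and parentheses; COUNT(1) is tolerated.
const ATTR = '\\[[A-Za-z_][\\w.]*\\]'   // [attr] or [attr.subAttr]
// [attr], FUNCTION([attr]) or COUNT(1); anything else (e.g. COUNT(ID)) is unsafe
const FIELD_RE = new RegExp(`^(?:${ATTR}|[A-Za-z_]\\w*\\((?:${ATTR}|1)\\))$`)
const NAME_RE = new RegExp(`^${ATTR}$`)

// Returns an array of violations; an empty array means the query is safe
function checkStrictUBQL (ubql) {
  const problems = []
  for (const f of ubql.fieldList || []) {
    if (!FIELD_RE.test(f)) problems.push(`fieldList: unsafe expression "${f}"`)
  }
  const whereList = ubql.whereList || {}
  for (const key of Object.keys(whereList)) {
    const expr = whereList[key].expression
    if (!FIELD_RE.test(expr)) problems.push(`whereList.${key}: unsafe expression "${expr}"`)
  }
  for (const pred of ubql.logicalPredicates || []) {
    // tokens: "[name]", "(", ")", stray brackets, or runs of other characters
    const tokens = pred.match(/\[[^\]]*\]|[()\[\]]|[^\s()\[\]]+/g) || []
    let depth = 0
    for (const t of tokens) {
      if (t === '(') depth++
      else if (t === ')') depth--
      else if (/^(AND|OR)$/i.test(t)) continue
      else if (NAME_RE.test(t)) {
        // a where-item name must refer to an existing whereList key
        if (!(t.slice(1, -1) in whereList)) problems.push(`logicalPredicates: unknown where item ${t}`)
      } else problems.push(`logicalPredicates: unexpected token "${t}"`)
    }
    if (depth !== 0) problems.push(`logicalPredicates: unbalanced parentheses in "${pred}"`)
  }
  return problems
}
```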
### 5.23.01 2023-02-01

- new command line switch `--console-test` (`-ct`) - do not output server thread logs to stdout/stderr.
  Useful for tests that start the server using `startServer()`
## Changed

### 5.23.2 2023-02-12

- a detailed description of UB Authorization token validation errors is now logged in both prod and dev modes (only in dev mode before this change)

### 5.23.01 2023-02-01

- `ServerApp.els` will return `false` in case the passed method does not exist - the same behavior as in the client-side JS implementation
- when adding or changing entries in unity entities with `mixins.multitenancy.enabled=true` that correspond to entities with `mixins.multitenancy.enabled=false`, set `mi_tenantID=0`
## Fixed

### 5.23.3 2023-02-20

- consider the `COUNT(1)` functional expression in UBQL `fieldList` safe (well-known pattern to calculate a total)
- consider a `logicalPredicates` expression valid without wrapping () - the SQL builder adds them by itself

### 5.23.2 2023-02-12

- fixed a security issue that allowed the same session signature to be reused for more than 60 seconds (in some cases)
- an invalid expression in the `whereList` part of client UBQL now throws `ESecurityException`, so it will be logged into `uba_audit` and the client gets `<<<Access deny>>>` instead of `Internal server error`. Behavior is the same as for an unsafe attribute in `fieldList`
## Added

### 5.23.45 2023-02-22

- `Form` processing: `beforeMaster` flag support in the collection config, which allows executing collection actions before the main request.
  This can be useful in scenarios such as adding document participants before changing the author, which preserves document access for the user

### 5.23.44 2023-02-15

- `UDialog`: support for custom dialog width via the given `width` property

```js
const result = await dialog({
  title: 'title',
  msg: 'message',
  type: 'warning',
  buttons: {
    yes: 'yes',
    no: 'no',
    cancel: 'cancel'
  },
  width: '700px'
})
```

### 5.23.43 2023-02-10

- `USelectEntity`: new property `beforeDeleteRecord: function(recordID)` - a callback which will be called with one parameter `recordID` before delete. If it returns `false`, the deletion will be canceled
- `@unitybase/adminui-vue` exports a new `escapeHtml` function
## Fixed

### 5.23.45 2023-02-22

- table entity in modal window: set focus on the table by default to fix an issue with the 'ESC' button in some cases

### 5.23.44 2023-02-15

- `USelectEntity`: fixed the work of drop-down menu items in debug (-dev) mode.
  Before the fix all menu buttons did nothing when clicked
- `USelectEntity`: the `chooseOption` handler triggered the `setQueryByValue` method twice (within itself and within the `value` watcher), in some cases each time with different values
- `USelectEntity`: in case of several consecutive calls to `setQueryByValue`, they change the label in the order they are called. Before this fix, the result depended on the presence of a value in the already loaded options
- `UTableEntity`: fix enum-equal filter (an unknown value was displayed instead of empty while adding a new filter)

### 5.23.43 2023-02-10

- export to HTML will escape possible HTML special characters in column values.
  Works for columns where a custom `exportFormat` function is not defined.
  A custom `exportFormat` can use the `escapeHtml` function exported by `@unitybase/adminui-vue` to perform its own escaping
- `moment` package upgraded to 5.29.4 (there is CVE-2022-31129 in moment@5.29.3)
## Added

### 5.24.25 2023-02-06

- new method `$App.showAccessRights` - show the aclRls grid for the specified instance

## Fixed

### 5.24.25 2023-02-06

- aclRls (Access rights) action for `EntityGridPanel`
## Fixed

### 5.23.14 2023-02-10

- fixed `SyncConnection.lookup` to produce safe UBQL (attribute in whereList expression MUST be wrapped in [])

### 5.23.13 2023-02-06

- fix `LOCAL_SERVER_UBQL_V2` detection for future versions of UB (past v5)
## Added

### 5.23.17 2023-02-15

- new BLOB stores configuration properties:
  - `whitelistExtensions`: array of allowed file extensions (with ., lowercase), example: `['.jpg', '.png']`. If empty (default), any extension is allowed
  - `blacklistExtensions`: array of NOT allowed file extensions (with ., lowercase), example: `['.exe', '.sh']`

  Example:

  ```json
  [
    {
      "name": "simple",
      "path": "/%stores/documents/simple", // default ./ added for test only!
      "isDefault": true,
      "blacklistExtensions": [".exe", ".com", ".bat", ".sh"]
    },
    {
      "name": "avatars",
      "path": "%UB_APPDATA%stores/documents/avatars",
      "whitelistExtensions": [".png", ".jpg", ".jpeg", ".webp"]
    }
  ]
  ```
## Added

### 5.23.30 2023-02-15

- added the `providerConfig.fields` parameter for `registerProvider` - an id.gov.ua specific

## Fixed

### 5.23.30 2023-02-15

- during redirection to the provider auth endpoint the `state` parameter is now filled randomly to prevent request forgery and stored in the global cache;
  during the auth handshake the state is compared with the initial one (retrieved from the global cache by the `OIDC_SESSID_COOKIE` cookie value)
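To illustrate the `state` handling described above, an added JavaScript sketch that is not the openid module's code: a state value is issued per session and kept in a cache keyed by the session cookie value, then compared on the callback. `issueState`, `verifyState`, the in-memory `Map` standing in for the global cache and the injected `rng` are assumptions; consuming the cache entry on first use is also an assumption, not something the changelog states.

```javascript
// Added illustrative sketch of OIDC state issue/verify (not UB's openid code).
// Assumption: `rng` returns a random hex string; in production use
// crypto.randomBytes(32).toString('hex') or an equivalent CSPRNG.

// Constructed in-memory stand-in for the global cache (sessionId -> state)
const stateCache = new Map()

// Called before redirecting to the provider auth endpoint: the returned
// state goes into the redirect URL, the copy in the cache is bound to the
// caller's session cookie value
function issueState (cache, sessionId, rng) {
  const state = rng()
  cache.set(sessionId, state)
  return state
}

// Called on the provider callback. Returns true only when the state that
// came back matches the one issued for this session cookie; a forged
// callback carrying another session's state fails here. The entry is
// removed on first use (assumption) so one state cannot be replayed.
function verifyState (cache, sessionId, returnedState) {
  const expected = cache.get(sessionId)
  cache.delete(sessionId)
  if (!expected || typeof returnedState !== 'string') return false
  return constantTimeEqual(expected, returnedState)
}

// Comparison that does not stop at the first differing character
function constantTimeEqual (a, b) {
  if (a.length !== b.length) return false
  let diff = 0
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i)
  return diff === 0
}
```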
## Added

### 5.23.45 2023-02-22

- added a new role `LocalOrgManager` - allows creating and changing the organizational structure in own organization
- added a new `ownOrganization` property into `userData` - the lower-level organization of the employee's permanent staff unit assignment
- added a new entity method `org_employee.createUserForEmployee` to create a new user on saving an employee without a login

## Changed

### 5.23.45 2023-02-22

- changed the shortcuts order in the `org_folder_internal` directory
## Changed

### 5.23.20 2023-02-10

- `AsyncConnection.insert|update|runTrans` DO NOT stringify `execParams` values for keys with dots before sending them to the server

```js
await UB.connection.update({
  entity: 'entityCode',
  execParams: {
    ID: 1,
    'attrValues.ldoc2908': [1000000000244, 1000000000245]
  }
})
// before changes sends over network
// "execParams": { "ID": 1, "attrValues.ldoc2908": "[1000000000244, 1000000000245]"}
// after changes
// "execParams": { "ID": 1, "attrValues.ldoc2908": [1000000000244, 1000000000245]}
```

## Fixed

### 5.23.19 2023-02-06

- fix `Cannot read properties of undefined (reading 'adminUI')` when trying to connect from NodeJS services to UB in maintenance mode
## Added

### 5.24.11 2023-02-15

- new BLOB stores configuration properties:
  - `whitelistExtensions`: array of allowed file extensions (with ., lowercase), example: `['.jpg', '.png']`. If empty (default), any extension is allowed
  - `blacklistExtensions`: array of NOT allowed file extensions (with ., lowercase), example: `['.exe', '.sh']`
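As an added example that is not the BLOB store implementation, a check applying the `whitelistExtensions` / `blacklistExtensions` properties described here and in the 5.23.17 BLOB stores entry above; the store objects are constructed in the shape of that entry's example, and `fileExtension` and `isExtensionAllowed` are assumed names.

```javascript
// Added illustrative check (not UB's BLOB store code) for the
// whitelistExtensions / blacklistExtensions store properties.
// Assumptions: the extension is the text from the last dot of the base name,
// compared lowercase; a leading-dot name like ".htaccess" has no extension;
// trailing dots/spaces are dropped, as Windows does when creating the file.

// Constructed store configs in the shape of the changelog example
const STORES = {
  simple: { name: 'simple', blacklistExtensions: ['.exe', '.com', '.bat', '.sh'] },
  avatars: { name: 'avatars', whitelistExtensions: ['.png', '.jpg', '.jpeg', '.webp'] }
}

// Extension of the file-name part of a path, lowercase, '' when absent
function fileExtension (fileName) {
  const base = String(fileName).split(/[\\/]/).pop().replace(/[.\s]+$/, '')
  const dot = base.lastIndexOf('.')
  return dot > 0 ? base.slice(dot).toLowerCase() : ''
}

// true when fileName may be written to the store: the blacklist is checked
// first, then the whitelist (an empty whitelist allows any extension)
function isExtensionAllowed (store, fileName) {
  const ext = fileExtension(fileName)
  if ((store.blacklistExtensions || []).includes(ext)) return false
  const white = store.whitelistExtensions || []
  return white.length === 0 || white.includes(ext)
}
```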
### 5.24.10 2023-02-10

- new server-side event `applicationReady` for `App`. Fires inside each working thread after all initialization steps are done during startup (domain, endpoints and BLOB stores are initialized)
## Changed

### 5.23.35 2023-02-06

- stop calling `fixTenantIdForUbaSubject` in the migration hook during migrations on multitenant environments;
  slightly improved logging in that migration hook

## Changed

### 5.24.7 2023-02-06

- the `server_name` directive in the nginx template for `ub-proxy.conf` (used by `ubcli generateNginxCfg`) is moved above the ssl configuration for better readability