ub-server
Added
5.23.2 2023-02-12
- new ubConfig parameter
security.sessionKeyReuseDelaySec: max allowed session signature time shift in second.
Authorization tokens generated before the specified period are not accepted by UB authorization.
This prevents authorization reply attack.
Validation disabled if parameter = 0. Default is 60 seconds
- new ubConfig parameter
security.strictUBQL: ubql endpoint will verify each passed UBQL is safe before call actual method implementation.
WARNING in future versions parameter will be removed and client-side UBQL should always be strict. Changes what may affect existed code:
- in
fieldList FUNCTION(attr)(example: COUNT(ID)) is not allowed - attribute MUST be always bracketed. Valid expression is COUNT([ID])
- in
whereList name of attributes in expression MUST be bracketed [ettr]
- in
logicalPredicates all where item names MUST be bracketed. Only OR/AND is allowed. Expression MUST be wrapped in ().
5.23.01 2023-02-01
- new command line switch
--console-test (-ct) - do not output server threads logs to stdout/stderror.
Useful for tests what starts server using startServer()
Changed
5.23.2 2023-02-12
- detailed description of UB Authorization token validation error now logged in both prod and dev modes (only in dev before changes)
5.23.01 2023-02-01
- ServerApp.els will return
false in case passed method is not exists - the same behavior
as on client side JS implementation
- when adding or changing entries in unity entities with mixins.multitenancy.enabled=true,
corresponding to entities with mixins.multitenancy.enabled=false, set mi_tenantID=0
Fixed
5.23.3 2023-02-20
- consider
COUNT(1) functional expression in UBQL fieldList is safe (well-known pattern to calc total)
- consider
logicalPredicates expression can be without wrapped () - SQL builder adds it by itself
5.23.2 2023-02-12
- fixed a security issue that allowed the same session signature to be reused for more than 60 seconds (in some cases)
- invalid expression in
whereList part of client UBQL now throws ESecurityException,
so will be logged into uba_audit and client got <<<Access deny>>> instead of Internal server error.
Behavior is the same as for unsafe attribute in fieldList
Added
5.23.45 2023-02-22
Form processing: beforeMaster flag support in the collection config which allows to execute collection actions before the main request.
This can be useful in scenarios such as adding document participants before changing the author, which preserves document
access for the user
5.23.44 2023-02-15
UDialog: support for custom dialog width via given width property
const dialog = await dialog({
title: 'title',
msg: 'message',
type: 'warning',
buttons: {
yes: 'yes',
no: 'no',
cancel: 'cancel'
},
width: '700px'
})
5.23.43 2023-02-10
USelectEntity: new property beforeDeleteRecord: function(recordID) - callback which will be called
with one parameter recordID before delete. If returns false - deletion will be canceled.@unitybase/adminui-vue exports new escapeHtml function
Fixed
5.23.45 2023-02-22
- table entity in modal window: set focus on table by default to fix issue with 'ESC' button in some cases
5.23.44 2023-02-15
USelectEntity: fixed the work of drop-down menu items in debug (-dev) mode.
Before the fix all menu buttons did nothing when were clicked onUSelectEntity: the chooseOption handler triggered setQueryByValue
method twice (within itself and within the value watcher) and in some cases
each time with different valuesUSelectEntity: in case of several consecutive calls to setQueryByValue,
they change the label in the order they are called. Before this fix,
the result depended on the presence of a value in the already loaded optionsUTableEntity - fix enum-equal filter (unknown value is displayed instead of empty while adding new filter)
5.23.43 2023-02-10
export to HTML will escape possible HTML special characters in column values.
Works for columns where custom exportFormat function is not defined.
Custom exportFormat can use escapeHtml function., exported by @unitybase/adminui-vue to perform their own escapingmoment package upgraded to 5.29.4 (there is CVE-2022-31129 in moment@5.29.3)
Added
5.24.25 2023-02-06
- new method
$App.showAccessRights - show aclRls grid for specified instance
Fixed
5.24.25 2023-02-06
- aclRls (Access rights) action for
EntityGridPanel
Fixed
5.23.14 2023-02-10
- fixed
SyncConnection.lookup to produce safe UBQL (attribute in whereList expression MUST be wrapped by [])
5.23.13 2023-02-06
- Fix
LOCAL_SERVER_UBQL_V2 detection for future versions of UB (past v5)
Added
5.23.17 2023-02-15
- new BLOB stores configuration properties:
whitelistExtensions: array of allowed file extensions (with ., lowercase), example: ['.jpg', '.png']. If empty(default) - any extension is allowedblacklistExtensions: array of NOT allowed file extensions (with ., lowercase), example: ['.exe', '.sh']
Example:
"name": "simple",
"path": "/%stores/documents/simple", // default ./ added for test only!
"isDefault": true,
"blacklistExtensions": [".exe", ".com", ".bat", ".sh"]
"name": "avatars",
"path": "%UB_APPDATA%stores/documents/avatars",
"whitelistExtensions": [".png", ".jpg", ".jpeg", ".webp"]
Added
5.23.30 2023-02-15
- added
providerConfig.fields parameter for registerProvider - an id.gov.ua specific
Fixed
5.23.30 2023-02-15
- during redirection to provider auth endpoint
state parameter now filled randomly to prevent request forgery and stored in global cache;
During auth handshake state is compared with initial one (retrieved from global cache by cookie OIDC_SESSID_COOKIE value)
Added
5.23.45 2023-02-22
- added a new role
LocalOrgManager - allows to create and change the organizational structure in own organization
- added new
ownOrganization property into userData - a lower organization of permanent staff unit assignment for employee
- added new entity-method
org_employee.createUserForEmployee to create new user on save employee without login
Changed
5.23.45 2023-02-22
- changed shortcuts order in the directory
org_folder_internal
Changed
5.23.20 2023-02-10
AsyncConnection.insert|update|runTrans DO NOT stringify execParams values for keys with dots before sending them to server
await UB.connection.update({
entity: 'entityCode',
execParams: {
ID: 1,
'attrValues.ldoc2908': [1000000000244, 1000000000245]
}
// before changes sends over network
// "execParams": { "ID": 1, "attrValues.ldoc2908": "[1000000000244, 1000000000245]"}
//after changes
// "execParams": { "ID": 1, "attrValues.ldoc2908": [1000000000244, 1000000000245]}
Fixed
5.23.19 2023-02-06
- fix
Cannot read properties of undefined (reading 'adminUI') when try to connect from NodeJS services to UB in maintenance mode
Added
5.24.11 2023-02-15
- new BLOB stores configuration properties:
whitelistExtensions: array of allowed file extensions (with ., lowercase), example: ['.jpg', '.png']. If empty(default) - any extension is allowedblacklistExtensions: array of NOT allowed file extensions (with ., lowercase), example: ['.exe', '.sh']
5.24.10 2023-02-10
- new server-side event
applicationReady for App. Fires inside each working thread after all initialization step
is done during startup (domain, endpoints and BLOB stores are initialized)
Changed
5.23.35 2023-02-06
- Stop during migrations on multitenant environments call
fixTenantIdForUbaSubject in the migration hook;
slightly improved logging in that migration hook
Changed
5.24.7 2023-02-06
server_name directive in nginx template for ub-proxy.conf (used by ubcli generateNginxCfg) is moved above
ssl configuration for better readability
