AZEN-SGG/Kavita
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Lots of Bugfixes (#1426)

Browse source 
* Fixed bookmarks not being able to load due to missing [AllowAnonymous]

* Downgraded Docnet to 2.4.0-alpha2 which is the version we added our patches to. This might fix reports of broken PDF reading on ARM

* Updated all but one api in collections to admin only policy

* Ensure all config folders are created or exist on first load

* Ensure plugins can authenticate

* Updated some headers we use on Kavita to tighten security.

* Tightened up cover upload flow to restrict more APIs to only the admin

* Enhanced the reset password flow to ensure that the user passes their existing password in (if already authenticated). Admins can still change other users without having existing password.

* Removed an additional copy during build and copied over the prod appsettings and not Development.

* Fixed up the caching mechanism for cover resets and migrated to profiles. Left an etag filter for reference.

* Fixed up manual jump key calculation to include period in #

* Added jumpbar to reading lists page

* Fixed a double scrollbar on library detail page

* Fixed weird scroll issues with want to read

* Fixed a bug where remove from want to read list wasn't hooked up on series card

* Cleaned up Clear bookmarks to use a dedicated api for bulk clearing. Converted Bookmark page to OnPush.

* Fixed jump bar being offset when clicking a jump key

* Ensure we don't overflow on add to reading list

* Fixed a bad name format on reading list items
This commit is contained in:
Joseph Milazzo 2022-08-11 20:16:31 -05:00 committed by GitHub
parent 7392747388
commit b6a38bbd86
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
37 changed files with 497 additions and 96 deletions
Download patch file Download diff file Expand all files Collapse all files

15
API/Controllers/AccountController.cs
View file

@ -79,14 +79,25 @@ namespace API.Controllers
var user = await _userManager.Users.SingleOrDefaultAsync(x => x.UserName == resetPasswordDto.UserName);
if (user == null) return Ok(); // Don't report BadRequest as that would allow brute forcing to find accounts on system
var isAdmin = User.IsInRole(PolicyConstants.AdminRole);
if (resetPasswordDto.UserName == User.GetUsername() && !(User.IsInRole(PolicyConstants.ChangePasswordRole) || User.IsInRole(PolicyConstants.AdminRole)))
if (resetPasswordDto.UserName == User.GetUsername() && !(User.IsInRole(PolicyConstants.ChangePasswordRole) || isAdmin))
return Unauthorized("You are not permitted to this operation.");
if (resetPasswordDto.UserName != User.GetUsername() && !User.IsInRole(PolicyConstants.AdminRole))
if (resetPasswordDto.UserName != User.GetUsername() && !isAdmin)
return Unauthorized("You are not permitted to this operation.");
if (string.IsNullOrEmpty(resetPasswordDto.OldPassword) && !isAdmin)
return BadRequest(new ApiException(400, "You must enter your existing password to change your account unless you're an admin"));
// If you're an admin and the username isn't yours, you don't need to validate the password
var isResettingOtherUser = (resetPasswordDto.UserName != User.GetUsername() && isAdmin);
if (!isResettingOtherUser && !await _userManager.CheckPasswordAsync(user, resetPasswordDto.OldPassword))
{
return BadRequest("Invalid Password");
}
var errors = await _accountService.ChangeUserPassword(user, resetPasswordDto.Password);
if (errors.Any())
{

1
API/Controllers/CollectionController.cs
View file

@ -99,6 +99,7 @@ namespace API.Controllers
/// </summary>
/// <param name="dto"></param>
/// <returns></returns>
[Authorize(Policy = "RequireAdminRole")]
[HttpPost("update-for-series")]
public async Task<ActionResult> AddToMultipleSeries(CollectionTagBulkAddDto dto)
{

20
API/Controllers/ImageController.cs
View file

@ -2,6 +2,7 @@
using System.Threading.Tasks;
using API.Data;
using API.Entities.Enums;
using API.Extensions;
using API.Services;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
@ -16,7 +17,6 @@ namespace API.Controllers
{
private readonly IUnitOfWork _unitOfWork;
private readonly IDirectoryService _directoryService;
private const int ImageCacheSeconds = 1 * 60;
/// <inheritdoc />
public ImageController(IUnitOfWork unitOfWork, IDirectoryService directoryService)
@ -31,7 +31,7 @@ namespace API.Controllers
/// <param name="chapterId"></param>
/// <returns></returns>
[HttpGet("chapter-cover")]
[ResponseCache(Duration = ImageCacheSeconds, Location = ResponseCacheLocation.Client, NoStore = false)]
[ResponseCache(CacheProfileName = "Images")]
public async Task<ActionResult> GetChapterCoverImage(int chapterId)
{
var path = Path.Join(_directoryService.CoverImageDirectory, await _unitOfWork.ChapterRepository.GetChapterCoverImageAsync(chapterId));
@ -47,7 +47,7 @@ namespace API.Controllers
/// <param name="volumeId"></param>
/// <returns></returns>
[HttpGet("volume-cover")]
[ResponseCache(Duration = ImageCacheSeconds, Location = ResponseCacheLocation.Client, NoStore = false)]
[ResponseCache(CacheProfileName = "Images")]
public async Task<ActionResult> GetVolumeCoverImage(int volumeId)
{
var path = Path.Join(_directoryService.CoverImageDirectory, await _unitOfWork.VolumeRepository.GetVolumeCoverImageAsync(volumeId));
@ -62,7 +62,7 @@ namespace API.Controllers
/// </summary>
/// <param name="seriesId">Id of Series</param>
/// <returns></returns>
[ResponseCache(Duration = ImageCacheSeconds, Location = ResponseCacheLocation.Client, NoStore = false)]
[ResponseCache(CacheProfileName = "Images")]
[HttpGet("series-cover")]
public async Task<ActionResult> GetSeriesCoverImage(int seriesId)
{
@ -70,6 +70,8 @@ namespace API.Controllers
if (string.IsNullOrEmpty(path) || !_directoryService.FileSystem.File.Exists(path)) return BadRequest($"No cover image");
var format = _directoryService.FileSystem.Path.GetExtension(path).Replace(".", "");
Response.AddCacheHeader(path);
return PhysicalFile(path, "image/" + format, _directoryService.FileSystem.Path.GetFileName(path));
}
@ -79,7 +81,7 @@ namespace API.Controllers
/// <param name="collectionTagId"></param>
/// <returns></returns>
[HttpGet("collection-cover")]
[ResponseCache(Duration = ImageCacheSeconds, Location = ResponseCacheLocation.Client, NoStore = false)]
[ResponseCache(CacheProfileName = "Images")]
public async Task<ActionResult> GetCollectionCoverImage(int collectionTagId)
{
var path = Path.Join(_directoryService.CoverImageDirectory, await _unitOfWork.CollectionTagRepository.GetCoverImageAsync(collectionTagId));
@ -95,7 +97,7 @@ namespace API.Controllers
/// <param name="readingListId"></param>
/// <returns></returns>
[HttpGet("readinglist-cover")]
[ResponseCache(Duration = ImageCacheSeconds, Location = ResponseCacheLocation.Client, NoStore = false)]
[ResponseCache(CacheProfileName = "Images")]
public async Task<ActionResult> GetReadingListCoverImage(int readingListId)
{
var path = Path.Join(_directoryService.CoverImageDirectory, await _unitOfWork.ReadingListRepository.GetCoverImageAsync(readingListId));
@ -114,7 +116,7 @@ namespace API.Controllers
/// <param name="apiKey">API Key for user. Needed to authenticate request</param>
/// <returns></returns>
[HttpGet("bookmark")]
[ResponseCache(Duration = ImageCacheSeconds, Location = ResponseCacheLocation.Client, NoStore = false)]
[ResponseCache(CacheProfileName = "Images")]
public async Task<ActionResult> GetBookmarkImage(int chapterId, int pageNum, string apiKey)
{
var userId = await _unitOfWork.UserRepository.GetUserIdByApiKeyAsync(apiKey);
@ -134,9 +136,9 @@ namespace API.Controllers
/// </summary>
/// <param name="filename">Filename of file. This is used with upload/upload-by-url</param>
/// <returns></returns>
[AllowAnonymous]
[Authorize(Policy="RequireAdminRole")]
[HttpGet("cover-upload")]
[ResponseCache(Duration = ImageCacheSeconds, Location = ResponseCacheLocation.Client, NoStore = false)]
[ResponseCache(CacheProfileName = "Images")]
public ActionResult GetCoverUploadImage(string filename)
{
if (filename.Contains("..")) return BadRequest("Invalid Filename");

2
API/Controllers/PluginController.cs
View file

@ -2,6 +2,7 @@
using API.Data;
using API.DTOs;
using API.Services;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;
@ -26,6 +27,7 @@ namespace API.Controllers
/// <param name="apiKey"></param>
/// <param name="pluginName">Name of the Plugin</param>
/// <returns></returns>
[AllowAnonymous]
[HttpPost("authenticate")]
public async Task<ActionResult<UserDto>> Authenticate(string apiKey, string pluginName)
{

44
API/Controllers/ReaderController.cs
View file

@ -11,7 +11,6 @@ using API.Entities;
using API.Entities.Enums;
using API.Extensions;
using API.Services;
using API.SignalR;
using Hangfire;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
@ -48,7 +47,7 @@ namespace API.Controllers
/// <param name="chapterId"></param>
/// <returns></returns>
[HttpGet("pdf")]
[ResponseCache(Duration = 60 * 10, Location = ResponseCacheLocation.Client, NoStore = false)]
[ResponseCache(CacheProfileName = "Hour")]
public async Task<ActionResult> GetPdf(int chapterId)
{
var chapter = await _cacheService.Ensure(chapterId);
@ -80,7 +79,7 @@ namespace API.Controllers
/// <param name="page"></param>
/// <returns></returns>
[HttpGet("image")]
[ResponseCache(Duration = 60 * 10, Location = ResponseCacheLocation.Client, NoStore = false)]
[ResponseCache(CacheProfileName = "Hour")]
[AllowAnonymous]
public async Task<ActionResult> GetImage(int chapterId, int page)
{
@ -112,7 +111,8 @@ namespace API.Controllers
/// <remarks>We must use api key as bookmarks could be leaked to other users via the API</remarks>
/// <returns></returns>
[HttpGet("bookmark-image")]
[ResponseCache(Duration = 60 * 10, Location = ResponseCacheLocation.Client, NoStore = false)]
[ResponseCache(CacheProfileName = "Hour")]
[AllowAnonymous]
public async Task<ActionResult> GetBookmarkImage(int seriesId, string apiKey, int page)
{
if (page < 0) page = 0;
@ -554,6 +554,7 @@ namespace API.Controllers
{
var user = await _unitOfWork.UserRepository.GetUserByUsernameAsync(User.GetUsername(), AppUserIncludes.Bookmarks);
if (user.Bookmarks == null) return Ok("Nothing to remove");
try
{
var bookmarksToRemove = user.Bookmarks.Where(bmk => bmk.SeriesId == dto.SeriesId).ToList();
@ -580,7 +581,42 @@ namespace API.Controllers
}
return BadRequest("Could not clear bookmarks");
}
/// <summary>
/// Removes all bookmarks for all chapters linked to a Series
/// </summary>
/// <param name="dto"></param>
/// <returns></returns>
[HttpPost("bulk-remove-bookmarks")]
public async Task<ActionResult> BulkRemoveBookmarks(BulkRemoveBookmarkForSeriesDto dto)
{
var user = await _unitOfWork.UserRepository.GetUserByUsernameAsync(User.GetUsername(), AppUserIncludes.Bookmarks);
if (user.Bookmarks == null) return Ok("Nothing to remove");
try
{
foreach (var seriesId in dto.SeriesIds)
{
var bookmarksToRemove = user.Bookmarks.Where(bmk => bmk.SeriesId == seriesId).ToList();
user.Bookmarks = user.Bookmarks.Where(bmk => bmk.SeriesId != seriesId).ToList();
_unitOfWork.UserRepository.Update(user);
await _bookmarkService.DeleteBookmarkFiles(bookmarksToRemove);
}
if (!_unitOfWork.HasChanges() || await _unitOfWork.CommitAsync())
{
return Ok();
}
}
catch (Exception ex)
{
_logger.LogError(ex, "There was an exception when trying to clear bookmarks");
await _unitOfWork.RollbackAsync();
}
return BadRequest("Could not clear bookmarks");
}
/// <summary>

1
API/Controllers/ReadingListController.cs
View file

@ -508,6 +508,7 @@ namespace API.Controllers
private async Task<bool> AddChaptersToReadingList(int seriesId, IList<int> chapterIds,
ReadingList readingList)
{
// TODO: Move to ReadingListService and Unit Test
readingList.Items ??= new List<ReadingListItem>();
var lastOrder = 0;
if (readingList.Items.Any())