This permission was never checked for and had an unintended consequence of
allowing a non-superadmin user to execute arbitrary queries (expected), but
getting a superadmin session by joining the `sessions` table.
This patch:
- Introduces a table allowlist that uses the Postgres query plan (JSON)
and validate the referenced tables against the allowed ones on arbitrary
queries issued to the various `/subscribers` APIs.
- Explicitly adds the missing `subscribers:sql_query` permission check to all
handlers that accept `query`.
- Introduces a new `search` parameter on all handlers that accept `query`.
This parameter is an interface over the default name/email substring search
instead of relying on `query`.
- During install, listmonk now accepts the env `LISTMONK_ADMIN_API_USER`
and creates an API user (with username $LISTMONK_ADMIN_API_USER)
with full superadmin permissions. This requires LISTMONK_ADMIN_USER and
LISTMONK_ADMIN_API_PASSWORD to be set so that that there's always a superadmin
user to avoid bad states, mainly: bot superadmin exists, but no admin user
exists, leaving the installation perpetually open with the superadmin user
creation UI on the first login.
The API user's token is printed to stderr in the following format:
`export LISTMONK_ADMIN_API_TOKEN="7I81VSd90UWhKDj5Kq9c6YopToRduyDF"`
This can be redirected to a file with ./listmonk 2> /tmp/token or captured
directly and then source()'d.
- Add new function `core.GetRole(id)`.
- Fix `at least one super admin` query in user deletion.
This patch significantly cleans up clunky, repetitive, and pervasive
validation logic across HTTP handlers.
- Rather than dozens of handlers checking and using strconv to validate ID,
the handlers with `:id` are now wrapped in a `hasID()` middleware that does
the validation and sets an int `id` in the handler context that the wrapped
handlers can now access with `getID()`.
- Handlers that handled both single + multi resource requests
(eg: GET `/api/lists`) with single/multiple id checking conditions are all now
split into separate handlers, eg: `getList()`, `getLists()`.
- Attach all HTTP handlers to a new `Handlers{}` struct.
- Remove all `handle*` function prefixes.
- Remove awkward, repetitive `app = c.Get("app").(*App)` from all handlers
and instead, simply access it from `h.app` from `Handlers{}`
Originally proposed in #2292.
- Make the beginning of handlers consistent with uniform variable declaration
and grouping.
- Add missing comments.
- Fix staticcheck/vet warnings and idiom issues.
- Move user models from `/models` to `internal/auth`.
- Move and refactor various permission check functions into `User.()`
- Refactor awkward `get, manage bool` function args into `Get|Manage` bitflags.
This patch introduces new `campaigns:get_all` and `campaigns:manage_all`
permissions which alter the behaviour of the the old `campaigns:get` and
`campaigns:manage` permissions. This is a subtle breaking behavioural change.
Old:
- `campaigns:get` -> View all campaigns irrespective of a user's list
permissions.
- `campaigns:manage` -> Manage all campaigns irrespective of a user's list
permissions.
New:
- `campaigns:get_all` -> View all campaigns irrespective of a user's list
permissions.
- `campaigns:manage_all` -> Manage all campaigns irrespective of a user's list
permissions.
- `campaigns:get` -> View only the campaigns that have at least one list to
which which a user has get or manage access.
- `campaigns:manage` -> Manage only the campaigns that have at list one list
to which a user has get or manage access.
In addition, this patch refactors and cleans up certain permission related
logic and functions.
- Fix status/button state management issues when `Send at` was toggled
under various scenarios.
- Allow paused campaigns to be edited and turned into scheduled campaigns.
- Add Cypress UI tests for unscheduling.
This patch introduces a new `Domain allowlist` input in Settings -> Privacy UI
as a new tab alongside domain `Domain blocklist`. If any domains are entered
here, then only subscriptions/imports/additions of e-mails from those particular
domains are accepted. blocklist is mutually exclusive with allowlist when there
are values in the allowlist.
This patch removes the forced suffixing of all media upload filenames with
random strings. The upload handler now checks the `media` table to ensure that
the filename being uploaded doesn't exist before forcing a suffix.
Outright rejecting duplicate filenames cannot be done to maintain backwards
compatibility with the old behaviour.
Closes#2277.
- Update translation for "powered by" text
- Refine user-related translations for role and status labels
- Improve clarity of translations for user type and role descriptions
- Modify "username help" text for better guidance
Signed-off-by: appleboy <appleboy.tw@gmail.com>
This patch adds a new optional `name` field to SMTP server config on the UI.
When a name is given to an SMTP server, it's initialized as a standalone messenger
which shows up as a sub-group item under the main "email" messenger
on the campaign page.
Co-authored-by: Kailash Nadh <kailash@nadh.in>
