2.2.7

.circleci/config.yml

@@ -39,6 +39,7 @@ aliases:
     name: Setup and build
     command:
       |
+        cp now-secrets.example.json now-secrets.json
         yarn run build:web
         yarn run build:api
 
@@ -107,10 +108,10 @@ jobs:
       - run:
           name: Danger
           when: always
-          command: test -z $DANGER_GITHUB_API_TOKEN && yarn run danger ci || echo "forks are not allowed to run danger"
+          command: test $DANGER_GITHUB_API_TOKEN && yarn run danger ci || echo "forks are not allowed to run danger"
       - run:
           name: Run E2E Tests
-          command: yarn run test:e2e
+          command: test $CYPRESS_RECORD_KEY && yarn run test:e2e -- --record || yarn run test:e2e
 
   # Run eslint, flow etc.
   test_static_js:

.github/PULL_REQUEST_TEMPLATE.md

@@ -12,6 +12,7 @@
 - mercury
 - hermes
 - chronos
+- pluto
 - mobile
 
 **Run database migrations (delete if no migration was added)**

.gitignore

@@ -31,3 +31,4 @@ api/.env
 .expo
 mobile/.expo
 test-results.json
+public/uploads

.prettierignore

@@ -1 +1,2 @@
 flow-typed
+package.json

.prettierrc

@@ -0,0 +1,4 @@
+{
+  "singleQuote": true,
+  "trailingComma": "es5"
+}

README.md

@@ -190,6 +190,11 @@ yarn run db:seed
 # ⚠️ To empty the database (e.g. if there's faulty data) run yarn run db:drop
 ```
 
+There's a shortcut for dropping, migrating and seeding the database too:
+```sh
+yarn run db:reset
+```
+
 #### Getting the secrets
 
 While the app will run without any secrets set up, you won't be able to sign in locally. To get that set up, copy the provided example secrets file to the real location:

admin/package.json

@@ -44,11 +44,8 @@
     "subscriptions-transport-ws": "^0.9.5"
   },
   "scripts": {
-    "start": "react-scripts start",
-    "build": "react-scripts build",
-    "test": "react-scripts test --env=jsdom",
-    "eject": "react-scripts eject",
-    "predeploy": "npm run build",
-    "deploy": "now build"
+    "start": "NODE_PATH=../ react-scripts start",
+    "build": "NODE_PATH=../ react-scripts build",
+    "test": "NODE_PATH=../ react-scripts test --env=jsdom"
   }
 }

api/index.js

@@ -11,6 +11,7 @@ import express from 'express';
 import Raven from 'shared/raven';
 import { ApolloEngine } from 'apollo-engine';
 import toobusy from 'shared/middlewares/toobusy';
+import addSecurityMiddleware from 'shared/middlewares/security';
 import { init as initPassport } from './authentication.js';
 import type { DBUser } from 'shared/types';
 
@@ -28,6 +29,9 @@ app.set('trust proxy', true);
 // Return the request if the server is too busy
 app.use(toobusy);
 
+// Security middleware.
+addSecurityMiddleware(app);
+
 // Send all responses as gzip
 app.use(compression());
 

api/models/community.js

@@ -1,7 +1,7 @@
 // @flow
 const { db } = require('./db');
 import { parseRange } from './utils';
-import { uploadImage } from '../utils/s3';
+import { uploadImage } from '../utils/file-storage';
 import getRandomDefaultPhoto from '../utils/get-random-default-photo';
 import {
   sendNewCommunityWelcomeEmailQueue,

api/models/user.js

@@ -1,6 +1,6 @@
 // @flow
 const { db } = require('./db');
-import { uploadImage } from '../utils/s3';
+import { uploadImage } from '../utils/file-storage';
 import { createNewUsersSettings } from './usersSettings';
 import { sendNewUserWelcomeEmailQueue } from 'shared/bull/queues';
 import type { PaginationOptions } from '../utils/paginate-arrays';

api/mutations/channel/disableChannelTokenJoin.js

@@ -22,12 +22,28 @@ export default async (
     return new UserError('You must be signed in to manage this channel.');
   }
 
-  const [permissions, settings] = await Promise.all([
+  const [channelPermissions, channel, settings] = await Promise.all([
     loaders.userPermissionsInChannel.load([currentUser.id, channelId]),
+    loaders.channel.load(channelId),
     loaders.channelSettings.load(channelId),
   ]);
 
-  if (!permissions.isOwner) {
+  const communityPermissions = await loaders.userPermissionsInCommunity.load([
+    currentUser.id,
+    channel.communityId,
+  ]);
+
+  if (!channelPermissions || !communityPermissions) {
+    return new UserError("You don't have permission to do this.");
+  }
+
+  const canEdit =
+    channelPermissions.isOwner ||
+    channelPermissions.isModerator ||
+    communityPermissions.isOwner ||
+    communityPermissions.isModerator;
+
+  if (!canEdit) {
     return new UserError("You don't have permission to do this.");
   }
 

api/mutations/channel/enableChannelTokenJoin.js

@@ -22,12 +22,28 @@ export default async (
     return new UserError('You must be signed in to manage this channel.');
   }
 
-  const [permissions, settings] = await Promise.all([
+  const [channelPermissions, channel, settings] = await Promise.all([
     loaders.userPermissionsInChannel.load([currentUser.id, channelId]),
+    loaders.channel.load(channelId),
     loaders.channelSettings.load(channelId),
   ]);
 
-  if (!permissions.isOwner) {
+  const communityPermissions = await loaders.userPermissionsInCommunity.load([
+    currentUser.id,
+    channel.communityId,
+  ]);
+
+  if (!channelPermissions || !communityPermissions) {
+    return new UserError("You don't have permission to do this.");
+  }
+
+  const canEdit =
+    channelPermissions.isOwner ||
+    channelPermissions.isModerator ||
+    communityPermissions.isOwner ||
+    communityPermissions.isModerator;
+
+  if (!canEdit) {
     return new UserError("You don't have permission to do this.");
   }
 

api/mutations/channel/resetChannelJoinToken.js

@@ -23,12 +23,28 @@ export default async (
     return new UserError('You must be signed in to manage this channel.');
   }
 
-  const [permissions, settings] = await Promise.all([
+  const [channelPermissions, channel, settings] = await Promise.all([
     loaders.userPermissionsInChannel.load([currentUser.id, channelId]),
+    loaders.channel.load(channelId),
     loaders.channelSettings.load(channelId),
   ]);
 
-  if (!permissions.isOwner) {
+  const communityPermissions = await loaders.userPermissionsInCommunity.load([
+    currentUser.id,
+    channel.communityId,
+  ]);
+
+  if (!channelPermissions || !communityPermissions) {
+    return new UserError("You don't have permission to do this.");
+  }
+
+  const canEdit =
+    channelPermissions.isOwner ||
+    channelPermissions.isModerator ||
+    communityPermissions.isOwner ||
+    communityPermissions.isModerator;
+
+  if (!canEdit) {
     return new UserError("You don't have permission to do this.");
   }
 

api/mutations/channel/togglePendingUser.js

@@ -12,6 +12,7 @@ import {
   getUserPermissionsInCommunity,
   createMemberInCommunity,
 } from '../../models/usersCommunities';
+import { sendPrivateChannelRequestApprovedQueue } from 'shared/bull/queues';
 
 type TogglePendingUserInput = {
   input: {
@@ -74,7 +75,9 @@ export default async (
   // user is neither a community or channel owner, they don't have permission
   if (
     currentUserChannelPermissions.isOwner ||
-    currentUserCommunityPermissions.isOwner
+    currentUserCommunityPermissions.isOwner ||
+    currentUserChannelPermissions.isModerator ||
+    currentUserCommunityPermissions.isModerator
   ) {
     // all checks passed
     // determine whether to approve or block them
@@ -91,6 +94,13 @@ export default async (
         input.userId
       );
 
+      sendPrivateChannelRequestApprovedQueue.add({
+        userId: input.userId,
+        channelId: input.channelId,
+        communityId: channelToEvaluate.communityId,
+        moderatorId: currentUser.id,
+      });
+
       // if the user is a member of the parent community, we can return
       if (evaluatedUserCommunityPermissions.isMember) {
         return Promise.all([channelToEvaluate, approveUser]).then(
@@ -113,6 +123,6 @@ export default async (
   }
 
   return new UserError(
-    "You don't have permission to make changes to this channel."
+    "You don't have permission to manage users in this channel."
   );
 };

api/mutations/channel/unblockUser.js

@@ -59,7 +59,9 @@ export default async (
   // if a user owns the community or owns the channel, they can make this change
   if (
     currentUserChannelPermissions.isOwner ||
-    currentUserCommunityPermissions.isOwner
+    currentUserCommunityPermissions.isOwner ||
+    currentUserChannelPermissions.isModerator ||
+    currentUserCommunityPermissions.isModerator
   ) {
     return unblockMemberInChannel(input.channelId, input.userId).then(
       () => channelToEvaluate

api/mutations/community/disableBrandedLogin.js

@@ -27,7 +27,13 @@ export default async (
     loaders.communitySettings.load(communityId),
   ]);
 
-  if (!permissions.isOwner) {
+  if (!permissions) {
+    return new UserError("You don't have permission to do this.");
+  }
+
+  const { isOwner, isModerator } = permissions;
+
+  if (!isOwner && !isModerator) {
     return new UserError("You don't have permission to do this.");
   }
 

api/mutations/community/enableBrandedLogin.js

@@ -27,7 +27,13 @@ export default async (
     loaders.communitySettings.load(communityId),
   ]);
 
-  if (!permissions.isOwner) {
+  if (!permissions) {
+    return new UserError("You don't have permission to do this.");
+  }
+
+  const { isOwner, isModerator } = permissions;
+
+  if (!isOwner && !isModerator) {
     return new UserError("You don't have permission to do this.");
   }
 

api/mutations/community/saveBrandedLoginSettings.js

@@ -34,7 +34,13 @@ export default async (
     loaders.communitySettings.load(communityId),
   ]);
 
-  if (!permissions.isOwner) {
+  if (!permissions) {
+    return new UserError("You don't have permission to do this.");
+  }
+
+  const { isOwner, isModerator } = permissions;
+
+  if (!isOwner && !isModerator) {
     return new UserError("You don't have permission to do this.");
   }
 

api/mutations/directMessageThread/createDirectMessageThread.js

@@ -6,7 +6,7 @@ import {
   getDirectMessageThread,
   createDirectMessageThread,
 } from '../../models/directMessageThread';
-import { uploadImage } from '../../utils/s3';
+import { uploadImage } from '../../utils/file-storage';
 import { storeMessage } from '../../models/message';
 import {
   setUserLastSeenInDirectMessageThread,

api/mutations/message/addMessage.js

@@ -3,7 +3,7 @@ import { stateFromMarkdown } from 'draft-js-import-markdown';
 import { EditorState } from 'draft-js';
 import type { GraphQLContext } from '../../';
 import UserError from '../../utils/UserError';
-import { uploadImage } from '../../utils/s3';
+import { uploadImage } from '../../utils/file-storage';
 import { storeMessage } from '../../models/message';
 import { setDirectMessageThreadLastActive } from '../../models/directMessageThread';
 import { setUserLastSeenInDirectMessageThread } from '../../models/usersDirectMessageThreads';

api/mutations/thread/editThread.js

@@ -2,7 +2,7 @@
 import type { GraphQLContext } from '../../';
 import type { EditThreadInput } from '../../models/thread';
 import UserError from '../../utils/UserError';
-import { uploadImage } from '../../utils/s3';
+import { uploadImage } from '../../utils/file-storage';
 import { getThreads, editThread } from '../../models/thread';
 import { getUserPermissionsInCommunity } from '../../models/usersCommunities';
 import { getUserPermissionsInChannel } from '../../models/usersChannels';

api/mutations/thread/publishThread.js

@@ -3,7 +3,7 @@ const debug = require('debug')('api:mutations:thread:publish-thread');
 import stringSimilarity from 'string-similarity';
 import type { GraphQLContext } from '../../';
 import UserError from '../../utils/UserError';
-import { uploadImage } from '../../utils/s3';
+import { uploadImage } from '../../utils/file-storage';
 import {
   publishThread,
   editThread,

api/package.json

@@ -49,9 +49,11 @@
     "graphql-server-express": "1.3.0",
     "graphql-subscriptions": "0.4.x",
     "graphql-tools": "1.2.3",
+    "helmet": "^3.12.0",
     "highlight.js": "^9.10.0",
     "history": "^4.6.1",
     "hoist-non-react-statics": "^2.3.1",
+    "hpp": "^0.2.2",
     "imgix-core-js": "^1.0.6",
     "immutability-helper": "^2.2.0",
     "isomorphic-fetch": "^2.2.1",

api/queries/community/billingSettings.js

@@ -29,6 +29,8 @@ export default async (
     loaders.stripeCustomers.load(stripeCustomerId),
   ]);
 
+  if (!permissions) return defaultResult;
+
   const { isOwner, isModerator } = permissions;
   const customer =
     stripeCustomer && stripeCustomer.reduction.length > 0
@@ -49,8 +51,9 @@ export default async (
       : subscriptions;
 
   return {
-    pendingAdministratorEmail: isOwner ? pendingAdministratorEmail : null,
-    administratorEmail: isOwner ? administratorEmail : null,
+    pendingAdministratorEmail:
+      isOwner || isModerator ? pendingAdministratorEmail : null,
+    administratorEmail: isOwner || isModerator ? administratorEmail : null,
     sources: sources,
     invoices: cleanInvoices,
     subscriptions: subscriptions,

api/queries/community/hasChargeableSource.js

@@ -9,10 +9,14 @@ export default async (
 ) => {
   if (!stripeCustomerId || !user) return false;
 
-  const {
-    isOwner,
-    isModerator,
-  } = await loaders.userPermissionsInCommunity.load([user.id, id]);
+  const permissions = await loaders.userPermissionsInCommunity.load([
+    user.id,
+    id,
+  ]);
+
+  if (!permissions) return null;
+
+  const { isOwner, isModerator } = permissions;
 
   if (!isOwner && !isModerator) return null;
   return loaders.stripeCustomers.load(stripeCustomerId).then(results => {