@jsreport/jsreport-scripts - npm Package Compare versions

Comparing version 3.2.1 to 3.3.0

lib/worker.js

@@ -223,3 +223,3 @@ /*!
 
-    const items = await Promise.all(req.template.scripts.map(async (script) => {
+    let items = await Promise.all(req.template.scripts.map(async (script) => {
       if (script.content) {
@@ -238,19 +238,48 @@ return script
 
-      let items = await this.reporter.documentStore.collection('scripts').find(query, req)
+      const originalItems = await this.reporter.documentStore.collection('scripts').find(query, req)
+      const items = originalItems.filter((s) => s.scope === 'template' || (s.scope == null && !s.isGlobal))
 
-      items = items.filter((s) => s.scope === 'template' || (s.scope == null && !s.isGlobal))
-
       if (items.length < 1) {
-        const error = this.reporter.createError(`Script not found or user not authorized to read it (${
-          (script.shortid || script.name)
-        })`, {
-          weak: true,
-          statusCode: 403
-        })
+        // executing request to store without user to verify if the script exists or if
+        // it is just not accessible for the current user
+        const scriptResultFromLocal = await this.reporter.documentStore.collection('scripts').findAdmin(query, req)
 
+        let error
+
+        if (scriptResultFromLocal.length === 0) {
+          error = this.reporter.createError(`Script not found (${
+            (script.name || script.shortid)
+          })`, {
+            weak: true,
+            statusCode: 404
+          })
+        } else {
+          const attachedScript = scriptResultFromLocal[0]
+
+          if (originalItems.length > 0) {
+            // if we get to here it means that script was attached to template but the script
+            // found has scope that is not expected to be run at the template level
+            this.reporter.logger.warn(`Skipping execution of script attached to template (${
+              (attachedScript.name || attachedScript.shortid)
+            }) because its scope is inconsistent`, req)
+
+            return null
+          }
+
+          error = this.reporter.createError(`User not authorized to read script (${
+            (attachedScript.name || attachedScript.shortid)
+          })`, {
+            weak: true,
+            statusCode: 403
+          })
+        }
+
         throw error
       }
+
       return items[0]
     }))
 
+    items = items.filter((i) => i != null)
+
     const globalItems = await this.reporter.documentStore.collection('scripts').find({
@@ -257,0 +286,0 @@ $or: [

package.json

 {
   "name": "@jsreport/jsreport-scripts",
-  "version": "3.2.1",
+  "version": "3.3.0",
   "description": "jsreport extension capable of running custom javascript functions during the rendering process",
@@ -32,6 +32,6 @@ "keywords": [
   "devDependencies": {
-    "@jsreport/jsreport-assets": "3.4.2",
-    "@jsreport/jsreport-core": "3.6.1",
+    "@jsreport/jsreport-assets": "3.5.0",
+    "@jsreport/jsreport-core": "3.9.0",
     "@jsreport/jsreport-jsrender": "3.0.0",
-    "@jsreport/studio-dev": "3.1.0",
+    "@jsreport/studio-dev": "3.2.0",
     "bluebird": "3.7.2",
@@ -38,0 +38,0 @@ "mocha": "5.2.0",

README.md

@@ -10,2 +10,6 @@ # @jsreport/jsreport-scripts
 
+### 3.3.0
+
+- ignore scripts attached to template which contain scope that is not compatible to run at the template level
+
 ### 3.2.1
@@ -12,0 +16,0 @@

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

96073

increased by1.34%

Lines of code

1518

increased by1.54%

Number of lines in readme file

27

increased by17.39%

No dependency changes