mirror of https://github.com/logseq/logseq
fix: users can't navigate to hidden or private built-in pages
Fixes https://github.com/logseq/db-test/issues/91 where user is creating error states by accessing private built-in pages they shouldn't be able to access. Also fixes https://github.com/logseq/db-test/issues/92#issuecomment-2352089389 where user could navigate to hidden page
pull/11531/head
parent
f8a94686ad
commit
c8d43c2718
|
@ -482,6 +482,19 @@
|
|||
(contains? (set (get-in (db-class/built-in-classes (:db/ident class-entity)) [:schema :properties]))
|
||||
(:db/ident property-entity))))
|
||||
|
||||
(defn private-built-in-page?
|
||||
"Private built-in pages should not be navigable or searchable by users. Later it
|
||||
could be useful to use this for the All Pages view"
|
||||
[page]
|
||||
(cond (property? page)
|
||||
(not (public-built-in-property? page))
|
||||
(or (class? page) (= "page" (:block/type page)))
|
||||
false
|
||||
;; Default to true for closed value and future internal types.
|
||||
;; Other types like whiteboard are not considered because they aren't built-in
|
||||
:else
|
||||
true))
|
||||
|
||||
(def write-transit-str sqlite-util/write-transit-str)
|
||||
(def read-transit-str sqlite-util/read-transit-str)
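Review bot: `private-built-in-page?` falls through to `:else true` for anything that is not a property, a class or a `"page"`-typed entity, so it also answers true for a user's whiteboard unless the caller has already checked that the entity is built-in. The docstring does not state that precondition, and because this predicate gates navigation and search, a future caller that omits the check would hide ordinary user pages. I would add a docstring sentence such as `Assumes page is a built-in entity; callers must check built-in? first.` Alternatively the built-in check could move inside the function, if that predicate is defined earlier in this namespace, which is not visible from the hunk.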
|
||||
|
||||
|
|
|
@ -15,7 +15,9 @@
|
|||
[reitit.frontend.easy :as rfe]
|
||||
[frontend.context.i18n :refer [t]]
|
||||
[clojure.string :as string]
|
||||
[logseq.common.util :as common-util]))
|
||||
[logseq.common.util :as common-util]
|
||||
[frontend.handler.notification :as notification]
|
||||
[logseq.db :as ldb]))
|
||||
|
||||
(defn redirect!
|
||||
"If `push` is truthy, previous page will be left in history."
|
||||
|
@ -80,29 +82,33 @@
|
|||
(and (string? page-name) (not (string/blank? page-name))))
|
||||
(let [page (db/get-page page-name)
|
||||
whiteboard? (db/whiteboard-page? page)]
|
||||
(if-let [source (db/get-alias-source-page (state/get-current-repo) (:db/id page))]
|
||||
(redirect-to-page! (:block/uuid source) opts)
|
||||
(do
|
||||
(if (and (not config/dev?)
|
||||
(or (ldb/hidden? page)
|
||||
(and (ldb/built-in? page) (ldb/private-built-in-page? page))))
|
||||
(notification/show! "Cannot go to an internal page." :warning)
|
||||
(if-let [source (db/get-alias-source-page (state/get-current-repo) (:db/id page))]
|
||||
(redirect-to-page! (:block/uuid source) opts)
|
||||
(do
|
||||
;; Always skip onboarding when loading an existing whiteboard
|
||||
(when-not new-whiteboard? (state/set-onboarding-whiteboard! true))
|
||||
(when-let [db-id (:db/id page)]
|
||||
(recent-handler/add-page-to-recent! db-id click-from-recent?))
|
||||
(if (and whiteboard? (= (str page-name) (state/get-current-page)) block-id)
|
||||
(state/focus-whiteboard-shape block-id)
|
||||
(let [m (cond->
|
||||
(default-page-route (str page-name))
|
||||
(when-not new-whiteboard? (state/set-onboarding-whiteboard! true))
|
||||
(when-let [db-id (:db/id page)]
|
||||
(recent-handler/add-page-to-recent! db-id click-from-recent?))
|
||||
(if (and whiteboard? (= (str page-name) (state/get-current-page)) block-id)
|
||||
(state/focus-whiteboard-shape block-id)
|
||||
(let [m (cond->
|
||||
(default-page-route (str page-name))
|
||||
|
||||
block-id
|
||||
(assoc :query-params (if whiteboard?
|
||||
{:block-id block-id}
|
||||
{:anchor (str "ls-block-" block-id)}))
|
||||
block-id
|
||||
(assoc :query-params (if whiteboard?
|
||||
{:block-id block-id}
|
||||
{:anchor (str "ls-block-" block-id)}))
|
||||
|
||||
anchor
|
||||
(assoc :query-params {:anchor anchor})
|
||||
anchor
|
||||
(assoc :query-params {:anchor anchor})
|
||||
|
||||
(boolean? push)
|
||||
(assoc :push push))]
|
||||
(redirect! m)))))))))
|
||||
(boolean? push)
|
||||
(assoc :push push))]
|
||||
(redirect! m))))))))))
|
||||
|
||||
(defn get-title
|
||||
[name path-params]
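Review bot: The new `(not config/dev?)` guard only covers navigation that goes through this function (presumably `redirect-to-page!`, whose head is outside the hunk), so a page route reached another way, such as a direct call to `redirect!` or a URL opened by hand, would not hit it. If the error states in the linked issue come from rendering these pages at all, the same `ldb/hidden?` / `ldb/private-built-in-page?` test probably also belongs where the page route is resolved, which I cannot see from here. If dev builds are exempt on purpose, a comment above the `if` would record that, e.g. `;; Dev builds may open internal pages for debugging; users are blocked`. The warning text is also a hard-coded English string although `t` is already required in this namespace.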
|
||||
|
|
|
@ -286,8 +286,7 @@ DROP TRIGGER IF EXISTS blocks_au;
|
|||
true
|
||||
(if built-in?
|
||||
(or (not (ldb/built-in? block))
|
||||
(ldb/class? block)
|
||||
(ldb/public-built-in-property? block))
|
||||
(not (ldb/private-built-in-page? block)))
|
||||
(not (ldb/built-in? block))))
|
||||
{:db/id (:db/id block)
|
||||
:block/uuid block-id
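Review bot: The `built-in?` branch now excludes private built-in pages from results, but nothing in this hunk filters entities for which `ldb/hidden?` is true, while the route change in the same commit refuses to open them. Unless hidden pages are dropped earlier in this function (its start is outside the hunk), a search hit could still lead to the "Cannot go to an internal page." warning. Consider using the same condition in this branch, for instance `(not (or (ldb/hidden? block) (and (ldb/built-in? block) (ldb/private-built-in-page? block))))`. A single shared predicate would keep search and navigation from drifting apart.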
|
||||
|
|