fix: users can't navigate to hidden or private built-in pages

Fixes https://github.com/logseq/db-test/issues/91 where user is creating error states by accessing private built-in pages they shouldn't be able to access. Also fixes https://github.com/logseq/db-test/issues/92#issuecomment-2352089389 where user could navigate to hidden page
2024-09-16 12:51:37 -04:00 · 2024-09-16 12:51:37 -04:00 · c8d43c2718
parent f8a94686ad
commit c8d43c2718
3 changed files with 40 additions and 22 deletions
--- a/deps/db/src/logseq/db.cljs
+++ b/deps/db/src/logseq/db.cljs
@ -482,6 +482,19 @@
       (contains? (set (get-in (db-class/built-in-classes (:db/ident class-entity)) [:schema :properties]))
                  (:db/ident property-entity))))

+(defn private-built-in-page?
+  "Private built-in pages should not be navigable or searchable by users. Later it
+   could be useful to use this for the All Pages view"
+  [page]
+  (cond (property? page)
+        (not (public-built-in-property? page))
+        (or (class? page) (= "page" (:block/type page)))
+        false
+        ;; Default to true for closed value and future internal types.
+        ;; Other types like whiteboard are not considered because they aren't built-in
+        :else
+        true))
+
 (def write-transit-str sqlite-util/write-transit-str)
 (def read-transit-str sqlite-util/read-transit-str)

--- a/src/main/frontend/handler/route.cljs
+++ b/src/main/frontend/handler/route.cljs
@ -15,7 +15,9 @@
            [reitit.frontend.easy :as rfe]
            [frontend.context.i18n :refer [t]]
            [clojure.string :as string]
-            [logseq.common.util :as common-util]))
+            [logseq.common.util :as common-util]
+            [frontend.handler.notification :as notification]
+            [logseq.db :as ldb]))

 (defn redirect!
  "If `push` is truthy, previous page will be left in history."
@ -80,6 +82,10 @@
             (and (string? page-name) (not (string/blank? page-name))))
     (let [page (db/get-page page-name)
           whiteboard? (db/whiteboard-page? page)]
+       (if (and (not config/dev?)
+                (or (ldb/hidden? page)
+                    (and (ldb/built-in? page) (ldb/private-built-in-page? page))))
+         (notification/show! "Cannot go to an internal page." :warning)
         (if-let [source (db/get-alias-source-page (state/get-current-repo) (:db/id page))]
           (redirect-to-page! (:block/uuid source) opts)
           (do
@ -102,7 +108,7 @@

                         (boolean? push)
                         (assoc :push push))]
-               (redirect! m)))))))))
+                 (redirect! m))))))))))

 (defn get-title
  [name path-params]
--- a/src/main/frontend/worker/search.cljs
+++ b/src/main/frontend/worker/search.cljs
@ -286,8 +286,7 @@ DROP TRIGGER IF EXISTS blocks_au;
                                            true
                                            (if built-in?
                                              (or (not (ldb/built-in? block))
-                                                 (ldb/class? block)
-                                                 (ldb/public-built-in-property? block))
+                                                  (not (ldb/private-built-in-page? block)))
                                              (not (ldb/built-in? block))))
                                      {:db/id (:db/id block)
                                       :block/uuid block-id