diff --git a/frontend/src/components/ControlledDatePicker.js b/frontend/src/components/ControlledDatePicker.js index bb0eedcd87..7615f255f3 100644 --- a/frontend/src/components/ControlledDatePicker.js +++ b/frontend/src/components/ControlledDatePicker.js @@ -21,6 +21,7 @@ export default function ControlledDatePicker({ isStartDate, inputId, endDate, + customValidationMessages, required, }) { /** @@ -54,20 +55,25 @@ export default function ControlledDatePicker({ const formattedValue = value ? moment(value, DATE_DISPLAY_FORMAT).format(DATEPICKER_VALUE_FORMAT) : ''; + const { + beforeMessage, + afterMessage, + invalidMessage, + } = customValidationMessages; + // this is our custom validation function we pass to the hook form controller function validate(v) { const newValue = moment(v, DATE_DISPLAY_FORMAT); - if (!newValue.isValid()) { - return 'Enter valid date'; + return invalidMessage || 'Enter valid date'; } if (newValue.isBefore(min.moment)) { - return `Please enter a date after ${min.display}`; + return afterMessage || `Please enter a date after ${min.display}`; } if (newValue.isAfter(max.moment)) { - return `Please enter a date before ${max.display}`; + return beforeMessage || `Please enter a date before ${max.display}`; } return true; @@ -135,6 +141,11 @@ ControlledDatePicker.propTypes = { inputId: PropTypes.string.isRequired, endDate: PropTypes.string, required: PropTypes.bool, + customValidationMessages: PropTypes.shape({ + beforeMessage: PropTypes.string, + afterMessage: PropTypes.string, + invalidMessage: PropTypes.string, + }), }; ControlledDatePicker.defaultProps = { @@ -145,4 +156,9 @@ ControlledDatePicker.defaultProps = { setEndDate: () => {}, required: true, value: '', + customValidationMessages: { + beforeMessage: '', + afterMessage: '', + invalidMessage: '', + }, }; diff --git a/frontend/src/components/__tests__/ControlledDatePicker.js b/frontend/src/components/__tests__/ControlledDatePicker.js index 36dec43be1..f17e073350 100644 --- a/frontend/src/components/__tests__/ControlledDatePicker.js +++ b/frontend/src/components/__tests__/ControlledDatePicker.js @@ -2,17 +2,24 @@ import '@testing-library/jest-dom'; import React from 'react'; import moment from 'moment'; -import { render, screen, act } from '@testing-library/react'; +import { + render, screen, act, fireEvent, +} from '@testing-library/react'; import { useForm } from 'react-hook-form'; import userEvent from '@testing-library/user-event'; import { Grid } from '@trussworks/react-uswds'; import { DATE_DISPLAY_FORMAT } from '../../Constants'; - import ControlledDatePicker from '../ControlledDatePicker'; +const defaultValidation = { + beforeMessage: '', + afterMessage: '', + invalidMessage: '', +}; + describe('Controlled Date Picker', () => { // eslint-disable-next-line react/prop-types - const TestDatePicker = ({ setEndDate }) => { + const TestDatePicker = ({ setEndDate, customValidationMessages = defaultValidation }) => { const { control, errors, handleSubmit, watch, } = useForm({ @@ -34,9 +41,11 @@ describe('Controlled Date Picker', () => { Start date { minDate={startDate} key="endDateKey" inputId="endDate" + customValidationMessages={customValidationMessages} /> @@ -89,6 +99,47 @@ describe('Controlled Date Picker', () => { expect(setEndDate).toHaveBeenCalled(); }); + it('displays custom validation messages', async () => { + const setEndDate = jest.fn(); + render(); + + const ed = await screen.findByRole('textbox', { name: /end date/i }); + const sd = await screen.findByRole('textbox', { name: /start date/i }); + + act(() => { + userEvent.type(ed, '12/31/2020'); + userEvent.type(sd, '01/03/2021'); + }); + expect(await screen.findByText('Invalid message')).toBeVisible(); + act(() => { + userEvent.clear(sd); + userEvent.clear(ed); + }); + userEvent.type(ed, '12/31/2020'); + userEvent.type(sd, '08/31/2020'); + + fireEvent.blur(sd); + + expect(await screen.findByText('After message')).toBeVisible(); + + act(() => { + userEvent.clear(sd); + userEvent.clear(ed); + }); + userEvent.type(ed, '12/31/2020'); + userEvent.type(sd, '01/01/2021'); + + fireEvent.blur(ed); + expect(await screen.findByText('Before message')).toBeVisible(); + }); + it('can set future start date and adjust end date', async () => { const setEndDate = jest.fn(); render(); diff --git a/frontend/src/pages/Admin/FeedPreview.js b/frontend/src/pages/Admin/FeedPreview.js new file mode 100644 index 0000000000..a9e4ab2528 --- /dev/null +++ b/frontend/src/pages/Admin/FeedPreview.js @@ -0,0 +1,158 @@ +import React, { useState, useRef } from 'react'; +import { + ButtonGroup, + Button, + Form, + FormGroup, + Label, + TextInput, +} from '@trussworks/react-uswds'; +import ContentFromFeedByTag from '../../components/ContentFromFeedByTag'; +import Container from '../../components/Container'; +import DrawerTriggerButton from '../../components/DrawerTriggerButton'; +import Drawer from '../../components/Drawer'; + +export default function FeedPreview() { + const [title, setTitle] = useState(''); + const [tag, setTag] = useState(''); + const [contentSelector, setContentSelector] = useState(''); + const [cssClass, setCssClass] = useState(''); + const drawerTriggerRef = useRef(null); + + const onSubmit = (e) => { + e.preventDefault(); + const data = new FormData(e.target); + setTitle(data.get('title')); + setTag(data.get('tag')); + setContentSelector(data.get('contentSelector')); + setCssClass(data.get('cssClass')); + }; + + const onReset = () => { + setTitle(''); + setTag(''); + setContentSelector(''); + setCssClass(''); + }; + + return ( + +

Preview confluence RSS feed

+ {' '} + {tag && ( + <> + + Preview drawer + + + + + + + )} +
+
+ More info +

+ The CSS class is used to style the feed preview by the engineers. + The option to add it here is so that you can preview changes to existing feeds. + (It won't do anything unless an engineer has already + added corresponding styles.) +

+
+ + + + + + + + + + + + + + + + + + + + + +
+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ Existing drawer configuration +
Drawer titleTagContent selectorCSS class
Support typettahub-tta-support-typetablettahub-drawer--objective-support-type-guidance
Objective topicsttahub-topictablettahub-drawer--objective-topics-guidance
Class review first sectionttahub-class-thresholdsdiv:nth-child(3)ttahub-class-feed-article
Class review second sectionttahub-class-thresholdsdiv:nth-child(4)ttahub-class-feed-article
+ + + ); +} diff --git a/frontend/src/pages/Admin/__tests__/FeedPreview.js b/frontend/src/pages/Admin/__tests__/FeedPreview.js new file mode 100644 index 0000000000..52c28f6918 --- /dev/null +++ b/frontend/src/pages/Admin/__tests__/FeedPreview.js @@ -0,0 +1,51 @@ +import '@testing-library/jest-dom'; +import React from 'react'; +import { + render, screen, act, + waitFor, +} from '@testing-library/react'; +import userEvent from '@testing-library/user-event'; +import fetchMock from 'fetch-mock'; +import join from 'url-join'; +import FeedPreview from '../FeedPreview'; +import { mockRSSData } from '../../../testHelpers'; + +const tagUrl = join('/', 'api', 'feeds', 'item', '?tag=tag'); + +describe('FeedPreview', () => { + const renderTest = () => { + render(); + }; + + afterEach(() => fetchMock.restore()); + + it('renders page and submits form', async () => { + fetchMock.get(tagUrl, mockRSSData()); + act(() => { + renderTest(); + }); + + userEvent.type(await screen.findByLabelText('Tag'), 'tag'); + userEvent.type(await screen.findByLabelText('Title'), 'title'); + userEvent.type(await screen.findByLabelText('Content selector'), 'contentSelector'); + userEvent.type(await screen.findByLabelText('CSS class'), 'cssClass'); + + userEvent.click(await screen.findByRole('button', { name: 'Reset' })); + + expect(await screen.findByLabelText('Tag')).toHaveValue(''); + expect(await screen.findByLabelText('Title')).toHaveValue(''); + expect(await screen.findByLabelText('Content selector')).toHaveValue(''); + expect(await screen.findByLabelText('CSS class')).toHaveValue(''); + + userEvent.type(await screen.findByLabelText('Tag'), 'tag'); + userEvent.type(await screen.findByLabelText('Title'), 'title'); + userEvent.type(await screen.findByLabelText('Content selector'), 'contentSelector'); + userEvent.type(await screen.findByLabelText('CSS class'), 'cssClass'); + + act(() => { + userEvent.click(screen.getByRole('button', { name: 'Save changes' })); + }); + + await waitFor(() => expect(fetchMock.called(tagUrl)).toBe(true)); + }); +}); diff --git a/frontend/src/pages/Admin/__tests__/index.js b/frontend/src/pages/Admin/__tests__/index.js index 2f47dbaa57..06250b80b5 100644 --- a/frontend/src/pages/Admin/__tests__/index.js +++ b/frontend/src/pages/Admin/__tests__/index.js @@ -97,4 +97,16 @@ describe('Admin landing page', () => { const heading = await screen.findByRole('heading', { name: /national centers/i }); expect(heading).toBeVisible(); }); + + it('displays the feed preview page', async () => { + history.push('/admin/feed-preview'); + render( + + + , + ); + + const heading = await screen.findByRole('heading', { name: /Preview confluence RSS feed/i }); + expect(heading).toBeVisible(); + }); }); diff --git a/frontend/src/pages/Admin/index.js b/frontend/src/pages/Admin/index.js index bf90a595c6..e0c76fce71 100644 --- a/frontend/src/pages/Admin/index.js +++ b/frontend/src/pages/Admin/index.js @@ -13,13 +13,14 @@ import SS from './SS'; import TrainingReports from './TrainingReports'; import Courses from './Courses'; import CourseEdit from './CourseEdit'; +import FeedPreview from './FeedPreview'; function Admin() { return ( <>

Admin

Support

-
+
CDI grants @@ -50,6 +51,9 @@ function Admin() { SS + + Confluence feed preview +

Engineer only

@@ -106,6 +110,10 @@ function Admin() { path="/admin/course/:courseId" render={({ match }) => } /> + } + /> ); diff --git a/frontend/src/pages/SessionForm/index.js b/frontend/src/pages/SessionForm/index.js index 2011f0f38a..e0d2042178 100644 --- a/frontend/src/pages/SessionForm/index.js +++ b/frontend/src/pages/SessionForm/index.js @@ -248,6 +248,7 @@ export default function SessionForm({ match }) { } try { const session = await getSessionBySessionId(sessionId); + // eslint-disable-next-line max-len const isPocFromSession = (session.event.pocIds || []).includes(user.id) && !isAdminUser; resetFormData(hookForm.reset, session, isPocFromSession, isAdminUser); reportId.current = session.id; @@ -440,6 +441,8 @@ export default function SessionForm({ match }) { } }; + const { event } = formData; + return (
{ error @@ -504,6 +507,7 @@ export default function SessionForm({ match }) { status: formData.status, pages: applicationPages, isAdminUser, + event, }} formData={formData} pages={applicationPages} diff --git a/frontend/src/pages/SessionForm/pages/sessionSummary.js b/frontend/src/pages/SessionForm/pages/sessionSummary.js index f03180db61..738090dd97 100644 --- a/frontend/src/pages/SessionForm/pages/sessionSummary.js +++ b/frontend/src/pages/SessionForm/pages/sessionSummary.js @@ -53,7 +53,7 @@ const DEFAULT_RESOURCE = { value: '', }; -const SessionSummary = ({ datePickerKey }) => { +const SessionSummary = ({ datePickerKey, event }) => { const { setIsAppLoading, setAppLoadingText } = useContext(AppLoadingContext); const { @@ -70,6 +70,8 @@ const SessionSummary = ({ datePickerKey }) => { const { id } = data; + const { startDate: eventStartDate } = (event || { data: { startDate: null } }).data; + const startDate = watch('startDate'); const endDate = watch('endDate'); const courses = watch('courses'); @@ -274,6 +276,10 @@ const SessionSummary = ({ datePickerKey }) => { isStartDate inputId="startDate" endDate={endDate} + minDate={eventStartDate} + customValidationMessages={{ + afterMessage: 'Date selected can\'t be before event start date.', + }} /> @@ -628,6 +634,15 @@ const SessionSummary = ({ datePickerKey }) => { SessionSummary.propTypes = { datePickerKey: PropTypes.string.isRequired, + event: PropTypes.shape({ + data: { + endDate: PropTypes.string, + }, + }), +}; + +SessionSummary.defaultProps = { + event: null, }; const fields = [...Object.keys(sessionSummaryFields), 'endDate', 'startDate']; @@ -667,7 +682,7 @@ export default { Alert, ) => (
- +
{ @@ -684,7 +699,6 @@ export default { && additionalData.status !== TRAINING_REPORT_STATUSES.COMPLETE && ( ) - }
diff --git a/frontend/src/pages/TrainingReports/components/EventCard.js b/frontend/src/pages/TrainingReports/components/EventCard.js index 5a581e8aa1..13da7fc91b 100644 --- a/frontend/src/pages/TrainingReports/components/EventCard.js +++ b/frontend/src/pages/TrainingReports/components/EventCard.js @@ -49,7 +49,7 @@ function EventCard({ const isComplete = data.status === TRAINING_REPORT_STATUSES.COMPLETE; const isNotCompleteOrSuspended = !isComplete && !isSuspended; - const canEditEvent = ((isOwnerOrCollaborator && !eventSubmitted && isNotCompleteOrSuspended) + const canEditEvent = ((isOwner && !eventSubmitted && isNotCompleteOrSuspended) || (hasAdminRights && isNotCompleteOrSuspended)); const canCreateSession = isNotCompleteOrSuspended && isOwnerOrCollaborator; const canDeleteEvent = hasAdminRights && (data.status === TRAINING_REPORT_STATUSES.NOT_STARTED diff --git a/frontend/src/pages/TrainingReports/components/__tests__/EventCards.js b/frontend/src/pages/TrainingReports/components/__tests__/EventCards.js index 59e43aabe8..248450d05e 100644 --- a/frontend/src/pages/TrainingReports/components/__tests__/EventCards.js +++ b/frontend/src/pages/TrainingReports/components/__tests__/EventCards.js @@ -270,7 +270,7 @@ describe('EventCards', () => { button.click(button); }); - it('collaborators cannot create training', () => { + it('collaborators cannot edit training', () => { const collaboratorEvents = [{ id: 1, ownerId: 3, @@ -314,7 +314,7 @@ describe('EventCards', () => { const button = screen.getByRole('button', { name: /actions for event TR-R01-1234/i }); button.click(button); expect(screen.queryByText(/create session/i)).toBeInTheDocument(); - expect(screen.queryByText(/edit event/i)).toBeInTheDocument(); + expect(screen.queryByText(/edit event/i)).not.toBeInTheDocument(); expect(screen.queryByText(/view event/i)).toBeInTheDocument(); button.click(button); }); diff --git a/frontend/yarn-audit-known-issues b/frontend/yarn-audit-known-issues index 570890a5bb..697c6815af 100644 --- a/frontend/yarn-audit-known-issues +++ b/frontend/yarn-audit-known-issues @@ -1,8 +1,5 @@ -{"type":"auditAdvisory","data":{"resolution":{"id":1097682,"path":"react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>tough-cookie","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.0","paths":["react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>tough-cookie","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>tough-cookie","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-environment-jsdom>jsdom>tough-cookie"]}],"metadata":null,"vulnerable_versions":"<4.1.3","module_name":"tough-cookie","severity":"moderate","github_advisory_id":"GHSA-72xf-g2v4-qvf3","cves":["CVE-2023-26136"],"access":"public","patched_versions":">=4.1.3","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2024-06-21T21:33:53.000Z","recommendation":"Upgrade to version 4.1.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1097682,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ\n- https://security.netapp.com/advisory/ntap-20240621-0006\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. This issue arises from the manner in which the objects are initialized.","url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1097682,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>tough-cookie","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.0","paths":["react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>tough-cookie","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>tough-cookie","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-environment-jsdom>jsdom>tough-cookie"]}],"metadata":null,"vulnerable_versions":"<4.1.3","module_name":"tough-cookie","severity":"moderate","github_advisory_id":"GHSA-72xf-g2v4-qvf3","cves":["CVE-2023-26136"],"access":"public","patched_versions":">=4.1.3","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2024-06-21T21:33:53.000Z","recommendation":"Upgrade to version 4.1.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1097682,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ\n- https://security.netapp.com/advisory/ntap-20240621-0006\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. This issue arises from the manner in which the objects are initialized.","url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1097682,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-environment-jsdom>jsdom>tough-cookie","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.0","paths":["react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>tough-cookie","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>tough-cookie","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-environment-jsdom>jsdom>tough-cookie"]}],"metadata":null,"vulnerable_versions":"<4.1.3","module_name":"tough-cookie","severity":"moderate","github_advisory_id":"GHSA-72xf-g2v4-qvf3","cves":["CVE-2023-26136"],"access":"public","patched_versions":">=4.1.3","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2024-06-21T21:33:53.000Z","recommendation":"Upgrade to version 4.1.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1097682,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ\n- https://security.netapp.com/advisory/ntap-20240621-0006\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. This issue arises from the manner in which the objects are initialized.","url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1099520,"path":"react-scripts>webpack-dev-server>express>body-parser","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"1.20.2","paths":["react-scripts>webpack-dev-server>express>body-parser"]}],"metadata":null,"vulnerable_versions":"<1.20.3","module_name":"body-parser","severity":"high","github_advisory_id":"GHSA-qwcr-r2fm-qrc7","cves":["CVE-2024-45590"],"access":"public","patched_versions":">=1.20.3","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2024-09-10T19:01:11.000Z","recommendation":"Upgrade to version 1.20.3 or later","cwe":["CWE-405"],"found_by":null,"deleted":null,"id":1099520,"references":"- https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7\n- https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce\n- https://nvd.nist.gov/vuln/detail/CVE-2024-45590\n- https://github.com/advisories/GHSA-qwcr-r2fm-qrc7","created":"2024-09-10T15:52:39.000Z","reported_by":null,"title":"body-parser vulnerable to denial of service when url encoding is enabled","npm_advisory_id":null,"overview":"### Impact\n\nbody-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service.\n\n### Patches\n\nthis issue is patched in 1.20.3\n\n### References\n","url":"https://github.com/advisories/GHSA-qwcr-r2fm-qrc7"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1099525,"path":"react-scripts>webpack-dev-server>express>send","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"0.18.0","paths":["react-scripts>webpack-dev-server>express>send","react-scripts>webpack-dev-server>express>serve-static>send"]}],"metadata":null,"vulnerable_versions":"<0.19.0","module_name":"send","severity":"moderate","github_advisory_id":"GHSA-m6fv-jmcg-4jfg","cves":["CVE-2024-43799"],"access":"public","patched_versions":">=0.19.0","cvss":{"score":5,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"updated":"2024-09-10T19:42:42.000Z","recommendation":"Upgrade to version 0.19.0 or later","cwe":["CWE-79"],"found_by":null,"deleted":null,"id":1099525,"references":"- https://github.com/pillarjs/send/security/advisories/GHSA-m6fv-jmcg-4jfg\n- https://nvd.nist.gov/vuln/detail/CVE-2024-43799\n- https://github.com/pillarjs/send/commit/ae4f2989491b392ae2ef3b0015a019770ae65d35\n- https://github.com/advisories/GHSA-m6fv-jmcg-4jfg","created":"2024-09-10T19:42:41.000Z","reported_by":null,"title":"send vulnerable to template injection that can lead to XSS","npm_advisory_id":null,"overview":"### Impact\n\npassing untrusted user input - even after sanitizing it - to `SendStream.redirect()` may execute untrusted code\n\n### Patches\n\nthis issue is patched in send 0.19.0\n\n### Workarounds\n\nusers are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist\n\n### Details\n\nsuccessful exploitation of this vector requires the following:\n\n1. The attacker MUST control the input to response.redirect()\n1. express MUST NOT redirect before the template appears\n1. the browser MUST NOT complete redirection before:\n1. the user MUST click on the link in the template\n","url":"https://github.com/advisories/GHSA-m6fv-jmcg-4jfg"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1099525,"path":"react-scripts>webpack-dev-server>express>serve-static>send","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"0.18.0","paths":["react-scripts>webpack-dev-server>express>send","react-scripts>webpack-dev-server>express>serve-static>send"]}],"metadata":null,"vulnerable_versions":"<0.19.0","module_name":"send","severity":"moderate","github_advisory_id":"GHSA-m6fv-jmcg-4jfg","cves":["CVE-2024-43799"],"access":"public","patched_versions":">=0.19.0","cvss":{"score":5,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"updated":"2024-09-10T19:42:42.000Z","recommendation":"Upgrade to version 0.19.0 or later","cwe":["CWE-79"],"found_by":null,"deleted":null,"id":1099525,"references":"- https://github.com/pillarjs/send/security/advisories/GHSA-m6fv-jmcg-4jfg\n- https://nvd.nist.gov/vuln/detail/CVE-2024-43799\n- https://github.com/pillarjs/send/commit/ae4f2989491b392ae2ef3b0015a019770ae65d35\n- https://github.com/advisories/GHSA-m6fv-jmcg-4jfg","created":"2024-09-10T19:42:41.000Z","reported_by":null,"title":"send vulnerable to template injection that can lead to XSS","npm_advisory_id":null,"overview":"### Impact\n\npassing untrusted user input - even after sanitizing it - to `SendStream.redirect()` may execute untrusted code\n\n### Patches\n\nthis issue is patched in send 0.19.0\n\n### Workarounds\n\nusers are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist\n\n### Details\n\nsuccessful exploitation of this vector requires the following:\n\n1. The attacker MUST control the input to response.redirect()\n1. express MUST NOT redirect before the template appears\n1. the browser MUST NOT complete redirection before:\n1. the user MUST click on the link in the template\n","url":"https://github.com/advisories/GHSA-m6fv-jmcg-4jfg"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1099527,"path":"react-scripts>webpack-dev-server>express>serve-static","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"1.15.0","paths":["react-scripts>webpack-dev-server>express>serve-static"]}],"metadata":null,"vulnerable_versions":"<1.16.0","module_name":"serve-static","severity":"moderate","github_advisory_id":"GHSA-cm22-4g7w-348p","cves":["CVE-2024-43800"],"access":"public","patched_versions":">=1.16.0","cvss":{"score":5,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"updated":"2024-09-10T19:42:34.000Z","recommendation":"Upgrade to version 1.16.0 or later","cwe":["CWE-79"],"found_by":null,"deleted":null,"id":1099527,"references":"- https://github.com/expressjs/serve-static/security/advisories/GHSA-cm22-4g7w-348p\n- https://nvd.nist.gov/vuln/detail/CVE-2024-43800\n- https://github.com/expressjs/serve-static/commit/0c11fad159898cdc69fd9ab63269b72468ecaf6b\n- https://github.com/expressjs/serve-static/commit/ce730896fddce1588111d9ef6fdf20896de5c6fa\n- https://github.com/advisories/GHSA-cm22-4g7w-348p","created":"2024-09-10T19:42:33.000Z","reported_by":null,"title":"serve-static vulnerable to template injection that can lead to XSS","npm_advisory_id":null,"overview":"### Impact\n\npassing untrusted user input - even after sanitizing it - to `redirect()` may execute untrusted code\n\n### Patches\n\nthis issue is patched in serve-static 1.16.0\n\n### Workarounds\n\nusers are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist\n\n### Details\n\nsuccessful exploitation of this vector requires the following:\n\n1. The attacker MUST control the input to response.redirect()\n1. express MUST NOT redirect before the template appears\n1. the browser MUST NOT complete redirection before:\n1. the user MUST click on the link in the template\n","url":"https://github.com/advisories/GHSA-cm22-4g7w-348p"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1099529,"path":"react-scripts>webpack-dev-server>express","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.19.2","paths":["react-scripts>webpack-dev-server>express"]}],"metadata":null,"vulnerable_versions":"<4.20.0","module_name":"express","severity":"moderate","github_advisory_id":"GHSA-qw6h-vgh9-j6wx","cves":["CVE-2024-43796"],"access":"public","patched_versions":">=4.20.0","cvss":{"score":5,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"updated":"2024-09-10T19:41:07.000Z","recommendation":"Upgrade to version 4.20.0 or later","cwe":["CWE-79"],"found_by":null,"deleted":null,"id":1099529,"references":"- https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx\n- https://nvd.nist.gov/vuln/detail/CVE-2024-43796\n- https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553\n- https://github.com/advisories/GHSA-qw6h-vgh9-j6wx","created":"2024-09-10T19:41:04.000Z","reported_by":null,"title":"express vulnerable to XSS via response.redirect()","npm_advisory_id":null,"overview":"### Impact\n\nIn express <4.20.0, passing untrusted user input - even after sanitizing it - to `response.redirect()` may execute untrusted code\n\n### Patches\n\nthis issue is patched in express 4.20.0\n\n### Workarounds\n\nusers are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist\n\n### Details\n\nsuccessful exploitation of this vector requires the following:\n\n1. The attacker MUST control the input to response.redirect()\n1. express MUST NOT redirect before the template appears\n1. the browser MUST NOT complete redirection before:\n1. the user MUST click on the link in the template\n","url":"https://github.com/advisories/GHSA-qw6h-vgh9-j6wx"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1097682,"path":"react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>tough-cookie","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.0","paths":["react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>tough-cookie","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>tough-cookie","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-environment-jsdom>jsdom>tough-cookie"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ\n- https://security.netapp.com/advisory/ntap-20240621-0006\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","id":1097682,"npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. This issue arises from the manner in which the objects are initialized.","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","metadata":null,"cves":["CVE-2023-26136"],"access":"public","severity":"moderate","module_name":"tough-cookie","vulnerable_versions":"<4.1.3","github_advisory_id":"GHSA-72xf-g2v4-qvf3","recommendation":"Upgrade to version 4.1.3 or later","patched_versions":">=4.1.3","updated":"2024-06-21T21:33:53.000Z","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"cwe":["CWE-1321"],"url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1097682,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>tough-cookie","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.0","paths":["react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>tough-cookie","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>tough-cookie","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-environment-jsdom>jsdom>tough-cookie"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ\n- https://security.netapp.com/advisory/ntap-20240621-0006\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","id":1097682,"npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. This issue arises from the manner in which the objects are initialized.","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","metadata":null,"cves":["CVE-2023-26136"],"access":"public","severity":"moderate","module_name":"tough-cookie","vulnerable_versions":"<4.1.3","github_advisory_id":"GHSA-72xf-g2v4-qvf3","recommendation":"Upgrade to version 4.1.3 or later","patched_versions":">=4.1.3","updated":"2024-06-21T21:33:53.000Z","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"cwe":["CWE-1321"],"url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1097682,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-environment-jsdom>jsdom>tough-cookie","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.0","paths":["react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>tough-cookie","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>tough-cookie","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-environment-jsdom>jsdom>tough-cookie"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ\n- https://security.netapp.com/advisory/ntap-20240621-0006\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","id":1097682,"npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. This issue arises from the manner in which the objects are initialized.","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","metadata":null,"cves":["CVE-2023-26136"],"access":"public","severity":"moderate","module_name":"tough-cookie","vulnerable_versions":"<4.1.3","github_advisory_id":"GHSA-72xf-g2v4-qvf3","recommendation":"Upgrade to version 4.1.3 or later","patched_versions":">=4.1.3","updated":"2024-06-21T21:33:53.000Z","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"cwe":["CWE-1321"],"url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1099525,"path":"react-scripts>webpack-dev-server>express>serve-static>send","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"0.18.0","paths":["react-scripts>webpack-dev-server>express>serve-static>send"]}],"found_by":null,"deleted":null,"references":"- https://github.com/pillarjs/send/security/advisories/GHSA-m6fv-jmcg-4jfg\n- https://nvd.nist.gov/vuln/detail/CVE-2024-43799\n- https://github.com/pillarjs/send/commit/ae4f2989491b392ae2ef3b0015a019770ae65d35\n- https://github.com/advisories/GHSA-m6fv-jmcg-4jfg","created":"2024-09-10T19:42:41.000Z","id":1099525,"npm_advisory_id":null,"overview":"### Impact\n\npassing untrusted user input - even after sanitizing it - to `SendStream.redirect()` may execute untrusted code\n\n### Patches\n\nthis issue is patched in send 0.19.0\n\n### Workarounds\n\nusers are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist\n\n### Details\n\nsuccessful exploitation of this vector requires the following:\n\n1. The attacker MUST control the input to response.redirect()\n1. express MUST NOT redirect before the template appears\n1. the browser MUST NOT complete redirection before:\n1. the user MUST click on the link in the template\n","reported_by":null,"title":"send vulnerable to template injection that can lead to XSS","metadata":null,"cves":["CVE-2024-43799"],"access":"public","severity":"moderate","module_name":"send","vulnerable_versions":"<0.19.0","github_advisory_id":"GHSA-m6fv-jmcg-4jfg","recommendation":"Upgrade to version 0.19.0 or later","patched_versions":">=0.19.0","updated":"2024-09-10T19:42:42.000Z","cvss":{"score":5,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"cwe":["CWE-79"],"url":"https://github.com/advisories/GHSA-m6fv-jmcg-4jfg"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1099597,"path":"react-admin>ra-ui-materialui>dompurify","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"2.4.4","paths":["react-admin>ra-ui-materialui>dompurify"]}],"found_by":null,"deleted":null,"references":"- https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674\n- https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21\n- https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc\n- https://nvd.nist.gov/vuln/detail/CVE-2024-45801\n- https://github.com/advisories/GHSA-mmhx-hmjr-r674","created":"2024-09-16T20:34:26.000Z","id":1099597,"npm_advisory_id":null,"overview":"It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check.\n\nThis renders dompurify unable to avoid XSS attack.\n\nFixed by https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21 (3.x branch) and https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc (2.x branch).","reported_by":null,"title":"DOMPurify allows tampering by prototype pollution","metadata":null,"cves":["CVE-2024-45801"],"access":"public","severity":"high","module_name":"dompurify","vulnerable_versions":"<2.5.4","github_advisory_id":"GHSA-mmhx-hmjr-r674","recommendation":"Upgrade to version 2.5.4 or later","patched_versions":">=2.5.4","updated":"2024-09-16T22:37:33.000Z","cvss":{"score":7,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L"},"cwe":["CWE-1321","CWE-1333"],"url":"https://github.com/advisories/GHSA-mmhx-hmjr-r674"}}} diff --git a/frontend/yarn.lock b/frontend/yarn.lock index 0bab59f938..ab9018c838 100644 --- a/frontend/yarn.lock +++ b/frontend/yarn.lock @@ -3741,10 +3741,10 @@ bluebird@^3.5.5: resolved "https://registry.yarnpkg.com/bluebird/-/bluebird-3.7.2.tgz#9f229c15be272454ffa973ace0dbee79a1b0c36f" integrity sha512-XpNj6GDQzdfW+r2Wnn7xiSAd7TM3jzkxGXBGTtWKuSXv1xUV+azxAm8jdWZN06QTQk+2N2XB9jRDkvbmQmcRtg== -body-parser@1.20.2: - version "1.20.2" - resolved "https://registry.yarnpkg.com/body-parser/-/body-parser-1.20.2.tgz#6feb0e21c4724d06de7ff38da36dad4f57a747fd" - integrity sha512-ml9pReCu3M61kGlqoTm2umSXTlRTuGTx0bfYj+uIUKKYycG5NtSbeetV3faSU6R7ajOPw0g/J1PvK4qNy7s5bA== +body-parser@1.20.3: + version "1.20.3" + resolved "https://registry.yarnpkg.com/body-parser/-/body-parser-1.20.3.tgz#1953431221c6fb5cd63c4b36d53fab0928e548c6" + integrity sha512-7rAxByjUMqQ3/bHJy7D6OGXvx/MMc4IqBn/X0fcM1QUcAItpZrBEYhWGem+tzXH90c+G01ypMcYJBO9Y30203g== dependencies: bytes "3.1.2" content-type "~1.0.5" @@ -3754,7 +3754,7 @@ body-parser@1.20.2: http-errors "2.0.0" iconv-lite "0.4.24" on-finished "2.4.1" - qs "6.11.0" + qs "6.13.0" raw-body "2.5.2" type-is "~1.6.18" unpipe "1.0.0" @@ -3844,6 +3844,17 @@ call-bind@^1.0.0, call-bind@^1.0.2: function-bind "^1.1.1" get-intrinsic "^1.0.2" +call-bind@^1.0.7: + version "1.0.7" + resolved "https://registry.yarnpkg.com/call-bind/-/call-bind-1.0.7.tgz#06016599c40c56498c18769d2730be242b6fa3b9" + integrity sha512-GHTSNSYICQ7scH7sZ+M2rFopRoLh8t2bLSW6BbgrtLsahOIB5iyAVJf9GjWK3cYTDaMj4XdBpM1cA6pIS0Kv2w== + dependencies: + es-define-property "^1.0.0" + es-errors "^1.3.0" + function-bind "^1.1.2" + get-intrinsic "^1.2.4" + set-function-length "^1.2.1" + callsites@^3.0.0: version "3.1.0" resolved "https://registry.yarnpkg.com/callsites/-/callsites-3.1.0.tgz#b3630abd8943432f54b3f0519238e33cd7df2f73" @@ -4831,6 +4842,15 @@ default-gateway@^6.0.3: dependencies: execa "^5.0.0" +define-data-property@^1.1.4: + version "1.1.4" + resolved "https://registry.yarnpkg.com/define-data-property/-/define-data-property-1.1.4.tgz#894dc141bb7d3060ae4366f6a0107e68fbe48c5e" + integrity sha512-rBMvIzlpA8v6E+SJZoo++HAYqsLrkg7MSfIinMPFhmkorw7X+dOXVJQs+QT69zGkzMyfDnIMN2Wid1+NbL3T+A== + dependencies: + es-define-property "^1.0.0" + es-errors "^1.3.0" + gopd "^1.0.1" + define-lazy-prop@^2.0.0: version "2.0.0" resolved "https://registry.yarnpkg.com/define-lazy-prop/-/define-lazy-prop-2.0.0.tgz#3f7ae421129bcaaac9bc74905c98a0009ec9ee7f" @@ -5196,6 +5216,11 @@ encodeurl@~1.0.2: resolved "https://registry.yarnpkg.com/encodeurl/-/encodeurl-1.0.2.tgz#ad3ff4c86ec2d029322f5a02c3a9a606c95b3f59" integrity sha512-TPJXq8JqFaVYm2CWmPvnP2Iyo4ZSM7/QKcSmuMLDObfpH5fi7RUGmd/rTDf+rut/saiDiQEeVTNgAmJEdAOx0w== +encodeurl@~2.0.0: + version "2.0.0" + resolved "https://registry.yarnpkg.com/encodeurl/-/encodeurl-2.0.0.tgz#7b8ea898077d7e409d3ac45474ea38eaf0857a58" + integrity sha512-Q0n9HRi4m6JuGIV1eFlmvJB7ZEVxu93IrMyiMsGC0lrMJMWzRgx6WGquyfQgZVb31vhGgXnfmPNNXmxnOkRBrg== + end-of-stream@^1.0.0: version "1.4.4" resolved "https://registry.yarnpkg.com/end-of-stream/-/end-of-stream-1.4.4.tgz#5ae64a5f45057baf3626ec14da0ca5e4b2431eb0" @@ -5273,6 +5298,18 @@ es-array-method-boxes-properly@^1.0.0: resolved "https://registry.yarnpkg.com/es-array-method-boxes-properly/-/es-array-method-boxes-properly-1.0.0.tgz#873f3e84418de4ee19c5be752990b2e44718d09e" integrity sha512-wd6JXUmyHmt8T5a2xreUwKcGPq6f1f+WwIJkijUqiGcJz1qqnZgP6XIK+QyIWU5lT7imeNxUll48bziG+TSYcA== +es-define-property@^1.0.0: + version "1.0.0" + resolved "https://registry.yarnpkg.com/es-define-property/-/es-define-property-1.0.0.tgz#c7faefbdff8b2696cf5f46921edfb77cc4ba3845" + integrity sha512-jxayLKShrEqqzJ0eumQbVhTYQM27CfT1T35+gCgDFoL82JLsXqTJ76zv6A0YLOgEnLUMvLzsDsGIrl8NFpT2gQ== + dependencies: + get-intrinsic "^1.2.4" + +es-errors@^1.3.0: + version "1.3.0" + resolved "https://registry.yarnpkg.com/es-errors/-/es-errors-1.3.0.tgz#05f75a25dab98e4fb1dcd5e1472c0546d5057c8f" + integrity sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw== + es-get-iterator@^1.1.2: version "1.1.2" resolved "https://registry.yarnpkg.com/es-get-iterator/-/es-get-iterator-1.1.2.tgz#9234c54aba713486d7ebde0220864af5e2b283f7" @@ -5836,36 +5873,36 @@ expect@^29.0.0: jest-util "^29.3.1" express@^4.17.3, express@^4.19.2: - version "4.19.2" - resolved "https://registry.yarnpkg.com/express/-/express-4.19.2.tgz#e25437827a3aa7f2a827bc8171bbbb664a356465" - integrity sha512-5T6nhjsT+EOMzuck8JjBHARTHfMht0POzlA60WV2pMD3gyXw2LZnZ+ueGdNxG+0calOJcWKbpFcuzLZ91YWq9Q== + version "4.20.0" + resolved "https://registry.yarnpkg.com/express/-/express-4.20.0.tgz#f1d08e591fcec770c07be4767af8eb9bcfd67c48" + integrity sha512-pLdae7I6QqShF5PnNTCVn4hI91Dx0Grkn2+IAsMTgMIKuQVte2dN9PeGSSAME2FR8anOhVA62QDIUaWVfEXVLw== dependencies: accepts "~1.3.8" array-flatten "1.1.1" - body-parser "1.20.2" + body-parser "1.20.3" content-disposition "0.5.4" content-type "~1.0.4" cookie "0.6.0" cookie-signature "1.0.6" debug "2.6.9" depd "2.0.0" - encodeurl "~1.0.2" + encodeurl "~2.0.0" escape-html "~1.0.3" etag "~1.8.1" finalhandler "1.2.0" fresh "0.5.2" http-errors "2.0.0" - merge-descriptors "1.0.1" + merge-descriptors "1.0.3" methods "~1.1.2" on-finished "2.4.1" parseurl "~1.3.3" - path-to-regexp "0.1.7" + path-to-regexp "0.1.10" proxy-addr "~2.0.7" qs "6.11.0" range-parser "~1.2.1" safe-buffer "5.2.1" - send "0.18.0" - serve-static "1.15.0" + send "0.19.0" + serve-static "1.16.0" setprototypeof "1.2.0" statuses "2.0.1" type-is "~1.6.18" @@ -6244,6 +6281,11 @@ function-bind@^1.1.1: resolved "https://registry.yarnpkg.com/function-bind/-/function-bind-1.1.1.tgz#a56899d3ea3c9bab874bb9773b7c5ede92f4895d" integrity sha512-yIovAzMX49sF8Yl58fSCWJ5svSLuaibPxXQJFLmBObTuCr0Mf1KiPopGM9NiFjiYBCbfaa2Fh6breQ6ANVTI0A== +function-bind@^1.1.2: + version "1.1.2" + resolved "https://registry.yarnpkg.com/function-bind/-/function-bind-1.1.2.tgz#2c02d864d97f3ea6c8830c464cbd11ab6eab7a1c" + integrity sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA== + function.prototype.name@^1.1.2, function.prototype.name@^1.1.5: version "1.1.5" resolved "https://registry.yarnpkg.com/function.prototype.name/-/function.prototype.name-1.1.5.tgz#cce0505fe1ffb80503e6f9e46cc64e46a12a9621" @@ -6293,6 +6335,17 @@ get-intrinsic@^1.0.2, get-intrinsic@^1.1.0, get-intrinsic@^1.1.1, get-intrinsic@ has "^1.0.3" has-symbols "^1.0.3" +get-intrinsic@^1.2.4: + version "1.2.4" + resolved "https://registry.yarnpkg.com/get-intrinsic/-/get-intrinsic-1.2.4.tgz#e385f5a4b5227d449c3eabbad05494ef0abbeadd" + integrity sha512-5uYhsJH8VJBTv7oslg4BznJYhDoRI6waYCxMmCdnTrcCrHA/fCFKoTFz2JKKE0HdDFUF7/oQuhzumXJK7paBRQ== + dependencies: + es-errors "^1.3.0" + function-bind "^1.1.2" + has-proto "^1.0.1" + has-symbols "^1.0.3" + hasown "^2.0.0" + get-own-enumerable-property-symbols@^3.0.0: version "3.0.2" resolved "https://registry.yarnpkg.com/get-own-enumerable-property-symbols/-/get-own-enumerable-property-symbols-3.0.2.tgz#b5fde77f22cbe35f390b4e089922c50bce6ef664" @@ -6633,6 +6686,18 @@ has-property-descriptors@^1.0.0: dependencies: get-intrinsic "^1.1.1" +has-property-descriptors@^1.0.2: + version "1.0.2" + resolved "https://registry.yarnpkg.com/has-property-descriptors/-/has-property-descriptors-1.0.2.tgz#963ed7d071dc7bf5f084c5bfbe0d1b6222586854" + integrity sha512-55JNKuIW+vq4Ke1BjOTjM2YctQIvCT7GFzHwmfZPGo5wnrgkid0YQtnAleFSqumZm4az3n2BS+erby5ipJdgrg== + dependencies: + es-define-property "^1.0.0" + +has-proto@^1.0.1: + version "1.0.3" + resolved "https://registry.yarnpkg.com/has-proto/-/has-proto-1.0.3.tgz#b31ddfe9b0e6e9914536a6ab286426d0214f77fd" + integrity sha512-SJ1amZAJUiZS+PhsVLf5tGydlaVB8EdFpaSO4gmiUKUOxk8qzn5AIy4ZeJUmh22znIdk/uMAUT2pl3FxzVUH+Q== + has-symbols@^1.0.1, has-symbols@^1.0.2, has-symbols@^1.0.3: version "1.0.3" resolved "https://registry.yarnpkg.com/has-symbols/-/has-symbols-1.0.3.tgz#bb7b2c4349251dce87b125f7bdf874aa7c8b39f8" @@ -6652,6 +6717,13 @@ has@^1.0.3: dependencies: function-bind "^1.1.1" +hasown@^2.0.0: + version "2.0.2" + resolved "https://registry.yarnpkg.com/hasown/-/hasown-2.0.2.tgz#003eaf91be7adc372e84ec59dc37252cedb80003" + integrity sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ== + dependencies: + function-bind "^1.1.2" + he@^1.2.0: version "1.2.0" resolved "https://registry.yarnpkg.com/he/-/he-1.2.0.tgz#84ae65fa7eafb165fddb61566ae14baf05664f0f" @@ -8324,10 +8396,10 @@ memoize-one@^6.0.0: resolved "https://registry.yarnpkg.com/memoize-one/-/memoize-one-6.0.0.tgz#b2591b871ed82948aee4727dc6abceeeac8c1045" integrity sha512-rkpe71W0N0c0Xz6QD0eJETuWAJGnJ9afsl1srmwPrI+yBCkge5EycXXbYRyvL29zZVUWQCY7InPRCv3GDXuZNw== -merge-descriptors@1.0.1: - version "1.0.1" - resolved "https://registry.yarnpkg.com/merge-descriptors/-/merge-descriptors-1.0.1.tgz#b00aaa556dd8b44568150ec9d1b953f3f90cbb61" - integrity sha512-cCi6g3/Zr1iqQi6ySbseM1Xvooa98N0w31jzUYrXPX2xqObmFGHJ0tQ5u74H3mVh7wLouTseZyYIq39g8cNp1w== +merge-descriptors@1.0.3: + version "1.0.3" + resolved "https://registry.yarnpkg.com/merge-descriptors/-/merge-descriptors-1.0.3.tgz#d80319a65f3c7935351e5cfdac8f9318504dbed5" + integrity sha512-gaNvAS7TZ897/rVaZ0nMtAyxNyi/pdbjbAwUpFQpN70GqnVfOiXpeUUMKRBmzXaSQ8DdTX4/0ms62r2K+hE6mQ== merge-stream@^2.0.0: version "2.0.0" @@ -8666,6 +8738,11 @@ object-inspect@^1.12.2, object-inspect@^1.9.0: resolved "https://registry.yarnpkg.com/object-inspect/-/object-inspect-1.12.2.tgz#c0641f26394532f28ab8d796ab954e43c009a8ea" integrity sha512-z+cPxW0QGUp0mcqcsgQyLVRDoXFQbXOwBaqyF7VIgI4TWNQsDHrBpUQslRmIfAoYWdYzs6UlKJtB2XJpTaNSpQ== +object-inspect@^1.13.1: + version "1.13.2" + resolved "https://registry.yarnpkg.com/object-inspect/-/object-inspect-1.13.2.tgz#dea0088467fb991e67af4058147a24824a3043ff" + integrity sha512-IRZSRuzJiynemAXPYtPe5BoI/RESNYR7TYm50MC5Mqbd3Jmw5y790sErYw3V6SryFJD64b74qQQs9wn5Bg/k3g== + object-is@^1.1.2, object-is@^1.1.5: version "1.1.5" resolved "https://registry.yarnpkg.com/object-is/-/object-is-1.1.5.tgz#b9deeaa5fc7f1846a0faecdceec138e5778f53ac" @@ -8948,7 +9025,7 @@ path-parse@^1.0.7: resolved "https://registry.yarnpkg.com/path-parse/-/path-parse-1.0.7.tgz#fbc114b60ca42b30d9daf5858e4bd68bbedb6735" integrity sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw== -path-to-regexp@0.1.7, path-to-regexp@^1.7.0, path-to-regexp@^1.9.0, path-to-regexp@^2.2.1: +path-to-regexp@0.1.10, path-to-regexp@^1.7.0, path-to-regexp@^1.9.0, path-to-regexp@^2.2.1: version "1.9.0" resolved "https://registry.yarnpkg.com/path-to-regexp/-/path-to-regexp-1.9.0.tgz#5dc0753acbf8521ca2e0f137b4578b917b10cf24" integrity sha512-xIp7/apCFJuUHdDLWe8O1HIkb0kQrOMb/0u6FXQjemHn/ii5LrIzU6bdECnsiTF/GjZkMEKg1xdiZwNqDYlZ6g== @@ -9800,6 +9877,13 @@ qs@6.11.0: dependencies: side-channel "^1.0.4" +qs@6.13.0: + version "6.13.0" + resolved "https://registry.yarnpkg.com/qs/-/qs-6.13.0.tgz#6ca3bd58439f7e245655798997787b0d88a51906" + integrity sha512-+38qI9SOr8tfZ4QmJNplMUxqjbe7LKvvZgWdExBOmd+egZTtjLB67Gu0HRX3u/XOq7UU2Nx6nsjvS16Z9uwfpg== + dependencies: + side-channel "^1.0.6" + query-string@^5.1.1: version "5.1.1" resolved "https://registry.yarnpkg.com/query-string/-/query-string-5.1.1.tgz#a78c012b71c17e05f2e3fa2319dd330682efb3cb" @@ -10866,6 +10950,25 @@ send@0.18.0: range-parser "~1.2.1" statuses "2.0.1" +send@0.19.0: + version "0.19.0" + resolved "https://registry.yarnpkg.com/send/-/send-0.19.0.tgz#bbc5a388c8ea6c048967049dbeac0e4a3f09d7f8" + integrity sha512-dW41u5VfLXu8SJh5bwRmyYUbAoSB3c9uQh6L8h/KtsFREPWpbX1lrljJo186Jc4nmci/sGUZ9a0a0J2zgfq2hw== + dependencies: + debug "2.6.9" + depd "2.0.0" + destroy "1.2.0" + encodeurl "~1.0.2" + escape-html "~1.0.3" + etag "~1.8.1" + fresh "0.5.2" + http-errors "2.0.0" + mime "1.6.0" + ms "2.1.3" + on-finished "2.4.1" + range-parser "~1.2.1" + statuses "2.0.1" + serialize-javascript@^4.0.0: version "4.0.0" resolved "https://registry.yarnpkg.com/serialize-javascript/-/serialize-javascript-4.0.0.tgz#b525e1238489a5ecfc42afacc3fe99e666f4b1aa" @@ -10900,16 +11003,28 @@ serve-index@^1.9.1: mime-types "~2.1.17" parseurl "~1.3.2" -serve-static@1.15.0: - version "1.15.0" - resolved "https://registry.yarnpkg.com/serve-static/-/serve-static-1.15.0.tgz#faaef08cffe0a1a62f60cad0c4e513cff0ac9540" - integrity sha512-XGuRDNjXUijsUL0vl6nSD7cwURuzEgglbOaFuZM9g3kwDXOWVTck0jLzjPzGD+TazWbboZYu52/9/XPdUgne9g== +serve-static@1.16.0: + version "1.16.0" + resolved "https://registry.yarnpkg.com/serve-static/-/serve-static-1.16.0.tgz#2bf4ed49f8af311b519c46f272bf6ac3baf38a92" + integrity sha512-pDLK8zwl2eKaYrs8mrPZBJua4hMplRWJ1tIFksVC3FtBEBnl8dxgeHtsaMS8DhS9i4fLObaon6ABoc4/hQGdPA== dependencies: encodeurl "~1.0.2" escape-html "~1.0.3" parseurl "~1.3.3" send "0.18.0" +set-function-length@^1.2.1: + version "1.2.2" + resolved "https://registry.yarnpkg.com/set-function-length/-/set-function-length-1.2.2.tgz#aac72314198eaed975cf77b2c3b6b880695e5449" + integrity sha512-pgRc4hJ4/sNjWCSS9AmnS40x3bNMDTknHgL5UaMBTMyJnU90EgWh1Rz+MC9eFu4BuN/UwZjKQuY/1v3rM7HMfg== + dependencies: + define-data-property "^1.1.4" + es-errors "^1.3.0" + function-bind "^1.1.2" + get-intrinsic "^1.2.4" + gopd "^1.0.1" + has-property-descriptors "^1.0.2" + setimmediate@^1.0.5: version "1.0.5" resolved "https://registry.yarnpkg.com/setimmediate/-/setimmediate-1.0.5.tgz#290cbb232e306942d7d7ea9b83732ab7856f8285" @@ -10966,6 +11081,16 @@ side-channel@^1.0.4: get-intrinsic "^1.0.2" object-inspect "^1.9.0" +side-channel@^1.0.6: + version "1.0.6" + resolved "https://registry.yarnpkg.com/side-channel/-/side-channel-1.0.6.tgz#abd25fb7cd24baf45466406b1096b7831c9215f2" + integrity sha512-fDW/EZ6Q9RiO8eFG8Hj+7u/oW+XrPTIChwCOM2+th2A6OblDtYYIpve9m+KvI9Z4C9qSEXlaGR6bTEYHReuglA== + dependencies: + call-bind "^1.0.7" + es-errors "^1.3.0" + get-intrinsic "^1.2.4" + object-inspect "^1.13.1" + signal-exit@^3.0.2, signal-exit@^3.0.3: version "3.0.7" resolved "https://registry.yarnpkg.com/signal-exit/-/signal-exit-3.0.7.tgz#a9a1767f8af84155114eaabd73f99273c8f59ad9" diff --git a/package.json b/package.json index 55162ffde8..d84ca2a6bf 100644 --- a/package.json +++ b/package.json @@ -318,7 +318,7 @@ "csv-stringify": "^5.6.2", "cucumber-html-reporter": "^5.2.0", "deepmerge": "^4.3.1", - "dompurify": "^3.1.0", + "dompurify": "^3.1.3", "dot-wild": "^3.0.1", "dotenv": "^16.4.1", "email-templates": "^8.0.4", diff --git a/src/policies/event.js b/src/policies/event.js index e53643acb4..10df396720 100644 --- a/src/policies/event.js +++ b/src/policies/event.js @@ -140,7 +140,7 @@ export default class EventReport { // some handy & fun aliases canEditEvent() { - return this.isAdmin() || this.isAuthor() || this.isCollaborator(); + return this.isAdmin() || this.isAuthor(); } canCreateSession() { diff --git a/src/policies/event.test.js b/src/policies/event.test.js index 2a12379e73..333c6d2e74 100644 --- a/src/policies/event.test.js +++ b/src/policies/event.test.js @@ -171,16 +171,16 @@ describe('Event Report policies', () => { expect(policy.canEditEvent()).toBe(true); }); - it('is true if the user is a collaborator', () => { + it('is false if the user is a collaborator', () => { const eventRegion1 = createEvent({ ownerId: authorRegion1, collaboratorIds: [authorRegion1Collaborator.id], }); const policy = new EventReport(authorRegion1Collaborator, eventRegion1); - expect(policy.canEditEvent()).toBe(true); + expect(policy.canEditEvent()).toBe(false); }); - it('is true if the user is a poc', () => { + it('is false if the user is a poc', () => { const eventRegion1 = createEvent({ ownerId: authorRegion1, pocIds: [authorRegion1Collaborator.id], diff --git a/yarn.lock b/yarn.lock index 42ba822c4f..1f24f6d7b8 100644 --- a/yarn.lock +++ b/yarn.lock @@ -5802,14 +5802,14 @@ domhandler@^5.0.1, domhandler@^5.0.2, domhandler@^5.0.3: domelementtype "^2.3.0" dompurify@^2.2.8: - version "2.4.0" - resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-2.4.0.tgz#c9c88390f024c2823332615c9e20a453cf3825dd" - integrity sha512-Be9tbQMZds4a3C6xTmz68NlMfeONA//4dOavl/1rNw50E+/QO0KVpbcU0PcaW0nsQxurXls9ZocqFxk8R2mWEA== + version "2.5.6" + resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-2.5.6.tgz#8402b501611eaa7fb3786072297fcbe2787f8592" + integrity sha512-zUTaUBO8pY4+iJMPE1B9XlO2tXVYIcEA4SNGtvDELzTSCQO7RzH+j7S180BmhmJId78lqGU2z19vgVx2Sxs/PQ== -dompurify@^3.1.0: - version "3.1.0" - resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-3.1.0.tgz#8c6b9fe986969a33aa4686bd829cbe8e14dd9445" - integrity sha512-yoU4rhgPKCo+p5UrWWWNKiIq+ToGqmVVhk0PmMYBK4kRsR3/qhemNFL8f6CFmBd4gMwm3F4T7HBoydP5uY07fA== +dompurify@^3.1.3: + version "3.1.6" + resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-3.1.6.tgz#43c714a94c6a7b8801850f82e756685300a027e2" + integrity sha512-cTOAhc36AalkjtBpfG6O8JimdTMWNXjiePT2xQH/ppBGi/4uIpmj8eKyIkMJErXWARyINV/sB38yf8JCLF5pbQ== domutils@^2.0.0, domutils@^2.5.2: version "2.8.0"