Server: Add support for item size limit

2024-12-24 10:27:10 +02:00 · 2021-05-17 18:35:01 +02:00 · 2021-05-17 18:35:01 +02:00 · 6afde54bda
commit 6afde54bda
parent ec7f0f479a
14 changed files with 121 additions and 11 deletions
--- a/packages/server/schema.sqlite
+++ b/packages/server/schema.sqlite
--- a/packages/server/src/db.ts
+++ b/packages/server/src/db.ts
@ -275,6 +275,7 @@ export interface User extends WithDates, WithUuid {
 	password?: string;
 	full_name?: string;
 	is_admin?: number;
+	item_max_size?: number;
 }

 export interface Session extends WithDates, WithUuid {
@ -377,6 +378,7 @@ export const databaseSchema: DatabaseTables = {
 		is_admin: { type: 'number' },
 		updated_time: { type: 'string' },
 		created_time: { type: 'string' },
+		item_max_size: { type: 'number' },
 	},
 	sessions: {
 		id: { type: 'string' },
--- a/packages/server/src/migrations/20210517173042_user_item_size_limit.ts
+++ b/packages/server/src/migrations/20210517173042_user_item_size_limit.ts
@ -0,0 +1,12 @@
+import { Knex } from 'knex';
+import { DbConnection } from '../db';
+
+export async function up(db: DbConnection): Promise<any> {
+	await db.schema.alterTable('users', function(table: Knex.CreateTableBuilder) {
+		table.integer('item_max_size').defaultTo(0).notNullable();
+	});
+}
+
+export async function down(_db: DbConnection): Promise<any> {
+
+}
--- a/packages/server/src/models/ItemModel.ts
+++ b/packages/server/src/models/ItemModel.ts
@ -3,7 +3,7 @@ import { ItemType, databaseSchema, Uuid, Item, ShareType, Share, ChangeType, Use
 import { defaultPagination, paginateDbQuery, PaginatedResults, Pagination } from './utils/pagination';
 import { isJoplinItemName, isJoplinResourceBlobPath, linkedResourceIds, serializeJoplinItem, unserializeJoplinItem } from '../utils/joplinUtils';
 import { ModelType } from '@joplin/lib/BaseModel';
-import { ApiError, ErrorForbidden, ErrorNotFound, ErrorUnprocessableEntity } from '../utils/errors';
+import { ApiError, ErrorForbidden, ErrorNotFound, ErrorPayloadTooLarge, ErrorUnprocessableEntity } from '../utils/errors';
 import { Knex } from 'knex';
 import { ChangePreviousItem } from './ChangeModel';

@ -282,10 +282,10 @@ export default class ItemModel extends BaseModel<Item> {
 		return this.itemToJoplinItem(raw);
 	}

-	public async saveFromRawContent(userId: Uuid, name: string, buffer: Buffer, options: ItemSaveOption = null): Promise<Item> {
+	public async saveFromRawContent(user: User, name: string, buffer: Buffer, options: ItemSaveOption = null): Promise<Item> {
 		options = options || {};

-		const existingItem = await this.loadByName(userId, name);
+		const existingItem = await this.loadByName(user.id, name);

 		const isJoplinItem = isJoplinItemName(name);
 		let isNote = false;
@ -322,8 +322,14 @@ export default class ItemModel extends BaseModel<Item> {

 		if (options.shareId) item.jop_share_id = options.shareId;

+		// If the item is encrypted, we apply a multipler because encrypted
+		// items can be much larger (seems to be up to twice the size but for
+		// safety let's go with 2.2).
+		const maxSize = user.item_max_size * (item.jop_encryption_applied ? 2.2 : 1);
+		if (maxSize && buffer.byteLength > maxSize) throw new ErrorPayloadTooLarge();
+
 		return this.withTransaction<Item>(async () => {
-			const savedItem = await this.saveForUser(userId, item);
+			const savedItem = await this.saveForUser(user.id, item);

 			if (isNote) {
 				await this.models().itemResource().deleteByItemId(savedItem.id);
--- a/packages/server/src/models/UserModel.ts
+++ b/packages/server/src/models/UserModel.ts
@ -29,6 +29,7 @@ export default class UserModel extends BaseModel<User> {
 		if ('password' in object) user.password = object.password;
 		if ('is_admin' in object) user.is_admin = object.is_admin;
 		if ('full_name' in object) user.full_name = object.full_name;
+		if ('item_max_size' in object) user.item_max_size = object.item_max_size;

 		return user;
 	}
@ -50,9 +51,12 @@ export default class UserModel extends BaseModel<User> {
 		}

 		if (action === AclAction.Update) {
+			const previousResource = await this.load(resource.id);
+
 			if (!user.is_admin && resource.id !== user.id) throw new ErrorForbidden('non-admin user cannot modify another user');
 			if (!user.is_admin && 'is_admin' in resource) throw new ErrorForbidden('non-admin user cannot make themselves an admin');
 			if (user.is_admin && user.id === resource.id && 'is_admin' in resource && !resource.is_admin) throw new ErrorForbidden('admin user cannot make themselves a non-admin');
+			if (!user.is_admin && resource.item_max_size !== previousResource.item_max_size) throw new ErrorForbidden('non-admin user cannot change item_max_size');
 		}

 		if (action === AclAction.Delete) {
--- a/packages/server/src/routes/api/items.test.ts
+++ b/packages/server/src/routes/api/items.test.ts
@ -1,4 +1,4 @@
-import { beforeAllDb, afterAllTests, beforeEachDb, createUserAndSession, models, createItem, makeTempFileWithContent, makeNoteSerializedBody, createItemTree, expectHttpError } from '../../utils/testing/testUtils';
+import { beforeAllDb, afterAllTests, beforeEachDb, createUserAndSession, models, createItem, makeTempFileWithContent, makeNoteSerializedBody, createItemTree, expectHttpError, createNote, expectNoHttpError } from '../../utils/testing/testUtils';
 import { NoteEntity } from '@joplin/lib/services/database/types';
 import { ModelType } from '@joplin/lib/BaseModel';
 import { deleteApi, getApi, putApi } from '../../utils/testing/apiUtils';
@ -6,7 +6,7 @@ import { Item } from '../../db';
 import { PaginatedItems } from '../../models/ItemModel';
 import { shareFolderWithUser } from '../../utils/testing/shareApiUtils';
 import { resourceBlobPath } from '../../utils/joplinUtils';
-import { ErrorForbidden } from '../../utils/errors';
+import { ErrorForbidden, ErrorPayloadTooLarge } from '../../utils/errors';

 describe('api_items', function() {

@ -239,4 +239,41 @@ describe('api_items', function() {
 		);
 	});

+	test('should check permissions - uploaded item should be below the allowed limit', async function() {
+		const { user: user1, session: session1 } = await createUserAndSession(1);
+
+		{
+			await models().user().save({ id: user1.id, item_max_size: 4 });
+
+			await expectHttpError(
+				async () => createNote(session1.id, {
+					id: '00000000000000000000000000000001',
+					body: '12345',
+				}),
+				ErrorPayloadTooLarge.httpCode);
+		}
+
+		{
+			await models().user().save({ id: user1.id, item_max_size: 1000 });
+
+			await expectNoHttpError(
+				async () => createNote(session1.id, {
+					id: '00000000000000000000000000000002',
+					body: '12345',
+				})
+			);
+		}
+
+		{
+			await models().user().save({ id: user1.id, item_max_size: 0 });
+
+			await expectNoHttpError(
+				async () => createNote(session1.id, {
+					id: '00000000000000000000000000000003',
+					body: '12345',
+				})
+			);
+		}
+	});
+
 });
--- a/packages/server/src/routes/api/items.ts
+++ b/packages/server/src/routes/api/items.ts
@ -86,7 +86,7 @@ router.put('api/items/:id/content', async (path: SubPath, ctx: AppContext) => {
 			await itemModel.checkIfAllowed(ctx.owner, AclAction.Create, { jop_share_id: saveOptions.shareId });
 		}

-		const item = await itemModel.saveFromRawContent(ctx.owner.id, name, buffer, saveOptions);
+		const item = await itemModel.saveFromRawContent(ctx.owner, name, buffer, saveOptions);
 		outputItem = itemModel.toApiOutput(item) as Item;
 	} finally {
 		if (filePath) await safeRemove(filePath);
--- a/packages/server/src/routes/index/users.test.ts
+++ b/packages/server/src/routes/index/users.test.ts
@ -180,6 +180,9 @@ describe('index_users', function() {

 		// cannot delete own user
 		await expectHttpError(async () => execRequest(adminSession.id, 'POST', `users/${admin.id}`, { delete_button: true }), ErrorForbidden.httpCode);
+
+		// non-admin cannot change item_max_size
+		await expectHttpError(async () => patchUser(session1.id, { id: admin.id, item_max_size: 1000 }), ErrorForbidden.httpCode);
 	});


--- a/packages/server/src/routes/index/users.ts
+++ b/packages/server/src/routes/index/users.ts
@ -8,6 +8,7 @@ import config from '../../config';
 import { View } from '../../services/MustacheService';
 import defaultView from '../../utils/defaultView';
 import { AclAction } from '../../models/BaseModel';
+const prettyBytes = require('pretty-bytes');

 function makeUser(isNew: boolean, fields: any): User {
 	const user: User = {};
@ -15,6 +16,7 @@ function makeUser(isNew: boolean, fields: any): User {
 	if ('email' in fields) user.email = fields.email;
 	if ('full_name' in fields) user.full_name = fields.full_name;
 	if ('is_admin' in fields) user.is_admin = fields.is_admin;
+	if ('item_max_size' in fields) user.item_max_size = fields.item_max_size;

 	if (fields.password) {
 		if (fields.password !== fields.password2) throw new ErrorUnprocessableEntity('Passwords do not match');
@ -43,7 +45,12 @@ router.get('users', async (_path: SubPath, ctx: AppContext) => {
 	const users = await userModel.all();

 	const view: View = defaultView('users');
-	view.content.users = users;
+	view.content.users = users.map(user => {
+		return {
+			...user,
+			formattedItemMaxSize: user.item_max_size ? prettyBytes(user.item_max_size) : '∞',
+		};
+	});
 	return view;
 });

--- a/packages/server/src/utils/errors.ts
+++ b/packages/server/src/utils/errors.ts
@ -77,3 +77,12 @@ export class ErrorResyncRequired extends ApiError {
 		Object.setPrototypeOf(this, ErrorResyncRequired.prototype);
 	}
 }
+
+export class ErrorPayloadTooLarge extends ApiError {
+	public static httpCode: number = 413;
+
+	public constructor(message: string = 'Payload Too Large') {
+		super(message, ErrorPayloadTooLarge.httpCode);
+		Object.setPrototypeOf(this, ErrorPayloadTooLarge.prototype);
+	}
+}
--- a/packages/server/src/utils/testing/shareApiUtils.ts
+++ b/packages/server/src/utils/testing/shareApiUtils.ts
@ -45,6 +45,8 @@ function convertTree(tree: any): any[] {
 }

 async function createItemTree3(sessionId: Uuid, userId: Uuid, parentFolderId: string, shareId: Uuid, tree: any[]): Promise<void> {
+	const user = await models().user().load(userId);
+
 	for (const jopItem of tree) {
 		const isFolder = !!jopItem.children;
 		const serializedBody = isFolder ?
@ -58,7 +60,7 @@ async function createItemTree3(sessionId: Uuid, userId: Uuid, parentFolderId: st
 			}
 		}

-		const newItem = await models().item().saveFromRawContent(userId, `${jopItem.id}.md`, Buffer.from(serializedBody));
+		const newItem = await models().item().saveFromRawContent(user, `${jopItem.id}.md`, Buffer.from(serializedBody));
 		if (isFolder && jopItem.children.length) await createItemTree3(sessionId, userId, newItem.jop_id, shareId, jopItem.children);
 	}
 }
--- a/packages/server/src/utils/testing/testUtils.ts
+++ b/packages/server/src/utils/testing/testUtils.ts
@ -272,26 +272,28 @@ export async function createItemTree(userId: Uuid, parentFolderId: string, tree:

 export async function createItemTree2(userId: Uuid, parentFolderId: string, tree: any[]): Promise<void> {
 	const itemModel = models().item();
+	const user = await models().user().load(userId);

 	for (const jopItem of tree) {
 		const isFolder = !!jopItem.children;
 		const serializedBody = isFolder ?
 			makeFolderSerializedBody({ ...jopItem, parent_id: parentFolderId }) :
 			makeNoteSerializedBody({ ...jopItem, parent_id: parentFolderId });
-		const newItem = await itemModel.saveFromRawContent(userId, `${jopItem.id}.md`, Buffer.from(serializedBody));
+		const newItem = await itemModel.saveFromRawContent(user, `${jopItem.id}.md`, Buffer.from(serializedBody));
 		if (isFolder && jopItem.children.length) await createItemTree2(userId, newItem.jop_id, jopItem.children);
 	}
 }

 export async function createItemTree3(userId: Uuid, parentFolderId: string, shareId: Uuid, tree: any[]): Promise<void> {
 	const itemModel = models().item();
+	const user = await models().user().load(userId);

 	for (const jopItem of tree) {
 		const isFolder = !!jopItem.children;
 		const serializedBody = isFolder ?
 			makeFolderSerializedBody({ ...jopItem, parent_id: parentFolderId, share_id: shareId }) :
 			makeNoteSerializedBody({ ...jopItem, parent_id: parentFolderId, share_id: shareId });
-		const newItem = await itemModel.saveFromRawContent(userId, `${jopItem.id}.md`, Buffer.from(serializedBody));
+		const newItem = await itemModel.saveFromRawContent(user, `${jopItem.id}.md`, Buffer.from(serializedBody));
 		if (isFolder && jopItem.children.length) await createItemTree3(userId, newItem.jop_id, shareId, jopItem.children);
 	}
 }
@ -408,6 +410,22 @@ export async function expectHttpError(asyncFn: Function, expectedHttpCode: numbe
 	}
 }

+export async function expectNoHttpError(asyncFn: Function): Promise<void> {
+	let thrownError = null;
+
+	try {
+		await asyncFn();
+	} catch (error) {
+		thrownError = error;
+	}
+
+	if (thrownError) {
+		expect('throw').toBe('not throw');
+	} else {
+		expect(true).toBe(true);
+	}
+}
+
 export function makeNoteSerializedBody(note: NoteEntity = {}): string {
 	return `${'title' in note ? note.title : 'Title'}

--- a/packages/server/src/views/index/user.mustache
+++ b/packages/server/src/views/index/user.mustache
@ -14,6 +14,14 @@
 			<input class="input" type="email" name="email" value="{{user.email}}"/>
 		</div>
 	</div>
+	{{#global.owner.is_admin}}
+		<div class="field">
+			<label class="label">Max item size</label>
+			<div class="control">
+				<input class="input" type="number" name="item_max_size" value="{{user.item_max_size}}"/>
+			</div>
+		</div>
+	{{/global.owner.is_admin}}
 	<div class="field">
 		<label class="label">Password</label>
 		<div class="control">
--- a/packages/server/src/views/index/users.mustache
+++ b/packages/server/src/views/index/users.mustache
@ -3,6 +3,7 @@
 		<tr>
 			<th>Full name</th>
 			<th>Email</th>
+			<th>Max Item Size</th>
 			<th>Is admin?</th>
 			<th>Actions</th>
 		</tr>
@ -12,6 +13,7 @@
 			<tr>
 				<td>{{full_name}}</td>
 				<td>{{email}}</td>
+				<td>{{formattedItemMaxSize}}</td>
 				<td>{{is_admin}}</td>
 				<td><a href="{{{global.baseUrl}}}/users/{{id}}" class="button is-primary is-small">Edit</a></td>
 			</tr>