Merge branch 'feat/enhanced-access-token' into imprv/167279-add-scopes-to-endpoints-where-accesstokenparser-has-no-scopes-configured

apps/app/src/server/routes/apiv3/export.js

@@ -1,3 +1,5 @@
+import sanitize from 'sanitize-filename';
+
 import { SupportedAction } from '~/interfaces/activity';
 import { SCOPE } from '@growi/core/dist/interfaces';
 import { accessTokenParser } from '~/server/middlewares/access-token-parser';
@@ -268,7 +270,8 @@ module.exports = (crowi) => {
       const { fileName } = req.params;
 
       try {
-        const zipFile = exportService.getFile(fileName);
+        const sanitizedFileName = sanitize(fileName);
+        const zipFile = exportService.getFile(sanitizedFileName);
         fs.unlinkSync(zipFile);
         const parameters = { action: SupportedAction.ACTION_ADMIN_ARCHIVE_DATA_DELETE };
         activityEvent.emit('update', res.locals.activity._id, parameters);

apps/app/src/server/routes/apiv3/page/index.ts

@@ -229,7 +229,7 @@ module.exports = (crowi) => {
       let pages;
       try {
         if (isSharedPage) {
-          const shareLink = await ShareLink.findOne({ _id: shareLinkId });
+          const shareLink = await ShareLink.findOne({ _id: { $eq: shareLinkId } });
           if (shareLink == null) {
             throw new Error('ShareLink is not found');
           }

apps/app/src/server/routes/apiv3/share-links.js

@@ -1,10 +1,10 @@
 // TODO remove this setting after implemented all
 /* eslint-disable no-unused-vars */
+import { SCOPE } from '@growi/core/dist/interfaces';
 import { ErrorV3 } from '@growi/core/dist/models';
 import express from 'express';
 
 import { SupportedAction } from '~/interfaces/activity';
-import { SCOPE } from '@growi/core/dist/interfaces';
 import { accessTokenParser } from '~/server/middlewares/access-token-parser';
 import { generateAddActivityMiddleware } from '~/server/middlewares/add-activity';
 import { apiV3FormValidator } from '~/server/middlewares/apiv3-form-validator';
@@ -156,7 +156,7 @@ module.exports = (crowi) => {
       }
 
       try {
-        const shareLinksResult = await ShareLink.find({ relatedPage }).populate({ path: 'relatedPage', select: 'path' });
+        const shareLinksResult = await ShareLink.find({ relatedPage: { $eq: relatedPage } }).populate({ path: 'relatedPage', select: 'path' });
         return res.apiv3({ shareLinksResult });
       }
       catch (err) {
@@ -292,7 +292,7 @@ module.exports = (crowi) => {
       }
 
       try {
-        const deletedShareLink = await ShareLink.remove({ relatedPage });
+        const deletedShareLink = await ShareLink.deleteMany({ relatedPage: { $eq: relatedPage } });
 
         activityEvent.emit('update', res.locals.activity._id, { action: SupportedAction.ACTION_SHARE_LINK_DELETE_BY_PAGE });
 

apps/app/src/server/routes/apiv3/user-group.js

@@ -197,7 +197,7 @@ module.exports = (crowi) => {
       const { groupId } = req.query;
 
       try {
-        const userGroup = await UserGroup.findById(groupId);
+        const userGroup = await UserGroup.findOne({ _id: { $eq: groupId } });
         const ancestorUserGroups = await UserGroup.findGroupsWithAncestorsRecursively(userGroup);
         return res.apiv3({ ancestorUserGroups });
       }
@@ -370,7 +370,7 @@ module.exports = (crowi) => {
       const { groupId } = req.query;
 
       try {
-        const userGroup = await UserGroup.findById(groupId);
+        const userGroup = await UserGroup.findOne({ _id: { $eq: groupId } });
 
         const descendantGroups = await UserGroup.findGroupsWithDescendantsRecursively([userGroup], []);
         const descendantGroupIds = descendantGroups.map(userGroups => userGroups._id.toString());
@@ -423,7 +423,7 @@ module.exports = (crowi) => {
       const { groupId } = req.query;
 
       try {
-        const userGroup = await UserGroup.findById(groupId);
+        const userGroup = await UserGroup.findOne({ _id: { $eq: groupId } });
 
         const [ancestorGroups, descendantGroups] = await Promise.all([
           UserGroup.findGroupsWithAncestorsRecursively(userGroup, []),