From b31a5bf5d8af981eee3c8990571577c58ae5f7d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?=
Date: Sun, 4 Feb 2024 21:56:44 +0100
Subject: [PATCH] hedgedoc: fix util list
---
 hosts/hedgedoc/hedgedoc-util-postgres.diff | 27 +++++++++++++++++-----
 1 file changed, 21 insertions(+), 6 deletions(-)
diff --git a/hosts/hedgedoc/hedgedoc-util-postgres.diff b/hosts/hedgedoc/hedgedoc-util-postgres.diff
index 3c547eed..963bee1a 100644
--- a/hosts/hedgedoc/hedgedoc-util-postgres.diff
+++ b/hosts/hedgedoc/hedgedoc-util-postgres.diff
@@ -53,12 +53,18 @@ for fieldname in fieldnames: if fieldname in i: if i[fieldname] == None: -@@ -87,31 +82,35 @@ - def pad_list(db, columns, last_change_older=0, owner=0): +@@ -84,34 +79,40 @@ + def note_id_encode_to_url(input_id): + return base64.urlsafe_b64encode(binascii.unhexlify(input_id.replace('-', '').encode())).decode().replace('=', '') + +-def pad_list(db, columns, last_change_older=0, owner=0): ++def pad_list(db, columns, last_change_older, owner): ++ if owner == None: ++ owner = "00000000-0000-0000-0000-000000000000" with db.cursor() as cursor: # this is no sql injection vulnerability because we let click verify the content of "columns" to match a whitelist - cursor.execute(F"SELECT {','.join(columns)} FROM Notes WHERE (%(last_change_older)s = 0 OR DATEDIFF(NOW(), lastchangeAt) > %(last_change_older)s OR (lastchangeAt IS NULL AND DATEDIFF(NOW(), createdAt) > %(last_change_older)s) AND (%(owner)s = '' OR ownerId = %(owner)s)) ORDER BY id", {'last_change_older': last_change_older, 'owner': owner}) -+ cursor.execute(F"SELECT {','.join(columns)} FROM \"Notes\" WHERE (%(last_change_older)s = 0 OR DATEDIFF(NOW(), lastchangeAt) > %(last_change_older)s OR (lastchangeAt IS NULL AND DATEDIFF(NOW(), createdAt) > %(last_change_older)s) AND (%(owner)s = '' OR ownerId = %(owner)s)) ORDER BY id", {'last_change_older': last_change_older, 'owner': owner}) ++ cursor.execute(F"SELECT {','.join(columns)} FROM \"Notes\" WHERE (%(last_change_older)s = 0 OR NOW() - \"lastchangeAt\" > interval '%(last_change_older)s' OR (\"lastchangeAt\" IS NULL AND NOW() - \"createdAt\" > interval '%(last_change_older)s') AND (%(owner)s = '' OR \"ownerId\" = %(owner)s::uuid)) ORDER BY id", {'last_change_older': last_change_older, 'owner': owner}) return _decode_nested_json(cursor.fetchall(), ['authorship']) def pad_get(db, id): 
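Review bot: In the new `cursor.execute` line of `pad_list`, `interval '%(last_change_older)s'` puts the placeholder inside a quoted SQL literal, so it is not a bound value. If the driver substitutes it textually (presumably psycopg2, to be confirmed), an integer yields `interval '30'`, which PostgreSQL reads as seconds although the option help says days. The WHERE clause also keeps the shape `a OR b OR (c) AND (owner test)`, where AND binds tighter than OR, so with the default `last_change_older = 0` the owner test is never reached and `--owner` does not narrow the list. The added nil-UUID sentinel can never equal `''`, so the "no owner" branch of that test is dead as well. The rewrite below groups the age and owner tests explicitly, scales by `interval '1 day'`, and lets `None` mean "no owner filter" in place of the sentinel.

```python
def pad_list(db, columns, last_change_older, owner):
    with db.cursor() as cursor:
        # … unchanged: comment about click checking "columns" against the whitelist …
        cursor.execute(
            F"SELECT {','.join(columns)} FROM \"Notes\" "
            "WHERE (%(last_change_older)s = 0 "
            "OR NOW() - \"lastchangeAt\" > %(last_change_older)s * interval '1 day' "
            "OR (\"lastchangeAt\" IS NULL AND NOW() - \"createdAt\" > %(last_change_older)s * interval '1 day')) "
            "AND (%(owner)s::uuid IS NULL OR \"ownerId\" = %(owner)s::uuid) "
            "ORDER BY id",
            {'last_change_older': last_change_older, 'owner': owner})
        # … unchanged: return _decode_nested_json(...) …
```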
@@ -105,7 +111,7 @@ def pad_mail(db, id, template, formats): with db.cursor() as cursor: -@@ -144,12 +143,12 @@ +@@ -144,12 +145,12 @@ def user_list(db, columns): with db.cursor() as cursor: # this is no sql injection vulnerability because we let click verify the content of "columns" to match a whitelist @@ -120,7 +126,7 @@ return _decode_nested_json([cursor.fetchone()], ['profile', 'history'])[0] def user_get_mail(db, id): -@@ -192,12 +191,11 @@ +@@ -192,12 +193,11 @@ @click.group() @click.option('-o', '--output', type=click.Choice(['text', 'json', 'tsv', 'tsv-noheader']), default='text', help='Select output format', show_default=True, show_envvar=True) @@ -135,7 +141,16 @@ @click.pass_context def cli(ctx, **kwargs): ctx.obj = GlobalState(kwargs) -@@ -231,10 +229,10 @@ +@@ -219,7 +219,7 @@ + @cli_pad.command(name="list", help="List all pads") + @click.option('-c', '--columns', default=['id'], type=click.Choice(['id', 'title', 'content', 'ownerId', 'createdAt', 'updatedAt', 'shortid', 'permission', 'viewcount', 'lastchangeuserId', 'lastchangeAt', 'alias', 'deletedAt', 'authorship']), help="Select what data to display. Can be passed multiple times.", multiple=True, show_default=True, show_envvar=True) + @click.option('--last-change-older', type=click.INT, default=0, help='Only list those pads which are older than this value. In days.', show_envvar=True) +-@click.option('--owner', type=click.STRING, default='', help='Only list pads with this owner, pass the user id', show_envvar=True) ++@click.option('--owner', type=click.STRING, help='Only list pads with this owner, pass the user id', show_envvar=True) + @click.pass_obj + def _pad_list(obj, columns, last_change_older, owner): + output_object(pad_list(obj.db, columns, last_change_older=last_change_older, owner=owner)) +@@ -231,10 +231,10 @@ output_object(pad_get(obj.db, id)) @cli_pad.command(name="delete", help="Deletes a pad")
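Review bot: In the hunk that changes the `--owner` option of `_pad_list`, the value stays `type=click.STRING` and is later cast with `::uuid` in `pad_list`, so a malformed id is only rejected by the database as a query error. Validating at the CLI boundary, as the `--columns` whitelist already does, would be more consistent: `@click.option('--owner', type=click.UUID, help='Only list pads with this owner, pass the user id', show_envvar=True)`. The parsed value would then need passing as `str(owner)` when it is not `None`, unless the driver is set up to adapt UUID objects. `--last-change-older` likewise accepts negative integers; `type=click.IntRange(min=0)` would rule those out.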