Merge branch 'master' into Develop

# Conflicts:
#	test/Calibre-Web TestSummary_Linux.html
Ozzie Isaacs 2022-01-25 19:33:21 +01:00
commit d9d6fb33ba
6 changed files with 18 additions and 14 deletions


@ -29,6 +29,9 @@ To receive fixes for security vulnerabilities it is required to always upgrade t
| V 0.6.15 | Cross-Site Scripting vulnerability on uploaded cover file names. Thanks to @ibarrionuevo || | V 0.6.15 | Cross-Site Scripting vulnerability on uploaded cover file names. Thanks to @ibarrionuevo ||
| V 0.6.15 | Creating public shelfs is now denied if user is missing the edit public shelf right. Thanks to @ibarrionuevo || | V 0.6.15 | Creating public shelfs is now denied if user is missing the edit public shelf right. Thanks to @ibarrionuevo ||
| V 0.6.15 | Changed error message in case of trying to delete a shelf unauthorized. Thanks to @ibarrionuevo || | V 0.6.15 | Changed error message in case of trying to delete a shelf unauthorized. Thanks to @ibarrionuevo ||
| V 0.6.16 | JavaScript could get executed on authors page. Thanks to @alicaz ||
| V 0.6.16 | Localhost can no longer be used to upload covers. Thanks to @scara31 ||
| V 0.6.16 | Another case where public shelfs could be created without permission is prevented. Thanks to @ibarrionuevo ||
## Staement regarding Log4j (CVE-2021-44228 and related) ## Staement regarding Log4j (CVE-2021-44228 and related)


@ -151,7 +151,7 @@ def selected_roles(dictionary):
BookMeta = namedtuple('BookMeta', 'file_path, extension, title, author, cover, description, tags, series, ' BookMeta = namedtuple('BookMeta', 'file_path, extension, title, author, cover, description, tags, series, '
'series_id, languages, publisher') 'series_id, languages, publisher')
STABLE_VERSION = {'version': '0.6.16 Beta'} STABLE_VERSION = {'version': '0.6.17 Beta'}
NIGHTLY_VERSION = {} NIGHTLY_VERSION = {}
NIGHTLY_VERSION[0] = '$Format:%H$' NIGHTLY_VERSION[0] = '$Format:%H$'


@ -270,7 +270,7 @@ if ($("body.book").length > 0) {
if (position + $("#add-to-shelves").width() > $(window).width()) { if (position + $("#add-to-shelves").width() > $(window).width()) {
positionOff = position + $("#add-to-shelves").width() - $(window).width(); positionOff = position + $("#add-to-shelves").width() - $(window).width();
adsPosition = position - positionOff - 5 adsPosition = position - positionOff - 5;
$("#add-to-shelves").attr("style", "left: " + adsPosition + "px !important; right: auto; top: " + topPos + "px"); $("#add-to-shelves").attr("style", "left: " + adsPosition + "px !important; right: auto; top: " + topPos + "px");
} else { } else {
$("#add-to-shelves").attr("style", "left: " + position + "px !important; right: auto; top: " + topPos + "px"); $("#add-to-shelves").attr("style", "left: " + position + "px !important; right: auto; top: " + topPos + "px");
@ -429,7 +429,7 @@ if($("body.advsearch").length > 0) {
if (position + $("#add-to-shelves").width() > $(window).width()) { if (position + $("#add-to-shelves").width() > $(window).width()) {
positionOff = position + $("#add-to-shelves").width() - $(window).width(); positionOff = position + $("#add-to-shelves").width() - $(window).width();
adsPosition = position - positionOff - 5 adsPosition = position - positionOff - 5;
$("#add-to-shelves").attr("style", "left: " + adsPosition + "px !important; right: auto; top: " + topPos + "px"); $("#add-to-shelves").attr("style", "left: " + adsPosition + "px !important; right: auto; top: " + topPos + "px");
} else { } else {
$("#add-to-shelves").attr("style", "left: " + position + "px !important; right: auto; top: " + topPos + "px"); $("#add-to-shelves").attr("style", "left: " + position + "px !important; right: auto; top: " + topPos + "px");
@ -479,12 +479,12 @@ if ($.trim($("#add-to-shelves").html()).length === 0) {
$("#add-to-shelf").addClass("empty-ul"); $("#add-to-shelf").addClass("empty-ul");
} }
shelfLength = $("#add-to-shelves li").length shelfLength = $("#add-to-shelves li").length;
emptyLength = 0 emptyLength = 0;
$("#add-to-shelves").on("click", "li a", function () { $("#add-to-shelves").on("click", "li a", function () {
console.log("#remove-from-shelves change registered"); console.log("#remove-from-shelves change registered");
emptyLength++ emptyLength++;
setTimeout(function () { setTimeout(function () {
if (emptyLength >= shelfLength) { if (emptyLength >= shelfLength) {


@ -59,10 +59,10 @@ $("#archived_cb").on("change", function() {
) )
}; };
$("#shelf-actions").on("click", "[data-shelf-action]", function (e) { $("#add-to-shelves, #remove-from-shelves").on("click", "[data-shelf-action]", function (e) {
e.preventDefault(); e.preventDefault();
$.ajax({ $.ajax({
url: this.href, url: $(this).data('href'),
method:"post", method:"post",
data: {csrf_token:$("input[name='csrf_token']").val()}, data: {csrf_token:$("input[name='csrf_token']").val()},
}) })
@ -72,7 +72,7 @@ $("#archived_cb").on("change", function() {
case "add": case "add":
$("#remove-from-shelves").append( $("#remove-from-shelves").append(
templates.remove({ templates.remove({
add: this.href, add: $this.data('href'),
remove: $this.data("remove-href"), remove: $this.data("remove-href"),
content: $("<div>").text(this.textContent).html() content: $("<div>").text(this.textContent).html()
}) })
@ -82,7 +82,7 @@ $("#archived_cb").on("change", function() {
$("#add-to-shelves").append( $("#add-to-shelves").append(
templates.add({ templates.add({
add: $this.data("add-href"), add: $this.data("add-href"),
remove: this.href, remove: $this.data('href'),
content: $("<div>").text(this.textContent).html(), content: $("<div>").text(this.textContent).html(),
}) })
); );
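Review bot: The POST target at `url: $(this).data('href')` is now read through jQuery's `.data()`, which caches the value and applies type coercion to data attributes; for a URL the raw attribute is what is wanted, so `url: $(this).attr("data-href")` is the more predictable read. The same applies to the two `$this.data('href')` reads in the `add` and `remove` cases. Those three reads also use single quotes where the neighbouring `"remove-href"` and `"add-href"` lines use double quotes. The handler starts and continues outside the visible hunks, so where `$this` is bound and whether the request has a failure path cannot be seen from here.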


@ -260,7 +260,7 @@
{% for shelf in g.shelves_access %} {% for shelf in g.shelves_access %}
{% if not shelf.id in books_shelfs and ( not shelf.is_public or g.user.role_edit_shelfs() ) %} {% if not shelf.id in books_shelfs and ( not shelf.is_public or g.user.role_edit_shelfs() ) %}
<li> <li>
<a href="{{ url_for('shelf.add_to_shelf', book_id=entry.id, shelf_id=shelf.id) }}" <a data-href="{{ url_for('shelf.add_to_shelf', book_id=entry.id, shelf_id=shelf.id) }}"
data-remove-href="{{ url_for('shelf.remove_from_shelf', book_id=entry.id, shelf_id=shelf.id) }}" data-remove-href="{{ url_for('shelf.remove_from_shelf', book_id=entry.id, shelf_id=shelf.id) }}"
data-shelf-action="add" data-shelf-action="add"
> >
@ -275,7 +275,7 @@
{% if books_shelfs %} {% if books_shelfs %}
{% for shelf in g.shelves_access %} {% for shelf in g.shelves_access %}
{% if shelf.id in books_shelfs %} {% if shelf.id in books_shelfs %}
<a href="{{ url_for('shelf.remove_from_shelf', book_id=entry.id, shelf_id=shelf.id) }}" <a data-href="{{ url_for('shelf.remove_from_shelf', book_id=entry.id, shelf_id=shelf.id) }}"
data-add-href="{{ url_for('shelf.add_to_shelf', book_id=entry.id, shelf_id=shelf.id) }}" data-add-href="{{ url_for('shelf.add_to_shelf', book_id=entry.id, shelf_id=shelf.id) }}"
class="btn btn-sm btn-default" role="button" data-shelf-action="remove" class="btn btn-sm btn-default" role="button" data-shelf-action="remove"
> >
@ -309,13 +309,13 @@
{% block js %} {% block js %}
<script type="text/template" id="template-shelf-add"> <script type="text/template" id="template-shelf-add">
<li> <li>
<a href="<%= add %>" data-remove-href="<%= remove %>" data-shelf-action="add"> <a data-href="<%= add %>" data-remove-href="<%= remove %>" data-shelf-action="add">
<%= content %> <%= content %>
</a> </a>
</li> </li>
</script> </script>
<script type="text/template" id="template-shelf-remove"> <script type="text/template" id="template-shelf-remove">
<a href="<%= remove %>" data-add-href="<%= add %>" class="btn btn-sm btn-default" data-shelf-action="remove"> <a data-href="<%= remove %>" data-add-href="<%= add %>" class="btn btn-sm btn-default" data-shelf-action="remove">
<span class="glyphicon glyphicon-remove"></span> <%= content %> <span class="glyphicon glyphicon-remove"></span> <%= content %>
</a> </a>
</script> </script>
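Review bot: The four `<a>` elements changed in this file lose their `href`, and an anchor without `href` is not in the tab order and does not activate on Enter, so the shelf actions become mouse-only. Keeping `href="#"` next to `data-href` would restore keyboard access while still preventing a plain GET to the state-changing URL; the click handler in the JS section already calls `e.preventDefault()`. Alternatively, use `<button type="button" data-href="…">`. Separately, the two client-side templates interpolate `<%= add %>` and `<%= remove %>` unescaped into attribute values, while only `content` is escaped by the caller. If these are Underscore-style templates, `<%- add %>` is the HTML-escaping form and would be the safer default for attribute context.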


@ -9,6 +9,7 @@
{% if g.user.is_authenticated %} {% if g.user.is_authenticated %}
{% if g.user.shelf.all() or g.shelves_access %} {% if g.user.shelf.all() or g.shelves_access %}
<div id="shelf-actions" class="btn-toolbar" role="toolbar"> <div id="shelf-actions" class="btn-toolbar" role="toolbar">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
<div class="btn-group" role="group" aria-label="Add to shelves"> <div class="btn-group" role="group" aria-label="Add to shelves">
<button id="add-to-shelf" type="button" class="btn btn-primary btn-sm dropdown-toggle" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <button id="add-to-shelf" type="button" class="btn btn-primary btn-sm dropdown-toggle" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
<span class="glyphicon glyphicon-list"></span> {{_('Add to shelf')}} <span class="glyphicon glyphicon-list"></span> {{_('Add to shelf')}}
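Review bot: The hidden `csrf_token` input added inside `#shelf-actions` sits outside any `<form>`, so nothing in this template shows what consumes it. A short template comment such as `{# read by the shelf add/remove AJAX handler, not submitted with a form #}` would keep it from being removed later as dead markup. The JS handler on this page looks the token up with the page-wide selector `input[name='csrf_token']`, which takes the first matching input in the document. Scoping that lookup to `#shelf-actions` would make the dependency on this input explicit.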