jrogelstad / featherbone Goto Github PK

A non-super user is able to export a super user object. Because user object exports include credentials, this allows any user to authenticate to any other user in the system except for the initial administrative account (E.G.: postgres) as that password does appear to be stripped.

Issue:

1. Password should not be exported in plaintext (see related issue)
2. UI is greyed out for exporting user objects, however the action is still permitted
3. User is able to view and export an object that may not be desirable in a production system.

Expected result:

1. User is not able to export object because the option is greyed out.
2. Optionally, user may not view other user object without authorization
3. Object export should not include plaintext password (see related issue)

Incomplete feature

When a feather is created, it is not immediately available for use when a new workbook is created. Work around is to refresh the browser.

Export a user object from the FeatherBone UI.

The user's password is included in plain text.

Expected result: Strip the password out, or encrypt it.

Also, the UI for exporting user objects appears greyed out, but still allows the object to be exported.

Auto populate contact children for email and phone

Should be able to web search all documents.

Prevent it from being possible to run a sql statement from a service definition stored in the database.

Need a way to create settings via designer GUI. Also include in packaging

How should it work?

Server should not accept value if it's not in the dataList and feather property format is enum.

Try filtering on "amount" in opportunity in cardinal project. It can not be done.

Missing newer authentication functions. Needs API key support.

Password issues when creating a user:

1. plain text credential is being logged/written to console on user create (this is understood as being in development, but something to filter out before getting anywhere close to production)

2. user and credential are posted together over an unencrypted connection. Add HTTPS/TLS support, and investigate/confirm either a) hooks to third party libraries allow you to wholly bypass touching passwords, and/or that they protect the credential at the time of account creation.

Drag 'n drop actions on worksheets including column width, column position and tab move/delete do not work on Firefox browsers.

On the current basic authentication form (username, password), specifically the password field, add a keypress handler for {event}.keyCode == 13 to submit form without having to tab to or click on the submit button.

A user should be able to update their own contact information from within the application. Currently a menu option exists that is disabled.

On a form like the "Feather" form where there are two or more lists, if you do Alt + I you can an insert on all the lists

Currently 'postgres' is set as the service user by default as a matter of convenience, but this user created by the postgres installer has super user access which is very dangerous to grant to a service.

Proposed solution:

• Disallow the service user from being a db super user
• Require superuser credentials at the command line when running install when either the database or service user does not exist
• Create service user if necessary on install and grant necessary db privileges to function as service user

A user should be able to update their own password from within the application. Currently a menu option exists that is disabled.

Add a function to synchronize roles and user accounts based on postgres roles.

If an empty database is created ahead of time (instead of featherbone creating it itself) and you run node install against it, it will throw an error:

C:\Users\john\Documents\GitHub\featherbone>node install
(node:6992) UnhandledPromiseRejectionWarning: error: relation "$settings" does not exist
at Connection.parseE (C:\Users\john\Documents\GitHub\featherbone\node_modules\pg\lib\connection.js:554:11)
at Connection.parseMessage (C:\Users\john\Documents\GitHub\featherbone\node_modules\pg\lib\connection.js:379:19)
at Socket. (C:\Users\john\Documents\GitHub\featherbone\node_modules\pg\lib\connection.js:119:22)
at Socket.emit (events.js:200:13)
at addChunk (_stream_readable.js:294:12)
at readableAddChunk (_stream_readable.js:275:11)
at Socket.Readable.push (_stream_readable.js:210:10)
at TCP.onStreamRead (internal/stream_base_commons.js:166:17)
(node:6992) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). (rejection id: 1)
(node:6992) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.

If you create a new record in a form that was launched in a new browser tab, based on the worksheet configuration to create records in a new browser tab, the record can not be deleted. Work around: refresh the browser.

Need to do the following

• Call Delete feather
• Hard delete old feather record

While trying to create the feather ... picked one. Then I decided to try to change it. However, when I did (from Object to Document) I received an error about 'Owner' not existing. When I tried to add 'Owner' I received a script callback error.

It should be possible to deactivate a user so they can not log in, without deleting their account.

So Open API integration can work

Should not be allowed for now. Long term, deleting a module should hard delete all it's constituent components.

When you change a user name in the UI. When you save, you get an error about the role name not existing.

Expected behavior: Server should throw an error name cannot be changed. Client should make the name field read only so this isn't possible from the client in the first place.

Overloads for default, required, type aren't enforced on server side

No default password policy or reset confirmation are in effect.

1. When changing a password, the current password is not required for the current user to confirm they know the current password. However, resetting a password to blank indicates success, but does not actually change the value (apparently), and the previous password is still in effect.
2. No password policy or strength rule is in effect. Blank and single character passwords are allowed.

Reproduction Steps:

1. Authenticate as a non-super user
2. Edit account for context user
3. Set context user as a super user
4. Save

Observed Results:

User

1. is promoted to super user

Expected Results:

1. User is not authorized to edit field
2. User is not authorized to affect change to escalate privilege.

Repro Steps:

1. Create a new module
2. In the code section, add the following:
   throw "Hi John!";
3. Restart node
4. Try to login.

Expected Results: No change, or the error is caught.
Observed Results: Login does not proceed with any indication of status. Any attempt to access the app afterwards results in a blank page.
Recovery: It is then necessary to delete the module from the script table before the app may be accessed again.