Commit Graph

554 Commits

Author SHA1 Message Date
Jordi Gutiérrez Hermoso
54502280de (core) AdminPanel: hide the enterprise toggle in core and grist-ee images
Summary:
In the pure OSS `grist-oss` image, the `ActivationPage` module from
stubs is used, as the `ext` code is completely missing. We can easily
just always return `false` here.

In the case when the `ext` directory exists, this may mean we're in
the standard `grist` image or the `grist-ee` image. The latter is
distinguished by having `GRIST_FORCE_ENABLE_ENTERPRISE` so we check if
that's on, and hide the toggle accordingly if so.

Test Plan:
Use these changes to build the three Docker images
(`grist-oss`, `grist`, and `grist-ee`) and verify that only `grist`
shows the toggle.

Reviewers: jarek

Reviewed By: jarek

Subscribers: jarek

Differential Revision: https://phab.getgrist.com/D4321
2024-08-19 15:51:24 -04:00
Paul Fitzpatrick
0a78cdbaab (core) updates from grist-core 2024-08-19 07:01:01 -04:00
George Gevoian
e70c294e3d (core) Add custom widget gallery
Summary:
Custom widgets are now shown in a gallery.

The gallery is automatically opened when a new custom widget is
added to a page.

Descriptions, authors, and update times are pulled from the widget
manifest.

Test Plan: Browser tests.

Reviewers: jarek

Reviewed By: jarek

Subscribers: dsagal

Differential Revision: https://phab.getgrist.com/D4309
2024-08-14 16:48:36 -04:00
Grégoire Cutzach
93ed1bec5e
feat: forms inhibited when summary selected and vice versa (#1037) 2024-08-14 10:59:06 -04:00
Dmitry S
69aabd1ae0 (core) Limit related videos when playing onboarding video tour from home page
Summary:
When video is opened from the app homepage, it opens in a popup, which stays
open when it ends. The rel=0 parameter limits the related videos shown at the
end to those from the same channel, avoiding surprising unrelated videos.

This doesn't affect the video shown during initial onboarding, since that once
auto-closes when it ends.

Test Plan: Tested manually

Reviewers: georgegevoian

Reviewed By: georgegevoian

Differential Revision: https://phab.getgrist.com/D4313
2024-08-09 19:24:09 -04:00
Paul Fitzpatrick
9b8d0c9fac (core) updates from grist-core 2024-08-09 17:56:34 -04:00
Dmitry S
4ed90faf79 (core) Fix more tests: bundleSize and Embed
Summary:
1. Unclear why Embed fails often. Locally, it fails for me every time, and
   this tweak makes it pass (while still keeping the test useful).
2. Reduced back main bundle's size by removing dependency of some common
   elements on the full AdminPanel. Updated expected size of errorPages
   bundle to the new reduced size.

Test Plan: No changes to functionality; relying on existing tests to verify that.

Reviewers: jordigh

Reviewed By: jordigh

Subscribers: georgegevoian, jordigh

Differential Revision: https://phab.getgrist.com/D4315
2024-08-09 16:08:31 -04:00
Florent
fde6c8142d
Support nonce and acr with OIDC + other improvements and tests (#883)
* Introduces new configuration variables for OIDC:
  - GRIST_OIDC_IDP_ENABLED_PROTECTIONS
  - GRIST_OIDC_IDP_ACR_VALUES
  - GRIST_OIDC_IDP_EXTRA_CLIENT_METADATA
* Implements all supported protections in oidc/Protections.ts
* Includes a better error page for failed OIDC logins
* Includes some other improvements, e.g. to logging, to OIDC
* Adds a large unit test for OIDCConfig
* Adds support for SERVER_NODE_OPTIONS for running tests
* Adds to documentation/develop.md info about GREP_TESTS, VERBOSE, and SERVER_NODE_OPTIONS.
2024-08-08 15:35:37 -04:00
Paul Fitzpatrick
773588f795 (core) updates from grist-core 2024-08-07 14:06:59 -04:00
Jordi Gutiérrez Hermoso
952544432e UserManager: show proper org domain (#476)
We had `getgrist.com` hardcoded here, which only works for SaaS. The
base domain as well as the way that orgs are encoded in the URL can be
different in other circumstances.

If we are encoding orgs in the domain name, that's easy. We just do
`orgname.base.domain.name`. If we are not, then we first try a base
domain, and if that isn't set, we'll use the domain of the home
server.
2024-08-06 14:39:43 -04:00
George Gevoian
1ce26ea6f5 (core) Fix typo in tutorial card
Test Plan: N/A

Reviewers: jarek

Reviewed By: jarek

Differential Revision: https://phab.getgrist.com/D4308
2024-08-06 09:53:49 -04:00
Jordi Gutiérrez Hermoso
1b6a80335f AdminPanel: add the toggle for enterprise
Final ingredient. This surfaces the work in creating the backend
config API, the frontend model, the grainjs observable, and the
grainjs DOM and CSS components.
2024-07-30 13:41:47 -04:00
Jordi Gutiérrez Hermoso
ffe3b22378 ToggleEnterpriseWidget: new frontend toggle for the admin
Strongly patterned after SupportGristPage. In fact, it has almost the
same structure.

Perhaps one day it would be possible to synchronise the logic between
the two toggles even further, but I couldn't see a simple way to do so
now. For now, some code structure duplication seemed easiest in lieau
of more abstractions.
2024-07-30 13:41:47 -04:00
Jordi Gutiérrez Hermoso
4621b67c8e AdminToggleCss: factor out CSS from SupportGristPage
We will create a new enterprise toggle, so we will need to share the same CSS.
2024-07-30 13:41:47 -04:00
George Gevoian
4740f1f933 (core) Update onboarding flow
Summary:
A new onboarding page is now shown to all new users visiting the doc
menu for the first time. Tutorial cards on the doc menu have been
replaced with a new version that tracks completion progress, alongside
a new card that opens the orientation video.

Test Plan: Browser tests.

Reviewers: jarek

Reviewed By: jarek

Differential Revision: https://phab.getgrist.com/D4296
2024-07-23 11:49:23 -04:00
Dmitry S
063df75204 (core) Forms improvements: mouse selection in firefox, focus, and styling
Summary:
- Remove unused Form file (Label.ts)
- Fix Firefox-specific bug in Forms, where mouse selection wasn't working in textarea.
- Focus and set cursor in textarea on click.
- Save on blur but only when focus stays within the Grist app, as for editing cells.
- Make paragraph margins of rendered form match those in the form editor.

Test Plan: Tested manually on Firefox and Chrome; relying on existing tests that nothing broke.

Reviewers: jarek

Reviewed By: jarek

Differential Revision: https://phab.getgrist.com/D4281
2024-07-17 08:55:04 -04:00
Paul Fitzpatrick
6171a012db (core) updates from grist-core 2024-07-08 08:52:56 -04:00
CamilleLegeron
0bfdaa9c02
Add authorization header in webhooks stored in secrets table (#941)
Summary:
Adding authorization header support for webhooks.

Issue:  https://github.com/gristlabs/grist-core/issues/827

---------

Co-authored-by: Florent <florent.git@zeteo.me>
2024-07-04 14:17:10 +02:00
Jarosław Sadziński
7f28aee79c (core) Billing updates
Summary:
- Adding confirmation dialog when user doesn't want to cancel site
- Changing `Cancel subscription` to `Cancel plan`
- Removing `Pro` from upgrade header on pricing modal
- Better handling situation when there is no default price
- Removing mentions about sprouts program
- Removing cache for stripe plans

Test Plan: Updated tests

Reviewers: georgegevoian

Reviewed By: georgegevoian

Differential Revision: https://phab.getgrist.com/D4273
2024-07-03 09:18:50 +02:00
Leslie H
24ce54b586
Improve session ID security (#1059)
Follow-up of #994. This PR revises the session ID generation logic to improve security in the absence of a secure session secret. It also adds a section in the admin panel "security" section to nag system admins when GRIST_SESSION_SECRET is not set.

Following is an excerpt from internal conversation.

TL;DR: Grist's current implementation generates semi-secure session IDs and uses a publicly known default signing key to sign them when the environment variable GRIST_SESSION_SECRET is not set. This PR generates cryptographically secure session IDs to dismiss security concerns around an insecure signing key, and encourages system admins to configure their own signing key anyway.

> The session secret is required by expressjs/session to sign its session IDs. It's designed as an extra protection against session hijacking by randomly guessing session IDs and hitting a valid one. While it is easy to encourage users to set a distinct session secret, this is unnecessary if session IDs are generated in a cryptographically secure way. As of now Grist uses version 4 UUIDs as session IDs (see app/server/lib/gristSessions.ts - it uses shortUUID.generate which invokes uuid.v4 under the hood). These contain 122 bits of entropy, technically insufficient to be considered cryptographically secure. In practice, this is never considered a real vulnerability. To compare, RSA2048 is still very commonly used in web servers, yet it only has 112 bits of security (>=128 bits = "secure", rule of thumb in cryptography). But for peace of mind I propose using crypto.getRandomValues to generate real 128-bit random values. This should render session ID signing unnecessary and hence dismiss security concerns around an insecure signing key.
2024-06-25 15:43:25 -04:00
Dmitry S
51a34835c5 (core) Disable formula timing UI for non-owners
Summary:
For non-owners, the timing section of Document Settings is now disabled.
For non-editors, the "Reload" section is disabled.

Test Plan: Added a test case for timing being disabled.

Reviewers: jarek

Reviewed By: jarek

Differential Revision: https://phab.getgrist.com/D4275
2024-06-18 10:18:38 -04:00
Jarosław Sadziński
1e2991519f (core) Restoring GRIST_DEFAULT_PRODUCT functionality
Summary: The GRIST_DEFAULT_PRODUCT wasn't used for grist-ee, now it is respected.

Test Plan:
I've build grist-ee docker image from github and run it using our instruction (both for recreating the issue and confirming it is fixed)
```
docker run -p 8484:8484 \
  -v $PWD:/persist \
  -e GRIST_SESSION_SECRET=invent-a-secret-here \
  -e GRIST_SINGLE_ORG=cool-beans
  -it gristlabs/grist-ee
```

For grist-core I recreated/confirmed it is fixed it just by `GRIST_SINGLE_ORG=team npm start` in the core folder.
I also created some team sites using stubbed UI and confirmed that they were using the GRIST_DEFAULT_PRODUCT product.

Reviewers: paulfitz

Reviewed By: paulfitz

Subscribers: paulfitz

Differential Revision: https://phab.getgrist.com/D4271
2024-06-14 19:56:49 +02:00
Spoffy
b98bad0b93 (core) Makes EE frontend behave as core if EE isn't activated
Summary:
- Makes EE decide which ActivationPage to use
- Makes ProductUpgrades use core implementation if not activated
- Changes banners to proxy to core implementation if EE not activated
- [Fix] Enables new site creation in EE as in Core:
    - Core enables people to freely create new team sites.
    - Enterprise currently redirects to the pricing page.
    - This enables enterprise to also create team sites, instead of
    redirecting.

Test Plan: Manually test in EE, unit tests in Jenkins

Reviewers: paulfitz, jordigh

Reviewed By: paulfitz

Differential Revision: https://phab.getgrist.com/D4264
2024-06-14 00:43:51 +01:00
Paul Fitzpatrick
856dbef3df
make the example key on admin panel without auth work when insecure (#1024)
The example key shown on the admin panel to users who are not known to be
administrators is generated using a method that is only available in secure
environments. This adds a fallback for insecure environments. The key is less
solid but again, it is just an example, and for an insecure environment.

Tested manually running locally and using a hostname set in /etc/hosts.
2024-06-12 09:34:31 -04:00
Paul Fitzpatrick
50077540e2 (core) updates from grist-core 2024-06-03 12:31:22 -04:00
Spoffy
587d187453
Removes spacing from admin page auth translation key (#1001)
Updates the authentication message on the admin page, removing newlines and tabs. 

This cleans up the formatting of the resulting translation key (in `en.client.json`). 

Context: https://github.com/gristlabs/grist-core/pull/987#discussion_r1603799796
2024-05-30 15:32:32 +01:00
CamilleLegeron
5956c20c29
feat: add new translations (#1004) 2024-05-29 11:02:00 -07:00
George Gevoian
c469a68d6e (core) Removing virtual tables when they are not needed
Summary:
Clearing virtual tables after user navigates away from the pages
that show them. Leaving them behind will reveal them on the Raw
Data page, with a buggy experience as user can't view the data
there.

Test Plan: Extended tests.

Reviewers: paulfitz

Reviewed By: paulfitz

Subscribers: jarek, georgegevoian

Differential Revision: https://phab.getgrist.com/D4258
2024-05-29 08:46:49 -07:00
Paul Fitzpatrick
5dc4706dc7
reconcile boot and admin pages further (#963)
This adds some remaining parts of the boot page to the admin panel, and then removes the boot page.
2024-05-23 16:40:31 -04:00
Paul Fitzpatrick
76a43129f1 (core) updates from grist-core 2024-05-23 13:27:59 -04:00
Jarosław Sadziński
a6ffa6096a (core) Adding UI for timing API
Summary:
Adding new buttons to control the `timing` API and a way to view the results
using virtual table features.

Test Plan: Added new

Reviewers: georgegevoian

Reviewed By: georgegevoian

Subscribers: paulfitz

Differential Revision: https://phab.getgrist.com/D4252
2024-05-22 14:56:53 +02:00
Jarosław Sadziński
60423edc17 (core) Customizable stripe plans.
Summary:
- Reading plans from Stripe, and allowing Stripe to define custom plans.
- Storing product features (aka limits) in Stripe, that override those in db.
- Adding hierarchical data in Stripe. All features are defined at Product level but can be overwritten on Price levels.
- New options for Support user to
-- Override product for team site (if he is added as a billing manager)
-- Override subscription and customer id for a team site
-- Attach an "offer", an custom plan configured in stripe that a team site can use
-- Enabling wire transfer for subscription by allowing subscription to be created without a payment method (which is customizable)

Test Plan: Updated and new.

Reviewers: georgegevoian

Reviewed By: georgegevoian

Differential Revision: https://phab.getgrist.com/D4201
2024-05-19 09:09:19 +02:00
CamilleLegeron
6443c9f914
feat: add translation of vue types when added (#946) 2024-05-17 11:55:24 -07:00
Spoffy
b4acb157f8
Displays the current authentication mechanism in the admin panel (#981)
* Adds authentication mechanism to admin panel

Adds field to the "Security settings" admin display, showing the
currently configured authentication mechanism.

* Adds 14px margin to admin panel names
2024-05-16 18:09:38 +01:00
Grégoire Cutzach
d8f4e075fe
feat: ADD Terms of service link (#985)
Adds an optional terms of service link for sites that need it.

---------

Co-authored-by: Jonathan Perret <j-github@jonathanperret.net>
2024-05-16 11:31:37 -04:00
Grégoire Cutzach
bb249ff462
fix: cancel when escape (#986) 2024-05-16 17:15:14 +02:00
George Gevoian
e299f4466b (core) Support reordering conditional styles
Summary: Conditional style rules can now be reordered by dragging and dropping them.

Test Plan: Browser test.

Reviewers: jarek

Reviewed By: jarek

Differential Revision: https://phab.getgrist.com/D4251
2024-05-13 14:45:11 -07:00
Paul Fitzpatrick
85f1040439 (core) updates from grist-core 2024-05-13 09:06:59 -04:00
Jarosław Sadziński
00c8343e8a (core) Updating UI for Document Settings
Summary: Updating UI for Document Settings, by reusing components from Admin panel

Test Plan: Existing

Reviewers: georgegevoian

Reviewed By: georgegevoian

Differential Revision: https://phab.getgrist.com/D4250
2024-05-13 08:54:04 +02:00
Spoffy
1e63c28a2a
Adds multiple missing translations (#972)
Adds several missing translations, mostly in Forms and the onboarding modals.
2024-05-10 14:31:54 +01:00
Paul Fitzpatrick
d431c1eb63 (core) add a sandbox check to admin panel, and start reconciling boot and admin pages
Summary:
This adds a basic sandbox check to the admin panel. It also makes
the "probes" used in the boot page available from the admin panel,
though they are not yet displayed. The sandbox check is built as
a probe.

In the interests of time, a lot of steps had to be deferred:
 * Reconcile fully the admin panel and boot page. Specifically, the
   admin panel should be equally robust to common configuration problems.
 * Add tests for the sandbox check.
 * Generalize to multi-server setups. The read-out will not yet be useful
   for setups where doc workers and home servers are configured
   separately.

Test Plan: Added new test

Reviewers: jarek, georgegevoian

Reviewed By: georgegevoian

Differential Revision: https://phab.getgrist.com/D4241
2024-04-29 20:52:39 -04:00
Jarosław Sadziński
ecf242c6c6 (core) Adding latest version section to the admin panel.
Summary:
Update for the admin page to show the latest available version information.
- Latest version is read from docs.getgrist.com by default
- It sends basic information (installationId, deployment type, and version)
- Checks are done only on the page itself
- The actual request is routed through the API (to avoid CORS)

Test Plan: Added new test

Reviewers: paulfitz

Reviewed By: paulfitz

Subscribers: paulfitz

Differential Revision: https://phab.getgrist.com/D4238
2024-04-29 21:59:36 +02:00
Paul Fitzpatrick
a3442aee77 (core) updates from grist-core 2024-04-29 15:01:40 -04:00
fflorent
f405ae715b Bump dependencies versions 2024-04-29 14:54:36 -04:00
George Gevoian
8012e376b5 (core) Add learn more link to tooltip
Summary:
Adds a link to the support site documentation from the tooltip
about filtering reference choices with dropdown conditions.

Test Plan: N/A

Reviewers: paulfitz

Reviewed By: paulfitz

Differential Revision: https://phab.getgrist.com/D4240
2024-04-26 18:28:53 -04:00
George Gevoian
3112433a58 (core) Add dropdown conditions
Summary:
Dropdown conditions let you specify a predicate formula that's used to filter
choices and references in their respective autocomplete dropdown menus.

Test Plan: Python and browser tests (WIP).

Reviewers: jarek, paulfitz

Reviewed By: jarek

Subscribers: dsagal, paulfitz

Differential Revision: https://phab.getgrist.com/D4235
2024-04-26 16:57:55 -04:00
Paul Fitzpatrick
4567fad947 (core) updates from grist-core 2024-04-15 09:24:09 -04:00
CamilleLegeron
fe9cc80ccc
Create team site for self-hosted instances (#903) 2024-04-15 00:55:57 -07:00
George Gevoian
6f3cd1ec2f (core) Remove forms popup
Summary: The forms announcement popup should no longer be shown.

Test Plan: N/A

Reviewers: paulfitz

Reviewed By: paulfitz

Subscribers: paulfitz

Differential Revision: https://phab.getgrist.com/D4229
2024-04-12 16:10:44 -07:00
CamilleLegeron
76ef4d54f8
Webhook trigger update by column (#832)
Add functionality to filter webhooks based on a column or columns.
2024-04-12 16:04:37 -04:00