Thomas Lamprecht [Tue, 31 Jan 2023 16:21:05 +0000 (17:21 +0100)]
form: display-edit: add safe default renderer for display field
Due to the value binding one can get interesting effects when the
displayEdit field is in write (input) mode, as then the values still
get relayed to the display field, which itself is wanted as the field
supports live-switching, but even though the display field is
disabled and hidden, the value will be still rendered and a user can
XSS themselves inserting things like:
<img src="a" onerror="alert('cookie:'+document.cookie);"></token
And even though it's harmless (your browser knows your own cookie
already), it is rather odd and simply too cheap to harden against (per
default) to not do so.
Reported-by: Marcel Fromkorth <marcel.fromkorth@8com.de>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Tue, 31 Jan 2023 14:56:25 +0000 (15:56 +0100)]
api request: add wide spread alert-error logic as smart-on option
The "smartness" is mostly "enable it automatically if the caller did
not specify an explicit override and there's neither a failure nor
callback function defined", but that should cover most cases.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Tue, 31 Jan 2023 14:41:39 +0000 (15:41 +0100)]
utils: always html-encode response message
while this is something that only the user that made the request will
see, and for most people the possibility of "hacking" themselves is
rather redundant, it is still not nice to have this possible in
general; as even if it's highly unlikely that there ever can be an
error triggered to another user via API2 request handling, hardening
against it is simply too cheap to not do it.
Reported-by: Marcel Fromkorth <marcel.fromkorth@8com.de>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Dominik Csapak [Wed, 18 Jan 2023 13:12:57 +0000 (14:12 +0100)]
ComboGrid: make height for the error configurable
by introducing an errorHeight config property. This is necessary when
the ComboGrid has e.g. a toolbar and we show the error in the grid body
only, 100 pixels is not enough then. To solve that without hardcoding
different heights, let the subclass/caller configure that
also set this when the store load fails completely (was not done until now)
Dominik Csapak [Wed, 18 Jan 2023 13:12:56 +0000 (14:12 +0100)]
ComboGrid: use the grids view for the error message
for most of the combogrids, this does not make a difference, but we
want to have a node selection in some of their toolbars. There
having the error over the whole grid makes it impossible to select a
different node (which might be necessary to get rid of the error), so
we show the error on the view (which is the grids content body only).
privilege role selector: fix renderer for Proxmox VE
In PBS we get an array here, so the renderer is fine, but in pve it's
just a long string, so add a space after commas to achieve the same
effect.
Without this, the second column is not visible in pve because of an
error in the renderer (no 'join' function on a string)
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
[ T: squash in code-reduction to make it a one-liner again ]
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Adds a download button in the TaskViewer. Uses the newly created
downloadAsFile() method in the Utils class.
Signed-off-by: Daniel Tschlatscher <d.tschlatscher@proxmox.com>
Tested-by: Stefan Sterz <s.sterz@proxmox.com>
Reviewed-by: Stefan Sterz <s.sterz@proxmox.com>
Adds a function for downloading a file from a remote URL in the Utils
class and uses it to revise one similar usage in FileBrowser.js
Signed-off-by: Daniel Tschlatscher <d.tschlatscher@proxmox.com>
Tested-by: Stefan Sterz <s.sterz@proxmox.com>
Reviewed-by: Stefan Sterz <s.sterz@proxmox.com>
fix #4271: api-viewer: display nested formats instead of [object Object]
I tried to keep the format as close to the HTML docs as possible, but
there are a few discrepancies between HTML docs and how this patch
displays parameters, instead of:
- <enum>,the enum variants are displayed. [1]
- <0|1>, <boolean> is displayed.
[1] The HTML docs explain parameters after the initial format string,
which the GUI doesn't (and there's no space for that). Showing the
variants inline is the easiest way to not lose information here.
Thomas Lamprecht [Tue, 15 Nov 2022 14:16:39 +0000 (15:16 +0100)]
input panel: add onSetValues hook
As counter-part to `onGetValue`, which is for form assembly, add the
`onSetValues` helper that allows to hook into setting the values on
the fields, for example if one needs to transform a `disabled` to
`enable`.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Daniel Bowder [Fri, 1 Jul 2022 00:09:47 +0000 (17:09 -0700)]
fix #3593: add CpuSet type to js
Regex parses a cpuset via 2 matches. Find number(s) or range(s) followed
by a comma, then, find a single number or a single range not followed
by a comma. E.g., 0-1,4-5,6,7,10,11,14-15
CpuSet function first checks regex, then ensures left num <= right num
Signed-off-by: Daniel Bowder <daniel@bowdernet.com>
The text needs to be defined in the wait() call as otherwise the
Ext.Progressbar will show a percentage that is not correct anyway but
just reflects where the animated progress bar itself is.
Stefan Sterz [Wed, 7 Sep 2022 09:37:40 +0000 (11:37 +0200)]
fix: toolkit: make email regex pattern match pve-common
`proxmoxMail` used its own regex pattern to validate emails. that
meant certain email addresses were rejected by the front-end that
were accepted by the backend that uses the functionality from
`pve-common`. examples include the following:
fix: gui: up/down arrow keys increment/decrement twice in Number field
When the up or down arrow key on the keyboard was pressed while a
number text field (or any one descending from Ext.form.field.Spinner)
was selected, the up and down callbacks for that text field's KeyNav
were called twice. Therefore, the value in the text field would always
incorrectly increment/decrement by step * 2.
The problem was an overwrite for the onRender() method of the Spinner
class, which caused the callbacks for pressing an arrow key to be
registered for a second time. Simply not doing that in the overwritten
onRender() method fixes the problem.
The redundant declarations for spinUpEl and spinDownEl were removed as
well. Additionally, the 'mousewheel' event handler, registered in the
overwritten (but still executed) parent function, is unregistered now,
as it could lead to unintended side effects in browsers which still
implement this event.
Signed-off-by: Daniel Tschlatscher <d.tschlatscher@proxmox.com>
Thomas Lamprecht [Sun, 15 May 2022 08:37:43 +0000 (10:37 +0200)]
file browser: only disable button if not downloadable and add hint in tooltip
To avoid too much layout jumping if the whole button disappears
(changes height of footer bar too), rather explain to the user the
why and what they can do instead.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Stefan Sterz [Thu, 5 May 2022 13:52:48 +0000 (15:52 +0200)]
fix #4001: FileBrowser: add menu to button and selected entry label
this commit adds a label showing the currently selected entry in the
file browser and merges the "Download .tar.zst" and "Download .zip"
button into one menu button.
Thomas Lamprecht [Sat, 14 May 2022 12:07:06 +0000 (14:07 +0200)]
ui: acl role selector: make wider and wrap priv column
as UX was pretty poor, one could only see one and a half privileges
of the role, the rest overflowed and was hidden. While the column
could be resized, doing so would make the role name column shrink
automatically, and it really shouldn't be required in the first
place.
This is a very important selector and all privs of a role must be
visible when opening without any manual user interaction required.
So increase the width to 500px, make the priv column take more
relative space and enable cellWrap to avoid hidden overflow.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
window/FileBrowser: try reload again when getting a 503 error
for the file restore, we return a 503 error when we were not finished
mounting a disk in the restore vm, so ignore that error and try again
(up to 10 times) so a file listing now has a "real" timeout of
up to 300 seconds (30s pveproxy timeout * 10) instead of only 30,
which should be enough for most situations.
we also increase the proxy timeout to 60 seconds, since if one has many
disks, all of them will try to load at the same time, but the browser
has a maximum request limit and will stall+queue the remaining ones. so
those will not run into the extjs timeout when we increase it here.
for older backends without the new 503 returning feature, the calls
will still run into a pveproxy timeout anyway.
we also have to reimplement the 'monStoreErrors' functionality to
get a slightly different behaviour:
we disable the default extj loadMask of the treepanel and set it
ourselves. then on 503 we leave it up, and only remove it on success
or error (for non initial loads)
Dominik Csapak [Thu, 10 Mar 2022 14:31:37 +0000 (15:31 +0100)]
StatusView: fix usage calculation for fields without valid values
Sometimes, total can be zero (e.g. for swap when it's not used), which
leads to the usage being NaN. This led to the progressbar not being
updated for InfoWidgets, leaving a spurious '0%' as text.
Stefan Sterz [Tue, 12 Apr 2022 10:34:21 +0000 (12:34 +0200)]
toolkit: refactor markdown based NotesView and NotesEdit
refactor them to make them more flexible and, thus, usable in pbs.
adds parameters for enabling the TBar, setting the help section in the
editing dialog and cleans up the code in some places
Stefan Sterz [Tue, 12 Apr 2022 10:34:20 +0000 (12:34 +0200)]
toolkit: add NotesView panel and NotesEdit window
move them here from pve so we can maintain them across several
products
Signed-off-by: Stefan Sterz <s.sterz@proxmox.com>
[ T: also rename class/xtypes to avoid temporary breakage ]
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Wed, 13 Apr 2022 09:09:07 +0000 (11:09 +0200)]
css: fix tab icon/text baseline
the baseline for the text was seriously off, the text had
(relatively) much more space below than above, which looks off for
buttons with an actual background
Instead of centering with margin/padding explicitly, do so with the
flex layout model.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Tue, 12 Apr 2022 14:36:50 +0000 (16:36 +0200)]
object grid: call renderer with our scope
having window as this scope has zero benefits and while one could
already try to get the local scope via some Ext.ComponentQuery query
it's just nicer to have it easily available.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Dominik Csapak [Mon, 28 Mar 2022 13:53:45 +0000 (15:53 +0200)]
form: combo grid: fix selection after filtering
firing 'refresh' in 'clearLocalFilter' was wrong, since that triggers
too often, for example when selecting an entry (since the field lost
focus). This led to the picker refreshing and not registering the
click and thus not selecting the desired entry.
Instead refresh the view when we really need it: when the picker is shown.
The filter is already gone, but the picker grid does not know this yet,
so we fire the event then.
Dominik Csapak [Tue, 29 Mar 2022 14:04:10 +0000 (16:04 +0200)]
node/Tasks: don't count 'preFilters' as normal filters
they can not be removed nor are they visible, so don't count them.
When having a prefilter, we now don't show anymore that there is an
active filter, and don't enable the button anymore.
This is the case for vms for example (vmid is a prefilter).
Dominik Csapak [Fri, 18 Mar 2022 10:00:11 +0000 (11:00 +0100)]
utils: clear cookies with secure flag set
otherwise firefox complains with a deprecation warning that the secure-flag
is not set but SameSite to 'None'. Since we cannot know how firefox will
behave once that behaviour is no longer supported, add the secure flag
now.
Note: ExtJS also clears by setting the cookie with an empty value,
there's no browser supported clear api.
Dominik Csapak [Thu, 3 Mar 2022 14:11:45 +0000 (15:11 +0100)]
fix #3919: log view: show first task output line correctly
if a task did not produce output yet, we always get a single line
with "no output". our heuristic in the gui counts the total lines +
the current position. so to update the first output correctly, we
have to update every time in case we only have one line.
Otherwise, we only update on the second line, which is bad
in case the only line we ever get is the result.
Dominik Csapak [Wed, 23 Feb 2022 11:05:06 +0000 (12:05 +0100)]
fix drag&drop for pointerType 'pen'
some devices (e.g. vms via novnc, and some laptops) get the pointerType
'pen' under chromium.
the DragZone handler tries to ignore touch input for that by
checking for "=== 'mouse'" which does not include 'pen'
so override that to handle it when the pointerType !== 'touch'
Fabian Ebner [Tue, 7 Dec 2021 11:53:30 +0000 (12:53 +0100)]
sorters: use correct property 'direction' and keep default 'ASC'
Ext.util.Sorter does not have an 'order' property, so 'order: DESC'
didn't have an effect. The default is 'ASC' and it is arguably the
preferred direction for realm anyways.