v0.80.0

2026-05-07 06:23:06 +08:00 · 2026-04-14 16:40:28 +01:00
24 changed files with 52 additions and 222 deletions
@@ -222,8 +222,6 @@
  "Edit comment": "Kommentar bearbeiten",
  "Delete comment": "Kommentar löschen",
  "Are you sure you want to delete this comment?": "Sind Sie sicher, dass Sie diesen Kommentar löschen möchten?",
-  "Delete chat": "Chat löschen",
-  "Are you sure you want to delete '{{title}}'? This action cannot be undone.": "Sind Sie sicher, dass Sie '{{title}}' löschen möchten? Diese Aktion kann nicht rückgängig gemacht werden.",
  "Comment created successfully": "Kommentar erfolgreich erstellt",
  "Error creating comment": "Fehler beim Erstellen des Kommentars",
  "Comment updated successfully": "Kommentar erfolgreich aktualisiert",
@@ -222,8 +222,6 @@
  "Edit comment": "Edit comment",
  "Delete comment": "Delete comment",
  "Are you sure you want to delete this comment?": "Are you sure you want to delete this comment?",
-  "Delete chat": "Delete chat",
-  "Are you sure you want to delete '{{title}}'? This action cannot be undone.": "Are you sure you want to delete '{{title}}'? This action cannot be undone.",
  "Comment created successfully": "Comment created successfully",
  "Error creating comment": "Error creating comment",
  "Comment updated successfully": "Comment updated successfully",
@@ -222,8 +222,6 @@
  "Edit comment": "Editar comentario",
  "Delete comment": "Eliminar comentario",
  "Are you sure you want to delete this comment?": "¿Está seguro de que desea eliminar este comentario?",
-  "Delete chat": "Eliminar chat",
-  "Are you sure you want to delete '{{title}}'? This action cannot be undone.": "¿Está seguro de que desea eliminar '{{title}}'? Esta acción no se puede deshacer.",
  "Comment created successfully": "Comentario creado con éxito",
  "Error creating comment": "Error al crear comentario",
  "Comment updated successfully": "Comentario actualizado con éxito",
@@ -222,8 +222,6 @@
  "Edit comment": "Modifier le commentaire",
  "Delete comment": "Supprimer le commentaire",
  "Are you sure you want to delete this comment?": "Êtes-vous sûr de vouloir supprimer ce commentaire ?",
-  "Delete chat": "Supprimer la conversation",
-  "Are you sure you want to delete '{{title}}'? This action cannot be undone.": "Êtes-vous sûr de vouloir supprimer '{{title}}' ? Cette action est irréversible.",
  "Comment created successfully": "Commentaire créé avec succès",
  "Error creating comment": "Erreur lors de la création du commentaire",
  "Comment updated successfully": "Commentaire mis à jour avec succès",
@@ -222,8 +222,6 @@
  "Edit comment": "Modifica commento",
  "Delete comment": "Elimina commento",
  "Are you sure you want to delete this comment?": "Sei sicuro di voler eliminare questo commento?",
-  "Delete chat": "Elimina chat",
-  "Are you sure you want to delete '{{title}}'? This action cannot be undone.": "Sei sicuro di voler eliminare '{{title}}'? Questa azione non può essere annullata.",
  "Comment created successfully": "Commento creato con successo",
  "Error creating comment": "Si è verificato un errore durante la creazione del commento",
  "Comment updated successfully": "Commento aggiornato con successo",
@@ -222,8 +222,6 @@
  "Edit comment": "コメントを編集する",
  "Delete comment": "コメントを削除する",
  "Are you sure you want to delete this comment?": "このコメントを削除してもよろしいですか?",
-  "Delete chat": "チャットを削除",
-  "Are you sure you want to delete '{{title}}'? This action cannot be undone.": "「{{title}}」を削除してもよろしいですか？この操作は元に戻せません。",
  "Comment created successfully": "コメントを作成しました",
  "Error creating comment": "コメントの作成に失敗しました",
  "Comment updated successfully": "コメントを更新しました",
@@ -222,8 +222,6 @@
  "Edit comment": "댓글 수정",
  "Delete comment": "댓글 삭제",
  "Are you sure you want to delete this comment?": "이 댓글을 삭제하시겠습니까?",
-  "Delete chat": "채팅 삭제",
-  "Are you sure you want to delete '{{title}}'? This action cannot be undone.": "'{{title}}'을(를) 삭제하시겠습니까? 이 작업은 되돌릴 수 없습니다.",
  "Comment created successfully": "댓글 생성 완료",
  "Error creating comment": "댓글 생성 오류",
  "Comment updated successfully": "댓글 업데이트 완료",
@@ -222,8 +222,6 @@
  "Edit comment": "Bewerk reactie",
  "Delete comment": "Verwijder reactie",
  "Are you sure you want to delete this comment?": "Weet je zeker dat je deze reactie wilt verwijderen?",
-  "Delete chat": "Chat verwijderen",
-  "Are you sure you want to delete '{{title}}'? This action cannot be undone.": "Weet je zeker dat je '{{title}}' wilt verwijderen? Deze actie kan niet ongedaan worden gemaakt.",
  "Comment created successfully": "Reactie succesvol aangemaakt",
  "Error creating comment": "Fout bij het aanmaken van reactie",
  "Comment updated successfully": "Opmerking succesvol bijgewerkt",
@@ -222,8 +222,6 @@
  "Edit comment": "Editar comentário",
  "Delete comment": "Excluir comentário",
  "Are you sure you want to delete this comment?": "Você tem certeza de que deseja excluir este comentário?",
-  "Delete chat": "Excluir chat",
-  "Are you sure you want to delete '{{title}}'? This action cannot be undone.": "Tem certeza de que deseja excluir '{{title}}'? Esta ação não pode ser desfeita.",
  "Comment created successfully": "Comentário criado com sucesso",
  "Error creating comment": "Erro ao criar comentário",
  "Comment updated successfully": "Comentário atualizado com sucesso",
@@ -222,8 +222,6 @@
  "Edit comment": "Редактировать комментарий",
  "Delete comment": "Удалить комментарий",
  "Are you sure you want to delete this comment?": "Вы уверены, что хотите удалить этот комментарий?",
-  "Delete chat": "Удалить чат",
-  "Are you sure you want to delete '{{title}}'? This action cannot be undone.": "Вы уверены, что хотите удалить '{{title}}'? Это действие нельзя отменить.",
  "Comment created successfully": "Комментарий успешно создан",
  "Error creating comment": "Ошибка при создании комментария",
  "Comment updated successfully": "Комментарий успешно обновлён",
@@ -222,8 +222,6 @@
  "Edit comment": "Редагувати коментар",
  "Delete comment": "Видалити коментар",
  "Are you sure you want to delete this comment?": "Ви впевнені, що хочете видалити цей коментар?",
-  "Delete chat": "Видалити чат",
-  "Are you sure you want to delete '{{title}}'? This action cannot be undone.": "Ви впевнені, що хочете видалити '{{title}}'? Цю дію неможливо скасувати.",
  "Comment created successfully": "Коментар успішно створено",
  "Error creating comment": "Помилка при створенні коментаря",
  "Comment updated successfully": "Коментар успішно оновлено",
@@ -222,8 +222,6 @@
  "Edit comment": "编辑评论",
  "Delete comment": "删除评论",
  "Are you sure you want to delete this comment?": "你确定要删除这条评论吗？",
-  "Delete chat": "删除聊天",
-  "Are you sure you want to delete '{{title}}'? This action cannot be undone.": "您确定要删除「{{title}}」吗？此操作无法撤销。",
  "Comment created successfully": "成功创建评论",
  "Error creating comment": "创建评论时出错",
  "Comment updated successfully": "评论更新成功",
@@ -9,7 +9,7 @@ import classes from "../styles/chat-sidebar.module.css";
 type Props = {
  chat: AiChat;
  isActive: boolean;
-  onDelete: (chatId: string, title: string | null) => void;
+  onDelete: (chatId: string) => void;
  onRename: (chatId: string, title: string) => void;
 };

@@ -153,7 +153,7 @@ export default function AiChatSidebarItem({
              onClick={(e) => {
                e.preventDefault();
                e.stopPropagation();
-                onDelete(chat.id, chat.title);
+                onDelete(chat.id);
              }}
            >
              {t("Delete")}
@@ -1,14 +1,6 @@
 import { useState, useCallback, useEffect, useMemo, useRef } from "react";
 import { Link, useNavigate, useParams } from "react-router-dom";
-import {
-  ActionIcon,
-  Center,
-  Text,
-  TextInput,
-  Loader,
-  Tooltip,
-} from "@mantine/core";
-import { modals } from "@mantine/modals";
+import { ActionIcon, Center, TextInput, Loader, Tooltip } from "@mantine/core";
 import { useDebouncedValue } from "@mantine/hooks";
 import { IconPlus, IconSearch, IconMessageCircle2 } from "@tabler/icons-react";
 import { useTranslation } from "react-i18next";
@@ -81,31 +73,16 @@ export default function AiChatSidebar() {
  );

  const handleDelete = useCallback(
-    (id: string, title: string | null) => {
-      modals.openConfirmModal({
-        title: t("Delete chat"),
-        centered: true,
-        children: (
-          <Text size="sm">
-            {t("Are you sure you want to delete '{{title}}'? This action cannot be undone.", {
-              title: title || t("Untitled"),
-            })}
-          </Text>
-        ),
-        labels: { confirm: t("Delete"), cancel: t("Cancel") },
-        confirmProps: { color: "red" },
-        onConfirm: () => {
-          deleteMutation.mutate(id, {
-            onSuccess: () => {
-              if (chatId === id) {
-                navigate("/ai");
-              }
-            },
-          });
+    (id: string) => {
+      deleteMutation.mutate(id, {
+        onSuccess: () => {
+          if (chatId === id) {
+            navigate("/ai");
+          }
        },
      });
    },
-    [deleteMutation, chatId, navigate, t],
+    [deleteMutation, chatId, navigate],
  );

  const handleRename = useCallback(
@@ -53,7 +53,6 @@ import { EnvironmentService } from '../../integrations/environment/environment.s
 import { TokenService } from '../auth/services/token.service';
 import { JwtAttachmentPayload, JwtType } from '../auth/dto/jwt-payload';
 import * as path from 'path';
-import { sanitize } from 'sanitize-filename-ts';
 import { AttachmentInfoDto, RemoveIconDto } from './dto/attachment.dto';
 import { PageAccessService } from '../page/page-access/page-access.service';
 import { AuditEvent, AuditResource } from '../../common/events/audit-events';
@@ -357,10 +356,6 @@ export class AttachmentController {
      throw new BadRequestException('Invalid image attachment type');
    }

-    if (!fileName || sanitize(fileName) !== fileName) {
-      throw new BadRequestException('Invalid file name');
-    }
-
    const filenameWithoutExt = path.basename(fileName, path.extname(fileName));
    if (!isValidUUID(filenameWithoutExt)) {
      throw new BadRequestException('Invalid file id');
@@ -13,6 +13,10 @@ import { CreateUserDto } from '../../auth/dto/create-user.dto';
 export class UpdateUserDto extends PartialType(
  OmitType(CreateUserDto, ['password'] as const),
 ) {
+  @IsOptional()
+  @IsString()
+  avatarUrl: string;
+
  @IsOptional()
  @IsBoolean()
  fullPageWidth: boolean;
@@ -110,6 +110,10 @@ export class UserService {
      user.email = updateUserDto.email;
    }

+    if (updateUserDto.avatarUrl) {
+      user.avatarUrl = updateUserDto.avatarUrl;
+    }
+
    if (updateUserDto.locale) {
      user.locale = updateUserDto.locale;
    }
@@ -5,10 +5,15 @@ import {
  IsBoolean,
  IsInt,
  IsOptional,
+  IsString,
  Min,
 } from 'class-validator';

 export class UpdateWorkspaceDto extends PartialType(CreateWorkspaceDto) {
+  @IsOptional()
+  @IsString()
+  logo: string;
+
  @IsOptional()
  @IsArray()
  emailDomains: string[];
@@ -39,8 +39,6 @@ import {
 } from '../../common/helpers/prosemirror/utils';
 import { htmlToMarkdown } from '@docmost/editor-ext';

-type AllowedAttachment = { id: string; fileName: string; filePath: string };
-
@Injectable()
 export class ExportService {
  private readonly logger = new Logger(ExportService.name);
@@ -274,12 +272,6 @@ export class ExportService {

    computeLocalPath(tree, format, null, '', slugIdToPath);

-    // Batch resolve attachments once for the whole export so we only run the
-    // owning-page view check a single time, regardless of page count.
-    const allowedAttachments = includeAttachments
-      ? await this.resolveAccessibleAttachments(tree, userId, ignorePermissions)
-      : new Map<string, AllowedAttachment>();
-
    const stack: { folder: JSZip; parentPageId: string | null }[] = [
      { folder: zip, parentPageId: null },
    ];
@@ -309,7 +301,7 @@ export class ExportService {
        );

        if (includeAttachments) {
-          await this.zipAttachments(updatedJsonContent, folder, allowedAttachments);
+          await this.zipAttachments(updatedJsonContent, page.spaceId, folder);
          updatedJsonContent =
            updateAttachmentUrlsToLocalPaths(updatedJsonContent);
        }
@@ -355,80 +347,31 @@ export class ExportService {
    zip.file('docmost-metadata.json', JSON.stringify(metadata, null, 2));
  }

-  async zipAttachments(
-    prosemirrorJson: any,
-    zip: JSZip,
-    allowed: Map<string, AllowedAttachment>,
-  ) {
+  async zipAttachments(prosemirrorJson: any, spaceId: string, zip: JSZip) {
    const attachmentIds = getAttachmentIds(prosemirrorJson);

-    await Promise.all(
-      attachmentIds.map(async (id) => {
-        const attachment = allowed.get(id);
-        if (!attachment) return;
-        try {
-          const fileBuffer = await this.storageService.read(
-            attachment.filePath,
-          );
-          const filePath = `/files/${attachment.id}/${attachment.fileName}`;
-          zip.file(filePath, fileBuffer);
-        } catch (err) {
-          this.logger.debug(`Attachment export error ${attachment.id}`, err);
-        }
-      }),
-    );
-  }
+    if (attachmentIds.length > 0) {
+      const attachments = await this.db
+        .selectFrom('attachments')
+        .select(['id', 'fileName', 'filePath'])
+        .where('id', 'in', attachmentIds)
+        .where('spaceId', '=', spaceId)
+        .execute();

-  private async resolveAccessibleAttachments(
-    tree: PageExportTree,
-    userId: string | undefined,
-    ignorePermissions: boolean,
-  ): Promise<Map<string, AllowedAttachment>> {
-    const allAttachmentIds = new Set<string>();
-    let spaceId: string | undefined;
-    for (const siblings of Object.values(tree)) {
-      for (const page of siblings) {
-        if (!spaceId) spaceId = page.spaceId;
-        for (const id of getAttachmentIds(getProsemirrorContent(page.content))) {
-          allAttachmentIds.add(id);
-        }
-      }
-    }
-
-    if (allAttachmentIds.size === 0 || !spaceId) {
-      return new Map();
-    }
-
-    const attachments = await this.db
-      .selectFrom('attachments')
-      .select(['id', 'fileName', 'filePath', 'pageId'])
-      .where('id', 'in', [...allAttachmentIds])
-      .where('spaceId', '=', spaceId)
-      .execute();
-
-    let visible = attachments;
-    if (!ignorePermissions && userId) {
-      const ownerPageIds = [
-        ...new Set(
-          attachments
-            .map((a) => a.pageId)
-            .filter((id): id is string => !!id),
-        ),
-      ];
-      const accessible = ownerPageIds.length
-        ? await this.pagePermissionRepo.filterAccessiblePageIds({
-            pageIds: ownerPageIds,
-            userId,
-            spaceId,
-          })
-        : [];
-      const accessibleSet = new Set(accessible);
-      visible = attachments.filter(
-        (a) => a.pageId && accessibleSet.has(a.pageId),
+      await Promise.all(
+        attachments.map(async (attachment) => {
+          try {
+            const fileBuffer = await this.storageService.read(
+              attachment.filePath,
+            );
+            const filePath = `/files/${attachment.id}/${attachment.fileName}`;
+            zip.file(filePath, fileBuffer);
+          } catch (err) {
+            this.logger.debug(`Attachment export error ${attachment.id}`, err);
+          }
+        }),
      );
    }
-
-    return new Map(visible.map((a) => [a.id, a]));
  }

  async turnPageMentionsToLinks(
@@ -1,67 +0,0 @@
-import { resolve, sep } from 'path';
-import { LocalDriver } from './local.driver';
-
-type FullPath = (filePath: string) => string;
-
-describe('LocalDriver._fullPath', () => {
-  const ROOT = resolve('/data/storage');
-  const driver = new LocalDriver({ storagePath: ROOT });
-  const fullPath = ((driver as any)._fullPath as FullPath).bind(driver);
-
-  describe('legitimate inputs (behavior preserved)', () => {
-    it.each([
-      ['workspace-id/avatars/uuid.png', `${ROOT}${sep}workspace-id${sep}avatars${sep}uuid.png`],
-      ['workspace-id/files/uuid/file.pdf', `${ROOT}${sep}workspace-id${sep}files${sep}uuid${sep}file.pdf`],
-      ['a/b/c/d/e.bin', `${ROOT}${sep}a${sep}b${sep}c${sep}d${sep}e.bin`],
-      ['', ROOT],
-      ['.', ROOT],
-      ['./x/y.png', `${ROOT}${sep}x${sep}y.png`],
-      ['a//b', `${ROOT}${sep}a${sep}b`],
-      ['a/b/../c', `${ROOT}${sep}a${sep}c`],
-    ])('resolves %j to %j', (input, expected) => {
-      expect(fullPath(input)).toBe(expected);
-    });
-  });
-
-  describe('traversal rejected', () => {
-    it.each([
-      '../etc/passwd',
-      '../../../etc/passwd',
-      'workspace/../../../etc/passwd',
-      '..',
-      '../..',
-      'a/../../..',
-    ])('throws for %j', (input) => {
-      expect(() => fullPath(input)).toThrow('Invalid file path');
-    });
-  });
-
-  describe('absolute path rejected', () => {
-    it.each([
-      '/etc/passwd',
-      '/root/.ssh/id_rsa',
-      sep + 'absolute',
-    ])('throws for %j', (input) => {
-      expect(() => fullPath(input)).toThrow('Invalid file path');
-    });
-  });
-
-  describe('prefix-confusion rejected', () => {
-    it('rejects a sibling directory whose name starts with the storage root', () => {
-      const siblingDriver = new LocalDriver({ storagePath: '/data/storage' });
-      const siblingFullPath = ((siblingDriver as any)._fullPath as FullPath).bind(siblingDriver);
-      // Attempt to reach /data/storage-evil/secret by traversal:
-      // resolve('/data/storage', '../storage-evil/secret') === '/data/storage-evil/secret'
-      // Without the `+ sep` guard, a startsWith check would match.
-      expect(() => siblingFullPath('../storage-evil/secret')).toThrow('Invalid file path');
-    });
-  });
-
-  describe('storage root itself', () => {
-    it('accepts the root when input resolves to it', () => {
-      expect(fullPath('')).toBe(ROOT);
-      expect(fullPath('.')).toBe(ROOT);
-      expect(fullPath('a/..')).toBe(ROOT);
-    });
-  });
-});
@@ -3,7 +3,7 @@ import {
  LocalStorageConfig,
  StorageOption,
 } from '../interfaces';
-import { dirname, resolve, sep } from 'path';
+import { join, dirname } from 'path';
 import * as fs from 'fs-extra';
 import { Readable } from 'stream';
 import { createReadStream, createWriteStream } from 'node:fs';
@@ -17,12 +17,7 @@ export class LocalDriver implements StorageDriver {
  }

  private _fullPath(filePath: string): string {
-    const storageRoot = resolve(this.config.storagePath);
-    const fullPath = resolve(storageRoot, filePath);
-    if (fullPath !== storageRoot && !fullPath.startsWith(storageRoot + sep)) {
-      throw new Error('Invalid file path');
-    }
-    return fullPath;
+    return join(this.config.storagePath, filePath);
  }

  async upload(filePath: string, file: Buffer | Readable): Promise<void> {
@@ -131,8 +131,7 @@
      "@xmldom/xmldom": "0.8.12",
      "handlebars": "4.7.9",
      "axios": "1.15.0",
-      "langsmith": "0.5.18",
-      "follow-redirects": "1.16.0"
+      "langsmith": "0.5.18"
    },
    "neverBuiltDependencies": []
  }
@@ -39,7 +39,6 @@ overrides:
  handlebars: 4.7.9
  axios: 1.15.0
  langsmith: 0.5.18
-  follow-redirects: 1.16.0

 patchedDependencies:
  react-arborist@3.4.0:
@@ -6997,8 +6996,8 @@ packages:
  flatted@3.4.2:
    resolution: {integrity: sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==}

-  follow-redirects@1.16.0:
-    resolution: {integrity: sha512-y5rN/uOsadFT/JfYwhxRS5R7Qce+g3zG97+JrtFZlC9klX/W5hD7iiLzScI4nZqUS7DNUdhPgw4xI8W2LuXlUw==}
+  follow-redirects@1.15.11:
+    resolution: {integrity: sha512-deG2P0JfjrTxl50XGCDyfI97ZGVCxIpfKYmfyrQ54n5FO/0gfIES8C/Psl6kWVDolizcaaxZJnTS0QSMxvnsBQ==}
    engines: {node: '>=4.0'}
    peerDependencies:
      debug: '*'
@@ -16274,7 +16273,7 @@ snapshots:

  axios@1.15.0:
    dependencies:
-      follow-redirects: 1.16.0
+      follow-redirects: 1.15.11
      form-data: 4.0.5
      proxy-from-env: 2.1.0
    transitivePeerDependencies:
@@ -17940,7 +17939,7 @@ snapshots:

  flatted@3.4.2: {}

-  follow-redirects@1.16.0: {}
+  follow-redirects@1.15.11: {}

  for-each@0.3.3:
    dependencies: