MYVAIBHA
diff --git a/‎.env.example‎
Lines changed: 1 addition & 0 deletions b/‎.env.example‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎.gitignore‎
Lines changed: 0 additions & 1 deletion b/‎.gitignore‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎CHANGELOG.md‎
Lines changed: 28 additions & 5 deletions b/‎CHANGELOG.md‎
Lines changed: 28 additions & 5 deletions
diff --git a/‎UnicodeData.txt‎
Lines changed: 0 additions & 30592 deletions b/‎UnicodeData.txt‎
Lines changed: 0 additions & 30592 deletions
diff --git a/‎VERSION‎
Lines changed: 1 addition & 1 deletion b/‎VERSION‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎api/src/auth/jwt.js‎
Lines changed: 16 additions & 6 deletions b/‎api/src/auth/jwt.js‎
Lines changed: 16 additions & 6 deletions
diff --git a/‎api/src/auth/passport.js‎
Lines changed: 9 additions & 2 deletions b/‎api/src/auth/passport.js‎
Lines changed: 9 additions & 2 deletions
diff --git a/‎api/src/controllers/StatementController.js‎
Lines changed: 2 additions & 1 deletion b/‎api/src/controllers/StatementController.js‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎api/src/routes/HttpRoutes.js‎
Lines changed: 34 additions & 2 deletions b/‎api/src/routes/HttpRoutes.js‎
Lines changed: 34 additions & 2 deletions
diff --git a/‎api/src/routes/tests/http-test.js‎
Lines changed: 2 additions & 3 deletions b/‎api/src/routes/tests/http-test.js‎
Lines changed: 2 additions & 3 deletions
@@ -191,6 +191,7 @@ FS_REPO=local
 ########
 # MISC #
 ########
+#RESTRICT_CREATE_ORGANISATION=true
 
 # Location of virus scanning binary (ClamAV - https://www.clamav.net/)
 #CLAMDSCAN_BINARY=/usr/bin/clamdscan
 
@@ -12,7 +12,6 @@ storage/**/*.csv
 api/logs/*
 dist/
 dump.rdb
-node_modules/
 node_modules
 npm-debug.log*
 pids/
 
@@ -9,18 +9,41 @@ Format based on [Keep a Changelog](http://keepachangelog.com/)
 ### Security
 ### Migrations
 
-## [2.2.5]
+## [2.3.0]
+### Added
+ - Multiple shareable links per dashboard (#1096)
+ - Requires migration to be run - `yarn migrate`
+ - Aggregations now can read from secondary members on replica set (#1095)
+ - Sentinel Redis support (#1119)
+ - New role to allow organisation creation (via site admin) (#1110)
+ - Widgets now auto pick visualisation name when populated (#1126)
+### Security
+ - Passwords can only be changed for the user logged in or by site admins (#1112)
+### Fixes
+ - Unicode data now pulled from dependency (#1125)
+ - Ensure order on personaIdentifier IFI values (fixes issue with multiple personaIdents for the same actor) (#1120)
+ - Fix for personaIdentifier migration
+ - Client can select more than 10 xAPI stores (#1130)
+ - Server side validation of Statement Forward queries (#1138)
+ - Statement forwards decode `&46;` in statement keys (#1134)
+ - Fixed issue with hanging file imports on persona data (#1141)
+ - Switch to `clamdscan` as primary AV scanner (#1141)
+ - Requires updated .env settings - refer to .env.example
+### Performance and build
+ - Webpack 3 - improved build speed (#1094)
+### Migrations
+**This update requires a migration which can be run using `yarn migrate`.**
 
 ## [2.2.4]
 ### Fixes
- - Ensure statementForwarding query is valid json. (#1138)
+ - Server side validation of Statement Forward queries (#1138)
  - Persona import errors if there are no iris. (#1140)
- - Workers handle errors on missing personas
- - Workers handle errors on invalid JSON in statement forward callbacks
+ - Workers handle errors on missing personas (#1137)
+ - Workers handle errors on invalid JSON in statement forward callbacks (#1137)
 
 ## [2.2.3]
 ### Fixes
- - Parse persona ident and attribute queries
+ - Persona Attribute and Identifier APIs now parse $oid values for `persona` filters (#1133)
 
 ## [2.2.2]
 ### Fixes
 
@@ -1 +1 @@
-2.2.5
+2.3.0
@@ -28,11 +28,13 @@ const payloadDefaults = ({
  provider = 'native',
  scopes = [],
  extensions = {},
+ organisation = null,
  ...others
 }) => ({
  provider,
  scopes,
  extensions,
+ organisation,
  ...others
 });
 
@@ -43,11 +45,13 @@ const createJWT = ({
  filter,
  tokenType,
  tokenId,
- extensions
+ shareableId = null,
+ extensions,
+ organisation = null
 }, opts = {
  expiresIn: '7d'
 }) => sign(
- { userId, provider, scopes, tokenType, tokenId, extensions, filter },
+ { userId, provider, scopes, tokenType, tokenId, shareableId, extensions, filter, organisation },
  process.env.APP_SECRET,
  opts
 );
@@ -87,22 +91,28 @@ const createOrgJWT = async (user, organisationId, provider) => {
  return createJWT(orgTokenPayload);
 };
 
-const createDashboardTokenPayload = async (dashboard, provider) => {
+const createDashboardTokenPayload = async (dashboard, shareableId, provider) => {
+ if (!shareableId && dashboard.shareable.length > 0) {
+ shareableId = dashboard.shareable[0]._id;
+ }
+
  const visualisationIds = getVisualisationIdsFromDashboard(dashboard);
  return payloadDefaults({
  provider,
  scopes: getDashboardScopes(dashboard),
  tokenType: 'dashboard',
  tokenId: String(dashboard._id),
- filter: JSON.parse(dashboard.filter),
+ shareableId,
+ organisation: String(dashboard.organisation),
+ filter: {},
  extensions: {
  visualisationIds,
  }
  });
 };
 
-const createDashboardJWT = async (dashboard, provider) => {
- const dashboardPayload = await createDashboardTokenPayload(dashboard, provider);
+const createDashboardJWT = async (dashboard, shareableId, provider) => {
+ const dashboardPayload = await createDashboardTokenPayload(dashboard, shareableId, provider);
  return createJWT(dashboardPayload);
 };
 
 
@@ -7,7 +7,7 @@ import Promise from 'bluebird';
 import CustomStrategy from 'passport-custom';
 import bcrypt from 'bcrypt';
 import jwt from 'jsonwebtoken';
-import { find, get, omit } from 'lodash';
+import { find, get, omit, omitBy } from 'lodash';
 import { fromJS } from 'immutable';
 import assert from 'assert';
 import Client from 'lib/models/client';
@@ -49,8 +49,13 @@ const createPayloadFromPayload = (payload) => {
  return { expectedToken, user };
  }
  case 'dashboard': {
+ const shareable = find(dashboard.shareable, share =>
+ share._id.toString() === payload.shareableId
+ );
+
  const expectedToken = await createDashboardTokenPayload(
  dashboard,
+ (shareable ? shareable._id.toString() : null),
  provider
  );
  return { expectedToken };
@@ -69,10 +74,12 @@ async function verifyToken(token, done) {
  const decodedToken = await verifyPromise(token, process.env.APP_SECRET);
 
  // Recreates the token's payload to make sure that all scopes are still valid.
+
  const { expectedToken, user } = await createPayloadFromPayload(
  decodedToken
  );
- const tokenToVerify = omit(decodedToken, ['iat', 'exp']);
+ const tokenToVerify1 = omit(decodedToken, ['iat', 'exp']);
+ const tokenToVerify = omitBy(tokenToVerify1, (v, k) => k === 'shareableId' && !v);
 
  const iExpectedToken = fromJS(expectedToken);
  const iTokenToVerify = fromJS(tokenToVerify);
 
@@ -16,7 +16,7 @@ const aggregate = (req) => {
  const maxTimeMS = Number(req.query.maxTimeMS) || MAX_TIME_MS;
  const maxScan = Number(req.query.maxScan) || MAX_SCAN;
  const pipeline = JSON.parse(req.query.pipeline);
- return statementsService.aggregate({
+ const out = statementsService.aggregate({
  authInfo,
  limit,
  skip,
@@ -25,6 +25,7 @@ const aggregate = (req) => {
  maxScan,
  pipeline
  });
+ return out;
 };
 
 const aggregateStatements = catchErrors(async (req, res) => {
 
@@ -3,6 +3,11 @@ import express from 'express';
 import restify from 'express-restify-mongoose';
 import git from 'git-rev';
 import Promise from 'bluebird';
+import { omit, findIndex } from 'lodash';
+import getAuthFromRequest from 'lib/helpers/getAuthFromRequest';
+import getScopesFromRequest from 'lib/services/auth/authInfoSelectors/getScopesFromAuthInfo';
+import getUserIdFromAuthInfo from 'lib/services/auth/authInfoSelectors/getUserIdFromAuthInfo';
+import { SITE_ADMIN } from 'lib/constants/scopes';
 import { jsonSuccess, serverError } from 'api/utils/responses';
 import passport from 'api/auth/passport';
 import {
@@ -193,13 +198,40 @@ router.get(
  * REST APIS
  */
 restify.defaults(RESTIFY_DEFAULTS);
-restify.serve(router, Organisation);
+restify.serve(router, Organisation, {
+ preUpdate: (req, res, next) => {
+ const authInfo = getAuthFromRequest(req);
+ const scopes = getScopesFromRequest(authInfo);
+ if (
+ findIndex(scopes, item => item === SITE_ADMIN) < 0
+ ) {
+ req.body = omit(req.body, 'expiration');
+ }
+ next();
+ }
+});
 restify.serve(router, Stream);
 restify.serve(router, Export);
 restify.serve(router, Download);
 restify.serve(router, Query);
 restify.serve(router, ImportCsv);
-restify.serve(router, User);
+restify.serve(router, User, {
+ preUpdate: (req, res, next) => {
+ const authInfo = getAuthFromRequest(req);
+ const scopes = getScopesFromRequest(authInfo);
+
+ if (findIndex(scopes, item => item === SITE_ADMIN) < 0) {
+ // remove scope changes 
+ req.body = omit(req.body, 'scopes');
+ if (req.body._id !== getUserIdFromAuthInfo(authInfo).toString()){
+ // Don't allow changing of passwords
+ req.body = omit(req.body, 'password');
+ }
+ }
+
+ next();
+ }
+});
 restify.serve(router, Client);
 restify.serve(router, Visualisation);
 restify.serve(router, Dashboard);
 
@@ -18,12 +18,11 @@ let jwtToken;
 let orgJwtToken;
 const provider = 'native';
 
-describe('API HTTP Route tests', () => {
+describe('API HTTP Route tests', function describeTest() {
+ this.timeout(10000);
  before((done) => {
- console.log('readyState', connection.readyState);
  if (connection.readyState !== 1) {
  connection.on('connected', () => {
- console.log('connected');
  done();
  });
  } else {