Conversation
For empty boards, the canvas area is sometimes smaller than the available browser window. We want to be able to drop the image anywhere on the screen.
Thank you very much for contributing this long-requested feature! I'll try to review it soon, but before:
I see there are also still TODOs in the code. Feel free to switch it back to ready for review when you are ready for me to have a look.
server/server.js
| break; | ||
| case "board-assets": | ||
| const [, boardId, assetName] = parts; | ||
| const file = fs.readFileSync(path.join(config.HISTORY_DIR, `board-${boardId}`, assetName)); |
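Review bot: `boardId` and `assetName` are taken from `parts` and joined straight onto `config.HISTORY_DIR`; nothing in this hunk rejects a segment such as `..` or one containing a path separator, so both should be checked against a strict identifier pattern, and the resolved path confirmed to sit under the board's own directory, before anything is read. Separately, `fs.readFileSync` blocks the event loop for every request that hits this case; use `fs.promises.readFile` (or a read stream), as the rest of the server already does with async fs functions, and map a read error to a 404 response instead of letting it throw out of the handler.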
also, we cannot have blocking code like this in the request handling function
I can do some more research on this but do you happen to know if calling a function that returns a promise would solve this issue?
Something like this:
async function serveFile(request, response) {
  // ... use fs.promises.readFile (returns a promise), await it, then write the response;
  //     awaiting here yields to the event loop instead of blocking it like readFileSync.
}
function handleRequest(request, response) {
  switch (parts[0]) { // parts: the split request path, as in the existing handler
    // ... handlers
    case "board-assets":
      serveFile(request, response);
      break;
    // ... other handlers
  }
}
you can look at how it's done in the rest of the code; we use async fs functions
client-data/tools/image/image.js
| function createImageElement(data) { | ||
| var img = svg.getElementById(data.id) || Tools.createSVGElement("image"); | ||
| img.setAttribute("id", data.id); | ||
| img.setAttribute("href", data.src); |
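Review bot: `img.setAttribute("href", data.src)` takes the image location from the broadcast event payload, so the URL every connected browser loads is chosen by whichever client emitted the event. The server should assign the location from the image id it stored, and the client should not read `src` from the message at all. Note too that `svg.getElementById(data.id) || Tools.createSVGElement("image")` lets a later event carrying the same id repoint an existing image, which is one more reason `data.id` needs server-side validation before it is broadcast.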
This is a big security vulnerability, isn't it?
Anyone can send an image event with the src attribute they want
Is the concern that a user of Board A would be able to load images from Board B (which may be a "private" board)?
The bigger concern is that they may have all users make requests to their own server
Ah OK - so the concern is that an attacker could inject a URL that points to a server that they control, and that serves files with malicious content. Is that right?
Yes, they could serve whatever they want, but also log the ip addresses of everyone connected
I believe this has been addressed with the latest commit 👍 Let me know if you disagree.
client-data/tools/image/image.js
| var img = svg.getElementById(data.id) || Tools.createSVGElement("image"); | ||
| img.setAttribute("id", data.id); | ||
| img.setAttribute("href", data.src); | ||
| img.setAttribute("href", getAbsoluteImageUrl(data.src)); |
this is complicated. Can we remove the src altogether?
| img.setAttribute("href", getAbsoluteImageUrl(data.src)); | |
| img.setAttribute("href", "./images/" + data.id); |
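Review bot: `"./images/" + data.id` removes the sender-chosen URL, but `data.id` still becomes a path segment in the request the browser then makes, so the `board-assets` handler must validate it as a plain identifier and confirm the file exists under that board's directory before serving anything. The relative URL also resolves against the current board page, so the server route should be keyed on the board name (`boards/{boardname}/images/{image_id}`) rather than on the id alone, otherwise an id from one board could be requested from another.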
that would stress me less :)
How would the browser know where to pull the image to display from?
The browser would make a request to boards/{boardname}/images/{image_id}, the server would check that the image exists, and if so, serve it.
Yours is a much better approach 😅 This has been updated.
Progress update: I've added some tests but for some reason I can't get them to pass in Firefox (though they pass fine in Chromium).
Great to see progress! I don't have a lot of time to spend on wbo at the moment, but I'm determined to merge this once we are confident it works, is secure and maintainable!
Description
Drag images (JPG, GIF or PNG) onto the canvas to add them to the whiteboard. Images are saved to disk into a directory with the same name as the board JSON file.
Notable Code Changes
- BoardDataList instead of a plain JS object for boards in the sockets module.
- multiparty for parsing FormData on the server.
TODO
Future Improvements