product-os / jellyfish Goto Github PK

Users should be able to see their own views

Currently the community chat view filters for chat threads, ideally it should just show all chat messages that the user can see. To implement this we will need to ensure that community users cannot see chat messages that are attached to cards that they cannot see, so there is a requirement on #153

When creating and updating a card, I would expect the card's timeline to credit the user who initiated the create or update action to be the actor shown on the timeline. Instead the actor for update and create cards is always the actions user.
This makes using the timeline as an audit trail impossible, as we can't tell which user did what.

User write permission should be checked client side to determine if an action on a card is available or what fields on a card can be edited.

At the moment, suitable lenses are detected automatically. We should change this so that lenses are specified by the view card

It would be very useful to extend json-schema to support semver and semver-range formats

Currently, you can only add fields to a card that are defined in that card type's schema.

Currently, logged in users can change other users passwords

await sdk.card.update('USER_ID', { 
  data: {
    password: { 
      hash: '6dafdadfffffffaaaaa' 
    } 
  } 
})

After logging in, the following warning can be seen in the console

Warning: a promise was created in a handler at http://localhost:9000/bundle.js:144116:16 but was not returned from it, see http://goo.gl/rRqMUw
    at new Promise (http://localhost:9000/bundle.js:17705:10)
    at getGravatar (http://localhost:9000/bundle.js:584:12)
    at Gravatar../lib/ui/components/Gravatar.tsx.Gravatar.load (http://localhost:9000/bundle.js:616:9)
    at Gravatar../lib/ui/components/Gravatar.tsx.Gravatar.componentWillReceiveProps (http://localhost:9000/bundle.js:607:22)
    at callComponentWillReceiveProps (http://localhost:9000/bundle.js:92665:16)
    at updateClassInstance (http://localhost:9000/bundle.js:92905:9)
    at updateClassComponent (http://localhost:9000/bundle.js:94118:22)
    at beginWork (http://localhost:9000/bundle.js:94755:16)
    at performUnitOfWork (http://localhost:9000/bundle.js:97587:16)
    at workLoop (http://localhost:9000/bundle.js:97616:26)
    at renderRoot (http://localhost:9000/bundle.js:97647:9)
    at performWorkOnRoot (http://localhost:9000/bundle.js:98222:24)
    at performWork (http://localhost:9000/bundle.js:98143:9)
    at performSyncWork (http://localhost:9000/bundle.js:98120:5)
    at requestWork (http://localhost:9000/bundle.js:98020:7)
    at scheduleWorkImpl (http://localhost:9000/bundle.js:97895:13)
    at scheduleWork (http://localhost:9000/bundle.js:97855:12)
    at Object.enqueueSetState (http://localhost:9000/bundle.js:92417:7)
    at Connect../node_modules/react/cjs/react.development.js.Component.setState (http://localhost:9000/bundle.js:145193:16)

The purpose is to be able to expand it to perform queries based on the timeline of a card.

See https://www.flowdock.com/app/rulemotion/p-cyclops/threads/YWRCmqSqxS-0SYrYa5_MXX3ftd3

http://jsonnet.org/learning/getting_started.html

Th jsonSchema.filter method is using the removeAdditional option in AJV ( https://github.com/epoberezkin/ajv#filtering-data ), which, when combined with user permissions allows us to whitelist fields. This is very useful for doing thing like stopping users from viewing other users password hashes.
At the moment, not every query result gets run through the filter function which means there may be cases where a malicious user could see data they are not meant to ( getElementBySlug, getElementById etc)

UI state stored in localstorage should be treated as untrusted and validated on load

At the moment configuration like Type cards is stored in LocalStorage and only gets reloaded if you logout and log back in again. This data should be refreshed on page reload and automatically via a socket connection.

There is a good guide for testing React + TypeScript using Ava and Enzyme here https://semaphoreci.com/community/tutorials/testing-react-components-with-ava

utils.waitForMatch can hang indefinitely if a matching card is created whilst the stream is initialising. To resolve this, a query for matching cards should be run once the stream is initialised, similar to how the actions server does it.

You should be able to create new views, or extend an existing view

We need to add error handling for sockets and API requests

This can be particularly useful to determine, client side, what type of card we should create given a certain active view.

When adding a new chat message, its created twice

Currently there is no message shown if you enter the wrong login details

If a user cannot view a card they should not be able to view any cards that are attached to it.
For example a card of type repo can have cards of type update, create and chat-message cards that target it. If a user cannot view the repo card, they should not be able to see any of these cards.

Currently, when a query is run, we filter the results on the server using JSONSchema.
This solution won't scale well and we need to be converting JSONSchema directly into Reql queries.

Users should be able to use @ to mention other users. Messages they are mentioned in should be shown in a new view

If a view has multiple groups available, the user should be able to choose between them

At the moment, its not obvious that signup has worked. Additionally we should make sure you can't signup with the same email/username