Merge branch 'next' into SER-1680

Author: Cookiezaurs

CHANGELOG.md

@@ -47,6 +47,9 @@ Enterprise fixes:
 - [nps] Fixed bug in the editor where the "internal name" field was not mandatory
 - [ratings] Fixed UI bug where "Internal name" was not a mandatory field
 
+Security:
+- Fixing minor vulnerability that would allow for unauthorized file upload
+
 ## Version 24.05.16
 Fixes:
 - [core] Replaced "Users" with "Sessions" label on technology home widgets

frontend/express/app.js

@@ -603,6 +603,10 @@ Promise.all([plugins.dbConnection(countlyConfig), plugins.dbConnection("countly_
     app.use(function(req, res, next) {
         var contentType = req.headers['content-type'];
         if (req.method.toLowerCase() === 'post' && contentType && contentType.indexOf('multipart/form-data') >= 0) {
+            if (!req.session?.uid || Date.now() > req.session?.expires) {
+                res.status(401).send('Unauthorized');
+                return;
+            }
             var form = new formidable.IncomingForm();
             form.uploadDir = __dirname + '/uploads';
             form.parse(req, function(err, fields, files) {

frontend/express/public/core/device-and-type/javascripts/countly.views.js

@@ -443,6 +443,20 @@ var GridComponent = countlyVue.views.create({
             }
             return val;
         },
+        onWidgetCommand: function(event) {
+            if (event === 'add' || event === 'manage' || event === 'show') {
+                this.graphNotesHandleCommand(event);
+                return;
+            }
+            else if (event === 'zoom') {
+                this.triggerZoom();
+                return;
+            }
+            else {
+                this.$emit('command', event);
+                return;
+            }
+        },
     }
 });