From 0ebfba8d050e968a404a16e94a9930c72fa830d9 Mon Sep 17 00:00:00 2001
From: Ozzie Isaacs
Date: Sun, 25 Feb 2024 19:32:04 +0100
Subject: [PATCH 1/2] Added blobs to csp for reader page (fix for #3005)
---
 cps/web.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/cps/web.py b/cps/web.py
index 68b9bbc5..8d8faed2 100644
--- a/cps/web.py
+++ b/cps/web.py
@@ -86,9 +86,13 @@ except ImportError:
 @app.after_request
 def add_security_headers(resp):
- csp = "default-src 'self'"
- csp += ''.join([' ' + host for host in config.config_trustedhosts.strip().split(',')])
- csp += " 'unsafe-inline' 'unsafe-eval'; font-src 'self' data:; img-src 'self'"
+ default_src = ([host.strip() for host in config.config_trustedhosts.split(',') if host] +
+ ["'self'", "'unsafe-inline'", "'unsafe-eval'"])
+ csp = "default-src " + ' '.join(default_src) + "; "
+ csp += "font-src 'self' data:"
+ if request.endpoint == "web.read_book":
+ csp += " blob:"
+ csp += "; img-src 'self'"
 if request.path.startswith("/author/") and config.config_use_goodreads:
 csp += " images.gr-assets.com i.gr-assets.com s.gr-assets.com"
 csp += " data:"
From b38a1b2298c5c995312c15865b1b8dfb8eac4f2d Mon Sep 17 00:00:00 2001
From: Ozzie Isaacs
Date: Sun, 25 Feb 2024 20:03:38 +0100
Subject: [PATCH 2/2] Admin can now force full sync for users (fix for #2993
---
 cps/admin.py | 21 ++++++++++++++++-----
 cps/static/js/main.js | 8 ++++++--
 cps/templates/user_edit.html | 2 +-
 3 files changed, 23 insertions(+), 8 deletions(-)
diff --git a/cps/admin.py b/cps/admin.py
index fa29759e..c07fc29f 100644
--- a/cps/admin.py
+++ b/cps/admin.py
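Review bot: The `if host` filter on the new `default_src` comprehension only drops empty strings, so a whitespace-only entry (a trailing `, ` or an `a, ,b` in the trusted-hosts setting) still passes and `strip()` turns it into an empty token, leaving a doubled space in the `default-src` directive; filter on the stripped value instead: `[host.strip() for host in config.config_trustedhosts.split(',') if host.strip()]`. The `blob:` addition is correctly limited to `font-src` on the reader endpoint, but a one-line comment would spare the next reader a trip to the tracker, e.g. `# reader page loads fonts from blob: URLs (#3005); keep this scoped to web.read_book`. Note that `default-src` still carries `'unsafe-inline'` and `'unsafe-eval'` and the trusted-host values go into the header unescaped; both are pre-existing, not introduced here, but they mean the policy offers little XSS protection. `add_security_headers` continues past the end of the hunk.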
@@ -916,11 +916,15 @@ def list_restriction(res_type, user_id): @admi.route("/ajax/fullsync", methods=["POST"]) @login_required -def ajax_fullsync(): - count = ub.session.query(ub.KoboSyncedBooks).filter(current_user.id == ub.KoboSyncedBooks.user_id).delete() - message = _("{} sync entries deleted").format(count) - ub.session_commit(message) - return Response(json.dumps([{"type": "success", "message": message}]), mimetype='application/json') +def ajax_self_fullsync(): + return do_full_kobo_sync(current_user.id) + + +@admi.route("/ajax/fullsync/", methods=["POST"]) +@login_required +@admin_required +def ajax_fullsync(userid): + return do_full_kobo_sync(userid) @admi.route("/ajax/pathchooser/") @@ -930,6 +934,13 @@ def ajax_pathchooser(): return pathchooser() +def do_full_kobo_sync(userid): + count = ub.session.query(ub.KoboSyncedBooks).filter(userid == ub.KoboSyncedBooks.user_id).delete() + message = _("{} sync entries deleted").format(count) + ub.session_commit(message) + return Response(json.dumps([{"type": "success", "message": message}]), mimetype='application/json') + + def check_valid_read_column(column): if column != "0": if not calibre_db.session.query(db.CustomColumns).filter(db.CustomColumns.id == column) \ diff --git a/cps/static/js/main.js b/cps/static/js/main.js index 34d3bc96..1e88fc6d 100644 --- a/cps/static/js/main.js +++ b/cps/static/js/main.js @@ -621,8 +621,12 @@ $(function() { "btnfullsync", "GeneralDeleteModal", $(this).data('value'), - function(value){ - path = getPath() + "/ajax/fullsync" + function(userid) { + if (userid) { + path = getPath() + "/ajax/fullsync/" + userid + } else { + path = getPath() + "/ajax/fullsync" + } $.ajax({ method:"post", url: path, diff --git a/cps/templates/user_edit.html b/cps/templates/user_edit.html index 18b018e6..454fa6c9 100644 --- a/cps/templates/user_edit.html +++ b/cps/templates/user_edit.html @@ -67,7 +67,7 @@
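Review bot: `ajax_fullsync(userid)` hands the path parameter straight to `do_full_kobo_sync` without checking that a user with that id exists, so a stale or mistyped id from the admin page is answered with a success payload saying `0 sync entries deleted` instead of a 404; a lookup against the user table before the delete, aborting with 404 when absent, would make the endpoint honest. The route decorator reads `"/ajax/fullsync/"` with no placeholder for `userid` in this rendering — if an `<int:userid>` converter was lost when the patch was rendered, disregard this, but as shown the view would be invoked without its argument. `@login_required` followed by `@admin_required` on a state-changing POST is the right shape for an admin-only destructive action; whether CSRF protection covers this blueprint's AJAX routes is not visible from the hunk and worth confirming.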
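Review bot: `do_full_kobo_sync` is now the shared path for both the self-service route and the new admin route but carries no docstring; add one such as `"""Delete every KoboSyncedBooks row for ``userid`` so the device's next sync is a full sync; commits with a translated message and returns the JSON status payload the AJAX callers expect."""`. The filter is written constant-first, `userid == ub.KoboSyncedBooks.user_id`, while the neighbouring `check_valid_read_column` puts the column first (`db.CustomColumns.id == column`); `ub.KoboSyncedBooks.user_id == userid` matches that convention. The response type is always `success`, even when `count` is 0, so callers cannot tell "nothing to delete" from "unknown user" — acceptable if intentional, but worth a comment on the `return`.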
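Review bot: `userid` comes from `$(this).data('value')` and is concatenated into the URL path unencoded on the `path = getPath() + "/ajax/fullsync/" + userid` line; encode it so a value containing `/`, `?` or `#` cannot change which endpoint is hit: `path = getPath() + "/ajax/fullsync/" + encodeURIComponent(userid);`. `path` is also assigned in both branches without a declaration (the removed line had the same issue), which makes it an implicit global; add `var path;` before the `if`, or `let` if the file already uses ES6 — its level is not visible from here. The `if (userid)` test treats `0` and `""` the same, which is fine only if user ids are never 0; likely, but not shown in this hunk. The enclosing `$(function() {` handler starts before the hunk.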
- +
{% endif %}