Merge pull request #8177 from ProcessMaker/epic/FOUR-22580

FOUR-22580: [SUMMER 25] IFrame Whitelist Configs

Author: ryancooley

ProcessMaker/Http/Controllers/Api/SettingController.php

@@ -3,6 +3,7 @@
 namespace ProcessMaker\Http\Controllers\Api;
 
 use DB;
+use Illuminate\Database\QueryException;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Facades\Storage;
@@ -265,6 +266,28 @@ public function update(Setting $setting, Request $request)
         return response([], 204);
     }
 
+    public function store(Request $request)
+    {
+        $setting = new Setting();
+
+        try {
+            $setting->fill($request->json()->all());
+            $setting->saveOrFail();
+
+            return response([], 201);
+        } catch (QueryException $e) {
+            // Check for duplicate entry error code
+            if ($e->errorInfo[1] == 1062) {
+                return response()->json([
+                    'message' => 'The "Site Name" you\'re trying to add already exists. Please select a different name or review the existing entries to avoid duplication.',
+                ], 409);
+            }
+
+            // Handle other query exceptions
+            return response()->json(['message' => 'An error occurred while saving the setting.'], 500);
+        }
+    }
+
     public function destroy(Setting $setting)
     {
         $setting->delete();

config/session.php

@@ -170,7 +170,7 @@
     |
     */
 
-    'secure' => env('SESSION_SECURE_COOKIE'),
+    'secure' => env('SESSION_SECURE_COOKIE', false),
 
     /*
     |--------------------------------------------------------------------------
@@ -198,6 +198,6 @@
     |
     */
 
-    'same_site' => 'lax',
+    'same_site' => env('SESSION_SAME_SITE', 'lax'),
 
 ];

resources/js/admin/settings/components/ModalWhiteList.vue

@@ -0,0 +1,127 @@
+<template>
+  <b-modal
+    id="bv-modal-whitelist"
+    ref="bv-modal-whitelist"
+    hide-footer
+  >
+    <template #modal-title>
+      <div class="tw-self-stretch tw-text-base tw-font-medium tw-text-[#20242A]">
+        {{ $t("Configure URL Parents for Embedding") }}
+      </div>
+      <div class="tw-self-stretch tw-text-sm tw-text-[#596372]">
+        {{ $t("Please provide a valid URL (e.g., https://example.com ) to specify the allowed origin(s) permitted to embed ProcessMaker.") }}
+      </div>
+    </template>
+    <div class="tw-block">
+      <div class="form-group col-md-12">
+        <div class="d-flex flex-column">
+          <label for="site-name">
+            {{ $t("Site Name") }}
+          </label>
+          <b-form-input
+            id="site-name"
+            v-model="siteName"
+            type="text"
+            required
+            :state="stateSiteName"
+            :placeholder="$t('Site Name')"
+          />
+        </div>
+      </div>
+      <div class="form-group col-md-12">
+        <div class="d-flex flex-column">
+          <label for="url">
+            {{ $t("Url") }}
+          </label>
+          <b-form-input
+            id="url"
+            v-model="url"
+            type="text"
+            required
+            placeholder="https://www.sample.org/head"
+            :state="stateURL"
+          />
+          <div v-if="urlError" class="text-danger mt-1">
+            {{ urlError }}
+          </div>
+        </div>
+      </div>
+    </div>
+    <div class="tw-block tw-mt-8">
+      <b-button
+        id="confirm"
+        type="submit"
+        variant="primary"
+        block
+        @click="addWhiteListURL"
+      >
+        {{ $t('Create') }}
+      </b-button>
+    </div>
+  </b-modal>
+</template>
+
+<script>
+export default {
+  data() {
+    return {
+      siteName: "",
+      url: "",
+      stateSiteName: null,
+      stateURL: null,
+      groupName: "",
+      group_id: 3,
+      urlError: "",
+    };
+  },
+  methods: {
+    show(groupName) {
+      this.clear();
+      this.groupName = groupName;
+      return this.$refs["bv-modal-whitelist"].show();
+    },
+    clear() {
+      this.siteName = "";
+      this.url = "";
+      this.urlError = "";
+    },
+    validateURL(url) {
+      const pattern = /^(https?:\/\/)?(\*\.)?([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}(:\d+)?(\/.*)?$/;
+      return pattern.test(url);
+    },
+    addWhiteListURL() {
+      if (!this.siteName) {
+        this.stateSiteName = false;
+        return;
+      }
+      if (!this.url) {
+        this.stateURL = false;
+        return;
+      }
+      // Validate the URL using the regex pattern
+      if (!this.validateURL(this.url)) {
+        this.stateURL = false;
+        this.urlError = __("Please enter a valid URL.");
+        return;
+      }
+      const site = this.siteName.toLocaleLowerCase().trim().replaceAll(" ", "_");
+      const data = {
+        key: `white_list.${site}`,
+        format: "text",
+        config: this.url,
+        name: this.siteName,
+        group: this.groupName,
+        group_id: this.group_id,
+        hidden: false,
+        ui: null,
+      };
+      ProcessMaker.apiClient
+        .post("settings", data)
+        .then(() => {
+          this.$parent.refresh();
+          this.$refs["bv-modal-whitelist"].hide();
+        });
+    },
+  },
+};
+</script>

resources/js/admin/settings/components/SettingsListing.vue

@@ -188,6 +188,7 @@
         </div>
       </div>
     </div>
+    <modal-white-list ref="modal-whitelist" />
   </div>
 </template>
 
@@ -211,8 +212,10 @@ import SettingsRange from './SettingsRange';
 import SettingDriverAuthorization from './SettingDriverAuthorization';
 import { createUniqIdsMixin } from "vue-uniq-ids";
 import SettingsEmpty from "./SettingsEmpty.vue";
+import ModalWhiteList from "./ModalWhiteList.vue";
 
 const uniqIdsMixin = createUniqIdsMixin();
+const whiteListName = "IFrame Whitelist Config";
 
 export default {
   components: {
@@ -232,6 +235,7 @@ export default {
     SettingsRange,
     SettingSelect,
     SettingsEmpty,
+    ModalWhiteList,
   },
   mixins:[dataLoadingMixin, uniqIdsMixin],
   props: ['group'],
@@ -272,46 +276,55 @@ export default {
     },
   },
   mounted() {
-    this.$on("refresh-menu", this.removeElement);
-    if (! this.group) {
-      this.orderBy = "group";
-      this.fields.push({
-        key: "group",
-        label: "Group",
-        sortable: true,
-        tdClass: "td-group",
-      });
-    }
-
-    this.fields.push({
-      key: "name",
-      label: "Setting",
-      sortable: true,
-      tdClass: "align-middle td-name settings-listing-td1",
-    });
+    const that = this;
 
-    this.fields.push({
-      key: "config",
-      label: "Configuration",
-      sortable: false,
-      tdClass: "align-middle td-config settings-listing-td2",
-    });
-
-    this.fields.push({
-      key: "actions",
-      label: "",
-      sortable: false,
-      tdClass: "align-middle settings-listing-td3",
-    });
+    this.$on("refresh-menu", this.removeElement);
+    this.fillFields();
 
     ProcessMaker.EventBus.$on('setting-added-from-modal', () => {
       this.shouldDisplayNoDataMessage = false;
       this.$nextTick(() => {
         this.refresh();
       });
     });
+
+    window.addWhiteListURL = function (owner) {
+      that.$refs["modal-whitelist"].show(owner.group);
+    };
   },
   methods: {
+    fillFields() {
+      if (!this.group) {
+        this.orderBy = "group";
+        this.fields.push({
+          key: "group",
+          label: "Group",
+          sortable: true,
+          tdClass: "td-group",
+        });
+      }
+
+      this.fields.push({
+        key: "name",
+        label: this.group === whiteListName ? "Name" : "Setting",
+        sortable: true,
+        tdClass: "align-middle td-name settings-listing-td1",
+      });
+
+      this.fields.push({
+        key: "config",
+        label: this.group === whiteListName ? "Links" : "Configuration",
+        sortable: false,
+        tdClass: "align-middle td-config settings-listing-td2",
+      });
+
+      this.fields.push({
+        key: "actions",
+        label: "",
+        sortable: false,
+        tdClass: "align-middle settings-listing-td3",
+      });
+    },
     loadButtons() {
       ProcessMaker.apiClient.get(`/settings/group/${this.group}/buttons`)
         .then((response) => {

resources/lang/en.json

@@ -444,6 +444,7 @@
   "Configure Script": "Configure Script",
   "Configure Template": "Configure Template",
   "Configure the authenticator app": "Configure the authenticator app",
+  "Configure URL Parents for Embedding": "Configure URL Parents for Embedding",
   "Configure": "Configure",
   "Confirm and Save": "Confirm and Save",
   "Confirm New Password": "Confirm New Password",
@@ -1549,6 +1550,7 @@
   "Please choose the tasks in your inbox that this new rule should apply to. <b>Use the column filters</b> to achieve this.": "Please choose the tasks in your inbox that this new rule should apply to. <b>Use the column filters</b> to achieve this.",
   "Please contact your administrator to get started.": "Please contact your administrator to get started.",
   "Please enter Tab Name": "Please enter Tab Name",
+  "Please provide a valid URL (e.g., https://example.com ) to specify the allowed origin(s) permitted to embed ProcessMaker.": "Please provide a valid URL (e.g., https://example.com ) to specify the allowed origin(s) permitted to embed ProcessMaker.",
   "Please log in to continue your work on this page.": "Please log in to continue your work on this page.",
   "Please select a Saved Search": "Please select a Saved Search",
   "Please take a look at it in the 'Rules' section located within your Inbox.": "Please take a look at it in the 'Rules' section located within your Inbox.",

routes/api.php

@@ -321,6 +321,8 @@
         ->name('settings.menu_groups')->middleware($viewSettings);
     Route::post('settings/import', [SettingController::class, 'import'])
         ->name('settings.import')->middleware($updateSettings);
+    Route::post('settings', [SettingController::class, 'store'])
+        ->name('settings.store')->middleware($updateSettings);
     Route::delete('settings/{setting}', [SettingController::class, 'destroy'])
         ->name('settings.destroy')->middleware($updateSettings);
     Route::put('settings/{setting}', [SettingController::class, 'update'])

tests/Feature/Api/SettingsTest.php

@@ -174,4 +174,59 @@ public function testUpdateExtendedPropertiesWithInvalidVariableName()
         //Verify variable were not updated
         $this->assertDatabaseMissing('settings', ['config' => '{"1myVar":"This is my variable 1","myVar space":"This is my variable 2"}']);
     }
+
+    public function test_it_can_create_a_setting()
+    {
+        $menu = SettingsMenus::create([
+            'menu_group' => 'Log-In & Auth',
+        ]);
+        $data = [
+            'key' => 'white_list.drive',
+            'format' => 'text',
+            'config' => 'https://drive.google.com',
+            'name' => 'Drive',
+            'group' => 'IFrame Whitelist Config',
+            'group_id' => $menu->id,
+            'hidden' => false,
+            'ui' => null,
+        ];
+        $route = route('api.settings.store');
+        $response = $this->apiCall('POST', $route, $data);
+        //Verify the status
+        $response->assertStatus(201);
+    }
+
+    public function test_it_returns_error_for_duplicate_entry()
+    {
+        $menu = SettingsMenus::create([
+            'menu_group' => 'Log-In & Auth',
+        ]);
+        // Create a setting first
+        Setting::create([
+            'key' => 'white_list.drive',
+            'format' => 'text',
+            'config' => 'https://drive.google.com',
+            'name' => 'Drive',
+            'group' => 'IFrame Whitelist Config',
+            'group_id' => $menu->id,
+            'hidden' => false,
+            'ui' => null,
+        ]);
+        // Data to create
+        $data = [
+            'key' => 'white_list.drive',
+            'format' => 'text',
+            'config' => 'https://drive.google.com',
+            'name' => 'Drive',
+            'group' => 'IFrame Whitelist Config',
+            'group_id' => $menu->id,
+            'hidden' => false,
+            'ui' => null,
+        ];
+        $route = route('api.settings.store');
+        $response = $this->apiCall('POST', $route, $data);
+        //Verify the status
+        $response->assertStatus(409)
+                 ->assertJson(['message' => 'The "Site Name" you\'re trying to add already exists. Please select a different name or review the existing entries to avoid duplication.']);
+    }
 }