Merge branch 'main' into feature/audit-telemetry-gdpr-deletion

Author: yau-wd

packages/server/src/controllers/variables/index.ts

@@ -22,9 +22,12 @@ const createVariable = async (req: Request, res: Response, next: NextFunction) =
             throw new InternalFlowiseError(StatusCodes.NOT_FOUND, `Error: toolsController.createTool - workspace ${workspaceId} not found!`)
         }
         const body = req.body
-        body.workspaceId = workspaceId
+        // Explicit allowlist — id/workspaceId/timestamps must not be overrideable by client
         const newVariable = new Variable()
-        Object.assign(newVariable, body)
+        if (body.name !== undefined) newVariable.name = body.name
+        if (body.value !== undefined) newVariable.value = body.value
+        if (body.type !== undefined) newVariable.type = body.type
+        newVariable.workspaceId = workspaceId
         const apiResponse = await variablesService.createVariable(newVariable, orgId)
         return res.json(apiResponse)
     } catch (error) {
@@ -91,8 +94,11 @@ const updateVariable = async (req: Request, res: Response, next: NextFunction) =
             return res.status(404).send('Variable not found in the database')
         }
         const body = req.body
+        // Explicit allowlist — id/workspaceId/timestamps must not be overrideable by client
         const updatedVariable = new Variable()
-        Object.assign(updatedVariable, body)
+        if (body.name !== undefined) updatedVariable.name = body.name
+        if (body.value !== undefined) updatedVariable.value = body.value
+        if (body.type !== undefined) updatedVariable.type = body.type
         const apiResponse = await variablesService.updateVariable(variable, updatedVariable)
         return res.json(apiResponse)
     } catch (error) {

packages/server/src/enterprise/controllers/user.controller.ts

@@ -56,11 +56,11 @@ export class UserController {
             if (!currentUser) {
                 throw new InternalFlowiseError(StatusCodes.UNAUTHORIZED, UserErrorMessage.USER_NOT_FOUND)
             }
-            const { id } = req.body
+            const { id, name, oldPassword, newPassword, confirmPassword } = req.body
             if (currentUser.id !== id) {
                 throw new InternalFlowiseError(StatusCodes.FORBIDDEN, UserErrorMessage.USER_NOT_FOUND)
             }
-            const user = await userService.updateUser(req.body)
+            const user = await userService.updateUser({ id, name, updatedBy: currentUser.id, oldPassword, newPassword, confirmPassword })
             return res.status(StatusCodes.OK).json(user)
         } catch (error) {
             next(error)

packages/server/src/enterprise/services/user.service.ts

@@ -150,16 +150,10 @@ export class UserService {
                 if (!updateUserData) throw new InternalFlowiseError(StatusCodes.NOT_FOUND, UserErrorMessage.USER_NOT_FOUND)
             }
 
-            newUserData.createdBy = oldUserData.createdBy
-
             if (newUserData.name) {
                 this.validateUserName(newUserData.name)
             }
 
-            if (newUserData.status) {
-                this.validateUserStatus(newUserData.status)
-            }
-
             if (newUserData.oldPassword && newUserData.newPassword && newUserData.confirmPassword) {
                 if (!oldUserData.credential) {
                     throw new InternalFlowiseError(StatusCodes.BAD_REQUEST, UserErrorMessage.INVALID_USER_CREDENTIAL)
@@ -176,7 +170,23 @@ export class UserService {
                 newUserData.tokenExpiry = undefined
             }
 
-            updatedUser = queryRunner.manager.merge(User, oldUserData, newUserData)
+            const safePatch: Partial<User> = {
+                createdBy: oldUserData.createdBy // always preserve from DB
+            }
+
+            if (newUserData.name) {
+                safePatch.name = newUserData.name
+            }
+
+            safePatch.updatedBy = newUserData.updatedBy // always set (controller forces req.user.id)
+            if (newUserData.oldPassword && newUserData.newPassword && newUserData.confirmPassword) {
+                // credential/tempToken/tokenExpiry were set by the validated workflow above
+                safePatch.credential = newUserData.credential
+                safePatch.tempToken = newUserData.tempToken
+                safePatch.tokenExpiry = newUserData.tokenExpiry
+            }
+
+            updatedUser = queryRunner.manager.merge(User, oldUserData, safePatch)
             await queryRunner.startTransaction()
             await this.saveUser(updatedUser, queryRunner)
             await queryRunner.commitTransaction()

packages/server/src/services/variables/index.ts

@@ -103,7 +103,9 @@ const updateVariable = async (variable: Variable, updatedVariable: Variable) =>
     if (appServer.identityManager.getPlatformType() === Platform.CLOUD && updatedVariable.type === 'runtime')
         throw new InternalFlowiseError(StatusCodes.BAD_REQUEST, 'Cloud platform does not support runtime variables!')
     try {
+        const originalWorkspaceId = variable.workspaceId
         const tmpUpdatedVariable = await appServer.AppDataSource.getRepository(Variable).merge(variable, updatedVariable)
+        tmpUpdatedVariable.workspaceId = originalWorkspaceId
         const dbResponse = await appServer.AppDataSource.getRepository(Variable).save(tmpUpdatedVariable)
         return dbResponse
     } catch (error) {

packages/ui/src/ui-component/input/RichInput.jsx

@@ -23,10 +23,19 @@ const isHtmlContent = (content) => {
 }
 
 // define your extension array
-const extensions = (availableNodesForVariable, availableState, acceptNodeOutputAsVariable, nodes, nodeData, isNodeInsideInteration) => [
+const extensions = (
+    availableNodesForVariable,
+    availableState,
+    acceptNodeOutputAsVariable,
+    nodes,
+    nodeData,
+    isNodeInsideInteration,
+    useMarkdown
+) => [
     Markdown,
     StarterKit.configure({
-        codeBlock: false
+        codeBlock: false,
+        ...(!useMarkdown && { link: false })
     }),
     CustomMention.configure({
         HTMLAttributes: {
@@ -103,6 +112,7 @@ const StyledEditorContent = styled(EditorContent)(({ theme, rows, disabled, isDa
 }))
 
 export const RichInput = ({ inputParam, value, nodes, edges, nodeId, onChange, disabled = false }) => {
+    const useMarkdown = !!inputParam?.rows
     const customization = useSelector((state) => state.customization)
     const isDarkMode = customization.isDarkMode
     const [availableNodesForVariable, setAvailableNodesForVariable] = useState([])
@@ -135,15 +145,20 @@ export const RichInput = ({ inputParam, value, nodes, edges, nodeId, onChange, d
                     inputParam?.acceptNodeOutputAsVariable,
                     nodes,
                     nodeData,
-                    isNodeInsideInteration
+                    isNodeInsideInteration,
+                    useMarkdown
                 ),
                 Placeholder.configure({ placeholder: inputParam?.placeholder })
             ],
             content: '',
             onUpdate: ({ editor }) => {
-                try {
-                    onChange(editor.getMarkdown())
-                } catch {
+                if (useMarkdown) {
+                    try {
+                        onChange(editor.getMarkdown())
+                    } catch {
+                        onChange(editor.getHTML())
+                    }
+                } else {
                     onChange(editor.getHTML())
                 }
             },
@@ -155,7 +170,7 @@ export const RichInput = ({ inputParam, value, nodes, edges, nodeId, onChange, d
     // Load initial content after editor is ready, detecting HTML vs markdown
     useEffect(() => {
         if (editor && value) {
-            if (isHtmlContent(value)) {
+            if (!useMarkdown || isHtmlContent(value)) {
                 editor.commands.setContent(value)
             } else {
                 editor.commands.setContent(value, { contentType: 'markdown' })