diff --git a/CHANGELOG.md b/CHANGELOG.md
index 32c9d742d93..d1fa6f67697 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -24,6 +24,7 @@ Security Fixes (backport of #7535 — bug-bounty-style hardening pass):
 - [output] Remove `noescape` query-string bypass on `returnOutput` (reflected-XSS via parameter)
 - [auth] Handle `req.session.regenerate` error in token login
 - [data] Return 404 (not 500) when `event_groups` lookup misses
+- [notes] Accept numeric color in saveNote schema so graph note create/edit no longer fails validation after H-5 enforcement (backport of #7578)
 
 24.05-specific notes (some master fixes were not directly applicable):
 - C-1 (`$graphLookup`) and M-11 (dbviewer non-admin filter scope): master uses a `whiteListedAggregationStages` mechanism (added by SER-2122) and a `getBaseAppFilter` per-collection app-id mechanism that 24.05 does not have. C-1 is implemented as a minimal targeted block; M-11 is not applicable here. A broader 24.05 dbviewer hardening (porting SER-2122 + filter scope + M-11) is left for a separate change.
diff --git a/api/parts/mgmt/users.js b/api/parts/mgmt/users.js
index 4e2f77e55b9..0719550f012 100644
--- a/api/parts/mgmt/users.js
+++ b/api/parts/mgmt/users.js
@@ -901,15 +901,18 @@ usersApi.saveNote = async function(params) {
 },
 'ts': {
 'required': true,
- 'type': ''
+ 'type': 'IntegerString'
 },
 'noteType': {
 'required': true,
 'type': 'String',
 },
 'color': {
+ // Frontend (countly.common.notes.js COLOR_TAGS) sends a numeric
+ // index 1..5. URL query callers may send "5" as a string.
+ // Mirror the ts handling — IntegerString accepts both.
 'required': true,
- 'type': 'String'
+ 'type': 'IntegerString'
 },
 'category': {
 'required': false,
@@ -1184,4 +1187,4 @@ usersApi.ackNotification = function(params) {
 });
 };
 
-module.exports = usersApi;
\ No newline at end of file
+module.exports = usersApi;
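Review bot: `'type': 'IntegerString'` on `color` accepts any integer, yet the comment added directly above it documents the valid domain as an index 1..5 into `COLOR_TAGS`; nothing in the schema enforces that range, so `0`, `-1` or `99999` now pass validation and are stored as the note's color. If the schema validator supports bounds, add them next to the type; otherwise reject out-of-range values after validation, e.g. `const colorIdx = Number(color);` followed by `if (!Number.isInteger(colorIdx) || colorIdx < 1 || colorIdx > 5) { /* respond 400 */ }`. Whether an unknown index breaks the frontend lookup or merely renders uncoloured cannot be told from this hunk, so treat the range check as defence in depth rather than a fix for a known fault. The `ts` change from `''` to `'IntegerString'` also tightens a field that previously had no type at all, which deserves a mention in the comment or CHANGELOG since callers sending non-integer timestamps will now be rejected. The enclosing `saveNote` function and its schema object start and end outside the hunk.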