From a3c5815be16c7219577469137f15980d95252588 Mon Sep 17 00:00:00 2001
From: Davide Cavaliere
Date: Tue, 19 May 2026 18:12:38 +0200
Subject: [PATCH 1/2] fix(notes): accept numeric color in saveNote schema
saveNote schema declared color as String but the dashboard (countly.common.notes.js COLOR_TAGS) sends a numeric index 1..5. Validation stayed dormant until H-5 started enforcing validateArgs, after which every create/edit failed with 'Invalid type for color'. Switched color to IntegerString so both Number (JSON body) and numeric string (URL query) are accepted.
Slack context: https://countly.slack.com/archives/CV9KV4UQ1/p1779195915103949
Ports: Countly/countly-platform#280
Co-Authored-By: Claude Opus 4.7 (1M context)
---
CHANGELOG.md | 1 +
api/parts/mgmt/users.js | 5 ++++-
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 32c9d742d93..d1fa6f67697 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -24,6 +24,7 @@ Security Fixes (backport of #7535 — bug-bounty-style hardening pass): - [output] Remove `noescape` query-string bypass on `returnOutput` (reflected-XSS via parameter) - [auth] Handle `req.session.regenerate` error in token login - [data] Return 404 (not 500) when `event_groups` lookup misses +- [notes] Accept numeric color in saveNote schema so graph note create/edit no longer fails validation after H-5 enforcement (backport of #7578) 24.05-specific notes (some master fixes were not directly applicable): - C-1 (`$graphLookup`) and M-11 (dbviewer non-admin filter scope): master uses a `whiteListedAggregationStages` mechanism (added by SER-2122) and a `getBaseAppFilter` per-collection app-id mechanism that 24.05 does not have. C-1 is implemented as a minimal targeted block; M-11 is not applicable here. A broader 24.05 dbviewer hardening (porting SER-2122 + filter scope + M-11) is left for a separate change.
diff --git a/api/parts/mgmt/users.js b/api/parts/mgmt/users.js
index 4e2f77e55b9..15e3e4d3baf 100644
--- a/api/parts/mgmt/users.js
+++ b/api/parts/mgmt/users.js
@@ -908,8 +908,11 @@ usersApi.saveNote = async function(params) {
 'type': 'String',
 },
 'color': {
+ // Frontend (countly.common.notes.js COLOR_TAGS) sends a numeric
+ // index 1..5. URL query callers may send "5" as a string.
+ // Mirror the ts handling — IntegerString accepts both.
 'required': true,
- 'type': 'String'
+ 'type': 'IntegerString'
 },
 'category': {
 'required': false,
From 97edec459a581fc24f594b49464c7d32cf1893e9 Mon Sep 17 00:00:00 2001
From: Anna Sosina
Date: Tue, 19 May 2026 19:57:34 +0300
Subject: [PATCH 2/2] Change 'ts' type from empty to 'IntegerString'
---
api/parts/mgmt/users.js | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/api/parts/mgmt/users.js b/api/parts/mgmt/users.js
index 15e3e4d3baf..0719550f012 100644
--- a/api/parts/mgmt/users.js
+++ b/api/parts/mgmt/users.js
@@ -901,7 +901,7 @@ usersApi.saveNote = async function(params) {
 },
 'ts': {
 'required': true,
- 'type': ''
+ 'type': 'IntegerString'
 },
 'noteType': {
 'required': true,
@@ -1187,4 +1187,4 @@ usersApi.ackNotification = function(params) {
 });
 };
-module.exports = usersApi;
\ No newline at end of file
+module.exports = usersApi;
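Review bot: The new `'type': 'IntegerString'` for `color` accepts any integer, while the comment added on the same lines states that the only meaningful values are the COLOR_TAGS indexes 1..5, so values such as 0, -1 or a very large number now pass validation with nothing in the hunk bounding them. If the validator supports a range or allowed-values constraint, pin it to 1..5 here; otherwise reject out-of-range values explicitly once validateArgs has returned, and record the bound in the comment (`// Valid values: 1..5 (COLOR_TAGS index)`). Because a JSON body yields a Number and a URL query yields a string, the persisted value may end up as either `5` or `"5"` unless IntegerString coerces it — normalising with `Number(...)` before storing keeps later comparisons and filters consistent for both callers. The same type-normalisation consideration applies to the `ts` hunk in the second patch. The saveNote schema starts before this hunk and the function body continues after it.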