overleaf/services/web/app/views/admin/index.pug
Shane Kilkelly 7f7b10aa09 Sanitize display of system messages.
When showing system-messages, use default Angular sanitizer, also,
on the admin panel itself, show the verbatim text of the message.

This solves a mild Stored-XSS vulnerability whereby a user could
put `<script>` tags in a message. We don't want that, but we do want
to be able to use basic html tags.
2018-08-22 10:15:50 +01:00

87 lines
3.5 KiB
Text

extends ../layout
block content
.content.content-alt
.container
.row
.col-xs-12
.card
.page-header
h1 Admin Panel
tabset(ng-cloak)
tab(heading="System Messages")
each message in systemMessages
.alert.alert-info.row-spaced #{message.content}
hr
form(enctype='multipart/form-data', method='post', action='/admin/messages')
input(name="_csrf", type="hidden", value=csrfToken)
.form-group
label(for="content")
input.form-control(name="content", type="text", placeholder="Message...", required)
button.btn.btn-primary(type="submit") Post Message
hr
form(enctype='multipart/form-data', method='post', action='/admin/messages/clear')
input(name="_csrf", type="hidden", value=csrfToken)
button.btn.btn-danger(type="submit") Clear all messages
tab(heading="Open Sockets")
.row-spaced
ul
each agents, url in openSockets
li #{url} - total : #{agents.length}
ul
each agent in agents
li #{agent}
tab(heading="Close Editor")
.row-spaced
form(enctype='multipart/form-data', method='post',action='/admin/closeEditor')
input(name="_csrf", type="hidden", value=csrfToken)
button.btn.btn-danger(type="submit") Close Editor
p.small Will stop anyone opening the editor. Will NOT disconnect already connected users.
.row-spaced
form(enctype='multipart/form-data', method='post',action='/admin/dissconectAllUsers')
input(name="_csrf", type="hidden", value=csrfToken)
button.btn.btn-danger(type="submit") Disconnect all users
p.small Will force disconnect all users with the editor open. Make sure to close the editor first to avoid them reconnecting.
tab(heading="Subscriptions")
h3 Link Recurly subscription to user
.row
form.form.col-xs-6(enctype='multipart/form-data', method='post',action='/admin/syncUserToSubscription')
input(name="_csrf", type="hidden", value=csrfToken)
.form-group
label(for='subscription_id') subscription_id (in Recurly)
input.form-control(type='text', name='subscription_id', placeholder='subscription_id', required)
.form-group
label(for='user_id') user_id
input.form-control(type='text', name='user_id', placeholder='user_id', required)
.form-group
button.btn-primary.btn(type='submit') Link
tab(heading="TPDS/Dropbox Management")
h3 Flush project to TPDS
.row
form.col-xs-6(enctype='multipart/form-data', method='post',action='/admin/flushProjectToTpds')
input(name="_csrf", type="hidden", value=csrfToken)
.form-group
label(for='project_id') project_id
input.form-control(type='text', name='project_id', placeholder='project_id', required)
.form-group
button.btn-primary.btn(type='submit') Flush
hr
h3 Poll Dropbox for user
.row
form.col-xs-6(enctype='multipart/form-data', method='post',action='/admin/pollDropboxForUser')
input(name="_csrf", type="hidden", value=csrfToken)
.form-group
label(for='user_id') user_id
input.form-control(type='text', name='user_id', placeholder='user_id', required)
.form-group
button.btn-primary.btn(type='submit') Poll