This is a mega patch with a massive number of significant, complex
changes integrating the visual, drag-and-drop block editor library,
email-builder: https://github.com/usewaypoint/email-builder-js
It adds a new template type (`visual`) to templates and integrates the editor
UI in Admin -> Templates and Admin -> Campaigns UIs. There are changes to
templates and campaign APIs, UI flows, and database table schemas.
`email-builder` is written in TypeScript and React (eww) and is a massive lib,
(2.3MB minified+gzipped), bigger than all of listmonk's own JS and other deps
combined, but alas, there is no other viable editor and it has been a popular
demand for a long time.
So, `email-builder` is built separately, and the static assets are copied along
with listmonk's assets. Since it's basically a separate "app" altogether,
it's loaded as an iframe on the editor pages, outside of the Vue app.
The visual editor integration is courtesy of @vividvilla who did all the
R&D and trial and error and sent the original PR to make this possible.
I really loathe the Javascript ecosystem. Sigh.
Unfortunately, the tiny CodeFlask lib stopped getting updates 5+ years ago and
is buggy. The attempt to replace it with CodeInput (which itself seems to have
several open bugs) failed.
So, biting the bullet with CodeMirror, which is a robust, battle tested, albeit
large (~300KB) code editor library.
This patch replaces all code editor UIs (Campaign, Templates, Settings) with
CodeMirror.
- Fix merge conflicts.
- Simply logic in campaign preview handler.
- Remove redundant `GetCampaignForPreviewWithTemplate()` and switch to the old
query that optionally takes a template.
- Fix Vue linting issues.
- Disable visual templates from being made default.
- Refactor visual template selection flow in campaigns.
- Hide scroll if templates modal is active. This is to make sure it doesn't
flicker when adding blocks in visual-editor.
This permission was never checked for and had an unintended consequence of
allowing a non-superadmin user to execute arbitrary queries (expected), but
getting a superadmin session by joining the `sessions` table.
This patch:
- Introduces a table allowlist that uses the Postgres query plan (JSON)
and validate the referenced tables against the allowed ones on arbitrary
queries issued to the various `/subscribers` APIs.
- Explicitly adds the missing `subscribers:sql_query` permission check to all
handlers that accept `query`.
- Introduces a new `search` parameter on all handlers that accept `query`.
This parameter is an interface over the default name/email substring search
instead of relying on `query`.
- During install, listmonk now accepts the env `LISTMONK_ADMIN_API_USER`
and creates an API user (with username $LISTMONK_ADMIN_API_USER)
with full superadmin permissions. This requires LISTMONK_ADMIN_USER and
LISTMONK_ADMIN_API_PASSWORD to be set so that that there's always a superadmin
user to avoid bad states, mainly: bot superadmin exists, but no admin user
exists, leaving the installation perpetually open with the superadmin user
creation UI on the first login.
The API user's token is printed to stderr in the following format:
`export LISTMONK_ADMIN_API_TOKEN="7I81VSd90UWhKDj5Kq9c6YopToRduyDF"`
This can be redirected to a file with ./listmonk 2> /tmp/token or captured
directly and then source()'d.
- Add new function `core.GetRole(id)`.
- Fix `at least one super admin` query in user deletion.
This patch significantly cleans up clunky, repetitive, and pervasive
validation logic across HTTP handlers.
- Rather than dozens of handlers checking and using strconv to validate ID,
the handlers with `:id` are now wrapped in a `hasID()` middleware that does
the validation and sets an int `id` in the handler context that the wrapped
handlers can now access with `getID()`.
- Handlers that handled both single + multi resource requests
(eg: GET `/api/lists`) with single/multiple id checking conditions are all now
split into separate handlers, eg: `getList()`, `getLists()`.
- Attach all HTTP handlers to a new `Handlers{}` struct.
- Remove all `handle*` function prefixes.
- Remove awkward, repetitive `app = c.Get("app").(*App)` from all handlers
and instead, simply access it from `h.app` from `Handlers{}`
Originally proposed in #2292.
