Aller au contenu principal
Jahia Store
FR

Full Read Only Notifier

community
Télécharger 2.0.4

Informations

Identifiant du module
full-read-only-notifier
Identifiant de groupe
org.jahia.community
Statut
community
Catégorie
Admin Features
Auteur
Florent BOURASSE
Site web du développeur
http://www.jahia.com
Nécessite Jahia
8.2.1.0
Mis à jour
2026-07-09
Source
scm:git:git@github.com:Jahia/full-read-only-notifier.git

This (very) simple module displays once a notification when a Jahia instance is in full read-only mode and when it leaves this mode.

Versions

Site-administration panel now works for site administrators (not just root), and the menu loads correctly against richtext-ckeditor5 1.0.1.

Fixes ("menu not displayed / Permission denied")

  • Menu now loads with richtext-ckeditor5 1.0.1 — the admin UI consumes the CKEditor5 Module Federation remote under the correct global name appShell.remotes.richtextCkeditor5. The previous name (…ckeditor5) failed to resolve, so the remote never loaded, init.js threw, and the site-administration route was never registered.
  • Site-scoped permission enforcement — the GraphQL settings query and updateSettings mutation now check the siteAdminFullReadOnlyNotifier permission on the target site node (/sites/<siteKey>) using the current user's session, instead of the DXM @GraphQLRequiresPermission annotation, which evaluated against the repository root and therefore denied every non-root administrator (GqlAccessDeniedException). The permission is nested under site-admin, so the built-in site-administrator role grants it via permission-tree inheritance — no role provisioning required. The frontend route permission was aligned to match.

Security

  • Stored XSS in the notifier view closed via server-side render-time sanitization (#20#19).
  • Restricted the CKEditor GeneralHtmlSupport allowlist and enabled iframe sandboxing.
  • JCR HTML sanitized before DOM injection in the JSP; jsoup-based allowlist applied on write and render.
  • Added unit tests for the siteKey validation security boundary.

Other changes

  • Fixed view JSP rendering by importing org.jahia.taglibs.jcr.node (bnd does not scan JSPs) (#18).
  • Grouped GraphQL operations under a single fullReadOnlyNotifier namespace container (#17).
  • Added missing French (i18n) translation keys.
  • Dependency bumps: tar (#15), @babel/core (#16), and test-scope qsuuidtmp.

Tests

  • Java unit tests for the permission checker and existing extensions (35 passing).
  • Cypress e2e regression for the permission scope: a non-root site administrator can read/update/see the panel, while a user without the role is denied.

Compatibility

  • Requires Jahia 8.2.1.0+ and the richtext-ckeditor5 module (verified against 1.0.1).
Nécessite Jahia 8.2.1.0Mis à jour 2026-07-03

Highlights

  • Hardened security: JCR path-traversal prevention on siteKey, multi-character sanitization fixes for code-scanning alerts, and several CVE/Dependabot dependency upgrades.
  • Major accessibility overhaul of the admin UI to meet WCAG 2.1 AA (focus, contrast, live regions, ARIA, screen-reader announcements).
  • Test suite improvements (Cypress) and modernized developer/agent documentation.

Features

  • i18n: added settings.cancelled English key for cancel-action screen-reader announcement (60f6ed3).
  • Added agent context files: AGENTS.md and a CLAUDE.md pointer (b0310e31278878).

Fixes

  • Security — validate siteKey to prevent JCR path traversal in GraphQL extensions (b63c0a9; touches FronotifierConstants.javaFullReadOnlyNotifierMutationExtension.javaFullReadOnlyNotifierQueryExtension.java).
  • Security — two code-scanning fixes for incomplete multi-character sanitization (5354bc5bc69346).
  • Accessibility (WCAG 2.1 AA) in FullReadOnlyNotifier.jsx / .scss:
    • Two fixed live regions, aria-required / aria-invalid / aria-describedbyinert on disabled editors, dynamic document.title updates (f5d368d).
    • Contrast, :focus-visible, rem-based font sizes, removal of pointer-events on disabled editor (cbd4ebe).
    • Initial broad WCAG 2.1 AA pass on admin UI (f88edfd).
  • Fix typo in full-read-only-notifier.properties (60cf853).

Refactoring / Maintenance

  • Dependency upgrades:
    • systeminformation 5.31.5 → 5.31.6 (CVE) via resolution override (658b6d1).
    • @babel/plugin-transform-modules-systemjsfast-uriaxiosip-address Dependabot fixes (d70c3f0).
    • postcss 8.5.9 → 8.5.14 (9291789).
    • ip-address 10.1.0 → 10.2.0 (3d1c05b).
    • webpack 5.94.0 → 5.104.1 in /tests (47264d9).
    • General Dependabot remediation attempt (a7dff15).
  • Renamed CLAUDE.md → AGENTS.md with a backward-compatible reference (b0310e3).
  • Updated dependabot.ymlSECURITY.mdREADME.md (a34224cfaf546c84a75d9).
  • Removed obsolete docs and added .gitignore entries for tests (2c698b6e9feb24).
  • Maven release plugin: prepared for next development iteration (3ea3412).

Tests

  • Cypress test improvements (4c4f7f1).
  • Lint-driven corrections on Cypress tests (54483d7).
  • Updated tests/cypress/e2e/01-fronotifierSettings.cy.ts and 02-fronotifierPopup.cy.ts, plus tests/package.json and Yarn Berry configuration (.yarnrc.yml).
  •  

Full Changelog2_0_2...2_0_3

Nécessite Jahia 8.2.1.0Mis à jour 2026-05-19
Nécessite Jahia 8.2.1.0Mis à jour 2026-04-13