Commit Graph

289 Commits

Author SHA1 Message Date
Chris Lemaire
97f15eac03 Fix failing hledger-web test
This test appeared to have failed after adding source positions to
generated transactions. This is because the generated transaction id for
web pages appears to be dependent on whether the transaction has an
associated source file. Because it has one associated now, the id was
updated to be 'transaction-2-1' for instance, instead of
'transaction-0-1' as it would have been before. The fix is to change the
test.
2023-01-21 23:24:43 +01:00
Simon Michael
ae87b1efd5 fix: web: add form's typeahead now shows non-ascii text correctly (#1961)
(Fix contributed by Arsen Arsenović)
2022-12-16 12:48:42 -10:00
Simon Michael
ace185f7d2 ;doc: update old manual links 2022-12-10 18:56:47 -10:00
Simon Michael
c25c5cef44 fix: make no-argument --debug flag work with ui & web also 2022-11-03 08:13:58 -10:00
Simon Michael
07cb6bdc80 fix: web: add: don't fail when there's no file field (#1932) 2022-09-14 08:16:49 -10:00
Simon Michael
c97e05e0dd imp: web: add form: layout improvements, use available space 2022-08-27 12:12:57 +01:00
Simon Michael
3b2999ee29 fix: web: add form: allow empty description 2022-08-26 12:00:23 +01:00
Simon Michael
d718f2c50c fix: web: add form: re-enable the file field (#1229)
It was ignored since cc1241fa2 in 2018. Also simplify some types.
2022-08-26 11:29:22 +01:00
Simon Michael
6503bfec6a dev: web: clarify AddForm a bit (#1229) 2022-08-25 08:18:24 +01:00
Simon Michael
581831b16d dev: web: simplify types a little (#1229) 2022-08-25 08:13:02 +01:00
Simon Michael
c80c72d7cd dev: lib, cli, bin: enable/fix name shadowing warnings
And a few other cleanups.
2022-08-23 12:16:15 +01:00
Simon Michael
53332ee6a5 stack: re-enable hledger-web with ghc 9.2 2022-04-15 15:07:17 -10:00
Simon Michael
d70c547b15 imp: fix Foundation runExceptT import (#1847) 2022-03-25 16:08:16 -10:00
Stephen Morgan
603b2e9f09 ref: Use ExceptT String IO a instead of IO (Either String a).
This increases composability and avoids some ugly case handling. We
re-export runExceptT in Hledger.Read.

The final return types of the following functions has been changed from
IO (Either String a) to ExceptT String IO a. If this causes a problem,
you can get the old behaviour by calling runExceptT on the output:
readJournal, readJournalFiles, readJournalFile

Or, you can use the easy functions readJournal', readJournalFiles', and
readJournalFile', which assume default options and return in the IO
monad.
2022-03-25 14:23:27 -10:00
Simon Michael
1ef8f329c6 lib: simpler more robust version strings, with date/without patchlevel
We no longer rely on git tags and git describe output, since it's
hard to reliably select the correct tag eg for minor releases.
We might use them again in future for dev builds, but it requires
adding git describe --match support to githash. For now,

* Program name, OS and architecture are always shown.
* The package version is always shown.
* If there is git info at build time, the latest commit hash and commit date are shown.

Example outputs:
A homebrew binary, not built in git repo: hledger-ui 1.24, mac-aarch64
A CI release build, built in git repo:    hledger 1.24.1-g455b35293-20211210, mac-x86_64

API changes:

* new type synonyms ProgramName, PackageVersion, VersionString
* versionStringForProgname -> versionString with extra argument
* versionStringFor -> versionStringWith with extra argument
2021-12-10 12:42:40 -10:00
Stephen Morgan
4cfd3cb590 lib!: Remove GenericSourcePos, and replace it with either SourcePos or
(SourcePos, SourcePos).

This has been marked for possible removal for a while. We are keeping
strictly more information. Possible edge cases arise with Timeclock and
CsvReader, but I think these are covered.

The particular motivation for getting rid of this is that
GenericSourcePos is creating some awkward import considerations for
little gain. Removing this enables some flattening of the module
dependency tree.
2021-09-20 08:38:33 -10:00
Stephen Morgan
a24f9a61df fix: web: Toggle showing zero elements properly even when called with
--empty. (#1237)

Calling with --empty now overrides any cookies determining whether
zero accounts are hidden.
2021-09-18 11:50:36 -10:00
Stephen Morgan
df424a7a96 fix: web: Do not hide empty accounts if they have non-empty subaccounts. (#1237) 2021-09-10 16:44:57 -10:00
Stephen Morgan
3456fcb862 test: ui: web: Use report date from _rsDay for hledger-ui and
hledger-web, rather than getCurrentDay.

File watching in hledger-ui continues to use getCurrentDay.
2021-09-09 14:40:39 -10:00
Stephen Morgan
4cb631c0f2 fix: web: Handle non-regular postings in the add transaction form. (#1058) 2021-09-08 13:21:50 -10:00
Stephen Morgan
8274da81fc cln: tests: Remove test and tests, which are just aliases for testCase
and testGroup.

Replacing these removes a layer of indirection, and reduces the need to
depend on Hledger.Utils.Test.
2021-08-30 16:32:19 -10:00
Stephen Morgan
83aa7324eb dev: cli: Move Template Haskell to get git hash from Hledger.Cli.Version
to Hledger.Cli.

Since the git hash changes whenever any file in the repository changes,
this means Hledger.Cli.Version needs to be recompiled all the time.
Since it is at the bottom of the module hierarchy, this means that the
whole hledger package needs to be recompiled. We instead move the
TemplateHaskell splice to one of the top modules, so much less needs to
be recompiled.

Note: Ghc seems to be able to get out of most of the recompiling a lot
of the time (due to caching?), but this makes things more reliable.
2021-08-30 15:57:33 -10:00
Stephen Morgan
1ed06f3bc8 pkg!: Remove Hledger.Utils.UTF8IOCompat module.
This module does nothing beyond define error' and usageError, which have
been moved to Hledger.Utils.
2021-08-30 15:57:33 -10:00
Stephen Morgan
13206d0b18 cln: Rename balancingOpts to defbalancingopts, to be consistent with definputopts, defreportopts, etc. 2021-08-28 19:12:04 -10:00
Stephen Morgan
32dad455fd cln: hlint: Clean up section related warnings. 2021-08-27 06:13:56 -10:00
Stephen Morgan
8bf7c95697 cln: hlint: Clean up Functor related hlint warnings, and NOINLINE warning. 2021-08-27 06:13:56 -10:00
Stephen Morgan
330c21659f cln: hlint: Clean up Maybe related hlint warnings. 2021-08-27 06:13:56 -10:00
Stephen Morgan
e13239386f cln: hlint: Clean up == and elem related hlint warnings. 2021-08-27 06:13:56 -10:00
Stephen Morgan
eb6047e81b cln: hlint: Remove redundant where and lambda warnings. 2021-08-26 21:00:35 -10:00
Arsen Arsenović
3504a91b42 ref: web: refactor toBloodhoundJson for Data.Text
This has the advantage of there being no extra unpacking/packing of
Data.Text to/from strings where it isn't necessary.
2021-08-24 05:04:12 -10:00
Arsen Arsenović
9ce55146c8 fix: web: b64 encode user controlled input (#1525)
This fixes a reported Stored XSS vulnerability in toBloodhoundJson by
encoding the user-controlled values in this payload into base64 and
parsing them with atob.

In my exploration of the vulnerability with various payloads I and
others crafted, it would appear that this is the only available XSS in
hledger-web in relation to stored accounts and transaction details. If
there is other parts of the UI which may contain user-controlled data,
they should be examined for similar things. In this instance,
protections provided by yesod and other libraries worked fine, but in a
bit of code that hledger-web was generating, the user could insert a
</Script> tag (which is valid HTML and equivalent to </script> but not
caught by the T.Replace that existed in toBloodhoundJson) in order to
switch out of a script context, allowing the parser to be reset, and for
arbitrary JavaScript to run.

The real fix is a bit more involved, but produces much better results:
Content-Security-Policy headers should be introduced, and using
sha256-<hash of script> or a different algorithm, they should be marked
as trusted in the header. This way, if the (in-browser) parser and
hledger-web generator disagree on the source code of the script, the
script won't run. Note that this would still be susceptible to attacks
that involve changing the script by escaping from the string inside it
or something similar to that, which can be avoided additionally by using
either the method used in this commit, or a proper JSON encoder.

The second approach has the advantage of preventing further XSS, to the
extent specified above, in practice, a combination of both should be
used, b64 for embedded data and the CSP sha256-hash script-src over
everything else, which will eliminate all injected or malformed script
blocks (via CSP), in combination with eliminating any HTML closing tags
which might occur in stored data (via b64).

This vulnerability appears to have been first introduced when
autocompletion was added in hledger-web, git tag hledger-0.24, commit
hash: ec51d28839

Test payload: </Script><svg onload=alert(1)//>

Closes #1525
2021-08-24 05:04:12 -10:00
Arjen Langebaerd
3426030a91 feat: added commodity style commandline option 2021-08-17 22:05:29 -10:00
Simon Michael
c8e5673287 ;web: fix ci, haddock failure 2021-08-07 11:35:19 -10:00
Simon Michael
49ff039312 lib: cli/ui/web: clarify version string code
version -> packageversion
versiondescription -> versionStringFor
2021-08-05 22:54:25 -10:00
Simon Michael
606d992fc8 cli: disable no-longer-used --binary-filename flag
It was still supported (as a hidden flag) by hledger-web,
and now is not.
2021-08-05 21:51:10 -10:00
Stephen Morgan
918c243fa9 fix: forecast: Generate forecast transactions at journal finalisation,
rather than as a postprocessing step. (#1638)

This allows us to have a uniform procedure for balancing transactions,
whether they are normal transactions or forecast transactions, including
dealing with balance assignments, balance assertions, and auto postings.
2021-08-05 21:10:47 -10:00
Stephen Morgan
c404800fbf ref!: forecast: Move forecast_ from ReportOpts to InputOpts. 2021-08-05 21:10:47 -10:00
Stephen Morgan
fc8aa602cf lib!: modifyTransactions now takes a Map of commodity styles, and will
style amounts according to that argument. journalAddForecast and
journalTransform now return an Either String Journal.

This improves efficiency, as we no longer have to restyle all amounts in
the journal after generating auto postings or periodic transactions.
Changing the return type of journalAddForecast and journalTransform
reduces partiality.

To get the previous behaviour for modifyTransaction, use modifyTransaction mempty.
2021-07-30 13:52:35 -10:00
Stephen Morgan
b0aa70b27a lib!: Rename the fields of ReportSpec.
This is done to be more consistent with future field naming conventions,
and to make automatic generation of lenses simpler. See discussion in
\#1545.

rsOpts -> _rsReportOpts
rsToday -> _rsDay
rsQuery -> _rsQuery
rsQueryOpts -> _rsQueryOpts
2021-07-23 10:37:08 -10:00
Stephen Morgan
3969eb2679 lib!: lib,cli,ui,web: For accountTransactionsReport, generate the overall
reportq from the ReportSpec, rather than being supplied as a separate
option.

This is the same approach used by the other reports, e.g. EntryReport,
PostingReport, MultiBalanceReport. This reduces code duplication, as
previously the reportq had to be separately tweaked in each of 5
different places.

If you call accountTransactionreport, there is no need to separately
derive the report query.
2021-07-22 19:00:37 -10:00
Stephen Morgan
f673e7c2eb lib!: lib,web: Remove unused TransactionReport. Move the useful utility
functions to AccountTransactionsReport.

If you use transactionsReport, you should either use entryReport if you
don't require a running total, or using accountTransactionsReport with
thisacctq as Any or None (depending on what you want included in the
running total).
2021-07-22 19:00:37 -10:00
Stephen Morgan
acfbd36fb8 dev: web: Use entriesReport instead of transactionReport.
This produces identical results. The only fields used in the TransactionReport were torig, split, and amt.
- torig is the same as in entriesReport
- since transactionsReport calls accountTransactionsReportItems with
  None as thisacctq, all accounts are considered ‘other accounts’, so
  amt is always zero, and ($if not split && not (mixedAmountLooksZero amt)) never fires.
- So the only thing used is torig, and we can just get that from the
  entriesReport.
2021-07-22 19:00:37 -10:00
Simon Michael
87f575e643 ref: bal: rename some report types to clarify/sync with docs
ReportType -> BalanceCalculation
 ChangeReport -> CalcChange
 BudgetReport -> CalcBudget
 ValueChangeReport -> CalcValueChange

BalanceType -> BalanceAccumulation
 PeriodChange -> PerPeriod
 CumulativeChange -> Cumulative
 HistoricalBalance -> Historical

ReportOpts:
 reporttype_ -> balancecalc_
 balancetype_ -> balanceaccum_

CompoundBalanceCommandSpec:
 cbctype -> cbcaccum

Hledger.Reports.ReportOptions:
 balanceTypeOverride -> balanceAccumulationOverride
2021-07-15 14:22:20 -10:00
Stephen Morgan
3380190d9a fix: web: register chart with multiple commodities/prices, broken in 1.22 (#1597)
Make sure to strip prices from amounts before generating JSON data for
the register chart.
2021-07-12 19:02:38 -10:00
Simon Michael
665fec83cd
Merge pull request #1560 from Xitian9/rationalisevaluation
Clean up valuation functions, and make clear which to use where.
2021-06-07 19:02:44 -10:00
Stephen Morgan
0f1837816d lib,cli,ui,web: Add check balancednoautoconversion command, which checks that
transactions are balanced possibly using explicit prices, but without
inferring any prices. This is included in --strict mode.

Renames check autobalanced to check balancedwithautoconversion.
2021-06-07 18:58:58 -10:00
Stephen Morgan
0a019e2167 lib,cli,web,bin: Replace journalSelectingAmountFromOpts with journalApplyValuationFromOpts.
This also has the effect of allowing valuation in more reports, for
example the transactionReport.
2021-06-08 14:55:05 +10:00
Stephen Morgan
68e975adf1 lib,cli,ui,web: Remove unused LANGUAGE pragmas. 2021-06-07 17:33:54 -10:00
Stephen Morgan
55308e1ca8 lib,cli,ui,web: Remove unnecessary CPP when dropping support for GHC 8.2. 2021-06-07 17:33:54 -10:00
Stephen Morgan
bf063e4538 cli,ui,web: Display full git description in --version report if able.
Remove unused prognameanddetailedversion code branches.
2021-06-02 19:46:18 -10:00