From a79ed8613d63bc316c8d12cb4669084d36fd4b22 Mon Sep 17 00:00:00 2001 From: acaptutorials Date: Thu, 19 Sep 2024 23:15:58 +0800 Subject: [PATCH 1/4] docs: specify dev branch on forked repository syncing --- docs/pages/installation.mdx | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/docs/pages/installation.mdx b/docs/pages/installation.mdx index 3dd87308..9072632e 100644 --- a/docs/pages/installation.mdx +++ b/docs/pages/installation.mdx @@ -37,12 +37,16 @@ For detailed instructions on these steps, refer to the [Post-Installation](/post If you are working on a forked repository behind several updates from the parent **`acap-v2`** repository, you can get the latest updates or bug fixes using any of the options: -- "Sync" to the parent repository -- Create a Pull Request (PR) from the parent repository (**acap-v2**) to your forked repository, then merge/resolve conflicts. +- "Sync" to the parent repository's `dev` branch. + + Take care not to "discard" your commits. + +- Create a Pull Request (PR) from the parent repository's (**acap-v2**) - **`dev`** branch to your forked repository, then merge/resolve conflicts. +- `cherry-pick` target commit(s) from the parent `dev` branch to the `dev` branch of your forked repository. - Pick only the target updates/fixes, then commit them to your fork. Project Maintainers occasionally update the parent repository **acap-v2** for maintenance, bug fixes, and minor/optional updates. Sometimes, massive new feature updates. -Of the three (3) repository syncing options mentioned, doing the first or second options ensures up-to-date sync with the latest updates and bug fixes. +Of the four (4) repository syncing options mentioned, doing the first or second options ensures up-to-date sync with the latest updates and bug fixes. \ No newline at end of file From ad56ecae06b05656751054ee8973f6121be204cf Mon Sep 17 00:00:00 2001 
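Review bot: in the installation.mdx hunk, the third and fourth bullets are the same option stated twice (`cherry-pick`-ing target commits from the parent `dev` branch is exactly how you "Pick only the target updates/fixes, then commit them to your fork"), so the list now counts four options while describing three; merge them into one bullet such as `- \`cherry-pick\` only the target commit(s) from the parent \`dev\` branch into the \`dev\` branch of your fork.` and keep the closing sentence at "three (3)". The warning `Take care not to "discard" your commits.` is too vague to act on: say that GitHub's Sync fork button offers to discard the fork's own commits when the branches have diverged, that choosing it resets the fork branch to the parent's `dev` and drops local work, and recommend creating a backup branch first (`git branch backup-dev dev`). The stray " - " in `parent repository's (**acap-v2**) - **\`dev\`** branch` should also go, and the `\ No newline at end of file` marker means the file is still missing its trailing newline.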
From: acaptutorials Date: Thu, 19 Sep 2024 23:23:11 +0800 Subject: [PATCH 2/4] docs: list 2.0 security tech debts --- docs/pages/changelog.mdx | 52 +++++++++++++++++++++++++++++++++++++--- 1 file changed, 49 insertions(+), 3 deletions(-) diff --git a/docs/pages/changelog.mdx b/docs/pages/changelog.mdx index 124651a0..4b0d7cc6 100644 --- a/docs/pages/changelog.mdx +++ b/docs/pages/changelog.mdx @@ -1,4 +1,42 @@ +import { useEffect, useState, useMemo } from 'react' import { Callout, Steps } from 'nextra/components' +import { useTheme } from 'next-themes' + +export function FAQBoxError({ title, children, open = false }) { + const [isClient, setIsClient] = useState(false) + const { theme, resolvedTheme } = useTheme() + + useEffect(() => { + setIsClient(true) + }, []) + + const detailsBgStyle = useMemo(() => { + const bg = resolvedTheme === 'dark' + ? 'nx-bg-red-900/30' + : 'nx-bg-red-100' + + return { + details: `nx-overflow-x-auto nx-mt-6 nx-flex nx-rounded-lg nx-border nx-py-2 ltr:nx-pr-4 rtl:nx-pl-4 contrast-more:nx-border-current contrast-more:dark:nx-border-current nx-border-red-200 nx-bg-red-100 nx-text-red-900 dark:nx-border-red-200/30 dark:nx-bg-red-900/30 dark:nx-text-red-200`, + + summary: `nx-flex nx-items-center nx-cursor-pointer nx-list-none nx-p-1 nx-transition-colors hover:${resolvedTheme} dark:hover:${resolvedTheme} before:nx-mr-1 before:nx-inline-block before:nx-transition-transform before:nx-content-[''] dark:before:nx-invert before:nx-shrink-0 rtl:before:nx-rotate-180 [[data-expanded]>&]:before:nx-rotate-90` + } + }, [resolvedTheme]) + + return !isClient + ?
...
+ : ( +
+ + {title} + +
{children}
+
+ ) +} + # ACAP Change Log @@ -16,10 +54,16 @@ Version 2.0 highlights ongoing improvements and newly added features, expanding ACAP 2.0 is the latest ACAP version. It's latest stable version is Release/Tag version {process.env.RELEASE_VERSION ?? '0.0.0'}, dev branch @{process.env.COMMIT_ID ?? '123456'} accessible in the **acap-v2** code repository. - + Version 2.0 and later versions may have new requirements that will thrive on new development approaches loosely tied to the recommended [Security](/security) and [Server](/directories/server) guidelines of **ACAP 1.0**, requiring thorough testing and validation. + +1. Lenient use of the Firestore database, inadvertently allowing unvalidated input on new collections using the Firestore REST APIs outside the front end +2. Validation of What-You-See-Is-What-You-Get (WYSIWYG) HTML input for mitigating Cross-Site Scripting (XSS) attacks (caused by item #1) +3. Crop recommendations data integrity, ensuring unaltered data presentation in the PDF bulletins + +
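Review bot: in the hunk adding `FAQBoxError`, `hover:${resolvedTheme}` and `dark:hover:${resolvedTheme}` in the `summary` class string interpolate the theme name into a Tailwind class, which yields `hover:dark` or `hover:light`, not a utility class, and Tailwind cannot generate classes from strings built at runtime in any case, so these never style anything. The `bg` value computed at the top of the `useMemo` callback is never used (the `details` string hardcodes `nx-bg-red-100` and `dark:nx-bg-red-900/30`), and `theme` is destructured from `useTheme()` but unused; drop the interpolations and the dead `bg`/`theme` bindings, or use `bg` in the `details` string. Since the styling mirrors nextra's own callout, check whether `<Callout type="error">` from the import on the same line already covers this without a custom component and the `isClient` hydration guard.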
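Review bot: in the @@ -16,10 +54,16 @@ hunk, the context line `It's latest stable version is Release/Tag version` should read `Its latest stable version`; the typo sits one line above the new tech-debt list and is worth fixing while the block is being edited. The three list items are written as topics ("Crop recommendations data integrity") rather than as issues with an impact, so link the [Security](/security) page or a tracking issue next to the list so a reader can find what is actually open.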
@@ -50,7 +94,7 @@ Version 2.0 and later versions may have new requirements that will thrive on new - Removal of the single-month selection trigger for determining the crop stage/s - Removal of the rainfall condition trigger 2. Public/admin 10-day recommendations and bulletin PDF generation - - Removal of the dates trigger within the active PAGASA 10-day date range for determining the crop stage/s + - Removal of the single-date selection trigger within the active PAGASA 10-day date range for determining the crop stage/s 3. Deprecation of the **uploaders** group of Node Package Manager (NPM) scripts in favor of cropping calendar/recommendations Excel file upload through the UI 4. Allow creating seasonal bulletin PDFs with more than one (1) page. 5. Text blast recipients by province/municipality instead of individual selection @@ -68,7 +112,9 @@ ACAP 1.0's last stable version is Release/Tag version [**v9.5.6**](https://githu Version 1.0 marks the initial ACAP Bicol release used as a base model and template for subsequent developer training and sharing with other regions in the succeeding years starting on [**July 2023**](https://uplbfi.org/?p=2097). -It has the following features, strictly following and is tested compatible with the recommended [Security](/security) and  [Server](/directories/server) guidelines: +Developed with a Security-first approach, ACAP 1.0 especially notes common Firestore security pitfalls and keeps a watchful eye on Cross-Site Scripting (XSS) attacks since it uses What-You-See-Is-What-You-Get (WYSIWYG) HTML input for crop recommendations and PDF generation. + +It has the following features, strictly following and is tested compatible with the recommended [Security](/security) and [Server](/directories/server) guidelines:
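Review bot: in the @@ -68,7 +112,9 @@ hunk, the new paragraph "especially notes common Firestore security pitfalls and keeps a watchful eye on Cross-Site Scripting (XSS) attacks" names no control, so a reader cannot tell what 1.0 does that 2.0 currently does not. State the mechanism the guidelines require, for example whether Firestore security rules validate writes server-side rather than relying on the front end, and whether WYSIWYG HTML for crop recommendations is sanitized before it is stored and again before PDF rendering, and point at the [Security](/security) page where that is documented. "Security-first" should be lower-case "security-first" mid-sentence.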
From e68d337ed68770df70022c5c8a982a3cd07fc4c5 Mon Sep 17 00:00:00 2001 From: acaptutorials Date: Fri, 20 Sep 2024 00:48:04 +0800 Subject: [PATCH 3/4] docs: update tech debt text --- docs/pages/changelog.mdx | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/docs/pages/changelog.mdx b/docs/pages/changelog.mdx index 4b0d7cc6..07e26da0 100644 --- a/docs/pages/changelog.mdx +++ b/docs/pages/changelog.mdx 
@@ -58,10 +58,12 @@ ACAP 2.0 is the latest ACAP version. It's latest stable version is Release/Tag v Version 2.0 and later versions may have new requirements that will thrive on new development approaches loosely tied to the recommended [Security](/security) and [Server](/directories/server) guidelines of **ACAP 1.0**, requiring thorough testing and validation. - -1. Lenient use of the Firestore database, inadvertently allowing unvalidated input on new collections using the Firestore REST APIs outside the front end -2. Validation of What-You-See-Is-What-You-Get (WYSIWYG) HTML input for mitigating Cross-Site Scripting (XSS) attacks (caused by item #1) -3. Crop recommendations data integrity, ensuring unaltered data presentation in the PDF bulletins + +1. **Lenient use of the Firestore database:** Inadvertently allows unvalidated input in new collections via Firestore REST APIs outside the front end. This issue, not present in Version 1.0, began with Version 2.0 using methods to speed up the development process. We are addressing this in future updates. +2. **Validation of crop recommendations WYSIWYG HTML input:** This is necessary to mitigate Cross-Site Scripting (XSS) attacks (related to the above issue), which also arose from the new approaches in Version 2.0. Enhancements to security will be implemented in future releases. +3. **Crop recommendations data integrity:** Ensuring unaltered data presentation in PDF bulletins, brought about by items 1 and 2. + +> These issues, brought to the attention of the current active ACAP Maintainer during the early stages of 2.0 development, are to be resolved and addressed within their available time and schedule in the current ACAP timeline or the new ACAP iterations.
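Review bot: in the rewritten tech-debt list, item 1 states the cause backwards: front-end validation was never a security boundary, since any client that can authenticate can call the Firestore REST API directly (as the item itself says, "outside the front end"), so the defect is that the new collections' Firestore security rules do not validate the documents written to them. Say that plainly and give the interim position: which collections are affected, whether writes to them are limited to admin accounts, and what sanitization the PDF generator applies to recommendation HTML, because "We are addressing this in future updates." tells an operator nothing about current exposure. Item 2's "(related to the above issue)" should say how they relate: an unvalidated write lets stored HTML bypass whatever sanitization the front end performs, which is what makes the XSS reachable, and item 3 follows from the same write path. The blockquote's "within their available time and schedule" sets no target; link a tracking issue or milestone so the debt is visible in each release rather than carried silently.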
From 44fcfccc8833d9523769990578d2121728a26d64 Mon Sep 17 00:00:00 2001 From: acaptutorials Date: Fri, 20 Sep 2024 00:54:12 +0800 Subject: [PATCH 4/4] chore: update text --- docs/pages/changelog.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/pages/changelog.mdx b/docs/pages/changelog.mdx index 07e26da0..6a91bbe3 100644 --- a/docs/pages/changelog.mdx +++ b/docs/pages/changelog.mdx @@ -61,7 +61,7 @@ Version 2.0 and later versions may have new requirements that will thrive on new 1. **Lenient use of the Firestore database:** Inadvertently allows unvalidated input in new collections via Firestore REST APIs outside the front end. This issue, not present in Version 1.0, began with Version 2.0 using methods to speed up the development process. We are addressing this in future updates. 2. **Validation of crop recommendations WYSIWYG HTML input:** This is necessary to mitigate Cross-Site Scripting (XSS) attacks (related to the above issue), which also arose from the new approaches in Version 2.0. Enhancements to security will be implemented in future releases. -3. **Crop recommendations data integrity:** Ensuring unaltered data presentation in PDF bulletins, brought about by items 1 and 2. +3. **Crop recommendations data integrity:** Ensuring unaltered data presentation in PDF bulletins, resulting from the issues identified in items 1 and 2. > These issues, brought to the attention of the current active ACAP Maintainer during the early stages of 2.0 development, are to be resolved and addressed within their available time and schedule in the current ACAP timeline or the new ACAP iterations.