From 38219f0ea386d4857be920a86106d30594a37c13 Mon Sep 17 00:00:00 2001
From: Andrew Kingston <aptkingston@ssl-mail.com>
Date: Thu, 25 Nov 2021 11:21:54 +0000
Subject: [PATCH 1/5] Fix issue with determining when to hide sensitive fields
 from query definitions and never delete the query schema

---
 packages/server/src/api/controllers/query.js | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/packages/server/src/api/controllers/query.js b/packages/server/src/api/controllers/query.js
index 502ef5e67b..80da246166 100644
--- a/packages/server/src/api/controllers/query.js
+++ b/packages/server/src/api/controllers/query.js
@@ -1,6 +1,10 @@
 const { processString } = require("@budibase/string-templates")
 const CouchDB = require("../../db")
-const { generateQueryID, getQueryParams } = require("../../db/utils")
+const {
+  generateQueryID,
+  getQueryParams,
+  isProdAppID,
+} = require("../../db/utils")
 const { BaseQueryVerbs } = require("../../constants")
 const env = require("../../environment")
 const { Thread, ThreadType } = require("../../threads")
@@ -90,10 +94,9 @@ exports.find = async function (ctx) {
   const db = new CouchDB(ctx.appId)
   const query = enrichQueries(await db.get(ctx.params.queryId))
   // remove properties that could be dangerous in real app
-  if (env.isProd()) {
+  if (isProdAppID(ctx.appId)) {
     delete query.fields
     delete query.parameters
-    delete query.schema
   }
   ctx.body = query
 }

From 63fac77ad193894f2d6856a55120d3a669b1772e Mon Sep 17 00:00:00 2001
From: Andrew Kingston <aptkingston@ssl-mail.com>
Date: Thu, 25 Nov 2021 11:35:19 +0000
Subject: [PATCH 2/5] Ensure horizontal cards in the card block don't exceed
 the width of the screen

---
 packages/client/src/components/app/blocks/CardsBlock.svelte | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/client/src/components/app/blocks/CardsBlock.svelte b/packages/client/src/components/app/blocks/CardsBlock.svelte
index d5a5f064b6..ec631ede36 100644
--- a/packages/client/src/components/app/blocks/CardsBlock.svelte
+++ b/packages/client/src/components/app/blocks/CardsBlock.svelte
@@ -182,7 +182,7 @@
           }}
           styles={{
             display: "grid",
-            "grid-template-columns": `repeat(auto-fill, minmax(${cardWidth}px, 1fr))`,
+            "grid-template-columns": `repeat(auto-fill, minmax(min(${cardWidth}px, 100%), 1fr))`,
           }}
         >
           <BlockComponent

From aea0a9082b06973c6169a4c39c8334834c1f392f Mon Sep 17 00:00:00 2001
From: Andrew Kingston <aptkingston@ssl-mail.com>
Date: Thu, 25 Nov 2021 11:42:46 +0000
Subject: [PATCH 3/5] Lint

---
 packages/server/src/api/controllers/query.js | 1 -
 1 file changed, 1 deletion(-)

diff --git a/packages/server/src/api/controllers/query.js b/packages/server/src/api/controllers/query.js
index 80da246166..cf6f03f00f 100644
--- a/packages/server/src/api/controllers/query.js
+++ b/packages/server/src/api/controllers/query.js
@@ -6,7 +6,6 @@ const {
   isProdAppID,
 } = require("../../db/utils")
 const { BaseQueryVerbs } = require("../../constants")
-const env = require("../../environment")
 const { Thread, ThreadType } = require("../../threads")
 
 const Runner = new Thread(ThreadType.QUERY, { timeoutMs: 10000 })

From 3abaded20abde824cc8dda9f0d243751557d78c7 Mon Sep 17 00:00:00 2001
From: Andrew Kingston <aptkingston@ssl-mail.com>
Date: Thu, 25 Nov 2021 11:52:02 +0000
Subject: [PATCH 4/5] Update tests

---
 packages/server/src/api/routes/tests/query.spec.js | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/packages/server/src/api/routes/tests/query.spec.js b/packages/server/src/api/routes/tests/query.spec.js
index 6b9be7447f..f5ba497d1b 100644
--- a/packages/server/src/api/routes/tests/query.spec.js
+++ b/packages/server/src/api/routes/tests/query.spec.js
@@ -19,10 +19,12 @@ describe("/queries", () => {
   })
 
   async function createInvalidIntegration() {
-    const datasource = await config.createDatasource({datasource: {
-      ...basicDatasource().datasource,
-      source: "INVALID_INTEGRATION",
-    }})
+    const datasource = await config.createDatasource({
+      datasource: {
+        ...basicDatasource().datasource,
+        source: "INVALID_INTEGRATION",
+      },
+    })
     const query = await config.createQuery()
     return { datasource, query }
   }
@@ -98,7 +100,6 @@ describe("/queries", () => {
           .expect("Content-Type", /json/)
         expect(res.body.fields).toBeUndefined()
         expect(res.body.parameters).toBeUndefined()
-        expect(res.body.schema).toBeUndefined()
       })
     })
   })

From 0b239a5bec0529a0dfb3e4c8d6e2fe09cd43049d Mon Sep 17 00:00:00 2001
From: Andrew Kingston <aptkingston@ssl-mail.com>
Date: Thu, 25 Nov 2021 13:00:43 +0000
Subject: [PATCH 5/5] Add test to ensure query schema is correctly cleared for
 prod app IDs

---
 .../server/src/api/routes/tests/query.spec.js | 35 +++++++++++++++++--
 1 file changed, 32 insertions(+), 3 deletions(-)

diff --git a/packages/server/src/api/routes/tests/query.spec.js b/packages/server/src/api/routes/tests/query.spec.js
index f5ba497d1b..37c969aba8 100644
--- a/packages/server/src/api/routes/tests/query.spec.js
+++ b/packages/server/src/api/routes/tests/query.spec.js
@@ -1,6 +1,13 @@
-// mock out postgres for this
+// Mock out postgres for this
 jest.mock("pg")
 
+// Mock isProdAppID to we can later mock the implementation and pretend we are
+// using prod app IDs
+const authDb = require("@budibase/auth/db")
+const { isProdAppID } = authDb
+const mockIsProdAppID = jest.fn(isProdAppID)
+authDb.isProdAppID = mockIsProdAppID
+
 const setup = require("./utilities")
 const { checkBuilderEndpoint } = require("./utilities/TestFunctions")
 const { basicQuery, basicDatasource } = setup.structures
@@ -98,10 +105,32 @@ describe("/queries", () => {
           .set(await config.defaultHeaders())
           .expect(200)
           .expect("Content-Type", /json/)
-        expect(res.body.fields).toBeUndefined()
-        expect(res.body.parameters).toBeUndefined()
+        expect(res.body.fields).toBeDefined()
+        expect(res.body.parameters).toBeDefined()
+        expect(res.body.schema).toBeDefined()
       })
     })
+
+    it("should remove sensitive info for prod apps", async () => {
+      // Mock isProdAppID to pretend we are using a prod app
+      mockIsProdAppID.mockClear()
+      mockIsProdAppID.mockImplementation(() => true)
+
+      const query = await config.createQuery()
+      const res = await request
+        .get(`/api/queries/${query._id}`)
+        .set(await config.defaultHeaders())
+        .expect("Content-Type", /json/)
+        .expect(200)
+      expect(res.body._id).toEqual(query._id)
+      expect(res.body.fields).toBeUndefined()
+      expect(res.body.parameters).toBeUndefined()
+      expect(res.body.schema).toBeDefined()
+
+      // Reset isProdAppID mock
+      expect(mockIsProdAppID).toHaveBeenCalledTimes(1)
+      mockIsProdAppID.mockImplementation(isProdAppID)
+    })
   })
 
   describe("destroy", () => {