summaryrefslogtreecommitdiff
path: root/lib/response.js (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Add link to imprintMatthias Lindinger2019-08-261-0/+1
| | | | Signed-off-by: Matthias Lindinger <m.lindinger@live.de>
* Respect DNT headerSheogorath2019-06-081-2/+4
| | | | | | | | | | | | | | | | | | | | Do Not Track (DNT) is an old web standard in order to notify pages that the user doesn't want to be tracked. Even while a lot of pages either ignore this header or even worse, use it for tracking purposes, the orignal intention of this header is good and should be adopted. This patch implements a respect of the DNT header by no longer including the optional Google Analytics and disqus integrations when sending a DNT header. This should reduce outside resource usage and help to stay more private. This should later-on extended towards other document content (i.e. iframe based content). The reason to not change the CDN handling is that CDNs will be deprecated with next release and removed in long term. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Fix eslint warningsSheogorath2019-05-311-11/+11
| | | | | | | | | | | Since we are about to release it's time to finally fix our linting. This patch basically runs eslint --fix and does some further manual fixes. Also it sets up eslint to fail on every warning on order to make warnings visable in the CI process. There should no functional change be introduced. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* change default mode to "both" when clicking editStéphane Guillou2019-04-051-2/+2
| | | | | | | | | | Add "both" mode to URLs because I assume most people want to straight away see the code when they click the "edit" button in a published note. Fixes https://github.com/codimd/server/issues/27 Not tested, followed instructions from @ccoenen , please do review! :) Signed-off-by: Stéphane Guillou <stephane.guillou@member.fsf.org>
* Fix empty serverURL did not redirect properlytoshi01232019-03-041-1/+1
| | | | Signed-off-by: toshi0123 <7948737+toshi0123@users.noreply.github.com>
* Fix broken PDF export by wrong unlink callSheogorath2019-01-241-1/+1
| | | | | | | | | | | We used `fs.unlink()` to remove the pdf file after we send it out to the client. This breaks in Node 10, when no function as second parameter is supplied. This patches changes it to the `fs.unlinkSync` function that doesn't have this requirement and this way doesn't crash. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Disallow creation of robots.txt in freeurlDaan Sprenkels2018-11-171-1/+1
| | | | | | | | | | | Add a configuration setting to "hard"-disable creation of notes as set by the configuration value. This defaults to `['robots.txt', 'favicon.ico']`, because these files are often accidentally created by bots and browsers. This commit fixes #1052. Signed-off-by: Daan Sprenkels <hello@dsprenkels.com>
* Merge pull request #1027 from asg017/masterChristoph (Sheogorath) Kern2018-11-121-0/+3
|\ | | | | Add download action to published notes
| * forgot break statementAlex Garcia2018-10-271-0/+1
| | | | | | | | Signed-off-by: Alex Garcia <alexsebastian.garcia@gmail.com>
| * Add download action to published notesAlex Garcia2018-10-271-0/+2
| | | | | | | | Signed-off-by: Alex Garcia <alexsebastian.garcia@gmail.com>
* | removing global site layout vars from individual routers, putting them into ↵Claudius2018-11-031-50/+2
|/ | | | | | app.local Signed-off-by: Claudius <opensource@amenthes.de>
* Fix #1001: get only project user is member of (and return max of results)Cédric Couralet2018-10-091-1/+1
| | | | Signed-off-by: Cédric Couralet <cedric.couralet@gmail.com>
* Add OpenID to CodiMDSheogorath2018-10-051-1/+3
| | | | | | | | With OpenID every OpenID capable provider can provide authentication for users of a CodiMD instance. This means we have federated authentication. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #940 from WilliButz/fix-configurable-pathsChristoph (Sheogorath) Kern2018-10-051-6/+6
|\ | | | | enhance configurabiltiy of paths & make execution path-independent
| * removing superfluous config parameters for template filesClaudius2018-09-261-6/+6
| | | | | | | | Signed-off-by: Claudius <opensource@amenthes.de>
* | Fix little bug in length limitSheogorath2018-09-281-1/+1
| | | | | | | | Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | Fix document length limit on postSheogorath2018-09-261-1/+9
|/ | | | | | | | | We recently introduced a new way to create notes using a post requeest to the `/new` endpoint. This is not limited in size, other than pasting a note in the editor. This patch should enforce this limit also on this way. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Fix server crash on PDF creationSheogorath2018-09-241-0/+4
| | | | | | | | | `markdown-pdf` seems to fail to provide the PDFs on tmpfs. This leads crashing codimd which expects the file to be there. This patch should add some proper error handling when expectation and reality don't fit together. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Add possibility to choose between version v3 or v4 for the gitlab api.Cédric Couralet2018-07-311-2/+2
| | | | | | | | Apart from the uri versioning, one big change is the snippet visibility post data (visibility_level -> visibility) Default gitlab api version to v4 Signed-off-by: Cédric Couralet <cedric.couralet@gmail.com>
* Final replacementsSheogorath2018-06-241-1/+1
| | | | | | | Looks like I missed a few. This should be complete now. And make us ready for the repo rename and merging. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Do final internal renameingSheogorath2018-06-241-2/+2
| | | | | | | | A little minor change, by moving the CodiMD version header in its own middleware. Should simplify to determine the version number of the Backend in future. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Rename HackMD view to CodiMDSheogorath2018-06-241-1/+1
| | | | | | | | Even when it looks a bit weird in first place to rename all internals step by step, it makes sense to do so, because we run into confusion afterwards. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #856 from hackmdio/fix/lineEndingsChristoph (Sheogorath) Kern2018-06-241-1/+3
|\ | | | | Fix possible line-ending issues for init note
| * Fix possible line-ending issues for init noteSheogorath2018-06-241-1/+3
| | | | | | | | | | | | | | | | | | | | By uploading a malicous note currently it is possible to prevent this note from being edited. This happens when using Windows line endings. With this commit we remove all `\r` characters from the notes and this way prevent this problem. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | Fix broken images in PDF caused by misconfigred server URLSheogorath2018-06-241-1/+4
|/ | | | | | | | | | | As it turns out, if the serverURL can't be generated correctly, HackMD will use relative paths in image upload. This causes broken links in PDF. With this commit we force absolute links during PDF creation which hopefully fixes the problem. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #830 from SISheogorath/feature/GDPRChristoph (Sheogorath) Kern2018-06-171-4/+26
|\ | | | | GDPR compliant part 1
| * Add token based security featureSheogorath2018-05-251-4/+23
| | | | | | | | | | | | | | | | | | | | | | | | In the current setup users could be tricked into deleting their data by providing a malicious link like `[click me](/me/delete)`. This commit prevents such an easy attack and need the user's deleteToken to get his data deleted. In case someone requests his deletion by email you can also ask him for this token. We can add a GUI that shows it later on. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
| * Add privacy and ToS linksSheogorath2018-05-241-1/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | To be GDPR compliant we need to provide privacy statement. These should be linked on the index page. So as soon as a document exist under `public/docs/privacy.md` the link will show up. Since we already add legal links, we also add Terms of Use, which will show up as soon as `public/docs/terms-of-use.md` exists. This should allow everyone to provide the legal documents they need for GDPR and other privacy and business laws. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | Merge pull request #784 from pferreir/add-oauth2-supportChristoph (Sheogorath) Kern2018-06-041-0/+4
|\ \ | | | | | | Add "generic" OAuth2 support
| * | Add support for generic OAuth2 providersPedro Ferreira2018-03-261-0/+4
| | | | | | | | | | | | Signed-off-by: Pedro Ferreira <pedro.ferreira@cern.ch>
* | | Merge pull request #785 from pferreir/redirect-to-loginChristoph (Sheogorath) Kern2018-05-311-1/+7
|\ \ \ | |_|/ |/| | 403: Redirect user to login page if not logged in
| * | 403: redirect user to login page if not logged inPedro Ferreira2018-03-271-1/+7
| |/ | | | | | | Signed-Off-By: Pedro Ferreira <pedro.ferreira@cern.ch>
* | Fix typos for `allowAnonymousEdits`Sheogorath2018-04-101-2/+2
| | | | | | | | | | | | | | | | | | Looks like we lost some variables during the refactoring of the configs to camel case. This should fix it. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | Fix CSP for disqus and Google AnalyticsSheogorath2018-03-301-1/+2
|/ | | | | | | | | | | | | This commit should fix existing problems with Disqus and Google Analytics enabled in the meta-yaml section of a note. Before this commit they were blocked by the strict CSP. It's still possible to disable the added directives using `addDisqus` and `addGoogleAnalytics` in the `csp` config section. They are enabled by default to prevent breaking changes. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Change config to camel case with backwards compatibilitySheogorath2018-03-251-44/+44
| | | | | | | | This refactors the configs a bit to now use camel case everywhere. This change should help to clean up the config interface and make it better understandable. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Remove and replace all note id compression in LZString with base64urlMax Wu2018-02-261-6/+5
| | | | Signed-off-by: Max Wu <jackymaxj@gmail.com>
* Fix to show 500 message when got error in parseNoteIdMax Wu2018-02-171-1/+2
| | | | Signed-off-by: Max Wu <jackymaxj@gmail.com>
* Fix ldap provider name in templateSheogorath2018-01-261-0/+2
| | | | | | | | Before this fix it's impossible to set the provider name in the sign-model since `ldap` is a boolean there and this way not able to have an attribute like `ldap.providerName`. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #598 from xxyy/feature/cspChristoph (Sheogorath) Kern2018-01-221-1/+2
|\ | | | | Implement basic CSP support
| * CSP: Add nonce to slide view inline JSLiterallie2017-10-221-1/+2
| |
* | Merge pull request #673 from fooker/masterChristoph (Sheogorath) Kern2018-01-201-1/+2
|\ \ | | | | | | Allow posting new note with content
| * | Allow posting new note with contentDustin Frisch2018-01-181-1/+2
| | | | | | | | | | | | Signed-off-by: Dustin Frisch <fooker@lab.sh>
* | | Add option to enable `freely` permission in closed instanceDario Ernst2018-01-201-0/+2
|/ / | | | | | | | | | | | | | | Before, closed disallowed guest edits completely, by removing the `freely` permission. This makes it possible to explicitely bring back guest-editing, but not guest-note-creation, to closed instances. Signed-off-by: Dario Ernst <dario@kanojo.de>
* | Fix file permission, remove useless executablePeter Dave Hello2017-12-141-0/+0
| |
* | Initial support for SAML authenticationNorihito Nakae2017-11-281-0/+2
| |
* | Fix mattermost breaking notesSheogorath2017-10-311-0/+1
| |
* | Add mattermost authenticationChristoph Witzany2017-10-311-0/+1
| |
* | Adds 403 response if PDF export is disabledgeekyd2017-10-251-1/+6
| |
* | Adds PDF export via configgeekyd2017-10-251-1/+3
|/
* Fix slide might not provide slideOptions metaWu Cheng-Han2017-06-051-1/+1
|