Commit message | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | Add token based security feature | Sheogorath | 2018-05-25 | 1 | -4/+23 |
| | | | | | | | | | | | | In the current setup users could be tricked into deleting their data by providing a malicious link like `[click me](/me/delete)`. This commit prevents such an easy attack and needs the user's deleteToken to get his data deleted. In case someone requests his deletion by email you can also ask him for this token. We can add a GUI that shows it later on. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> | ||||
* | Add privacy and ToS links | Sheogorath | 2018-05-24 | 1 | -1/+4 |
| | | | | | | | | | | | | | | To be GDPR compliant we need to provide a privacy statement. These should be linked on the index page. So as soon as a document exists under `public/docs/privacy.md` the link will show up. Since we already add legal links, we also add Terms of Use, which will show up as soon as `public/docs/terms-of-use.md` exists. This should allow everyone to provide the legal documents they need for GDPR and other privacy and business laws. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> | ||||
* | Fix typos for `allowAnonymousEdits` | Sheogorath | 2018-04-10 | 1 | -2/+2 |
| | | | | | | | | | Looks like we lost some variables during the refactoring of the configs to camel case. This should fix it. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> | ||||
* | Fix CSP for disqus and Google Analytics | Sheogorath | 2018-03-30 | 1 | -1/+2 |
| | | | | | | | | | | | | | This commit should fix existing problems with Disqus and Google Analytics enabled in the meta-yaml section of a note. Before this commit they were blocked by the strict CSP. It's still possible to disable the added directives using `addDisqus` and `addGoogleAnalytics` in the `csp` config section. They are enabled by default to prevent breaking changes. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> | ||||
* | Change config to camel case with backwards compatibility | Sheogorath | 2018-03-25 | 1 | -44/+44 |
| | | | | | | | | This refactors the configs a bit to now use camel case everywhere. This change should help to clean up the config interface and make it better understandable. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> | ||||
* | Remove and replace all note id compression in LZString with base64url | Max Wu | 2018-02-26 | 1 | -6/+5 |
| | | | | Signed-off-by: Max Wu <jackymaxj@gmail.com> | ||||
* | Fix to show 500 message when got error in parseNoteId | Max Wu | 2018-02-17 | 1 | -1/+2 |
| | | | | Signed-off-by: Max Wu <jackymaxj@gmail.com> | ||||
* | Fix ldap provider name in template | Sheogorath | 2018-01-26 | 1 | -0/+2 |
| | | | | | | | | Before this fix it's impossible to set the provider name in the sign-model since `ldap` is a boolean there and this way not able to have an attribute like `ldap.providerName`. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> | ||||
* | Merge pull request #598 from xxyy/feature/csp | Christoph (Sheogorath) Kern | 2018-01-22 | 1 | -1/+2 |
|\ | | | | | Implement basic CSP support | ||||
| * | CSP: Add nonce to slide view inline JS | Literallie | 2017-10-22 | 1 | -1/+2 |
| | | |||||
* | | Merge pull request #673 from fooker/master | Christoph (Sheogorath) Kern | 2018-01-20 | 1 | -1/+2 |
|\ \ | | | | | | | Allow posting new note with content | ||||
| * | | Allow posting new note with content | Dustin Frisch | 2018-01-18 | 1 | -1/+2 |
| | | | | | | | | | | | | Signed-off-by: Dustin Frisch <fooker@lab.sh> | ||||
* | | | Add option to enable `freely` permission in closed instance | Dario Ernst | 2018-01-20 | 1 | -0/+2 |
|/ / | | | | | | | | | | | | | | Before, closed disallowed guest edits completely, by removing the `freely` permission. This makes it possible to explicitly bring back guest-editing, but not guest-note-creation, to closed instances. Signed-off-by: Dario Ernst <dario@kanojo.de> | ||||
* | | Fix file permission, remove useless executable | Peter Dave Hello | 2017-12-14 | 1 | -0/+0 |
| | | |||||
* | | Initial support for SAML authentication | Norihito Nakae | 2017-11-28 | 1 | -0/+2 |
| | | |||||
* | | Fix mattermost breaking notes | Sheogorath | 2017-10-31 | 1 | -0/+1 |
| | | |||||
* | | Add mattermost authentication | Christoph Witzany | 2017-10-31 | 1 | -0/+1 |
| | | |||||
* | | Adds 403 response if PDF export is disabled | geekyd | 2017-10-25 | 1 | -1/+6 |
| | | |||||
* | | Adds PDF export via config | geekyd | 2017-10-25 | 1 | -1/+3 |
|/ | |||||
* | Fix slide might not provide slideOptions meta | Wu Cheng-Han | 2017-06-05 | 1 | -1/+1 |
| | |||||
* | check if reveal theme exists | butlerx | 2017-06-01 | 1 | -1/+2 |
| | |||||
* | add the ability to set slide theme in slide options | butlerx | 2017-05-31 | 1 | -0/+1 |
| | |||||
* | refactor(config.js): Extract config file | BoHong Li | 2017-05-08 | 1 | -16/+16 |
| | | | | | * Separate different config source to each files * Freeze config object | ||||
* | refactor: Remove `require` extension filename | BoHong Li | 2017-05-08 | 1 | -2/+2 |
| | |||||
* | Use strict mode in all backend files | BoHong Li | 2017-03-14 | 1 | -0/+1 |
| | | | | add ‘use strict’ in all backend files | ||||
* | Use JavaScript Standard Style | BoHong Li | 2017-03-08 | 1 | -547/+539 |
| | | | | | Introduce JavaScript Standard Style as project style rule, and fixed all fail on backend code. | ||||
* | Refactor checkViewPermission to fix limited & protected permission check bug ↵ | Wu Cheng-Han | 2017-01-16 | 1 | -3/+3 |
| | | | | and fix code style | ||||
* | Fix missing config in hackmd response | Wu Cheng-Han | 2017-01-16 | 1 | -1/+2 |
| | |||||
* | Add `allowemailregister` option | Sheogorath | 2017-01-12 | 1 | -0/+1 |
| | |||||
* | Merge pull request #313 from elct9620/feature/disable_anonymous_view | Max Wu | 2017-01-10 | 1 | -2/+7 |
|\ | | | | | WIP: Add options to limit anonymous view note | ||||
| * | Add limited and protected permission | 蒼時弦也 | 2017-01-10 | 1 | -2/+7 |
| | | |||||
| * | Recovery trailing spaces | 蒼時弦也 | 2017-01-10 | 1 | -2/+2 |
| | | |||||
| * | Remove temporary change | 蒼時弦也 | 2017-01-10 | 1 | -3/+0 |
| | | |||||
| * | Fix anonymous view permission check | 蒼時弦也 | 2017-01-05 | 1 | -1/+4 |
| | | |||||
| * | Add limit for constrain anonymous view note | 蒼時弦也 | 2017-01-05 | 1 | -3/+3 |
| | | |||||
* | | Merge pull request #279 from alecdwm/ldap-auth | Max Wu | 2017-01-09 | 1 | -0/+2 |
|\ \ | |/ |/| | Support for LDAP server authentication | ||||
| * | Initial support for LDAP server authentication | alecdwm | 2016-12-13 | 1 | -0/+2 |
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Limitations as of this commit: - tlsOptions can only be specified in config.json, not as env vars - authentication failures are not yet gracefully handled by the UI - instead the error message is shown on a blank page (/auth/ldap) - no email address is associated with the LDAP user's account - no picture/profile URL is associated with the LDAP user's account - we might have to generate our own access + refresh tokens, because we aren't using oauth. The currently generated tokens are just a placeholder. - 'LDAP Sign in' needs to be translated to each locale | ||||
* | | Fix and refactor extracting content using metaMarked directly might lead in ↵ | Wu Cheng-Han | 2017-01-04 | 1 | -45/+14 |
| | | | | | | | | invalid object | ||||
* | | Fix yaml metadata description not able to show | Wu Cheng-Han | 2017-01-02 | 1 | -3/+3 |
| | | |||||
* | | Remove LZString compression for data storage | Wu Cheng-Han | 2017-01-02 | 1 | -7/+7 |
| | | |||||
* | | Fixed typo: anonmyous | Florian Rhiem | 2016-12-21 | 1 | -3/+3 |
| | | |||||
* | | Add support of allow free url config option with correspond modifications | Wu Cheng-Han | 2016-12-16 | 1 | -2/+9 |
| | | |||||
* | | Add support of allow anonymous config option with correspond modifications | Wu Cheng-Han | 2016-12-15 | 1 | -0/+4 |
|/ | |||||
* | Update to support optional email register and signin | Wu Cheng-Han | 2016-12-02 | 1 | -6/+10 |
| | |||||
* | Update to auto generate meta description based on content in publish note ↵ | Wu Cheng-Han | 2016-11-26 | 1 | -7/+14 |
| | | | | and slide | ||||
* | Fix possible XSS in yaml-metadata and turn using ejs escape syntax than ↵ | Wu Cheng-Han | 2016-11-26 | 1 | -5/+2 |
| | | | | external lib [Security Issue] | ||||
* | Fix slide might trigger script when processing markdown which cause XSS ↵ | Wu Cheng-Han | 2016-11-26 | 1 | -11/+1 |
| | | | | [Security Issue] | ||||
* | Update to improve history api error and bad request handling | Wu Cheng-Han | 2016-10-10 | 1 | -0/+3 |
| | |||||
* | Update to allow CORS as API on revision actions | Wu Cheng-Han | 2016-10-10 | 1 | -0/+14 |
| | |||||
* | Update to support showing owner on the infobar | Wu Cheng-Han | 2016-10-10 | 1 | -0/+6 |
| |