path: root/lib/response.js

Commit message | Author | Age | Files | Lines
* Add token based security feature | Sheogorath | 2018-05-25 | 1 | -4/+23
  In the current setup users could be tricked into deleting their data by providing a malicious link like `[click me](/me/delete)`. This commit prevents such an easy attack and needs the user's deleteToken to get his data deleted. In case someone requests his deletion by email you can also ask him for this token. We can add a GUI that shows it later on.
  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Add privacy and ToS links | Sheogorath | 2018-05-24 | 1 | -1/+4
  To be GDPR compliant we need to provide a privacy statement. These should be linked on the index page. So as soon as a document exists under `public/docs/privacy.md` the link will show up. Since we already add legal links, we also add Terms of Use, which will show up as soon as `public/docs/terms-of-use.md` exists. This should allow everyone to provide the legal documents they need for GDPR and other privacy and business laws.
  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Fix typos for `allowAnonymousEdits` | Sheogorath | 2018-04-10 | 1 | -2/+2
  Looks like we lost some variables during the refactoring of the configs to camel case. This should fix it.
  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Fix CSP for disqus and Google Analytics | Sheogorath | 2018-03-30 | 1 | -1/+2
  This commit should fix existing problems with Disqus and Google Analytics enabled in the meta-yaml section of a note. Before this commit they were blocked by the strict CSP. It's still possible to disable the added directives using `addDisqus` and `addGoogleAnalytics` in the `csp` config section. They are enabled by default to prevent breaking changes.
  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Change config to camel case with backwards compatibility | Sheogorath | 2018-03-25 | 1 | -44/+44
  This refactors the configs a bit to now use camel case everywhere. This change should help to clean up the config interface and make it more understandable.
  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Remove and replace all note id compression in LZString with base64url | Max Wu | 2018-02-26 | 1 | -6/+5
  Signed-off-by: Max Wu <jackymaxj@gmail.com>
* Fix to show 500 message when an error occurs in parseNoteId | Max Wu | 2018-02-17 | 1 | -1/+2
  Signed-off-by: Max Wu <jackymaxj@gmail.com>
* Fix ldap provider name in template | Sheogorath | 2018-01-26 | 1 | -0/+2
  Before this fix it was impossible to set the provider name in the sign-model, since `ldap` is a boolean there and this way cannot have an attribute like `ldap.providerName`.
  Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #598 from xxyy/feature/csp | Christoph (Sheogorath) Kern | 2018-01-22 | 1 | -1/+2
  Implement basic CSP support
* CSP: Add nonce to slide view inline JS | Literallie | 2017-10-22 | 1 | -1/+2
* Merge pull request #673 from fooker/master | Christoph (Sheogorath) Kern | 2018-01-20 | 1 | -1/+2
  Allow posting new note with content
* Allow posting new note with content | Dustin Frisch | 2018-01-18 | 1 | -1/+2
  Signed-off-by: Dustin Frisch <fooker@lab.sh>
* Add option to enable `freely` permission in closed instance | Dario Ernst | 2018-01-20 | 1 | -0/+2
  Before, closed disallowed guest edits completely, by removing the `freely` permission. This makes it possible to explicitly bring back guest-editing, but not guest-note-creation, to closed instances.
  Signed-off-by: Dario Ernst <dario@kanojo.de>
* Fix file permission, remove useless executable | Peter Dave Hello | 2017-12-14 | 1 | -0/+0
* Initial support for SAML authentication | Norihito Nakae | 2017-11-28 | 1 | -0/+2
* Fix mattermost breaking notes | Sheogorath | 2017-10-31 | 1 | -0/+1
* Add mattermost authentication | Christoph Witzany | 2017-10-31 | 1 | -0/+1
* Adds 403 response if PDF export is disabled | geekyd | 2017-10-25 | 1 | -1/+6
* Adds PDF export via config | geekyd | 2017-10-25 | 1 | -1/+3
* Fix slide might not provide slideOptions meta | Wu Cheng-Han | 2017-06-05 | 1 | -1/+1
* check if reveal theme exists | butlerx | 2017-06-01 | 1 | -1/+2
* add the ability to set slide theme in slide options | butlerx | 2017-05-31 | 1 | -0/+1
* refactor(config.js): Extract config file | BoHong Li | 2017-05-08 | 1 | -16/+16
  - Separate different config sources into their own files
  - Freeze config object
* refactor: Remove `require` extension filename | BoHong Li | 2017-05-08 | 1 | -2/+2
* Use strict mode in all backend files | BoHong Li | 2017-03-14 | 1 | -0/+1
  add `'use strict'` in all backend files
* Use JavaScript Standard Style | BoHong Li | 2017-03-08 | 1 | -547/+539
  Introduce JavaScript Standard Style as the project style rule, and fix all failures in backend code.
* Refactor checkViewPermission to fix limited & protected permission check bug and fix code style | Wu Cheng-Han | 2017-01-16 | 1 | -3/+3
* Fix missing config in hackmd response | Wu Cheng-Han | 2017-01-16 | 1 | -1/+2
* Add `allowemailregister` option | Sheogorath | 2017-01-12 | 1 | -0/+1
* Merge pull request #313 from elct9620/feature/disable_anonymous_view | Max Wu | 2017-01-10 | 1 | -2/+7
  WIP: Add options to limit anonymous view note
* Add limited and protected permission | 蒼時弦也 | 2017-01-10 | 1 | -2/+7
* Recover trailing spaces | 蒼時弦也 | 2017-01-10 | 1 | -2/+2
* Remove temporary change | 蒼時弦也 | 2017-01-10 | 1 | -3/+0
* Fix anonymous view permission check | 蒼時弦也 | 2017-01-05 | 1 | -1/+4
* Add limit to constrain anonymous note viewing | 蒼時弦也 | 2017-01-05 | 1 | -3/+3
* Merge pull request #279 from alecdwm/ldap-auth | Max Wu | 2017-01-09 | 1 | -0/+2
  Support for LDAP server authentication
* Initial support for LDAP server authentication | alecdwm | 2016-12-13 | 1 | -0/+2
  Limitations as of this commit:
  - tlsOptions can only be specified in config.json, not as env vars
  - authentication failures are not yet gracefully handled by the UI - instead the error message is shown on a blank page (/auth/ldap)
  - no email address is associated with the LDAP user's account
  - no picture/profile URL is associated with the LDAP user's account
  - we might have to generate our own access + refresh tokens, because we aren't using oauth. The currently generated tokens are just a placeholder.
  - 'LDAP Sign in' needs to be translated to each locale
* Fix and refactor extracting content, as using metaMarked directly might lead to an invalid object | Wu Cheng-Han | 2017-01-04 | 1 | -45/+14
* Fix yaml metadata description not able to show | Wu Cheng-Han | 2017-01-02 | 1 | -3/+3
* Remove LZString compression for data storage | Wu Cheng-Han | 2017-01-02 | 1 | -7/+7
* Fixed typo: anonmyous | Florian Rhiem | 2016-12-21 | 1 | -3/+3
* Add support for the allow free url config option with corresponding modifications | Wu Cheng-Han | 2016-12-16 | 1 | -2/+9
* Add support for the allow anonymous config option with corresponding modifications | Wu Cheng-Han | 2016-12-15 | 1 | -0/+4
* Update to support optional email register and signin | Wu Cheng-Han | 2016-12-02 | 1 | -6/+10
* Update to auto generate meta description based on content in publish note and slide | Wu Cheng-Han | 2016-11-26 | 1 | -7/+14
* Fix possible XSS in yaml-metadata and switch to using ejs escape syntax rather than an external lib [Security Issue] | Wu Cheng-Han | 2016-11-26 | 1 | -5/+2
* Fix slide might trigger script when processing markdown, which causes XSS [Security Issue] | Wu Cheng-Han | 2016-11-26 | 1 | -11/+1
* Update to improve history api error and bad request handling | Wu Cheng-Han | 2016-10-10 | 1 | -0/+3
* Update to allow CORS as API on revision actions | Wu Cheng-Han | 2016-10-10 | 1 | -0/+14
* Update to support showing owner on the infobar | Wu Cheng-Han | 2016-10-10 | 1 | -0/+6