| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |\
| |
| | |
Fix possible line-ending issues for init note
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
By uploading a malicous note currently it is possible to prevent this
note from being edited. This happens when using Windows line endings.
With this commit we remove all `\r` characters from the notes and this
way prevent this problem.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |/
|
|
|
|
|
|
|
|
|
| |
As it turns out, if the serverURL can't be generated correctly, HackMD
will use relative paths in image upload. This causes broken links in
PDF.
With this commit we force absolute links during PDF creation which
hopefully fixes the problem.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |\
| |
| | |
GDPR compliant part 1
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
In the current setup users could be tricked into deleting their data by
providing a malicious link like `[click me](/me/delete)`. This commit
prevents such an easy attack and need the user's deleteToken to get his
data deleted. In case someone requests his deletion by email you can
also ask him for this token.
We can add a GUI that shows it later on.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
To be GDPR compliant we need to provide privacy statement. These should
be linked on the index page. So as soon as a document exist under
`public/docs/privacy.md` the link will show up.
Since we already add legal links, we also add Terms of Use, which will
show up as soon as `public/docs/terms-of-use.md` exists.
This should allow everyone to provide the legal documents they need for
GDPR and other privacy and business laws.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |\ \
| | |
| | | |
Add "generic" OAuth2 support
|
| | | |
| | |
| | |
| | | |
Signed-off-by: Pedro Ferreira <pedro.ferreira@cern.ch>
|
| |\ \ \
| |_|/
|/| | |
403: Redirect user to login page if not logged in
|
| | |/
| |
| |
| | |
Signed-Off-By: Pedro Ferreira <pedro.ferreira@cern.ch>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
Looks like we lost some variables during the refactoring of the configs
to camel case.
This should fix it.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |/
|
|
|
|
|
|
|
|
|
|
|
| |
This commit should fix existing problems with Disqus and Google
Analytics enabled in the meta-yaml section of a note.
Before this commit they were blocked by the strict CSP. It's still
possible to disable the added directives using `addDisqus` and
`addGoogleAnalytics` in the `csp` config section.
They are enabled by default to prevent breaking changes.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |
|
|
|
|
|
|
| |
This refactors the configs a bit to now use camel case everywhere.
This change should help to clean up the config interface and make it
better understandable.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |
|
|
| |
Signed-off-by: Max Wu <jackymaxj@gmail.com>
|
| |
|
|
| |
Signed-off-by: Max Wu <jackymaxj@gmail.com>
|
| |
|
|
|
|
|
|
| |
Before this fix it's impossible to set the provider name in the
sign-model since `ldap` is a boolean there and this way not able
to have an attribute like `ldap.providerName`.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |\
| |
| | |
Implement basic CSP support
|
| | | |
|
| |\ \
| | |
| | | |
Allow posting new note with content
|
| | | |
| | |
| | |
| | | |
Signed-off-by: Dustin Frisch <fooker@lab.sh>
|
| |/ /
| |
| |
| |
| |
| |
| |
| | |
Before, closed disallowed guest edits completely, by removing
the `freely` permission. This makes it possible to explicitely bring
back guest-editing, but not guest-note-creation, to closed instances.
Signed-off-by: Dario Ernst <dario@kanojo.de>
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| |/ |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
* Separate different config source to each files
* Freeze config object
|
| | |
|
| |
|
|
| |
add ‘use strict’ in all backend file
|
| |
|
|
|
| |
Introduce JavaScript Standard Style as project style rule,
and fixed all fail on backend code.
|
| |
|
|
| |
and fix code style
|
| | |
|
| | |
|
| |\
| |
| | |
WIP: Add options to limit anonymous view note
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| |\ \
| |/
|/| |
Support for LDAP server authentication
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Limitations as of this commit:
- tlsOptions can only be specified in config.json, not as env vars
- authentication failures are not yet gracefully handled by the UI
- instead the error message is shown on a blank page (/auth/ldap)
- no email address is associated with the LDAP user's account
- no picture/profile URL is associated with the LDAP user's account
- we might have to generate our own access + refresh tokens,
because we aren't using oauth. The currently generated
tokens are just a placeholder.
- 'LDAP Sign in' needs to be translated to each locale
|
| | |
| |
| |
| | |
invalid object
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
