From 41a36e2e1877b4a2ab6751c011e80582f8ccbcf2 Mon Sep 17 00:00:00 2001 From: Sheogorath Date: Wed, 23 May 2018 01:14:52 +0200 Subject: Add privacy and ToS links To be GDPR compliant we need to provide privacy statement. These should be linked on the index page. So as soon as a document exist under `public/docs/privacy.md` the link will show up. Since we already add legal links, we also add Terms of Use, which will show up as soon as `public/docs/terms-of-use.md` exists. This should allow everyone to provide the legal documents they need for GDPR and other privacy and business laws. Signed-off-by: Sheogorath --- lib/response.js | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'lib/response.js') diff --git a/lib/response.js b/lib/response.js index ae3e45fa..2ea2f1c6 100644 --- a/lib/response.js +++ b/lib/response.js @@ -2,6 +2,7 @@ // response // external modules var fs = require('fs') +var path = require('path') var markdownpdf = require('markdown-pdf') var shortId = require('shortid') var querystring = require('querystring') @@ -75,7 +76,9 @@ function showIndex (req, res, next) { allowPDFExport: config.allowPDFExport, signin: req.isAuthenticated(), infoMessage: req.flash('info'), - errorMessage: req.flash('error') + errorMessage: req.flash('error'), + privacyStatement: fs.existsSync(path.join(config.docsPath, 'privacy.md')), + termsOfUse: fs.existsSync(path.join(config.docsPath, 'terms-of-use.md')) }) } -- cgit v1.2.3 From 70df29790a83db4abb40ed1e16cb05a3aa760672 Mon Sep 17 00:00:00 2001 From: Sheogorath Date: Fri, 25 May 2018 18:19:31 +0200 Subject: Add token based security feature In the current setup users could be tricked into deleting their data by providing a malicious link like `[click me](/me/delete)`. This commit prevents such an easy attack and need the user's deleteToken to get his data deleted. In case someone requests his deletion by email you can also ask him for this token. We can add a GUI that shows it later on. Signed-off-by: Sheogorath --- lib/response.js | 27 +++++++++++++++++++++++---- 1 file changed, 23 insertions(+), 4 deletions(-) (limited to 'lib/response.js') diff --git a/lib/response.js b/lib/response.js index 2ea2f1c6..b1b89c78 100644 --- a/lib/response.js +++ b/lib/response.js @@ -56,7 +56,10 @@ function responseError (res, code, detail, msg) { } function showIndex (req, res, next) { - res.render(config.indexPath, { + var authStatus = req.isAuthenticated() + var deleteToken = '' + + var data = { url: config.serverURL, useCDN: config.useCDN, allowAnonymous: config.allowAnonymous, @@ -74,12 +77,28 @@ function showIndex (req, res, next) { email: config.isEmailEnable, allowEmailRegister: config.allowEmailRegister, allowPDFExport: config.allowPDFExport, - signin: req.isAuthenticated(), + signin: authStatus, infoMessage: req.flash('info'), errorMessage: req.flash('error'), privacyStatement: fs.existsSync(path.join(config.docsPath, 'privacy.md')), - termsOfUse: fs.existsSync(path.join(config.docsPath, 'terms-of-use.md')) - }) + termsOfUse: fs.existsSync(path.join(config.docsPath, 'terms-of-use.md')), + deleteToken: deleteToken + } + + if (authStatus) { + models.User.findOne({ + where: { + id: req.user.id + } + }).then(function (user) { + if (user) { + data.deleteToken = user.deleteToken + res.render(config.indexPath, data) + } + }) + } else { + res.render(config.indexPath, data) + } } function responseHackMD (res, note) { -- cgit v1.2.3