Sheogorath
70df29790a
Add token based security feature
...
In the current setup users could be tricked into deleting their data by
providing a malicious link like `[click me](/me/delete)`. This commit
prevents such an easy attack and need the user's deleteToken to get his
data deleted. In case someone requests his deletion by email you can
also ask him for this token.
We can add a GUI that shows it later on.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-25 18:26:06 +02:00
Sheogorath
e31d204d74
Fix requests for deleted users
...
When users are requested from the authorship which no longer exist, they
shouldn't cause a 500.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-25 16:15:18 +02:00
Sheogorath
408ab7ae1d
Use cascaded deletes
...
When we delete a user we should delete all the notes that belong to this
user including the revisions of these notes.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-25 14:55:18 +02:00
Sheogorath
8aa5c03213
Use hard delete instead of soft delete
...
Right now we only flag notes as deleted. This is no longer allowed under
GDPR. Make sure you do regular backups!
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-25 14:50:37 +02:00
Christoph (Sheogorath) Kern
763479bea8
Merge pull request #803 from SISheogorath/fix/letterAvatarCSP
...
Move letter-avatars into own request
2018-04-17 22:29:37 +02:00
Sheogorath
69aed93282
Move letter-avatars into own request
...
To prevent further weakening of our CSP policies, moving the Avatars
into a non-inline version is the way to go.
This implementation probably needs some beautification. But already fixes
the bug.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-04-17 19:06:59 +02:00
Sheogorath
735b806d5d
Add check for noteId length
...
As we know the length of an UUID we can check if the base64 string
of the provided UUID is long enough for a legacy base64 encoded nodeId
and stop processing it in legacy mode, if it's not the case.
This should make the ugly warning way less common.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-04-10 16:10:34 +02:00
Sheogorath
2411dffa2c
Change config to camel case with backwards compatibility
...
This refactors the configs a bit to now use camel case everywhere.
This change should help to clean up the config interface and make it
better understandable.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-25 19:08:14 +02:00
Max Wu
5e975cbe69
Fix to log instead of throwing error on parse note id
...
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-03-11 02:52:24 +08:00
Max Wu
c7657ae81e
Fix parseNoteId order to fix some edge case
...
that LZString note url could be parsed by base64url note url and thus return wrong note id
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-03-10 16:52:24 +08:00
Max Wu
fe429e9ac1
Update to use buffer in encode/decode note id
...
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-02-27 20:57:31 +08:00
Max Wu
baa0418fb5
Remove and replace all note id compression in LZString with base64url
...
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-02-26 16:43:29 +08:00
Max Wu
bb5e021f20
Fix field type to prevent data truncation of authorship ( #721 )
...
* Fix field type to prevent data truncation of authorship
2018-02-09 14:27:06 +01:00
Sheogorath
8bf8a1aef1
Ignore empty values for revision.
...
Fixes #420
2018-01-18 11:19:47 +01:00
Christoph (Sheogorath) Kern
af082d9347
Merge pull request #567 from ccoenen/fix-mysql-text-length
...
converting all content fields to MEDIUMTEXT (affects MySQL only)
2018-01-18 11:16:59 +01:00
Norihito Nakae
4a4ae9d332
Initial support for SAML authentication
2017-11-28 18:52:24 +09:00
Christoph Witzany
5cda55086a
Add mattermost authentication
2017-10-31 10:34:51 +01:00
Claudius Coenen
cc49ce55c8
Fix #521 by converting content fields to LONGTEXT in MySQL, to prevent truncation of data.
2017-10-16 10:13:11 +02:00
Claudius Coenen
724a6bc26f
createdAt DESC with quotation marks did not work with MySQL fixes #565
2017-10-09 14:03:33 +02:00
Sheogorath
500207545f
Fix broken profile images
2017-09-22 12:40:43 +02:00
Wu Cheng-Han
20c5c78c29
Fix typo in the db config
2017-06-05 03:52:25 +08:00
BoHong Li
ecb0533605
refactor(config.js): Extract config file
...
* Separate different config source to each files
* Freeze config object
2017-05-08 19:29:07 +08:00
BoHong Li
aca01f064d
refactor: Remove require
extension filename
2017-05-08 19:29:06 +08:00
Wu Cheng-Han
4a1d08c653
Fix strip null byte in model should cast to string to use replace function
2017-03-15 22:12:24 +08:00
Wu Cheng-Han
baf13072c1
Fix update doc from filesystem cause redundant authorship stringify
2017-03-14 17:11:52 +08:00
BoHong Li
5870d988b5
Use strict mode in all backend files
...
add ‘use strict’ in all backend file
2017-03-14 13:02:43 +08:00
BoHong Li
4889e9732d
Use JavaScript Standard Style
...
Introduce JavaScript Standard Style as project style rule,
and fixed all fail on backend code.
2017-03-08 18:45:51 +08:00
Wu Cheng-Han
2aee0f267c
Fix user profile photo might not replace to proper size
2017-02-18 20:07:15 +08:00
NV
0a7adaf35d
Add default permission config
2017-02-10 10:16:38 +09:00
Wu Cheng-Han
8cfbfa4352
Update to add biggerphoto on parsing user profile
2017-02-03 21:48:36 +08:00
Wu Cheng-Han
5f65795e79
Fix permission order and keep wording consistency
2017-01-12 19:04:17 +08:00
Max Wu
a8068d38d5
Merge pull request #313 from elct9620/feature/disable_anonymous_view
...
WIP: Add options to limit anonymous view note
2017-01-10 20:23:47 +08:00
蒼時弦也
7b02c48d93
Adjust permission order to more clarly
2017-01-10 14:13:30 +08:00
蒼時弦也
89b8ddeaba
Add limited and protected permission
2017-01-10 10:02:37 +08:00
Max Wu
b13635aac9
Merge pull request #279 from alecdwm/ldap-auth
...
Support for LDAP server authentication
2017-01-09 00:49:40 +08:00
alecdwm
01361afa7a
Profile pictures for LDAP users
2017-01-06 05:37:40 +01:00
Wu Cheng-Han
c1b5e74cf9
Fix and refactor extracting content using metaMarked directly might lead in invalid object
2017-01-04 23:57:16 +08:00
Wu Cheng-Han
b1ec3ba748
Refactor data processing to model definition
2017-01-02 11:05:36 +08:00
Wu Cheng-Han
d9e19b6029
Update to remove null byte before saving to DB and remove null byte on changes
2017-01-02 11:05:05 +08:00
Wu Cheng-Han
f6d8e3ab00
Remove LZString compression for data storage
2017-01-02 10:59:53 +08:00
bananaappletw
96fb3743f3
Use dburl to configurate
2016-12-22 21:51:48 +08:00
bananaappletw
3a091ff9a5
Simplify code for heroku
2016-12-22 19:42:00 +08:00
bananaappletw
acaeef172a
Fix #293
2016-12-22 13:23:17 +08:00
Yukai Huang
5282bf491e
Update sequelize init condition
2016-12-12 11:12:59 +08:00
Yukai Huang
74c1da4536
Simplify output with sequelize database argument
2016-12-12 10:36:24 +08:00
Wu Cheng-Han
a73d9ce39e
Update to support optional email register and signin
2016-12-02 01:58:14 +08:00
Wu Cheng-Han
71a356552f
Update to auto generate meta description based on content in publish note and slide
2016-11-26 23:04:29 +08:00
Wu Cheng-Han
c671d54d67
Add dmp worker to leverage CPU intensive calculation to child process
2016-11-18 12:09:58 +08:00
Wu Cheng-Han
1e6de0b90e
Change revision saving policy period
2016-10-15 13:54:16 +08:00
Wu Cheng-Han
07673f0726
Fix note extract tags might get encoded HTML entity
2016-10-12 13:14:59 +08:00