Commit graph

2162 commits

Author SHA1 Message Date
Christoph (Sheogorath) Kern
12ab90020a
Merge pull request #785 from pferreir/redirect-to-login
403: Redirect user to login page if not logged in
2018-05-31 12:16:11 +02:00
Sheogorath
fce735e833
Add privacy policy example
As we use various services and integration we should provide an example
privacy policy.

It has to be adjust when using it to match your setup.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-31 11:32:11 +02:00
Sheogorath
6f8bd8fdc9
Fix missing dependency
To export the notes we need the archiver package that takes care of
creating the zip files.

Looks like I forgot this one in the initial commit.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-27 15:28:46 +02:00
Sheogorath
75f28ca7f3
Add export data UI
This adds the UI for the export feature introduced in
bcbb8c67c9

It allows to download all notes from the main page in the default user
submenu.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-26 03:20:44 +02:00
Sheogorath
bcbb8c67c9
Add note export function
This function is the first step to get out data following GDPR about the
transportability of data.

Details: https://gdpr-info.eu/art-20-gdpr/
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-26 03:12:21 +02:00
Sheogorath
70df29790a
Add token based security feature
In the current setup users could be tricked into deleting their data by
providing a malicious link like `[click me](/me/delete)`. This commit
prevents such an easy attack and need the user's deleteToken to get his
data deleted. In case someone requests his deletion by email you can
also ask him for this token.

We can add a GUI that shows it later on.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-25 18:26:06 +02:00
Sheogorath
9fd09a8dfb
Add delete user UI
This provides the UI for the delete user feature introduced in
4229084c62

Placing of the user delete button is not perfect, but can be moved to an
own user tab later on.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-25 17:11:11 +02:00
Sheogorath
e31d204d74
Fix requests for deleted users
When users are requested from the authorship which no longer exist, they
shouldn't cause a 500.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-25 16:15:18 +02:00
Sheogorath
4229084c62
Add delete function for authenticated users
Allow users to delete themselbes. This is require to be GDPR compliant.

See: https://gdpr-info.eu/art-17-gdpr/
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-25 15:24:47 +02:00
Sheogorath
408ab7ae1d
Use cascaded deletes
When we delete a user we should delete all the notes that belong to this
user including the revisions of these notes.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-25 14:55:18 +02:00
Sheogorath
8aa5c03213
Use hard delete instead of soft delete
Right now we only flag notes as deleted. This is no longer allowed under
GDPR. Make sure you do regular backups!

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-25 14:50:37 +02:00
Sheogorath
41a36e2e18
Add privacy and ToS links
To be GDPR compliant we need to provide privacy statement. These should
be linked on the index page. So as soon as a document exist under
`public/docs/privacy.md` the link will show up.

Since we already add legal links, we also add Terms of Use, which will
show up as soon as `public/docs/terms-of-use.md` exists.

This should allow everyone to provide the legal documents they need for
GDPR and other privacy and business laws.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-24 18:10:36 +02:00
Sheogorath
a258719d34
Release 1.1.1-ce
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-23 12:01:26 +02:00
Christoph (Sheogorath) Kern
9e77d88024
Merge pull request #828 from SISheogorath/feature/release-notes-1.1.1-ce
Add release notes for 1.1.1-ce
2018-05-23 00:16:48 +02:00
Sheogorath
fada8a8103
Add release notes for 1.1.1-ce
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-22 23:17:20 +02:00
Sheogorath
7a91d01830
Update yarn.lock
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-21 23:12:34 +02:00
Sheogorath
bd46230a7f
Add current requirements for node versions
Right now we can only run on node versions below 10.x thanks to scrypt
dependencies.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-21 23:08:13 +02:00
Christoph (Sheogorath) Kern
c71361467d
Merge pull request #826 from SISheogorath/upgrade/base64url
Upgrade base64url package
2018-05-17 15:37:25 +02:00
Sheogorath
af0a6b1d76
Upgrade base64url package
There was recently a possible security problem with base64url. Shouldn't
really hit us but it doesn't hurt.

Details: https://snyk.io/vuln/npm:base64url:20180511

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-17 15:19:24 +02:00
Christoph (Sheogorath) Kern
42b0965550
Merge pull request #825 from SISheogorath/remove/GoogleDrive
Removing google drive integration
2018-05-16 01:59:35 +02:00
Sheogorath
ad69c5017b
Removing google drive integration
It's sad but it's not working. For multiple releases this should be
already broken which shows how often it's used.

As there is also a security issue related to that, it's better to
remove the feature completely. Whoever wants to rewrite it, feel free to
go.

This commit removes the Google Drive integration from HackMD's Frontend
editor and this way removes the need to provide any API key and Client
ID in the frontend.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-16 01:34:55 +02:00
Christoph (Sheogorath) Kern
b8e7c4b97a
Merge pull request #824 from hackmdio/revert-813-fix/googleAPI
Revert "Workaround Google API problems"
2018-05-16 01:32:17 +02:00
Christoph (Sheogorath) Kern
6d44ded269
Revert "Workaround Google API problems" 2018-05-16 01:31:50 +02:00
Christoph (Sheogorath) Kern
e4e198c819
Merge pull request #813 from SISheogorath/fix/googleAPI
Workaround Google API problems
2018-05-10 00:13:23 +02:00
Sheogorath
2cc3058a44
Remove Google Upload from UI
This temporarily removes the Upload from the UI as it's broken right
now.

Needs a refactoring and can be added in again later on by undoing this
commit.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-01 23:22:53 +02:00
Christoph (Sheogorath) Kern
2232905c4a
Merge pull request #811 from hackmdio/fix-saml-typo
Fix typo of "grouptAttribute" in saml auth module
2018-04-28 01:13:39 +02:00
Max Wu
e0629c7d27
Fix typo of "grouptAttribute" in saml auth module
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-04-27 21:52:05 +08:00
Christoph (Sheogorath) Kern
763479bea8
Merge pull request #803 from SISheogorath/fix/letterAvatarCSP
Move letter-avatars into own request
2018-04-17 22:29:37 +02:00
Sheogorath
69aed93282
Move letter-avatars into own request
To prevent further weakening of our CSP policies, moving the Avatars
into a non-inline version is the way to go.

This implementation probably needs some beautification. But already fixes
the bug.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-04-17 19:06:59 +02:00
Sheogorath
43fa5cf57f
Update yarn.lock
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-04-17 12:20:57 +02:00
Christoph (Sheogorath) Kern
2a9fe664d1
Merge pull request #805 from SISheogorath/fix/noFile
Fix possible file limit errors
2018-04-17 12:02:13 +02:00
Sheogorath
c4dba48f79
Fix possible file limit errors
As we currently may need higher nofile limits than usual/default on
various systems this commit should probide a fix for that an allow to
build HackMD without highering these limits and increase security.

Inspiration was found in a copy-webpack-plugin-issue[1] and found by
@thegcat[2]. Thanks for that!

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>

[1]:
https://github.com/webpack-contrib/copy-webpack-plugin/issues/59#issuecomment-228563990
[2]: https://github.com/thegcat
2018-04-16 21:08:34 +02:00
Sheogorath
8a3cec73c1
Add config.json.example to npm test
This commit extends the find command to also match the example config
file.

This should validate the syntax or this file to prevent syntax errors
for future pull request.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-04-14 22:20:35 +02:00
Sheogorath
132b445fef
Fix example config
This commit fixes some json fromat issues in our config example that
causes errors on setup.

This change should fix it.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-04-14 22:20:25 +02:00
Sheogorath
ef86bf5cba
Use API key instead of clientSecret
As recently discovered we send the clientSecret to the webclient which
is potentionally dangerous. This patch should fix the problem and
replace the clientSecret with the originally intended and correct way to
implement it using the API key.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-04-13 09:38:59 +02:00
Christoph (Sheogorath) Kern
10121118fb
Merge pull request #797 from SISheogorath/fix/LZErrorLog
Add check for noteId length
2018-04-11 22:48:40 +02:00
Christoph (Sheogorath) Kern
387afd1791
Merge pull request #799 from SISheogorath/fix/AnonymousEditTypos
Fix typos for `allowAnonymousEdits`
2018-04-11 22:48:15 +02:00
Sheogorath
f23f403bcb
Extend README
Add hint about file descriptor limits and add the new translation
platform.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-04-11 09:38:56 +02:00
Sheogorath
735b806d5d
Add check for noteId length
As we know the length of an UUID we can check if the base64 string
of the provided UUID is long enough for a legacy base64 encoded nodeId
and stop processing it in legacy mode, if it's not the case.

This should make the ugly warning way less common.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-04-10 16:10:34 +02:00
Sheogorath
2492cf2cdf
Fix typos for allowAnonymousEdits
Looks like we lost some variables during the refactoring of the configs
to camel case.

This should fix it.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-04-10 14:40:27 +02:00
Sheogorath
bdb8631a7b
Release 1.1.0-ce
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-04-06 16:24:36 +02:00
Sheogorath
14a0f8594f
Merge branch 'feature/releaseNotes1.1.0' 2018-04-06 16:24:08 +02:00
Sheogorath
f4631b038a
Merge branch 'docs/features-1.1.0-ce' 2018-04-06 16:22:26 +02:00
Sheogorath
23b5e9e54a
Minor fixes in relase notes
Fix some spelling and style issues as well as adding the
latest changes.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-04-06 16:19:24 +02:00
Sheogorath
81e5ebf6d6
Add migration section to README.md
As it was requested to be more visable, this commit adds a migration
section about the introduced config style changes.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-04-06 02:20:34 +02:00
Christoph (Sheogorath) Kern
b97d6cebad
Merge pull request #796 from SISheogorath/feature/addMatrix
Add matrix.org / Riot link
2018-04-06 01:59:00 +02:00
Sheogorath
95f46520e3
Add matrix.org / Riot link
As an active part of the community prefers Matrix.org over Gitter, we
should link Matrix.org as a place to meet us.

As the matrix and gitter channels are interconnected. We don't loose any
message if a person decides to go for one or another.

We use an more universal way of translation to make it easier to provide
a link to various platforms.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-04-05 11:58:54 +02:00
Christoph (Sheogorath) Kern
5a5b3e9ddd
Merge pull request #790 from SISheogorath/fix/nightModeCSS
Fix modal and panel colors in night mode
2018-04-05 01:24:34 +02:00
Christoph (Sheogorath) Kern
96af23fa31
Merge pull request #791 from SISheogorath/fix/extendedCSPPolicies
Fix CSP for disqus and Google Analytics
2018-04-05 01:13:15 +02:00
Sheogorath
b90b215a84
Fix code blocks color in night mode
This provides more eye-friendly code boxes when night mode is active.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-04-05 00:58:41 +02:00