Commit Graph

508 Commits

Author SHA1 Message Date
Sheogorath ecee16bd73
Fix disqus CSP
Disqus loads it's embed config.js from its root domain
(https://disqus.com). Our CSPs only allow subdomains (e.g.:
https://codimd.disqus.com). This causes the disqus embedding to fail.

This patch should fix this problem by adding https://disqus.com to the
CSP setting. From a security perspective there is no real change. Since
still the same parties are involved.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-12-05 13:17:14 +01:00
Sheogorath a556575b91
Fix CSP for speaker notes
Looks like I was wrong in my previous commit to update revealjs.[1]

The speaker notes broke again with the CSPs. So this patch updates the
hash and this way the speaker notes.

[1]: bcebf1e8d2

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-12-05 11:32:14 +01:00
Christoph (Sheogorath) Kern 786140331b
Merge pull request #1086 from SISheogorath/feature/urlWarning
Warn on missing serverURL
2018-12-01 12:25:02 +01:00
Sheogorath a4941be3de
Warn on missing serverURL
We see some issues that are based on not properly configured
`config.serverURL`.

This patch adds a warning when `config.serverURL` is an empty value.
This should provide users direct feedback about how to improve their
configs.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-11-28 14:38:49 +01:00
Christoph (Sheogorath) Kern b749d50e20
Merge pull request #1082 from cloudyu/pull
Fix wrong config options

In `./lib/web/auth/` some config includes still used `config.serverurl` instead of the correct `config.serverURL`. This causes wrong URL in worst case.

This patch should fix those problems and migrate the wrong statements to camelcase.
2018-11-28 13:27:38 +01:00
Daan Sprenkels 9fba268288 Prevent subdirectories in user export
This commit also refactors the code a bit, and adds a '-' separator
between a filename and its duplicate index.

This commit fixes #1079.

Signed-off-by: Daan Sprenkels <hello@dsprenkels.com>
2018-11-28 09:13:28 +01:00
CloudYu 35a9f72a06 Fix typo
Signed-off-by: CloudYu <cloudyu322@gmail.com>
2018-11-27 22:14:37 +08:00
Sheogorath cee2aa92f9
Switch scrypt library to a successor
Since our previous scrypt library is unmaintained since 3 years, it's
time to look for an alternative.

A refactoring towards another password algorithm was worked on and this
is probably still the way to go. But for now the successor of our
previous library should already be enough.

https://www.npmjs.com/package/scrypt (old library)
https://github.com/ml1nk/node-scrypt (new library)
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-11-21 01:33:34 +01:00
Sheogorath 0aa3116805
Fix wrong maxAgeSeconds multiplication
It seems like the inital work on the hsts module expected milliseconds.
This has either changed or was never true. Either way, it caused that
the current defaults resulted in theory in a 1000 year HSTS policy.
Luckily helmet was smart enough to not go higher than 1 year.

Anyway, this patch fixes the multiplication of the configured size with
1000 by removing this multiplication.

Also to simplify the reading of the defaults, we split them into their
components, 60 times 60 seconds so we get one hour. 24 of those hours so
we get a day and finally 365 days to get our original wanted default of
one year.

Reference:
d69d65ea74
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-11-19 22:01:54 +01:00
Christoph (Sheogorath) Kern 5f0d04334b
Merge pull request #1053 from dsprenkels/robots.txt
Disallow creation of robots.txt in freeurl
2018-11-17 13:30:06 +01:00
Daan Sprenkels 4bd8d7eb91 Disallow creation of robots.txt in freeurl
Add a configuration setting to "hard"-disable creation of notes as
set by the configuration value. This defaults to `['robots.txt',
'favicon.ico']`, because these files are often accidentally created
by bots and browsers.

This commit fixes #1052.

Signed-off-by: Daan Sprenkels <hello@dsprenkels.com>
2018-11-17 13:23:03 +01:00
Christoph (Sheogorath) Kern 1e2bf3698f
Merge pull request #1040 from sunbit/master
Fix migration failure due to change on error messages
2018-11-17 12:34:15 +01:00
Carles Bruguera 5da10c0e2c Update error message text checks
Signed-off-by: Carles Bruguera <carlesba@gmail.com>
2018-11-16 23:53:50 +01:00
Sheogorath bdeb053397
Fix streaming for winston
During the upgrade of winston in
c3584770f2 a the class extension for
streaming was removed.

This caused silent crashes. Somehow winston simply called
`process.exit(1)` whenever `logger.write()` was called. This is really
bad and only easy to debug because of the testing right after upgrading.

However, reimplementing the stream interface as it was, didn't work, due
to the fact that `logger.write()` is already implemented and causes the
mentioned problem. So we extent the object with an `stream` object that
implements `write()` for streams and pass that to morgan.

So this patch fixes unexpected exiting for streaming towards our logging
module.

References:
https://www.digitalocean.com/community/tutorials/how-to-use-winston-to-log-node-js-applications
c3584770f2
https://stackoverflow.com/a/28824464
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-11-16 11:49:39 +01:00
Christoph (Sheogorath) Kern f1367ba270
Merge pull request #1058 from ccoenen/bug/oauth2internalerror
InternalOAuthError is not part of passport, but of passport-oauth2 #1056
2018-11-16 11:45:50 +01:00
Claudius Coenen 858a59529e switching to eslint for code checking
most rules degraded to WARN, so we don't go insane. This will
change over time. The aim is to conform to a common style

Signed-off-by: Claudius Coenen <opensource@amenthes.de>
2018-11-14 23:15:36 +01:00
Claudius Coenen 56c043424d InternalOAuthError is not part of passport, but of passport-oauth2
This fixes part of #1056: an error while obtaining the profile
would have `502`-crashed the server.

Signed-off-by: Claudius Coenen <opensource@amenthes.de>
2018-11-14 14:38:47 +01:00
Christoph (Sheogorath) Kern f9aa001ee7
Merge pull request #1055 from SISheogorath/upgrade/winston
Upgrade winston / refactor logging
2018-11-14 12:13:43 +01:00
Sheogorath c3584770f2
Upgrade winston
Our log library got a new major version which should be implemented.

That's exactly what this patch does. Implementing the new version of the
logging library.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-11-14 00:47:11 +01:00
Sheogorath 694fb37aea
Fix logging in ot module
Seems like there was some debugging going on some day, this patch should
make sure the right logging is used.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-11-13 23:30:13 +01:00
Christoph (Sheogorath) Kern 54d3d930cf
Merge pull request #1027 from asg017/master
Add download action to published notes
2018-11-12 22:11:44 +01:00
Christoph (Sheogorath) Kern 4a39017fe0
Merge pull request #1051 from SISheogorath/feature/fullversion
Fix wrong reading from commit
2018-11-12 14:21:03 +01:00
Sheogorath 4b0528ac4f
Fix wrong reading from commit
Right now we use a substr after reading the commit. That's definitely
wrong and leads to wrong commit hashes since the first 5 chars are
missing.

This patch removes the substr usage here and this way fixes the
generated links.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-11-12 11:18:38 +01:00
Christoph (Sheogorath) Kern a1211abd32
Merge pull request #961 from SISheogorath/feature/osTEMP
Use OS based tmp dir
2018-11-11 19:00:58 +01:00
Sheogorath bcc914a773
Add full version string
Currently we only provide the version from `package.json`. This means
that during updates of instances, e.g. the demo instance, which runs
latest master instead of a stable release, changes are not reflected to
the webclient.

This patch adds a fullversion string that contains the current commit
and this way makes that clients are notified about changes.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-11-11 12:44:19 +01:00
Cédric Couralet 67f8a64f2b Fix menu for github and dropbox
Signed-off-by: Cédric Couralet <cedric.couralet@gmail.com>
2018-11-07 12:30:17 +00:00
Claudius 44ffc564da removing global site layout vars from individual routers, putting them into app.local
Signed-off-by: Claudius <opensource@amenthes.de>
2018-11-03 00:52:48 +01:00
Sheogorath 59b3885dda
Use OS based tmp dir
We should use the official OS temp directory instead of an own one, to
not run into conflicts. Also various dependencies already use the OS
temp directory, which makes it pointless to use a different for our
internal purposes then. This commit provides the changes needed to use
the OS tmp directory by default.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-10-31 00:37:11 +01:00
Alex Garcia fcf08f89c3 forgot break statement
Signed-off-by: Alex Garcia <alexsebastian.garcia@gmail.com>
2018-10-27 17:54:01 -07:00
Alex Garcia 5b789025f3 Add download action to published notes
Signed-off-by: Alex Garcia <alexsebastian.garcia@gmail.com>
2018-10-27 16:55:14 -07:00
Christoph (Sheogorath) Kern 763b000bc6
Merge pull request #985 from SISheogorath/fix/helmetCSP
Add `data:` URL to CSP and upgrade helmet
2018-10-11 00:19:24 +02:00
Christoph (Sheogorath) Kern 5c4df14bbc
Merge pull request #990 from SISheogorath/fix/oauthProviderName
Make oauth2 provider name accessible
2018-10-09 21:57:37 +02:00
Cédric Couralet d7987def7f Fix #1001: get only project user is member of (and return max of results)
Signed-off-by: Cédric Couralet <cedric.couralet@gmail.com>
2018-10-09 07:04:04 +00:00
Sheogorath 9f9c4089be
Add OpenID to CodiMD
With OpenID every OpenID capable provider can provide authentication for
users of a CodiMD instance. This means we have federated
authentication.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-10-05 22:43:32 +02:00
Christoph (Sheogorath) Kern 32af96aa37
Merge pull request #940 from WilliButz/fix-configurable-paths
enhance configurabiltiy of paths & make execution path-independent
2018-10-05 22:21:01 +02:00
Sheogorath 3d1d03fa87
Make oauth2 provider name accessible
Right now the feature exists but is almost not usable since the only way
to configure it is to know that it exists from reading the source code
and add it to config.json. This patch provides all needed changes so it
can be used by everyone including documentation.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-10-04 20:45:25 +02:00
Sheogorath d4a9bb3c7e
Add `data:` URL to CSP and upgrade helmet
Seems like the old version of helmet had a problem with `data:`. This
patch upgrades to the latest version and adds the CSP rule to allow
Google Fonts and the offline version of it, to properly include the
fonts and no longer throw ugly error messages at us.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-10-04 03:04:36 +02:00
Sheogorath c03b42d5d4
Fix little bug in length limit
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-09-28 00:17:43 +02:00
Christoph (Sheogorath) Kern ffc28e06f3
Merge pull request #971 from SISheogorath/fix/gitlabWarning
Set default to `v4`
2018-09-27 22:45:12 +02:00
Sheogorath 57e6d3a482
Set default to `v4`
Seems like we didn't fix the problem with the last patch. This should
finally fix it.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-09-27 21:57:12 +02:00
Claudius bb80bc2292
removing superfluous config parameters for template files
Signed-off-by: Claudius <opensource@amenthes.de>
2018-09-26 21:01:15 +02:00
WilliButz 12cd747270
imageRouter/filesystem: make callback path-independent
Images are now properly served when `config.uploadsPath`
differs from its default value.

Signed-off-by: WilliButz <wbutz@cyberfnord.de>
2018-09-26 20:55:15 +02:00
WilliButz 556783ffad
lib/config: use `path.resolve` instead of `path.join`
While paths like `tmpPath` could previously be configured,
they were all interpreted relative to `appRootPath` because
of `path.join`.

Now the configurable paths can be canonical and therefore
independent of the `appRootPath`.

Signed-off-by: WilliButz <wbutz@cyberfnord.de>
2018-09-26 16:56:37 +02:00
WilliButz e48852e0e2
lib/config: add environment variable to set config file
Previously it was assumed that `config.json` would be placed in
the same directory as the rest of CodiMD without any optional override.

This allows to override the path to the `config.json` by setting
`CMD_CONFIG_FILE` to the canonical path of the desired config file.

Signed-off-by: WilliButz <wbutz@cyberfnord.de>
2018-09-26 16:56:37 +02:00
WilliButz bd2f7cef49
lib/models/revision.js: make independent of exec-path
Previously calling `app.js` from another directory than
the base directory of CodiMD would result in an error being
thrown because `lib/workers/dmpWorker.js` could not be found.

This change makes the function call independent of the path CodiMD
is started from.

Signed-off-by: WilliButz <wbutz@cyberfnord.de>
2018-09-26 16:56:36 +02:00
Sheogorath 353642c870
Fix document length limit on post
We recently introduced a new way to create notes using a post requeest
to the `/new` endpoint. This is not limited in size, other than pasting
a note in the editor. This patch should enforce this limit also on this
way.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-09-26 16:08:24 +02:00
Sheogorath 7e0be69abb
Omit unneeded warning if no gitlab is configured
This patch should fix the unneeded warning of the wrong API version,
when gitlab isn't configured at all.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-09-25 00:26:40 +02:00
Sheogorath 6fdb9eea46
Fix server crash on PDF creation
`markdown-pdf` seems to fail to provide the PDFs on tmpfs. This leads
crashing codimd which expects the file to be there. This patch should
add some proper error handling when expectation and reality don't fit
together.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-09-24 20:25:25 +02:00
Sheogorath 81e3d7bd00
Extend migration error handling
The current error handling seems to conflict with some sequelize
versions. So we add a second version of it in our excemptions.

I'm not happy about it, but when it helps to prevent further migration
breaking, it's worth it.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-09-05 16:19:35 +01:00
Christoph (Sheogorath) Kern 007f252273
Merge pull request #906 from SISheogorath/fix/letterAvatarMail
Fix possible weird objects as email
2018-09-05 11:36:29 +01:00
Alexander Hesse f728fdb8ab BUGFIX: wrong version check for gitlab api
Signed-off-by: Alexander Hesse <alexander.hesse@sandstorm-media.de>
2018-08-23 14:06:26 +02:00
Christoph (Sheogorath) Kern 881ca88c51
Merge pull request #908 from micedre/gitlabV4
Add possibility to choose between version v3 or v4 for the gitlab api.
2018-07-31 10:55:08 +02:00
Cédric Couralet 66d374b128 Add possibility to choose between version v3 or v4 for the gitlab api.
Apart from the uri versioning, one big change is the snippet visibility post data (visibility_level -> visibility)

Default gitlab api version to v4

Signed-off-by: Cédric Couralet <cedric.couralet@gmail.com>
2018-07-31 08:36:56 +00:00
Christoph (Sheogorath) Kern 48ddcef31c
Merge pull request #894 from hcaloto/fixMigrationIssues
Add missing catch blocks for migration from 1.1.1 to 1.2.0
2018-07-31 10:26:39 +02:00
Hugo Caloto 26a14dd987 Add missing catch blocks for migration from 1.1.1 to 1.2.0
Signed-off-by: Hugo Caloto <hcaloto@gmail.com>
2018-07-31 08:19:57 +02:00
Christoph (Sheogorath) Kern 93a3ce1164
Merge pull request #907 from SISheogorath/fix/historyLZString
Some minor improvements for LZString handling
2018-07-28 15:03:06 +02:00
Sheogorath db5b86df4c
Further improvement of error handling for LZString
This does some more in depth check on the error message and minimizes
the log noise that is caused by LZString.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-07-27 15:42:58 +02:00
Miranda Kastemaa 70e8df5c04 Support 'host' & 'path' config options
Signed-off-by: Miranda Kastemaa <miranda@foldplop.com>
2018-07-27 15:35:29 +03:00
Sheogorath 1f85017625
Minimize number of errors in LZString parsing errors for history
Right now we still see a lot of LZString parsing errors in the logs. 
They probably come from the user history. We should minimize the number 
by add the basic length check there as well.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-07-27 13:59:55 +02:00
Sheogorath 187401a876
Fix possible weird objects as email
It seems like some providers return strange types for emails which cause
problems. We default to something that is definitely a string.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-07-27 13:36:22 +02:00
Maxence Ahlouche 972a81aa6f Upload images to the filesystem by default, rather than to imgur
Signed-off-by: Maxence Ahlouche <maxence.ahlouche@gmail.com>
2018-07-09 20:31:14 +02:00
Max Wu b7e5a82f52 Add script src hash for speaker note to CSP directives
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-07-05 18:41:27 +08:00
Sheogorath d76ea5440a
Fixing content types in status router
As it turns out, expressjs doesn't detect the right mimetype and it
seems like I didn't bother to test this enough. So lets fix it for the
next release.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-07-03 20:38:52 +02:00
Sheogorath 562985a115
Update passport-ldap
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-30 16:52:33 +02:00
Sheogorath 2184491f4a
Final replacements
Looks like I missed a few. This should be complete now. And make us
ready for the repo rename and merging.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-24 14:13:46 +02:00
Sheogorath a762928e97
Do final internal renameing
A little minor change, by moving the CodiMD version header in its own
middleware. Should simplify to determine the version number of the
Backend in future.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-24 14:05:41 +02:00
Sheogorath 23c33c0c04
Rename HackMD view to CodiMD
Even when it looks a bit weird in first place to rename all internals
step by step, it makes sense to do so, because we run into confusion
afterwards.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-24 13:40:18 +02:00
Sheogorath b242b59db4
Rename environment variables and add legacy support.
As we are no longer HackMD the short tag `HMD` doesn't match anymore. We
move it to the matching prefix `CMD` and inform our users about the
change.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-24 13:40:18 +02:00
Sheogorath 4b060c7dba
Rebrand HackMD to CodiMD
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-24 13:24:12 +02:00
Christoph (Sheogorath) Kern d87505d583
Merge pull request #854 from hackmdio/feature/disableGravatar
Allow to disable gravatar
2018-06-24 01:59:06 +02:00
Christoph (Sheogorath) Kern b8726bbe8d
Merge pull request #855 from hackmdio/fix/constants
Move config out of statics path
2018-06-24 01:58:08 +02:00
Christoph (Sheogorath) Kern cfdfafdb79
Merge pull request #856 from hackmdio/fix/lineEndings
Fix possible line-ending issues for init note
2018-06-24 01:57:47 +02:00
Christoph (Sheogorath) Kern ec78c4f2fc
Merge pull request #857 from hackmdio/fix/pdf-links
Fix broken images in PDF caused by misconfigred server URL
2018-06-24 01:57:26 +02:00
Sheogorath bf9400e107
Fix breaking regex
The image upload regex breaks with the new path for uploads.

This commit fixes it.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-24 01:03:45 +02:00
Sheogorath f69e77de42
Fix broken images in PDF caused by misconfigred server URL
As it turns out, if the serverURL can't be generated correctly, HackMD
will use relative paths in image upload. This causes broken links in
PDF.

With this commit we force absolute links during PDF creation which
hopefully fixes the problem.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-24 01:00:29 +02:00
Sheogorath b7b621822c
Fix possible line-ending issues for init note
By uploading a malicous note currently it is possible to prevent this
note from being edited. This happens when using Windows line endings.

With this commit we remove all `\r` characters from the notes and this
way prevent this problem.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-24 00:32:50 +02:00
Sheogorath 0ed4b50098
Move config out of statics path
Since static path is providing with a high expiration data, we provide
configs via API. This shouldn't add any noticeable load while making it
uncached and this way working again.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-24 00:07:32 +02:00
Sheogorath 318b2d378f
Allow to disable gravatar
Since Gravatar is an external image source and not perfect from a
privacy perspective, forbidding it allows to improve privacy.

This commit also simplifies and optimizes the avatar code.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-23 23:40:55 +02:00
Sheogorath a2608c319a
Fix possible error if HackMD is started with wrong workdir
In https://github.com/hackmdio/hackmd/issues/834 is described how
starting HackMD crashes when using the wrong working dir.

This is caused by a relative path in our upload routine. This change
should fix it and prevent future crashes.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-23 23:01:01 +02:00
Christoph (Sheogorath) Kern 56d78a7d6c
Merge pull request #830 from SISheogorath/feature/GDPR
GDPR compliant part 1
2018-06-17 23:33:57 +02:00
Sheogorath 634b3c9cea
Fix i18n writing locale files in production
This commit should prevent the i18n module from adding missing
translations to the local files in setups that are not for development.
This way we keep the directory clean and idempotent.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-06-05 01:40:50 +02:00
Christoph (Sheogorath) Kern 551840ad57
Merge pull request #784 from pferreir/add-oauth2-support
Add "generic" OAuth2 support
2018-06-04 15:54:47 +02:00
Adam Hoka b5574466cd Fix callback validation
Signed-off-by: Adam Hoka <hoka.adam@nexogen.hu>
2018-06-01 14:26:28 +02:00
Ádám Hóka 376fcab2ca Add Azure Blob Storage support
Signed-off-by: Adam Hoka <hoka.adam@nexogen.hu>
2018-06-01 10:07:52 +02:00
Christoph (Sheogorath) Kern 12ab90020a
Merge pull request #785 from pferreir/redirect-to-login
403: Redirect user to login page if not logged in
2018-05-31 12:16:11 +02:00
Sheogorath bcbb8c67c9
Add note export function
This function is the first step to get out data following GDPR about the
transportability of data.

Details: https://gdpr-info.eu/art-20-gdpr/
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-26 03:12:21 +02:00
Sheogorath 70df29790a
Add token based security feature
In the current setup users could be tricked into deleting their data by
providing a malicious link like `[click me](/me/delete)`. This commit
prevents such an easy attack and need the user's deleteToken to get his
data deleted. In case someone requests his deletion by email you can
also ask him for this token.

We can add a GUI that shows it later on.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-25 18:26:06 +02:00
Sheogorath e31d204d74
Fix requests for deleted users
When users are requested from the authorship which no longer exist, they
shouldn't cause a 500.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-25 16:15:18 +02:00
Sheogorath 4229084c62
Add delete function for authenticated users
Allow users to delete themselbes. This is require to be GDPR compliant.

See: https://gdpr-info.eu/art-17-gdpr/
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-25 15:24:47 +02:00
Sheogorath 408ab7ae1d
Use cascaded deletes
When we delete a user we should delete all the notes that belong to this
user including the revisions of these notes.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-25 14:55:18 +02:00
Sheogorath 8aa5c03213
Use hard delete instead of soft delete
Right now we only flag notes as deleted. This is no longer allowed under
GDPR. Make sure you do regular backups!

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-25 14:50:37 +02:00
Sheogorath 41a36e2e18
Add privacy and ToS links
To be GDPR compliant we need to provide privacy statement. These should
be linked on the index page. So as soon as a document exist under
`public/docs/privacy.md` the link will show up.

Since we already add legal links, we also add Terms of Use, which will
show up as soon as `public/docs/terms-of-use.md` exists.

This should allow everyone to provide the legal documents they need for
GDPR and other privacy and business laws.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-24 18:10:36 +02:00
Christoph (Sheogorath) Kern 6d44ded269
Revert "Workaround Google API problems" 2018-05-16 01:31:50 +02:00
Christoph (Sheogorath) Kern e4e198c819
Merge pull request #813 from SISheogorath/fix/googleAPI
Workaround Google API problems
2018-05-10 00:13:23 +02:00
Max Wu e0629c7d27
Fix typo of "grouptAttribute" in saml auth module
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-04-27 21:52:05 +08:00
Christoph (Sheogorath) Kern 763479bea8
Merge pull request #803 from SISheogorath/fix/letterAvatarCSP
Move letter-avatars into own request
2018-04-17 22:29:37 +02:00
Sheogorath 69aed93282
Move letter-avatars into own request
To prevent further weakening of our CSP policies, moving the Avatars
into a non-inline version is the way to go.

This implementation probably needs some beautification. But already fixes
the bug.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-04-17 19:06:59 +02:00
Sheogorath ef86bf5cba
Use API key instead of clientSecret
As recently discovered we send the clientSecret to the webclient which
is potentionally dangerous. This patch should fix the problem and
replace the clientSecret with the originally intended and correct way to
implement it using the API key.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-04-13 09:38:59 +02:00
Christoph (Sheogorath) Kern 10121118fb
Merge pull request #797 from SISheogorath/fix/LZErrorLog
Add check for noteId length
2018-04-11 22:48:40 +02:00
Sheogorath 735b806d5d
Add check for noteId length
As we know the length of an UUID we can check if the base64 string
of the provided UUID is long enough for a legacy base64 encoded nodeId
and stop processing it in legacy mode, if it's not the case.

This should make the ugly warning way less common.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-04-10 16:10:34 +02:00