Commit Graph

107 Commits

Author SHA1 Message Date
Christoph (Sheogorath) Kern 56d78a7d6c
Merge pull request #830 from SISheogorath/feature/GDPR
GDPR compliant part 1
2018-06-17 23:33:57 +02:00
Christoph (Sheogorath) Kern 551840ad57
Merge pull request #784 from pferreir/add-oauth2-support
Add "generic" OAuth2 support
2018-06-04 15:54:47 +02:00
Christoph (Sheogorath) Kern 12ab90020a
Merge pull request #785 from pferreir/redirect-to-login
403: Redirect user to login page if not logged in
2018-05-31 12:16:11 +02:00
Sheogorath 70df29790a
Add token based security feature
In the current setup users could be tricked into deleting their data by
providing a malicious link like `[click me](/me/delete)`. This commit
prevents such an easy attack and need the user's deleteToken to get his
data deleted. In case someone requests his deletion by email you can
also ask him for this token.

We can add a GUI that shows it later on.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-25 18:26:06 +02:00
Sheogorath 41a36e2e18
Add privacy and ToS links
To be GDPR compliant we need to provide privacy statement. These should
be linked on the index page. So as soon as a document exist under
`public/docs/privacy.md` the link will show up.

Since we already add legal links, we also add Terms of Use, which will
show up as soon as `public/docs/terms-of-use.md` exists.

This should allow everyone to provide the legal documents they need for
GDPR and other privacy and business laws.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-05-24 18:10:36 +02:00
Sheogorath 2492cf2cdf
Fix typos for `allowAnonymousEdits`
Looks like we lost some variables during the refactoring of the configs
to camel case.

This should fix it.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-04-10 14:40:27 +02:00
Sheogorath d939de17df
Fix CSP for disqus and Google Analytics
This commit should fix existing problems with Disqus and Google
Analytics enabled in the meta-yaml section of a note.

Before this commit they were blocked by the strict CSP. It's still
possible to disable the added directives using `addDisqus` and
`addGoogleAnalytics` in the `csp` config section.

They are enabled by default to prevent breaking changes.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-30 16:33:52 +02:00
Pedro Ferreira 99abac343b 403: redirect user to login page if not logged in
Signed-Off-By: Pedro Ferreira <pedro.ferreira@cern.ch>
2018-03-27 08:53:37 +02:00
Pedro Ferreira 40b3855702 Add support for generic OAuth2 providers
Signed-off-by: Pedro Ferreira <pedro.ferreira@cern.ch>
2018-03-26 15:55:39 +02:00
Sheogorath 2411dffa2c
Change config to camel case with backwards compatibility
This refactors the configs a bit to now use camel case everywhere.
This change should help to clean up the config interface and make it
better understandable.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-25 19:08:14 +02:00
Max Wu baa0418fb5 Remove and replace all note id compression in LZString with base64url
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-02-26 16:43:29 +08:00
Max Wu 15ef54c2dc Fix to show 500 message when got error in parseNoteId
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-02-17 00:57:00 +08:00
Sheogorath e44751b3f1
Fix ldap provider name in template
Before this fix it's impossible to set the provider name in the
sign-model since `ldap` is a boolean there and this way not able
to have an attribute like `ldap.providerName`.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-01-26 10:46:22 +01:00
Christoph (Sheogorath) Kern 7de6e3211f
Merge pull request #598 from xxyy/feature/csp
Implement basic CSP support
2018-01-22 20:43:46 +01:00
Christoph (Sheogorath) Kern 268c81a323
Merge pull request #673 from fooker/master
Allow posting new note with content
2018-01-20 19:45:41 +01:00
Dario Ernst 6ae4b8bf13 Add option to enable `freely` permission in closed instance
Before, closed disallowed guest edits completely, by removing
the `freely` permission. This makes it possible to explicitely bring
back guest-editing, but not guest-note-creation, to closed instances.

Signed-off-by: Dario Ernst <dario@kanojo.de>
2018-01-20 15:14:56 +01:00
Dustin Frisch f47601857e
Allow posting new note with content
Signed-off-by: Dustin Frisch <fooker@lab.sh>
2018-01-18 10:41:58 +01:00
Peter Dave Hello 76873d3f7e Fix file permission, remove useless executable 2017-12-14 05:05:18 +08:00
Norihito Nakae 4a4ae9d332 Initial support for SAML authentication 2017-11-28 18:52:24 +09:00
Sheogorath 8808399c48
Fix mattermost breaking notes 2017-10-31 13:48:35 +01:00
Christoph Witzany 5cda55086a Add mattermost authentication 2017-10-31 10:34:51 +01:00
geekyd f7d2ef970a Adds 403 response if PDF export is disabled 2017-10-25 19:21:34 +05:30
geekyd d63e6780eb Adds PDF export via config 2017-10-25 19:19:37 +05:30
Literallie 080436aebb
CSP: Add nonce to slide view inline JS 2017-10-22 00:03:45 +02:00
Wu Cheng-Han ca95901204 Fix slide might not provide slideOptions meta 2017-06-05 01:12:40 +08:00
butlerx c531d96f66
check if reveal theme exists 2017-06-01 10:12:40 +01:00
butlerx e5834c077f
add the ability to set slide theme in slide options 2017-05-31 23:28:43 +01:00
BoHong Li ecb0533605 refactor(config.js): Extract config file
* Separate different config source to each files
* Freeze config object
2017-05-08 19:29:07 +08:00
BoHong Li aca01f064d refactor: Remove `require` extension filename 2017-05-08 19:29:06 +08:00
BoHong Li 5870d988b5 Use strict mode in all backend files
add ‘use strict’ in all backend file
2017-03-14 13:02:43 +08:00
BoHong Li 4889e9732d Use JavaScript Standard Style
Introduce JavaScript Standard Style as project style rule,
and fixed all fail on backend code.
2017-03-08 18:45:51 +08:00
Wu Cheng-Han 1473437295 Refactor checkViewPermission to fix limited & protected permission check bug and fix code style 2017-01-16 23:47:53 +08:00
Wu Cheng-Han 3c0667813c Fix missing config in hackmd response 2017-01-16 12:41:34 +08:00
Sheogorath 747629e549 Add `allowemailregister` option 2017-01-12 13:54:45 +01:00
Max Wu a8068d38d5 Merge pull request #313 from elct9620/feature/disable_anonymous_view
WIP: Add options to limit anonymous view note
2017-01-10 20:23:47 +08:00
蒼時弦也 89b8ddeaba Add limited and protected permission 2017-01-10 10:02:37 +08:00
蒼時弦也 c21fb8e2a0 Recovery tariling spaces 2017-01-10 09:35:21 +08:00
蒼時弦也 f8e5b54767 Remove temporary change 2017-01-10 09:32:44 +08:00
Max Wu b13635aac9 Merge pull request #279 from alecdwm/ldap-auth
Support for LDAP server authentication
2017-01-09 00:49:40 +08:00
蒼時弦也 1fbecbb03d Fix anonymouse view permission check 2017-01-05 23:37:10 +08:00
蒼時弦也 aaf1ff4b2f Add limit for constrain anonymous view note 2017-01-05 22:36:40 +08:00
Wu Cheng-Han c1b5e74cf9 Fix and refactor extracting content using metaMarked directly might lead in invalid object 2017-01-04 23:57:16 +08:00
Wu Cheng-Han 10a8448c6a Fix yaml metadata description not able to show 2017-01-02 11:13:41 +08:00
Wu Cheng-Han f6d8e3ab00 Remove LZString compression for data storage 2017-01-02 10:59:53 +08:00
Florian Rhiem fdea226159 Fixed typo: anonmyous 2016-12-21 14:36:54 +01:00
Wu Cheng-Han 5bb3de2675 Add support of allow free url config option with correspond modifications 2016-12-16 15:38:05 +08:00
Wu Cheng-Han 5c7eb48319 Add support of allow anonymous config option with correspond modifications 2016-12-15 14:11:23 +08:00
alecdwm 02e9927714 Initial support for LDAP server authentication
Limitations as of this commit:

- tlsOptions can only be specified in config.json, not as env vars
- authentication failures are not yet gracefully handled by the UI
  - instead the error message is shown on a blank page (/auth/ldap)
- no email address is associated with the LDAP user's account
- no picture/profile URL is associated with the LDAP user's account
- we might have to generate our own access + refresh tokens,
  because we aren't using oauth. The currently generated
  tokens are just a placeholder.
- 'LDAP Sign in' needs to be translated to each locale
2016-12-13 22:41:07 +01:00
Wu Cheng-Han a73d9ce39e Update to support optional email register and signin 2016-12-02 01:58:14 +08:00
Wu Cheng-Han 71a356552f Update to auto generate meta description based on content in publish note and slide 2016-11-26 23:04:29 +08:00