feat: option to disable note creation

The abuse of the demo instance required us to disallow note creation

Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
This commit is contained in:
Erik Michelson 2024-07-18 00:25:20 +02:00 committed by Tilman Vatteroth
parent c85b11463d
commit 858d7bf5d1
9 changed files with 20 additions and 2 deletions

app.js

@ -203,6 +203,7 @@ app.locals.serverURL = config.serverURL
app.locals.sourceURL = config.sourceURL app.locals.sourceURL = config.sourceURL
app.locals.allowAnonymous = config.allowAnonymous app.locals.allowAnonymous = config.allowAnonymous
app.locals.allowAnonymousEdits = config.allowAnonymousEdits app.locals.allowAnonymousEdits = config.allowAnonymousEdits
app.locals.disableNoteCreation = config.disableNoteCreation
app.locals.authProviders = { app.locals.authProviders = {
facebook: config.isFacebookEnable, facebook: config.isFacebookEnable,
twitter: config.isTwitterEnable, twitter: config.isTwitterEnable,


@ -110,6 +110,7 @@ these are rarely used for various reasons.
| `allowAnonymousEdits` | `CMD_ALLOW_ANONYMOUS_EDITS` | **`false`** or `true` | If `allowAnonymous` is `false`: allow users to select `freely` permission, allowing guests to edit existing notes (default is `false`). | | `allowAnonymousEdits` | `CMD_ALLOW_ANONYMOUS_EDITS` | **`false`** or `true` | If `allowAnonymous` is `false`: allow users to select `freely` permission, allowing guests to edit existing notes (default is `false`). |
| `allowFreeURL` | `CMD_ALLOW_FREEURL` | **`false`** or `true` | Set to allow new note creation by accessing a nonexistent note URL. This is the behavior familiar from [Etherpad](https://github.com/ether/etherpad-lite). | | `allowFreeURL` | `CMD_ALLOW_FREEURL` | **`false`** or `true` | Set to allow new note creation by accessing a nonexistent note URL. This is the behavior familiar from [Etherpad](https://github.com/ether/etherpad-lite). |
| `requireFreeURLAuthentication` | `CMD_REQUIRE_FREEURL_AUTHENTICATION` | **`false`** or `true` | Set to require authentication for FreeURL mode style note creation. | | `requireFreeURLAuthentication` | `CMD_REQUIRE_FREEURL_AUTHENTICATION` | **`false`** or `true` | Set to require authentication for FreeURL mode style note creation. |
| `disableNoteCreation` | `CMD_DISABLE_NOTE_CREATION` | **`false`** or `true` | Set to `true` to disallow any person to create notes. |
| `defaultPermission` | `CMD_DEFAULT_PERMISSION` | **`editable`**, `freely`, `limited`, `locked`, `protected` or `private` | Set notes default permission (only applied on signed-in users). | | `defaultPermission` | `CMD_DEFAULT_PERMISSION` | **`editable`**, `freely`, `limited`, `locked`, `protected` or `private` | Set notes default permission (only applied on signed-in users). |
| `sessionName` | | **`connect.sid`** | Cookie session name. | | `sessionName` | | **`connect.sid`** | Cookie session name. |
| `sessionLife` | `CMD_SESSION_LIFE` | **`14 * 24 * 60 * 60 * 1000`**, `1209600000` (14 days) | Cookie session life time in milliseconds. | | `sessionLife` | `CMD_SESSION_LIFE` | **`14 * 24 * 60 * 60 * 1000`**, `1209600000` (14 days) | Cookie session life time in milliseconds. |


@ -35,6 +35,7 @@ module.exports = {
allowAnonymousEdits: false, allowAnonymousEdits: false,
allowFreeURL: false, allowFreeURL: false,
requireFreeURLAuthentication: false, requireFreeURLAuthentication: false,
disableNoteCreation: false,
forbiddenNoteIDs: ['robots.txt', 'favicon.ico', 'api', 'build', 'css', 'docs', 'fonts', 'js', 'uploads', 'vendor', 'views'], forbiddenNoteIDs: ['robots.txt', 'favicon.ico', 'api', 'build', 'css', 'docs', 'fonts', 'js', 'uploads', 'vendor', 'views'],
defaultPermission: 'editable', defaultPermission: 'editable',
dbURL: '', dbURL: '',


@ -33,6 +33,7 @@ module.exports = {
allowAnonymousEdits: toBooleanConfig(process.env.CMD_ALLOW_ANONYMOUS_EDITS), allowAnonymousEdits: toBooleanConfig(process.env.CMD_ALLOW_ANONYMOUS_EDITS),
allowFreeURL: toBooleanConfig(process.env.CMD_ALLOW_FREEURL), allowFreeURL: toBooleanConfig(process.env.CMD_ALLOW_FREEURL),
requireFreeURLAuthentication: toBooleanConfig(process.env.CMD_REQUIRE_FREEURL_AUTHENTICATION), requireFreeURLAuthentication: toBooleanConfig(process.env.CMD_REQUIRE_FREEURL_AUTHENTICATION),
disableNoteCreation: toBooleanConfig(process.env.CMD_DISABLE_NOTE_CREATION),
forbiddenNoteIDs: toArrayConfig(process.env.CMD_FORBIDDEN_NOTE_IDS), forbiddenNoteIDs: toArrayConfig(process.env.CMD_FORBIDDEN_NOTE_IDS),
defaultPermission: process.env.CMD_DEFAULT_PERMISSION, defaultPermission: process.env.CMD_DEFAULT_PERMISSION,
dbURL: process.env.CMD_DB_URL, dbURL: process.env.CMD_DB_URL,


@ -82,6 +82,9 @@ exports.showNote = function (req, res, next) {
} }
exports.createFromPOST = function (req, res, next) { exports.createFromPOST = function (req, res, next) {
if (config.disableNoteCreation) {
return errors.errorForbidden(res)
}
let body = '' let body = ''
if (req.body && req.body.length > config.documentMaxLength) { if (req.body && req.body.length > config.documentMaxLength) {
return errors.errorTooLong(res) return errors.errorTooLong(res)
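Review bot: The new guard at the top of createFromPOST answers a disabled instance with errorForbidden (403), while the guard added to findNote in the next section answers the same policy with errorNotFound (404), and neither side says why they differ. If the 404 is deliberate (a free-URL miss should look like any other unknown note), a one-line comment here would protect that choice from a later "consistency fix", e.g. `// Creation disabled instance-wide: reject explicitly here; findNote answers 404 instead so a free-URL miss looks like any other missing note`; if it is not deliberate, errorForbidden in both places is the clearer signal to clients. Only the two call sites visible in this commit are guarded, so any other route that reaches newNote without passing through createFromPOST or findNote would still create notes; the router is not in this commit, so that is worth checking. The body of createFromPOST continues past the end of the hunk.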


@ -19,7 +19,11 @@ exports.findNote = function (req, res, callback, include = null, createIfNotFoun
include: include || null include: include || null
}).then(function (note) { }).then(function (note) {
if (!note && createIfNotFound) { if (!note && createIfNotFound) {
return exports.newNote(req, res, '') if (config.disableNoteCreation) {
return errors.errorNotFound(res)
} else {
return exports.newNote(req, res, '')
}
} }
if (!note && !createIfNotFound) { if (!note && !createIfNotFound) {
return errors.errorNotFound(res) return errors.errorNotFound(res)
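Review bot: The `else` after `return errors.errorNotFound(res)` is redundant and adds a nesting level to a branch that only needs a guard; the same logic reads more plainly as `if (config.disableNoteCreation) { return errors.errorNotFound(res) }` followed directly by `return exports.newNote(req, res, '')`. This hunk also relies on `config` and `errors` being in scope in this module, which the hunk context does not show; presumably they are required at the top of the file, but that is worth confirming since the original branch only used `exports.newNote`. findNote starts before the hunk and its `.then` callback continues after it.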


@ -4,6 +4,7 @@
### Enhancements ### Enhancements
- Add a pointer to Mermaid 9.1.7 documentation, which is what HedgeDoc 1 supports. - Add a pointer to Mermaid 9.1.7 documentation, which is what HedgeDoc 1 supports.
- Add `disableNoteCreation` config option for read-only instances
### Bugfixes ### Bugfixes
- Fix a crash when having numeric-only values in opengraph frontmatter - Fix a crash when having numeric-only values in opengraph frontmatter


@ -22,8 +22,10 @@
<i class="fa fa-caret-down"></i> <i class="fa fa-caret-down"></i>
</a> </a>
<ul class="dropdown-menu list" role="menu" aria-labelledby="menu"> <ul class="dropdown-menu list" role="menu" aria-labelledby="menu">
<% if (!disableNoteCreation) { %>
<li role="presentation"><a role="menuitem" class="ui-new" tabindex="-1" href="<%- serverURL %>/new" target="_blank" rel="noopener"><i class="fa fa-plus fa-fw"></i> <%= __('New') %></a> <li role="presentation"><a role="menuitem" class="ui-new" tabindex="-1" href="<%- serverURL %>/new" target="_blank" rel="noopener"><i class="fa fa-plus fa-fw"></i> <%= __('New') %></a>
</li> </li>
<% } %>
<li role="presentation"><a role="menuitem" class="ui-publish" tabindex="-1" href="#" target="_blank" rel="noopener"><i class="fa fa-share-square-o fa-fw"></i> <%= __('Publish') %></a> <li role="presentation"><a role="menuitem" class="ui-publish" tabindex="-1" href="#" target="_blank" rel="noopener"><i class="fa fa-share-square-o fa-fw"></i> <%= __('Publish') %></a>
</li> </li>
<li class="divider"></li> <li class="divider"></li>
@ -112,11 +114,13 @@
</li> </li>
</ul> </ul>
<ul class="nav navbar-nav navbar-right" style="padding:0;"> <ul class="nav navbar-nav navbar-right" style="padding:0;">
<% if (!disableNoteCreation) { %>
<li> <li>
<a href="<%- serverURL %>/new" target="_blank" rel="noopener" class="ui-new"> <a href="<%- serverURL %>/new" target="_blank" rel="noopener" class="ui-new">
<i class="fa fa-plus"></i> <%= __('New') %> <i class="fa fa-plus"></i> <%= __('New') %>
</a> </a>
</li> </li>
<% } %>
<li> <li>
<a href="#" target="_blank" rel="noopener" class="ui-publish"> <a href="#" target="_blank" rel="noopener" class="ui-publish">
<i class="fa fa-share-square-o"></i> <%= __('Publish') %> <i class="fa fa-share-square-o"></i> <%= __('Publish') %>
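Review bot: The `<% if (!disableNoteCreation) { %>` gates here only hide the New links; the `/new` URL stays reachable to anyone who types it, so the server-side check on config.disableNoteCreation in createFromPOST is what actually enforces the policy, and a reader of this template cannot see that. A short EJS comment above the first gate would make the division of responsibility explicit, e.g. `<%# New-note links are hidden for UX only; creation is rejected server-side when config.disableNoteCreation is set %>`. The same applies to the three gates added in the signin/signout template in the following section, which need no separate comment once this one exists. These gates also read `disableNoteCreation` as a bare template local, which works because app.js now publishes it via app.locals; any render that does not go through that app object would throw a ReferenceError in EJS, so keep the two in step.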


@ -12,7 +12,7 @@
<li class="ui-history<% if(signin) { %> active<% } %>"><a href="#"><%= __('History') %></a> <li class="ui-history<% if(signin) { %> active<% } %>"><a href="#"><%= __('History') %></a>
</li> </li>
<div class="ui-signin" style="float: right; margin-top: 8px;<% if(signin) { %> display: none;<% } %>"> <div class="ui-signin" style="float: right; margin-top: 8px;<% if(signin) { %> display: none;<% } %>">
<% if (allowAnonymous) { %> <% if (allowAnonymous && !disableNoteCreation) { %>
<a type="button" href="<%- serverURL %>/new" class="btn btn-sm btn-primary"><i class="fa fa-plus"></i> <%= __('New guest note') %></a> <a type="button" href="<%- serverURL %>/new" class="btn btn-sm btn-primary"><i class="fa fa-plus"></i> <%= __('New guest note') %></a>
<% } %> <% } %>
<% if (authProviders.facebook || authProviders.twitter || authProviders.github || authProviders.gitlab || authProviders.mattermost || authProviders.dropbox || authProviders.google || authProviders.ldap || authProviders.saml || authProviders.oauth2 || authProviders.email) { %> <% if (authProviders.facebook || authProviders.twitter || authProviders.github || authProviders.gitlab || authProviders.mattermost || authProviders.dropbox || authProviders.google || authProviders.ldap || authProviders.saml || authProviders.oauth2 || authProviders.email) { %>
@ -20,7 +20,9 @@
<% } %> <% } %>
</div> </div>
<div class="ui-signout" style="float: right; margin-top: 8px;<% if(!signin) { %> display: none;<% } %>"> <div class="ui-signout" style="float: right; margin-top: 8px;<% if(!signin) { %> display: none;<% } %>">
<% if (!disableNoteCreation) { %>
<a type="button" href="<%- serverURL %>/new" class="btn btn-sm btn-primary"><i class="fa fa-plus"></i> <%= __('New note') %></a> <a type="button" href="<%- serverURL %>/new" class="btn btn-sm btn-primary"><i class="fa fa-plus"></i> <%= __('New note') %></a>
<% } %>
<span class="ui-profile dropdown pull-right"> <span class="ui-profile dropdown pull-right">
<button id="profileLabel" class="btn btn-sm btn-link ui-profile-label" style="padding-right: 0;" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <button id="profileLabel" class="btn btn-sm btn-link ui-profile-label" style="padding-right: 0;" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
<img class="ui-avatar" width="20" height="20"><span class="hidden-xs hidden-sm">&ensp;<span class="ui-name"></span></span>&ensp;<i class="fa fa-caret-down"></i> <img class="ui-avatar" width="20" height="20"><span class="hidden-xs hidden-sm">&ensp;<span class="ui-name"></span></span>&ensp;<i class="fa fa-caret-down"></i>