Depending on how the system was setup, this bug lead to keep user's data
around even after a successful deletion of user'S account. This patch
will make sure the missing database constraints are implemented and
missed out deletions are executed.
This bug was introduced to insufficent testing after implementing the
feature initially. It was well tested, using the app process itself, but
the migrations where missed out. I'm currently not sure, if there was
also a change in how sequelize handles cassaded deletion, since I'm
unter the impression that before switching to sequelize 5, this feature
has worked. But I haven't verified this.
No matter what, the cleanup process is rather straight forward and will
be invoked on migration, but can also be done manually using the new
`bin/cleanup` script.
This change will result in a release 1.6.1.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
Node 8 is End of Life since the beginning of 2020.[1] Due to not
deprecating it earlier, the next release will be the last release
supporting it. There are no breaking changes to be expected anymore,
therefore removing the Tests can be considered safe and the release can
start its existence with a green CI.
This patch removes the test for NodeJS version 8 from the TravisCI jobs.
[1]: https://nodejs.org/en/about/releases/
`CMD_ALLOW_ANONYMOUS_EDITS` is only applied when `CMD_ALLOW_ANONYMOUS` is `false`, see [here](9c1665ae5b/lib/config/index.js (L71-L73)).
Signed-off-by: Stefan Peters <stefandesu@exo.pm>
The revision view had a bug that clicking on a list entry would redirect
the user back to the index page instead of providing the revision diff.
This was cased by the baseurl which is now used as reference for hrefs.
Therefore when clicking on the `href="#"` this was actually pointing at
`<baseurl>#` which is usually the index page.
This patch simply removes the href from the list items and therefore the
link functionality. This fixes the whole problem by removing 9
characters from our source code.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
As we noticed in our poll about CDN usage, that most people
intentionally turn it off, but very little intetionally turn it on or
leave it on. [1]
There is also strong indicators that CDNs don't really provide any
benefits in loading time and due to the small deployments of CodiMD,
there is no big savings due to CDNs either. [2]
Therefore this patch changes the CDN default settings to off in order to
reduce the exposed user data.
[1]: https://community.codimd.org/t/poll-on-cdn-usage/28
[2]: https://csswizardry.com/2019/05/self-host-your-static-assets/
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
This update of revealJS helps us to get rid of the headjs depedency
integration using webpack. It updates reveal.js to 3.9.2 and updates the
csp hash accordingly for using the slide mode.
Background for this update is the critical security vulnerability
described by snyk in their disclosure:
https://snyk.io/vuln/SNYK-JS-REVEALJS-543841
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
Webpack now uses relative paths for resources linked from by static
snippets. A templated <base> tag has been introduced in headers
so app.js can set the base URL at runtime.
Signed-off-by: Enrico Guiraud <enrico.guiraud@cern.ch>