Commit graph

1566 commits

Author SHA1 Message Date
Sheogorath
638eae0dfb
Add check for undefined UUID
This check is needed at there are tons of LDAP implementations out there
and none has at least one guaranteed unique field. As we currently check
three fields and added an option to select one yourself, it's still not
said that any of these fields is set. This will now create an error
and fail the authentication instead of letting people may get access to
other people's notes which are stored under a this way deterministic
wrong userid named `LDAP-undefined`.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-18 00:27:07 +01:00
Christoph (Sheogorath) Kern
9cbe03d8a8
Merge pull request #761 from SISheogorath/feature/reportURI
Add config option for report URI in CSP
2018-03-14 22:10:23 +01:00
Christoph (Sheogorath) Kern
976657dc21
Merge pull request #765 from vazontang/master
Convert  HMD_MINIO_PORT into Number type.
2018-03-14 21:33:21 +01:00
vazontang
070dd27f95
Convert HMD_MINIO_PORT into Number type.
fix hackmdio/hackmd#763

Signed-off-by: Tang TsungYi <vazontang@gmail.com>
2018-03-15 04:07:45 +08:00
Sheogorath
efa490a50f
Add config option for report URI in CSP
This option is needed as it's currently not possible to add an report
URI by the directives array. This option also allows to get CSP reports
not only on docker based setup but also on our heroku instances.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-14 17:57:41 +01:00
Christoph (Sheogorath) Kern
2698aa4b5f
Merge pull request #760 from thegcat/fix/support_multiple_emails_in_ldap
Multiple emails from LDAP are already an Array
2018-03-10 20:40:59 +01:00
Felix Schäfer
12dae4465f Multiple emails from LDAP are already an Array
Signed-off-by: Felix Schäfer <felix@thegcat.net>
2018-03-09 14:39:08 +01:00
Sheogorath
21be5a5517
Update yarn.lock
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-03-07 11:30:08 +01:00
Christoph (Sheogorath) Kern
17d6fe716d
Merge pull request #756 from davidmehren/master
Remove engine.io-client dependency
2018-03-07 11:15:54 +01:00
David Mehren
7904558292
Remove engine.io-client dependency and fix webpack config
Signed-off-by: David Mehren <dmehren1@gmail.com>
2018-03-06 14:45:14 +01:00
Christoph (Sheogorath) Kern
66d8d3180a
Merge pull request #755 from thegcat/fix/remove_unused_ldap_options
Remove unused LDAP option `tokenSecret`

fixes #754
2018-03-06 14:22:50 +01:00
Felix Schäfer
6094c61871 Remove unused LDAP option tokenSecret
hackmdio/hackmd#754

Signed-off-by: Felix Schäfer <felix@thegcat.net>
2018-03-05 14:06:05 +01:00
Christoph (Sheogorath) Kern
eb46378fc5
Merge pull request #753 from senk/patch-1
Fix small typo
2018-03-05 10:25:31 +01:00
Robin Naundorf
e547664727 Fix small typo
Signed-off-by: Robin Naundorf <r.naundorf@fh-muenster.de>
2018-03-05 09:06:37 +01:00
Christoph (Sheogorath) Kern
96c9096d50
Merge pull request #750 from fooker/master
Use ldap.usernameField over hardcoded uid fields
2018-03-03 23:56:01 +01:00
Dustin Frisch
d6ee10d176
Introduce ldap.useridField
Signed-off-by: Dustin Frisch <fooker@lab.sh>
2018-03-01 23:51:47 +01:00
Christoph (Sheogorath) Kern
b0ce3d0230
Merge pull request #744 from hackmdio/add-more-html5-tags
Support more html5 tags and styles
2018-02-26 19:41:53 +01:00
Max Wu
ea118c2ec8 Update styles of details, summary and figure
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-02-26 21:05:13 +08:00
Max Wu
95e9f96aa0 Update to allow rp tag for ruby
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-02-26 20:55:10 +08:00
Max Wu
711a11ce23 Remove manual allow details tag since default already allow it
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-02-26 20:54:57 +08:00
Christoph (Sheogorath) Kern
912cce2b40
Merge pull request #740 from SISheogorath/feature/moreHTML5
Extend HTML5 support by whitelisting various tags
2018-02-25 21:50:11 +01:00
Sheogorath
5d347d583d
Extend HTML5 support by whitelisting various tags
HTML5 provides a wide feature set of useful elements. Since Markdown
usually supports HTML it should be able to use these HTML5 tags as well.
As they were requested by some users and they where checked for being
safe, whitelisting them isn't a problem. To make the experience the same
as on GitHub when it comes to the basic look and feel of the rendered
markdown, some CSS was added to make the summary and the details tag
look like on GitHub.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-02-25 14:54:21 +01:00
Christoph (Sheogorath) Kern
f642a11599
Merge pull request #739 from SISheogorath/fix/sublime-esc
Allow the usage of the esc-key by codemirror
2018-02-25 14:25:26 +01:00
Sheogorath
9c77e9d7f0
Allow the usage of the esc-key by codemirror
This change allows all input modes of codemirror to use the information
from an input esc-key and make this way vim and sublime more
functional. To prevent this change from breaking the return from the
fullscreen mode, it catches the esc-key in this case. Hopefully this is
an acceptable solution.

As before the vim-mode is handled different in fulltext-mode as it is
esc-key heavy.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-02-24 21:14:47 +01:00
Christoph (Sheogorath) Kern
6bcc72e090
Merge pull request #735 from SISheogorath/fix/jsonlint
Use jq instead of jsonlint
2018-02-19 20:00:59 +01:00
Sheogorath
faa839ed3a
Use jq instead of jsonlint
As the jsonlint package from NPM causes problems and looks unmaintained,
it'll be replaced with `jq` a well maintained project which allows to
search through JSON files in a `grep`-like style, but knowing the JSON
structure.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-02-19 19:50:01 +01:00
Christoph (Sheogorath) Kern
298d3d62bb
Merge pull request #730 from Zearin/patch-1
Update README.md
2018-02-19 11:32:13 +01:00
Zearin
b8e019c6b0 Rerun doctoc
Signed-off-by: Anthony "Zearin" Rogers <zearin@users.sourceforge.net>
2018-02-17 13:08:05 -05:00
Zearin
b0f524e55e Update README.md
Signed-off-by: Anthony "Zearin" Rogers <zearin@users.sourceforge.net>
2018-02-17 12:51:48 -05:00
Christoph (Sheogorath) Kern
e4783837ef
Merge pull request #728 from hackmdio/fix-show-error-in-parseNoteId
Fix to show 500 message when got error in parseNoteId
2018-02-17 17:32:26 +01:00
Max Wu
15ef54c2dc Fix to show 500 message when got error in parseNoteId
Signed-off-by: Max Wu <jackymaxj@gmail.com>
2018-02-17 00:57:00 +08:00
Christoph (Sheogorath) Kern
e793738833
Merge pull request #725 from SISheogorath/fix/referrerPolicy
Add referrer policy
2018-02-12 22:23:19 +01:00
Sheogorath
714504618c
Add referrer policy
This commit adds a referrer policy to all requests.

The usage of `same-origin` allows HackMD to still interpret all requests
and this way not break anything. But it prevents 3rd party scripts,
pictures and more to get informations that may lead to not secured note.

It has to be mentioned that this maybe breaks some features of the
Google Analytics embedding. This has to be tested.

Fixes #724

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-02-12 01:59:48 +01:00
Max Wu
bb5e021f20 Fix field type to prevent data truncation of authorship (#721)
* Fix field type to prevent data truncation of authorship
2018-02-09 14:27:06 +01:00
Christoph (Sheogorath) Kern
dfa0851d8f
Add matrix.org badge to README.md
Matrix.org is an interesting platform for collaboration and community building. 

Thanks to various clients it supports it's maybe better than gitter to keep people on track and have a community feeling, discuss changes and more.

Not not split up into two parties not knowing of each other, the Gitter channel and the Matrix channel are bridged. This helps to keep everyone informed while add more medias.

Signed-off-by: Christoph Kern <sheogorath@shivering-isles.com>
2018-02-08 15:27:07 +01:00
Christoph (Sheogorath) Kern
d7c66ea49b
Merge pull request #718 from takmatsu/master
Fix typo of DB migration script
2018-02-08 14:53:20 +01:00
Takeaki Matsumoto
a9973cabc4 Fix typo of DB migration script
Signed-off-by: Takeaki Matsumoto <takeaki.matsumoto@ntt.com>
2018-02-08 10:15:05 +09:00
Christoph (Sheogorath) Kern
f3358b49f5
Merge pull request #716 from stbuehler/fix-referer
don't require referer to find note id in socket.io connections (fixes #623)
2018-02-05 14:50:47 +01:00
Stefan Bühler
c4f8fb78ee don't require referer to find note id in socket.io connections (fixes #623)
Signed-off-by: Stefan Bühler <buehler@cert.uni-stuttgart.de>
2018-02-05 14:26:42 +01:00
Christoph (Sheogorath) Kern
2024262200
Merge pull request #714 from SISheogorath/fix/uncaughtException
Fix uncaught exception for non-existent user
2018-01-31 20:48:59 +01:00
Sheogorath
1a4800e21a
Update Heroku button
The button needs a parameter to work, that provides the git repository
that is used for the deployment. This commit corrects the link and this
way fixes the provisioning as it's not working with the wrong/default
buildpacks.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-01-31 14:00:49 +01:00
Sheogorath
6b97dd7aac
Update yarn.lock
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-01-31 01:16:52 +01:00
Sheogorath
eddf8a3a33
Fix uncaught exception for non-existent user
Since we added user management it's possible to get non-existent users
which can cause a crash of the Backend server.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-01-30 21:53:36 +01:00
Christoph (Sheogorath) Kern
e5edd1a124
Merge pull request #713 from SISheogorath/update/socketio
Update socket.io to version 2.0.4
2018-01-30 21:43:31 +01:00
Sheogorath
a01b4a843c
Update socket.io to version 2.0.4
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-01-30 19:44:32 +01:00
Sheogorath
a40dcdd222
Prevent "wrong type"-issue
The argument is may interpreted as number which causes the "pass"
parameter of the user creation to fail. Probably the same applies to the
mail address. But mail addresses are by definition not allowed to start
by a number (iirc) which makes it less a problem. This is mainly a quick
fix. Should be refactored a bit in future.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-01-29 22:41:12 +01:00
Sheogorath
e055f270b4
Update yarn.lock
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-01-29 22:37:02 +01:00
Christoph (Sheogorath) Kern
80950f806b
Merge pull request #707 from Nebukadneza/add_cmdline_usermanager
Add simple user-management tool for emailsignin
2018-01-29 22:35:20 +01:00
Sheogorath
be02aed1c0
Update badges in README.md
The docker badges have to be updated since we now provide official image
like tags. So `latest-alpine` became `alpine`.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2018-01-29 22:01:31 +01:00
Dario Ernst
31f1db4100 Make travis run shellcheck only on shellscripts
There are only a few scripts in bin/, but not all might be shell. At
least for the moment, it seems reasonable to explicitely enumerate all
shell-scripts in bin/ for shellcheck …

Signed-off-by: Dario Ernst <dario@kanojo.de>
2018-01-29 19:49:04 +01:00