The note metadata will be automatically extracted from the note content and cannot be updated separately.
Signed-off-by: David Mehren <git@herrmehren.de>
Co-authored-by: Yannick Bungers <git@innay.de>
This route should return a full `NotePermissions` object instead of only `NotePermissionsUpdate`
Signed-off-by: David Mehren <git@herrmehren.de>
Co-authored-by: Yannick Bungers <git@innay.de>
Previously, one had to send a complete `NoteMetadata` object when updating the pinned status of a note. A new `HistoryUpdateObject` type was introduced, that only contains the pinned status boolean.
Signed-off-by: David Mehren <git@herrmehren.de>
Co-authored-by: Yannick Bungers <git@innay.de>
Previously, the metadata route was used to both update note metadata (like title, description and tags) and the permissions. Additionally, one had to send many unchangeable properties. In this commit, a /notes/{note}/permissions route is introduced, that only changes permissions. Additionally, PUT /notes/{note}/metadata now needs only the properties that are actually changeable.
Signed-off-by: David Mehren <git@herrmehren.de>
Co-authored-by: Yannick Bungers <git@innay.de>
It turned out that saving the file extension in a separate field is not necessary. Instead, the extension is saved in the complete filename in the `id` field.
Signed-off-by: David Mehren <git@herrmehren.de>
NoteRevisionsMetadata is an array containing revision data and not an object with a single property containing an array.
Revision timestamps are ISO strings, not UNIX timestamps.
Signed-off-by: David Mehren <git@herrmehren.de>
The precision of sqlites datetime() timestamp is only one second (see https://www.sqlite.org/lang_datefunc.html). Therefore we could not order revisions of one note that were created in the same second. To remedy this, the primary key was changed to a monotonically increasing number, which solves the ordering problem.
Signed-off-by: David Mehren <git@herrmehren.de>
Previously, single dashes were used for associatons, which makes PlantUML layout all of them in an horizontal line. I changed that to two dashes so that PlantUML uses normal layouting. I think that is far clearer.
(See https://plantuml.com/class-diagram for more on layouting)
Signed-off-by: Nicolas Lenz <nicolas@eisfunke.com>
As this document should contain the details of the stable external API, it was refactored and cleaned up.
Co-Authored-By: David Mehren <dmehren1@gmail.com>
Co-Authored-By: Yannick Bungers <git@innay.de>
Co-Authored-By: Philip Molares <philip.molares@udo.edu>
this change makes sense, because v2 client should still be able to call /api/v2/ on v2.1 servers
Signed-off-by: Philip Molares <philip.molares@udo.edu>
With the suggested usage of an Authorization header instead of relying on session-cookies, the API will finally become stateless. Therefore we don't need the tokens for user password change and deletion anymore.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
There's a new config property 'localesPath' - pointing to './locales' by default. The path resolution is similar to the docsPath, uploadsPath etc.
Signed-off-by: Erik Michelson <erik@liltv.de>
As we already decleared in earlier versions, this patch removes PDF
export entirely. It's a not acceptable security risk for every CodiMD
instance.
The current implementation allowed to extract arbitary files from the
CodiMD host and therefore leaking secrets from a `/etc/passwd` to
CodiMD's own config files and all secrets contained in it.
Thanks to Joona for finding this vulnerability in August last year,
which lead to an emergency disabling of PDF exports in 1.5.0.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
`CMD_ALLOW_ANONYMOUS_EDITS` is only applied when `CMD_ALLOW_ANONYMOUS` is `false`, see [here](9c1665ae5b/lib/config/index.js (L71-L73)).
Signed-off-by: Stefan Peters <stefandesu@exo.pm>
As we noticed in our poll about CDN usage, that most people
intentionally turn it off, but very little intetionally turn it on or
leave it on. [1]
There is also strong indicators that CDNs don't really provide any
benefits in loading time and due to the small deployments of CodiMD,
there is no big savings due to CDNs either. [2]
Therefore this patch changes the CDN default settings to off in order to
reduce the exposed user data.
[1]: https://community.codimd.org/t/poll-on-cdn-usage/28
[2]: https://csswizardry.com/2019/05/self-host-your-static-assets/
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
The current documents might end up confusing people and are not
completely accessible. This minor fixes should clear up the situation
and add alt texts to all badges, explain the links at the end of the
docs, and list LinuxServer.io in the supported provider section of the
README.
Some reasoning on the change in the listing:
Since we maintain an own container image which is for sure kept updated
on release, this is our first listing, as well as general solutions that
are build on that image, like the K8s integration.
The next listings are integrated provides which allow self-hosting, like
Cloudron and I also consider LinuxServer.io as this kind of providers.
Which try to enable people to run CodiMD on their own hardware or rented
servers in a very easy way, but by using their own images.
As third category I would look at hosted offers, like Heroku, which are
not completely SaaS but far enough away from the self-hostability that
I consider them as an own category. PaaS-based solutions are not as
FOSS-style as we want our setups to be, but of course still supported.
Finally the manual setup. We keep it down here, because we support it,
but don't recommend it in general. It's hard to upgrade and can cause
problems when dependencies are not correctly updated or people don't run
the db migrations.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
