This explains how the configuration code works and give some hints on what do look out for while working on the configuration code.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
Replace the old docs index page with a hint where the (for now) 'real'
docs can be found and that HedgeDoc 2.0 is still in development.
Signed-off-by: David Mehren <git@herrmehren.de>
With this the backend now can hold a history entry.
Also included in this commit are some minor changes to tests and services so they can still work.
Signed-off-by: Philip Molares <philip.molares@udo.edu>
The note metadata will be automatically extracted from the note content and cannot be updated separately.
Signed-off-by: David Mehren <git@herrmehren.de>
Co-authored-by: Yannick Bungers <git@innay.de>
This route should return a full `NotePermissions` object instead of only `NotePermissionsUpdate`
Signed-off-by: David Mehren <git@herrmehren.de>
Co-authored-by: Yannick Bungers <git@innay.de>
Previously, one had to send a complete `NoteMetadata` object when updating the pinned status of a note. A new `HistoryUpdateObject` type was introduced, that only contains the pinned status boolean.
Signed-off-by: David Mehren <git@herrmehren.de>
Co-authored-by: Yannick Bungers <git@innay.de>
Previously, the metadata route was used to both update note metadata (like title, description and tags) and the permissions. Additionally, one had to send many unchangeable properties. In this commit, a /notes/{note}/permissions route is introduced, that only changes permissions. Additionally, PUT /notes/{note}/metadata now needs only the properties that are actually changeable.
Signed-off-by: David Mehren <git@herrmehren.de>
Co-authored-by: Yannick Bungers <git@innay.de>
It turned out that saving the file extension in a separate field is not necessary. Instead, the extension is saved in the complete filename in the `id` field.
Signed-off-by: David Mehren <git@herrmehren.de>
NoteRevisionsMetadata is an array containing revision data and not an object with a single property containing an array.
Revision timestamps are ISO strings, not UNIX timestamps.
Signed-off-by: David Mehren <git@herrmehren.de>
The precision of sqlites datetime() timestamp is only one second (see https://www.sqlite.org/lang_datefunc.html). Therefore we could not order revisions of one note that were created in the same second. To remedy this, the primary key was changed to a monotonically increasing number, which solves the ordering problem.
Signed-off-by: David Mehren <git@herrmehren.de>
Previously, single dashes were used for associatons, which makes PlantUML layout all of them in an horizontal line. I changed that to two dashes so that PlantUML uses normal layouting. I think that is far clearer.
(See https://plantuml.com/class-diagram for more on layouting)
Signed-off-by: Nicolas Lenz <nicolas@eisfunke.com>
As this document should contain the details of the stable external API, it was refactored and cleaned up.
Co-Authored-By: David Mehren <dmehren1@gmail.com>
Co-Authored-By: Yannick Bungers <git@innay.de>
Co-Authored-By: Philip Molares <philip.molares@udo.edu>
this change makes sense, because v2 client should still be able to call /api/v2/ on v2.1 servers
Signed-off-by: Philip Molares <philip.molares@udo.edu>
With the suggested usage of an Authorization header instead of relying on session-cookies, the API will finally become stateless. Therefore we don't need the tokens for user password change and deletion anymore.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
There's a new config property 'localesPath' - pointing to './locales' by default. The path resolution is similar to the docsPath, uploadsPath etc.
Signed-off-by: Erik Michelson <erik@liltv.de>
As we already decleared in earlier versions, this patch removes PDF
export entirely. It's a not acceptable security risk for every CodiMD
instance.
The current implementation allowed to extract arbitary files from the
CodiMD host and therefore leaking secrets from a `/etc/passwd` to
CodiMD's own config files and all secrets contained in it.
Thanks to Joona for finding this vulnerability in August last year,
which lead to an emergency disabling of PDF exports in 1.5.0.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
`CMD_ALLOW_ANONYMOUS_EDITS` is only applied when `CMD_ALLOW_ANONYMOUS` is `false`, see [here](9c1665ae5b/lib/config/index.js (L71-L73)).
Signed-off-by: Stefan Peters <stefandesu@exo.pm>
As we noticed in our poll about CDN usage, that most people
intentionally turn it off, but very little intetionally turn it on or
leave it on. [1]
There is also strong indicators that CDNs don't really provide any
benefits in loading time and due to the small deployments of CodiMD,
there is no big savings due to CDNs either. [2]
Therefore this patch changes the CDN default settings to off in order to
reduce the exposed user data.
[1]: https://community.codimd.org/t/poll-on-cdn-usage/28
[2]: https://csswizardry.com/2019/05/self-host-your-static-assets/
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
