It can be a security concern in some environments to expose system
capabilities even though they don't expose any PII. Add some
flags (defaulted `true` to maintain existing behaviour) to control
whether the /metrics and /status (and anything in the StatusRouter)
are exposed.
Signed-off-by: Stéphane Maniaci <stephane.maniaci@beta.gouv.fr>
In e17cc644 the Webpack build process for CodeMirror was changed.
For unknown reasons, not all plugins and modes were added.
This adds all plugins currently enabled in
https://github.com/hedgedoc/CodeMirror/blob/951b3d94bb5ad9ac7b44642adbe595e843390506/release.sh
Signed-off-by: David Mehren <git@herrmehren.de>
The markdown for the publish-view is generated
using the `Note.extractMeta` method.
It uses meta-marked to separate the metadata from markdown.
Only the raw markdown is then sent to the client,
so it cannot respect the `breaks` option.
This adds an evil hack to send the `breaks` option with the markdown
if it is contained in the metadata block.
Fixes https://github.com/hedgedoc/hedgedoc/issues/2358
Signed-off-by: David Mehren <git@herrmehren.de>
When using MySQL, the normal text attribute has a fixed size. When this size is reached, the JSON will be cut off and becomes invalid.
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
Since https://github.com/vesse/node-ldapauth-fork/commit/741a648df98d789856b3301d65103b74872fdeea,
ldapauth-fork calls `push` on the attributes array.
Since we deep-freeze our config object in
https://github.com/hedgedoc/hedgedoc/blob/master/lib/config/index.js#L200, this
causes a crash.
This commit fixes the crash by creating a mutable clone of the LDAP
config and passing that to the LDAP strategy.
Fixes https://github.com/hedgedoc/hedgedoc/issues/2561
Signed-off-by: David Mehren <git@herrmehren.de>
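The crash described in the commit above, as an added example that is not HedgeDoc's or ldapauth-fork's own code: a deep-frozen config object handed to a library that calls `push` on one of its arrays throws a `TypeError`, while passing a mutable clone lets the library mutate its copy without touching the frozen original. The `searchAttributes` key, the `deepFreeze` helper and the stand-in library function are constructed for the example.

```javascript
// Recursively freeze a plain-data object, standing in for HedgeDoc's
// deep-frozen config (constructed helper, not the project's implementation).
function deepFreeze(obj) {
  for (const value of Object.values(obj)) {
    if (value !== null && typeof value === 'object' && !Object.isFrozen(value)) {
      deepFreeze(value);
    }
  }
  return Object.freeze(obj);
}

// Stand-in for a library that appends to the attributes array it is given.
// Array.prototype.push throws a TypeError on a frozen array in both strict
// and sloppy mode, because the array is not extensible.
function libraryPushesAttribute(ldapConfig) {
  ldapConfig.searchAttributes.push('memberOf');
  return ldapConfig.searchAttributes;
}

// Mutable deep copy. A JSON round-trip is enough for plain-data config
// (strings, numbers, booleans, arrays, nested objects); it drops functions.
function mutableClone(config) {
  return JSON.parse(JSON.stringify(config));
}

// Constructed sample config with an LDAP section, frozen like the real one.
function buildFrozenConfig() {
  return deepFreeze({
    ldap: { url: 'ldap://ldap.example.test', searchAttributes: ['uid', 'mail'] },
  });
}

// The bug: returns the error name thrown when the library mutates the frozen
// config, or null if no error occurred.
function tryWithFrozen(config) {
  try {
    libraryPushesAttribute(config.ldap);
    return null;
  } catch (e) {
    return e.name; // 'TypeError'
  }
}

// The fix: give the library a mutable clone; the frozen original is untouched.
function tryWithClone(config) {
  const attrs = libraryPushesAttribute(mutableClone(config.ldap));
  return { pushed: attrs, originalUntouched: config.ldap.searchAttributes.length === 2 };
}
```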
This patch removes the call of `/usr/bin/env` when calling the migration
script in favour of using the process's own nodejs invocation path.
This should drop the requirement for `/usr/bin/env` to exist on a
system/in a container that runs hedgedoc.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
The snippet export broke due to two reasons.
First of all, the request to GitLab fails in the
default configuration due to the CSP not being
set properly. This commit adds the configured
GitLab base url to the connect-src directives.
The second problem is a change in the GitLab API
spec. Instead of `code` and `file_name` the
GitLab API now requires a `files` array with
`content` and `file_path` entries per snippet.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
The hex2rgb function seems to previously have been available globally.
It probably got lost in the great Webpack refactoring and nobody noticed
that.
This copies the function into its own file (to make importing it easy)
and adds an import in index.js.
Fixes https://github.com/hedgedoc/hedgedoc/issues/2248
Signed-off-by: David Mehren <git@herrmehren.de>
Using `CMD_SAML_PROVIDERNAME` and the respective auth provider objects
in the configuration structures.
Signed-off-by: Moritz Schlarb <schlarbm@uni-mainz.de>
We discourage allowing HedgeDoc to be embedded into other pages in the
FAQ.
Therefore, we should not advertise this feature, especially as it needs
a non-standard config.
Signed-off-by: David Mehren <git@herrmehren.de>
Sequelize generates invalid SQL for the 'fix-enum' migration from 2018.
Since nobody has complained about this issue since then, we can just
drop support for SQL Server.
Signed-off-by: David Mehren <git@herrmehren.de>
There were several reports of HedgeDoc not looking correct when some variants of fonts which HedgeDoc uses are installed locally. The only way to fix this for the users was to remove the locally installed font or update them to another variant.
As we use woff font files which aren't very heavy in terms of file size, it seems reasonable to always fetch them from the server (or the local browser cache).
Signed-off-by: Erik Michelson <github@erik.michelson.eu>