* feat: allow passwords longer than 73 characters
Context: A bcrypt/blowfish limitation means that password length is capped at 72 characters. We can get around this without compromising on security
by hashing all incoming passwords with SHA512, and then sending that to bcrypt.
https://dropbox.tech/security/how-dropbox-securely-stores-your-passwords
* feat: add additional test for passwords > 73 chars
* fix: remove 'password-too-long' error message and all invocations
* test: added test to show that a super long password won't bring down NodeBB
* fix: remove debug log
* Revert "fix: remove 'password-too-long' error message and all invocations"
This reverts commit 1e312bf7ef7e119fa0f1bd3517d756ca013d5e79.
* fix: added back password length checks, but at 512 chars
As processing a large string still uses a lot of memory
'node_redis: The HGET command contains a invalid argument type.\n' +
'Only strings, dates and buffers are accepted. Please update your code to use valid argument types.'
* feat: wip admin/users
* feat: more work
* feat: more fixes
* feat: #8662, verified/unverified user groups
* feat: add filter
* feat: change user search to use filters array
* refactor: remove unused search call
* fix: tests
* fix: can't join system groups
* fix: upgrade script
* feat: fullname search
* fix: take last element
* fix: attempt to fix psql like query
* feat: upgrade script, another fix attempt
* fix: psql test
* fix: psql scan
* feat: add debug for test
* feat: test collate
* feat: cleanup
* fix: upgrade script
* refactor: socket posts delete/restore/purge so tid is not necessary
* refactor: stop trying to be fancy
* fix: tests to not pass in tid into posts.deletePosts
* fix: some more unnecessary tid passing
* feat: privileges save button, #8537, WIP
* fix: disable firefox autocomplete on privilege form fields
* feat: closes #8537 privilege changes commit on save
- new language strings for confirmation and success modals/toasts
- indeterminate privilege handling (/cc @psychobunny)
- added new discard button
- both discard and save buttons now have confirmation dialogs
* fix(tests): remove duplicate template helper test
* fix(tests): broken template helper test
* feat: confirm dialogs for all privilege copy actions
Also, ability to add user to a privilege table without needing
to refresh the privilege table.
* feat: group row addition w/o table refresh
breaking: helpers.getUserPrivileges and helpers.getGroupPrivileges
no longer make socket calls to the following hooks:
- filter:privileges.list, filter:privileges.admin.list,
filter:privileges.global.list, filter:privileges.groups.list,
filter:privileges.admin.groups.list,
filter:privileges.global.groups.list
The filters are still called, but done before the helper method
is called, and the results are passed in instead. This change
should only affect you if you directly call the helper methods,
otherwise the change is transparent.
* fix: stale ajaxify data on privilege category switch
* fix: implicit privileges not showing for user privs
* fix: groups, not group, also fix tests
* fix(tests): again
* fix: wrong tpl rendered when adding group to global priv table
make isPrimary and isCluster always booleans
they were strings when using ./nodebb start and boolean if they were in config.json and started with node app.js
allow selecting main topic to merge into
allow specifying a new title for merge topic
upon merge go to correct topic
new tests for merging with options
* feat: add privilege give/rescind hooks
action:privileges.categories.give/rescind
action:privileges.global.give/rescind
breaking change, privileges.categories.give/rescind and privileges.global.give/rescind use full privilege name for groups, i.e. `groups:find` instead of `find`
* fix: tests, privileges renamed
* feat: testing suite integration for openapi spec
The testing suite now takes the openapi spec into account. It will
check each route defined, make a call to it, and compare the
response with the defined schema. Any mismatches will cause the
test to fail.
* fix(openapi): removed debug stuff from tests
* fix(openapi): fixed some tests
* fix(openapi): added additional check to tests, test fixes
* fix(openapi): better tests, fixed spec errors
* fix(openapi): bad conditional in test
* fix: oops
* fix(openapi): more tests fixing
* fix(openapi): more tests
* fix(openapi): fix some more tests
* fix: verbose'd an info log
* fix: topic pagination route returns schema-optimized pagination block
* fix(openapi): more test/spec fixes
* fix(openapi): accidentally sending in authenticated jar for anon routes
* fix(openapi): more test/spec fixes
* fix(openapi): more spec fixes
* fix: timestampReadable Invalid Date
* fix(openapi): more tests... almost there
* fix(openapi): more tests fixing
* fix(openapi): finally all tests passing
* fix(openapi): added reverse test to compare response to spec
... and fixed all the tests that broke
* fix: remove tests related to group covers, as route is gone
* fix(openapi): broken test on travis
* fix(openapi): broken test on travis
* fix(openapi): broken test on travis
* fix(openapi): object cache is not present for psql
* fix: tests
Co-authored-by: Barış Soner Uşaklı <barisusakli@gmail.com>
* fix: #8142, broken site if no server-side session
During the `addHeader` middleware, a check is now done to see if
`req.session.meta` is present. This value is only present if the user
has a valid server-side session. If it is missing, then it is probably
safe to assume that the server-side session was deleted (either
intentionally or accidentally). In that scenario, the client-side cookie
should be cleared.
Also, there was an issue where the sessionRefresh flag was never cleared
after a successful login, so that was fixed too.
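Added example, not NodeBB's code: a middleware that detects a client session cookie whose server-side session no longer exists and clears it, except on a response that is itself setting a fresh session cookie (the case the follow-up fix covers). Assumptions: the cookie is called `express.sid`, `req.session.meta` is the marker of a live server-side session as the commit describes, and the "cookie is being set" condition is detected by looking for a queued `Set-Cookie` header. The `makeRes` helper is a stand-in for an Express response so the logic runs offline.

```javascript
const COOKIE_NAME = 'express.sid'; // assumed session cookie name

// Has this response already queued a Set-Cookie for the session cookie?
// If so, the client is mid-login and must not have its new cookie wiped.
function isSettingSessionCookie(res) {
  const header = res.getHeader('Set-Cookie');
  const values = Array.isArray(header) ? header : (header ? [header] : []);
  return values.some(v => String(v).startsWith(COOKIE_NAME + '='));
}

// Returns true when a stale client cookie was cleared, false otherwise.
function clearStaleSessionCookie(req, res) {
  const hasCookie = Boolean(req.cookies && req.cookies[COOKIE_NAME]);
  const hasServerSession = Boolean(req.session && req.session.meta);
  if (!hasCookie || hasServerSession || isSettingSessionCookie(res)) {
    return false;
  }
  // Cookie present but no server-side session behind it: the session was
  // deleted (intentionally or not), so stop the client from resending it.
  res.clearCookie(COOKIE_NAME, { path: '/' });
  return true;
}

// Express-style middleware wrapper around the check.
function addHeaderMiddleware(req, res, next) {
  clearStaleSessionCookie(req, res);
  next();
}

// Minimal response stand-in for offline use (constructed, not Express).
function makeRes() {
  const headers = {};
  return {
    cleared: [],
    setHeader(name, value) { headers[name] = value; },
    getHeader(name) { return headers[name]; },
    clearCookie(name) { this.cleared.push(name); },
  };
}
```

Clearing the cookie only when it is present avoids sending a needless `Set-Cookie` on anonymous requests, and checking the queued header rather than a flag on `req` keeps the middleware independent of the order in which the login handler and `addHeader` run.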
* feat: exported method to get cookie config
* fix: don't clear cookie if cookie is being set
* fix: socket.io tests
Co-authored-by: Barış Soner Uşaklı <barisusakli@gmail.com>
* feat: add assignee checking when updating flag
Prior to this, it was possible to update the assignee to any value (or
any user). This commit adds checking to allow only admins, global
moderators, or in the case of flagged posts, moderators.
Also some prep work was added for value checking `state`.
* feat: value checking `state` on flag update
The state should be one of the constants defined earlier in the file.
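Added example covering both commits above (not NodeBB's code): server-side validation of a flag update that restricts who may be set as assignee and which `state` values are accepted. Assumptions: the check applies to the proposed assignee uid; the privilege lookups `isAdmin`, `isGlobalMod` and `isModerator(uid, cid)` are passed in as an object; a post flag carries the category id as `targetCid`; and the state constants are the assumed set `open`, `wip`, `resolved`, `rejected`.

```javascript
// Assumed state constants; the real list lives with the flag module.
const FLAG_STATES = Object.freeze(['open', 'wip', 'resolved', 'rejected']);

// May `uid` be assigned this flag? Admins and global moderators always;
// category moderators only for flags on posts in their own category.
function isEligibleAssignee(uid, flag, perms) {
  if (perms.isAdmin(uid) || perms.isGlobalMod(uid)) {
    return true;
  }
  return flag.type === 'post' && perms.isModerator(uid, flag.targetCid);
}

// Validate a partial update; returns a list of error codes (empty = OK).
// Every field the client can set is checked, not just the ones the UI shows.
function validateFlagUpdate(flag, changes, perms) {
  const errors = [];

  if (Object.prototype.hasOwnProperty.call(changes, 'assignee')) {
    const uid = Number(changes.assignee);
    if (!Number.isInteger(uid) || uid <= 0) {
      errors.push('invalid-assignee');
    } else if (!isEligibleAssignee(uid, flag, perms)) {
      errors.push('no-privileges');
    }
  }

  if (Object.prototype.hasOwnProperty.call(changes, 'state') &&
      !FLAG_STATES.includes(changes.state)) {
    errors.push('invalid-state');
  }

  return errors;
}

// Constructed privilege table for stand-alone use: uid 1 admin, 2 global mod,
// 3 moderator of category 7 only.
const samplePerms = {
  isAdmin: uid => uid === 1,
  isGlobalMod: uid => uid === 2,
  isModerator: (uid, cid) => uid === 3 && cid === 7,
};
```

Rejecting unknown `state` values matters beyond tidiness: a free-form string stored in the flag record would later be trusted by sorted-set lookups and templates, so the allow-list keeps that field under the server's control.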
* feat: add failing test for pagination
* feat: test
* fix: redis tests
* refactor: remove logs
* fix: add new test
* feat: make sortedSetRangeByScore work with keys on redis
* fix: hardcoded set name
* feat: show topics from readable categories on recent/popular/top
* feat: rewrite unread topics
respect watched categories and followed topics
* fix: term + watched
* Add view users info global privilege
* Show user ip only to global mods and admins
* fix missing comma
* Hide link for users without correct privilege
* move getting privilege information to getAllData
* Hide the link from Global Moderators as well
* Give Global Moderator view:users:info privilege
* Restrict ip in post menu to view:users:info
* add some trailing commas....
* Add privilege to categories test
* Add group privilege to categories test
* add upgrade script
* fix style for TravisCI
* more styling - change spaces to tabs
* some more styling fixes (hopefully final one)
* fix style for Travis CI
* hide ip in chat messages
* Don't show even hidden ips on user profile page
* fix: removed duplicate checkContent call in addMessage
addMessage is called in one place (sendMessage), and the checks
are already contained there. addMessage is the lower level call
and so should be called only from within core itself.
* feat: #7330 chat system messages for join, leave, rename
* fix: add back content checking in .addMessage();
* fix: tests, and added .addSystemMessage() method
Tests were relying on message indices that changed due to the
new system messages.
* feat: add tests for system chat messages
* refactor: rewrite half of src/messaging/rooms.js, fix tests
* feat: #7743 messaging/room.js
* fix: tests for messaging/room.js, #7743
* fix: trying to fix tests
* fix: omg :rage2:
* feat: added new admin option newbiePostEditDuration
Also:
- Grammar-checked a couple language strings
- Moved a couple form inputs around in new user restrictions
- Added a test for the new option
- fix: 'defore' typo
* feat: add upgrade script to give mods privs
* feat: give all privileges when making a moderator
* feat: remove implicit privs
* feat: give global mods default privs
* feat: more priv fixes
* feat: use lodash
* fix: remove implicit mod priv from topic delete
* fix: more privs
* fix: posts.canEdit
* fix: canDelete and canEdit
* fix: tests, remove console.log
* feat: shorter functions
* feat: add tests
* fix: uids
* fix: redis random test fail
sets.groupNames is an array that contains other arrays of groupnames so passing it to getMembersOfGroups returned wrong results when there were more than 1 element in it.
* feat: ability to copy a group's privileges
ability to copy a group's privileges to all categories, or children of current category
* feat: switch to dropdown
added copy from category to groups
* fix: indents
* fix: cache refactor
db.getObjectField no longer loads entire object
db.getObjectsFields only clones data once
more tests
* feat: add back cache to redis
db.getObjectField no longer loads entire object
* auto unban when User.getUsersFields is called and the user is banned but has expired
* cleanups and removal of expiry_readable
* expiry_readable make an alias for backward compatibility
* User.bans.func vs User.*ban*Func
* console.log cleanups, plus todo message added
* use code util.deprecate
* fix: remove unused winston require
* fix: display proper site logo or og-image with sizes in head
* fix: refactor og:image logic, #7444
- Updated logic to set additional og:image tags based on more
factors
- logo.png fallback
* feat: save image sizes on post upload, re: #7444
* fix: awaiting addTags in topic controller
* fix: pass strings to meta tags object
* fix: sending absolute image url to meta tag
* fix: removed unneeded async and requiring sync db
* feat: upgrade to calculate image sizes for all post uploads tracked
* fix: tests
* fix: removal of timeago fallback middleware
Instead of loading English fallback on missing language, we opt
to not send a script tag for a missing language to begin with.
Timeago already loads with English as default, so it will just
continue to use English.
* fix: check userLang against supported language codes
* fix: cleaned up code as per @pitaj
* fix: added comments
* fix: more fixes as per @pitaj
* feat: added addl. test for timeago locales, fixed broken test
* feat: wip, category watch change
* feat: pass data to client
* feat: allow changing state
* fix: account page categories
* fix: show in unread if topic is followed or category is watched
* feat: add default watch state to acp
* feat: save user category watch state
* feat: update unread recent pages
* fix: remove dupe code
* fix: flip conditions
* fix: handle empty arrays
* fix: ignore/watch on others profile
* feat: upgrade script for category states
if there are any users ignoring categories set their state in new zset and delete cid:<cid>:ignorers
* fix: upgrade
* fix: tests
* fix: redis count
* fix: more tests
* fix: #7038, autoLocale logic not playing nicely with no-refresh auths
- on login, req.query.lang is deleted (since it seems to be left over)
- on logout, the middleware.autoLocale is executed, which resets
req.query.lang
- middleware.autoLocale is new, just refactored existing logic in
webserver.js into new middleware method.
* style: tests, use lodash
* fix: timeago strings not switching languages on login or out
* add cache to redis
move out cache module from mongo
* fix redis tests
* add callback noop
* fix typo
* del cache on field delete
* make redis/mongo caches separate
* WIP
* using bootswatch from npm instead of bootswatch CDN url
* feat: on-demand client css building for skins
* added ability for client-side to select a skin
* updated loading and saving logic of bootstrapSkin on client side user settings
* fix: broken test for #6849
- on category setParent dialog do not show children of current category
- break recursion if category parentCid is equal to child cid to prevent
infinite loop
- don't allow setting the parentCid of a category to one of its children
* Store config fields as JSON in the db
Fewer parseInts
* Remove unnecessary parseInts
* remove some dupe code add tests
* remove console.log
* remove more parseInts
* WIP: read meta.configs defaults from defaults.json
remove more parseInts
* more work
* add log for failing test
* update admin pwd
* fix tests, don't require posts/cache before configs are initialized
* handle saves
* Test boolean conditions
* remove more parseInts
* Fix boolean values
* remove lots more parseInts
* removed json parsing
* renamed var to number
* categories don't have timestamp
* allow groups.join to take an array of group names
* pass an array to groups.join/leave in privileges
* split up groups/membership
* add hits/miss to group cache
* fix typo
* add probe image size and max image size
* replace jimp and image-probe with sharp
* better name for test
* resize with just path
* resize thumb inplace
* use filename
* [test/database/list] Fix test list 4 being used in two different tests
* [database/postgres] PostgreSQL database driver
* [database/postgres] Make transactions work based on continuation scope.
* [database/postgres] Implement nested transactions
* eslint --fix
* Add database changes from earlier this week to the PostgreSQL driver.
* Fix typo
* Fix postgres.incrObjectFieldBy returning undefined instead of null when given NaN
* [database/postgres] Fix sortedSetsCard returning an array of strings.
* Update socket.io postgres adapter
* Fix PostgreSQL erroring when multiple updates are made to the same sorted set entry in a single operation.
Add a test case to catch this error.
* Fix lint errors.
* Only prune sessions on one instance in a cluster to avoid deadlocks.
They're caught and handled by the database server, but they spam the logs.
* Fix arguments.slice.
- Benchpress compilation is 33x faster now
- Native module with JS fallback and pre-built binaries
- Dev template build is <1sec now
- Minified template build is ~5sec (uglify accounts for almost all)
* ACP quick actions
- Moved restart, build & restart, and logout into separate buttons
- Moved buttons on mobile into the side menu
- Added version and upgrade alert to header / mobile menu
- Moved version checking to server-side with a cache for rate limiting
- Changed "reload" translations to "rebuild and restart"
* Change info alert to black-on-white to match focused search bar
* Fix tests
* Fallback for failed fetch of latest version
Groups.destroy can take an array of groupnames
Groups.leave can take an array of groupnames
db.incrObjectField/decrObjectField can take an array of keys
db.sortedSetRemove can take an array of keys and values
db.setRemove can take an array of keys