Commit graph

121 commits

Author SHA1 Message Date
John McLear
b7e88cb904 security: New setting for Socket.IO maxHttpBufferSize 2021-02-15 12:45:31 -05:00
Ole Langbehn
4c6a12ce2b Add commitRateLimiting settings block to settings.json.docker
The settings commitRateLimiting.duration and commitRateLimiting.points
were not available in the settings.json.docker file, and therefore it
was not possible to override their values via environment variables.

Now, they can be overridden by setting the following env vars:

* commitRateLimiting.duration: COMMIT_RATE_LIMIT_DURATION
* commitRateLimiting.points:   COMMIT_RATE_LIMIT_POINTS
2021-02-08 19:19:03 +00:00
John McLear
2b112ac851
tests: Admin Frontend Test Coverage(#4717)
Covers all frontend admin operations, runs separated in CI.
2021-02-07 11:32:57 +00:00
freddii
ea202e41f6 docs: fixed typos 2021-02-03 00:30:07 +01:00
John McLear
66df0a572f
Security: FEATURE REMOVAL: Remove all plain text password logic and ui (#4178)
This will be a breaking change for some people.  

We removed all internal password control logic.  If this affects you, you have two options:

1. Use a plugin for authentication and use session based pad access (recommended).
1. Use a plugin for password setting.

The reasoning for removing this feature is to reduce the overall security footprint of Etherpad.  It is unnecessary and cumbersome to keep this feature and with the thousands of available authentication methods available in the world our focus should be on supporting those and allowing more granual access based on their implementations (instead of half assed baking our own).
2020-10-07 13:43:54 +01:00
Richard Hansen
a8cf434d1d import: Replace the allowAnyoneToImport check with userCanModify
This reduces the number of hoops a user or tool must jump through to
import.
2020-10-05 18:48:16 +01:00
Richard Hansen
2db4b04af3 cookies: Use SameSite=None if in an iframe from another site 2020-10-04 08:57:44 +01:00
Richard Hansen
bf9d613e95
feature: New user-specific readOnly and canCreate settings (#4370)
Also:
  * Group the tests for readability.
  * Factor out some common test setup.
2020-09-28 11:22:06 +01:00
John McLear
40014d8230
Rate limit Socket IO communication - WIP (#4036)
Includes settings
    Includes i18n
    Includes a nice notification
    Disconnects on rate limit
    Includes feeding into metrics/stats
    Include console warn to server console.
2020-07-19 22:44:24 +01:00
John McLear
bfca481b0b
import: setting for allowing import without author existing 2020-06-01 18:19:06 +01:00
Daniel Krol
61c7bb9699
feat(i18n) Custom i18n strings (#4000)
* Custom i18n strings (and some code formatting)

* Documentation for per-instance l10n overwrites
2020-05-19 13:21:31 +01:00
muxator
9882362e2e settings: clarify that null defaults are supported, using the syntax "${VAR_NAME}"
Using "${VAR_NAME:null}", instead, would define the literal string "null".
2020-04-21 04:44:56 +02:00
Sebastian Castro
c6f5ced23c css: adds UI skin variants builder (only for colibris skin) 2020-04-19 03:03:44 +02:00
Sebastian Castro
709e5d2233 colibris: introduce skin variants, in order to customize the rendering
This provide a nice way to change the colors of main containers from settings file. See comment inside settings for how it works
2020-04-19 03:03:44 +02:00
John McLear
c9d55c81a3 import/export: always rate limit import and exports
This is a departure from previous versions, which did not limit import/export
requests. Now such requests are ALWAYS rate limited. The default is 10 requests
per IP each 90 seconds, and also applies to old instances upgraded to 1.8.3.

Administrators can tune the parameters via settings.importExportRateLimiting.
2020-04-14 03:36:13 +02:00
John McLear
f4418149cb import: introduce importMaxFileSize setting. Defaults to 50 MB
From Etherpad 1.8.3 onwards, the maximum allowed size for a single imported
file will always be bounded.

The maximum allowed size can be configured via importMaxFileSize.
2020-04-14 03:36:13 +02:00
muxator
6cba0f1dc5 settings: "http://etherpad.org" -> "https://etherpad.org" in the default text of a pad 2020-04-09 03:54:46 +02:00
Paul Tiedtke
79406051fa Settings.js: support newlines in default values when using variable substitution
This allows, among other things, to correctly support the configuration of
defaultPadText in Docker via an environment variable.
2020-04-07 04:32:37 +02:00
John McLear
fa3e4b146a settings: document the possibility of using Unix sockets
We have been supporting Unix sockets by ages, because express.listen()
(http://expressjs.com/en/4x/api.html#app.listen_path_callback) re-exposes
net.server.listen() (https://nodejs.org/api/net.html#net_server_listen), which
in turn supports Unix sockets.

The only remaining thing to do was documenting it.

Fixes #3312
2020-03-30 03:36:55 +02:00
muxator
70bc71c0c3 skins: make "colibris" the default skin for new installations
Colibris skin was first introduced in 1.7.5 and received some bugfixes in 1.8.0.
It is now time to make it the default for new installs.
2019-12-08 00:32:03 +01:00
muxator
a817acbbcc security: when served over https, set the "secure" flag for "express_sid" and "language" cookie
The mechanism used for determining if the application is being served over SSL
is wrapped by the "express-session" library for "express_sid", and manual for
the "language" cookie, but it's very similar in both cases.

The "secure" flag is set if one of these is true:

1. we are directly serving Etherpad over SSL using the native nodejs
   functionality, via the "ssl" options in settings.json

2. Etherpad is being served in plaintext by nodejs, but we are using a reverse
   proxy for terminating the SSL for us;
   In this case, the user has to be instructed to properly set trustProxy: true
   in settings.json, and the information wheter the application is over SSL or
   not will be extracted from the X-Forwarded-Proto HTTP header.

Please note that this will not be compatible with applications being served over
http and https at the same time.

The change on webaccess.js amends 009b61b338, which did not work when the SSL
termination was performed by a reverse proxy.

Reference for automatic "express_sid" configuration:
https://github.com/expressjs/session/blob/v1.17.0/README.md#cookiesecure

Closes #3561.
2019-12-07 04:36:01 +01:00
muxator
7c099fef5e settings: do not create a user if he has no password field, or if his password is null.
This will be used by the settings.json in the default Dockerfile to eschew
creating an admin user when no password is set.

Closes #3648.
2019-10-19 00:54:56 +02:00
muxator
4e758a9f4a settings: better explain that no default value is very different from ''
If environment variable PASSW is not defined, the following would be very
different:

  "password": "${PASSW}"  // would result in password === null
  "password": "${PASSW:}" // would result in password === ''

This characteristic will be used in the next commit, when we will use it to
discard a user if his password were null (and in turn use it for docker
containerization).

No functional changes.
2019-10-19 00:34:00 +02:00
muxator
1cc6838772 settings: reformat settings.json.template, in preparation for next commits
No functional changes.
2019-10-10 20:25:34 +02:00
Tristram Gräbener
357780d573 Display the version in the web interface
In the settings drop-down this adds an “About” section that also shows
the commit if "exposeVersion" is set to true.

Fixes #2968
2019-04-15 23:17:34 +00:00
Tristram Gräbener
28a6f505c5 Parameters: the version is exposed in http header only when configured
Currently the version is exposed in a 'Server' http headers.

This commit allows to parameterize it in the settings. By defaults it is
not exposed.

Fixes #3423
2019-04-15 23:17:34 +00:00
muxator
2955740a6e Settings.js: support syntax for default values
+---------------------------+---------------+------------------+
| Configuration string in   | Value of      | Resulting confi- |
| settings.json             | ENV_VAR       | guration value   |
|---------------------------|---------------|------------------|
| "${ENV_VAR}"              | "some_string" | "some_string"    |
| "${ENV_VAR}"              | "9001"        | 9001             |
| "${ENV_VAR}"              | undefined     | null             |
| "${ENV_VAR:some_default}" | "some_string" | "some_string"    |
| "${ENV_VAR:some_default}" | undefined     | "some_default"   |
+---------------------------+---------------+------------------+

Mention this briefly in the main README.md, also.

Closes #3578.
2019-03-21 23:32:08 +01:00
muxator
21ac37170e doc: rephrase settings.json.template and Settings.js
Better document current behaviour.
In this revision, ENV_VAR are supported, default values are not.
2019-03-21 23:32:08 +01:00
muxator
6d400050a3 Settings.js: support configuration via environment variables.
All the configuration values can be read from environment variables using the
syntax "${ENV_VAR_NAME}".
This is useful, for example, when running in a Docker container.

EXAMPLE:
   "port":     "${PORT}"
   "minify":   "${MINIFY}"
   "skinName": "${SKIN_NAME}"

Would read the configuration values for those items from the environment
variables PORT, MINIFY and SKIN_NAME.

REMARKS:
Please note that a variable substitution always needs to be quoted.
   "port":   9001,          <-- Literal values. When not using substitution,
   "minify": false              only strings must be quoted: booleans and
   "skin":   "colibris"         numbers must not.

   "port":   ${PORT}        <-- ERROR: this is not valid json
   "minify": ${MINIFY}
   "skin":   ${SKIN_NAME}

   "port":   "${PORT}"      <-- CORRECT: if you want to use a variable
   "minify": "${MINIFY}"        substitution, put quotes around its name,
   "skin":   "${SKIN_NAME}"     even if the required value is a number or a
                                boolean.
                                Etherpad will take care of rewriting it to
                                the proper type if necessary.

Resolves #3543
2019-03-11 08:11:30 +01:00
muxator
ee4a27d10e settings.json.template: minor rewording of a comment 2019-03-11 08:11:30 +01:00
muxator
7edc0fea16 skins: added new parameter "skinName" in setting.json.template
"colibris" does not exist yet, but let's mention it anyway.
2018-08-26 21:17:04 +02:00
muxator
06476f7ad2 settings.json.template: reorganized dbSetting section to be more comment-friendly
It is better to keep the dirtyDB settings together, so they can be commented out
via a /* ... */.
Nested comments blocks would crash the application on start, because they are
syntactically incorrect.

Let's reduce this possibility, promoting an easier standard.
2018-08-24 01:26:05 +02:00
muxator
d38f53181f settings.json: in the mysql example, mention the existence of port parameter
The port parameter is supported by the mysql driver, but to know this one has to
read through ueberDB's code.

At least for this simple case, it may make sense to be explicit.

Fixes #3453
2018-08-11 16:44:37 +02:00
muxator
10f0cb3253 security: suggest installing ep_hash_auth to get rid of plain text passwords
In its current form, Etherpad stores passwords for users in plain text in
settings.json. We should at least mention the opportunity of installing
ep_hash_auth to start tackling this problem.

The advice was added in README.md and in settings.json.template

Fixes #3444
2018-08-09 00:17:15 +02:00
muxator
044f761b99 settings.json: reformat comments, no functional changes. 2018-08-08 23:49:32 +02:00
Wikinaut
6dd172d6b7 Update settings.json.template 2018-05-12 21:48:21 +02:00
Wikinaut
784bd8c7cc Update settings.json.template
harmonizing the database name. "store" is the table name - not to be used here! Database name must not contain "-", but can contain "_". See https://github.com/ether/etherpad-lite/wiki/How-to-use-Etherpad-Lite-with-MySQL
2018-05-12 21:48:21 +02:00
Joas Souza
f1fcd16894 Add settings to scroll on edition out of viewport (#3282)
* Add scroll when it edits a line out of viewport

By default, when there is an edition of a line, which is out of the
viewport, Etherpad scrolls the minimum necessary to make this line
visible. This makes that the line stays either on the top or the bottom
of the viewport. With this commit, we add a setting to make possible to
scroll to a position x% pixels from the viewport. Besides of that, we
add a setting to make an animation of this scroll.
If nothing is changed on settings.json the Etherpad default behavior is
kept
2018-01-03 19:57:28 -02:00
Luiza Pagliari
0cb8d31e95 [fix] Have one setting for each shortcut to create ordered list
This is an adjustment to #2891.
2017-05-11 14:56:09 -03:00
Luiza Pagliari
97038c2183 [fix] Fix shortcut enabling flag for 'ESC'
This is an adjustment to #2891.
2017-05-11 12:36:20 -03:00
Luiza Pagliari
688e8f37a3 [fix] Fix format of settings template + add information about shortcuts
There was an extra comma at the end of shortcut list, this was breaking
Etherpad startup.

This is an adjustment to #2891.
2017-05-11 12:32:12 -03:00
Luiza Pagliari
1ebcf0dc47 Merge pull request #2891 from bhldev/padShortcutDisable
Added pad shortcut disabling feature to settings.json
2017-05-11 11:29:25 -03:00
Luiza Pagliari
009cd31243 [feature] Create option to automatically reconnect after a few seconds
On some erros that display a modal with "Force reconnect" button, allow
Etherpad to automatically reload pad after a few seconds. Amount of
seconds is defined on settings.json.

Still need to create tests for this feature, and implement i18n.
2017-04-04 11:09:24 -03:00
Paul Carver
573b55af8b Correct the spelling of occured to occurred
The correct spelling is occurred. See
http://www.gingersoftware.com/english-online/spelling-book/misspelling/occurred-occured-ocurred
or other dictionary search results.
2016-11-11 12:46:40 -05:00
Dan Bornstein
219a1dc3e3 Fix value to be valid JSON.
Also fixed some errant EOL whitespace.
2016-08-12 11:05:40 -07:00
LokeshN
a8d5dc0693 Issue #2960 - deactivate settings.json
Deactivate settings.json in Admin dashboard
2016-05-22 21:12:21 +05:30
Brian Lim
26aeb7b705 Added pad shortcut disabling feature 2016-01-21 07:38:41 -05:00
Stefan
8bf53c63cc set charset for mysql connection in settings.json 2015-12-21 21:02:54 +01:00
John McLear
0617f81689 remove applySettings hook and allow credentials.json to be part of core 2015-12-02 11:53:41 +00:00
John McLear
50171a4c3c Merge pull request #2805 from storytouch/indentationSetting
Create setting to control if a new line will be indented or not
2015-10-22 16:12:07 +01:00