Commit Graph

80 Commits

Author SHA1 Message Date
Martin Zimmermann
1e2efb24b3 remove duplicate test 2014-03-25 18:50:21 +01:00
Martin Zimmermann
5ce48de94a add POST request to get comment counts for multiple URLs
The old way via `GET /count?uri=...` still works, but is now deprecated
and might be removed in future releases.
The new way is much more efficient especially fore multiple listings.

The internal implemention is improvable though.
2014-03-25 18:50:21 +01:00
Martin Zimmermann
c4b80ff702 make CORS middleware more generic to use 2014-03-04 15:40:21 +01:00
Martin Zimmermann
8f70a3a7cb add tests for 81ecc8e 2014-02-18 17:01:02 +01:00
Martin Zimmermann
16d085c9d1 improve tests for comment field validation 2014-02-04 15:34:02 +01:00
Martin Zimmermann
5efa81b57e replace assert foo == bar with appropriate self.assert$Foo calls
except for test_migration because there are improved tests available
in the feature/cli branch
2014-02-04 15:05:32 +01:00
Martin Zimmermann
3713d5e8ee allow raw HTML markup for a few (whitelisted) tags
To be compatible with comments from Disqus (and users unfamiliar with
Markdown), Misaka no longer disables user-inputted HTML, but the
generated HTML is now post-processed and all "unsafe" tags (not
possible with Markdown) are discarded.

Whitelist: p, a, pre, blockquote, h1-h6, em, sub, sup, del, ins, math,
           dl, ol, ul, li

This commit also removes an unnecessary newline generated by
Misaka/Sundown.
2014-01-12 14:44:39 +01:00
Martin Zimmermann
82da63a81b check if hash is a base-16 string 2013-12-19 08:55:06 +01:00
Martin Zimmermann
d4f836fd65 add test for /check-ip 2013-12-18 19:27:36 +01:00
Martin Zimmermann
2a86b46893 add test for disqus import 2013-12-18 13:08:54 +01:00
Martin Zimmermann
b15f17738e isso.dispatch now dispatches multiple sites based on relative URLs
The previous approach using a custom X-Custom header did work for the
client-side, but not for activation and deletion links. Now, you need
to add a `name = foo` option to the general section. `isso.dispatch`
then binds this configuration to /foo and can distinguish all API
calls without a special HTTP header.
2013-12-08 19:09:56 +01:00
Martin Zimmermann
232e2fb474 another approach to fix #40 (return 403 on false Content-Type)
When an attacker uses a <form> to downvote a comment, the browser
*should* add a `Content-Type: ...` header with three possible values:

    * application/x-www-form-urlencoded
    * multipart/form-data
    * text/plain

If the header is not sent or requests `application/json`, the
request is not forged (XHR is restricted by CORS separately).
2013-12-04 23:36:48 +01:00
Martin Zimmermann
1db06bbf39 Revert "HTTP Origin is only sent on cross-origin requests in Firefox"
Revert "use Referer instead of Origin when using IE"
Revert "fix unittests"
Revert "check if Origin matches Host to mitigate CSRF, part of #40"

This reverts commit 9376511485c70deaf908aa67bcdc8f0c9a0b003e.
This reverts commit 9a03cca793.
This reverts commit 4c16ba76cc.
This reverts commit 32e4b70510.
2013-12-04 17:09:22 +01:00
Martin Zimmermann
b839b2be31 HTTP Origin is only sent on cross-origin requests in Firefox
Therefore, only raise Forbidden if Origin (or Referer for MSIE) is sent
(which is a protected header and all modern browsers (except IE)).

Also add a basic unit test which asserts the failure for false origins.
2013-12-04 17:09:22 +01:00
Laurent Arnoud
02db978308 Add check with blank text 2013-12-04 00:35:09 +01:00
Martin Zimmermann
4c16ba76cc fix unittests 2013-12-01 13:40:11 +01:00
Martin Zimmermann
b3d6215d2b fix unittest for werkzeug==0.8 2013-11-18 12:40:27 +01:00
Martin Zimmermann
60d15e0f41 fix unittest 2013-11-17 11:57:48 +01:00
Martin Zimmermann
4367e56734 fix Python 3.3 2013-11-13 21:30:18 +01:00
Martin Zimmermann
d4e7ee134d add option reply-to-self, defaults to false 2013-11-13 21:20:32 +01:00
Martin Zimmermann
70b426d770 add unittest for spam guard 2013-11-13 20:43:00 +01:00
Martin Zimmermann
f0ee0a18b1 move unittest helpers into a separate file 2013-11-13 14:25:05 +01:00
Martin Zimmermann
6e85c54a2e refactor views and introduce an API for notifications
Keep Isso modular, not monolithic. Make it easy to integrate a
web interface or add XMPP notifications.

This refactorization includes minor bugfixes and changes:

* CORS middleware did not work properly due to wrong unit tests
* more type checks on JSON input
* new detection for origin and public url, closes #28
* new activation and delete url (no redirect for old urls, but you can
  convert the old urls: copy hash after `/activate/` (or delete) and
  open `/id/<id of comment>/activate/<hash>`
* move crypto.py to utils/

With this commit, SMTP is no longer automatically configured: add
`notify = smtp` to the `[general]` section to use SMTP.
2013-11-11 12:09:19 +01:00
Martin Zimmermann
1174259b27 mv comment -> comments 2013-11-08 18:55:02 +01:00
Martin Zimmermann
af6695e935 lowercase MiddleWare and fix TypeError in Headers 2013-11-05 14:03:46 +01:00
Martin Zimmermann
4950e7dd4d add unittest for CORS headers 2013-11-05 13:08:21 +01:00
Martin Zimmermann
8d1171df29 improve request decoding and json parsing 2013-11-05 12:44:16 +01:00
Martin Zimmermann
e08e7be464 remove stale threads after all comments have been deleted 2013-10-31 11:08:00 +01:00
Martin Zimmermann
a658021f7e fix unittest for 1358fac and extend internal documentation 2013-10-31 10:44:46 +01:00
Martin Zimmermann
cb40c7ca42 improve doctests and refactor title extraction 2013-10-29 12:01:45 +01:00
Martin Zimmermann
2db98d0d34 move http utils in separate module 2013-10-24 14:38:43 +02:00
Martin Zimmermann
48b4c9f9a5 purge comments in moderation queue after given time, closes #13 2013-10-24 14:38:40 +02:00
Martin Zimmermann
11246f51dc support for moderated comments, part of #13
* add moderated = true to your configuration (defaults to false)
* comment activation via email to the Isso owner
2013-10-13 15:02:42 +02:00
Martin Zimmermann
61a486d2ea support for Python 3.3 2013-10-09 16:33:49 +02:00
Martin Zimmermann
ab618ad898 add basic spam protection 2013-10-06 18:37:05 +02:00
Martin Zimmermann
6242d243c9 update cookie after editing a comment 2013-10-03 18:12:59 +02:00
Martin Zimmermann
b36e2fdb28 COMMIT ALL THE THINGS
* refactor JS (a lot)
* use a CSS framework (neat/bourbon), because CSS is hard
* up/downvote comments
* cleaner HTML
* HTML inclusion in JS
* SVG icons for reference, up and downvote
* basic i18n: english and german supported ootb
* lazy (because slow) client-side identicon generation (preview ability)
* removed website input field for no particular reason
* remove HTML.js in favour of a homebrew DOM manipulation tool
2013-10-01 14:47:01 +02:00
Martin Zimmermann
560e73cc0a rewrite db backend 2013-09-19 18:44:37 +02:00
Martin Zimmermann
e56d6a087a fix unittests with mocking 2013-09-13 16:12:26 +02:00
Martin Zimmermann
adb3d40c03 send notification for new comments
This commit also introduces a new db which maps path to thread title.
The title is read by parsing the HTML for a related <h1> tag using
`html5lib`.

You can set up SMTP in your configuration (here the defaults):

    [SMTP]
    host = localhost
    port = 465
    ssl = on
    username =
    password =
    recipient =
    sender =

In short, by default Isso uses a local SMTP server using SSL without
any authentication. An email is send on comment creation to "recipient"
from "Ich schrei sonst <sender>".

This commit also uses a simple ANSI colorization module from my static
blog compiler project.

On server startup, Isso will connect to the SMTP server and fall back to
a null mailer. It also tries to connect to your website, so if that
doesn't work, you probably can't comment on your website either.
2013-09-13 15:21:18 +02:00
Martin Zimmermann
45d4e18aef new /count?uri=path and count.js
A separate (minified) JS to load only the comment count for each
`<a href="...#isso-thread">...</a>` link. If there are no comments,
return a 404, otherwise return the number JSON formatted.

To built `count.ks`, run `r.js -o build.count.js`.
2013-09-12 17:22:37 +02:00
Martin Zimmermann
5744a79e4d fix test for 88b77ff 2013-09-09 14:52:32 +02:00
Martin Zimmermann
f0c1574c15 remove stale comments from DB, closes #9 2013-09-08 17:21:33 +02:00
Martin Zimmermann
5cad8fb8b5 clean db interface and comment model 2013-09-08 13:02:25 +02:00
Martin Zimmermann
c7ee35423b implement db backend for votes/likes #5 2013-09-06 17:19:25 +02:00
Martin Zimmermann
11c6e4d720 remove email column 2013-09-06 15:56:43 +02:00
Martin Zimmermann
59706815e7 add comment.hash to recognize user by email or ip fallback
also: fixed test_comment json.dumps(json.loads(json.dumps(...)))
madness.
2013-09-05 23:09:56 +02:00
Martin Zimmermann
35926037a6 fix tests 2013-09-05 21:13:33 +02:00
Martin Zimmermann
dd4ba9263a refactor all the things (use werkzeug instead of NIH to handle WSGI)
Also: use ?uri=%2Fpath%2F as path indicator.
2013-09-02 14:44:53 +02:00
posativ
63b990838d fix tests 2012-12-16 00:31:55 +01:00