Commit Graph

70 Commits

Author SHA1 Message Date
Martin Zimmermann
b15f17738e isso.dispatch now dispatches multiple sites based on relative URLs
The previous approach using a custom X-Custom header did work for the
client-side, but not for activation and deletion links. Now, you need
to add a `name = foo` option to the general section. `isso.dispatch`
then binds this configuration to /foo and can distinguish all API
calls without a special HTTP header.
2013-12-08 19:09:56 +01:00
Martin Zimmermann
232e2fb474 another approach to fix #40 (return 403 on false Content-Type)
When an attacker uses a <form> to downvote a comment, the browser
*should* add a `Content-Type: ...` header with three possible values:

    * application/x-www-form-urlencoded
    * multipart/form-data
    * text/plain

If the header is not sent or requests `application/json`, the
request is not forged (XHR is restricted by CORS separately).
2013-12-04 23:36:48 +01:00
Martin Zimmermann
1db06bbf39 Revert "HTTP Origin is only sent on cross-origin requests in Firefox"
Revert "use Referer instead of Origin when using IE"
Revert "fix unittests"
Revert "check if Origin matches Host to mitigate CSRF, part of #40"

This reverts commit 9376511485c70deaf908aa67bcdc8f0c9a0b003e.
This reverts commit 9a03cca793.
This reverts commit 4c16ba76cc.
This reverts commit 32e4b70510.
2013-12-04 17:09:22 +01:00
Martin Zimmermann
b839b2be31 HTTP Origin is only sent on cross-origin requests in Firefox
Therefore, only raise Forbidden if Origin (or Referer for MSIE) is sent
(which is a protected header and all modern browsers (except IE)).

Also add a basic unit test which asserts the failure for false origins.
2013-12-04 17:09:22 +01:00
Laurent Arnoud
02db978308 Add check with blank text 2013-12-04 00:35:09 +01:00
Martin Zimmermann
4c16ba76cc fix unittests 2013-12-01 13:40:11 +01:00
Martin Zimmermann
b3d6215d2b fix unittest for werkzeug==0.8 2013-11-18 12:40:27 +01:00
Martin Zimmermann
60d15e0f41 fix unittest 2013-11-17 11:57:48 +01:00
Martin Zimmermann
4367e56734 fix Python 3.3 2013-11-13 21:30:18 +01:00
Martin Zimmermann
d4e7ee134d add option reply-to-self, defaults to false 2013-11-13 21:20:32 +01:00
Martin Zimmermann
70b426d770 add unittest for spam guard 2013-11-13 20:43:00 +01:00
Martin Zimmermann
f0ee0a18b1 move unittest helpers into a separate file 2013-11-13 14:25:05 +01:00
Martin Zimmermann
6e85c54a2e refactor views and introduce an API for notifications
Keep Isso modular, not monolithic. Make it easy to integrate a
web interface or add XMPP notifications.

This refactorization includes minor bugfixes and changes:

* CORS middleware did not work properly due to wrong unit tests
* more type checks on JSON input
* new detection for origin and public url, closes #28
* new activation and delete url (no redirect for old urls, but you can
  convert the old urls: copy hash after `/activate/` (or delete) and
  open `/id/<id of comment>/activate/<hash>`
* move crypto.py to utils/

With this commit, SMTP is no longer automatically configured: add
`notify = smtp` to the `[general]` section to use SMTP.
2013-11-11 12:09:19 +01:00
Martin Zimmermann
1174259b27 mv comment -> comments 2013-11-08 18:55:02 +01:00
Martin Zimmermann
af6695e935 lowercase MiddleWare and fix TypeError in Headers 2013-11-05 14:03:46 +01:00
Martin Zimmermann
4950e7dd4d add unittest for CORS headers 2013-11-05 13:08:21 +01:00
Martin Zimmermann
8d1171df29 improve request decoding and json parsing 2013-11-05 12:44:16 +01:00
Martin Zimmermann
e08e7be464 remove stale threads after all comments have been deleted 2013-10-31 11:08:00 +01:00
Martin Zimmermann
a658021f7e fix unittest for 1358fac and extend internal documentation 2013-10-31 10:44:46 +01:00
Martin Zimmermann
cb40c7ca42 improve doctests and refactor title extraction 2013-10-29 12:01:45 +01:00
Martin Zimmermann
2db98d0d34 move http utils in separate module 2013-10-24 14:38:43 +02:00
Martin Zimmermann
48b4c9f9a5 purge comments in moderation queue after given time, closes #13 2013-10-24 14:38:40 +02:00
Martin Zimmermann
11246f51dc support for moderated comments, part of #13
* add moderated = true to your configuration (defaults to false)
* comment activation via email to the Isso owner
2013-10-13 15:02:42 +02:00
Martin Zimmermann
61a486d2ea support for Python 3.3 2013-10-09 16:33:49 +02:00
Martin Zimmermann
ab618ad898 add basic spam protection 2013-10-06 18:37:05 +02:00
Martin Zimmermann
6242d243c9 update cookie after editing a comment 2013-10-03 18:12:59 +02:00
Martin Zimmermann
b36e2fdb28 COMMIT ALL THE THINGS
* refactor JS (a lot)
* use a CSS framework (neat/bourbon), because CSS is hard
* up/downvote comments
* cleaner HTML
* HTML inclusion in JS
* SVG icons for reference, up and downvote
* basic i18n: english and german supported ootb
* lazy (because slow) client-side identicon generation (preview ability)
* removed website input field for no particular reason
* remove HTML.js in favour of a homebrew DOM manipulation tool
2013-10-01 14:47:01 +02:00
Martin Zimmermann
560e73cc0a rewrite db backend 2013-09-19 18:44:37 +02:00
Martin Zimmermann
e56d6a087a fix unittests with mocking 2013-09-13 16:12:26 +02:00
Martin Zimmermann
adb3d40c03 send notification for new comments
This commit also introduces a new db which maps path to thread title.
The title is read by parsing the HTML for a related <h1> tag using
`html5lib`.

You can set up SMTP in your configuration (here the defaults):

    [SMTP]
    host = localhost
    port = 465
    ssl = on
    username =
    password =
    recipient =
    sender =

In short, by default Isso uses a local SMTP server using SSL without
any authentication. An email is send on comment creation to "recipient"
from "Ich schrei sonst <sender>".

This commit also uses a simple ANSI colorization module from my static
blog compiler project.

On server startup, Isso will connect to the SMTP server and fall back to
a null mailer. It also tries to connect to your website, so if that
doesn't work, you probably can't comment on your website either.
2013-09-13 15:21:18 +02:00
Martin Zimmermann
45d4e18aef new /count?uri=path and count.js
A separate (minified) JS to load only the comment count for each
`<a href="...#isso-thread">...</a>` link. If there are no comments,
return a 404, otherwise return the number JSON formatted.

To built `count.ks`, run `r.js -o build.count.js`.
2013-09-12 17:22:37 +02:00
Martin Zimmermann
5744a79e4d fix test for 88b77ff 2013-09-09 14:52:32 +02:00
Martin Zimmermann
f0c1574c15 remove stale comments from DB, closes #9 2013-09-08 17:21:33 +02:00
Martin Zimmermann
5cad8fb8b5 clean db interface and comment model 2013-09-08 13:02:25 +02:00
Martin Zimmermann
c7ee35423b implement db backend for votes/likes #5 2013-09-06 17:19:25 +02:00
Martin Zimmermann
11c6e4d720 remove email column 2013-09-06 15:56:43 +02:00
Martin Zimmermann
59706815e7 add comment.hash to recognize user by email or ip fallback
also: fixed test_comment json.dumps(json.loads(json.dumps(...)))
madness.
2013-09-05 23:09:56 +02:00
Martin Zimmermann
35926037a6 fix tests 2013-09-05 21:13:33 +02:00
Martin Zimmermann
dd4ba9263a refactor all the things (use werkzeug instead of NIH to handle WSGI)
Also: use ?uri=%2Fpath%2F as path indicator.
2013-09-02 14:44:53 +02:00
posativ
63b990838d fix tests 2012-12-16 00:31:55 +01:00
posativ
a4514e1f91 rewrite using NIH 2012-12-16 00:14:30 +01:00
posativ
66cc7911f5 limit to 20 by default 2012-10-24 23:56:52 +02:00
posativ
7420e6a130 add path to comment class 2012-10-24 20:38:07 +02:00
posativ
05b77f99fe add db.recent(mode, limit) method 2012-10-24 20:09:22 +02:00
posativ
39899dda81 /comment/ -> /1.0/ 2012-10-23 21:09:51 +02:00
posativ
ac6d88f61e isso import FILE can import Disqus export 2012-10-23 20:36:43 +02:00
posativ
ecd4c6b120 fix an edge case, where mallory can delete comments by bo 2012-10-23 16:40:30 +02:00
posativ
d2bc2537a1 remove limit, introduced unnecessary complexity 2012-10-21 22:37:39 +02:00
posativ
443eb2bbe1 fix tests 2012-10-21 09:51:32 +02:00
posativ
d30c3c059b sort in chronological order 2012-10-19 21:12:56 +02:00