Hello. I have been using HedgeDoc for a couple of months, and I discovered this app thanks to Yunohost. Unfortunately, I see some problems with keeping this app secure.
Context
HedgeDoc with the default config.json file lets strangers make an account with fake e-mails without any e-mail confirmation. Also, anonymous users can store notes on our server.
It can be a real security problem. Strangers can store files and notes on our server.
How can it be fixed?
It is possible to block account creation and anonymous notes. In the config.json file we need to add: allowEmailRegister: false and allowAnonymous: false
Expected behavior
It can be fixed in two ways. The first way is to make allowEmailRegister: false and allowAnonymous: false the default for every HedgeDoc installation in Yunohost.
The second way is to ask the user what he wants to do with these values while he is configuring the app in WebAdmin.
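An added example (not code from this issue, HedgeDoc or the YunoHost package) that audits a HedgeDoc config.json for the two settings discussed above and produces a hardened copy. It assumes the usual config.json layout with a per-environment section (here "production") and that HedgeDoc treats a missing allowEmailRegister or allowAnonymous key as true, so a config that simply omits them is still open.

```python
import json

# Assumption: HedgeDoc's upstream default for both keys is true, so an
# absent key means registration/anonymous notes are still permitted.
DEFAULTS = {"allowEmailRegister": True, "allowAnonymous": True}

# Constructed sample config.json: neither key is set, so defaults apply.
SAMPLE_CONFIG = """{
  "production": {
    "domain": "notes.example.org",
    "protocolUseSSL": true,
    "db": {"dialect": "sqlite", "storage": "./db.hedgedoc.sqlite"}
  }
}"""


def effective_settings(config_text, env="production"):
    """Return the effective value of each setting for the given environment,
    falling back to the upstream default when config.json leaves it unset."""
    section = json.loads(config_text).get(env, {})
    return {key: section.get(key, DEFAULTS[key]) for key in DEFAULTS}


def audit(config_text, env="production"):
    """List the settings that still allow open sign-up or anonymous notes."""
    return sorted(k for k, v in effective_settings(config_text, env).items() if v)


def harden(config_text, env="production"):
    """Return config.json text with both settings explicitly set to false."""
    cfg = json.loads(config_text)
    cfg.setdefault(env, {}).update({key: False for key in DEFAULTS})
    return json.dumps(cfg, indent=2)


if __name__ == "__main__":
    print("open settings before:", audit(SAMPLE_CONFIG))
    fixed = harden(SAMPLE_CONFIG)
    print("open settings after: ", audit(fixed))
    print(fixed)
```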