YunoHost-Apps / hedgedoc_ynh

HedgeDoc package for YunoHost
https://hedgedoc.org/
GNU General Public License v3.0

[REQUEST] Make HedgeDoc more secure in Yunohost #46

Closed cichy1173 closed 1 year ago

cichy1173 commented 1 year ago

Hello. I have been using HedgeDoc for a couple of months and I discovered this app thanks to Yunohost. Unfortunately, I see some problems with keeping this app secure.

Context

HedgeDoc with the default config.json file lets strangers make an account with fake e-mails without any email confirmation. Also, anonymous users can store notes on our server. It can be a real security problem: strangers can store files and notes on our server.

How can it be fixed?

It is possible to block creating accounts and anonymous notes. In the config.json file we need to add: allowEmailRegister: false and allowAnonymous: false

Expected behavior

It can be fixed in two ways. The first way is to make allowEmailRegister: false and allowAnonymous: false the default for every HedgeDoc installation in Yunohost. The second way is to ask the user what they want to do with these values while configuring the app in the WebAdmin.
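The following is an added example, not code from the hedgedoc_ynh package or from the commenter: a small Node.js script that audits a HedgeDoc config.json for the two settings named above and produces a hardened copy. It relies on HedgeDoc's config.json being keyed by environment name ("production", "development", ...) and on the two keys allowEmailRegister and allowAnonymous; the sample configuration, domain names and the assumption that an absent key means "allowed" are constructed for illustration and match the default behaviour the issue describes.

```javascript
// Added example (not part of hedgedoc_ynh): audit a HedgeDoc config.json for
// the two settings discussed in this issue and produce a hardened copy.
// Key names follow HedgeDoc's config.json; the sample configuration below is
// constructed for illustration.

// Target values. Both settings are treated as "allowed" when absent, which is
// the default behaviour the issue describes: anyone can register by e-mail and
// anyone can create notes without logging in.
const HARDENED = Object.freeze({
  allowEmailRegister: false, // no self-service account creation by e-mail
  allowAnonymous: false,     // no note creation without logging in
});

// Constructed sample: a default-like config.json that leaves both settings open
// (explicitly in "production", implicitly in "development").
const SAMPLE_CONFIG = {
  production: {
    domain: 'pad.example.org',
    protocolUseSSL: true,
    allowEmailRegister: true,
    allowAnonymous: true,
  },
  development: {
    domain: 'localhost',
  },
};

// Return one finding per environment section and setting that is not hardened.
// A missing key counts as a finding because it falls back to the open default.
function auditConfig(config) {
  const findings = [];
  for (const [env, section] of Object.entries(config)) {
    if (section === null || typeof section !== 'object') continue;
    for (const [key, wanted] of Object.entries(HARDENED)) {
      const actual = section[key];
      if (actual === undefined) {
        findings.push({ env, key, actual: 'unset (open by default)', wanted });
      } else if (actual !== wanted) {
        findings.push({ env, key, actual, wanted });
      }
    }
  }
  return findings;
}

// Return a deep copy of the config with both settings forced to false in every
// environment section; the original object is left untouched.
function hardenConfig(config) {
  const copy = JSON.parse(JSON.stringify(config));
  for (const section of Object.values(copy)) {
    if (section === null || typeof section !== 'object') continue;
    Object.assign(section, HARDENED);
  }
  return copy;
}

// Stand-alone run: report the weak settings, harden, and re-audit.
for (const f of auditConfig(SAMPLE_CONFIG)) {
  console.log(`[${f.env}] ${f.key} = ${JSON.stringify(f.actual)}, want ${f.wanted}`);
}
const hardenedConfig = hardenConfig(SAMPLE_CONFIG);
console.log(`findings after hardening: ${auditConfig(hardenedConfig).length}`);
console.log(JSON.stringify(hardenedConfig, null, 2));
```

To check a live installation, replace SAMPLE_CONFIG with the parsed contents of the app's config.json; a non-empty audit result means registration or anonymous note creation is still open in at least one environment section.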

ericgaspar commented 1 year ago

True. PR on its way. Thanks for sharing.

lapineige commented 1 year ago

Is that fixed?

cichy1173 commented 1 year ago

> Is that fixed?

It was merged into testing branch.