* Merge remote-tracking branch 'refs/remotes/origin/dev' into fix-for-csrf
Fix CSRF protection
Seems like it doesn't work anymore...
I tried to
fix it but couldn't get /api without csrf. So I changed the
dependency
for another csrf package (nosurf).
Behavior: Same as previously. You
just have to include the block
csrf_token
* changing dependency to nosurf
* Logout is now a posted form
Instead of using a get method, I've moved it to a post method.
Doing that made possible to use CSRF token and also fix#902
* Update _badgemenu.html
* New config files
As decided, config files are parsed at runtime.
I decided to go for YAML config files because there can be comments in
it.
There are 2 files:
* config/default_config.yml <= which shouldn't be edited unless we add a
config parameter
* config/config.yml <= which is the user-defined config. This file
shouldn't be commited
Changed every call to config.XXX to config.Conf.XXX (look to the new
stucture of config in config/types.go)
Of course, putting config parameters in config.yml overrides config in
config_default.yml. You don't have to put everything in it, just add
what you want to override.
* Fixing test
Replacing conf.New by config.Conf
* Fixing call to config.Conf to config.Config{} in test files
* Might have fixed testing with this
Printf instead of Fatalf
* Renaming config.yml in example file
* Forbid commiting config.yml
* Should be now fixed
* Do not need this file anymore
As per suggestion of @yiiTT, CSRF is limited on users login,
registration, profile edit, comments post, torrent edit.
Uploads are not yet CSRF protected because api upload can't be used for
that
* added pagination
* cleanup
* indentation fix
* fix
* Loads theme from context
* Basic theme switching working
* working properly
* Fuck golint tbqh
* united language and theme into one settings page
* made the settings page a little nicer
* fixed it so it works properly now
* removed parts of inline js and fixed bug
* removed remains of other theme switching method
* fixed very minor bug
* fix
* Added a new function to only update columns of table user (less
useless query)
* Changed method to GET instead of POST because it is a link not a
button anymore
* Display of user profile if changes are successful
* Making the code Golint friendly
* No exported variables when not needed
* Same for functions
* Simplifying Templates variables with a form basic template variable
and a modelList basic template variable
* Adapted templates to new template variables
* use of .Models instead of model list
* use of .Form instead of modelform
* Small fix
* Small fix 2
Forgot $.Form
* Reverting templateDir as a var
* Torrent Mass Edit Api (WIP)
* Torrents can be deleted in mass from frontend with api post request
* Torrents status can be edited from frontend with api post request
-- Look to function doc for more info on how to use it
It is a WIP so it might not work =D
* Finished Mass mod Api
As per suggestion of @yiiTT in #720, I added:
* Changing torrents category
* Deletion of reports with deletion of a torrent
* Changing owner of multiple torrents
Commit also add some new translation strings.
* Make some changes
* Reports can now be cleared for the torrents selected without having to
delete them
* Users with no admin rights can't delete reports
* Fix moveto to status
moveto deprecated in api
* Tested and works!
Changes:
* Updates only the colomns of torrent table
* Moved categories config in config/torrents.go
* Forgot this file in last commit
* Less useless queries
The use of Save makes it that users are created and updates also all the
associatiated models. Better to just update the colomns needed (less
useless queries)
* Some Updates
* Added a new status of 5 for locking torrents
* Modifying the list torrents view for using it in deleted torrents view
* Added function to get deleted torrents
* Torrents (and reports) can be definitely deleted
* Some new translation string
* Fixing
* fix 2
* Added upload check for locked torrents
If a user owns a torrent, has deleted it and try to repload it. As long
as it has not been locked, he can.
* Fixing wrong condition in isdeleted
* Finished
* Info messages on success when deletes or lock
* Fixed double deleted_at is Null
* Added Link to view of deleted torrents
* Added new translation string
* Torrents can be deleted in mass from frontend with api post request
* Torrents status can be edited from frontend with api post request
-- Look to function doc for more info on how to use it
It is a WIP so it might not work =D
* Implement HEAD for /view/{id}
Implement HEAD for the torrent view route by calling GetRawTorrentById.
Run gofmt on the file while we are here.
* Implement HEAD for /api/view/{id}
Implement HEAD in the same way as /view/{id}
Also run gofmt on the api_handler.go
User can edit torrents
* delete torrents
+ New translation string for mod panel and user edit torrent panel
+ Improvement of messages util with implementation of T (no need to get
Tfunc now, messages util do that for you)
+ Use of @ElegantMonkey GetCategories to generate select of categories
in search and forms
* Use ModeratorDir variable
* Rename cookieHelper to cookie_helper for consistency
* Use named constant instead of literals
* Fix ability to upload when uploads are disabled
The old code let people upload under the right conditions when uploads
were disabled. (ie: User is banned and config.AdminAreStillAllowedTo is
false)
* Increase timeout (fixes#517)
* Fix inconsistent indentation *.{js, css} (fix#583)
* Fix negative page
Temporary fix. The issue was that going to a negative page caused the
sql query to have a negative offset. This caused an error in the
database query.
We need to cleanup this code, but this will work for now.
* Fix wrong PG_DATA directory due to upgrade to 9.6
* Add server status link to FAQ
* Fix failing tests
* Clarify group_vars/all and hosts doc
* Add a wrapper to protect /mod route
* Fix login page not showing form errors
* Keep naming consistent
* Remove execute bit from files
* Default to DefaultLanguage (without passing it to the func)
* Remove commented code
* Use Content-Type to get language json
* Lines of 400 characters is dumb
* Update new repo in README
* Remove useless script since we fallback to a defaultlang
* Fix fallback language panic
* Fix uninitialized MaxPerPage when not in querystr
The issue was that the req.MaxPerPage was not set (default to 0) when
the query string didn't include "max". This makes the server query the
whole db since the resulting limit is 0.
* Fix creating empty torrents (only worked once)
* Lines of 400 characters is still dumb
akuma06
Steindór
Eliot Whalan
nopjmp
alucard0134
tomleb
Ramon Dantas
PantsuDev
sfan5
ayame-git
ripdog
SpamNeko
Your Name