azareal / gosora Goto Github PK

/user/edit/critical/submit/
There was a security issue with your request.

I can not change my password?

Certain actions like fiddling with 2FA or deleting an account or forum should require re-authentication, perhaps forcing them to authenticate through all their authentication methods (both password and 2FA, if they have 2FA enabled).

We don't want to annoy users too much though, so we should probably have a grace period after that where the system doesn't bother them as much, although it should still have an "Are you sure?" for deleting accounts.

Alternatively, we might want to force mods / admins to re-authenticate in order to access the Control Panel rather than ambushing them when they're doing one particular action, although the notion of the Control Panel might grow weak in the future, if we start exporting functionality out of there in favour of making the software friendlier and less filled with ceremony.

Perhaps, a hybrid approach might work? Needs research.

This one keeps getting delayed, but we really need an area in the Control Panel where the administrator can manage which widgets they want and where they should appear.

Admin can change its username in admin panel but has no permission to change it own password.
Is that intended?

PgSQL would be a nice database to have.

Blocked by lib/pq#24

http://secunet.cc/topic/create/submit/?s

When i toppic is created this error message appears.
The toppic gets created anyway.

An error has occurred
Bad file

An error has occurred
There was a security issue with your request.

I'll throw this here, so I don't forget about it. Editing pure text posts seems to be fine, although I haven't tested multi-line posts, but ones with attachments seem to break.

This is probably because we're using {{.ContentHTML}} instead of {{.Content}} for the textarea for replies, we might want to go something along the lines of how we do things in the opening post.

http://localhost/user/edit/notifications

An error has occurred
The provided UserID is not a valid number.

Some good measures were implemented like the JS gate and the trap question, but we might want something even more powerful like this that's harder for a bot to deal with consistently.

I have an idea in mind for a CAPTCHA (which I won't mention, lest they prepare for it) which should help keep the pesky little creatures out. We might also want to add email domain blacklists in addition to it to help in getting rid of the annoying little machines.

I'm adding some information for using Gosora without a systemd service, although this is mainly intended for use behind a reverse-proxy or to try out the software.

We should mostly bypass the server when creating topics and just have it send back a message to say whether it's succeeded or not and what the ID for the topic is.

I'll leave a checklist of the things I need to call Docker supported.

• Dockerfile. Done.
• Tweak the update pipeline. In progress.
• Make the installer accept flags. Not started.
• Write a mountain of documentation for installing via, updating via, and administrating via Docker. Not started.

It would be nice to have non-javascript option for certain networks such as Tor and I2P
Have tried to test it works or not with tor browser on demo forum, but even register was not possible for now.

Users should be able to make replies without being shunted up to the top of the page or doing a roundtrip to the server complete with the entire page being re-rendered and served.

There are two parts to this:

• Replies to topics.
• Replies to profiles (might be delayed to v0.2 and forked into it's own issue on here).

This header can be useful for running scripts which shouldn't, however there are a few spots where we run inline scripts, so we want to make sure we don't end up killing those along with the baddies.

We probably want to start by surveying every spot with inline scripts and going through there, perhaps we can keep them working with a nonce or something while still getting that anti-XSS goodness.
There are plenty of resources on the web which go into it, but Troy Hunt as an interesting stance in: https://www.troyhunt.com/locking-down-your-website-scripts-with-csp-hashes-nonces-and-report-uri/

We're probably going to want to fix the bug where the WYSIWYG editor on Cosora, Trumbowyg, occasionally spews out some strange HTML in posts.

We want users to be able to subscribe to forums, there are several use cases for this:

• The user might want to be notified when an announcement comes in.
• They might want to be informed when a report is made. Reports are currently implemented with a reports forum, so this is one way to do moderation alerts without necessarily having to implement moderation alerts, although it might be useful to have a second alert stream to seperate it from the more mundane things in the header.
• A user might want to be informed of everything that happens on a small site without much activity.
• A user might want to be informed of everything that happens in a small forum without much activity.

It seems like the dynamic menu system has somewhat broken the menus on small mobiles, we should probably fix that.

There are two options we could do for this, tweak the HTML markup in the menu template or rebuild the CSS files every-time someone changes the menus on their site, I'm leaning towards the first as it's the far saner choice, although it'll bloat the DOM slightly.

I forked gopsutil a few months ago as a commit came out which caused some major slowdowns in Gosora, but it might be time to explore resyncing with the latest commits and seeing if they have any problems.

Posts which are inline edited aren't properly rendered until the page is refreshed.
I've fixed this bug in the upcoming commit, but I'm leaving this issue here for reference.

Transitioning from a topic page to the topic list should be a lot faster than it is now, especially when we have already visited the page. For this, we could use data from our previous visit to the topic list and perhaps some accompanying data from the server.

This is part of the rapid series of issues which tries to reduce the software's reliance on the server, as things have a tendency of getting slower as we move further away from the physical server.

Plugin Guilds has been in disrepair for a while and I'd to bring it back to life, and not only that but I'd to revamp it to make it more powerful than ever. E.g. A new interface, an easier to maintain architecture, and far more functionality.

Creating the admin user Error 1364: Field 'oldestItemLikedCreatedAt' doesn't have a default value Aborting installation...

We might want to look into using a ten times faster than JSON message format like MessagePack.

I think would be nice if all plugins will be in their own folder

A lot of the error messages aren't localised, although they're hopefully things the users won't be running into one a too frequent basis, we might want to localise these sooner or later though, so that people who don't speak English can understand the errors better.

There should a way for users to see which other users are currently viewing a topic, possibly in a widget of sorts? It needs to be visible enough for the user to take notice (in contrast to the competition), but not so excessive that it takes their attention from everything else.

The analytics system is fairly powerful (although, I'm not satisfied with what we have), but I have noticed it lead to a number of different pages in the Control Panel Menu.

I would like to see if we can bring this number down without reducing the functionality of the Control Panel, perhaps by adding more drop-downs, etc?

I'd like to see what we can do to get Unicode characters in the URLs. E.g. as part of slugs.
We currently only have support for latin characters there. This might take a bit of research though.

I believe Discourse handles other languages by simply leaving out the slug and just having an ID, but this makes it harder for users to tell the subject of a URL simply by looking at it.

We're probably going to want a single source of truth rather than supporting numerous formats (Markdown, HTML, and BBCode) in plugins and possibly risk markup showing up when one of these plugins is disabled.

The single source of truth, for instance, could be HTML which the WYSIWYG naturally consumes anyway.
Each plugin (or possibly even the core) could take in their respective formats and translate that to HTML.

Translating it back on-demand on the client-side for any BBCode Editors (if there are any) shouldn't be too costly in any case.

I'll need to move more route logic into middleware where possible to reduce the amount of boilerplate and to make things a little more flexible.

It would be useful, if posts could be stored in some sort of local memory prior to submission, so that if the browser crashes or they go some other page for some reason, then the user will be able to continue typing their post after they come back rather than start over on it.

http://localhost/user/admin.1

http://localhost/user/something

This is basically for a family of features centered around pushing content in real-time (or within acceptable margins) to the client in order for them to quickly react to events as they occur.

For instance, someone might want to know when an incident occurs and they have to go in to moderate a forum, or several people might want to have a fast paced discussion without having to refresh the page several times to see the other people's opinions.

However, it also needs to be possible for administrators to quickly and easily disable this feature (possibly just picking a sub-feature rather than the entire component?), as they might opt to leave it off for any number of concerns including scalability or it not being a cultural fit for their community.

There are multiple parts to this:

• Live Alerts. Currently implemented.
• Live Moderation Alerts. Requires Moderation Alerts first, currently on the backburner.
• Live Topic List. Currently in development.
• Live Forum List. Debating it, how useful is it to you?
• Live Forum. Not in development yet.
• Live Topics. Debating it, how useful is it to you?
• Live PMs. Requires PMs first, currently on the backburner.

Things are nearly done here, but I need to move the rest of the routes into the routes package, so it's easier for people to maintain and develop for Gosora.

EQCSS.js was originally added in the Cosora Theme to spark a new paradigm of UI development, but it seems to have taken a toll on performance, despite the modifications I made to my copy of it to reduce the weight of the thing.

It's not so much that the library is slow, as much as it is it's insistence to scan every CSS file and not subsets of them. Beyond rolling my own EQCSS, or modifying it beyond what I'm willing to maintain, it would seem that there is little which can really be done to improve it's performance.

And despite intending to use it more, use of it has actually held steady with a single element query, one query which has a major impact on improvement everywhere. That is not acceptable. I think it's time to see it for the failed experiment that it was, it was a nice idea, but it's time to cut back.

It's already absent in the older themes like Shadow and in the upcoming Nox Theme. This should increase perceived performance for the end-user on first load in particular by a fair bit and it should be doable in a span of a few days of so, in contrast, to the time it would take to get anything meaningful done with EQCSS in the realm of performance.

Users should be able to hover over relative times in order to see the actual dates for those items, maybe have some sort of interface where you can click on the date to flip the two?

This is likely to be a recurring issue as new features land, but we want to make sure that the older themes don't fall too far behind the flagship themes in usability and functionality (unless they're retired, of course).

Per-topic view counts are a little useless as they count all the views from the start of time to now, I'd like to do something a little more useful where you can restrict that to the last day, week or month.

Anything further back (asides from all-time) isn't worth tracking and would just waste resources.

Chosen theme seems to fall back to default theme when login is unsuccessful .

Login: https://gosora-project.com/accounts/login/
Unsuccesful referral: https://gosora-project.com/accounts/login/submit/

Nox is a dark theme which will be the next major theme after Cosora (although, not necessarily the last theme for Gosora).

It features a redesigned main menu (which now has the user's username and avatar in the menu for them to quickly see who they're logged in as and to help personalize the experience) and a number of visual changes to make the software quicker and easier to use.

It also helps to simplify the CSS rules in some areas to make writing Gosora themes easier and helps to push the theme system to new heights by challenging it to do things none of the themes did before.
It's currently in development, but I should be able to unveil it fairly soon.

There should be a way for users to compare their levels and to see who has the top level to perhaps fuel their competitive streaks? And to help to gamify the system a little more.

It would nice to have Middleware support perhaps implemented with Alice.

We probably want to add support for Let's Encrypt directly in Gosora, so it can manage our certificates for us. There are plenty of good tools which can do this already to some extent, but it would be nice, if we could eliminate the burden entirely, especially when the software is exposed directly to the internet.

We should use AJAX for loading pages in the Control Panel in order to speed it up, although I'll have to keep a careful eye on any inline scripts we have there and I'll have to make sure that the CSRF counter-measures still work.

in install.bat

We should use a more sophisticated smiley replacement mechanism where it only replaces traditional smiley codes with their associated emoji when the smiley is a standalone word rather than embedded inside something that might very well be a piece of code or something important.

I want to know the Admin password, Because I couldn't find any information about the password.

There are a few spots in the Control Panel which I seem to have missed, it's probably not a particularly high priority task as only administrators can access it, but I'd like to get the software open to a more international audience.