RE: General talk about the security off NodeBB

@xCausxn There aren't any very good websocket mapping webscanners/tools, the only real option is intercepting each websocket transmission in burp and testing each one. From this I'd assume nobody has really bothered testing all the routes for security purposes.

The NodeBB team will patch security issues reported in the middle of the night in like 15 minutes, so they've got a great security posture.

From a permissions and logging standpoint NodeBB doesn't really step up to the plate. It's likely that if someone compromised your forum you'd have absolutely no helpful logs to detect the attacker or how they got in. This is probably the biggest security concern at the moment I'd say. The permissions system is a little haphazard right now, and I'd wager it is the most likely place you'd find security vulns(but more than likely it'd just be viewing information you shouldn't).

Luckily, if your forum was compromised, user passwords wouldn't really be too at risk. They use a secure hashing algorithm with automatic salts(you'll notice logging in takes a second!). This is because generating that hash is computationally expensive, a good thing.

The loop to add buttons was merged into persona. A similar addition should probably be added to vanilla.

I now add buttons in my plugin via hook filter:post.getPosts and in the hook:

  Plugin.postsBuild = function(params, cb) {
    var histButton = {action: 'posts/edithistory', icon: 'fa-file-text', html: 'Edit History'};

    async.map(params.posts, function(post, next) {
      if(!post) return next();

      if(!!post.tools) {
        post.tools = [];
      }
      post.tools.push(histButton);

    });

    cb(null, params);
  };

here's a PR to take care of it--

https://github.com/NodeBB/nodebb-theme-persona/pull/158
https://github.com/NodeBB/NodeBB/pull/3604

dwendt created this issue in NodeBB/nodebb-theme-persona

closed Added post tools loop for plugins. #158

dwendt created this issue in NodeBB/NodeBB

closed Added filter:posts.build and postData.tools array for adding buttons #3604

Hey, I feel like I'm missing something but is there currently no method to have a plugin add a button to a post?

partials/topic/post-menu.tpl pulls data from a posts object defined here -- so that's where I guess a filter:posts.build would go, and then we'd add something similar to regFormEntry to the partial.

It feels sorta inefficient to do that for every single post but I guess that's what needs to be done? Am I missing something somewhere?

Redis is just as reliable as mongo and can be backed up to a different server just as easily, above.

No, redis is only installed if you set it to use redis in setup.

@xCausxn There aren't any very good websocket mapping webscanners/tools, the only real option is intercepting each websocket transmission in burp and testing each one. From this I'd assume nobody has really bothered testing all the routes for security purposes.

The NodeBB team will patch security issues reported in the middle of the night in like 15 minutes, so they've got a great security posture.

From a permissions and logging standpoint NodeBB doesn't really step up to the plate. It's likely that if someone compromised your forum you'd have absolutely no helpful logs to detect the attacker or how they got in. This is probably the biggest security concern at the moment I'd say. The permissions system is a little haphazard right now, and I'd wager it is the most likely place you'd find security vulns(but more than likely it'd just be viewing information you shouldn't).

Luckily, if your forum was compromised, user passwords wouldn't really be too at risk. They use a secure hashing algorithm with automatic salts(you'll notice logging in takes a second!). This is because generating that hash is computationally expensive, a good thing.

That's great, I am actually working on pretty much the same thing (semantic-ui, but with everything designed to be more friendly to old-style forum users).

I add semantic-ui as a submodule git submodule add and have a script to handle compilation / then copy the results to the lib and less (even though it is CSS) folders.

I didn't encounter your LESS issue because I'm not throwing everything out just yet, but try running grep -r "state-info-text" ./* to find the culprit.

I was thinking of making this plugin if nobody's already done so. Would just need to observe filter:post.save and purge to remove the history entries. It'd be nice to store just the diffs to save space, if there's already a library to handle diff->json and json back to applying a diff.

One concern I'd have is being able to display an edit history gui for a post that is theme agnostic. Not sure there's a way to do that? A modal with custom styling might be the best option in that case.

So when a page loads, vanilla will fade the contents in. I've looked pretty hard -- does anyone know where this is at? A loading bar/popin is way better, so I was going to fork and pull that out of lavender.

"IP Blacklist" as in a spam/malware blacklist. These are lists that security-conscious owners would naturally block, but occasionally contain innocent infected users.