feat: import content + x-forwarded toggle

5b9dd43e · Nick · fddde494 · 5b9dd43e · 5b9dd43e · 5b9dd43e
Commit 5b9dd43e authored Oct 05, 2019 by Nick
9 changed files
--- a/client/components/admin/admin-general.vue
+++ b/client/components/admin/admin-general.vue
@@ -163,6 +163,7 @@
                    persistent-hint
                    hint='Prevents other websites from embedding your wiki in an iframe. This provides clickjacking protection.'
                    )
+
                  v-divider.mt-3
                  v-switch(
                    inset
@@ -176,6 +177,16 @@
                  v-divider.mt-3
                  v-switch(
                    inset
+                    label='Trust X-Forwarded-* Proxy Headers'
+                    color='red darken-2'
+                    v-model='config.securityTrustProxy'
+                    persistent-hint
+                    hint='Should be enabled when using a reverse-proxy like nginx, apache, CloudFlare, etc in front of Wiki.js. Turn off otherwise.'
+                    )
+
+                  v-divider.mt-3
+                  v-switch(
+                    inset
                    label='Enforce HSTS'
                    color='red darken-2'
                    v-model='config.securityHSTS'
@@ -250,6 +261,7 @@ export default {
        featureTinyPNG: false,
        securityIframe: true,
        securityReferrerPolicy: true,
+        securityTrustProxy: true,
        securityHSTS: false,
        securityHSTSDuration: 0,
        securityCSP: false,
@@ -296,6 +308,7 @@ export default {
            featurePersonalWikis: _.get(this.config, 'featurePersonalWikis', false),
            securityIframe: _.get(this.config, 'securityIframe', false),
            securityReferrerPolicy: _.get(this.config, 'securityReferrerPolicy', false),
+            securityTrustProxy: _.get(this.config, 'securityTrustProxy', false),
            securityHSTS: _.get(this.config, 'securityHSTS', false),
            securityHSTSDuration: _.get(this.config, 'securityHSTSDuration', 0),
            securityCSP: _.get(this.config, 'securityCSP', false),

--- a/client/components/admin/admin-groups-edit.vue
+++ b/client/components/admin/admin-groups-edit.vue
@@ -18,7 +18,7 @@
                v-icon(color='red') mdi-trash-can-outline
            v-card
              .dialog-header.is-red Delete Group?
-              v-card-text Are you sure you want to delete group #[strong {{ group.name }}]? All users will be unassigned from this group.
+              v-card-text.pa-4 Are you sure you want to delete group #[strong {{ group.name }}]? All users will be unassigned from this group.
              v-card-actions
                v-spacer
                v-btn(text, @click='deleteGroupDialog = false') Cancel

--- a/client/components/admin/admin-utilities-importv1.vue
+++ b/client/components/admin/admin-utilities-importv1.vue
--- a/client/graph/admin/site/site-mutation-save-config.gql
+++ b/client/graph/admin/site/site-mutation-save-config.gql
@@ -13,6 +13,7 @@ mutation (
  $featurePersonalWikis: Boolean!
  $securityIframe: Boolean!
  $securityReferrerPolicy: Boolean!
+  $securityTrustProxy: Boolean!
  $securityHSTS: Boolean!
  $securityHSTSDuration: Int!
  $securityCSP: Boolean!
@@ -34,6 +35,7 @@ mutation (
      featurePersonalWikis: $featurePersonalWikis,
      securityIframe: $securityIframe,
      securityReferrerPolicy: $securityReferrerPolicy,
+      securityTrustProxy: $securityTrustProxy,
      securityHSTS: $securityHSTS,
      securityHSTSDuration: $securityHSTSDuration,
      securityCSP: $securityCSP,

--- a/client/graph/admin/site/site-query-config.gql
+++ b/client/graph/admin/site/site-query-config.gql
@@ -15,6 +15,7 @@
      featurePersonalWikis
      securityIframe
      securityReferrerPolicy
+      securityTrustProxy
      securityHSTS
      securityHSTSDuration
      securityCSP

--- a/server/app/data.yml
+++ b/server/app/data.yml
@@ -45,6 +45,7 @@ defaults:
    security:
      securityIframe: true
      securityReferrerPolicy: true
+      securityTrustProxy: true
      securityHSTS: false
      securityHSTSDuration: 300
      securityCSP: false

--- a/server/graph/resolvers/site.js
+++ b/server/graph/resolvers/site.js
@@ -46,6 +46,7 @@ module.exports = {
        WIKI.config.security = {
          securityIframe: args.securityIframe,
          securityReferrerPolicy: args.securityReferrerPolicy,
+          securityTrustProxy: args.securityTrustProxy,
          securityHSTS: args.securityHSTS,
          securityHSTSDuration: args.securityHSTSDuration,
          securityCSP: args.securityCSP,
@@ -53,6 +54,12 @@ module.exports = {
        }
        await WIKI.configSvc.saveToDb(['host', 'title', 'company', 'seo', 'logo', 'features', 'security'])

+        if (WIKI.config.security.securityTrustProxy) {
+          WIKI.app.enable('trust proxy')
+        } else {
+          WIKI.app.disable('trust proxy')
+        }
+
        return {
          responseResult: graphHelper.generateSuccess('Site configuration updated successfully')
        }

--- a/server/graph/schemas/site.graphql
+++ b/server/graph/schemas/site.graphql
@@ -38,6 +38,7 @@ type SiteMutation {
    featurePersonalWikis: Boolean!
    securityIframe: Boolean!
    securityReferrerPolicy: Boolean!
+    securityTrustProxy: Boolean!
    securityHSTS: Boolean!
    securityHSTSDuration: Int!
    securityCSP: Boolean!
@@ -64,6 +65,7 @@ type SiteConfig {
  featurePersonalWikis: Boolean!
  securityIframe: Boolean!
  securityReferrerPolicy: Boolean!
+  securityTrustProxy: Boolean!
  securityHSTS: Boolean!
  securityHSTSDuration: Int!
  securityCSP: Boolean!

--- a/server/master.js
+++ b/server/master.js
@@ -48,7 +48,7 @@ module.exports = async () => {
  app.use(mw.security)
  app.use(cors(WIKI.config.cors))
  app.options('*', cors(WIKI.config.cors))
-  if (WIKI.config.trustProxy) {
+  if (WIKI.config.security.securityTrustProxy) {
    app.enable('trust proxy')
  }