NodeBB Support Group



  • You can drag this icon:

    One Post does not allow replies from non-staff.

    Click this toaster to go back to where you were regardless of where you entered the thread:

    You can disable infiniscroll in your profile settings.

    Your post is run through an HTML parser and any tag that is not whitelisted gets completely escaped. That means you can enter a <script> tag and have it show up in the post, but it also means invalid HTML gets mangled (for example, ending tags are fixed) unless you escape it with either Markdown ` or HTML escaping.



  • Entering a thread marks the thread as read, regardless of how many posts in the thread you read. If you want to leave the thread before reading all the posts, you'll probably want to go back to the first post and mark the thread as unread. NodeBB will remember your last read post no matter if the thread is marked read or unread.



  • @ben_lubar said:

    You can drag this icon:

    ... for what purpose?



  • Everyone has been able to figure out that the resize-the-composer button resizes the composer, but most people had trouble with the fact that you could do things other than just maximizing it.


  • Discourse touched me in a no-no place

    Bookmarked for future reference. Thanks Ben :-)



  • Posting also causes the browser to scroll down to your post (unless it only scrolls down to the bottom of the currently loaded posts). I opened this, but @apapadimoulis got my github account hellbanned and the jerks at github aren't rescinding it after contacting them:

    After posting a reply the browser scrolls to the bottom of the topic. The browser should stay where it was so the user can keep reading from where he left off (even if it's only a user option to do so).

    We have a lot of long topics and losing one's place in there causes a lot of grief.

    That's the text I entered. Since no one from NodeBB has said anything there yet, I suspect they can't see it either. Maybe someone else needs to say something.

    EDIT: If you want to talk about github, go here.


  • mod

    16 posts were split to a new topic: In which Boomzilla is banned from Github


  • mod

    6 posts were merged into an existing topic: :horse: :car: Horses and Fords



  • @boomzilla said:

    https://github.com/NodeBB/NodeBB/issues/4363

    The devs have started chewing on it. Of course a PR was solicited. :grimacing:

    I poked around the code a bit and was overwhelmed, as one is when first peeking into a significant code base, especially in an unfamiliar language or whatever. I'm thinking about spinning up a new VM later today...



  • Happy to accept PR for a user setting though. That would be a nice thing to have.

    Something's wrong here...
    Where's the arrogance? Where's the assertion that 'long topics is doing it wrong'? Why has it not been locked already?

    :smile:


  • sockdevs

    they've been quite responsive to me so far. I've issued three PRs and counting regarding things for Sockbot. all were reviewed promptly (except for the first one that needed to get their attention for.... i think i did that one wrong, the others have been very quick to respond.)

    community seems nice too. very friendly.

    and the code is actually followable. it took me all of a couple of hours to find the bits and pieces i needed to poke for the first PR. and even less from then on.



  • @accalia said:

    it took me all of a couple of hours to find the bits and pieces i needed to poke for the first PR. and even less from then on.

    I'll report back. I have a VM up and running now. You found my post on the web installer. :smile: I hadn't even read to that point because the "alternatively" came below. Probably if they had said initially that there were two ways to do it, I would have looked farther.

    The directions were excellent to that point, so it was surprising that there was no command line for that step.


  • sockdevs

    @boomzilla said:

    it was surprising that there was no command line for that step.

    it was surprising to me too, that's actually why i went looking for the command version of it.

    I think the way to trigger the web installer is to just start nodebb and visit the homepage... but i've always hated the idea of the web installer because... well what if someone happens to drive by and snipe your install out from under you?



  • You can either use the web installer that it shows when there's no database config or type ./nodebb setup.


  • sockdevs

    ah. so i was right about how to start it then.

    i just used ./nodebb setup myself.



  • @accalia said:

    I think the way to trigger the web installer is to just start nodebb and visit the homepage.

    That's what I did.

    @accalia said:

    ...but i've always hated the idea of the web installer because... well what if someone happens to drive by and snipe your install out from under you?

    Well, this is in a VM I just created that's sitting on my local network. The only other person with access currently is my wife, who doesn't know the host name of the VM and wouldn't care if she did. But yeah, I get what you're saying in a more general case.



  • @accalia said:

    I think the way to trigger the web installer is to just start nodebb and visit the homepage... but i've always hated the idea of the web installer because... well what if someone happens to drive by and snipe your install out from under you?

    That's what .htaccess is for; set a username and password while installing and setting up, then remove the creds when you're done ;)


  • mod

    So my general plan to have SockRPG use a web-based installer isn't a go then? ;)

    I think Wordpress' easy install functionality is one of the major factors in its wide adoption.



  • I'm sorry, are you proposing we use Apache with NodeBB the way one would use a PHP script?


  • sockdevs

    @Yamikuronue said:

    So my general plan to have SockRPG use a web-based installer isn't a go then? :wink:

    nah. i understand the why of them.... and it's a good reason too.... i just don't like them.

    ;-)


  • sockdevs

    @ben_lubar said:

    I'm sorry, are you proposing we use Apache with NodeBB the way one would use a PHP script?

    ooh! IDEA!

    a NodeJS compiler for PHP!

    now you can run your fancy NodeJS code on the ultra stable and epic awesome PHP platform!



  • I was thinking of making a Node-to-Go compiler, but then I realized that it would either be a JavaScript interpreter or a really complicated static analysis thing.



  • @accalia said:

    but i've always hated the idea of the web installer because... well what if someone happens to drive by and snipe your install out from under you?

    Deploy the initial config with HTTP auth and/or IP lock. Or run it on a non-exposed port and forward via SSH. Or use a VPN.



  • The setup doc doesn't make the site accessible until the setup is done.


  • sockdevs

    @CatPlusPlus said:

    Deploy the initial config with HTTP auth and/or IP lock. Or run it on a non-exposed port and forward via SSH. Or use a VPN.

    there are solutions, tons of them. doesn't change the fact that the whole web installer thing "feels wrong" to me

    then again, letting random sites execute javascript on my computer also "feels wrong" to me, but i generally let them do it (mediated by uBlock, and noscript of course)



  • @accalia said:

    there are solutions, tons of them. doesn't change the fact that the whole web installer thing "feels wrong" to me

    It's fairly annoying, because it usually means that the deployment is hard to fully automate. I don't want a pretty UI, I want something that I can feed to Ansible, dammit.


  • sockdevs

    @CatPlusPlus said:

    It's fairly annoying, because it usually means that the deployment is hard to fully automate. I don't want a pretty UI, I want something that I can feed to Ansible, dammit.

    If i had my druthers i'd ask Jane to do it for me.



  • @accalia said:

    that the whole web installer thing "feels wrong" to me

    Because you wouldn't want someone to happen across your unconfigured forum at the specific time between initial boot and you configuring it, and doing what? Helpfully configuring it for you?



  • "Oh no, somebody put their database credentials into my forum and now I have access to their database!"

    To be fair, you can install packages from NPM in the admin panel...


  • sockdevs

    @loopback0 said:

    Because you wouldn't want someone to happen across your unconfigured forum at the specific time between initial boot and you configuring it, and doing what?

    rooting the box.

    some pieces of software allow a surprisingly large amount of control over the system. particularly any that allow remote installing of plugins or software addons.



  • @accalia said:

    rooting the box

    If you're running any web application as root and it's not in its own Docker container or whatever, you're :doing_it_wrong:



  • @accalia said:

    rooting the box.

    From a forum web installer? Why would that even be running as root?


  • sockdevs

    anyone who can execute arbitrary code on your box, regardless of their current security level is a security risk. once you can execute arbitrary code you can perform privilege escalation attacks to gain root.



  • root in a container is by default root in a host system. There's support for UID namespaces now but running Docker with that introduces some limitations, and you have to turn it on explicitly.

    Anyway the webapp doesn't have to run as root, any arbitrary code execution is potential privilege escalation. And even non-privileged code can do damage, if you're not locking down everything tightly with SELinux or something.

    These installers usually don't assume that they'll be accessible by untrusted users, that's why it might be a problem.



  • But keep in mind that this requires the attacker to know you're setting up a NodeBB forum and for them to catch you before you enter the credentials. Which isn't a very big attack surface if you consider that most forums being set up using the web UI will be only accessible inside someone's house.



  • @CatPlusPlus said:

    root in a container is by default root in a host system.

    What can root do if it can't access any physical block devices, any of the processes outside of the container, the real network interface, or anything on the filesystem outside of its little chroot jail?



  • It's not very probable, unless you're setting a new thing up under existing URL, etc, but I'd still lock the site until it's ready. Security is a subset of paranoia, after all. ;)

    @ben_lubar said:

    What can root do if it can't access any physical block devices, any of the processes outside of the container, the real network interface, or anything on the filesystem outside of its little chroot jail?

    I don't think there are any known escape methods at the moment, but there have been in the past. The official Docker stance is still "we're not guaranteeing you can contain arbitrary code running at UID0" I believe. User namespaces mitigate that because from the host POV you're actually running code at UID 10000whatever, not 0.
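
Added example, not part of any post in this thread: a Python check for the UID-namespace point made above. It parses the kernel's `/proc/<pid>/uid_map` format and reports whether UID 0 inside the namespace is also UID 0 in the parent namespace; both sample maps are constructed, and the remap base `100000` is an assumed value.

```python
"""Check whether UID 0 in this user namespace is also UID 0 outside it."""
from pathlib import Path

# Constructed samples in uid_map format: "inside-start outside-start length".
SAMPLE_NO_USERNS = "         0          0 4294967295\n"  # no remapping
SAMPLE_REMAPPED = "         0     100000      65536\n"   # assumed remap base


def parse_uid_map(text):
    """Return a list of (inside_start, outside_start, length) tuples."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        ranges.append(tuple(int(f) for f in fields))
    return ranges


def outside_uid(ranges, inside_uid):
    """Translate a UID inside the namespace to the parent's UID (None if unmapped)."""
    for inside_start, outside_start, length in ranges:
        if inside_start <= inside_uid < inside_start + length:
            return outside_start + (inside_uid - inside_start)
    return None


def root_is_host_root(text):
    """True when namespace UID 0 maps to UID 0 in the parent namespace."""
    return outside_uid(parse_uid_map(text), 0) == 0


def main():
    path = Path("/proc/self/uid_map")
    # Fall back to the constructed sample on systems without procfs.
    text = path.read_text() if path.exists() else SAMPLE_NO_USERNS
    if root_is_host_root(text):
        print("UID 0 here is UID 0 in the parent namespace: no remapping in effect")
    else:
        print("UID 0 here maps to", outside_uid(parse_uid_map(text), 0))


if __name__ == "__main__":
    main()
```

Run inside the container, the file shows the mapping into the parent namespace, which is the host only when the container's user namespace is a direct child of the host's.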



  • @CatPlusPlus said:

    I'd still lock the site until it's ready

    Don't worry, I've taken every necessary precaution.



  • @ben_lubar said:

    Don't worry, I've taken every necessary precaution.

    What about unnecessary precautions?



  • Those two combined mean when I post a reply, I have to wait up to 2 seconds before the screen is responsive again.

    The NodeBB guys think 2 seconds is a long time... I like that :smile:

    Found on https://github.com/NodeBB/NodeBB/issues/4371


  • sockdevs

    @RaceProUK said:

    Those two combined mean when I post a reply, I have to wait up to 2 seconds before the screen is responsive again.

    The NodeBB guys think 2 seconds is a long time... I like that :smile:

    Found on https://github.com/NodeBB/NodeBB/issues/4371

    that is a good sign indeed.

    :-)



  • new topic button isn't working for me at https://discourse.local.lubar.me/



  • Shame :laughing:



  • It works for me, but my connection might be shit for anyone not in my house.



  • Works fine here.



  • Chat is working well, I can read things, and everything else is snappy. I just can't create topics and can't reply to anything.



  • Why is that a problem? You'll only delete them anyway.



  • I can't delete things them if I can't post, that's the natural order of things



  • @RaceProUK said:

    Why has it not been lockedsilently deleted already?

    FTFY



  • It's a labour-saving tactic.

