Discussion of NodeBB Updates


  • Notification Spam Recipient

    @ben_lubar said in NodeBB Updates:

    • Posts can no longer have 1 replies.


    Well, you're not wrong...



  • I don't like the new emoji. 🚎 in particular is less nice now.



  • :kermit_flail:



  • @wharrgarbl said in Discussion of NodeBB Updates:

    :kermit_flail:

    That one I like. It's just the do-over of Emoji One I don't like.



  • @ben_lubar said in NodeBB Updates:

    Update scheduled for 19:00 UTC

    Highlights

    • User-specific CSS can now be set in user settings.
    • Everyone likes it when the Emoji One set completely changes, right?
    • Added :kermit_flail: and :thonking:
    • 🌈
    • Posts can no longer have 1 replies.
    • Fixed chat layout on mobile.

    Change lists

    Happy Memorial Day weekend, @area_usa!

    People enjoyed :thonking: so much Ben added it? Wow.

    Wait, was I not the person that shared :thonking: ?


  • FoxDev

    @JazzyJosh said in Discussion of NodeBB Updates:

    Wait, was I not the person that shared :thonking: ?

    The PR was mine, and I got it from a Discord server I'm on, so if it was originally you who mentioned it, then I stole your thunder :P



  • @RaceProUK said in Discussion of NodeBB Updates:

    @JazzyJosh said in Discussion of NodeBB Updates:

    Wait, was I not the person that shared :thonking: ?

    The PR was mine, and I got it from a Discord server I'm on, so if it was originally you who mentioned it, then I stole your thunder :P

    Wait, I added it to a Discord server you're on after I accepted the PR...

    :thonking:


  • FoxDev

    @ben_lubar This may come as a shock, but there's more than one Discord server 😛


  • Notification Spam Recipient

    Status: This is one truly awful color combination when f.lux is active...



  • 🚽 Regular

    @Tsaukpaetra said in Discussion of NodeBB Updates:

    Status: This is one truly awful color combination regardless of whether f.lux is active...



  • @Tsaukpaetra Well, now you don't even need fancy pants browser extensions to override that horrible mess with some sensible CSS.




  • @hungrier ...I still haven't decided whether I want to move any of my giant mass of CSS from my userscript into the fancy new box, or if I do, how much of it I want to move there (a fair amount of it only applies to stuff that the userscript does, anyway)...

    ...it's really a fairly non-insignificant amount of CSS...
    .versions .fa {
        padding: 6px;
        cursor: pointer;
    }
    .versions[data-version='1'] .fa-chevron-left, .versions.last-version .fa-chevron-right, .versions.last-version .fa-trash {
        color: #aaa;
        cursor: default;
    }
    .versions[data-max-version='1'] {
        transition: linear 2s;
        opacity: 0;
    }
    
    .navbar.header {
        -moz-user-select: none;
    }
    
    [data-original-title="Categories"] ~ .tooltip {
        display: none !important;
    }
    
    .category-list-bar {
        width: 100%;
        overflow: hidden;
        background: #fff;
        position: absolute;
        white-space: nowrap;
        border-bottom: solid 1px #eee;
        transition: linear .25s;
    }
    
    .category-list-bar li {
        display: inline-block;
        vertical-align: top;
        margin: 0 5px;
        padding: 0;
    }
    
    .categories.category-list-bar > li .content h2 {
        margin-left: 55px;
    }
    
    .categories.category-list-bar .content .icon {
        margin: 0;
        position: absolute;
    }
    
    .category-list-bar .category > ul {
        opacity: 1;
    }
    
    .category-list-bar .subcategory {
        padding: 0;
        margin: 0 0 0 50px;
        display: block;
        min-height: unset;
    }
    
    .category-list-bar .subcategory ul {
        padding: 0 0 0 20px;
    }
    
    .category-list-bar .subcategory .subcategory {
        margin: 0;
    }
    
    summary {
        display: list-item !important;
    }
    
    
    .floating {
        position: absolute;
        line-height: 0;
        z-index: 1;
    }
    
    .floating.orphaned {
        position: fixed;
        transition: bottom 1s, opacity 0.2s;
        box-shadow: 0 0 15px 15px white;
        left: unset !important;
        top: unset !important;
        bottom: 15px;
        right: 15px;
        opacity: 1;
    }
    
    .floating.orphaned[data-state-name="playing"] {
        z-index: 2;
    }
    
    .floating.orphaned:after {
        content: 'X';
        position: absolute;
        background: rgba(255, 255, 255, 0.5);
        box-shadow: 0 0 5px white;
        border-radius: 0.75em;
        text-align: center;
        line-height: 1.5em;
        font-weight: bold;
        cursor: pointer;
        height: 1.5em;
        width: 1.5em;
        right: -4px;
        top: -2px;
        opacity: 0;
        transition: opacity 0.2s;
    }
    
    .floating.orphaned:hover {
        z-index: 3;
    }
    
    .floating.orphaned:hover:after {
        opacity: 1;
    }
    
    .floating.orphaned iframe {
        width: 240px !important;
        height: unset !important;
    }
    
    .floating.orphaned ~ .orphaned {
        bottom: 55px !important;
    }
    
    .floating.orphaned ~ .orphaned ~ .orphaned {
        bottom: 95px !important;
    }
    
    .floating.orphaned ~ .orphaned ~ .orphaned ~ .orphaned {
        bottom: 135px !important;
    }
    
    .floating.orphaned ~ .orphaned ~ .orphaned ~ .orphaned ~ .orphaned {
        bottom: 175px !important;
    }
    
    /* 5 videos should be enough for anyone, right? */
    
    
    /* Make the "drag and drop images here" div *correctly* cover the composer area */
    /* This has sort of been fixed already, but I still like mine better... */
    .imagedrop > * {
        position: relative;
        top: 50%;
        transform: translatey(-50%);
    }
    .imagedrop {
        top: 0 !important;
        height: 100% !important;
        left: 0;
    }
    
    /* Replace hyphens with spaces in @mentions (this is an UGLY HACK) */
    a.plugin-mentions-a {
        font-family: "@mention";
        font-size: inherit !important;
    }
    @font-face {
        font-family: "@mention";
        font-style: normal;
        font-weight: 400;
        src: local("Roboto"), local("Roboto-Regular"), url("https://fonts.gstatic.com/s/roboto/v16/CWB0XYA8bzo0kSThX0UTuA.woff2")format("woff2");
        unicode-range: U+0-2C, U+2E-FF, U+131, U+152-153, U+2C6, U+2DA, U+2DC, U+2000-206F, U+2074, U+20AC, U+2212, U+2215, U+E0FF, U+EFFD, U+F000;
    }
    @font-face {
        font-family: "@mention";
        font-style: normal;
        font-weight: 400;
        unicode-range: U+2D;
        src: url("data:font/woff2;base64,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") format("woff2");
    }
    
    /* Prevent @mentions from showing up inside code blocks because ... seriously, wtf? */
    /*.hljs a.plugin-mentions-a, code a.plugin-mentions-a {
        font: inherit;
        pointer-events: none;
    }
    .hljs, code {
        cursor: text;
    }*/
    
    /* Make the preview container override the -moz-user-select: none that the entire composer has */
    .preview-container .preview {
        -moz-user-select: element;
    }
    
    /* Force the toaster notifications to appear at the top of the page, not the bottom */
    div.alert-window {
        top: 70px;
        bottom: auto;
    }
    
    /* Kill the ugly glowy border on the Lounge */
    body {
        box-shadow: none !important;
    }
    
    /* Make the highlight on unread notifications more visible */
    .container li.unread[data-nid] {
        background-color: #fcf8af;
    }
    
    /* Fix search result panels, because they have a max-height of 250px and cutting them off is :WTF: */
    /* Oh, and the stupid "fade-out" element doesn't use a gradient that displays properly in Firefox */
    .search-result-text {
        max-height: 600px !important;
        overflow: auto !important;
    }
    .search-result-text * {
        font-size: 100% !important;
    }
    .search-result-text .fade-out {
        display: none;
    }
    
    /* Prevent the edit/delete chat message tools from affecting the message's layout */
    .chat-content li.chat-message .controls {
        position: relative;
        margin-top: -25px;
    }
    
    /* Offset the post anchors enough vertically that the top of the post isn't underneath the header */
    .topic a[component="post/anchor"] {
        top: -83px;
    }
    
    .topic-list li.unread[data-cid="28"] a, /* Games */
    .topic-list li.unread[data-cid="29"] a, /* Mafia */
    .topic-list li.unread[data-cid="31"] a, /* Mafia - Current Game */
    .topic-list li.unread[data-cid="42"] a, /* Borderlands RPG */
    .topic-list li.unread[data-cid="43"] a, /* Borderlands RPG - Rules */
    .topic-list li.unread[data-cid="44"] a, /* Borderlands RPG - Character Info */
    .topic-list li.unread[data-cid="48"] a  /* PBP RPGs */ {
        color: #555;
    }
    
    [component$="/header"] > .fa-arrow-circle-right[title="moved"i] {
        display: none;
    }
    
    .topic .posts .icon .user-icon {
        overflow: hidden;
    }
    
    .topic .posts .content .iframely-link:last-child {
        margin-bottom: 2px;
    }
    
    .content [title]:not([component]):empty:after {
        content: attr(title);
        font-weight: initial;
        font-style: italic;
        color: #007c00;
    }
    
    .composer .resizer {
        left: 0;
    }
    
    .composer .resizer .trigger {
        width: 100%;
        height: 20px;
        top: -24px;
        left: 0;
        margin: 0;
        padding-left: 20px;
        background: none !important;
        border: none !important;
        border-radius: 0;
        line-height: 26px;
        cursor: ns-resize;
        text-align: left;
    }
    
    .composer .resizer .trigger i {
        color: #333;
        background: rgba(255,255,255,.5);
        border-radius: 50%;
        height: 22px;
        width: 22px;
        text-align: center;
    }
    
    .composer .resizer:hover .trigger i {
        visibility: hidden;
    }
    
    /* this is too easy to click by mistake */
    .header .notif-dropdown-link .mark-all-read, .header .notif-dropdown-link:empty {
        display: none;
    }
    
    .replies-last {
        display: none;
    }
    
    /* Make elements with the "hidden" attribute visible, styled similar to HTML comments */
    [hidden] {
        display: unset !important;
        font-style: italic;
        color: #008000;
    }
    [hidden] * {
        font-style: italic;
        color: #008000 !important;
    }
    [hidden] > em {
        font-style: initial;
    }
    
    /* Ensure that the last element in posts has a margin under it, because otherwise it can overlap the post tools (:wtf:) */
    .content > *:last-child {
        margin: 0 0 10px;
    }
    
    /* Style posts differently based on upvoted or downvoted status... ok, mostly just downvoted */
    .topic .posts .downvoted > .content img:not(.emoji):not(:hover), .downvoted > .content video:not(:hover) {
        max-height: 20px !important;
        max-width: 40px !important;
        border: none;
        padding: 0;
        position: unset !important;
    }
    .downvoted > .content .js-lazyYT:not(:hover) {
        padding-bottom: 90px !important;
        width: 160px !important;
        height: 90px !important;
    }
    .downvoted > .content .js-lazyYT:not(:hover) .ytp-large-play-button {
        transform: scale(0.4) !important;
    }
    .downvoted > .content .panel-iframely {
        margin: 0;
        border: none;
        box-shadow: none;
    }
    .downvoted > .content .iframely-container * {
        display: inline !important;
        padding: 0;
        margin: 0;
        width: auto !important;
        height: auto !important;
    }
    .downvoted > .content .panel-iframely h4 {
        font-size: inherit;
        font-weight: inherit;
        line-height: inherit;
    }
    .downvoted > .content .iframely-meta, .downvoted > .content .iframely-embed .media,
    .downvoted > .content .description, .downvoted > .content .thumb {
        display: none !important;
    }
    .downvoted > .content big {
        font-size: 100%;
    }
    
    /* Replace deleted posts with "This post is deleted !" until you hover over it (if it's a post you deleted) */
    /*
    .posts .deleted:not(.cached) > .content:not(:hover) {
        color: transparent;
    }
    .posts .deleted:not(.cached) > .content:not(:hover):not(:empty)::before {
        content: 'This post is deleted!';
        position: absolute;
        color: #333;
    }
    .posts .deleted:not(.cached) > .content:not(:hover) > *,
    .posts .deleted:not(.cached) .divider:last-child {
        display: none;
    }
    */
    
    .deleted[data-uid="197"] > .post-footer > .pull-right > .post-tools [component],
    .deleted[data-uid="197"] > .post-footer > .pull-right > .votes,
    .deleted[data-uid="197"] > .post-footer > .pull-right > .moderator-tools,
    .deleted > .post-footer > .pull-right > .post-tools [component],
    .deleted > .post-footer > .pull-right > .moderator-tools,
    .deleted > .post-footer > .pull-right > .votes {
        display: inline !important;
    }
    
    .deleted[data-uid="197"] > .post-footer > .pull-right [component="post/quote"],
    .deleted[data-uid="197"] > .post-footer > .pull-right > .votes .fa,
    .deleted.not-cached:not([data-uid="197"]) > .post-footer > .pull-right [component="post/reply"],
    .deleted > .post-footer > .pull-right [component="post/quote"],
    .deleted > .post-footer > .pull-right > .votes .fa {
        background: transparent !important;
        box-shadow: 0 0 1px 1px lightgray inset;
    }
    
    .deleted > .post-footer > .pull-right .divider,
    .deleted > .post-footer > .pull-right .view-raw,
    .deleted > .post-footer > .pull-right .reply-as-topic {
        display: none;
    }
    
    .deleted[data-uid="197"] > .post-footer > .pull-right :not([role="presentation"]) > a:not([component="post/reply"]):not([data-toggle]) {
        color: lightgray;
    }
    
    .deleted.not-cached:not([data-uid="197"]) > .post-footer > .pull-right [component="post/reply"],
    .deleted:not([data-uid="197"]) > .post-footer > .pull-right a:not([component="post/reply"]),
    .deleted[data-uid="197"] > .post-footer > .pull-right .post-tools a:not([component="post/reply"]),
    .deleted[data-uid="197"] > .post-footer > .pull-right .votes a {
        pointer-events: none;
        color: lightgray;
    }
    
    .plugin-mentions-a[href$="/uid/197"] {
        background: rgba(255, 255, 0, 0.8);
        box-shadow: 0 0 2px rgba(255, 255, 0, 0.8);
        border-radius: 0.5em;
    }
    


  • @anotherusername I've kept all my stuff in Stylish, at least for now. Some day the benefits of having my CSS be usable on my phone may outweigh the work required to change it.





  • @ben_lubar said in NodeBB Updates:

    • Added a huge number of Dilbert characters and also apparently whoever Todd is.

    I found these:
    :dilbert: :phb: :wally: :alice: :dogbert: :catbert: :asok: :ratbert: :tina: :elbonian: :topper: :loud_howard:

    Am I missing any?

    :todd: is apparently from the TV series, and is a mashup of Dilbert, Wally, Alice, Asok, and Loud Howard.


  • Trolleybus Mechanic

    @izzion said in Discussion of NodeBB Updates:

    Important note for infiniscroll users on potatoes!

    This change will cause infiniscroll to fully respect your "Settings > Pagination > Posts Per Page" setting (subject to the server limit, which is currently 50). If you have a high post per page setting, your browser will try to keep 2x the number of posts per page in the DOM after reloading additional posts. This may result in undesired memory consumption on resource limited systems.

    Reducing your posts per page setting will result in fewer posts maintained in the DOM and thus less memory consumption.

    50 posts.

    Each post contains, what, 100 words? About 500 bytes?

    50 posts is 25k of data.

    And that overloads the browser's memory?!?

    Fucking web 3.0.



  • @Lorne-Kates when you factor in all the DOM nodes, 100 posts is potentially a lot. Gotta have all that event binding.



  • @ben_lubar said in NodeBB Updates:

    Update scheduled for 16:15 UTC.

    Highlights

    What are all these alternative admin and mod groups? It seems the management structure of this forum is even more confusing than wtfbank


  • FoxDev

    @wharrgarbl said in Discussion of NodeBB Updates:

    the management structure of this forum

    That implies there's a structure



  • @RaceProUK schemaless management?


  • FoxDev

    @wharrgarbl said in Discussion of NodeBB Updates:

    @RaceProUK schemaless management?

    That implies there's management


  • BINNED

    @wharrgarbl

    Mods: [image] original discourse group.

    Global Moderators: contains the same people as mods, might be we ended up with a double pit of laziness after the migration.

    Alternative Mods: [image]

    Mafie-dadoeda: related to the mafia games

    By Joining ...: you choose [yes] so you are mentioned at random ... @by-joining-this-group-you-agree-to-be-mentioned-randomly-for-no-reason-is-that-okay-yes-no

    Administrators: not a group but something special ... one thing is sure: it doesn't do work



  • @Luhmann said in Discussion of NodeBB Updates:

    Administrators: not a group but something special ... one thing is sure: it doesn't do work

    Those are the shadow forum government



  • @wharrgarbl said in Discussion of NodeBB Updates:

    @ben_lubar said in NodeBB Updates:

    Update scheduled for 16:15 UTC.

    Highlights

    What are all these alternative admin and mod groups? It seems the management structure of this forum is even more confusing than wtfbank

    The only real admin group is administrators and the only real mod group is Global-Moderators. administators and mods are subsets of those groups (mods contains the other two admins you would recognize and does not include test accounts, administators includes the three admins you recognize and does not include Alex, Remy, Mark, etc.). ALTERNATIVE-MODS is a novelty group that anyone can join if they want the Fake News badge.



  • @Luhmann said in Discussion of NodeBB Updates:

    not a group

    Nah, it's a group, it's just not visible. Like the Mafia-Scum group.



  • @wharrgarbl said in Discussion of NodeBB Updates:

    @Luhmann said in Discussion of NodeBB Updates:

    Administrators: not a group but something special ... one thing is sure: it doesn't do work

    Those are the shadow forum government

    Paging @shadowmod


  • Notification Spam Recipient

    @ben_lubar said in NodeBB Updates:

    Update scheduled for [redacted].

    • NodeBB changes not noteworthy apart from one that one of the @administators will explain later.

    It's later! I demand service from [redacted]!


  • Discourse touched me in a no-no place

    @tsaukpaetra said in Discussion of NodeBB Updates:

    It's later! I demand service from [redacted]!

    I'm not entirely clear/happy that it's been mitigated properly...

    But an explanation will be forthcoming once I am.



  • I thought the sticky titles were annoying enough to be solved in the next release


  • 🚽 Regular

    Seems like the fix has been to make the title randomly disappear and hope it returns all right.


  • FoxDev

    @ben_lubar said in NodeBB Updates:

    • NodeBB changes not noteworthy apart from one that one of the @administators will explain later.

    @pjh said in Discussion of NodeBB Updates:

    @tsaukpaetra said in Discussion of NodeBB Updates:

    It's later! I demand service from [redacted]!

    I'm not entirely clear/happy that it's been mitigated properly...

    But an explanation will be forthcoming once I am.

    ...... that sounds dangerously ominous..........


  • FoxDev

    @zecc said in Discussion of NodeBB Updates:

    Seems like the fix has been to make the title randomly disappear and hope it returns all right.

    That function isn't called in the way I expected 😕


  • kills Dumbledore


  • 🚽 Regular

    @raceprouk Could it be a case of "don't forget to hard-refresh :giggity:"?


  • FoxDev

    @jaloopa said in Discussion of NodeBB Updates:

    @raceprouk

    Clearly, the answer is to never rely on blubar for testing.


  • Discourse touched me in a no-no place

    @accalia said in Discussion of NodeBB Updates:

    ...... that sounds dangerously ominous..........

    The problem is fixed. The symptoms it caused, to my mind, aren't.


  • BINNED

    @pjh said in Discussion of NodeBB Updates:

    The problem is fixed. The symptoms it caused, to my mind, aren't.

    That sentence just fried my internal logic module.


  • Discourse touched me in a no-no place

    @luhmann said in Discussion of NodeBB Updates:

    @pjh said in Discussion of NodeBB Updates:

    The problem is fixed. The symptoms it caused, to my mind, aren't.

    That sentence just fried my internal logic module.

    An analogy:

    1. I stopped drinking 10 hours ago. (problem fixed. Well I wouldn't consider that a problem, but you know what I mean)
    2. My hangover hasn't gone away yet. (there are some symptoms of the problem lingering around that need tidying up.)

  • FoxDev

    @pjh It seems what I did was a partial fix at best. Sadly, I'm not au fait enough with NodeBB as a whole to track and fix the rest of the issue (not yet, anyway).


  • Discourse touched me in a no-no place

    @raceprouk said in Discussion of NodeBB Updates:

    @pjh It seems what I did was a partial fix at best. Sadly, I'm not au fait enough with NodeBB as a whole to track and fix the rest of the issue (not yet, anyway).

    The issue I'm talking about has nothing to do with the titles 🙂


  • BINNED

    @pjh said in Discussion of NodeBB Updates:

    The issue I'm talking about

    Are you attending the Lubar Business School of non-communication? 😁


  • Discourse touched me in a no-no place

    @luhmann said in Discussion of NodeBB Updates:

    Are you attending the Lubar Business School of non-communication?

    Acting visiting-Professor, until I'm happy with the fix.


  • BINNED

    @pjh said in Discussion of NodeBB Updates:

    visiting-Professor

    without tenure you are nothing


  • kills Dumbledore

    @pjh so it's something related to security or disclosure of sensitive information?

    And serious enough that it's being kept hidden rather than letting us play with it as we are wont to do


  • Discourse touched me in a no-no place

    @jaloopa Indeed.

    Well not that there's anything left to play with - as noted, that bit's fixed.



  • @wharrgarbl said in Discussion of NodeBB Updates:

    schemaless

    Oh, schema-less. At first it looked like something else.


  • Notification Spam Recipient

    @pjh said in Discussion of NodeBB Updates:

    @luhmann said in Discussion of NodeBB Updates:

    Are you attending the Lubar Business School of non-communication?

    Acting visiting-Professor, until I'm happy with the fix.

    OMGWTFBBQ how hard is it to spay her?!?! Geeze and I thought my bitch was bad (she had to go down twice because apparently they're abnormally big or something but they couldn't find the second one).


  • Discourse touched me in a no-no place


  • Discourse touched me in a no-no place

    Spoilers

    @pjh said in Discussion of NodeBB Updates:

    Acting visiting-Professor, until I'm happy with the fix.

    I have been reliably informed that I should now be happy.

    As a preface, and as a nod to the NodeBB team's responsiveness, I would like to point out that the actual issue was

    1. reported (through security@nodebb.org) at 3.20 am UTC (don't ask why I was awake then to find the problem.)
    2. acknowledged by the first person within 3 minutes
    3. by more than one member within 5 minutes
    4. fixed, but not patched here, within 40 minutes

    Code to deal with collateral damage (it's now 20:15 UTC) has been pushed less than 24 hrs later.

    Now to what I was going to post about 12 hrs ago (8.00am UTC), before I realised the stuff about collateral damage:


    The code added to handle

    introduced a security leak, in that the token used to identify you to the system to access protected RSS feeds (i.e. on here, groups that you need to be logged in to view) was made available as part of public user data, to even non-logged in users, at https://what.thedailywtf.com/api/user/<username>.

    The original fix simply removed that datum from the API. (And, subsequently further fixes invalidated any tokens already handed out - this latter is what delayed this post.)

    The hole had been there for two weeks (the time of the introduction of the code,) and only ever in master rather than any point release versions.

    I'm guessing, from the response from the NodeBB team, that we're the only ones running master, seriously, in production.

    The token concerned only allows something to authenticate as you only for the purpose of accessing RSS feeds - it cannot be used to impersonate you for any other activity on the site (such as posting new content.)

    Mitigating:

    • Not many people are aware of the route, so not many people will have 'seen' it
    • The hole has only been in there for two weeks
    • Only on master which most sites shouldn't be using in production anyway
    • It's unlikely search-engines won't have (certainly Google hasn't) any cached versions of those URLs
    • Any tokens already issued up to the implementation/update of the fix have now been invalidated

    You may all now scream, and shout, about how it shouldn't have happened and should have been tested.

    But, do realise, that - as was with Discourse - we are actually the testers.

    Only our last group project failed rather badly...

    Continue to be nice to the new ones please?
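
Added example (not part of the thread and not NodeBB's code): a small model of the leak class described in the post above, where a per-user feed token ends up in a public user record, together with the two fixes the post mentions, removing the field from the response and invalidating tokens already handed out. The thread does not say how the field reached the API, so the denylist serializer is an assumed cause; the field names (`rssToken`, `postcount`), function names and sample users are all constructed for illustration.

```javascript
// Hypothetical model, not NodeBB source. All names are assumptions.
const { randomBytes, timingSafeEqual } = require('node:crypto');

const newToken = () => randomBytes(16).toString('hex');

// Constructed sample store: uid -> stored user record.
function makeStore() {
  return new Map([
    [1, { uid: 1, username: 'alice', postcount: 42, password: 'hash-a', rssToken: newToken() }],
    [2, { uid: 2, username: 'bob', postcount: 7, password: 'hash-b', rssToken: newToken() }],
  ]);
}

// Weak pattern: start from the whole record and strip known secrets.
// A secret field added later (here rssToken) is public by default.
const DENYLIST = ['password'];
function serializeDenylist(record) {
  const out = { ...record };
  for (const f of DENYLIST) delete out[f];
  return out;
}

// Hardened pattern: the response is built from an explicit allowlist,
// so a new stored field stays private until someone opts it in.
const PUBLIC_FIELDS = ['uid', 'username', 'postcount'];
const OWNER_FIELDS = ['rssToken'];
function serializeAllowlist(record, viewerUid) {
  const fields = viewerUid === record.uid ? PUBLIC_FIELDS.concat(OWNER_FIELDS) : PUBLIC_FIELDS;
  const out = {};
  for (const f of fields) {
    if (Object.prototype.hasOwnProperty.call(record, f)) out[f] = record[f];
  }
  return out;
}

// Regression check: does any stored secret value appear anywhere in the
// JSON a viewer receives? Returns the names of the leaked fields.
const SECRET_FIELDS = ['password', 'rssToken'];
function leakedSecrets(record, responseBody) {
  const json = JSON.stringify(responseBody);
  return SECRET_FIELDS.filter((f) => record[f] && json.includes(record[f]));
}

// Feed access check: the presented token must equal the stored one.
// Compared in constant time so the check does not reveal partial matches.
function feedAllowed(store, uid, token) {
  const record = store.get(uid);
  if (!record || typeof token !== 'string') return false;
  const a = Buffer.from(token);
  const b = Buffer.from(record.rssToken);
  return a.length === b.length && timingSafeEqual(a, b);
}

// Cleanup after exposure: removing the field from the API does nothing
// for tokens that were already readable, so every token is replaced.
function rotateAllTokens(store) {
  let rotated = 0;
  for (const record of store.values()) {
    record.rssToken = newToken();
    rotated += 1;
  }
  return rotated;
}
```

Running `leakedSecrets` over every public route's response in a test suite catches this class of regression before a release, whichever serializer produced the response.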


  • Grade A Premium Asshole

    @pjh at least they responded, very timely response also I might add, and took care of it in short order. No one is perfect, I won't rake them over the coals.

