Badger's revenge

This is a very small patch to address a bug in today's Badger release.

Badger

Badger release (v2.1.0)

Goals

This is a small release due to a surplus of holidays in France during the Month of May.
We'd been planning to implement Password-protected Pads for a long time, but we had not found a good opportunity to do so within our roadmap.
After a generous donation from one of our users who considered this a critical feature, we were able to dedicate some resources towards delivering it to all of our users.

Update notes

This release depends on new APIs in our chainpad-crypto module. Additionally, we have fixed a critical bug in chainpad-listmap.
Admins will need to update their clientside dependencies with bower update when deploying.

What's new

For Users

• Users can now protect their new pads with a password.
  • This makes it safer to share very sensitive links over email or messengers, as anyone who gains access to the link will still need the password to edit or view pads.
  • This also protects your pads against browsers which share your history across devices via the cloud.
  • We recommend that you share passwords using a different messenger tool.
  • Passwords cannot be set or changed after creation time (yet), so we also recommend you consider how secure your pad will need to be when you create it.
• Password protection coincides with an update to our URL encoding scheme. URLs are generally quite a bit shorter than before, while offering more functionality.
• Existing users will have a short delay the first time that they load this version of CryptPad, as it contains a migration of their CryptDrive's data format.
  • This migration is very tolerant of interuptions, so if you need to close your browser while it is in progress, you are free to do so.

For Admins

• Admins can look forward to happier users!

Bug fixes

• data loss when reconnecting in our poll app
• we've fixed a minor bug in our poll app which caused an increasing number of tooltips to be added to elements

Alpaca

Alpaca release (v2.0.0)

This is the first release of our 2.0 cycle.

After careful consideration we've decided to name each release in this cycle after a cute animal, iterating through the letters of the Latin alphabet from A to Z.

Goals

We wanted to update CryptPad's appearance once more, adopting the colors from our logo throughout more of its interface.

Update notes

This release coincides with the introduction of new APIs in ChainPad, so we recommend that adminstrators update their clientside dependencies by running bower update.

As recent updates have updated serverside dependencies, we also recommend that you run npm update and restart your server.

What's new

For Users

• CryptPad 2.0.0 features a complete German-language translation, thanks to contributions from @polx, @kpcyrd, and @michaelachmann
• CryptPad has a new look!
  • we've adopted the color scheme of our logo for more UI elements throughout CryptPad, on the loading screen and various dialogs
  • we've customized our checkboxes and radio buttons to match
  • we've updated the look of our pad creation screen to feature up to four templates per page, with tab and button navigation
  • tooltips have been made to match the dialogs on our pad creation screen
  • clients now store their usage of various templates in their CryptDrive, and rank templates by popularity in the pad creation screen
  • we no longer show usage tips on the loading screen
• Users who visit pads which have been deleted or otherwise do not exist are now prompted to redirect to their home page
• Our poll and whiteboard apps now use an in-house CSS framework to help us maintain consistency with the other applications

For Admins

• we've updated the example configuration file (config.example.js) to no longer require a leading space before the domain, as we found it to be a common source of confusion. This will only affect newly generated config files.
• our webserver has been configured to support HTTP access of the client datastore, to facilitate scripts which parse and decrypt history without having to go through our websocket infrastructure
• we no longer use a single image for our favicon and our loading screen icon, allowing admins to customize either feature of their instance independently
• We've also moved the rest of the styles for the loading screen from /common/ into /customize.dist/,
• move loading screen implementation from /common/ to /customize.dist/

Bug fixes

• don't eat tab presses when focused on register button
• idempotent picker initialization
• CKEditor fixes
  • drag and drop text
  • media-tag movement integrated as CKEditor plugin
  • avoid media-tag flicker on updates
• set content type for the 404 page

toSource

toSource release (v1.29.0)

Goals

For this release we wanted to direct our effort towards improving user experience issues surrounding user accounts.

What's new

• newly registered users are now able to delete their accounts automatically, along with any personal information which had been created:
  • ToDo list data is automatically deleted, along with user profiles
  • all of a user's owned pads are also removed immediately in their account deletion process
• users who predate account deletion will not benefit from automatic account deletion, since the server does not have sufficient knowledge to guarantee that the information they could request to have deleted is strictly their own. For this reason, we've started working on scripts for validating user requests, so as to enable manual deletion by the server administrator.
  • the script can be found in cryptpad/check-account-deletion.js, and it will be a part of an ongoing effort to improve administrator tooling for situations like this
• users who have not logged in, but wish to use their drive now see a ghost icon which they can use to create pads. We hope this makes it easier to get started as a new user
• registered users who have saved templates in their drives can now use those templates at any time, rather than only using them to create new pads
• we've updated our file encryption code such that it does not interfere with other scripts which may be running at the same time (synchronous blocking, for those who are interested)
• we now validate message signatures clientside, except when they are coming from the history keeper because clients trust that the server has already validated those signatures

Bug fixes

• we've removed some dependencies from our home page that were introduced when we updated to use bootstrap4
• we now import fontawesome as css, and not less, which saves processing time and saves room in our localStorage cache
• templates which do not have a 'type' attribute set are migrated such that the pads which are created with their content are valid
• thumbnail creation for pads is now disabled by default, due to poor performance
  • users can enable thumbnail creation in their settings page
• we've fixed a significant bug in how our server handles checkpoints (special patches in history which contain the entire pads content)
  • it was possible for two users to independently create checkpoints in close proximity while the document was in a forked state. New users joining while the session was in this state would get stuck on one side of the fork, and could lose data if the users on the opposing fork overrode their changes
• we've updated our tests, which have been failing for some time because their success conditions were no longer valid
• while trying to register a previously registered user, users could cancel the prompt to login as that user. If they did so, the registration form remained locked. This has been fixed.

Admin notes

This release features breaking changes to some clientside dependencies. Administrators must make sure to deploy the latest server with npm update before updating your clientside dependencies with bower update.

toString

toString release (v1.28.0)

Goals

For this release, we focused on improving performance and expanding support for owned pads, providing more administrative options for users.

What's new

• We've added basic support for deleting your account from our server. The settings page exports a signed request to delete your data, along with all the information the server administrator will need to identify which data is yours. In the near future we plan to automate this process entirely.
• Other people's owned pads are no longer included in the list of pads that count towards your personal data quota
• New users who register will now create their CryptDrive as an owned pad, granting them additional administrative rights over it
• We've improved the layout of the poll app while in its mobile layout
• We've updated the layout and content of the Pad Creation Screen, simplifying it, and hopefully making it easier to use
• We've updated two of our dependencies: ChainPad and ChainPad-Listmap.
  • Listmap now accepts configuration parameters which make it possible to create a collaborative object as an owned pad, or as having an automatic expiration time. This has facillitated the owned drive feature listed above.
  • ChainPad now features a drastically improved diff algorithm, which should make many of CryptPad's features significantly more performant. This improved diff has also fixed a regression in our support for emoji in pads.
  • Finally, we've updated some of the code which uses ChainPad to better handle errors originating in the consensus mechanism.
• We've upgraded from Bootstrap 3 to Bootstrap 4

Bug fixes

• We've fixed some issues in the share menu which allows users to construct and share collaboration links
• The rich text editor was falsely identifying narrow windows as being mobile devices, causing CKEditor's toolbar to be hidden. This should now be fixed
• We've fixed some problems in the logic governing join and leave notifications for other editors in pads

null

null release (v1.27.0)

Goals

For this release, we wanted to work on making it easier for new users to approach CryptPad.
That included

• making it more obvious that you can register
• simplifying our interface
• making it easier to just start typing
• providing a FAQ to answer common questions

What's new

For users

• we've compiled a list of the questions we receive most commonly into faq.html, and linked to it from our home page
• we've hidden the disconnection alert in our editors, and animated the reconnecting text in the toolbar to provide the same functionality without interrupting disconnected users who are trying to read
• UI for pads which have been removed from the server
• warnings for pads which will be removed
• we no longer display initial text in newly created pads. Instead, we present a blank pad and some separate help text which users can hide
• when using the pad creation screen, new pads are created as owned and unlimited, meaning that the creator of the pad will have the ability to delete it from the server, but it will not be removed unless they explicitly take action to do so.
  • it also features a save button, which will preserve your current settings as your new defaults
• we've added some keyboard shortcuts to speed up common workflows for experienced CryptPad users
  • Mac users can bring up the pad creation dialog while in their CryptDrive or in a pad using CMD+E
  • everyone can use the tab key to select the next item in the pad creation screen
  • use the enter key to create a pad with your current choices on the pad creation screen
  • you can select all the items in your CryptDrive using CTRL+A, or CMD+A on a Mac
• we've standardized the order of buttons in the right side of apps' toolbars, and in the toolbar's drawer
• when you load your CryptDrive, if another user's owned pad no longer exists on the server, it will be removed from your CryptDrive
• we've improved our apps' layouts on mobile devices

For admins

• we've added scripts for removing inactive, unpinned pads, with a configurable time before a pad is considered inactive
  • see inactiveTime in config.example.js
  • you will need to provide your own method of periodically calling this script. We use a crontab
• we've updated the version of our Express.js dependency to mitigate some denial-of-service vulnerability
  • you will need to run npm update on your instance if you are serving static assets

Bug fixes

• improved support for Internet Explorer
  • fixed some layout issues caused by different CSS syntax
• fixed inconsistent tooltips in the toolbar
• restored the missing media-tag creation button in the code app (while in markdown mode)

undefined

Undefined release (1.26.0)

Goals

For our first release after having finished all 26 letters of the alphabet, we wanted to deploy some features that we've been working on for some time: Owned Pads, and the Pad Creation Screen.

Components of these two features have been in development for some time, and we're very happy to be able to put it all into production.
Users will now be able to set some more basic permissions about a pad at the time that they create it.

New features

• the Pad creation screen allows users to set basic attributes of a pad at the time that they create it
  • a pad can be owned or open.
    • owned pads can be deleted by their creators
    • open pads have no owner, and cannot be removed by anyone except the server administrator
  • a pad can be expiring or unlimited
    • expiring pads have a set lifetime, after which they will be removed from the server
    • unlimited pads last as long as a registered user has the pad in their drive, unless its owner chooses to remove it
• serverside scripts
  • schedule removal of files
• new extension points
  • server administrators who wish to customize their CryptPad instance now have a more ways to do so. To learn more, see the wiki
• better tests for completeness of translations
• registered users can navigate to the accounts.cryptpad.fr from their settings page, making it easier to administrate your account

Bug fixes

• the todo app could get into a bad state where it would fail to load. we've added sanity checks for the data structure which will attempt to fix it
• the loading screen was not displayed correctly on the register and login pages, but this has been fixed
• retrieving a pad's full history from the server could take a significant amount of time, depending on the age of the pad in question. We've removed an arbitrary time limit from the code which made it impossible to retreive some older history
• links to encrypted files shown by the properties dialog in the drive (accessible via the contextmenu) behave differently from other links, and as such displayed https://cryptpad.frundefined for a read-only link, but this has been fixed.

Updating

Administrators who wish to upgrade to this version will need to update dependencies and restart their server:

cd /path/to/cryptpad
npm update
bower update
# restart your server and update cache settings

Finally, the task of removing documents which should have expired is not handled by the CryptPad server itself.
You will need to periodically run the script: cryptpad/expire-channels.js

We recommend writing a cronjob which runs this script every 5 minutes.
If this is not an option, you can disable the pad creation screen via cryptpad/customize/application_config.js, by setting AppConfig.displayCreationScreen = false;

Zombie

Zombie release (v1.25.0)

What's new

• We've made some changes in our code editor
  • We've added support for Org-mode with some help from @ryanpcmcquen
  • we've decided to replace the default markdown syntax highlighting module with github-flavoured markdown, as many users have reported that they've had difficulty discovering its features
• We've changed how the Share menu works
  • Instead of a dropdown menu, users are now presented with dialog which allows them to craft a link with several options:
    • edit/view link
    • embed mode
    • present mode
  • afterward they can:
    • copy the link to their clipboard by clicking a button
    • open the link in a new tab
• System administrators who want to debug their CryptPad server's performance can capture Heap dumps
  • see config.example.js for the require statement which loads the necessary module
  • you will need to install dependencies with npm install, and relaunch your server
  • if you have difficulties installing because of the new dependency, you can ignore it by running npm install --production
• CryptDrive
  • The "+" ghost icon is no longer displayed in folders in the trash
  • we've refactored the context menu code to make it easier to add or update options
  • we've added the option to view a file in its parent folder, when viewing it within the recent pads or experimental owned pads category
• It was possible (though unlikely) that a user could navigate to a 404 page from within the sandboxed iframe used for UI elements. If this occurred, users were prompted to go to the home page (or their CryptDrive if they were logged in). This would erroneously navigate the iframe, and not the parent frame, but we've fixed that.
• Our custom popup dialogs, which we use in place of browser's native alert, confirm, and prompt, now feature colored buttons to better hint to users what the outcome will be. Dangerous actions may be coloured red, default actions are colored white, and cancel actions are a darker grey.
• The Settings page now links to https://accounts.cryptpad.fr
• We've added a page which illustrates the different features available to registered users, available at https://cryptpad.fr/features.html
• The home page now features a meta description tag for SEO purposes
• We've implemented a number of extension points for CryptPad. It is now possible to:
  • add elements to the share menu
  • hook into the login/logout process, to integrate into LDAP or some other SSO system
  • retrieve an avatar image from a third-party source
• We've prepared the vast majority of the features necessary for our EXPERIMENTAL Pad Creation Screen
  • when creating a new pad, users will be presented with a screen with various options
  • a newly created pad can be owned or not. owned pads can be deleted at a later time by their owners
  • creators may also specify an automatic expiration time, after which that pad will be deleted (if so configured by the server administrator)
• The encrypted-file display app is now styled to include a grey backround, rather than a plain white background

Bug fixes

• In case an encrypted file has been deleted by the server, we now display a message explaining that the file could not be retrieved
• It was possible to bypass the max upload size specified by the server, but now we check much more carefully
  • user storage quotas could not be bypassed
• Browsers that do not implement ES6 Symbol (Internet Explorer) can not possibly support Media-Tag elements. Rather than throwing an error, we display the default avatar (the first letter of your display name)

Yeti

Yeti release (v1.24.0)

Goals

• avoid letting the user ever see "a script is slowing down this page [stop, wait]"
  • could cause problems if this happens in a (web/shared)worker
• deal with out-of-memory crash on the server
  • we hit a scaling issue on our production instance which made this a high priority

What's new

• New configurable behaviours
  • hide the usage bar in the drive
  • make it easier to modify the login process by moving login code into /customize.dist/
    • also add hooks to be executed on logout
  • easily add new options to the share menu by changing /customize/application_config.js
  • don't store links for unregistered users automatically (disable anonymous drive)
• add images as slide backgrounds
• check which pads are pinned when the server launches, and update a representation in memory as the list changes
• provide option to import pads created when not logged in into your CryptDrive when logging in

Bug fixes

• fix issues on Internet Explorer..
  • add polyfill for Number.MAX_SAFE_INTEGER
  • malfunctioning login
• Remove the "delete" button for comments in the poll app when in view-only mode
• Do not print slides with an empty first page
• fix race condition in mode change for codemirror-based apps
• fix multiple upload (don't ask me again asked multiple times...)
• do not set the URL hash in the todo app
• avoid adding duplicate entries to the user list
• detected a race condition in Codemirror-based editors which caused editors to replace user content with the default content
• the "file picker" dialog now searches for files by your preferred name. If you have renamed a pad or uploaded file, it will show up under this name when you search

Xenomorph

CryptPad v1.23.0 (Xenomorph)

Goals

This release cycle landed during a very busy time of the year, so we focused on fixing bugs in the time we had available.

What's new

• Users can now use the print button in the rich text editor to print to a pdf
• the usage tips which are displayed while CryptPad is loading a pad can now be disabled (server-wide)
  • set config.hideLoadingScreenTips = false; in ./customize/application_config.js
• users who prefer a narrow layout when reading and writing can now check the Reduce the editor's width box on their settings page, in the rich text section.
• Users will now see an error message when they click invalid links within CryptPad, instead of having the redirect fail silently
• we've implemented a reliable server call to check whether a channel has any messages
• CryptPad now features a Greek translation, thanks to @koulaxizis

Bug fixes

• better error handling when fetching thumbnails for uploaded files
• we've added an optimization to our chainpad-listmap library, which is used throughout CryptPad. Very large and complex operations like emptying the trash from your CryptDrive will now complete much more quickly.
• the whiteboard application no longer shows a useless color palette when in read-only or present mode
• users who join a pad in read-only mode while they are also in edit mode in another tab were able to click the userlist and change their name, giving the impression that they were in edit mode. This is no longer the case.
• we've corrected some faulty behaviour in the poll application's read-only mode, where elements appeared to be editable, but the changes were not saved or propogated to other users
• we now disable the markdown toolbar in markdown-friendly editors when in read-only mode, since it could not be used
• rich text pads in read-only mode could still be modified, though any changes were not saved
• we've replaced some javascript animations with css-based effects, for smoother transitions
• we now use the isNewChannel RPC before setting initial content in a pad, to address a bug where a false-positive caused clients to overwrite documents

Notes on administration

• server administrators will need to restart their server and run bower update in their cryptpad directory
• in the event of a dependency conflict, newer versions of dependencies should be preferred