By default CSRF protection is disabled for all views, since most
web endpoints and all API endpoints do not need it.
On the views that require it, we use the
current_app.csrf.protect() method.
Contains all the basics divided in blocks:
* node_preview
* node_details
* node_details_meta_extra (for additional list items)
* node_download - to override the download button
* node_comments
* node_scripts - for node specific scripts, like hdri or video
* footer_scripts
This is done via coercion rules. To cache the field 'content' in the
database, include this in your Eve schema:
{'content': {'type': 'string', 'coerce': 'markdown'},
'_content_html': {'type': 'string'}}
The `_content_html` field will be filled automatically when saving the
document via Eve.
To display the cached HTML, and fall back to display-time rendering if it
is not there, use `{{ document | markdowned('content') }}` in your template.
Still needs unit testing, a CLI command for regenerating the caches, and
a CLI command for migrating the node type definitions in existing projects.
Static files are now served with an 8-character hash before the last
extension. For example, `tutti.min.js` is now served as
`tutti.min.abcd1234.js`. When doing a request the hash is removed before
serving the static file.
The hash must be 8 characters long, and is taken from STATIC_FILE_HASH.
It is up to the deployment to change this configuration variable
whenever static files change. This forces browsers that download newly
deployed HTML to also refresh the dependencies (most importantly
JS/CSS).
For this to work, the URL must be built with `url_for('static_xxx',
filename='/path/to/file')`. The 'static' module still returns regular,
hashless URLs.
This is done via a custom PATCH due to the lack of transactions of MongoDB;
we cannot undelete both project-referenced files and file-referenced
projects in one atomic operation.
By refactoring part of comments_for_node into a dedicated function called render_comments_for_node, we enable Pillar apps to override the comment url and determine in each app what are the conditions that allow a user to post.
Further, we introduce an extensible and overridable list_embed.pug, which currently defines custom blocks for when the user is allowed and not allowed to post a comment,
This actually undoes commits 90c62664a6 and 18fe240b93 and simply adds the node.url property when rendering a post in the posts_view function. This is what the template macro actually expected in the first place.
This affects the user and notifications menus. It happens for two reasons:
- the only argument passed to the macros was current_user, which is always available
- we want to enable overriding and adding items to the menus via extensions
At the moment only the user menu takes advantage of the base template, since the blender-cloud extension makes use of it, while notifications.pug does not need it yet.
/join should only be used when someone can actually buy a new subscription.
/renew should be used when someone already has a subscription that needs
to be renewed.
Since url_for('cloud.xxxx') makes no sense in Pillar, I just hard-coded
/renew instead.
Added this button in the /u/ user/embed view, so that admins can easily force a re-check from Blender ID without requiring the user themselves to perform any actions.
