markdownr 0.8.0 → 0.8.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d2cb82d0149fbfce233b73c5dac9743b941dab4242eb7a28431e4c796c89dc1b
-  data.tar.gz: eafe8d88da6cac6033d80f3aeae204c3f99b19d99ef09102389e0095112fd173
+  metadata.gz: e25bef09e610cf90ddade4977a1ab04e69c5eff89e1904e7f25edebeacd11d05
+  data.tar.gz: ef7183813e31254cc73a8be5776e445dc67830c3387629724c3110707205ed50
 SHA512:
-  metadata.gz: 92eac0f8d752b3c4daf1fa484feb3ae56f2eef2c7b64e8b6e757a5377c5f17655acecae47466a7a5dcad53be1ef06f4e00c62e81afc9f776fdb8f963fb154a42
-  data.tar.gz: 80dd17b97f0f869381b79624b91a15b025514a9b5d58e65f1b1943a5dce6f7338ad9abbe2cc3436b268f072800adce4135624d94c5346afc970a7549b73a2d3d
+  metadata.gz: e9528e7bf4f77ebf68486cf0ae3ac72042084365a6e8853a0ea638b6af1bc7edb2986c46ce0612c42880e38c34e9f169ce5ec93759af79253ad93a0f7f5d38ed
+  data.tar.gz: 4ccd4fac98ce2a4ce78d04bc1dec843be9648baa949cc5510f8da559aeb2b59d8db5a980b5a4da50cd60873f5c15662e066e793b0a151da14723e894056bc8e7

data/bin/markdownr

@@ -32,6 +32,14 @@ OptionParser.new do |opts|
     options[:behind_proxy] = true
   end
 
+  opts.on("--admin", "Grant admin access to every visitor (use only on trusted local networks)") do
+    options[:admin_all] = true
+  end
+
+  opts.on("--admin-only", "Block all routes except /admin/login until logged in as admin") do
+    options[:admin_only] = true
+  end
+
   opts.on("-i", "--index-file FILENAME", "Render this file instead of the directory listing when present (e.g. index.md, moc.md)") do |f|
     options[:index_file] = f
   end
@@ -48,6 +56,18 @@ OptionParser.new do |opts|
     options[:verbose] = true
   end
 
+  opts.on("--default-vim", "Open the in-browser editor in vim mode by default (per-user toggle still wins via localStorage)") do
+    options[:default_vim] = true
+  end
+
+  opts.on("--allow-editor", "Enable the in-browser file editor (markdown / source). Without this flag, the Edit button is hidden and all editor write/preview/source routes return errors, even for admins.") do
+    options[:allow_editor] = true
+  end
+
+  opts.on("--allow-csv-editor", "Enable CSV editing (row update, duplicate, delete, add-on actions). Without this flag, CSV tables are forced read-only on the server and in the UI, even for admins.") do
+    options[:allow_csv_editor] = true
+  end
+
   opts.on("--plugin NAME", "Enable a plugin by name (can be specified multiple times)") do |name|
     options[:plugin_overrides] = (options[:plugin_overrides] || {}).merge(
       name => (options.dig(:plugin_overrides, name) || {}).merge("enabled" => true)
@@ -58,6 +78,14 @@ OptionParser.new do |opts|
     (options[:plugin_dirs] ||= []) << d
   end
 
+  opts.on("--follow-link PATH", Array, "Allow this symlink (inside the served dir) to escape to its target. Repeatable; comma-separated values also accepted.") do |paths|
+    (options[:follow_links] ||= []).concat(paths)
+  end
+
+  opts.on("--unhide ENTRY", "Show a normally-hidden entry (repeatable). Bare name matches anywhere; @/path is project-root-anchored; multi-segment narrows the listing.") do |v|
+    (options[:unhide] ||= []) << v
+  end
+
   opts.on("-v", "--version", "Show version") do
     puts "markdownr #{MarkdownServer::VERSION}"
     exit
@@ -74,18 +102,39 @@ end
 
 MarkdownServer::App.set :root_dir, dir
 MarkdownServer::App.set :behind_proxy, options[:behind_proxy] || false
+MarkdownServer::App.set :admin_all, options[:admin_all] || false
+MarkdownServer::App.set :admin_only, options[:admin_only] || false
 MarkdownServer::App.set :custom_title, options[:title]
 MarkdownServer::App.set :allow_robots, options[:allow_robots] || false
 MarkdownServer::App.set :index_file, options[:index_file]
 MarkdownServer::App.set :link_tooltips, options.fetch(:link_tooltips, true)
 MarkdownServer::App.set :hard_wrap, options.fetch(:hard_wrap, true)
 MarkdownServer::App.set :verbose, options[:verbose] || false
+MarkdownServer::App.set :default_vim, options[:default_vim] || false
+MarkdownServer::App.set :allow_editor, options[:allow_editor] || false
+MarkdownServer::App.set :allow_csv_editor, options[:allow_csv_editor] || false
 MarkdownServer::App.set :port, options[:port]
 MarkdownServer::App.set :bind, options[:bind]
 MarkdownServer::App.set :server_settings, { max_threads: options[:threads], min_threads: 1 }
 MarkdownServer::App.set :plugin_overrides, options[:plugin_overrides] || {}
 MarkdownServer::App.set :plugin_dirs, options[:plugin_dirs] || []
 
+root_real = File.realpath(dir)
+followed_links = (options[:follow_links] || []).filter_map do |p|
+  expanded = File.expand_path(p, dir)
+  unless File.exist?(expanded)
+    $stderr.puts "Warning: --follow-link path does not exist, skipping: #{p}"
+    next nil
+  end
+  link_real = File.realpath(expanded)
+  unless expanded == root_real || expanded.start_with?("#{root_real}/")
+    $stderr.puts "Warning: --follow-link path is outside the served dir, skipping: #{p}"
+    next nil
+  end
+  link_real
+end.uniq
+MarkdownServer::App.set :followed_links, followed_links
+
 # Load .markdownr.yml popup settings
 config_path = File.join(dir, ".markdownr.yml")
 if File.exist?(config_path)
@@ -102,6 +151,10 @@ if File.exist?(config_path)
     MarkdownServer::App.set :plugin_dirs, (yaml["plugin_dirs"] + existing).uniq
   end
 
+  if yaml && yaml.key?("admin_only") && !options[:admin_only]
+    MarkdownServer::App.set :admin_only, yaml["admin_only"] == true
+  end
+
   # Load CSV database config (top-level key or legacy plugin key)
   csv_db_paths = yaml&.dig("csv_databases") || yaml&.dig("plugins", "csv_browser", "databases")
   if csv_db_paths.is_a?(Array) && !csv_db_paths.empty?
@@ -118,6 +171,17 @@ if File.exist?(config_path)
   end
 end
 
+# Compile and apply unhide rules (YAML + CLI, additive merge).
+yaml_unhide = (defined?(yaml) && yaml.is_a?(Hash) && yaml["unhide"].is_a?(Array)) ? yaml["unhide"] : []
+combined_unhide = (yaml_unhide + (options[:unhide] || [])).uniq
+unless combined_unhide.empty?
+  begin
+    MarkdownServer::App.set :unhide_rules, MarkdownServer::Unhide.compile(combined_unhide)
+  rescue MarkdownServer::Unhide::CompileError => e
+    abort "Invalid unhide config: #{e.message}"
+  end
+end
+
 MarkdownServer::App.load_plugins!
 
 puts "Serving #{dir} on http://#{options[:bind]}:#{options[:port]}/"

data/bin/start-claude

@@ -0,0 +1,2 @@
+#!/bin/sh
+claude --chrome

data/lib/markdown_server/app.rb

@@ -10,11 +10,14 @@ require "pathname"
 require "set"
 require "net/http"
 require "base64"
+require "digest"
 require_relative "plugin"
 require_relative "csv_browser/config_loader"
 require_relative "csv_browser/table_reader"
 require_relative "csv_browser/addon_registry"
 require_relative "csv_browser/row_context"
+require_relative "permitted_bases"
+require_relative "unhide"
 require_relative "helpers/path_helpers"
 require_relative "helpers/formatting_helpers"
 require_relative "helpers/markdown_helpers"
@@ -41,6 +44,8 @@ module MarkdownServer
       set :protection, false
       set :host_authorization, { permitted_hosts: [] }
       set :behind_proxy, false
+      set :admin_all, false
+      set :admin_only, false
       set :verbose, false
       set :session_secret, ENV.fetch("MARKDOWNR_SESSION_SECRET", SecureRandom.hex(64))
       set :sessions, key: "markdownr_session", same_site: :strict, httponly: true
@@ -53,6 +58,11 @@ module MarkdownServer
       set :dictionary_url, nil
       set :plugin_dirs, []
       set :csv_browser_config, nil
+      set :followed_links, []
+      set :unhide_rules, []
+      set :default_vim, false
+      set :allow_editor, false
+      set :allow_csv_editor, false
     end
 
     def self.load_plugins!
@@ -83,16 +93,21 @@ module MarkdownServer
     end
 
     before do
-      if request.path_info.start_with?("/browser", "/csv-browser")
-        cache_control :no_cache, :no_store, :must_revalidate
-      else
-        cache_control :public, max_age: 14400
-      end
-
       if settings.verbose
         $stdout.puts "#{Time.now.strftime("%Y-%m-%d %H:%M:%S")} #{client_ip} #{request.request_method} #{request.fullpath}"
         $stdout.flush
       end
+
+      if admin_only_mode? && !admin_only_public_route?(request.path_info) && !admin?
+        cache_control :no_cache, :no_store, :must_revalidate
+        redirect "/admin/login?return_to=#{CGI.escape(request.fullpath)}"
+      end
+
+      if request.path_info.start_with?("/browser", "/csv-browser", "/__markdownr/api")
+        cache_control :no_cache, :no_store, :must_revalidate
+      else
+        cache_control :public, max_age: 14400
+      end
     end
 
     get "/" do
@@ -110,6 +125,175 @@ module MarkdownServer
       { ok: true }.to_json
     end
 
+    EDITOR_FILE_MAX_BYTES = 5 * 1024 * 1024
+
+    def editor_loader_path
+      @@editor_loader_path ||= File.expand_path("assets/editor-loader.js", __dir__)
+    end
+
+    def editor_loader_version
+      path = editor_loader_path
+      content = File.read(path) + editor_import_map_json
+      Digest::SHA256.hexdigest(content)[0, 10]
+    end
+
+    EDITOR_PKGS = {
+      "@codemirror/state"           => "6.6.0",
+      "@codemirror/view"            => "6.41.1",
+      "@codemirror/commands"        => "6.10.3",
+      "@codemirror/language"        => "6.12.3",
+      "@codemirror/search"          => "6.7.0",
+      "@codemirror/autocomplete"    => "6.20.1",
+      "@codemirror/theme-one-dark"  => "6.1.3",
+      "@codemirror/lang-markdown"   => "6.5.0",
+      "@codemirror/lang-javascript" => "6.2.5",
+      "@codemirror/lang-json"       => "6.0.2",
+      "@codemirror/lang-yaml"       => "6.1.3",
+      "@codemirror/lang-html"       => "6.4.11",
+      "@codemirror/lang-css"        => "6.3.1",
+      "@codemirror/lang-python"     => "6.2.1",
+      "@codemirror/legacy-modes"    => "6.5.2",
+      "@replit/codemirror-vim"      => "6.3.0"
+    }.freeze
+
+    EDITOR_SHARED_DEPS = %w[
+      @codemirror/state
+      @codemirror/view
+      @codemirror/language
+      @codemirror/commands
+    ].freeze
+
+    def editor_import_map_json
+      @@editor_import_map_json ||= begin
+        imports = {}
+        EDITOR_PKGS.each do |pkg, ver|
+          deps = EDITOR_SHARED_DEPS.reject { |d| d == pkg }
+          imports[pkg] = "https://esm.sh/#{pkg}@#{ver}?external=#{deps.join(",")}"
+        end
+        EDITOR_PKGS.each do |pkg, ver|
+          next unless pkg == "@codemirror/legacy-modes"
+          %w[ruby shell].each do |mode|
+            deps = EDITOR_SHARED_DEPS.reject { |d| d == pkg }
+            imports["#{pkg}/mode/#{mode}"] =
+              "https://esm.sh/#{pkg}@#{ver}/mode/#{mode}.js?external=#{deps.join(",")}"
+          end
+        end
+        JSON.dump({ imports: imports })
+      end
+    end
+
+    get "/__markdownr/editor-loader.js" do
+      halt 404, "editor disabled" unless settings.allow_editor
+      cache_control :public, max_age: 14400
+      send_file File.expand_path("assets/editor-loader.js", __dir__),
+                type: "application/javascript"
+    end
+
+    get "/__markdownr/api/file/source/?*" do
+      halt 404, '{"error":"editor disabled"}' unless settings.allow_editor
+      requested = params["splat"].first.to_s.chomp("/")
+      halt 400, '{"error":"missing path"}' if requested.empty?
+
+      real_path = safe_path(requested)
+      halt 404, '{"error":"not a file"}' unless File.file?(real_path)
+
+      size = File.size(real_path)
+      halt 413, { error: "file too large", max: EDITOR_FILE_MAX_BYTES, size: size }.to_json if size > EDITOR_FILE_MAX_BYTES
+
+      content = File.read(real_path, encoding: "utf-8")
+      etag = Digest::SHA256.hexdigest(content)
+      headers "ETag" => %("#{etag}")
+      headers "Last-Modified" => File.mtime(real_path).httpdate
+      content_type "text/plain; charset=utf-8"
+      cache_control :no_cache, :no_store, :must_revalidate
+      content
+    end
+
+    put "/__markdownr/api/file/?*" do
+      content_type :json
+      cache_control :no_cache, :no_store, :must_revalidate
+      unless settings.allow_editor
+        halt 403, { error: "File editor disabled on this server. Restart with --allow-editor to enable." }.to_json
+      end
+      unless admin?
+        halt 403, { error: "Admin login required to save changes.",
+                    admin_url: "https://github.com/brianmd/markdown-server#admin-access",
+                    client_ip: client_ip }.to_json
+      end
+
+      requested = params["splat"].first.to_s.chomp("/")
+      halt 400, { error: "missing path" }.to_json if requested.empty?
+
+      real_path = safe_path(requested)
+      halt 404, { error: "not a file" }.to_json unless File.file?(real_path)
+
+      body = request.body.read
+      halt 413, { error: "file too large", max: EDITOR_FILE_MAX_BYTES, size: body.bytesize }.to_json if body.bytesize > EDITOR_FILE_MAX_BYTES
+
+      body = body.force_encoding("utf-8")
+      halt 400, { error: "body is not valid UTF-8" }.to_json unless body.valid_encoding?
+
+      if_match = request.env["HTTP_IF_MATCH"].to_s.strip
+      force = if_match.empty? || if_match == "*"
+
+      unless force
+        current = File.read(real_path, encoding: "utf-8")
+        current_etag = Digest::SHA256.hexdigest(current)
+        provided = if_match.gsub(/\A"|"\z/, "")
+        if provided != current_etag
+          halt 409, { error: "stale", current_etag: current_etag }.to_json
+        end
+      end
+
+      tmp_path = "#{real_path}.tmp.#{Process.pid}.#{Thread.current.object_id}"
+      File.write(tmp_path, body)
+      File.rename(tmp_path, real_path)
+
+      logger.info("file edit: #{client_ip} #{requested} #{body.bytesize}b") if respond_to?(:logger) && logger
+      new_etag = Digest::SHA256.hexdigest(body)
+      { etag: new_etag, mtime: File.mtime(real_path).iso8601, bytes: body.bytesize }.to_json
+    end
+
+    post "/__markdownr/api/render/preview" do
+      content_type :json
+      cache_control :no_cache, :no_store, :must_revalidate
+      unless settings.allow_editor
+        halt 403, { error: "File editor disabled on this server. Restart with --allow-editor to enable." }.to_json
+      end
+      unless admin?
+        halt 403, { error: "Admin login required to preview edits.",
+                    admin_url: "https://github.com/brianmd/markdown-server#admin-access",
+                    client_ip: client_ip }.to_json
+      end
+
+      payload = JSON.parse(request.body.read) rescue {}
+      content = payload["content"].to_s
+      halt 413, { error: "content too large" }.to_json if content.bytesize > EDITOR_FILE_MAX_BYTES
+
+      wiki_dir = payload["current_wiki_dir"].to_s
+      base_real = File.realpath(root_dir)
+      if wiki_dir.empty?
+        @current_wiki_dir = base_real
+      else
+        candidate = File.expand_path(wiki_dir, base_real)
+        @current_wiki_dir = (candidate == base_real || candidate.start_with?("#{base_real}/")) ? candidate : base_real
+      end
+
+      meta, body = parse_frontmatter(content)
+      html = render_markdown(body)
+      settings.plugins.each { |p| html = p.post_render(html, meta, self) }
+
+      frontmatter_html = ""
+      if meta && !meta.empty?
+        rows = meta.map { |key, value|
+          "<tr><th>#{h(key)}</th><td>#{render_frontmatter_value(value)}</td></tr>"
+        }.join
+        frontmatter_html = %(<div class="frontmatter"><div class="frontmatter-heading">Frontmatter</div><table class="meta-table">#{rows}</table></div>)
+      end
+
+      { html: html, frontmatter_html: frontmatter_html }.to_json
+    end
+
     get "/setup-info" do
       @title = "Setup Info"
       @client_ip = client_ip
@@ -150,6 +334,11 @@ module MarkdownServer
       @root_title = dir_title
       @start_mode = "directory"
       @csv_databases = csv_databases_json
+      @initial_path = ""
+      @is_admin = admin?
+      @default_vim = settings.default_vim
+      @allow_editor = settings.allow_editor
+      @allow_csv_editor = settings.allow_csv_editor
       erb :browser, layout: false
     end
 
@@ -158,6 +347,11 @@ module MarkdownServer
       @root_title = dir_title
       @start_mode = "csv"
       @csv_databases = csv_databases_json
+      @initial_path = ""
+      @is_admin = admin?
+      @default_vim = settings.default_vim
+      @allow_editor = settings.allow_editor
+      @allow_csv_editor = settings.allow_csv_editor
       erb :browser, layout: false
     end
 
@@ -351,6 +545,9 @@ module MarkdownServer
 
     put "/browser/api/csv/databases/:db/tables/:table/rows/:row" do
       content_type :json
+      unless settings.allow_csv_editor
+        halt 403, { error: "CSV editor disabled on this server. Restart with --allow-csv-editor to enable." }.to_json
+      end
       unless admin?
         halt 403, { error: "Admin login required to save changes.",
                     admin_url: "https://github.com/brianmd/markdown-server#admin-access",
@@ -385,6 +582,9 @@ module MarkdownServer
 
     post "/browser/api/csv/databases/:db/tables/:table/rows/:row/duplicate" do
       content_type :json
+      unless settings.allow_csv_editor
+        halt 403, { error: "CSV editor disabled on this server. Restart with --allow-csv-editor to enable." }.to_json
+      end
       unless admin?
         halt 403, { error: "Admin login required to duplicate rows.",
                     admin_url: "https://github.com/brianmd/markdown-server#admin-access",
@@ -415,6 +615,9 @@ module MarkdownServer
 
     delete "/browser/api/csv/databases/:db/tables/:table/rows/:row" do
       content_type :json
+      unless settings.allow_csv_editor
+        halt 403, { error: "CSV editor disabled on this server. Restart with --allow-csv-editor to enable." }.to_json
+      end
       unless admin?
         halt 403, { error: "Admin login required to delete rows.",
                     admin_url: "https://github.com/brianmd/markdown-server#admin-access",
@@ -482,6 +685,9 @@ module MarkdownServer
     # Invoke an add-on action (initial call or prompt continuation).
     post "/browser/api/csv/databases/:db/tables/:table/addons/:addon/:action" do
       content_type :json
+      unless settings.allow_csv_editor
+        halt 403, { error: "CSV editor disabled on this server. Restart with --allow-csv-editor to enable." }.to_json
+      end
       unless admin?
         halt 403, { error: "Admin login required to run add-on actions.",
                     admin_url: "https://github.com/brianmd/markdown-server#admin-access",
@@ -550,6 +756,34 @@ module MarkdownServer
       }.to_json
     end
 
+    get "/browser/*" do
+      splat = params["splat"].first.to_s
+      pass if splat.start_with?("api/")
+      @title = dir_title
+      @root_title = dir_title
+      @start_mode = "directory"
+      @csv_databases = csv_databases_json
+      @initial_path = splat.chomp("/")
+      @is_admin = admin?
+      @default_vim = settings.default_vim
+      @allow_editor = settings.allow_editor
+      @allow_csv_editor = settings.allow_csv_editor
+      erb :browser, layout: false
+    end
+
+    get "/csv-browser/*" do
+      @title = dir_title
+      @root_title = dir_title
+      @start_mode = "csv"
+      @csv_databases = csv_databases_json
+      @initial_path = params["splat"].first.to_s.chomp("/")
+      @is_admin = admin?
+      @default_vim = settings.default_vim
+      @allow_editor = settings.allow_editor
+      @allow_csv_editor = settings.allow_csv_editor
+      erb :browser, layout: false
+    end
+
     get "/browse/?*" do
       requested = params["splat"].first.to_s
       requested = requested.chomp("/")
@@ -606,11 +840,7 @@ module MarkdownServer
         halt 404, '{"error":"not found"}'
       end
 
-      halt 403, '{"error":"forbidden"}' unless real.start_with?(base)
-
-      relative = real.sub("#{base}/", "")
-      first_segment = relative.split("/").first
-      halt 403, '{"error":"forbidden"}' if EXCLUDED.include?(first_segment) || first_segment&.start_with?(".")
+      halt 403, '{"error":"forbidden"}' unless permitted_path?(real)
 
       halt 404, '{"error":"not found"}' unless File.file?(real) && File.extname(real).downcase == ".md"
 
@@ -756,8 +986,8 @@ module MarkdownServer
     end
 
     def render_directory(real_path, relative_path)
-      entries = Dir.entries(real_path).reject do |e|
-        e.start_with?(".") || EXCLUDED.include?(e)
+      entries = Dir.entries(real_path).select do |e|
+        e != "." && e != ".." && entry_admitted?(real_path, relative_path, e)
       end
 
       browse_prefix = relative_path.empty? ? "/browse/" : "/browse/#{relative_path}/"
@@ -899,8 +1129,8 @@ module MarkdownServer
     end
 
     def browser_render_directory(real_path, requested)
-      entries = Dir.entries(real_path).reject do |e|
-        e.start_with?(".") || EXCLUDED.include?(e)
+      entries = Dir.entries(real_path).select do |e|
+        e != "." && e != ".." && entry_admitted?(real_path, requested, e)
       end
 
       browse_prefix = requested.empty? ? "" : "#{requested}/"
@@ -927,7 +1157,12 @@ module MarkdownServer
         item
       end.compact
 
-      title = requested.empty? ? dir_title : File.basename(requested)
+      title = if requested.empty?
+                dir_title
+              else
+                parent = File.dirname(requested)
+                parent == "." ? File.basename(requested) : "#{File.basename(requested)} (#{parent})"
+              end
       { type: "directory", path: requested, title: title, items: items }
     end
 
@@ -1046,17 +1281,7 @@ module MarkdownServer
           size = File.size(real_path) rescue 0
           { type: "download", title: title, href: download_href, size: format_size(size) }
         else
-          lang = case ext
-                 when ".py" then "python"
-                 when ".rb" then "ruby"
-                 when ".csv" then "text"
-                 when ".sh" then "bash"
-                 when ".yaml", ".yml" then "yaml"
-                 when ".erb" then "html"
-                 when ".css" then "css"
-                 when ".js" then "javascript"
-                 else "text"
-                 end
+          lang = detect_source_language(real_path, content)
           { type: "code", title: title, language: lang, html: syntax_highlight(content, lang) }
         end
       end
@@ -1142,19 +1367,7 @@ module MarkdownServer
         if content.nil? || content.encoding == Encoding::BINARY || !content.valid_encoding?
           send_file real_path, disposition: "inline"
         else
-          lang = case ext
-                 when ".py" then "python"
-                 when ".rb" then "ruby"
-                 when ".csv" then "text"
-                 when ".sh" then "bash"
-                 when ".yaml", ".yml" then "yaml"
-                 when ".erb" then "html"
-                 # .html and .js are handled by dedicated branches above;
-                 # kept here for completeness if those branches are ever removed
-                 when ".html" then "html"
-                 when ".js" then "javascript"
-                 else "text"
-                 end
+          lang = detect_source_language(real_path, content)
           @code = syntax_highlight(content, lang)
           @language = lang
           erb :raw