Add options to limit anonymous view note

README.md

@@ -3,16 +3,16 @@ HackMD
 
 [![Join the chat at https://gitter.im/hackmdio/hackmd](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/hackmdio/hackmd?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
 
-HackMD lets you create realtime collaborative markdown notes on all platforms.  
-Inspired by Hackpad, with more focus on speed and flexibility.  
+HackMD lets you create realtime collaborative markdown notes on all platforms.
+Inspired by Hackpad, with more focus on speed and flexibility.
 Still in the early stage, feel free to fork or contribute to HackMD.
 
 Thanks for using! :smile:
 
 [docker-hackmd](https://github.com/hackmdio/docker-hackmd)
 ---
 
-Before you go too far, here is the great docker repo for HackMD.  
+Before you go too far, here is the great docker repo for HackMD.
 With docker, you can deploy a server in minutes without any downtime.
 
 Heroku Deployment
@@ -25,14 +25,14 @@ You can quickly setup a sample heroku hackmd application by clicking the button
 [migration-to-0.5.0](https://github.com/hackmdio/migration-to-0.5.0)
 ---
 
-We don't use LZString to compress socket.io data and DB data after version 0.5.0.  
+We don't use LZString to compress socket.io data and DB data after version 0.5.0.
 Please run the migration tool if you're upgrading from the old version.
 
 [migration-to-0.4.0](https://github.com/hackmdio/migration-to-0.4.0)
 ---
 
-We've dropped MongoDB after version 0.4.0.  
-So here is the migration tool for you to transfer the old DB data to the new DB.  
+We've dropped MongoDB after version 0.4.0.
+So here is the migration tool for you to transfer the old DB data to the new DB.
 This tool is also used for official service.
 
 Browsers Requirement
@@ -125,6 +125,7 @@ Environment variables (will overwrite other server configs)
 | HMD_URL_ADDPORT | `true` or `false` | set to add port on callback url (port 80 or 443 won't applied) (only applied when domain is set) |
 | HMD_USECDN | `true` or `false` | set to use CDN resources or not (default is `true`) |
 | HMD_ALLOW_ANONYMOUS | `true` or `false` | set to allow anonymous usage (default is `true`) |
+| HMD_ALLOW_ANONYMOUS_VIEW | `true` or `false` | set to allow anonymous view note (default is `true`) |
 | HMD_ALLOW_FREEURL | `true` or `false` | set to allow new note by accessing not exist note url |
 | HMD_DB_URL | `mysql://localhost:3306/database` | set the db url |
 | HMD_FACEBOOK_CLIENTID | no example | Facebook API client id |
@@ -213,9 +214,9 @@ Third-party integration oauth callback urls
 Operational Transformation
 ---
 
-From 0.3.2, we started supporting operational transformation.  
-It makes concurrent editing safe and will not break up other users' operations.  
-Additionally, now can show other clients' selections.  
+From 0.3.2, we started supporting operational transformation.
+It makes concurrent editing safe and will not break up other users' operations.
+Additionally, now can show other clients' selections.
 See more at [http://operational-transformation.github.io/](http://operational-transformation.github.io/)
 
 **License under MIT.**

lib/config.js

@@ -20,6 +20,7 @@ var urladdport = process.env.HMD_URL_ADDPORT ? (process.env.HMD_URL_ADDPORT ===
 var usecdn = process.env.HMD_USECDN ? (process.env.HMD_USECDN === 'true') : ((typeof config.usecdn === 'boolean') ? config.usecdn : true);
 
 var allowanonymous = process.env.HMD_ALLOW_ANONYMOUS ? (process.env.HMD_ALLOW_ANONYMOUS === 'true') : ((typeof config.allowanonymous === 'boolean') ? config.allowanonymous : true);
+var allowanonymousView = process.env.HMD_ALLOW_ANONYMOUS_VIEW ? (process.env.HMD_ALLOW_ANONYMOUS_VIEW === 'true') : ((typeof config.allowanonymousView === 'boolean') ? config.allowanonymousView : true);
 
 var allowfreeurl = process.env.HMD_ALLOW_FREEURL ? (process.env.HMD_ALLOW_FREEURL === 'true') : !!config.allowfreeurl;
 
@@ -128,6 +129,7 @@ module.exports = {
     serverurl: getserverurl(),
     usecdn: usecdn,
     allowanonymous: allowanonymous,
+    allowanonymousView: allowanonymousView,
     allowfreeurl: allowfreeurl,
     dburl: dburl,
     db: db,

lib/response.js

@@ -123,6 +123,9 @@ function checkViewPermission(req, note) {
         else
             return true;
     } else {
+        if(!config.allowanonymousView && !req.isAuthenticated()) {
+            return false;
+        }
         return true;
     }
 }
@@ -161,7 +164,7 @@ function showNote(req, res, next) {
     findNote(req, res, function (note) {
         // force to use note id
         var noteId = req.params.noteId;
-        var id = LZString.compressToBase64(note.id); 
+        var id = LZString.compressToBase64(note.id);
         if ((note.alias && noteId != note.alias) || (!note.alias && noteId != id))
             return res.redirect(config.serverurl + "/" + (note.alias || id));
         return responseHackMD(res, note);
@@ -413,7 +416,7 @@ function publishSlideActions(req, res, next) {
             res.redirect(config.serverurl + '/' + (note.alias ? note.alias : LZString.compressToBase64(note.id)));
             break;
         default:
-            res.redirect(config.serverurl + '/p/' + note.shortid);    
+            res.redirect(config.serverurl + '/p/' + note.shortid);
             break;
         }
     });