Stripped all CSRF token generation, injection, and validation since it
breaks behind Apache reverse proxy. Removed handlers/csrf.go, stripped
CSRFToken from PageData, removed validateCSRFToken from all POST handlers,
and cleaned up hidden inputs and JS CSRF references.
Added self-service password change at /password/ with current-password
verification and bcrypt update. New Password link in navbar.
Extended admin panel with user management: lists all users with join dates
and allows admins to delete other users (self-deletion blocked). Added
GetAllUsers() and DeleteUser() to models.
- Remove markdown_preview_default field from UserPreferences model
- Remove markdown_preview_default column from user_preferences table schema
- Simplify preferences form to only show draft auto-save checkbox
- Update handler to only process auto_save_drafts preference
- Clean up unused form fields and validation logic
Only the draft auto-save preference remains.
- Add user_preferences table to store per-user settings (auto_save_drafts, markdown_preview_default)
- Create UserPreferences model with GetUserPreferences, CreateDefaultPreferences, and UpdateUserPreferences functions
- Add PreferencesHandler for GET/POST requests to display and save user preferences
- Create preferences.html template with checkbox for draft auto-save and radio buttons for markdown preview default
- Add "Preferences" link to navbar for logged-in users
- Register /preferences/ route with login requirement
This establishes the foundation for advanced features like draft auto-save and markdown preview toggle, allowing users to customize their experience.
- A new `files` table to store metadata about uploaded files, including original name and hash.
- The `users` table is updated to reference a `pfp_file_id` from the new `files` table, removing the insecure `pfp_url` field.
- A new `/file` endpoint and handler (`handlers/file.go`) are created to serve files securely based on their ID, preventing direct file system access.
- Profile editing (`handlers/profile_edit.go` and `templates/pages/profile_edit.html`) is updated to handle file uploads instead of URL inputs.
- The chat feature (`models/chat.go` and `templates/pages/chat.html`) is updated to work with the new file ID system, ensuring avatars are displayed correctly.
Should also fix#68.
Joca