Commit graph

8 commits

Author SHA1 Message Date
Calvin Montgomery 6043647cb7 Skip full user auth for most page renders
Previously, the user's session cookie was being checked against the
database for all non-static requests.  However, this is not really
needed and wastes resources (and is slow).

For most page views (e.g. index, channel page), just parsing the value
of the cookie is sufficient:

  * The cookies are already HMAC signed, so tampering with them ought to
    be, for all reasonable purposes, impossible.
  * Assuming the worst case, all a nefarious user could manage to do is
    change the text of the "Welcome, {user}" and cause a (non-functional)
    ACP link to appear clientside, both of which are already possible by
    using the Inspect Element tool.

For authenticated pages (currently, the ACP, and anything under
/account/), the full database check is still performed (for now).
2017-08-01 21:40:26 -07:00
Xaekai 6d4558c978 Allow channel path to be customizable
We now allow server operators to customize the /r/ part of the channel links.
The new config option in the template is commented and the config module validates and will terminate with status 78 if an improper value is used.
We've also dropped some old cruft and use a more elegant method to assign CHANNEL.name

Resolves #668
2017-06-16 20:09:36 -07:00
Calvin Montgomery 8ad9b4e543 Remove redundant template local 2017-06-05 18:57:04 -07:00
Calvin Montgomery 58c65a5bac Use host header instead of req.host which is actually req.hostname 2017-06-05 18:53:36 -07:00
Xaekai 699aa2abe1 Finish validation touchup 2017-06-05 00:06:15 -07:00
Calvin Montgomery 5a81ab7ce7 Add a prompt explaining the situation as well as documentation 2016-08-23 21:50:18 -07:00
Xaekai 5eebd88e13 Move ACP nav entry to templating
Closes #516
2016-07-10 23:23:46 -07:00
Xaekai df5c5cd54f The Puggening: Update from Jade to Pug
1.) module dependency updated from jade 1.11.0 to pug 2.0.0-beta3
2.) All references to Jade have been changed to Pug
3.) /srv/web/jade.js is renamed to pug.js
4.) all template files renamed accordingly
5.) "mixin somename" is automatically considered a declaration, invocations must use "+somename"
6.) variable interpolation is no longer supported inside element attributes, use direct references and string concatenation instead.
7.) bumped minor version
2016-07-07 21:48:09 -07:00
Renamed from src/web/jade.js
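The two-tier check described in commit 6043647cb7, as an added example that is not the project's own code: page renders verify only the cookie's HMAC and expiry, while authenticated pages re-check the claim against the user store, which is the only tier that notices a disabled or deleted account. The cookie layout `<name>.<expiresMs>.<hex HMAC-SHA256>`, the `SECRET` value, the function names, and the `Map` standing in for the database are all assumptions made for illustration.

```javascript
// Added example. Assumed cookie layout: "<name>.<expiresMs>.<hex HMAC-SHA256>";
// usernames are assumed to contain no "." characters.
const { createHmac, timingSafeEqual } = require('crypto');

const SECRET = 'constructed-demo-secret'; // placeholder; a real key comes from config

function sign(payload) {
    return createHmac('sha256', SECRET).update(payload).digest('hex');
}

function issueCookie(name, expiresMs) {
    const payload = `${name}.${expiresMs}`;
    return `${payload}.${sign(payload)}`;
}

// Cheap tier for page renders: signature and expiry only, no database query.
function parseCookie(cookie, now = Date.now()) {
    const parts = String(cookie).split('.');
    if (parts.length !== 3) return null;
    const [name, expires, mac] = parts;
    const expected = Buffer.from(sign(`${name}.${expires}`), 'hex');
    const given = Buffer.from(mac, 'hex');
    // timingSafeEqual throws on unequal lengths, so compare lengths first.
    if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
    if (!/^\d+$/.test(expires) || Number(expires) <= now) return null;
    return { name };
}

// Full tier for the ACP and /account/: the signed claim is re-checked against
// the user store (a Map standing in for the database), so revocation is seen.
function fullAuth(cookie, userStore, now = Date.now()) {
    const claim = parseCookie(cookie, now);
    if (!claim) return null;
    const row = userStore.get(claim.name);
    return row && !row.disabled ? { name: claim.name, rank: row.rank } : null;
}
```

A cookie issued before an account is disabled still passes `parseCookie` until it expires, so anything that grants privileges belongs behind `fullAuth`.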