diff --git a/app/controllers/about_controller.rb b/app/controllers/about_controller.rb
index 31cf177105..d276e8fe5f 100644
--- a/app/controllers/about_controller.rb
+++ b/app/controllers/about_controller.rb
@@ -3,6 +3,7 @@
class AboutController < ApplicationController
layout 'public'
+ before_action :require_open_federation!, only: [:show, :more]
before_action :set_body_classes, only: :show
before_action :set_instance_presenter
before_action :set_expires_in
@@ -19,6 +20,10 @@ class AboutController < ApplicationController
private
+ def require_open_federation!
+ not_found if whitelist_mode?
+ end
+
def new_user
User.new.tap do |user|
user.build_account
diff --git a/app/controllers/activitypub/base_controller.rb b/app/controllers/activitypub/base_controller.rb
index a3b5c4dfa5..0c2591e974 100644
--- a/app/controllers/activitypub/base_controller.rb
+++ b/app/controllers/activitypub/base_controller.rb
@@ -1,6 +1,8 @@
# frozen_string_literal: true
class ActivityPub::BaseController < Api::BaseController
+ skip_before_action :require_authenticated_user!
+
private
def set_cache_headers
diff --git a/app/controllers/activitypub/inboxes_controller.rb b/app/controllers/activitypub/inboxes_controller.rb
index 7cfd9a25e1..bcfc1e6d42 100644
--- a/app/controllers/activitypub/inboxes_controller.rb
+++ b/app/controllers/activitypub/inboxes_controller.rb
@@ -1,6 +1,6 @@
# frozen_string_literal: true
-class ActivityPub::InboxesController < Api::BaseController
+class ActivityPub::InboxesController < ActivityPub::BaseController
include SignatureVerification
include JsonLdHelper
include AccountOwnedConcern
diff --git a/app/controllers/admin/domain_allows_controller.rb b/app/controllers/admin/domain_allows_controller.rb
new file mode 100644
index 0000000000..31be1978bb
--- /dev/null
+++ b/app/controllers/admin/domain_allows_controller.rb
@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+class Admin::DomainAllowsController < Admin::BaseController
+ before_action :set_domain_allow, only: [:destroy]
+
+ def new
+ authorize :domain_allow, :create?
+
+ @domain_allow = DomainAllow.new(domain: params[:_domain])
+ end
+
+ def create
+ authorize :domain_allow, :create?
+
+ @domain_allow = DomainAllow.new(resource_params)
+
+ if @domain_allow.save
+ log_action :create, @domain_allow
+ redirect_to admin_instances_path, notice: I18n.t('admin.domain_allows.created_msg')
+ else
+ render :new
+ end
+ end
+
+ def destroy
+ authorize @domain_allow, :destroy?
+ UnallowDomainService.new.call(@domain_allow)
+ redirect_to admin_instances_path, notice: I18n.t('admin.domain_allows.destroyed_msg')
+ end
+
+ private
+
+ def set_domain_allow
+ @domain_allow = DomainAllow.find(params[:id])
+ end
+
+ def resource_params
+ params.require(:domain_allow).permit(:domain)
+ end
+end
diff --git a/app/controllers/admin/instances_controller.rb b/app/controllers/admin/instances_controller.rb
index 7888e844fb..d4f2018079 100644
--- a/app/controllers/admin/instances_controller.rb
+++ b/app/controllers/admin/instances_controller.rb
@@ -2,6 +2,10 @@
module Admin
class InstancesController < BaseController
+ before_action :set_domain_block, only: :show
+ before_action :set_domain_allow, only: :show
+ before_action :set_instance, only: :show
+
def index
authorize :instance, :index?
@@ -11,20 +15,38 @@ module Admin
def show
authorize :instance, :show?
- @instance = Instance.new(Account.by_domain_accounts.find_by(domain: params[:id]) || DomainBlock.find_by!(domain: params[:id]))
@following_count = Follow.where(account: Account.where(domain: params[:id])).count
@followers_count = Follow.where(target_account: Account.where(domain: params[:id])).count
@reports_count = Report.where(target_account: Account.where(domain: params[:id])).count
@blocks_count = Block.where(target_account: Account.where(domain: params[:id])).count
@available = DeliveryFailureTracker.available?(Account.select(:shared_inbox_url).where(domain: params[:id]).first&.shared_inbox_url)
@media_storage = MediaAttachment.where(account: Account.where(domain: params[:id])).sum(:file_file_size)
- @domain_block = DomainBlock.rule_for(params[:id])
end
private
+ def set_domain_block
+ @domain_block = DomainBlock.rule_for(params[:id])
+ end
+
+ def set_domain_allow
+ @domain_allow = DomainAllow.rule_for(params[:id])
+ end
+
+ def set_instance
+ resource = Account.by_domain_accounts.find_by(domain: params[:id])
+ resource ||= @domain_block
+ resource ||= @domain_allow
+
+ if resource
+ @instance = Instance.new(resource)
+ else
+ not_found
+ end
+ end
+
def filtered_instances
- InstanceFilter.new(filter_params).results
+ InstanceFilter.new(whitelist_mode? ? { allowed: true } : filter_params).results
end
def paginated_instances
diff --git a/app/controllers/api/base_controller.rb b/app/controllers/api/base_controller.rb
index 6f33a1ea99..109e38ffab 100644
--- a/app/controllers/api/base_controller.rb
+++ b/app/controllers/api/base_controller.rb
@@ -9,6 +9,7 @@ class Api::BaseController < ApplicationController
skip_before_action :store_current_location
skip_before_action :require_functional!
+ before_action :require_authenticated_user!, if: :disallow_unauthenticated_api_access?
before_action :set_cache_headers
protect_from_forgery with: :null_session
@@ -69,6 +70,10 @@ class Api::BaseController < ApplicationController
nil
end
+ def require_authenticated_user!
+ render json: { error: 'This API requires an authenticated user' }, status: 401 unless current_user
+ end
+
def require_user!
if !current_user
render json: { error: 'This method requires an authenticated user' }, status: 422
@@ -94,4 +99,8 @@ class Api::BaseController < ApplicationController
def set_cache_headers
response.headers['Cache-Control'] = 'no-cache, no-store, max-age=0, must-revalidate'
end
+
+ def disallow_unauthenticated_api_access?
+ authorized_fetch_mode?
+ end
end
diff --git a/app/controllers/api/v1/accounts_controller.rb b/app/controllers/api/v1/accounts_controller.rb
index b0c62778e6..b306e8e8cc 100644
--- a/app/controllers/api/v1/accounts_controller.rb
+++ b/app/controllers/api/v1/accounts_controller.rb
@@ -12,6 +12,8 @@ class Api::V1::AccountsController < Api::BaseController
before_action :check_account_suspension, only: [:show]
before_action :check_enabled_registrations, only: [:create]
+ skip_before_action :require_authenticated_user!, only: :create
+
respond_to :json
def show
diff --git a/app/controllers/api/v1/apps_controller.rb b/app/controllers/api/v1/apps_controller.rb
index e9f7a7291c..97177547a2 100644
--- a/app/controllers/api/v1/apps_controller.rb
+++ b/app/controllers/api/v1/apps_controller.rb
@@ -1,6 +1,8 @@
# frozen_string_literal: true
class Api::V1::AppsController < Api::BaseController
+ skip_before_action :require_authenticated_user!
+
def create
@app = Doorkeeper::Application.create!(application_options)
render json: @app, serializer: REST::ApplicationSerializer
diff --git a/app/controllers/api/v1/instances/activity_controller.rb b/app/controllers/api/v1/instances/activity_controller.rb
index d0080c5c2e..4fb5a69d8b 100644
--- a/app/controllers/api/v1/instances/activity_controller.rb
+++ b/app/controllers/api/v1/instances/activity_controller.rb
@@ -2,6 +2,7 @@
class Api::V1::Instances::ActivityController < Api::BaseController
before_action :require_enabled_api!
+
skip_before_action :set_cache_headers
respond_to :json
@@ -33,6 +34,6 @@ class Api::V1::Instances::ActivityController < Api::BaseController
end
def require_enabled_api!
- head 404 unless Setting.activity_api_enabled
+ head 404 unless Setting.activity_api_enabled && !whitelist_mode?
end
end
diff --git a/app/controllers/api/v1/instances/peers_controller.rb b/app/controllers/api/v1/instances/peers_controller.rb
index 450e6502f5..75c3cb4ba8 100644
--- a/app/controllers/api/v1/instances/peers_controller.rb
+++ b/app/controllers/api/v1/instances/peers_controller.rb
@@ -2,6 +2,7 @@
class Api::V1::Instances::PeersController < Api::BaseController
before_action :require_enabled_api!
+
skip_before_action :set_cache_headers
respond_to :json
@@ -14,6 +15,6 @@ class Api::V1::Instances::PeersController < Api::BaseController
private
def require_enabled_api!
- head 404 unless Setting.peers_api_enabled
+ head 404 unless Setting.peers_api_enabled && !whitelist_mode?
end
end
diff --git a/app/controllers/api/v1/instances_controller.rb b/app/controllers/api/v1/instances_controller.rb
index 93e4f00030..8d8231423e 100644
--- a/app/controllers/api/v1/instances_controller.rb
+++ b/app/controllers/api/v1/instances_controller.rb
@@ -2,6 +2,7 @@
class Api::V1::InstancesController < Api::BaseController
respond_to :json
+
skip_before_action :set_cache_headers
def show
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 41ce1a0ca2..0d3913ee07 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -11,12 +11,14 @@ class ApplicationController < ActionController::Base
include UserTrackingConcern
include SessionTrackingConcern
include CacheConcern
+ include DomainControlHelper
helper_method :current_account
helper_method :current_session
helper_method :current_theme
helper_method :single_user_mode?
helper_method :use_seamless_external_login?
+ helper_method :whitelist_mode?
rescue_from ActionController::RoutingError, with: :not_found
rescue_from ActiveRecord::RecordNotFound, with: :not_found
@@ -38,7 +40,7 @@ class ApplicationController < ActionController::Base
end
def authorized_fetch_mode?
- ENV['AUTHORIZED_FETCH'] == 'true'
+ ENV['AUTHORIZED_FETCH'] == 'true' || Rails.configuration.x.whitelist_mode
end
def public_fetch_mode?
diff --git a/app/controllers/concerns/account_owned_concern.rb b/app/controllers/concerns/account_owned_concern.rb
index 99c240fe98..460f71f65f 100644
--- a/app/controllers/concerns/account_owned_concern.rb
+++ b/app/controllers/concerns/account_owned_concern.rb
@@ -4,6 +4,7 @@ module AccountOwnedConcern
extend ActiveSupport::Concern
included do
+ before_action :authenticate_user!, if: -> { whitelist_mode? && request.format != :json }
before_action :set_account, if: :account_required?
before_action :check_account_approval, if: :account_required?
before_action :check_account_suspension, if: :account_required?
diff --git a/app/controllers/directories_controller.rb b/app/controllers/directories_controller.rb
index 5949076740..d2ef76f069 100644
--- a/app/controllers/directories_controller.rb
+++ b/app/controllers/directories_controller.rb
@@ -3,7 +3,8 @@
class DirectoriesController < ApplicationController
layout 'public'
- before_action :check_enabled
+ before_action :authenticate_user!, if: :whitelist_mode?
+ before_action :require_enabled!
before_action :set_instance_presenter
before_action :set_tag, only: :show
before_action :set_tags
@@ -19,7 +20,7 @@ class DirectoriesController < ApplicationController
private
- def check_enabled
+ def require_enabled!
return not_found unless Setting.profile_directory
end
diff --git a/app/controllers/home_controller.rb b/app/controllers/home_controller.rb
index 42493cd782..22d507e779 100644
--- a/app/controllers/home_controller.rb
+++ b/app/controllers/home_controller.rb
@@ -55,7 +55,7 @@ class HomeController < ApplicationController
end
def default_redirect_path
- if request.path.start_with?('/web')
+ if request.path.start_with?('/web') || whitelist_mode?
new_user_session_path
elsif single_user_mode?
short_account_path(Account.local.without_suspended.where('id > 0').first)
diff --git a/app/controllers/media_controller.rb b/app/controllers/media_controller.rb
index b3b7519a1c..1f693de320 100644
--- a/app/controllers/media_controller.rb
+++ b/app/controllers/media_controller.rb
@@ -5,6 +5,7 @@ class MediaController < ApplicationController
skip_before_action :store_current_location
+ before_action :authenticate_user!, if: :whitelist_mode?
before_action :set_media_attachment
before_action :verify_permitted_status!
before_action :check_playable, only: :player
diff --git a/app/controllers/media_proxy_controller.rb b/app/controllers/media_proxy_controller.rb
index 8fc18dd060..8da6c6fe0c 100644
--- a/app/controllers/media_proxy_controller.rb
+++ b/app/controllers/media_proxy_controller.rb
@@ -5,6 +5,8 @@ class MediaProxyController < ApplicationController
skip_before_action :store_current_location
+ before_action :authenticate_user!, if: :whitelist_mode?
+
def show
RedisLock.acquire(lock_options) do |lock|
if lock.acquired?
diff --git a/app/controllers/public_timelines_controller.rb b/app/controllers/public_timelines_controller.rb
index 23506b990c..324bdc5088 100644
--- a/app/controllers/public_timelines_controller.rb
+++ b/app/controllers/public_timelines_controller.rb
@@ -3,7 +3,8 @@
class PublicTimelinesController < ApplicationController
layout 'public'
- before_action :check_enabled
+ before_action :authenticate_user!, if: :whitelist_mode?
+ before_action :require_enabled!
before_action :set_body_classes
before_action :set_instance_presenter
@@ -16,7 +17,7 @@ class PublicTimelinesController < ApplicationController
private
- def check_enabled
+ def require_enabled!
not_found unless Setting.timeline_preview
end
diff --git a/app/controllers/remote_interaction_controller.rb b/app/controllers/remote_interaction_controller.rb
index cc6993c52b..fa742fb0ae 100644
--- a/app/controllers/remote_interaction_controller.rb
+++ b/app/controllers/remote_interaction_controller.rb
@@ -5,6 +5,7 @@ class RemoteInteractionController < ApplicationController
layout 'modal'
+ before_action :authenticate_user!, if: :whitelist_mode?
before_action :set_interaction_type
before_action :set_status
before_action :set_body_classes
diff --git a/app/controllers/tags_controller.rb b/app/controllers/tags_controller.rb
index d08e5a61a5..3cd2d9e204 100644
--- a/app/controllers/tags_controller.rb
+++ b/app/controllers/tags_controller.rb
@@ -8,6 +8,7 @@ class TagsController < ApplicationController
layout 'public'
before_action :require_signature!, if: -> { request.format == :json && authorized_fetch_mode? }
+ before_action :authenticate_user!, if: :whitelist_mode?
before_action :set_tag
before_action :set_body_classes
before_action :set_instance_presenter
diff --git a/app/helpers/domain_control_helper.rb b/app/helpers/domain_control_helper.rb
index efd328f817..067b2c2cd6 100644
--- a/app/helpers/domain_control_helper.rb
+++ b/app/helpers/domain_control_helper.rb
@@ -12,6 +12,14 @@ module DomainControlHelper
end
end
- DomainBlock.blocked?(domain)
+ if whitelist_mode?
+ !DomainAllow.allowed?(domain)
+ else
+ DomainBlock.blocked?(domain)
+ end
+ end
+
+ def whitelist_mode?
+ Rails.configuration.x.whitelist_mode
end
end
diff --git a/app/models/domain_allow.rb b/app/models/domain_allow.rb
new file mode 100644
index 0000000000..85018b636e
--- /dev/null
+++ b/app/models/domain_allow.rb
@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+# == Schema Information
+#
+# Table name: domain_allows
+#
+# id :bigint(8) not null, primary key
+# domain :string default(""), not null
+# created_at :datetime not null
+# updated_at :datetime not null
+#
+
+class DomainAllow < ApplicationRecord
+ include DomainNormalizable
+
+ validates :domain, presence: true, uniqueness: true
+
+ scope :matches_domain, ->(value) { where(arel_table[:domain].matches("%#{value}%")) }
+
+ class << self
+ def allowed?(domain)
+ !rule_for(domain).nil?
+ end
+
+ def rule_for(domain)
+ return if domain.blank?
+
+ uri = Addressable::URI.new.tap { |u| u.host = domain.gsub(/[\/]/, '') }
+
+ find_by(domain: uri.normalized_host)
+ end
+ end
+end
diff --git a/app/models/instance.rb b/app/models/instance.rb
index 797a191e07..3c740f8a2b 100644
--- a/app/models/instance.rb
+++ b/app/models/instance.rb
@@ -7,8 +7,9 @@ class Instance
def initialize(resource)
@domain = resource.domain
- @accounts_count = resource.is_a?(DomainBlock) ? nil : resource.accounts_count
+ @accounts_count = resource.respond_to?(:accounts_count) ? resource.accounts_count : nil
@domain_block = resource.is_a?(DomainBlock) ? resource : DomainBlock.rule_for(domain)
+ @domain_allow = resource.is_a?(DomainAllow) ? resource : DomainAllow.rule_for(domain)
end
def countable?
diff --git a/app/models/instance_filter.rb b/app/models/instance_filter.rb
index 848fff53e1..8bfab826d7 100644
--- a/app/models/instance_filter.rb
+++ b/app/models/instance_filter.rb
@@ -12,6 +12,10 @@ class InstanceFilter
scope = DomainBlock
scope = scope.matches_domain(params[:by_domain]) if params[:by_domain].present?
scope.order(id: :desc)
+ elsif params[:allowed].present?
+ scope = DomainAllow
+ scope = scope.matches_domain(params[:by_domain]) if params[:by_domain].present?
+ scope.order(id: :desc)
else
scope = Account.remote
scope = scope.matches_domain(params[:by_domain]) if params[:by_domain].present?
diff --git a/app/policies/domain_allow_policy.rb b/app/policies/domain_allow_policy.rb
new file mode 100644
index 0000000000..5030453bbc
--- /dev/null
+++ b/app/policies/domain_allow_policy.rb
@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+class DomainAllowPolicy < ApplicationPolicy
+ def create?
+ admin?
+ end
+
+ def destroy?
+ admin?
+ end
+end
diff --git a/app/services/concerns/payloadable.rb b/app/services/concerns/payloadable.rb
index 953740faa3..7f9f21c4b9 100644
--- a/app/services/concerns/payloadable.rb
+++ b/app/services/concerns/payloadable.rb
@@ -14,6 +14,6 @@ module Payloadable
end
def signing_enabled?
- ENV['AUTHORIZED_FETCH'] != 'true'
+ ENV['AUTHORIZED_FETCH'] != 'true' && !Rails.configuration.x.whitelist_mode
end
end
diff --git a/app/services/unallow_domain_service.rb b/app/services/unallow_domain_service.rb
new file mode 100644
index 0000000000..d4387c1a19
--- /dev/null
+++ b/app/services/unallow_domain_service.rb
@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+class UnallowDomainService < BaseService
+ def call(domain_allow)
+ Account.where(domain: domain_allow.domain).find_each do |account|
+ SuspendAccountService.new.call(account, destroy: true)
+ end
+
+ domain_allow.destroy
+ end
+end
diff --git a/app/views/admin/domain_allows/new.html.haml b/app/views/admin/domain_allows/new.html.haml
new file mode 100644
index 0000000000..52599857aa
--- /dev/null
+++ b/app/views/admin/domain_allows/new.html.haml
@@ -0,0 +1,14 @@
+- content_for :header_tags do
+ = javascript_pack_tag 'admin', integrity: true, async: true, crossorigin: 'anonymous'
+
+- content_for :page_title do
+ = t('admin.domain_allows.add_new')
+
+= simple_form_for @domain_allow, url: admin_domain_allows_path do |f|
+ = render 'shared/error_messages', object: @domain_allow
+
+ .fields-group
+ = f.input :domain, wrapper: :with_label, label: t('admin.domain_blocks.domain'), required: true
+
+ .actions
+ = f.button :button, t('admin.domain_allows.add_new'), type: :submit
diff --git a/app/views/admin/instances/index.html.haml b/app/views/admin/instances/index.html.haml
index 61e578409a..982dc50354 100644
--- a/app/views/admin/instances/index.html.haml
+++ b/app/views/admin/instances/index.html.haml
@@ -6,24 +6,30 @@
%strong= t('admin.instances.moderation.title')
%ul
%li= filter_link_to t('admin.instances.moderation.all'), limited: nil
- %li= filter_link_to t('admin.instances.moderation.limited'), limited: '1'
+
+ - unless whitelist_mode?
+ %li= filter_link_to t('admin.instances.moderation.limited'), limited: '1'
%div{ style: 'flex: 1 1 auto; text-align: right' }
- = link_to t('admin.domain_blocks.add_new'), new_admin_domain_block_path, class: 'button'
+ - if whitelist_mode?
+ = link_to t('admin.domain_allows.add_new'), new_admin_domain_allow_path, class: 'button'
+ - else
+ = link_to t('admin.domain_blocks.add_new'), new_admin_domain_block_path, class: 'button'
-= form_tag admin_instances_url, method: 'GET', class: 'simple_form' do
- .fields-group
- - Admin::FilterHelper::INSTANCES_FILTERS.each do |key|
- - if params[key].present?
- = hidden_field_tag key, params[key]
+- unless whitelist_mode?
+ = form_tag admin_instances_url, method: 'GET', class: 'simple_form' do
+ .fields-group
+ - Admin::FilterHelper::INSTANCES_FILTERS.each do |key|
+ - if params[key].present?
+ = hidden_field_tag key, params[key]
- - %i(by_domain).each do |key|
- .input.string.optional
- = text_field_tag key, params[key], class: 'string optional', placeholder: I18n.t("admin.instances.#{key}")
+ - %i(by_domain).each do |key|
+ .input.string.optional
+ = text_field_tag key, params[key], class: 'string optional', placeholder: I18n.t("admin.instances.#{key}")
- .actions
- %button= t('admin.accounts.search')
- = link_to t('admin.accounts.reset'), admin_instances_path, class: 'button negative'
+ .actions
+ %button= t('admin.accounts.search')
+ = link_to t('admin.accounts.reset'), admin_instances_path, class: 'button negative'
%hr.spacer/
@@ -47,8 +53,11 @@
- unless first_item
•
= t('admin.domain_blocks.rejecting_reports')
+ - elsif whitelist_mode?
+ = t('admin.accounts.whitelisted')
- else
= t('admin.accounts.no_limits_imposed')
- if instance.countable?
.trends__item__current{ title: t('admin.instances.known_accounts', count: instance.accounts_count) }= number_to_human instance.accounts_count, strip_insignificant_zeros: true
+
= paginate paginated_instances
diff --git a/app/views/admin/instances/show.html.haml b/app/views/admin/instances/show.html.haml
index c7992a490d..fbb49ba02f 100644
--- a/app/views/admin/instances/show.html.haml
+++ b/app/views/admin/instances/show.html.haml
@@ -38,7 +38,9 @@
= link_to t('admin.accounts.title'), admin_accounts_path(remote: '1', by_domain: @instance.domain), class: 'button'
%div{ style: 'float: right' }
- - if @domain_block
+ - if @domain_allow
+ = link_to t('admin.domain_allows.undo'), admin_domain_allow_path(@domain_allow), class: 'button button--destructive', data: { confirm: t('admin.accounts.are_you_sure'), method: :delete }
+ - elsif @domain_block
= link_to t('admin.domain_blocks.undo'), admin_domain_block_path(@domain_block), class: 'button'
- else
= link_to t('admin.domain_blocks.add_new'), new_admin_domain_block_path(_domain: @instance.domain), class: 'button'
diff --git a/app/views/admin/settings/edit.html.haml b/app/views/admin/settings/edit.html.haml
index b3bf3849c0..1e2ed3f77f 100644
--- a/app/views/admin/settings/edit.html.haml
+++ b/app/views/admin/settings/edit.html.haml
@@ -42,11 +42,12 @@
%hr.spacer/
- .fields-group
- = f.input :timeline_preview, as: :boolean, wrapper: :with_label, label: t('admin.settings.timeline_preview.title'), hint: t('admin.settings.timeline_preview.desc_html')
+ - unless whitelist_mode?
+ .fields-group
+ = f.input :timeline_preview, as: :boolean, wrapper: :with_label, label: t('admin.settings.timeline_preview.title'), hint: t('admin.settings.timeline_preview.desc_html')
- .fields-group
- = f.input :show_known_fediverse_at_about_page, as: :boolean, wrapper: :with_label, label: t('admin.settings.show_known_fediverse_at_about_page.title'), hint: t('admin.settings.show_known_fediverse_at_about_page.desc_html')
+ .fields-group
+ = f.input :show_known_fediverse_at_about_page, as: :boolean, wrapper: :with_label, label: t('admin.settings.show_known_fediverse_at_about_page.title'), hint: t('admin.settings.show_known_fediverse_at_about_page.desc_html')
.fields-group
= f.input :show_staff_badge, as: :boolean, wrapper: :with_label, label: t('admin.settings.show_staff_badge.title'), hint: t('admin.settings.show_staff_badge.desc_html')
@@ -54,17 +55,18 @@
.fields-group
= f.input :open_deletion, as: :boolean, wrapper: :with_label, label: t('admin.settings.registrations.deletion.title'), hint: t('admin.settings.registrations.deletion.desc_html')
- .fields-group
- = f.input :activity_api_enabled, as: :boolean, wrapper: :with_label, label: t('admin.settings.activity_api_enabled.title'), hint: t('admin.settings.activity_api_enabled.desc_html')
+ - unless whitelist_mode?
+ .fields-group
+ = f.input :activity_api_enabled, as: :boolean, wrapper: :with_label, label: t('admin.settings.activity_api_enabled.title'), hint: t('admin.settings.activity_api_enabled.desc_html')
- .fields-group
- = f.input :peers_api_enabled, as: :boolean, wrapper: :with_label, label: t('admin.settings.peers_api_enabled.title'), hint: t('admin.settings.peers_api_enabled.desc_html')
+ .fields-group
+ = f.input :peers_api_enabled, as: :boolean, wrapper: :with_label, label: t('admin.settings.peers_api_enabled.title'), hint: t('admin.settings.peers_api_enabled.desc_html')
- .fields-group
- = f.input :preview_sensitive_media, as: :boolean, wrapper: :with_label, label: t('admin.settings.preview_sensitive_media.title'), hint: t('admin.settings.preview_sensitive_media.desc_html')
+ .fields-group
+ = f.input :preview_sensitive_media, as: :boolean, wrapper: :with_label, label: t('admin.settings.preview_sensitive_media.title'), hint: t('admin.settings.preview_sensitive_media.desc_html')
- .fields-group
- = f.input :profile_directory, as: :boolean, wrapper: :with_label, label: t('admin.settings.profile_directory.title'), hint: t('admin.settings.profile_directory.desc_html')
+ .fields-group
+ = f.input :profile_directory, as: :boolean, wrapper: :with_label, label: t('admin.settings.profile_directory.title'), hint: t('admin.settings.profile_directory.desc_html')
.fields-group
= f.input :spam_check_enabled, as: :boolean, wrapper: :with_label, label: t('admin.settings.spam_check_enabled.title'), hint: t('admin.settings.spam_check_enabled.desc_html')
@@ -76,7 +78,7 @@
.fields-group
= f.input :closed_registrations_message, as: :text, wrapper: :with_block_label, label: t('admin.settings.registrations.closed_message.title'), hint: t('admin.settings.registrations.closed_message.desc_html'), input_html: { rows: 8 }
- = f.input :site_extended_description, wrapper: :with_block_label, as: :text, label: t('admin.settings.site_description_extended.title'), hint: t('admin.settings.site_description_extended.desc_html'), input_html: { rows: 8 }
+ = f.input :site_extended_description, wrapper: :with_block_label, as: :text, label: t('admin.settings.site_description_extended.title'), hint: t('admin.settings.site_description_extended.desc_html'), input_html: { rows: 8 } unless whitelist_mode?
= f.input :site_terms, wrapper: :with_block_label, as: :text, label: t('admin.settings.site_terms.title'), hint: t('admin.settings.site_terms.desc_html'), input_html: { rows: 8 }
= f.input :custom_css, wrapper: :with_block_label, as: :text, input_html: { rows: 8 }, label: t('admin.settings.custom_css.title'), hint: t('admin.settings.custom_css.desc_html')
diff --git a/app/views/auth/registrations/new.html.haml b/app/views/auth/registrations/new.html.haml
index b4a7cced55..83384d7379 100644
--- a/app/views/auth/registrations/new.html.haml
+++ b/app/views/auth/registrations/new.html.haml
@@ -33,7 +33,7 @@
= f.input :invite_code, as: :hidden
.fields-group
- = f.input :agreement, as: :boolean, wrapper: :with_label, label: t('auth.checkbox_agreement_html', rules_path: about_more_path, terms_path: terms_path)
+ = f.input :agreement, as: :boolean, wrapper: :with_label, label: whitelist_mode? ? t('auth.checkbox_agreement_without_rules_html', terms_path: terms_path) : t('auth.checkbox_agreement_html', rules_path: about_more_path, terms_path: terms_path)
.actions
= f.button :button, @invite.present? ? t('auth.register') : sign_up_message, type: :submit
diff --git a/app/views/layouts/public.html.haml b/app/views/layouts/public.html.haml
index 2929ac599c..69738a2f75 100644
--- a/app/views/layouts/public.html.haml
+++ b/app/views/layouts/public.html.haml
@@ -10,10 +10,13 @@
= link_to root_url, class: 'brand' do
= svg_logo_full
- = link_to t('directories.directory'), explore_path, class: 'nav-link optional' if Setting.profile_directory
- = link_to t('about.about_this'), about_more_path, class: 'nav-link optional'
- = link_to t('about.apps'), 'https://joinmastodon.org/apps', class: 'nav-link optional'
+ - unless whitelist_mode?
+ = link_to t('directories.directory'), explore_path, class: 'nav-link optional' if Setting.profile_directory
+ = link_to t('about.about_this'), about_more_path, class: 'nav-link optional'
+ = link_to t('about.apps'), 'https://joinmastodon.org/apps', class: 'nav-link optional'
+
.nav-center
+
.nav-right
- if user_signed_in?
= link_to t('settings.back'), root_url, class: 'nav-link nav-button webapp-btn'
diff --git a/config/initializers/2_whitelist_mode.rb b/config/initializers/2_whitelist_mode.rb
new file mode 100644
index 0000000000..a17ad07a2c
--- /dev/null
+++ b/config/initializers/2_whitelist_mode.rb
@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+Rails.application.configure do
+ config.x.whitelist_mode = ENV['WHITELIST_MODE'] == 'true'
+end
diff --git a/config/locales/en.yml b/config/locales/en.yml
index 9e1be87be1..6c1a343001 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -186,6 +186,7 @@ en:
username: Username
warn: Warn
web: Web
+ whitelisted: Whitelisted
action_logs:
actions:
assigned_to_self_report: "%{name} assigned report %{target} to themselves"
@@ -269,6 +270,11 @@ en:
week_interactions: interactions this week
week_users_active: active this week
week_users_new: users this week
+ domain_allows:
+ add_new: Whitelist domain
+ created_msg: Domain has been successfully whitelisted
+ destroyed_msg: Domain has been removed from the whitelist
+ undo: Remove from whitelist
domain_blocks:
add_new: Add new domain block
created_msg: Domain block is now being processed
@@ -524,6 +530,7 @@ en:
apply_for_account: Request an invite
change_password: Password
checkbox_agreement_html: I agree to the server rules and terms of service
+ checkbox_agreement_without_rules_html: I agree to the terms of service
delete_account: Delete account
delete_account_html: If you wish to delete your account, you can proceed here. You will be asked for confirmation.
didnt_get_confirmation: Didn't receive confirmation instructions?
diff --git a/config/locales/simple_form.en.yml b/config/locales/simple_form.en.yml
index 12a7ec2b34..10b30e627f 100644
--- a/config/locales/simple_form.en.yml
+++ b/config/locales/simple_form.en.yml
@@ -38,6 +38,8 @@ en:
setting_use_pending_items: Hide timeline updates behind a click instead of automatically scrolling the feed
username: Your username will be unique on %{domain}
whole_word: When the keyword or phrase is alphanumeric only, it will only be applied if it matches the whole word
+ domain_allow:
+ domain: This domain will be able to fetch data from this server and incoming data from it will be processed and stored
featured_tag:
name: 'You might want to use one of these:'
imports:
diff --git a/config/navigation.rb b/config/navigation.rb
index 5ab2e43999..9b46da6032 100644
--- a/config/navigation.rb
+++ b/config/navigation.rb
@@ -39,7 +39,7 @@ SimpleNavigation::Configuration.run do |navigation|
s.item :accounts, safe_join([fa_icon('users fw'), t('admin.accounts.title')]), admin_accounts_url, highlights_on: %r{/admin/accounts|/admin/pending_accounts}
s.item :invites, safe_join([fa_icon('user-plus fw'), t('admin.invites.title')]), admin_invites_path
s.item :tags, safe_join([fa_icon('tag fw'), t('admin.tags.title')]), admin_tags_path
- s.item :instances, safe_join([fa_icon('cloud fw'), t('admin.instances.title')]), admin_instances_url(limited: '1'), highlights_on: %r{/admin/instances|/admin/domain_blocks}, if: -> { current_user.admin? }
+ s.item :instances, safe_join([fa_icon('cloud fw'), t('admin.instances.title')]), admin_instances_url(limited: whitelist_mode? ? nil : '1'), highlights_on: %r{/admin/instances|/admin/domain_blocks|/admin/domain_allows}, if: -> { current_user.admin? }
s.item :email_domain_blocks, safe_join([fa_icon('envelope fw'), t('admin.email_domain_blocks.title')]), admin_email_domain_blocks_url, highlights_on: %r{/admin/email_domain_blocks}, if: -> { current_user.admin? }
end
diff --git a/config/routes.rb b/config/routes.rb
index b6c215888a..04424bbbd1 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -154,6 +154,7 @@ Rails.application.routes.draw do
namespace :admin do
get '/dashboard', to: 'dashboard#index'
+ resources :domain_allows, only: [:new, :create, :show, :destroy]
resources :domain_blocks, only: [:new, :create, :show, :destroy]
resources :email_domain_blocks, only: [:index, :new, :create, :destroy]
resources :action_logs, only: [:index]
diff --git a/db/migrate/20190705002136_create_domain_allows.rb b/db/migrate/20190705002136_create_domain_allows.rb
new file mode 100644
index 0000000000..83b0728d9d
--- /dev/null
+++ b/db/migrate/20190705002136_create_domain_allows.rb
@@ -0,0 +1,9 @@
+class CreateDomainAllows < ActiveRecord::Migration[5.2]
+ def change
+ create_table :domain_allows do |t|
+ t.string :domain, default: '', null: false, index: { unique: true }
+
+ t.timestamps
+ end
+ end
+end
diff --git a/db/schema.rb b/db/schema.rb
index 1847305c7f..2d83d8b764 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -10,7 +10,7 @@
#
# It's strongly recommended that you check this file into your version control system.
-ActiveRecord::Schema.define(version: 2019_07_26_175042) do
+ActiveRecord::Schema.define(version: 2019_07_28_084117) do
# These are extensions that must be enabled in order to support this database
enable_extension "plpgsql"
@@ -245,6 +245,13 @@ ActiveRecord::Schema.define(version: 2019_07_26_175042) do
t.index ["account_id"], name: "index_custom_filters_on_account_id"
end
+ create_table "domain_allows", force: :cascade do |t|
+ t.string "domain", default: "", null: false
+ t.datetime "created_at", null: false
+ t.datetime "updated_at", null: false
+ t.index ["domain"], name: "index_domain_allows_on_domain", unique: true
+ end
+
create_table "domain_blocks", force: :cascade do |t|
t.string "domain", default: "", null: false
t.datetime "created_at", null: false
diff --git a/lib/mastodon/domains_cli.rb b/lib/mastodon/domains_cli.rb
index b081581fe5..f300623635 100644
--- a/lib/mastodon/domains_cli.rb
+++ b/lib/mastodon/domains_cli.rb
@@ -12,17 +12,33 @@ module Mastodon
end
option :dry_run, type: :boolean
- desc 'purge DOMAIN', 'Remove accounts from a DOMAIN without a trace'
+ option :whitelist_mode, type: :boolean
+ desc 'purge [DOMAIN]', 'Remove accounts from a DOMAIN without a trace'
long_desc <<-LONG_DESC
Remove all accounts from a given DOMAIN without leaving behind any
records. Unlike a suspension, if the DOMAIN still exists in the wild,
it means the accounts could return if they are resolved again.
+
+ When the --whitelist-mode option is given, instead of purging accounts
+ from a single domain, all accounts from domains that are not whitelisted
+ are removed from the database.
LONG_DESC
- def purge(domain)
+ def purge(domain = nil)
removed = 0
dry_run = options[:dry_run] ? ' (DRY RUN)' : ''
- Account.where(domain: domain).find_each do |account|
+ scope = begin
+ if options[:whitelist_mode]
+ Account.remote.where.not(domain: DomainAllow.pluck(:domain))
+ elsif domain.present?
+ Account.remote.where(domain: domain)
+ else
+ say('No domain given', :red)
+ exit(1)
+ end
+ end
+
+ scope.find_each do |account|
SuspendAccountService.new.call(account, destroy: true) unless options[:dry_run]
removed += 1
say('.', :green, false)
diff --git a/spec/fabricators/domain_allow_fabricator.rb b/spec/fabricators/domain_allow_fabricator.rb
new file mode 100644
index 0000000000..6226b1e20b
--- /dev/null
+++ b/spec/fabricators/domain_allow_fabricator.rb
@@ -0,0 +1,3 @@
+Fabricator(:domain_allow) do
+ domain "MyString"
+end
diff --git a/spec/models/domain_allow_spec.rb b/spec/models/domain_allow_spec.rb
new file mode 100644
index 0000000000..e65435127d
--- /dev/null
+++ b/spec/models/domain_allow_spec.rb
@@ -0,0 +1,5 @@
+require 'rails_helper'
+
+RSpec.describe DomainAllow, type: :model do
+ pending "add some examples to (or delete) #{__FILE__}"
+end
diff --git a/streaming/index.js b/streaming/index.js
index 0529804b1b..304e7e0465 100644
--- a/streaming/index.js
+++ b/streaming/index.js
@@ -12,6 +12,7 @@ const uuid = require('uuid');
const fs = require('fs');
const env = process.env.NODE_ENV || 'development';
+const alwaysRequireAuth = process.env.WHITELIST_MODE === 'true' || process.env.AUTHORIZED_FETCH === 'true';
dotenv.config({
path: env === 'production' ? '.env.production' : '.env',
@@ -271,7 +272,7 @@ const startWorker = (workerId) => {
const wsVerifyClient = (info, cb) => {
const location = url.parse(info.req.url, true);
- const authRequired = !PUBLIC_STREAMS.some(stream => stream === location.query.stream);
+ const authRequired = alwaysRequireAuth || !PUBLIC_STREAMS.some(stream => stream === location.query.stream);
const allowedScopes = [];
if (authRequired) {
@@ -306,7 +307,7 @@ const startWorker = (workerId) => {
return;
}
- const authRequired = !PUBLIC_ENDPOINTS.some(endpoint => endpoint === req.path);
+ const authRequired = alwaysRequireAuth || !PUBLIC_ENDPOINTS.some(endpoint => endpoint === req.path);
const allowedScopes = [];
if (authRequired) {