dependabot[bot]
5801e6d7ef
Bump pg from 1.2.3 to 1.3.0 ( #17349 )
...
Bumps [pg](https://github.com/ged/ruby-pg ) from 1.2.3 to 1.3.0.
- [Release notes](https://github.com/ged/ruby-pg/releases )
- [Changelog](https://github.com/ged/ruby-pg/blob/master/History.rdoc )
- [Commits](https://github.com/ged/ruby-pg/compare/v1.2.3...v1.3.0 )
---
updated-dependencies:
- dependency-name: pg
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
3 years ago
dependabot[bot]
f5401e89f3
Bump axios from 0.24.0 to 0.25.0 ( #17354 )
...
Bumps [axios](https://github.com/axios/axios ) from 0.24.0 to 0.25.0.
- [Release notes](https://github.com/axios/axios/releases )
- [Changelog](https://github.com/axios/axios/blob/master/CHANGELOG.md )
- [Commits](https://github.com/axios/axios/compare/v0.24.0...v0.25.0 )
---
updated-dependencies:
- dependency-name: axios
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
3 years ago
dependabot[bot]
b7de46786d
Bump rdf-normalize from 0.4.0 to 0.5.0 ( #17226 )
...
Bumps [rdf-normalize](https://github.com/ruby-rdf/rdf-normalize ) from 0.4.0 to 0.5.0.
- [Release notes](https://github.com/ruby-rdf/rdf-normalize/releases )
- [Commits](https://github.com/ruby-rdf/rdf-normalize/compare/0.4.0...0.5.0 )
---
updated-dependencies:
- dependency-name: rdf-normalize
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
3 years ago
Claire
56a49e9334
Merge branch 'main' into glitch-soc/merge-upstream
...
Conflicts:
- `config/environments/production.rb`:
Upstream changed a header but we had different default headers.
Applied the same change, and also dropped HSTS headers redundant with
Rails'.
3 years ago
Claire
6e8d231e27
Fix local distribution of edited statuses ( #17380 )
...
Because `FanOutOnWriteService#update?` was broken, edits were considered as new
toots and a regular `update` payload was sent.
3 years ago
Su Yang
43b5489c0f
Add healthcheck for sidekiq ( #17365 )
3 years ago
Eugen Rochko
b6364cf1ad
Fix poll updates being saved as status edits ( #17373 )
...
Fix #17344
3 years ago
Claire
f6d9fac166
Merge pull request #1667 from ClearlyClaire/glitch-soc/fixes/hcaptcha-text
...
Improve explanations around the hCaptcha feature
3 years ago
Claire
25d4ff98e7
Add link to /about/more to the CAPTCHA verification page
3 years ago
Claire
599b27788a
Add some explanation text on the CAPTCHA confirmation page
3 years ago
Claire
77ea23decf
Add mention of accessibility issues to hCaptcha option in admin page
3 years ago
Claire
7c94eaf269
Merge pull request #1665 from ClearlyClaire/glitch-soc/features/hcaptcha
...
Add optional hCaptcha support
3 years ago
Claire
ea32eb89e1
Change CAPTCHA handling to be only on email verification
...
This simplifies the implementation considerably, and while not providing
ideal UX, it's the most flexible approach.
3 years ago
Claire
6988e6ecc3
Add ability to set hCaptcha either on registration form or on e-mail validation
...
Upshot of CAPTCHA on e-mail validation is it does not need to break the in-band
registration API.
3 years ago
Claire
a9faba63f1
Disable `registrations` flag in /api/v1/instance when CAPTCHA is enabled
...
This is to avoid apps trying and failing at using the registrations API,
which does not let us require a CAPTCHA and cannot be clearly signaled as
unavailable.
3 years ago
dependabot[bot]
73e36415e8
Bump sass from 1.48.0 to 1.49.0 ( #17352 )
...
Bumps [sass](https://github.com/sass/dart-sass ) from 1.48.0 to 1.49.0.
- [Release notes](https://github.com/sass/dart-sass/releases )
- [Changelog](https://github.com/sass/dart-sass/blob/main/CHANGELOG.md )
- [Commits](https://github.com/sass/dart-sass/compare/1.48.0...1.49.0 )
---
updated-dependencies:
- dependency-name: sass
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
3 years ago
dependabot[bot]
cb80dc6c35
Bump json-ld-preloaded from 3.1.6 to 3.2.0 ( #17353 )
...
Bumps [json-ld-preloaded](https://github.com/ruby-rdf/json-ld-preloaded ) from 3.1.6 to 3.2.0.
- [Release notes](https://github.com/ruby-rdf/json-ld-preloaded/releases )
- [Commits](https://github.com/ruby-rdf/json-ld-preloaded/compare/3.1.6...3.2.0 )
---
updated-dependencies:
- dependency-name: json-ld-preloaded
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
3 years ago
dependabot[bot]
e2e7aad5e8
Bump fabrication from 2.23.1 to 2.24.0 ( #17356 )
...
Bumps [fabrication](https://github.com/paulelliott/fabrication ) from 2.23.1 to 2.24.0.
- [Release notes](https://github.com/paulelliott/fabrication/releases )
- [Changelog](https://github.com/paulelliott/fabrication/blob/master/Changelog.markdown )
- [Commits](https://github.com/paulelliott/fabrication/commits )
---
updated-dependencies:
- dependency-name: fabrication
dependency-type: direct:development
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
3 years ago
dependabot[bot]
5a3db0d7b9
Bump sidekiq from 6.3.1 to 6.4.0 ( #17350 )
...
Bumps [sidekiq](https://github.com/mperham/sidekiq ) from 6.3.1 to 6.4.0.
- [Release notes](https://github.com/mperham/sidekiq/releases )
- [Changelog](https://github.com/mperham/sidekiq/blob/main/Changes.md )
- [Commits](https://github.com/mperham/sidekiq/compare/v6.3.1...v6.4.0 )
---
updated-dependencies:
- dependency-name: sidekiq
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
3 years ago
dependabot[bot]
7b20b2a4e8
Bump @babel/plugin-transform-runtime from 7.16.8 to 7.16.10 ( #17361 )
...
Bumps [@babel/plugin-transform-runtime](https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-runtime ) from 7.16.8 to 7.16.10.
- [Release notes](https://github.com/babel/babel/releases )
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md )
- [Commits](https://github.com/babel/babel/commits/v7.16.10/packages/babel-plugin-transform-runtime )
---
updated-dependencies:
- dependency-name: "@babel/plugin-transform-runtime"
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
3 years ago
dependabot[bot]
67ce5d774c
Bump cld3 from 3.4.3 to 3.4.4 ( #17357 )
...
Bumps [cld3](https://github.com/akihikodaki/cld3-ruby ) from 3.4.3 to 3.4.4.
- [Release notes](https://github.com/akihikodaki/cld3-ruby/releases )
- [Commits](https://github.com/akihikodaki/cld3-ruby/compare/v3.4.3...v3.4.4 )
---
updated-dependencies:
- dependency-name: cld3
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
3 years ago
dependabot[bot]
a6360a47d5
Bump aws-sdk-s3 from 1.111.1 to 1.111.3 ( #17368 )
...
Bumps [aws-sdk-s3](https://github.com/aws/aws-sdk-ruby ) from 1.111.1 to 1.111.3.
- [Release notes](https://github.com/aws/aws-sdk-ruby/releases )
- [Changelog](https://github.com/aws/aws-sdk-ruby/blob/version-3/gems/aws-sdk-s3/CHANGELOG.md )
- [Commits](https://github.com/aws/aws-sdk-ruby/commits )
---
updated-dependencies:
- dependency-name: aws-sdk-s3
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
3 years ago
dependabot[bot]
e23ac7533c
Bump bootsnap from 1.10.1 to 1.10.2 ( #17367 )
...
Bumps [bootsnap](https://github.com/Shopify/bootsnap ) from 1.10.1 to 1.10.2.
- [Release notes](https://github.com/Shopify/bootsnap/releases )
- [Changelog](https://github.com/Shopify/bootsnap/blob/main/CHANGELOG.md )
- [Commits](https://github.com/Shopify/bootsnap/compare/v1.10.1...v1.10.2 )
---
updated-dependencies:
- dependency-name: bootsnap
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
3 years ago
dependabot[bot]
7a153d7e73
Bump node-fetch from 2.6.1 to 2.6.7 ( #17366 )
...
Bumps [node-fetch](https://github.com/node-fetch/node-fetch ) from 2.6.1 to 2.6.7.
- [Release notes](https://github.com/node-fetch/node-fetch/releases )
- [Commits](https://github.com/node-fetch/node-fetch/compare/v2.6.1...v2.6.7 )
---
updated-dependencies:
- dependency-name: node-fetch
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
3 years ago
dependabot[bot]
babd992684
Bump nanoid from 3.1.23 to 3.2.0 ( #17342 )
...
Bumps [nanoid](https://github.com/ai/nanoid ) from 3.1.23 to 3.2.0.
- [Release notes](https://github.com/ai/nanoid/releases )
- [Changelog](https://github.com/ai/nanoid/blob/main/CHANGELOG.md )
- [Commits](https://github.com/ai/nanoid/compare/3.1.23...3.2.0 )
---
updated-dependencies:
- dependency-name: nanoid
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
3 years ago
dependabot[bot]
cdbb032e21
Bump @babel/preset-env from 7.16.8 to 7.16.11 ( #17358 )
...
Bumps [@babel/preset-env](https://github.com/babel/babel/tree/HEAD/packages/babel-preset-env ) from 7.16.8 to 7.16.11.
- [Release notes](https://github.com/babel/babel/releases )
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md )
- [Commits](https://github.com/babel/babel/commits/v7.16.11/packages/babel-preset-env )
---
updated-dependencies:
- dependency-name: "@babel/preset-env"
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
3 years ago
dependabot[bot]
2a3e637e56
Bump rubocop from 1.24.1 to 1.25.0 ( #17322 )
...
Bumps [rubocop](https://github.com/rubocop/rubocop ) from 1.24.1 to 1.25.0.
- [Release notes](https://github.com/rubocop/rubocop/releases )
- [Changelog](https://github.com/rubocop/rubocop/blob/master/CHANGELOG.md )
- [Commits](https://github.com/rubocop/rubocop/compare/v1.24.1...v1.25.0 )
---
updated-dependencies:
- dependency-name: rubocop
dependency-type: direct:development
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
3 years ago
dependabot[bot]
e3d7ed2139
Bump @babel/core from 7.16.7 to 7.16.12 ( #17360 )
...
Bumps [@babel/core](https://github.com/babel/babel/tree/HEAD/packages/babel-core ) from 7.16.7 to 7.16.12.
- [Release notes](https://github.com/babel/babel/releases )
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md )
- [Commits](https://github.com/babel/babel/commits/v7.16.12/packages/babel-core )
---
updated-dependencies:
- dependency-name: "@babel/core"
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
3 years ago
dependabot[bot]
c4647b48d2
Bump rails from 6.1.4.1 to 6.1.4.4 ( #17159 )
...
* Bump rails from 6.1.4.1 to 6.1.4.4
Bumps [rails](https://github.com/rails/rails ) from 6.1.4.1 to 6.1.4.4.
- [Release notes](https://github.com/rails/rails/releases )
- [Commits](https://github.com/rails/rails/compare/v6.1.4.1...v6.1.4.4 )
---
updated-dependencies:
- dependency-name: rails
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
* Revert marcel to 1.0.1
Avoid some regression that need to be investigated
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Claire <claire.github-309c@sitedethib.com>
3 years ago
Claire
2d4faa5cfd
Disable captcha if registrations are disabled for various reasons
3 years ago
Claire
c209cf5a09
Renew Rails session ID on successful registration
3 years ago
Claire
49494c3379
Fix tests
3 years ago
Claire
d36eb0503f
Please CodeClimate
3 years ago
Claire
5c88cb1a67
Add optional hCaptcha support
...
Fixes #1649
This requires setting `HCAPTCHA_SECRET_KEY` and `HCAPTCHA_SITE_KEY`, then
enabling the admin setting at
`/admin/settings/edit#form_admin_settings_captcha_enabled`
Subsequently, a hCaptcha widget will be displayed on `/about` and
`/auth/sign_up` unless:
- the user is already signed-up already
- the user has used an invite link
- the user has already solved the captcha (and registration failed for another
reason)
The Content-Security-Policy headers are altered automatically to allow the
third-party hCaptcha scripts on `/about` and `/auth/sign_up` following the same
rules as above.
3 years ago
Wonderfall
85389ddd45
disable legacy XSS filtering ( #17289 )
...
Browsers are phasing out X-XSS-Protection, but Safari and IE still support it.
3 years ago
Claire
d045ba2add
Fix link_to_login argument handling when a block is passed ( #17345 )
3 years ago
Claire
f7cf13bcef
Merge pull request #1663 from ClearlyClaire/glitch-soc/merge-upstream
...
Merge upstream changes
3 years ago
Claire
73eeb58f10
[Glitch] Change `percent` to `rate` in retention metrics API
...
Port 41d64ee271
to glitch-soc
Signed-off-by: Claire <claire.github-309c@sitedethib.com>
3 years ago
Claire
1800e05513
[Glitch] Fix text being incorrectly pre-selected in composer textarea on /share
...
Port 335049cc33
to glitch-soc
Signed-off-by: Claire <claire.github-309c@sitedethib.com>
3 years ago
Claire
67028c4779
Merge branch 'main' into glitch-soc/merge-upstream
...
Conflicts:
- `spec/models/status_spec.rb`:
Upstream added tests too close to glitch-soc-specific tests.
Kept both tests.
3 years ago
Claire
e92ac5b769
Fix error-prone SQL queries ( #15828 )
...
* Fix error-prone SQL queries in Account search
While this code seems to not present an actual vulnerability, one could
easily be introduced by mistake due to how the query is built.
This PR parameterises the `to_tsquery` input to make the query more robust.
* Harden code for Status#tagged_with_all and Status#tagged_with_none
Those two scopes aren't used in a way that could be vulnerable to an SQL
injection, but keeping them unchanged might be a hazard.
* Remove unneeded spaces surrounding tsquery term
* Please CodeClimate
* Move advanced_search_for SQL template to its own function
This avoids one level of indentation while making clearer that the SQL template
isn't build from all the dynamic parameters of advanced_search_for.
* Add tests covering tagged_with, tagged_with_all and tagged_with_none
* Rewrite tagged_with_none to avoid multiple joins and make it more robust
* Remove obsolete brakeman warnings
* Revert "Remove unneeded spaces surrounding tsquery term"
The two queries are not strictly equivalent.
This reverts commit 86f16c537e06c6ba4a8b250f25dcce9f049023ff.
3 years ago
Claire
41d64ee271
Change `percent` to `rate` in retention metrics API ( #16910 )
3 years ago
Claire
06f653972a
Add OMNIAUTH_ONLY environment variable to enforce externa log-in ( #17288 )
...
* Remove support for OAUTH_REDIRECT_AT_SIGN_IN
Fixes #15959
Introduced in #6540 , OAUTH_REDIRECT_AT_SIGN_IN allowed skipping the log-in form
to instead redirect to the external OmniAuth login provider.
However, it did not prevent the log-in form on /about introduced by #10232 from
appearing, and completely broke with the introduction of #15228 .
As I restoring that previous log-in flow without introducing a security
vulnerability may require extensive care and knowledge of how OmniAuth works,
this commit removes support for OAUTH_REDIRECT_AT_SIGN_IN instead for the time
being.
* Add OMNIAUTH_ONLY environment variable to enforce external log-in only
* Disable user registration when OMNIAUTH_ONLY is set to true
* Replace log-in links When OMNIAUTH_ONLY is set with exactly one OmniAuth provider
3 years ago
Claire
12bb24ea35
Remove support for OAUTH_REDIRECT_AT_SIGN_IN ( #17287 )
...
Fixes #15959
Introduced in #6540 , OAUTH_REDIRECT_AT_SIGN_IN allowed skipping the log-in form
to instead redirect to the external OmniAuth login provider.
However, it did not prevent the log-in form on /about introduced by #10232 from
appearing, and completely broke with the introduction of #15228 .
As I restoring that previous log-in flow without introducing a security
vulnerability may require extensive care and knowledge of how OmniAuth works,
this commit removes support for OAUTH_REDIRECT_AT_SIGN_IN instead for the time
being.
3 years ago
Claire
8114f4208f
Remove leftover database columns from Devise::Models::Rememberable ( #17191 )
...
* Remove leftover database columns from Devise::Models::Rememberable
* Update fix-duplication maintenance script
* Improve errors/warnings in the fix-duplicates maintenance script
3 years ago
Claire
12e087568d
Remove old duplicate index ( #17245 )
...
Some Mastodon versions (v1.1 and v1.2) had a duplicate index in `db/schema.rb`
without any migration script creating it. #2224 (included in v1.3) removed the
duplicate index from the file but did not provide a migration script to remove
it.
This means that any instance that was installed from v1.1 or v1.2's source code
has a duplicate index and a corresponding warning in PgHero. Instances set up
using an earlier or later Mastodon version do not have this issue.
This PR removes the duplicate index if it is present.
3 years ago
Claire
335049cc33
Fix text being incorrectly pre-selected in composer textarea on /share ( #17339 )
...
Fixes #17295
3 years ago
Claire
efd2f303fe
Change mastodon:webpush:generate_vapid_key task to not require functional env ( #17338 )
...
Fixes #17297
3 years ago
Claire
68a9057420
Add post edited notice in admin and public UIs ( #17335 )
...
* Add edited toot flag on public pages
* Add toot edit flag to admin pages
3 years ago
Claire
458f232d21
Add content-type to status source in glitch-soc
3 years ago