Commit graph

1276 commits

Author SHA1 Message Date
ThibG
4e292c23d6 Fix not being able to unbookmark toots when blocked by their author (#14604)
* Fix not being able to unbookmark toots when blocked by their author

* Add tests
2020-08-19 19:02:06 +02:00
ThibG
8baad22f68 Improve email address validation (#14565)
* Increase DNS timeout from 1 second to 5 seconds for MX check

1 seconds is rather short when using a recursive DNS resolver which
hasn't got a cached result already available. Use 5 seconds instead,
which is the timeout value we use for outgoing HTTP queries.

* Add more precise error messages for invalid e-mail addresses
2020-08-12 12:40:25 +02:00
ThibG
7792bab1cd Fix RSS feeds not being cachable (#14368)
* Add tests for some cachable responses

This only covers responses that we should have managed to make cachable
so far. It's not the case of all responses that should be cachable in
the end.

* Fix RSS feeds not being cachable
2020-07-22 11:44:02 +02:00
Ariel
ac1a3386bd Fix/14021 behaviour on add or remove toots (#14212)
* Add toot send by current user at local state after send a new toot

Related to #14021

* Decrement toot counter at profile when remove a toot

Related to #14021

* Remove semicolon at end of line
2020-07-19 17:04:02 +02:00
ThibG
c9fbf47a23 Fix being unable to unboost when blocked by their author (#14308)
Fixes #14307
2020-07-15 14:43:19 +02:00
abcang
aca93fa882 Fix rubocop warning (#14288)
* Fix rubocop warning

* use limit variable

* use ContextCreatingMethods option
2020-07-14 19:05:07 +02:00
Eugen Rochko
0edde9d6c8 Fix media attachments enumeration (#14254)
* Fix media attachment enumeration

* Switch media_attachments id to snowflake ids

Co-authored-by: Thibaut Girka <thib@sitedethib.com>
2020-07-07 15:26:51 +02:00
Eugen Rochko
a79c5e5e63 Fix other sessions not being logged out on password change (#14252)
While OAuth tokens were immediately revoked, accessing the home
controller immediately generated new OAuth tokens and "revived"
the session due to a combination of using remember_me tokens and
overwriting the `authenticate_user!` method
2020-07-07 15:26:31 +02:00
ThibG
3afc7977b1 Add user notes on accounts (#14148)
* Add UserNote model

* Add UI for user notes

* Put comment in relationships entity

* Add API to create user notes

* Copy user notes to new account when receiving a Move activity

* Address some of the review remarks

* Replace modal by inline edition

* Please CodeClimate

* Button design changes

* Change design again

* Cancel note edition when pressing Escape

* Fixes

* Tweak design again

* Move “Add note” item, and allow users to add notes to themselves

* Rename UserNote into AccountNote, rename “comment” Relationship attribute to “note”
2020-06-30 19:19:50 +02:00
Eugen Rochko
a3ce01a102 Add customizable thumbnails for audio and video attachments (#14145)
- Change audio files to not be stripped of metadata
- Automatically extract cover art from audio if it exists
- Add `thumbnail` parameter to `POST /api/v1/media`, `POST /api/v2/media` and `PUT /api/v1/media/:id`
- Add `icon` to represent it in attachments in ActivityPub
- Fix `preview_url` containing URL of missing missing image when there is no thumbnail instead of null
- Fix duration of audio not being displayed on public pages until the file is loaded
2020-06-29 13:56:55 +02:00
fuyu
ad1dfea4fa Fix not working I18n on 2FA and Sign in token page (#14087) 2020-06-20 13:30:13 +02:00
ThibG
6a3e2b0fe5 Fix functional user requirements in whitelist mode (#14093)
Fixes #14092
2020-06-19 19:18:47 +02:00
Eugen Rochko
2dbf6bc5ad Add e-mail-based sign in challenge for users with disabled 2FA (#14013) 2020-06-09 10:23:06 +02:00
Takeshi Umeda
654c13ecfb Add limit parameter to rss (#13743) 2020-06-09 00:18:47 +02:00
ThibG
8b552d6f0c Fix unpermitted operations on custom emojis leading to cryptic errors (#13951)
* Display appropriate error when performing unpermitted operation on custom emoji

Fixes #13897

* Remove links to custom emoji actions not performable by moderators
2020-06-05 15:23:27 +02:00
Eugen Rochko
9de5c70980 Fix wrong route helper in encrypted messages controller (#13952)
And add `created_at` to encrypted message serializer
2020-06-03 20:32:15 +02:00
ThibG
8d57f6c4b4 Fix account redirect confirmation message talking about moved followers (#13950)
Fixes #13949
2020-06-03 20:18:19 +02:00
Eugen Rochko
b864e78db8 Add E2EE API (#13820) 2020-06-02 19:24:53 +02:00
ThibG
60bb6ac6f4 Fix webfinger returning wrong status code on malformed or missing param (#13759)
Fixes #13757
2020-05-14 23:28:06 +02:00
ThibG
f48e191e8e Fix sr locale being selected over sr-Latn (#13693)
* Fix sr locale being selected over sr-Latn

* Update tests
2020-05-11 01:09:21 +02:00
Eugen Rochko
fc7cad8b2d Add ability to remove identity proofs from account (#13682)
Fix #12613
2020-05-10 11:21:10 +02:00
Takeshi Umeda
861661100c Add remote only to public timeline (#13504)
* Add remote only to public timeline

* Fix code style
2020-05-10 10:36:18 +02:00
ThibG
e9227d8c10 Remove confusing “You are already signed in.” flash message (#13547)
When attempting to access the log-in page while already logged in,
Devise's `require_no_authentication` kicks in and sets a flash
message “You are already signed in.”

In almost all cases, this also causes a redirect to /web, which
does not display or clear flash messages, thus leaving the message
to a potentially much later date, like for instance, accessing
/preferences several minutes after being redirected to /web.
2020-05-10 10:16:39 +02:00
ThibG
5479d33843 Fix own following/followers not showing muted users (#13614)
Fixes #13612
2020-05-08 20:36:34 +02:00
Eugen Rochko
e80d4479c7 Add more ActivityPub controller tests (#13590) 2020-05-03 22:19:24 +02:00
Eugen Rochko
0ca06d0ba9 Add more tests for ActivityPub controllers (#13585) 2020-05-03 16:30:36 +02:00
sternenseemann
674005c08e Allow users to delete their header and avatar (#13234)
This is achieved by sending a DELETE request to
/settings/profile/pictures/{avatar,header} via a link that is part of
the upload form's hint of the respective picture.
2020-04-20 14:03:03 +02:00
Takeshi Umeda
f5606cdab4 Add local only to hashtag timeline (#13502) 2020-04-18 21:52:39 +02:00
Eugen Rochko
2d3219549b Change delivery failure tracking to work with hostnames instead of URLs (#13437) 2020-04-15 20:33:24 +02:00
Eugen Rochko
50fa554899 Add rate limit for reporting (#13390) 2020-04-05 14:40:08 +02:00
Eugen Rochko
6932e0e2af Add ability to filter audit log in admin UI (#13381) 2020-04-03 13:06:34 +02:00
Takeshi Umeda
1c2a286244 Fix ImportsController param to permit :mode (#13347) 2020-03-31 12:43:42 +02:00
ThibG
1a993f9675 Fix 404 and 410 API errors being silently discarded in WebUI (#13279)
* Fix 404 and 410 API errors being silently discarded in WebUI

Fixes #13278

* Return more appropriate error when user replies to a deleted toot

* Please CodeClimate

* Fix 404/410 errors on fetching account timelines & identity proofs

* Refactor error handling

* Move error message string to statuses.errors
2020-03-28 17:59:45 +01:00
Eugen Rochko
9ced8b6dd5 Add option to include resolved DNS records when blacklisting e-mail domains in admin UI (#13254)
* Add shortcuts to blacklist a user's e-mail domain in admin UI

* Add option to blacklist resolved MX and IP records for e-mail domains
2020-03-12 22:35:20 +01:00
Eugen Rochko
da9d81c4ac Add titles to warning presets in admin UI (#13252) 2020-03-12 17:57:59 +01:00
ThibG
cd7c22da32 Add federation support for the "hide network" preference (#11673)
* Change ActivityPub follower/following collections to not link first page

* Add support for hiding followers and following of remote users

* Switch to using a single `hide_collections` column

* Address code style remarks
2020-03-09 00:10:29 +01:00
Eugen Rochko
f459919552 Change local media attachments to perform heavy processing asynchronously (#13210)
Fix #9106
2020-03-08 23:56:18 +01:00
ThibG
cb93be3b88 Add ability to delete files uploaded for settings in admin UI (#13192)
* Allow deleting site uploads

* Refactor and move links into hints

* Fix i18n tests

* Fix HTML output of site_upload_delete_hint
2020-03-08 16:00:24 +01:00
Eugen Rochko
a4668d994b Add specific rate limits for posting and following (#13172) 2020-03-08 15:17:39 +01:00
Eugen Rochko
9619521459 Remove useless respond_to calls (#13208) 2020-03-06 01:29:38 +01:00
Eugen Rochko
e0db9f37f5 Fix leak of arbitrary statuses through unfavourite action in REST API (#13161) 2020-02-27 12:32:54 +01:00
ThibG
c004399975 Fix dismissing an announcement twice raising an obscure error (#13124) 2020-02-24 22:21:40 +01:00
ThibG
8e8d9b3727 Fix account JSON/RSS not being cacheable due to wrong mime type comparison (#13116)
`request.format` is not a symbol but a `Mime::Type`, so the condition actually
never matched, and a session was created even for those requests, preventing
caching.
2020-02-19 22:31:53 +01:00
ThibG
ddd9bad7f1 Fix sign-ups without checked user agreement being accepted through the web form (#13088)
* Fix user agreement not being verified

* Fix tests

* Fix up agreement field being dismissed
2020-02-16 12:56:53 +01:00
Eugen Rochko
f1317633b5 Fix unfiltered params error when generating ActivityPub tag pagination (#13049) 2020-02-08 17:29:40 +01:00
Eugen Rochko
bf4fb26b9d Fix malformed HTML causing uncaught error (#13042)
Fix OEmbed preview API leaking existence of private statuses (see #12930)
2020-02-07 15:24:22 +01:00
Eugen Rochko
5c4b1db54a Change signature verification to ignore signatures with invalid host (#13033)
Instead of returning a signature verification error, pretend there
was no signature (i.e., this does not allow access to resources that
need a valid signature), so public resources can still be fetched

Fix #13011
2020-02-03 17:48:23 +01:00
ThibG
99cf92a3cf Change how unread announcements are handled (#13020)
* Change meaning of /api/v1/announcements/:id/dismiss to mark an announcement as read

* Change how unread announcements are counted in UI

* Add unread marker to announcements and mark announcements as unread as they are displayed

* Fixups
2020-02-03 01:53:09 +01:00
Eugen Rochko
9fb8165712 Add publish/unpublish controls to announcements in admin UI (#12967) 2020-01-27 11:05:33 +01:00
Eugen Rochko
dd68e44cfa Add streaming API updates for announcements being modified or deleted (#12963)
Change `all_day` to be a visual client-side cue only

Publish immediately if `scheduled_at` is in the past

Add `published_at` and `updated_at` to announcements JSON
2020-01-26 20:07:26 +01:00
Eugen Rochko
669f1f5e7f Fix OEmbed leaking information about existence of non-public statuses (#12930) 2020-01-24 00:20:51 +01:00
Eugen Rochko
e4aa4a1c28 Fix password change/reset not immediately invalidating other sessions (#12928)
While making browser requests in the other sessions after a password
change or reset does not allow you to be logged in and correctly
invalidates the session making the request, sessions have API tokens
associated with them, which can still be used until that session
is invalidated.

This is a security issue for accounts that were already compromised
some other way because it makes it harder to throw out the hijacker.
2020-01-24 00:20:38 +01:00
Eugen Rochko
36b1dd934d Fix relationships page not showing results in admin UI (#12934)
Follow-up to #12927
2020-01-24 00:20:23 +01:00
Eugen Rochko
f95fd62bac Add announcements (#12662)
* Add announcements

Fix #11006

* Add reactions to announcements

* Add admin UI for announcements

* Add unit tests

* Fix issues

- Add `with_dismissed` param to announcements API
- Fix end date not being formatted when time range is given
- Fix announcement delete causing reactions to send streaming updates
- Fix announcements container growing too wide and mascot too small
- Fix `all_day` being settable when no time range is given
- Change text "Update" to "Announcement"

* Fix scheduler unpublishing announcements before they are due

* Fix filter params not being passed to announcements filter
2020-01-23 22:00:13 +01:00
Eugen Rochko
67172aa4f9 Change followers page to relationships page in admin UI (#12927)
Allow browsing and filtering all relationships instead of just
followers, unify the codebase with the user-facing relationship
manager, add ability to see who the user invited
2020-01-23 20:33:20 +01:00
Eugen Rochko
9ebfb23e87 Various fixes and improvements (#12878)
* Fix unused role routes being generated

* Remove unused JavaScript code

* Refactor filters code to be DRYer

* Fix `.count == 0` comparisons to `.empty?` in views

* Fix filters in views
2020-01-20 15:55:03 +01:00
Eugen Rochko
61320da638 Fix access to OEmbed endpoint in secure mode (#12864) 2020-01-14 08:52:32 +01:00
Eugen Rochko
413cb7e861 Fix base64-encoded file uploads not being possible (#12748)
Fix #3804, Fix #5776
2020-01-04 01:54:07 +01:00
Eugen Rochko
e066de9a3c Fix missing authentication call in filters controller (#12746) 2020-01-03 05:29:08 +01:00
Eugen Rochko
91422d35ed Fix uncaught unknown format errors in host meta controller (#12747) 2020-01-03 05:28:56 +01:00
ThibG
f0cca7a79f Hide blocked users from more places (#12733)
* Hide blocked, muted, and blocked-by users from toot favourite lists

* Hide blocked, muted, and blocked-by users from toot reblog lists

* Hide blocked, muted, and blocked-by users from followers/following (API)

* Fix tests

* Hide blocked, muted, and blocked-by users from followers/following on public pages
2019-12-31 00:55:32 +01:00
Eugen Rochko
c3ef5d7628 Fix error when fetching followers/following from REST API when user has network hidden (#12716)
Fix #12510
2019-12-31 00:54:38 +01:00
ThibG
6b20921c88 Remove unused AccountRelationshipsPresenter call in public pages (#12734)
Those were used to show a “follow” or “unfollow” button on account grid on
public pages, but that got removed a while ago.
2019-12-30 19:13:02 +01:00
Eugen Rochko
49b6881379 Fix settings pages being cacheable by the browser (#12714)
Fix #12255
2019-12-30 04:38:30 +01:00
Eugen Rochko
7cca47919f Fix HTML error pages being returned when JSON is expected (#12713)
Fix #12509
See also #12214
2019-12-30 04:38:18 +01:00
Eugen Rochko
af95252d4c Fix missing error templates for non-HTML requests (#12593) 2019-12-10 07:39:54 +01:00
Eugen Rochko
2eda06b768 Fix generic HTTP 500 error on duplicate records (#12563)
Fix #12551
Fix #12547
2019-12-06 22:40:06 +01:00
ThibG
60d26cabf0 Add follow_request notification type (#12198)
* Add follow_request notification type

The notification type already existed in the backend but was never pushed
to the front-end. This also means translation strings were also available
for the backend, from the notification mailer.

Unlike other notification types, these are off by default, to match what
I remember of Gargron's view on the topic: that follow requests should not
clutter notifications and should instead be reviewed at the user's own
leisure in the dedicated column.

Since follow requests have their own column, I've deemed it unnecessary to
add a specific tab for them in the notification quick filter.

* Show follow request link in single-column if there are pending requests, even if account isn't locked

* Push follow requests from notifications to the follow_requests list

* Offer to accept or reject follow request from the notification

* Redesign follow request notification
2019-12-01 17:25:29 +01:00
ThibG
4b0a6d79dd Add ability to filter reports by target account domain (#12154)
* Add ability to filter reports by target account domain

* Reword by_target_domain label
2019-11-30 19:53:58 +01:00
Eugen Rochko
5761622a1e Fix proofs API being inaccessible in secure mode (#12495) 2019-11-28 04:07:49 +01:00
Gomasy
d13e680f74 Support min_id-based pagination for bookmarks (#12381)
* Support min_id-based pagination for bookmarks

* Fix spec
2019-11-17 17:09:41 +01:00
Jennifer Glauche
0aae35e310 make it not return http 400 when passing and empty source argument (#12259)
* make it not return http 400 when passing and empty source argument

* create a spec for the empty source hash bug

* compact checks for nil, empty? parameters

* use nil.blank? instead checking for nil
2019-11-16 19:02:09 +01:00
ThibG
517c1cd062 Add bookmarks (#7107)
* Add backend support for bookmarks

Bookmarks behave like favourites, except they aren't shared with other
users and do not have an associated counter.

* Add spec for bookmark endpoints

* Add front-end support for bookmarks

* Introduce OAuth scopes for bookmarks

* Add bookmarks to archive takeout

* Fix migration

* Coding style fixes

* Fix rebase issue

* Update bookmarked_statuses to latest UI changes

* Update bookmark actions to properly reflect status changes in state

* Add bookmarks item to single-column layout

* Make active bookmarks red
2019-11-13 23:02:10 +01:00
Yamagishi Kazutoshi
2ede35e843 Change to always returns html document in error pages (#12214) 2019-11-13 22:53:05 +01:00
Faye Duxovni
6bca6dbc2d Add setting for whether to crop images in unexpanded toots (#12126) 2019-10-24 22:51:41 +02:00
ThibG
795144fbbb Fix incoming federation in whitelist mode (#12185)
… posting to the AP inbox required a logged-in local user…
2019-10-24 22:45:35 +02:00
Eugen Rochko
2e07a901c5 Fix attachment not being re-downloaded even if file is not stored (#12125)
Change the behaviour of remotable concern. Previously, it would skip
downloading an attachment if the stored remote URL is identical to
the new one. Now it would not be skipped if the attachment is not
actually currently stored by Paperclip.
2019-10-09 07:10:46 +02:00
Eugen Rochko
6b96a6dd15 Fix GET /api/v1/instance REST APIs being unavailable in secure mode (#12089) 2019-10-06 22:11:29 +02:00
Eugen Rochko
c453888616 Fix performance of home feed regeneration (#12084)
Fetching statuses from all followed accounts at once takes too long
within Postgres. Fetching them one by one and merging in Ruby
could be a lot less resource-intensive

Because the query for dynamically fetching the home timeline is so
heavy, we can no longer offer it when the home timeline is missing
2019-10-06 22:11:17 +02:00
Eugen Rochko
059287ad08 Add reason param to POST /api/v1/accounts REST API (#12064)
For approval-required registrations mode
2019-10-03 17:50:59 +02:00
ThibG
be13fc919c Fix RSS caching (but disable localization) (#12054) 2019-10-02 18:30:33 +02:00
Eugen Rochko
28c19c66ba Fix featured hashtag URL being interpreted as media or with_replies (#12048)
Fix #12034
2019-10-02 04:53:17 +02:00
Eugen Rochko
51a72a802f Add a nodeinfo endpoint (#12002)
* Add nodeinfo endpoint

* dont commit stuff from my local dev

* consistant naming since we implimented 2.1 schema

* Add some additional node info stuff

* Add nodeinfo endpoint

* dont commit stuff from my local dev

* consistant naming since we implimented 2.1 schema

* expanding this to include federation info

* codeclimate feedback

* CC feedback

* using activeserializers seems like a good idea...

* get rid of draft 2.1 version

* Reimplement 2.1, also fix metaData -> metadata

* Fix metaData -> metadata here too

* Fix nodeinfo 2.1 tests

* Implement cache for monthly user aggregate

* Useless

* Remove ostatus from the list of supported protocols

* Fix nodeinfo's open_registration reading obsolete setting variable

* Only serialize domain blocks with user-facing limitations

* Do not needlessly list noop severity in nodeinfo

* Only serialize domain blocks info in nodeinfo when they are set to be displayed to everyone

* Enable caching for nodeinfo endpoints

* Fix rendering nodeinfo

* CodeClimate fixes

* Please CodeClimate

* Change InstancePresenter#active_user_count_months for clarity

* Refactor NodeInfoSerializer#metadata

* Remove nodeinfo 2.1 support as the schema doesn't exist

* Clean-up
2019-09-29 21:31:51 +02:00
Eugen Rochko
ae03161ad9 Fix account migration not affecting followers on origin server (#11980) 2019-09-29 16:23:13 +02:00
Eugen Rochko
f5c71a6cd2 Add (back) option to set redirect notice on account without moving followers (#11994)
Fix #11913
2019-09-29 05:03:19 +02:00
Eugen Rochko
561b0509c3 Fix redirecting non-functional accounts on public pages (#11978)
Fix #11969
2019-09-28 01:33:27 +02:00
Eugen Rochko
66d3e13777 Add exclude_unreviewed param to GET /api/v2/search REST API (#11977)
Make it so normal search returns even unreviewed matches, but
autosuggestions do not.

Fix #11960
2019-09-28 01:02:21 +02:00
ThibG
70990720c5 Change silences to always require approval on follow (#11975)
* Change silenced accounts to require approval on follow

* Also require approval for follows by people explicitly muted by target accounts

* Do not auto-accept silenced or muted accounts when switching from locked to unlocked

* Add `follow_requests_count` to verify_credentials

* Show “Follow requests” menu item if needed even if account is locked

* Add tests

* Correctly reflect that follow requests weren't auto-accepted when local account is silenced

* Accept follow requests from user-muted accounts to avoid leaking mutes
2019-09-27 21:13:51 +02:00
abcang
4c0da93bc7 Improve status pin query (#11972) 2019-09-27 15:23:30 +02:00
Eugen Rochko
67796a267d Fix relays UI being available in whitelist/secure mode (#11963)
Fix relays UI referencing relay that is not functional
2019-09-27 02:13:34 +02:00
Eugen Rochko
3773115066 Fix authentication before 2FA challenge (#11943)
Regression from #11831
2019-09-24 04:35:36 +02:00
Takeshi Umeda
45fe523a18 Addition of update activity distribution by alias, minor correction (#11905)
* Addition of update activity distribution by alias, minor correction

* Distribute Update activity after adding alias
* Add uniqueness verification to alias uri
* accept acct starting with @

* fix double-quoted to single-quoted
2019-09-21 09:11:21 +02:00
Takeshi Umeda
74e4abcebc Fixed an error in the aliases template of the aliases controller (#11902) 2019-09-21 02:59:37 +02:00
Eugen Rochko
a2d3728c36 Add account migration UI (#11846)
Fix #10736

- Change data export to be available for non-functional accounts
- Change non-functional accounts to include redirecting accounts
2019-09-19 20:58:19 +02:00
Eugen Rochko
61442032a2 Add table of contents to about page (#11885)
Move public domain blocks information to about page
2019-09-19 11:09:05 +02:00
Eugen Rochko
1781358bd9 Add password challenge to 2FA settings, e-mail notifications (#11878)
Fix #3961
2019-09-18 16:37:27 +02:00
Eugen Rochko
8904a4eb36 Fix TOTP codes not being filtered from logs during enabling/disabling (#11877)
Not a serious issue because they are meaningless past single use
2019-09-18 02:48:40 +02:00
Eugen Rochko
ae443cb6ea Fix webfinger response not returning 410 when account is suspended (#11869) 2019-09-17 14:58:02 +02:00
mayaeh
566e85716f Add search and sort functions to hashtag admin UI (#11829)
* Add search and sort functions to hashtag admin UI

* Move scope processing from tags_controller to tag_filter

* Fix based on method naming conventions

* Fixed not to get 500 errors for invalid requests
2019-09-16 14:27:29 +02:00
Eugen Rochko
8eb0d880cb Fix 2FA challenge and password challenge for non-database users (#11831)
* Fix 2FA challenge not appearing for non-database users

Fix #11685

* Fix account deletion not working when using external login

Fix #11691
2019-09-15 21:08:39 +02:00
Eugen Rochko
8824964836 Remove deprecated GET /api/v1/search API (#11823)
Use `GET /api/v2/search` instead
2019-09-13 16:11:13 +02:00
ThibG
7d2fceae9b Change /api/v1/timelines/public to require auth when public preview is off (#11802)
Fixes #11289
2019-09-13 16:03:46 +02:00
Eugen Rochko
ec20fd2112 Change unlisted custom emoji to not appear in autosuggestions (#11818)
Fix #11669
2019-09-13 16:01:09 +02:00
Eugen Rochko
605a4e654a Fix uncaught errors in media proxy controller (#11811) 2019-09-12 01:51:12 +02:00
Eugen Rochko
4291b74031 Change deletes to preserve soft-deleted statuses in unresolved reports (#11805)
Change all account actions except "none" to resolve all unresolved reports

Refactor `SuspendAccountService` to be more readable
2019-09-11 16:32:44 +02:00
ThibG
875d2e2b59 Add updated relationship to follow request API responses (#11800)
Fixes #11747
2019-09-10 20:56:42 +02:00
Eugen Rochko
25fb124ee6 Add batch actions and categories to admin UI for custom emojis (#11793) 2019-09-09 22:44:17 +02:00
Eugen Rochko
7799c7c75f Add batch approve/reject for pending hashtags in admin UI (#11791) 2019-09-09 12:50:09 +02:00
Takeshi Umeda
50c2f0dcc1 Add featured tags API (#11778)
* Add featured tags API

* Remove show and update, change scope, fix code style
2019-09-09 10:50:33 +02:00
Yamagishi Kazutoshi
7544167f3c Add healthcheck endpoint for web (#11770) 2019-09-07 02:47:51 +02:00
Eugen Rochko
89989b6255 Add timeline read markers API (#11762)
Fix #4093
2019-09-06 13:55:51 +02:00
Eugen Rochko
09fe562dd6 Fix wrong variable regression from #11753 (#11763) 2019-09-05 06:13:50 +02:00
Eugen Rochko
7ef93513f7 Change account deletion page to have better explanations (#11753)
Fix deletion of unconfirmed account not freeing up the username

Add prefill of logged-in user's email in the reconfirmation form
2019-09-04 04:13:54 +02:00
Eugen Rochko
436266ca27 Change trending hashtags to not disappear instantly after midnight (#11712) 2019-09-02 18:11:13 +02:00
Eugen Rochko
76bdc01aee Fix wrong percentages in admin UI for hashtag usage breakdown (#11714) 2019-09-01 19:44:05 +02:00
Eugen Rochko
b47119eb61 Change layout of public profile directory to be the same as in web UI (#11705) 2019-08-30 07:41:16 +02:00
Eugen Rochko
73d8f314a9 Fix error in REST API for an account's statuses (#11700) 2019-08-30 02:49:44 +02:00
Eugen Rochko
a2a65f43b2 Fix uncaught error when resource param is missing in Webfinger request (#11701) 2019-08-30 02:49:33 +02:00
Eugen Rochko
ee9d0c0f38 Fix uncaught domain normalization error in remote follow (#11703) 2019-08-30 02:19:17 +02:00
Eugen Rochko
f21e27e914 Fix uncaught parameter missing exceptions and missing error templates (#11702) 2019-08-30 01:34:47 +02:00
Eugen Rochko
79922ae20f Add profile directory to web UI (#11688)
* Add profile directory to web UI

* Add a line of bio to the directory
2019-08-30 00:14:36 +02:00
Eugen Rochko
9959cdc79f Add option to include reported statuses in warning e-mail (#11639) 2019-08-23 22:37:23 +02:00
Eugen Rochko
32c781ec6b Add soft delete for statuses for instant deletes through API (#11623)
* Add soft delete for statuses to allow them to appear instant

* Allow reporting soft-deleted statuses and show them in the admin UI

* Change index for getting an account's statuses
2019-08-22 21:55:56 +02:00
Eugen Rochko
e4605bbb4a Fix remote and staff-removed statuses leaving media behind for a day (#11638)
The reason for unattaching media instead of removing it is to support
delete & redraft functionality, but remote or staff-removed statuses
will never be redrafted, so the media should be deleted immediately
2019-08-22 04:17:12 +02:00
ThibG
f17b0ff712 Add invite comments (#10465) 2019-08-19 11:40:42 +02:00
ThibG
867b9f3e9c Add public blocks to /about/blocks (#11298)
* Add automatic blocklist display in /about/blocks

Inspired by https://github.com/Gargron/mastodon.social-misc

* Add admin option to set who can see instance blocks

* Normalize locales files

* Rename “Sandbox” to “Silence” for consistency

* Disable /about/blocks when in whitelist mode

* Optionally display rationale for domain blocks

* Only display domain blocks that have user-facing limitations, and order them

* Redesign table of blocked domains to better handle long domain names and rationales

* Change domain blocks ordering now that rationales aren't displayed right away

* Only show explanation for block severities actually in use

* Reword instance block explanations and add disclaimer for public fetch mode
2019-08-19 11:35:48 +02:00
Takeshi Umeda
363c6e8f52 Add an RSS feed tagged to a public profile page (#10502)
* Add featured tag support to rss feed on public account page

* fix codeing style
2019-08-18 20:54:36 +02:00
Eugen Rochko
dde2c17e12 Fix uncaught 422 and 500 errors (#11590) 2019-08-18 18:04:18 +02:00
Eugen Rochko
dc20e1af71 Add HTTP signature keyId to request log (#11591) 2019-08-18 18:03:56 +02:00
Eugen Rochko
8e76c759c1 Add explanation to featured hashtags page and profile (#11586) 2019-08-17 18:07:52 +02:00
ThibG
404b64f5ca Fix multiple issues with replies collection for pages further than self-replies (#11582)
* Fix the replies collection returning snowflakes ids rather than URIs

Fixes #11568

* Fix min_id in replies queries once self-replies are exhausted

* Fix `next` attribute of replies collection being nil when there are no self-replies

* Rename other_accounts param to only_other_accounts
2019-08-16 22:58:51 +02:00
Eugen Rochko
a8d983934e Fix blurhash and autoplay not working on public pages (#11585) 2019-08-16 19:15:05 +02:00
Eugen Rochko
88ef061da1 Fix 422 being returned instead of 404 when POSTing (#11574) 2019-08-16 02:08:35 +02:00
ThibG
cfc3fc6bcd Fix reverse-proxy caching of instance actor object (#11561) 2019-08-13 15:30:37 +02:00
ThibG
93e6461e66 Fix more ActivityPub queries setting cookies and preventing caching (#11557) 2019-08-12 22:26:07 +02:00
ThibG
bfa0b76a6c Fix ActivityPub and REST API queries setting cookies and preventing caching (#11539)
Regression from #8657
2019-08-11 22:59:40 +02:00
Eugen Rochko
24a5f99d10 Fix pinned statuses API returning pagination headers (#11526)
Fix #10227
2019-08-08 23:04:04 +02:00
Eugen Rochko
85466a2b9d Fix weekly usage not being displayed correctly in hashtag admin UI (#11524)
Fix percentages in usage breakdown having too many digits

Change trending hashtags to only ask for review if a hashtag enters
the top 3 position in the set, since it's the only items shown in
the default web UI
2019-08-08 23:03:28 +02:00
Eugen Rochko
10b486f627 Fix acct URIs with IDN domains not being resolved (#11520)
Fix #11494
2019-08-07 21:14:08 +02:00
Eugen Rochko
cc1e24ddc7 Add breakdown of usage by source to admin UI for hashtags (#11517)
Allows determining where the majority of posts in a hashtag come
from on a given day at a glance.
2019-08-07 20:20:39 +02:00
ThibG
072e696aa1 Add domain block notes (#11515)
* Add database columns for adding notes to domain blocks/restrctions

* Add admin UI to set private and public comments when blocking a domain

* Add text for private and public comments on domain blocks

* Show domain block comments in admin UI

* Add comments to the domain block undo page

* Make UnblockDomainService more robust regarding upgraded domain blocks

* Allow editing domain blocks

* Rename button from “undo domain block” to “view domain block” in account admin UI

* Change test to unsilence silenced users from upgraded blocks
2019-08-07 20:20:23 +02:00
Eugen Rochko
25f549557b Fix trending tags returning less items than requested sometimes (#11513)
Add better sorting defaults to the hashtags admin UI

Add "not reviewed" filter to hashtags admin UI
2019-08-07 17:08:30 +02:00
Eugen Rochko
bfb43d7104 Add number of pending accounts and pending hashtags to admin dashboard (#11514) 2019-08-07 16:13:34 +02:00
Eugen Rochko
fd352ec288 Fix account tags not being saved correctly (#11507)
* Fix account tags not being saved correctly

Regression from b838607

Fix Tag#discoverable not returning tags where listable is nil instead of true

Add notice when saving hashtags in admin UI

Change public hashtag and directory pages to return 404 for forbidden tags

* Remove unused locale string
2019-08-07 10:01:55 +02:00
Eugen Rochko
6362ac6617 Fix admin dashboard missing latest features (#11505)
Fix redis-namespace deprecation warning about administrative commands
2019-08-06 19:40:06 +02:00
Eugen Rochko
191392e5c3 Add trends UI with admin and user settings (#11502) 2019-08-06 17:57:52 +02:00
Eugen Rochko
05e9cd13eb Change admin UI for hashtags and add back whitelisted trends (#11490)
Fix #271

Add back the `GET /api/v1/trends` API with the caveat that it does
not return tags that have not been allowed to trend by the staff.

When a hashtag begins to trend (internally) and that hashtag has
not been previously reviewed by the staff, the staff is notified.

The new admin UI for hashtags allows filtering hashtags by where
they are used (e.g. in the profile directory), whether they have
been reviewed or are pending reviewal, they show by how many people
the hashtag is used in the directory, how many people used it
today, how many statuses with it have been created today, and it
allows fixing the name of the hashtag to make it more readable.

The disallowed hashtags feature has been reworked. It is now
controlled from the admin UI for hashtags instead of from
the file `config/settings.yml`
2019-08-05 19:54:29 +02:00
Eugen Rochko
0ed96e9aee Remove XML version of Webfinger and remove links to Atom feeds (#11460)
Fix #11453
2019-08-01 19:14:02 +02:00
Eugen Rochko
825dc3ca22 Add whitelist mode (#11291) 2019-07-30 11:10:46 +02:00
ThibG
52cda33b82 Fix invites not being disabled upon account suspension (#11412)
* Disable invite links from disabled/suspended users

* Add has_many invites relationship to users

* Destroy unused invites when suspending an account
2019-07-26 18:55:33 +02:00
dependabot-preview[bot]
884e20c028 Bump active_model_serializers from 0.10.9 to 0.10.10 (#11311)
* Bump active_model_serializers from 0.10.9 to 0.10.10

Bumps [active_model_serializers](https://github.com/rails-api/active_model_serializers) from 0.10.9 to 0.10.10.
- [Release notes](https://github.com/rails-api/active_model_serializers/releases)
- [Changelog](https://github.com/rails-api/active_model_serializers/blob/v0.10.10/CHANGELOG.md)
- [Commits](https://github.com/rails-api/active_model_serializers/compare/v0.10.9...v0.10.10)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Add root option to render method
2019-07-23 11:10:42 +02:00
Eugen Rochko
6be7b414e2 Change unconfirmed user login behaviour (#11375)
Allow access to account settings, 2FA, authorized applications, and
account deletions to unconfirmed and pending users, as well as
users who had their accounts disabled. Suspended users cannot update
their e-mail or password or delete their account.

Display account status on account settings page, for example, when
an account is frozen, limited, unconfirmed or pending review.

After sign up, login users straight away and show a simple page that
tells them the status of their account with links to account settings
and logout, to reduce onboarding friction and allow users to correct
wrongly typed e-mail addresses.

Move the final sign-up step of SSO integrations to be the same
as above to reduce code duplication.
2019-07-22 10:48:50 +02:00
Eugen Rochko
79b9eee938 Add (back) rails-level JSON caching (#11333) 2019-07-21 22:32:16 +02:00
Eugen Rochko
2b4fa0d6fa Change locale detection to run once per session (#8657)
Fix #6462
2019-07-21 18:08:02 +02:00
ThibG
47dfcc601b Fix some flash notices/alerts staying on unrelated pages (#11364) 2019-07-19 23:13:21 +02:00
ThibG
c2126e3f98 Add ActivityPub actor representing the entire server (#11321)
* Add support for an instance actor

* Skip username validation for local Application accounts

* Add migration script to create instance actor

* Make Codeclimate happy

* Switch to id -99 for instance actor

* Remove unused `icon` and `image` attributes from instance actor

* Use if/elsif/else instead of return + ternary operator

* Add instance actor to fresh installs

* Use instance actor as instance representative

Use instance actor for forwarding reports, relay operations, and spam
auto-reporting.

* Seed database in test environment

* Fix single-user mode

* Fix tests

* Fix specs to accomodate for an extra `Account`

* Auto-reject follows on instance actor

Following an instance actor might make sense, but we are not handling that
right now, so auto-reject.

* Fix webfinger lookup and serialization for instance actor

* Rename instance actor

* Make it clear in the HTML view that the instance actor should not be blocked

* Raise cache time for instance actor as there's no dynamic content

* Re-use /about/more with a flash message for instance actor profile
2019-07-19 01:44:42 +02:00
ThibG
9015b19e09 Add setting to disable the anti-spam (#11296)
* Add environment variable to disable the anti-spam

* Move antispam setting to admin settings

* Fix typo

* antispam → spam_check
2019-07-17 21:09:15 +02:00
Eugen Rochko
50caff4dc0 Change terms and privacy policy pages to always be accessible (#11334)
Fix #11328
2019-07-17 19:29:37 +02:00
ThibG
978792a112 Fix custom CSS controller (#11336) 2019-07-17 17:14:25 +02:00
ThibG
a4b1083795 Fix caching headers in ActivityPub endpoints (#11331)
* Fix reverse-proxy caching in public fetch mode

* Fix caching in ActivityPub-specific controllers
2019-07-17 00:00:39 +02:00
Eugen Rochko
9dead08055 Add option to disable real-time updates in web UI (#9984)
Fix #9031
Fix #7913
2019-07-16 06:30:47 +02:00
Eugen Rochko
39719ae981 Add ActivityPub secure mode (#11269)
* Add HTTP signature requirement for served ActivityPub resources

* Change `SECURE_MODE` to `AUTHORIZED_FETCH`

* Add 'Signature' to 'Vary' header and improve code style

* Improve code style by adding `public_fetch_mode?` method
2019-07-11 20:11:09 +02:00
Eugen Rochko
d0b0b63b1a Refactor domain block checks (#11268) 2019-07-09 03:27:35 +02:00
Eugen Rochko
e17c937f65 Remove unused remote unfollow controller (#11250) 2019-07-08 12:04:06 +02:00
Eugen Rochko
56f0203c66 Refactor controllers for statuses, accounts, and more (#11249) 2019-07-08 12:03:45 +02:00
Eugen Rochko
fbbcbd940d Remove Atom feeds and old URLs in the form of GET /:username/updates/:id (#11247) 2019-07-07 16:16:51 +02:00
Eugen Rochko
4931208dd8 Remove Salmon and PubSubHubbub (#11205)
* Remove Salmon and PubSubHubbub endpoints

* Add error when trying to follow OStatus accounts

* Fix new accounts not being created in ResolveAccountService
2019-07-06 23:26:16 +02:00
Eugen Rochko
d9f42ba34b Remove deprecated REST API GET /api/v1/statuses/:id/card (#11213) 2019-07-05 02:15:24 +02:00
Eugen Rochko
6cae1b40bf Remove deprecated REST API GET /api/v1/timelines/direct (#11212) 2019-07-05 02:14:56 +02:00
Eugen Rochko
1c612f24e4 Add categories for custom emojis (#11196)
Fix #7940
2019-06-28 15:54:10 +02:00
ThibG
4b3d91dc2c Add option to disable blurhash previews (#11188)
* Add option to disable blurhash previews

* Update option text

* Change options order
2019-06-26 19:33:04 +02:00
Eugen Rochko
8ed78f0b85 Fix unnecessary SQL query performed on unauthenticated requests (#11179) 2019-06-25 20:18:15 +02:00
Eugen Rochko
eac19f2300 Change domain blocks to automatically support subdomains (#11138)
* Change domain blocks to automatically support subdomains

If a more authoritative domain is blocked (example.com), then the
same block will be applied to a subdomain (foo.example.com)

* Match subdomains of existing accounts when blocking/unblocking domains

* Improve code style
2019-06-22 00:13:10 +02:00
Eugen Rochko
433036ab8c Add moderation API (#9387)
Fix #8580
Fix #7143
2019-06-20 02:52:34 +02:00
Acid Chicken (硫酸鶏)
f2f6c5d462 Fix layout of identity proofs settings (#11126) 2019-06-20 02:18:06 +02:00
Eugen Rochko
d7e2f554fb Add audio uploads (#11123)
* Add audio uploads

Fix #4827

Accept uploads of OGG, WAV, FLAC, OPUS and MP3 files, and converts
them to OGG. Media attachments get a new `audio` type. In the UI,
audio uploads are displayed identically to video uploads.

* Improve code style
2019-06-19 23:42:38 +02:00
Eugen Rochko
75ef673216 Fix login sometimes redirecting to paths that are not pages (#11019)
Fix #11016
2019-06-10 12:28:13 +02:00
Eugen Rochko
b788e58ea4 Change /settings/preferences to redirect to appearance, add /settings/preferences/other (#10988) 2019-06-07 16:51:08 +02:00
Eugen Rochko
8bf8d6d9d9 Change preferences page into appearance, notifications, and other (#10977) 2019-06-07 03:39:24 +02:00
Eugen Rochko
87f5646ec3 Add waiting time to list of pending accounts in admin UI (#10985) 2019-06-07 03:24:10 +02:00
ThibG
806c2f8102 Cleanup various controllers (#10972)
* Remove skip_session! as it is not supported in Rails 5

* Minor cleanup in StreamEntriesController

* Remove redundant mark_cacheable! calls
2019-06-05 14:02:59 +02:00
ThibG
e80cb67ed7 Fix potential private status leak (#10969) 2019-06-05 13:40:20 +02:00
Eugen Rochko
f3a02e70a8 Fix poll API not requiring authentication on non-public polls (#10960)
* Fix poll API not requiring authentication on non-public polls

That API does not reveal the content of the status, i.e. the question
itself, nor who the author is, nor which status it belongs to, but it
does reveal the poll options and how many answers they got

Fix #10959

* Add test
2019-06-04 20:10:26 +02:00
ThibG
31b8203887 Fix web push notifications for polls (#10864)
Fixes #10861
2019-05-28 00:26:08 +02:00
Eugen Rochko
a1bceb2cb6 Add responsive panels to the single-column layout (#10820)
* Add responsive panels to the single-column layout

* Fixes

* Fix not being able to save the preference

* Fix code style issues

* Set max-height on the compose textarea and add a link to relationship manager
2019-05-25 21:27:00 +02:00
ThibG
f5637b174f Move signature verification stoplight to the requests themselves (#10813)
* Move signature verification stoplight to the requests themselves

This avoids blocking messages from known keys for 5 minutes when only one fails…

* Put the stoplight on the actual client IP, not a potential reverse proxy
2019-05-23 15:22:39 +02:00
Paul Woolcock
626844dfb1 Add account_id param to GET /api/v1/notifications (#10796)
* Add `from_account` to notifications API

this adds the ability to filter notifications by the account they
originated from

* passing a non-existent user should cause none to be returned

* Fix codeclimate warnings

* fix more codeclimate warnings

* make requested changes:

* use account id instead of user@domain
* name the param `account_id` instead of `from_account`

* Don't use `return` in a lambda
2019-05-21 13:28:49 +02:00
ThibG
f1a3135809 Record account suspend/silence time and keep track of domain blocks (#10660)
* Record account suspend/silence time and keep track of domain blocks

* Also unblock users who were suspended/silenced before dates were recorded

* Add tests

* Keep track of suspending date for users suspended through the CLI

* Show accurate number of accounts that would be affected by unsuspending an instance

* Change migration to set silenced_at and suspended_at

* Revert "Also unblock users who were suspended/silenced before dates were recorded"

This reverts commit a015c65d2d1e28c7b7cfab8b3f8cd5fb48b8b71c.

* Switch from using suspended and silenced to suspended_at and silenced_at

* Add post-deployment migration script to remove `suspended` and `silenced` columns

* Use Account#silence! and Account#suspend! instead of updating the underlying property

* Add silenced_at and suspended_at migration to post-migration

* Change account fabricator to translate suspended and silenced attributes

* Minor fixes

* Make unblocking domains always retroactive
2019-05-14 19:05:02 +02:00
ThibG
2a917031c9 Add toot source to delete result to ease Delete & Redraft (#10669)
* Return Status with raw text in raw_content when deleting a status

* Use raw content if available on delete & redraft

* Rename raw_content to text; do not serialize formatted content when source is requested
2019-05-11 06:46:43 +02:00
ThibG
4870d7f122 Add some caching for HTML versions of statuses pages (#10701) 2019-05-09 22:03:44 +02:00
ThibG
4c4f9d78fd Explicitly disable storage of REST API results (#10655)
Fixes #10652
2019-05-03 20:39:19 +02:00
ThibG
8c716f917f Provide a link to existing domain block when trying to block an already-blocked domain (#10663)
* When trying to block an already-blocked domain, provide a link to the block

* Fix styling for links in flash messages

* Allow blocks to be upgraded but not downgraded
2019-05-03 20:36:36 +02:00
ThibG
af3971a0e6 Check that an invite link is valid before bypassing approval mode (#10657)
* Check that an invite link is valid before bypassing approval mode

Fixes #10656

* Add tests

* Only consider valid invite links in registration controller

* fixup
2019-05-02 04:30:12 +02:00
Eugen Rochko
2ba12c8917 Fix not being able to save e-mail preference for new pending accounts (#10622) 2019-04-25 02:49:06 +02:00
Alex Gessner
da3d516fcf compare usernames case-insensitively on new proof creation flow (#10544)
* compare usernames case-insensitively on new proof creation flow

* Fix code style issue
2019-04-10 18:05:11 +02:00
Eugen Rochko
6d5b05e3d5 Add invite request to pending account notification e-mail (#10528)
Fix sorting of the pending accounts page
2019-04-10 00:36:01 +02:00
Eugen Rochko
13c1b5bac8 Add preference to disable e-mails about new pending accounts (#10529) 2019-04-10 00:35:49 +02:00
Eugen Rochko
7eb05b8724 Add "why do you want to join" field to invite requests (#10524)
* Add "why do you want to join" field to invite requests

Fix #10512

* Remove unused translations

* Fix broken registrations when no invite request text is submitted
2019-04-09 23:06:30 +09:00
Eugen Rochko
55f25ceda3 Fix permission denied bug on approve all/reject all pending accounts (#10519) 2019-04-09 07:19:52 +02:00
ThibG
a604f766e0 Fix batch actions not working on pending accounts (#10508) 2019-04-08 18:35:41 +02:00
Eugen Rochko
c84c30c542 Improve blocked view of profiles (#10491)
* Revert "Fix filtering of favourited_by, reblogged_by, followers and following (#10447)"

This reverts commit 0317f37c6f.

* Revert "Hide blocking accounts from blocked users (#10442)"

This reverts commit 4cd944d364.

* Improve blocked view of profiles

- Change "You are blocked" to "Profile unavailable"
- Hide following/followers in API when blocked
- Disable follow button and show "Profile unavailable" on public profile as well
2019-04-07 04:59:13 +02:00
Eugen Rochko
c34a7f5bd2 Add batch actions for approving and rejecting pending accounts (#10469) 2019-04-06 17:53:45 +02:00
Eugen Rochko
d48f53cf1a Fix admin validation being too strict about usernames (#10449)
* Fix admin validation being too strict about usernames

Fix #10446

* Strip Setting.site_contact_username consistently throughout the codebase
2019-04-06 17:53:17 +02:00
ThibG
4fa0b331ae Cache featured collections, as well as outbox, followers and following (#10467) 2019-04-04 01:30:44 +02:00
ThibG
4cd944d364 Hide blocking accounts from blocked users (#10442)
* Revert "Add indication that you have been blocked in web UI (#10420)"

This reverts commit d31affe69b.

* Revert "Add `blocked_by` relationship to the REST API (#10373)"

This reverts commit a8bb10633d.

* Hide blocking accounts from search results

* Filter blocking accouts from account followers

* Filter blocking accouts from account's following accounts

* Filter blocking accounts from “reblogged by” and “favourited by” lists

* Remove blocking account from URL search

* Return 410 on trying to fetch user data from a user who blocked us

* Return 410 in /api/v1/account/statuses for suspended or blocking accounts

* Fix status filtering when performing URL search

* Restore some React improvements

Restore some cleanup from d31affe69b

* Refactor by adding `without_blocking` scope
2019-04-01 20:06:13 +02:00
ThibG
65930be714 Ensure request.body isn't emptied out before signature verification (#10432)
Fixes #10429
2019-03-31 17:27:24 +02:00
Alex Gessner
be7c92061c squashed identity proof updates (#10375) 2019-03-28 18:01:09 +01:00
Eugen Rochko
7aeb50cc89 Add order options to relationship manager UI (#10404) 2019-03-28 02:16:01 +01:00
Eugen Rochko
88a85f2574 Change icons of features on admin dashboard to remove bias (#10366)
Red crosses implied that it was bad/unexpected that certain features
were not enabled. In reality, they are options, so showing a green
or grey power-off icon is more appropriate.

Add status of timeline preview as well

Fix sample accounts changing too frequently due to wrong query

Sample accounts are intended to be sorted by popularity
2019-03-26 01:24:19 +01:00
Eugen Rochko
c21bdc81d3 Add validations to admin settings (#10348)
* Add validations to admin settings

- Validate correct HTML markup
- Validate presence of contact username & e-mail
- Validate that all usernames are valid
- Validate that enums have expected values

* Fix code style issue

* Fix tests
2019-03-23 14:07:04 +01:00
ThibG
c967088621 Mark the 410 gone response for suspended accounts as cachable (#10339)
This will help a great deal with #9377 when a caching reverse proxy is
configured.
2019-03-21 23:33:18 +01:00
ThibG
11c3ceb56e Do not try fetching keys of unknown accounts on a Delete from them (#10326) 2019-03-20 17:20:16 +01:00
ThibG
e9fc1e8ccb Do not distribute Delete when rejecting unapproved accounts (#10321) 2019-03-19 16:33:30 +01:00
Eugen Rochko
a3c41f3532 Add Keybase integration (#10297)
* create account_identity_proofs table

* add endpoint for keybase to check local proofs

* add async task to update validity and liveness of proofs from keybase

* first pass keybase proof CRUD

* second pass keybase proof creation

* clean up proof list and add badges

* add avatar url to keybase api

* Always highlight the “Identity Proofs” navigation item when interacting with proofs.

* Update translations.

* Add profile URL.

* Reorder proofs.

* Add proofs to bio.

* Update settings/identity_proofs front-end.

* Use `link_to`.

* Only encode query params if they exist.

URLs without params had a trailing `?`.

* Only show live proofs.

* change valid to active in proof list and update liveness before displaying

* minor fixes

* add keybase config at well-known path

* extremely naive feature flagging off the identity proof UI

* fixes for rubocop

* make identity proofs page resilient to potential keybase issues

* normalize i18n

* tweaks for brakeman

* remove two unused translations

* cleanup and add more localizations

* make keybase_contacts an admin setting

* fix ExternalProofService my_domain

* use Addressable::URI in identity proofs

* use active model serializer for keybase proof config

* more cleanup of keybase proof config

* rename proof is_valid and is_live to proof_valid and proof_live

* cleanup

* assorted tweaks for more robust communication with keybase

* Clean up

* Small fixes

* Display verified identity identically to verified links

* Clean up unused CSS

* Add caching for Keybase avatar URLs

* Remove keybase_contacts setting
2019-03-18 21:00:55 +01:00
Eugen Rochko
b1e0164848 Add dormant filter to relationship manager, rename other filters (#10308)
Rename "abandoned" to "moved", and "active" to "primary"
2019-03-18 03:53:17 +01:00
Ben Lubar
591c26dc97 Reduce server load caused by anonymous viewing. (#9059)
Do not start a session if the current user is not logged in for public-facing pages.

Mark pages that don't care about sessions as publicly cacheable.

Keep the max age as 0 so proxies and browsers will still try to retrieve an updated version but can still fall back to the stale version if the site is down or too slow.

Fixes #9035.
2019-03-17 15:39:25 +01:00
Eugen Rochko
4fa2d55d4e Add relationship manager UI (#10268) 2019-03-16 11:23:22 +01:00
Eugen Rochko
1279d85ff4 Add visibility param to reblog REST API (#9851)
Use async worker for creating reblog notification to improve performance
2019-03-15 04:36:41 +01:00
Eugen Rochko
e1130e461e Add a preferences API so apps can share basic behaviours (#10109) 2019-03-15 02:39:20 +01:00
Eugen Rochko
73fb7bfa0f Admission-based registrations mode (#10250)
Fix #6856
Fix #6951
2019-03-14 05:28:30 +01:00
Eugen Rochko
5ff943716e Fix tagged param not being normalized before querying tags (#10249) 2019-03-13 13:02:13 +01:00
Eugen Rochko
56822606f4 Redesign landing page (#10232) 2019-03-12 17:34:00 +01:00
ThibG
cdf5a7f854 Avoid race conditions when creating backups (#10234)
Under load, multiple backups for a single user could be planned, which
is very expensive.
2019-03-11 00:50:31 +01:00
Eugen Rochko
4a3acdc916 Add polls (#10111)
* Add polls

Fix #1629

* Add tests

* Fixes

* Change API for creating polls

* Use name instead of content for votes

* Remove poll validation for remote polls

* Add polls to public pages

* When updating the poll, update options just in case they were changed

* Fix public pages showing both poll and other media
2019-03-03 22:18:23 +01:00
ThibG
892327c686 Give the replies collection an identifier and enable pagination (#10128) 2019-02-28 18:16:34 +01:00
abcang
affb8b1de9 Improve account media query (#10121) 2019-02-26 15:23:24 +01:00
Eugen Rochko
693f2353bc Add type, limit, offset, min_id, max_id, account_id to search API (#10091)
* Add type, limit, offset, min_id, max_id, account_id to search API

Fix #8939

* Make the offset work on accounts and hashtags search as well

* Assure brakeman we are not doing mass assignment here

* Do not allow paginating unless a type is chosen

* Fix search query and index id field on statuses instead of created_at
2019-02-26 15:21:36 +01:00
Hinaloe
7517957a91 Randomize emoji filename (#10090) 2019-02-22 16:52:04 +01:00
ThibG
abfa8617f3 Do not error out when performing admin actions on no statuses (#10094)
Same as #8220 but for reports
2019-02-21 19:36:48 +01:00
ThibG
9b7de13928 Add domain search/filter to the "Federation" (/admin/instances) page (#10071) 2019-02-18 14:59:19 +01:00
Eugen Rochko
99f902f224 Add vapid_key to the application entity in the REST API (#10058)
Fix #8785
2019-02-16 05:27:05 +01:00
ThibG
a60f90b078 Save IP address used for sign-up, not only sign-in (#10026)
Fixes #9995
2019-02-12 22:24:14 +01:00
Takeshi Umeda
3d54d631a4 Fix it as tagged_request of accounts_controller is not addressable_uri (#9976) 2019-02-05 15:11:11 +01:00
Eugen Rochko
06a8ca8937 Fix pinned statuses being shown in a featured hashtag (#9971) 2019-02-05 00:27:18 +01:00
rinsuki
d280cc15be Fix authorized applications list page design (#9969) 2019-02-04 22:25:42 +01:00
Eugen Rochko
d2d4d38f22 Add featured hashtags to profiles (#9755)
* Add hashtag filter to profiles

GET /@:username/tagged/:hashtag
GET /api/v1/accounts/:id/statuses?tagged=:hashtag

* Display featured hashtags on public profile

* Use separate model for featured tags

* Update featured hashtag counters on-write

* Limit featured tags to 10
2019-02-04 04:25:59 +01:00
ThibG
dfb101cd45 Make displaying application used to toot opt-in (#9897)
* Make storing and displaying application used to toot opt-in

* Revert to storing application info, and display it to the author via API
2019-02-02 19:18:15 +01:00
Eugen Rochko
f77529ca00 Fix directory showing tags that have no currently eligible accounts (#9872) 2019-01-20 12:56:53 +01:00
Eugen Rochko
83fdb7b4f4 Fix REST API showing non-public reblogs for a given status (#9850) 2019-01-18 20:58:00 +01:00
Eugen Rochko
380b246728 Redesign public hashtag page to use a masonry layout (#9822) 2019-01-16 19:47:46 +01:00
Eugen Rochko
f2ec1803cb Redesign admin instances area (#9645) 2019-01-08 13:39:49 +01:00
ThibG
e60999c3c5 Improvements to signature verification (#9667)
* Refactor signature verification a bit

* Rescue signature verification if recorded public key is invalid

Fixes #8822

* Always re-fetch AP signing key when HTTP Signature verification fails

But when the account is not marked as stale, avoid fetching collections and
media, and avoid webfinger round-trip.

* Apply stoplight to key/account update as well as initial key retrieval
2019-01-07 21:45:13 +01:00
Eugen Rochko
defe248b1c Change remote interaction dialog to use specific actions (#9743)
* Change remote interaction dialog to use specific actions

Instead of just "interact", use different strings based on whether
it's a reply, reblog or favourite. Add explanation why the step
is necessary in the first place

* Remove obsolete strings
2019-01-07 15:36:26 +01:00
Eugen Rochko
d62a2a69e4 Add locale param to sign-up API (#9747)
Fix #9627
2019-01-07 14:50:20 +01:00
Eugen Rochko
f6940286f5 Add cache to custom emojis API (#9732)
Fix #9729
2019-01-06 23:52:58 +01:00
Eugen Rochko
ae1aaa3b8a Add scheduled statuses (#9706)
Fix #340
2019-01-05 12:43:28 +01:00
ThibG
631a91cbc0 Add quick links to the admin interface in the WebUI (#8545)
* Allow to show a specific status in the admin interface

* Let the front-end know the current account is a moderator

* Add admin links to status and account menus

If the current logged-in user is an admin, add quick links to the admin
interface in account and toot dropdown menu. Suggestion by @ashkitten

* Use @statuses.first instead of @statuses[0]
2019-01-04 13:10:43 +01:00
Eugen Rochko
93f560423b Fix list of local followers showing remote followers in admin UI (#9700) 2019-01-03 06:40:16 +01:00
Eugen Rochko
9244a06846 Add CSV export for lists and domain blocks (#9677)
Fix #6893
Fix #9268
2019-01-01 13:44:04 +01:00
Eugen Rochko
8958e58bd4 Improve admin UI for account view (#9643) 2018-12-28 03:38:41 +01:00
chr v1.x
b659f51c43 Add local followers page to admin account UI (#9610)
* Add local followers page to admin account UI

For moderation, I often find myself wondering who, locally, is following
a remote user. Currently, to see this, I have to go back to the web UI,
paste in their full handle, click their profile, and go to the
"Followers" tab (plus, this information is incidental, and if mastodon
ever decides to resolve all of the follower information, there will be
no place local followers are shown). This PR adds a new page which is
accessible via the "following" count on the admin's account view
page, which shows the local followers. (It has filter parameters for
account location to indicate that only local followers are shown, and
leave room for expansion if mastodon ever decides to store the entire
remote follow list).

* Normalize en.yml
2018-12-27 13:15:39 +01:00
Eugen Rochko
d70d8321d3 Add exclude_reblogs option to account statuses API (#9640)
Fix #9606
2018-12-27 03:42:35 +01:00
Eugen Rochko
7c2340443e Redirect to reports overview instead of report after account action (#9639) 2018-12-27 03:42:29 +01:00
ThibG
d75e32caa3 Fix account unsilencing and unsuspension (#9637)
Fix regression from 2e0d617b8b
2018-12-26 19:16:15 +01:00
Eugen Rochko
e5ebd4df78 Fix signature verification stoplight triggering on non-timeout errors (#9617) 2018-12-26 19:15:43 +01:00
Takeshi Umeda
9f74c2b877 Add error message with invalid email confirmation (#9625) 2018-12-25 19:35:26 +01:00
Eugen Rochko
bbf9f4f93b Add REST API for creating an account (#9572)
* Add REST API for creating an account

The method is available to apps with a token obtained via the client
credentials grant. It creates a user and account records, as well as
an access token for the app that initiated the request. The user is
unconfirmed, and an e-mail is sent as usual.

The method returns the access token, which the app should save for
later. The REST API is not available to users with unconfirmed
accounts, so the app must be smart to wait for the user to click a
link in their e-mail inbox.

The method is rate-limited by IP to 5 requests per 30 minutes.

* Redirect users back to app from confirmation if they were created with an app

* Add tests

* Return 403 on the method if registrations are not open

* Require agreement param to be true in the API when creating an account
2018-12-24 19:12:38 +01:00
ThibG
4bf67e9cd0 Sanitize and sandbox toot embeds (#9552) 2018-12-23 02:16:35 +01:00
Eugen Rochko
5fdfe0c4cf Show 40 profiles per directory page instead of 30 (#9609)
To better align with the list of hashtags
2018-12-22 23:31:23 +01:00
Eugen Rochko
2e0d617b8b Add moderation warnings (#9519)
* Add moderation warnings

Replace individual routes for disabling, silencing, and suspending
a user, as well as the report update route, with a unified account
action controller that allows you to select an action (none,
disable, silence, suspend) as well as whether it should generate an
e-mail notification with optional custom text. That notification,
with the optional custom text, is saved as a warning.

Additionally, there are warning presets you can configure to save
time when performing the above.

* Use Account#local_username_and_domain
2018-12-22 20:02:09 +01:00
Eugen Rochko
ae8c6b892f Allow unauthenticated REST API access to GET /api/v1/accounts/:id/statuses (#9573)
Fix #7087

The same data is available over the ActivityPub outbox, RSS, and Atom, so
there is little benefit to keeping it limited in this method.
2018-12-20 01:30:43 +01:00
jomo
dc9f3d2cf2 fix CSP / X-Frame-Options for media embeds (#9558) 2018-12-18 16:40:30 +01:00
ysksn
7df45c6e11 Move #set_user to Admin::BaseController (#9470)
* Move #set_user to Admin::BaseController

* Rename Admin::TwoFactorAuthenticationsController

from `#set_user` to `#set_target_user` .
2018-12-17 11:40:51 +01:00
Eugen Rochko
32bd452b56 Remove "most popular" tab from profile directory, add responsive design (#9539)
* Remove "most popular" tab from profile directory, add responsive design

* Remove unused translations
2018-12-17 03:14:28 +01:00
ysksn
8996de49df Create Settings::BaseController (#9507)
Define `Settings::BaseController#set_body_classes` so that sub classes
inherit `Settings::BaseController` don't need to define
`#set_body_classes` agein.
2018-12-12 22:32:13 +01:00
ThibG
5548049e71 Add admin ability to remove an user's header image (#9495)
* Fix markup in admin/accounts/:id table for avatar

* Add admin ability to remove an user's header image
2018-12-11 19:28:03 +01:00
ThibG
0686523e18 Add instance-wide setting to disable profile directory (#9497)
* Add instance-wide setting to disable profile directory

Fixes #9496

When the profile directory is disabled:
- The “discoverable” setting is hidden from users
- The “profile directory” link is not shown on public pages
- /explore returns 404

* Move Setting.profile_directory check to a before_action filter
2018-12-11 19:18:29 +01:00
ysksn
dfd6445334 Add specs for activitypub collections controller (#9484)
* Add specs for ActivityPub::CollectionsController#show

* Raise ActiveRecord::RecordNotFound

Raising ActiveRecord::NotFound raises NameError: uninitialized constant
ActiveRecord::NotFound.
2018-12-10 21:39:25 +01:00
ysksn
af123ea5e8 Remove RemoteAccountControllerConcern never used (#9482) 2018-12-10 21:38:01 +01:00
ysksn
a6641d0541 Fix Admin::TagsController#unhide (#9481) 2018-12-10 21:37:38 +01:00
ThibG
097d866028 Add setting to not aggregate reblogs (#9248)
* Add setting to not aggregate reblogs

Fixes #9222

* Handle cases where user is nil in add_to_home and add_to_list

* Add hint for setting_aggregate_reblogs option

* Reword setting_aggregate_reblogs label
2018-12-09 13:03:01 +01:00
Eugen Rochko
fd8ca11f19 Add profile directory (#9427)
Fix #5578
2018-12-06 17:36:11 +01:00
ThibG
5e2cd7f672 Fix thread depth computation in statuses_controller (#9426)
* Add test that should currently fail

* Fix depth computation (will still fail if statuses have been filtered out)

* Fix handling of broken threads
2018-12-05 02:12:29 +01:00
Eugen Rochko
305556274a Redesign admin accounts index (#9340)
* Improve overview of accounts in admin UI

- Display suspended status, role, last activity and IP prominently
- Default to showing local accounts
- Default to not showing suspended accounts

* Remove unused strings

* Fix tests

* Allow filtering accounts by IP mask
2018-11-26 15:53:27 +01:00
Eugen Rochko
62c0e112ea Extract counters from accounts table to account_stats table (#9295) 2018-11-19 00:43:52 +01:00
Eugen Rochko
7a939f7cfc Remove intermediary arrays when creating hash maps from results (#9291) 2018-11-16 15:02:18 +01:00
Eugen Rochko
d78aed7a37 Reduce connect timeout limit and limit signature failures by source IP (#9236)
* Reduce connect timeout from 10s to 1s

* Limit failing signature verifications per source IP
2018-11-08 21:35:58 +01:00
Eugen Rochko
5f613d55e6 Optimize the process of following someone (#9220)
* Eliminate extra accounts select query from FollowService

* Optimistically update follow state in web UI and hide loading bar

Fix #6205

* Asynchronize NotifyService in FollowService

And fix failing test

* Skip Webfinger resolve routine when called from FollowService if possible

If an account is ActivityPub, then webfinger re-resolving is not necessary
when called from FollowService. Improve options of ResolveAccountService
2018-11-08 21:05:42 +01:00
James Kiesel
d2a9ea58da Allow joining several hashtags in a single column (#8904)
* Nascent tag menu on frontend

* Hook up frontend to search

* Tag intersection backend first pass

* Update yarnlock

* WIP

* Fix for tags not searching correctly

* Make radio buttons function

* Simplify radio buttons with modeOption

* Better naming

* Rearrange options

* Add all/any/none functionality on backend

* Small PR cleanup

* Move to service from scope

* Small cleanup, add proper service tests

* Don't use send with user input :D

* Set appropriate column header

* Handle auto updating timeline

* Fix up toggle function

* Use tag value correctly

* A bit more correct to use 'self' rather than 'all' in status scope

* Fix some style issues

* Fix more code style issues

* Style select dropdown more better

* Only use to_id'ed value to ensure no SQL injection

* Revamp frontend to allow for multiple selects

* Update backend / col header to account for more flexible tagging

* Update brakeman ignore

* Codeclimate suggestions

* Fix presenter tag_url

* Implement initial PR feedback

* Handle additional tag streaming

* CodeClimate tweak
2018-11-05 18:53:25 +01:00
Eugen Rochko
ca87d98d16 Revert "feat(auth/session_controller): Send Clear-Site-Data when logging out (8627)" (#9161)
This reverts commit 0c756cfd54.
2018-10-30 16:25:54 +01:00
Eugen Rochko
cf2ab9c394 Include preview cards in status entity in REST API (#9120)
* Include preview cards in status entity in REST API

* Display preview card in-stream

* Improve in-stream display of preview cards
2018-10-28 06:35:03 +01:00
ThibG
b5042bbeeb Fix styling in /auth/edit (#9117) 2018-10-26 22:49:17 +02:00
Eugen Rochko
b110105a53 Allow inbox owner to view implicitly targeted ActivityPub payload (#9093)
Fix #9091
2018-10-25 18:12:22 +02:00
Yamagishi Kazutoshi
cad03e69b3 Set @body_classes to admin layout (#9081) 2018-10-25 00:10:01 +02:00
Eugen Rochko
40d23fc4d1 Add option to block reports from domain (#8830) 2018-10-20 08:02:44 +02:00
Eugen Rochko
9ccae7feff Add "disable" button to report screen (#9024)
* Add "disable" button to report screen

* i18n-tasks remove-unused
2018-10-20 02:39:39 +02:00
Eugen Rochko
e3b2234382 Add unread indicator to conversations (#9009) 2018-10-19 01:47:29 +02:00
Eugen Rochko
0a5b65533d Improve signature verification safeguards (#8959)
* Downcase signed_headers string before building the signed string

The HTTP Signatures draft does not mandate the “headers” field to be downcased,
but mandates the header field names to be downcased in the signed string, which
means that prior to this patch, Mastodon could fail to process signatures from
some compliant clients. It also means that it would not actually check the
Digest of non-compliant clients that wouldn't use a lowercased Digest field
name.

Thankfully, I don't know of any such client.

* Revert "Remove dead code (#8919)"

This reverts commit 65d1a2d10a.

* Restore time window checking, change it to 12 hours

By checking the Date header, we can prevent replaying old vulnerable
signatures. The focus is to prevent replaying old vulnerable requests
from software that has been fixed in the meantime, so a somewhat long
window should be fine and accounts for timezone misconfiguration.

* Escape users' URLs when formatting them

Fixes possible HTML injection

* Escape all string interpolations in Formatter class

Slightly improve performance by reducing class allocations
from repeated Formatter#encode calls

* Fix code style issues
2018-10-12 00:15:55 +02:00
ThibG
51c53e709f Set Content-Security-Policy rules through RoR's config (#8957)
* Set CSP rules in RoR's configuration

* Override CSP setting in the embed controller to allow frames
2018-10-11 20:35:46 +02:00
Eugen Rochko
65d1a2d10a Remove dead code (#8919)
SignatureVerification#matches_time_window? is not called anywhere.
2018-10-08 04:48:54 +02:00
ashleyhull-versent
ea57aca5e1 Replace SVG asset with Custom mascot (#8766) 2018-10-08 00:20:45 +02:00
Eugen Rochko
c9b5168ebd Add conversations API (#8832)
* Add conversations API

* Add web UI for conversations

* Add test for conversations API

* Add tests for ConversationAccount

* Improve web UI

* Rename ConversationAccount to AccountConversation

* Remove conversations on block and mute

* Change last_status_id to be a denormalization of status_ids

* Add optimistic locking
2018-10-07 23:44:58 +02:00
ThibG
8b48543b77 Ensure only toots from the reported users are reported (#8916) 2018-10-07 19:45:40 +02:00
Eugen Rochko
1ae62b87ed Change admin accounts default sort to most recent (#8813) 2018-10-04 16:05:38 +02:00
Eugen Rochko
5ddcdf3753 Support min_id-based pagination in REST API (#8736)
* Allow min_id pagination in Feed#get

* Add min_id pagination to home and list timeline APIs

* Add min_id pagination to account statuses, public and tag APIs

* Remove unused stub in reports API

* Use min_id pagination in notifications, favourites, and fix order

* Fix HomeFeed#from_database not using paginate_by_id
2018-09-28 02:23:45 +02:00
ふぁぼ原
bb8afc4608 Add a new preference to always hide all media (#8569) 2018-09-25 05:09:35 +02:00
Yamagishi Kazutoshi
449edebb1c Cache instance info (#8765) 2018-09-24 16:15:49 +02:00
Matt Sweetman
674865731a Add user preference to always expand toots marked with content warnings (#8762) 2018-09-24 05:44:01 +02:00
luzpaz
1bce70d3c7 Misc. typos (#8694)
Found via `codespell -q 3 --skip="./app/javascript/mastodon/locales,./config/locales"`
2018-09-14 00:53:09 +02:00
Eugen Rochko
72a8ca84e0 Add force_login option to OAuth authorize page (#8655)
* Add force_login option to OAuth authorize page

For when a user needs to sign into an app from multiple accounts
on the same server

* When logging out from modal header, redirect back after re-login
2018-09-09 04:10:44 +02:00