Merge branch 'main' into glitch-soc/merge-upstream

pull/1785/head
Claire 2022-05-26 22:49:47 +02:00
commit 7c6fff34d0
15 changed files with 61 additions and 10 deletions


@ -4,6 +4,4 @@ not IE 11
not dead not dead
[development] [development]
last 1 chrome version supports es6-module
last 1 firefox version
last 1 safari version


@ -14,7 +14,7 @@ A "vulnerability in Mastodon" is a vulnerability in the code distributed through
| ------- | ------------------ | | ------- | ------------------ |
| 3.5.x | Yes | | 3.5.x | Yes |
| 3.4.x | Yes | | 3.4.x | Yes |
| 3.3.x | Yes | | 3.3.x | No |
| < 3.3 | No | | < 3.3 | No |
[bug-bounty]: https://app.intigriti.com/programs/mastodon/mastodonio/detail [bug-bounty]: https://app.intigriti.com/programs/mastodon/mastodonio/detail


@ -2,6 +2,7 @@
class ActivityPub::BaseController < Api::BaseController class ActivityPub::BaseController < Api::BaseController
skip_before_action :require_authenticated_user! skip_before_action :require_authenticated_user!
skip_before_action :require_not_suspended!
skip_around_action :set_locale skip_around_action :set_locale
private private


@ -11,6 +11,7 @@ class Api::BaseController < ApplicationController
skip_before_action :require_functional!, unless: :whitelist_mode? skip_before_action :require_functional!, unless: :whitelist_mode?
before_action :require_authenticated_user!, if: :disallow_unauthenticated_api_access? before_action :require_authenticated_user!, if: :disallow_unauthenticated_api_access?
before_action :require_not_suspended!
before_action :set_cache_headers before_action :set_cache_headers
protect_from_forgery with: :null_session protect_from_forgery with: :null_session
@ -97,6 +98,10 @@ class Api::BaseController < ApplicationController
render json: { error: 'This method requires an authenticated user' }, status: 401 unless current_user render json: { error: 'This method requires an authenticated user' }, status: 401 unless current_user
end end
def require_not_suspended!
render json: { error: 'Your login is currently disabled' }, status: 403 if current_user&.account&.suspended?
end
def require_user! def require_user!
if !current_user if !current_user
render json: { error: 'This method requires an authenticated user' }, status: 422 render json: { error: 'This method requires an authenticated user' }, status: 422
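Review bot: `require_not_suspended!` in the second hunk has no comment saying what it protects or why it is registered unconditionally while `require_authenticated_user!` is conditional, and the 403 it renders reads like a generic auth failure. Suggest `# Authenticated requests from a suspended account get 403 on every API endpoint; ActivityPub::BaseController opts out of this check.` above `def require_not_suspended!`. The callback also runs for unauthenticated requests, where `current_user&.account&.suspended?` makes it a no-op rather than an error — presumably intentional, and worth one clause in the same comment. The surrounding methods begin and end outside the hunk.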


@ -89,7 +89,7 @@ class Auth::ConfirmationsController < Devise::ConfirmationsController
def after_confirmation_path_for(_resource_name, user) def after_confirmation_path_for(_resource_name, user)
if user.created_by_application && truthy_param?(:redirect_to_app) if user.created_by_application && truthy_param?(:redirect_to_app)
user.created_by_application.redirect_uri user.created_by_application.confirmation_redirect_uri
else else
super super
end end


@ -12,4 +12,8 @@ module ApplicationExtension
def most_recently_used_access_token def most_recently_used_access_token
@most_recently_used_access_token ||= access_tokens.where.not(last_used_at: nil).order(last_used_at: :desc).first @most_recently_used_access_token ||= access_tokens.where.not(last_used_at: nil).order(last_used_at: :desc).first
end end
def confirmation_redirect_uri
redirect_uri.lines.first.strip
end
end end
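Review bot: `confirmation_redirect_uri` calls `strip` on `redirect_uri.lines.first`, which is nil when `redirect_uri` is an empty string, so a blank value would raise NoMethodError from inside the e-mail confirmation redirect instead of falling back. If Doorkeeper is ever configured to allow a blank redirect URI, `redirect_uri.to_s.lines.first&.strip` is the safer form (the caller in Auth::ConfirmationsController would then need to treat nil as "use super"). The method also deserves a one-line comment on why only the first line is taken, e.g. `# Doorkeeper stores several redirect URIs newline-separated; only the first is used after e-mail confirmation.`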


@ -20,4 +20,16 @@ class AccountStat < ApplicationRecord
belongs_to :account, inverse_of: :account_stat belongs_to :account, inverse_of: :account_stat
update_index('accounts', :account) update_index('accounts', :account)
def following_count
[attributes['following_count'], 0].max
end
def followers_count
[attributes['followers_count'], 0].max
end
def statuses_count
[attributes['statuses_count'], 0].max
end
end end
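Review bot: The clamped readers `following_count`, `followers_count` and `statuses_count` (and the identical `replies_count`/`reblogs_count`/`favourites_count` trio in StatusStat) raise ArgumentError from `max` if the underlying attribute is nil, because `[nil, 0].max` cannot compare nil with an Integer. That is fine only if these columns are NOT NULL with a default, which this diff does not show; if they can be nil, `[attributes['following_count'].to_i, 0].max` keeps the clamp and maps nil to 0. A short comment on the intent would also help readers of both models, e.g. `# Counters are clamped at zero so a negative stored value is never exposed.`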


@ -103,7 +103,7 @@ class Admin::StatusBatchAction
def handle_report! def handle_report!
@report = Report.new(report_params) unless with_report? @report = Report.new(report_params) unless with_report?
@report.status_ids = (@report.status_ids + status_ids.map(&:to_i)).uniq @report.status_ids = (@report.status_ids + allowed_status_ids).uniq
@report.save! @report.save!
@report_id = @report.id @report_id = @report.id
@ -135,4 +135,8 @@ class Admin::StatusBatchAction
def report_params def report_params
{ account: current_account, target_account: target_account } { account: current_account, target_account: target_account }
end end
def allowed_status_ids
AccountStatusesFilter.new(@report.target_account, current_account).results.with_discarded.where(id: status_ids).pluck(:id)
end
end end
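Review bot: `allowed_status_ids` silently drops any requested id that `AccountStatusesFilter` does not return, so a status the acting account is not permitted to see simply goes missing from the report with no indication; the sibling change in ReportService uses `find` on the same filtered scope and raises instead, so the two paths disagree on how unauthorized ids are treated. Pick one behaviour and document it here, e.g. `# Only statuses visible to current_account through AccountStatusesFilter are attached; other ids are ignored.` Note that `allowed_status_ids` reads `@report.target_account`, so it must only be called once `@report` is set, as `handle_report!` does. `handle_report!` continues outside the first hunk.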


@ -17,6 +17,18 @@ class StatusStat < ApplicationRecord
after_commit :reset_parent_cache after_commit :reset_parent_cache
def replies_count
[attributes['replies_count'], 0].max
end
def reblogs_count
[attributes['reblogs_count'], 0].max
end
def favourites_count
[attributes['favourites_count'], 0].max
end
private private
def reset_parent_cache def reset_parent_cache


@ -14,7 +14,8 @@ class AppealService < BaseService
private private
def create_appeal! def create_appeal!
@appeal = @strike.create_appeal!( @appeal = Appeal.create!(
strike: @strike,
text: @text, text: @text,
account: @strike.target_account account: @strike.target_account
) )


@ -52,8 +52,9 @@ class ApproveAppealService < BaseService
end end
def undo_mark_statuses_as_sensitive! def undo_mark_statuses_as_sensitive!
representative_account = Account.representative
@strike.statuses.includes(:media_attachments).each do |status| @strike.statuses.includes(:media_attachments).each do |status|
UpdateStatusService.new.call(status, @current_account.id, sensitive: false) if status.with_media? UpdateStatusService.new.call(status, representative_account.id, sensitive: false) if status.with_media?
end end
end end


@ -57,7 +57,7 @@ class ReportService < BaseService
end end
def reported_status_ids def reported_status_ids
@target_account.statuses.with_discarded.find(Array(@status_ids)).pluck(:id) AccountStatusesFilter.new(@target_account, @source_account).results.with_discarded.find(Array(@status_ids)).pluck(:id)
end end
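Review bot: `reported_status_ids` now calls `find(Array(@status_ids))` on the filtered scope, so any id the reporter cannot see raises ActiveRecord::RecordNotFound rather than being dropped, which is the opposite of what `Admin::StatusBatchAction#allowed_status_ids` does with `where(id: ...)` in the same commit. Raising is arguably right for user-submitted reports, but it should be stated so the two are not "harmonised" by accident later: `# Raises ActiveRecord::RecordNotFound if any id is not a status the reporter may see.` The enclosing class continues outside the hunk.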
def payload def payload


@ -2,6 +2,8 @@
class UnfollowService < BaseService class UnfollowService < BaseService
include Payloadable include Payloadable
include Redisable
include Lockable
# Unfollow and notify the remote user # Unfollow and notify the remote user
# @param [Account] source_account Where to unfollow from # @param [Account] source_account Where to unfollow from
@ -13,8 +15,10 @@ class UnfollowService < BaseService
@target_account = target_account @target_account = target_account
@options = options @options = options
with_lock("relationship:#{[source_account.id, target_account.id].sort.join(':')}") do
unfollow! || undo_follow_request! unfollow! || undo_follow_request!
end end
end
private private
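Review bot: The `with_lock` key at the top of the second hunk is built inline from the sorted pair of account ids, and nothing in this file says which other code paths must use the same key for follow and unfollow on one relationship to actually serialize. Add a comment above it such as `# Key format must match the follow path: both directions of a relationship share one lock.` — the follow side is not in this diff, so confirm the formats agree. `include Redisable` is presumably required by `Lockable`; if so, a brief comment would stop it being removed as unused. `call` begins outside the hunk.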


@ -7,6 +7,8 @@ class VoteService < BaseService
include Lockable include Lockable
def call(account, poll, choices) def call(account, poll, choices)
return if choices.empty?
authorize_with account, poll, :vote? authorize_with account, poll, :vote?
@account = account @account = account
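Review bot: `return if choices.empty?` sits before `authorize_with account, poll, :vote?`, so an empty choice list now returns nil without the authorization check ever running. If callers rely on the authorization error surfacing (for instance when voting on a poll the account may not interact with), move the guard below `authorize_with`; otherwise add `# An empty choice list is a no-op and is deliberately not authorized.` so the ordering reads as intended. `choices` is also assumed non-nil here; `return if Array(choices).empty?` would cover nil at no cost. `call` continues outside the hunk.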


@ -128,6 +128,13 @@ Doorkeeper.configure do
# #
force_ssl_in_redirect_uri false force_ssl_in_redirect_uri false
# Specify what redirect URI's you want to block during Application creation.
# Any redirect URI is whitelisted by default.
#
# You can use this option in order to forbid URI's with 'javascript' scheme
# for example.
forbid_redirect_uri { |uri| %w[data vbscript javascript].include?(uri.scheme.to_s.downcase) }
# Specify what grant flows are enabled in array of Strings. The valid # Specify what grant flows are enabled in array of Strings. The valid
# strings and the flows they enable are: # strings and the flows they enable are:
# #
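Review bot: `forbid_redirect_uri` rejects `data`, `vbscript` and `javascript` schemes by denylist, and in this commit it becomes the only check between an application's stored `redirect_uri` and the browser redirect that `Application#confirmation_redirect_uri` feeds into `after_confirmation_path_for`; the comment should say so, so the list is not weakened casually. Suggest extending the existing comment with `# This list also protects the post-confirmation redirect (Application#confirmation_redirect_uri); keep it in sync with any other place a stored redirect_uri is sent to a browser.` An allowlist of schemes would be stricter, but if native clients register custom schemes a denylist is the practical choice, and that trade-off is worth one line too. `uri.scheme.to_s.downcase` already handles a nil scheme and mixed case, which is good.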