Commit Graph

9110 Commits (58930199379305e718d57b48488cc752b452e72a)

Author SHA1 Message Date
Claire 7c2204314a Add some explanation text on the CAPTCHA confirmation page 2022-01-26 13:24:51 +01:00
Claire b7cf3941b3 Change CAPTCHA handling to be only on email verification
This simplifies the implementation considerably, and while not providing
ideal UX, it's the most flexible approach.
2022-01-25 23:56:57 +01:00
Claire 0fb907441c Add ability to set hCaptcha either on registration form or on e-mail validation
Upshot of CAPTCHA on e-mail validation is it does not need to break the in-band
registration API.
2022-01-25 23:09:48 +01:00
Claire a9269f8786 Disable `registrations` flag in /api/v1/instance when CAPTCHA is enabled
This is to avoid apps trying and failing at using the registrations API,
which does not let us require a CAPTCHA and cannot be clearly signaled as
unavailable.
2022-01-25 13:58:24 +01:00
Claire bf351d72af Disable captcha if registrations are disabled for various reasons 2022-01-24 22:12:57 +01:00
Claire 6a2f248fe4 Renew Rails session ID on successful registration 2022-01-24 22:01:05 +01:00
Claire 04050fbd46 Please CodeClimate 2022-01-24 21:29:50 +01:00
Claire 1b493c9fee Add optional hCaptcha support
Fixes #1649

This requires setting `HCAPTCHA_SECRET_KEY` and `HCAPTCHA_SITE_KEY`, then
enabling the admin setting at
`/admin/settings/edit#form_admin_settings_captcha_enabled`

Subsequently, a hCaptcha widget will be displayed on `/about` and
`/auth/sign_up` unless:
- the user is already signed-up already
- the user has used an invite link
- the user has already solved the captcha (and registration failed for another
  reason)

The Content-Security-Policy headers are altered automatically to allow the
third-party hCaptcha scripts on `/about` and `/auth/sign_up` following the same
rules as above.
2022-01-24 21:22:13 +01:00
Claire 9483d0c6b2 [Glitch] Change `percent` to `rate` in retention metrics API
Port a63495230a to glitch-soc

Signed-off-by: Claire <claire.github-309c@sitedethib.com>
2022-01-23 18:24:40 +01:00
Claire 4dd4fc2e5e [Glitch] Fix text being incorrectly pre-selected in composer textarea on /share
Port 3a103cd317 to glitch-soc

Signed-off-by: Claire <claire.github-309c@sitedethib.com>
2022-01-23 18:24:34 +01:00
Claire 61ef81c548 Merge branch 'main' into glitch-soc/merge-upstream
Conflicts:
- `spec/models/status_spec.rb`:
  Upstream added tests too close to glitch-soc-specific tests.
  Kept both tests.
2022-01-23 18:24:01 +01:00
Claire 0a120d86d2
Fix error-prone SQL queries (#15828)
* Fix error-prone SQL queries in Account search

While this code seems to not present an actual vulnerability, one could
easily be introduced by mistake due to how the query is built.

This PR parameterises the `to_tsquery` input to make the query more robust.

* Harden code for Status#tagged_with_all and Status#tagged_with_none

Those two scopes aren't used in a way that could be vulnerable to an SQL
injection, but keeping them unchanged might be a hazard.

* Remove unneeded spaces surrounding tsquery term

* Please CodeClimate

* Move advanced_search_for SQL template to its own function

This avoids one level of indentation while making clearer that the SQL template
isn't build from all the dynamic parameters of advanced_search_for.

* Add tests covering tagged_with, tagged_with_all and tagged_with_none

* Rewrite tagged_with_none to avoid multiple joins and make it more robust

* Remove obsolete brakeman warnings

* Revert "Remove unneeded spaces surrounding tsquery term"

The two queries are not strictly equivalent.

This reverts commit 86f16c537e06c6ba4a8b250f25dcce9f049023ff.
2022-01-23 18:10:10 +01:00
Claire a63495230a
Change `percent` to `rate` in retention metrics API (#16910) 2022-01-23 16:01:25 +01:00
Claire bddd9ba36d
Add OMNIAUTH_ONLY environment variable to enforce externa log-in (#17288)
* Remove support for OAUTH_REDIRECT_AT_SIGN_IN

Fixes #15959

Introduced in #6540, OAUTH_REDIRECT_AT_SIGN_IN allowed skipping the log-in form
to instead redirect to the external OmniAuth login provider.

However, it did not prevent the log-in form on /about introduced by #10232 from
appearing, and completely broke with the introduction of #15228.

As I restoring that previous log-in flow without introducing a security
vulnerability may require extensive care and knowledge of how OmniAuth works,
this commit removes support for OAUTH_REDIRECT_AT_SIGN_IN instead for the time
being.

* Add OMNIAUTH_ONLY environment variable to enforce external log-in only

* Disable user registration when OMNIAUTH_ONLY is set to true

* Replace log-in links When OMNIAUTH_ONLY is set with exactly one OmniAuth provider
2022-01-23 15:52:58 +01:00
Claire cfa583fa71
Remove support for OAUTH_REDIRECT_AT_SIGN_IN (#17287)
Fixes #15959

Introduced in #6540, OAUTH_REDIRECT_AT_SIGN_IN allowed skipping the log-in form
to instead redirect to the external OmniAuth login provider.

However, it did not prevent the log-in form on /about introduced by #10232 from
appearing, and completely broke with the introduction of #15228.

As I restoring that previous log-in flow without introducing a security
vulnerability may require extensive care and knowledge of how OmniAuth works,
this commit removes support for OAUTH_REDIRECT_AT_SIGN_IN instead for the time
being.
2022-01-23 15:50:41 +01:00
Claire 8a07ecd377
Remove leftover database columns from Devise::Models::Rememberable (#17191)
* Remove leftover database columns from Devise::Models::Rememberable

* Update fix-duplication maintenance script

* Improve errors/warnings in the fix-duplicates maintenance script
2022-01-23 15:46:30 +01:00
Claire 3a103cd317
Fix text being incorrectly pre-selected in composer textarea on /share (#17339)
Fixes #17295
2022-01-20 20:56:21 +01:00
Claire 6eea3f8f9c
Add post edited notice in admin and public UIs (#17335)
* Add edited toot flag on public pages

* Add toot edit flag to admin pages
2022-01-20 13:37:31 +01:00
Claire 4d0383d75a Add content-type to status source in glitch-soc 2022-01-20 00:03:44 +01:00
Eugen Rochko d4654dc892 [Glitch] Add support for editing for published statuses
Port front-end changes from 1060666c58 to glitch-soc

Signed-off-by: Claire <claire.github-309c@sitedethib.com>
2022-01-20 00:03:41 +01:00
Claire 1af4618a06 Merge branch 'main' into glitch-soc/merge-upstream 2022-01-19 23:52:53 +01:00
Claire fe89554a54 Merge branch 'main' into glitch-soc/merge-upstream
Conflicts:
- `app/lib/activitypub/activity/create.rb`:
  Upstream refactored how `Create` activities are handled and how values are
  extracted from `Create`d objects. This conflicted with how glitch-soc
  supported the `directMessage` flag to explicitly distinguish between
  limited and direct messages.
  Ported glitch-soc's changes to latest upstream changes.
- `app/services/fan_out_on_write_service.rb`:
  Upstream largely refactored that file and changed some of the logic.
  This conflicted with glitch-soc's handling of the direct timeline and
  the options to allow replies and boosts in public feeds.
  Ported those glitch-soc changes on top of latest upstream changes.
- `app/services/process_mentions_service.rb`:
  Upstream refactored to move mention-related ActivityPub deliveries to
  `ActivityPub::DeliveryWorker`, while glitch-soc contained an extra check
  to not send local-only toots to remote mentioned users.
  Took upstream's version, as the check is not needed anymore, since it is
  performed at the `ActivityPub::DeliveryWorker` call site already.
- `app/workers/feed_insert_worker.rb`:
  Upstream added support for `update` toot events, while glitch-soc had
  support for an extra timeline support, `direct`.
  Ported upstream changes and extended them to the `direct` timeline.

Additional changes:
- `app/lib/activitypub/parser/status_parser.rb`:
  Added code to handle the `directMessage` flag and take it into account
  to compute visibility.
- `app/lib/feed_manager.rb`:
  Extended upstream's support of `update` toot events to glitch-soc's
  `direct` timeline.
2022-01-19 23:52:48 +01:00
Eugen Rochko 9eb775a9d1
Fix error when using raw distribution worker (#17334)
Regression from #16697
2022-01-19 23:05:59 +01:00
Eugen Rochko d412a8d1f2
Fix error when processing poll updates (#17333)
Regression from #16697
2022-01-19 22:50:01 +01:00
Eugen Rochko 1060666c58
Add support for editing for published statuses (#16697)
* Add support for editing for published statuses

* Fix references to stripped-out code

* Various fixes and improvements

* Further fixes and improvements

* Fix updates being potentially sent to unauthorized recipients

* Various fixes and improvements

* Fix wrong words in test

* Fix notifying accounts that were tagged but were not in the audience

* Fix mistake
2022-01-19 22:37:27 +01:00
Claire b209e919bd
Merge pull request #1662 from ClearlyClaire/glitch-soc/merge-upstream
Merge upstream changes
2022-01-19 14:22:59 +01:00
Claire c42938aed4 Merge branch 'main' into glitch-soc/merge-upstream 2022-01-19 12:32:44 +01:00
Jeong Arm 2d1f082bb6
Fix NameError on ActivityPub::FetchFeaturedCollectionService (#17326)
Related: #16954
2022-01-19 04:08:46 +01:00
Claire f6acc039ec
Merge pull request #1660 from ClearlyClaire/glitch-soc/features/themes-multiple-packs
Refactor glitch-soc's theme handling
2022-01-18 00:18:07 +01:00
Claire b9ed7e0f55 Please CodeClimate 2022-01-17 13:06:06 +01:00
Claire c7e2b9cf64 Move controller theming code to concern 2022-01-17 12:50:52 +01:00
Claire c60f8ce032
Fix `pinned` attribute not being set for private self-posts (#17304) 2022-01-17 11:59:46 +01:00
Eugen Rochko 69208ef6ff [Glitch] Add notifications for statuses deleted by moderators
Port front-end changes from 14f436c457 to glitch-soc

Signed-off-by: Claire <claire.github-309c@sitedethib.com>
2022-01-17 11:19:44 +01:00
Claire b3bf32a21e Merge branch 'main' into glitch-soc/merge-upstream
Conflicts:
- `app/views/admin/reports/show.html.haml`:
  Conflicts due to glitch-soc's theming system.
2022-01-17 10:45:25 +01:00
Claire 77dd4ab8f5 Fix `pinned` attribute not being set for private self-posts 2022-01-17 09:52:19 +01:00
Eugen Rochko 14f436c457
Add notifications for statuses deleted by moderators (#17204) 2022-01-17 09:41:33 +01:00
Claire 5effc0f8fa [Glitch] Add support for private pinned posts
Port JS changes from d5c9feb7b7 to glitch-soc

Signed-off-by: Claire <claire.github-309c@sitedethib.com>
2022-01-17 08:35:27 +01:00
Claire 2d4b4b0b45 Merge branch 'main' into glitch-soc/merge-upstream
Conflicts:
- `app/controllers/accounts_controller.rb`:
  Upstream introduced support for private pinned toots, but glitch-soc's query
  was a bit different as it filtered out local-only toots.
  Used upstream's query, while adding local-only filtering back.
- `app/controllers/activitypub/collections_controller.rb`:
  Same thing with regards to local-only posts.
- `app/validators/status_pin_validator.rb`:
  Not a real conflict, but the line below was different in glitch-soc due to
  the configurable pinned toots limit.
2022-01-17 08:28:52 +01:00
Claire d5c9feb7b7
Add support for private pinned posts (#16954)
* Add support for private pinned toots

* Allow local user to pin private toots

* Change wording to avoid "direct message"
2022-01-17 00:49:55 +01:00
Claire 278bd61d6f Merge branch 'main' into glitch-soc/merge-upstream 2022-01-16 22:29:05 +01:00
Claire de4c67c5fa Fix missing media: 'all' on default skins 2022-01-16 22:26:18 +01:00
Claire c789bcc844 Refactor theming HAML template a bit 2022-01-16 22:26:18 +01:00
Claire 1b386c881c Refactor theme config loading 2022-01-16 22:26:18 +01:00
Claire c61b29ebfd Refactor some more 2022-01-16 22:26:18 +01:00
Claire 30d9abdfc9 Refactor glitch-soc's theme handling 2022-01-16 22:12:11 +01:00
Claire 081e4426f8
Fix admin interface crash when displaying deleted user (#17301) 2022-01-16 20:57:37 +01:00
Jeong Arm 474cd302c9 [Glitch] Gradually increase retry waiting for media processing
Port bc7a8ae6d6 to glitch-soc

Signed-off-by: Claire <claire.github-309c@sitedethib.com>
2022-01-16 18:14:33 +01:00
Claire b61c3ddff8 Merge branch 'main' into glitch-soc/merge-upstream
Conflicts:
- `README.md`:
  Upstream added some text, but our README is completely different.
  Kept our README unchanged.
2022-01-16 18:11:20 +01:00
Eugen Rochko 8e84ebf0cb
Remove IP tracking columns from users table (#16409) 2022-01-16 13:23:50 +01:00
Jeong Arm bc7a8ae6d6
Gradually increase retry waiting for media processing (#17271) 2022-01-10 14:25:08 +01:00