Merge commit '1467f1e1e1c18dc4b310862ff1f719165a24cfb6' into glitch-soc/merge-upstream

main-rebase-security-fix
Claire 2024-02-24 14:15:49 +01:00
commit dfd74f0dae
12 changed files with 108 additions and 230 deletions


@ -164,6 +164,7 @@ class EmojiPickerMenuImpl extends PureComponent {
intl: PropTypes.object.isRequired,
skinTone: PropTypes.number.isRequired,
onSkinTone: PropTypes.func.isRequired,
pickerButtonRef: PropTypes.func.isRequired
};
static defaultProps = {
@ -178,7 +179,7 @@ class EmojiPickerMenuImpl extends PureComponent {
};
handleDocumentClick = e => {
if (this.node && !this.node.contains(e.target)) {
if (this.node && !this.node.contains(e.target) && !this.props.pickerButtonRef.contains(e.target)) {
this.props.onClose();
}
};
@ -233,6 +234,7 @@ class EmojiPickerMenuImpl extends PureComponent {
emoji.native = emoji.colons;
}
if (!(event.ctrlKey || event.metaKey)) {
this.props.onClose();
}
this.props.onPick(emoji);
@ -407,6 +409,7 @@ class EmojiPickerDropdown extends PureComponent {
onSkinTone={onSkinTone}
skinTone={skinTone}
frequentlyUsedEmojis={frequentlyUsedEmojis}
pickerButtonRef={this.target}
/>
</div>
</div>
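Review bot: `pickerButtonRef` is declared as `PropTypes.func.isRequired` in the propTypes addition, but `handleDocumentClick` calls `.contains(e.target)` on it, which is a DOM `Node` method, and `EmojiPickerDropdown` passes `this.target` (presumably the button element captured by a ref callback, which is not visible in this hunk). Declaring it as `PropTypes.object` (or `PropTypes.instanceOf(Element)`) would match how it is actually used; as written, PropTypes will emit a development warning every time the real element is passed. If `this.target` has not been assigned when a document click arrives, `this.props.pickerButtonRef.contains` throws, so a guard such as `const button = this.props.pickerButtonRef;` followed by `if (this.node && !this.node.contains(e.target) && !(button && button.contains(e.target)))` would be safer. Both `EmojiPickerMenuImpl` and `EmojiPickerDropdown` start and end outside this hunk.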


@ -2,31 +2,26 @@
require 'rails_helper'
describe Api::V1::Admin::Trends::Links::PreviewCardProvidersController do
render_views
describe 'API V1 Admin Trends Links Preview Card Providers' do
let(:role) { UserRole.find_by(name: 'Admin') }
let(:user) { Fabricate(:user, role: role) }
let(:scopes) { 'admin:read admin:write' }
let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: scopes) }
let(:headers) { { 'Authorization' => "Bearer #{token.token}" } }
let(:account) { Fabricate(:account) }
let(:preview_card_provider) { Fabricate(:preview_card_provider) }
before do
allow(controller).to receive(:doorkeeper_token) { token }
end
describe 'GET #index' do
describe 'GET /api/v1/admin/trends/links/publishers' do
it 'returns http success' do
get :index, params: { account_id: account.id, limit: 2 }
get '/api/v1/admin/trends/links/publishers', params: { account_id: account.id, limit: 2 }, headers: headers
expect(response).to have_http_status(200)
end
end
describe 'POST #approve' do
describe 'POST /api/v1/admin/trends/links/publishers/:id/approve' do
before do
post :approve, params: { id: preview_card_provider.id }
post "/api/v1/admin/trends/links/publishers/#{preview_card_provider.id}/approve", headers: headers
end
it_behaves_like 'forbidden for wrong scope', 'write:statuses'
@ -37,9 +32,9 @@ describe Api::V1::Admin::Trends::Links::PreviewCardProvidersController do
end
end
describe 'POST #reject' do
describe 'POST /api/v1/admin/trends/links/publishers/:id/reject' do
before do
post :reject, params: { id: preview_card_provider.id }
post "/api/v1/admin/trends/links/publishers/#{preview_card_provider.id}/reject", headers: headers
end
it_behaves_like 'forbidden for wrong scope', 'write:statuses'
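Review bot: The `GET /api/v1/admin/trends/links/publishers` example only asserts a 200 with an admin token, while the approve and reject examples also run `it_behaves_like 'forbidden for wrong scope', 'write:statuses'`. Now that the request goes through the real `Authorization` header and `let(:scopes)` is overridable, the index example could carry the same shared example (and a wrong-role one, if the project defines it — not visible here) so the read side of this admin endpoint has the same authorization coverage as the write side: `it_behaves_like 'forbidden for wrong scope', 'write:statuses'` inside the index describe, with the `get` moved into a `before` as the approve/reject describes already do. The outer describe continues past the visible hunk.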


@ -2,23 +2,18 @@
require 'rails_helper'
describe Api::V1::Statuses::HistoriesController do
render_views
describe 'API V1 Statuses Histories' do
let(:user) { Fabricate(:user) }
let(:app) { Fabricate(:application, name: 'Test app', website: 'http://testapp.com') }
let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read:statuses', application: app) }
let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: scopes) }
let(:scopes) { 'read:statuses' }
let(:headers) { { 'Authorization' => "Bearer #{token.token}" } }
context 'with an oauth token' do
before do
allow(controller).to receive(:doorkeeper_token) { token }
end
describe 'GET #show' do
describe 'GET /api/v1/statuses/:status_id/history' do
let(:status) { Fabricate(:status, account: user.account) }
before do
get :show, params: { status_id: status.id }
get "/api/v1/statuses/#{status.id}/history", headers: headers
end
it 'returns http success' do
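Review bot: `let(:scopes)` is introduced so the shared scope examples can override it, but nothing in this describe uses it: the only expectation visible is `returns http success` for the status's own author. Adding `it_behaves_like 'forbidden for wrong scope', 'write:statuses'` next to it would verify that a token lacking `read:statuses` is rejected by the history endpoint, which is the reason for making the scope a `let`. The `context 'with an oauth token'` wrapper has lost its `before` block and now only contributes a name; it could be flattened or paired with a no-token case asserting 401. The describe continues past the hunk.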


@ -2,23 +2,18 @@
require 'rails_helper'
describe Api::V1::Statuses::MutesController do
render_views
describe 'API V1 Statuses Mutes' do
let(:user) { Fabricate(:user) }
let(:app) { Fabricate(:application, name: 'Test app', website: 'http://testapp.com') }
let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'write:mutes', application: app) }
let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: scopes) }
let(:scopes) { 'write:mutes' }
let(:headers) { { 'Authorization' => "Bearer #{token.token}" } }
context 'with an oauth token' do
before do
allow(controller).to receive(:doorkeeper_token) { token }
end
describe 'POST #create' do
describe 'POST /api/v1/statuses/:status_id/mute' do
let(:status) { Fabricate(:status, account: user.account) }
before do
post :create, params: { status_id: status.id }
post "/api/v1/statuses/#{status.id}/mute", headers: headers
end
it 'creates a conversation mute', :aggregate_failures do
@ -27,12 +22,12 @@ describe Api::V1::Statuses::MutesController do
end
end
describe 'POST #destroy' do
describe 'POST /api/v1/statuses/:status_id/unmute' do
let(:status) { Fabricate(:status, account: user.account) }
before do
user.account.mute_conversation!(status.conversation)
post :destroy, params: { status_id: status.id }
post "/api/v1/statuses/#{status.id}/unmute", headers: headers
end
it 'destroys the conversation mute', :aggregate_failures do
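Review bot: Both the mute and unmute describes only exercise the happy path with a `write:mutes` token, and the newly extracted `let(:scopes)` is never overridden, so no example checks that a token without `write:mutes` is refused on `/api/v1/statuses/:status_id/mute` or `/unmute`. A single `it_behaves_like 'forbidden for wrong scope', 'read:statuses'` in each describe (the request is already issued in a `before`, which is what the shared example needs) would close that gap at no cost. The `context 'with an oauth token'` wrapper no longer wraps a `before` and could be dropped or given a no-token sibling. The describe continues past the hunk.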


@ -2,23 +2,18 @@
require 'rails_helper'
describe Api::V1::Statuses::ReblogsController do
render_views
describe 'API V1 Statuses Reblogs' do
let(:user) { Fabricate(:user) }
let(:app) { Fabricate(:application, name: 'Test app', website: 'http://testapp.com') }
let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'write:statuses', application: app) }
let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: scopes) }
let(:scopes) { 'write:statuses' }
let(:headers) { { 'Authorization' => "Bearer #{token.token}" } }
context 'with an oauth token' do
before do
allow(controller).to receive(:doorkeeper_token) { token }
end
describe 'POST #create' do
describe 'POST /api/v1/statuses/:status_id/reblog' do
let(:status) { Fabricate(:status, account: user.account) }
before do
post :create, params: { status_id: status.id }
post "/api/v1/statuses/#{status.id}/reblog", headers: headers
end
context 'with public status' do
@ -46,13 +41,13 @@ describe Api::V1::Statuses::ReblogsController do
end
end
describe 'POST #destroy', :sidekiq_inline do
describe 'POST /api/v1/statuses/:status_id/unreblog', :sidekiq_inline do
context 'with public status' do
let(:status) { Fabricate(:status, account: user.account) }
before do
ReblogService.new.call(user.account, status)
post :destroy, params: { status_id: status.id }
post "/api/v1/statuses/#{status.id}/unreblog", headers: headers
end
it 'destroys the reblog', :aggregate_failures do
@ -76,7 +71,7 @@ describe Api::V1::Statuses::ReblogsController do
before do
ReblogService.new.call(user.account, status)
status.account.block!(user.account)
post :destroy, params: { status_id: status.id }
post "/api/v1/statuses/#{status.id}/unreblog", headers: headers
end
it 'destroys the reblog', :aggregate_failures do
@ -98,7 +93,7 @@ describe Api::V1::Statuses::ReblogsController do
let(:status) { Fabricate(:status, visibility: :private) }
before do
post :destroy, params: { status_id: status.id }
post "/api/v1/statuses/#{status.id}/unreblog", headers: headers
end
it 'returns http not found' do
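Review bot: Every example in this file sends the `headers` built from a `write:statuses` token, and the `context 'with an oauth token'` wrapper now has nothing to distinguish it from the rest since `allow(controller).to receive(:doorkeeper_token)` was removed. A request spec exercises the real authentication path, so a sibling `context 'without an oauth token'` that posts to `"/api/v1/statuses/#{status.id}/reblog"` with no `headers` and asserts `have_http_status(401)` would give the wrapper a purpose, and `it_behaves_like 'forbidden for wrong scope', 'read:statuses'` would cover an insufficient scope. The private-status unreblog example still expects not-found rather than forbidden, which is the right choice for not disclosing that the status exists. The describe continues past the hunk.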


@ -2,19 +2,14 @@
require 'rails_helper'
describe Api::V1::Statuses::TranslationsController do
render_views
describe 'API V1 Statuses Translations' do
let(:user) { Fabricate(:user) }
let(:app) { Fabricate(:application, name: 'Test app', website: 'http://testapp.com') }
let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read:statuses', application: app) }
let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: scopes) }
let(:scopes) { 'read:statuses' }
let(:headers) { { 'Authorization' => "Bearer #{token.token}" } }
context 'with an oauth token' do
before do
allow(controller).to receive(:doorkeeper_token) { token }
end
describe 'POST #create' do
describe 'POST /api/v1/statuses/:status_id/translate' do
let(:status) { Fabricate(:status, account: user.account, text: 'Hola', language: 'es') }
before do
@ -22,7 +17,7 @@ describe Api::V1::Statuses::TranslationsController do
service = instance_double(TranslationService::DeepL, translate: [translation])
allow(TranslationService).to receive_messages(configured?: true, configured: service)
Rails.cache.write('translation_service/languages', { 'es' => ['en'] })
post :create, params: { status_id: status.id }
post "/api/v1/statuses/#{status.id}/translate", headers: headers
end
it 'returns http success' do
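Review bot: `let(:scopes)` is added but not exercised: the only example visible checks that the owner with `read:statuses` gets a 200 from `/api/v1/statuses/:status_id/translate`, so `it_behaves_like 'forbidden for wrong scope', 'write:statuses'` would add the missing negative case for free, since the request is already made in the `before`. Separately, the unchanged `Rails.cache.write('translation_service/languages', ...)` in that `before` seeds a key that is never removed; unless the suite clears the cache between examples (not visible here), a `Rails.cache.delete('translation_service/languages')` in an `after` would keep this example from leaking the stubbed language list into later ones. The describe continues past the hunk.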


@ -2,15 +2,13 @@
require 'rails_helper'
RSpec.describe Api::V1::Trends::LinksController do
render_views
describe 'GET #index' do
RSpec.describe 'API V1 Trends Links' do
describe 'GET /api/v1/trends/links' do
context 'when trends are disabled' do
before { Setting.trends = false }
it 'returns http success' do
get :index
get '/api/v1/trends/links'
expect(response).to have_http_status(200)
end
@ -22,7 +20,7 @@ RSpec.describe Api::V1::Trends::LinksController do
it 'returns http success' do
prepare_trends
stub_const('Api::V1::Trends::LinksController::DEFAULT_LINKS_LIMIT', 2)
get :index
get '/api/v1/trends/links'
expect(response).to have_http_status(200)
expect(response.headers).to include('Link')
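Review bot: In the `when trends are disabled` context the request to `/api/v1/trends/links` only asserts a 200, so the example would still pass if disabled trends returned trending links. The tags spec converted in this same commit also asserts `expect(response.headers).to_not include('Link')` in its disabled case; adding that line here, and an empty-body check such as `expect(response.parsed_body).to eq([])` (or whichever JSON helper the suite uses), would pin that disabling trends suppresses the data and not only pagination. The `stub_const('Api::V1::Trends::LinksController::DEFAULT_LINKS_LIMIT', 2)` line now sits under a describe named by path rather than controller, which is fine but worth a one-line comment such as `# limit is a controller constant; stubbed so two fixtures produce a Link header`.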


@ -2,15 +2,13 @@
require 'rails_helper'
RSpec.describe Api::V1::Trends::StatusesController do
render_views
describe 'GET #index' do
RSpec.describe 'API V1 Trends Statuses' do
describe 'GET /api/v1/trends/statuses' do
context 'when trends are disabled' do
before { Setting.trends = false }
it 'returns http success' do
get :index
get '/api/v1/trends/statuses'
expect(response).to have_http_status(200)
end
@ -22,7 +20,7 @@ RSpec.describe Api::V1::Trends::StatusesController do
it 'returns http success' do
prepare_trends
stub_const('Api::BaseController::DEFAULT_STATUSES_LIMIT', 2)
get :index
get '/api/v1/trends/statuses'
expect(response).to have_http_status(200)
expect(response.headers).to include('Link')
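Review bot: The disabled-trends example for `/api/v1/trends/statuses` stops at `have_http_status(200)`, whereas the sibling tags spec in this commit also checks that no `Link` header is emitted when trends are off. Mirroring that with `expect(response.headers).to_not include('Link')` keeps the three trends specs consistent and guards against a disabled feed still paginating (and therefore still serving) trending statuses. The enabled case relies on `stub_const('Api::BaseController::DEFAULT_STATUSES_LIMIT', 2)`, a base-controller constant shared by other endpoints; a short comment noting why the shared limit is stubbed here would help the next reader.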


@ -2,15 +2,13 @@
require 'rails_helper'
RSpec.describe Api::V1::Trends::TagsController do
render_views
describe 'GET #index' do
RSpec.describe 'API V1 Trends Tags' do
describe 'GET /api/v1/trends/tags' do
context 'when trends are disabled' do
before { Setting.trends = false }
it 'returns http success' do
get :index
get '/api/v1/trends/tags'
expect(response).to have_http_status(200)
expect(response.headers).to_not include('Link')
@ -23,7 +21,7 @@ RSpec.describe Api::V1::Trends::TagsController do
it 'returns http success' do
prepare_trends
stub_const('Api::V1::Trends::TagsController::DEFAULT_TAGS_LIMIT', 2)
get :index
get '/api/v1/trends/tags'
expect(response).to have_http_status(200)
expect(response.headers).to include('Link')


@ -2,19 +2,14 @@
require 'rails_helper'
RSpec.describe Api::V2::Admin::AccountsController do
render_views
RSpec.describe 'API V2 Admin Accounts' do
let(:role) { UserRole.find_by(name: 'Moderator') }
let(:user) { Fabricate(:user, role: role) }
let(:scopes) { 'admin:read admin:write' }
let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: scopes) }
let(:headers) { { 'Authorization' => "Bearer #{token.token}" } }
let(:account) { Fabricate(:account) }
before do
allow(controller).to receive(:doorkeeper_token) { token }
end
describe 'GET #index' do
let!(:remote_account) { Fabricate(:account, domain: 'example.org') }
let!(:other_remote_account) { Fabricate(:account, domain: 'foo.bar') }
@ -28,7 +23,8 @@ RSpec.describe Api::V2::Admin::AccountsController do
before do
pending_account.user.update(approved: false)
get :index, params: params
get '/api/v2/admin/accounts', params: params, headers: headers
end
it_behaves_like 'forbidden for wrong scope', 'write:statuses'
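Review bot: `describe 'GET #index'` on the unchanged line above the `let!` declarations keeps the controller-action naming, while every other spec converted in this commit renamed its describe to the request path (for example `describe 'GET /api/v1/admin/trends/links/publishers'`); renaming it to `describe 'GET /api/v2/admin/accounts'` keeps this file consistent with the request-spec style the commit adopts. The token is `admin:read admin:write` for a `Moderator` role and the visible `it_behaves_like 'forbidden for wrong scope', 'write:statuses'` covers scope; whether a wrong-role example exists further down cannot be seen here, as the describe continues past the hunk.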


@ -21,20 +21,14 @@ RSpec.describe ActivityPub::FetchRemoteAccountService, type: :service do
let(:account) { subject.call('https://example.com/alice') }
shared_examples 'sets profile data' do
it 'returns an account' do
expect(account).to be_an Account
end
it 'sets display name' do
expect(account.display_name).to eq 'Alice'
end
it 'sets note' do
expect(account.note).to eq 'Foo bar'
end
it 'sets URL' do
expect(account.url).to eq 'https://example.com/alice'
it 'returns an account with expected details' do
expect(account)
.to be_an(Account)
.and have_attributes(
display_name: eq('Alice'),
note: eq('Foo bar'),
url: eq('https://example.com/alice')
)
end
end
@ -48,18 +42,11 @@ RSpec.describe ActivityPub::FetchRemoteAccountService, type: :service do
stub_request(:get, 'https://example.com/.well-known/webfinger?resource=acct:alice@example.com').to_return(body: Oj.dump(webfinger), headers: { 'Content-Type': 'application/jrd+json' })
end
it 'fetches resource' do
account
expect(a_request(:get, 'https://example.com/alice')).to have_been_made.once
end
it 'looks up webfinger' do
account
expect(a_request(:get, 'https://example.com/.well-known/webfinger?resource=acct:alice@example.com')).to have_been_made.once
end
it 'returns nil' do
it 'fetches resource and looks up webfinger and returns nil' do
expect(account).to be_nil
expect(a_request(:get, 'https://example.com/alice')).to have_been_made.once
expect(a_request(:get, 'https://example.com/.well-known/webfinger?resource=acct:alice@example.com')).to have_been_made.once
end
end
@ -71,17 +58,12 @@ RSpec.describe ActivityPub::FetchRemoteAccountService, type: :service do
stub_request(:get, 'https://example.com/.well-known/webfinger?resource=acct:alice@example.com').to_return(body: Oj.dump(webfinger), headers: { 'Content-Type': 'application/jrd+json' })
end
it 'fetches resource' do
it 'fetches resource and looks up webfinger and sets attributes' do
account
expect(a_request(:get, 'https://example.com/alice')).to have_been_made.once
end
it 'looks up webfinger' do
account
expect(a_request(:get, 'https://example.com/.well-known/webfinger?resource=acct:alice@example.com')).to have_been_made.once
end
it 'sets username and domain from webfinger' do
expect(account.username).to eq 'alice'
expect(account.domain).to eq 'example.com'
end
@ -98,22 +80,13 @@ RSpec.describe ActivityPub::FetchRemoteAccountService, type: :service do
stub_request(:get, 'https://iscool.af/.well-known/webfinger?resource=acct:alice@iscool.af').to_return(body: Oj.dump(webfinger), headers: { 'Content-Type': 'application/jrd+json' })
end
it 'fetches resource' do
it 'fetches resource and looks up webfinger and follows redirection and sets attributes' do
account
expect(a_request(:get, 'https://example.com/alice')).to have_been_made.once
end
it 'looks up webfinger' do
account
expect(a_request(:get, 'https://example.com/.well-known/webfinger?resource=acct:alice@example.com')).to have_been_made.once
end
it 'looks up "redirected" webfinger' do
account
expect(a_request(:get, 'https://iscool.af/.well-known/webfinger?resource=acct:alice@iscool.af')).to have_been_made.once
end
it 'sets username and domain from final webfinger' do
expect(account.username).to eq 'alice'
expect(account.domain).to eq 'iscool.af'
end
@ -129,18 +102,11 @@ RSpec.describe ActivityPub::FetchRemoteAccountService, type: :service do
stub_request(:get, 'https://example.com/.well-known/webfinger?resource=acct:alice@example.com').to_return(body: Oj.dump(webfinger), headers: { 'Content-Type': 'application/jrd+json' })
end
it 'fetches resource' do
account
expect(a_request(:get, 'https://example.com/alice')).to have_been_made.once
end
it 'looks up webfinger' do
account
expect(a_request(:get, 'https://example.com/.well-known/webfinger?resource=acct:alice@example.com')).to have_been_made.once
end
it 'does not create account' do
it 'fetches resource and looks up webfinger and does not create account' do
expect(account).to be_nil
expect(a_request(:get, 'https://example.com/alice')).to have_been_made.once
expect(a_request(:get, 'https://example.com/.well-known/webfinger?resource=acct:alice@example.com')).to have_been_made.once
end
end
@ -153,23 +119,12 @@ RSpec.describe ActivityPub::FetchRemoteAccountService, type: :service do
stub_request(:get, 'https://iscool.af/.well-known/webfinger?resource=acct:alice@iscool.af').to_return(body: Oj.dump(webfinger), headers: { 'Content-Type': 'application/jrd+json' })
end
it 'fetches resource' do
account
expect(a_request(:get, 'https://example.com/alice')).to have_been_made.once
end
it 'looks up webfinger' do
account
expect(a_request(:get, 'https://example.com/.well-known/webfinger?resource=acct:alice@example.com')).to have_been_made.once
end
it 'looks up "redirected" webfinger' do
account
expect(a_request(:get, 'https://iscool.af/.well-known/webfinger?resource=acct:alice@iscool.af')).to have_been_made.once
end
it 'does not create account' do
it 'fetches resource and looks up webfinger and follows redirect and does not create account' do
expect(account).to be_nil
expect(a_request(:get, 'https://example.com/alice')).to have_been_made.once
expect(a_request(:get, 'https://example.com/.well-known/webfinger?resource=acct:alice@example.com')).to have_been_made.once
expect(a_request(:get, 'https://iscool.af/.well-known/webfinger?resource=acct:alice@iscool.af')).to have_been_made.once
end
end
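Review bot: The merged examples such as `it 'fetches resource and looks up webfinger and returns nil'` now hold three or four independent expectations, so when `expect(account).to be_nil` fails RSpec stops at that line and the request-count expectations never report, hiding whether the service issued the extra webfinger call. The project already tags multi-expectation examples with `:aggregate_failures` (the mutes and reblogs specs in this same commit do), so adding it to each merged example, e.g. `it 'fetches resource and looks up webfinger and returns nil', :aggregate_failures do`, keeps the failure output as informative as the separate examples were. The same applies to the `sets attributes` and `follows redirection` examples. The outer describe begins outside the hunk.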


@ -21,20 +21,14 @@ RSpec.describe ActivityPub::FetchRemoteActorService, type: :service do
let(:account) { subject.call('https://example.com/alice') }
shared_examples 'sets profile data' do
it 'returns an account' do
expect(account).to be_an Account
end
it 'sets display name' do
expect(account.display_name).to eq 'Alice'
end
it 'sets note' do
expect(account.note).to eq 'Foo bar'
end
it 'sets URL' do
expect(account.url).to eq 'https://example.com/alice'
it 'returns an account and sets attributes' do
expect(account)
.to be_an(Account)
.and have_attributes(
display_name: eq('Alice'),
note: eq('Foo bar'),
url: eq('https://example.com/alice')
)
end
end
@ -48,18 +42,11 @@ RSpec.describe ActivityPub::FetchRemoteActorService, type: :service do
stub_request(:get, 'https://example.com/.well-known/webfinger?resource=acct:alice@example.com').to_return(body: Oj.dump(webfinger), headers: { 'Content-Type': 'application/jrd+json' })
end
it 'fetches resource' do
account
expect(a_request(:get, 'https://example.com/alice')).to have_been_made.once
end
it 'looks up webfinger' do
account
expect(a_request(:get, 'https://example.com/.well-known/webfinger?resource=acct:alice@example.com')).to have_been_made.once
end
it 'returns nil' do
it 'fetches resource and looks up webfinger and returns nil' do
expect(account).to be_nil
expect(a_request(:get, 'https://example.com/alice')).to have_been_made.once
expect(a_request(:get, 'https://example.com/.well-known/webfinger?resource=acct:alice@example.com')).to have_been_made.once
end
end
@ -71,17 +58,12 @@ RSpec.describe ActivityPub::FetchRemoteActorService, type: :service do
stub_request(:get, 'https://example.com/.well-known/webfinger?resource=acct:alice@example.com').to_return(body: Oj.dump(webfinger), headers: { 'Content-Type': 'application/jrd+json' })
end
it 'fetches resource' do
it 'fetches resource and looks up webfinger and sets values' do
account
expect(a_request(:get, 'https://example.com/alice')).to have_been_made.once
end
it 'looks up webfinger' do
account
expect(a_request(:get, 'https://example.com/.well-known/webfinger?resource=acct:alice@example.com')).to have_been_made.once
end
it 'sets username and domain from webfinger' do
expect(account.username).to eq 'alice'
expect(account.domain).to eq 'example.com'
end
@ -98,22 +80,13 @@ RSpec.describe ActivityPub::FetchRemoteActorService, type: :service do
stub_request(:get, 'https://iscool.af/.well-known/webfinger?resource=acct:alice@iscool.af').to_return(body: Oj.dump(webfinger), headers: { 'Content-Type': 'application/jrd+json' })
end
it 'fetches resource' do
it 'fetches resource and looks up webfinger and follows redirect and sets values' do
account
expect(a_request(:get, 'https://example.com/alice')).to have_been_made.once
end
it 'looks up webfinger' do
account
expect(a_request(:get, 'https://example.com/.well-known/webfinger?resource=acct:alice@example.com')).to have_been_made.once
end
it 'looks up "redirected" webfinger' do
account
expect(a_request(:get, 'https://iscool.af/.well-known/webfinger?resource=acct:alice@iscool.af')).to have_been_made.once
end
it 'sets username and domain from final webfinger' do
expect(account.username).to eq 'alice'
expect(account.domain).to eq 'iscool.af'
end
@ -129,18 +102,11 @@ RSpec.describe ActivityPub::FetchRemoteActorService, type: :service do
stub_request(:get, 'https://example.com/.well-known/webfinger?resource=acct:alice@example.com').to_return(body: Oj.dump(webfinger), headers: { 'Content-Type': 'application/jrd+json' })
end
it 'fetches resource' do
account
expect(a_request(:get, 'https://example.com/alice')).to have_been_made.once
end
it 'looks up webfinger' do
account
expect(a_request(:get, 'https://example.com/.well-known/webfinger?resource=acct:alice@example.com')).to have_been_made.once
end
it 'does not create account' do
it 'fetches resource and looks up webfinger and does not create account' do
expect(account).to be_nil
expect(a_request(:get, 'https://example.com/alice')).to have_been_made.once
expect(a_request(:get, 'https://example.com/.well-known/webfinger?resource=acct:alice@example.com')).to have_been_made.once
end
end
@ -153,23 +119,12 @@ RSpec.describe ActivityPub::FetchRemoteActorService, type: :service do
stub_request(:get, 'https://iscool.af/.well-known/webfinger?resource=acct:alice@iscool.af').to_return(body: Oj.dump(webfinger), headers: { 'Content-Type': 'application/jrd+json' })
end
it 'fetches resource' do
account
expect(a_request(:get, 'https://example.com/alice')).to have_been_made.once
end
it 'looks up webfinger' do
account
expect(a_request(:get, 'https://example.com/.well-known/webfinger?resource=acct:alice@example.com')).to have_been_made.once
end
it 'looks up "redirected" webfinger' do
account
expect(a_request(:get, 'https://iscool.af/.well-known/webfinger?resource=acct:alice@iscool.af')).to have_been_made.once
end
it 'does not create account' do
it 'fetches resource and looks up webfinger and follows redirect and does not create account' do
expect(account).to be_nil
expect(a_request(:get, 'https://example.com/alice')).to have_been_made.once
expect(a_request(:get, 'https://example.com/.well-known/webfinger?resource=acct:alice@example.com')).to have_been_made.once
expect(a_request(:get, 'https://iscool.af/.well-known/webfinger?resource=acct:alice@iscool.af')).to have_been_made.once
end
end