Commit Graph

1336 Commits (4e7a3a2faff95b1a62633a49ec5c4eaca6b240dd)

Author SHA1 Message Date
ThibG 50d0c1e95f Add configuration option to filter replies in lists (#9205)
* Add database support for list show-reply preferences

* Add backend support to read and update list-specific show_replies settings

* Add basic UI to set list replies setting

* Add specs for list replies policy

* Switch "cycling" reply policy link to a set of radio inputs

* Capitalize replies_policy strings

* Change radio button design to be consistent with that of the directory explorer
2020-09-01 13:31:28 +02:00
dependabot[bot] 61b768572e Bump rubocop from 0.86.0 to 0.88.0 (#14412)
* Bump rubocop from 0.86.0 to 0.88.0

Bumps [rubocop](https://github.com/rubocop-hq/rubocop) from 0.86.0 to 0.88.0.
- [Release notes](https://github.com/rubocop-hq/rubocop/releases)
- [Changelog](https://github.com/rubocop-hq/rubocop/blob/master/CHANGELOG.md)
- [Commits](https://github.com/rubocop-hq/rubocop/compare/v0.86.0...v0.88.0)

Signed-off-by: dependabot[bot] <support@github.com>

* Fix for latest RuboCop

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Yamagishi Kazutoshi <ykzts@desire.sh>
2020-09-01 03:04:00 +02:00
Akihiko Odaki b096ad1c0f Make Array-creation behavior of Paginable more predictable (#14687)
* Make Array-creation behavior of Paginable more predictable

Paginable.paginate_by_id usually returns ActiveRecord::Relation, but it
returns an Array if min_id option is present. The behavior caused problems
fixed with the following commits:
- 976938bf30
- 5a8fa3ad95
- 1c70d8189c

To prevent from recurring similar problems, this commit introduces two
changes:
- The scope now always returns an Array whether min_id option is present
  or not.
- The scope is renamed to to_a_paginated_by_id to clarify it returns an
  Array.

* Transform Paginable.to_a_paginated_by_id from a scope to a class method

https://api.rubyonrails.org/classes/ActiveRecord/Scoping/Named/ClassMethods.html#method-i-scope
> The method is intended to return an ActiveRecord::Relation object, which
> is composable with other scopes.

Paginable.to_a_paginated_by_id returns an Array and is not appropriate
as a scope.
2020-08-31 12:47:09 +02:00
Akihiko Odaki 1c70d8189c Introduce ApplicationController#cache_collection_paginated_by_id (#14677)
* Replace incorrect use of distinct with group

Some uses of ActiveRecord::QueryMethods#distinct pass field names but they
are incorrect for the current version of Rails.

ActiveRecord::QueryMethods#group provides the expected behavior and
benefits performance. See commit 6da24aad4cafdef8d8a2c92bac2002a5fc2fe9c8.

* Introduce ApplicationController#cache_collection_paginated_by_id

ApplicationController#cache_collection_paginated_by_id fuses
ApplicationController#cache_collection and Paginable.paginate_by_id.

An advantage of this method is that it prevents from modifying scope which
Paginable.paginate_by_id may provide.
ApplicationController#cache_collection always return an array and there
is no possibility of the scope modification. It is also clear for a
programmer, considering the implication of "cache".

This method can also emit more efficient queries by using
Cacheable.cache_ids before calling Paginable.paginate_by_id.
2020-08-28 12:31:56 +02:00
Akihiko Odaki 5a8fa3ad95 Eagerly load statuses with the main query in Api::V1::BookmarksController (#14674)
This is same with commit 976938bf30 except
that it was for Api::V1::FavouritesController while this is for
Api::V1::BookmarksController.
2020-08-28 12:30:23 +02:00
Akihiko Odaki 81666b26a6 Replace incorrect use of distinct with group (#14675)
Some uses of ActiveRecord::QueryMethods#distinct pass field names but they
are incorrect for the current version of Rails.

ActiveRecord::QueryMethods#group provides the expected behavior and
benefits performance. See commit 6da24aad4cafdef8d8a2c92bac2002a5fc2fe9c8.
2020-08-28 12:29:59 +02:00
Akihiko Odaki 976938bf30 Eagerly load statuses with the main query in Api::V1::FavouritesController (#14673)
The old implementation had two queries:
1. The query constructed in Api::V1::FavouritesController#results
2. The query constructed in #cached_favourites, which is merged with 1.

Both of them are issued againt PostgreSQL. The combination of the two
queries caused the following problems:
- The small window between the two queries involves race conditions.
- Minor performance inefficiency.

Moreover, the construction of query 2, which involves merging with query
1 has a bug. Query 1 is finalized with paginate_by_id, but paginate_by_id
returns an array when min_id parameter is specified. The behavior prevents
from merging the query, and in the real world, ActiveRecord simply ignores
the merge (!), which results in querying the entire scan of statuses and
favourites table.

This change fixes these issues by simply letting query 1 get all the works
done.
2020-08-28 09:27:33 +02:00
Akihiko Odaki 44df785077 Use Status.group instead of Status.distinct in HashQueryService (#14662)
DISTINCT clause removes duplicated records according to all the selected
attributes. In reality, it can remove duplicated records only looking at
statuses.id, but the clause confuses the query planner and yields
insufficient performance.
The behavior is also problematic if the scope produced by HashQueryService
is used to query columns without id (using pluck method, for example). The
scope is expected to contain unique statuses, but the uniquness will be
evaluated with some arbitrary columns other than id.

GROUP BY clause resolves those problem by explicitly specifying the
column to take into account for the record distinction.

A workaround for the problem of DISTINCT clause in
Api::V1::Timelines::TagController is no longer necessary and removed.
2020-08-25 13:39:35 +02:00
ThibG d480442e58 Add support for latest HTTP Signatures spec draft (#14556)
* Add support for latest HTTP Signatures spec draft

https://www.ietf.org/id/draft-ietf-httpbis-message-signatures-00.html

- add support for the “hs2019” signature algorithm (assumed to be equivalent
  to RSA-SHA256, since we do not have a mechanism to specify the algorithm
  within the key metadata yet)
- add support for (created) and (expires) pseudo-headers and related
  signature parameters, when using the hs2019 signature algorithm
- adjust default “headers” parameter while being backwards-compatible with
  previous implementation
- change the acceptable time window logic from 12 hours surrounding the “date”
  header to accepting signatures created up to 1 hour in the future and
  expiring up to 1 hour in the past (but only allowing expiration dates up to
  12 hours after the creation date)
  This doesn't conform with the current draft, as it doesn't permit accounting
  for clock skew.
  This, however, should be addressed in a next version of the draft:
  https://github.com/httpwg/http-extensions/pull/1235

* Add additional signature requirements

* Rewrite signature params parsing using Parslet

* Make apparent which signature algorithm Mastodon on verification failure

Mastodon uses RSASSA-PKCS1-v1_5, which is not recommended for new applications,
and new implementers may thus unknowingly use RSASSA-PSS.

* Add workaround for PeerTube's invalid signature header

The previous parser allowed incorrect Signature headers, such as
those produced by old versions of the `http-signature` node.js package,
and seemingly used by PeerTube.

This commit adds a workaround for that.

* Fix `signature_key_id` raising an exception

Previously, parsing failures would result in `signature_key_id` being nil,
but the parser changes made that result in an exception.

This commit changes the `signature_key_id` method to return `nil` in case
of parsing failures.

* Move extra HTTP signature helper methods to private methods

* Relax (request-target) requirement to (request-target) || digest

This lets requests from Plume work without lowering security significantly.
2020-08-24 18:21:07 +02:00
santiagorodriguez96 f142983484 Add WebAuthn as an alternative 2FA method (#14466)
* feat: add possibility of adding WebAuthn security keys to use as 2FA

This adds a basic UI for enabling WebAuthn 2FA. We did a little refactor
to the Settings page for editing the 2FA methods – now it will list the
methods that are available to the user (TOTP and WebAuthn) and from
there they'll be able to add or remove any of them.
Also, it's worth mentioning that for enabling WebAuthn it's required to
have TOTP enabled, so the first time that you go to the 2FA Settings
page, you'll be asked to set it up.
This work was inspired by the one donde by Github in their platform, and
despite it could be approached in different ways, we decided to go with
this one given that we feel that this gives a great UX.

Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com>

* feat: add request for WebAuthn as second factor at login if enabled

This commits adds the feature for using WebAuthn as a second factor for
login when enabled.
If users have WebAuthn enabled, now a page requesting for the use of a
WebAuthn credential for log in will appear, although a link redirecting
to the old page for logging in using a two-factor code will also be
present.

Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com>

* feat: add possibility of deleting WebAuthn Credentials

Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com>

* feat: disable WebAuthn when an Admin disables 2FA for a user

Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com>

* feat: remove ability to disable TOTP leaving only WebAuthn as 2FA

Following examples form other platforms like Github, we decided to make
Webauthn 2FA secondary to 2FA with TOTP, so that we removed the
possibility of removing TOTP authentication only, leaving users with
just WEbAuthn as 2FA. Instead, users will have to click on 'Disable 2FA'
in order to remove second factor auth.
The reason for WebAuthn being secondary to TOPT is that in that way,
users will still be able to log in using their code from their phone's
application if they don't have their security keys with them – or maybe
even lost them.

* We had to change a little the flow for setting up TOTP, given that now
  it's possible to setting up again if you already had TOTP, in order to
  let users modify their authenticator app – given that now it's not
  possible for them to disable TOTP and set it up again with another
  authenticator app.
  So, basically, now instead of storing the new `otp_secret` in the
  user, we store it in the session until the process of set up is
  finished.
  This was because, as it was before, when users clicked on 'Edit' in
  the new two-factor methods lists page, but then went back without
  finishing the flow, their `otp_secret` had been changed therefore
  invalidating their previous authenticator app, making them unable to
  log in again using TOTP.

Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com>

* refactor: fix eslint errors

The PR build was failing given that linting returning some errors.
This commit attempts to fix them.

* refactor: normalize i18n translations

The build was failing given that i18n translations files were not
normalized.
This commits fixes that.

* refactor: avoid having the webauthn gem locked to a specific version

* refactor: use symbols for routes without '/'

* refactor: avoid sending webauthn disabled email when 2FA is disabled

When an admins disable 2FA for users, we were sending two mails
to them, one notifying that 2FA was disabled and the other to notify
that WebAuthn was disabled.
As the second one is redundant since the first email includes it, we can
remove it and send just one email to users.

* refactor: avoid creating new env variable for webauthn_origin config

* refactor: improve flash error messages for webauthn pages

Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com>
2020-08-24 16:46:27 +02:00
ThibG 4e292c23d6 Fix not being able to unbookmark toots when blocked by their author (#14604)
* Fix not being able to unbookmark toots when blocked by their author

* Add tests
2020-08-19 19:02:06 +02:00
ThibG 8baad22f68 Improve email address validation (#14565)
* Increase DNS timeout from 1 second to 5 seconds for MX check

1 seconds is rather short when using a recursive DNS resolver which
hasn't got a cached result already available. Use 5 seconds instead,
which is the timeout value we use for outgoing HTTP queries.

* Add more precise error messages for invalid e-mail addresses
2020-08-12 12:40:25 +02:00
ThibG 7792bab1cd Fix RSS feeds not being cachable (#14368)
* Add tests for some cachable responses

This only covers responses that we should have managed to make cachable
so far. It's not the case of all responses that should be cachable in
the end.

* Fix RSS feeds not being cachable
2020-07-22 11:44:02 +02:00
Ariel ac1a3386bd Fix/14021 behaviour on add or remove toots (#14212)
* Add toot send by current user at local state after send a new toot

Related to #14021

* Decrement toot counter at profile when remove a toot

Related to #14021

* Remove semicolon at end of line
2020-07-19 17:04:02 +02:00
ThibG c9fbf47a23 Fix being unable to unboost when blocked by their author (#14308)
Fixes #14307
2020-07-15 14:43:19 +02:00
abcang aca93fa882 Fix rubocop warning (#14288)
* Fix rubocop warning

* use limit variable

* use ContextCreatingMethods option
2020-07-14 19:05:07 +02:00
Eugen Rochko 0edde9d6c8 Fix media attachments enumeration (#14254)
* Fix media attachment enumeration

* Switch media_attachments id to snowflake ids

Co-authored-by: Thibaut Girka <thib@sitedethib.com>
2020-07-07 15:26:51 +02:00
Eugen Rochko a79c5e5e63 Fix other sessions not being logged out on password change (#14252)
While OAuth tokens were immediately revoked, accessing the home
controller immediately generated new OAuth tokens and "revived"
the session due to a combination of using remember_me tokens and
overwriting the `authenticate_user!` method
2020-07-07 15:26:31 +02:00
ThibG 3afc7977b1 Add user notes on accounts (#14148)
* Add UserNote model

* Add UI for user notes

* Put comment in relationships entity

* Add API to create user notes

* Copy user notes to new account when receiving a Move activity

* Address some of the review remarks

* Replace modal by inline edition

* Please CodeClimate

* Button design changes

* Change design again

* Cancel note edition when pressing Escape

* Fixes

* Tweak design again

* Move “Add note” item, and allow users to add notes to themselves

* Rename UserNote into AccountNote, rename “comment” Relationship attribute to “note”
2020-06-30 19:19:50 +02:00
Eugen Rochko a3ce01a102 Add customizable thumbnails for audio and video attachments (#14145)
- Change audio files to not be stripped of metadata
- Automatically extract cover art from audio if it exists
- Add `thumbnail` parameter to `POST /api/v1/media`, `POST /api/v2/media` and `PUT /api/v1/media/:id`
- Add `icon` to represent it in attachments in ActivityPub
- Fix `preview_url` containing URL of missing missing image when there is no thumbnail instead of null
- Fix duration of audio not being displayed on public pages until the file is loaded
2020-06-29 13:56:55 +02:00
fuyu ad1dfea4fa Fix not working I18n on 2FA and Sign in token page (#14087) 2020-06-20 13:30:13 +02:00
ThibG 6a3e2b0fe5 Fix functional user requirements in whitelist mode (#14093)
Fixes #14092
2020-06-19 19:18:47 +02:00
Eugen Rochko 2dbf6bc5ad Add e-mail-based sign in challenge for users with disabled 2FA (#14013) 2020-06-09 10:23:06 +02:00
Takeshi Umeda 654c13ecfb Add limit parameter to rss (#13743) 2020-06-09 00:18:47 +02:00
ThibG 8b552d6f0c Fix unpermitted operations on custom emojis leading to cryptic errors (#13951)
* Display appropriate error when performing unpermitted operation on custom emoji

Fixes #13897

* Remove links to custom emoji actions not performable by moderators
2020-06-05 15:23:27 +02:00
Eugen Rochko 9de5c70980 Fix wrong route helper in encrypted messages controller (#13952)
And add `created_at` to encrypted message serializer
2020-06-03 20:32:15 +02:00
ThibG 8d57f6c4b4 Fix account redirect confirmation message talking about moved followers (#13950)
Fixes #13949
2020-06-03 20:18:19 +02:00
Eugen Rochko b864e78db8 Add E2EE API (#13820) 2020-06-02 19:24:53 +02:00
ThibG 60bb6ac6f4 Fix webfinger returning wrong status code on malformed or missing param (#13759)
Fixes #13757
2020-05-14 23:28:06 +02:00
ThibG f48e191e8e Fix sr locale being selected over sr-Latn (#13693)
* Fix sr locale being selected over sr-Latn

* Update tests
2020-05-11 01:09:21 +02:00
Eugen Rochko fc7cad8b2d Add ability to remove identity proofs from account (#13682)
Fix #12613
2020-05-10 11:21:10 +02:00
Takeshi Umeda 861661100c Add remote only to public timeline (#13504)
* Add remote only to public timeline

* Fix code style
2020-05-10 10:36:18 +02:00
ThibG e9227d8c10 Remove confusing “You are already signed in.” flash message (#13547)
When attempting to access the log-in page while already logged in,
Devise's `require_no_authentication` kicks in and sets a flash
message “You are already signed in.”

In almost all cases, this also causes a redirect to /web, which
does not display or clear flash messages, thus leaving the message
to a potentially much later date, like for instance, accessing
/preferences several minutes after being redirected to /web.
2020-05-10 10:16:39 +02:00
ThibG 5479d33843 Fix own following/followers not showing muted users (#13614)
Fixes #13612
2020-05-08 20:36:34 +02:00
Eugen Rochko e80d4479c7 Add more ActivityPub controller tests (#13590) 2020-05-03 22:19:24 +02:00
Eugen Rochko 0ca06d0ba9 Add more tests for ActivityPub controllers (#13585) 2020-05-03 16:30:36 +02:00
sternenseemann 674005c08e Allow users to delete their header and avatar (#13234)
This is achieved by sending a DELETE request to
/settings/profile/pictures/{avatar,header} via a link that is part of
the upload form's hint of the respective picture.
2020-04-20 14:03:03 +02:00
Takeshi Umeda f5606cdab4 Add local only to hashtag timeline (#13502) 2020-04-18 21:52:39 +02:00
Eugen Rochko 2d3219549b Change delivery failure tracking to work with hostnames instead of URLs (#13437) 2020-04-15 20:33:24 +02:00
Eugen Rochko 50fa554899 Add rate limit for reporting (#13390) 2020-04-05 14:40:08 +02:00
Eugen Rochko 6932e0e2af Add ability to filter audit log in admin UI (#13381) 2020-04-03 13:06:34 +02:00
Takeshi Umeda 1c2a286244 Fix ImportsController param to permit :mode (#13347) 2020-03-31 12:43:42 +02:00
ThibG 1a993f9675 Fix 404 and 410 API errors being silently discarded in WebUI (#13279)
* Fix 404 and 410 API errors being silently discarded in WebUI

Fixes #13278

* Return more appropriate error when user replies to a deleted toot

* Please CodeClimate

* Fix 404/410 errors on fetching account timelines & identity proofs

* Refactor error handling

* Move error message string to statuses.errors
2020-03-28 17:59:45 +01:00
Eugen Rochko 9ced8b6dd5 Add option to include resolved DNS records when blacklisting e-mail domains in admin UI (#13254)
* Add shortcuts to blacklist a user's e-mail domain in admin UI

* Add option to blacklist resolved MX and IP records for e-mail domains
2020-03-12 22:35:20 +01:00
Eugen Rochko da9d81c4ac Add titles to warning presets in admin UI (#13252) 2020-03-12 17:57:59 +01:00
ThibG cd7c22da32 Add federation support for the "hide network" preference (#11673)
* Change ActivityPub follower/following collections to not link first page

* Add support for hiding followers and following of remote users

* Switch to using a single `hide_collections` column

* Address code style remarks
2020-03-09 00:10:29 +01:00
Eugen Rochko f459919552 Change local media attachments to perform heavy processing asynchronously (#13210)
Fix #9106
2020-03-08 23:56:18 +01:00
ThibG cb93be3b88 Add ability to delete files uploaded for settings in admin UI (#13192)
* Allow deleting site uploads

* Refactor and move links into hints

* Fix i18n tests

* Fix HTML output of site_upload_delete_hint
2020-03-08 16:00:24 +01:00
Eugen Rochko a4668d994b Add specific rate limits for posting and following (#13172) 2020-03-08 15:17:39 +01:00
Eugen Rochko 9619521459 Remove useless `respond_to` calls (#13208) 2020-03-06 01:29:38 +01:00
Eugen Rochko e0db9f37f5 Fix leak of arbitrary statuses through unfavourite action in REST API (#13161) 2020-02-27 12:32:54 +01:00
ThibG c004399975 Fix dismissing an announcement twice raising an obscure error (#13124) 2020-02-24 22:21:40 +01:00
ThibG 8e8d9b3727 Fix account JSON/RSS not being cacheable due to wrong mime type comparison (#13116)
`request.format` is not a symbol but a `Mime::Type`, so the condition actually
never matched, and a session was created even for those requests, preventing
caching.
2020-02-19 22:31:53 +01:00
ThibG ddd9bad7f1 Fix sign-ups without checked user agreement being accepted through the web form (#13088)
* Fix user agreement not being verified

* Fix tests

* Fix up agreement field being dismissed
2020-02-16 12:56:53 +01:00
Eugen Rochko f1317633b5 Fix unfiltered params error when generating ActivityPub tag pagination (#13049) 2020-02-08 17:29:40 +01:00
Eugen Rochko bf4fb26b9d Fix malformed HTML causing uncaught error (#13042)
Fix OEmbed preview API leaking existence of private statuses (see #12930)
2020-02-07 15:24:22 +01:00
Eugen Rochko 5c4b1db54a Change signature verification to ignore signatures with invalid host (#13033)
Instead of returning a signature verification error, pretend there
was no signature (i.e., this does not allow access to resources that
need a valid signature), so public resources can still be fetched

Fix #13011
2020-02-03 17:48:23 +01:00
ThibG 99cf92a3cf Change how unread announcements are handled (#13020)
* Change meaning of /api/v1/announcements/:id/dismiss to mark an announcement as read

* Change how unread announcements are counted in UI

* Add unread marker to announcements and mark announcements as unread as they are displayed

* Fixups
2020-02-03 01:53:09 +01:00
Eugen Rochko 9fb8165712 Add publish/unpublish controls to announcements in admin UI (#12967) 2020-01-27 11:05:33 +01:00
Eugen Rochko dd68e44cfa Add streaming API updates for announcements being modified or deleted (#12963)
Change `all_day` to be a visual client-side cue only

Publish immediately if `scheduled_at` is in the past

Add `published_at` and `updated_at` to announcements JSON
2020-01-26 20:07:26 +01:00
Eugen Rochko 669f1f5e7f Fix OEmbed leaking information about existence of non-public statuses (#12930) 2020-01-24 00:20:51 +01:00
Eugen Rochko e4aa4a1c28 Fix password change/reset not immediately invalidating other sessions (#12928)
While making browser requests in the other sessions after a password
change or reset does not allow you to be logged in and correctly
invalidates the session making the request, sessions have API tokens
associated with them, which can still be used until that session
is invalidated.

This is a security issue for accounts that were already compromised
some other way because it makes it harder to throw out the hijacker.
2020-01-24 00:20:38 +01:00
Eugen Rochko 36b1dd934d Fix relationships page not showing results in admin UI (#12934)
Follow-up to #12927
2020-01-24 00:20:23 +01:00
Eugen Rochko f95fd62bac Add announcements (#12662)
* Add announcements

Fix #11006

* Add reactions to announcements

* Add admin UI for announcements

* Add unit tests

* Fix issues

- Add `with_dismissed` param to announcements API
- Fix end date not being formatted when time range is given
- Fix announcement delete causing reactions to send streaming updates
- Fix announcements container growing too wide and mascot too small
- Fix `all_day` being settable when no time range is given
- Change text "Update" to "Announcement"

* Fix scheduler unpublishing announcements before they are due

* Fix filter params not being passed to announcements filter
2020-01-23 22:00:13 +01:00
Eugen Rochko 67172aa4f9 Change followers page to relationships page in admin UI (#12927)
Allow browsing and filtering all relationships instead of just
followers, unify the codebase with the user-facing relationship
manager, add ability to see who the user invited
2020-01-23 20:33:20 +01:00
Eugen Rochko 9ebfb23e87 Various fixes and improvements (#12878)
* Fix unused role routes being generated

* Remove unused JavaScript code

* Refactor filters code to be DRYer

* Fix `.count == 0` comparisons to `.empty?` in views

* Fix filters in views
2020-01-20 15:55:03 +01:00
Eugen Rochko 61320da638 Fix access to OEmbed endpoint in secure mode (#12864) 2020-01-14 08:52:32 +01:00
Eugen Rochko 413cb7e861 Fix base64-encoded file uploads not being possible (#12748)
Fix #3804, Fix #5776
2020-01-04 01:54:07 +01:00
Eugen Rochko e066de9a3c Fix missing authentication call in filters controller (#12746) 2020-01-03 05:29:08 +01:00
Eugen Rochko 91422d35ed Fix uncaught unknown format errors in host meta controller (#12747) 2020-01-03 05:28:56 +01:00
ThibG f0cca7a79f Hide blocked users from more places (#12733)
* Hide blocked, muted, and blocked-by users from toot favourite lists

* Hide blocked, muted, and blocked-by users from toot reblog lists

* Hide blocked, muted, and blocked-by users from followers/following (API)

* Fix tests

* Hide blocked, muted, and blocked-by users from followers/following on public pages
2019-12-31 00:55:32 +01:00
Eugen Rochko c3ef5d7628 Fix error when fetching followers/following from REST API when user has network hidden (#12716)
Fix #12510
2019-12-31 00:54:38 +01:00
ThibG 6b20921c88 Remove unused AccountRelationshipsPresenter call in public pages (#12734)
Those were used to show a “follow” or “unfollow” button on account grid on
public pages, but that got removed a while ago.
2019-12-30 19:13:02 +01:00
Eugen Rochko 49b6881379 Fix settings pages being cacheable by the browser (#12714)
Fix #12255
2019-12-30 04:38:30 +01:00
Eugen Rochko 7cca47919f Fix HTML error pages being returned when JSON is expected (#12713)
Fix #12509
See also #12214
2019-12-30 04:38:18 +01:00
Eugen Rochko af95252d4c Fix missing error templates for non-HTML requests (#12593) 2019-12-10 07:39:54 +01:00
Eugen Rochko 2eda06b768 Fix generic HTTP 500 error on duplicate records (#12563)
Fix #12551
Fix #12547
2019-12-06 22:40:06 +01:00
ThibG 60d26cabf0 Add follow_request notification type (#12198)
* Add follow_request notification type

The notification type already existed in the backend but was never pushed
to the front-end. This also means translation strings were also available
for the backend, from the notification mailer.

Unlike other notification types, these are off by default, to match what
I remember of Gargron's view on the topic: that follow requests should not
clutter notifications and should instead be reviewed at the user's own
leisure in the dedicated column.

Since follow requests have their own column, I've deemed it unnecessary to
add a specific tab for them in the notification quick filter.

* Show follow request link in single-column if there are pending requests, even if account isn't locked

* Push follow requests from notifications to the follow_requests list

* Offer to accept or reject follow request from the notification

* Redesign follow request notification
2019-12-01 17:25:29 +01:00
ThibG 4b0a6d79dd Add ability to filter reports by target account domain (#12154)
* Add ability to filter reports by target account domain

* Reword by_target_domain label
2019-11-30 19:53:58 +01:00
Eugen Rochko 5761622a1e Fix proofs API being inaccessible in secure mode (#12495) 2019-11-28 04:07:49 +01:00
Gomasy d13e680f74 Support min_id-based pagination for bookmarks (#12381)
* Support min_id-based pagination for bookmarks

* Fix spec
2019-11-17 17:09:41 +01:00
Jennifer Glauche 0aae35e310 make it not return http 400 when passing and empty source argument (#12259)
* make it not return http 400 when passing and empty source argument

* create a spec for the empty source hash bug

* compact checks for nil, empty? parameters

* use nil.blank? instead checking for nil
2019-11-16 19:02:09 +01:00
ThibG 517c1cd062 Add bookmarks (#7107)
* Add backend support for bookmarks

Bookmarks behave like favourites, except they aren't shared with other
users and do not have an associated counter.

* Add spec for bookmark endpoints

* Add front-end support for bookmarks

* Introduce OAuth scopes for bookmarks

* Add bookmarks to archive takeout

* Fix migration

* Coding style fixes

* Fix rebase issue

* Update bookmarked_statuses to latest UI changes

* Update bookmark actions to properly reflect status changes in state

* Add bookmarks item to single-column layout

* Make active bookmarks red
2019-11-13 23:02:10 +01:00
Yamagishi Kazutoshi 2ede35e843 Change to always returns html document in error pages (#12214) 2019-11-13 22:53:05 +01:00
Faye Duxovni 6bca6dbc2d Add setting for whether to crop images in unexpanded toots (#12126) 2019-10-24 22:51:41 +02:00
ThibG 795144fbbb Fix incoming federation in whitelist mode (#12185)
… posting to the AP inbox required a logged-in local user…
2019-10-24 22:45:35 +02:00
Eugen Rochko 2e07a901c5 Fix attachment not being re-downloaded even if file is not stored (#12125)
Change the behaviour of remotable concern. Previously, it would skip
downloading an attachment if the stored remote URL is identical to
the new one. Now it would not be skipped if the attachment is not
actually currently stored by Paperclip.
2019-10-09 07:10:46 +02:00
Eugen Rochko 6b96a6dd15 Fix `GET /api/v1/instance` REST APIs being unavailable in secure mode (#12089) 2019-10-06 22:11:29 +02:00
Eugen Rochko c453888616 Fix performance of home feed regeneration (#12084)
Fetching statuses from all followed accounts at once takes too long
within Postgres. Fetching them one by one and merging in Ruby
could be a lot less resource-intensive

Because the query for dynamically fetching the home timeline is so
heavy, we can no longer offer it when the home timeline is missing
2019-10-06 22:11:17 +02:00
Eugen Rochko 059287ad08 Add `reason` param to `POST /api/v1/accounts` REST API (#12064)
For approval-required registrations mode
2019-10-03 17:50:59 +02:00
ThibG be13fc919c Fix RSS caching (but disable localization) (#12054) 2019-10-02 18:30:33 +02:00
Eugen Rochko 28c19c66ba Fix featured hashtag URL being interpreted as media or with_replies (#12048)
Fix #12034
2019-10-02 04:53:17 +02:00
Eugen Rochko 51a72a802f Add a nodeinfo endpoint (#12002)
* Add nodeinfo endpoint

* dont commit stuff from my local dev

* consistant naming since we implimented 2.1 schema

* Add some additional node info stuff

* Add nodeinfo endpoint

* dont commit stuff from my local dev

* consistant naming since we implimented 2.1 schema

* expanding this to include federation info

* codeclimate feedback

* CC feedback

* using activeserializers seems like a good idea...

* get rid of draft 2.1 version

* Reimplement 2.1, also fix metaData -> metadata

* Fix metaData -> metadata here too

* Fix nodeinfo 2.1 tests

* Implement cache for monthly user aggregate

* Useless

* Remove ostatus from the list of supported protocols

* Fix nodeinfo's open_registration reading obsolete setting variable

* Only serialize domain blocks with user-facing limitations

* Do not needlessly list noop severity in nodeinfo

* Only serialize domain blocks info in nodeinfo when they are set to be displayed to everyone

* Enable caching for nodeinfo endpoints

* Fix rendering nodeinfo

* CodeClimate fixes

* Please CodeClimate

* Change InstancePresenter#active_user_count_months for clarity

* Refactor NodeInfoSerializer#metadata

* Remove nodeinfo 2.1 support as the schema doesn't exist

* Clean-up
2019-09-29 21:31:51 +02:00
Eugen Rochko ae03161ad9 Fix account migration not affecting followers on origin server (#11980) 2019-09-29 16:23:13 +02:00
Eugen Rochko f5c71a6cd2 Add (back) option to set redirect notice on account without moving followers (#11994)
Fix #11913
2019-09-29 05:03:19 +02:00
Eugen Rochko 561b0509c3 Fix redirecting non-functional accounts on public pages (#11978)
Fix #11969
2019-09-28 01:33:27 +02:00
Eugen Rochko 66d3e13777 Add `exclude_unreviewed` param to `GET /api/v2/search` REST API (#11977)
Make it so normal search returns even unreviewed matches, but
autosuggestions do not.

Fix #11960
2019-09-28 01:02:21 +02:00
ThibG 70990720c5 Change silences to always require approval on follow (#11975)
* Change silenced accounts to require approval on follow

* Also require approval for follows by people explicitly muted by target accounts

* Do not auto-accept silenced or muted accounts when switching from locked to unlocked

* Add `follow_requests_count` to verify_credentials

* Show “Follow requests” menu item if needed even if account is locked

* Add tests

* Correctly reflect that follow requests weren't auto-accepted when local account is silenced

* Accept follow requests from user-muted accounts to avoid leaking mutes
2019-09-27 21:13:51 +02:00
abcang 4c0da93bc7 Improve status pin query (#11972) 2019-09-27 15:23:30 +02:00
Eugen Rochko 67796a267d Fix relays UI being available in whitelist/secure mode (#11963)
Fix relays UI referencing relay that is not functional
2019-09-27 02:13:34 +02:00
Eugen Rochko 3773115066 Fix authentication before 2FA challenge (#11943)
Regression from #11831
2019-09-24 04:35:36 +02:00
Takeshi Umeda 45fe523a18 Addition of update activity distribution by alias, minor correction (#11905)
* Addition of update activity distribution by alias, minor correction

* Distribute Update activity after adding alias
* Add uniqueness verification to alias uri
* accept acct starting with @

* fix double-quoted to single-quoted
2019-09-21 09:11:21 +02:00
Takeshi Umeda 74e4abcebc Fixed an error in the aliases template of the aliases controller (#11902) 2019-09-21 02:59:37 +02:00
Eugen Rochko a2d3728c36 Add account migration UI (#11846)
Fix #10736

- Change data export to be available for non-functional accounts
- Change non-functional accounts to include redirecting accounts
2019-09-19 20:58:19 +02:00
Eugen Rochko 61442032a2 Add table of contents to about page (#11885)
Move public domain blocks information to about page
2019-09-19 11:09:05 +02:00
Eugen Rochko 1781358bd9 Add password challenge to 2FA settings, e-mail notifications (#11878)
Fix #3961
2019-09-18 16:37:27 +02:00
Eugen Rochko 8904a4eb36 Fix TOTP codes not being filtered from logs during enabling/disabling (#11877)
Not a serious issue because they are meaningless past single use
2019-09-18 02:48:40 +02:00
Eugen Rochko ae443cb6ea Fix webfinger response not returning 410 when account is suspended (#11869) 2019-09-17 14:58:02 +02:00
mayaeh 566e85716f Add search and sort functions to hashtag admin UI (#11829)
* Add search and sort functions to hashtag admin UI

* Move scope processing from tags_controller to tag_filter

* Fix based on method naming conventions

* Fixed not to get 500 errors for invalid requests
2019-09-16 14:27:29 +02:00
Eugen Rochko 8eb0d880cb Fix 2FA challenge and password challenge for non-database users (#11831)
* Fix 2FA challenge not appearing for non-database users

Fix #11685

* Fix account deletion not working when using external login

Fix #11691
2019-09-15 21:08:39 +02:00
Eugen Rochko 8824964836 Remove deprecated `GET /api/v1/search` API (#11823)
Use `GET /api/v2/search` instead
2019-09-13 16:11:13 +02:00
ThibG 7d2fceae9b Change /api/v1/timelines/public to require auth when public preview is off (#11802)
Fixes #11289
2019-09-13 16:03:46 +02:00
Eugen Rochko ec20fd2112 Change unlisted custom emoji to not appear in autosuggestions (#11818)
Fix #11669
2019-09-13 16:01:09 +02:00
Eugen Rochko 605a4e654a Fix uncaught errors in media proxy controller (#11811) 2019-09-12 01:51:12 +02:00
Eugen Rochko 4291b74031 Change deletes to preserve soft-deleted statuses in unresolved reports (#11805)
Change all account actions except "none" to resolve all unresolved reports

Refactor `SuspendAccountService` to be more readable
2019-09-11 16:32:44 +02:00
ThibG 875d2e2b59 Add updated relationship to follow request API responses (#11800)
Fixes #11747
2019-09-10 20:56:42 +02:00
Eugen Rochko 25fb124ee6 Add batch actions and categories to admin UI for custom emojis (#11793) 2019-09-09 22:44:17 +02:00
Eugen Rochko 7799c7c75f Add batch approve/reject for pending hashtags in admin UI (#11791) 2019-09-09 12:50:09 +02:00
Takeshi Umeda 50c2f0dcc1 Add featured tags API (#11778)
* Add featured tags API

* Remove show and update, change scope, fix code style
2019-09-09 10:50:33 +02:00
Yamagishi Kazutoshi 7544167f3c Add healthcheck endpoint for web (#11770) 2019-09-07 02:47:51 +02:00
Eugen Rochko 89989b6255 Add timeline read markers API (#11762)
Fix #4093
2019-09-06 13:55:51 +02:00
Eugen Rochko 09fe562dd6 Fix wrong variable regression from #11753 (#11763) 2019-09-05 06:13:50 +02:00
Eugen Rochko 7ef93513f7 Change account deletion page to have better explanations (#11753)
Fix deletion of unconfirmed account not freeing up the username

Add prefill of logged-in user's email in the reconfirmation form
2019-09-04 04:13:54 +02:00
Eugen Rochko 436266ca27 Change trending hashtags to not disappear instantly after midnight (#11712) 2019-09-02 18:11:13 +02:00
Eugen Rochko 76bdc01aee Fix wrong percentages in admin UI for hashtag usage breakdown (#11714) 2019-09-01 19:44:05 +02:00
Eugen Rochko b47119eb61 Change layout of public profile directory to be the same as in web UI (#11705) 2019-08-30 07:41:16 +02:00
Eugen Rochko 73d8f314a9 Fix error in REST API for an account's statuses (#11700) 2019-08-30 02:49:44 +02:00
Eugen Rochko a2a65f43b2 Fix uncaught error when resource param is missing in Webfinger request (#11701) 2019-08-30 02:49:33 +02:00
Eugen Rochko ee9d0c0f38 Fix uncaught domain normalization error in remote follow (#11703) 2019-08-30 02:19:17 +02:00
Eugen Rochko f21e27e914 Fix uncaught parameter missing exceptions and missing error templates (#11702) 2019-08-30 01:34:47 +02:00
Eugen Rochko 79922ae20f Add profile directory to web UI (#11688)
* Add profile directory to web UI

* Add a line of bio to the directory
2019-08-30 00:14:36 +02:00
Eugen Rochko 9959cdc79f Add option to include reported statuses in warning e-mail (#11639) 2019-08-23 22:37:23 +02:00
Eugen Rochko 32c781ec6b Add soft delete for statuses for instant deletes through API (#11623)
* Add soft delete for statuses to allow them to appear instant

* Allow reporting soft-deleted statuses and show them in the admin UI

* Change index for getting an account's statuses
2019-08-22 21:55:56 +02:00
Eugen Rochko e4605bbb4a Fix remote and staff-removed statuses leaving media behind for a day (#11638)
The reason for unattaching media instead of removing it is to support
delete & redraft functionality, but remote or staff-removed statuses
will never be redrafted, so the media should be deleted immediately
2019-08-22 04:17:12 +02:00
ThibG f17b0ff712 Add invite comments (#10465) 2019-08-19 11:40:42 +02:00
ThibG 867b9f3e9c Add public blocks to /about/blocks (#11298)
* Add automatic blocklist display in /about/blocks

Inspired by https://github.com/Gargron/mastodon.social-misc

* Add admin option to set who can see instance blocks

* Normalize locales files

* Rename “Sandbox” to “Silence” for consistency

* Disable /about/blocks when in whitelist mode

* Optionally display rationale for domain blocks

* Only display domain blocks that have user-facing limitations, and order them

* Redesign table of blocked domains to better handle long domain names and rationales

* Change domain blocks ordering now that rationales aren't displayed right away

* Only show explanation for block severities actually in use

* Reword instance block explanations and add disclaimer for public fetch mode
2019-08-19 11:35:48 +02:00
Takeshi Umeda 363c6e8f52 Add an RSS feed tagged to a public profile page (#10502)
* Add featured tag support to rss feed on public account page

* fix codeing style
2019-08-18 20:54:36 +02:00
Eugen Rochko dde2c17e12 Fix uncaught 422 and 500 errors (#11590) 2019-08-18 18:04:18 +02:00
Eugen Rochko dc20e1af71 Add HTTP signature keyId to request log (#11591) 2019-08-18 18:03:56 +02:00
Eugen Rochko 8e76c759c1 Add explanation to featured hashtags page and profile (#11586) 2019-08-17 18:07:52 +02:00
ThibG 404b64f5ca Fix multiple issues with replies collection for pages further than self-replies (#11582)
* Fix the replies collection returning snowflakes ids rather than URIs

Fixes #11568

* Fix min_id in replies queries once self-replies are exhausted

* Fix `next` attribute of replies collection being nil when there are no self-replies

* Rename other_accounts param to only_other_accounts
2019-08-16 22:58:51 +02:00
Eugen Rochko a8d983934e Fix blurhash and autoplay not working on public pages (#11585) 2019-08-16 19:15:05 +02:00
Eugen Rochko 88ef061da1 Fix 422 being returned instead of 404 when POSTing (#11574) 2019-08-16 02:08:35 +02:00
ThibG cfc3fc6bcd Fix reverse-proxy caching of instance actor object (#11561) 2019-08-13 15:30:37 +02:00
ThibG 93e6461e66 Fix more ActivityPub queries setting cookies and preventing caching (#11557) 2019-08-12 22:26:07 +02:00
ThibG bfa0b76a6c Fix ActivityPub and REST API queries setting cookies and preventing caching (#11539)
Regression from #8657
2019-08-11 22:59:40 +02:00
Eugen Rochko 24a5f99d10 Fix pinned statuses API returning pagination headers (#11526)
Fix #10227
2019-08-08 23:04:04 +02:00
Eugen Rochko 85466a2b9d Fix weekly usage not being displayed correctly in hashtag admin UI (#11524)
Fix percentages in usage breakdown having too many digits

Change trending hashtags to only ask for review if a hashtag enters
the top 3 position in the set, since it's the only items shown in
the default web UI
2019-08-08 23:03:28 +02:00
Eugen Rochko 10b486f627 Fix acct URIs with IDN domains not being resolved (#11520)
Fix #11494
2019-08-07 21:14:08 +02:00
Eugen Rochko cc1e24ddc7 Add breakdown of usage by source to admin UI for hashtags (#11517)
Allows determining where the majority of posts in a hashtag come
from on a given day at a glance.
2019-08-07 20:20:39 +02:00
ThibG 072e696aa1 Add domain block notes (#11515)
* Add database columns for adding notes to domain blocks/restrctions

* Add admin UI to set private and public comments when blocking a domain

* Add text for private and public comments on domain blocks

* Show domain block comments in admin UI

* Add comments to the domain block undo page

* Make UnblockDomainService more robust regarding upgraded domain blocks

* Allow editing domain blocks

* Rename button from “undo domain block” to “view domain block” in account admin UI

* Change test to unsilence silenced users from upgraded blocks
2019-08-07 20:20:23 +02:00
Eugen Rochko 25f549557b Fix trending tags returning less items than requested sometimes (#11513)
Add better sorting defaults to the hashtags admin UI

Add "not reviewed" filter to hashtags admin UI
2019-08-07 17:08:30 +02:00
Eugen Rochko bfb43d7104 Add number of pending accounts and pending hashtags to admin dashboard (#11514) 2019-08-07 16:13:34 +02:00
Eugen Rochko fd352ec288 Fix account tags not being saved correctly (#11507)
* Fix account tags not being saved correctly

Regression from b838607

Fix Tag#discoverable not returning tags where listable is nil instead of true

Add notice when saving hashtags in admin UI

Change public hashtag and directory pages to return 404 for forbidden tags

* Remove unused locale string
2019-08-07 10:01:55 +02:00
Eugen Rochko 6362ac6617 Fix admin dashboard missing latest features (#11505)
Fix redis-namespace deprecation warning about administrative commands
2019-08-06 19:40:06 +02:00
Eugen Rochko 191392e5c3 Add trends UI with admin and user settings (#11502) 2019-08-06 17:57:52 +02:00
Eugen Rochko 05e9cd13eb Change admin UI for hashtags and add back whitelisted trends (#11490)
Fix #271

Add back the `GET /api/v1/trends` API with the caveat that it does
not return tags that have not been allowed to trend by the staff.

When a hashtag begins to trend (internally) and that hashtag has
not been previously reviewed by the staff, the staff is notified.

The new admin UI for hashtags allows filtering hashtags by where
they are used (e.g. in the profile directory), whether they have
been reviewed or are pending reviewal, they show by how many people
the hashtag is used in the directory, how many people used it
today, how many statuses with it have been created today, and it
allows fixing the name of the hashtag to make it more readable.

The disallowed hashtags feature has been reworked. It is now
controlled from the admin UI for hashtags instead of from
the file `config/settings.yml`
2019-08-05 19:54:29 +02:00
Eugen Rochko 0ed96e9aee Remove XML version of Webfinger and remove links to Atom feeds (#11460)
Fix #11453
2019-08-01 19:14:02 +02:00
Eugen Rochko 825dc3ca22 Add whitelist mode (#11291) 2019-07-30 11:10:46 +02:00
ThibG 52cda33b82 Fix invites not being disabled upon account suspension (#11412)
* Disable invite links from disabled/suspended users

* Add has_many invites relationship to users

* Destroy unused invites when suspending an account
2019-07-26 18:55:33 +02:00
dependabot-preview[bot] 884e20c028 Bump active_model_serializers from 0.10.9 to 0.10.10 (#11311)
* Bump active_model_serializers from 0.10.9 to 0.10.10

Bumps [active_model_serializers](https://github.com/rails-api/active_model_serializers) from 0.10.9 to 0.10.10.
- [Release notes](https://github.com/rails-api/active_model_serializers/releases)
- [Changelog](https://github.com/rails-api/active_model_serializers/blob/v0.10.10/CHANGELOG.md)
- [Commits](https://github.com/rails-api/active_model_serializers/compare/v0.10.9...v0.10.10)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Add root option to render method
2019-07-23 11:10:42 +02:00
Eugen Rochko 6be7b414e2 Change unconfirmed user login behaviour (#11375)
Allow access to account settings, 2FA, authorized applications, and
account deletions to unconfirmed and pending users, as well as
users who had their accounts disabled. Suspended users cannot update
their e-mail or password or delete their account.

Display account status on account settings page, for example, when
an account is frozen, limited, unconfirmed or pending review.

After sign up, login users straight away and show a simple page that
tells them the status of their account with links to account settings
and logout, to reduce onboarding friction and allow users to correct
wrongly typed e-mail addresses.

Move the final sign-up step of SSO integrations to be the same
as above to reduce code duplication.
2019-07-22 10:48:50 +02:00
Eugen Rochko 79b9eee938 Add (back) rails-level JSON caching (#11333) 2019-07-21 22:32:16 +02:00
Eugen Rochko 2b4fa0d6fa Change locale detection to run once per session (#8657)
Fix #6462
2019-07-21 18:08:02 +02:00
ThibG 47dfcc601b Fix some flash notices/alerts staying on unrelated pages (#11364) 2019-07-19 23:13:21 +02:00
ThibG c2126e3f98 Add ActivityPub actor representing the entire server (#11321)
* Add support for an instance actor

* Skip username validation for local Application accounts

* Add migration script to create instance actor

* Make Codeclimate happy

* Switch to id -99 for instance actor

* Remove unused `icon` and `image` attributes from instance actor

* Use if/elsif/else instead of return + ternary operator

* Add instance actor to fresh installs

* Use instance actor as instance representative

Use instance actor for forwarding reports, relay operations, and spam
auto-reporting.

* Seed database in test environment

* Fix single-user mode

* Fix tests

* Fix specs to accomodate for an extra `Account`

* Auto-reject follows on instance actor

Following an instance actor might make sense, but we are not handling that
right now, so auto-reject.

* Fix webfinger lookup and serialization for instance actor

* Rename instance actor

* Make it clear in the HTML view that the instance actor should not be blocked

* Raise cache time for instance actor as there's no dynamic content

* Re-use /about/more with a flash message for instance actor profile
2019-07-19 01:44:42 +02:00
ThibG 9015b19e09 Add setting to disable the anti-spam (#11296)
* Add environment variable to disable the anti-spam

* Move antispam setting to admin settings

* Fix typo

* antispam → spam_check
2019-07-17 21:09:15 +02:00
Eugen Rochko 50caff4dc0 Change terms and privacy policy pages to always be accessible (#11334)
Fix #11328
2019-07-17 19:29:37 +02:00
ThibG 978792a112 Fix custom CSS controller (#11336) 2019-07-17 17:14:25 +02:00
ThibG a4b1083795 Fix caching headers in ActivityPub endpoints (#11331)
* Fix reverse-proxy caching in public fetch mode

* Fix caching in ActivityPub-specific controllers
2019-07-17 00:00:39 +02:00
Eugen Rochko 9dead08055 Add option to disable real-time updates in web UI (#9984)
Fix #9031
Fix #7913
2019-07-16 06:30:47 +02:00
Eugen Rochko 39719ae981 Add ActivityPub secure mode (#11269)
* Add HTTP signature requirement for served ActivityPub resources

* Change `SECURE_MODE` to `AUTHORIZED_FETCH`

* Add 'Signature' to 'Vary' header and improve code style

* Improve code style by adding `public_fetch_mode?` method
2019-07-11 20:11:09 +02:00
Eugen Rochko d0b0b63b1a Refactor domain block checks (#11268) 2019-07-09 03:27:35 +02:00
Eugen Rochko e17c937f65 Remove unused remote unfollow controller (#11250) 2019-07-08 12:04:06 +02:00
Eugen Rochko 56f0203c66 Refactor controllers for statuses, accounts, and more (#11249) 2019-07-08 12:03:45 +02:00
Eugen Rochko fbbcbd940d Remove Atom feeds and old URLs in the form of `GET /:username/updates/:id` (#11247) 2019-07-07 16:16:51 +02:00
Eugen Rochko 4931208dd8 Remove Salmon and PubSubHubbub (#11205)
* Remove Salmon and PubSubHubbub endpoints

* Add error when trying to follow OStatus accounts

* Fix new accounts not being created in ResolveAccountService
2019-07-06 23:26:16 +02:00
Eugen Rochko d9f42ba34b Remove deprecated REST API `GET /api/v1/statuses/:id/card` (#11213) 2019-07-05 02:15:24 +02:00
Eugen Rochko 6cae1b40bf Remove deprecated REST API `GET /api/v1/timelines/direct` (#11212) 2019-07-05 02:14:56 +02:00
Eugen Rochko 1c612f24e4 Add categories for custom emojis (#11196)
Fix #7940
2019-06-28 15:54:10 +02:00
ThibG 4b3d91dc2c Add option to disable blurhash previews (#11188)
* Add option to disable blurhash previews

* Update option text

* Change options order
2019-06-26 19:33:04 +02:00
Eugen Rochko 8ed78f0b85 Fix unnecessary SQL query performed on unauthenticated requests (#11179) 2019-06-25 20:18:15 +02:00
Eugen Rochko eac19f2300 Change domain blocks to automatically support subdomains (#11138)
* Change domain blocks to automatically support subdomains

If a more authoritative domain is blocked (example.com), then the
same block will be applied to a subdomain (foo.example.com)

* Match subdomains of existing accounts when blocking/unblocking domains

* Improve code style
2019-06-22 00:13:10 +02:00
Eugen Rochko 433036ab8c Add moderation API (#9387)
Fix #8580
Fix #7143
2019-06-20 02:52:34 +02:00
Acid Chicken (硫酸鶏) f2f6c5d462 Fix layout of identity proofs settings (#11126) 2019-06-20 02:18:06 +02:00
Eugen Rochko d7e2f554fb Add audio uploads (#11123)
* Add audio uploads

Fix #4827

Accept uploads of OGG, WAV, FLAC, OPUS and MP3 files, and converts
them to OGG. Media attachments get a new `audio` type. In the UI,
audio uploads are displayed identically to video uploads.

* Improve code style
2019-06-19 23:42:38 +02:00
Eugen Rochko 75ef673216 Fix login sometimes redirecting to paths that are not pages (#11019)
Fix #11016
2019-06-10 12:28:13 +02:00
Eugen Rochko b788e58ea4 Change /settings/preferences to redirect to appearance, add /settings/preferences/other (#10988) 2019-06-07 16:51:08 +02:00
Eugen Rochko 8bf8d6d9d9 Change preferences page into appearance, notifications, and other (#10977) 2019-06-07 03:39:24 +02:00
Eugen Rochko 87f5646ec3 Add waiting time to list of pending accounts in admin UI (#10985) 2019-06-07 03:24:10 +02:00
ThibG 806c2f8102 Cleanup various controllers (#10972)
* Remove skip_session! as it is not supported in Rails 5

* Minor cleanup in StreamEntriesController

* Remove redundant mark_cacheable! calls
2019-06-05 14:02:59 +02:00
ThibG e80cb67ed7 Fix potential private status leak (#10969) 2019-06-05 13:40:20 +02:00
Eugen Rochko f3a02e70a8 Fix poll API not requiring authentication on non-public polls (#10960)
* Fix poll API not requiring authentication on non-public polls

That API does not reveal the content of the status, i.e. the question
itself, nor who the author is, nor which status it belongs to, but it
does reveal the poll options and how many answers they got

Fix #10959

* Add test
2019-06-04 20:10:26 +02:00
ThibG 31b8203887 Fix web push notifications for polls (#10864)
Fixes #10861
2019-05-28 00:26:08 +02:00
Eugen Rochko a1bceb2cb6 Add responsive panels to the single-column layout (#10820)
* Add responsive panels to the single-column layout

* Fixes

* Fix not being able to save the preference

* Fix code style issues

* Set max-height on the compose textarea and add a link to relationship manager
2019-05-25 21:27:00 +02:00
ThibG f5637b174f Move signature verification stoplight to the requests themselves (#10813)
* Move signature verification stoplight to the requests themselves

This avoids blocking messages from known keys for 5 minutes when only one fails…

* Put the stoplight on the actual client IP, not a potential reverse proxy
2019-05-23 15:22:39 +02:00
Paul Woolcock 626844dfb1 Add `account_id` param to `GET /api/v1/notifications` (#10796)
* Add `from_account` to notifications API

this adds the ability to filter notifications by the account they
originated from

* passing a non-existent user should cause none to be returned

* Fix codeclimate warnings

* fix more codeclimate warnings

* make requested changes:

* use account id instead of user@domain
* name the param `account_id` instead of `from_account`

* Don't use `return` in a lambda
2019-05-21 13:28:49 +02:00
ThibG f1a3135809 Record account suspend/silence time and keep track of domain blocks (#10660)
* Record account suspend/silence time and keep track of domain blocks

* Also unblock users who were suspended/silenced before dates were recorded

* Add tests

* Keep track of suspending date for users suspended through the CLI

* Show accurate number of accounts that would be affected by unsuspending an instance

* Change migration to set silenced_at and suspended_at

* Revert "Also unblock users who were suspended/silenced before dates were recorded"

This reverts commit a015c65d2d1e28c7b7cfab8b3f8cd5fb48b8b71c.

* Switch from using suspended and silenced to suspended_at and silenced_at

* Add post-deployment migration script to remove `suspended` and `silenced` columns

* Use Account#silence! and Account#suspend! instead of updating the underlying property

* Add silenced_at and suspended_at migration to post-migration

* Change account fabricator to translate suspended and silenced attributes

* Minor fixes

* Make unblocking domains always retroactive
2019-05-14 19:05:02 +02:00
ThibG 2a917031c9 Add toot source to delete result to ease Delete & Redraft (#10669)
* Return Status with raw text in raw_content when deleting a status

* Use raw content if available on delete & redraft

* Rename raw_content to text; do not serialize formatted content when source is requested
2019-05-11 06:46:43 +02:00
ThibG 4870d7f122 Add some caching for HTML versions of statuses pages (#10701) 2019-05-09 22:03:44 +02:00
ThibG 4c4f9d78fd Explicitly disable storage of REST API results (#10655)
Fixes #10652
2019-05-03 20:39:19 +02:00
ThibG 8c716f917f Provide a link to existing domain block when trying to block an already-blocked domain (#10663)
* When trying to block an already-blocked domain, provide a link to the block

* Fix styling for links in flash messages

* Allow blocks to be upgraded but not downgraded
2019-05-03 20:36:36 +02:00
ThibG af3971a0e6 Check that an invite link is valid before bypassing approval mode (#10657)
* Check that an invite link is valid before bypassing approval mode

Fixes #10656

* Add tests

* Only consider valid invite links in registration controller

* fixup
2019-05-02 04:30:12 +02:00
Eugen Rochko 2ba12c8917 Fix not being able to save e-mail preference for new pending accounts (#10622) 2019-04-25 02:49:06 +02:00
Alex Gessner da3d516fcf compare usernames case-insensitively on new proof creation flow (#10544)
* compare usernames case-insensitively on new proof creation flow

* Fix code style issue
2019-04-10 18:05:11 +02:00
Eugen Rochko 6d5b05e3d5 Add invite request to pending account notification e-mail (#10528)
Fix sorting of the pending accounts page
2019-04-10 00:36:01 +02:00
Eugen Rochko 13c1b5bac8 Add preference to disable e-mails about new pending accounts (#10529) 2019-04-10 00:35:49 +02:00
Eugen Rochko 7eb05b8724 Add "why do you want to join" field to invite requests (#10524)
* Add "why do you want to join" field to invite requests

Fix #10512

* Remove unused translations

* Fix broken registrations when no invite request text is submitted
2019-04-09 23:06:30 +09:00
Eugen Rochko 55f25ceda3 Fix permission denied bug on approve all/reject all pending accounts (#10519) 2019-04-09 07:19:52 +02:00
ThibG a604f766e0 Fix batch actions not working on pending accounts (#10508) 2019-04-08 18:35:41 +02:00
Eugen Rochko c84c30c542 Improve blocked view of profiles (#10491)
* Revert "Fix filtering of favourited_by, reblogged_by, followers and following (#10447)"

This reverts commit 0317f37c6f.

* Revert "Hide blocking accounts from blocked users (#10442)"

This reverts commit 4cd944d364.

* Improve blocked view of profiles

- Change "You are blocked" to "Profile unavailable"
- Hide following/followers in API when blocked
- Disable follow button and show "Profile unavailable" on public profile as well
2019-04-07 04:59:13 +02:00
Eugen Rochko c34a7f5bd2 Add batch actions for approving and rejecting pending accounts (#10469) 2019-04-06 17:53:45 +02:00
Eugen Rochko d48f53cf1a Fix admin validation being too strict about usernames (#10449)
* Fix admin validation being too strict about usernames

Fix #10446

* Strip Setting.site_contact_username consistently throughout the codebase
2019-04-06 17:53:17 +02:00
ThibG 4fa0b331ae Cache featured collections, as well as outbox, followers and following (#10467) 2019-04-04 01:30:44 +02:00
ThibG 4cd944d364 Hide blocking accounts from blocked users (#10442)
* Revert "Add indication that you have been blocked in web UI (#10420)"

This reverts commit d31affe69b.

* Revert "Add `blocked_by` relationship to the REST API (#10373)"

This reverts commit a8bb10633d.

* Hide blocking accounts from search results

* Filter blocking accouts from account followers

* Filter blocking accouts from account's following accounts

* Filter blocking accounts from “reblogged by” and “favourited by” lists

* Remove blocking account from URL search

* Return 410 on trying to fetch user data from a user who blocked us

* Return 410 in /api/v1/account/statuses for suspended or blocking accounts

* Fix status filtering when performing URL search

* Restore some React improvements

Restore some cleanup from d31affe69b

* Refactor by adding `without_blocking` scope
2019-04-01 20:06:13 +02:00
ThibG 65930be714 Ensure request.body isn't emptied out before signature verification (#10432)
Fixes #10429
2019-03-31 17:27:24 +02:00
Alex Gessner be7c92061c squashed identity proof updates (#10375) 2019-03-28 18:01:09 +01:00
Eugen Rochko 7aeb50cc89 Add order options to relationship manager UI (#10404) 2019-03-28 02:16:01 +01:00
Eugen Rochko 88a85f2574 Change icons of features on admin dashboard to remove bias (#10366)
Red crosses implied that it was bad/unexpected that certain features
were not enabled. In reality, they are options, so showing a green
or grey power-off icon is more appropriate.

Add status of timeline preview as well

Fix sample accounts changing too frequently due to wrong query

Sample accounts are intended to be sorted by popularity
2019-03-26 01:24:19 +01:00
Eugen Rochko c21bdc81d3 Add validations to admin settings (#10348)
* Add validations to admin settings

- Validate correct HTML markup
- Validate presence of contact username & e-mail
- Validate that all usernames are valid
- Validate that enums have expected values

* Fix code style issue

* Fix tests
2019-03-23 14:07:04 +01:00
ThibG c967088621 Mark the 410 gone response for suspended accounts as cachable (#10339)
This will help a great deal with #9377 when a caching reverse proxy is
configured.
2019-03-21 23:33:18 +01:00
ThibG 11c3ceb56e Do not try fetching keys of unknown accounts on a Delete from them (#10326) 2019-03-20 17:20:16 +01:00
ThibG e9fc1e8ccb Do not distribute Delete when rejecting unapproved accounts (#10321) 2019-03-19 16:33:30 +01:00
Eugen Rochko a3c41f3532 Add Keybase integration (#10297)
* create account_identity_proofs table

* add endpoint for keybase to check local proofs

* add async task to update validity and liveness of proofs from keybase

* first pass keybase proof CRUD

* second pass keybase proof creation

* clean up proof list and add badges

* add avatar url to keybase api

* Always highlight the “Identity Proofs” navigation item when interacting with proofs.

* Update translations.

* Add profile URL.

* Reorder proofs.

* Add proofs to bio.

* Update settings/identity_proofs front-end.

* Use `link_to`.

* Only encode query params if they exist.

URLs without params had a trailing `?`.

* Only show live proofs.

* change valid to active in proof list and update liveness before displaying

* minor fixes

* add keybase config at well-known path

* extremely naive feature flagging off the identity proof UI

* fixes for rubocop

* make identity proofs page resilient to potential keybase issues

* normalize i18n

* tweaks for brakeman

* remove two unused translations

* cleanup and add more localizations

* make keybase_contacts an admin setting

* fix ExternalProofService my_domain

* use Addressable::URI in identity proofs

* use active model serializer for keybase proof config

* more cleanup of keybase proof config

* rename proof is_valid and is_live to proof_valid and proof_live

* cleanup

* assorted tweaks for more robust communication with keybase

* Clean up

* Small fixes

* Display verified identity identically to verified links

* Clean up unused CSS

* Add caching for Keybase avatar URLs

* Remove keybase_contacts setting
2019-03-18 21:00:55 +01:00
Eugen Rochko b1e0164848 Add dormant filter to relationship manager, rename other filters (#10308)
Rename "abandoned" to "moved", and "active" to "primary"
2019-03-18 03:53:17 +01:00
Ben Lubar 591c26dc97 Reduce server load caused by anonymous viewing. (#9059)
Do not start a session if the current user is not logged in for public-facing pages.

Mark pages that don't care about sessions as publicly cacheable.

Keep the max age as 0 so proxies and browsers will still try to retrieve an updated version but can still fall back to the stale version if the site is down or too slow.

Fixes #9035.
2019-03-17 15:39:25 +01:00
Eugen Rochko 4fa2d55d4e Add relationship manager UI (#10268) 2019-03-16 11:23:22 +01:00
Eugen Rochko 1279d85ff4 Add `visibility` param to reblog REST API (#9851)
Use async worker for creating reblog notification to improve performance
2019-03-15 04:36:41 +01:00
Eugen Rochko e1130e461e Add a preferences API so apps can share basic behaviours (#10109) 2019-03-15 02:39:20 +01:00
Eugen Rochko 73fb7bfa0f Admission-based registrations mode (#10250)
Fix #6856
Fix #6951
2019-03-14 05:28:30 +01:00
Eugen Rochko 5ff943716e Fix `tagged` param not being normalized before querying tags (#10249) 2019-03-13 13:02:13 +01:00
Eugen Rochko 56822606f4 Redesign landing page (#10232) 2019-03-12 17:34:00 +01:00
ThibG cdf5a7f854 Avoid race conditions when creating backups (#10234)
Under load, multiple backups for a single user could be planned, which
is very expensive.
2019-03-11 00:50:31 +01:00
Eugen Rochko 4a3acdc916 Add polls (#10111)
* Add polls

Fix #1629

* Add tests

* Fixes

* Change API for creating polls

* Use name instead of content for votes

* Remove poll validation for remote polls

* Add polls to public pages

* When updating the poll, update options just in case they were changed

* Fix public pages showing both poll and other media
2019-03-03 22:18:23 +01:00
ThibG 892327c686 Give the `replies` collection an identifier and enable pagination (#10128) 2019-02-28 18:16:34 +01:00
abcang affb8b1de9 Improve account media query (#10121) 2019-02-26 15:23:24 +01:00
Eugen Rochko 693f2353bc Add type, limit, offset, min_id, max_id, account_id to search API (#10091)
* Add type, limit, offset, min_id, max_id, account_id to search API

Fix #8939

* Make the offset work on accounts and hashtags search as well

* Assure brakeman we are not doing mass assignment here

* Do not allow paginating unless a type is chosen

* Fix search query and index id field on statuses instead of created_at
2019-02-26 15:21:36 +01:00
Hinaloe 7517957a91 Randomize emoji filename (#10090) 2019-02-22 16:52:04 +01:00
ThibG abfa8617f3 Do not error out when performing admin actions on no statuses (#10094)
Same as #8220 but for reports
2019-02-21 19:36:48 +01:00
ThibG 9b7de13928 Add domain search/filter to the "Federation" (/admin/instances) page (#10071) 2019-02-18 14:59:19 +01:00
Eugen Rochko 99f902f224 Add vapid_key to the application entity in the REST API (#10058)
Fix #8785
2019-02-16 05:27:05 +01:00
ThibG a60f90b078 Save IP address used for sign-up, not only sign-in (#10026)
Fixes #9995
2019-02-12 22:24:14 +01:00
Takeshi Umeda 3d54d631a4 Fix it as tagged_request of accounts_controller is not addressable_uri (#9976) 2019-02-05 15:11:11 +01:00
Eugen Rochko 06a8ca8937 Fix pinned statuses being shown in a featured hashtag (#9971) 2019-02-05 00:27:18 +01:00
rinsuki d280cc15be Fix authorized applications list page design (#9969) 2019-02-04 22:25:42 +01:00
Eugen Rochko d2d4d38f22 Add featured hashtags to profiles (#9755)
* Add hashtag filter to profiles

GET /@:username/tagged/:hashtag
GET /api/v1/accounts/:id/statuses?tagged=:hashtag

* Display featured hashtags on public profile

* Use separate model for featured tags

* Update featured hashtag counters on-write

* Limit featured tags to 10
2019-02-04 04:25:59 +01:00
ThibG dfb101cd45 Make displaying application used to toot opt-in (#9897)
* Make storing and displaying application used to toot opt-in

* Revert to storing application info, and display it to the author via API
2019-02-02 19:18:15 +01:00
Eugen Rochko f77529ca00 Fix directory showing tags that have no currently eligible accounts (#9872) 2019-01-20 12:56:53 +01:00
Eugen Rochko 83fdb7b4f4 Fix REST API showing non-public reblogs for a given status (#9850) 2019-01-18 20:58:00 +01:00
Eugen Rochko 380b246728 Redesign public hashtag page to use a masonry layout (#9822) 2019-01-16 19:47:46 +01:00
Eugen Rochko f2ec1803cb Redesign admin instances area (#9645) 2019-01-08 13:39:49 +01:00
ThibG e60999c3c5 Improvements to signature verification (#9667)
* Refactor signature verification a bit

* Rescue signature verification if recorded public key is invalid

Fixes #8822

* Always re-fetch AP signing key when HTTP Signature verification fails

But when the account is not marked as stale, avoid fetching collections and
media, and avoid webfinger round-trip.

* Apply stoplight to key/account update as well as initial key retrieval
2019-01-07 21:45:13 +01:00
Eugen Rochko defe248b1c Change remote interaction dialog to use specific actions (#9743)
* Change remote interaction dialog to use specific actions

Instead of just "interact", use different strings based on whether
it's a reply, reblog or favourite. Add explanation why the step
is necessary in the first place

* Remove obsolete strings
2019-01-07 15:36:26 +01:00
Eugen Rochko d62a2a69e4 Add locale param to sign-up API (#9747)
Fix #9627
2019-01-07 14:50:20 +01:00
Eugen Rochko f6940286f5 Add cache to custom emojis API (#9732)
Fix #9729
2019-01-06 23:52:58 +01:00
Eugen Rochko ae1aaa3b8a Add scheduled statuses (#9706)
Fix #340
2019-01-05 12:43:28 +01:00
ThibG 631a91cbc0 Add quick links to the admin interface in the WebUI (#8545)
* Allow to show a specific status in the admin interface

* Let the front-end know the current account is a moderator

* Add admin links to status and account menus

If the current logged-in user is an admin, add quick links to the admin
interface in account and toot dropdown menu. Suggestion by @ashkitten

* Use @statuses.first instead of @statuses[0]
2019-01-04 13:10:43 +01:00
Eugen Rochko 93f560423b Fix list of local followers showing remote followers in admin UI (#9700) 2019-01-03 06:40:16 +01:00
Eugen Rochko 9244a06846 Add CSV export for lists and domain blocks (#9677)
Fix #6893
Fix #9268
2019-01-01 13:44:04 +01:00
Eugen Rochko 8958e58bd4 Improve admin UI for account view (#9643) 2018-12-28 03:38:41 +01:00
chr v1.x b659f51c43 Add local followers page to admin account UI (#9610)
* Add local followers page to admin account UI

For moderation, I often find myself wondering who, locally, is following
a remote user. Currently, to see this, I have to go back to the web UI,
paste in their full handle, click their profile, and go to the
"Followers" tab (plus, this information is incidental, and if mastodon
ever decides to resolve all of the follower information, there will be
no place local followers are shown). This PR adds a new page which is
accessible via the "following" count on the admin's account view
page, which shows the local followers. (It has filter parameters for
account location to indicate that only local followers are shown, and
leave room for expansion if mastodon ever decides to store the entire
remote follow list).

* Normalize en.yml
2018-12-27 13:15:39 +01:00
Eugen Rochko d70d8321d3 Add exclude_reblogs option to account statuses API (#9640)
Fix #9606
2018-12-27 03:42:35 +01:00
Eugen Rochko 7c2340443e Redirect to reports overview instead of report after account action (#9639) 2018-12-27 03:42:29 +01:00
ThibG d75e32caa3 Fix account unsilencing and unsuspension (#9637)
Fix regression from 2e0d617b8b
2018-12-26 19:16:15 +01:00
Eugen Rochko e5ebd4df78 Fix signature verification stoplight triggering on non-timeout errors (#9617) 2018-12-26 19:15:43 +01:00
Takeshi Umeda 9f74c2b877 Add error message with invalid email confirmation (#9625) 2018-12-25 19:35:26 +01:00
Eugen Rochko bbf9f4f93b Add REST API for creating an account (#9572)
* Add REST API for creating an account

The method is available to apps with a token obtained via the client
credentials grant. It creates a user and account records, as well as
an access token for the app that initiated the request. The user is
unconfirmed, and an e-mail is sent as usual.

The method returns the access token, which the app should save for
later. The REST API is not available to users with unconfirmed
accounts, so the app must be smart to wait for the user to click a
link in their e-mail inbox.

The method is rate-limited by IP to 5 requests per 30 minutes.

* Redirect users back to app from confirmation if they were created with an app

* Add tests

* Return 403 on the method if registrations are not open

* Require agreement param to be true in the API when creating an account
2018-12-24 19:12:38 +01:00
ThibG 4bf67e9cd0 Sanitize and sandbox toot embeds (#9552) 2018-12-23 02:16:35 +01:00
Eugen Rochko 5fdfe0c4cf Show 40 profiles per directory page instead of 30 (#9609)
To better align with the list of hashtags
2018-12-22 23:31:23 +01:00
Eugen Rochko 2e0d617b8b Add moderation warnings (#9519)
* Add moderation warnings

Replace individual routes for disabling, silencing, and suspending
a user, as well as the report update route, with a unified account
action controller that allows you to select an action (none,
disable, silence, suspend) as well as whether it should generate an
e-mail notification with optional custom text. That notification,
with the optional custom text, is saved as a warning.

Additionally, there are warning presets you can configure to save
time when performing the above.

* Use Account#local_username_and_domain
2018-12-22 20:02:09 +01:00
Eugen Rochko ae8c6b892f Allow unauthenticated REST API access to GET /api/v1/accounts/:id/statuses (#9573)
Fix #7087

The same data is available over the ActivityPub outbox, RSS, and Atom, so
there is little benefit to keeping it limited in this method.
2018-12-20 01:30:43 +01:00
jomo dc9f3d2cf2 fix CSP / X-Frame-Options for media embeds (#9558) 2018-12-18 16:40:30 +01:00
ysksn 7df45c6e11 Move #set_user to Admin::BaseController (#9470)
* Move #set_user to Admin::BaseController

* Rename Admin::TwoFactorAuthenticationsController

from `#set_user` to `#set_target_user` .
2018-12-17 11:40:51 +01:00
Eugen Rochko 32bd452b56 Remove "most popular" tab from profile directory, add responsive design (#9539)
* Remove "most popular" tab from profile directory, add responsive design

* Remove unused translations
2018-12-17 03:14:28 +01:00
ysksn 8996de49df Create Settings::BaseController (#9507)
Define `Settings::BaseController#set_body_classes` so that sub classes
inherit `Settings::BaseController` don't need to define
`#set_body_classes` agein.
2018-12-12 22:32:13 +01:00
ThibG 5548049e71 Add admin ability to remove an user's header image (#9495)
* Fix markup in admin/accounts/:id table for avatar

* Add admin ability to remove an user's header image
2018-12-11 19:28:03 +01:00
ThibG 0686523e18 Add instance-wide setting to disable profile directory (#9497)
* Add instance-wide setting to disable profile directory

Fixes #9496

When the profile directory is disabled:
- The “discoverable” setting is hidden from users
- The “profile directory” link is not shown on public pages
- /explore returns 404

* Move Setting.profile_directory check to a before_action filter
2018-12-11 19:18:29 +01:00
ysksn dfd6445334 Add specs for activitypub collections controller (#9484)
* Add specs for ActivityPub::CollectionsController#show

* Raise ActiveRecord::RecordNotFound

Raising ActiveRecord::NotFound raises NameError: uninitialized constant
ActiveRecord::NotFound.
2018-12-10 21:39:25 +01:00
ysksn af123ea5e8 Remove RemoteAccountControllerConcern never used (#9482) 2018-12-10 21:38:01 +01:00
ysksn a6641d0541 Fix Admin::TagsController#unhide (#9481) 2018-12-10 21:37:38 +01:00
ThibG 097d866028 Add setting to not aggregate reblogs (#9248)
* Add setting to not aggregate reblogs

Fixes #9222

* Handle cases where user is nil in add_to_home and add_to_list

* Add hint for setting_aggregate_reblogs option

* Reword setting_aggregate_reblogs label
2018-12-09 13:03:01 +01:00
Eugen Rochko fd8ca11f19 Add profile directory (#9427)
Fix #5578
2018-12-06 17:36:11 +01:00
ThibG 5e2cd7f672 Fix thread depth computation in statuses_controller (#9426)
* Add test that should currently fail

* Fix depth computation (will still fail if statuses have been filtered out)

* Fix handling of broken threads
2018-12-05 02:12:29 +01:00
Eugen Rochko 305556274a Redesign admin accounts index (#9340)
* Improve overview of accounts in admin UI

- Display suspended status, role, last activity and IP prominently
- Default to showing local accounts
- Default to not showing suspended accounts

* Remove unused strings

* Fix tests

* Allow filtering accounts by IP mask
2018-11-26 15:53:27 +01:00
Eugen Rochko 62c0e112ea Extract counters from accounts table to account_stats table (#9295) 2018-11-19 00:43:52 +01:00
Eugen Rochko 7a939f7cfc Remove intermediary arrays when creating hash maps from results (#9291) 2018-11-16 15:02:18 +01:00
Eugen Rochko d78aed7a37 Reduce connect timeout limit and limit signature failures by source IP (#9236)
* Reduce connect timeout from 10s to 1s

* Limit failing signature verifications per source IP
2018-11-08 21:35:58 +01:00
Eugen Rochko 5f613d55e6 Optimize the process of following someone (#9220)
* Eliminate extra accounts select query from FollowService

* Optimistically update follow state in web UI and hide loading bar

Fix #6205

* Asynchronize NotifyService in FollowService

And fix failing test

* Skip Webfinger resolve routine when called from FollowService if possible

If an account is ActivityPub, then webfinger re-resolving is not necessary
when called from FollowService. Improve options of ResolveAccountService
2018-11-08 21:05:42 +01:00
James Kiesel d2a9ea58da Allow joining several hashtags in a single column (#8904)
* Nascent tag menu on frontend

* Hook up frontend to search

* Tag intersection backend first pass

* Update yarnlock

* WIP

* Fix for tags not searching correctly

* Make radio buttons function

* Simplify radio buttons with modeOption

* Better naming

* Rearrange options

* Add all/any/none functionality on backend

* Small PR cleanup

* Move to service from scope

* Small cleanup, add proper service tests

* Don't use send with user input :D

* Set appropriate column header

* Handle auto updating timeline

* Fix up toggle function

* Use tag value correctly

* A bit more correct to use 'self' rather than 'all' in status scope

* Fix some style issues

* Fix more code style issues

* Style select dropdown more better

* Only use to_id'ed value to ensure no SQL injection

* Revamp frontend to allow for multiple selects

* Update backend / col header to account for more flexible tagging

* Update brakeman ignore

* Codeclimate suggestions

* Fix presenter tag_url

* Implement initial PR feedback

* Handle additional tag streaming

* CodeClimate tweak
2018-11-05 18:53:25 +01:00
Eugen Rochko ca87d98d16 Revert "feat(auth/session_controller): Send Clear-Site-Data when logging out (8627)" (#9161)
This reverts commit 0c756cfd54.
2018-10-30 16:25:54 +01:00
Eugen Rochko cf2ab9c394 Include preview cards in status entity in REST API (#9120)
* Include preview cards in status entity in REST API

* Display preview card in-stream

* Improve in-stream display of preview cards
2018-10-28 06:35:03 +01:00
ThibG b5042bbeeb Fix styling in /auth/edit (#9117) 2018-10-26 22:49:17 +02:00
Eugen Rochko b110105a53 Allow inbox owner to view implicitly targeted ActivityPub payload (#9093)
Fix #9091
2018-10-25 18:12:22 +02:00
Yamagishi Kazutoshi cad03e69b3 Set @body_classes to admin layout (#9081) 2018-10-25 00:10:01 +02:00
Eugen Rochko 40d23fc4d1 Add option to block reports from domain (#8830) 2018-10-20 08:02:44 +02:00
Eugen Rochko 9ccae7feff Add "disable" button to report screen (#9024)
* Add "disable" button to report screen

* i18n-tasks remove-unused
2018-10-20 02:39:39 +02:00
Eugen Rochko e3b2234382 Add unread indicator to conversations (#9009) 2018-10-19 01:47:29 +02:00
Eugen Rochko 0a5b65533d Improve signature verification safeguards (#8959)
* Downcase signed_headers string before building the signed string

The HTTP Signatures draft does not mandate the “headers” field to be downcased,
but mandates the header field names to be downcased in the signed string, which
means that prior to this patch, Mastodon could fail to process signatures from
some compliant clients. It also means that it would not actually check the
Digest of non-compliant clients that wouldn't use a lowercased Digest field
name.

Thankfully, I don't know of any such client.

* Revert "Remove dead code (#8919)"

This reverts commit 65d1a2d10a.

* Restore time window checking, change it to 12 hours

By checking the Date header, we can prevent replaying old vulnerable
signatures. The focus is to prevent replaying old vulnerable requests
from software that has been fixed in the meantime, so a somewhat long
window should be fine and accounts for timezone misconfiguration.

* Escape users' URLs when formatting them

Fixes possible HTML injection

* Escape all string interpolations in Formatter class

Slightly improve performance by reducing class allocations
from repeated Formatter#encode calls

* Fix code style issues
2018-10-12 00:15:55 +02:00
ThibG 51c53e709f Set Content-Security-Policy rules through RoR's config (#8957)
* Set CSP rules in RoR's configuration

* Override CSP setting in the embed controller to allow frames
2018-10-11 20:35:46 +02:00
Eugen Rochko 65d1a2d10a Remove dead code (#8919)
SignatureVerification#matches_time_window? is not called anywhere.
2018-10-08 04:48:54 +02:00
ashleyhull-versent ea57aca5e1 Replace SVG asset with Custom mascot (#8766) 2018-10-08 00:20:45 +02:00
Eugen Rochko c9b5168ebd Add conversations API (#8832)
* Add conversations API

* Add web UI for conversations

* Add test for conversations API

* Add tests for ConversationAccount

* Improve web UI

* Rename ConversationAccount to AccountConversation

* Remove conversations on block and mute

* Change last_status_id to be a denormalization of status_ids

* Add optimistic locking
2018-10-07 23:44:58 +02:00
ThibG 8b48543b77 Ensure only toots from the reported users are reported (#8916) 2018-10-07 19:45:40 +02:00
Eugen Rochko 1ae62b87ed Change admin accounts default sort to most recent (#8813) 2018-10-04 16:05:38 +02:00
Eugen Rochko 5ddcdf3753 Support min_id-based pagination in REST API (#8736)
* Allow min_id pagination in Feed#get

* Add min_id pagination to home and list timeline APIs

* Add min_id pagination to account statuses, public and tag APIs

* Remove unused stub in reports API

* Use min_id pagination in notifications, favourites, and fix order

* Fix HomeFeed#from_database not using paginate_by_id
2018-09-28 02:23:45 +02:00
ふぁぼ原 bb8afc4608 Add a new preference to always hide all media (#8569) 2018-09-25 05:09:35 +02:00
Yamagishi Kazutoshi 449edebb1c Cache instance info (#8765) 2018-09-24 16:15:49 +02:00
Matt Sweetman 674865731a Add user preference to always expand toots marked with content warnings (#8762) 2018-09-24 05:44:01 +02:00
luzpaz 1bce70d3c7 Misc. typos (#8694)
Found via `codespell -q 3 --skip="./app/javascript/mastodon/locales,./config/locales"`
2018-09-14 00:53:09 +02:00
Eugen Rochko 72a8ca84e0 Add force_login option to OAuth authorize page (#8655)
* Add force_login option to OAuth authorize page

For when a user needs to sign into an app from multiple accounts
on the same server

* When logging out from modal header, redirect back after re-login
2018-09-09 04:10:44 +02:00
Sorin Davidoi 0c756cfd54 feat(auth/session_controller): Send Clear-Site-Data when logging out (#8627)
Will clear the browser's cache, cookies and storage.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data
https://w3c.github.io/webappsec-clear-site-data/
2018-09-07 05:42:16 +02:00
Eugen Rochko 00d1699a96 Whitelist report notification param in Settings::NotificationsController (#8560)
Bug in #8559
2018-09-02 02:05:32 +02:00
Eugen Rochko 601a0dc6cc Add preference for report notification e-mails, skip for duplicates (#8559)
If an unresolved report for the same target account already exists,
no new notification is generated
2018-09-02 00:11:58 +02:00
ThibG 108623e86d Self-notify on accepting follow requests (#8541) 2018-08-31 15:17:31 +02:00
Renato "Lond" Cerqueira c7423078ce Add animate custom emoji param to embed pages (#8507)
* Add animate custom emoji param to embed pages

* Rename param, use it for avatars and gifs

* Fix issues pointed by codeclimate and breaking test

* Ignore brakeman warning
2018-08-30 23:14:01 +02:00
Jakub Mendyk 9c11d260e1 Make Api::V1::MutesController paginate properly (#8472)
Fixes #8463
2018-08-26 21:30:17 +02:00
Quint Guvernator 476ba6e4f0 Fix low-hanging rubocop gripes (#8458)
* rubocop: quit being so picky

* rubocop: miscellany

* rubocop: prefer present to blank
2018-08-26 19:22:46 +02:00
Eugen Rochko 94b7dddeac Add admin custom CSS setting (#8399)
Fix #3894
2018-08-24 04:33:27 +02:00
Eugen Rochko 413a28499d Allow mods to disable login, improve message when login disabled (#8329)
* Allow moderators to disable/enable login

* Instead of rejecting login, show forbidden error when login disabled

Avoid confusion because when login is rejected, the message is that
the account is not activated, which is wrong.

* Fix tests
2018-08-23 23:26:29 +02:00
Eugen Rochko 335b1520bb Fix regression when suspending not from report (#8400)
Regression from #8353
2018-08-23 21:51:56 +02:00
Jakub Mendyk 289b4f2838 Add ability to change an instance default theme from the administration panel (#7092) (#8381)
* Add default_settings class method to ScopedSettings

ScopedSettings was extended to use value of unscoped setting instead of
only using defaults set in config/settings.yml for selected settings.
This adds possibility for admins to set default values of users' settings,
for example default theme (as requested in #7092).

* Add ability to change an instance default theme

Closes #7092
2018-08-23 14:17:35 +02:00
Eugen Rochko 801b0f583f Add confirmation step to account suspensions (#8353)
* Add confirmation page for suspensions

* Suspension confirmation closes reports, linked from report UI

* Fix tests
2018-08-22 11:53:41 +02:00
ThibG 09fb9fb07e Add API endpoint to list featured accounts (fixes #8315) (#8317) 2018-08-20 18:46:04 +02:00
abcang af2122bcf9 Unuse ActiveRecord::Base#cache_key (#8185)
* Unuse ActiveRecord::Base#cache_key

* Enable cache_versioning

* Call cache_collection
2018-08-19 15:52:38 +02:00
Eugen Rochko 834df855e2 Add admin function to deactivate all invites (#8279)
Fix #8261
2018-08-19 00:58:53 +02:00
Eugen Rochko 273e8f0474 Add remote interaction dialog for toots (#8202)
* Add remote interaction dialog for toots

* Change AuthorizeFollow into AuthorizeInteraction, support statuses

* Update brakeman.ignore

* Adjust how interaction buttons are display on public pages

* Fix tests
2018-08-18 03:03:12 +02:00
ThibG 8cc34321d5 Do not error out when performing admin actions on no statuses (#8220)
Fixes the other issue with #8168
2018-08-16 20:02:52 +02:00
ThibG 1d3b39e106 Ensure single user is a local user (fixes #8154) (#8157) 2018-08-11 11:53:10 +02:00
Eugen Rochko 9e8366d4cb Update /terms and /about/more to use public layout (#8142) 2018-08-09 12:58:20 +02:00
Eugen Rochko 6e3cb11f3c Public profile endorsements (accounts picked by profile owner) (#8146) 2018-08-09 09:56:53 +02:00
Yamagishi Kazutoshi 9e0015e834 Do not show pinned toots when min_id is set (#8111) 2018-08-01 17:57:02 +02:00
Eugen Rochko 934d50daf0 Add separate setting for sidebar text (site_short_description) (#8107)
* Add separate setting for sidebar text (site_short_description)

* Fix tests
2018-07-31 18:59:34 +02:00
Eugen Rochko a78672ae50 Compensate for scrollbar disappearing when media modal visible (#8100)
* Compensate for scrollbar disappearing when media modal visible

Make auth pages backgrounds lighter

* Fix typo
2018-07-31 01:14:33 +02:00
Eugen Rochko 7d51186e8e Order invites by recent first (#8091)
Fix #8085
2018-07-28 17:15:17 -04:00
Eugen Rochko 13df3889f0 Redesign public profiles and toots (#8068) 2018-07-28 19:25:33 +02:00
Eugen Rochko 2f6967913a Display trending hashtags on admin dashboard (#8038) 2018-07-16 19:21:27 +02:00
Eugen Rochko 26bd3742e9 Fix typo in Admin::DashboardController#index 2018-07-16 01:58:10 +02:00
Eugen Rochko d0b14eaee2 Add admin dashboard (#8029) 2018-07-16 01:11:53 +02:00
Eugen Rochko 171c20ce72 Add federation relay support (#7998)
* Add federation relay support

* Add admin UI for managing relays

* Include actor on relay-related activities

* Fix i18n
2018-07-13 02:16:06 +02:00
mayaeh 3dc6c216ce Fix whole-word selection and i18n: Add Japanese translation for Whole-word (#8004)
* Add Japanese translation for "Whole word" and add it's description.

* Fix to enable "Whole-word" selection.
2018-07-12 17:58:26 +02:00
ThibG 4c70bb6d6d Add option to not consider word boundaries when processing keyword filtering (#7975)
* Add option to not consider word boundaries when filtering phrases

* Add a few tests for keyword/phrase filtering
2018-07-09 02:22:09 +02:00
Eugen Rochko a7039e4fd3 Add API method to remove a suggestion (#7978)
DELETE /api/v1/suggestions/:account_id

When blocking, remove suggestion from both sides. Muting not affected,
since muting is supposed to be invisible to the target.
2018-07-07 21:09:54 +02:00
Eugen Rochko 0dbaa1badf Fix missing irreversible in filters API, expires_in param (#7976) 2018-07-07 18:51:45 +02:00
Eugen Rochko 5bec5c3e6e Add admin setting to enable OG previews for sensitive media (#7962) 2018-07-06 02:15:56 +02:00
Eugen Rochko 08ee72640b If signed in, redirect autofollow invite to profile page (#7956)
Fix #7944
2018-07-05 20:57:35 +02:00
Eugen Rochko 34fdf77f48 Add more granular OAuth scopes (#7929)
* Add more granular OAuth scopes

* Add human-readable descriptions of the new scopes

* Ensure new scopes look good on the app UI

* Add tests

* Group scopes in screen and color-code dangerous ones

* Fix wrong extra scope
2018-07-05 18:31:35 +02:00
Eugen Rochko aa4e75166b Re-add follow recommendations API (#7918)
* Re-add follow recommendations API

    GET /api/v1/suggestions

Removed in 30f9e9e624 due to Neo4J
dependency. The algorithm uses triadic closures, takes into account
suspensions, blocks, mutes, domain blocks, excludes locked and moved
accounts, and prefers more recently updated accounts.

* Track interactions with people you don't follow

Replying to, favouriting and reblogging someone you're not following
will make them show up in follow recommendations. The interactions
have different weights:

- Replying is 1
- Favouriting is 10 (decidedly positive interaction, but private)
- Reblogging is 20

Following them, muting or blocking will remove them from the list,
obviously.

* Remove triadic closures, ensure potential friendships are trimmed
2018-07-03 01:47:56 +02:00
Eugen Rochko 23624f709a Improve embeds (#7919)
* Make embeds cacheable by reverse proxy

* Make follow button on embeds open remote follow modal

Instead of web+mastodon://, also, turn the button blue, and add a
sign up prompt to the remote follow modal
2018-07-01 04:12:34 +02:00
Marty McGuire 4aa3f667fc Typo in signature verification failure logging (#7916)
`@signature_verification_failure_reason` is used in most places but`@signed_verification_failure_reason` appears in two places. Likely those errors are not returned.
2018-06-30 13:11:38 +02:00
Eugen Rochko d878e3e945 Keyword/phrase filtering (#7905)
* Add keyword filtering

    GET|POST       /api/v1/filters
    GET|PUT|DELETE /api/v1/filters/:id

- Irreversible filters can drop toots from home or notifications
- Other filters can hide toots through the client app
- Filters use a phrase valid in particular contexts, expiration

* Make sure expired filters don't get applied client-side

* Add missing API methods

* Remove "regex filter" from column settings

* Add tests

* Add test for FeedManager

* Add CustomFilter test

* Add UI for managing filters

* Add streaming API event to allow syncing filters

* Fix tests
2018-06-29 15:34:36 +02:00