about summary refs log tree commit diff
AgeCommit message (Collapse)Author
2022-01-25Bump rails from 6.1.4.1 to 6.1.4.4 (#17159)dependabot[bot]
* Bump rails from 6.1.4.1 to 6.1.4.4 Bumps [rails](https://github.com/rails/rails) from 6.1.4.1 to 6.1.4.4. - [Release notes](https://github.com/rails/rails/releases) - [Commits](https://github.com/rails/rails/compare/v6.1.4.1...v6.1.4.4) --- updated-dependencies: - dependency-name: rails dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * Revert marcel to 1.0.1 Avoid some regression that need to be investigated Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2022-01-24disable legacy XSS filtering (#17289)Wonderfall
Browsers are phasing out X-XSS-Protection, but Safari and IE still support it.
2022-01-24Fix link_to_login argument handling when a block is passed (#17345)Claire
2022-01-23Fix error-prone SQL queries (#15828)Claire
* Fix error-prone SQL queries in Account search While this code seems to not present an actual vulnerability, one could easily be introduced by mistake due to how the query is built. This PR parameterises the `to_tsquery` input to make the query more robust. * Harden code for Status#tagged_with_all and Status#tagged_with_none Those two scopes aren't used in a way that could be vulnerable to an SQL injection, but keeping them unchanged might be a hazard. * Remove unneeded spaces surrounding tsquery term * Please CodeClimate * Move advanced_search_for SQL template to its own function This avoids one level of indentation while making clearer that the SQL template isn't build from all the dynamic parameters of advanced_search_for. * Add tests covering tagged_with, tagged_with_all and tagged_with_none * Rewrite tagged_with_none to avoid multiple joins and make it more robust * Remove obsolete brakeman warnings * Revert "Remove unneeded spaces surrounding tsquery term" The two queries are not strictly equivalent. This reverts commit 86f16c537e06c6ba4a8b250f25dcce9f049023ff.
2022-01-23Change `percent` to `rate` in retention metrics API (#16910)Claire
2022-01-23Add OMNIAUTH_ONLY environment variable to enforce externa log-in (#17288)Claire
* Remove support for OAUTH_REDIRECT_AT_SIGN_IN Fixes #15959 Introduced in #6540, OAUTH_REDIRECT_AT_SIGN_IN allowed skipping the log-in form to instead redirect to the external OmniAuth login provider. However, it did not prevent the log-in form on /about introduced by #10232 from appearing, and completely broke with the introduction of #15228. As I restoring that previous log-in flow without introducing a security vulnerability may require extensive care and knowledge of how OmniAuth works, this commit removes support for OAUTH_REDIRECT_AT_SIGN_IN instead for the time being. * Add OMNIAUTH_ONLY environment variable to enforce external log-in only * Disable user registration when OMNIAUTH_ONLY is set to true * Replace log-in links When OMNIAUTH_ONLY is set with exactly one OmniAuth provider
2022-01-23Remove support for OAUTH_REDIRECT_AT_SIGN_IN (#17287)Claire
Fixes #15959 Introduced in #6540, OAUTH_REDIRECT_AT_SIGN_IN allowed skipping the log-in form to instead redirect to the external OmniAuth login provider. However, it did not prevent the log-in form on /about introduced by #10232 from appearing, and completely broke with the introduction of #15228. As I restoring that previous log-in flow without introducing a security vulnerability may require extensive care and knowledge of how OmniAuth works, this commit removes support for OAUTH_REDIRECT_AT_SIGN_IN instead for the time being.
2022-01-23Remove leftover database columns from Devise::Models::Rememberable (#17191)Claire
* Remove leftover database columns from Devise::Models::Rememberable * Update fix-duplication maintenance script * Improve errors/warnings in the fix-duplicates maintenance script
2022-01-23Remove old duplicate index (#17245)Claire
Some Mastodon versions (v1.1 and v1.2) had a duplicate index in `db/schema.rb` without any migration script creating it. #2224 (included in v1.3) removed the duplicate index from the file but did not provide a migration script to remove it. This means that any instance that was installed from v1.1 or v1.2's source code has a duplicate index and a corresponding warning in PgHero. Instances set up using an earlier or later Mastodon version do not have this issue. This PR removes the duplicate index if it is present.
2022-01-20Fix text being incorrectly pre-selected in composer textarea on /share (#17339)Claire
Fixes #17295
2022-01-20Change mastodon:webpush:generate_vapid_key task to not require functional ↵Claire
env (#17338) Fixes #17297
2022-01-20Add post edited notice in admin and public UIs (#17335)Claire
* Add edited toot flag on public pages * Add toot edit flag to admin pages
2022-01-19Fix error when using raw distribution worker (#17334)Eugen Rochko
Regression from #16697
2022-01-19Fix error when processing poll updates (#17333)Eugen Rochko
Regression from #16697
2022-01-19Add support for editing for published statuses (#16697)Eugen Rochko
* Add support for editing for published statuses * Fix references to stripped-out code * Various fixes and improvements * Further fixes and improvements * Fix updates being potentially sent to unauthorized recipients * Various fixes and improvements * Fix wrong words in test * Fix notifying accounts that were tagged but were not in the audience * Fix mistake
2022-01-19Fix NameError on ActivityPub::FetchFeaturedCollectionService (#17326)Jeong Arm
Related: #16954
2022-01-19Bump json-ld from 3.1.10 to 3.2.0 (#17224)dependabot[bot]
Bumps [json-ld](https://github.com/ruby-rdf/json-ld) from 3.1.10 to 3.2.0. - [Release notes](https://github.com/ruby-rdf/json-ld/releases) - [Commits](https://github.com/ruby-rdf/json-ld/compare/3.1.10...3.2.0) --- updated-dependencies: - dependency-name: json-ld dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-19Bump thor from 1.1.0 to 1.2.1 (#17250)dependabot[bot]
Bumps [thor](https://github.com/rails/thor) from 1.1.0 to 1.2.1. - [Release notes](https://github.com/rails/thor/releases) - [Commits](https://github.com/rails/thor/compare/v1.1.0...v1.2.1) --- updated-dependencies: - dependency-name: thor dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-19Bump nokogiri from 1.12.5 to 1.13.1 (#17306)dependabot[bot]
Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.12.5 to 1.13.1. - [Release notes](https://github.com/sparklemotion/nokogiri/releases) - [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md) - [Commits](https://github.com/sparklemotion/nokogiri/compare/v1.12.5...v1.13.1) --- updated-dependencies: - dependency-name: nokogiri dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-19Bump aws-sdk-s3 from 1.109.0 to 1.111.1 (#17277)dependabot[bot]
Bumps [aws-sdk-s3](https://github.com/aws/aws-sdk-ruby) from 1.109.0 to 1.111.1. - [Release notes](https://github.com/aws/aws-sdk-ruby/releases) - [Changelog](https://github.com/aws/aws-sdk-ruby/blob/version-3/gems/aws-sdk-s3/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-ruby/commits) --- updated-dependencies: - dependency-name: aws-sdk-s3 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-19Bump prop-types from 15.7.2 to 15.8.1 (#17278)dependabot[bot]
Bumps [prop-types](https://github.com/facebook/prop-types) from 15.7.2 to 15.8.1. - [Release notes](https://github.com/facebook/prop-types/releases) - [Changelog](https://github.com/facebook/prop-types/blob/main/CHANGELOG.md) - [Commits](https://github.com/facebook/prop-types/compare/v15.7.2...v15.8.1) --- updated-dependencies: - dependency-name: prop-types dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-19Bump ed25519 from 1.2.4 to 1.3.0 (#17310)dependabot[bot]
Bumps [ed25519](https://github.com/RubyCrypto/ed25519) from 1.2.4 to 1.3.0. - [Release notes](https://github.com/RubyCrypto/ed25519/releases) - [Changelog](https://github.com/RubyCrypto/ed25519/blob/main/CHANGES.md) - [Commits](https://github.com/RubyCrypto/ed25519/compare/v1.2.4...v1.3.0) --- updated-dependencies: - dependency-name: ed25519 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-19Bump bootsnap from 1.9.3 to 1.10.1 (#17311)dependabot[bot]
Bumps [bootsnap](https://github.com/Shopify/bootsnap) from 1.9.3 to 1.10.1. - [Release notes](https://github.com/Shopify/bootsnap/releases) - [Changelog](https://github.com/Shopify/bootsnap/blob/main/CHANGELOG.md) - [Commits](https://github.com/Shopify/bootsnap/compare/v1.9.3...v1.10.1) --- updated-dependencies: - dependency-name: bootsnap dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-19Bump sass from 1.45.2 to 1.48.0 (#17315)dependabot[bot]
Bumps [sass](https://github.com/sass/dart-sass) from 1.45.2 to 1.48.0. - [Release notes](https://github.com/sass/dart-sass/releases) - [Changelog](https://github.com/sass/dart-sass/blob/main/CHANGELOG.md) - [Commits](https://github.com/sass/dart-sass/compare/1.45.2...1.48.0) --- updated-dependencies: - dependency-name: sass dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-19Bump babel-jest from 27.4.5 to 27.4.6 (#17280)dependabot[bot]
Bumps [babel-jest](https://github.com/facebook/jest/tree/HEAD/packages/babel-jest) from 27.4.5 to 27.4.6. - [Release notes](https://github.com/facebook/jest/releases) - [Changelog](https://github.com/facebook/jest/blob/main/CHANGELOG.md) - [Commits](https://github.com/facebook/jest/commits/v27.4.6/packages/babel-jest) --- updated-dependencies: - dependency-name: babel-jest dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-19Bump @babel/plugin-transform-runtime from 7.16.7 to 7.16.8 (#17314)dependabot[bot]
Bumps [@babel/plugin-transform-runtime](https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-runtime) from 7.16.7 to 7.16.8. - [Release notes](https://github.com/babel/babel/releases) - [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md) - [Commits](https://github.com/babel/babel/commits/v7.16.8/packages/babel-plugin-transform-runtime) --- updated-dependencies: - dependency-name: "@babel/plugin-transform-runtime" dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-19Bump ws from 8.3.0 to 8.4.2 (#17318)dependabot[bot]
Bumps [ws](https://github.com/websockets/ws) from 8.3.0 to 8.4.2. - [Release notes](https://github.com/websockets/ws/releases) - [Commits](https://github.com/websockets/ws/compare/8.3.0...8.4.2) --- updated-dependencies: - dependency-name: ws dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-19Bump rubocop-rails from 2.13.0 to 2.13.2 (#17321)dependabot[bot]
Bumps [rubocop-rails](https://github.com/rubocop/rubocop-rails) from 2.13.0 to 2.13.2. - [Release notes](https://github.com/rubocop/rubocop-rails/releases) - [Changelog](https://github.com/rubocop/rubocop-rails/blob/master/CHANGELOG.md) - [Commits](https://github.com/rubocop/rubocop-rails/compare/v2.13.0...v2.13.2) --- updated-dependencies: - dependency-name: rubocop-rails dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-18Bump redis from 4.0.1 to 4.0.2 (#17309)dependabot[bot]
Bumps [redis](https://github.com/redis/node-redis) from 4.0.1 to 4.0.2. - [Release notes](https://github.com/redis/node-redis/releases) - [Changelog](https://github.com/redis/node-redis/blob/master/CHANGELOG.md) - [Commits](https://github.com/redis/node-redis/compare/redis@4.0.1...redis@4.0.2) --- updated-dependencies: - dependency-name: redis dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-18Bump bullet from 7.0.0 to 7.0.1 (#17312)dependabot[bot]
Bumps [bullet](https://github.com/flyerhzm/bullet) from 7.0.0 to 7.0.1. - [Release notes](https://github.com/flyerhzm/bullet/releases) - [Changelog](https://github.com/flyerhzm/bullet/blob/master/CHANGELOG.md) - [Commits](https://github.com/flyerhzm/bullet/compare/7.0.0...7.0.1) --- updated-dependencies: - dependency-name: bullet dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-18Bump react-select from 5.2.1 to 5.2.2 (#17313)dependabot[bot]
Bumps [react-select](https://github.com/JedWatson/react-select) from 5.2.1 to 5.2.2. - [Release notes](https://github.com/JedWatson/react-select/releases) - [Changelog](https://github.com/JedWatson/react-select/blob/master/docs/CHANGELOG.md) - [Commits](https://github.com/JedWatson/react-select/compare/react-select@5.2.1...react-select@5.2.2) --- updated-dependencies: - dependency-name: react-select dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-18Bump @babel/preset-env from 7.16.7 to 7.16.8 (#17317)dependabot[bot]
Bumps [@babel/preset-env](https://github.com/babel/babel/tree/HEAD/packages/babel-preset-env) from 7.16.7 to 7.16.8. - [Release notes](https://github.com/babel/babel/releases) - [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md) - [Commits](https://github.com/babel/babel/commits/v7.16.8/packages/babel-preset-env) --- updated-dependencies: - dependency-name: "@babel/preset-env" dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-18Bump pkg-config from 1.4.6 to 1.4.7 (#17307)dependabot[bot]
Bumps [pkg-config](https://github.com/ruby-gnome/pkg-config) from 1.4.6 to 1.4.7. - [Release notes](https://github.com/ruby-gnome/pkg-config/releases) - [Changelog](https://github.com/ruby-gnome/pkg-config/blob/master/NEWS) - [Commits](https://github.com/ruby-gnome/pkg-config/compare/1.4.6...1.4.7) --- updated-dependencies: - dependency-name: pkg-config dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-18Bump active_model_serializers from 0.10.12 to 0.10.13 (#17305)dependabot[bot]
Bumps [active_model_serializers](https://github.com/rails-api/active_model_serializers) from 0.10.12 to 0.10.13. - [Release notes](https://github.com/rails-api/active_model_serializers/releases) - [Changelog](https://github.com/rails-api/active_model_serializers/blob/v0.10.13/CHANGELOG.md) - [Commits](https://github.com/rails-api/active_model_serializers/compare/v0.10.12...v0.10.13) --- updated-dependencies: - dependency-name: active_model_serializers dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-18Bump follow-redirects from 1.14.4 to 1.14.7 (#17285)dependabot[bot]
Bumps [follow-redirects](https://github.com/follow-redirects/follow-redirects) from 1.14.4 to 1.14.7. - [Release notes](https://github.com/follow-redirects/follow-redirects/releases) - [Commits](https://github.com/follow-redirects/follow-redirects/compare/v1.14.4...v1.14.7) --- updated-dependencies: - dependency-name: follow-redirects dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-18Bump jest from 27.4.5 to 27.4.7 (#17279)dependabot[bot]
Bumps [jest](https://github.com/facebook/jest) from 27.4.5 to 27.4.7. - [Release notes](https://github.com/facebook/jest/releases) - [Changelog](https://github.com/facebook/jest/blob/main/CHANGELOG.md) - [Commits](https://github.com/facebook/jest/compare/v27.4.5...v27.4.7) --- updated-dependencies: - dependency-name: jest dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-18Bump rspec_junit_formatter from 0.5.0 to 0.5.1 (#17275)dependabot[bot]
Bumps [rspec_junit_formatter](https://github.com/sj26/rspec_junit_formatter) from 0.5.0 to 0.5.1. - [Release notes](https://github.com/sj26/rspec_junit_formatter/releases) - [Changelog](https://github.com/sj26/rspec_junit_formatter/blob/main/CHANGELOG.md) - [Commits](https://github.com/sj26/rspec_junit_formatter/compare/v0.5.0...v0.5.1) --- updated-dependencies: - dependency-name: rspec_junit_formatter dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-18Bump rubocop-rails from 2.13.0 to 2.13.1 (#17274)dependabot[bot]
Bumps [rubocop-rails](https://github.com/rubocop/rubocop-rails) from 2.13.0 to 2.13.1. - [Release notes](https://github.com/rubocop/rubocop-rails/releases) - [Changelog](https://github.com/rubocop/rubocop-rails/blob/master/CHANGELOG.md) - [Commits](https://github.com/rubocop/rubocop-rails/compare/v2.13.0...v2.13.1) --- updated-dependencies: - dependency-name: rubocop-rails dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-18Bump scenic from 1.5.4 to 1.5.5 (#17193)dependabot[bot]
Bumps [scenic](https://github.com/scenic-views/scenic) from 1.5.4 to 1.5.5. - [Release notes](https://github.com/scenic-views/scenic/releases) - [Changelog](https://github.com/scenic-views/scenic/blob/main/CHANGELOG.md) - [Commits](https://github.com/scenic-views/scenic/compare/v1.5.4...v1.5.5) --- updated-dependencies: - dependency-name: scenic dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-17Fix `pinned` attribute not being set for private self-posts (#17304)Claire
2022-01-17Add notifications for statuses deleted by moderators (#17204)Eugen Rochko
2022-01-17Add support for private pinned posts (#16954)Claire
* Add support for private pinned toots * Allow local user to pin private toots * Change wording to avoid "direct message"
2022-01-16Fix admin interface crash when displaying deleted user (#17301)Claire
2022-01-16Add line about using vagrant-hostsupdater in the Vagrant short guide (#17243)Claire
This is documented in the Vagrantfile, but not in the README. As far as I know, following the short guide without installing this plugin will not make the container accessible at mastodon.local, thus breaking the last step of the guide.
2022-01-16Remove IP tracking columns from users table (#16409)Eugen Rochko
2022-01-13Fix SMTP_ENABLE_STARTTLS_AUTO/SMTP_TLS/SMTP_SSL environment variables don't ↵tkr
work (#17216) #17215
2022-01-10Fix media API limit (#17272)Jeong Arm
2022-01-10Gradually increase retry waiting for media processing (#17271)Jeong Arm
2022-01-09helm: upgrade elasticsearch to 7.x (#17262)Alexandra Catalina
2022-01-07Fix timeline streaming stopping for multiple sessions instead of one (#17259)Claire
* Fix timeline streaming stopping for multiple sessions instead of one Fixes #17256. In updating the code for a newer version of node-redis, #17183 also broke redis subscription management when multiple streaming clients subscribe to the same channel. This commit restores the redis subscription management code. * Let node-redis actually handle the subscriptions