Age | Commit message (Collapse) | Author |
|
* Add toot send by current user at local state after send a new toot
Related to #14021
* Decrement toot counter at profile when remove a toot
Related to #14021
* Remove semicolon at end of line
|
|
Fixes #14307
|
|
* Fix rubocop warning
* use limit variable
* use ContextCreatingMethods option
|
|
* Fix media attachment enumeration
* Switch media_attachments id to snowflake ids
Co-authored-by: Thibaut Girka <thib@sitedethib.com>
|
|
While OAuth tokens were immediately revoked, accessing the home
controller immediately generated new OAuth tokens and "revived"
the session due to a combination of using remember_me tokens and
overwriting the `authenticate_user!` method
|
|
* Add UserNote model
* Add UI for user notes
* Put comment in relationships entity
* Add API to create user notes
* Copy user notes to new account when receiving a Move activity
* Address some of the review remarks
* Replace modal by inline edition
* Please CodeClimate
* Button design changes
* Change design again
* Cancel note edition when pressing Escape
* Fixes
* Tweak design again
* Move “Add note” item, and allow users to add notes to themselves
* Rename UserNote into AccountNote, rename “comment” Relationship attribute to “note”
|
|
- Change audio files to not be stripped of metadata
- Automatically extract cover art from audio if it exists
- Add `thumbnail` parameter to `POST /api/v1/media`, `POST /api/v2/media` and `PUT /api/v1/media/:id`
- Add `icon` to represent it in attachments in ActivityPub
- Fix `preview_url` containing URL of missing missing image when there is no thumbnail instead of null
- Fix duration of audio not being displayed on public pages until the file is loaded
|
|
|
|
Fixes #14092
|
|
|
|
|
|
* Display appropriate error when performing unpermitted operation on custom emoji
Fixes #13897
* Remove links to custom emoji actions not performable by moderators
|
|
And add `created_at` to encrypted message serializer
|
|
Fixes #13949
|
|
|
|
Fixes #13757
|
|
* Fix sr locale being selected over sr-Latn
* Update tests
|
|
Fix #12613
|
|
* Add remote only to public timeline
* Fix code style
|
|
When attempting to access the log-in page while already logged in,
Devise's `require_no_authentication` kicks in and sets a flash
message “You are already signed in.”
In almost all cases, this also causes a redirect to /web, which
does not display or clear flash messages, thus leaving the message
to a potentially much later date, like for instance, accessing
/preferences several minutes after being redirected to /web.
|
|
Fixes #13612
|
|
|
|
|
|
This is achieved by sending a DELETE request to
/settings/profile/pictures/{avatar,header} via a link that is part of
the upload form's hint of the respective picture.
|
|
|
|
|
|
|
|
|
|
|
|
* Fix 404 and 410 API errors being silently discarded in WebUI
Fixes #13278
* Return more appropriate error when user replies to a deleted toot
* Please CodeClimate
* Fix 404/410 errors on fetching account timelines & identity proofs
* Refactor error handling
* Move error message string to statuses.errors
|
|
in admin UI (#13254)
* Add shortcuts to blacklist a user's e-mail domain in admin UI
* Add option to blacklist resolved MX and IP records for e-mail domains
|
|
|
|
* Change ActivityPub follower/following collections to not link first page
* Add support for hiding followers and following of remote users
* Switch to using a single `hide_collections` column
* Address code style remarks
|
|
(#13210)
Fix #9106
|
|
* Allow deleting site uploads
* Refactor and move links into hints
* Fix i18n tests
* Fix HTML output of site_upload_delete_hint
|
|
|
|
|
|
|
|
|
|
(#13116)
`request.format` is not a symbol but a `Mime::Type`, so the condition actually
never matched, and a session was created even for those requests, preventing
caching.
|
|
form (#13088)
* Fix user agreement not being verified
* Fix tests
* Fix up agreement field being dismissed
|
|
|
|
Fix OEmbed preview API leaking existence of private statuses (see #12930)
|
|
Instead of returning a signature verification error, pretend there
was no signature (i.e., this does not allow access to resources that
need a valid signature), so public resources can still be fetched
Fix #13011
|
|
* Change meaning of /api/v1/announcements/:id/dismiss to mark an announcement as read
* Change how unread announcements are counted in UI
* Add unread marker to announcements and mark announcements as unread as they are displayed
* Fixups
|
|
|
|
Change `all_day` to be a visual client-side cue only
Publish immediately if `scheduled_at` is in the past
Add `published_at` and `updated_at` to announcements JSON
|
|
|
|
While making browser requests in the other sessions after a password
change or reset does not allow you to be logged in and correctly
invalidates the session making the request, sessions have API tokens
associated with them, which can still be used until that session
is invalidated.
This is a security issue for accounts that were already compromised
some other way because it makes it harder to throw out the hijacker.
|
|
Follow-up to #12927
|