about summary refs log tree commit diff
path: root/app/models
AgeCommit message (Collapse)Author
2022-02-01Fix requiring an extra restart after recent post-deployment migrations (#17422)Claire
Follow-up to #16409
2022-01-28Merge branch 'main' into glitch-soc/merge-upstreamClaire
Conflicts: - `Gemfile.lock`: Upstream-updated lib textually too close to glitch-soc-only dep. Updated like upstream.
2022-01-28Fix Sidekiq warnings about JSON serialization (#17381)Claire
* Fix Sidekiq warnings about JSON serialization This occurs on every symbol argument we pass, and every symbol key in hashes, because Sidekiq expects strings instead. See https://github.com/mperham/sidekiq/pull/5071 We do not need to change how workers parse their arguments because this has not changed and we were already converting to symbols adequately or using `with_indifferent_access`. * Set Sidekiq to raise on unsafe arguments in test mode In order to more easily catch issues that would produce warnings in production code.
2022-01-25Change CAPTCHA handling to be only on email verificationClaire
This simplifies the implementation considerably, and while not providing ideal UX, it's the most flexible approach.
2022-01-25Add ability to set hCaptcha either on registration form or on e-mail validationClaire
Upshot of CAPTCHA on e-mail validation is it does not need to break the in-band registration API.
2022-01-24Add optional hCaptcha supportClaire
Fixes #1649 This requires setting `HCAPTCHA_SECRET_KEY` and `HCAPTCHA_SITE_KEY`, then enabling the admin setting at `/admin/settings/edit#form_admin_settings_captcha_enabled` Subsequently, a hCaptcha widget will be displayed on `/about` and `/auth/sign_up` unless: - the user is already signed-up already - the user has used an invite link - the user has already solved the captcha (and registration failed for another reason) The Content-Security-Policy headers are altered automatically to allow the third-party hCaptcha scripts on `/about` and `/auth/sign_up` following the same rules as above.
2022-01-23Merge branch 'main' into glitch-soc/merge-upstreamClaire
Conflicts: - `spec/models/status_spec.rb`: Upstream added tests too close to glitch-soc-specific tests. Kept both tests.
2022-01-23Fix error-prone SQL queries (#15828)Claire
* Fix error-prone SQL queries in Account search While this code seems to not present an actual vulnerability, one could easily be introduced by mistake due to how the query is built. This PR parameterises the `to_tsquery` input to make the query more robust. * Harden code for Status#tagged_with_all and Status#tagged_with_none Those two scopes aren't used in a way that could be vulnerable to an SQL injection, but keeping them unchanged might be a hazard. * Remove unneeded spaces surrounding tsquery term * Please CodeClimate * Move advanced_search_for SQL template to its own function This avoids one level of indentation while making clearer that the SQL template isn't build from all the dynamic parameters of advanced_search_for. * Add tests covering tagged_with, tagged_with_all and tagged_with_none * Rewrite tagged_with_none to avoid multiple joins and make it more robust * Remove obsolete brakeman warnings * Revert "Remove unneeded spaces surrounding tsquery term" The two queries are not strictly equivalent. This reverts commit 86f16c537e06c6ba4a8b250f25dcce9f049023ff.
2022-01-23Remove leftover database columns from Devise::Models::Rememberable (#17191)Claire
* Remove leftover database columns from Devise::Models::Rememberable * Update fix-duplication maintenance script * Improve errors/warnings in the fix-duplicates maintenance script
2022-01-19Merge branch 'main' into glitch-soc/merge-upstreamClaire
Conflicts: - `app/lib/activitypub/activity/create.rb`: Upstream refactored how `Create` activities are handled and how values are extracted from `Create`d objects. This conflicted with how glitch-soc supported the `directMessage` flag to explicitly distinguish between limited and direct messages. Ported glitch-soc's changes to latest upstream changes. - `app/services/fan_out_on_write_service.rb`: Upstream largely refactored that file and changed some of the logic. This conflicted with glitch-soc's handling of the direct timeline and the options to allow replies and boosts in public feeds. Ported those glitch-soc changes on top of latest upstream changes. - `app/services/process_mentions_service.rb`: Upstream refactored to move mention-related ActivityPub deliveries to `ActivityPub::DeliveryWorker`, while glitch-soc contained an extra check to not send local-only toots to remote mentioned users. Took upstream's version, as the check is not needed anymore, since it is performed at the `ActivityPub::DeliveryWorker` call site already. - `app/workers/feed_insert_worker.rb`: Upstream added support for `update` toot events, while glitch-soc had support for an extra timeline support, `direct`. Ported upstream changes and extended them to the `direct` timeline. Additional changes: - `app/lib/activitypub/parser/status_parser.rb`: Added code to handle the `directMessage` flag and take it into account to compute visibility. - `app/lib/feed_manager.rb`: Extended upstream's support of `update` toot events to glitch-soc's `direct` timeline.
2022-01-19Add support for editing for published statuses (#16697)Eugen Rochko
* Add support for editing for published statuses * Fix references to stripped-out code * Various fixes and improvements * Further fixes and improvements * Fix updates being potentially sent to unauthorized recipients * Various fixes and improvements * Fix wrong words in test * Fix notifying accounts that were tagged but were not in the audience * Fix mistake
2022-01-17Merge branch 'main' into glitch-soc/merge-upstreamClaire
Conflicts: - `app/views/admin/reports/show.html.haml`: Conflicts due to glitch-soc's theming system.
2022-01-17Add notifications for statuses deleted by moderators (#17204)Eugen Rochko
2022-01-16Merge branch 'main' into glitch-soc/merge-upstreamClaire
Conflicts: - `README.md`: Upstream added some text, but our README is completely different. Kept our README unchanged.
2022-01-16Remove IP tracking columns from users table (#16409)Eugen Rochko
2021-12-27Merge branch 'main' into glitch-soc/merge-upstreamClaire
Conflicts: - `README.md`: We have completely different contents. Kept our version. - `package.json`: Not a real conflict, just an upstream dependency udpated textually too close to a glitch-soc-only dependency. Updated dependencies like upstream. - `streaming/index.js`: Conflict due to code style changes on parts that were modified in glitch-soc to handle local-only toots. Changed style according to upstream.
2021-12-21Fix duplicate record on admin/accounts when searching with IP (#17150)Jeong Arm
2021-12-18Merge branch 'main' into glitch-soc/merge-upstreamClaire
2021-12-17Add ability for admins to delete canonical email blocks (#16644)Claire
* Add admin option to remove canonical email blocks from a deleted account * Add tootctl canonical_email_blocks to inspect and remove canonical email blocks
2021-12-17Add ability to purge undeliverable domains from admin interface (#16686)Claire
* Add ability to purge undeliverable domains from admin interface * Add tests
2021-12-16Merge branch 'main' into glitch-soc/merge-upstreamClaire
Conflicts: - `app/views/admin/pending_accounts/index.html.haml`: Removed upstream, while it had glitch-soc-specific changes to accomodate for glitch-soc's theming system. Removed the file. Additional changes: - `app/views/admin/accounts/index.html.haml': Accomodate for glitch-soc's theming system.
2021-12-13Change trending hashtags threshold back from 15 to 5 (#17122)Eugen Rochko
2021-12-05Add batch suspend for accounts in admin UI (#17009)Eugen Rochko
2021-11-26Merge branch 'main' into glitch-soc/merge-upstreamClaire
Conflicts: - `.env.production.sample`: Copied upstream changes. - `app/controllers/settings/identity_proofs_controller.rb`: Minor conflict due to glitch-soc's extra “enable_keybase” setting. Upstream removed keybase support altogether, so did the same. - `app/controllers/well_known/keybase_proof_config_controller.rb`: Minor conflict due to glitch-soc's extra “enable_keybase” setting. Upstream removed keybase support altogether, so did the same. - `lib/mastodon/statuses_cli.rb`: Minor conflict due to an optimization that wasn't shared between the two versions. Copied upstream's version.
2021-11-26Remove Keybase integration (#17045)Eugen Rochko
2021-11-26Merge branch 'main' into glitch-soc/merge-upstreamClaire
2021-11-26Revert "Fix trends admin page crashing"Claire
This reverts commit 5f10e64330635bfd609ba5acdd78fa505c12f5b1.
2021-11-26Fix error on trending hashtags/links pages in admin UI due to missing ↵Eugen Rochko
constant (#17044)
2021-11-26Fix trends admin page crashingClaire
2021-11-25Disable trending links review request emailsClaire
2021-11-25Merge branch 'main' into glitch-soc/merge-upstreamClaire
Conflicts: - `app/views/admin/tags/index.html.haml`: Removed upstream while it had changes in glitch-soc to accomodate for the theming system. Additional changes to accomodate for the theming system: - `app/views/admin/trends/links/preview_card_providers/index.html.haml` - `app/views/admin/trends/links/index.html.haml` - `app/views/admin/trends/tags/index.html.haml` - `app/views/admin/tags/show.html.haml`
2021-11-25Merge branch 'main' into glitch-soc/merge-upstreamClaire
2021-11-25Add trending links (#16917)Eugen Rochko
* Add trending links * Add overriding specific links trendability * Add link type to preview cards and only trend articles Change trends review notifications from being sent every 5 minutes to being sent every 2 hours Change threshold from 5 unique accounts to 15 unique accounts * Fix tests
2021-11-24Fix error when suspending user with an already-existing canonical email ↵Claire
block (#17036) * Fix error when suspending user with an already-existing canonical email block Fixes #17033 While attempting to create a `CanonicalEmailBlock` with an existing hash would raise an `ActiveRecord::RecordNotUnique` error, this being done within a transaction would cancel the whole transaction. For this reason, checking for uniqueness in Rails would query the database within the transaction and avoid invalidating the whole transaction for this reason. A race condition is still possible, where multiple accounts sharing a canonical email would be blocked in concurrent transactions, in which only one would succeed, but that is way less likely to happen that the current issue, and can always be retried after the first failure, unlike the current situation. * Add tests
2021-11-19Merge branch 'main' into glitch-soc/merge-upstreamClaire
2021-11-18Bump chewy from 5.2.0 to 7.2.3 (supports Elasticsearch 7.x) (#16915)Takeshi Umeda
* Bump chewy from 5.2.0 to 7.2.2 * fix style (codeclimate) * fix style * fix style * Bump chewy from 7.2.2 to 7.2.3
2021-11-06Merge branch 'main' into glitch-soc/merge-upstreamClaire
2021-11-06Fix reviving revoked sessions and invalidating login (#16943)Claire
Up until now, we have used Devise's Rememberable mechanism to re-log users after the end of their browser sessions. This mechanism relies on a signed cookie containing a token. That token was stored on the user's record, meaning it was shared across all logged in browsers, meaning truly revoking a browser's ability to auto-log-in involves revoking the token itself, and revoking access from *all* logged-in browsers. We had a session mechanism that dynamically checks whether a user's session has been disabled, and would log out the user if so. However, this would only clear a session being actively used, and a new one could be respawned with the `remember_user_token` cookie. In practice, this caused two issues: - sessions could be revived after being closed from /auth/edit (security issue) - auto-log-in would be disabled for *all* browsers after logging out from one of them This PR removes the `remember_token` mechanism and treats the `_session_id` cookie/token as a browser-specific `remember_token`, fixing both issues.
2021-11-06Fix AccountNote not having a maximum length (#16942)Claire
2021-11-05Fix handling announcements with links (#16941)Claire
Broken since #15827
2021-10-25Merge branch 'main' into glitch-soc/merge-upstreamClaire
Conflicts: - `.env.production.sample`: Upstream added new configuration options, uncommented by default. Commented them. - `Gemfile.lock`: Upstream updated dependencies textually close to glitch-soc-specific dependencies. Updated those upstream dependencies.
2021-10-18Add remove from followers api (#16864)Takeshi Umeda
* Add followed_by? to account_interactions * Add RemoveFromFollowersService * Fix AccountBatch to use RemoveFromFollowersService * Add remove from followers API
2021-10-14Merge branch 'main' into glitch-soc/merge-upstreamClaire
Conflicts: - `README.md`: Upstream added some documentation in the README, but our README is pretty different and barebone. Kept our README.
2021-10-14Merge branch 'main' into glitch-soc/merge-upstreamClaire
Conflicts: - `app/controllers/admin/dashboard_controller.rb`: Upstream completely redesigned the admin dashboard. glitch-soc tracked extra features, but that list is gone. Followed upstram. - `app/views/admin/dashboard/index.html.haml` Upstream completely redesigned the admin dashboard. glitch-soc tracked extra features, but that list is gone. Followed upstram.
2021-10-14Allow keeping only 1 boosts/favs on auto deleting posts (#16653)Jeong Arm
* Allow keeping 1 boosts/favs on auto deleting posts * Fix tests
2021-10-14Fix 404 error when filtering admin action logs by non-existent target ↵Claire
account (#16643) Currently, there is no way for an admin to delete an account record. However, should that happen in the future, or should an admin mistype an account id, `/admin/action_logs?target_account_id=<non-existent-account-id>` currently returns a 404 instead of an empty list. With this commit, the aforementioned page returns a correct list instead (potentially non-empty if the account has been manually deleted)
2021-10-14Fix scheduled statuses decreasing statuses counts (#16791)Claire
* Add tests * Fix scheduled statuses decreasing statuses counts Fixes #16774
2021-10-13Merge branch 'main' into glitch-soc/merge-upstreamClaire
Conflicts: - `package.json`: Not really a conflict, just a glitch-soc-only dependency textually too close to an updated upstream one. - `yarn.lock`: Not really a conflict, just a glitch-soc-only dependency textually too close to an updated upstream one.
2021-10-13Fix error when rendering public pages with media attachments (#16763)Claire
* Add tests * Fix error when rendering public pages with media attachments * Add tests * Fix tests * Please CodeClimate
2021-10-06Merge branch 'main' into glitch-soc/merge-upstreamClaire