about summary refs log tree commit diff
path: root/app/views
AgeCommit message (Collapse)Author
2021-04-05Fix SVG files not being correctly included in templates (#16001)Claire
In Rails 6.1, raw file inclusion in templates have to be explicitly marked as HTML-safe, otherwise it's rendered as text.
2021-04-03Add system checks to dashboard in admin UI (#15989)Eugen Rochko
2021-03-19Fix brakeman warning (#15870)Claire
As far as I understand, the brakeman warning was a false-positive as `content_tag` properly escapes untrusted HTML. Furthermore, the interpolated string values are built from the “username” part of accounts, which is restricted to a small subset of ASCII that precludes any XML entity or HTML code. This proposed change should be functionally equivalent to the current code, however it is slightly more robust, it's more idiomatic, and Brakeman will stop complaining about it.
2021-03-19Fix custom CSS when CDN_HOST is set (#15927)Claire
2021-03-15Fix reference to non-existing translation in the exports page. (#15894)Filipe Rodrigues
The exports page showed a different "CSV" capitalisation in the "Bookmarks" row ("Csv") compared to the other rows ("CSV"). This was due to a referece to a translation string that does not exist, `bookmarks.csv`, defaulting to the key's last segment in title case. This issue was introduced in commit dcd86204 (PR #14956). (h/t @meqif for helping with figuring out the bug)
2021-03-12Fix not being able to change world filter expiration back to “Never” ↵Claire
(#15858) Fixes #15849
2021-03-07Fix some ignored brakeman warnings (#15829)Claire
2021-02-24Add inline description of moderation actions in moderation interface (#15792)Claire
2021-02-22Fix server rules not being displayed if extended server discription isn't ↵Claire
set (#15778)
2021-02-21Add server rules (#15769)Eugen Rochko
2021-02-11Use custom mascot on static share page (#15687)Jeong Arm
* Use custom mascot on static share page * Use full_asset_url
2021-01-21Fix Google Translate breaking web interface (#15610)ThibG
- marks the page as a whole as untranslatable - still marks user text as translatable Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2020-12-30Fix expand video on public page (#15469)Takeshi Umeda
2020-12-19Fix missing description on enable bootstrap timeline accounts toggle in ↵Eugen Rochko
admin UI (#15367)
2020-12-18Add option to obfuscate domain name in public list of domain blocks (#15355)Eugen Rochko
- Replace the middle of the domain with * characters (except for periods) - Add SHA-256 digest of the domain name in tooltip
2020-12-15Fix admins being able to suspend their instance actor (#14567)ThibG
* Fix admin being able to suspend their own instance account * Add text about the instance's own actor in admin view * Change instance actor notice from flash message to template * Do not list local instance actor in account moderation list
2020-12-15Change RTL detection to rely on unicode-bidi paragraph by paragraph (#14573)Eugen Rochko
2020-12-15Add "invite request content" display in user account admin page (#15265)Mashiro
* feat: display `invite_request_text` in admin's user account page * fix: move invite_request to the bottom of accounts page * fix: remove time display, remove formate, change code terminology * fix: remove escape
2020-12-15Add indication to admin UI of whether a report has been forwarded (#13237)ThibG
* Add indication to admin UI of whether a report has been forwarded * Rework how forwarded status is displayed Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2020-12-14Add ability to require invite request text (#15326)ThibG
Fixes #15273 Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2020-12-14Fix performance on instances list in admin UI (#15282)Eugen Rochko
- Reduce duplicate queries - Remove n+1 queries - Add accounts count to detailed view - Add separate action log entry for updating existing domain blocks
2020-12-14Change number format on about page from full to shortened (#15327)Eugen Rochko
2020-12-10Add honeypot fields and minimum fill-out time for sign-up form (#15276)ThibG
* Add honeypot fields to limit non-specialized spam Add two honeypot fields: a fake website input and a fake password confirmation one. The label/placeholder/aria-label tells not to fill them, and they are hidden in CSS, so legitimate users should not fall into these. This should cut down on some non-Mastodon-specific spambots. * Require a 3 seconds delay before submitting the registration form * Fix tests * Move registration form time check to model validation * Give people a chance to clear the honeypot fields * Refactor honeypot translation strings Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2020-12-02Change public thread view to hide "Show thread" link (#15266)ThibG
Fixes #15262
2020-11-28Fix omniauth (SAML/CAS) sign-in routes not having CSRF protection (#15228)Eugen Rochko
2020-11-19Add import/export feature for bookmarks (#14956)ThibG
* Add ability to export bookmarks * Add support for importing bookmarks * Add bookmark import tests * Add bookmarks export test
2020-11-12Add interrelationship icon (#15149)Takeshi Umeda
* Add interrelationship icon * Fix arrow for rtl * Fix to predefined color
2020-11-12Add follow selected followers button (#15148)Takeshi Umeda
* Add follow selected followers button * Fix unused variable * Fix i18n normalize
2020-11-06Add subresource integrity for JS and CSS assets (#15096)Eugen Rochko
Fix #2744
2020-11-04Display “Show newer” and “Show older” instead of “Show more” in ↵Mélanie Chauvel
public pages (#15052)
2020-11-04Add account sensitized (#14361)Takeshi Umeda
* Add account sensitized * Fix i18n normalize * Fix description and spec * Fix spec * Fix wording
2020-10-27Make visibility icon clickable as part of the time of a toot (#15053)Mélanie Chauvel
- Makes permalink to a toot more easily clickable - Fix clicking between icon and time in fact clicking the display name - Fix clicking slightly under time in fact clicking the display name
2020-10-13Change how CDN_HOST is passed down to make assets build reproducible (#14381)ThibG
* Change how CDN_HOST is passed down to make assets build reproducible * Change webpacker/webpack configuration to dynamically load publicPath based on meta header * Fix embedded layout missing the cdn-host meta header
2020-10-12Add IP-based rules (#14963)Eugen Rochko
2020-10-08Remove dependency on goldfinger gem (#14919)Eugen Rochko
There are edge cases where requests to certain hosts timeout when using the vanilla HTTP.rb gem, which the goldfinger gem uses. Now that we no longer need to support OStatus servers, webfinger logic is so simple that there is no point encapsulating it in a gem, so we can just use our own Request class. With that, we benefit from more robust timeout code and IPv4/IPv6 resolution. Fix #14091
2020-10-04Fix regressions in icon buttons in web UI (#14915)Eugen Rochko
2020-09-30Add option to disable swiping motions across the WebUI (#13885)ThibG
Fixes #13882
2020-09-24add og:published_time to opengraph meta tags (#14865)Jeremy Rose
2020-09-21Fix method of the DELETE DATA button (#14855)Takeshi Umeda
2020-09-15Change account suspensions to be reversible by default (#14726)Eugen Rochko
2020-09-11Refactor settings controllers (#14767)Eugen Rochko
- Disallow suspended accounts from revoking sessions and apps - Allow suspended accounts to access exports
2020-09-07Changed tag most_used to recently_used (#14760)abcang
2020-08-24Add WebAuthn as an alternative 2FA method (#14466)santiagorodriguez96
* feat: add possibility of adding WebAuthn security keys to use as 2FA This adds a basic UI for enabling WebAuthn 2FA. We did a little refactor to the Settings page for editing the 2FA methods – now it will list the methods that are available to the user (TOTP and WebAuthn) and from there they'll be able to add or remove any of them. Also, it's worth mentioning that for enabling WebAuthn it's required to have TOTP enabled, so the first time that you go to the 2FA Settings page, you'll be asked to set it up. This work was inspired by the one donde by Github in their platform, and despite it could be approached in different ways, we decided to go with this one given that we feel that this gives a great UX. Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com> * feat: add request for WebAuthn as second factor at login if enabled This commits adds the feature for using WebAuthn as a second factor for login when enabled. If users have WebAuthn enabled, now a page requesting for the use of a WebAuthn credential for log in will appear, although a link redirecting to the old page for logging in using a two-factor code will also be present. Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com> * feat: add possibility of deleting WebAuthn Credentials Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com> * feat: disable WebAuthn when an Admin disables 2FA for a user Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com> * feat: remove ability to disable TOTP leaving only WebAuthn as 2FA Following examples form other platforms like Github, we decided to make Webauthn 2FA secondary to 2FA with TOTP, so that we removed the possibility of removing TOTP authentication only, leaving users with just WEbAuthn as 2FA. Instead, users will have to click on 'Disable 2FA' in order to remove second factor auth. The reason for WebAuthn being secondary to TOPT is that in that way, users will still be able to log in using their code from their phone's application if they don't have their security keys with them – or maybe even lost them. * We had to change a little the flow for setting up TOTP, given that now it's possible to setting up again if you already had TOTP, in order to let users modify their authenticator app – given that now it's not possible for them to disable TOTP and set it up again with another authenticator app. So, basically, now instead of storing the new `otp_secret` in the user, we store it in the session until the process of set up is finished. This was because, as it was before, when users clicked on 'Edit' in the new two-factor methods lists page, but then went back without finishing the flow, their `otp_secret` had been changed therefore invalidating their previous authenticator app, making them unable to log in again using TOTP. Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com> * refactor: fix eslint errors The PR build was failing given that linting returning some errors. This commit attempts to fix them. * refactor: normalize i18n translations The build was failing given that i18n translations files were not normalized. This commits fixes that. * refactor: avoid having the webauthn gem locked to a specific version * refactor: use symbols for routes without '/' * refactor: avoid sending webauthn disabled email when 2FA is disabled When an admins disable 2FA for users, we were sending two mails to them, one notifying that 2FA was disabled and the other to notify that WebAuthn was disabled. As the second one is redundant since the first email includes it, we can remove it and send just one email to users. * refactor: avoid creating new env variable for webauthn_origin config * refactor: improve flash error messages for webauthn pages Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com>
2020-08-19Fix client-side form validation not accepting handles with uppercase letters ↵ThibG
(#14599)
2020-08-13Fix hardcoded non-breaking space in public view (#14568)ThibG
2020-08-12Add client-side validation in password change forms (#14564)ThibG
* Fix client-side username validation at registration It used the Account::USERNAME_RE regexp which is for *remote* users, local user validation is stricter. Also take into account max username length. * Add client-side form validation for password change * Add client-side form validation to dedicated registration form Previous changes only applied to the /about page, not the dedicated form on /auth
2020-08-11Add HTML form validation for the registration form (#14560)ThibG
* Add HTML-level validation of username in sign-up form * Make required fields with incorrect values more visible * Enable HTML form validation for the registration form * Mark agreement checkbox as required client-side * Add minimum length to password * Add client-side password confirmation validation
2020-08-02Fix audio/video player not using CDN_HOST in media paths on public pages ↵ThibG
(#14486)
2020-07-09Fix videos on public pages not using custom thumbnails (#14273)Eugen Rochko
2020-07-07Fix hashtag column options styling (#14247)ThibG
* Enable nonces for stylesheets * Pass nonce to react-select