Age | Commit message (Collapse) | Author |
|
Up until now, we have used Devise's Rememberable mechanism to re-log users in
after the end of their browser sessions. This mechanism relies on a signed
cookie containing a token. That token was stored on the user's record,
meaning it was shared across all logged-in browsers, meaning truly revoking
a browser's ability to auto-log-in involved revoking the token itself, and
revoking access from *all* logged-in browsers.
We had a session mechanism that dynamically checked whether a user's session
had been disabled, and would log out the user if so. However, this would only
clear a session being actively used, and a new one could be respawned with
the `remember_user_token` cookie.
In practice, this caused two issues:
- sessions could be revived after being closed from /auth/edit (security issue)
- auto-log-in would be disabled for *all* browsers after logging out from one
of them
This PR removes the `remember_token` mechanism and treats the `_session_id`
cookie/token as a browser-specific `remember_token`, fixing both issues.
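The two designs the commit message contrasts, reduced to an in-memory model. This is an added illustration, not Mastodon's or Devise's code; the class and method names (`SharedRememberTokenUser`, `PerBrowserSessionUser`, `auto_login`, `disable_session`) are assumed, and the real cookie value would of course be signed and compared in constant time by the framework.

```ruby
require 'securerandom'

# Constant-time comparison so a token check does not leak how many leading
# bytes matched (Devise/Rails provide this; reimplemented here to stay
# self-contained).
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Design 1 (the old one): a single remember token on the user record,
# shared by every browser that chose "remember me".
class SharedRememberTokenUser
  attr_reader :remember_token

  def initialize
    @remember_token  = SecureRandom.hex(16)
    @active_sessions = {}
  end

  # A browser presents its remember cookie; any valid token spawns a fresh session.
  def auto_login(cookie_token)
    return nil unless cookie_token && constant_time_equal?(cookie_token, @remember_token)
    sid = SecureRandom.hex(8)
    @active_sessions[sid] = true
    sid
  end

  # "Close" a session from the sessions list: only the live session dies,
  # the remember token that spawned it survives.
  def disable_session(sid)
    @active_sessions.delete(sid)
  end

  # Rotating the token is the only way to stop auto-login, and it stops it
  # for every browser at once.
  def logout
    @remember_token = SecureRandom.hex(16)
  end
end

# Design 2 (the new one): the session id *is* the per-browser remember
# token; each browser holds its own, so revocation is browser-specific.
class PerBrowserSessionUser
  def initialize
    @sessions = {}
  end

  # Returns the value the browser keeps in its cookie.
  def login
    sid = SecureRandom.hex(16)
    @sessions[sid] = true
    sid
  end

  def auto_login(cookie_sid)
    cookie_sid && @sessions.key?(cookie_sid) ? cookie_sid : nil
  end

  def disable_session(sid)
    @sessions.delete(sid)
  end
  alias logout disable_session
end

# Scenario: browsers A and B are both remembered; A's session is closed from
# the sessions page, then A logs out.
def shared_token_outcome
  user   = SharedRememberTokenUser.new
  cookie = user.remember_token          # both browsers hold the same token
  sid_a  = user.auto_login(cookie)
  user.auto_login(cookie)               # browser B
  user.disable_session(sid_a)           # user "closes" browser A's session
  revived = !user.auto_login(cookie).nil?   # A simply comes back: the security issue
  user.logout                           # browser A logs out normally
  b_keeps_auto_login = !user.auto_login(cookie).nil?
  { revived_after_close: revived, other_browser_keeps_auto_login: b_keeps_auto_login }
end

def per_browser_outcome
  user     = PerBrowserSessionUser.new
  cookie_a = user.login
  cookie_b = user.login
  user.disable_session(cookie_a)
  revived = !user.auto_login(cookie_a).nil?          # A stays revoked
  b_keeps_auto_login = !user.auto_login(cookie_b).nil?
  user.logout(cookie_b)                              # touches B only
  { revived_after_close: revived, other_browser_keeps_auto_login: b_keeps_auto_login }
end
```

The check a reviewer wants is the pair of outcomes: with the shared token the closed session is revivable and a single logout kills every browser; with per-browser session ids the closed session stays closed and the other browser is untouched.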
|
|
|
|
Save preview cards under their canonical URL
Increase max redirects to follow from 2 to 3
|
|
Broken since #15827
|
|
|
|
|
|
On the notifications page, in settings, "Show" for the quick filter bar and
unread notification markers use the same string, while being placed in
separate contexts - under different settings categories.
This commit splits the contexts, creating new strings:
- "Show filter bar" in place of "Show" for filter bar;
- "Highlight unread notifications" in place of "Show" for unread
notification markers, which are now simply called "Highlighting";
- There's also "Unread notifications" in place of "Unread notification
markers" string to accompany the changes to "Show" string under that
category.
All new strings have new IDs, which will cause previous strings to
invalidate on the next translation update and new strings to be created.
This will help Mastodon translators to know that there are changes and
improve the translation in accordance with the source string update.
|
|
(#16885)
* Add tests
* Fix some link previews being incorrectly generated from different prior links
PR #12403 added a cache to avoid redundant queries when the OEmbed endpoint can
be guessed from the URL. This caching mechanism is not perfectly correct as
there is no guarantee that all pages from a given domain share the same
OEmbed provider endpoint.
This PR prevents the FetchOEmbedService from caching OEmbed endpoints that
cannot be generalized by replacing a fully-qualified URL from the endpoint's
parameters, greatly reducing the number of incorrect cached generalizations.
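The generalization rule in working form: an endpoint is turned into a per-host template only when the page's own URL appears verbatim as a query parameter value, otherwise nothing is cached. This is an added example, not FetchOEmbedService or the #12403 cache; the names `generalize_oembed_endpoint`, `OEmbedEndpointCache` and the `{url}` placeholder are assumed, and the URLs are constructed.

```ruby
require 'uri'
require 'cgi'

PLACEHOLDER = '{url}'

# Returns a cacheable template, or nil when the endpoint does not carry the
# page URL as a parameter and so cannot be generalised to the whole host
# (an endpoint like .../oembed?id=9 is specific to that page).
def generalize_oembed_endpoint(page_url, endpoint_url)
  base, query = endpoint_url.split('?', 2)
  return nil if query.nil?
  pairs = URI.decode_www_form(query)          # handles escaped and bare URLs alike
  return nil unless pairs.any? { |_k, v| v == page_url }
  rebuilt = pairs.map do |k, v|
    value = v == page_url ? PLACEHOLDER : CGI.escape(v)
    "#{CGI.escape(k)}=#{value}"
  end
  "#{base}?#{rebuilt.join('&')}"
end

# Fill the template for another page on the same host.
def expand_oembed_template(template, page_url)
  template.sub(PLACEHOLDER, CGI.escape(page_url))
end

# Host-keyed cache that only ever stores templates that passed the check.
class OEmbedEndpointCache
  def initialize
    @templates = {}
  end

  # Record what was discovered on page_url; returns the template or nil.
  def remember(page_url, endpoint_url)
    template = generalize_oembed_endpoint(page_url, endpoint_url)
    @templates[URI.parse(page_url).host] = template unless template.nil?
    template
  end

  # Guess the endpoint for a page without fetching it, if we can.
  def lookup(page_url)
    template = @templates[URI.parse(page_url).host]
    template && expand_oembed_template(template, page_url)
  end
end
```

Even with this check the cache still assumes one provider per host; the commit message is explicit that this is a reduction of wrong generalizations, not a guarantee, so a miss on the guessed endpoint must still fall back to fetching the page.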
|
|
* Display sparkline graph on Chrome
* Heatmap auto overflow
* Change grid columns number on small screen
* Please codeclimate bot
* Remove graph height
|
|
* Add support for fetching Create and Announce activities by URI
This should improve compatibility with ZAP and offer a way to fetch boosts,
which is currently not possible.
* Add tests
|
|
* Add followed_by? to account_interactions
* Add RemoveFromFollowersService
* Fix AccountBatch to use RemoveFromFollowersService
* Add remove from followers API
|
|
* New translations en.json (Latvian)
[ci skip]
* New translations en.json (Hebrew)
[ci skip]
* New translations en.json (Hebrew)
[ci skip]
* New translations simple_form.en.yml (Breton)
[ci skip]
* New translations simple_form.en.yml (Breton)
[ci skip]
* New translations simple_form.en.yml (Breton)
[ci skip]
* New translations simple_form.en.yml (Breton)
[ci skip]
* New translations en.json (Icelandic)
[ci skip]
* New translations en.json (Icelandic)
[ci skip]
* New translations en.json (Chinese Simplified)
[ci skip]
* New translations en.yml (Chinese Simplified)
[ci skip]
* New translations en.yml (Chinese Simplified)
[ci skip]
* New translations simple_form.en.yml (Chinese Simplified)
[ci skip]
* New translations devise.en.yml (Chinese Simplified)
[ci skip]
* New translations en.yml (Chinese Simplified)
[ci skip]
* New translations devise.en.yml (Chinese Simplified)
[ci skip]
* New translations en.json (Persian)
[ci skip]
* New translations en.json (Finnish)
[ci skip]
* New translations doorkeeper.en.yml (Finnish)
[ci skip]
* New translations doorkeeper.en.yml (Finnish)
[ci skip]
* New translations doorkeeper.en.yml (Finnish)
[ci skip]
* New translations doorkeeper.en.yml (Finnish)
[ci skip]
* New translations doorkeeper.en.yml (Finnish)
[ci skip]
* New translations en.yml (Finnish)
[ci skip]
* New translations en.yml (Finnish)
[ci skip]
* New translations en.yml (Finnish)
[ci skip]
* New translations en.yml (Finnish)
[ci skip]
* New translations en.yml (Finnish)
[ci skip]
* New translations en.yml (Finnish)
[ci skip]
* New translations en.yml (Finnish)
[ci skip]
* New translations en.yml (Finnish)
[ci skip]
* New translations en.yml (Finnish)
[ci skip]
* New translations en.yml (Finnish)
[ci skip]
* New translations en.yml (Finnish)
[ci skip]
* New translations en.yml (Finnish)
[ci skip]
* New translations en.yml (Finnish)
[ci skip]
* New translations en.yml (Finnish)
[ci skip]
* New translations en.yml (Finnish)
[ci skip]
* New translations en.yml (Finnish)
[ci skip]
* New translations en.yml (Finnish)
[ci skip]
* New translations en.yml (Finnish)
[ci skip]
* New translations en.yml (Finnish)
[ci skip]
* New translations en.yml (Finnish)
[ci skip]
* New translations en.yml (Finnish)
[ci skip]
* New translations en.yml (Finnish)
[ci skip]
* New translations en.yml (Finnish)
[ci skip]
* New translations en.yml (Finnish)
[ci skip]
* New translations en.yml (Finnish)
[ci skip]
* New translations en.yml (Finnish)
[ci skip]
* New translations en.yml (French)
[ci skip]
* New translations en.yml (French)
[ci skip]
* New translations en.json (Russian)
[ci skip]
* New translations en.json (Russian)
[ci skip]
* New translations en.json (Russian)
[ci skip]
* New translations activerecord.en.yml (Latvian)
[ci skip]
* New translations devise.en.yml (Latvian)
[ci skip]
* New translations devise.en.yml (Latvian)
[ci skip]
* New translations devise.en.yml (Latvian)
[ci skip]
* New translations devise.en.yml (Latvian)
[ci skip]
* New translations devise.en.yml (Latvian)
[ci skip]
* New translations devise.en.yml (Latvian)
[ci skip]
* New translations doorkeeper.en.yml (Latvian)
[ci skip]
* New translations en.yml (Slovak)
[ci skip]
* New translations doorkeeper.en.yml (Latvian)
[ci skip]
* New translations en.yml (Slovak)
[ci skip]
* New translations doorkeeper.en.yml (Latvian)
[ci skip]
* New translations doorkeeper.en.yml (Latvian)
[ci skip]
* New translations en.yml (Latvian)
[ci skip]
* New translations en.yml (Latvian)
[ci skip]
* New translations en.yml (Latvian)
[ci skip]
* New translations en.yml (Latvian)
[ci skip]
* New translations en.yml (Latvian)
[ci skip]
* New translations en.yml (Finnish)
[ci skip]
* New translations en.yml (Finnish)
[ci skip]
* New translations en.yml (Finnish)
[ci skip]
* New translations en.yml (Finnish)
[ci skip]
* New translations en.yml (Esperanto)
[ci skip]
* New translations en.yml (Esperanto)
[ci skip]
* New translations devise.en.yml (Latvian)
[ci skip]
* New translations devise.en.yml (Latvian)
[ci skip]
* New translations devise.en.yml (Latvian)
[ci skip]
* New translations devise.en.yml (Latvian)
[ci skip]
* New translations devise.en.yml (Latvian)
[ci skip]
* New translations doorkeeper.en.yml (Latvian)
[ci skip]
* New translations doorkeeper.en.yml (Latvian)
[ci skip]
* New translations doorkeeper.en.yml (Latvian)
[ci skip]
* New translations doorkeeper.en.yml (Latvian)
[ci skip]
* New translations devise.en.yml (Latvian)
[ci skip]
* New translations simple_form.en.yml (Latvian)
[ci skip]
* New translations simple_form.en.yml (Latvian)
[ci skip]
* New translations simple_form.en.yml (Latvian)
[ci skip]
* New translations simple_form.en.yml (Latvian)
[ci skip]
* New translations simple_form.en.yml (Latvian)
[ci skip]
* New translations simple_form.en.yml (Latvian)
[ci skip]
* New translations simple_form.en.yml (Latvian)
[ci skip]
* New translations simple_form.en.yml (Latvian)
[ci skip]
* New translations en.yml (Slovak)
[ci skip]
* New translations simple_form.en.yml (Latvian)
[ci skip]
* New translations simple_form.en.yml (Slovak)
[ci skip]
* New translations simple_form.en.yml (Latvian)
[ci skip]
* New translations simple_form.en.yml (Latvian)
[ci skip]
* New translations simple_form.en.yml (Latvian)
[ci skip]
* New translations simple_form.en.yml (Latvian)
[ci skip]
* New translations simple_form.en.yml (Latvian)
[ci skip]
* New translations simple_form.en.yml (Latvian)
[ci skip]
* New translations simple_form.en.yml (Latvian)
[ci skip]
* New translations simple_form.en.yml (Latvian)
[ci skip]
* New translations simple_form.en.yml (Latvian)
[ci skip]
* New translations simple_form.en.yml (Latvian)
[ci skip]
* New translations simple_form.en.yml (Latvian)
[ci skip]
* New translations simple_form.en.yml (Latvian)
[ci skip]
* New translations simple_form.en.yml (Latvian)
[ci skip]
* New translations en.yml (Latvian)
[ci skip]
* New translations en.yml (Latvian)
[ci skip]
* New translations en.yml (Latvian)
[ci skip]
* New translations en.yml (Latvian)
[ci skip]
* New translations en.yml (Latvian)
[ci skip]
* New translations en.yml (Latvian)
[ci skip]
* New translations en.yml (Latvian)
[ci skip]
* New translations en.yml (Latvian)
[ci skip]
* New translations en.yml (Latvian)
[ci skip]
* New translations en.yml (Latvian)
[ci skip]
* New translations en.yml (Latvian)
[ci skip]
* New translations en.yml (Latvian)
[ci skip]
* New translations en.yml (Latvian)
[ci skip]
* New translations en.yml (Armenian)
[ci skip]
* New translations en.json (Danish)
[ci skip]
* New translations en.yml (Arabic)
[ci skip]
* New translations en.yml (Catalan)
[ci skip]
* New translations en.yml (Czech)
[ci skip]
* New translations en.yml (Danish)
[ci skip]
* New translations en.yml (Spanish)
[ci skip]
* New translations en.yml (German)
[ci skip]
* New translations en.yml (Greek)
[ci skip]
* New translations en.yml (Basque)
[ci skip]
* New translations en.yml (Hungarian)
[ci skip]
* New translations en.yml (Slovak)
[ci skip]
* New translations en.yml (Persian)
[ci skip]
* New translations en.yml (Swedish)
[ci skip]
* New translations en.yml (French)
[ci skip]
* New translations en.yml (Chinese Simplified)
[ci skip]
* New translations en.yml (Finnish)
[ci skip]
* New translations en.yml (Latvian)
[ci skip]
* New translations en.yml (Italian)
[ci skip]
* New translations en.yml (Sinhala)
[ci skip]
* New translations en.yml (Sardinian)
[ci skip]
* New translations en.yml (Esperanto)
[ci skip]
* New translations en.yml (Vietnamese)
[ci skip]
* New translations en.yml (Turkish)
[ci skip]
* New translations en.yml (Ukrainian)
[ci skip]
* New translations en.yml (Chinese Traditional)
[ci skip]
* New translations en.yml (Galician)
[ci skip]
* New translations en.yml (Icelandic)
[ci skip]
* New translations en.yml (Portuguese, Brazilian)
[ci skip]
* New translations en.yml (Indonesian)
[ci skip]
* New translations en.yml (Tamil)
[ci skip]
* New translations en.yml (Spanish, Argentina)
[ci skip]
* New translations en.yml (Serbian (Cyrillic))
[ci skip]
* New translations en.yml (Albanian)
[ci skip]
* New translations en.yml (Japanese)
[ci skip]
* New translations en.yml (Georgian)
[ci skip]
* New translations en.yml (Korean)
[ci skip]
* New translations en.yml (Lithuanian)
[ci skip]
* New translations en.yml (Dutch)
[ci skip]
* New translations en.yml (Norwegian)
[ci skip]
* New translations en.yml (Polish)
[ci skip]
* New translations en.yml (Portuguese)
[ci skip]
* New translations en.yml (Russian)
[ci skip]
* New translations en.yml (Slovenian)
[ci skip]
* New translations en.yml (Spanish, Mexico)
[ci skip]
* New translations en.yml (Norwegian Nynorsk)
[ci skip]
* New translations en.yml (Estonian)
[ci skip]
* New translations en.yml (Kazakh)
[ci skip]
* New translations en.json (Norwegian Nynorsk)
[ci skip]
* New translations en.yml (Thai)
[ci skip]
* New translations en.yml (Bengali)
[ci skip]
* New translations en.yml (Asturian)
[ci skip]
* New translations en.yml (Scottish Gaelic)
[ci skip]
* New translations en.yml (Occitan)
[ci skip]
* New translations en.json (Kurmanji (Kurdish))
[ci skip]
* New translations en.yml (Kurmanji (Kurdish))
[ci skip]
* New translations en.json (Sorani (Kurdish))
[ci skip]
* New translations en.yml (Breton)
[ci skip]
* New translations en.yml (Malay)
[ci skip]
* New translations en.yml (Welsh)
[ci skip]
* New translations en.yml (Chinese Traditional, Hong Kong)
[ci skip]
* New translations en.yml (Tatar)
[ci skip]
* New translations en.yml (Malayalam)
[ci skip]
* New translations en.yml (Sorani (Kurdish))
[ci skip]
* New translations en.yml (Corsican)
[ci skip]
* New translations en.yml (Kabyle)
[ci skip]
* New translations en.yml (Catalan)
[ci skip]
* New translations en.yml (Polish)
[ci skip]
* New translations en.yml (Russian)
[ci skip]
* New translations en.yml (Russian)
[ci skip]
* New translations en.yml (Catalan)
[ci skip]
* New translations en.yml (Kurmanji (Kurdish))
[ci skip]
* New translations en.json (Russian)
[ci skip]
* New translations en.yml (Czech)
[ci skip]
* New translations en.json (Russian)
[ci skip]
* New translations en.yml (Czech)
[ci skip]
* New translations en.yml (Czech)
[ci skip]
* New translations en.yml (Turkish)
[ci skip]
* New translations en.yml (Occitan)
[ci skip]
* New translations en.yml (Czech)
[ci skip]
* New translations en.yml (Kurmanji (Kurdish))
[ci skip]
* New translations en.yml (Czech)
[ci skip]
* New translations en.yml (Danish)
[ci skip]
* New translations en.yml (Danish)
[ci skip]
* New translations en.yml (Kurmanji (Kurdish))
[ci skip]
* New translations en.yml (Norwegian)
[ci skip]
* New translations en.yml (Kurmanji (Kurdish))
[ci skip]
* New translations en.yml (Chinese Traditional)
[ci skip]
* New translations en.yml (Galician)
[ci skip]
* New translations en.yml (Galician)
[ci skip]
* New translations en.yml (French)
[ci skip]
* New translations en.yml (French)
[ci skip]
* New translations en.yml (Chinese Traditional)
[ci skip]
* New translations en.yml (Hungarian)
[ci skip]
* New translations en.yml (Albanian)
[ci skip]
* New translations en.yml (Albanian)
[ci skip]
* New translations en.yml (Ukrainian)
[ci skip]
* New translations en.yml (Latvian)
[ci skip]
* New translations en.yml (Latvian)
[ci skip]
* New translations en.yml (Latvian)
[ci skip]
* New translations en.yml (Portuguese)
[ci skip]
* New translations en.yml (Latvian)
[ci skip]
* New translations en.json (Portuguese)
[ci skip]
* New translations en.yml (Portuguese)
[ci skip]
* New translations en.yml (Latvian)
[ci skip]
* New translations en.yml (Latvian)
[ci skip]
* New translations en.yml (Latvian)
[ci skip]
* New translations en.yml (Latvian)
[ci skip]
* New translations en.yml (Latvian)
[ci skip]
* New translations en.yml (Latvian)
[ci skip]
* New translations en.yml (Latvian)
[ci skip]
* New translations en.yml (Latvian)
[ci skip]
* New translations en.yml (Latvian)
[ci skip]
* New translations en.yml (Latvian)
[ci skip]
* New translations en.yml (Latvian)
[ci skip]
* New translations en.yml (Spanish)
[ci skip]
* New translations en.yml (Hungarian)
[ci skip]
* New translations en.yml (Italian)
[ci skip]
* New translations en.yml (Indonesian)
[ci skip]
* New translations en.yml (Indonesian)
[ci skip]
* New translations devise.en.yml (French)
[ci skip]
* Run `i18n-tasks normalize`
* Run `yarn manage:translations`
* Trim unnecessary line breaks
Co-authored-by: Yamagishi Kazutoshi <ykzts@desire.sh>
|
|
|
|
* Allow keeping 1 boost/fav on auto-deleting posts
* Fix tests
|
|
Reduce constant memory usage by ~100kB and further reduce boot-up memory
allocations and temporary memory use by a further ~200kB.
|
|
|
|
project started on Crowdin. (#16548)
|
|
account (#16643)
Currently, there is no way for an admin to delete an account record. However,
should that happen in the future, or should an admin mistype an account id,
`/admin/action_logs?target_account_id=<non-existent-account-id>` currently
returns a 404 instead of an empty list.
With this commit, the aforementioned page returns a correct list instead
(potentially non-empty if the account has been manually deleted)
|
|
|
|
* Add tests
* Fix scheduled statuses decreasing statuses counts
Fixes #16774
|
|
* Add tests
* Fix error when rendering public pages with media attachments
* Add tests
* Fix tests
* Please CodeClimate
|
|
Adds a tooltip when hovering over the percentages in a poll showing how
many votes were cast for that option.
Also removes descriptions from messages here since they are not picked
up by Crowdin anyway and might be confusing to other developers :)
Fixes #16820
|
|
(#16819)
* Fix media attachment size validation not correctly accounting for file type
Fixes a regression introduced in #16724 caused by the fact that kt-paperclip
now correctly runs validations before processing, meaning that file size
verification could not rely on our before_post_processing hook.
Moved the `before_post_processing` hooks to `before_validate` to make sure
the media attachment type is set correctly before the file gets validated.
* Add tests
|
|
* Make focus visible on switches and text buttons in columns settings
* Make hover/focus visible on left/right arrows in columns settings
Use same style as for status action bar (reply/boost/fav/etc.)
* Tab first to “Pin/Unpin” before left/right arrows in columns settings
|
|
* Add tests
* Fix webauthn secure key authentication
Fixes #16769
|
|
|
|
* Switch from unmaintained paperclip to kt-paperclip
* Drop some compatibility monkey-patches not required by kt-paperclip
* Drop media spoof check monkey-patching
It's broken with kt-paperclip and hopefully it won't be needed anymore
* Fix regression introduced by paperclip 6.1.0
* Do not rely on pathname to call FastImage
* Add test for ogg vorbis file with cover art
* Add audio/vorbis to the accepted content-types
This seems erroneous as this would be the content-type for a vorbis stream
without an ogg container, but that's what the `marcel` gem outputs, so…
* Restore missing for_as_default method
* Refactor Attachmentable concern and delay Paperclip's content-type spoof check
Check for content-type spoofing *after* setting the extension ourselves, this
fixes a regression with kt-paperclip's validations being more strict than
paperclip 6.0.0 and rejecting some Pleroma uploads because of unknown
extensions.
* Please CodeClimate
* Add audio/vorbis to the unreliable set
It doesn't correspond to a file format and thus has no extension associated.
|
|
* Fix incorrect use of old WebUI paths
PR #16171 renamed some routes but missed some occurrences.
Without #16772, this leads to unreachable routes in those cases.
* Fix floating action button being displayed on statuses and compose screen
|
|
* Add aliases for some WebUI routes that were renamed in #16171
Accounts and statuses routes need more work as they use different parameters.
* Add aliases for /statuses/* routes
* Add aliases for /accounts/* WebUI routes
Does not correctly set the “active” state on the navigation tabs but this is
a minor issue.
* Fix some routes
* Fix /accounts/:id/{media,followers,following} not loading on legacy routes
|
|
Eliminate need to have custom notifications filtering logic in the
streaming API code by publishing notifications into a separate stream
and then simply using the multi-stream capability to subscribe to that
stream when necessary
|
|
|
|
(#16744)
Follow-up to #16510, forgot the controller exposing the actual followers…
|
|
* Stop setting a shortcode to newly-created media attachments
The WebUI stopped using the “short media URL” ages ago. This isn't used
anywhere except for mail notifications.
Deprecating it would allow us to eventually get rid of at least a database
column and corruption-prone index, as well as a controller.
* Fix tests
|
|
Use relative path for `scope` in web manifest to allow users to use the PWA correctly via alternate domains.
|
|
Fixes #16699
|
|
Fixes #16602
|
|
|
|
(#16607)
* Add tests
* Add security-related tests
My first (unpublished) attempt at fixing the issues introduced (extremely
hard-to-exploit) security vulnerabilities; this commit addresses them in a test.
* Fix authentication failures after going halfway through a sign-in attempt
* Refactor `authenticate_with_sign_in_token` and `authenticate_with_two_factor` to make the two authentication steps more obvious
|
|
|
|
The addition of authentication history broke the omniauth login with
the following error:
method=GET path=/auth/auth/cas/callback format=html
controller=Auth::OmniauthCallbacksController action=cas status=500
error='NameError: undefined local variable or method `user' for
#<Auth::OmniauthCallbacksController:0x00000000036290>
Did you mean? @user' duration=435.93 view=0.00 db=36.19
* app/controllers/auth/omniauth_callbacks_controller.rb: fix variable
name to `@user`
|
|
|
|
* Fix remotely-suspended accounts' toots being merged back into timelines
* Mark remotely-deleted accounts as remotely suspended
|
|
Fix issue #16603: undefined method `serialize_payload' for Unsuspend Account Service error.
It seems that this service forgot to `include Payloadable`, so `serialize_payload` could not be found in this service.
|
|
* Refactor AttachmentList
* Do not crash if a notification contains an unprocessed media attachment
Fixes #16530
* Fix spacing in compact form
|
|
Fixes #16571
|
|
(#16510)
* Fix followers synchronization mechanism not working when URI has empty path
To my knowledge, there is no current implementation on the fediverse
that can use bare domains (e.g., actor is at https://example.org instead of
something like https://example.org/actor) that also plans to support the
followers synchronization mechanism. However, Mastodon's current implementation
would exclude such accounts from the followers list.
Also adds tests and renames them to reflect the proper method names.
* Move url prefix regexp to its own constant
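The prefix problem the commit describes, as an added illustration rather than Mastodon's code: deriving an actor's origin from its URI so that follower URIs can be matched against it, with the bare-domain case (empty path) handled. `URL_PREFIX_RE`, `uri_prefix`, `followers_for_sync` and the sample URIs are assumed and constructed; `naive_uri_prefix` is a deliberately wrong shortcut shown for contrast, and the XOR-of-SHA-256 digest is my reading of the Collection-Synchronization scheme, not a quote of the project's implementation.

```ruby
require 'digest'

# Scheme and host only. Matches https://example.org/users/alice and a
# bare-domain actor such as https://example.org (empty path) alike.
URL_PREFIX_RE = %r{\Ahttps?://[^/]+}

def uri_prefix(actor_uri)
  actor_uri[URL_PREFIX_RE]
end

# Tempting shortcut: strip the last path segment. On a bare domain the only
# slash left to strip is the one in "//", so the host is eaten.
def naive_uri_prefix(actor_uri)
  actor_uri.sub(%r{/[^/]*\z}, '')
end

# The separator matters: "https://example.org" must not be treated as the
# origin of "https://example.org.evil/...".
def same_origin?(prefix, uri)
  uri == prefix || uri.start_with?("#{prefix}/")
end

# Follower URIs that live on the actor's origin and therefore belong in the
# synchronisation set; a bare-domain follower is no longer dropped.
def followers_for_sync(follower_uris, actor_uri)
  prefix = uri_prefix(actor_uri)
  return [] if prefix.nil?
  follower_uris.select { |uri| same_origin?(prefix, uri) }
end

# Order-independent digest over the set: XOR of each URI's SHA-256, hex-encoded
# (assumed scheme, see lead-in). An empty set digests to all zeros.
def followers_digest(follower_uris)
  acc = ("\x00" * 32).b
  follower_uris.each do |uri|
    acc = acc.bytes.zip(Digest::SHA256.digest(uri).bytes).map { |x, y| x ^ y }.pack('C*')
  end
  acc.unpack1('H*')
end
```

A practitioner checking this should also note the `same_origin?` test: a prefix match without the trailing slash would let `https://example.org.evil` pass as part of `https://example.org`, which is exactly the kind of cross-origin confusion a followers-synchronisation check exists to prevent.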
|
|
* Add test
* Fix crash when encountering invalid account fields
|
|
* Add account statuses cleanup policy model
* Record last inspected toot to delete to speed up successive calls to statuses_to_delete
* Add service to cleanup a given account's statuses within a budget
* Add worker to go through account policies and delete old toots
* Fix last inspected status id logic
All existing statuses older or equal to last inspected status id must be
kept by the current policy. This is an invariant that must be kept so that
resuming deletion from the last inspected status remains sound.
* Add tests
* Refactor scheduler and add tests
* Add user interface
* Add support for discriminating based on boosts/favs
* Add UI support for min_reblogs and min_favs, rework UI
* Address first round of review comments
* Replace Snowflake#id_at_start with with_random parameter
* Add tests
* Add tests for StatusesCleanupController
* Rework settings page
* Adjust load-avoiding mechanisms
* Please CodeClimate
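The "last inspected status" invariant from this commit message, worked through on constructed data. This is an added example, not Mastodon's cleanup policy, service or worker; `Status`, `Policy`, `cleanup_run`, `invariant_holds?`, the policy fields and the sample timestamps (plain integers) are all assumed. The sound version stops at the age boundary and never moves the cursor past an uninspected status; the unsound variant is included to show how the invariant breaks.

```ruby
Status = Struct.new(:id, :created_at, :reblogs, :favs, :pinned, keyword_init: true)
Policy = Struct.new(:min_age, :min_reblogs, :min_favs, :keep_pinned, keyword_init: true)

# Does the current policy keep this status? Age is time-dependent; the
# engagement thresholds only ever move a status towards "kept" as counts grow.
def kept_by_policy?(status, policy, now)
  return true if now - status.created_at < policy.min_age
  return true if policy.keep_pinned && status.pinned
  return true if policy.min_reblogs && status.reblogs >= policy.min_reblogs
  return true if policy.min_favs && status.favs >= policy.min_favs
  false
end

# One budgeted pass. Returns [ids_to_delete, new_cursor]. The cursor only moves
# over statuses that were actually inspected, and never past the age boundary,
# because a too-young status becomes eligible on a later run.
def cleanup_run(statuses, policy, now, budget, last_inspected)
  deleted = []
  cursor  = last_inspected
  statuses.sort_by(&:id).each do |s|
    next  if s.id <= cursor                          # inspected on an earlier run
    break if deleted.size >= budget                  # out of budget: leave cursor here
    break if now - s.created_at < policy.min_age     # stop, do not skip
    deleted << s.id unless kept_by_policy?(s, policy, now)
    cursor = s.id                                    # inspected, kept or deleted
  end
  [deleted, cursor]
end

# Unsound variant: too-young statuses are skipped instead of stopping, so the
# cursor passes them and they are stranded once they age past min_age.
def cleanup_run_unsound(statuses, policy, now, budget, last_inspected)
  deleted = []
  cursor  = last_inspected
  statuses.sort_by(&:id).each do |s|
    next  if s.id <= cursor
    break if deleted.size >= budget
    deleted << s.id unless kept_by_policy?(s, policy, now)
    cursor = s.id
  end
  [deleted, cursor]
end

# The invariant stated in the commit message: every surviving status at or
# below the cursor is one the current policy keeps.
def invariant_holds?(statuses, policy, now, cursor)
  statuses.select { |s| s.id <= cursor }.all? { |s| kept_by_policy?(s, policy, now) }
end

# Constructed sample data: ids increase with creation time.
SAMPLE = [
  Status.new(id: 1, created_at: 100, reblogs: 0, favs: 0, pinned: false),
  Status.new(id: 2, created_at: 200, reblogs: 5, favs: 0, pinned: false),
  Status.new(id: 3, created_at: 300, reblogs: 0, favs: 1, pinned: false),
  Status.new(id: 4, created_at: 400, reblogs: 0, favs: 0, pinned: true),
  Status.new(id: 5, created_at: 500, reblogs: 1, favs: 0, pinned: false),
  Status.new(id: 6, created_at: 950, reblogs: 0, favs: 0, pinned: false),
].freeze
POLICY = Policy.new(min_age: 100, min_reblogs: 3, min_favs: 3, keep_pinned: true)
NOW    = 1000

# Two resumed runs, two deletions of budget each; returns
# [[deleted_ids, cursor, invariant_ok], ...] per run.
def simulate
  statuses = SAMPLE.dup
  cursor   = 0
  log      = []
  2.times do
    deleted, cursor = cleanup_run(statuses, POLICY, NOW, 2, cursor)
    statuses = statuses.reject { |s| deleted.include?(s.id) }
    log << [deleted, cursor, invariant_holds?(statuses, POLICY, NOW, cursor)]
  end
  log
end

# Run the unsound variant once, then re-check the invariant 500s later.
def unsound_invariant_later
  deleted, cursor = cleanup_run_unsound(SAMPLE, POLICY, NOW, 10, 0)
  remaining = SAMPLE.reject { |s| deleted.include?(s.id) }
  invariant_holds?(remaining, POLICY, NOW + 500, cursor)
end
```

One caveat the model makes visible: the cursor is only sound for rules that are monotonic over time. Age and pinning-at-inspection behave; a favourite count can go down again after inspection, so a status kept today for its favourites and left behind the cursor is not revisited by this scheme.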
|
|
|
|
|