| Age | Commit message (Collapse) | Author |
|---|
|
Conflicts:
- `config/environments/production.rb`:
Upstream changed a header but we had different default headers.
Applied the same change, and also dropped HSTS headers redundant with
Rails'.
|
|
Because `FanOutOnWriteService#update?` was broken, edits were considered as new
toots and a regular `update` payload was sent.
|
|
Fix #17344
|
|
|
|
This simplifies the implementation considerably, and while not providing
ideal UX, it's the most flexible approach.
|
|
Upshot of CAPTCHA on e-mail validation is it does not need to break the in-band
registration API.
|
|
This is to avoid apps trying and failing at using the registrations API,
which does not let us require a CAPTCHA and cannot be clearly signaled as
unavailable.
|
|
|
|
|
|
|
|
Fixes #1649
This requires setting `HCAPTCHA_SECRET_KEY` and `HCAPTCHA_SITE_KEY`, then
enabling the admin setting at
`/admin/settings/edit#form_admin_settings_captcha_enabled`
Subsequently, a hCaptcha widget will be displayed on `/about` and
`/auth/sign_up` unless:
- the user is already signed-up already
- the user has used an invite link
- the user has already solved the captcha (and registration failed for another
reason)
The Content-Security-Policy headers are altered automatically to allow the
third-party hCaptcha scripts on `/about` and `/auth/sign_up` following the same
rules as above.
|
|
|
|
Port a63495230a3a28e022504f36356cd75b17b635ba to glitch-soc
Signed-off-by: Claire <claire.github-309c@sitedethib.com>
|
|
Port 3a103cd317fd56aca27fca01e03647df44e3ffd2 to glitch-soc
Signed-off-by: Claire <claire.github-309c@sitedethib.com>
|
|
Conflicts:
- `spec/models/status_spec.rb`:
Upstream added tests too close to glitch-soc-specific tests.
Kept both tests.
|
|
* Fix error-prone SQL queries in Account search
While this code seems to not present an actual vulnerability, one could
easily be introduced by mistake due to how the query is built.
This PR parameterises the `to_tsquery` input to make the query more robust.
* Harden code for Status#tagged_with_all and Status#tagged_with_none
Those two scopes aren't used in a way that could be vulnerable to an SQL
injection, but keeping them unchanged might be a hazard.
* Remove unneeded spaces surrounding tsquery term
* Please CodeClimate
* Move advanced_search_for SQL template to its own function
This avoids one level of indentation while making clearer that the SQL template
isn't build from all the dynamic parameters of advanced_search_for.
* Add tests covering tagged_with, tagged_with_all and tagged_with_none
* Rewrite tagged_with_none to avoid multiple joins and make it more robust
* Remove obsolete brakeman warnings
* Revert "Remove unneeded spaces surrounding tsquery term"
The two queries are not strictly equivalent.
This reverts commit 86f16c537e06c6ba4a8b250f25dcce9f049023ff.
|
|
|
|
* Remove support for OAUTH_REDIRECT_AT_SIGN_IN
Fixes #15959
Introduced in #6540, OAUTH_REDIRECT_AT_SIGN_IN allowed skipping the log-in form
to instead redirect to the external OmniAuth login provider.
However, it did not prevent the log-in form on /about introduced by #10232 from
appearing, and completely broke with the introduction of #15228.
As I restoring that previous log-in flow without introducing a security
vulnerability may require extensive care and knowledge of how OmniAuth works,
this commit removes support for OAUTH_REDIRECT_AT_SIGN_IN instead for the time
being.
* Add OMNIAUTH_ONLY environment variable to enforce external log-in only
* Disable user registration when OMNIAUTH_ONLY is set to true
* Replace log-in links When OMNIAUTH_ONLY is set with exactly one OmniAuth provider
|
|
Fixes #15959
Introduced in #6540, OAUTH_REDIRECT_AT_SIGN_IN allowed skipping the log-in form
to instead redirect to the external OmniAuth login provider.
However, it did not prevent the log-in form on /about introduced by #10232 from
appearing, and completely broke with the introduction of #15228.
As I restoring that previous log-in flow without introducing a security
vulnerability may require extensive care and knowledge of how OmniAuth works,
this commit removes support for OAUTH_REDIRECT_AT_SIGN_IN instead for the time
being.
|
|
* Remove leftover database columns from Devise::Models::Rememberable
* Update fix-duplication maintenance script
* Improve errors/warnings in the fix-duplicates maintenance script
|
|
Fixes #17295
|
|
* Add edited toot flag on public pages
* Add toot edit flag to admin pages
|
|
|
|
Port front-end changes from 1060666c583670bb3b89ed5154e61038331e30c3 to glitch-soc
Signed-off-by: Claire <claire.github-309c@sitedethib.com>
|
|
|
|
Conflicts:
- `app/lib/activitypub/activity/create.rb`:
Upstream refactored how `Create` activities are handled and how values are
extracted from `Create`d objects. This conflicted with how glitch-soc
supported the `directMessage` flag to explicitly distinguish between
limited and direct messages.
Ported glitch-soc's changes to latest upstream changes.
- `app/services/fan_out_on_write_service.rb`:
Upstream largely refactored that file and changed some of the logic.
This conflicted with glitch-soc's handling of the direct timeline and
the options to allow replies and boosts in public feeds.
Ported those glitch-soc changes on top of latest upstream changes.
- `app/services/process_mentions_service.rb`:
Upstream refactored to move mention-related ActivityPub deliveries to
`ActivityPub::DeliveryWorker`, while glitch-soc contained an extra check
to not send local-only toots to remote mentioned users.
Took upstream's version, as the check is not needed anymore, since it is
performed at the `ActivityPub::DeliveryWorker` call site already.
- `app/workers/feed_insert_worker.rb`:
Upstream added support for `update` toot events, while glitch-soc had
support for an extra timeline support, `direct`.
Ported upstream changes and extended them to the `direct` timeline.
Additional changes:
- `app/lib/activitypub/parser/status_parser.rb`:
Added code to handle the `directMessage` flag and take it into account
to compute visibility.
- `app/lib/feed_manager.rb`:
Extended upstream's support of `update` toot events to glitch-soc's
`direct` timeline.
|
|
Regression from #16697
|
|
Regression from #16697
|
|
* Add support for editing for published statuses
* Fix references to stripped-out code
* Various fixes and improvements
* Further fixes and improvements
* Fix updates being potentially sent to unauthorized recipients
* Various fixes and improvements
* Fix wrong words in test
* Fix notifying accounts that were tagged but were not in the audience
* Fix mistake
|
|
Merge upstream changes
|
|
|
|
Related: #16954
|
|
ClearlyClaire/glitch-soc/features/themes-multiple-packs
Refactor glitch-soc's theme handling
|
|
|
|
|
|
|
|
Port front-end changes from 14f436c457560862fafabd753eb314c8b8a8e674 to glitch-soc
Signed-off-by: Claire <claire.github-309c@sitedethib.com>
|
|
Conflicts:
- `app/views/admin/reports/show.html.haml`:
Conflicts due to glitch-soc's theming system.
|
|
|
|
|
|
Port JS changes from d5c9feb7b7fc489afbd0a287431fe07b42451ef0 to glitch-soc
Signed-off-by: Claire <claire.github-309c@sitedethib.com>
|
|
Conflicts:
- `app/controllers/accounts_controller.rb`:
Upstream introduced support for private pinned toots, but glitch-soc's query
was a bit different as it filtered out local-only toots.
Used upstream's query, while adding local-only filtering back.
- `app/controllers/activitypub/collections_controller.rb`:
Same thing with regards to local-only posts.
- `app/validators/status_pin_validator.rb`:
Not a real conflict, but the line below was different in glitch-soc due to
the configurable pinned toots limit.
|
|
* Add support for private pinned toots
* Allow local user to pin private toots
* Change wording to avoid "direct message"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
