about summary refs log tree commit diff
path: root/config/initializers
AgeCommit message (Collapse)Author
2022-02-21Merge branch 'main' into glitch-soc/merge-upstreamClaire
2022-02-21Fix error when trying to register (#17600)Claire
2022-02-19Merge branch 'main' into glitch-soc/merge-upstreamClaire
2022-02-18Avoid return within block (#17590)zunda
This prevents the error: LocalJumpError (unexpected return)
2022-02-18Throttle IPv6 signup for subnet (#17588)Jeong Arm
2022-01-23Merge branch 'main' into glitch-soc/merge-upstreamClaire
Conflicts: - `spec/models/status_spec.rb`: Upstream added tests too close to glitch-soc-specific tests. Kept both tests.
2022-01-23Remove support for OAUTH_REDIRECT_AT_SIGN_IN (#17287)Claire
Fixes #15959 Introduced in #6540, OAUTH_REDIRECT_AT_SIGN_IN allowed skipping the log-in form to instead redirect to the external OmniAuth login provider. However, it did not prevent the log-in form on /about introduced by #10232 from appearing, and completely broke with the introduction of #15228. As I restoring that previous log-in flow without introducing a security vulnerability may require extensive care and knowledge of how OmniAuth works, this commit removes support for OAUTH_REDIRECT_AT_SIGN_IN instead for the time being.
2022-01-16Merge branch 'main' into glitch-soc/merge-upstreamClaire
Conflicts: - `README.md`: Upstream added some text, but our README is completely different. Kept our README unchanged.
2022-01-16Remove IP tracking columns from users table (#16409)Eugen Rochko
2022-01-10Fix media API limit (#17272)Jeong Arm
2021-12-27Merge branch 'main' into glitch-soc/merge-upstreamClaire
Conflicts: - `README.md`: We have completely different contents. Kept our version. - `package.json`: Not a real conflict, just an upstream dependency udpated textually too close to a glitch-soc-only dependency. Updated dependencies like upstream. - `streaming/index.js`: Conflict due to code style changes on parts that were modified in glitch-soc to handle local-only toots. Changed style according to upstream.
2021-12-27Fix warnings on Rails boot (#16946)Eugen Rochko
2021-11-26Merge branch 'main' into glitch-soc/merge-upstreamClaire
Conflicts: - `.env.production.sample`: Copied upstream changes. - `app/controllers/settings/identity_proofs_controller.rb`: Minor conflict due to glitch-soc's extra “enable_keybase” setting. Upstream removed keybase support altogether, so did the same. - `app/controllers/well_known/keybase_proof_config_controller.rb`: Minor conflict due to glitch-soc's extra “enable_keybase” setting. Upstream removed keybase support altogether, so did the same. - `lib/mastodon/statuses_cli.rb`: Minor conflict due to an optimization that wasn't shared between the two versions. Copied upstream's version.
2021-11-26Fix ElasticSearch to Elasticsearch (#17050)Takeshi Umeda
2021-11-19Merge branch 'main' into glitch-soc/merge-upstreamClaire
2021-11-18Bump chewy from 5.2.0 to 7.2.3 (supports Elasticsearch 7.x) (#16915)Takeshi Umeda
* Bump chewy from 5.2.0 to 7.2.2 * fix style (codeclimate) * fix style * fix style * Bump chewy from 7.2.2 to 7.2.3
2021-11-06Merge branch 'main' into glitch-soc/merge-upstreamClaire
2021-11-06Fix reviving revoked sessions and invalidating login (#16943)Claire
Up until now, we have used Devise's Rememberable mechanism to re-log users after the end of their browser sessions. This mechanism relies on a signed cookie containing a token. That token was stored on the user's record, meaning it was shared across all logged in browsers, meaning truly revoking a browser's ability to auto-log-in involves revoking the token itself, and revoking access from *all* logged-in browsers. We had a session mechanism that dynamically checks whether a user's session has been disabled, and would log out the user if so. However, this would only clear a session being actively used, and a new one could be respawned with the `remember_user_token` cookie. In practice, this caused two issues: - sessions could be revived after being closed from /auth/edit (security issue) - auto-log-in would be disabled for *all* browsers after logging out from one of them This PR removes the `remember_token` mechanism and treats the `_session_id` cookie/token as a browser-specific `remember_token`, fixing both issues.
2021-10-25Merge branch 'main' into glitch-soc/merge-upstreamClaire
Conflicts: - `.env.production.sample`: Upstream added new configuration options, uncommented by default. Commented them. - `Gemfile.lock`: Upstream updated dependencies textually close to glitch-soc-specific dependencies. Updated those upstream dependencies.
2021-10-24Support authentication for ElasticSearch (#16890)Jeong Arm
* Support authentication for ElasticSearch * Fix chewy auth settings
2021-10-14Merge branch 'main' into glitch-soc/merge-upstreamClaire
Conflicts: - `README.md`: Upstream added some documentation in the README, but our README is pretty different and barebone. Kept our README.
2021-10-14Minor memory optimizations (#16507)Claire
Reduce constant memory usage by ~100kB and further reduce boot-up memory allocations and temporary memory use by a further ~200kB.
2021-08-27Merge branch 'main' into glitch-soc/merge-upstreamClaire
2021-08-25New env variable: CAS_SECURITY_ASSUME_EMAIL_IS_VERIFIED (#16655)Daniel
When using a CAS server, the users only have a temporary email `change@me-foo-cas.com` which can't be changed but by an administrator. We need a new environment variable like for SAML to assume the email from CAS is verified. * config/initializers/omniauth.rb: define CAS option for assuming email are always verified. * .env.nanobox: add new variable as an example.
2021-07-17Merge branch 'main' into glitch-soc/merge-upstreamClaire
2021-07-15Fix inefficiencies in auto-linking code (#16506)Claire
The auto-linking code basically rewrote the whole string escaping non-ascii characters in an inefficient way, and building a full character offset map between the unescaped and escaped texts before sending the contents to TwitterText's extractor. Instead of doing that, this commit changes the TwitterText regexps to include valid IRI characters in addition to valid URI characters.
2021-05-27Merge branch 'main' into glitch-soc/merge-upstreamClaire
Conflicts: - `README.md`: Upstream's README got updated, but we have a completely different one. Kept ours.
2021-05-24Fix mailer jobs for deleted notifications erroring out (#16294)Claire
Fixes an oversight in the Rails 6 migration
2021-05-18Merge branch 'main' into glitch-soc/merge-upstreamClaire
2021-05-17Fix host check on healthcheck path not being disabled (#16270)Claire
Fixes #16251 There was a typo in #16243
2021-05-17Merge branch 'main' into glitch-soc/merge-upstreamClaire
Conflicts: - `README.md`: our READMEs are entirely different and upstream's has been updated. Kept our README.
2021-05-16Disable host check on healthcheck path (#16243)Jeong Arm
2021-05-09Merge branch 'main' into glitch-soc/merge-upstreamClaire
2021-05-09Add a Redis environment variable for sidekiq (#16188)Takeshi Umeda
2021-05-07Merge branch 'main' into glitch-soc/merge-upstreamClaire
- `app/views/statuses/_simple_status.html.haml`: Small markup change in glitch-soc, on a line that has been modified by upstream. Ported upstream changes.
2021-05-06Add Ruby 3.0 support (#16046)Claire
* Fix issues with POSIX::Spawn, Terrapin and Ruby 3.0 Also improve the Terrapin monkey-patch for the stderr/stdout issue. * Fix keyword argument handling throughout the codebase * Monkey-patch Paperclip to fix keyword arguments handling in validators * Change validation_extensions to please CodeClimate * Bump microformats from 4.2.1 to 4.3.1 * Allow Ruby 3.0 * Add Ruby 3.0 test target to CircleCI * Add test for admin dashboard warnings * Fix admin dashboard warnings on Ruby 3.0
2021-04-22Fix guard against DNS rebinding attacks (#16095)Takeshi Umeda
2021-04-21Add guard against DNS rebinding attacks (#16087)Takeshi Umeda
* Add guard against DNS rebinding attacks * Fix not to apply to test environment
2021-04-20Merge branch 'main' into glitch-soc/merge-upstreamClaire
Conflicts: - `README.md`: Upstream updated copyright year, we don't mention it so kept our version. - `app/controllers/admin/dashboard_controller.rb`: Not really a conflict, upstream change (removing the spam checker) too close to glitch-soc changes. Ported upstream changes. - `app/models/form/admin_settings.rb`: Same. - `app/services/remove_status_service.rb`: Same. - `app/views/admin/settings/edit.html.haml`: Same. - `config/settings.yml`: Same. - `config/environments/production.rb`: Not a real conflict, upstream added a default HTTP header, but we have extra headers in glitch-soc. Added the header.
2021-04-15Fix app name, website and redirect URIs not having a maximum length (#16042)Eugen Rochko
Fix app scopes not being validated
2021-04-09Fix autoloading deprecation warnings from Rails 6 (#16010)Eugen Rochko
2021-04-05Merge branch 'main' into glitch-soc/merge-upstreamClaire
2021-04-03Change health check (#15988)Eugen Rochko
2021-03-24Fix ActiveRecord monkey-patching migration hackClaire
2021-03-24Merge branch 'main' into glitch-soc/merge-upstreamClaire
2021-03-24Update Mastodon to Rails 6.1 (#15910)Claire
* Update devise-two-factor to unreleased fork for Rails 6 support Update tests to match new `rotp` version. * Update nsa gem to unreleased fork for Rails 6 support * Update rails to 6.1.3 and rails-i18n to 6.0 * Update to unreleased fork of pluck_each for Ruby 6 support * Run "rails app:update" * Add missing ActiveStorage config file * Use config.ssl_options instead of removed ApplicationController#force_ssl Disabled force_ssl-related tests as they do not seem to be easily testable anymore. * Fix nonce directives by removing Rails 5 specific monkey-patching * Fix fixture_file_upload deprecation warning * Fix yield-based test failing with Rails 6 * Use Rails 6's index_with when possible * Use ActiveRecord::Cache::Store#delete_multi from Rails 6 This will yield better performances when deleting an account * Disable Rails 6.1's automatic preload link headers Since Rails 6.1, ActionView adds preload links for javascript files in the Links header per default. In our case, that will bloat headers too much and potentially cause issues with reverse proxies. Furhermore, we don't need those links, as we already output them as HTML link tags. * Switch to Rails 6.0 default config * Switch to Rails 6.1 default config * Do not include autoload paths in the load path
2021-03-19Merge branch 'main' into glitch-soc/merge-upstreamClaire
2021-03-19Prepare Mastodon for zeitwerk autoloader (#15917)Claire
* Prepare Mastodon for zeitwerk autoloader (Rails 6) Add inflections and rename/move a few classes. In particular, app/lib/exceptions.rb and app/lib/sanitize_config.rb were manually loaded while still in autoload paths. * Add inflection for Url → URL
2021-03-17Prepare Mastodon for Rails 6 (#15911)Claire
* Fix misuse of foreign_type * Fix use of removed "add_template_helper" * Use response.media_type instead of response.content_type in tests * Fix CSV export controller test on Rails 6 Rails 6 sets a "filename*" field in the Content-Disposition header to explicitly encode the filename as UTF-8. This changes checks the first part of the Content-Disposition header so it matches in both Rails 5 and Rails 6. * Fix emoji formatting with Rails 6 * Make emoji output more idiomatic and robust * Switch from redis-rails gem to built-in Rails redis cache storage
2021-03-15Merge branch 'main' into glitch-soc/merge-upstreamClaire