From 48fee1a800a262ce26171d724c15738d083eb6d6 Mon Sep 17 00:00:00 2001 From: Eugen Rochko Date: Tue, 4 Jun 2019 20:10:26 +0200 Subject: Fix poll API not requiring authentication on non-public polls (#10960) * Fix poll API not requiring authentication on non-public polls That API does not reveal the content of the status, i.e. the question itself, nor who the author is, nor which status it belongs to, but it does reveal the poll options and how many answers they got Fix #10959 * Add test --- app/controllers/api/v1/polls_controller.rb | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) (limited to 'app/controllers') diff --git a/app/controllers/api/v1/polls_controller.rb b/app/controllers/api/v1/polls_controller.rb index 4f4a6858d..031e6d42d 100644 --- a/app/controllers/api/v1/polls_controller.rb +++ b/app/controllers/api/v1/polls_controller.rb @@ -1,13 +1,28 @@ # frozen_string_literal: true class Api::V1::PollsController < Api::BaseController + include Authorization + before_action -> { authorize_if_got_token! :read, :'read:statuses' }, only: :show + before_action :set_poll + before_action :refresh_poll respond_to :json def show + render json: @poll, serializer: REST::PollSerializer, include_results: true + end + + private + + def set_poll @poll = Poll.attached.find(params[:id]) + authorize @poll.status, :show? + rescue Mastodon::NotPermittedError + raise ActiveRecord::RecordNotFound + end + + def refresh_poll ActivityPub::FetchRemotePollService.new.call(@poll, current_account) if user_signed_in? && @poll.possibly_stale? - render json: @poll, serializer: REST::PollSerializer, include_results: true end end -- cgit From 7fa23ec697e9e2c5f0434b9682de7017133df8dc Mon Sep 17 00:00:00 2001 From: ThibG Date: Wed, 5 Jun 2019 13:40:20 +0200 Subject: Fix potential private status leak (#10969) --- app/controllers/statuses_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'app/controllers') 
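Review bot: The `rescue Mastodon::NotPermittedError` / `raise ActiveRecord::RecordNotFound` pair in `set_poll` deliberately makes a poll the caller may not view indistinguishable from a poll that does not exist, so poll ids cannot be probed for existence, but nothing records that intent; add `# Answer 404 for both missing and not-visible polls so ids cannot be probed` above the rescue. The choice of `authorize_if_got_token!` rather than a hard authentication requirement is likewise what keeps polls on public statuses reachable anonymously, and a one-line comment on that before_action, such as `# Token is optional: visibility is decided per status in set_poll`, would stop a later reader from "tightening" it. Both are documentation only; the code itself looks right, including running `set_poll` before `refresh_poll` so the authorization check precedes the remote fetch.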
diff --git a/app/controllers/statuses_controller.rb b/app/controllers/statuses_controller.rb index e60646ba3..b8f4e675e 100644 --- a/app/controllers/statuses_controller.rb +++ b/app/controllers/statuses_controller.rb @@ -27,7 +27,7 @@ class StatusesController < ApplicationController def show respond_to do |format| format.html do - unless user_signed_in? + if current_account.nil? skip_session! expires_in 10.seconds, public: true end -- cgit From cac9110533374d5d508b62ab5d35136e859b944c Mon Sep 17 00:00:00 2001 From: ThibG Date: Wed, 5 Jun 2019 14:02:59 +0200 Subject: Cleanup various controllers (#10972) * Remove skip_session! as it is not supported in Rails 5 * Minor cleanup in StreamEntriesController * Remove redundant mark_cacheable! calls --- app/controllers/accounts_controller.rb | 2 -- app/controllers/activitypub/collections_controller.rb | 2 -- app/controllers/activitypub/outboxes_controller.rb | 5 +---- app/controllers/application_controller.rb | 5 ----- app/controllers/concerns/account_controller_concern.rb | 1 - app/controllers/custom_css_controller.rb | 1 - app/controllers/emojis_controller.rb | 2 -- app/controllers/follower_accounts_controller.rb | 5 +---- app/controllers/following_accounts_controller.rb | 5 +---- app/controllers/statuses_controller.rb | 12 +----------- app/controllers/stream_entries_controller.rb | 14 ++++---------- 11 files changed, 8 insertions(+), 46 deletions(-) (limited to 'app/controllers') diff --git a/app/controllers/accounts_controller.rb b/app/controllers/accounts_controller.rb index abc68d2a4..73a4b1859 100644 --- a/app/controllers/accounts_controller.rb +++ b/app/controllers/accounts_controller.rb 
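Review bot: The new gate `if current_account.nil?` is the correct condition for `public: true` caching, but the reason is not recorded and the replaced `unless user_signed_in?` looked equally plausible, so the fix is easy to undo by accident; add `# Gate on current_account, not the Devise session: a request that resolves an account without a session may see a private status, and its response must never be shared-cacheable` above it. How `current_account` is resolved is not visible in this hunk, so confirm the wording against ApplicationController. The rest of `show` continues outside the hunk.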
@@ -46,8 +46,6 @@ class AccountsController < ApplicationController end format.json do - mark_cacheable! - render_cached_json(['activitypub', 'actor', @account], content_type: 'application/activity+json') do ActiveModelSerializers::SerializableResource.new(@account, serializer: ActivityPub::ActorSerializer, adapter: ActivityPub::Adapter) end diff --git a/app/controllers/activitypub/collections_controller.rb b/app/controllers/activitypub/collections_controller.rb index 853f4f907..012c3c538 100644 --- a/app/controllers/activitypub/collections_controller.rb +++ b/app/controllers/activitypub/collections_controller.rb @@ -9,8 +9,6 @@ class ActivityPub::CollectionsController < Api::BaseController before_action :set_cache_headers def show - skip_session! - render_cached_json(['activitypub', 'collection', @account, params[:id]], content_type: 'application/activity+json') do ActiveModelSerializers::SerializableResource.new( collection_presenter, diff --git a/app/controllers/activitypub/outboxes_controller.rb b/app/controllers/activitypub/outboxes_controller.rb index 438fa226e..5147afbf7 100644 --- a/app/controllers/activitypub/outboxes_controller.rb +++ b/app/controllers/activitypub/outboxes_controller.rb @@ -10,10 +10,7 @@ class ActivityPub::OutboxesController < Api::BaseController before_action :set_cache_headers def show - unless page_requested? - skip_session! - expires_in 1.minute, public: true - end + expires_in 1.minute, public: true unless page_requested? render json: outbox_presenter, serializer: ActivityPub::OutboxSerializer, adapter: ActivityPub::Adapter, content_type: 'application/activity+json' end diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 990aff857..9274d85a9 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb 
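Review bot: The rewrite keeps `expires_in 1.minute, public: true` while dropping `skip_session!`, so whatever guarantee the old call expressed, that a publicly cacheable response never writes the session and hence never carries a `Set-Cookie` header a shared cache would store, now rests on the action simply not touching the session. The commit message says `skip_session!` was already unsupported in Rails 5, so this is presumably not a regression, but the intent deserves a comment where `public: true` is set, e.g. `# Publicly cacheable: this action must not touch the session (flash, CSRF token) or the cookie would be cached`, and a check that nothing in these actions does. The same applies to `mark_cacheable!` in application_controller.rb, `check_account_suspension` in account_controller_concern.rb, and the `expires_in … public: true` lines in follower_accounts_controller.rb, following_accounts_controller.rb, statuses_controller.rb (`show`, `embed`) and stream_entries_controller.rb.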
@@ -152,11 +152,6 @@ class ApplicationController < ActionController::Base end def mark_cacheable! - skip_session! expires_in 0, public: true end - - def skip_session! - request.session_options[:skip] = true - end end diff --git a/app/controllers/concerns/account_controller_concern.rb b/app/controllers/concerns/account_controller_concern.rb index 4f28941ae..1c422096c 100644 --- a/app/controllers/concerns/account_controller_concern.rb +++ b/app/controllers/concerns/account_controller_concern.rb @@ -70,7 +70,6 @@ module AccountControllerConcern def check_account_suspension if @account.suspended? - skip_session! expires_in(3.minutes, public: true) gone end diff --git a/app/controllers/custom_css_controller.rb b/app/controllers/custom_css_controller.rb index 31e501609..be768c089 100644 --- a/app/controllers/custom_css_controller.rb +++ b/app/controllers/custom_css_controller.rb @@ -4,7 +4,6 @@ class CustomCssController < ApplicationController before_action :set_cache_headers def show - skip_session! render plain: Setting.custom_css || '', content_type: 'text/css' end end diff --git a/app/controllers/emojis_controller.rb b/app/controllers/emojis_controller.rb index 5d306e600..3feb08132 100644 --- a/app/controllers/emojis_controller.rb +++ b/app/controllers/emojis_controller.rb @@ -7,8 +7,6 @@ class EmojisController < ApplicationController def show respond_to do |format| format.json do - skip_session! - render_cached_json(['activitypub', 'emoji', @emoji], content_type: 'application/activity+json') do ActiveModelSerializers::SerializableResource.new(@emoji, serializer: ActivityPub::EmojiSerializer, adapter: ActivityPub::Adapter) end diff --git a/app/controllers/follower_accounts_controller.rb b/app/controllers/follower_accounts_controller.rb index 713365ea5..415abe10c 100644 --- a/app/controllers/follower_accounts_controller.rb +++ b/app/controllers/follower_accounts_controller.rb 
@@ -19,10 +19,7 @@ class FollowerAccountsController < ApplicationController format.json do raise Mastodon::NotPermittedError if params[:page].present? && @account.user_hides_network? - if params[:page].blank? - skip_session! - expires_in 3.minutes, public: true - end + expires_in 3.minutes, public: true if params[:page].blank? render json: collection_presenter, serializer: ActivityPub::CollectionSerializer, diff --git a/app/controllers/following_accounts_controller.rb b/app/controllers/following_accounts_controller.rb index 1bfd901cf..948725664 100644 --- a/app/controllers/following_accounts_controller.rb +++ b/app/controllers/following_accounts_controller.rb @@ -19,10 +19,7 @@ class FollowingAccountsController < ApplicationController format.json do raise Mastodon::NotPermittedError if params[:page].present? && @account.user_hides_network? - if params[:page].blank? - skip_session! - expires_in 3.minutes, public: true - end + expires_in 3.minutes, public: true if params[:page].blank? render json: collection_presenter, serializer: ActivityPub::CollectionSerializer, diff --git a/app/controllers/statuses_controller.rb b/app/controllers/statuses_controller.rb index b8f4e675e..ef26691b2 100644 --- a/app/controllers/statuses_controller.rb +++ b/app/controllers/statuses_controller.rb @@ -27,10 +27,7 @@ class StatusesController < ApplicationController def show respond_to do |format| format.html do - if current_account.nil? - skip_session! - expires_in 10.seconds, public: true - end + expires_in 10.seconds, public: true if current_account.nil? @body_classes = 'with-modals' @@ -41,8 +38,6 @@ class StatusesController < ApplicationController end format.json do - mark_cacheable! unless @stream_entry.hidden? - render_cached_json(['activitypub', 'note', @status], content_type: 'application/activity+json', public: !@stream_entry.hidden?) do ActiveModelSerializers::SerializableResource.new(@status, serializer: ActivityPub::NoteSerializer, adapter: ActivityPub::Adapter) end 
@@ -51,8 +46,6 @@ class StatusesController < ApplicationController end def activity - skip_session! - render_cached_json(['activitypub', 'activity', @status], content_type: 'application/activity+json', public: !@stream_entry.hidden?) do ActiveModelSerializers::SerializableResource.new(@status, serializer: ActivityPub::ActivitySerializer, adapter: ActivityPub::Adapter) end @@ -61,7 +54,6 @@ class StatusesController < ApplicationController def embed raise ActiveRecord::RecordNotFound if @status.hidden? - skip_session! expires_in 180, public: true response.headers['X-Frame-Options'] = 'ALLOWALL' @autoplay = ActiveModel::Type::Boolean.new.cast(params[:autoplay]) @@ -70,8 +62,6 @@ class StatusesController < ApplicationController end def replies - skip_session! - render json: replies_collection_presenter, serializer: ActivityPub::CollectionSerializer, adapter: ActivityPub::Adapter, diff --git a/app/controllers/stream_entries_controller.rb b/app/controllers/stream_entries_controller.rb index b75cefa74..0f7e9e0f5 100644 --- a/app/controllers/stream_entries_controller.rb +++ b/app/controllers/stream_entries_controller.rb @@ -15,19 +15,13 @@ class StreamEntriesController < ApplicationController def show respond_to do |format| format.html do - unless user_signed_in? - skip_session! - expires_in 5.minutes, public: true - end + expires_in 5.minutes, public: true unless @stream_entry.hidden? - redirect_to short_account_status_url(params[:account_username], @stream_entry.activity) if @type == 'status' + redirect_to short_account_status_url(params[:account_username], @stream_entry.activity) end format.atom do - unless @stream_entry.hidden? - skip_session! - expires_in 3.minutes, public: true - end + expires_in 3.minutes, public: true unless @stream_entry.hidden? render xml: OStatus::AtomSerializer.render(OStatus::AtomSerializer.new.entry(@stream_entry, true)) end 
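Review bot: `response.headers['X-Frame-Options'] = 'ALLOWALL'` in `embed` assigns a value the header does not define (only DENY, SAMEORIGIN and ALLOW-FROM exist), so browsers ignore the header entirely; that is presumably the intent, because it displaces the SAMEORIGIN default Rails would otherwise send and lets the embed be framed, but it reads like a typo. Either record it, `# Not a real X-Frame-Options value: browsers ignore it, which overrides the SAMEORIGIN default so the embed can be framed`, or make the intent explicit with `response.headers.delete('X-Frame-Options')`, which should have the same effect if the default is merged into the response before the action runs. This is a context line rather than part of the change, and `embed` continues outside the hunk.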
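Review bot: The html branch now caches publicly `unless @stream_entry.hidden?` where it previously did so `unless user_signed_in?`, and the redirect is now unconditional; that is a behaviour change, since signed-in requests for non-hidden entries now receive a shared-cacheable redirect, not the cleanup the commit title suggests. The new gate looks correct, because the redirect target reveals nothing the visibility check did not already allow, but the reasoning should be recorded rather than left to be reverse-engineered: `# Cacheable by visibility, not by login state: the redirect exposes only the status URL`. `show` continues outside the hunk.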
@@ -55,7 +49,7 @@ class StreamEntriesController < ApplicationController def set_stream_entry @stream_entry = @account.stream_entries.where(activity_type: 'Status').find(params[:id]) - @type = @stream_entry.activity_type.downcase + @type = 'status' raise ActiveRecord::RecordNotFound if @stream_entry.activity.nil? authorize @stream_entry.activity, :show? if @stream_entry.hidden? -- cgit From a60364ca7d26c82c9353980d0966d37e9aa66014 Mon Sep 17 00:00:00 2001 From: Eugen Rochko Date: Fri, 7 Jun 2019 03:24:10 +0200 Subject: Add waiting time to list of pending accounts in admin UI (#10985) --- app/controllers/admin/accounts_controller.rb | 4 ++-- app/views/admin/pending_accounts/_account.html.haml | 2 ++ config/locales/en.yml | 1 + 3 files changed, 5 insertions(+), 2 deletions(-) (limited to 'app/controllers') diff --git a/app/controllers/admin/accounts_controller.rb b/app/controllers/admin/accounts_controller.rb index e7795e95c..b0d45ce47 100644 --- a/app/controllers/admin/accounts_controller.rb +++ b/app/controllers/admin/accounts_controller.rb @@ -48,13 +48,13 @@ module Admin def approve authorize @account.user, :approve? @account.user.approve! - redirect_to admin_accounts_path(pending: '1') + redirect_to admin_pending_accounts_path end def reject authorize @account.user, :reject? SuspendAccountService.new.call(@account, including_user: true, destroy: true, skip_distribution: true) - redirect_to admin_accounts_path(pending: '1') + redirect_to admin_pending_accounts_path end def unsilence diff --git a/app/views/admin/pending_accounts/_account.html.haml b/app/views/admin/pending_accounts/_account.html.haml index 1ed5dafdd..7a9796a67 100644 --- a/app/views/admin/pending_accounts/_account.html.haml +++ b/app/views/admin/pending_accounts/_account.html.haml 
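Review bot: `@type = 'status'` in `set_stream_entry` is now a constant assignment whose only visible reader, the `if @type == 'status'` guard in `show`, this same commit removes; unless a view still reads `@type`, the line is dead and should be dropped rather than kept as a literal that suggests other values exist. If a view does read it, a short comment naming that reader would justify keeping it. `set_stream_entry` continues outside the hunk.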
@@ -8,6 +8,8 @@ = "(@#{account.username})" %br/ = account.user_current_sign_in_ip + • + = t 'admin.accounts.time_in_queue', time: time_ago_in_words(account.user&.created_at) - if account.user&.invite_request&.text&.present? .pending-account__body diff --git a/config/locales/en.yml b/config/locales/en.yml index 4acea6dc0..3b32e41a6 100644 --- a/config/locales/en.yml +++ b/config/locales/en.yml @@ -174,6 +174,7 @@ en: statuses: Statuses subscribe: Subscribe suspended: Suspended + time_in_queue: Waiting in queue %{time} title: Accounts unconfirmed_email: Unconfirmed email undo_silenced: Undo silence -- cgit
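Review bot: `time_ago_in_words(account.user&.created_at)` raises when `account.user` is nil, because `time_ago_in_words(nil)` fails inside the distance calculation, while the very next line uses `account.user&.invite_request&.text&.present?` and so treats a missing user as possible; either the safe navigation is misleading or this partial can crash on such a row. Guard the new lines together, `- if account.user` / `  •` / `  = t 'admin.accounts.time_in_queue', time: time_ago_in_words(account.user.created_at)`, or drop the `&.` if every pending account is guaranteed a user.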