From b65eb00c53af939444e0e891c0a3a4563f4897ac Mon Sep 17 00:00:00 2001 From: Alda Marteau-Hardi Date: Sat, 7 Apr 2018 21:33:01 +0200 Subject: Prevent admins and moderators eavesdropping in private and direct toots (#7067) Fix #6986 --- app/controllers/admin/statuses_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'app/controllers') diff --git a/app/controllers/admin/statuses_controller.rb b/app/controllers/admin/statuses_controller.rb index 5d4325f57..d5787acfb 100644 --- a/app/controllers/admin/statuses_controller.rb +++ b/app/controllers/admin/statuses_controller.rb @@ -12,7 +12,7 @@ module Admin def index authorize :status, :index? - @statuses = @account.statuses + @statuses = @account.statuses.where(visibility: [:public, :unlisted]) if params[:media] account_media_status_ids = @account.media_attachments.attached.reorder(nil).select(:status_id).distinct -- cgit From 1364e9e4ae1fb12a1c970795f1d0afd651c7cfe2 Mon Sep 17 00:00:00 2001 
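Review bot: The `[:public, :unlisted]` filter is applied only to the `index` listing; if this controller has other actions that look statuses up by id for the same account (a batch moderation action, say), they need the same restriction, otherwise the private and direct toots this commit hides from the list can still be reached by id — the rest of the controller is outside this hunk, so please check. Because the list is now silently truncated, the intent should be recorded next to the query so the next change keeps it: `# Moderators must not see private/direct toots (#6986); apply the same filter to any other status lookup in this controller.` A named scope on Status would give the filter a single definition that the view and other moderation code can share. `def index` continues below the hunk.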
From: ThibG Date: Sun, 8 Apr 2018 13:40:22 +0200 Subject: Fix follow/unfollow buttons on public profile (fixes #7036) (#7040) * Fix follow/unfollow buttons on public profile - Present non-logged users with web+mastodon:// URLs for remote accounts - Present logged-in users with appropriate links (authorize_follows and remote_unfollows) for remote accounts * Do not cache rendered cards if user is logged in --- .../concerns/remote_account_controller_concern.rb | 21 ++++++++++++ app/controllers/remote_unfollows.rb | 39 ++++++++++++++++++++++ app/views/accounts/_follow_button.html.haml | 6 ++-- app/views/accounts/_follow_grid.html.haml | 2 +- app/views/remote_unfollows/_card.html.haml | 13 ++++++++ .../_post_follow_actions.html.haml | 4 +++ app/views/remote_unfollows/error.html.haml | 3 ++ app/views/remote_unfollows/success.html.haml | 10 ++++++ config/routes.rb | 1 + 9 files changed, 95 insertions(+), 4 deletions(-) create mode 100644 app/controllers/concerns/remote_account_controller_concern.rb create mode 100644 app/controllers/remote_unfollows.rb create mode 100644 app/views/remote_unfollows/_card.html.haml create mode 100644 app/views/remote_unfollows/_post_follow_actions.html.haml create mode 100644 app/views/remote_unfollows/error.html.haml create mode 100644 app/views/remote_unfollows/success.html.haml (limited to 'app/controllers') diff --git a/app/controllers/concerns/remote_account_controller_concern.rb b/app/controllers/concerns/remote_account_controller_concern.rb new file mode 100644 index 000000000..e17910642 --- /dev/null +++ b/app/controllers/concerns/remote_account_controller_concern.rb 
@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module RemoteAccountControllerConcern
+ extend ActiveSupport::Concern
+
+ included do
+ layout 'public'
+ before_action :set_account
+ before_action :check_account_suspension
+ end
+
+ private
+
+ def set_account
+ @account = Account.find_remote!(params[:acct])
+ end
+
+ def check_account_suspension
+ gone if @account.suspended?
+ end
+end
diff --git a/app/controllers/remote_unfollows.rb b/app/controllers/remote_unfollows.rb
new file mode 100644
index 000000000..af5943363
--- /dev/null
+++ b/app/controllers/remote_unfollows.rb
@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+class RemoteUnfollowsController < ApplicationController
+ layout 'modal'
+
+ before_action :authenticate_user!
+ before_action :set_body_classes
+
+ def create
+ @account = unfollow_attempt.try(:target_account)
+
+ if @account.nil?
+ render :error
+ else
+ render :success
+ end
+ rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
+ render :error
+ end
+
+ private
+
+ def unfollow_attempt
+ username, domain = acct_without_prefix.split('@')
+ UnfollowService.new.call(current_account, Account.find_remote!(username, domain))
+ end
+
+ def acct_without_prefix
+ acct_params.gsub(/\Aacct:/, '')
+ end
+
+ def acct_params
+ params.fetch(:acct, '')
+ end
+
+ def set_body_classes
+ @body_classes = 'modal-layout'
+ end
+end
diff --git a/app/views/accounts/_follow_button.html.haml b/app/views/accounts/_follow_button.html.haml
index e476e0aff..96ae23234 100644
--- a/app/views/accounts/_follow_button.html.haml
+++ b/app/views/accounts/_follow_button.html.haml
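Review bot: `set_account` passes a single argument to `Account.find_remote!`, while `RemoteUnfollowsController#unfollow_attempt` in the same commit calls it as `find_remote!(username, domain)`; unless the model method defaults `domain`, the first controller to include this concern raises ArgumentError, and if it does default, it looks for a local account literally named `user@domain`. Nothing in this diff includes `RemoteAccountControllerConcern`, so the defect is latent — either include it in `RemoteUnfollowsController`, which would also give that controller the `check_account_suspension` guard it currently lacks, or drop the file. If it stays, split the handle the way the controller does: `username, domain = params[:acct].to_s.sub(/\Aacct:/, '').split('@')` followed by `@account = Account.find_remote!(username, domain)`.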
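Review bot: The file is `app/controllers/remote_unfollows.rb` but it defines `RemoteUnfollowsController`; Rails derives the autoload path from the constant name, so `POST /remote_unfollow` fails with an uninitialized-constant error in any environment that does not eager-load (development, most test runs) until the file is renamed to `app/controllers/remote_unfollows_controller.rb`. Separately, `acct_params` only guards a missing parameter: an `acct` sent as an array or hash reaches `gsub` and produces a 500 instead of the `:error` view, and an `acct` without `@` yields `domain = nil`, which depending on `find_remote!` may resolve a local account through a path meant for remote ones. `params.fetch(:acct, '').to_s` closes the first gap, and `return nil if domain.blank?` before the service call in `unfollow_attempt` closes the second, since `create` already renders `:error` when the attempt returns nil.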
@@ -8,16 +8,16 @@ - if user_signed_in? && current_account.id != account.id && !requested .controls - if following - = link_to account_unfollow_path(account), data: { method: :post }, class: 'icon-button' do + = link_to (account.local? ? account_unfollow_path(account) : remote_unfollow_path(acct: account.acct)), data: { method: :post }, class: 'icon-button' do = fa_icon 'user-times' = t('accounts.unfollow') - else - = link_to account_follow_path(account), data: { method: :post }, class: 'icon-button' do + = link_to (account.local? ? account_follow_path(account) : authorize_follow_path(acct: account.acct)), data: { method: :post }, class: 'icon-button' do = fa_icon 'user-plus' = t('accounts.follow') - elsif !user_signed_in? .controls .remote-follow - = link_to account_remote_follow_path(account), class: 'icon-button' do + = link_to (account.local? ? account_remote_follow_path(account) : "web+mastodon://follow?uri=#{account.uri}"), class: 'icon-button' do = fa_icon 'user-plus' = t('accounts.remote_follow') diff --git a/app/views/accounts/_follow_grid.html.haml b/app/views/accounts/_follow_grid.html.haml index 10fbfa546..a6d0ee817 100644 --- a/app/views/accounts/_follow_grid.html.haml +++ b/app/views/accounts/_follow_grid.html.haml @@ -2,6 +2,6 @@ - if accounts.empty? = render partial: 'accounts/nothing_here' - else - = render partial: 'accounts/grid_card', collection: accounts, as: :account, cached: true + = render partial: 'accounts/grid_card', collection: accounts, as: :account, cached: !user_signed_in? = paginate follows diff --git a/app/views/remote_unfollows/_card.html.haml b/app/views/remote_unfollows/_card.html.haml new file mode 100644 index 000000000..e81e292ba --- /dev/null +++ b/app/views/remote_unfollows/_card.html.haml 
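Review bot: In the signed-out branch `account.uri` is interpolated verbatim into the `web+mastodon://follow?uri=` query string. `link_to` HTML-escapes the href, so this is not an injection into the page, but the URI is remote-controlled data and any `&`, `#` or `?` in it would be misparsed by whatever handles the custom scheme; percent-encode it: `"web+mastodon://follow?uri=#{ERB::Util.url_encode(account.uri)}"`. The partial's first seven lines are outside the hunk.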
@@ -0,0 +1,13 @@
+.account-card
+ .detailed-status__display-name
+ %div
+ = image_tag account.avatar.url(:original), alt: '', width: 48, height: 48, class: 'avatar'
+
+ %span.display-name
+ - account_url = local_assigns[:admin] ? admin_account_path(account.id) : TagManager.instance.url_for(account)
+ = link_to account_url, class: 'detailed-status__display-name p-author h-card', target: '_blank', rel: 'noopener' do
+ %strong.emojify= display_name(account)
+ %span @#{account.acct}
+
+ - if account.note?
+ .account__header__content.emojify= Formatter.instance.simplified_format(account)
diff --git a/app/views/remote_unfollows/_post_follow_actions.html.haml b/app/views/remote_unfollows/_post_follow_actions.html.haml
new file mode 100644
index 000000000..2a9c062e9
--- /dev/null
+++ b/app/views/remote_unfollows/_post_follow_actions.html.haml
@@ -0,0 +1,4 @@
+.post-follow-actions
+ %div= link_to t('authorize_follow.post_follow.web'), web_url("accounts/#{@account.id}"), class: 'button button--block'
+ %div= link_to t('authorize_follow.post_follow.return'), TagManager.instance.url_for(@account), class: 'button button--block'
+ %div= t('authorize_follow.post_follow.close')
diff --git a/app/views/remote_unfollows/error.html.haml b/app/views/remote_unfollows/error.html.haml
new file mode 100644
index 000000000..cb63f02be
--- /dev/null
+++ b/app/views/remote_unfollows/error.html.haml
@@ -0,0 +1,3 @@
+.form-container
+ .flash-message#error_explanation
+ = t('remote_unfollow.error')
diff --git a/app/views/remote_unfollows/success.html.haml b/app/views/remote_unfollows/success.html.haml
new file mode 100644
index 000000000..aa3c838a0
--- /dev/null
+++ b/app/views/remote_unfollows/success.html.haml
@@ -0,0 +1,10 @@
+- content_for :page_title do
+ = t('remote_unfollow.title', acct: @account.acct)
+
+.form-container
+ .follow-prompt
+ %h2= t('remote_unfollow.unfollowed')
+
+ = render 'card', account: @account
+
+ = render 'post_follow_actions'
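Review bot: `_card.html.haml` branches on `local_assigns[:admin]`, but its only caller in this commit, `success.html.haml`, renders it with `account: @account` alone, so the admin branch is dead here and the partial reads as a copy of an existing follow card rather than a shared one (I cannot confirm the original from this diff). Either render the existing card partial from `success.html.haml`, or drop the unused branch: `- account_url = TagManager.instance.url_for(account)`. If the copy is deliberate, a one-line comment at the top saying why it diverges from the shared card would save the next reader the comparison.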
diff --git a/config/routes.rb b/config/routes.rb index 4b5ba5c96..7187fd743 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -116,6 +116,7 @@ Rails.application.routes.draw do get '/media_proxy/:id/(*any)', to: 'media_proxy#show', as: :media_proxy # Remote follow + resource :remote_unfollow, only: [:create] resource :authorize_follow, only: [:show, :create] resource :share, only: [:show, :create] -- cgit From cd0eaa349ca5d7e53e2ed246e70e99fc61c98370 Mon Sep 17 00:00:00 2001 From: Levi Bard Date: Sun, 8 Apr 2018 13:43:10 +0200 Subject: Enable updating additional account information from user preferences via rest api (#6789) * Enable updating additional account information from user preferences via rest api Resolves #6553 * Pacify rubocop * Decoerce incoming settings in UserSettingsDecorator * Create user preferences hash directly from incoming credentials instead of going through ActionController::Parameters * Clean up user preferences update * Use ActiveModel::Type::Boolean instead of manually checking stringified number equivalence --- app/controllers/api/v1/accounts/credentials_controller.rb | 12 ++++++++++++ app/lib/user_settings_decorator.rb | 4 ++-- .../api/v1/accounts/credentials_controller_spec.rb | 6 ++++++ spec/lib/user_settings_decorator_spec.rb | 11 +++++++++++ 4 files changed, 31 insertions(+), 2 deletions(-) (limited to 'app/controllers') diff --git a/app/controllers/api/v1/accounts/credentials_controller.rb b/app/controllers/api/v1/accounts/credentials_controller.rb index 68af22529..062d490a7 100644 --- a/app/controllers/api/v1/accounts/credentials_controller.rb +++ b/app/controllers/api/v1/accounts/credentials_controller.rb 
@@ -13,6 +13,7 @@ class Api::V1::Accounts::CredentialsController < Api::BaseController
 def update
 @account = current_account
 UpdateAccountService.new.call(@account, account_params, raise_error: true)
+ UserSettingsDecorator.new(current_user).update(user_settings_params) if user_settings_params
 ActivityPub::UpdateDistributionWorker.perform_async(@account.id)
 render json: @account, serializer: REST::CredentialAccountSerializer
 end
@@ -22,4 +23,15 @@ class Api::V1::Accounts::CredentialsController < Api::BaseController
 def account_params
 params.permit(:display_name, :note, :avatar, :header, :locked)
 end
+
+ def user_settings_params
+ return nil unless params.key?(:source)
+
+ source_params = params.require(:source)
+
+ {
+ 'setting_default_privacy' => source_params.fetch(:privacy, @account.user.setting_default_privacy),
+ 'setting_default_sensitive' => source_params.fetch(:sensitive, @account.user.setting_default_sensitive),
+ }
+ end
 end
diff --git a/app/lib/user_settings_decorator.rb b/app/lib/user_settings_decorator.rb
index 4d6f19467..9260a81bc 100644
--- a/app/lib/user_settings_decorator.rb
+++ b/app/lib/user_settings_decorator.rb
@@ -83,7 +83,7 @@ class UserSettingsDecorator
 end
 def boolean_cast_setting(key)
- settings[key] == '1'
+ ActiveModel::Type::Boolean.new.cast(settings[key])
 end
 def coerced_settings(key)
@@ -91,7 +91,7 @@ class UserSettingsDecorator
 end
 def coerce_values(params_hash)
- params_hash.transform_values { |x| x == '1' }
+ params_hash.transform_values { |x| ActiveModel::Type::Boolean.new.cast(x) }
 end
 def change?(key)
diff --git a/spec/controllers/api/v1/accounts/credentials_controller_spec.rb b/spec/controllers/api/v1/accounts/credentials_controller_spec.rb
index 461b8b34b..87fce64eb 100644
--- a/spec/controllers/api/v1/accounts/credentials_controller_spec.rb
+++ b/spec/controllers/api/v1/accounts/credentials_controller_spec.rb
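Review bot: `user_settings_params` is evaluated twice on the added line — once as the guard and once as the argument — and each call re-reads `params` and builds a fresh hash; assign it once: `settings = user_settings_params` followed by `UserSettingsDecorator.new(current_user).update(settings) if settings`. The ordering also deserves a comment, since `UpdateAccountService` has already persisted the account fields by the time the settings update runs, so a failure there leaves a half-applied request: `# account fields are saved before settings; the two are not atomic`.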
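Review bot: `privacy` is passed through unvalidated — `source_params.fetch(:privacy, …)` hands whatever string the client sent to `UserSettingsDecorator`, and unless the decorator or `User` rejects unknown values (both outside this hunk) an API client can store an arbitrary default privacy that then applies to every status it posts afterwards. Validate at the boundary against the same list the web preferences form offers and answer 422, rather than relying on downstream code. A second gap: a scalar `source` (for example `source=foo`) passes `params.key?` and `params.require` but the returned String has no `fetch`, so the request 500s; `return nil unless params[:source].is_a?(ActionController::Parameters)` in place of the `key?` check turns that into the no-settings path.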
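Review bot: `ActiveModel::Type::Boolean.new.cast` returns `nil` for `nil` and `''`, and `true` for any string outside Rails' false set (`'0'`, `'f'`, `'false'`, `'off'`, …), whereas the replaced `== '1'` only ever produced `true` or `false`; a setting posted as an empty string is now stored as `nil` instead of `false`. If the settings store and its readers expect a strict boolean, coerce the nil away: `ActiveModel::Type::Boolean.new.cast(settings[key]) || false`, and the same in `coerce_values` in the following hunk. The enclosing `UserSettingsDecorator` class starts and ends outside the hunk.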
@@ -28,6 +28,10 @@ describe Api::V1::Accounts::CredentialsController do note: "Hi!\n\nToot toot!", avatar: fixture_file_upload('files/avatar.gif', 'image/gif'), header: fixture_file_upload('files/attachment.jpg', 'image/jpeg'), + source: { + privacy: 'unlisted', + sensitive: true, + } } end @@ -42,6 +46,8 @@ describe Api::V1::Accounts::CredentialsController do expect(user.account.note).to eq("Hi!\n\nToot toot!") expect(user.account.avatar).to exist expect(user.account.header).to exist + expect(user.setting_default_privacy).to eq('unlisted') + expect(user.setting_default_sensitive).to eq(true) end it 'queues up an account update distribution' do diff --git a/spec/lib/user_settings_decorator_spec.rb b/spec/lib/user_settings_decorator_spec.rb index fee875373..462c5b124 100644 --- a/spec/lib/user_settings_decorator_spec.rb +++ b/spec/lib/user_settings_decorator_spec.rb @@ -69,5 +69,16 @@ describe UserSettingsDecorator do settings.update(values) expect(user.settings['system_font_ui']).to eq false end + + it 'decoerces setting values before applying' do + values = { + 'setting_delete_modal' => 'false', + 'setting_boost_modal' => 'true', + } + + settings.update(values) + expect(user.settings['delete_modal']).to eq false + expect(user.settings['boost_modal']).to eq true + end end end -- cgit
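Review bot: The credentials spec covers only the happy path where `source` is present with valid values; there is no case for a request that omits `source` (the `if user_settings_params` branch must leave `setting_default_privacy` untouched) nor for a rejected `privacy` value, which is where a regression would be most costly. Something like `expect { patch :update, params: { display_name: 'x' } }.not_to change { user.reload.setting_default_privacy }` would pin the first; the second depends on what validation the controller ends up doing. The surrounding `describe` blocks start and end outside the hunk.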