From 02d272cf496e12b1c7f72d46799243309d222250 Mon Sep 17 00:00:00 2001 From: Eugen Rochko Date: Tue, 14 Jan 2020 08:52:32 +0100 Subject: Fix access to OEmbed endpoint in secure mode (#12864)
--- app/controllers/api/oembed_controller.rb | 2 ++ 1 file changed, 2 insertions(+) (limited to 'app/controllers')
diff --git a/app/controllers/api/oembed_controller.rb b/app/controllers/api/oembed_controller.rb
index 37a163cd3..c8c60b1cf 100644
--- a/app/controllers/api/oembed_controller.rb
+++ b/app/controllers/api/oembed_controller.rb
@@ -3,6 +3,8 @@ class Api::OEmbedController < Api::BaseController respond_to :json
+ skip_before_action :require_authenticated_user!
+
 def show @status = status_finder.status render json: @status, serializer: OEmbedSerializer, width: maxwidth_or_default, height: maxheight_or_default -- cgit From 6feafb8802b2759eb33968a70b6c1cb100bf3926 Mon Sep 17 00:00:00 2001 
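Review bot: The added `skip_before_action :require_authenticated_user!` exempts this endpoint from the `Api::BaseController` authentication gate in secure mode, but nothing at the line says why, so a later cleanup of the controller's filters could silently re-lock it. Put the reason next to it: `# OEmbed consumers are anonymous embedders; this endpoint must stay reachable even in secure mode`. Whether a non-public status can now be served to an anonymous caller depends on what `status_finder.status` returns, which is outside the hunk, so that is worth confirming alongside this change.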
From: Eugen Rochko Date: Mon, 20 Jan 2020 15:55:03 +0100 Subject: Various fixes and improvements (#12878) * Fix unused role routes being generated * Remove unused JavaScript code * Refactor filters code to be DRYer * Fix `.count == 0` comparisons to `.empty?` in views * Fix filters in views
--- app/controllers/admin/accounts_controller.rb | 16 +--------------- app/controllers/admin/custom_emojis_controller.rb | 2 +- app/controllers/admin/instances_controller.rb | 2 +- app/controllers/admin/invites_controller.rb | 2 +- app/controllers/admin/reports_controller.rb | 7 +------ app/controllers/admin/tags_controller.rb | 2 +- app/controllers/relationships_controller.rb | 2 +- app/helpers/admin/filter_helper.rb | 18 +++++++++--------- app/javascript/packs/public.js | 9 --------- app/models/account_filter.rb | 15 +++++++++++++++ app/models/custom_emoji_filter.rb | 7 +++++++ app/models/instance_filter.rb | 5 +++++ app/models/invite_filter.rb | 5 +++++ app/models/relationship_filter.rb | 11 +++++++++++ app/models/report_filter.rb | 7 +++++++ app/models/tag_filter.rb | 10 ++++++++++ app/views/admin/accounts/index.html.haml | 2 +- app/views/admin/custom_emojis/index.html.haml | 4 ++-- app/views/admin/email_domain_blocks/index.html.haml | 2 +- app/views/admin/instances/index.html.haml | 5 ++--- app/views/admin/reports/index.html.haml | 5 ++--- app/views/admin/tags/index.html.haml | 5 ++--- app/views/filters/index.html.haml | 2 +- app/views/relationships/show.html.haml | 7 +++---- app/views/settings/applications/index.html.haml | 2 +- config/routes.rb | 2 +- 26 files changed, 92 insertions(+), 64 deletions(-) create mode 100644 app/models/relationship_filter.rb (limited to 'app/controllers')
diff --git a/app/controllers/admin/accounts_controller.rb b/app/controllers/admin/accounts_controller.rb
index 68b6352f8..7b1783542 100644
--- a/app/controllers/admin/accounts_controller.rb
+++ b/app/controllers/admin/accounts_controller.rb 
@@ -109,21 +109,7 @@ module Admin end def filter_params
- params.permit(
- :local,
- :remote,
- :by_domain,
- :active,
- :pending,
- :disabled,
- :silenced,
- :suspended,
- :username,
- :display_name,
- :email,
- :ip,
- :staff
- )
+ params.slice(*AccountFilter::KEYS).permit(*AccountFilter::KEYS) end end end
diff --git a/app/controllers/admin/custom_emojis_controller.rb b/app/controllers/admin/custom_emojis_controller.rb
index a446465c9..efa8f2950 100644
--- a/app/controllers/admin/custom_emojis_controller.rb
+++ b/app/controllers/admin/custom_emojis_controller.rb
@@ -48,7 +48,7 @@ module Admin end def filter_params
- params.slice(:local, :remote, :by_domain, :shortcode, :page).permit(:local, :remote, :by_domain, :shortcode, :page)
+ params.slice(:page, *CustomEmojiFilter::KEYS).permit(:page, *CustomEmojiFilter::KEYS) end def action_from_button
diff --git a/app/controllers/admin/instances_controller.rb b/app/controllers/admin/instances_controller.rb
index b47b18f8e..2fc041207 100644
--- a/app/controllers/admin/instances_controller.rb
+++ b/app/controllers/admin/instances_controller.rb
@@ -62,7 +62,7 @@ module Admin end def filter_params
- params.permit(:limited, :by_domain)
+ params.slice(*InstanceFilter::KEYS).permit(*InstanceFilter::KEYS) end end end
diff --git a/app/controllers/admin/invites_controller.rb b/app/controllers/admin/invites_controller.rb
index 44a8eec77..dabfe9765 100644
--- a/app/controllers/admin/invites_controller.rb
+++ b/app/controllers/admin/invites_controller.rb
@@ -47,7 +47,7 @@ module Admin end def filter_params
- params.permit(:available, :expired)
+ params.slice(*InviteFilter::KEYS).permit(*InviteFilter::KEYS) end end end
diff --git a/app/controllers/admin/reports_controller.rb b/app/controllers/admin/reports_controller.rb
index 09ce1761c..7c831b3d4 100644
--- a/app/controllers/admin/reports_controller.rb
+++ b/app/controllers/admin/reports_controller.rb 
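Review bot: The rewritten `filter_params` in accounts_controller.rb no longer permits `disabled`: the removed list carried `:disabled`, but `AccountFilter::KEYS` as added in app/models/account_filter.rb in this same commit does not include it, so `params.slice(*AccountFilter::KEYS)` now drops a `disabled` query parameter before it reaches the filter. Whether that changes behaviour depends on whether `AccountFilter` acts on a `disabled` key, which is outside the hunk; if it does, `disabled` belongs in `KEYS`, and if it does not, the old permit entry was dead and the change is fine. The removed `ACCOUNT_FILTERS` in app/helpers/admin/filter_helper.rb did not list `disabled` either, so the view side already lacked it before this commit. Either way a comment on `KEYS` such as `# Single source of truth for the filter query keys: controller whitelist and view hidden fields both read this` would stop the two lists drifting again; the enclosing `Admin::AccountsController` continues outside the hunk.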
@@ -52,12 +52,7 @@ module Admin end def filter_params
- params.permit(
- :account_id,
- :resolved,
- :target_account_id,
- :by_target_domain
- )
+ params.slice(*ReportFilter::KEYS).permit(*ReportFilter::KEYS) end def set_report
diff --git a/app/controllers/admin/tags_controller.rb b/app/controllers/admin/tags_controller.rb
index 65341bbfb..59df4470e 100644
--- a/app/controllers/admin/tags_controller.rb
+++ b/app/controllers/admin/tags_controller.rb
@@ -73,7 +73,7 @@ module Admin end def filter_params
- params.slice(:directory, :reviewed, :unreviewed, :pending_review, :page, :popular, :active, :name).permit(:directory, :reviewed, :unreviewed, :pending_review, :page, :popular, :active, :name)
+ params.slice(:page, *TagFilter::KEYS).permit(:page, *TagFilter::KEYS) end def tag_params
diff --git a/app/controllers/relationships_controller.rb b/app/controllers/relationships_controller.rb
index e6705c327..9d0be4a00 100644
--- a/app/controllers/relationships_controller.rb
+++ b/app/controllers/relationships_controller.rb
@@ -85,7 +85,7 @@ class RelationshipsController < ApplicationController end def current_params
- params.slice(:page, :status, :relationship, :by_domain, :activity, :order).permit(:page, :status, :relationship, :by_domain, :activity, :order)
+ params.slice(:page, *RelationshipFilter::KEYS).permit(:page, *RelationshipFilter::KEYS) end def action_from_button
diff --git a/app/helpers/admin/filter_helper.rb b/app/helpers/admin/filter_helper.rb
index fc4f15985..130686a02 100644
--- a/app/helpers/admin/filter_helper.rb
+++ b/app/helpers/admin/filter_helper.rb 
@@ -1,15 +1,15 @@ # frozen_string_literal: true module Admin::FilterHelper
- ACCOUNT_FILTERS = %i(local remote by_domain active pending silenced suspended username display_name email ip staff).freeze
- REPORT_FILTERS = %i(resolved account_id target_account_id by_target_domain).freeze
- INVITE_FILTER = %i(available expired).freeze
- CUSTOM_EMOJI_FILTERS = %i(local remote by_domain shortcode).freeze
- TAGS_FILTERS = %i(directory reviewed unreviewed pending_review popular active name).freeze
- INSTANCES_FILTERS = %i(limited by_domain).freeze
- FOLLOWERS_FILTERS = %i(relationship status by_domain activity order).freeze
- 
- FILTERS = ACCOUNT_FILTERS + REPORT_FILTERS + INVITE_FILTER + CUSTOM_EMOJI_FILTERS + TAGS_FILTERS + INSTANCES_FILTERS + FOLLOWERS_FILTERS
+ FILTERS = [
+ AccountFilter::KEYS,
+ CustomEmojiFilter::KEYS,
+ ReportFilter::KEYS,
+ TagFilter::KEYS,
+ InstanceFilter::KEYS,
+ InviteFilter::KEYS,
+ RelationshipFilter::KEYS,
+ ].flatten.freeze def filter_link_to(text, link_to_params, link_class_params = link_to_params) new_url = filtered_url_for(link_to_params)
diff --git a/app/javascript/packs/public.js b/app/javascript/packs/public.js
index 6a7f8831d..9bc6214af 100644
--- a/app/javascript/packs/public.js
+++ b/app/javascript/packs/public.js
@@ -142,15 +142,6 @@ function main() { return false; });
- delegate(document, '.blocks-table button.icon-button', 'click', function(e) {
- e.preventDefault();
- 
- const classList = this.firstElementChild.classList;
- classList.toggle('fa-chevron-down');
- classList.toggle('fa-chevron-up');
- this.parentElement.parentElement.nextElementSibling.classList.toggle('hidden');
- });
-
 delegate(document, '.modal-button', 'click', e => { e.preventDefault();
diff --git a/app/models/account_filter.rb b/app/models/account_filter.rb
index c3b1fe08d..c1e6b0deb 100644
--- a/app/models/account_filter.rb
+++ b/app/models/account_filter.rb 
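Review bot: The new `FILTERS` constant keeps duplicate keys — `by_domain` occurs in four of the concatenated `KEYS` arrays and `local`, `remote` and `active` in two — because `.flatten` does not dedupe, just as the removed `+` chain did not. If `FILTERS` is only used for membership tests this is harmless, but `filter_link_to` and `filtered_url_for` continue outside the hunk so I cannot tell; `].flatten.uniq.freeze` costs nothing and makes any iteration over the list safe. A comment above the constant stating what `FILTERS` is consumed by would also help, since the bare array no longer says.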
@@ -1,6 +1,21 @@ # frozen_string_literal: true class AccountFilter
+ KEYS = %i(
+ local
+ remote
+ by_domain
+ active
+ pending
+ silenced
+ suspended
+ username
+ display_name
+ email
+ ip
+ staff
+ ).freeze
+
 attr_reader :params def initialize(params)
diff --git a/app/models/custom_emoji_filter.rb b/app/models/custom_emoji_filter.rb
index 15b8da1d1..414e1fcdd 100644
--- a/app/models/custom_emoji_filter.rb
+++ b/app/models/custom_emoji_filter.rb
@@ -1,6 +1,13 @@ # frozen_string_literal: true class CustomEmojiFilter
+ KEYS = %i(
+ local
+ remote
+ by_domain
+ shortcode
+ ).freeze
+
 attr_reader :params def initialize(params)
diff --git a/app/models/instance_filter.rb b/app/models/instance_filter.rb
index 8bfab826d..9c467bc27 100644
--- a/app/models/instance_filter.rb
+++ b/app/models/instance_filter.rb
@@ -1,6 +1,11 @@ # frozen_string_literal: true class InstanceFilter
+ KEYS = %i(
+ limited
+ by_domain
+ ).freeze
+
 attr_reader :params def initialize(params)
diff --git a/app/models/invite_filter.rb b/app/models/invite_filter.rb
index 7d89bad4a..9685d4abb 100644
--- a/app/models/invite_filter.rb
+++ b/app/models/invite_filter.rb
@@ -1,6 +1,11 @@ # frozen_string_literal: true class InviteFilter
+ KEYS = %i(
+ available
+ expired
+ ).freeze
+
 attr_reader :params def initialize(params)
diff --git a/app/models/relationship_filter.rb b/app/models/relationship_filter.rb new file mode 100644
index 000000000..51640f494
--- /dev/null
+++ b/app/models/relationship_filter.rb
@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+ 
+class RelationshipFilter
+ KEYS = %i(
+ relationship
+ status
+ by_domain
+ activity
+ order
+ ).freeze
+end
diff --git a/app/models/report_filter.rb b/app/models/report_filter.rb
index abf53cbab..c32d4359e 100644
--- a/app/models/report_filter.rb
+++ b/app/models/report_filter.rb 
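Review bot: The new `RelationshipFilter` is a bare constant holder — unlike `AccountFilter`, `CustomEmojiFilter`, `InstanceFilter` and `InviteFilter` in the sibling hunks it has no `attr_reader :params` or `initialize`, so a reader will wonder whether the class is unfinished or deliberately minimal. A one-line comment on `KEYS` such as `# Query keys accepted by RelationshipsController#current_params and echoed as hidden fields by relationships/show` would make the intent explicit, since both of those consumers are changed in this same commit. The `KEYS` constants added to the other filter classes on this line would benefit from the same note, as nothing currently says they are the whitelist that the controllers' `filter_params` splat into `permit`.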
@@ -1,6 +1,13 @@ # frozen_string_literal: true class ReportFilter
+ KEYS = %i(
+ resolved
+ account_id
+ target_account_id
+ by_target_domain
+ ).freeze
+
 attr_reader :params def initialize(params)
diff --git a/app/models/tag_filter.rb b/app/models/tag_filter.rb
index 8921e186b..a9ff5b703 100644
--- a/app/models/tag_filter.rb
+++ b/app/models/tag_filter.rb
@@ -1,6 +1,16 @@ # frozen_string_literal: true class TagFilter
+ KEYS = %i(
+ directory
+ reviewed
+ unreviewed
+ pending_review
+ popular
+ active
+ name
+ ).freeze
+
 attr_reader :params def initialize(params)
diff --git a/app/views/admin/accounts/index.html.haml b/app/views/admin/accounts/index.html.haml
index 7e9adb3ff..3a85324c9 100644
--- a/app/views/admin/accounts/index.html.haml
+++ b/app/views/admin/accounts/index.html.haml
@@ -22,7 +22,7 @@ = form_tag admin_accounts_url, method: 'GET', class: 'simple_form' do .fields-group
- - Admin::FilterHelper::ACCOUNT_FILTERS.each do |key|
+ - AccountFilter::KEYS.each do |key| - if params[key].present? = hidden_field_tag key, params[key]
diff --git a/app/views/admin/custom_emojis/index.html.haml b/app/views/admin/custom_emojis/index.html.haml
index 389e9dd71..69aa5ae41 100644
--- a/app/views/admin/custom_emojis/index.html.haml
+++ b/app/views/admin/custom_emojis/index.html.haml
@@ -25,7 +25,7 @@ = form_tag admin_custom_emojis_url, method: 'GET', class: 'simple_form' do .fields-group
- - Admin::FilterHelper::CUSTOM_EMOJI_FILTERS.each do |key|
+ - CustomEmojiFilter::KEYS.each do |key| = hidden_field_tag key, params[key] if params[key].present? - %i(shortcode by_domain).each do |key|
@@ -39,7 +39,7 @@ = form_for(@form, url: batch_admin_custom_emojis_path) do |f| = hidden_field_tag :page, params[:page] || 1
- - Admin::FilterHelper::CUSTOM_EMOJI_FILTERS.each do |key|
+ - CustomEmojiFilter::KEYS.each do |key| = hidden_field_tag key, params[key] if params[key].present? .batch-table 
diff --git a/app/views/admin/email_domain_blocks/index.html.haml b/app/views/admin/email_domain_blocks/index.html.haml
index c1cc470b6..6015cfac0 100644
--- a/app/views/admin/email_domain_blocks/index.html.haml
+++ b/app/views/admin/email_domain_blocks/index.html.haml
@@ -4,7 +4,7 @@ - content_for :heading_actions do = link_to t('admin.email_domain_blocks.add_new'), new_admin_email_domain_block_path, class: 'button'
-- if @email_domain_blocks.count == 0
+- if @email_domain_blocks.empty? %div.muted-hint.center-text=t 'admin.email_domain_blocks.empty' - else .table-wrapper
diff --git a/app/views/admin/instances/index.html.haml b/app/views/admin/instances/index.html.haml
index 1d85aa75e..0b299acc5 100644
--- a/app/views/admin/instances/index.html.haml
+++ b/app/views/admin/instances/index.html.haml
@@ -19,9 +19,8 @@ - unless whitelist_mode? = form_tag admin_instances_url, method: 'GET', class: 'simple_form' do .fields-group
- - Admin::FilterHelper::INSTANCES_FILTERS.each do |key|
- - if params[key].present?
- = hidden_field_tag key, params[key]
+ - InstanceFilter::KEYS.each do |key|
+ = hidden_field_tag key, params[key] if params[key].present? - %i(by_domain).each do |key| .input.string.optional
diff --git a/app/views/admin/reports/index.html.haml b/app/views/admin/reports/index.html.haml
index 30c7549b0..0263b80fb 100644
--- a/app/views/admin/reports/index.html.haml
+++ b/app/views/admin/reports/index.html.haml
@@ -10,9 +10,8 @@ = form_tag admin_reports_url, method: 'GET', class: 'simple_form' do .fields-group
- - Admin::FilterHelper::REPORT_FILTERS.each do |key|
- - if params[key].present?
- = hidden_field_tag key, params[key]
+ - ReportFilter::KEYS.each do |key|
+ = hidden_field_tag key, params[key] if params[key].present? - %i(by_target_domain).each do |key| .input.string.optional
diff --git a/app/views/admin/tags/index.html.haml b/app/views/admin/tags/index.html.haml
index 7f2c53190..1ff538ba3 100644
--- a/app/views/admin/tags/index.html.haml 
+++ b/app/views/admin/tags/index.html.haml
@@ -28,7 +28,7 @@ = form_tag admin_tags_url, method: 'GET', class: 'simple_form' do .fields-group
- - Admin::FilterHelper::TAGS_FILTERS.each do |key|
+ - TagFilter::KEYS.each do |key| = hidden_field_tag key, params[key] if params[key].present? - %i(name).each do |key|
@@ -43,9 +43,8 @@ = form_for(@form, url: batch_admin_tags_path) do |f| = hidden_field_tag :page, params[:page] || 1
- = hidden_field_tag :name, params[:name] if params[:name].present?
- - Admin::FilterHelper::TAGS_FILTERS.each do |key|
+ - TagFilter::KEYS.each do |key| = hidden_field_tag key, params[key] if params[key].present? .batch-table.optional
diff --git a/app/views/filters/index.html.haml b/app/views/filters/index.html.haml
index 8ace638ca..b4d5333aa 100644
--- a/app/views/filters/index.html.haml
+++ b/app/views/filters/index.html.haml
@@ -4,7 +4,7 @@ - content_for :heading_actions do = link_to t('filters.new.title'), new_filter_path, class: 'button'
-- if @filters.count == 0
+- if @filters.empty? %div.muted-hint.center-text= t 'filters.index.empty' - else .table-wrapper
diff --git a/app/views/relationships/show.html.haml b/app/views/relationships/show.html.haml
index 0da1596ce..099bb3202 100644
--- a/app/views/relationships/show.html.haml
+++ b/app/views/relationships/show.html.haml
@@ -33,10 +33,9 @@ = form_for(@form, url: relationships_path, method: :patch) do |f| = hidden_field_tag :page, params[:page] || 1
- = hidden_field_tag :relationship, params[:relationship]
- = hidden_field_tag :status, params[:status]
- = hidden_field_tag :activity, params[:activity]
- = hidden_field_tag :order, params[:order]
+ 
+ - RelationshipFilter::KEYS.each do |key|
+ = hidden_field_tag key, params[key] if params[key].present? .batch-table .batch-table__toolbar
diff --git a/app/views/settings/applications/index.html.haml b/app/views/settings/applications/index.html.haml
index 1cb94760f..a1f904a3a 100644
--- a/app/views/settings/applications/index.html.haml 
+++ b/app/views/settings/applications/index.html.haml
@@ -4,7 +4,7 @@ - content_for :heading_actions do = link_to t('doorkeeper.applications.index.new'), new_settings_application_path, class: 'button'
-- if @applications.count == 0
+- if @applications.empty? %div.muted-hint.center-text=t 'doorkeeper.applications.index.empty' - else .table-wrapper
diff --git a/config/routes.rb b/config/routes.rb
index 5411cff58..ff308699d 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -231,7 +231,7 @@ Rails.application.routes.draw do end end
- resource :role do
+ resource :role, only: [] do member do post :promote post :demote -- cgit