1
0
Commit Graph

2144 Commits

Author SHA1 Message Date
Claire
3a6451c867
Add support for incoming rich text () 2023-03-03 20:19:29 +01:00
Matt Jankowski
af578e8ce0
Fix deprecation warning about merging conditions () 2023-03-02 16:21:04 +01:00
Matt Jankowski
9da52ac044
Update rspec-rails to version 6.0.1 () 2023-03-02 15:55:37 +01:00
Matt Jankowski
35dff48edf
Add spec coverage for Admin::Trends::StatusesHelper () 2023-03-02 15:30:40 +01:00
Stanislav Dobrovolschii
d9271126ce
Add rspecs for FollowRecommendationsScheduler () 2023-03-02 10:05:05 +01:00
Matt Jankowski
b6602f68eb
Spec coverage for HomeHelper () 2023-03-02 10:04:14 +01:00
Matt Jankowski
6185efbc3c
Admin mailer spec coverage improvement () 2023-02-28 22:33:34 +09:00
Matt Jankowski
9ee83a9f3b
Add policies and serializers groups to simplecov output () 2023-02-27 16:35:47 +01:00
Matt Jankowski
4bb39ac3c3
Fix single-record invalid condition on PollVote () 2023-02-27 09:31:15 +01:00
Nick Schonning
19614ba247
Rename ActivityPub Serializer Specs () 2023-02-23 23:17:48 +01:00
Claire
20b80c62ff
Change auto-deletion throttling constants to better scale with server size () 2023-02-23 16:52:40 +01:00
Nick Schonning
6bd7003799
Fix mispelled spec filenames () 2023-02-23 11:28:56 +01:00
Claire
3ed1b9ebb6
Fix rack:attack flaky tests and test end of throttle period () 2023-02-22 10:28:52 +01:00
Nick Schonning
8fd3fc404d
Autofix Rubocop Rails/RootPathnameMethods () 2023-02-22 09:57:15 +09:00
Nick Schonning
84cc805cae
Enable Style/FrozenStringLiteralComment for specs () 2023-02-22 09:55:31 +09:00
Nick Schonning
0cfdd1a401
Enable Rubocop Style/StringConcatenation defaults () 2023-02-22 09:54:36 +09:00
Nick Schonning
35d032500b
Autofix Rubocop Security/IoMethods () 2023-02-21 03:21:19 +09:00
Nick Schonning
2c3c734bcc
Autofix Rubocop Style/SymbolProc () 2023-02-20 07:58:46 +01:00
Nick Schonning
717683d1c3
Autofix Rubocop remaining Layout rules () 2023-02-20 06:58:28 +01:00
Nick Schonning
5116347eb7
Autofix Rubocop RSpec/BeEq () 2023-02-20 06:14:50 +01:00
Nick Schonning
bf785df9fe
Audofix Rubocop Style/WordArray () 2023-02-20 06:14:10 +01:00
Nick Schonning
4552685f6b
Autofix Rubocop RSpec/LeadingSubject () 2023-02-20 13:24:14 +09:00
Nick Schonning
4ea1e0fceb
Enable Rubocop RSpec/ExpectActual () 2023-02-20 05:00:59 +01:00
Nick Schonning
38a1d8bb85
Autofix Rubocop RSpec/ImplicitSubject () 2023-02-20 05:00:48 +01:00
Nick Schonning
5179c47087
Autofix Rubocops RSpec/ScatteredLet () 2023-02-20 11:17:41 +09:00
Nick Schonning
aef0051fd0
Enable Rubocop HTTP status rules () 2023-02-20 11:16:40 +09:00
Nick Schonning
bd1d57c230
Autofix Rubocop RSpec/EmptyLineAfterSubject () 2023-02-20 02:46:00 +01:00
Nick Schonning
dbc6d7b276
Autofix Rubocop Lint/UnusedBlockArgument () 2023-02-20 02:45:50 +01:00
Nick Schonning
65ba0d92ef
Enable Rubocop RSpec/NotToNot () 2023-02-20 02:33:27 +01:00
Nick Schonning
a2fdb388eb
Autofix Rubocop RSpec/ReturnFromStub () 2023-02-20 02:32:10 +01:00
Nick Schonning
21bf326356
Autofix Rubocop Rails/Pluck () 2023-02-20 02:28:40 +01:00
Nick Schonning
e0e63b73ee
Autofix Rubocop RSpec/EmptyLineAfterHook () 2023-02-19 14:54:34 +09:00
Nick Schonning
81ad6c2e39
Autofix Rubocop Style/StringLiterals () 2023-02-19 07:38:14 +09:00
Nick Schonning
ac3561098e
Autofix Rubocop RSpec/LetBeforeExamples () 2023-02-19 07:17:59 +09:00
Nick Schonning
1a02101100
Autofix Rubocop Style/EmptyLambdaParameter () 2023-02-19 07:12:06 +09:00
Nick Schonning
3680e032b4
Autofix Rubocop RSpec/EmptyLineAfterFinalLet () 2023-02-19 07:10:19 +09:00
Nick Schonning
167709f6b0
Autofix Rubocop Style/BlockDelimiters () 2023-02-19 07:00:17 +09:00
Nick Schonning
c0d7c855b3
Autofix Rubocop RSpec/Capybara/FeatureMethods () 2023-02-19 06:59:00 +09:00
Nick Schonning
08289a38fa
Autofix Rubocop Style/TrailingCommaInArrayLiteral () 2023-02-19 06:54:30 +09:00
Nick Schonning
5069769cbe
Autofix Rubocop Style/TrailingCommaInHashLiteral () 2023-02-18 23:33:41 +09:00
Nick Schonning
b4cbfff3eb
Autofix Rubocop RSpec/ExcessiveDocstringSpacing () 2023-02-18 12:47:37 +01:00
Nick Schonning
c38bd17657
Autofix Rubocop Style/TrailingCommaInArguments () 2023-02-18 12:39:58 +01:00
Nick Schonning
e2a3ebb271
Autofix Rubocop Style/IfUnlessModifier () 2023-02-18 12:37:47 +01:00
Nick Schonning
d65b2c1924
Apply Rubocop Style/RedundantConstantBase () 2023-02-18 04:30:03 +01:00
Nick Schonning
a7db0b41cd
Autofix Rubocop Lint/ParenthesesAsGroupedExpression () 2023-02-18 04:00:05 +01:00
Nick Schonning
e5cf23cf3a
Enable Rubocop RSpec/HooksBeforeExamples () 2023-02-18 03:59:57 +01:00
Nick Schonning
efd424506a
Autofix Rubocop Style/RedundantPercentQ () 2023-02-18 03:32:57 +01:00
Nick Schonning
c0a645f647
Autofix Rubocop RSpec/ExampleWording () 2023-02-18 03:26:20 +01:00
Nick Schonning
7a3d4c3d4b
Enable Rubocop RSpec/MultipleDescribes () 2023-02-18 03:25:47 +01:00
Nick Schonning
54318dcd6d
Autofix Rubocop RSpec/ClassCheck () 2023-02-18 03:24:16 +01:00
Nick Schonning
634368c491
Autofix Rubocop Lint/SymbolConversion () 2023-02-18 03:23:49 +01:00
Nick Schonning
6d42820e5d
Autofix Rubocop Lint/AmbiguousOperator () 2023-02-18 03:22:01 +01:00
Nick Schonning
ac59d6f19f
Enable Rubocop Style/NumericLiterals () 2023-02-18 11:05:57 +09:00
Nick Schonning
669f6d2c0a
Run rubocop formatting except line length () 2023-02-18 06:56:20 +09:00
Nick Schonning
6ed6c41724
Autofix Rubocop RSpec/EmptyLineAfterExample () 2023-02-17 21:46:00 +09:00
Nick Schonning
68b1071f86
Autofix Rubocop RSpec/BeNil () 2023-02-17 21:45:27 +09:00
Nick Schonning
936204b9ea
Autofix Rubocop Style/NestedParenthesizedCalls () 2023-02-17 21:43:10 +09:00
Nick Schonning
37914c8757
Autofix Rubocop Style/MethodCallWithoutArgsParentheses () 2023-02-17 21:36:14 +09:00
Claire
66f715550e
Add memorial attribute to REST API () 2023-02-14 13:50:55 +01:00
Claire
d6930b3847
Add API parameter to safeguard unexpect mentions in new posts () 2023-02-13 16:36:29 +01:00
Varun Sharma
45e2936c89
Add tests to indicate inclusion of self replies in statuses endpoint () 2023-02-13 16:04:26 +01:00
Claire
c55568c75a
Add tests for REST::AccountSerializer () 2023-02-13 13:23:59 +01:00
Claire
0c9eac80d8
Fix unbounded recursion in post discovery ()
* Add a limit to how many posts can get fetched as a result of a single request

* Add tests

* Always pass `request_id` when processing `Announce` activities

---------

Co-authored-by: nametoolong <nametoolong@users.noreply.github.com>
2023-02-10 22:16:37 +01:00
Nick Schonning
0592937264
Apply Rubocop Rails/WhereNot ()
* Apply Rubocop Rails/WhereNot

* Update spec for where.not
2023-02-08 10:39:57 +01:00
Nick Schonning
1487fcde93
Apply Rubocop Style/ExpandPathArguments () 2023-02-08 07:06:20 +01:00
Nick Schonning
ed570050c6
Autofix Rails/EagerEvaluationLogMessage ()
* Autofix Rails/EagerEvaluationLogMessage

* Update spec for debug block syntax
2023-02-07 03:44:36 +01:00
Claire
9edefc779f
Fix UserCleanupScheduler crash when an unconfirmed account has a moderation note ()
* Fix `UserCleanupScheduler` crash when an unconfirmed account has a moderation note

* Add tests
2023-02-07 01:14:44 +01:00
Claire
20a479ff7c
Change POST /settings/applications/:id to regenerate token on scopes change ()
Fixes 
2023-02-02 12:03:49 +01:00
Claire
13a2abacc8
Add roles attribute to Account entities in REST API () 2023-01-25 19:55:40 +01:00
Claire
a5a00d7f7a
Fix email with empty domain name labels passing validation ()
* Fix email with empty domain name labels passing validation

`EmailMxValidator` would allow empty labels because `Resolv::DNS` is
particularly lenient about them, but the email would be invalid and
unusable.

* Add tests
2023-01-24 20:18:41 +01:00
Claire
6883fddb19
Fix account activation being triggered before email confirmation ()
* Add tests

* Fix account activation being triggered before email confirmation

Fixes 
2023-01-24 19:40:21 +01:00
Markus Unterwaditzer
f2a6e71bb6
Suppress AddressFamilyError in link verification ()
* Suppress AddressFamilyError

* clarify comment
2023-01-23 13:05:54 +01:00
Claire
448be26b34
Add missing policy attribute to WebPushSubscriptionSerializer ()
* Add missing `policy` attribute to `WebPushSubscriptionSerializer`

Fixes 

* Add tests
2023-01-23 13:05:30 +01:00
Claire
68dcbcb7bf
Add more specific error messages to HTTP signature verification ()
* Return specific error on failure to parse Date header

* Add error message when preferredUsername is not set

* Change error report to be JSON and include more details

* Change error report to differentiate unknown account and failed refresh

* Add tests
2023-01-18 16:47:56 +01:00
Claire
343e1fe8e9
Add confirmation screen when handling reports ()
* Add confirmation screen on moderation actions

* Add flash notice when a report has been processed

* Refactor tests

* Add tests
2023-01-18 16:40:09 +01:00
Claire
4b92e59f4f
Add support for editing media description and focus point of already-posted statuses ()
* Add backend support for editing media attachments of existing posts

* Allow editing media attachments of already-posted toots

* Add tests
2023-01-18 16:33:55 +01:00
Claire
fcc4c9b34a
Change domain block CSV parsing to be more robust and handle more lists ()
* Change domain block CSV parsing to be more robust and handle more lists

* Add some tests

* Improve domain block import validation and reporting
2023-01-18 16:20:52 +01:00
Claire
21a1a8ee88
Fix crash when marking statuses as sensitive while some statuses are deleted ()
* Do not offer to mark statuses as sensitive if there is no undeleted status with media attachments

* Fix crash when marking statuses as sensitive while some statuses are deleted

Fixes 

* Fix multiple strikes being created for a single report when selecting “Mark as sensitive”

* Add tests
2023-01-13 10:46:52 +01:00
Claire
15b88a83ab
Fix sanitizer parsing link text as HTML when stripping unsupported links () 2023-01-11 22:21:10 +01:00
Markus Unterwaditzer
0c689b9d01
fix: allow verification when page size exceeds 1MB (using HTML5 parser) ()
* fix: allow verification when page size exceeds 1MB
Truncates the page after 1MB instead

Closes 

* switch to HTML5 parser, fix rubocop errors

* undo rubocop fixes

Co-authored-by: Chris Zubak-Skees <chriszs@gmail.com>
2023-01-11 21:59:13 +01:00
Claire
18fb01ef7c
Fix possible race conditions when suspending/unsuspending accounts ()
* Fix possible race conditions when suspending/unsuspending accounts

* Fix tests

Tests were assuming SuspensionWorker and UnsuspensionWorker would do the
suspending/unsuspending themselves, but this has changed.
2023-01-05 13:47:21 +01:00
Jeong Arm
fdd1facba1
Fix home TL could contain post from who blocked me ()
* Fix home tl contains post from who blocked me

* Add test

* Fix feed_manager's build_crutches

blocked_by was not includes status' owner

* Add test for status from I blocked

* Fix typo
2023-01-05 13:30:38 +01:00
Partho Ghosh
115ab2869b
Fix ・ detection in hashtag regex to construct hashtag correctly ()
* Fix ・ detection in hashtag regex to construct hashtag correctly

* Fixed rubocop liniting issues

* More rubocop linting fix
2023-01-04 02:12:48 +01:00
Claire
70415714f1
Add follow request banner on account header ()
* Add requested_by to relationship maps

* Display whether an account has requested to follow you on their profile
2022-12-15 18:50:11 +01:00
Claire
8556a649d5
Fix changing domain block severity not undoing individual account effects ()
* Fix changing domain block severity not undoing individual account effects

Fixes 

* Add tests
2022-12-15 17:45:02 +01:00
Jeong Arm
d412147d02
Save avatar or header correctly even if other one fails ()
* Save avatar or header correctly if other one fails

* Fix test
2022-12-15 17:11:14 +01:00
Neil Matatall
1f5740e65c
Use Rails tag API to build RSS feed for spoilers and polls ()
* Use Rails tag API to build RSS feed for spoilers and polls

While the previous method did not contain a bug or a potential issue,
the tag API can be very resilient against future problems and reduces the
amount of manual management of the escape status of the content.

I've added tests to ensure that the formatting is broken and still
escapes control characters correctly.

* this seems cleaner and passes

* Incorporate feedback by moving the br to its own line and using the tag helper over the string constant for the br tag itself

* whoops, tag helper doesn't use a self-closing tag
2022-12-15 16:39:41 +01:00
Ikko Ashimine
baecdf2882
Fix typo in application_helper_spec.rb ()
enviroment -> environment
2022-12-15 16:20:55 +01:00
Francis Murillo
5fb1c3e934
Revoke all authorized applications on password reset ()
* Clear sessions on password change

* Rename User::clear_sessions to revoke_access for a clearer meaning

* Add reset paassword controller test

* Use User.find instead of User.find_for_authentication for reset password test

* Use redirect and render for better test meaning in reset password

Co-authored-by: Effy Elden <effy@effy.space>
2022-12-15 15:47:06 +01:00
Meisam
6cdbc345f4
Validate nodeinfo response by schema ()
* add json-schema to :test in Gemfile

* Create node_info_2.0_schema.json

* test match_response_schema

* Create match_response_schema.rb

* Update nodeinfo_controller_spec.rb

* Rename spec/support/node_info_2.0_schema.json to spec/support/schema/node_info_2.0_schema.json

* Update match_response_schema.rb

* cleanup

* additionally validate the json schema itself

disable throwing errors

test the schema matcher

* rename nodeinfo schema to nodeinfo_2.0

* use Rails.root.join to construct the path

* prettify json

* sync Gemfile.lock
2022-12-15 15:43:05 +01:00
Claire
b59fb28e90
Fix 500 error when trying to migrate to an invalid address ()
* Fix 500 error when trying to migrate to an invalid address

* Add tests
2022-12-07 02:35:39 +01:00
Francis Murillo
f6492a7c4d
Log admin approve and reject account ()
* Log admin approve and reject account

* Add unit tests for approve and reject logging
2022-12-07 00:25:18 +01:00
Claire
c8849d6cee
Fix unbounded recursion in account discovery ()
* Fix trying to fetch posts from other users when fetching featured posts

* Rate-limit discovery of new subdomains

* Put a limit on recursively discovering new accounts
2022-12-07 00:15:24 +01:00
Claire
69137f4a90
Fix irreversible and whole_word parameters handling in /api/v1/filters ()
Fixes 
2022-12-07 00:10:53 +01:00
Claire
625216d8e1
Fix attachments of edited statuses not being fetched ()
* Fix attachments of edited statuses not being fetched

* Fix tests
2022-11-27 20:39:05 +01:00
Claire
51a33ce77a
Fix not being able to follow more than one hashtag ()
Fixes regression from 
2022-11-21 10:35:09 +01:00
David Leadbeater
69378eac99
Don't allow URLs that contain non-normalized paths to be verified ()
* Don't allow URLs that contain non-normalized paths to be verified

This stops things like https://example.com/otheruser/../realuser where
"/otheruser" appears to be the verified URL, but the actual URL being
verified is "/realuser" due to the "/../".

Also fix a test to use 'https', so it is testing the right thing, now
that since  https is required.

* missing do
2022-11-20 19:28:13 +01:00
Rose
4f15fd0ba1
Fix style for hashes ()
* Fix style for hashes

Make the style for hashes consistent.

* New style

More consistency
2022-11-17 11:05:39 +01:00
lenore gilbert
c373148b3d
Support for import/export of instance-level domain blocks/allows for 4.x w/ additional fixes ()
* Allow import/export of instance-level domain blocks/allows ()

* Allow import/export of instance-level domain blocks/allows.
Fixes 

* Pacify circleci

* Address simple code review feedback

* Add headers to exported CSV

* Extract common import/export functionality to
AdminExportControllerConcern

* Add additional fields to instance-blocked domain export

* Address review feedback

* Split instance domain block/allow import/export into separate pages/controllers

* Address code review feedback

* Pacify DeepSource

* Work around Paperclip::HasAttachmentFile for Rails 6

* Fix deprecated API warning in export tests

* Remove after_commit workaround

(cherry picked from commit 94e98864e3)

* Add confirmation page when importing blocked domains ()

* Move glitch-soc-specific strings to glitch-soc-specific locale files

* Add confirmation page when importing blocked domains

(cherry picked from commit b91196f4b7)

* Fix authorization check in domain blocks controller

(cherry picked from commit 7527937758)

* Fix error strings for domain blocks and email-domain blocks

Corrected issue with non-error message used for Mastodon:NotPermittedError in Domain Blocks
Corrected issue Domain Blocks using the Email Domain Blocks message on ActionContoller::ParameterMissing
Corrected issue with Email Domain Blocks using the not_permitted string from "custom emojii's"

* Ran i18n-tasks normalize to address test failure

* Removed unused admin.export_domain_blocks.not_permitted string

Removing unused string as indicated by Check i18n

* Fix tests

(cherry picked from commit 9094c2f52c)

* Fix domain block export not exporting blocks with only media rejection

(cherry picked from commit 26ff48ee48)

* Fix various issues with domain block import

- stop using Paperclip for processing domain allow/block imports
- stop leaving temporary files
- better error handling
- assume CSV files are UTF-8-encoded

(cherry picked from commit cad824d8f501b95377e4f0a957e5a00d517a1902)

Co-authored-by: Levi Bard <taktaktaktaktaktaktaktaktaktak@gmail.com>
Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2022-11-17 11:05:09 +01:00
Joshua Wood
daf6f3453e
Handle links with no href in VerifyLinkService ()
Before this change, the following error would cause VerifyAccountLinksWorker to fail:

NoMethodError: undefined method `downcase' for nil:NilClass
  [PROJECT_ROOT]/app/services/verify_link_service.rb:31 :in `block in link_back_present?`
2022-11-17 10:59:35 +01:00
Eugen Rochko
21fd25a269
Fix rate limiting for paths with formats () 2022-11-14 20:26:31 +01:00
trwnh
b59ce0a60f
Move V2 Filter methods under /api/v2 prefix ()
* Move V2 Filter methods under /api/v2 prefix

* move over the tests too
2022-11-14 08:34:07 +01:00
Eugen Rochko
552d69ad96
Fix error when invalid domain name is submitted ()
Fix 
2022-11-14 08:07:14 +01:00
Eugen Rochko
b31afc6294
Fix error when passing unknown filter param in REST API ()
Fix 
2022-11-14 08:06:06 +01:00
Hampton Lintorn-Catlin
147d8bd8fc
Support UTF-8 Characters in Domains During CSV Import ()
* Support UTF-8 Characters in Domains During Import

* Update Changelong
2022-11-14 05:52:13 +01:00
Emily Strickland
c2231539c7
Test blank account field verifiability ()
* Test blank account field verifiability

This change tests the need for , which ensures that we guard against a situation in which `at_xpath` returns `nil`.

* Test verifiability of blank fields for remote account profiles

This adds a counterpart test for remote account profiles' fields' verifiability when those fields are blank. I previously added the same test for local accounts.
2022-11-13 21:02:09 +01:00
F
d4f973227c
Test the native_locale_name of a non-standard locale ()
`:en` is English for both `standard_locale_name` and
`native_locale_name`, and so makes for a poor test candidate for
differentiating between them.
2022-11-11 00:06:18 +01:00
Eugen Rochko
9965a23b04
Change link verification to ignore IDN domains ()
Fix 
2022-11-10 06:27:45 +01:00
Eugen Rochko
e98833748e
Fix being able to spoof link verification ()
- Change verification to happen in `default` queue
- Change verification worker to only be queued if there's something to do
- Add `link` tags from metadata fields to page header of profiles
2022-11-09 08:24:21 +01:00
luzpaz
6ba52306f9
Fix typos ()
Found via `codespell -q 3 -S ./yarn.lock,./CHANGELOG.md,./AUTHORS.md,./config/locales,./app/javascript/mastodon/locales -L ba,followings,keypair,medias,pattens,pixelx,rememberable,ro,te`
2022-11-08 17:32:03 +01:00
Roni Laukkarinen
36b0ff57b7
Fix grammar () 2022-11-08 16:35:42 +01:00
Claire
bbf74498f5
Fix validation error in SynchronizeFeaturedTagsCollectionWorker ()
* Fix followers count not being updated when migrating follows

Fixes 

* Fix validation error in SynchronizeFeaturedTagsCollectionWorker

Also saves remote user's chosen case for hashtags

* Limit remote featured tags before validation
2022-11-07 22:35:53 +01:00
Claire
3114c826a7
Fix filter handling in status cache hydration () 2022-11-07 19:47:48 +01:00
Claire
5925a31b78
Fix followers count not being updated when migrating follows ()
Fixes 
2022-11-07 15:38:55 +01:00
Claire
bb89f83cc0
Fix additional issues with status cache hydration ()
* Spare one SQL query when hydrating polls

* Improve tests

* Fix more discrepancies

* Fix possible crash when the status has no application set
2022-11-04 20:01:33 +01:00
Claire
03b991de6c
Fix various issues with store hydration ()
- Improve tests
- Fix possible crash when application of a reblogged post isn't set
- Fix discrepancies around favourited and reblogged attributes
- Fix discrepancies around pinned attribute
- Fix polls not being hydrated
2022-11-04 19:33:16 +01:00
Eugen Rochko
5f9e47be34
Add caching for payload serialization during fan-out () 2022-11-04 13:21:06 +01:00
Claire
4fb0aae636
Change mentions of blocked users to not be processed ()
Fixes 
2022-11-04 13:19:12 +01:00
Claire
9387beb3b3
Change flaky AccountSearchService test () 2022-11-03 23:12:08 +01:00
Claire
1dca08b76f
Fix admin action logs page ()
* Add tests

* Fix crash when trying to display orphaned action logs

* Add migration for older admin action logs
2022-11-03 16:06:42 +01:00
pea-sys
c68e6b52d9
png optimization(loss less) () 2022-11-01 15:06:52 +01:00
Eugen Rochko
d0ba77047e
Change max. thumbnail dimensions to 640x360px (360p) () 2022-11-01 13:01:39 +01:00
Eugen Rochko
40c7f3e830
Fix account action type validation ()
* Fix account action type validation

Fix 

* Fix 

* Fix code style issues
2022-10-30 02:44:32 +02:00
Eugen Rochko
f8ca3bb2a1
Add ability to view previous edits of a status in admin UI ()
* Add ability to view previous edits of a status in admin UI

* Change moderator access to posts to be controlled by a separate policy
2022-10-26 13:42:29 +02:00
Eugen Rochko
bf0ab3e0fa
Fix vacuum scheduler missing lock, locks never expiring ()
Remove vacuuming of orphaned preview cards
2022-10-26 12:10:48 +02:00
Eugen Rochko
1ae508bf2f
Change unauthenticated search to not support pagination in REST API ()
- Only exact search matches for queries with < 5 characters
- Do not support queries with `offset` (pagination)
- Return HTTP 401 on truthy `resolve` instead of overriding to false
2022-10-26 12:10:02 +02:00
Eugen Rochko
7c152acb2c
Change settings area to be separated into categories in admin UI ()
And update all descriptions
2022-10-22 11:44:41 +02:00
Yamagishi Kazutoshi
94feb2b93f
Fix FetchFeaturedCollectionService spec ()
Regression from 
2022-10-21 11:48:22 +02:00
Eugen Rochko
839f893168
Change public accounts pages to mount the web UI ()
* Change public accounts pages to mount the web UI

* Fix handling of remote usernames in routes

- When logged in, serve web app
- When logged out, redirect to permalink
- Fix `app-body` class not being set sometimes due to name conflict

* Fix missing `multiColumn` prop

* Fix failing test

* Use `discoverable` attribute to control indexing directives

* Fix `<ColumnLoading />` not using `multiColumn`

* Add `noindex` to accounts in REST API

* Change noindex directive to not be rendered by default before a route is mounted

* Add loading indicator for detailed status in web UI

* Fix missing indicator appearing while account is loading in web UI
2022-10-20 14:35:29 +02:00
Eugen Rochko
1bd00036c2
Change about page to be mounted in the web UI () 2022-10-13 14:42:37 +02:00
Eugen Rochko
b04633a961
Add image processing and generate blurhash for server thumbnail ()
Remove separate server hero setting
2022-10-13 11:29:19 +02:00
Yamagishi Kazutoshi
7afc6a630c
Redirect non-logged-in user to owner statuses on single user mode () 2022-10-12 21:07:30 +02:00
Eugen Rochko
45ebdb72ca
Add support for language preferences for trending statuses and links () 2022-10-08 16:45:40 +02:00
Eugen Rochko
93f340a4bf
Remove setting that disables account deletes () 2022-10-06 10:16:47 +02:00
Eugen Rochko
62782babd0
Change public statuses pages to mount the web UI () 2022-10-06 02:26:34 +02:00
Eugen Rochko
58d5b28cb0
Remove previous landing page () 2022-10-06 02:19:45 +02:00
Eugen Rochko
9f65909f42
Change public timelines to be filtered by current locale by default ()
In the absence of an opt-in to multiple specific languages in the
preferences, it makes more sense to filter by the user's presumed
language only (interface language or `lang` override)
2022-10-05 03:48:06 +02:00
Eugen Rochko
d2528b26b6
Add server banner to web app, add GET /api/v2/instance to REST API () 2022-10-05 03:47:56 +02:00
Eugen Rochko
02ba9cfa35
Remove code for rendering public and hashtag timelines outside the web UI () 2022-10-04 20:13:46 +02:00
Eugen Rochko
36f4c32a38
Change path of privacy policy page () 2022-09-29 06:22:12 +02:00
Eugen Rochko
43b5d5e38d
Add logged-out access to the web UI () 2022-09-29 04:39:33 +02:00
Eugen Rochko
5c9abdeff1
Add retention policy for cached content and media () 2022-09-27 03:08:19 +02:00
Claire
7165e89362
Add tests to ActivityPub::FetchRemoteKeyService () 2022-09-24 08:33:27 +02:00
Claire
26c51cfa07
Fix various rspec warnings in ReportService tests ()
* Fix various rspec warnings in ReportService tests

* Add tests to ReportService
2022-09-21 22:46:35 +02:00
Claire
8cf7006d4e
Refactor ActivityPub handling to prepare for non-Account actors ()
* Move ActivityPub::FetchRemoteAccountService to ActivityPub::FetchRemoteActorService

ActivityPub::FetchRemoteAccountService is kept as a wrapper for when the actor is
specifically required to be an Account

* Refactor SignatureVerification to allow non-Account actors

* fixup! Move ActivityPub::FetchRemoteAccountService to ActivityPub::FetchRemoteActorService

* Refactor ActivityPub::FetchRemoteKeyService to potentially return non-Account actors

* Refactor inbound ActivityPub payload processing to accept non-Account actors

* Refactor inbound ActivityPub processing to accept activities relayed through non-Account

* Refactor how Account key URIs are built

* Refactor Request and drop unused key_id_format parameter

* Rename ActivityPub::Dereferencer `signature_account` to `signature_actor`
2022-09-21 22:45:57 +02:00
Eugen Rochko
50948b46aa
Add ability to filter followed accounts' posts by language () 2022-09-20 23:51:21 +02:00
Claire
1145dbd327
Improve error reporting and logging when processing remote accounts ()
* Add a more descriptive PrivateNetworkAddressError exception class

* Remove unnecessary exception class to rescue clause

* Remove unnecessary include to JsonLdHelper

* Give more neutral error message when too many webfinger redirects

* Remove unnecessary guard condition

* Rework how “ActivityPub::FetchRemoteAccountService” handles errors

Add “suppress_errors” keyword argument to avoid raising errors in
ActivityPub::FetchRemoteAccountService#call (default/previous behavior).

* Rework how “ActivityPub::FetchRemoteKeyService” handles errors

Add “suppress_errors” keyword argument to avoid raising errors in
ActivityPub::FetchRemoteKeyService#call (default/previous behavior).

* Fix Webfinger::RedirectError not being a subclass of Webfinger::Error

* Add suppress_errors option to ResolveAccountService

Defaults to true (to preserve previous behavior). If set to false,
errors will be raised instead of caught, allowing the caller to be
informed of what went wrong.

* Return more precise error when failing to fetch account signing AP payloads

* Add tests

* Fixes

* Refactor error handling a bit

* Fix various issues

* Add specific error when provided Digest is not 256 bits of base64-encoded data

* Please CodeClimate

* Improve webfinger error reporting
2022-09-20 23:30:26 +02:00
luzpaz
4aa3b9bd01
Fix typos ()
* Fix typos

Found via `codespell -q 3 -S ./CHANGELOG.md,./AUTHORS.md,./config/locales,./app/javascript/mastodon/locales -L ba,keypair,medias,pixelx,ro`

* Follow-up typo fix
2022-08-28 17:44:34 +02:00
Eugen Rochko
0b3e4fd5de
Remove digest e-mails ()
* Remove digest e-mails

* Remove digest-related code
2022-08-25 23:38:22 +02:00
Eugen Rochko
0396acf39e
Add audit log entries for user roles ()
* Refactor audit log schema

* Add audit log entries for user roles
2022-08-25 20:39:40 +02:00
Claire
50487db122
Add ability to filter individual posts ()
* Add database table for status-specific filters

* Add REST endpoints, entities and attributes

* Show status filters in /filters interface

* Perform server-side filtering for individual posts filters

* Fix filtering on context mismatch

* Refactor `toServerSideType` by moving it to its own module

* Move loupe and delete icons to their own module

* Add ability to filter individual posts from WebUI

* Replace keyword list by warnings (expired, context mismatch)

* Refactor server-side filtering code

* Add tests
2022-08-25 04:27:47 +02:00
Eugen Rochko
0412a4d03e
Change e-mail domain blocks to match subdomains of blocked domains () 2022-08-24 19:00:55 +02:00
Eugen Rochko
d83faa1a89
Add ability to block sign-ups from IP () 2022-08-24 19:00:37 +02:00
Claire
461239db5d
Fix backend compatibility with OpenSSL 3.0 ()
* Update webpush to fork with OpenSSL 3 compatibility

* Fix tests with OpenSSL 3.0

* Update webauthn gem to latest release and update dependencies
2022-08-17 22:06:48 +01:00
Eugen Rochko
c3f0621a59
Add ability to follow hashtags () 2022-07-17 13:49:29 +02:00
Eugen Rochko
e7aa2be828
Change how hashtags are normalized ()
* Change how hashtags are normalized

* Fix tests
2022-07-13 15:03:28 +02:00
Eugen Rochko
44b2ee3485
Add customizable user roles ()
* Add customizable user roles

* Various fixes and improvements

* Add migration for old settings and fix tootctl role management
2022-07-05 02:41:40 +02:00
Claire
1b4054256f
Fix crash when a remote Flag activity mentions a private post ()
* Add tests

* Fix crash when a remote Flag activity mentions a private post
2022-07-04 11:08:30 +02:00
Claire
02851848e9
Revamp post filtering system ()
* Add model for custom filter keywords

* Use CustomFilterKeyword internally

Does not change the API

* Fix /filters/edit and /filters/new

* Add migration tests

* Remove whole_word column from custom_filters (covered by custom_filter_keywords)

* Redesign /filters

Instead of a list, present a card that displays more information and handles
multiple keywords per filter.

* Redesign /filters/new and /filters/edit to add and remove keywords

This adds a new gem dependency: cocoon, as well as a npm dependency:
cocoon-js-vanilla. Those are used to easily populate and remove form fields
from the user interface when manipulating multiple keyword filters at once.

* Add /api/v2/filters to edit filter with multiple keywords

Entities:
- `Filter`: `id`, `title`, `filter_action` (either `hide` or `warn`), `context`
  `keywords`
- `FilterKeyword`: `id`, `keyword`, `whole_word`

API endpoits:
- `GET /api/v2/filters` to list filters (including keywords)
- `POST /api/v2/filters` to create a new filter
  `keywords_attributes` can also be passed to create keywords in one request
- `GET /api/v2/filters/:id` to read a particular filter
- `PUT /api/v2/filters/:id` to update a new filter
  `keywords_attributes` can also be passed to edit, delete or add keywords in
   one request
- `DELETE /api/v2/filters/:id` to delete a particular filter
- `GET /api/v2/filters/:id/keywords` to list keywords for a filter
- `POST /api/v2/filters/:filter_id/keywords/:id` to add a new keyword to a
   filter
- `GET /api/v2/filter_keywords/:id` to read a particular keyword
- `PUT /api/v2/filter_keywords/:id` to edit a particular keyword
- `DELETE /api/v2/filter_keywords/:id` to delete a particular keyword

* Change from `irreversible` boolean to `action` enum

* Remove irrelevent `irreversible_must_be_within_context` check

* Fix /filters/new and /filters/edit with update for filter_action

* Fix Rubocop/Codeclimate complaining about task names

* Refactor FeedManager#phrase_filtered?

This moves regexp building and filter caching to the `CustomFilter` class.

This does not change the functional behavior yet, but this changes how the
cache is built, doing per-custom_filter regexps so that filters can be matched
independently, while still offering caching.

* Perform server-side filtering and output result in REST API

* Fix numerous filters_changed events being sent when editing multiple keywords at once

* Add some tests

* Use the new API in the WebUI

- use client-side logic for filters we have fetched rules for.
  This is so that filter changes can be retroactively applied without
  reloading the UI.
- use server-side logic for filters we haven't fetched rules for yet
  (e.g. network error, or initial timeline loading)

* Minor optimizations and refactoring

* Perform server-side filtering on the streaming server

* Change the wording of filter action labels

* Fix issues pointed out by linter

* Change design of “Show anyway” link in accordence to review comments

* Drop “irreversible” filtering behavior

* Move /api/v2/filter_keywords to /api/v1/filters/keywords

* Rename `filter_results` attribute to `filtered`

* Rename REST::LegacyFilterSerializer to REST::V1::FilterSerializer

* Fix systemChannelId value in streaming server

* Simplify code by removing client-side filtering code

The simplifcation comes at a cost though: filters aren't retroactively
applied anymore.
2022-06-28 09:42:13 +02:00
Claire
35588d09e2
Add /api/v1/admin/domain_allows ()
- `GET /api/v1/admin/domain_allows` lists allowed domains
- `GET /api/v1/admin/domain_allows/:id` shows one by ID
- `DELETE /api/v1/admin/domain_allows/:id` deletes a given domain from the list
  of allowed domains
- `POST /api/v1/admin/domain_allows` to allow a new domain:
  if that domain is already allowed, the existing DomainAllow will be returned
2022-06-23 23:12:01 +02:00
Claire
327eed0076
Fix suspicious sign-in mails never being sent ()
* Add tests

* Fix suspicious sign-in mails never being sent
2022-06-21 15:16:22 +02:00
Eugen Rochko
45aa5781ce
Change brand color and logotypes ()
- Add rake task for generating Apple/Android icons and favicons from SVG
- Add rake task for generating PNG icons and logos for e-mails from SVG
- Remove obsolete Microsoft icons and configuration
- Remove PWA shortcut icons
2022-06-09 22:25:23 +02:00
Eugen Rochko
a2871cd747
Add administrative webhooks ()
* Add administrative webhooks

* Fix error when webhook is deleted before delivery worker runs
2022-06-09 21:57:36 +02:00
Claire
3f14260574
Add StatusRelationshipsPresenter specs () 2022-06-01 19:09:37 +02:00
Claire
28329ba62f
Add /api/v1/admin/domain_blocks ()
* Add /api/v1/admin/domain_blocks

Fixes 

- `GET /api/v1/admin/domain_blocks` lists domain blocks
- `GET /api/v1/admin/domain_blocks/:id` shows one by ID
- `DELETE /api/v1/admin/domain_blocks/:id` deletes a given domain block
- `POST /api/v1/admin/domain_blocks` to create a new domain block:
  if it conflicts with an existing one, returns an error with
  an attribute `existing_domain_block` with the rendered domain block

* Simplify conflict handling as suggested in review
2022-06-01 17:31:36 +02:00
Claire
e34dd3644c
Remove unused filtered_languages column ()
* Remove unused `filtered_languages` column

Fixes 

* Fix tests
2022-05-27 20:05:22 +02:00
Claire
440eb71310
Change unapproved and unconfirmed account to not be accessible in the REST API ()
* Change unapproved and unconfirmed account to not be accessible in the REST API

* Change Account#searchable? to reject unconfirmed and unapproved users

* Disable search for unapproved and unconfirmed users in Account.search_for

* Disable search for unapproved and unconfirmed users in Account.advanced_search_for

* Remove unconfirmed and unapproved accounts from Account.searchable scope

* Prevent mentions to unapproved/unconfirmed accounts

* Fix some old tests for Account.advanced_search_for

* Add some Account.advanced_search_for tests for existing behaviors

* Add some tests for Account.search_for

* Add Account.advanced_search_for tests unconfirmed and unapproved accounts

* Add Account.searchable tests

* Fix Account.without_unapproved scope potentially messing with previously-applied scopes

* Allow lookup of unconfirmed/unapproved accounts through /api/v1/accounts/lookup

This is so that the API can still be used to check whether an username is free
to use.
2022-05-26 15:50:33 +02:00
Claire
e0bdaeab65
Fix NoMethodError when resolving a link that redirects to a local post ()
* Fix NoMethodError when resolving a link that redirects to a local post

* Fix tests
2022-05-17 14:52:26 +02:00
luzpaz
898fe2fa8e
Fix typo in source setted->set ()
Found via `codespell -q 3 -S ./CHANGELOG.md,./AUTHORS.md,./config/locales,./app/javascript/mastodon/locales -L ba,keypair,medias,ro`
2022-05-10 04:58:04 +02:00
Eugen Rochko
2b8dc58b7f
Change RSS feeds ()
* Change RSS feeds

- Use date and time for titles instead of ellipsized text
- Use full content in body, even when there is a content warning
- Use media extensions

* Change feed icons and add width and height attributes to custom emojis

* Fix custom emoji animate on hover breaking

* Fix tests
2022-05-09 07:43:08 +02:00
Claire
71d02ffcf3
Fix compatibility with Friendica regarding pinned posts ()
* Fix multiple database queries when fetching pinned posts for remote account

* Fix compatibility with Friendica regarding pinned posts

Fixes 

* Add tests
2022-05-02 17:41:01 +02:00
Eugen Rochko
f6d35ed57d
Remove IP matching from e-mail domain blocks ()
Clear out e-mail domain blocks created from automatically resolved DNS records
2022-04-29 23:27:03 +02:00
Eugen Rochko
7b0fe4aef9
Fix opening and closing Redis connections instead of using a pool ()
* Fix opening and closing Redis connections instead of using a pool

* Fix Redis connections not being returned to the pool in CLI commands
2022-04-29 22:43:07 +02:00
Claire
84d991988e
Fix temporary network/remote server error prevent from interactions with remote accounts ()
* Fix temporary network/remote server error prevent from interactions with remote accounts

* Fix and add tests
2022-04-28 20:19:10 +02:00
Eugen Rochko
3917353645
Fix single Redis connection being used across all threads ()
* Fix single Redis connection being used across all Sidekiq threads

* Fix tests
2022-04-28 17:47:34 +02:00
Claire
0360135d4d
Fix PeerTube videos appearing with an erroneous “Edited at” marker ()
* Fix PeerTube videos appearing with an erroneous “Edited at” marker

PeerTube videos have an `updated` field equal to `published`.
When processing an incoming activity that has the same value for `updated` and
`published`, assume this doesn't represent an actual edit.

* Please CodeClimate
2022-04-26 21:25:26 +02:00
Claire
ce9dcbea32
Fix failure when sending warning emails with custom text ()
* Add tests

* Fix failure when sending warning emails with custom text
2022-04-07 14:47:30 +02:00
Claire
8f91e304a5
Fix spurious edits and require incoming edits to be explicitly marked as such ()
* Change post text edit to not be considered significant if it's identical after reformatting

* We don't need to clear previous change information anymore

* Require status edits to be explicit, except for poll tallies

* Fix tests

* Add some tests

* Add poll-related tests

* Add HTML-formatting related tests
2022-04-06 21:01:02 +02:00
Eugen Rochko
6221b36b27
Remove sign-in token authentication, instead send e-mail about new sign-in () 2022-04-06 20:58:12 +02:00
Eugen Rochko
bbc7afa2a2
Fix being able to post URLs longer than 4096 characters () 2022-03-30 14:46:03 +02:00
Claire
894956e20c
Fix /api/v1/admin/accounts ()
* Fix /api/v1/admin/accounts

Compatibility was broken since  which changed the underlying filter class
without changing the controller.

This commits restore support for the old parameters.

* Add /api/v2/admin/accounts with the new parameters

* Add tests

* Add missing filter for `silenced` status

Co-authored-by: Eugen Rochko <eugen@zeonfederated.com>

Co-authored-by: Eugen Rochko <eugen@zeonfederated.com>
2022-03-28 23:57:38 +02:00
Claire
30658924a8
Fix test-related issues ()
* Remove obsolete RSS::Serializer test

Since , RSS::Serializer no longer has specific code for deleted statuses,
but it is never called on deleted statuses anyway.

* Rename erroneously-named test files

* Fix failing test

* Fix test deprecation warnings

* Update CircleCI Ruby orb

1.4.0 has a bug that does not match all the test files due to incorrect
globbing
2022-03-28 12:43:58 +02:00
Eugen Rochko
cefa526c6d
Refactor formatter ()
* Refactor formatter

* Move custom emoji pre-rendering logic to view helpers

* Move more methods out of Formatter

* Fix code style issues

* Remove Formatter

* Add inline poll options to RSS feeds

* Remove unused helper method

* Fix code style issues

* Various fixes and improvements

* Fix test
2022-03-26 02:53:34 +01:00
Eugen Rochko
71f2b95106
Fix edits with no actual changes being allowed ()
* Fix edits with no actual changes being allowed locally

* Fix edits with no actual changes being allowed through ActivityPub

* Fix false positive changes caused by description processing in model

* Fix not recording poll expiration update

* Fix test

* Revert changes to ProcessStatusUpdateService

* Various fixes and improvements

* Fix code style issues

* Various changes and improvements

* Add guard clause
2022-03-26 00:38:44 +01:00
Eugen Rochko
b58db8f12e
Add workaround for YouTube Shorts links ()
* Add workaround for YouTube Shorts links

* Update link_details_extractor_spec.rb
2022-03-25 19:31:35 +01:00
Eugen Rochko
e6ffbfb5e7
Add types param to GET /api/v1/notifications in REST API ()
* Add `types` param to `GET /api/v1/notifications` in REST API

* Improve tests
2022-03-15 04:11:29 +01:00
Claire
92a86b958e
Fix issues with processing toot edits ()
* Fix searching for an already-known status by URL not working

* Fix Update processing from statuses prior to 20220302232632

`ordered_media_attachment_ids_changed?` would return `true` when going from
`nil` to anything (including `[]`).

* Add tests
2022-03-12 19:33:10 +01:00
Eugen Rochko
ddbe906c25
Fix not updating a status when newer version is fetched manually () 2022-03-12 09:11:36 +01:00
Eugen Rochko
bc320d6cec
Fix POST /api/v1/emails/confirmations not being available after sign-up () 2022-03-12 04:14:25 +01:00
Claire
5ccd6cbfda
Add test for reblog race condition fix ()
Follow-up to 
2022-03-10 00:11:49 +01:00
Claire
63c9d2bc28
Add tests for CVE-2022-24307 ()
Follow-up to 
2022-03-10 00:11:40 +01:00
Eugen Rochko
d17fb70131
Change how changes to media attachments are stored for edits ()
* Change how changes to media attachments are stored for edits

Fix not being able to re-order media attachments

* Fix not broadcasting updates when polls/media is changed through ActivityPub

* Various fixes and improvements

* Update app/models/report.rb

Co-authored-by: Claire <claire.github-309c@sitedethib.com>

* Add tracking of media attachment description changes

* Change poll in status edit to have a structure closer to the real one

Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2022-03-09 09:06:17 +01:00
Eugen Rochko
bd53dd5210
Change design of federation pages in admin UI ()
* Change design of federation pages in admin UI

* Fix query performance in instance media attachments measure

* Fix reblogs being included in instance languages dimension
2022-03-09 08:52:32 +01:00
Eugen Rochko
8f6c67bfde
Fix performance of account timelines ()
* Fix performance of account timelines

* Various fixes and improvements

* Fix duplicate results being returned

Co-authored-by: Claire <claire.github-309c@sitedethib.com>

* Fix grouping for pinned statuses scope

Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2022-03-08 09:14:39 +01:00
Eugen Rochko
edf09ec747
Add /api/v1/accounts/familiar_followers to REST API ()
* Add `/api/v1/accounts/familiar_followers` to REST API

* Change hide network preference to be stored consistently for local and remote accounts

* Add dummy classes to migration

* Apply suggestions from code review

Co-authored-by: Claire <claire.github-309c@sitedethib.com>

Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2022-03-07 09:36:47 +01:00
Josh Soref
b5329e0035
Spelling ()
* spelling: account

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: affiliated

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: appearance

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: autosuggest

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: cacheable

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: component

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: conversations

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: domain.example

Clarify what's distinct and use RFC friendly domain space.

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: environment

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: exceeds

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: functional

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: inefficiency

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: not

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: notifications

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: occurring

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: position

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: progress

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: promotable

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: reblogging

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: repetitive

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: resolve

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: saturated

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: similar

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: strategies

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: success

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: targeting

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: thumbnails

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: unauthorized

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: unsensitizes

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: validations

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* spelling: various

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

Co-authored-by: Josh Soref <jsoref@users.noreply.github.com>
2022-03-06 22:51:40 +01:00
Claire
6d3fa7828e
Redesign /about when already logged in ()
* Redesign /about when already logged in

* Fix sign up form still showing when OMNIAUTH_ONLY is set

* Fix tests

* Change wording based on suggestions

Co-authored-by: Eugen Rochko <eugen@zeonfederated.com>

Co-authored-by: Eugen Rochko <eugen@zeonfederated.com>
2022-03-03 16:14:44 +01:00
Eugen Rochko
02b8d63fce
Fix report category not being saved in REST API () 2022-03-02 18:57:08 +01:00
Eugen Rochko
50ea54b3ed
Change authorized applications page ()
* Change authorized applications page

* Hide revoke button for superapps and suspended accounts

* Clean up db/schema.rb
2022-03-01 16:48:58 +01:00
Eugen Rochko
27965ce5ed
Add trending statuses ()
* Add trending statuses

* Fix dangling items with stale scores in localized sets

* Various fixes and improvements

- Change approve_all/reject_all to approve_accounts/reject_accounts
- Change Trends::Query methods to not mutate the original query
- Change Trends::Query#skip to offset
- Change follow recommendations to be refreshed in a transaction

* Add tests for trending statuses filtering behaviour

* Fix not applying filtering scope in controller
2022-02-25 00:34:14 +01:00
Eugen Rochko
a29a982eaa
Change e-mail domain blocks to block IPs dynamically ()
* Change e-mail domain blocks to block IPs dynamically

* Update app/workers/scheduler/email_domain_block_refresh_scheduler.rb

Co-authored-by: Yamagishi Kazutoshi <ykzts@desire.sh>

* Update app/workers/scheduler/email_domain_block_refresh_scheduler.rb

Co-authored-by: Yamagishi Kazutoshi <ykzts@desire.sh>

Co-authored-by: Yamagishi Kazutoshi <ykzts@desire.sh>
2022-02-24 17:28:23 +01:00
Sumak
91cc8d1e63
fix change :keys to :attribute_names () 2022-02-24 14:46:21 +01:00
luzpaz
73f5e4a1d9
Fix various typos ()
Found via `codespell -q 3 -S ./CHANGELOG.md,./AUTHORS.md,./config/locales,./app/javascript/mastodon/locales -L ba,keypair,medias,ro`
2022-02-22 20:14:17 +01:00
Claire
8f537a1168
Change relays handling to not record boosts ()
* Change relays handling to not record boosts

* Update tests
2022-02-16 14:36:44 +01:00
Jeong Arm
2fd2666eea
Add test for user matching ip () 2022-02-16 13:14:53 +01:00
Eugen Rochko
564efd0651
Add appeals ()
* Add appeals

* Add ability to reject appeals and ability to browse pending appeals in admin UI

* Add strikes to account page in settings

* Various fixes and improvements

- Add separate notification setting for appeals, separate from reports
- Fix style of links in report/strike header
- Change approving an appeal to not restore statuses (due to federation complexities)
- Change style of successfully appealed strikes on account settings page
- Change account settings page to only show unappealed or recently appealed strikes

* Change appealed_at to overruled_at

* Fix missing method error
2022-02-14 21:27:53 +01:00
Claire
d4e6774a0c
Fix Undo Announce sometimes inlining the originally Announced status ()
* Change tests to have more specific expectations on sent ActivityPub payloads

* Check that payload doesn't actually contain the contents of the boosted toot

* Fix Undo Announce sometimes inlining the originally Announced status
2022-02-11 14:52:07 +01:00
Claire
472bc89611
Fix some flaky tests that randomly failed because of item ordering () 2022-02-10 22:00:10 +01:00
Claire
2af03164cb
Improve tests involving push_bulk ()
sidekiq-bulk's push_bulk can either accept arguments directly or run them
through a block.

Setting expectations on the result of evaluating the blocks allows testing
more code (the block itself) and the test is moved closer to the *interface*
of the tested code than its precise implementation.
2022-02-10 19:42:45 +01:00
Claire
da91b18a8b
Fix NoMethodError in StatusUpdateDistributionWorker ()
* Add tests

* Fix NoMethodError in StatusUpdateDistributionWorker

* Fix tests
2022-02-10 14:57:10 +01:00
Claire
63854bee6c
Fix poll votes not being properly reset on poll change ()
* Fix poll votes not being properly reset on poll change

* Fix and add tests

* Fix poll update handling when the number of options changes
2022-02-10 14:26:54 +01:00
Eugen Rochko
63002cde03
Add editing for published statuses ()
* Add editing for published statuses

* Fix change of multiple-choice boolean in poll not resetting votes

* Remove the ability to update existing media attachments for now
2022-02-10 00:15:30 +01:00
Eugen Rochko
3aebe711fd
Change languages to be listed under standard instead of native name in admin UI () 2022-02-09 04:15:38 +01:00
Eugen Rochko
b6d7726ecb
Remove language detection through cld3 ()
* Remove language detection through cld3

* Update app/helpers/languages_helper.rb

Co-authored-by: Yamagishi Kazutoshi <ykzts@desire.sh>

Co-authored-by: Yamagishi Kazutoshi <ykzts@desire.sh>
2022-02-08 02:41:17 +01:00
Eugen Rochko
f1f6ddd536
Fix structured data parsing from links choking on bad data ()
* Fix structured data parsing from links choking on bad data

- Fix og:url meta tag being prioritized over canonical link tag
- Fix structured data parsing choking on commented-out CDATA declarations
- Fix HTML entities in title, description, provider_name, author_name
- Change structured data parsing to attempt every JSON-LD script tag

* Remove unnecessary slash escapes from CDATA regex pattern
2022-02-07 18:16:31 +01:00
Claire
73a782391c
Fix replies collection incorrectly looping ()
* Refactor tests

* Add tests

* Fix replies collection incorrectly looping
2022-02-07 17:06:43 +01:00
Claire
92658f0fb0
Fix instance actor not being dereferenceable ()
* Add tests

* Fix instance actor not being dereferenceable

* Fix tests

* Fix tests for real
2022-02-06 15:31:03 +01:00
Claire
c8b1e72a4f
Fix compacted JSON-LD possibly causing compatibility issues on forwarding () 2022-02-03 14:09:04 +01:00
Claire
f5639e1cbe
Change public profile pages to be disabled for unconfirmed users ()
Fixes 

Note that unconfirmed and unapproved accounts can still be searched for
and their (empty) account retrieved using the REST API.
2022-01-28 14:24:37 +01:00
Claire
e38fc319dc
Refactor and improve tests ()
* Change account and user fabricators to simplify and improve tests

- `Fabricate(:account)` implicitly fabricates an associated `user` if
  no `domain` attribute is given (an account with `domain: nil` is
  considered a local account, but no user record was created), unless
  `user: nil` is passed
- `Fabricate(:account, user: Fabricate(:user))` should still be possible
  but is discouraged.

* Fix and refactor tests

- avoid passing unneeded attributes to `Fabricate(:user)` or
  `Fabricate(:account)`
- avoid embedding `Fabricate(:user)` into a `Fabricate(:account)` or the other
  way around
- prefer `Fabricate(:user, account_attributes: …)` to
  `Fabricate(:user, account: Fabricate(:account, …)`
- also, some tests were using remote accounts with local user records, which is
  not representative of production code.
2022-01-28 00:46:42 +01:00
Eugen Rochko
6505b39e5d
Fix poll updates being saved as status edits ()
Fix 
2022-01-26 18:05:39 +01:00
Claire
0a120d86d2
Fix error-prone SQL queries ()
* Fix error-prone SQL queries in Account search

While this code seems to not present an actual vulnerability, one could
easily be introduced by mistake due to how the query is built.

This PR parameterises the `to_tsquery` input to make the query more robust.

* Harden code for Status#tagged_with_all and Status#tagged_with_none

Those two scopes aren't used in a way that could be vulnerable to an SQL
injection, but keeping them unchanged might be a hazard.

* Remove unneeded spaces surrounding tsquery term

* Please CodeClimate

* Move advanced_search_for SQL template to its own function

This avoids one level of indentation while making clearer that the SQL template
isn't build from all the dynamic parameters of advanced_search_for.

* Add tests covering tagged_with, tagged_with_all and tagged_with_none

* Rewrite tagged_with_none to avoid multiple joins and make it more robust

* Remove obsolete brakeman warnings

* Revert "Remove unneeded spaces surrounding tsquery term"

The two queries are not strictly equivalent.

This reverts commit 86f16c537e06c6ba4a8b250f25dcce9f049023ff.
2022-01-23 18:10:10 +01:00
Eugen Rochko
1060666c58
Add support for editing for published statuses ()
* Add support for editing for published statuses

* Fix references to stripped-out code

* Various fixes and improvements

* Further fixes and improvements

* Fix updates being potentially sent to unauthorized recipients

* Various fixes and improvements

* Fix wrong words in test

* Fix notifying accounts that were tagged but were not in the audience

* Fix mistake
2022-01-19 22:37:27 +01:00
Eugen Rochko
14f436c457
Add notifications for statuses deleted by moderators () 2022-01-17 09:41:33 +01:00
Claire
d5c9feb7b7
Add support for private pinned posts ()
* Add support for private pinned toots

* Allow local user to pin private toots

* Change wording to avoid "direct message"
2022-01-17 00:49:55 +01:00
Eugen Rochko
8e84ebf0cb
Remove IP tracking columns from users table () 2022-01-16 13:23:50 +01:00
Claire
76761d5fc0
Add ability for admins to delete canonical email blocks ()
* Add admin option to remove canonical email blocks from a deleted account

* Add tootctl canonical_email_blocks to inspect and remove canonical email blocks
2021-12-17 23:02:14 +01:00
Claire
7f803c41e2
Add ability to purge undeliverable domains from admin interface ()
* Add ability to purge undeliverable domains from admin interface

* Add tests
2021-12-17 23:01:21 +01:00
Eugen Rochko
0fb9536d38
Add batch suspend for accounts in admin UI () 2021-12-05 21:48:39 +01:00
Jeong Arm
1c826471e7
Fix admin statuses order() ()
* Fix 

* Add test for statuses order
2021-11-26 22:12:27 +01:00
Eugen Rochko
7de0ee7aba
Remove Keybase integration () 2021-11-26 05:58:18 +01:00
Claire
013bee6afb
Fix filtering DMs from non-followed users () 2021-11-25 23:46:30 +01:00
Eugen Rochko
6e50134a42
Add trending links ()
* Add trending links

* Add overriding specific links trendability

* Add link type to preview cards and only trend articles

Change trends review notifications from being sent every 5 minutes to being sent every 2 hours

Change threshold from 5 unique accounts to 15 unique accounts

* Fix tests
2021-11-25 13:07:38 +01:00
Claire
02a87431cf
Fix error when suspending user with an already-existing canonical email block ()
* Fix error when suspending user with an already-existing canonical email block

Fixes 

While attempting to create a `CanonicalEmailBlock` with an existing hash would
raise an `ActiveRecord::RecordNotUnique` error, this being done within a
transaction would cancel the whole transaction. For this reason, checking for
uniqueness in Rails would query the database within the transaction and avoid
invalidating the whole transaction for this reason.

A race condition is still possible, where multiple accounts sharing a canonical
email would be blocked in concurrent transactions, in which only one would
succeed, but that is way less likely to happen that the current issue, and can
always be retried after the first failure, unlike the current situation.

* Add tests
2021-11-24 17:41:03 +01:00
Claire
87085a5152
Fix AccountNote not having a maximum length () 2021-11-06 00:12:25 +01:00
Eugen Rochko
39cdf61ab7
Add support for structured data and more OpenGraph tags to link cards ()
Save preview cards under their canonical URL

Increase max redirects to follow from 2 to 3
2021-11-05 23:23:05 +01:00
Claire
989c67d29d
Fix handling announcements with links ()
Broken since 
2021-11-05 21:14:35 +01:00
Claire
ec059317fa
Fix some link previews being incorrectly generated from other prior links ()
* Add tests

* Fix some link previews being incorrectly generated from different prior links

PR  added a cache to avoid redundant queries when the OEmbed endpoint can
be guessed from the URL. This caching mechanism is not perfectly correct as
there is no guarantee that all pages from a given domain share the same
OEmbed provider endpoint.

This PR prevents the FetchOEmbedService from caching OEmbed endpoint that
cannot be generalized by replacing a fully-qualified URL from the endpoint's
parameters, greatly reducing the number of incorrect cached generalizations.
2021-10-21 20:39:35 +02:00
Claire
3f9b28ce26
Add support for fetching Create and Announce activities by URI ()
* Add support for fetching Create and Announce activities by URI

This should improve compatibility with ZAP and offer a way to fetch boosts,
which is currently not possible.

* Add tests
2021-10-21 01:14:04 +02:00
Takeshi Umeda
17f4e457b3
Add remove from followers api ()
* Add followed_by? to account_interactions

* Add RemoveFromFollowersService

* Fix AccountBatch to use RemoveFromFollowersService

* Add remove from followers API
2021-10-18 12:02:35 +02:00
Jeong Arm
f4081d1564
Allow keeping only 1 boosts/favs on auto deleting posts ()
* Allow keeping 1 boosts/favs on auto deleting posts

* Fix tests
2021-10-14 21:11:14 +02:00
Claire
216570ad98
Fix scheduled statuses decreasing statuses counts ()
* Add tests

* Fix scheduled statuses decreasing statuses counts

Fixes 
2021-10-14 19:59:21 +02:00
Claire
5159ba26e4
Fix error when rendering public pages with media attachments ()
* Add tests

* Fix error when rendering public pages with media attachments

* Add tests

* Fix tests

* Please CodeClimate
2021-10-13 15:27:19 +02:00
Claire
84ceebe1c4
Fix media attachment size validation not correctly accounting for file type ()
* Fix media attachment size validation not correctly accounting for file type

Fixes a regression introduced in  caused by the fact that kt-paperclip
now correctly runs validations before processing, meaning that file size
verification could not rely on our before_post_processing hook.

Moved the `before_post_processing` hooks to `before_validate` to make sure
the media attachment type is set correctly before the file gets validated.

* Add tests
2021-10-06 14:49:32 +01:00
Claire
24f9ea7818
Fix webauthn secure key authentication ()
* Add tests

* Fix webauthn secure key authentication

Fixes 
2021-09-30 05:26:29 +02:00
Claire
fc3ae1343d
Switch from unmaintained paperclip to kt-paperclip ()
* Switch from unmaintained paperclip to kt-paperclip

* Drop some compatibility monkey-patches not required by kt-paperclip

* Drop media spoof check monkey-patching

It's broken with kt-paperclip and hopefully it won't be needed anymore

* Fix regression introduced by paperclip 6.1.0

* Do not rely on pathname to call FastImage

* Add test for ogg vorbis file with cover art

* Add audio/vorbis to the accepted content-types

This seems erroneous as this would be the content-type for a vorbis stream
without an ogg container, but that's what the `marcel` gem outputs, so…

* Restore missing for_as_default method

* Refactor Attachmentable concern and delay Paperclip's content-type spoof check

Check for content-type spoofing *after* setting the extension ourselves, this
fixes a regression with kt-paperclip's validations being more strict than
paperclip 6.0.0 and rejecting some Pleroma uploads because of unknown
extensions.

* Please CodeClimate

* Add audio/vorbis to the unreliable set

It doesn't correspond to a file format and thus has no extension associated.
2021-09-29 23:52:36 +02:00
Eugen Rochko
52e5c07948
Change routing paths to use usernames in web UI () 2021-09-26 05:46:13 +02:00
Claire
e0af97164a
Fix followers synchronization mechanism not working when URI has empty path ()
Follow-up to , forgot the controller exposing the actual followers…
2021-09-15 18:51:16 +02:00
Claire
db57bff11d
Stop setting a shortcode to newly-created media attachments ()
* Stop setting a shortcode to newly-created media attachments

The WebUI has stopped using the “short media URL” in ages. This isn't used
anywhere except for mail notifications.

Deprecating it would allow us to eventually get rid of at least a database
column and corruption-prone index, as well as a controller.

* Fix tests
2021-09-13 18:59:37 +02:00
Claire
12cd097e7c
Fix addressing of remote groups' followers ()
Fixes 
2021-09-08 23:33:23 +02:00
Claire
2b18f7a943
Fix processing mentions to domains with non-ascii TLDs ()
Fixes 
2021-09-01 22:06:40 +02:00
Claire
94bcf45321
Fix authentication failures after going halfway through a sign-in attempt ()
* Add tests

* Add security-related tests

My first (unpublished) attempt at fixing the issues introduced (extremely
hard-to-exploit) security vulnerabilities, addressing them in a test.

* Fix authentication failures after going halfway through a sign-in attempt

* Refactor `authenticate_with_sign_in_token` and `authenticate_with_two_factor` to make the two authentication steps more obvious
2021-08-25 22:52:41 +02:00
Claire
6702148472
Add tests for SuspendAccountService and UnsuspendAccountService ()
* Add tests for SuspendAccountService

* Add tests for UnsuspendAccountService
2021-08-20 10:53:33 +01:00
Claire
5efb1ff337
Fix followers synchronization mechanism not working when URI has empty path ()
* Fix followers synchronization mechanism not working when URI has empty path

To my knowledge, there is no current implementation on the fediverse
that can use bare domains (e.g., actor is at https://example.org instead of
something like https://example.org/actor) that also plans to support the
followers synchronization mechanism. However, Mastodon's current implementation
would exclude such accounts from followers list.

Also adds tests and rename them to reflect the proper method names.

* Move url prefix regexp to its own constant
2021-08-11 17:48:42 +02:00
Claire
13b08610a0
Fix crash when encountering invalid account fields ()
* Add test

* Fix crash when encountering invalid account fields
2021-08-11 16:40:55 +02:00
Claire
4ac78e2a06
Add feature to automatically delete old toots ()
* Add account statuses cleanup policy model

* Record last inspected toot to delete to speed up successive calls to statuses_to_delete

* Add service to cleanup a given account's statuses within a budget

* Add worker to go through account policies and delete old toots

* Fix last inspected status id logic

All existing statuses older or equal to last inspected status id must be
kept by the current policy. This is an invariant that must be kept so that
resuming deletion from the last inspected status remains sound.

* Add tests

* Refactor scheduler and add tests

* Add user interface

* Add support for discriminating based on boosts/favs

* Add UI support for min_reblogs and min_favs, rework UI

* Address first round of review comments

* Replace Snowflake#id_at_start with with_random parameter

* Add tests

* Add tests for StatusesCleanupController

* Rework settings page

* Adjust load-avoiding mechanisms

* Please CodeClimate
2021-08-09 23:11:50 +02:00
Claire
763ab0c7eb
Fix owned account notes not being deleted when an account is deleted ()
* Add account_notes relationship

* Add tests

* Fix owned account notes not being deleted when an account is deleted

* Add post-migration to clean up orphaned account notes
2021-08-08 15:29:57 +02:00
Claire
30ce6e395c
Fix user email address being banned on self-deletion ()
* Add tests

* Fix user email address being banned on self-deletion

Fixes 
2021-07-14 05:35:49 +02:00
Claire
5a1e072517
Change references to tootsuite/mastodon to mastodon/mastodon ()
* Change references to tootsuite/mastodon to mastodon/mastodon

* Remove obsolete test fixture

* Replace occurrences of tootsuite/mastodon with mastodon/mastodon in CHANGELOG

And a few other places
2021-07-13 15:46:20 +02:00
Eugen Rochko
771c9d4ba8
Add ability to skip sign-in token authentication for specific users ()
Remove "active within last two weeks" exception for sign in token requirement

Change admin reset password to lock access until the password is reset
2021-07-08 05:31:28 +02:00
Claire
225c6582d1
Add tests for BootstrapTimelineService () 2021-07-07 21:12:43 +02:00
Ikko Ashimine
67226acf7e
Fix typo in tag_feed_spec.rb ()
existant -> existent
2021-07-05 19:16:21 +02:00
Claire
49219508bc
Fix anonymous access to outbox not being cached by the reverse proxy ()
* Fix anonymous access to outbox not being cached by the reverse proxy

Up until now, anonymous access to outbox was marked as public, but with a
0 duration for caching, which means remote proxies would only serve from cache
when the server was completely overwhelmed.

Changed that cache duration to one minute, so that repeated anonymous access
to one account's outbox can be appropriately cached.

Also added `Signature` to the `Vary` header in case a page is requested, so
that authenticated fetches are never served from cache (which only contains
public toots).

* Remove Vary: Accept header from webfinger controller

Indeed, we have stopped returning xrd, and only ever return jrd, so the
Accept request header does not matter anymore.

* Cache negative webfinger hits for 3 minutes
2021-07-03 21:13:47 +02:00
Claire
63b807cffc
Fix serialization of followers/following counts when user hides their network ()
* Add tests

* Fix serialization of followers/following counts when user hides their network

Fixes 

Signed-off-by: Claire <claire.github-309c@sitedethib.com>
2021-06-21 20:14:47 +02:00
Eugen Rochko
d174d12c83
Add authentication history () 2021-06-21 17:07:30 +02:00
Claire
afb7882189
Fix blocking someone not clearing up list feeds () 2021-05-10 17:31:55 +02:00
Eugen Rochko
1294f9ee4f
Remove PubSubHubbub-related columns from accounts table () 2021-05-07 19:32:58 +02:00
Eugen Rochko
74081433d0
Change trending hashtags to be affected be reblogs ()
If a status with a hashtag becomes very popular, it stands to
reason that the hashtag should have a chance at trending

Fix no stats being recorded for hashtags that are not allowed
to trend, and stop ignoring bots

Remove references to hashtags in profile directory from the code
and the admin UI
2021-05-07 14:33:43 +02:00
Eugen Rochko
2c77d97e0d
Add joined date to profiles in web UI () 2021-05-07 14:33:19 +02:00
Claire
566fc90913
Add Ruby 3.0 support ()
* Fix issues with POSIX::Spawn, Terrapin and Ruby 3.0

Also improve the Terrapin monkey-patch for the stderr/stdout issue.

* Fix keyword argument handling throughout the codebase

* Monkey-patch Paperclip to fix keyword arguments handling in validators

* Change validation_extensions to please CodeClimate

* Bump microformats from 4.2.1 to 4.3.1

* Allow Ruby 3.0

* Add Ruby 3.0 test target to CircleCI

* Add test for admin dashboard warnings

* Fix admin dashboard warnings on Ruby 3.0
2021-05-06 14:22:54 +02:00
Claire
8c44b723bb
Change confirmations controller to redirect to / for approved users ()
Clicking the confirmation link multiple times currently leads to entering
account settings, which can be confusing. This commit changes that so that
it redirects to the root path, so it behaves the same way as clicking only
once in most cases.
2021-05-03 15:45:19 +02:00
abcang
7f0c49c58a
Improve tag search query () 2021-04-25 06:33:28 +02:00
Eugen Rochko
daccc07dc1
Change auto-following admin-selected accounts, show in recommendations () 2021-04-24 17:01:43 +02:00
Claire
a6564d56d6
Fix edge case where accepted follow cannot be processed because of follow limit () 2021-04-23 22:51:21 +02:00
Eugen Rochko
9cc283f0b4
Change the nouns "toot" and "status" to "post" () 2021-04-21 18:31:24 +02:00
Claire
0b36e3419d
Fix processing of remote Delete activities ()
* Add tests

* Ensure deleted statuses are marked as such

* Save some redis memory by not storing URIs in delete_upon_arrival values

* Avoid possible race condition when processing incoming Deletes

* Avoid potential duplicate Delete forwards

* Lower lock durations to reduce issues in case of hard crash of the Rails process

* Check for `lock.aquired?` and improve comment

* Refactor RedisLock usage in app/lib/activitypub

* Fix using incorrect or non-existent sender for relaying Deletes
2021-04-21 04:46:09 +02:00
Eugen Rochko
b3ceb3dcc4
Add canonical e-mail blocks for suspended accounts ()
Prevent new accounts from being created using the same underlying
e-mail as a suspended account using extensions and period
permutations. Stores e-mails as a SHA256 hash
2021-04-17 03:14:25 +02:00
Eugen Rochko
3b8d085436
Fix app name, website and redirect URIs not having a maximum length ()
Fix app scopes not being validated
2021-04-15 16:28:43 +02:00
Eugen Rochko
ce2148c571
Add policy param to POST /api/v1/push/subscriptions ()
With possible values `all`, `followed`, `follower`, and `none`,
control from whom notifications will generate a Web Push alert
2021-04-15 05:00:25 +02:00
Eugen Rochko
120965eb0b
Change Web Push API deliveries to use request pooling () 2021-04-12 14:25:34 +02:00
Eugen Rochko
f7117646af
Add cold-start follow recommendations () 2021-04-12 12:37:14 +02:00
Eugen Rochko
619fad6cf8
Remove spam check and dependency on nilsimsa gem () 2021-04-11 11:22:50 +02:00
Eugen Rochko
7183d9a113
Change multiple mentions with same username to render with domain ()
Fix 
2021-04-10 11:51:02 +02:00
Claire
a650a1157d
Fix /admin/tags/:id crashing since Rails 6.1 update ()
Raw SQL passed to `pluck` now has to be explicitly marked as SQL via
Arel.sql, see https://github.com/rails/rails/pull/27947
2021-03-26 18:36:16 +01:00
Claire
cbd0ee1d07
Update Mastodon to Rails 6.1 ()
* Update devise-two-factor to unreleased fork for Rails 6 support

Update tests to match new `rotp` version.

* Update nsa gem to unreleased fork for Rails 6 support

* Update rails to 6.1.3 and rails-i18n to 6.0

* Update to unreleased fork of pluck_each for Ruby 6 support

* Run "rails app:update"

* Add missing ActiveStorage config file

* Use config.ssl_options instead of removed ApplicationController#force_ssl

Disabled force_ssl-related tests as they do not seem to be easily testable
anymore.

* Fix nonce directives by removing Rails 5 specific monkey-patching

* Fix fixture_file_upload deprecation warning

* Fix yield-based test failing with Rails 6

* Use Rails 6's index_with when possible

* Use ActiveRecord::Cache::Store#delete_multi from Rails 6

This will yield better performances when deleting an account

* Disable Rails 6.1's automatic preload link headers

Since Rails 6.1, ActionView adds preload links for javascript files
in the Links header per default.

In our case, that will bloat headers too much and potentially cause
issues with reverse proxies. Furhermore, we don't need those links,
as we already output them as HTML link tags.

* Switch to Rails 6.0 default config

* Switch to Rails 6.1 default config

* Do not include autoload paths in the load path
2021-03-24 10:44:31 +01:00
Claire
1c4dee4554
Fix Mastodon not understanding as:Public and Public ()
Fixes 
2021-03-24 10:19:40 +01:00
Claire
051efed5ed
Bypass MX validation for explicitly allowed domains ()
* Bypass MX validation for explicitly allowed domains

This spares some lookups and prevent issues in some edge cases with
local domains.

* Add tests

* Fix test
2021-03-19 23:48:47 +01:00
Claire
741d0952b1
Improve account counters handling ()
* Improve account counters handling

* Use ActiveRecord::Base::sanitize_sql to pass values instead of interpolating them

Keep using string interpolation for `key` as it is safe and using
“ActiveRecord::Base::sanitize_sql_hash_for_assignment” would require stitching
bits of SQL in a way that is not more easily checked for safety.

* Add migration hook to catch PostgreSQL versions earlier than 9.5
2021-03-19 13:14:57 +01:00
Claire
b358229834
Further preparation for Rails 6 ()
* Use ActiveRecord::Result#to_ary instead of deprecated to_hash

They do the same thing, and to_hash has been removed from Rails 6.1

* Explicitly name polymorphic indexes to workaround a bug in Rails 6.1

cf. https://github.com/rails/rails/issues/41693

* Fix incorrect usage of “foreign_key” in migration script

* Use `ActiveModel::Errors#delete` instead of deprecated clear method

* Fix link headers tests on Rails 6.1

Rails 6.1 adds values to the Link header by default, thus it is not a
LinkHeader object anymore. Fix the test to parse the Link header instead
of assuming it is a LinkHeader.
2021-03-19 02:45:34 +01:00
Claire
a4dcaef53b
Prepare Mastodon for zeitwerk autoloader ()
* Prepare Mastodon for zeitwerk autoloader (Rails 6)

Add inflections and rename/move a few classes.

In particular, app/lib/exceptions.rb and app/lib/sanitize_config.rb
were manually loaded while still in autoload paths.

* Add inflection for Url → URL
2021-03-19 02:42:43 +01:00
Claire
5027abecd1
Fix cache_collection crashing when given an empty collection ()
* Fix cache_collection crashing when given an empty collection

* Add tests
2021-03-18 00:41:32 +01:00
Claire
43eff898a0
Prepare Mastodon for Rails 6 ()
* Fix misuse of foreign_type

* Fix use of removed "add_template_helper"

* Use response.media_type instead of response.content_type in tests

* Fix CSV export controller test on Rails 6

Rails 6 sets a "filename*" field in the Content-Disposition header to
explicitly encode the filename as UTF-8.

This changes checks the first part of the Content-Disposition header so
it matches in both Rails 5 and Rails 6.

* Fix emoji formatting with Rails 6

* Make emoji output more idiomatic and robust

* Switch from redis-rails gem to built-in Rails redis cache storage
2021-03-17 10:09:55 +01:00
Claire
5cc45d22d3
Remove subscription_expires_at leftover from OStatus () 2021-03-12 05:25:24 +01:00
Claire
5614e6724e
Fix URL scanning in note length validator and preview card fetching ()
* Add tests

* Fix URL scanning in note length validator and preview card fetching
2021-03-04 00:12:26 +01:00
Claire
65db262550
Update twitter-text from 1.14 to 3.1.0 and fix toot character counting ()
* Update twitter-text from 1.14 to 3.1.0

* Disable emoji parsing

* Properly depend on twitter-text for url detection

* Fix some URLs being wrongly detected client-side

* Add test for server-side validation of non-autolinkable URLs

* Fix server-side status length counting
2021-03-02 12:02:56 +01:00
Eugen Rochko
9aa37b32c3
Add details to error response for POST /api/v1/accounts in REST API () 2021-03-01 04:59:13 +01:00
Claire
5f4c0b79c2
Change ResolveAccountService's handling of skip_webfinger ()
* Change ResolveAccountService's handling of skip_webfinger

Change it so it never makes any webfinger query, as the name would imply.

* Add tests

* Change FollowService to not take an URI for target_account

* Restore domain-block check in FollowService

* Fix tests
2021-02-24 06:32:13 +01:00
Eugen Rochko
8331fdf7e0
Add server rules () 2021-02-21 19:50:12 +01:00
Claire
be3b9f8151
Fix URI of repeat follow requests not being recorded ()
* Fix URI of repeat follow requests not being recorded

In case we receive a “repeat” or “duplicate” follow request, we automatically
fast-forward the accept with the latest received Activity `id`, but we don't
record it.

In general, a “repeat” or “duplicate” follow request may happen if for some
reason (e.g. inconsistent handling of Block or Undo Accept activities, an
instance being brought back up from the dead, etc.) the local instance thought
the remote actor were following them while the remote actor thought otherwise.

In those cases, the remote instance does not know about the older Follow
activity `id`, so keeping that record serves no purpose, but knowing the most
recent one is useful if the remote implementation at some point refers to it
by `id` without inlining it.

* Add tests
2021-02-11 01:53:44 +01:00
ThibG
a044ddac5b
Fix race conditions on account migration creation ()
* Atomically check for processing lock in Move handler

* Prevent race condition when creating account migrations

Fixes 

* Add tests

Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2021-02-02 14:49:57 +01:00
Shubhendra Singh Chauhan
c8d11b8bdb
Fixed code quality issues ()
* Added .deepsource.toml

* Removed bad use of `alias`

* Fixed operand order in the binary expression

* Prefixed unused method arguments with an underscore

* Replaced the old OpenSSL algorithmic constants with the newer strings initializers.

* Removed unnecessary UTF-8 encoding comment
2021-01-31 21:26:09 +01:00
abcang
7ab53f221a
Improved performance of notification preloading ()
* Improved performance of notification preloading

* Remove Cacheable from Notification

* Fix test
2021-01-31 21:24:57 +01:00
ThibG
54d4e5252b
Use Rails' index_by where it makes sense ()
* Use Rails' index_by where it makes sense

* Fix tests

Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2021-01-12 09:27:38 +01:00
Levi Bard
11d603101a
Fix muting users with duration via the REST api () 2021-01-10 12:47:21 +01:00
ThibG
f1f96ebf02
Fix being able to import more than allowed number of follows ()
* Fix being able to import more than allowed number of follows

Without this commit, if someone tries importing a second list of accounts to
follow before the first one has been processed, this will queue imports for
the two whole lists, even if they exceed the account's allowed number of
outgoing follows.

This commit changes it so the individual queued imports aren't exempt from
the follow limit check (they remain exempt from the rate-limiting check
though).

* Catch validation errors to not re-queue failed follows

Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2020-12-26 23:52:46 +01:00
ThibG
3249d35bdc
Improve account deletion performances further ()
* Delete status records by batches of 50

* Do not precompute values that are only used once

* Do not generate redis events for removal of public toots older than two weeks

* Filter reported toots a priori for polls and status deletion

* Do not process reblogs when cleaning up public timelines

As in Mastodon proper, reblogs don't appear in public TLs

* Clean the deleted account's own feed in one go

* Refactor Account#clean_feed_manager and List#clean_feed_manager

* Delete instead of destroy a few more associations

* Fix preloading

Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2020-12-22 23:57:46 +01:00
ThibG
1cf2c3a810
Fix external user creation failing when invite request text is required ()
* Fix external user creation failing when invite request text is required

Also fixes tootctl-based user creation.

* Add test about invites when invite request text is otherwise required

Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2020-12-22 17:14:32 +01:00
Eugen Rochko
9915d11c0d
Fix unnecessary queries when batch-removing statuses, 100x faster () 2020-12-22 17:13:55 +01:00
ThibG
43961035a9
Fix some notifications not being deleted on poll/status deletion ()
* Fix deleting polls not deleting notifications

* Fix fav notification deletion when deleting a toot

* Refactor DeleteAccountService spec

* Add DeleteAccountService tests for other associations and notifications

* Add favourite handling spec in status removal

Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2020-12-21 18:22:17 +01:00
ThibG
a60d9335d8
Fix resolving accounts sometimes creating duplicate records for a given AP id ()
* Fix ResolveAccountService accepting mismatching acct: URI

* Set attributes that should be updated regardless of suspension

* Fix key fetching

* Automatically merge remote accounts with duplicate `uri`

* Add tests

* Add "tootctl accounts fix-duplicates"

Finds duplicate accounts sharing a same ActivityPub `id`, re-fetch them and
merge them under the canonical `acct:` URI.

Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2020-12-18 23:26:26 +01:00
Eugen Rochko
eb35be0431
Fix follow limit preventing re-following of a moved account () 2020-12-18 09:18:31 +01:00
ThibG
b1feb47055
Improve searching for private toots from URL ()
* Improve searching for private toots from URL

Most of the time, when sharing toots, people use the toot URL rather than
the toot URI, which makes sense since it is the user-facing URL.

In Mastodon's case, the URL and URI are different, and Mastodon does not
have an index on URL, which means searching a private toot by URL is done
with a slow query that will only succeed for very recent toots.

This change gets rid of the slow query, and attempts to guess the URI from
URL instead, as Mastodon's are predictable.

* Add tests

* Only return status with guessed uri if url matches

Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2020-12-17 06:51:49 +01:00
ThibG
8357969559
Fix admins being able to suspend their instance actor ()
* Fix admin being able to suspend their own instance account

* Add text about the instance's own actor in admin view

* Change instance actor notice from flash message to template

* Do not list local instance actor in account moderation list
2020-12-15 17:23:58 +01:00
Eugen Rochko
1f564051b6
Change RTL detection to rely on unicode-bidi paragraph by paragraph () 2020-12-15 12:56:43 +01:00
Eugen Rochko
216b85b053
Fix performance on instances list in admin UI ()
- Reduce duplicate queries
- Remove n+1 queries
- Add accounts count to detailed view
- Add separate action log entry for updating existing domain blocks
2020-12-14 09:06:34 +01:00
ThibG
49eb4d4ddf
Add honeypot fields and minimum fill-out time for sign-up form ()
* Add honeypot fields to limit non-specialized spam

Add two honeypot fields: a fake website input and a fake password confirmation
one. The label/placeholder/aria-label tells not to fill them, and they are
hidden in CSS, so legitimate users should not fall into these.

This should cut down on some non-Mastodon-specific spambots.

* Require a 3 seconds delay before submitting the registration form

* Fix tests

* Move registration form time check to model validation

* Give people a chance to clear the honeypot fields

* Refactor honeypot translation strings

Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2020-12-10 06:27:26 +01:00
trwnh
127c543a6e
rename replies_policy enumerables () 2020-12-09 04:34:17 +01:00
ThibG
c43f4cd3bb
Fix not being able to unfavorite toots one has lost access to ()
Fixes 
2020-11-21 06:18:09 +01:00
ThibG
8b8004a962
Fix webfinger redirect handling in ResolveAccountService ()
* Fix webfinger redirect handling in ResolveAccountService

ResolveAccountService#process_webfinger! handled a one-step webfinger
redirection, but only accepting the result if it matched the exact URI passed
as input, defeating the point of a redirection check.

Instead, use the same logic as in `ActivityPub::FetchRemoteAccountService`,
updating the resulting `acct:` URI with the result of the first webfinger
query.

* Add tests
2020-11-19 19:52:06 +01:00
ThibG
96c1e71329
Add import/export feature for bookmarks ()
* Add ability to export bookmarks

* Add support for importing bookmarks

* Add bookmark import tests

* Add bookmarks export test
2020-11-19 17:48:13 +01:00
Eugen Rochko
8532429af7
Fix 2FA/sign-in token sessions being valid after password change ()
If someone tries logging in to an account and is prompted for a 2FA
code or sign-in token, even if the account's password or e-mail is
updated in the meantime, the session will show the prompt and allow
the login process to complete with a valid 2FA code or sign-in token
2020-11-12 23:05:01 +01:00
Eugen Rochko
337dc6e0ad
Fix updating account counters when account_stat is not yet created () 2020-11-09 16:00:23 +01:00
Eugen Rochko
3134691948
Add support for reversible suspensions through ActivityPub () 2020-11-08 00:28:39 +01:00
Takeshi Umeda
d6fe0c94ca
Add account sensitized ()
* Add account sensitized

* Fix i18n normalize

* Fix description and spec

* Fix spec

* Fix wording
2020-11-04 20:45:01 +01:00
ThibG
ca56527140
Add follower synchronization mechanism ()
* Add support for followers synchronization on the receiving end

Check the `collectionSynchronization` attribute on `Create` and `Announce`
activities and synchronize followers from provided collection if possible.

* Add tests for followers synchronization on the receiving end

* Add support for follower synchronization on the sender's end

* Add tests for the sending end

* Switch from AS attributes to HTTP header

Replace the custom `collectionSynchronization` ActivityStreams attribute by
an HTTP header (`X-AS-Collection-Synchronization`) with the same syntax as
the `Signature` header and the following fields:
- `collectionId` to specify which collection to synchronize
- `digest` for the SHA256 hex-digest of the list of followers known on the
   receiving instance (where “receiving instance” is determined by accounts
   sharing the same host name for their ActivityPub actor `id`)
- `url` of a collection that should be fetched by the instance actor

Internally, move away from the webfinger-based `domain` attribute and use
account `uri` prefix to group accounts.

* Add environment variable to disable followers synchronization

Since the whole mechanism relies on some new preconditions that, in some
extremely rare cases, might not be met, add an environment variable
(DISABLE_FOLLOWERS_SYNCHRONIZATION) to disable the mechanism altogether and
avoid followers being incorrectly removed.

The current conditions are:
1. all managed accounts' actor `id` and inbox URL have the same URI scheme and
   netloc.
2. all accounts whose actor `id` or inbox URL share the same URI scheme and
   netloc as a managed account must be managed by the same Mastodon instance
   as well.

As far as Mastodon is concerned, breaking those preconditions require extensive
configuration changes in the reverse proxy and might also cause other issues.

Therefore, this environment variable provides a way out for people with highly
unusual configurations, and can be safely ignored for the overwhelming majority
of Mastodon administrators.

* Only set follower synchronization header on non-public statuses

This is to avoid unnecessary computations and allow Follow-related
activities to be handled by the usual codepath instead of going through
the synchronization mechanism (otherwise, any Follow/Undo/Accept activity
would trigger the synchronization mechanism even if processing the activity
itself would be enough to re-introduce synchronization)

* Change how ActivityPub::SynchronizeFollowersService handles follow requests

If the remote lists a local follower which we only know has sent a follow
request, consider the follow request as accepted instead of sending an Undo.

* Integrate review feeback

- rename X-AS-Collection-Synchronization to Collection-Synchronization
- various minor refactoring and code style changes

* Only select required fields when computing followers_hash

* Use actor URI rather than webfinger domain in synchronization endpoint

* Change hash computation to be a XOR of individual hashes

Makes it much easier to be memory-efficient, and avoid sorting discrepancy issues.

* Marginally improve followers_hash computation speed

* Further improve hash computation performances by using pluck_each
2020-10-21 18:04:09 +02:00
Eugen Rochko
5e1364c448
Add IP-based rules () 2020-10-12 16:33:49 +02:00
Eugen Rochko
7d985f2aac
Remove dependency on goldfinger gem ()
There are edge cases where requests to certain hosts timeout when
using the vanilla HTTP.rb gem, which the goldfinger gem uses. Now
that we no longer need to support OStatus servers, webfinger logic
is so simple that there is no point encapsulating it in a gem, so
we can just use our own Request class. With that, we benefit from
more robust timeout code and IPv4/IPv6 resolution.

Fix 
2020-10-08 00:34:57 +02:00
Eugen Rochko
974b1b79ce
Add option to be notified when a followed user posts ()
* Add bell button

Fix 

* Remove duplicate type from post-deployment migration

* Fix legacy class type mappings

* Improve query performance with better index

* Fix validation

* Remove redundant index from notifications
2020-09-18 17:26:45 +02:00
kawaguchi
5d3c8baa9a
Fix validates :sign_count of WebauthnCredential () 2020-09-16 20:16:46 +02:00
Eugen Rochko
ed099d8bdc
Change account suspensions to be reversible by default () 2020-09-15 14:37:58 +02:00
ThibG
cd4ec7cd74
Do not serve account actors at all in limited federation mode ()
* Do not serve account actors at all in limited federation mode

When an account is fetched without a signature from an allowed instance,
return an error.

This isn't really an improvement in security, as the only information that was
previously returned was required protocol-level info, and the only personal bit
was the existence of the account. The existence of the account can still be
checked by issuing a webfinger query, as those are accepted without signatures.

However, this change makes it so that unallowed instances won't create account
records on their end when they find a reference to an unknown account.

The previous behavior of rendering a limited list of fields, instead of not
rendering the actor at all, was in order to prevent situations in which two
instances in Authorized Fetch mode or Limited Federation mode would fail to
reach each other because resolving an account would require a signed query…
from an account which can only be fetched with a signed query itself. However,
this should now be fine as fetching accounts is done by signing on behalf of
the special instance actor, which does not require any kind of valid signature
to be fetched.

* Fix tests
2020-09-14 13:04:29 +02:00
Eugen Rochko
4e4b3a0c8e
Refactor settings controllers ()
- Disallow suspended accounts from revoking sessions and apps
- Allow suspended accounts to access exports
2020-09-11 20:56:35 +02:00
Eugen Rochko
65760f59df
Refactor feed manager () 2020-09-08 03:41:16 +02:00
ThibG
517af45e32
Fix multiple boosts of a same toot erroneously appearing in TL ()
* Check for and record reblog info atomically

Instead of using ZREVRANK to determine whether a reblog is a new reblog or not,
use ZADD's NX option to perform the check/addition option atomically.

* Replace ZREVRANK call with ZSCORE key which is more efficient

* Make tests a bit stricter

* Fix off-by-one
2020-09-07 18:00:15 +02:00
Eugen Rochko
e8bc187845
Refactor how public and tag timelines are queried () 2020-09-07 11:02:04 +02:00
Eugen Rochko
68d3b160de
Fix various warnings in rspec () 2020-09-04 20:22:26 +02:00
ThibG
79305428a7
Add configuration option to filter replies in lists ()
* Add database support for list show-reply preferences

* Add backend support to read and update list-specific show_replies settings

* Add basic UI to set list replies setting

* Add specs for list replies policy

* Switch "cycling" reply policy link to a set of radio inputs

* Capitalize replies_policy strings

* Change radio button design to be consistent with that of the directory explorer
2020-09-01 13:31:28 +02:00
Eugen Rochko
52157fdcba
Add support for dereferencing objects through bearcaps () 2020-08-30 12:34:20 +02:00
santiagorodriguez96
9cadd40cf4
refactor: add email previews for WebAuthn emails ()
This is a leftover for the work done in .
2020-08-25 01:21:11 +02:00
santiagorodriguez96
e8d41bc2fe
Add WebAuthn as an alternative 2FA method ()
* feat: add possibility of adding WebAuthn security keys to use as 2FA

This adds a basic UI for enabling WebAuthn 2FA. We did a little refactor
to the Settings page for editing the 2FA methods – now it will list the
methods that are available to the user (TOTP and WebAuthn) and from
there they'll be able to add or remove any of them.
Also, it's worth mentioning that for enabling WebAuthn it's required to
have TOTP enabled, so the first time that you go to the 2FA Settings
page, you'll be asked to set it up.
This work was inspired by the one donde by Github in their platform, and
despite it could be approached in different ways, we decided to go with
this one given that we feel that this gives a great UX.

Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com>

* feat: add request for WebAuthn as second factor at login if enabled

This commits adds the feature for using WebAuthn as a second factor for
login when enabled.
If users have WebAuthn enabled, now a page requesting for the use of a
WebAuthn credential for log in will appear, although a link redirecting
to the old page for logging in using a two-factor code will also be
present.

Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com>

* feat: add possibility of deleting WebAuthn Credentials

Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com>

* feat: disable WebAuthn when an Admin disables 2FA for a user

Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com>

* feat: remove ability to disable TOTP leaving only WebAuthn as 2FA

Following examples form other platforms like Github, we decided to make
Webauthn 2FA secondary to 2FA with TOTP, so that we removed the
possibility of removing TOTP authentication only, leaving users with
just WEbAuthn as 2FA. Instead, users will have to click on 'Disable 2FA'
in order to remove second factor auth.
The reason for WebAuthn being secondary to TOPT is that in that way,
users will still be able to log in using their code from their phone's
application if they don't have their security keys with them – or maybe
even lost them.

* We had to change a little the flow for setting up TOTP, given that now
  it's possible to setting up again if you already had TOTP, in order to
  let users modify their authenticator app – given that now it's not
  possible for them to disable TOTP and set it up again with another
  authenticator app.
  So, basically, now instead of storing the new `otp_secret` in the
  user, we store it in the session until the process of set up is
  finished.
  This was because, as it was before, when users clicked on 'Edit' in
  the new two-factor methods lists page, but then went back without
  finishing the flow, their `otp_secret` had been changed therefore
  invalidating their previous authenticator app, making them unable to
  log in again using TOTP.

Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com>

* refactor: fix eslint errors

The PR build was failing given that linting returning some errors.
This commit attempts to fix them.

* refactor: normalize i18n translations

The build was failing given that i18n translations files were not
normalized.
This commits fixes that.

* refactor: avoid having the webauthn gem locked to a specific version

* refactor: use symbols for routes without '/'

* refactor: avoid sending webauthn disabled email when 2FA is disabled

When an admins disable 2FA for users, we were sending two mails
to them, one notifying that 2FA was disabled and the other to notify
that WebAuthn was disabled.
As the second one is redundant since the first email includes it, we can
remove it and send just one email to users.

* refactor: avoid creating new env variable for webauthn_origin config

* refactor: improve flash error messages for webauthn pages

Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com>
2020-08-24 16:46:27 +02:00
ThibG
720214feb0
Add support for inlined objects in activity audience ()
* Add support for inlined objects in activity audience

* Add tests
2020-08-24 14:11:47 +02:00
ThibG
f6a82cb2cd
Fix not being able to unbookmark toots when blocked by their author ()
* Fix not being able to unbookmark toots when blocked by their author

* Add tests
2020-08-19 19:02:06 +02:00
ThibG
8d217d7231
Improve email address validation ()
* Increase DNS timeout from 1 second to 5 seconds for MX check

1 seconds is rather short when using a recursive DNS resolver which
hasn't got a cached result already available. Use 5 seconds instead,
which is the timeout value we use for outgoing HTTP queries.

* Add more precise error messages for invalid e-mail addresses
2020-08-12 12:40:25 +02:00
ThibG
a1412491b7
Change content-type to be always computed from file data ()
* Change content-type to be always computed from file data

Restore previous behavior, detecting the content-type isn't very
expensive, and some instances may serve files as application/octet-stream
regardless of their true type, making fetching media from them fail, while
it used to work pre-3.2.0.

* Add test
2020-08-02 11:21:10 +02:00
ThibG
bfd5aea206
Fix handling of Reject Follow when a matching follow relationship exists ()
* Add tests

* Fix handling of Reject Follow when a matching follow relationship exists

Regression from 
2020-08-01 18:20:37 +02:00
ThibG
5d9acc0ce4
Fix not handling Undo on some activity types when they aren't inlined ()
* Fix not handling Undo on some activity types when they aren't inlined

When receiving an Undo for a non-inlined activity, try looking it up in
database using the URI. The queries are ad-hoc because we don't have a global
index of object URIs, and not all activity types are stored in database with
an index on their URI.

Announces are just statuses, and have an index on URIs, so this check can
be done efficiently.

Accepts cannot be handled at all because we don't record their URI at any
point.

Follows don't have an index on URI, but they have an index on the issuing
account, which should make such queries largely manageable.

Likes don't have an index on URI, they have an index on the issuing account,
but the number of favs per account may be very high, so I decided not to
handle that.

Blocks don't have an index on URI, but they have an index on the issuing
account, which should make such queries largely manageable.

In all cases, if an Undo could not be handled properly, we call `delete_later!`
because that does not require us to know more than the URI of the undone
property.

* Add tests

* Make newer blocks overwrite older ones

Allows re-synchronizing block info by re-blocking and un-blocking again
when the original Undo Block has been lost.
2020-07-22 11:45:35 +02:00
ThibG
f55dd193f9
Fix RSS feeds not being cachable ()
* Add tests for some cachable responses

This only covers responses that we should have managed to make cachable
so far. It's not the case of all responses that should be cachable in
the end.

* Fix RSS feeds not being cachable
2020-07-22 11:44:02 +02:00
ThibG
322d74fc2a
Fix boosted toots from blocked account not being retroactively removed from TL ()
* Fix boosted toots from blocked account not being retroactively removed from TL

Fixes 

* Add test for clear_from_timeline
2020-07-17 07:07:54 +02:00
ThibG
d658af7ff8
Fix removing allowed domains being done synchronously ()
* Fix removing allowed domains being done synchronously

* Add tests
2020-07-15 21:08:19 +02:00
ThibG
0a8a3fe595
Fix being unable to unboost when blocked by their author ()
Fixes 
2020-07-15 14:43:19 +02:00
Eugen Rochko
6e25574ce5
Fix media attachments enumeration ()
* Fix media attachment enumeration

* Switch media_attachments id to snowflake ids

Co-authored-by: Thibaut Girka <thib@sitedethib.com>
2020-07-07 15:26:51 +02:00
ThibG
e96e9cae62
Add test for removing endorsed accounts on account deletion/suspension () 2020-07-07 02:01:13 +02:00
ThibG
35cedc922c
Change move handler to carry blocks over ()
* Change move handler to carry blocks and mutes over

When user A blocks user B and B moves to a new account C, make A block C
accordingly.

Note that it only works if A's instance is aware of the Move, that is,
if B is on A's instance or has followers there.

* Also notify instances with known people blocking you when moving

* Add automatic account notes when blocking/muting an account that had no note
2020-07-01 13:51:15 +02:00
Eugen Rochko
7aaf2b44ec
Fix remote files not using Content-Type header, streaming () 2020-06-30 23:58:02 +02:00
ThibG
65506bac3f
Add user notes on accounts ()
* Add UserNote model

* Add UI for user notes

* Put comment in relationships entity

* Add API to create user notes

* Copy user notes to new account when receiving a Move activity

* Address some of the review remarks

* Replace modal by inline edition

* Please CodeClimate

* Button design changes

* Change design again

* Cancel note edition when pressing Escape

* Fixes

* Tweak design again

* Move “Add note” item, and allow users to add notes to themselves

* Rename UserNote into AccountNote, rename “comment” Relationship attribute to “note”
2020-06-30 19:19:50 +02:00
Eugen Rochko
1b198d6489
Fix trying to write non-existent image remote URL attribute on preview cards ()
Regression from 
2020-06-29 17:59:04 +02:00
Eugen Rochko
64aac30733
Add customizable thumbnails for audio and video attachments ()
- Change audio files to not be stripped of metadata
- Automatically extract cover art from audio if it exists
- Add `thumbnail` parameter to `POST /api/v1/media`, `POST /api/v2/media` and `PUT /api/v1/media/:id`
- Add `icon` to represent it in attachments in ActivityPub
- Fix `preview_url` containing URL of missing missing image when there is no thumbnail instead of null
- Fix duration of audio not being displayed on public pages until the file is loaded
2020-06-29 13:56:55 +02:00
ThibG
89f40b6c3e
Make domain block/silence/reject-media code more robust ()
* Split media cleanup from reject-media domain blocks to its own service

* Slightly improve ClearDomainMediaService error handling

* Lower DomainClearMediaWorker to lowest-priority queue

* Do not catch ActiveRecord::RecordNotFound in domain block workers

* Fix DomainBlockWorker spec labels

* Add some specs

* Change domain blocks to immediately mark accounts as suspended

Rather than doing so sequentially, account after account, while cleaning
their data. This doesn't change much about the time the block takes to
complete, but it immediately prevents interaction with the blocked domain,
while up to now, it would only be guaranteed when the process ends.
2020-06-09 10:32:00 +02:00
Eugen Rochko
72a7cfaa39
Add e-mail-based sign in challenge for users with disabled 2FA () 2020-06-09 10:23:06 +02:00
ThibG
aed3a436a2
Fix serialization of replies when some of them are URIs ()
* Fix serialization of replies when some of them are URIs

Fixes 

* Add test
2020-06-04 19:03:31 +02:00
Eugen Rochko
5d8398c8b8
Add E2EE API () 2020-06-02 19:24:53 +02:00
ThibG
a319c1e60f
Add support for summary field for media description () 2020-05-15 17:08:59 +02:00
ThibG
27ea7c13a5
Fix hashtag search performing account search as well () 2020-05-14 23:37:37 +02:00
ThibG
71fce71c94
Fix webfinger returning wrong status code on malformed or missing param ()
Fixes 
2020-05-14 23:28:06 +02:00
dependabot-preview[bot]
78202e9138
Bump doorkeeper from 5.3.3 to 5.4.0 ()
* Bump doorkeeper from 5.3.3 to 5.4.0

Bumps [doorkeeper](https://github.com/doorkeeper-gem/doorkeeper) from 5.3.3 to 5.4.0.
- [Release notes](https://github.com/doorkeeper-gem/doorkeeper/releases)
- [Changelog](https://github.com/doorkeeper-gem/doorkeeper/blob/master/CHANGELOG.md)
- [Commits](https://github.com/doorkeeper-gem/doorkeeper/compare/v5.3.3...v5.4.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Fix tests

* Fix use of Doorkeeper::AccessToken.find_or_create_for

* Fix tests?

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Thibaut Girka <thib@sitedethib.com>
2020-05-12 15:25:33 +02:00
ThibG
4bcef12bad
Fix sr locale being selected over sr-Latn ()
* Fix sr locale being selected over sr-Latn

* Update tests
2020-05-11 01:09:21 +02:00
Eugen Rochko
4b766f9846
Refactor monkey-patching of Goldfinger () 2020-05-10 11:41:43 +02:00
Eugen Rochko
8be4c2ba21
Add ability to remove identity proofs from account ()
Fix 
2020-05-10 11:21:10 +02:00
Takeshi Umeda
26b08a3c54
Add remote only to public timeline ()
* Add remote only to public timeline

* Fix code style
2020-05-10 10:36:18 +02:00
ThibG
a4240fd027
Improve RSS entries for statuses ()
* Improve RSS entries for statuses

- Render polls in both accounts and tags serializers
- Refactor RSS serializers
- Change title preview to include ellipsis when truncated
- Change title preview to show CW instead of toot text
- Add tests

* Remove title from OEmbed serialization

Twitter doesn't serialize title either, and tihs allows us to move the
title formatting code to the RSS serializers.
2020-05-10 09:50:54 +02:00
ThibG
f1e0fa80f6
Fix own following/followers not showing muted users ()
Fixes 
2020-05-08 20:36:34 +02:00
Taras Gogol
6748a5acb1
Fix followings list order | Issue () 2020-05-08 20:17:16 +02:00
Eugen Rochko
5cff7910c2
Add more ActivityPub controller tests () 2020-05-03 22:19:24 +02:00
Yamagishi Kazutoshi
e223fd8c61
Revert "improve status title ()" ()
This reverts commit 05756c9a14.
2020-05-03 18:48:13 +02:00
Eugen Rochko
988b0493fe
Add more tests for ActivityPub controllers () 2020-05-03 16:30:36 +02:00
Eugen Rochko
2744f61696
Fix not being able to resolve public resources in development environment () 2020-04-25 22:01:08 +02:00
Eugen Rochko
5edff32733
Change delivery failure tracking to work with hostnames instead of URLs () 2020-04-15 20:33:24 +02:00
Eugen Rochko
f65568f1d4
Add ability to filter audit log in admin UI () 2020-04-03 13:06:34 +02:00
Eugen Rochko
9014367bd8
Fix background jobs not using locks like they are supposed to ()
Also:

- Fix locks not being removed when jobs go to the dead job queue
- Add UI for managing locks to the Sidekiq dashboard
- Remove unused Sidekiq workers

Fix 
2020-03-31 21:59:03 +02:00
ThibG
f08f880f58
Fix media not being marked sensitive when client sets a CW but no text ()
Mastodon enforces the “sensitive” flag on media attachments whenever a toot
is posted with a Content Warning. However, it does so *after* potentially
converting the Content Warning to toot text (when there is no toot text),
which leads to inconsistent and surprising behavior for API clients.
This commit fixes this inconsistency.
2020-03-25 22:40:58 +01:00
dependabot-preview[bot]
56531d646e
Bump sidekiq from 5.2.7 to 6.0.4 ()
* Bump sidekiq from 5.2.7 to 6.0.0

Bumps [sidekiq](https://github.com/mperham/sidekiq) from 5.2.7 to 6.0.0.
- [Release notes](https://github.com/mperham/sidekiq/releases)
- [Changelog](https://github.com/mperham/sidekiq/blob/master/Changes.md)
- [Commits](https://github.com/mperham/sidekiq/compare/v5.2.7...v6.0.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Sidekiq::Logger.logger -> Sidekiq.logger

* Drop support Ruby 2.4

* update

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Yamagishi Kazutoshi <ykzts@desire.sh>
2020-03-21 12:04:54 +09:00
ThibG
61f35c1a8a
Fix reported accounts not being whitelisted when resolving a spamcheck report () 2020-03-21 03:08:09 +01:00
guigeekz
e31ba618d4
Add submit button to the top of preferences pages ()
* Move submit button to the top of the edit page

* Duplicate save button on long form

* Fix click submit on profile spec
2020-03-08 16:04:03 +01:00
Eugen Rochko
339ce1c4e9
Add specific rate limits for posting and following () 2020-03-08 15:17:39 +01:00
Eugen Rochko
0c28a505dd
Fix leak of arbitrary statuses through unfavourite action in REST API () 2020-02-27 12:32:54 +01:00
ThibG
c48d895ea7
Fix sign-ups without checked user agreement being accepted through the web form ()
* Fix user agreement not being verified

* Fix tests

* Fix up agreement field being dismissed
2020-02-16 12:56:53 +01:00
Eugen Rochko
b1349342d2
Fix rendering <a> without href when scheme unsupported ()
- Disallow links with relative paths
- Disallow iframes with non-http protocols and relative paths

Close 
2020-02-08 21:22:38 +01:00
Eugen Rochko
5265df0a8a
Change signature verification to ignore signatures with invalid host ()
Instead of returning a signature verification error, pretend there
was no signature (i.e., this does not allow access to resources that
need a valid signature), so public resources can still be fetched

Fix 
2020-02-03 17:48:23 +01:00
abcang
61a7390b66
Search account domain in lowercase ()
* Search account domain in lowercase

* fix rubocop error

* fix spec/models/account_spec.rb
2020-02-01 15:42:24 +01:00
Eugen Rochko
ae2198bd95
Fix validations of reactions limit () 2020-01-25 16:00:29 +01:00
Eugen Rochko
71921f6bc3
Fix user disabling changing activity timestamps, fix nil error () 2020-01-25 05:22:35 +01:00
Eugen Rochko
dee853f23c
Remove bad encoding middleware ()
Revert 
2020-01-24 00:20:03 +01:00
Eugen Rochko
f52c988e12
Add announcements ()
* Add announcements

Fix 

* Add reactions to announcements

* Add admin UI for announcements

* Add unit tests

* Fix issues

- Add `with_dismissed` param to announcements API
- Fix end date not being formatted when time range is given
- Fix announcement delete causing reactions to send streaming updates
- Fix announcements container growing too wide and mascot too small
- Fix `all_day` being settable when no time range is given
- Change text "Update" to "Announcement"

* Fix scheduler unpublishing announcements before they are due

* Fix filter params not being passed to announcements filter
2020-01-23 22:00:13 +01:00
Eugen Rochko
81cc86bb1f
Fix media attachments without file being uploadable ()
Fix 
2020-01-23 21:40:03 +01:00
ThibG
a8e46cf7a1 Add support for magnet: URIs () 2020-01-23 21:27:26 +01:00
ThibG
57e2833f6a Remove dependency on OStatus2 gem () 2020-01-11 21:36:53 +01:00
ThibG
ea436b355b Add support for linking XMPP URIs in toots ()
* Fix wrong grouping in Twitter valid_url regex

* Add support for xmpp URIs

Fixes 

The difficult part is autolinking, because Twitter-text's extractor does
some pretty ad-hoc stuff to find things that “look like” URLs, and XMPP
URIs do not really match the assumptions of that lib, so it doesn't sound
wise to try to shoehorn it into the existing regex.

This is why I used a specific regex (very close, although slightly more
permissive than the RFC), and a specific scan function (a simplified version
of the generalized one from Twitter).

* Remove leading “xmpp:” from auto-linked text
2020-01-11 02:15:25 +01:00
Alexander
05756c9a14 improve status title ()
* improve shown status title, useful for atom/rss

* use single quotes to satisfy codeclimate

* fix tests, make message more pretty

* fix tests

* fix codestyle

* fix codestyle

* remove atom_serializer_spec

Co-authored-by: Yamagishi Kazutoshi <ykzts@desire.sh>
2020-01-11 06:58:16 +09:00
ThibG
51eb111503 Allow blocking TLDs, and fix TLD blocks not being editable ()
Fixes 

It was already possible to create domain blocks for TLDs, but those
weren't enforced, nor editable. This commit changes it so that they
are enforced and editable.
2020-01-08 22:42:05 +01:00
Eugen Rochko
49b2f7c0a2
Fix base64-encoded file uploads not being possible ()
Fix , Fix 
2020-01-04 01:54:07 +01:00
Bèr Kessels
6c1ba513ee Add feature test that tests behaviour of profile name and bio ()
* Add feature test that tests behaviour of profile name and bio

* Fix rubocop style errors in Login Spec.

* DRY log_in_spec by reusing the stories helper

Co-authored-by: Eugen Rochko <eugen@zeonfederated.com>
2020-01-03 02:44:06 +01:00
ThibG
aa138ea350 Fix RefollowWorker not keeping show_reblogs setting ()
* Fix RefollowWorker not keeping show_reblogs setting

* Fix RefollowWorker
2020-01-02 20:52:39 +01:00
Eugen Rochko
09d54d1f62
Fix uncaught query param encoding errors () 2020-01-02 17:14:58 +01:00
ThibG
3b3bdc7293 Hide blocked users from more places ()
* Hide blocked, muted, and blocked-by users from toot favourite lists

* Hide blocked, muted, and blocked-by users from toot reblog lists

* Hide blocked, muted, and blocked-by users from followers/following (API)

* Fix tests

* Hide blocked, muted, and blocked-by users from followers/following on public pages
2019-12-31 00:55:32 +01:00
Eugen Rochko
f86ee4b59f
Fix IDN mentions not being processed, IDN domains not being rendered ()
This changes the REST API to return unicode domains in the `acct`
attribute instead of punycode, and to render unicode instead of
punycode on public HTML pages as well.

Fix , fix 
2019-12-30 19:20:43 +01:00
Bèr Kessels
8a347f4937 Fix typo in login feature-test. () 2019-12-18 16:54:29 +01:00
ThibG
2ee5a9d9c3 Clean up OStatus-related codepaths ()
* Remove “protocol” argument and return value, as only ActivityPub is supported

* Remove FetchRemoteAccountService, only use ActivityPub::FetchRemoteAccountService

* Fix tests
2019-12-17 13:32:57 +01:00
ThibG
da2143b308 Fixes featured hashtag setting page erroring out instead of rejecting invalid tags ()
* Revert "Fix ignoring whole status because of one invalid hashtag ()"

This reverts commit dff46b260b.

* Fix statuses being rejected because of invalid hashtag names

* Add spec for invalid hashtag names in statuses

* Add test for featured tags controller
2019-12-17 13:31:56 +01:00
Thomas Citharel
8094955461 Add Event activity-type support ()
This adds support for Event AP type in Mastodon. Events are converted
into toots by taking their title (AS name) and their URL (AP ID). Event
picture is also brought in if available.

Testable by fetching event content from https://test.mobilizon.org

Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2019-12-16 23:55:28 +01:00
Yamagishi Kazutoshi
e598ce0bd9 Move rspec examples to tmp dir () 2019-12-02 19:55:08 +01:00
ThibG
911cc14481 Add follow_request notification type ()
* Add follow_request notification type

The notification type already existed in the backend but was never pushed
to the front-end. This also means translation strings were also available
for the backend, from the notification mailer.

Unlike other notification types, these are off by default, to match what
I remember of Gargron's view on the topic: that follow requests should not
clutter notifications and should instead be reviewed at the user's own
leisure in the dedicated column.

Since follow requests have their own column, I've deemed it unnecessary to
add a specific tab for them in the notification quick filter.

* Show follow request link in single-column if there are pending requests, even if account isn't locked

* Push follow requests from notifications to the follow_requests list

* Offer to accept or reject follow request from the notification

* Redesign follow request notification
2019-12-01 17:25:29 +01:00
ThibG
c656cc2191 Fix FetchLinkCardServices crashing on a tags without a target ()
* Add test for links without targets

* Fix FetchLinkCardServices crashing on a tags without a target
2019-11-21 16:04:52 +01:00
Dimitri Merejkowsky
cb3e9a2934 Store rspec statuses in .cache/rspec ()
This allows using rspec with `--only-failures`
2019-11-19 17:22:40 +01:00
Eugen Rochko
d14e74eff5
Add cache for OEmbed endpoints to avoid extra HTTP requests ()
* add youtube oembed endpoint

* add check for oembed endpoint

* change unless for a more readable if

* clear blank lines

* endpoint via https

* Fix string literal in condition

* use cache for endpoints

* use cache for endpoints

* clean up and adding check

* clean up and remove redundant return

* add html check

* add false to return

* use double quotes

* use double quotes

* Clean up
2019-11-17 18:40:33 +01:00
Gomasy
5a2c0707f1 Support min_id-based pagination for bookmarks ()
* Support min_id-based pagination for bookmarks

* Fix spec
2019-11-17 17:09:41 +01:00
Jennifer Glauche
fd93a9c871 make it not return http 400 when passing and empty source argument ()
* make it not return http 400 when passing and empty source argument

* create a spec for the empty source hash bug

* compact checks for nil, empty? parameters

* use nil.blank? instead checking for nil
2019-11-16 19:02:09 +01:00
Eugen Rochko
510e184216
Fix localization test failing due to order of locale definitions () 2019-11-15 21:00:09 +01:00
ThibG
dfea7368c9 Add bookmarks ()
* Add backend support for bookmarks

Bookmarks behave like favourites, except they aren't shared with other
users and do not have an associated counter.

* Add spec for bookmark endpoints

* Add front-end support for bookmarks

* Introduce OAuth scopes for bookmarks

* Add bookmarks to archive takeout

* Fix migration

* Coding style fixes

* Fix rebase issue

* Update bookmarked_statuses to latest UI changes

* Update bookmark actions to properly reflect status changes in state

* Add bookmarks item to single-column layout

* Make active bookmarks red
2019-11-13 23:02:10 +01:00
Yamagishi Kazutoshi
afb398b583 Change to always returns html document in error pages () 2019-11-13 22:53:05 +01:00
ThibG
66c1fe0495 Fix various issues with account migration ()
* Fix being able to follow oneself by moving to an account that was following the old one

* Add specs

* Add spec to catch MoveWorker issue with local followers following both accounts

* Fix move worker breaking when a local account follows both source and target accounts

* Fix migration from remote to local account not sending Undo Follow

* Fix show_reblogs not being preserved for moved account's followers
2019-11-07 09:05:07 +02:00
ThibG
650820d62d Fix remote media descriptions being cut off at 420 chars ()
* Fix remote media descriptions being cut off at 420 chars

Fixes 

* Fix tests
2019-11-04 13:00:16 +01:00
Takeshi Umeda
a6269b2f83 Split AccountsHelper from StatusesHelper () 2019-10-24 22:50:09 +02:00
BSKY
fccf83e1f2 Add noopener and/or noreferrer () 2019-10-24 22:44:42 +02:00
Eugen Rochko
b5f7e12817
Remove auto-silence behaviour from spam check ()
Fix 
2019-10-09 07:11:23 +02:00
Eugen Rochko
354fdd317e
Fix attachment not being re-downloaded even if file is not stored ()
Change the behaviour of remotable concern. Previously, it would skip
downloading an attachment if the stored remote URL is identical to
the new one. Now it would not be skipped if the attachment is not
actually currently stored by Paperclip.
2019-10-09 07:10:46 +02:00
Eugen Rochko
f665901e3c
Fix performance of home feed regeneration ()
Fetching statuses from all followed accounts at once takes too long
within Postgres. Fetching them one by one and merging in Ruby
could be a lot less resource-intensive

Because the query for dynamically fetching the home timeline is so
heavy, we can no longer offer it when the home timeline is missing
2019-10-06 22:11:17 +02:00
Eugen Rochko
eb83d6256e
Add reason param to POST /api/v1/accounts REST API ()
For approval-required registrations mode
2019-10-03 17:50:59 +02:00
Eugen Rochko
62f60e86c2
Fix account counters being overwritten by parallel writes () 2019-10-02 04:59:37 +02:00
ThibG
3a4d994c40 Fix BootstrapTimelineService crashing when bootstrapped accounts are invalid ()
* Add test to handle suspended and missing users in BootstrapTimelineService

* Fix BootstrapTimelineService crashing when bootstrapped accounts are invalid
2019-10-01 15:10:00 +02:00
Eugen Rochko
9ba40a6bfd
Remove HEAD request from fetching link previews ()
It is not really necessary and we need to reduce requests
2019-10-01 04:54:10 +02:00
Eugen Rochko
5c42f47617
Fix records not being indexed sometimes ()
It's possible that after commit callbacks were not firing when
exceptions occurred in the process. Also, the default Sidekiq
strategy does not push indexing jobs immediately, which is not
necessary and could be part of the issue too.
2019-10-01 01:19:11 +02:00
Eugen Rochko
5f69eb89e2
Add a nodeinfo endpoint ()
* Add nodeinfo endpoint

* dont commit stuff from my local dev

* consistant naming since we implimented 2.1 schema

* Add some additional node info stuff

* Add nodeinfo endpoint

* dont commit stuff from my local dev

* consistant naming since we implimented 2.1 schema

* expanding this to include federation info

* codeclimate feedback

* CC feedback

* using activeserializers seems like a good idea...

* get rid of draft 2.1 version

* Reimplement 2.1, also fix metaData -> metadata

* Fix metaData -> metadata here too

* Fix nodeinfo 2.1 tests

* Implement cache for monthly user aggregate

* Useless

* Remove ostatus from the list of supported protocols

* Fix nodeinfo's open_registration reading obsolete setting variable

* Only serialize domain blocks with user-facing limitations

* Do not needlessly list noop severity in nodeinfo

* Only serialize domain blocks info in nodeinfo when they are set to be displayed to everyone

* Enable caching for nodeinfo endpoints

* Fix rendering nodeinfo

* CodeClimate fixes

* Please CodeClimate

* Change InstancePresenter#active_user_count_months for clarity

* Refactor NodeInfoSerializer#metadata

* Remove nodeinfo 2.1 support as the schema doesn't exist

* Clean-up
2019-09-29 21:31:51 +02:00
Eugen Rochko
ab33c4df94
Add exclude_unreviewed param to GET /api/v2/search REST API ()
Make it so normal search returns even unreviewed matches, but
autosuggestions do not.

Fix 
2019-09-28 01:02:21 +02:00
ThibG
18b451c0e6 Change silences to always require approval on follow ()
* Change silenced accounts to require approval on follow

* Also require approval for follows by people explicitly muted by target accounts

* Do not auto-accept silenced or muted accounts when switching from locked to unlocked

* Add `follow_requests_count` to verify_credentials

* Show “Follow requests” menu item if needed even if account is locked

* Add tests

* Correctly reflect that follow requests weren't auto-accepted when local account is silenced

* Accept follow requests from user-muted accounts to avoid leaking mutes
2019-09-27 21:13:51 +02:00
Eugen Rochko
3ed94dcc1a
Add account migration UI ()
Fix 

- Change data export to be available for non-functional accounts
- Change non-functional accounts to include redirecting accounts
2019-09-19 20:58:19 +02:00
Eugen Rochko
e1066cd431
Add password challenge to 2FA settings, e-mail notifications ()
Fix 
2019-09-18 16:37:27 +02:00
Eugen Rochko
4f6af87906
Change spam check to apply to local accounts and add a threshold ()
Instead of detecting spam on first duplicate message, add a
threshold of 5 such messages to reduce false positives
2019-09-18 12:53:13 +02:00
Eugen Rochko
a4b60e9ba4
Fix TOTP codes not being filtered from logs during enabling/disabling ()
Not a serious issue because they are meaningless past single use
2019-09-18 02:48:40 +02:00
Eugen Rochko
c707ef49d9
Fix 2FA challenge and password challenge for non-database users ()
* Fix 2FA challenge not appearing for non-database users

Fix 

* Fix account deletion not working when using external login

Fix 
2019-09-15 21:08:39 +02:00
Eugen Rochko
18331fefa2
Remove deprecated GET /api/v1/search API ()
Use `GET /api/v2/search` instead
2019-09-13 16:11:13 +02:00
Eugen Rochko
0762258aec
Fix hashtags being split by ZWNJ character ()
Fix 
2019-09-13 16:01:26 +02:00
Eugen Rochko
c5d37f18cb
Change deletes to preserve soft-deleted statuses in unresolved reports ()
Change all account actions except "none" to resolve all unresolved reports

Refactor `SuspendAccountService` to be more readable
2019-09-11 16:32:44 +02:00
Tao Bror Bojlén
4fe127664b add admin setting for default search engine indexing (fix ) () 2019-09-11 08:44:58 +02:00
ThibG
4faaa5b25e Add updated relationship to follow request API responses ()
Fixes 
2019-09-10 20:56:42 +02:00
Eugen Rochko
1110ea1a91
Add batch actions and categories to admin UI for custom emojis () 2019-09-09 22:44:17 +02:00
Eugen Rochko
e445a8af64
Add timeline read markers API ()
Fix 
2019-09-06 13:55:51 +02:00
ThibG
692c5b439a Fix ActivityPub context not being dynamically computed ()
* Fix contexts not being dynamically included

Fixes 

* Refactor Note context in serializer

* Refactor Actor serializer
2019-09-03 22:52:32 +02:00
Eugen Rochko
70ddef2654
Change trending hashtags to not disappear instantly after midnight () 2019-09-02 18:11:13 +02:00
Eugen Rochko
b54b725d6b
Fix uncaught domain normalization error in remote follow () 2019-08-30 02:19:17 +02:00
Eugen Rochko
22ce4778eb
Fix uncaught parameter missing exceptions and missing error templates () 2019-08-30 01:34:47 +02:00
Eugen Rochko
73ca0bb925
Add option to include reported statuses in warning e-mail () 2019-08-23 22:37:23 +02:00
Eugen Rochko
97192d9a77
Fix remote and staff-removed statuses leaving media behind for a day ()
The reason for unattaching media instead of removing it is to support
delete & redraft functionality, but remote or staff-removed statuses
will never be redrafted, so the media should be deleted immediately
2019-08-22 04:17:12 +02:00
Eugen Rochko
cc0a55cf9a
Add more accurate hashtag search ()
* Add more accurate hashtag search

Using ElasticSearch to index hashtags with edge n-grams and score
them by usage within the last 7 days since last activity. Only
hashtags that have been reviewed and are listable can appear in
searches, unless they match the query exactly

* Fix search analyzer dropping non-ascii characters
2019-08-18 03:45:51 +02:00
Eugen Rochko
e5cee8062f
Fix blurhash and autoplay not working on public pages () 2019-08-16 19:15:05 +02:00
Eugen Rochko
8fdff2748f
Add more accurate account search ()
* Add more accurate account search

When ElasticSearch is available, a more accurate search is implemented:

- Using edge n-gram index for acct and display name
- Using asciifolding and cjk width normalization on display names
- Using Gaussian decay on account activity for additional scoring (recency)
- Using followers/friends ratio for additional scoring (spamminess)
- Using followers number for additional scoring (size)

The exact match precedence only takes effect when the input conforms
to the username format and the username part of it is complete, i.e.
when the user started typing the domain part.

* Support single-letter usernames

* Fix tests

* Fix not picking up account updates

* Add weights and normalization for scores, skip zero terms queries

* Use local counts for accounts index, adjust search parameters

* Fix mistakes

* Using updated_at of accounts is inadequate for remote accounts
2019-08-16 01:24:03 +02:00
ThibG
bced70469a Add domain block notes ()
* Add database columns for adding notes to domain blocks/restrctions

* Add admin UI to set private and public comments when blocking a domain

* Add text for private and public comments on domain blocks

* Show domain block comments in admin UI

* Add comments to the domain block undo page

* Make UnblockDomainService more robust regarding upgraded domain blocks

* Allow editing domain blocks

* Rename button from “undo domain block” to “view domain block” in account admin UI

* Change test to unsilence silenced users from upgraded blocks
2019-08-07 20:20:23 +02:00
Yusuke Nakamura
82d2069c75 Bump faker from 1.9.6 to 2.1.0 and update faker api ()
* Bump faker from 1.9.6 to 2.1.0

Bumps [faker](https://github.com/stympy/faker) from 1.9.6 to 2.1.0.
- [Release notes](https://github.com/stympy/faker/releases)
- [Changelog](https://github.com/stympy/faker/blob/master/CHANGELOG.md)
- [Commits](https://github.com/stympy/faker/compare/1.9.6...v2.1.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Use faker api v2

https://github.com/stympy/faker/releases/tag/2.0
2019-08-06 15:33:03 +02:00
Eugen Rochko
115dab78f1
Change admin UI for hashtags and add back whitelisted trends ()
Fix 

Add back the `GET /api/v1/trends` API with the caveat that it does
not return tags that have not been allowed to trend by the staff.

When a hashtag begins to trend (internally) and that hashtag has
not been previously reviewed by the staff, the staff is notified.

The new admin UI for hashtags allows filtering hashtags by where
they are used (e.g. in the profile directory), whether they have
been reviewed or are pending reviewal, they show by how many people
the hashtag is used in the directory, how many people used it
today, how many statuses with it have been created today, and it
allows fixing the name of the hashtag to make it more readable.

The disallowed hashtags feature has been reworked. It is now
controlled from the admin UI for hashtags instead of from
the file `config/settings.yml`
2019-08-05 19:54:29 +02:00
Eugen Rochko
8b9d0a0533
Remove XML version of Webfinger and remove links to Atom feeds ()
Fix 
2019-08-01 19:14:02 +02:00
Eugen Rochko
92de439c04
Change hashtag search to only return results that have trended in the past ()
* Change hashtag search to only return results that have trended in the past

A way to eliminate typos and other one-off "junk" results

* Fix excluding exact matches that don't have a score

* Fix tests
2019-07-30 20:29:50 +02:00
ThibG
ff789a751a Fix boosting & unboosting preventing a boost from appearing in the TL ()
* Fix boosting & unboosting preventing a boost from appearing in the TL

* Add tests

* Avoids side effects when aggregate_reblogs isn't true
2019-07-30 13:18:23 +02:00
Eugen Rochko
24552b5160
Add whitelist mode () 2019-07-30 11:10:46 +02:00
Eugen Rochko
e136112ab7
Fix tag normalization and migration not removing duplicate tags ()
Fix 
2019-07-29 20:40:21 +02:00
Eugen Rochko
b9b0313c78
Revert "Remove conversation URI ()" ()
This reverts commit 75f7f9930e.
2019-07-28 17:47:37 +02:00
Eugen Rochko
75f7f9930e
Remove conversation URI ()
It is not part of ActivityPub and will free up a lot of space
2019-07-28 17:30:12 +02:00
ysksn
d6ada2eb30 Implement pending tests () 2019-07-27 10:24:26 +02:00
Eugen Rochko
b9fbcbfe4e
Add search syntax for operators and phrases () 2019-07-27 04:42:08 +02:00
ThibG
92569ffde8 Fix invites not being disabled upon account suspension ()
* Disable invite links from disabled/suspended users

* Add has_many invites relationship to users

* Destroy unused invites when suspending an account
2019-07-26 18:55:33 +02:00
Rey Tucker
94f5c714f1 Don't delete periods when validating username uniqueness () ()
* Check to make sure usernames with '.' cannot be created

* Add test for instance actor account name conflicts

This makes sure that migration 20190715164535_add_instance_actor
won't fail if there's already an account that is named the same
as the domain (minus the .)

* Put the test into the correct context...

* Add another test to split this into two validations

* Don't delete periods when validating username uniqueness ()

The 20190715164535_add_instance_actor migration fails if there's
already a username similar to the domain name, e.g. if you are
'vulpine.club' and have a user named 'vulpineclub', validation
fails.

Upon further review, usernames with periods are dropped by the
regular expression in the Account class, so we don't need to
worry about it here.

Fixes 
2019-07-24 14:19:17 +02:00
Eugen Rochko
964ae8eee5
Change unconfirmed user login behaviour ()
Allow access to account settings, 2FA, authorized applications, and
account deletions to unconfirmed and pending users, as well as
users who had their accounts disabled. Suspended users cannot update
their e-mail or password or delete their account.

Display account status on account settings page, for example, when
an account is frozen, limited, unconfirmed or pending review.

After sign up, login users straight away and show a simple page that
tells them the status of their account with links to account settings
and logout, to reduce onboarding friction and allow users to correct
wrongly typed e-mail addresses.

Move the final sign-up step of SSO integrations to be the same
as above to reduce code duplication.
2019-07-22 10:48:50 +02:00
ThibG
7de8c51873 Play animated custom emoji on hover ()
* Play animated custom emoji on hover in status

* Play animated custom emoji on hover in display names

* Play animated custom emoji on hover in bios/bio fields

* Add support for animation on hover on public pages emojis too

* Fix tests

* Code style cleanup
2019-07-21 18:10:40 +02:00
Eugen Rochko
bd1545de5e
Change locale detection to run once per session ()
Fix 
2019-07-21 18:08:02 +02:00
Eugen Rochko
bd87e66679
Remove WebSub subscriptions () 2019-07-21 04:08:00 +02:00
ThibG
c37c1da41e Disallow numeric-only hashtags ()
* Add spec covering numeric-only hashtags

* Fix hashtag regex
2019-07-19 23:22:35 +02:00
ThibG
fda437a020 Fix sanitizing lists contents ()
* Add test

* Fix code for sanitizing nested lists stripping all tags
2019-07-19 01:44:58 +02:00
ThibG
730c4053d6 Add ActivityPub actor representing the entire server ()
* Add support for an instance actor

* Skip username validation for local Application accounts

* Add migration script to create instance actor

* Make Codeclimate happy

* Switch to id -99 for instance actor

* Remove unused `icon` and `image` attributes from instance actor

* Use if/elsif/else instead of return + ternary operator

* Add instance actor to fresh installs

* Use instance actor as instance representative

Use instance actor for forwarding reports, relay operations, and spam
auto-reporting.

* Seed database in test environment

* Fix single-user mode

* Fix tests

* Fix specs to accomodate for an extra `Account`

* Auto-reject follows on instance actor

Following an instance actor might make sense, but we are not handling that
right now, so auto-reject.

* Fix webfinger lookup and serialization for instance actor

* Rename instance actor

* Make it clear in the HTML view that the instance actor should not be blocked

* Raise cache time for instance actor as there's no dynamic content

* Re-use /about/more with a flash message for instance actor profile
2019-07-19 01:44:42 +02:00
Eugen Rochko
84e988479e
Fix only one middle dot being recognized in hashtags ()
Fix 
2019-07-18 03:02:56 +02:00
Eugen Rochko
5bfe1e1f05
Change language detection to include hashtags as words () 2019-07-18 03:02:15 +02:00
Eugen Rochko
6ff67be0f6
Add a spam check ()
* Add a spam check

* Use Nilsimsa to generate locality-sensitive hashes and compare using Levenshtein distance

* Add more tests

* Add exemption when the message is a reply to something that mentions the sender

* Use Nilsimsa Compare Value instead of Levenshtein distance

* Use MD5 for messages shorter than 10 characters

* Add message to automated report, do not add non-public statuses to
automated report, add trust level to accounts and make unsilencing
raise the trust level to prevent repeated spam checks on that account

* Expire spam check data after 3 months

* Add support for local statuses, reduce expiration to 1 week, always create a report

* Add content warnings to the spam check and exempt empty statuses

* Change Nilsimsa threshold to 95 and make sure removed statuses are removed from the spam check

* Add all matched statuses into automatic report
2019-07-13 16:45:50 +02:00
Eugen Rochko
5bf67ca913
Add ActivityPub secure mode ()
* Add HTTP signature requirement for served ActivityPub resources

* Change `SECURE_MODE` to `AUTHORIZED_FETCH`

* Add 'Signature' to 'Vary' header and improve code style

* Improve code style by adding `public_fetch_mode?` method
2019-07-11 20:11:09 +02:00
Eugen Rochko
4e8dcc5dbb
Add HTTP signatures to all outgoing ActivityPub GET requests () 2019-07-11 14:49:55 +02:00
Eugen Rochko
5d3feed191
Refactor fetching of remote resources () 2019-07-10 18:59:28 +02:00
Eugen Rochko
4e92183227
Refactor domain block checks () 2019-07-09 03:27:35 +02:00
Eugen Rochko
ef15246397
Remove unused remote unfollow controller () 2019-07-08 12:04:06 +02:00
Eugen Rochko
63c7fe8e48
Refactor controllers for statuses, accounts, and more () 2019-07-08 12:03:45 +02:00
Eugen Rochko
b851456139
Remove Atom feeds and old URLs in the form of GET /:username/updates/:id () 2019-07-07 16:16:51 +02:00
Eugen Rochko
23aeef52cc
Remove Salmon and PubSubHubbub ()
* Remove Salmon and PubSubHubbub endpoints

* Add error when trying to follow OStatus accounts

* Fix new accounts not being created in ResolveAccountService
2019-07-06 23:26:16 +02:00
Eugen Rochko
0c1b1069c9
Remove deprecated REST API GET /api/v1/statuses/:id/card () 2019-07-05 02:15:24 +02:00
Eugen Rochko
3fd6ab99e6
Remove deprecated REST API GET /api/v1/timelines/direct () 2019-07-05 02:14:56 +02:00
Eugen Rochko
0d9ffe56fb
Add request pool to improve delivery performance ()
* Add request pool to improve delivery performance

Fix 

* Ensure connection is closed when exception interrupts execution

* Remove Timeout#timeout from socket connection

* Fix infinite retrial loop on HTTP::ConnectionError

* Close sockets on failure, reduce idle time to 90 seconds

* Add MAX_REQUEST_POOL_SIZE option to limit concurrent connections to the same server

* Use a shared pool size, 512 by default, to stay below open file limit

* Add some tests

* Add more tests

* Reduce MAX_IDLE_TIME from 90 to 30 seconds, reap every 30 seconds

* Use a shared pool that returns preferred connection but re-purposes other ones when needed

* Fix wrong connection being returned on subsequent calls within the same thread

* Reduce mutex calls on flushes from 2 to 1 and add test for reaping
2019-07-02 00:34:38 +02:00
Eugen Rochko
e64e6a03dd
Add categories for custom emojis ()
Fix 
2019-06-28 15:54:10 +02:00
ThibG
9a90ec3b3b Fix account URI in UpdatePollSerializer ()
* Fix account URI in UpdatePollSerializer

Fixes 

* Add specs
2019-06-27 19:41:55 +02:00
ThibG
915c619394 Add support for Audio activities ()
Fixes 
2019-06-26 19:32:36 +02:00
ThibG
47ef4a6c7a Apply filters to poll options ()
* Apply filters to poll options in WebUI

Fixes 

* Apply filters to poll options server-side

* Add poll options to searchable text
2019-06-25 14:45:14 +02:00
Eugen Rochko
707ddf7808
Change domain blocks to automatically support subdomains ()
* Change domain blocks to automatically support subdomains

If a more authoritative domain is blocked (example.com), then the
same block will be applied to a subdomain (foo.example.com)

* Match subdomains of existing accounts when blocking/unblocking domains

* Improve code style
2019-06-22 00:13:10 +02:00
Eugen Rochko
7696f77245
Add moderation API ()
Fix 
Fix 
2019-06-20 02:52:34 +02:00
Eugen Rochko
103a9f4466
Fix sanitizer making block level elements unreadable ()
Fix 
2019-06-16 21:46:36 +02:00
Eugen Rochko
560ec24e58
Change /settings/preferences to redirect to appearance, add /settings/preferences/other () 2019-06-07 16:51:08 +02:00
Eugen Rochko
1db4117030
Change preferences page into appearance, notifications, and other () 2019-06-07 03:39:24 +02:00
ThibG
6c464cd424 Do not misattribute inlined boosts if attributedTo isn't present ()
* Do not misattribute inlined boosts if `attributedTo` isn't present

Fixes 

* Fix tests
2019-06-04 23:24:31 +02:00
Eugen Rochko
48fee1a800
Fix poll API not requiring authentication on non-public polls ()
* Fix poll API not requiring authentication on non-public polls

That API does not reveal the content of the status, i.e. the question
itself, nor who the author is, nor which status it belongs to, but it
does reveal the poll options and how many answers they got

Fix 

* Add test
2019-06-04 20:10:26 +02:00
ThibG
a353dc6030 Fix NotifyService test with regards to reblogs ()
Fixes 
2019-06-02 18:08:26 +02:00
trwnh
e3b39ea4a4 Update remote bio test from 160 to 500 () 2019-05-21 13:29:06 +02:00
Paul Woolcock
0c933c1b8c Add account_id param to GET /api/v1/notifications ()
* Add `from_account` to notifications API

this adds the ability to filter notifications by the account they
originated from

* passing a non-existent user should cause none to be returned

* Fix codeclimate warnings

* fix more codeclimate warnings

* make requested changes:

* use account id instead of user@domain
* name the param `account_id` instead of `from_account`

* Don't use `return` in a lambda
2019-05-21 13:28:49 +02:00
trwnh
a6caf919e2 Change bio limit from 160 to 500 ()
* Change note_length validator from 160 to 500

* Change input maxlength from 160 to 500

* update bio test from 160 to 500

* Multiply a string 30 times instead of 10
2019-05-19 22:51:44 +02:00
ThibG
ae18386558 Fix “invited by” not showing up for invited accounts in admin interface () 2019-05-19 21:40:36 +02:00
ThibG
a1519a8ef5 Prevent from publicly boosting one's own private toots () 2019-05-18 00:28:51 +02:00
ThibG
14f6ce2885 Record account suspend/silence time and keep track of domain blocks ()
* Record account suspend/silence time and keep track of domain blocks

* Also unblock users who were suspended/silenced before dates were recorded

* Add tests

* Keep track of suspending date for users suspended through the CLI

* Show accurate number of accounts that would be affected by unsuspending an instance

* Change migration to set silenced_at and suspended_at

* Revert "Also unblock users who were suspended/silenced before dates were recorded"

This reverts commit a015c65d2d1e28c7b7cfab8b3f8cd5fb48b8b71c.

* Switch from using suspended and silenced to suspended_at and silenced_at

* Add post-deployment migration script to remove `suspended` and `silenced` columns

* Use Account#silence! and Account#suspend! instead of updating the underlying property

* Add silenced_at and suspended_at migration to post-migration

* Change account fabricator to translate suspended and silenced attributes

* Minor fixes

* Make unblocking domains always retroactive
2019-05-14 19:05:02 +02:00
ThibG
62f5235b6f Prevent silenced local users from notifying remote users not following them ()
* Prevent silenced local users from notifying remote users not following them

This is an attempt to extend the local restrictions of silenced users to the
federation.

* Add tests

* Add tests for making sure private status don't get sent over OStatus
2019-05-09 22:05:43 +02:00
Eugen Rochko
7cb369d4c6
Change e-mail whitelist/blacklist to not be checked when invited ()
* Change e-mail whitelist/blacklist to not be checked when invited

And only when creating an account, not when updating it later

Fix 

* Fix test
2019-05-03 23:44:44 +02:00
ThibG
011b032300 Provide a link to existing domain block when trying to block an already-blocked domain ()
* When trying to block an already-blocked domain, provide a link to the block

* Fix styling for links in flash messages

* Allow blocks to be upgraded but not downgraded
2019-05-03 20:36:36 +02:00
ThibG
21a73c52a7 Check that an invite link is valid before bypassing approval mode ()
* Check that an invite link is valid before bypassing approval mode

Fixes 

* Add tests

* Only consider valid invite links in registration controller

* fixup
2019-05-02 04:30:12 +02:00
Eugen Rochko
a9f130b8d8
Fix Keybase verification using wrong domain for remote accounts () 2019-04-10 20:28:43 +02:00
Alex Gessner
154106c0c3 compare usernames case-insensitively on new proof creation flow ()
* compare usernames case-insensitively on new proof creation flow

* Fix code style issue
2019-04-10 18:05:11 +02:00
Eugen Rochko
46cb36fd2c
Add invite request to pending account notification e-mail ()
Fix sorting of the pending accounts page
2019-04-10 00:36:01 +02:00
Hinaloe
48f466daf1 Allow set the voting period to just 5 minutes ()
* Add spec of PollValidator for 

* Raise fraction less than 1 second

* format

* simplify time initialize
2019-04-09 17:02:12 +02:00
Eugen Rochko
8b69a66380 Add "why do you want to join" field to invite requests ()
* Add "why do you want to join" field to invite requests

Fix 

* Remove unused translations

* Fix broken registrations when no invite request text is submitted
2019-04-09 23:06:30 +09:00
ThibG
cb71c95e22 Export and import show_reblogs together with following list ()
* Refactor imports

* Export show_reblogs when exporting list of followed users

* Add support for importing show_reblogs with following collection

* Fix tests
2019-04-08 07:28:27 +02:00
Eugen Rochko
67b3b62b98
Improve blocked view of profiles ()
* Revert "Fix filtering of favourited_by, reblogged_by, followers and following ()"

This reverts commit 120544067f.

* Revert "Hide blocking accounts from blocked users ()"

This reverts commit 62bafa20a1.

* Improve blocked view of profiles

- Change "You are blocked" to "Profile unavailable"
- Hide following/followers in API when blocked
- Disable follow button and show "Profile unavailable" on public profile as well
2019-04-07 04:59:13 +02:00
ThibG
d4882aa64a Export and import hide_notifications alongside user mutes ()
* Export hide_notifications along with user mutes

* Import hide_notifications along with muted users list

* Add headers for CSV exports
2019-04-03 18:17:43 +02:00
ThibG
62bafa20a1 Hide blocking accounts from blocked users ()
* Revert "Add indication that you have been blocked in web UI ()"

This reverts commit bd02ec6daa.

* Revert "Add `blocked_by` relationship to the REST API ()"

This reverts commit 9745de883b.

* Hide blocking accounts from search results

* Filter blocking accouts from account followers

* Filter blocking accouts from account's following accounts

* Filter blocking accounts from “reblogged by” and “favourited by” lists

* Remove blocking account from URL search

* Return 410 on trying to fetch user data from a user who blocked us

* Return 410 in /api/v1/account/statuses for suspended or blocking accounts

* Fix status filtering when performing URL search

* Restore some React improvements

Restore some cleanup from bd02ec6daa

* Refactor by adding `without_blocking` scope
2019-04-01 20:06:13 +02:00
ThibG
2acd8940de Fix more keybase-related test failures () 2019-04-01 19:10:44 +02:00
slice
85973f4f37 Improvements to image upload validation and creation ()
* Check if image value is nil? before creating an image

Check if uploaded images aren't nil before creating SiteUpload models
for them.

* Validate presence of file in SiteUpload

* Fix file presence validation

* Fabricate SiteUpload#file

* Add link to Creative Commons license
2019-04-01 07:30:46 +02:00
ThibG
abecaba317 Fix failing keybase-related test () 2019-03-30 18:15:23 +01:00
Eugen Rochko
1714ea5978
Add ActivityPub representation for identity proofs ()
* Add ActivityPub representation for identity proofs

* Add tests
2019-03-30 02:12:06 +01:00
Alex Gessner
69141dca26 squashed identity proof updates () 2019-03-28 18:01:09 +01:00
Eugen Rochko
f1bc90ab50
Rename :poll to :preloadable_poll and :owned_poll to :poll on Status ()
Also, fix some n+1 queries

Resolve 
2019-03-28 04:44:59 +01:00
Eugen Rochko
11fe293e1b
Remove unused ActivityPub @context values depending on response ()
Fix 
2019-03-27 15:55:23 +01:00
Eugen Rochko
555c4e11ba
Add validations to admin settings ()
* Add validations to admin settings

- Validate correct HTML markup
- Validate presence of contact username & e-mail
- Validate that all usernames are valid
- Validate that enums have expected values

* Fix code style issue

* Fix tests
2019-03-23 14:07:04 +01:00
ThibG
66d9452092 Do not try fetching keys of unknown accounts on a Delete from them () 2019-03-20 17:20:16 +01:00
Eugen Rochko
9c4cbdbafb
Add Keybase integration ()
* create account_identity_proofs table

* add endpoint for keybase to check local proofs

* add async task to update validity and liveness of proofs from keybase

* first pass keybase proof CRUD

* second pass keybase proof creation

* clean up proof list and add badges

* add avatar url to keybase api

* Always highlight the “Identity Proofs” navigation item when interacting with proofs.

* Update translations.

* Add profile URL.

* Reorder proofs.

* Add proofs to bio.

* Update settings/identity_proofs front-end.

* Use `link_to`.

* Only encode query params if they exist.

URLs without params had a trailing `?`.

* Only show live proofs.

* change valid to active in proof list and update liveness before displaying

* minor fixes

* add keybase config at well-known path

* extremely naive feature flagging off the identity proof UI

* fixes for rubocop

* make identity proofs page resilient to potential keybase issues

* normalize i18n

* tweaks for brakeman

* remove two unused translations

* cleanup and add more localizations

* make keybase_contacts an admin setting

* fix ExternalProofService my_domain

* use Addressable::URI in identity proofs

* use active model serializer for keybase proof config

* more cleanup of keybase proof config

* rename proof is_valid and is_live to proof_valid and proof_live

* cleanup

* assorted tweaks for more robust communication with keybase

* Clean up

* Small fixes

* Display verified identity identically to verified links

* Clean up unused CSS

* Add caching for Keybase avatar URLs

* Remove keybase_contacts setting
2019-03-18 21:00:55 +01:00
ThibG
a20354a20b Set and store report URIs ()
Fixes 
2019-03-17 15:34:56 +01:00
ThibG
5e38ef87a7 Fix reblogs privacy ()
* Fix reblogs privacy

* Fix Announce processing specs
2019-03-17 14:54:09 +01:00
Eugen Rochko
1c113fd72d
Add relationship manager UI () 2019-03-16 11:23:22 +01:00
ysksn
782b622f5f Add specs for action log helper ()
* Add specs for ActionLogHelper

* Make some methods private

methods below never referenced from outside of their module:

- #linkable_log_target
- #log_target_from_history
2019-03-16 00:57:23 +09:00
Eugen Rochko
1b167707c2
Fix language detection of non-latin alphabets even at few characters () 2019-03-15 05:07:09 +01:00
Eugen Rochko
51e154f5e8
Admission-based registrations mode ()
Fix 
Fix 
2019-03-14 05:28:30 +01:00
Eugen Rochko
65fffeac3f
Redesign landing page () 2019-03-12 17:34:00 +01:00
Aurélien Reeves
85537b0069 Squish username before validation ()
* Squish username before validation ()

Fix 

* Move before_validation hook to a private method

Also add Unicode wite-spaces to the spec to support the use of squish
over strip.
2019-03-11 20:48:24 +01:00
ThibG
c11dff5049 Reject existing Follows when suspending a remote account ()
* Reject existing Follows when suspending a remote account

Partial fix to 

* Add tests
2019-03-10 16:18:58 +01:00
ThibG
3aaac4f134 Do not allow adding votes to expired polls ()
* Do not allow adding votes to expired polls

* Only validate expires_at on create
2019-03-08 00:54:50 +01:00
Eugen Rochko
0a39c81dd8 Add test ensuring that unknown object types are rejected () 2019-03-05 11:46:36 +09:00
ThibG
833ffce2df Store remote votes URI ()
* Store remote votes URI

* Add spec for accepting remote votes

* Make poll vote id generation work the same way as follows
2019-03-04 22:51:23 +01:00
Eugen Rochko
0e6998da3c
Add tests for ActivityPub poll processing () 2019-03-04 01:13:42 +01:00
Eugen Rochko
230a012f00
Add polls ()
* Add polls

Fix 

* Add tests

* Fixes

* Change API for creating polls

* Use name instead of content for votes

* Remove poll validation for remote polls

* Add polls to public pages

* When updating the poll, update options just in case they were changed

* Fix public pages showing both poll and other media
2019-03-03 22:18:23 +01:00
ThibG
9d3c6f1849 Improved remote thread fetching ()
* Fetch up to 5 replies when discovering a new remote status

This is used for resolving threads downwards. The originating
server must add a “replies” attributes with such replies for it to
be useful.

* Add some tests for ActivityPub::FetchRepliesWorker

* Add specs for ActivityPub::FetchRepliesService

* Serialize up to 5 public self-replies for ActivityPub notes

* Add specs for ActivityPub::NoteSerializer

* Move exponential backoff logic to a worker concern

* Fetch first page of paginated collections when fetching thread replies

* Add specs for paginated collections in replies

* Move Note replies serialization to a first CollectionPage

The collection isn't actually paginable yet as it has no id nor
a `next` field. This may come in another PR.

* Use pluck(:uri) instead of map(&:uri) to improve performances

* Fix fetching replies when they are in a CollectionPage
2019-02-28 15:22:21 +01:00
Eugen Rochko
e7f20cc43f
Add type, limit, offset, min_id, max_id, account_id to search API ()
* Add type, limit, offset, min_id, max_id, account_id to search API

Fix 

* Make the offset work on accounts and hashtags search as well

* Assure brakeman we are not doing mass assignment here

* Do not allow paginating unless a type is chosen

* Fix search query and index id field on statuses instead of created_at
2019-02-26 15:21:36 +01:00
Eugen Rochko
1a1b8170bb
Fix Announce activities of unknown statuses not fetching those statuses ()
Regression from 
2019-02-17 15:16:36 +01:00
Eugen Rochko
147b4c2c3a
Add logging for rejected ActivityPub payloads and add tests () 2019-02-17 03:38:25 +01:00
Eugen Rochko
c417e8c198
Filter incoming Announce activities by relation to local activity ()
* Filter incoming Announce activities by relation to local activity

Reject if announcer is not followed by local accounts, and is not
from an enabled relay, and the object is not a local status

Follow-up to 

* Fix tests
2019-02-15 18:19:45 +01:00
ThibG
6a5307a573 Alternative handling of private self-boosts ()
* When self-boosting, embed original toot into Announce serialization

* Process unknown self-boosts from Announce object if it is more than an URI

* Add some self-boost specs

* Only serialize private toots in self-Announces
2019-02-13 18:36:23 +01:00
Franck Zoccolo
4f0322dcae Add support for IPv6 only MXes in Email validation ()
* Add support for IPv6 only MXes

* Fixed email validator tests
2019-02-12 14:48:04 +01:00
Eugen Rochko
016ad37bc8
Fix URL linkifier grabbing full-width spaces and quotations ()
Fix 
Fix 
2019-02-09 20:13:11 +01:00
Hinaloe
157d3af46c Only URLs extract with pre-escaped text ()
* [test] add japanese hashtag testcase

* Only URLs extract with pre-escaped text

( https://github.com/tootsuite/mastodon/issues/9989 )
2019-02-09 03:39:38 +01:00
Eugen Rochko
364f2ff9aa
Add featured hashtags to profiles ()
* Add hashtag filter to profiles

GET /@:username/tagged/:hashtag
GET /api/v1/accounts/:id/statuses?tagged=:hashtag

* Display featured hashtags on public profile

* Use separate model for featured tags

* Update featured hashtag counters on-write

* Limit featured tags to 10
2019-02-04 04:25:59 +01:00
Eugen Rochko
d14c276e58
Add option to overwrite imported data ()
* Add option to overwrite imported data

Fix 

* Add import for domain blocks
2019-02-03 03:59:51 +01:00
Jakub Mendyk
6a5e3da6b0 Allow most kinds of characters in URL query (fixes ) ()
* Allow unicode characters in URL query strings

Fixes 

* Alternative approach to unicode support in urls

Adds PoC/idea to approch this problem.
2019-02-02 19:01:18 +01:00
ThibG
e2a5be6e9a Prevent posting toots with media attachments from someone else () 2019-01-26 23:59:39 +01:00
ThibG
061feb63ed Fix scheduled toot with media immediately creating a toot ()
* Add test for not persisting status when attaching media to scheduled toot

* Prevent status used for validation from being persisted to the database

Fixes 

Thanks to tateisu for the help investigating this.
2019-01-21 20:03:04 +01:00
ThibG
aeb124491d Reject existing Follow in addition to sending a Block ()
Mastodon expects remote servers to remove follow relationships upon receiving
a Block. However, the spec only evokes Block activities in a C2S context, never
in a S2S context.

This PR, in addition to federating the Block, explicitly sends a Reject for any
affected follow relationship, which makes a bit more sense with regards to the
spec.
2019-01-18 15:57:19 +01:00
Eugen Rochko
bc642ac24b
Redesign public hashtag page to use a masonry layout () 2019-01-16 19:47:46 +01:00
Moritz Heiber
ecf40d09ed Disable Same-Site cookie implementation to fix SSO issues on WebKit browsers () 2019-01-15 23:11:46 +01:00
Renato "Lond" Cerqueira
5c5e14c816 Fix undefined method error in sidekiq ()
* Fix undefined method error in sidekiq

Body can be not nil but still be empty, which causes a
`NoMethodError: undefined method `[]' for nil:NilClass` further in the
code. This checks for an empty body to avoid the issue.

* Fix codeclimate issue
2019-01-14 17:28:41 +01:00
ysksn
c059999ab3 Add a spec for Admin::ActionLog () 2019-01-11 07:28:09 +00:00
ysksn
09c3c96607 Add specs for Admin::AccountAction () 2019-01-11 07:26:03 +00:00
ysksn
61ecda1575 Not to skip executable specs ()
* Not to skip executable specs

* Combine specs

Combine specs to one to reduce multiple slow http post.
2019-01-10 15:12:31 +01:00
Eugen Rochko
1c6588accc
Redesign admin instances area () 2019-01-08 13:39:49 +01:00
ysksn
9a38357111 Remove pending ()
Some specs have already been added.
2019-01-08 09:42:56 +01:00
ysksn
274109e9f3 Remove spec files ()
Nothing to test.
2019-01-08 12:18:46 +09:00
ysksn
88deca16ca Add pending specs for jsonld helper ()
* Add specs for JsonLdHelper#first_of_value

* Add specs for JsonLdHelper#supported_context?
2019-01-08 12:18:27 +09:00
Eugen Rochko
a49d43d112
Add scheduled statuses ()
Fix 
2019-01-05 12:43:28 +01:00
ysksn
5efedb5d5e Add specs for UrlValidator () 2019-01-03 13:10:20 +09:00
ysksn
19abf4ef0b Add specs for UnreservedUsernameValidator ()
* Add specs for UnreservedUsernameValidator

* Use instance variable
2019-01-03 13:10:02 +09:00
Eugen Rochko
66436d0895
Improve e-mail digest ()
- Reduce time-to-digest from 20 to 7 days
- Fetch mentions starting from +1 day since last login
- Fix case when last login is more recent than last e-mail
- Do not render all mentions, only 40, but show number in subject
- Do not send digest to moved accounts
- Do send digest to silenced accounts
2019-01-02 10:47:32 +01:00
ThibG
70be301d69 Ensure blocked user unfollows blocker if Block/Undo Block are processed out of order ()
* Ensure blocked user unfollows blocker if Block/Undo Block are processed out of order

* Add specs for Block causing unfollow and for out-of-order Block + Undo
2019-01-02 01:12:02 +01:00
ThibG
290932602b Reduce usage of LD signatures ()
* Do not LDS-sign Follow, Accept, Reject, Undo, Block

* Do not use LDS for Create activities of private toots

* Minor cleanup

* Ignore unsigned activities instead of misattributing them

* Use status.distributable? instead of querying visibility directly
2018-12-30 09:48:59 +01:00
ysksn
fb08039de5 Add specs for FollowLimitValidator () 2018-12-29 08:24:52 +01:00
ysksn
05edec6917 Add specs for BlackListedEmailValidator ()
* Add specs for BlackListedEmailValidator

* Use instance variable
2018-12-29 07:23:44 +01:00
ysksn
4725aeec9f Add specs for DisallowedHashtagsValidator ()
In order to implement tests easier, `#select_tags` created.
2018-12-29 07:22:51 +01:00
Eugen Rochko
0f938ff29c
Add handler for Move activity () 2018-12-29 02:24:36 +01:00
ysksn
d01c840e14 Add specs for StatusPinValidator () 2018-12-28 18:09:32 +09:00
ysksn
ccb9c1b952 Add pending specs for StatusLengthValidator ()
* Add pending specs of StatusLengthValidator

* Use instance variable
2018-12-28 08:18:47 +01:00
Eugen Rochko
5d2fc6de32
Add REST API for creating an account ()
* Add REST API for creating an account

The method is available to apps with a token obtained via the client
credentials grant. It creates a user and account records, as well as
an access token for the app that initiated the request. The user is
unconfirmed, and an e-mail is sent as usual.

The method returns the access token, which the app should save for
later. The REST API is not available to users with unconfirmed
accounts, so the app must be smart to wait for the user to click a
link in their e-mail inbox.

The method is rate-limited by IP to 5 requests per 30 minutes.

* Redirect users back to app from confirmation if they were created with an app

* Add tests

* Return 403 on the method if registrations are not open

* Require agreement param to be true in the API when creating an account
2018-12-24 19:12:38 +01:00
ThibG
5f387995d9 Limit maximum visibility of local silenced users to unlisted ()
Fixes 
2018-12-24 19:06:14 +01:00
Eugen Rochko
3c033c4352
Add moderation warnings ()
* Add moderation warnings

Replace individual routes for disabling, silencing, and suspending
a user, as well as the report update route, with a unified account
action controller that allows you to select an action (none,
disable, silence, suspend) as well as whether it should generate an
e-mail notification with optional custom text. That notification,
with the optional custom text, is saved as a warning.

Additionally, there are warning presets you can configure to save
time when performing the above.

* Use Account#local_username_and_domain
2018-12-22 20:02:09 +01:00
ysksn
eee2b05ea2 Add specs for CustomEmojiFilter () 2018-12-21 18:52:57 +01:00
ysksn
de3cecf37a Add specs for AdminMailer () 2018-12-21 09:34:34 +01:00
ysksn
1bc78ec50e Add specs for InstancePresenter () 2018-12-21 08:59:56 +01:00
ysksn
6a2d030c2f Add specs for ReportNotePolicy () 2018-12-20 17:52:18 +01:00
ysksn
b93e317886 Add specs for policies ()
* Add spec for RelayPolicy

* Add specs for SubscriptionPolicy

* Add specs for SettingsPolicy

* Add specs for TagPolicy

* Add specs for ReportPolicy
2018-12-20 17:52:07 +01:00
ysksn
be9640bfc2 Add specs for UserPolicy () 2018-12-20 17:51:55 +01:00
ysksn
d649d84594 Add specs for InvitePolicy () 2018-12-20 04:23:09 +01:00
ysksn
44189c33d1 Add specs for EmailDomainBlockPolicy () 2018-12-20 03:51:41 +01:00
ysksn
08cb8a1ff3 Add specs for InstancePolicy () 2018-12-20 03:51:31 +01:00
ysksn
e181f99739 Add specs for DomainBlockPolicy () 2018-12-20 03:47:51 +01:00
ysksn
5088213f5e Add specs for CustomEmojiPolicy () 2018-12-20 03:24:28 +01:00
ysksn
5d724aa129 Add specs for BackupPolicy () 2018-12-19 18:24:15 +01:00
ysksn
af56efdec5 Add specs for AccountPolicy () 2018-12-19 08:56:59 +01:00
ysksn
0a1ade4f02 Add specs for AccountModerationNotePolicy () 2018-12-19 07:24:03 +01:00
ysksn
102e4cfa32 Add specs for StatusPolicy () 2018-12-19 05:19:20 +01:00
ysksn
dd85700a3e Add spec for AccountableConcern#log_action () 2018-12-18 16:43:03 +01:00
ThibG
e709b8da0d Ignore low-confidence CharlockHolmes guesses when parsing link cards ()
* Add failing test for windows-1251 link cards

* Ignore low-confidence CharlockHolmes guesses

Fixes 

* Fix no method error when charlock holmes cannot detect charset
2018-12-17 19:19:45 +01:00
ysksn
0c80715235 Add spec for Api::V1::Timelines::DirectController () 2018-12-17 11:36:20 +01:00
ysksn
351938520d Add specs for Api::V1::Instances::PeersController () 2018-12-17 11:35:55 +01:00
ysksn
2d871feb10 Add spec for Api::V1::EndorsementsController () 2018-12-17 11:32:44 +01:00
ysksn
3fa9615cb3 Add spec for Api::V1::Instances::ActivityController () 2018-12-17 11:32:24 +01:00
ysksn
a3dcbfddd6 Add specs for Accounts::PinsController () 2018-12-17 06:03:51 +01:00
ysksn
3c31c28605 Add spec for Admin::ActionLogsController#index () 2018-12-14 20:37:01 +01:00
ysksn
458e2b0c5b Add specs for RemoteInteractionController () 2018-12-14 20:36:40 +01:00
ysksn
c1600a0f69 Add spec for Admin::DashboardController#index () 2018-12-14 20:36:18 +01:00
Sumit Khanna
769c2d2680 Error message for avatar image that's too large. ()
* Error message for avatar image that's too large. 

* Code climate/formatting

* Removed avatar error message

* Moved valid image dimentions check to update service

* removed unnescessary begin block

* code climate formatting

* code climate indent fix
2018-12-14 05:07:21 +01:00
ysksn
795bac44fd Add spec for Settings::ExportsController#create () 2018-12-13 02:53:52 +01:00
Adam Copp
7d00e4edbd Make custom emoji domains case insensitive ()
* Make custom emoji domains case sensitive 

* Fixup style in downcase_domain to comply with codeclimate.

* switch if! to unless

* Don't use transactions, operate in batches.

Also revert spurious schema change.
2018-12-11 05:30:57 +01:00
Eugen Rochko
dbb1ee269f
Improve e-mail MX validator and add tests () 2018-12-10 22:53:25 +01:00
ysksn
ed24bb2c3e Add specs for activitypub collections controller ()
* Add specs for ActivityPub::CollectionsController#show

* Raise ActiveRecord::RecordNotFound

Raising ActiveRecord::NotFound raises NameError: uninitialized constant
ActiveRecord::NotFound.
2018-12-10 21:39:25 +01:00
ysksn
6eae8f77af Add spec for Admin::SuspentionsController#new () 2018-12-10 21:38:21 +01:00
ysksn
361818e931 Fix Admin::TagsController#unhide () 2018-12-10 21:37:38 +01:00
ysksn
ae3d2f446a Add specs for Admin::InvitesController () 2018-12-10 01:19:28 +09:00
ysksn
dfd123d5b3 Remove pending spec () 2018-12-07 16:53:55 +01:00
ysksn
d3547fa005 Add specs for ActivityPub::InboxesController () 2018-12-07 16:40:01 +01:00
ysksn
88b3eed16f Add specs for Admin::AccountModerationNotesHelper () 2018-12-07 16:39:20 +01:00
ysksn
57bb62d5cf Remove pending spec ()
Since dots are not allowed in username,
this spec is no longer needed.
2018-12-07 16:38:50 +01:00
ysksn
51cbd045da Add specs for AccountTagStat model () 2018-12-07 16:37:56 +01:00
Eugen Rochko
73be8f38c1
Add profile directory ()
Fix 
2018-12-06 17:36:11 +01:00
ysksn
155cf12680 Remove pending spec ()
`#from_account` isn't defined.
2018-12-06 17:39:15 +09:00
ysksn
e2910dff12 Add spec for Identity.find_for_oauth () 2018-12-06 17:38:49 +09:00
ThibG
e88c6a5c3c Fix thread depth computation in statuses_controller ()
* Add test that should currently fail

* Fix depth computation (will still fail if statuses have been filtered out)

* Fix handling of broken threads
2018-12-05 02:12:29 +01:00
ThibG
395615d9f3 Allow hyphens in the middle of remote user names ()
Fixes 

This only allows hyphens in the middle of a username, much like dots,
although I don't have a compelling reason to do so other than keeping
the changes minimal.
2018-11-27 12:28:01 +01:00
Eugen Rochko
73faadad28
Redesign admin accounts index ()
* Improve overview of accounts in admin UI

- Display suspended status, role, last activity and IP prominently
- Default to showing local accounts
- Default to not showing suspended accounts

* Remove unused strings

* Fix tests

* Allow filtering accounts by IP mask
2018-11-26 15:53:27 +01:00
valerauko
db9aea34de Ensure replied-to is a status not a boost ()
* Ensure replied-to is a status not a boost

* Consider case of not a reply

* Add test case for replying to boost

* Move reblog-reply resolution to model

* Remove unnecessary comment
2018-11-25 16:35:21 +01:00
Eugen Rochko
0eaf6d7693
Sort self-replies to the top of descendants ()
Fix 
2018-11-24 20:48:50 +01:00
Eugen Rochko
fd8145d232
Fix connect timeout not being enforced ()
* Fix connect timeout not being enforced

The loop was catching the timeout exception that should stop execution, so the next IP would no longer be within a timed block, which led to requests taking much longer than 10 seconds.

* Use timeout on each IP attempt, but limit to 2 attempts

* Fix code style issue

* Do not break Request#perform if no block given

* Update method stub in spec for Request

* Move timeout inside the begin/rescue block

* Use Resolv::DNS with timeout of 1 to get IP addresses

* Update Request spec to stub Resolv::DNS instead of Addrinfo

* Fix Resolve::DNS stubs in Request spec
2018-11-22 20:12:04 +01:00
valerauko
824497fbce Ignore JSON-LD profile in mime type comparison ()
Ignore JSON-LD profile in mime type comparison
2018-11-22 12:49:07 +01:00
Eugen Rochko
d6b9a62e0a
Extract counters from accounts table to account_stats table () 2018-11-19 00:43:52 +01:00
Eugen Rochko
8069fd636b
Remove intermediary arrays when creating hash maps from results () 2018-11-16 15:02:18 +01:00
Eugen Rochko
6d59dfa15d
Optimize the process of following someone ()
* Eliminate extra accounts select query from FollowService

* Optimistically update follow state in web UI and hide loading bar

Fix 

* Asynchronize NotifyService in FollowService

And fix failing test

* Skip Webfinger resolve routine when called from FollowService if possible

If an account is ActivityPub, then webfinger re-resolving is not necessary
when called from FollowService. Improve options of ResolveAccountService
2018-11-08 21:05:42 +01:00
James Kiesel
4c03e05a4e Allow joining several hashtags in a single column ()
* Nascent tag menu on frontend

* Hook up frontend to search

* Tag intersection backend first pass

* Update yarnlock

* WIP

* Fix for tags not searching correctly

* Make radio buttons function

* Simplify radio buttons with modeOption

* Better naming

* Rearrange options

* Add all/any/none functionality on backend

* Small PR cleanup

* Move to service from scope

* Small cleanup, add proper service tests

* Don't use send with user input :D

* Set appropriate column header

* Handle auto updating timeline

* Fix up toggle function

* Use tag value correctly

* A bit more correct to use 'self' rather than 'all' in status scope

* Fix some style issues

* Fix more code style issues

* Style select dropdown more better

* Only use to_id'ed value to ensure no SQL injection

* Revamp frontend to allow for multiple selects

* Update backend / col header to account for more flexible tagging

* Update brakeman ignore

* Codeclimate suggestions

* Fix presenter tag_url

* Implement initial PR feedback

* Handle additional tag streaming

* CodeClimate tweak
2018-11-05 18:53:25 +01:00
Eugen Rochko
ce2ee68b64
Revert "Fix FetchAtomService content type handling ()" ()
This reverts commit c36a4a1617.
2018-10-31 00:43:34 +01:00
valerauko
c36a4a1617 Fix FetchAtomService content type handling ()
* Add profile to json+ld in Accept

It's required by the ActivityPub spec

* Use headers['Content-type'] instead of mime_type

mime_type strips the profile from the content type, but it's still available raw in the headers hash

* Add test for ld+json with profile
2018-10-30 15:07:57 +01:00
ThibG
33a71e8f7c Do not hide boost notifications from followed people with hidden boosts ()
* Do not hide boost notifications from followed people with hidden boosts

Not displaying boosts from a followed user in the Home timeline and not
having notifications when they reblog your own content are two very
separate concerns, tying them together seem counter-intuitive and unwanted.

* Update specs accordingly
2018-10-30 00:47:31 +01:00
Eugen Rochko
b40ea6d1d4
Bump sanitize from 4.6.6 to 5.0.0 () 2018-10-29 14:05:25 +01:00
takayamaki
33976c8ecc fix: Execute PAM authentication tests on CircleCI ()
and use 'if' option of context block
2018-10-20 17:28:04 +02:00
Eugen Rochko
d5bfba3262
Do not test PAM authentication by default ()
* Do not test PAM authentication by default

* Disable PAM tests if PAM is not enabled
2018-10-20 07:32:26 +02:00
Eugen Rochko
ddd30f331c
Improve support for aspects/circles ()
* Add silent column to mentions

* Save silent mentions in ActivityPub Create handler and optimize it

Move networking calls out of the database transaction

* Add "limited" visibility level masked as "private" in the API

Unlike DMs, limited statuses are pushed into home feeds. The access
control rules between direct and limited statuses is almost the same,
except for counter and conversation logic

* Ensure silent column is non-null, add spec

* Ensure filters don't check silent mentions for blocks/mutes

As those are "this person is also allowed to see" rather than "this
person is involved", therefore does not warrant filtering

* Clean up code

* Use Status#active_mentions to limit returned mentions

* Fix code style issues

* Use Status#active_mentions in Notification

And remove stream_entry eager-loading from Notification
2018-10-17 17:13:04 +02:00
Eugen Rochko
21ad21cb50
Improve signature verification safeguards ()
* Downcase signed_headers string before building the signed string

The HTTP Signatures draft does not mandate the “headers” field to be downcased,
but mandates the header field names to be downcased in the signed string, which
means that prior to this patch, Mastodon could fail to process signatures from
some compliant clients. It also means that it would not actually check the
Digest of non-compliant clients that wouldn't use a lowercased Digest field
name.

Thankfully, I don't know of any such client.

* Revert "Remove dead code ()"

This reverts commit a00ce8c92c.

* Restore time window checking, change it to 12 hours

By checking the Date header, we can prevent replaying old vulnerable
signatures. The focus is to prevent replaying old vulnerable requests
from software that has been fixed in the meantime, so a somewhat long
window should be fine and accounts for timezone misconfiguration.

* Escape users' URLs when formatting them

Fixes possible HTML injection

* Escape all string interpolations in Formatter class

Slightly improve performance by reducing class allocations
from repeated Formatter#encode calls

* Fix code style issues
2018-10-12 00:15:55 +02:00
ashleyhull-versent
f194857ac9 rubocop issues - Cleaning up ()
* cleanup pass

* undo mistakes

* fixed.

* revert
2018-10-08 04:50:11 +02:00
ashleyhull-versent
2dba313100 Replace SVG asset with Custom mascot () 2018-10-08 00:20:45 +02:00
Eugen Rochko
774ac47373
Add conversations API ()
* Add conversations API

* Add web UI for conversations

* Add test for conversations API

* Add tests for ConversationAccount

* Improve web UI

* Rename ConversationAccount to AccountConversation

* Remove conversations on block and mute

* Change last_status_id to be a denormalization of status_ids

* Add optimistic locking
2018-10-07 23:44:58 +02:00
Jeong Arm
144d73730d Leave unknown language as nil if account is remote ()
* Force use language detector if account is remote

* Set unknown remote toot's language as nil
2018-10-05 19:17:46 +02:00
aus-social
0a4739c732 lint pass 2 ()
* Code quality pass

* Typofix

* Update applications_controller_spec.rb

* Update applications_controller_spec.rb
2018-10-04 17:38:04 +02:00
Eugen Rochko
a46ab86adf
Limit the number of people that can be followed from one account ()
Configurable soft limit of 7,500, and above that, configurable
ratio of 1.1 * followers, controlled by:

- MAX_FOLLOWS_THRESHOLD
- MAX_FOLLOWS_RATIO

Fix 
2018-10-04 17:36:11 +02:00
Eugen Rochko
e645ae9561
Change admin accounts default sort to most recent () 2018-10-04 16:05:38 +02:00
Eugen Rochko
7fe137d2f7
Fix link verification for remote accounts () 2018-10-04 15:47:03 +02:00
aus-social
1f98eae1cf Lint pass () 2018-10-04 12:36:53 +02:00
Eugen Rochko
f0fff3eb10
Support min_id-based pagination in REST API ()
* Allow min_id pagination in Feed#get

* Add min_id pagination to home and list timeline APIs

* Add min_id pagination to account statuses, public and tag APIs

* Remove unused stub in reports API

* Use min_id pagination in notifications, favourites, and fix order

* Fix HomeFeed#from_database not using paginate_by_id
2018-09-28 02:23:45 +02:00
Eugen Rochko
3d7f68c273
Revert Font Awesome 5 upgrade ()
* Revert "Fix some icon names changed by the Font Awesome 5. ()"

This reverts commit 3f9ec3de82.

* Revert "Migrate to font-awesome 5.0. ()"

This reverts commit 8bae14591b.

* Revert "Fix some icons names, unavailable in fontawesome5 (free license). ()"

This reverts commit b9c727a945.

* Revert "Update the icon name changed by the Font Awesome 5. ()"

This reverts commit 17af4d27da.

* Revert "Add bot icon to bot avatars and migrate to newer version of Font Awesome ()"

This reverts commit 4b794e134d.
2018-09-28 02:11:14 +02:00
Naoki Kosaka
8bae14591b Migrate to font-awesome 5.0. () 2018-09-27 17:08:56 +02:00
ThibG
c39183cc62 Refactor active_nav_class for use with multiple paths () 2018-09-23 20:42:13 +02:00
Eugen Rochko
f92f1ee80a
Support link verification with redirects ()
(e.g. URL shortener)
2018-09-20 00:10:35 +02:00
Yamagishi Kazutoshi
3da1cc7d5e Fix failed profile verification when rel attribute including values other than me () 2018-09-19 16:47:31 +02:00
Eugen Rochko
f4d549d300
Redesign forms, verify link ownership with rel="me" ()
* Verify link ownership with rel="me"

* Add explanation about verification to UI

* Perform link verifications

* Add click-to-copy widget for verification HTML

* Redesign edit profile page

* Redesign forms

* Improve responsive design of settings pages

* Restore landing page sign-up form

* Fix typo

* Support <link> tags, add spec

* Fix links not being verified on first discovery and passive updates
2018-09-18 16:45:58 +02:00
luzpaz
40dd19be37 Misc. typos ()
Found via `codespell -q 3 --skip="./app/javascript/mastodon/locales,./config/locales"`
2018-09-14 00:53:09 +02:00
Eugen Rochko
2288d50a7b
Add force_login option to OAuth authorize page ()
* Add force_login option to OAuth authorize page

For when a user needs to sign into an app from multiple accounts
on the same server

* When logging out from modal header, redirect back after re-login
2018-09-09 04:10:44 +02:00
Sorin Davidoi
6f3d934bc1 feat(cookies): Use the same-site attribute to lax ()
CSFR-prevention is already implemented but adding this doesn't hurt.

A brief introduction to Same-Site cookies (and the difference between strict and
lax) can be found at
https://blog.mozilla.org/security/2018/04/24/same-site-cookies-in-firefox-60/

TLDR: We use lax since we want the cookies to be sent when the user navigates
safely from an external site.
2018-09-08 23:54:28 +02:00
Eugen Rochko
c593d6df9c
Add preference for report notification e-mails, skip for duplicates ()
If an unresolved report for the same target account already exists,
no new notification is generated
2018-09-02 00:11:58 +02:00
Renato "Lond" Cerqueira
fe56d26f7b Fix autoplay issue with spoiler tag ()
Add tests to avoid similar issues in the future
2018-08-31 15:16:59 +02:00
Renato "Lond" Cerqueira
11658d8653 Add animate custom emoji param to embed pages ()
* Add animate custom emoji param to embed pages

* Rename param, use it for avatars and gifs

* Fix issues pointed by codeclimate and breaking test

* Ignore brakeman warning
2018-08-30 23:14:01 +02:00
Renato "Lond" Cerqueira
5b2b493a90 Fix nil host in remotable ()
Host can be nil in urls like
'https:https://example.com/path/file.png'
2018-08-29 21:13:49 +02:00
sundevour
4bfd786550 formatter spec fixes & clarification ()
updates some "context" and "it" lines to have clearer explanations
updates "context" lines to properly describe function input, and "it" lines to describe results
2018-08-29 01:20:56 +02:00
Eugen Rochko
5e1767173f
Display pending message on admin relays UI ()
* Add missing specs for relay accept/reject

* Display pending message on admin relays UI
2018-08-28 05:39:43 +02:00
Jakub Mendyk
f3a12ddfd0 Make Api::V1::MutesController paginate properly ()
Fixes 
2018-08-26 21:30:17 +02:00
Eugen Rochko
22e46ebad8
Add theme identifier to body classes for easier custom CSS styling ()
Add forgotten custom CSS admin setting strings
2018-08-25 22:55:25 +02:00
Eugen Rochko
2f34b747b3
Allow mods to disable login, improve message when login disabled ()
* Allow moderators to disable/enable login

* Instead of rejecting login, show forbidden error when login disabled

Avoid confusion because when login is rejected, the message is that
the account is not activated, which is wrong.

* Fix tests
2018-08-23 23:26:29 +02:00
Jakub Mendyk
6cb3514d64 Add ability to change an instance default theme from the administration panel () ()
* Add default_settings class method to ScopedSettings

ScopedSettings was extended to use value of unscoped setting instead of
only using defaults set in config/settings.yml for selected settings.
This adds possibility for admins to set default values of users' settings,
for example default theme (as requested in ).

* Add ability to change an instance default theme

Closes 
2018-08-23 14:17:35 +02:00
Eugen Rochko
802cf6a4c5
Improve federated ID validation ()
* Fix URI not being sufficiently validated with prefetched JSON

* Add additional id validation to OStatus documents, when possible
2018-08-22 20:55:14 +02:00
masarakki
4bdab203ac exclude-other-silenced-accounts () 2018-08-22 13:20:50 +02:00
Eugen Rochko
2374a00c10
Add confirmation step to account suspensions ()
* Add confirmation page for suspensions

* Suspension confirmation closes reports, linked from report UI

* Fix tests
2018-08-22 11:53:41 +02:00
Eugen Rochko
6226aa83d7
Increase reach of Delete->Actor activities ()
Fix 
2018-08-20 13:28:05 +02:00
Eugen Rochko
d010816ba8
Fix error when trying to update counters for statuses that are gone () 2018-08-18 03:03:23 +02:00
Eugen Rochko
78fa926ed5
Add remote interaction dialog for toots ()
* Add remote interaction dialog for toots

* Change AuthorizeFollow into AuthorizeInteraction, support statuses

* Update brakeman.ignore

* Adjust how interaction buttons are display on public pages

* Fix tests
2018-08-18 03:03:12 +02:00
ThibG
59f7f4c923 Implement Undo { Accept { Follow } } (fixes ) ()
* Add Follow#revoke_request!

* Implement Undo { Accept { Follow } } (fixes )
2018-08-17 16:24:56 +02:00
ThibG
af912fb308 Allow accessing local private/DM messages by URL ()
* Allow accessing local private/DM messages by URL

(Provided the user pasting the URL is authorized to see the toot, obviously)

* Fix SearchServiceSpec tests
2018-08-15 19:33:36 +02:00
Eugen Rochko
aaac14b8ad
Show exact number of followers/statuses on export page/in tooltip ()
* Show exact number of followers/statuses on export page/in tooltip

* Fix tests
2018-08-14 21:56:17 +02:00
Eugen Rochko
8e111b753a
Move status counters to separate table, count replies ()
* Move status counters to separate table, count replies

* Migration to remove old counter columns from statuses table

* Fix schema file
2018-08-14 19:19:32 +02:00
S.H
2aeeffc3ec Update Rails ()
* Update Rails

* fix Update Rails
2018-08-12 12:25:23 +02:00
Eugen Rochko
0dcc1950d1
Update /terms and /about/more to use public layout () 2018-08-09 12:58:20 +02:00
Eugen Rochko
f2404de871
Public profile endorsements (accounts picked by profile owner) () 2018-08-09 09:56:53 +02:00
Eugen Rochko
cc56f2230a
Add separate setting for sidebar text (site_short_description) ()
* Add separate setting for sidebar text (site_short_description)

* Fix tests
2018-07-31 18:59:34 +02:00
Eugen Rochko
60df87f6f0
Compensate for scrollbar disappearing when media modal visible ()
* Compensate for scrollbar disappearing when media modal visible

Make auth pages backgrounds lighter

* Fix typo
2018-07-31 01:14:33 +02:00
Eugen Rochko
e7e577dd6e
Enforce username format for remote users, too ()
Initially I thought there might be valid reasons for remote users to
have a different, unpredicted username format. However, I now realize
such a difference would be unusable and unexpected within Mastodon.

Fix 
2018-07-30 22:29:52 +02:00
Eugen Rochko
bb71538bb5
Redesign public profiles and toots () 2018-07-28 19:25:33 +02:00
Eugen Rochko
0fb0037ca7
Resize images by area instead of fixed dimensions ()
To improve the way super tall or super ride images are treated, the
numbers remain the same, 1280x1280 and 400x400, but if an image
is less in one dimension than the other, the other can become larger

Thanks to @WAHa_06x36@mastodon.social for the tip
2018-07-28 03:33:00 +02:00
Eugen Rochko
2a176514be
Display full acct on public status pages, always () 2018-07-14 04:07:47 +02:00
Eugen Rochko
38e9662d78
Disable language detection for texts shorter than 140 characters ()
If the input text is blank after preparation (only mention, or
only URL, or empty as in a media post), then use nil as language,
since it's OK to show to everyone.

Otherwise, always fall back to the server's default locale
2018-07-14 04:05:36 +02:00
Eugen Rochko
e55dce3176
Add federation relay support ()
* Add federation relay support

* Add admin UI for managing relays

* Include actor on relay-related activities

* Fix i18n
2018-07-13 02:16:06 +02:00
ThibG
1ca4e51eb3 Add option to not consider word boundaries when processing keyword filtering ()
* Add option to not consider word boundaries when filtering phrases

* Add a few tests for keyword/phrase filtering
2018-07-09 02:22:09 +02:00
Eugen Rochko
cd509d2146
Remove .p-name microformat class ()
Fix 
2018-07-07 18:51:56 +02:00
Eugen Rochko
1f6ed4f86a
Add more granular OAuth scopes ()
* Add more granular OAuth scopes

* Add human-readable descriptions of the new scopes

* Ensure new scopes look good on the app UI

* Add tests

* Group scopes in screen and color-code dangerous ones

* Fix wrong extra scope
2018-07-05 18:31:35 +02:00
Eugen Rochko
da8fe8079e
Re-add follow recommendations API ()
* Re-add follow recommendations API

    GET /api/v1/suggestions

Removed in 8efa081f21 due to Neo4J
dependency. The algorithm uses triadic closures, takes into account
suspensions, blocks, mutes, domain blocks, excludes locked and moved
accounts, and prefers more recently updated accounts.

* Track interactions with people you don't follow

Replying to, favouriting and reblogging someone you're not following
will make them show up in follow recommendations. The interactions
have different weights:

- Replying is 1
- Favouriting is 10 (decidedly positive interaction, but private)
- Reblogging is 20

Following them, muting or blocking will remove them from the list,
obviously.

* Remove triadic closures, ensure potential friendships are trimmed
2018-07-03 01:47:56 +02:00
Eugen Rochko
cdb101340a
Keyword/phrase filtering ()
* Add keyword filtering

    GET|POST       /api/v1/filters
    GET|PUT|DELETE /api/v1/filters/:id

- Irreversible filters can drop toots from home or notifications
- Other filters can hide toots through the client app
- Filters use a phrase valid in particular contexts, expiration

* Make sure expired filters don't get applied client-side

* Add missing API methods

* Remove "regex filter" from column settings

* Add tests

* Add test for FeedManager

* Add CustomFilter test

* Add UI for managing filters

* Add streaming API event to allow syncing filters

* Fix tests
2018-06-29 15:34:36 +02:00