Kay Faraday 3 months ago
parent
commit
a0c818309d
  1. 5
      .eslintrc.js
  2. 95
      CHANGELOG.md
  3. 16
      Gemfile
  4. 207
      Gemfile.lock
  5. 1
      SECURITY.md
  6. 5
      app/chewy/statuses_index.rb
  7. 8
      app/controllers/admin/dashboard_controller.rb
  8. 27
      app/controllers/admin/sign_in_token_authentications_controller.rb
  9. 2
      app/controllers/api/v1/accounts/lookup_controller.rb
  10. 2
      app/controllers/api/v1/admin/account_actions_controller.rb
  11. 5
      app/controllers/api/v1/admin/accounts_controller.rb
  12. 2
      app/controllers/api/v1/admin/dimensions_controller.rb
  13. 2
      app/controllers/api/v1/admin/measures_controller.rb
  14. 2
      app/controllers/api/v1/admin/reports_controller.rb
  15. 2
      app/controllers/api/v1/admin/retention_controller.rb
  16. 2
      app/controllers/api/v1/admin/trends/links_controller.rb
  17. 2
      app/controllers/api/v1/admin/trends/statuses_controller.rb
  18. 2
      app/controllers/api/v1/admin/trends/tags_controller.rb
  19. 2
      app/controllers/api/v1/bookmarks_controller.rb
  20. 2
      app/controllers/api/v1/favourites_controller.rb
  21. 6
      app/controllers/api/v1/statuses_controller.rb
  22. 6
      app/controllers/api/v1/trends/links_controller.rb
  23. 6
      app/controllers/api/v1/trends/statuses_controller.rb
  24. 8
      app/controllers/api/v1/trends/tags_controller.rb
  25. 4
      app/controllers/api/v2/search_controller.rb
  26. 9
      app/controllers/auth/sessions_controller.rb
  27. 8
      app/controllers/authorize_interactions_controller.rb
  28. 57
      app/controllers/concerns/sign_in_token_authentication_concern.rb
  29. 5
      app/controllers/following_accounts_controller.rb
  30. 3
      app/controllers/media_proxy_controller.rb
  31. 3
      app/controllers/oauth/tokens_controller.rb
  32. 3
      app/controllers/settings/exports_controller.rb
  33. 3
      app/controllers/settings/preferences_controller.rb
  34. 7
      app/helpers/application_helper.rb
  35. 10
      app/javascript/core/admin.js
  36. 17
      app/javascript/flavours/glitch/actions/streaming.js
  37. 22
      app/javascript/flavours/glitch/actions/timelines.js
  38. 2
      app/javascript/flavours/glitch/components/common_counter.js
  39. 10
      app/javascript/flavours/glitch/components/status.js
  40. 2
      app/javascript/flavours/glitch/components/status_prepend.js
  41. 2
      app/javascript/flavours/glitch/components/status_visibility_icon.js
  42. 2
      app/javascript/flavours/glitch/features/account/components/header.js
  43. 4
      app/javascript/flavours/glitch/features/account_timeline/components/header.js
  44. 4
      app/javascript/flavours/glitch/features/account_timeline/index.js
  45. 2
      app/javascript/flavours/glitch/features/bookmarked_statuses/index.js
  46. 8
      app/javascript/flavours/glitch/features/compose/components/privacy_dropdown.js
  47. 6
      app/javascript/flavours/glitch/features/compose/components/search_results.js
  48. 4
      app/javascript/flavours/glitch/features/compose/containers/warning_container.js
  49. 2
      app/javascript/flavours/glitch/features/compose/index.js
  50. 7
      app/javascript/flavours/glitch/features/direct_timeline/components/column_settings.js
  51. 32
      app/javascript/flavours/glitch/features/direct_timeline/index.js
  52. 2
      app/javascript/flavours/glitch/features/directory/components/account_card.js
  53. 2
      app/javascript/flavours/glitch/features/favourited_statuses/index.js
  54. 2
      app/javascript/flavours/glitch/features/favourites/index.js
  55. 2
      app/javascript/flavours/glitch/features/getting_started_misc/index.js
  56. 2
      app/javascript/flavours/glitch/features/keyboard_shortcuts/index.js
  57. 2
      app/javascript/flavours/glitch/features/notifications/components/column_settings.js
  58. 2
      app/javascript/flavours/glitch/features/pinned_statuses/index.js
  59. 2
      app/javascript/flavours/glitch/features/reblogs/index.js
  60. 18
      app/javascript/flavours/glitch/features/report/category.js
  61. 2
      app/javascript/flavours/glitch/features/status/components/card.js
  62. 9
      app/javascript/flavours/glitch/features/status/components/detailed_status.js
  63. 16
      app/javascript/flavours/glitch/features/ui/components/boost_modal.js
  64. 16
      app/javascript/flavours/glitch/features/ui/components/favourite_modal.js
  65. 2
      app/javascript/flavours/glitch/features/ui/index.js
  66. 2
      app/javascript/flavours/glitch/features/video/index.js
  67. 60
      app/javascript/flavours/glitch/reducers/timelines.js
  68. 2
      app/javascript/flavours/glitch/styles/components/columns.scss
  69. 7
      app/javascript/flavours/glitch/styles/components/composer.scss
  70. 2
      app/javascript/flavours/glitch/styles/components/index.scss
  71. 2
      app/javascript/flavours/glitch/styles/components/status.scss
  72. 2
      app/javascript/flavours/glitch/util/emoji/emoji_mart_search_light.js
  73. BIN
      app/javascript/images/alert_badge.png
  74. BIN
      app/javascript/images/icon_bookmarks.png
  75. BIN
      app/javascript/images/icon_developers.png
  76. BIN
      app/javascript/images/icon_direct.png
  77. BIN
      app/javascript/images/icon_docs.png
  78. BIN
      app/javascript/images/icon_domain_blocks.png
  79. BIN
      app/javascript/images/icon_invite.png
  80. BIN
      app/javascript/images/icon_mobile_apps.png
  81. BIN
      app/javascript/images/icon_notifications.png
  82. BIN
      app/javascript/images/icon_profile_directory.png
  83. BIN
      app/javascript/images/icon_tos.png
  84. 17
      app/javascript/mastodon/actions/streaming.js
  85. 22
      app/javascript/mastodon/actions/timelines.js
  86. 54
      app/javascript/mastodon/actions/trends.js
  87. 2
      app/javascript/mastodon/components/common_counter.js
  88. 4
      app/javascript/mastodon/components/status.js
  89. 2
      app/javascript/mastodon/features/account/components/header.js
  90. 4
      app/javascript/mastodon/features/account_timeline/components/header.js
  91. 4
      app/javascript/mastodon/features/account_timeline/index.js
  92. 2
      app/javascript/mastodon/features/bookmarked_statuses/index.js
  93. 2
      app/javascript/mastodon/features/compose/components/action_bar.js
  94. 10
      app/javascript/mastodon/features/compose/components/privacy_dropdown.js
  95. 6
      app/javascript/mastodon/features/compose/components/search_results.js
  96. 4
      app/javascript/mastodon/features/compose/containers/warning_container.js
  97. 2
      app/javascript/mastodon/features/compose/index.js
  98. 3
      app/javascript/mastodon/features/direct_timeline/index.js
  99. 2
      app/javascript/mastodon/features/directory/components/account_card.js
  100. 2
      app/javascript/mastodon/features/emoji/emoji_mart_search_light.js

5
.eslintrc.js

@ -79,6 +79,11 @@ module.exports = {
'no-irregular-whitespace': 'error',
'no-mixed-spaces-and-tabs': 'warn',
'no-nested-ternary': 'warn',
'no-restricted-properties': [
'error',
{ property: 'substring', message: 'Use .slice instead of .substring.' },
{ property: 'substr', message: 'Use .slice instead of .substr.' },
],
'no-trailing-spaces': 'warn',
'no-undef': 'error',
'no-unreachable': 'error',

95
CHANGELOG.md

@ -3,6 +3,101 @@ Changelog
All notable changes to this project will be documented in this file.
## [3.5.2] - 2022-05-04
### Added
- Add warning on direct messages screen in web UI ([Gargron](https://github.com/mastodon/mastodon/pull/18289))
- We already had a warning when composing a direct message, it has now been reworded to be more clear
- Same warning is now displayed when viewing sent and received direct messages
- Add ability to set approval-based registration through tootctl ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/18248))
- Add pre-filling of domain from search filter in domain allow/block admin UI ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/18172))
## Changed
- Change name of “Direct” visibility to “Mentioned people only” in web UI ([Gargron](https://github.com/mastodon/mastodon/pull/18146), [Gargron](https://github.com/mastodon/mastodon/pull/18289), [ClearlyClaire](https://github.com/mastodon/mastodon/pull/18291))
- Change trending posts to only show one post from each account ([Gargron](https://github.com/mastodon/mastodon/pull/18181))
- Change half-life of trending posts from 6 hours to 2 hours ([Gargron](https://github.com/mastodon/mastodon/pull/18182))
- Change full-text search feature to also include polls you have voted in ([tribela](https://github.com/mastodon/mastodon/pull/18070))
- Change Redis from using one connection per process, to using a connection pool ([Gargron](https://github.com/mastodon/mastodon/pull/18135), [ClearlyClaire](https://github.com/mastodon/mastodon/pull/18160), [Gargron](https://github.com/mastodon/mastodon/pull/18171))
- Different threads no longer have to wait on a mutex over a single connection
- However, this does increase the number of Redis connections by a fair amount
- We are planning to optimize Redis use so that the pool can be made smaller in the future
## Removed
- Remove IP matching from e-mail domain blocks ([Gargron](https://github.com/mastodon/mastodon/pull/18190))
- The IPs of the blocked e-mail domain or its MX records are no longer checked
- Previously it was too easy to block e-mail providers by mistake
## Fixed
- Fix compatibility with Friendica's pinned posts ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/18254), [ClearlyClaire](https://github.com/mastodon/mastodon/pull/18260))
- Fix error when looking up handle with surrounding spaces in REST API ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/18225))
- Fix double render error when authorizing interaction ([Gargron](https://github.com/mastodon/mastodon/pull/18203))
- Fix error when a post references an invalid media attachment ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/18211))
- Fix error when trying to revoke OAuth token without supplying a token ([Gargron](https://github.com/mastodon/mastodon/pull/18205))
- Fix error caused by missing subject in Webfinger response ([Gargron](https://github.com/mastodon/mastodon/pull/18204))
- Fix error on attempting to delete an account moderation note ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/18196))
- Fix light-mode emoji borders in web UI ([Gaelan](https://github.com/mastodon/mastodon/pull/18131))
- Fix being able to scroll away from the loading bar in web UI ([Gargron](https://github.com/mastodon/mastodon/pull/18170))
- Fix error when a bookmark or favorite has been reported and deleted ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/18174))
- Fix being offered empty “Server rules violation” report option in web UI ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/18165))
- Fix temporary network errors preventing from authorizing interactions with remote accounts ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/18161))
- Fix incorrect link in "new trending tags" email ([cdzombak](https://github.com/mastodon/mastodon/pull/18156))
- Fix missing indexes on some foreign keys ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/18157))
- Fix n+1 query on feed merge and populate operations ([Gargron](https://github.com/mastodon/mastodon/pull/18111))
- Fix feed unmerge worker being exceptionally slow in some conditions ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/18110))
- Fix PeerTube videos appearing with an erroneous “Edited at” marker ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/18100))
- Fix instance actor being created incorrectly when running through migrations ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/18109))
- Fix web push notifications containing HTML entities ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/18071))
- Fix inconsistent parsing of `TRUSTED_PROXY_IP` ([ykzts](https://github.com/mastodon/mastodon/pull/18051))
- Fix error when fetching pinned posts ([tribela](https://github.com/mastodon/mastodon/pull/18030))
- Fix wrong optimization in feed populate operation ([dogelover911](https://github.com/mastodon/mastodon/pull/18009))
- Fix error in alias settings page ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/18004))
## [3.5.1] - 2022-04-08
### Added
- Add pagination for trending statuses in web UI ([Gargron](https://github.com/mastodon/mastodon/pull/17976))
### Changed
- Change e-mail notifications to only be sent when recipient is offline ([Gargron](https://github.com/mastodon/mastodon/pull/17984))
- Send e-mails for mentions and follows by default again
- But only when recipient does not have push notifications through an app
- Change `website` attribute to be nullable on `Application` entity in REST API ([rinsuki](https://github.com/mastodon/mastodon/pull/17962))
### Removed
- Remove sign-in token authentication, instead send e-mail about new sign-in ([Gargron](https://github.com/mastodon/mastodon/pull/17970))
- You no longer need to enter a security code sent through e-mail
- Instead you get an e-mail about a new sign-in from an unfamiliar IP address
### Fixed
- Fix error resposes for `from` search prefix ([single-right-quote](https://github.com/mastodon/mastodon/pull/17963))
- Fix dangling language-specific trends ([Gargron](https://github.com/mastodon/mastodon/pull/17997))
- Fix extremely rare race condition when deleting a status or account ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/17994))
- Fix trends returning less results per page when filtered in REST API ([Gargron](https://github.com/mastodon/mastodon/pull/17996))
- Fix pagination header on empty trends responses in REST API ([Gargron](https://github.com/mastodon/mastodon/pull/17986))
- Fix cookies secure flag being set when served over Tor ([Gargron](https://github.com/mastodon/mastodon/pull/17992))
- Fix migration error handling ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/17991))
- Fix error when re-running some migrations if they get interrupted at the wrong moment ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/17989))
- Fix potentially missing statuses when reconnecting to streaming API in web UI ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/17981), [ClearlyClaire](https://github.com/mastodon/mastodon/pull/17987), [ClearlyClaire](https://github.com/mastodon/mastodon/pull/17980))
- Fix error when sending warning emails with custom text ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/17983))
- Fix unset `SMTP_RETURN_PATH` environment variable causing e-mail not to send ([Gargron](https://github.com/mastodon/mastodon/pull/17982))
- Fix possible duplicate statuses in timelines in some edge cases in web UI ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/17971))
- Fix spurious edits and require incoming edits to be explicitly marked as such ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/17918))
- Fix error when encountering invalid pinned statuses ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/17964))
- Fix inconsistency in error handling when removing a status ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/17974))
- Fix admin API unconditionally requiring CSRF token ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/17975))
- Fix trending tags endpoint missing `offset` param in REST API ([Gargron](https://github.com/mastodon/mastodon/pull/17973))
- Fix unusual number formatting in some locales ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/17929))
- Fix `S3_FORCE_SINGLE_REQUEST` environment variable not working ([HolgerHuo](https://github.com/mastodon/mastodon/pull/17922))
- Fix failure to build assets with OpenSSL 3 ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/17930))
- Fix PWA manifest using outdated routes ([HolgerHuo](https://github.com/mastodon/mastodon/pull/17921))
- Fix error when indexing statuses into Elasticsearch ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/17912))
## [3.5.0] - 2022-03-30
### Added

16
Gemfile

@ -1,7 +1,7 @@
# frozen_string_literal: true
source 'https://rubygems.org'
ruby '>= 2.5.0', '< 3.1.0'
ruby '>= 2.6.0', '< 3.1.0'
gem 'pkg-config', '~> 1.4'
gem 'rexml', '~> 3.2'
@ -26,7 +26,7 @@ gem 'blurhash', '~> 0.1'
gem 'active_model_serializers', '~> 0.10'
gem 'addressable', '~> 2.8'
gem 'bootsnap', '~> 1.10.3', require: false
gem 'bootsnap', '~> 1.11.1', require: false
gem 'browser'
gem 'charlock_holmes', '~> 0.7.7'
gem 'chewy', '~> 7.2'
@ -40,7 +40,7 @@ end
gem 'net-ldap', '~> 0.17'
gem 'omniauth-cas', '~> 2.0'
gem 'omniauth-saml', '~> 1.10'
gem 'gitlab-omniauth-openid-connect', '~>0.5.0', require: 'omniauth_openid_connect'
gem 'gitlab-omniauth-openid-connect', '~>0.9.1', require: 'omniauth_openid_connect'
gem 'omniauth', '~> 1.9'
gem 'omniauth-rails_csrf_protection', '~> 0.1'
@ -79,7 +79,7 @@ gem 'ruby-progressbar', '~> 1.11'
gem 'sanitize', '~> 6.0'
gem 'scenic', '~> 1.6'
gem 'sidekiq', '~> 6.4'
gem 'sidekiq-scheduler', '~> 3.1'
gem 'sidekiq-scheduler', '~> 3.2'
gem 'sidekiq-unique-jobs', '~> 7.1'
gem 'sidekiq-bulk', '~>0.2.0'
gem 'simple-navigation', '~> 4.3'
@ -101,9 +101,9 @@ gem 'rdf-normalize', '~> 0.5'
gem 'redcarpet', '~> 3.5'
group :development, :test do
gem 'fabrication', '~> 2.27'
gem 'fabrication', '~> 2.28'
gem 'fuubar', '~> 2.5'
gem 'i18n-tasks', '~> 0.9', require: false
gem 'i18n-tasks', '~> 1.0', require: false
gem 'pry-byebug', '~> 3.9'
gem 'pry-rails', '~> 0.3'
gem 'rspec-rails', '~> 5.1'
@ -134,7 +134,7 @@ group :development do
gem 'letter_opener', '~> 1.8'
gem 'letter_opener_web', '~> 2.0'
gem 'memory_profiler'
gem 'rubocop', '~> 1.26', require: false
gem 'rubocop', '~> 1.28', require: false
gem 'rubocop-rails', '~> 2.14', require: false
gem 'brakeman', '~> 5.2', require: false
gem 'bundler-audit', '~> 0.9', require: false
@ -148,7 +148,7 @@ group :development do
end
group :production do
gem 'lograge', '~> 0.11'
gem 'lograge', '~> 0.12'
end
gem 'concurrent-ruby', require: false

207
Gemfile.lock

@ -1,40 +1,40 @@
GEM
remote: https://rubygems.org/
specs:
actioncable (6.1.5)
actionpack (= 6.1.5)
activesupport (= 6.1.5)
actioncable (6.1.5.1)
actionpack (= 6.1.5.1)
activesupport (= 6.1.5.1)
nio4r (~> 2.0)
websocket-driver (>= 0.6.1)
actionmailbox (6.1.5)
actionpack (= 6.1.5)
activejob (= 6.1.5)
activerecord (= 6.1.5)
activestorage (= 6.1.5)
activesupport (= 6.1.5)
actionmailbox (6.1.5.1)
actionpack (= 6.1.5.1)
activejob (= 6.1.5.1)
activerecord (= 6.1.5.1)
activestorage (= 6.1.5.1)
activesupport (= 6.1.5.1)
mail (>= 2.7.1)
actionmailer (6.1.5)
actionpack (= 6.1.5)
actionview (= 6.1.5)
activejob (= 6.1.5)
activesupport (= 6.1.5)
actionmailer (6.1.5.1)
actionpack (= 6.1.5.1)
actionview (= 6.1.5.1)
activejob (= 6.1.5.1)
activesupport (= 6.1.5.1)
mail (~> 2.5, >= 2.5.4)
rails-dom-testing (~> 2.0)
actionpack (6.1.5)
actionview (= 6.1.5)
activesupport (= 6.1.5)
actionpack (6.1.5.1)
actionview (= 6.1.5.1)
activesupport (= 6.1.5.1)
rack (~> 2.0, >= 2.0.9)
rack-test (>= 0.6.3)
rails-dom-testing (~> 2.0)
rails-html-sanitizer (~> 1.0, >= 1.2.0)
actiontext (6.1.5)
actionpack (= 6.1.5)
activerecord (= 6.1.5)
activestorage (= 6.1.5)
activesupport (= 6.1.5)
actiontext (6.1.5.1)
actionpack (= 6.1.5.1)
activerecord (= 6.1.5.1)
activestorage (= 6.1.5.1)
activesupport (= 6.1.5.1)
nokogiri (>= 1.8.5)
actionview (6.1.5)
activesupport (= 6.1.5)
actionview (6.1.5.1)
activesupport (= 6.1.5.1)
builder (~> 3.1)
erubi (~> 1.4)
rails-dom-testing (~> 2.0)
@ -45,22 +45,22 @@ GEM
case_transform (>= 0.2)
jsonapi-renderer (>= 0.1.1.beta1, < 0.3)
active_record_query_trace (1.8)
activejob (6.1.5)
activesupport (= 6.1.5)
activejob (6.1.5.1)
activesupport (= 6.1.5.1)
globalid (>= 0.3.6)
activemodel (6.1.5)
activesupport (= 6.1.5)
activerecord (6.1.5)
activemodel (= 6.1.5)
activesupport (= 6.1.5)
activestorage (6.1.5)
actionpack (= 6.1.5)
activejob (= 6.1.5)
activerecord (= 6.1.5)
activesupport (= 6.1.5)
activemodel (6.1.5.1)
activesupport (= 6.1.5.1)
activerecord (6.1.5.1)
activemodel (= 6.1.5.1)
activesupport (= 6.1.5.1)
activestorage (6.1.5.1)
actionpack (= 6.1.5.1)
activejob (= 6.1.5.1)
activerecord (= 6.1.5.1)
activesupport (= 6.1.5.1)
marcel (~> 1.0)
mini_mime (>= 1.1.0)
activesupport (6.1.5)
activesupport (6.1.5.1)
concurrent-ruby (~> 1.0, >= 1.0.2)
i18n (>= 1.6, < 2)
minitest (>= 5.1)
@ -81,34 +81,42 @@ GEM
attr_required (1.0.1)
awrence (1.1.1)
aws-eventstream (1.2.0)
aws-partitions (1.558.0)
aws-sdk-core (3.127.0)
aws-partitions (1.582.0)
aws-sdk-core (3.130.2)
aws-eventstream (~> 1, >= 1.0.2)
aws-partitions (~> 1, >= 1.525.0)
aws-sigv4 (~> 1.1)
jmespath (~> 1.0)
aws-sdk-kms (1.55.0)
aws-sdk-kms (1.56.0)
aws-sdk-core (~> 3, >= 3.127.0)
aws-sigv4 (~> 1.1)
aws-sdk-s3 (1.113.0)
aws-sdk-s3 (1.113.2)
aws-sdk-core (~> 3, >= 3.127.0)
aws-sdk-kms (~> 1)
aws-sigv4 (~> 1.4)
aws-sigv4 (1.4.0)
aws-sigv4 (1.5.0)
aws-eventstream (~> 1, >= 1.0.2)
bcrypt (3.1.17)
better_errors (2.9.1)
coderay (>= 1.0.0)
erubi (>= 1.0.0)
rack (>= 0.9.0)
better_html (1.0.16)
actionview (>= 4.0)
activesupport (>= 4.0)
ast (~> 2.0)
erubi (~> 1.4)
html_tokenizer (~> 0.0.6)
parser (>= 2.4)
smart_properties
bindata (2.4.10)
binding_of_caller (1.0.0)
debug_inspector (>= 0.0.1)
blurhash (0.1.6)
ffi (~> 1.14)
bootsnap (1.10.3)
bootsnap (1.11.1)
msgpack (~> 1.2)
brakeman (5.2.1)
brakeman (5.2.3)
browser (4.2.0)
brpoplpush-redis_script (0.1.2)
concurrent-ruby (~> 1.0, >= 1.0.5)
@ -208,10 +216,10 @@ GEM
multi_json
encryptor (3.0.0)
erubi (1.10.0)
et-orbi (1.2.6)
et-orbi (1.2.7)
tzinfo
excon (0.76.0)
fabrication (2.27.0)
fabrication (2.28.0)
faker (2.20.0)
i18n (>= 1.8.11, < 2)
faraday (1.9.3)
@ -256,13 +264,13 @@ GEM
fog-json (>= 1.0)
ipaddress (>= 0.8)
formatador (0.2.5)
fugit (1.5.2)
et-orbi (~> 1.1, >= 1.1.8)
fugit (1.5.3)
et-orbi (~> 1, >= 1.2.7)
raabro (~> 1.4)
fuubar (2.5.1)
rspec-core (~> 3.0)
ruby-progressbar (~> 1.4)
gitlab-omniauth-openid-connect (0.5.0)
gitlab-omniauth-openid-connect (0.9.1)
addressable (~> 2.7)
omniauth (~> 1.9)
openid_connect (~> 1.2)
@ -278,12 +286,13 @@ GEM
hamlit (>= 1.2.0)
railties (>= 4.0.1)
hashdiff (1.0.1)
hashie (4.1.0)
hashie (5.0.0)
hcaptcha (7.1.0)
json
highline (2.0.3)
hiredis (0.6.3)
hkdf (0.3.0)
html_tokenizer (0.0.7)
htmlentities (4.3.4)
http (5.0.4)
addressable (~> 2.8)
@ -300,9 +309,10 @@ GEM
rainbow (>= 2.0.0)
i18n (1.10.0)
concurrent-ruby (~> 1.0)
i18n-tasks (0.9.37)
i18n-tasks (1.0.9)
activesupport (>= 4.0.2)
ast (>= 2.1.0)
better_html (~> 1.0)
erubi
highline (>= 2.0.0)
i18n
@ -312,7 +322,7 @@ GEM
terminal-table (>= 1.5.1)
idn-ruby (0.1.4)
ipaddress (0.8.3)
jmespath (1.6.0)
jmespath (1.6.1)
json (2.5.1)
json-canonicalization (0.3.0)
json-jwt (1.13.0)
@ -362,12 +372,12 @@ GEM
llhttp-ffi (0.4.0)
ffi-compiler (~> 1.0)
rake (~> 13.0)
lograge (0.11.2)
lograge (0.12.0)
actionpack (>= 4)
activesupport (>= 4)
railties (>= 4)
request_store (~> 1.0)
loofah (2.15.0)
loofah (2.17.0)
crass (~> 1.0.2)
nokogiri (>= 1.5.9)
mail (2.7.1)
@ -389,7 +399,7 @@ GEM
mini_mime (1.1.2)
mini_portile2 (2.8.0)
minitest (5.15.0)
msgpack (1.4.4)
msgpack (1.5.1)
multi_json (1.15.0)
multipart-post (2.1.1)
net-ldap (0.17.0)
@ -397,7 +407,7 @@ GEM
net-ssh (>= 2.6.5, < 7.0.0)
net-ssh (6.1.0)
nio4r (2.5.8)
nokogiri (1.13.3)
nokogiri (1.13.4)
mini_portile2 (~> 2.8.0)
racc (~> 1.4)
nsa (0.2.8)
@ -419,7 +429,7 @@ GEM
omniauth-saml (1.10.3)
omniauth (~> 1.3, >= 1.3.2)
ruby-saml (~> 1.9)
openid_connect (1.2.0)
openid_connect (1.3.0)
activemodel
attr_required (>= 1.0.0)
json-jwt (>= 1.5.0)
@ -432,15 +442,15 @@ GEM
openssl (2.2.0)
openssl-signature_algorithm (0.4.0)
orm_adapter (0.5.0)
ox (2.14.10)
ox (2.14.11)
parallel (1.22.1)
parser (3.1.1.0)
parser (3.1.2.0)
ast (~> 2.4.1)
parslet (2.0.0)
pastel (0.8.0)
tty-color (~> 0.5)
pg (1.3.4)
pghero (2.8.2)
pg (1.3.5)
pghero (2.8.3)
activerecord (>= 5)
pkg-config (1.4.7)
posix-spawn (0.3.15)
@ -461,18 +471,18 @@ GEM
pry-rails (0.3.9)
pry (>= 0.10.4)
public_suffix (4.0.6)
puma (5.6.2)
puma (5.6.4)
nio4r (~> 2.0)
pundit (2.2.0)
activesupport (>= 3.0.0)
raabro (1.4.0)
racc (1.6.0)
rack (2.2.3)
rack-attack (6.6.0)
rack-attack (6.6.1)
rack (>= 1.0, < 3)
rack-cors (1.1.1)
rack (>= 2.0.0)
rack-oauth2 (1.16.0)
rack-oauth2 (1.19.0)
activesupport
attr_required
httpclient
@ -482,20 +492,20 @@ GEM
rack
rack-test (1.1.0)
rack (>= 1.0, < 3)
rails (6.1.5)
actioncable (= 6.1.5)
actionmailbox (= 6.1.5)
actionmailer (= 6.1.5)
actionpack (= 6.1.5)
actiontext (= 6.1.5)
actionview (= 6.1.5)
activejob (= 6.1.5)
activemodel (= 6.1.5)
activerecord (= 6.1.5)
activestorage (= 6.1.5)
activesupport (= 6.1.5)
rails (6.1.5.1)
actioncable (= 6.1.5.1)
actionmailbox (= 6.1.5.1)
actionmailer (= 6.1.5.1)
actionpack (= 6.1.5.1)
actiontext (= 6.1.5.1)
actionview (= 6.1.5.1)
activejob (= 6.1.5.1)
activemodel (= 6.1.5.1)
activerecord (= 6.1.5.1)
activestorage (= 6.1.5.1)
activesupport (= 6.1.5.1)
bundler (>= 1.15.0)
railties (= 6.1.5)
railties (= 6.1.5.1)
sprockets-rails (>= 2.0.0)
rails-controller-testing (1.0.5)
actionpack (>= 5.0.1.rc1)
@ -511,9 +521,9 @@ GEM
railties (>= 6.0.0, < 7)
rails-settings-cached (0.6.6)
rails (>= 4.2.0)
railties (6.1.5)
actionpack (= 6.1.5)
activesupport (= 6.1.5)
railties (6.1.5.1)
actionpack (= 6.1.5.1)
activesupport (= 6.1.5.1)
method_source
rake (>= 12.2)
thor (~> 1.0)
@ -527,8 +537,8 @@ GEM
redis (4.5.1)
redis-namespace (1.8.2)
redis (>= 3.0.4)
regexp_parser (2.2.1)
request_store (1.5.0)
regexp_parser (2.3.1)
request_store (1.5.1)
rack (>= 1.4)
responders (3.0.1)
actionpack (>= 5.0)
@ -545,10 +555,10 @@ GEM
rspec-expectations (3.11.0)
diff-lcs (>= 1.2.0, < 2.0)
rspec-support (~> 3.11.0)
rspec-mocks (3.11.0)
rspec-mocks (3.11.1)
diff-lcs (>= 1.2.0, < 2.0)
rspec-support (~> 3.11.0)
rspec-rails (5.1.1)
rspec-rails (5.1.2)
actionpack (>= 5.2)
activesupport (>= 5.2)
railties (>= 5.2)
@ -562,16 +572,16 @@ GEM
rspec-support (3.11.0)
rspec_junit_formatter (0.5.1)
rspec-core (>= 2, < 4, != 2.12.0)
rubocop (1.26.1)
rubocop (1.28.2)
parallel (~> 1.10)
parser (>= 3.1.0.0)
rainbow (>= 2.2.2, < 4.0)
regexp_parser (>= 1.8, < 3.0)
rexml
rubocop-ast (>= 1.16.0, < 2.0)
rubocop-ast (>= 1.17.0, < 2.0)
ruby-progressbar (~> 1.7)
unicode-display_width (>= 1.4.0, < 3.0)
rubocop-ast (1.16.0)
rubocop-ast (1.17.0)
parser (>= 3.1.1.0)
rubocop-rails (2.14.2)
activesupport (>= 4.2.0)
@ -600,14 +610,14 @@ GEM
redis (>= 4.2.0)
sidekiq-bulk (0.2.0)
sidekiq
sidekiq-scheduler (3.1.1)
sidekiq-scheduler (3.2.0)
e2mmap
redis (>= 3, < 5)
rufus-scheduler (~> 3.2)
sidekiq (>= 3)
thwait
tilt (>= 1.4.0)
sidekiq-unique-jobs (7.1.15)
sidekiq-unique-jobs (7.1.21)
brpoplpush-redis_script (> 0.1.1, <= 2.0.0)
concurrent-ruby (~> 1.0, >= 1.0.5)
sidekiq (>= 5.0, < 8.0)
@ -623,6 +633,7 @@ GEM
simplecov_json_formatter (~> 0.1)
simplecov-html (0.12.3)
simplecov_json_formatter (0.1.2)
smart_properties (1.17.0)
sprockets (3.7.2)
concurrent-ruby (~> 1.0)
rack (> 1, < 3)
@ -638,7 +649,7 @@ GEM
stoplight (2.2.1)
strong_migrations (0.7.9)
activerecord (>= 5)
swd (1.2.0)
swd (1.3.0)
activesupport (>= 3)
attr_required (>= 0.0.5)
httpclient (>= 2.4)
@ -694,7 +705,7 @@ GEM
safety_net_attestation (~> 0.4.0)
securecompare (~> 1.0)
tpm-key_attestation (~> 0.9.0)
webfinger (1.1.0)
webfinger (1.2.0)
activesupport
httpclient (>= 2.4)
webmock (3.14.0)
@ -730,7 +741,7 @@ DEPENDENCIES
better_errors (~> 2.9)
binding_of_caller (~> 1.0)
blurhash (~> 0.1)
bootsnap (~> 1.10.3)
bootsnap (~> 1.11.1)
brakeman (~> 5.2)
browser
bullet (~> 7.0)
@ -753,14 +764,14 @@ DEPENDENCIES
doorkeeper (~> 5.5)
dotenv-rails (~> 2.7)
ed25519 (~> 1.3)
fabrication (~> 2.27)
fabrication (~> 2.28)
faker (~> 2.20)
fast_blank (~> 1.0)
fastimage
fog-core (<= 2.1.0)
fog-openstack (~> 0.3)
fuubar (~> 2.5)
gitlab-omniauth-openid-connect (~> 0.5.0)
gitlab-omniauth-openid-connect (~> 0.9.1)
hamlit-rails (~> 0.2)
hcaptcha (~> 7.1)
hiredis (~> 0.6)
@ -768,7 +779,7 @@ DEPENDENCIES
http (~> 5.0)
http_accept_language (~> 2.1)
httplog (~> 1.5.0)
i18n-tasks (~> 0.9)
i18n-tasks (~> 1.0)
idn-ruby
json-ld
json-ld-preloaded (~> 3.2)
@ -777,7 +788,7 @@ DEPENDENCIES
letter_opener (~> 1.8)
letter_opener_web (~> 2.0)
link_header (~> 0.0)
lograge (~> 0.11)
lograge (~> 0.12)
makara (~> 0.5)
mario-redis-lock (~> 1.2)
memory_profiler
@ -819,14 +830,14 @@ DEPENDENCIES
rspec-rails (~> 5.1)
rspec-sidekiq (~> 3.1)
rspec_junit_formatter (~> 0.5)
rubocop (~> 1.26)
rubocop (~> 1.28)
rubocop-rails (~> 2.14)
ruby-progressbar (~> 1.11)
sanitize (~> 6.0)
scenic (~> 1.6)
sidekiq (~> 6.4)
sidekiq-bulk (~> 0.2.0)
sidekiq-scheduler (~> 3.1)
sidekiq-scheduler (~> 3.2)
sidekiq-unique-jobs (~> 7.1)
simple-navigation (~> 4.3)
simple_form (~> 5.1)

1
SECURITY.md

@ -12,6 +12,7 @@ A "vulnerability in Mastodon" is a vulnerability in the code distributed through
| Version | Supported |
| ------- | ------------------ |
| 3.5.x | Yes |
| 3.4.x | Yes |
| 3.3.x | Yes |
| < 3.3 | No |

5
app/chewy/statuses_index.rb

@ -55,6 +55,11 @@ class StatusesIndex < Chewy::Index
data.each.with_object({}) { |(id, name), result| (result[id] ||= []).push(name) }
end
crutch :votes do |collection|
data = ::PollVote.joins(:poll).where(poll: { status_id: collection.map(&:id) }).where(account: Account.local).pluck(:status_id, :account_id)
data.each.with_object({}) { |(id, name), result| (result[id] ||= []).push(name) }
end
root date_detection: false do
field :id, type: 'long'
field :account_id, type: 'long'
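Review bot: The block parameters in the new `crutch :votes` aggregation are named `(id, name)`, but `pluck(:status_id, :account_id)` on the line above yields a status id and an account id, so `name` misdescribes what is being grouped; `data.each.with_object({}) { |(status_id, account_id), result| (result[status_id] ||= []).push(account_id) }` reads truthfully. The same two lines appear verbatim in the preceding crutch, which this block copies, so a small private helper taking the plucked pairs would keep the two from drifting apart. The `crutch` block itself is complete within the hunk; the enclosing class body starts and ends outside it.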

8
app/controllers/admin/dashboard_controller.rb

@ -2,6 +2,8 @@
module Admin
class DashboardController < BaseController
include Redisable
def index
@system_checks = Admin::SystemCheck.perform
@time_period = (29.days.ago.to_date...Time.now.utc.to_date)
@ -15,10 +17,10 @@ module Admin
def redis_info
@redis_info ||= begin
if Redis.current.is_a?(Redis::Namespace)
Redis.current.redis.info
if redis.is_a?(Redis::Namespace)
redis.redis.info
else
Redis.current.info
redis.info
end
end
end
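Review bot: `redis_info` now calls the `redis` helper three times inside one expression (`redis.is_a?`, `redis.redis.info`, `redis.info`); if `Redisable` hands out a pooled connection per call, as the changelog entry about moving Redis to a connection pool suggests, each call may see a different connection, and binding it once is both safer and shorter: `conn = redis` followed by `conn.is_a?(Redis::Namespace) ? conn.redis.info : conn.info` replaces the if/else. Whether `redis` memoizes per request is not visible here, so this is worth confirming against the concern. The `redis_info` method is complete within the hunk; the class head is in the other hunk and the class body continues outside both.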

27
app/controllers/admin/sign_in_token_authentications_controller.rb

@ -1,27 +0,0 @@
# frozen_string_literal: true
module Admin
class SignInTokenAuthenticationsController < BaseController
before_action :set_target_user
def create
authorize @user, :enable_sign_in_token_auth?
@user.update(skip_sign_in_token: false)
log_action :enable_sign_in_token_auth, @user
redirect_to admin_account_path(@user.account_id)
end
def destroy
authorize @user, :disable_sign_in_token_auth?
@user.update(skip_sign_in_token: true)
log_action :disable_sign_in_token_auth, @user
redirect_to admin_account_path(@user.account_id)
end
private
def set_target_user
@user = User.find(params[:user_id])
end
end
end

2
app/controllers/api/v1/accounts/lookup_controller.rb

@ -12,5 +12,7 @@ class Api::V1::Accounts::LookupController < Api::BaseController
def set_account
@account = ResolveAccountService.new.call(params[:acct], skip_webfinger: true) || raise(ActiveRecord::RecordNotFound)
rescue Addressable::URI::InvalidURIError
raise(ActiveRecord::RecordNotFound)
end
end
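Review bot: The new rescue clause re-raises with call parentheses, `raise(ActiveRecord::RecordNotFound)`, which the line above needs only because of `||` precedence; in a `rescue` body the conventional form is `raise ActiveRecord::RecordNotFound`. Mapping a URI parse error on `params[:acct]` to a 404 is a deliberate choice that deserves a why-comment so it is not "fixed" later, for example `# an unparsable acct is a lookup miss (404), not a server error`. `set_account` is complete within the hunk.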

2
app/controllers/api/v1/admin/account_actions_controller.rb

@ -1,8 +1,6 @@
# frozen_string_literal: true
class Api::V1::Admin::AccountActionsController < Api::BaseController
protect_from_forgery with: :exception
before_action -> { authorize_if_got_token! :'admin:write', :'admin:write:accounts' }
before_action :require_staff!
before_action :set_account
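Review bot: Removing `protect_from_forgery with: :exception` leaves this controller with whatever forgery policy `Api::BaseController` defines, which is not visible here; `authorize_if_got_token!` on the next line, going by its name, only enforces scopes when a bearer token is present, so the request path without a token is the one to confirm is still covered, either by the base controller's CSRF setting or by the API never authenticating from a session. A one-line comment at the class head would stop the next reader from re-adding the line: `# CSRF policy is inherited from Api::BaseController (admin API previously required a CSRF token unconditionally, see changelog)`. The same removal appears in accounts_controller.rb, dimensions_controller.rb, measures_controller.rb, reports_controller.rb, retention_controller.rb, trends/links_controller.rb, trends/statuses_controller.rb and trends/tags_controller.rb. The class body continues outside the hunk.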

5
app/controllers/api/v1/admin/accounts_controller.rb

@ -1,8 +1,6 @@
# frozen_string_literal: true
class Api::V1::Admin::AccountsController < Api::BaseController
protect_from_forgery with: :exception
include Authorization
include AccountableConcern
@ -67,8 +65,9 @@ class Api::V1::Admin::AccountsController < Api::BaseController
def destroy
authorize @account, :destroy?
json = render_to_body json: @account, serializer: REST::Admin::AccountSerializer
Admin::AccountDeletionWorker.perform_async(@account.id)
render json: @account, serializer: REST::Admin::AccountSerializer
render json: json
end
def unsensitive
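Review bot: The reordering in `destroy`, serializing via `render_to_body` before `Admin::AccountDeletionWorker.perform_async`, carries no comment saying why, and the old shape (render after enqueue) is exactly what a later tidy-up would restore; add `# serialize before enqueueing deletion so the response cannot race the worker` above the `json =` line. `render json: json` is handed an already-encoded String, which the JSON renderer emits as-is rather than re-encoding, so no double encoding occurs, but the name `json` for an encoded body is easy to misread as a Hash; `body` would be clearer. `destroy` is complete within the hunk; the class head is in the section's first hunk.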

2
app/controllers/api/v1/admin/dimensions_controller.rb

@ -1,8 +1,6 @@
# frozen_string_literal: true
class Api::V1::Admin::DimensionsController < Api::BaseController
protect_from_forgery with: :exception
before_action -> { authorize_if_got_token! :'admin:read' }
before_action :require_staff!
before_action :set_dimensions

2
app/controllers/api/v1/admin/measures_controller.rb

@ -1,8 +1,6 @@
# frozen_string_literal: true
class Api::V1::Admin::MeasuresController < Api::BaseController
protect_from_forgery with: :exception
before_action -> { authorize_if_got_token! :'admin:read' }
before_action :require_staff!
before_action :set_measures

2
app/controllers/api/v1/admin/reports_controller.rb

@ -1,8 +1,6 @@
# frozen_string_literal: true
class Api::V1::Admin::ReportsController < Api::BaseController
protect_from_forgery with: :exception
include Authorization
include AccountableConcern

2
app/controllers/api/v1/admin/retention_controller.rb

@ -1,8 +1,6 @@
# frozen_string_literal: true
class Api::V1::Admin::RetentionController < Api::BaseController
protect_from_forgery with: :exception
before_action -> { authorize_if_got_token! :'admin:read' }
before_action :require_staff!
before_action :set_cohorts

2
app/controllers/api/v1/admin/trends/links_controller.rb

@ -1,8 +1,6 @@
# frozen_string_literal: true
class Api::V1::Admin::Trends::LinksController < Api::BaseController
protect_from_forgery with: :exception
before_action -> { authorize_if_got_token! :'admin:read' }
before_action :require_staff!
before_action :set_links

2
app/controllers/api/v1/admin/trends/statuses_controller.rb

@ -1,8 +1,6 @@
# frozen_string_literal: true
class Api::V1::Admin::Trends::StatusesController < Api::BaseController
protect_from_forgery with: :exception
before_action -> { authorize_if_got_token! :'admin:read' }
before_action :require_staff!
before_action :set_statuses

2
app/controllers/api/v1/admin/trends/tags_controller.rb

@ -1,8 +1,6 @@
# frozen_string_literal: true
class Api::V1::Admin::Trends::TagsController < Api::BaseController
protect_from_forgery with: :exception
before_action -> { authorize_if_got_token! :'admin:read' }
before_action :require_staff!
before_action :set_tags

2
app/controllers/api/v1/bookmarks_controller.rb

@ -21,7 +21,7 @@ class Api::V1::BookmarksController < Api::BaseController
end
def results
@_results ||= account_bookmarks.eager_load(:status).to_a_paginated_by_id(
@_results ||= account_bookmarks.joins(:status).eager_load(:status).to_a_paginated_by_id(
limit_param(DEFAULT_STATUSES_LIMIT),
params_slice(:max_id, :since_id, :min_id)
)
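Review bot: The added `joins(:status)` turns the status association into an INNER JOIN, so bookmarks whose status row is missing are dropped instead of coming back with a nil status as `eager_load` alone (a LEFT OUTER JOIN) would return them; that is presumably the purpose, but `joins(:status).eager_load(:status)` reads as redundant without a comment. Suggest `# joins: exclude bookmarks whose status is gone so pages stay full and no nil status is serialized`. The same change is made in api/v1/favourites_controller.rb. The `results` method continues outside the hunk.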

2
app/controllers/api/v1/favourites_controller.rb

@ -21,7 +21,7 @@ class Api::V1::FavouritesController < Api::BaseController
end
def results
@_results ||= account_favourites.eager_load(:status).to_a_paginated_by_id(
@_results ||= account_favourites.joins(:status).eager_load(:status).to_a_paginated_by_id(
limit_param(DEFAULT_STATUSES_LIMIT),
params_slice(:max_id, :since_id, :min_id)
)

6
app/controllers/api/v1/statuses_controller.rb

@ -79,10 +79,12 @@ class Api::V1::StatusesController < Api::BaseController
authorize @status, :destroy?
@status.discard
RemovalWorker.perform_async(@status.id, { 'redraft' => true })
@status.account.statuses_count = @status.account.statuses_count - 1
json = render_to_body json: @status, serializer: REST::StatusSerializer, source_requested: true
RemovalWorker.perform_async(@status.id, { 'redraft' => true })
render json: @status, serializer: REST::StatusSerializer, source_requested: true
render json: json
end
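Review bot: `@status.account.statuses_count = @status.account.statuses_count - 1` adjusts the counter only on the in-memory association so the serialized account reflects the deletion; the hunk shows no save, so a reader may take it for a missed write. Suggest `# In-memory only: the response should already show the post-deletion count; the stored counter is maintained elsewhere` — the second clause is an assumption about RemovalWorker that should be checked before it is written down. The enclosing `destroy` method starts outside the hunk.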
private

6
app/controllers/api/v1/trends/links_controller.rb

@ -36,13 +36,17 @@ class Api::V1::Trends::LinksController < Api::BaseController
end
def next_path
api_v1_trends_links_url pagination_params(offset: offset_param + limit_param(DEFAULT_LINKS_LIMIT))
api_v1_trends_links_url pagination_params(offset: offset_param + limit_param(DEFAULT_LINKS_LIMIT)) if records_continue?
end
def prev_path
api_v1_trends_links_url pagination_params(offset: offset_param - limit_param(DEFAULT_LINKS_LIMIT)) if offset_param > limit_param(DEFAULT_LINKS_LIMIT)
end
def records_continue?
@links.size == limit_param(DEFAULT_LINKS_LIMIT)
end
def offset_param
params[:offset].to_i
end
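Review bot: `prev_path` is only produced when `offset_param > limit_param(DEFAULT_LINKS_LIMIT)`, so on the second page (offset equal to the limit) there is no link back to offset 0, and for any offset between 1 and the limit there is likewise no link although records precede the page; the new `records_continue?` guard fixes `next_path` but leaves this asymmetry. Unless omitting the link to the first page is intentional, `if offset_param.positive?` together with `offset: [offset_param - limit_param(DEFAULT_LINKS_LIMIT), 0].max` covers both cases. The same `prev_path` shape is in api/v1/trends/statuses_controller.rb and api/v1/trends/tags_controller.rb. The class continues outside the hunk.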

6
app/controllers/api/v1/trends/statuses_controller.rb

@ -36,7 +36,7 @@ class Api::V1::Trends::StatusesController < Api::BaseController
end
def next_path
api_v1_trends_statuses_url pagination_params(offset: offset_param + limit_param(DEFAULT_STATUSES_LIMIT))
api_v1_trends_statuses_url pagination_params(offset: offset_param + limit_param(DEFAULT_STATUSES_LIMIT)) if records_continue?
end
def prev_path
@ -46,4 +46,8 @@ class Api::V1::Trends::StatusesController < Api::BaseController
def offset_param
params[:offset].to_i
end
def records_continue?
@statuses.size == limit_param(DEFAULT_STATUSES_LIMIT)
end
end

8
app/controllers/api/v1/trends/tags_controller.rb

@ -16,7 +16,7 @@ class Api::V1::Trends::TagsController < Api::BaseController
def set_tags
@tags = begin
if Setting.trends
Trends.tags.query.allowed.limit(limit_param(DEFAULT_TAGS_LIMIT))
Trends.tags.query.allowed.offset(offset_param).limit(limit_param(DEFAULT_TAGS_LIMIT))
else
[]
end
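Review bot: `Trends.tags.query.allowed.offset(offset_param)` now forwards `params[:offset].to_i` straight into the query and nothing clamps it, so a negative `offset` becomes a negative SQL OFFSET, which PostgreSQL rejects and the client sees as a 500 rather than a 4xx. Clamping once in `offset_param` (defined in the last hunk of this file) also covers `next_path` and `prev_path`: `[params[:offset].to_i, 0].max`. The links and statuses trend controllers define `offset_param` the same way and presumably share the exposure. `set_tags` continues outside the hunk.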
@ -32,7 +32,7 @@ class Api::V1::Trends::TagsController < Api::BaseController
end
def next_path
api_v1_trends_tags_url pagination_params(offset: offset_param + limit_param(DEFAULT_TAGS_LIMIT))
api_v1_trends_tags_url pagination_params(offset: offset_param + limit_param(DEFAULT_TAGS_LIMIT)) if records_continue?
end
def prev_path
@ -42,4 +42,8 @@ class Api::V1::Trends::TagsController < Api::BaseController
def offset_param
params[:offset].to_i
end
def records_continue?
@tags.size == limit_param(DEFAULT_TAGS_LIMIT)
end
end

4
app/controllers/api/v2/search_controller.rb

@ -11,6 +11,10 @@ class Api::V2::SearchController < Api::BaseController
def index
@search = Search.new(search_results)
render json: @search, serializer: REST::SearchSerializer
rescue Mastodon::SyntaxError
unprocessable_entity
rescue ActiveRecord::RecordNotFound
not_found
end
private

9
app/controllers/auth/sessions_controller.rb

@ -10,7 +10,6 @@ class Auth::SessionsController < Devise::SessionsController
prepend_before_action :set_pack
include TwoFactorAuthenticationConcern
include SignInTokenAuthenticationConcern
before_action :set_instance_presenter, only: [:new]
before_action :set_body_classes
@ -68,7 +67,7 @@ class Auth::SessionsController < Devise::SessionsController
end
def user_params
params.require(:user).permit(:email, :password, :otp_attempt, :sign_in_token_attempt, credential: {})
params.require(:user).permit(:email, :password, :otp_attempt, credential: {})
end
def after_sign_in_path_for(resource)
@ -148,6 +147,12 @@ class Auth::SessionsController < Devise::SessionsController
ip: request.remote_ip,
user_agent: request.user_agent
)
UserMailer.suspicious_sign_in(user, request.remote_ip, request.user_agent, Time.now.utc).deliver_later! if suspicious_sign_in?(user)
end
def suspicious_sign_in?(user)
SuspiciousSignInDetector.new(user).suspicious?(request)
end
def on_authentication_failure(user, security_measure, failure_reason)
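Review bot: `UserMailer.suspicious_sign_in(...).deliver_later!` is the raising variant, so if the job backend cannot accept the enqueue an otherwise successful authentication ends in an error after the sign-in has already been recorded; the alert is advisory, so `deliver_later` (or rescuing the enqueue failure and logging it) keeps a queue outage from locking users out. If the bang form is deliberate because a silently dropped suspicious-sign-in alert is worse than a failed login, say so in a comment next to the call. `Time.now.utc` is passed as a Time here whereas the removed concern passed a String; fine provided the mailer's signature expects a Time. The enclosing method starts outside the hunk.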

8
app/controllers/authorize_interactions_controller.rb

@ -14,7 +14,7 @@ class AuthorizeInteractionsController < ApplicationController
if @resource.is_a?(Account)
render :show
elsif @resource.is_a?(Status)
redirect_to web_url("statuses/#{@resource.id}")
redirect_to web_url("@#{@resource.account.pretty_acct}/#{@resource.id}")
else
render :error
end
@ -26,15 +26,17 @@ class AuthorizeInteractionsController < ApplicationController
else
render :error
end
rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
rescue ActiveRecord::RecordNotFound
render :error
end
private
def set_resource
@resource = located_resource || render(:error)
@resource = located_resource
authorize(@resource, :show?) if @resource.is_a?(Status)
rescue Mastodon::NotPermittedError
not_found
end
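Review bot: `set_resource` answers `not_found` when `authorize(@resource, :show?)` raises `Mastodon::NotPermittedError`, i.e. a 404 rather than a 403; that is the right choice if the aim is not to confirm that a status the viewer may not see exists, but the hunk does not say so, and `show` above still maps `RecordNotFound` to `render :error`, so the two paths now answer differently. Suggest `# 404, not 403: do not confirm that a status the viewer cannot see exists`, and confirm that `not_found` halts the filter chain so `show` never runs with an unauthorized `@resource`. Only `Status` resources are authorized here; whether `Account` needs a matching check is outside what the hunk shows. The class continues beyond the hunk.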
def located_resource

57
app/controllers/concerns/sign_in_token_authentication_concern.rb

@ -1,57 +0,0 @@
# frozen_string_literal: true
module SignInTokenAuthenticationConcern
extend ActiveSupport::Concern
included do
prepend_before_action :authenticate_with_sign_in_token, if: :sign_in_token_required?, only: [:create]
end
def sign_in_token_required?
find_user&.suspicious_sign_in?(request.remote_ip)
end
def valid_sign_in_token_attempt?(user)
Devise.secure_compare(user.sign_in_token, user_params[:sign_in_token_attempt])
end
def authenticate_with_sign_in_token
if user_params[:email].present?
user = self.resource = find_user_from_params
prompt_for_sign_in_token(user) if user&.external_or_valid_password?(user_params[:password])
elsif session[:attempt_user_id]
user = self.resource = User.find_by(id: session[:attempt_user_id])
return if user.nil?
if session[:attempt_user_updated_at] != user.updated_at.to_s
restart_session
elsif user_params.key?(:sign_in_token_attempt)
authenticate_with_sign_in_token_attempt(user)
end
end
end
def authenticate_with_sign_in_token_attempt(user)
if valid_sign_in_token_attempt?(user)
on_authentication_success(user, :sign_in_token)
else
on_authentication_failure(user, :sign_in_token, :invalid_sign_in_token)
flash.now[:alert] = I18n.t('users.invalid_sign_in_token')
prompt_for_sign_in_token(user)
end
end
def prompt_for_sign_in_token(user)
if user.sign_in_token_expired?
user.generate_sign_in_token && user.save
UserMailer.sign_in_token(user, request.remote_ip, request.user_agent, Time.now.utc.to_s).deliver_later!
end
set_attempt_session(user)
use_pack 'auth'
@body_classes = 'lighter'
set_locale { render :sign_in_token }
end
end

5
app/controllers/following_accounts_controller.rb

@ -22,7 +22,10 @@ class FollowingAccountsController < ApplicationController
end
format.json do
raise Mastodon::NotPermittedError if page_requested? && @account.hide_collections?
if page_requested? && @account.hide_collections?
forbidden
next
end
expires_in(page_requested? ? 0 : 3.minutes, public: public_fetch_mode?)
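Review bot: `forbidden` followed by `next` inside the `format.json` block works because `next` leaves only the block, but the pairing is easy to misread and a later editor may drop the `next` as redundant; a comment such as `# forbidden only renders; skip the rest of the format block` makes the control flow explicit. Replacing the raised `Mastodon::NotPermittedError` with an explicit 403 may also change the status a hidden collection produced before, so any client or test that relied on the previous handling should be checked. The surrounding `respond_to` block starts and ends outside the hunk.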

3
app/controllers/media_proxy_controller.rb

@ -3,6 +3,7 @@
class MediaProxyController < ApplicationController
include RoutingHelper
include Authorization
include Redisable
skip_before_action :store_current_location
skip_before_action :require_functional!
@ -45,7 +46,7 @@ class MediaProxyController < ApplicationController
end
def lock_options
{ redis: Redis.current, key: "media_download:#{params[:id]}", autorelease: 15.minutes.seconds }
{ redis: redis, key: "media_download:#{params[:id]}", autorelease: 15.minutes.seconds }
end
def reject_media?

3
app/controllers/oauth/tokens_controller.rb

@ -2,7 +2,8 @@
class Oauth::TokensController < Doorkeeper::TokensController
def revoke
unsubscribe_for_token if authorized? && token.accessible?
unsubscribe_for_token if token.present? && authorized? && token.accessible?
super
end

3
app/controllers/settings/exports_controller.rb

@ -2,6 +2,7 @@
class Settings::ExportsController < Settings::BaseController
include Authorization
include Redisable
skip_before_action :require_functional!
@ -28,6 +29,6 @@ class Settings::ExportsController < Settings::BaseController
end
def lock_options
{ redis: Redis.current, key: "backup:#{current_user.id}" }
{ redis: redis, key: "backup:#{current_user.id}" }
end
end

3
app/controllers/settings/preferences_controller.rb

@ -57,7 +57,8 @@ class Settings::PreferencesController < Settings::BaseController
:setting_use_pending_items,
:setting_trends,
:setting_crop_images,
notification_emails: %i(follow follow_request reblog favourite mention digest report pending_account trending_tag trending_link trending_status),
:setting_always_send_emails,
notification_emails: %i(follow follow_request reblog favourite mention digest report pending_account trending_tag trending_link trending_status appeal),
interactions: %i(must_be_follower must_be_following must_be_following_dm)
)
end

7
app/helpers/application_helper.rb

@ -19,8 +19,11 @@ module ApplicationHelper
# is looked up from the locales definition, and rails-i18n comes with
# values that don't seem to make much sense for many languages, so
# override these values with a default of 3 digits of precision.
options[:precision] = 3
options[:strip_insignificant_zeros] = true
options = options.merge(
precision: 3,
strip_insignificant_zeros: true,
significant: true
)
number_to_human(number, **options)
end
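Review bot: `options.merge(precision: 3, strip_insignificant_zeros: true, significant: true)` forces these three keys over anything the caller passed, so the comment's "default of 3 digits of precision" is now doubly misleading: they are not defaults, and with `significant: true` the value means significant digits rather than decimal places. Either reword the comment (`# force 3 significant digits and strip trailing zeros regardless of caller options`) or, if caller values should win, reverse the merge: `options = { precision: 3, strip_insignificant_zeros: true, significant: true }.merge(options)`. The previous code also overwrote the two original keys, so `significant` is the actual behaviour change here. The enclosing helper starts outside the hunk.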

10
app/javascript/core/admin.js

@ -101,4 +101,14 @@ ready(() => {
const registrationMode = document.getElementById('form_admin_settings_registrations_mode');
if (registrationMode) onChangeRegistrationMode(registrationMode);
document.querySelector('a#add-instance-button')?.addEventListener('click', (e) => {
const domain = document.getElementById('by_domain')?.value;
if (domain) {
const url = new URL(event.target.href);
url.searchParams.set('_domain', domain);
e.target.href = url;
}
});
});
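Review bot: The click handler reads `event.target.href`, but its parameter is `e`; `event` resolves to the deprecated implicit `window.event` global rather than the argument, which works in current browsers but is flagged by lint rules and fails wherever the global is unavailable. Use the parameter, and `currentTarget` instead of `target` so a click on a child element of the anchor still resolves to the link itself: `const url = new URL(e.currentTarget.href);` and `e.currentTarget.href = url;`. `url.searchParams.set` encodes the domain value, so appending the user-supplied text is safe as written. The `ready(...)` callback starts outside the hunk.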

17
app/javascript/flavours/glitch/actions/streaming.js

@ -7,6 +7,10 @@ import {
expandHomeTimeline,
connectTimeline,
disconnectTimeline,
fillHomeTimelineGaps,
fillPublicTimelineGaps,
fillCommunityTimelineGaps,
fillListTimelineGaps,
} from './timelines';
import { updateNotifications, expandNotifications } from './notifications';
import { updateConversations } from './conversations';
@ -35,6 +39,7 @@ const randomUpTo = max =>
* @param {Object.<string, string>} params
* @param {Object} options
* @param {function(Function, Function): void} [options.fallback]
* @param {function(): void} [options.fillGaps]
* @param {function(object): boolean} [options.accept]
* @return {function(): void}
*/