Commit Graph

421 Commits

Author SHA1 Message Date
Eugen Rochko 555c4e11ba
Add validations to admin settings ()
* Add validations to admin settings

- Validate correct HTML markup
- Validate presence of contact username & e-mail
- Validate that all usernames are valid
- Validate that enums have expected values

* Fix code style issue

* Fix tests
2019-03-23 14:07:04 +01:00
ThibG 66d9452092 Do not try fetching keys of unknown accounts on a Delete from them () 2019-03-20 17:20:16 +01:00
Eugen Rochko 9c4cbdbafb
Add Keybase integration ()
* create account_identity_proofs table

* add endpoint for keybase to check local proofs

* add async task to update validity and liveness of proofs from keybase

* first pass keybase proof CRUD

* second pass keybase proof creation

* clean up proof list and add badges

* add avatar url to keybase api

* Always highlight the “Identity Proofs” navigation item when interacting with proofs.

* Update translations.

* Add profile URL.

* Reorder proofs.

* Add proofs to bio.

* Update settings/identity_proofs front-end.

* Use `link_to`.

* Only encode query params if they exist.

URLs without params had a trailing `?`.

* Only show live proofs.

* change valid to active in proof list and update liveness before displaying

* minor fixes

* add keybase config at well-known path

* extremely naive feature flagging off the identity proof UI

* fixes for rubocop

* make identity proofs page resilient to potential keybase issues

* normalize i18n

* tweaks for brakeman

* remove two unused translations

* cleanup and add more localizations

* make keybase_contacts an admin setting

* fix ExternalProofService my_domain

* use Addressable::URI in identity proofs

* use active model serializer for keybase proof config

* more cleanup of keybase proof config

* rename proof is_valid and is_live to proof_valid and proof_live

* cleanup

* assorted tweaks for more robust communication with keybase

* Clean up

* Small fixes

* Display verified identity identically to verified links

* Clean up unused CSS

* Add caching for Keybase avatar URLs

* Remove keybase_contacts setting
2019-03-18 21:00:55 +01:00
Eugen Rochko 1c113fd72d
Add relationship manager UI () 2019-03-16 11:23:22 +01:00
Eugen Rochko 51e154f5e8
Admission-based registrations mode ()
Fix 
Fix 
2019-03-14 05:28:30 +01:00
Eugen Rochko 230a012f00
Add polls ()
* Add polls

Fix 

* Add tests

* Fixes

* Change API for creating polls

* Use name instead of content for votes

* Remove poll validation for remote polls

* Add polls to public pages

* When updating the poll, update options just in case they were changed

* Fix public pages showing both poll and other media
2019-03-03 22:18:23 +01:00
Eugen Rochko bc642ac24b
Redesign public hashtag page to use a masonry layout () 2019-01-16 19:47:46 +01:00
ysksn 61ecda1575 Not to skip executable specs ()
* Not to skip executable specs

* Combine specs

Combine specs into one to reduce multiple slow HTTP posts.
2019-01-10 15:12:31 +01:00
Eugen Rochko 1c6588accc
Redesign admin instances area () 2019-01-08 13:39:49 +01:00
Eugen Rochko a49d43d112
Add scheduled statuses ()
Fix 
2019-01-05 12:43:28 +01:00
Eugen Rochko 5d2fc6de32
Add REST API for creating an account ()
* Add REST API for creating an account

The method is available to apps with a token obtained via the client
credentials grant. It creates a user and account records, as well as
an access token for the app that initiated the request. The user is
unconfirmed, and an e-mail is sent as usual.

The method returns the access token, which the app should save for
later. The REST API is not available to users with unconfirmed
accounts, so the app must be smart to wait for the user to click a
link in their e-mail inbox.

The method is rate-limited by IP to 5 requests per 30 minutes.

* Redirect users back to app from confirmation if they were created with an app

* Add tests

* Return 403 on the method if registrations are not open

* Require agreement param to be true in the API when creating an account
2018-12-24 19:12:38 +01:00
Eugen Rochko 3c033c4352
Add moderation warnings ()
* Add moderation warnings

Replace individual routes for disabling, silencing, and suspending
a user, as well as the report update route, with a unified account
action controller that allows you to select an action (none,
disable, silence, suspend) as well as whether it should generate an
e-mail notification with optional custom text. That notification,
with the optional custom text, is saved as a warning.

Additionally, there are warning presets you can configure to save
time when performing the above.

* Use Account#local_username_and_domain
2018-12-22 20:02:09 +01:00
ysksn dd85700a3e Add spec for AccountableConcern#log_action () 2018-12-18 16:43:03 +01:00
ysksn 0c80715235 Add spec for Api::V1::Timelines::DirectController () 2018-12-17 11:36:20 +01:00
ysksn 351938520d Add specs for Api::V1::Instances::PeersController () 2018-12-17 11:35:55 +01:00
ysksn 2d871feb10 Add spec for Api::V1::EndorsementsController () 2018-12-17 11:32:44 +01:00
ysksn 3fa9615cb3 Add spec for Api::V1::Instances::ActivityController () 2018-12-17 11:32:24 +01:00
ysksn a3dcbfddd6 Add specs for Accounts::PinsController () 2018-12-17 06:03:51 +01:00
ysksn 3c31c28605 Add spec for Admin::ActionLogsController#index () 2018-12-14 20:37:01 +01:00
ysksn 458e2b0c5b Add specs for RemoteInteractionController () 2018-12-14 20:36:40 +01:00
ysksn c1600a0f69 Add spec for Admin::DashboardController#index () 2018-12-14 20:36:18 +01:00
Sumit Khanna 769c2d2680 Error message for avatar image that's too large. ()
* Error message for avatar image that's too large. 

* Code climate/formatting

* Removed avatar error message

* Moved valid image dimensions check to update service

* removed unnecessary begin block

* code climate formatting

* code climate indent fix
2018-12-14 05:07:21 +01:00
ysksn 795bac44fd Add spec for Settings::ExportsController#create () 2018-12-13 02:53:52 +01:00
ysksn ed24bb2c3e Add specs for activitypub collections controller ()
* Add specs for ActivityPub::CollectionsController#show

* Raise ActiveRecord::RecordNotFound

Raising ActiveRecord::NotFound raises NameError: uninitialized constant
ActiveRecord::NotFound.
2018-12-10 21:39:25 +01:00
ysksn 6eae8f77af Add spec for Admin::SuspentionsController#new () 2018-12-10 21:38:21 +01:00
ysksn 361818e931 Fix Admin::TagsController#unhide () 2018-12-10 21:37:38 +01:00
ysksn ae3d2f446a Add specs for Admin::InvitesController () 2018-12-10 01:19:28 +09:00
ysksn d3547fa005 Add specs for ActivityPub::InboxesController () 2018-12-07 16:40:01 +01:00
ThibG e88c6a5c3c Fix thread depth computation in statuses_controller ()
* Add test that should currently fail

* Fix depth computation (will still fail if statuses have been filtered out)

* Fix handling of broken threads
2018-12-05 02:12:29 +01:00
Eugen Rochko 73faadad28
Redesign admin accounts index ()
* Improve overview of accounts in admin UI

- Display suspended status, role, last activity and IP prominently
- Default to showing local accounts
- Default to not showing suspended accounts

* Remove unused strings

* Fix tests

* Allow filtering accounts by IP mask
2018-11-26 15:53:27 +01:00
Eugen Rochko 6d59dfa15d
Optimize the process of following someone ()
* Eliminate extra accounts select query from FollowService

* Optimistically update follow state in web UI and hide loading bar

Fix 

* Asynchronize NotifyService in FollowService

And fix failing test

* Skip Webfinger resolve routine when called from FollowService if possible

If an account is ActivityPub, then webfinger re-resolving is not necessary
when called from FollowService. Improve options of ResolveAccountService
2018-11-08 21:05:42 +01:00
takayamaki 33976c8ecc fix: Execute PAM authentication tests on CircleCI ()
and use 'if' option of context block
2018-10-20 17:28:04 +02:00
Eugen Rochko d5bfba3262
Do not test PAM authentication by default ()
* Do not test PAM authentication by default

* Disable PAM tests if PAM is not enabled
2018-10-20 07:32:26 +02:00
Eugen Rochko 21ad21cb50
Improve signature verification safeguards ()
* Downcase signed_headers string before building the signed string

The HTTP Signatures draft does not mandate the “headers” field to be downcased,
but mandates the header field names to be downcased in the signed string, which
means that prior to this patch, Mastodon could fail to process signatures from
some compliant clients. It also means that it would not actually check the
Digest of non-compliant clients that wouldn't use a lowercased Digest field
name.

Thankfully, I don't know of any such client.

* Revert "Remove dead code ()"

This reverts commit a00ce8c92c.

* Restore time window checking, change it to 12 hours

By checking the Date header, we can prevent replaying old vulnerable
signatures. The focus is to prevent replaying old vulnerable requests
from software that has been fixed in the meantime, so a somewhat long
window should be fine and accounts for timezone misconfiguration.

* Escape users' URLs when formatting them

Fixes possible HTML injection

* Escape all string interpolations in Formatter class

Slightly improve performance by reducing class allocations
from repeated Formatter#encode calls

* Fix code style issues
2018-10-12 00:15:55 +02:00
ashleyhull-versent f194857ac9 rubocop issues - Cleaning up ()
* cleanup pass

* undo mistakes

* fixed.

* revert
2018-10-08 04:50:11 +02:00
Eugen Rochko 774ac47373
Add conversations API ()
* Add conversations API

* Add web UI for conversations

* Add test for conversations API

* Add tests for ConversationAccount

* Improve web UI

* Rename ConversationAccount to AccountConversation

* Remove conversations on block and mute

* Change last_status_id to be a denormalization of status_ids

* Add optimistic locking
2018-10-07 23:44:58 +02:00
aus-social 0a4739c732 lint pass 2 ()
* Code quality pass

* Typofix

* Update applications_controller_spec.rb

* Update applications_controller_spec.rb
2018-10-04 17:38:04 +02:00
Eugen Rochko e645ae9561
Change admin accounts default sort to most recent () 2018-10-04 16:05:38 +02:00
aus-social 1f98eae1cf Lint pass () 2018-10-04 12:36:53 +02:00
Eugen Rochko f0fff3eb10
Support min_id-based pagination in REST API ()
* Allow min_id pagination in Feed#get

* Add min_id pagination to home and list timeline APIs

* Add min_id pagination to account statuses, public and tag APIs

* Remove unused stub in reports API

* Use min_id pagination in notifications, favourites, and fix order

* Fix HomeFeed#from_database not using paginate_by_id
2018-09-28 02:23:45 +02:00
luzpaz 40dd19be37 Misc. typos ()
Found via `codespell -q 3 --skip="./app/javascript/mastodon/locales,./config/locales"`
2018-09-14 00:53:09 +02:00
Eugen Rochko 2288d50a7b
Add force_login option to OAuth authorize page ()
* Add force_login option to OAuth authorize page

For when a user needs to sign into an app from multiple accounts
on the same server

* When logging out from modal header, redirect back after re-login
2018-09-09 04:10:44 +02:00
Jakub Mendyk f3a12ddfd0 Make Api::V1::MutesController paginate properly ()
Fixes 
2018-08-26 21:30:17 +02:00
Jakub Mendyk 6cb3514d64 Add ability to change an instance default theme from the administration panel () ()
* Add default_settings class method to ScopedSettings

ScopedSettings was extended to use the value of the unscoped setting instead of
only using defaults set in config/settings.yml for selected settings.
This adds the possibility for admins to set default values of users' settings,
for example default theme (as requested in ).

* Add ability to change an instance default theme

Closes 
2018-08-23 14:17:35 +02:00
Eugen Rochko 2374a00c10
Add confirmation step to account suspensions ()
* Add confirmation page for suspensions

* Suspension confirmation closes reports, linked from report UI

* Fix tests
2018-08-22 11:53:41 +02:00
Eugen Rochko 78fa926ed5
Add remote interaction dialog for toots ()
* Add remote interaction dialog for toots

* Change AuthorizeFollow into AuthorizeInteraction, support statuses

* Update brakeman.ignore

* Adjust how interaction buttons are displayed on public pages

* Fix tests
2018-08-18 03:03:12 +02:00
S.H 2aeeffc3ec Update Rails ()
* Update Rails

* fix Update Rails
2018-08-12 12:25:23 +02:00
Eugen Rochko 60df87f6f0
Compensate for scrollbar disappearing when media modal visible ()
* Compensate for scrollbar disappearing when media modal visible

Make auth pages backgrounds lighter

* Fix typo
2018-07-31 01:14:33 +02:00
Eugen Rochko 1f6ed4f86a
Add more granular OAuth scopes ()
* Add more granular OAuth scopes

* Add human-readable descriptions of the new scopes

* Ensure new scopes look good on the app UI

* Add tests

* Group scopes in screen and color-code dangerous ones

* Fix wrong extra scope
2018-07-05 18:31:35 +02:00
Eugen Rochko da8fe8079e
Re-add follow recommendations API ()
* Re-add follow recommendations API

    GET /api/v1/suggestions

Removed in 8efa081f21 due to Neo4J
dependency. The algorithm uses triadic closures, takes into account
suspensions, blocks, mutes, domain blocks, excludes locked and moved
accounts, and prefers more recently updated accounts.

* Track interactions with people you don't follow

Replying to, favouriting and reblogging someone you're not following
will make them show up in follow recommendations. The interactions
have different weights:

- Replying is 1
- Favouriting is 10 (decidedly positive interaction, but private)
- Reblogging is 20

Following them, muting or blocking will remove them from the list,
obviously.

* Remove triadic closures, ensure potential friendships are trimmed
2018-07-03 01:47:56 +02:00
Eugen Rochko cdb101340a
Keyword/phrase filtering ()
* Add keyword filtering

    GET|POST       /api/v1/filters
    GET|PUT|DELETE /api/v1/filters/:id

- Irreversible filters can drop toots from home or notifications
- Other filters can hide toots through the client app
- Filters use a phrase valid in particular contexts, expiration

* Make sure expired filters don't get applied client-side

* Add missing API methods

* Remove "regex filter" from column settings

* Add tests

* Add test for FeedManager

* Add CustomFilter test

* Add UI for managing filters

* Add streaming API event to allow syncing filters

* Fix tests
2018-06-29 15:34:36 +02:00
Shuhei Kitagawa 23955d956e Add tests for remote_unfollows_controller () 2018-06-24 19:55:55 +09:00
Shuhei Kitagawa 459394a020 Add missing tests for confirmations controller () 2018-06-21 10:40:23 +09:00
Shuhei Kitagawa 63b05096c7 Add tests for shares_controller () 2018-06-18 10:45:20 +09:00
Eugen Rochko 7eec279c7f
Change language opt-out to language opt-in ()
* Switch filtered_languages to chosen_languages

* Adjust interface

* Remove unused translations
2018-06-17 13:54:02 +02:00
Shuhei Kitagawa ad8814232f Add tests for following accounts controller () 2018-06-14 10:49:17 +09:00
Shuhei Kitagawa 5b47774ab8 Add tests for followers_accounts_controller () 2018-06-13 10:28:39 +09:00
Shuhei Kitagawa 6151308c47 Add missing tests for admin/accounts_controller () 2018-06-12 21:24:46 +09:00
Shuhei Kitagawa 7086aa598b Add tests for intents_controller () 2018-06-09 22:47:50 +02:00
Shuhei Kitagawa 12fa2500c4 Add missing tests for sessions controller () 2018-06-06 10:23:22 +09:00
Shuhei Kitagawa 22caa32ba2 Add tests for embeds controller ()
* Small refactoring of status_finder_spec

* Add tests for embeds_controller
2018-06-04 10:35:56 +09:00
Shuhei Kitagawa 00512ecf87 Add tests for migrations_controller () 2018-06-02 18:52:16 +09:00
Shuhei Kitagawa b0b34a5e38 Add a test for emojis_controller () 2018-05-28 22:56:58 +09:00
Yamagishi Kazutoshi 6d99a0b652 Fix tests for invites controller (regression from 4d81809f36) () 2018-05-23 06:32:10 +02:00
Shuhei Kitagawa 12e590edd7 Add tests for report notes controller () 2018-05-22 14:45:10 +02:00
Eugen Rochko 8378b72eba
Ensure push subscription is immediately removed when application is revoked ()
* Ensure push subscription is immediately removed when application is revoked

* When token is revoked from app, unsubscribe too
2018-05-19 21:05:08 +02:00
Shuhei Kitagawa b48a166c82 Add tests for account_moderation_notes_controller () 2018-05-17 04:26:51 +02:00
Shuhei Kitagawa 50491e0d92 Add tests for invites controller ()
* Add tests for invites controller

* Small refactoring and fix for invites controller
2018-05-11 13:14:33 +02:00
Eugen Rochko b4fb766b23
Add REST API for Web Push Notifications subscriptions ()
- POST /api/v1/push/subscription
- PUT /api/v1/push/subscription
- DELETE /api/v1/push/subscription
- New OAuth scope: "push" (required for the above methods)
2018-05-11 11:49:12 +02:00
Shuhei Kitagawa ce35d81db7 Add tests for admin/roles_controller () 2018-05-09 08:41:46 +02:00
Shuhei Kitagawa 35eff337d5 Add tests for admin/invites_controller () 2018-05-09 08:41:26 +02:00
Shuhei Kitagawa bd10a7e480 Add resend confirmation for admin ()
* Add confirmations_controller#resend

* Add tests for confirmations_controller#resend

* Add translations
2018-05-06 10:59:03 +02:00
Eugen Rochko c7d1a2e400
Improve admin UI for accounts ()
* Improve design of account statuses admin UI (consistent with reports)

* Make account moderation notes look consistent with report notes

* i18n-tasks remove-unused

* Fix code style issues

* Fix tests
2018-05-05 23:06:29 +02:00
Shuhei Kitagawa 661f7e6d9d Add tests for admin/custom_emojis_controller () 2018-05-05 15:53:59 +02:00
Eugen Rochko 28bd4b9800
Serialize webfinger XML with Ox instead of Nokogiri ()
25ms -> 0.5ms
2018-05-02 22:28:46 +02:00
Akihiko Odaki 1258efa882 Paginate descendant statuses in public page () 2018-04-23 19:27:35 +02:00
Yamagishi Kazutoshi 648d645c2f Fix randomly fail (similar ) () 2018-04-22 11:41:39 +02:00
Yamagishi Kazutoshi 3f6893c641 Reset locale on registration tests () 2018-04-21 23:37:07 +02:00
Yamagishi Kazutoshi d10447c3a8 Use raw status code on have_http_status () 2018-04-21 21:35:07 +02:00
Eugen Rochko a9c440637c
Improve report layout ()
* Use table for statuses in report

* Display reported account and reporter in the same table

* Split accounts and general report info into two tables again

* Redesign report statuses table, notes, merge notes and action log

* Remove unused translations

* Fix code style issue

* Fix code style issue

* Fix code style issue
2018-04-20 02:28:48 +02:00
Akihiko Odaki a1049e9380 Redirect to account status page for page of status stream entry ()
Commit 519119f657 missed a change for the
stream entry page. Instead of duplicating the change, redirect to the account
status page. It would also help crawlers (of search engines, for example)
to understand that a stream entry URL and its corresponding status URL point
to the same page.
2018-04-16 10:04:31 +02:00
Alexander 8e88a18316 update gem, test pam authentication ()
* update gem, test pam authentication

* add description for test parameters

* fix inclusion of optional group
2018-04-11 21:40:38 +02:00
Emelia Smith 219a4423d8 Feature: Allow staff to change user emails ()
* Admin: Show unconfirmed email address on account page

* Admin: Allow staff to change user email addresses

* ActionLog: On change_email, log current email address and new unconfirmed email address
2018-04-10 09:16:06 +02:00
Levi Bard cd0eaa349c Enable updating additional account information from user preferences via rest api ()
* Enable updating additional account information from user preferences via rest api
Resolves 

* Pacify rubocop

* Decoerce incoming settings in UserSettingsDecorator

* Create user preferences hash directly from incoming credentials instead of going through ActionController::Parameters

* Clean up user preferences update

* Use ActiveModel::Type::Boolean instead of manually checking stringified number equivalence
2018-04-08 13:43:10 +02:00
Emelia Smith 2e59751823 Improve require_admin! and require_staff! filters ()
Previously these returned 302 redirects instead of 403s, which meant posting links to admin pages in Slack caused them to unfurl, rather than stay as a link. Additionally, require_admin! doesn't appear to be actively used, on require_staff!
2018-04-03 13:07:32 +02:00
Emelia Smith e85cffb236 Feature: Report improvements () ()
* Implement Assignment of Reports ()

* Change translation of admin.report.comment.label to "Report Comment" for clarity

As we'll soon add the ability for reports to have comments on them, this clarification makes sense.

* Implement notes for Reports

This enables moderators to leave comments about a report whilst they work on it

* Fix display of report moderation notes

* Allow reports to be reopened / marked as unresolved

* Redirect to reports listing upon resolution of report

* Implement "resolve with note" functionality

* Add inverse relationship for report notes

* Remove additional database querying when loading report notes

* Fix tests for reports

* Fix localisations for report notes / reports
2018-04-02 22:04:14 +02:00
Akihiko Odaki a38dbd9c8a Redirect from Web tag timeline to public tag timeline if not signed in ()
This is also implemented in Pawoo:
ceafdbd1bb
2018-03-05 19:29:36 +01:00
Akihiko Odaki 51d760960c Set the default locale in config ()
Previously the default locale was set by Localized concern for controllers,
but it was not enforced for mailers.

config is enforced throughout the application and an appropriate place to
set the default locale.
2018-03-04 09:21:35 +01:00
Eugen Rochko 4bc625166e
Fix bug in relationships API introduced by ()
It was merge when it needed to be deep_merge. And added some tests
2018-02-21 23:22:12 +01:00
abcang cf32f7da5c Fix response of signature_verification_failure_reason () 2018-02-08 05:00:45 +01:00
Akihiko Odaki 613e7c7521 Rename ResolveRemoteAccountService to ResolveAccountService ()
The service that used to be named ResolveRemoteAccountService resolves local
accounts as well.
2018-01-22 14:25:09 +01:00
Aboobacker MK 112b1fa265 Redirect to 2FA creation page when otp_secret is not available () 2018-01-21 13:21:28 +01:00
Eugen Rochko 9b3b40df66
Fix regeneration marker not expiring ()
* Fix regeneration key not getting expired

* Add rake task to remove old regeneration markers
2018-01-18 20:29:56 +01:00
Eugen Rochko 7badad7797
Fix home regeneration ()
* Fix regeneration marker not being removed after completion

* Return HTTP 206 from /api/v1/timelines/home if regeneration in progress
Prioritize RegenerationWorker by putting it into default queue

* Display loading indicator and poll home timeline while it regenerates

* Add graphic to regeneration message

* Make "not found" indicator consistent with home regeneration
2018-01-17 23:56:03 +01:00
Eugen Rochko dbda87c31f
Revert () 2018-01-08 10:57:52 +01:00
Yamagishi Kazutoshi 1d92b90be9 Fix force_ssl conditional () 2018-01-07 15:19:23 +01:00
Patrick Figel 5ec25ff3e1 Fix email confirmation link not updating email ()
A change introduced in  prevents
`Devise::Models::Confirmable#confirm` from being called for existing
users, which in turn leads to `email` not being set to
`unconfirmed_email`, breaking email updates. This also adds a test
that would've caught this issue.
2018-01-05 00:15:35 +01:00
Akihiko Odaki 161c72d66d Allow to dereference Follow object for ActivityPub ()
* Allow to dereference Follow object for ActivityPub

* Accept IRI as object representation for Accept activity
2018-01-03 18:08:57 +01:00
Eugen Rochko 1356ed72cd
Fix - Add GET /api/v1/accounts/:id/lists () 2017-12-12 03:55:39 +01:00
Eugen Rochko a865b62efc
Rate limit by user instead of IP when API user is authenticated ()
* Fix  - Rate limit by user instead of IP when API user is authenticated

* Fix code style issue

* Use request decorator provided by Doorkeeper
2017-12-09 14:20:02 +01:00