Commit graph

1230 commits

Author SHA1 Message Date
Eugen Rochko
25d3dc4373
Add ability to mark statuses as sensitive from reports in admin UI (#17668)
* Add ability to mark statuses as sensitive from reports in admin UI

* Allow mark as sensitive action on statuses with preview cards
2022-03-01 22:20:29 +01:00
Claire
14919fe11e
Change old moderation strikes to be displayed in a separate page (#17566)
* Change old moderation strikes to be displayed in a separate page

Fixes #17552

This changes the moderation strikes displayed on `/auth/edit` to be those from
the past 3 months, and make all moderation strikes targeting the current user
available in `/disputes`.

* Add short description of what the strikes page is for

* Move link to list of strikes to “Account status” instead of navigation item

* Normalize i18n file

* Fix layout and styling of strikes link

* Revert highlights_on regexp

* Reintroduce account status summary

- this way, “Account status” is never empty
- account status is not necessarily bound to strikes, or recent strikes
2022-03-01 19:37:47 +01:00
Eugen Rochko
50ea54b3ed
Change authorized applications page (#17656)
* Change authorized applications page

* Hide revoke button for superapps and suspended accounts

* Clean up db/schema.rb
2022-03-01 16:48:58 +01:00
Claire
57814a98a9
Fix remote reports with comments revealing remote reporter (#17652)
* Display username rather than display name in report comment

For consistency with report notes and appeals

* Fix remote reports with comments revealing remote reporter

* Display instance name in placeholder

* Make instance name in report comment a link to the federation admin page

* Normalize i18n file
2022-02-26 21:14:12 +01:00
Eugen Rochko
27965ce5ed
Add trending statuses (#17431)
* Add trending statuses

* Fix dangling items with stale scores in localized sets

* Various fixes and improvements

- Change approve_all/reject_all to approve_accounts/reject_accounts
- Change Trends::Query methods to not mutate the original query
- Change Trends::Query#skip to offset
- Change follow recommendations to be refreshed in a transaction

* Add tests for trending statuses filtering behaviour

* Fix not applying filtering scope in controller
2022-02-25 00:34:14 +01:00
Eugen Rochko
a29a982eaa
Change e-mail domain blocks to block IPs dynamically (#17635)
* Change e-mail domain blocks to block IPs dynamically

* Update app/workers/scheduler/email_domain_block_refresh_scheduler.rb

Co-authored-by: Yamagishi Kazutoshi <ykzts@desire.sh>

* Update app/workers/scheduler/email_domain_block_refresh_scheduler.rb

Co-authored-by: Yamagishi Kazutoshi <ykzts@desire.sh>

Co-authored-by: Yamagishi Kazutoshi <ykzts@desire.sh>
2022-02-24 17:28:23 +01:00
noiob
0db101ede2
Fix link in new hashtag notification email (#17624)
It's currently https://example.org/admin/trends/tags?pending_review=1 but should be https://example.org/admin/trends/tags?status=pending_review
2022-02-23 16:51:09 +01:00
Eugen Rochko
51e67f3243
Fix link colors in report and strike details (#17616) 2022-02-22 15:27:25 +01:00
Eugen Rochko
8338826963
Fix wrong styles on strike page (#17615) 2022-02-22 06:20:04 +01:00
Claire
793da08995
Change dasbhoard links for “new users” and “active users” (#17570)
Make them filter for local accounts by default
2022-02-16 13:17:28 +01:00
Eugen Rochko
564efd0651
Add appeals (#17364)
* Add appeals

* Add ability to reject appeals and ability to browse pending appeals in admin UI

* Add strikes to account page in settings

* Various fixes and improvements

- Add separate notification setting for appeals, separate from reports
- Fix style of links in report/strike header
- Change approving an appeal to not restore statuses (due to federation complexities)
- Change style of successfully appealed strikes on account settings page
- Change account settings page to only show unappealed or recently appealed strikes

* Change appealed_at to overruled_at

* Fix missing method error
2022-02-14 21:27:53 +01:00
Eugen Rochko
bbd3474416
Fix privacy policy link not being visible on small screens (#17533)
Fix #17482
2022-02-13 02:52:34 +01:00
Jeong Arm
ee47e2028b
Enable domain purge button on suspended domains too (#17209)
* Enable domain purge button on suspended domains too

* Change unless to if
2022-02-11 22:23:19 +01:00
Eugen Rochko
d0fcf07436
Change actions in reports to require only one click (#17487) 2022-02-11 21:51:57 +01:00
Eugen Rochko
3aebe711fd
Change languages to be listed under standard instead of native name in admin UI (#17485) 2022-02-09 04:15:38 +01:00
Eugen Rochko
b6d7726ecb
Remove language detection through cld3 (#17478)
* Remove language detection through cld3

* Update app/helpers/languages_helper.rb

Co-authored-by: Yamagishi Kazutoshi <ykzts@desire.sh>

Co-authored-by: Yamagishi Kazutoshi <ykzts@desire.sh>
2022-02-08 02:41:17 +01:00
Eugen Rochko
35850f8195
Fix localization of cold-start follow recommendations (#17479) 2022-02-08 01:53:49 +01:00
Eugen Rochko
e03e7ac290
Fix error on account relationships page in admin UI (#17444) 2022-02-05 05:06:34 +01:00
Claire
bddd9ba36d
Add OMNIAUTH_ONLY environment variable to enforce externa log-in (#17288)
* Remove support for OAUTH_REDIRECT_AT_SIGN_IN

Fixes #15959

Introduced in #6540, OAUTH_REDIRECT_AT_SIGN_IN allowed skipping the log-in form
to instead redirect to the external OmniAuth login provider.

However, it did not prevent the log-in form on /about introduced by #10232 from
appearing, and completely broke with the introduction of #15228.

As I restoring that previous log-in flow without introducing a security
vulnerability may require extensive care and knowledge of how OmniAuth works,
this commit removes support for OAUTH_REDIRECT_AT_SIGN_IN instead for the time
being.

* Add OMNIAUTH_ONLY environment variable to enforce external log-in only

* Disable user registration when OMNIAUTH_ONLY is set to true

* Replace log-in links When OMNIAUTH_ONLY is set with exactly one OmniAuth provider
2022-01-23 15:52:58 +01:00
Claire
6eea3f8f9c
Add post edited notice in admin and public UIs (#17335)
* Add edited toot flag on public pages

* Add toot edit flag to admin pages
2022-01-20 13:37:31 +01:00
Eugen Rochko
14f436c457
Add notifications for statuses deleted by moderators (#17204) 2022-01-17 09:41:33 +01:00
Eugen Rochko
8e84ebf0cb
Remove IP tracking columns from users table (#16409) 2022-01-16 13:23:50 +01:00
Claire
76761d5fc0
Add ability for admins to delete canonical email blocks (#16644)
* Add admin option to remove canonical email blocks from a deleted account

* Add tootctl canonical_email_blocks to inspect and remove canonical email blocks
2021-12-17 23:02:14 +01:00
Claire
7f803c41e2
Add ability to purge undeliverable domains from admin interface (#16686)
* Add ability to purge undeliverable domains from admin interface

* Add tests
2021-12-17 23:01:21 +01:00
Eugen Rochko
0fb9536d38
Add batch suspend for accounts in admin UI (#17009) 2021-12-05 21:48:39 +01:00
Eugen Rochko
7de0ee7aba
Remove Keybase integration (#17045) 2021-11-26 05:58:18 +01:00
Eugen Rochko
12b3ff6c6d
Fix error on trending hashtags/links pages in admin UI due to missing constant (#17044) 2021-11-26 01:12:39 +01:00
Eugen Rochko
6e50134a42
Add trending links (#16917)
* Add trending links

* Add overriding specific links trendability

* Add link type to preview cards and only trend articles

Change trends review notifications from being sent every 5 minutes to being sent every 2 hours

Change threshold from 5 unique accounts to 15 unique accounts

* Fix tests
2021-11-25 13:07:38 +01:00
Eugen Rochko
07341e7aa6
Add graphs and retention metrics to admin dashboard (#16829) 2021-10-14 20:44:59 +02:00
Claire
db57bff11d
Stop setting a shortcode to newly-created media attachments (#16730)
* Stop setting a shortcode to newly-created media attachments

The WebUI has stopped using the “short media URL” in ages. This isn't used
anywhere except for mail notifications.

Deprecating it would allow us to eventually get rid of at least a database
column and corruption-prone index, as well as a controller.

* Fix tests
2021-09-13 18:59:37 +02:00
Claire
3c45dfa0fe
Fix “discoverable” account setting being tied to profile directory (#16637) 2021-08-20 16:11:58 +02:00
Claire
4ac78e2a06
Add feature to automatically delete old toots (#16529)
* Add account statuses cleanup policy model

* Record last inspected toot to delete to speed up successive calls to statuses_to_delete

* Add service to cleanup a given account's statuses within a budget

* Add worker to go through account policies and delete old toots

* Fix last inspected status id logic

All existing statuses older or equal to last inspected status id must be
kept by the current policy. This is an invariant that must be kept so that
resuming deletion from the last inspected status remains sound.

* Add tests

* Refactor scheduler and add tests

* Add user interface

* Add support for discriminating based on boosts/favs

* Add UI support for min_reblogs and min_favs, rework UI

* Address first round of review comments

* Replace Snowflake#id_at_start with with_random parameter

* Add tests

* Add tests for StatusesCleanupController

* Rework settings page

* Adjust load-avoiding mechanisms

* Please CodeClimate
2021-08-09 23:11:50 +02:00
Eugen Rochko
7095c80373
Add ability to filter reports by origin of target account (#16487) 2021-07-11 11:01:38 +02:00
Eugen Rochko
771c9d4ba8
Add ability to skip sign-in token authentication for specific users (#16427)
Remove "active within last two weeks" exception for sign in token requirement

Change admin reset password to lock access until the password is reset
2021-07-08 05:31:28 +02:00
Claire
e2844b7e58
Change number_to_human calls to always use 3-digits precision (#16469)
Fixes #16435
2021-07-07 21:13:08 +02:00
David Sterry
7c27ccb8d8
Fix #16407 (#16432) 2021-06-27 22:31:28 +02:00
Claire
262c7bcb57
Add full user agent in tooltips for login activities (#16428)
Also adds timestamp in HTML itself to not rely on javascript
2021-06-23 16:42:23 +02:00
Eugen Rochko
d174d12c83
Add authentication history (#16408) 2021-06-21 17:07:30 +02:00
Eugen Rochko
74081433d0
Change trending hashtags to be affected be reblogs (#16164)
If a status with a hashtag becomes very popular, it stands to
reason that the hashtag should have a chance at trending

Fix no stats being recorded for hashtags that are not allowed
to trend, and stop ignoring bots

Remove references to hashtags in profile directory from the code
and the admin UI
2021-05-07 14:33:43 +02:00
Claire
566fc90913
Add Ruby 3.0 support (#16046)
* Fix issues with POSIX::Spawn, Terrapin and Ruby 3.0

Also improve the Terrapin monkey-patch for the stderr/stdout issue.

* Fix keyword argument handling throughout the codebase

* Monkey-patch Paperclip to fix keyword arguments handling in validators

* Change validation_extensions to please CodeClimate

* Bump microformats from 4.2.1 to 4.3.1

* Allow Ruby 3.0

* Add Ruby 3.0 test target to CircleCI

* Add test for admin dashboard warnings

* Fix admin dashboard warnings on Ruby 3.0
2021-05-06 14:22:54 +02:00
Takeshi Umeda
7cb34b32f8
Add management of delivery availability in Federation settings (#15771)
* Add management of delivery availavility in Federation settings

* fix translate

* Remove useless object creation

* Fix DeepSource issue

* Add shortcut for all

* Fix DeepSource(skipcq)

* Change 'remove' to 'clear'

* Fix style

* Change class method name (exhausted_deliveries_key_by)
2021-05-05 23:39:02 +02:00
Eugen Rochko
351c744590
Fix error when trying to render component for media without meta (#16112) 2021-05-05 21:16:55 +02:00
Eugen Rochko
daccc07dc1
Change auto-following admin-selected accounts, show in recommendations (#16078) 2021-04-24 17:01:43 +02:00
Eugen Rochko
23b102f661
Add "recommended" label to activity/peers API toggles in admin UI (#16081) 2021-04-20 13:57:45 +02:00
Eugen Rochko
480d7c9478
Fix missing source strings and inconsistent lead text style in admin UI (#16052) 2021-04-17 11:12:49 +02:00
Eugen Rochko
f7117646af
Add cold-start follow recommendations (#15945) 2021-04-12 12:37:14 +02:00
Eugen Rochko
619fad6cf8
Remove spam check and dependency on nilsimsa gem (#16011) 2021-04-11 11:22:50 +02:00
Claire
117f6638d0
Fix SVG files not being correctly included in templates (#16001)
In Rails 6.1, raw file inclusion in templates have to be explicitly marked as
HTML-safe, otherwise it's rendered as text.
2021-04-05 13:05:49 +02:00
Eugen Rochko
487e37d6d4
Add system checks to dashboard in admin UI (#15989) 2021-04-03 14:12:30 +02:00
Claire
876840e9ef
Fix brakeman warning (#15870)
As far as I understand, the brakeman warning was a false-positive as
`content_tag` properly escapes untrusted HTML. Furthermore, the interpolated
string values are built from the “username” part of accounts, which is
restricted to a small subset of ASCII that precludes any XML entity or HTML
code.

This proposed change should be functionally equivalent to the current code,
however it is slightly more robust, it's more idiomatic, and Brakeman will
stop complaining about it.
2021-03-19 23:48:59 +01:00
Claire
39a490c70e
Fix custom CSS when CDN_HOST is set (#15927) 2021-03-19 20:23:08 +01:00
Filipe Rodrigues
3dc94d9f91
Fix reference to non-existing translation in the exports page. (#15894)
The exports page showed a different "CSV" capitalisation in the
"Bookmarks" row ("Csv") compared to the other rows ("CSV").
This was due to a referece to a translation string that does not exist,
`bookmarks.csv`, defaulting to the key's last segment in title case.

This issue was introduced in commit dcd86204 (PR #14956).

(h/t @meqif for helping with figuring out the bug)
2021-03-15 02:17:29 +01:00
Claire
1b02d29be5
Fix not being able to change world filter expiration back to “Never” (#15858)
Fixes #15849
2021-03-12 05:25:50 +01:00
Claire
67c5cdea40
Fix some ignored brakeman warnings (#15829) 2021-03-07 07:06:56 +01:00
Claire
4f19504986
Add inline description of moderation actions in moderation interface (#15792) 2021-02-24 16:53:16 +01:00
Claire
1b50ac08c1
Fix server rules not being displayed if extended server discription isn't set (#15778) 2021-02-22 18:26:24 +01:00
Eugen Rochko
8331fdf7e0
Add server rules (#15769) 2021-02-21 19:50:12 +01:00
Jeong Arm
d499bb031f
Use custom mascot on static share page (#15687)
* Use custom mascot on static share page

* Use full_asset_url
2021-02-11 02:18:56 +01:00
ThibG
7d0031a515
Fix Google Translate breaking web interface (#15610)
- marks the page as a whole as untranslatable
- still marks user text as translatable

Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2021-01-21 14:29:54 +01:00
Takeshi Umeda
cb5bb2313b
Fix expand video on public page (#15469) 2020-12-30 23:18:11 +01:00
Eugen Rochko
59343ef4d1
Fix missing description on enable bootstrap timeline accounts toggle in admin UI (#15367) 2020-12-19 00:19:15 +01:00
Eugen Rochko
8a95867693
Add option to obfuscate domain name in public list of domain blocks (#15355)
- Replace the middle of the domain with * characters (except for periods)
- Add SHA-256 digest of the domain name in tooltip
2020-12-18 08:30:41 +01:00
ThibG
8357969559
Fix admins being able to suspend their instance actor (#14567)
* Fix admin being able to suspend their own instance account

* Add text about the instance's own actor in admin view

* Change instance actor notice from flash message to template

* Do not list local instance actor in account moderation list
2020-12-15 17:23:58 +01:00
Eugen Rochko
1f564051b6
Change RTL detection to rely on unicode-bidi paragraph by paragraph (#14573) 2020-12-15 12:56:43 +01:00
Mashiro
75d2762fdf
Add "invite request content" display in user account admin page (#15265)
* feat: display `invite_request_text` in admin's user account page

* fix: move invite_request to the bottom of accounts page

* fix: remove time display, remove formate, change code terminology

* fix: remove escape
2020-12-15 06:28:14 +01:00
ThibG
1390cc194b
Add indication to admin UI of whether a report has been forwarded (#13237)
* Add indication to admin UI of whether a report has been forwarded

* Rework how forwarded status is displayed

Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2020-12-15 04:30:15 +01:00
ThibG
47e507fa61
Add ability to require invite request text (#15326)
Fixes #15273

Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2020-12-14 10:03:09 +01:00
Eugen Rochko
216b85b053
Fix performance on instances list in admin UI (#15282)
- Reduce duplicate queries
- Remove n+1 queries
- Add accounts count to detailed view
- Add separate action log entry for updating existing domain blocks
2020-12-14 09:06:34 +01:00
Eugen Rochko
a3b5675aa8
Change number format on about page from full to shortened (#15327) 2020-12-14 05:09:14 +01:00
ThibG
49eb4d4ddf
Add honeypot fields and minimum fill-out time for sign-up form (#15276)
* Add honeypot fields to limit non-specialized spam

Add two honeypot fields: a fake website input and a fake password confirmation
one. The label/placeholder/aria-label tells not to fill them, and they are
hidden in CSS, so legitimate users should not fall into these.

This should cut down on some non-Mastodon-specific spambots.

* Require a 3 seconds delay before submitting the registration form

* Fix tests

* Move registration form time check to model validation

* Give people a chance to clear the honeypot fields

* Refactor honeypot translation strings

Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2020-12-10 06:27:26 +01:00
ThibG
d849aad852
Change public thread view to hide "Show thread" link (#15266)
Fixes #15262
2020-12-02 21:21:44 +01:00
Eugen Rochko
13b07b88f1
Fix omniauth (SAML/CAS) sign-in routes not having CSRF protection (#15228) 2020-11-28 05:17:53 +01:00
ThibG
96c1e71329
Add import/export feature for bookmarks (#14956)
* Add ability to export bookmarks

* Add support for importing bookmarks

* Add bookmark import tests

* Add bookmarks export test
2020-11-19 17:48:13 +01:00
Takeshi Umeda
148ce97e21
Add interrelationship icon (#15149)
* Add interrelationship icon

* Fix arrow for rtl

* Fix to predefined color
2020-11-12 17:43:12 +01:00
Takeshi Umeda
2b1a6e734f
Add follow selected followers button (#15148)
* Add follow selected followers button

* Fix unused variable

* Fix i18n normalize
2020-11-12 16:58:00 +01:00
Eugen Rochko
9b1f2a4b61
Add subresource integrity for JS and CSS assets (#15096)
Fix #2744
2020-11-06 11:56:31 +01:00
Mélanie Chauvel
68d4b2b83e
Display “Show newer” and “Show older” instead of “Show more” in public pages (#15052) 2020-11-04 21:15:45 +01:00
Takeshi Umeda
d6fe0c94ca
Add account sensitized (#14361)
* Add account sensitized

* Fix i18n normalize

* Fix description and spec

* Fix spec

* Fix wording
2020-11-04 20:45:01 +01:00
Mélanie Chauvel
1d07f51039
Make visibility icon clickable as part of the time of a toot (#15053)
- Makes permalink to a toot more easily clickable
- Fix clicking between icon and time in fact clicking the display name
- Fix clicking slightly under time in fact clicking the display name
2020-10-27 03:00:47 +01:00
ThibG
4c45b43cb8
Change how CDN_HOST is passed down to make assets build reproducible (#14381)
* Change how CDN_HOST is passed down to make assets build reproducible

* Change webpacker/webpack configuration to dynamically load publicPath based on meta header

* Fix embedded layout missing the cdn-host meta header
2020-10-13 01:19:35 +02:00
Eugen Rochko
5e1364c448
Add IP-based rules (#14963) 2020-10-12 16:33:49 +02:00
Eugen Rochko
7d985f2aac
Remove dependency on goldfinger gem (#14919)
There are edge cases where requests to certain hosts timeout when
using the vanilla HTTP.rb gem, which the goldfinger gem uses. Now
that we no longer need to support OStatus servers, webfinger logic
is so simple that there is no point encapsulating it in a gem, so
we can just use our own Request class. With that, we benefit from
more robust timeout code and IPv4/IPv6 resolution.

Fix #14091
2020-10-08 00:34:57 +02:00
Eugen Rochko
a549415868
Fix regressions in icon buttons in web UI (#14915) 2020-10-04 15:02:36 +02:00
ThibG
78e45a5285
Add option to disable swiping motions across the WebUI (#13885)
Fixes #13882
2020-09-30 19:31:03 +02:00
Jeremy Rose
03b6b034b9
add og:published_time to opengraph meta tags (#14865) 2020-09-24 23:32:13 +02:00
Takeshi Umeda
070026e634
Fix method of the DELETE DATA button (#14855) 2020-09-21 20:37:19 +02:00
Eugen Rochko
ed099d8bdc
Change account suspensions to be reversible by default (#14726) 2020-09-15 14:37:58 +02:00
Eugen Rochko
4e4b3a0c8e
Refactor settings controllers (#14767)
- Disallow suspended accounts from revoking sessions and apps
- Allow suspended accounts to access exports
2020-09-11 20:56:35 +02:00
abcang
e79d719e92
Changed tag most_used to recently_used (#14760) 2020-09-07 17:47:41 +02:00
santiagorodriguez96
e8d41bc2fe
Add WebAuthn as an alternative 2FA method (#14466)
* feat: add possibility of adding WebAuthn security keys to use as 2FA

This adds a basic UI for enabling WebAuthn 2FA. We did a little refactor
to the Settings page for editing the 2FA methods – now it will list the
methods that are available to the user (TOTP and WebAuthn) and from
there they'll be able to add or remove any of them.
Also, it's worth mentioning that for enabling WebAuthn it's required to
have TOTP enabled, so the first time that you go to the 2FA Settings
page, you'll be asked to set it up.
This work was inspired by the one donde by Github in their platform, and
despite it could be approached in different ways, we decided to go with
this one given that we feel that this gives a great UX.

Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com>

* feat: add request for WebAuthn as second factor at login if enabled

This commits adds the feature for using WebAuthn as a second factor for
login when enabled.
If users have WebAuthn enabled, now a page requesting for the use of a
WebAuthn credential for log in will appear, although a link redirecting
to the old page for logging in using a two-factor code will also be
present.

Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com>

* feat: add possibility of deleting WebAuthn Credentials

Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com>

* feat: disable WebAuthn when an Admin disables 2FA for a user

Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com>

* feat: remove ability to disable TOTP leaving only WebAuthn as 2FA

Following examples form other platforms like Github, we decided to make
Webauthn 2FA secondary to 2FA with TOTP, so that we removed the
possibility of removing TOTP authentication only, leaving users with
just WEbAuthn as 2FA. Instead, users will have to click on 'Disable 2FA'
in order to remove second factor auth.
The reason for WebAuthn being secondary to TOPT is that in that way,
users will still be able to log in using their code from their phone's
application if they don't have their security keys with them – or maybe
even lost them.

* We had to change a little the flow for setting up TOTP, given that now
  it's possible to setting up again if you already had TOTP, in order to
  let users modify their authenticator app – given that now it's not
  possible for them to disable TOTP and set it up again with another
  authenticator app.
  So, basically, now instead of storing the new `otp_secret` in the
  user, we store it in the session until the process of set up is
  finished.
  This was because, as it was before, when users clicked on 'Edit' in
  the new two-factor methods lists page, but then went back without
  finishing the flow, their `otp_secret` had been changed therefore
  invalidating their previous authenticator app, making them unable to
  log in again using TOTP.

Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com>

* refactor: fix eslint errors

The PR build was failing given that linting returning some errors.
This commit attempts to fix them.

* refactor: normalize i18n translations

The build was failing given that i18n translations files were not
normalized.
This commits fixes that.

* refactor: avoid having the webauthn gem locked to a specific version

* refactor: use symbols for routes without '/'

* refactor: avoid sending webauthn disabled email when 2FA is disabled

When an admins disable 2FA for users, we were sending two mails
to them, one notifying that 2FA was disabled and the other to notify
that WebAuthn was disabled.
As the second one is redundant since the first email includes it, we can
remove it and send just one email to users.

* refactor: avoid creating new env variable for webauthn_origin config

* refactor: improve flash error messages for webauthn pages

Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com>
2020-08-24 16:46:27 +02:00
ThibG
62a45ae26e
Fix client-side form validation not accepting handles with uppercase letters (#14599) 2020-08-19 19:00:47 +02:00
ThibG
0f38f9726a
Fix hardcoded non-breaking space in public view (#14568) 2020-08-13 12:04:28 +02:00
ThibG
7dc4c74265
Add client-side validation in password change forms (#14564)
* Fix client-side username validation at registration

It used the Account::USERNAME_RE regexp which is for *remote* users,
local user validation is stricter. Also take into account max username length.

* Add client-side form validation for password change

* Add client-side form validation to dedicated registration form

Previous changes only applied to the /about page, not the dedicated form on
/auth
2020-08-12 12:11:15 +02:00
ThibG
d70c3ab4c3
Add HTML form validation for the registration form (#14560)
* Add HTML-level validation of username in sign-up form

* Make required fields with incorrect values more visible

* Enable HTML form validation for the registration form

* Mark agreement checkbox as required client-side

* Add minimum length to password

* Add client-side password confirmation validation
2020-08-11 23:09:13 +02:00
ThibG
8ce962e148
Fix audio/video player not using CDN_HOST in media paths on public pages (#14486) 2020-08-02 19:03:10 +02:00
Eugen Rochko
5b7a93b02c
Fix videos on public pages not using custom thumbnails (#14273) 2020-07-09 12:53:16 +02:00
ThibG
a783bdf4ad
Fix hashtag column options styling (#14247)
* Enable nonces for stylesheets

* Pass nonce to react-select
2020-07-07 01:33:38 +02:00
Eugen Rochko
99f3a55540
Add color extraction for audio thumbnails (#14209) 2020-07-05 18:28:25 +02:00
ThibG
4babf5b8b5
Fix lock icon not being shown when locking account in profile settings (#14190) 2020-07-01 13:51:50 +02:00
Eugen Rochko
64aac30733
Add customizable thumbnails for audio and video attachments (#14145)
- Change audio files to not be stripped of metadata
- Automatically extract cover art from audio if it exists
- Add `thumbnail` parameter to `POST /api/v1/media`, `POST /api/v2/media` and `PUT /api/v1/media/:id`
- Add `icon` to represent it in attachments in ActivityPub
- Fix `preview_url` containing URL of missing missing image when there is no thumbnail instead of null
- Fix duration of audio not being displayed on public pages until the file is loaded
2020-06-29 13:56:55 +02:00
Mélanie Chauvel
08cf81f8c1
Improve appearence consistency of settings pages (#13938)
* Fix header button changing header size in settings pages

* Make form buttons look more like a part of the form in settings pages

- Put buttons closer, using same distance as between inputs
- Make buton font size a bit smaller to blend a bit more
- Add the class button to button tags for consisent styling
2020-06-26 00:36:30 +02:00
Takeshi Umeda
418f0a33e9
Add a visibility icon to status (#14123)
* Add a visibility icon to status

* Change to using the icon element

* Fix RTL

* Add a public globe
2020-06-25 22:43:59 +02:00
Eugen Rochko
662a49dc3f
Fix various issues around OpenGraph representation of media (#14133)
- Fix audio attachments not being represented in OpenGraph tags
- Fix audio being represented as "1 image" in OpenGraph descriptions
- Fix video metadata being overwritten by paperclip-av-transcoder
- Fix embedded player not using Mastodon's UI
- Fix audio/video progress bars not moving smoothly
- Fix audio/video buffered bars not displaying correctly
2020-06-25 01:33:01 +02:00
Mélanie Chauvel
ac3c83ef6f
Improve wording and add titles on moderated servers section in /about/more (#13930) 2020-06-09 10:28:02 +02:00
Eugen Rochko
72a7cfaa39
Add e-mail-based sign in challenge for users with disabled 2FA (#14013) 2020-06-09 10:23:06 +02:00
ThibG
8e96510b25
Hide sensitive preview cards with blurhash (#13985)
* Use preview card blurhash in WebUI

* Handle sensitive preview cards
2020-06-06 17:41:56 +02:00
ThibG
bf6745b9c3
Fix unpermitted operations on custom emojis leading to cryptic errors (#13951)
* Display appropriate error when performing unpermitted operation on custom emoji

Fixes #13897

* Remove links to custom emoji actions not performable by moderators
2020-06-05 15:23:27 +02:00
Mélanie Chauvel
77619b1654
Put “Add new domain block” button on /admin/instances in header (#13934) 2020-06-03 20:19:14 +02:00
ThibG
48503384d0
Fix some account avatars on public pages having incorrect size (#13692)
* Fix some account avatars on public pages having incorrect size

* Remove outdated and overridden width and height attributes

* Remove more hardcoded width/height attributes
2020-05-13 21:20:34 +02:00
Eugen Rochko
8be4c2ba21
Add ability to remove identity proofs from account (#13682)
Fix #12613
2020-05-10 11:21:10 +02:00
ThibG
e1629a7758
Remove 'unsafe-inline' from Content-Security-Policy style-src (#13679)
* Make sure wicg-inert doesn't rely on inline CSS

* Remove unsafe-inline from style-src
2020-05-08 21:22:57 +02:00
ThibG
c0b849bdfd
Fix use of inline CSS in public pages (#13576)
Change `account_link_to` to use an image tag rather than some
inline CSS. Dropped the `size` parameter in the process, but it wasn't
used for anything except the default value of 36px.

Dropped CSS rules that were always overriden, and defaulted to 36px width
and height instead.
2020-05-03 22:04:18 +02:00
ThibG
b8ba977497
Fix admin-facing uses of inline CSS (#13575)
* Move .back-button inline styles to CSS file

All occurrences of the back-button CSS class used the same inline
CSS rules, so moved them over to the CSS file

* Fix “Add new domain block” button using inline CSS

* Replace common pattern of inline-styled button boxes by a CSS class

In particular, switching from `float: left/right` to a flexbox with
`justify-content: space-between`. This implied changing the order of
a few HTML tags and adding an empty `div` in one case.

Also removed a `margin-bottom` rule that wasn't needed due to the
margins of surrounding elements.

* Move account admin view inline CSS to CSS file
2020-04-28 19:39:16 +02:00
ThibG
0e362b7678
Fix end-user-facing uses of inline CSS (#13438)
* Move some inline styles to CSS files

* Move default_account_display_name span to fix useless tags with duplicate id

* Change handling of public pages spoiler text from inline CSS to dataset attribute

* Use the `dir` HTML attribute instead of inline CSS

* Move status action bar inline CSS to CSS file

* Hide logo resources from CSS file, not inline CSS

Fixes #11601

* Move translation prompt styling from inline CSS to CSS file

* Move “invited by” styling on registration form from inline to CSS file

* Use the progress tag to display poll results in JS fallback

* Fix poll results JS-less fallback when the user has voted for an option

* Change account public page “moved” notice to use img tags instead of inline CSS

* Move OTP hint inline CSS to SCSS file

* Hide JS-less fallback vote progressbars from accessibility tools

Co-authored-by: Eugen Rochko <eugen@zeonfederated.com>
2020-04-28 10:16:55 +02:00
ThibG
b3d0de8b40
Fix /public showing public instead of community timeline for logged-in users (#13499) 2020-04-28 09:43:45 +02:00
sternenseemann
679980f77c
Allow users to delete their header and avatar (#13234)
This is achieved by sending a DELETE request to
/settings/profile/pictures/{avatar,header} via a link that is part of
the upload form's hint of the respective picture.
2020-04-20 14:03:03 +02:00
Takeshi Umeda
2c7128c7f0
Add local only to hashtag timeline (#13502) 2020-04-18 21:52:39 +02:00
Eugen Rochko
5edff32733
Change delivery failure tracking to work with hostnames instead of URLs (#13437) 2020-04-15 20:33:24 +02:00
ThibG
5524258da9
Fix “Email changed” notification sometimes having wrong e-mail (#13475)
* Fix “Email changed” notification sometimes having wrong e-mail

Fixes #6778

The root of the issue is that `send_devise_notification` was called before
the changes were properly commited to the database, causing the mailer to
pick previous values if running too early.

Devise's documentation provides guidance on how to handle that[1][2], however,
I have found it to not be working, as the following happens, in that order:
- `send_devise_notification` is called for the `email_changed` notification.
  In that case, `changed?` is false and `saved_changes?` is true, so
  if we use the former, we have the same issue.
- the `after_commit` hook is called
- `send_devise_notification` is called for the `confirmation_instructions`
  notification.
  In that case, `changed?` is still false, and `saved_changes?` still true,
  so if we use the latter, that second notification email is simply not
  going to be sent (as we would be queuing the notification *after*
  executing the after_commit hook).

This is because it may be called from either an `after_update` or
`after_commit` hook, the difference not being a call to `save` but the
transaction actually being committed to the database. This may arguably
be a bug in Devise, or Devise's notification.

The proposed workaround is inspired by Devise's documentation but checks
whether a transaction is open to make the call whether to immediately
send the notification or defer it to the `after_commit` hook.

[1]: https://www.rubydoc.info/github/plataformatec/devise/Devise%2FModels%2FAuthenticatable:send_devise_notification
[2]: 406915cb78/lib/devise/models/authenticatable.rb (L133-L194)

* Fix cases when sending notifications without changing the model

* Defer sending if and only if in transaction including current record
2020-04-15 16:13:44 +02:00
ThibG
f7e011919e
Fix account aliases page (#13452)
* Fix error not being displayed when adding an account alias, add error for self-references

Co-Authored-By: Mélanie Chauvel (ariasuni) <perso@hack-libre.org>

* Add “You have no aliases.” note in confusing empty aliases table

Co-Authored-By: Mélanie Chauvel (ariasuni) <perso@hack-libre.org>

Co-authored-by: Mélanie Chauvel (ariasuni) <perso@hack-libre.org>
2020-04-13 06:41:43 +02:00
Leonie
f6c18e8829
Fix API footer link in Web UI (#13441)
Co-authored-by: koyu <me@koyu.spac>
2020-04-12 13:38:14 +02:00
ThibG
9d24bcc5e6
Fix styling of polls in JS-less fallback on public pages (#13436) 2020-04-07 18:21:58 +02:00
Eugen Rochko
f65568f1d4
Add ability to filter audit log in admin UI (#13381) 2020-04-03 13:06:34 +02:00
Sasha Sorokin
37b3985bfa
Improve polls: option lengths & redesign (#13257)
This commit redesign the polls and increases characters limit for the
options from 25 to 50 characters, giving pollsters more freedom.

Summarizing, the redesign is making the polls more adaptive for upcoming
changes to the options characters limit: the bar, or a "chart", is now
displayed separately from the option itself; vote check mark is moved
next to the option text, making the percentages take less space. Option
lengths are taken into account and text is wrapped to multiple lines
if necessary to avoid overflow.
2020-04-02 17:10:55 +02:00
Eugen Rochko
bea0bb39d6
Add option to include resolved DNS records when blacklisting e-mail domains in admin UI (#13254)
* Add shortcuts to blacklist a user's e-mail domain in admin UI

* Add option to blacklist resolved MX and IP records for e-mail domains
2020-03-12 22:35:20 +01:00
Eugen Rochko
f556f79b77
Add titles to warning presets in admin UI (#13252) 2020-03-12 17:57:59 +01:00
guigeekz
e31ba618d4
Add submit button to the top of preferences pages (#13068)
* Move submit button to the top of the edit page

* Duplicate save button on long form

* Fix click submit on profile spec
2020-03-08 16:04:03 +01:00
ThibG
2423d2f677
Add ability to delete files uploaded for settings in admin UI (#13192)
* Allow deleting site uploads

* Refactor and move links into hints

* Fix i18n tests

* Fix HTML output of site_upload_delete_hint
2020-03-08 16:00:24 +01:00
ThibG
4a4cd686c1
Add sorting by username, creation and last activity in moderation view (#13076)
* Add ability to order accounts in moderation view

* Display last status date in “Most recent activity” for remote users
2020-03-08 15:39:13 +01:00
Eugen Rochko
339ce1c4e9
Add specific rate limits for posting and following (#13172) 2020-03-08 15:17:39 +01:00
ThibG
cf4fe6caef
Fix misleading error when attempting to re-send a pending follow request (#13133)
Fixes #13131
2020-02-24 21:19:19 +01:00
ThibG
4dec392ea8
Fix account's bio not being shown if there are no proofs/fields in admin UI (#13075) 2020-02-17 16:38:59 +01:00
ThibG
cb28f61a6c
Fix invite request input not being shown on sign-up error if left empty (#13089)
If the “Why do you want to join?” textarea is left empty and the entered params
do not validate, the textarea isn't shown again, unlike other fields.

This commit fixes that by populating an empty `UserInviteRequest` when needed.
2020-02-16 12:38:22 +01:00
Eugen Rochko
c253f5c57e
Fix punycode being rendered instead of unicode in some places (#13030) 2020-02-03 18:44:54 +01:00
Sasha Sorokin
50cd73e5d7
Add "Show thread" button to public profiles (#13000)
This adds "Show thread" button to the status view which is used in
profiles. The logic to display the button is mimicking logic in
web app available at app/javascript/mastodon/components/status.js#L439.

* The little change in components CSS required to remove enforced
  underline for all links on public pages on our button.
2020-01-29 17:35:54 +01:00
Eugen Rochko
305abc9e05
Fix design of announcements in admin UI (#12989) 2020-01-28 02:21:00 +01:00
Eugen Rochko
663ea84b08
Add publish/unpublish controls to announcements in admin UI (#12967) 2020-01-27 11:05:33 +01:00
ThibG
42d2a915e4 Change last_status_at to be a date, not datetime (#12966)
* Return last_status_at as date, not datetime

* Fix relative timestamp for dates when delay is inferior to 1 day

* Also fix public directory

* Fix error when last_status_at isn't set
2020-01-26 23:13:48 +01:00
Eugen Rochko
ce1dee85b5
Fix relationships page not showing results in admin UI (#12934)
Follow-up to #12927
2020-01-24 00:20:23 +01:00
Eugen Rochko
f52c988e12
Add announcements (#12662)
* Add announcements

Fix #11006

* Add reactions to announcements

* Add admin UI for announcements

* Add unit tests

* Fix issues

- Add `with_dismissed` param to announcements API
- Fix end date not being formatted when time range is given
- Fix announcement delete causing reactions to send streaming updates
- Fix announcements container growing too wide and mascot too small
- Fix `all_day` being settable when no time range is given
- Change text "Update" to "Announcement"

* Fix scheduler unpublishing announcements before they are due

* Fix filter params not being passed to announcements filter
2020-01-23 22:00:13 +01:00
Eugen Rochko
c0006a004d
Change followers page to relationships page in admin UI (#12927)
Allow browsing and filtering all relationships instead of just
followers, unify the codebase with the user-facing relationship
manager, add ability to see who the user invited
2020-01-23 20:33:20 +01:00
ThibG
40852b84bd Fix duplicate “description” meta tag on accounts public pages (#12923)
Fixes #12920
2020-01-22 16:26:23 +01:00
Eugen Rochko
02063c245c
Fix not all of account's active IPs showing up in admin UI (#12909) 2020-01-20 18:00:54 +01:00
ThibG
91e4955e08 Fix admin interface crashing when listing boosts with non-video media attachments (#12907)
Fix regression introduced by #12879
2020-01-20 17:39:14 +01:00
Eugen Rochko
6feafb8802
Various fixes and improvements (#12878)
* Fix unused role routes being generated

* Remove unused JavaScript code

* Refactor filters code to be DRYer

* Fix `.count == 0` comparisons to `.empty?` in views

* Fix filters in views
2020-01-20 15:55:03 +01:00
Eugen Rochko
1ded3bb752
Change reported media attachments to always be hidden in admin UI (#12879)
Also:

- Fix Mastodon logo not showing up in status embeds
- Fix blurhash not being used in status embeds
- Fix blurhash not being used in admin UI
- Fix autoplay param not working correctly on status embeds
2020-01-18 19:50:43 +01:00
Sasha Sorokin
36426ed4ad Use heading actions and placeholders in settings (#12801)
This commit:

- Refactors centered text blocks currently used for placeholders
  for empty tables and puts styles for it in separate class -
  .centered-text, simply aliasing text-align: center. Which is
  furtherly used in this commit.

- Improves applications settings page to use heading actions, moving
  "New application" button there, and displaying placeholder "You
  have no applications" in place of empty table.

- Improves custom emoji settings page to use heading action
  for "Upload" button, making it more easily accessible without
  need to scroll through all of the emojis.

- Improves email domain blocks settings page, moving "Add new" to the
  heading actions and using placeholder "No e-mail domains currently
  blacklisted" instead of showing empty table.
2020-01-11 02:14:45 +01:00
Sasha Sorokin
139f7646a7 Rename page_heading_actions variable (#12799)
Current name - page_heading_actions is long and hard to remember,
this commit shortens it to just heading_actions, which is way more
easier to remember and write, it's logical too.
2020-01-10 01:10:17 +01:00
Sasha Sorokin
345dd93310 Little improvements to filters settings page (#12793)
When you have many filters, it may be hard for you to reach the button
to create yet another one. This commit moves creation button to the
heading, leaving the page just for the list.

On the other hand, when there are no filters, page looks kind of
strange with the empty table. So text stating obvious fact that user
has no filters was added in this commit too.

Closes #11020
Closes #12790
2020-01-07 10:41:19 +01:00
Eugen Rochko
6a8c8dc6fb
Fix cache digesting log noise on status embeds (#12750) 2020-01-03 05:00:17 +01:00