Our previous list visibility resolver grabbed posts if either follower
collection of the user in a list who is followed is in `to` or if
follower collection of the user in a list was in `cc`. This not only
missed unlisted posts but also lead to leaking private posts when
`fix_explicit_addressing` mistakingly started putting follower collections
to `cc` (also fixed in this MR).
Reported by @kurisu@iscute.moe via a DM
As discussed on irc. Unlike Mastodon our web interface for registrations
is using the same APIs regular apps would be using, so 5 requests per 30
minutes per IP could hurt valid use-cases when Pleroma-FE switches to
it. Also enable the endpoint by default, it makes no sense to
have it disabled when
1. TwitterAPI endpoint is there and always enabled
2. Unlike Mastodon, there is no way to get an account without using the APIs (makes me wonder why the setting is even there)
Also in this commit: minor changelog improvements.
Fix leaking private configuration parameters in Mastodon and Twitter APIs, and add new configuration parameters to Mastodon API
This patch:
- Fixes `rights` in TwitterAPI ignoring `show_role`
- Fixes exposing default scope of the user to anyone in Mastodon API
- Extends Mastodon API to be able to show and set `no_rich_text`, `default_scope`, `hide_follows`, `hide_followers`, `hide_favorites` (requested by the FE in #674)
Sorry in advance for 500 line one commit diff, I should have split it up to separate MRs
See merge request pleroma/pleroma!1093
This patch:
- Fixes `rights` in twitterapi ignoring `show_role`
- Fixes exposing default scope of the user to anyone in Mastodon API
- Extends Mastodon API to be able to show and set `no_rich_text`, `default_scope`, `hide_follows`, `hide_followers`, `hide_favorites` (requested by the FE in #674)
Sorry in advance for 500 line one commit diff, I should have split it up to separate MRs
