akkoma/CHANGELOG.md
rinpatch 4baea6e6d9 Fix leaking private configuration parameters in Mastodon and Twitter APIs, and add new configuration parameters to Mastodon API
This patch:
- Fixes `rights` in twitterapi ignoring `show_role`
- Fixes exposing default scope of the user to anyone in Mastodon API
- Extends Mastodon API to be able to show and set `no_rich_text`, `default_scope`, `hide_follows`, `hide_followers`, `hide_favorites` (requested by the FE in #674)

Sorry in advance for the 500-line, one-commit diff; I should have split it up into separate MRs.
2019-04-24 20:01:42 +03:00

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog.

[unreleased]

Added

  • LDAP authentication
  • External OAuth provider authentication
  • A job queue for federation, emails, web push, etc.
  • Prometheus metrics
  • Support for Mastodon's remote interaction
  • Mix Tasks: mix pleroma.database remove_embedded_objects
  • Federation: Support for reports
  • Configuration: safe_dm_mentions option
  • Configuration: link_name option
  • Configuration: fetch_initial_posts option
  • Configuration: notify_email option
  • Pleroma API: User subscriptions
  • Pleroma API: Healthcheck endpoint
  • Admin API: Endpoints for listing/revoking invite tokens
  • Admin API: Endpoints for making users follow/unfollow each other
  • Mastodon API: Scheduled statuses
  • Mastodon API: /api/v1/notifications/destroy_multiple (glitch-soc extension)
  • Mastodon API: /api/v1/pleroma/accounts/:id/favourites (API extension)
  • Mastodon API: Reports
  • ActivityPub C2S: OAuth endpoints
  • Metadata RelMe provider
  • Emoji packs and emoji pack manager

Changed

  • Breaking: Configuration: move from Pleroma.Mailer to Pleroma.Emails.Mailer
  • Enforcement of OAuth scopes
  • Add multiple-use/time-expiring invite tokens
  • Restyled OAuth pages to fit with Pleroma's default theme
  • Link/mention/hashtag detection is now handled by auto_linker
  • NodeInfo: Return safe_dm_mentions feature flag
  • Federation: Expand the audience of delete activities to all recipients of the deleted object
  • Federation: Removed inReplyToStatusId from objects
  • Configuration: Dedupe enabled by default
  • Configuration: Added extra_cookie_attrs for setting non-standard cookie attributes. Defaults to ["SameSite=Lax"] so that remote follows work.
  • Pleroma API: Support for emoji tags in /api/pleroma/emoji resulting in a breaking API change
  • Mastodon API: Support for exclude_types, limit and min_id in /api/v1/notifications
  • Mastodon API: Add languages and registrations to /api/v1/instance
  • Mastodon API: Provide plaintext versions of cw/content in the Status entity
  • Mastodon API: Add pleroma.conversation_id, pleroma.in_reply_to_account_acct fields to the Status entity
  • Mastodon API: Add pleroma.tags, pleroma.relationship{}, pleroma.is_moderator, pleroma.is_admin, pleroma.confirmation_pending, pleroma.hide_followers, pleroma.hide_follows, pleroma.hide_favorites fields to the User entity
  • Mastodon API: Add pleroma.show_role, pleroma.no_rich_text fields to the User entity (when the user is requesting themselves)
  • Mastodon API: Add support for updating no_rich_text, hide_followers, hide_follows, hide_favorites, show_role in PATCH /api/v1/update_credentials
  • Mastodon API: Add pleroma.is_seen to the Notification entity
  • Mastodon API: Add pleroma.local to the Status entity
  • Mastodon API: Add preview parameter to POST /api/v1/statuses
  • Mastodon API: Add with_muted parameter to timeline endpoints
  • Mastodon API: Actual reblog hiding instead of a dummy
  • Mastodon API: Remove attachment limit in the Status entity
  • Deps: Updated Cowboy to 2.6
  • Deps: Updated Ecto to 3.0.7
  • Don't ship finmoji by default, they can be installed as an emoji pack

Fixed

  • Followers counter not being updated when a follower is blocked
  • Deactivated users being able to request an access token
  • Limit on request body in rich media/relme parsers being ignored resulting in a possible memory leak
  • Proper Twitter Card generation instead of a dummy
  • NodeInfo: Include admins in staffAccounts
  • ActivityPub: Crashing when requesting empty local user's outbox
  • Federation: Handling of objects without summary property
  • Federation: Add a language tag to activities as required by ActivityStreams 2.0
  • Federation: Do not federate avatar/banner if set to default allowing other servers/clients to use their defaults
  • Federation: Cope with missing or explicitly nulled address lists
  • Federation: Explicitly ensure activities addressed to as:Public become addressed to the followers collection
  • Federation: Better cope with actors which do not declare a followers collection and use as:Public with these semantics
  • MediaProxy: Parse name from content disposition headers even for non-whitelisted types
  • MediaProxy: S3 link encoding
  • Rich Media: Reject any data which cannot be explicitly encoded into JSON
  • Pleroma API: Importing follows from Mastodon 2.8+
  • Twitter API: Exposing default scope, no_rich_text of the user to anyone
  • Twitter API: Returning the role object in user entity despite show_role = false
  • Mastodon API: /api/v1/favourites serving only public activities
  • Mastodon API: Reblogs having in_reply_to_id - null even when they are replies
  • Mastodon API: Streaming API broadcasting wrong activity id
  • Mastodon API: 500 errors when requesting a card for a private conversation
  • Mastodon API: Handling of reblogs in /api/v1/accounts/:id/follow
  • Mastodon API: Correct reblogged, favourited, and bookmarked values in the reblog status JSON
  • Mastodon API: Exposing default scope of the user to anyone

[0.9.9999] - 2019-04-05

Security

  • Mastodon API: Fix content warnings skipping HTML sanitization

[0.9.999] - 2019-03-13

Frontend changes only.

Added

  • Added floating action button for posting status on mobile

Changed

  • Changed user-settings icon to a pencil

Fixed

  • Keyboard shortcuts activating when typing a message
  • Gaps when scrolling down on a timeline after showing new

[0.9.99] - 2019-03-08

Changed

  • Update the frontend to the 0.9.99 tag

Fixed

  • Sign the date header in federation to fix Mastodon federation.

[0.9.9] - 2019-02-22

This is our first stable release.