Merge branch 'develop' of git.pleroma.social:pleroma/pleroma into features/validators_use_ectotypes

CHANGELOG.md

@@ -17,6 +17,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Configuration: `:media_proxy, whitelist` format changed to host with scheme (e.g. `http://example.com` instead of `example.com`). Domain format is deprecated.
 - **Breaking:** Configuration: `:instance, welcome_user_nickname` moved to `:welcome, :direct_message, :sender_nickname`, `:instance, :welcome_message` moved to `:welcome, :direct_message, :message`. Old config namespace is deprecated.
 - **Breaking:** LDAP: Fallback to local database authentication has been removed for security reasons and lack of a mechanism to ensure the passwords are synchronized when LDAP passwords are updated.
+- **Breaking** Changed defaults for `:restrict_unauthenticated` so that when `:instance, :public` is set to `false` then all `:restrict_unauthenticated` items be effectively set to `true`. If you'd like to allow unauthenticated access to specific API endpoints on a private instance, please explicitly set `:restrict_unauthenticated` to non-default value in `config/prod.secret.exs`. 
 
 <details>
   <summary>API Changes</summary>
@@ -105,6 +106,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Fix edge case where MediaProxy truncates media, usually caused when Caddy is serving content for the other Federated instance.
 - Emoji Packs could not be listed when instance was set to `public: false`
 - Fix whole_word always returning false on filter get requests
+- Migrations not working on OTP releases if the database was connected over ssl
 
 ## [Unreleased (patch)]
 

config/config.exs

@@ -725,10 +725,12 @@
     timeout: 300_000
   ]
 
+private_instance? = :if_instance_is_private
+
 config :pleroma, :restrict_unauthenticated,
-  timelines: %{local: false, federated: false},
-  profiles: %{local: false, remote: false},
-  activities: %{local: false, remote: false}
+  timelines: %{local: private_instance?, federated: private_instance?},
+  profiles: %{local: private_instance?, remote: private_instance?},
+  activities: %{local: private_instance?, remote: private_instance?}
 
 config :pleroma, Pleroma.Web.ApiSpec.CastAndValidate, strict: false
 

docs/API/admin_api.md

@@ -1266,11 +1266,14 @@ Loads json generated from `config/descriptions.exs`.
 - Params:
 - *optional* `page`: **integer** page number
 - *optional* `page_size`: **integer** number of log entries per page (default is `50`)
+- *optional* `query`: **string** search term
 
 - Response:
 
 ``` json
 {
+  "page_size": integer,
+  "count": integer,
   "urls": [
     "http://example.com/media/a688346.jpg",
     "http://example.com/media/fb1f4d.jpg"
@@ -1290,12 +1293,7 @@ Loads json generated from `config/descriptions.exs`.
 - Response:
 
 ``` json
-{
-  "urls": [
-    "http://example.com/media/a688346.jpg",
-    "http://example.com/media/fb1f4d.jpg"
-  ]
-}
+{ }
 
 ```
 
@@ -1311,11 +1309,6 @@ Loads json generated from `config/descriptions.exs`.
 - Response:
 
 ``` json
-{
-  "urls": [
-    "http://example.com/media/a688346.jpg",
-    "http://example.com/media/fb1f4d.jpg"
-  ]
-}
+{ }
 
 ```

docs/administration/CLI_tasks/config.md

@@ -11,15 +11,18 @@
     config :pleroma, configurable_from_database: true
     ```
 
-```sh tab="OTP"
+=== "OTP"
+
+    ```sh
     ./bin/pleroma_ctl config migrate_to_db
     ```
 
-```sh tab="From Source"
+=== "From Source"
+
+    ```sh
     mix pleroma.config migrate_to_db
     ```
 
-
 ## Transfer config from DB to `config/env.exported_from_db.secret.exs`
 
 !!! note
@@ -31,10 +34,12 @@ mix pleroma.config migrate_to_db
 
 To delete transfered settings from database optional flag `-d` can be used. `<env>` is `prod` by default.
 
-```sh tab="OTP"
+=== "OTP"
+    ```sh
      ./bin/pleroma_ctl config migrate_from_db [--env=<env>] [-d]
     ```
 
-```sh tab="From Source"
+=== "From Source"
+    ```sh
     mix pleroma.config migrate_from_db [--env=<env>] [-d]
     ```

docs/administration/CLI_tasks/database.md

@@ -9,14 +9,19 @@
 
 Replaces embedded objects with references to them in the `objects` table. Only needs to be ran once if the instance was created before Pleroma 1.0.5. The reason why this is not a migration is because it could significantly increase the database size after being ran, however after this `VACUUM FULL` will be able to reclaim about 20% (really depends on what is in the database, your mileage may vary) of the db size before the migration.
 
-```sh tab="OTP"
+=== "OTP"
+
+    ```sh
     ./bin/pleroma_ctl database remove_embedded_objects [option ...]
     ```
 
-```sh tab="From Source"
+=== "From Source"
+
+    ```sh
     mix pleroma.database remove_embedded_objects [option ...]
     ```
 
+
 ### Options
 - `--vacuum` - run `VACUUM FULL` after the embedded objects are replaced with their references
 
@@ -27,11 +32,15 @@ This will prune remote posts older than 90 days (configurable with [`config :ple
 !!! danger
     The disk space will only be reclaimed after `VACUUM FULL`. You may run out of disk space during the execution of the task or vacuuming if you don't have about 1/3rds of the database size free.
 
-```sh tab="OTP"
+=== "OTP"
+
+    ```sh
     ./bin/pleroma_ctl database prune_objects [option ...]
     ```
 
-```sh tab="From Source"
+=== "From Source"
+
+    ```sh
     mix pleroma.database prune_objects [option ...]
     ```
 
@@ -42,31 +51,43 @@ mix pleroma.database prune_objects [option ...]
 
 Can be safely re-run
 
-```sh tab="OTP"
+=== "OTP"
+
+    ```sh
     ./bin/pleroma_ctl database bump_all_conversations
     ```
 
-```sh tab="From Source"
+=== "From Source"
+
+    ```sh
     mix pleroma.database bump_all_conversations
     ```
 
 ## Remove duplicated items from following and update followers count for all users
 
-```sh tab="OTP"
+=== "OTP"
+
+    ```sh
     ./bin/pleroma_ctl database update_users_following_followers_counts
     ```
 
-```sh tab="From Source"
+=== "From Source"
+
+    ```sh
     mix pleroma.database update_users_following_followers_counts
     ```
 
 ## Fix the pre-existing "likes" collections for all objects
 
-```sh tab="OTP"
+=== "OTP"
+
+    ```sh
     ./bin/pleroma_ctl database fix_likes_collections
     ```
 
-```sh tab="From Source"
+=== "From Source"
+
+    ```sh
     mix pleroma.database fix_likes_collections
     ```
 
@@ -76,11 +97,15 @@ mix pleroma.database fix_likes_collections
 
 Running an `analyze` vacuum job can improve performance by updating statistics used by the query planner. **It is safe to cancel this.**
 
-```sh tab="OTP"
+=== "OTP"
+
+    ```sh
     ./bin/pleroma_ctl database vacuum analyze
     ```
 
-```sh tab="From Source"
+=== "From Source"
+
+    ```sh
     mix pleroma.database vacuum analyze
     ```
 
@@ -91,20 +116,28 @@ and more compact files with an optimized layout. This process will take a long t
 it builds the files side-by-side the existing database files. It can make your database faster and use less disk space,
 but should only be run if necessary. **It is safe to cancel this.**
 
-```sh tab="OTP"
+=== "OTP"
+
+    ```sh
     ./bin/pleroma_ctl database vacuum full
     ```
 
-```sh tab="From Source"
+=== "From Source"
+
+    ```sh
     mix pleroma.database vacuum full
     ```
 
 ## Add expiration to all local statuses
 
-```sh tab="OTP"
+=== "OTP"
+
+    ```sh
     ./bin/pleroma_ctl database ensure_expiration
     ```
 
-```sh tab="From Source"
+=== "From Source"
+
+    ```sh
     mix pleroma.database ensure_expiration
     ```

docs/administration/CLI_tasks/digest.md

@@ -4,22 +4,30 @@
 
 ## Send digest email since given date (user registration date by default) ignoring user activity status.
 
-```sh tab="OTP"
+=== "OTP"
+
+    ```sh
      ./bin/pleroma_ctl digest test <nickname> [since_date]
     ```
 
-```sh tab="From Source"
+=== "From Source"
+
+    ```sh
     mix pleroma.digest test <nickname> [since_date]
     ```
 
 
 Example: 
 
-```sh tab="OTP"
+=== "OTP"
+
+    ```sh
     ./bin/pleroma_ctl digest test donaldtheduck 2019-05-20
     ```
 
-```sh tab="From Source"
+=== "From Source"
+
+    ```sh
     mix pleroma.digest test donaldtheduck 2019-05-20
     ```
 

docs/administration/CLI_tasks/email.md

@@ -4,21 +4,29 @@
 
 ## Send test email (instance email by default)
 
-```sh tab="OTP"
+=== "OTP"
+
+    ```sh
      ./bin/pleroma_ctl email test [--to <destination email address>]
     ```
 
-```sh tab="From Source"
+=== "From Source"
+
+    ```sh
     mix pleroma.email test [--to <destination email address>]
     ```
 
 
 Example: 
 
-```sh tab="OTP"
+=== "OTP"
+
+    ```sh
     ./bin/pleroma_ctl email test --to root@example.org
     ```
 
-```sh tab="From Source"
+=== "From Source"
+
+    ```sh
     mix pleroma.email test --to root@example.org
     ```

docs/administration/CLI_tasks/emoji.md

@@ -4,11 +4,13 @@
 
 ## Lists emoji packs and metadata specified in the manifest
 
-```sh tab="OTP"
+=== "OTP"
+    ```sh
     ./bin/pleroma_ctl emoji ls-packs [option ...]
     ```
 
-```sh tab="From Source"
+=== "From Source"
+    ```sh
     mix pleroma.emoji ls-packs [option ...]
     ```
 
@@ -18,11 +20,13 @@ mix pleroma.emoji ls-packs [option ...]
 
 ## Fetch, verify and install the specified packs from the manifest into `STATIC-DIR/emoji/PACK-NAME`
 
-```sh tab="OTP"
+=== "OTP"
+    ```sh
     ./bin/pleroma_ctl emoji get-packs [option ...] <pack ...>
     ```
 
-```sh tab="From Source"
+=== "From Source"
+    ```sh
     mix pleroma.emoji get-packs [option ...] <pack ...>
     ```
 
@@ -31,11 +35,13 @@ mix pleroma.emoji get-packs [option ...] <pack ...>
 
 ## Create a new manifest entry and a file list from the specified remote pack file
 
-```sh tab="OTP"
+=== "OTP"
+    ```sh
     ./bin/pleroma_ctl emoji gen-pack PACK-URL
     ```
 
-```sh tab="From Source"
+=== "From Source"
+    ```sh
     mix pleroma.emoji gen-pack PACK-URL
     ```
 
@@ -47,7 +53,8 @@ Currently, only .zip archives are recognized as remote pack files and packs are
 
 ## Reload emoji packs
 
-```sh tab="OTP"
+=== "OTP"
+    ```sh
     ./bin/pleroma_ctl emoji reload
     ```
 

docs/administration/CLI_tasks/instance.md

@@ -3,11 +3,15 @@
 {! backend/administration/CLI_tasks/general_cli_task_info.include !}
 
 ## Generate a new configuration file
-```sh tab="OTP"
+=== "OTP"
+
+    ```sh
      ./bin/pleroma_ctl instance gen [option ...]
     ```
 
-```sh tab="From Source"
+=== "From Source"
+
+    ```sh
     mix pleroma.instance gen [option ...]
     ```
 

docs/administration/CLI_tasks/oauth_app.md

@@ -7,10 +7,14 @@
 Optional params:
   * `-s SCOPES` - scopes for app, e.g. `read,write,follow,push`.
 
-```sh tab="OTP"
+=== "OTP"
+
+    ```sh
      ./bin/pleroma_ctl app create -n APP_NAME -r REDIRECT_URI
     ```
 
-```sh tab="From Source"
+=== "From Source"
+
+    ```sh
     mix pleroma.app create -n APP_NAME -r REDIRECT_URI
     ```

docs/administration/CLI_tasks/relay.md

@@ -4,30 +4,42 @@
 
 ## Follow a relay
 
-```sh tab="OTP"
+=== "OTP"
+
+    ```sh
     ./bin/pleroma_ctl relay follow <relay_url>
     ```
 
-```sh tab="From Source"
+=== "From Source"
+
+    ```sh
     mix pleroma.relay follow <relay_url>
     ```
 
 ## Unfollow a remote relay
 
-```sh tab="OTP"
+=== "OTP"
+
+    ```sh
     ./bin/pleroma_ctl relay unfollow <relay_url>
     ```
 
-```sh tab="From Source"
+=== "From Source"
+
+    ```sh
     mix pleroma.relay unfollow <relay_url>
     ```
 
 ## List relay subscriptions
 
-```sh tab="OTP"
+=== "OTP"
+
+    ```sh
     ./bin/pleroma_ctl relay list
     ```
 
-```sh tab="From Source"
+=== "From Source"
+
+    ```sh
     mix pleroma.relay list
     ```

docs/administration/CLI_tasks/robots_txt.md

@@ -8,10 +8,14 @@ The `robots.txt` that ships by default is permissive. It allows well-behaved sea
 
 If you want to generate a restrictive `robots.txt`, you can run the following mix task. The generated `robots.txt` will be written in your instance [static directory](../../../configuration/static_dir/).
 
-```elixir tab="OTP"
+=== "OTP"
+
+    ```sh
     ./bin/pleroma_ctl robots_txt disallow_all
     ```
 
-```elixir tab="From Source"
+=== "From Source"
+
+    ```sh
     mix pleroma.robots_txt disallow_all
     ```

docs/administration/CLI_tasks/uploads.md

@@ -3,11 +3,15 @@
 {! backend/administration/CLI_tasks/general_cli_task_info.include !}
 
 ## Migrate uploads from local to remote storage
-```sh tab="OTP"
+=== "OTP"
+
+    ```sh
      ./bin/pleroma_ctl uploads migrate_local <target_uploader> [option ...]
     ```
 
-```sh tab="From Source"
+=== "From Source"
+
+    ```sh
     mix pleroma.uploads migrate_local <target_uploader> [option ...]
     ```
 

docs/administration/CLI_tasks/user.md

@@ -4,11 +4,15 @@
 
 ## Create a user
 
-```sh tab="OTP"
+=== "OTP"
+
+    ```sh
     ./bin/pleroma_ctl user new <nickname> <email> [option ...]
     ```
 
-```sh tab="From Source"
+=== "From Source"
+
+    ```sh
     mix pleroma.user new <nickname> <email> [option ...]
     ```
 
@@ -22,21 +26,31 @@ mix pleroma.user new <nickname> <email> [option ...]
 - `-y`, `--assume-yes`/`--no-assume-yes` - whether to assume yes to all questions
 
 ## List local users
-```sh tab="OTP"
+
+=== "OTP"
+
+    ```sh
      ./bin/pleroma_ctl user list
     ```
 
-```sh tab="From Source"
+=== "From Source"
+
+    ```sh
     mix pleroma.user list
     ```
 
 
 ## Generate an invite link
-```sh tab="OTP"
+
+=== "OTP"
+
+    ```sh
      ./bin/pleroma_ctl user invite [option ...]
     ```
 
-```sh tab="From Source"
+=== "From Source"
+
+    ```sh
     mix pleroma.user invite [option ...]
     ```
 
@@ -46,111 +60,166 @@ mix pleroma.user invite [option ...]
 - `--max-use NUMBER` - maximum numbers of token uses
 
 ## List generated invites
-```sh tab="OTP"
+
+=== "OTP"
+
+    ```sh
      ./bin/pleroma_ctl user invites
     ```
 
-```sh tab="From Source"
+=== "From Source"
+
+    ```sh
     mix pleroma.user invites
     ```
 
 
 ## Revoke invite
-```sh tab="OTP"
+
+=== "OTP"
+
+    ```sh
      ./bin/pleroma_ctl user revoke_invite <token>
     ```
 
-```sh tab="From Source"
+=== "From Source"
+
+    ```sh
     mix pleroma.user revoke_invite <token>
     ```
 
 
 ## Delete a user
-```sh tab="OTP"
+
+=== "OTP"
+
+    ```sh
      ./bin/pleroma_ctl user rm <nickname>
     ```
 
-```sh tab="From Source"
+=== "From Source"
+
+    ```sh
     mix pleroma.user rm <nickname>
     ```
 
 
 ## Delete user's posts and interactions
-```sh tab="OTP"
+
+=== "OTP"
+
+    ```sh
      ./bin/pleroma_ctl user delete_activities <nickname>
     ```
 
-```sh tab="From Source"
+=== "From Source"
+
+    ```sh
     mix pleroma.user delete_activities <nickname>
     ```
 
 
 ## Sign user out from all applications (delete user's OAuth tokens and authorizations)
-```sh tab="OTP"
+
+=== "OTP"
+
+    ```sh
      ./bin/pleroma_ctl user sign_out <nickname>
     ```
 
-```sh tab="From Source"
+=== "From Source"
+
+    ```sh
     mix pleroma.user sign_out <nickname>
     ```
 
 
 ## Deactivate or activate a user
-```sh tab="OTP"
+
+=== "OTP"
+
+    ```sh
      ./bin/pleroma_ctl user toggle_activated <nickname>
     ```
 
-```sh tab="From Source"
+=== "From Source"
+
+    ```sh
     mix pleroma.user toggle_activated <nickname>
     ```
 
 
 ## Deactivate a user and unsubscribes local users from the user
-```sh tab="OTP"
+
+=== "OTP"
+
+    ```sh
      ./bin/pleroma_ctl user deactivate NICKNAME
     ```
 
-```sh tab="From Source"
+=== "From Source"
+
+    ```sh
     mix pleroma.user deactivate NICKNAME
     ```
 
 
 ## Deactivate all accounts from an instance and unsubscribe local users on it
-```sh tab="OTP"
+
+=== "OTP"
+
+    ```sh
      ./bin/pleroma_ctl user deactivate_all_from_instance <instance>
     ```
 
-```sh tab="From Source"
+=== "From Source"
+
+    ```sh
     mix pleroma.user deactivate_all_from_instance <instance>
     ```
 
 
 ## Create a password reset link for user
-```sh tab="OTP"
+
+=== "OTP"
+
+    ```sh
      ./bin/pleroma_ctl user reset_password <nickname>
     ```
 
-```sh tab="From Source"
+=== "From Source"
+
+    ```sh
     mix pleroma.user reset_password <nickname>
     ```
 
 
 ## Disable Multi Factor Authentication (MFA/2FA) for a user
-```sh tab="OTP"
+
+=== "OTP"
+
+    ```sh
      ./bin/pleroma_ctl user reset_mfa <nickname>
     ```
 
-```sh tab="From Source"
+=== "From Source"
+
+    ```sh
     mix pleroma.user reset_mfa <nickname>
     ```
 
 
 ## Set the value of the given user's settings
-```sh tab="OTP"
+
+=== "OTP"
+
+    ```sh
      ./bin/pleroma_ctl user set <nickname> [option ...]
     ```
 
-```sh tab="From Source"
+=== "From Source"
+
+    ```sh
     mix pleroma.user set <nickname> [option ...]
     ```
 
@@ -160,30 +229,45 @@ mix pleroma.user set <nickname> [option ...]
 - `--admin`/`--no-admin` - whether the user should be an admin
 
 ## Add tags to a user
-```sh tab="OTP"
+
+=== "OTP"
+
+    ```sh
      ./bin/pleroma_ctl user tag <nickname> <tags>
     ```
 
-```sh tab="From Source"
+=== "From Source"
+
+    ```sh
     mix pleroma.user tag <nickname> <tags>
     ```
 
 
 ## Delete tags from a user
-```sh tab="OTP"
+
+=== "OTP"
+
+    ```sh
      ./bin/pleroma_ctl user untag <nickname> <tags>
     ```
 
-```sh tab="From Source"
+=== "From Source"
+
+    ```sh
     mix pleroma.user untag <nickname> <tags>
     ```
 
 
 ## Toggle confirmation status of the user
-```sh tab="OTP"
+
+=== "OTP"
+
+    ```sh
      ./bin/pleroma_ctl user toggle_confirmed <nickname>
     ```
 
-```sh tab="From Source"
+=== "From Source"
+
+    ```sh
     mix pleroma.user toggle_confirmed <nickname>
     ```

docs/configuration/cheatsheet.md

@@ -38,7 +38,7 @@ To add configuration to your config file, you can copy it from the base config.
 * `federation_incoming_replies_max_depth`: Max. depth of reply-to activities fetching on incoming federation, to prevent out-of-memory situations while fetching very long threads. If set to `nil`, threads of any depth will be fetched. Lower this value if you experience out-of-memory crashes.
 * `federation_reachability_timeout_days`: Timeout (in days) of each external federation target being unreachable prior to pausing federating to it.
 * `allow_relay`: Enable Pleroma’s Relay, which makes it possible to follow a whole instance.
-* `public`: Makes the client API in authenticated mode-only except for user-profiles. Useful for disabling the Local Timeline and The Whole Known Network. See also: `restrict_unauthenticated`.
+* `public`: Makes the client API in authenticated mode-only except for user-profiles. Useful for disabling the Local Timeline and The Whole Known Network. Note that there is a dependent setting restricting or allowing unauthenticated access to specific resources, see `restrict_unauthenticated` for more details.
 * `quarantined_instances`: List of ActivityPub instances where private (DMs, followers-only) activities will not be send.
 * `managed_config`: Whenether the config for pleroma-fe is configured in [:frontend_configurations](#frontend_configurations) or in ``static/config.json``.
 * `allowed_post_formats`: MIME-type list of formats allowed to be posted (transformed into HTML).
@@ -1051,6 +1051,8 @@ Restrict access for unauthenticated users to timelines (public and federated), u
   * `local`
   * `remote`
 
+Note: when `:instance, :public` is set to `false`, all `:restrict_unauthenticated` items be effectively set to `true` by default. If you'd like to allow unauthenticated access to specific API endpoints on a private instance, please explicitly set `:restrict_unauthenticated` to non-default value in `config/prod.secret.exs`.
+
 Note: setting `restrict_unauthenticated/timelines/local` to `true` has no practical sense if `restrict_unauthenticated/timelines/federated` is set to `false` (since local public activities will still be delivered to unauthenticated users as part of federated timeline).
 
 ## Pleroma.Web.ApiSpec.CastAndValidate

docs/configuration/static_dir.md

@@ -4,14 +4,18 @@ Static frontend files are shipped with pleroma. If you want to overwrite or upda
 
 You can find the location of the static directory in the [configuration](../cheatsheet/#instance).
 
-```elixir tab="OTP"
+=== "OTP"
+
+    ```elixir
     config :pleroma, :instance,
-  static_dir: "/var/lib/pleroma/static/",
+      static_dir: "/var/lib/pleroma/static/"
     ```
 
-```elixir tab="From Source"
+=== "From Source"
+
+    ```elixir
     config :pleroma, :instance,
-  static_dir: "instance/static/",
+    static_dir: "instance/static/"
     ```
 
 Alternatively, you can overwrite this value in your configuration to use a different static instance directory.

docs/installation/migrating_from_source_otp_en.md

@@ -8,11 +8,13 @@ You will be running commands as root. If you aren't root already, please elevate
 
 The system needs to have `curl` and `unzip` installed for downloading and unpacking release builds.
 
-```sh tab="Alpine"
+=== "Alpine"
+    ```sh
     apk add curl unzip
     ```
 
-```sh tab="Debian/Ubuntu"
+=== "Debian/Ubuntu"
+    ```sh
     apt install curl unzip
     ```
 
@@ -110,7 +112,8 @@ OTP releases have different service files than from-source installs so they need
 
 **Warning:** The service files assume pleroma user's home directory is `/opt/pleroma`, please make sure all paths fit your installation.
 
-```sh tab="Alpine"
+=== "Alpine"
+    ```sh
     # Copy the service into a proper directory
     cp -f ~pleroma/installation/init.d/pleroma /etc/init.d/pleroma
 
@@ -118,7 +121,8 @@ cp -f ~pleroma/installation/init.d/pleroma /etc/init.d/pleroma
     rc-service pleroma start
     ```
 
-```sh tab="Debian/Ubuntu"
+=== "Debian/Ubuntu"
+    ```sh
     # Copy the service into a proper directory
     cp ~pleroma/installation/pleroma.service /etc/systemd/system/pleroma.service
 

docs/installation/otp_en.md

@@ -28,13 +28,15 @@ Other than things bundled in the OTP release Pleroma depends on:
 * nginx (could be swapped with another reverse proxy but this guide covers only it)
 * certbot (for Let's Encrypt certificates, could be swapped with another ACME client, but this guide covers only it)
 
-```sh tab="Alpine"
+=== "Alpine"
+    ```
     echo "http://nl.alpinelinux.org/alpine/latest-stable/community" >> /etc/apk/repositories
     apk update
     apk add curl unzip ncurses postgresql postgresql-contrib nginx certbot
     ```
 
-```sh tab="Debian/Ubuntu"
+=== "Debian/Ubuntu"
+    ```
     apt install curl unzip libncurses5 postgresql postgresql-contrib nginx certbot
     ```
 
@@ -47,7 +49,8 @@ apt install curl unzip libncurses5 postgresql postgresql-contrib nginx certbot
 
 RUM indexes are an alternative indexing scheme that is not included in PostgreSQL by default. You can read more about them on the [Configuration page](../configuration/cheatsheet.md#rum-indexing-for-full-text-search). They are completely optional and most of the time are not worth it, especially if you are running a single user instance (unless you absolutely need ordered search results).
 
-```sh tab="Alpine"
+=== "Alpine"
+    ```
     apk add git build-base postgresql-dev
     git clone https://github.com/postgrespro/rum /tmp/rum
     cd /tmp/rum
@@ -57,7 +60,8 @@ cd
     rm -r /tmp/rum
     ```
 
-```sh tab="Debian/Ubuntu"
+=== "Debian/Ubuntu"
+    ```
     # Available only on Buster/19.04
     apt install postgresql-11-rum
     ```
@@ -65,11 +69,13 @@ apt install postgresql-11-rum
 #### (Optional) Performance configuration
 It is encouraged to check [Optimizing your PostgreSQL performance](../configuration/postgresql.md) document, for tips on PostgreSQL tuning.
 
-```sh tab="Alpine"
+=== "Alpine"
+    ```
     rc-service postgresql restart
     ```
 
-```sh tab="Debian/Ubuntu"
+=== "Debian/Ubuntu"
+    ```
     systemctl restart postgresql
     ```
 
@@ -151,11 +157,13 @@ certbot certonly --standalone --preferred-challenges http -d yourinstance.tld
 
 The location of nginx configs is dependent on the distro
 
-```sh tab="Alpine"
+=== "Alpine"
+    ```
     cp /opt/pleroma/installation/pleroma.nginx /etc/nginx/conf.d/pleroma.conf
     ```
 
-```sh tab="Debian/Ubuntu"
+=== "Debian/Ubuntu"
+    ```
     cp /opt/pleroma/installation/pleroma.nginx /etc/nginx/sites-available/pleroma.conf
     ln -s /etc/nginx/sites-available/pleroma.conf /etc/nginx/sites-enabled/pleroma.conf
     ```
@@ -175,11 +183,13 @@ nginx -t
 ```
 #### Start nginx
 
-```sh tab="Alpine"
+=== "Alpine"
+    ```
     rc-service nginx start
     ```
 
-```sh tab="Debian/Ubuntu"
+=== "Debian/Ubuntu"
+    ```
     systemctl start nginx
     ```
 
@@ -187,7 +197,8 @@ At this point if you open your (sub)domain in a browser you should see a 502 err
 
 ### Setting up a system service
 
-```sh tab="Alpine"
+=== "Alpine"
+    ```
     # Copy the service into a proper directory
     cp /opt/pleroma/installation/init.d/pleroma /etc/init.d/pleroma
 
@@ -196,7 +207,8 @@ rc-service pleroma start
     rc-update add pleroma
     ```
 
-```sh tab="Debian/Ubuntu"
+=== "Debian/Ubuntu"
+    ```
     # Copy the service into a proper directory
     cp /opt/pleroma/installation/pleroma.service /etc/systemd/system/pleroma.service
 
@@ -223,7 +235,8 @@ $EDITOR path-to-nginx-config
 nginx -t
 ```
 
-```sh tab="Alpine"
+=== "Alpine"
+    ```
     # Restart nginx
     rc-service nginx restart
 
@@ -244,7 +257,8 @@ chmod +x /etc/periodic/daily/renew-pleroma-cert
     run-parts --test /etc/periodic/daily
     ```
 
-```sh tab="Debian/Ubuntu"
+=== "Debian/Ubuntu"
+    ```
     # Restart nginx
     systemctl restart nginx
 

lib/mix/tasks/pleroma/ecto/migrate.ex

@@ -41,6 +41,10 @@ def run(args \\ []) do
     load_pleroma()
     {opts, _} = OptionParser.parse!(args, strict: @switches, aliases: @aliases)
 
+    if Application.get_env(:pleroma, Pleroma.Repo)[:ssl] do
+      Application.ensure_all_started(:ssl)
+    end
+
     opts =
       if opts[:to] || opts[:step] || opts[:all],
         do: opts,

lib/mix/tasks/pleroma/ecto/rollback.ex

@@ -40,6 +40,10 @@ def run(args \\ []) do
     load_pleroma()
     {opts, _} = OptionParser.parse!(args, strict: @switches, aliases: @aliases)
 
+    if Application.get_env(:pleroma, Pleroma.Repo)[:ssl] do
+      Application.ensure_all_started(:ssl)
+    end
+
     opts =
       if opts[:to] || opts[:step] || opts[:all],
         do: opts,

lib/pleroma/config.ex

@@ -81,6 +81,16 @@ def delete(key) do
     Application.delete_env(:pleroma, key)
   end
 
+  def restrict_unauthenticated_access?(resource, kind) do
+    setting = get([:restrict_unauthenticated, resource, kind])
+
+    if setting in [nil, :if_instance_is_private] do
+      !get!([:instance, :public])
+    else
+      setting
+    end
+  end
+
   def oauth_consumer_strategies, do: get([:auth, :oauth_consumer_strategies], [])
 
   def oauth_consumer_enabled?, do: oauth_consumer_strategies() != []

lib/pleroma/upload/filter/mogrifun.ex

@@ -6,6 +6,10 @@ defmodule Pleroma.Upload.Filter.Mogrifun do
   @behaviour Pleroma.Upload.Filter
   alias Pleroma.Upload.Filter
 
+  @moduledoc """
+  This module is just an example of an Upload filter. It's not supposed to be used in production.
+  """
+
   @filters [
     {"implode", "1"},
     {"-raise", "20"},

lib/pleroma/user.ex

@@ -311,10 +311,12 @@ def visible_for(%User{} = user, for_user) do
 
   def visible_for(_, _), do: :invisible
 
-  defp restrict_unauthenticated?(%User{local: local}) do
-    config_key = if local, do: :local, else: :remote
+  defp restrict_unauthenticated?(%User{local: true}) do
+    Config.restrict_unauthenticated_access?(:profiles, :local)
+  end
 
-    Config.get([:restrict_unauthenticated, :profiles, config_key], false)
+  defp restrict_unauthenticated?(%User{local: _}) do
+    Config.restrict_unauthenticated_access?(:profiles, :remote)
   end
 
   defp visible_account_status(user) do

lib/pleroma/web/activity_pub/visibility.ex

@@ -59,12 +59,9 @@ def visible_for_user?(%{data: %{"listMessage" => list_ap_id}} = activity, %User{
   end
 
   def visible_for_user?(%{local: local} = activity, nil) do
-    cfg_key =
-      if local,
-        do: :local,
-        else: :remote
+    cfg_key = if local, do: :local, else: :remote
 
-    if Pleroma.Config.get([:restrict_unauthenticated, :activities, cfg_key]),
+    if Pleroma.Config.restrict_unauthenticated_access?(:activities, cfg_key),
       do: false,
       else: is_public?(activity)
   end

lib/pleroma/web/admin_api/controllers/media_proxy_cache_controller.ex

@@ -26,29 +26,40 @@ defmodule Pleroma.Web.AdminAPI.MediaProxyCacheController do
   defdelegate open_api_operation(action), to: Spec.MediaProxyCacheOperation
 
   def index(%{assigns: %{user: _}} = conn, params) do
-    cursor =
-      :banned_urls_cache
-      |> :ets.table([{:traverse, {:select, Cachex.Query.create(true, :key)}}])
-      |> :qlc.cursor()
+    entries = fetch_entries(params)
+    urls = paginate_entries(entries, params.page, params.page_size)
 
-    urls =
-      case params.page do
-        1 ->
-          :qlc.next_answers(cursor, params.page_size)
-
-        _ ->
-          :qlc.next_answers(cursor, (params.page - 1) * params.page_size)
-          :qlc.next_answers(cursor, params.page_size)
+    render(conn, "index.json",
+      urls: urls,
+      page_size: params.page_size,
+      count: length(entries)
+    )
   end
 
-    :qlc.delete_cursor(cursor)
+  defp fetch_entries(params) do
+    MediaProxy.cache_table()
+    |> Cachex.stream!(Cachex.Query.create(true, :key))
+    |> filter_entries(params[:query])
+  end
 
-    render(conn, "index.json", urls: urls)
+  defp filter_entries(stream, query) when is_binary(query) do
+    regex = ~r/#{query}/i
+
+    stream
+    |> Enum.filter(fn url -> String.match?(url, regex) end)
+    |> Enum.to_list()
+  end
+
+  defp filter_entries(stream, _), do: Enum.to_list(stream)
+
+  defp paginate_entries(entries, page, page_size) do
+    offset = page_size * (page - 1)
+    Enum.slice(entries, offset, page_size)
   end
 
   def delete(%{assigns: %{user: _}, body_params: %{urls: urls}} = conn, _) do
     MediaProxy.remove_from_banned_urls(urls)
-    render(conn, "index.json", urls: urls)
+    json(conn, %{})
   end
 
   def purge(%{assigns: %{user: _}, body_params: %{urls: urls, ban: ban}} = conn, _) do
@@ -58,6 +69,6 @@ def purge(%{assigns: %{user: _}, body_params: %{urls: urls, ban: ban}} = conn, _
       MediaProxy.put_in_banned_urls(urls)
     end
 
-    render(conn, "index.json", urls: urls)
+    json(conn, %{})
   end
 end

lib/pleroma/web/admin_api/views/media_proxy_cache_view.ex

@@ -5,7 +5,11 @@
 defmodule Pleroma.Web.AdminAPI.MediaProxyCacheView do
   use Pleroma.Web, :view
 
-  def render("index.json", %{urls: urls}) do
-    %{urls: urls}
+  def render("index.json", %{urls: urls, page_size: page_size, count: count}) do
+    %{
+      urls: urls,
+      count: count,
+      page_size: page_size
+    }
   end
 end

lib/pleroma/web/api_spec/operations/admin/media_proxy_cache_operation.ex

@@ -21,6 +21,12 @@ def index_operation do
       operationId: "AdminAPI.MediaProxyCacheController.index",
       security: [%{"oAuth" => ["read:media_proxy_caches"]}],
       parameters: [
+        Operation.parameter(
+          :query,
+          :query,
+          %Schema{type: :string, default: nil},
+          "Page"
+        ),
         Operation.parameter(
           :page,
           :query,
@@ -36,7 +42,26 @@ def index_operation do
         | admin_api_params()
       ],
       responses: %{
-        200 => success_response()
+        200 =>
+          Operation.response(
+            "Array of banned MediaProxy URLs in Cachex",
+            "application/json",
+            %Schema{
+              type: :object,
+              properties: %{
+                count: %Schema{type: :integer},
+                page_size: %Schema{type: :integer},
+                urls: %Schema{
+                  type: :array,
+                  items: %Schema{
+                    type: :string,
+                    format: :uri,
+                    description: "MediaProxy URLs"
+                  }
+                }
+              }
+            }
+          )
       }
     }
   end
@@ -61,7 +86,7 @@ def delete_operation do
           required: true
         ),
       responses: %{
-        200 => success_response(),
+        200 => empty_object_response(),
         400 => Operation.response("Error", "application/json", ApiError)
       }
     }
@@ -88,25 +113,9 @@ def purge_operation do
           required: true
         ),
       responses: %{
-        200 => success_response(),
+        200 => empty_object_response(),
         400 => Operation.response("Error", "application/json", ApiError)
       }
     }
   end
-
-  defp success_response do
-    Operation.response("Array of banned MediaProxy URLs in Cachex", "application/json", %Schema{
-      type: :object,
-      properties: %{
-        urls: %Schema{
-          type: :array,
-          items: %Schema{
-            type: :string,
-            format: :uri,
-            description: "MediaProxy URLs"
-          }
-        }
-      }
-    })
-  end
 end

lib/pleroma/web/mastodon_api/controllers/timeline_controller.ex

@@ -8,6 +8,7 @@ defmodule Pleroma.Web.MastodonAPI.TimelineController do
   import Pleroma.Web.ControllerHelper,
     only: [add_link_headers: 2, add_link_headers: 3]
 
+  alias Pleroma.Config
   alias Pleroma.Pagination
   alias Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug
   alias Pleroma.Plugs.OAuthScopesPlug
@@ -89,11 +90,11 @@ def direct(%{assigns: %{user: user}} = conn, params) do
   end
 
   defp restrict_unauthenticated?(true = _local_only) do
-    Pleroma.Config.get([:restrict_unauthenticated, :timelines, :local])
+    Config.restrict_unauthenticated_access?(:timelines, :local)
   end
 
   defp restrict_unauthenticated?(_) do
-    Pleroma.Config.get([:restrict_unauthenticated, :timelines, :federated])
+    Config.restrict_unauthenticated_access?(:timelines, :federated)
   end
 
   # GET /api/v1/timelines/public

lib/pleroma/web/media_proxy/media_proxy.ex

@@ -9,28 +9,31 @@ defmodule Pleroma.Web.MediaProxy do
   alias Pleroma.Web.MediaProxy.Invalidation
 
   @base64_opts [padding: false]
+  @cache_table :banned_urls_cache
+
+  def cache_table, do: @cache_table
 
   @spec in_banned_urls(String.t()) :: boolean()
-  def in_banned_urls(url), do: elem(Cachex.exists?(:banned_urls_cache, url(url)), 1)
+  def in_banned_urls(url), do: elem(Cachex.exists?(@cache_table, url(url)), 1)
 
   def remove_from_banned_urls(urls) when is_list(urls) do
-    Cachex.execute!(:banned_urls_cache, fn cache ->
+    Cachex.execute!(@cache_table, fn cache ->
       Enum.each(Invalidation.prepare_urls(urls), &Cachex.del(cache, &1))
     end)
   end
 
   def remove_from_banned_urls(url) when is_binary(url) do
-    Cachex.del(:banned_urls_cache, url(url))
+    Cachex.del(@cache_table, url(url))
   end
 
   def put_in_banned_urls(urls) when is_list(urls) do
-    Cachex.execute!(:banned_urls_cache, fn cache ->
+    Cachex.execute!(@cache_table, fn cache ->
       Enum.each(Invalidation.prepare_urls(urls), &Cachex.put(cache, &1, true))
     end)
   end
 
   def put_in_banned_urls(url) when is_binary(url) do
-    Cachex.put(:banned_urls_cache, url(url), true)
+    Cachex.put(@cache_table, url(url), true)
   end
 
   def url(url) when is_nil(url) or url == "", do: nil

lib/pleroma/web/preload/timelines.ex

@@ -16,7 +16,7 @@ def generate_terms(params) do
   end
 
   def build_public_tag(acc, params) do
-    if Pleroma.Config.get([:restrict_unauthenticated, :timelines, :federated], true) do
+    if Pleroma.Config.restrict_unauthenticated_access?(:timelines, :federated) do
       acc
     else
       Map.put(acc, @public_url, public_timeline(params))

lib/pleroma/workers/cron/clear_oauth_token_worker.ex

@@ -16,8 +16,8 @@ defmodule Pleroma.Workers.Cron.ClearOauthTokenWorker do
   def perform(_job) do
     if Config.get([:oauth2, :clean_expired_tokens], false) do
       Token.delete_expired_tokens()
-    else
+    end
+
     :ok
   end
 end
-end

lib/pleroma/workers/cron/digest_emails_worker.ex

@@ -37,9 +37,9 @@ def perform(_job) do
       )
       |> Repo.all()
       |> send_emails
-    else
-      :ok
     end
+
+    :ok
   end
 
   def send_emails(users) do

lib/pleroma/workers/cron/new_users_digest_worker.ex

@@ -55,11 +55,9 @@ def perform(_job) do
         |> Repo.all()
         |> Enum.map(&Pleroma.Emails.NewUsersDigestEmail.new_users(&1, users_and_statuses))
         |> Enum.each(&Pleroma.Emails.Mailer.deliver/1)
-      else
-        :ok
       end
-    else
+    end
+
     :ok
   end
 end
-end

lib/pleroma/workers/cron/purge_expired_activities_worker.ex

@@ -23,9 +23,9 @@ defmodule Pleroma.Workers.Cron.PurgeExpiredActivitiesWorker do
   def perform(_job) do
     if Config.get([ActivityExpiration, :enabled]) do
       Enum.each(ActivityExpiration.due_expirations(@interval), &delete_activity/1)
-    else
-      :ok
     end
+  after
+    :ok
   end
 
   def delete_activity(%ActivityExpiration{activity_id: activity_id}) do

lib/pleroma/workers/cron/stats_worker.ex

@@ -12,5 +12,6 @@ defmodule Pleroma.Workers.Cron.StatsWorker do
   @impl Oban.Worker
   def perform(_job) do
     Pleroma.Stats.do_collect()
+    :ok
   end
 end

priv/repo/migrations/20200817120935_add_invisible_index_to_users.exs

@@ -0,0 +1,7 @@
+defmodule Pleroma.Repo.Migrations.AddInvisibleIndexToUsers do
+  use Ecto.Migration
+
+  def change do
+    create(index(:users, [:invisible]))
+  end
+end

priv/static/adminfe/index.html

@@ -1 +1 @@
-<!DOCTYPE html><html><head><meta charset=utf-8><meta http-equiv=X-UA-Compatible content="IE=edge,chrome=1"><meta name=renderer content=webkit><meta name=viewport content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=no"><title>Admin FE</title><link rel="shortcut icon" href=favicon.ico><link href=chunk-elementUI.1abbc9b8.css rel=stylesheet><link href=chunk-libs.686b5876.css rel=stylesheet><link href=app.01bdb34a.css rel=stylesheet></head><body><div id=app></div><script type=text/javascript src=static/js/runtime.0a70a9f5.js></script><script type=text/javascript src=static/js/chunk-elementUI.fba0efec.js></script><script type=text/javascript src=static/js/chunk-libs.b8c453ab.js></script><script type=text/javascript src=static/js/app.f220ac13.js></script></body></html>
+<!DOCTYPE html><html><head><meta charset=utf-8><meta http-equiv=X-UA-Compatible content="IE=edge,chrome=1"><meta name=renderer content=webkit><meta name=viewport content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=no"><title>Admin FE</title><link rel="shortcut icon" href=favicon.ico><link href=chunk-elementUI.1abbc9b8.css rel=stylesheet><link href=chunk-libs.5cf7f50a.css rel=stylesheet><link href=app.61bb0915.css rel=stylesheet></head><body><div id=app></div><script type=text/javascript src=static/js/runtime.ba9393f3.js></script><script type=text/javascript src=static/js/chunk-elementUI.2de79b84.js></script><script type=text/javascript src=static/js/chunk-libs.76802be9.js></script><script type=text/javascript src=static/js/app.86bfcdf3.js></script></body></html>