- 31 Jan, 2022 1 commit
-
-
Claire authored
-
- 30 Jan, 2022 8 commits
-
-
Claire authored
-
Jeong Arm authored
Some bundle options are saved as global user config and not project local. Specifically, `deployment` must be saved as local config to be run on a copied environment.
-
Eugen Rochko authored
-
Eugen Rochko authored
-
Yusuke Nakamura authored
* Build container image by GitHub Actions
* Trigger docker build only when pushed to the main branch
* Tweak tagging image
  - "edge" is the main branch
  - "latest" is the tagged latest release
-
Claire authored
- populate the database with some data when testing migrations
- try both one-step and two-step migrations (`SKIP_POST_DEPLOYMENT_MIGRATIONS`)
-
Claire authored
-
Claire authored
* Fix some old migration scripts
* Fix edge case in two-step migration from older releases
-
- 28 Jan, 2022 31 commits
-
-
Claire authored
-
Claire authored
Under certain conditions, files fetched from remotes trigger an error when being uploaded using OpenStack Swift. This is because in some cases, the remote server will not return a content-length, so our ResponseWithLimitAdapter will hold a `nil` value for `#size`, which will lead to an invalid value for the Content-Length header of the Swift API call. This commit fixes that by taking the size from the actually-downloaded file size rather than the upstream-provided Content-Length header value.
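The failure mode described in this commit (an upstream response without a Content-Length, so the adapter's `#size` is `nil`) can be reproduced with a small reader that enforces a download limit and reports the size from the bytes actually copied. This is an added example, not Mastodon's `ResponseWithLimitAdapter`; the class and method names are this example's own, and the sample body is constructed inline.

```ruby
require 'stringio'

# Added example (not Mastodon's code): read a response body up to a byte limit
# and report the size actually read, so a missing or wrong Content-Length
# header never turns into an invalid Content-Length on the upload side.
class LimitedBodyReader
  class TooLarge < StandardError; end

  attr_reader :size, :content_length

  # io: anything responding to #read(n); content_length: Integer from the
  # upstream header or nil when absent; limit: hard cap on bytes downloaded.
  def initialize(io, content_length: nil, limit:)
    @io = io
    @content_length = content_length
    @limit = limit
    @size = 0
  end

  # Reject early when the header already says the body is too large.
  def header_within_limit?
    content_length.nil? || content_length <= @limit
  end

  # Copies the body into dest, counting bytes; raises once the limit is exceeded.
  # The header is only a hint: the count comes from what was actually read.
  def read_into(dest, chunk_size: 16 * 1024)
    raise TooLarge, "declared #{content_length} > #{@limit}" unless header_within_limit?

    while (chunk = @io.read(chunk_size))
      @size += chunk.bytesize
      raise TooLarge, "body exceeded #{@limit} bytes" if @size > @limit

      dest.write(chunk)
    end
    @size
  end
end

# The Content-Length for the re-upload must come from the downloaded size,
# never from the upstream header (which may be nil or simply wrong).
def upload_headers_for(reader)
  { 'Content-Length' => reader.size.to_s }
end

# Constructed sample: upstream omits Content-Length (nil) for a 10-byte body.
def demo_missing_content_length
  src = StringIO.new('0123456789')
  reader = LimitedBodyReader.new(src, content_length: nil, limit: 1024)
  reader.read_into(StringIO.new)
  upload_headers_for(reader)
end

# Constructed sample: upstream declares 5 bytes but actually sends 30.
def demo_lying_content_length
  src = StringIO.new('x' * 30)
  reader = LimitedBodyReader.new(src, content_length: 5, limit: 100)
  reader.read_into(StringIO.new)
  upload_headers_for(reader)
end
```

Both demo functions return the header that would be sent to the object store; in the first case the upstream header was absent, in the second it was wrong, and in neither case does it leak into the upload.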
-
Claire authored
For some reason, some misconfigured servers return an empty document when queried over webfinger. Since an empty document does not lead to a parse error, the error is not caught properly and triggers uncaught exceptions later on. This PR fixes that by immediately erroring out with `Webfinger::Error` on getting an empty response.
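A defensive WebFinger parser that errors out on an empty body before the JSON parser ever sees it, as an added example rather than Mastodon's own `Webfinger` code. It also checks the two things a practitioner wants verified on a WebFinger reply: that the `subject` is the account that was asked about, and that a `self` link with an ActivityPub media type exists. The module and struct names and the sample documents are this example's own constructions.

```ruby
require 'json'

# Added example, not Mastodon's implementation: parse a WebFinger JRD document
# defensively. Parsers differ in what they do with an empty body (some raise,
# some return nil), so emptiness is checked explicitly before parsing instead
# of relying on the parser to complain.
module Webfinger
  class Error < StandardError; end

  Result = Struct.new(:subject, :actor_uri)

  ACTIVITY_TYPES = [
    'application/activity+json',
    'application/ld+json; profile="https://www.w3.org/ns/activitystreams"'
  ].freeze

  # body: raw response body; expected_acct: e.g. "acct:alice@example.org"
  def self.parse(body, expected_acct)
    raise Error, 'empty WebFinger response' if body.nil? || body.strip.empty?

    doc = begin
      JSON.parse(body)
    rescue JSON::ParserError => e
      raise Error, "malformed WebFinger response: #{e.message}"
    end

    raise Error, 'WebFinger response is not a JSON object' unless doc.is_a?(Hash)

    subject = doc['subject']
    raise Error, 'missing subject' unless subject.is_a?(String)
    # The subject must be the account we asked about; a server answering for a
    # different acct must not be trusted for this lookup.
    raise Error, "subject #{subject} does not match #{expected_acct}" unless subject.casecmp?(expected_acct)

    links = doc['links']
    raise Error, 'missing links' unless links.is_a?(Array)

    self_link = links.find do |l|
      l.is_a?(Hash) && l['rel'] == 'self' && ACTIVITY_TYPES.include?(l['type']) && l['href'].is_a?(String)
    end
    raise Error, 'no ActivityPub self link' if self_link.nil?

    Result.new(subject, self_link['href'])
  end
end

# Constructed sample response (not captured from any real server).
GOOD_BODY = JSON.generate(
  'subject' => 'acct:alice@example.org',
  'links' => [
    { 'rel' => 'http://webfinger.net/rel/profile-page', 'type' => 'text/html',
      'href' => 'https://example.org/@alice' },
    { 'rel' => 'self', 'type' => 'application/activity+json',
      'href' => 'https://example.org/users/alice' }
  ]
)
```

Every failure path raises the same `Webfinger::Error`, so a caller can rescue one class and treat the account as unresolvable instead of letting a `NoMethodError` on `nil` surface later in the pipeline.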
-
Claire authored
-
Eugen Rochko authored
See #16943
-
Claire authored
Up until now, we have used Devise's Rememberable mechanism to re-log users after the end of their browser sessions. This mechanism relies on a signed cookie containing a token. That token was stored on the user's record, meaning it was shared across all logged in browsers, meaning truly revoking a browser's ability to auto-log-in involves revoking the token itself, and revoking access from *all* logged-in browsers.

We had a session mechanism that dynamically checks whether a user's session has been disabled, and would log out the user if so. However, this would only clear a session being actively used, and a new one could be respawned with the `remember_user_token` cookie.

In practice, this caused two issues:
- sessions could be revived after being closed from /auth/edit (security issue)
- auto-log-in would be disabled for *all* browsers after logging out from one of them

This PR removes the `remember_token` mechanism and treats the `_session_id` cookie/token as a browser-specific `remember_token`, fixing both issues.
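The two issues in this commit message can be made concrete with a small model of both designs. This is an added example, not Mastodon's or Devise's code: `RememberableAuth` stands in for the old setup (one remember token on the user record plus individually revocable sessions) and `SessionOnlyAuth` for the replacement (the browser-specific session id is the only long-lived credential). Class, method and scenario names are this example's own.

```ruby
require 'securerandom'

# Added example, not Mastodon's code. Two models of "remember this browser".

# Constant-time string comparison so token checks do not leak via timing.
def secure_compare(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize

  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Old model: a user-wide remember token shared by every browser.
class RememberableAuth
  def initialize
    @remember_token = SecureRandom.hex(16) # stored on the user record
    @sessions = {}                         # session_id => true while active
  end

  # Login returns the two cookies a browser would hold.
  def login
    sid = new_session
    [sid, @remember_token]
  end

  # Closing a session from the sessions page only touches the session table...
  def revoke_session(session_id)
    @sessions.delete(session_id)
  end

  # ...and the only way to stop auto-login is to rotate the shared token,
  # which affects every browser at once.
  def forget_everywhere
    @remember_token = SecureRandom.hex(16)
  end

  # Returns the session id the browser ends up with, or nil if not signed in.
  def resume(session_id, remember_cookie)
    return session_id if session_id && @sessions.key?(session_id)
    return nil unless secure_compare(remember_cookie, @remember_token)

    new_session # revoked session, but a valid remember cookie respawns one
  end

  private

  def new_session
    sid = SecureRandom.hex(16)
    @sessions[sid] = true
    sid
  end
end

# New model: the session id is the only long-lived credential.
class SessionOnlyAuth
  def initialize
    @sessions = {}
  end

  def login
    sid = SecureRandom.hex(16)
    @sessions[sid] = true
    sid
  end

  def revoke_session(session_id)
    @sessions.delete(session_id)
  end

  # No second credential: a revoked session id stays revoked.
  def resume(session_id)
    @sessions.keys.find { |sid| secure_compare(sid, session_id) }
  end
end

# Scenario: laptop and phone are logged in; the phone session is revoked.
# Returns [laptop_still_signed_in, phone_signed_in_again].
def rememberable_scenario
  auth = RememberableAuth.new
  laptop_sid, laptop_remember = auth.login
  phone_sid, phone_remember = auth.login
  auth.revoke_session(phone_sid)
  [!auth.resume(laptop_sid, laptop_remember).nil?, !auth.resume(phone_sid, phone_remember).nil?]
end

def session_only_scenario
  auth = SessionOnlyAuth.new
  laptop_sid = auth.login
  phone_sid = auth.login
  auth.revoke_session(phone_sid)
  [!auth.resume(laptop_sid).nil?, !auth.resume(phone_sid).nil?]
end

# The only revocation the old model offers, rotating the shared token, also
# kills the laptop's auto-login once its own session is gone.
def rememberable_forget_scenario
  auth = RememberableAuth.new
  laptop_sid, laptop_remember = auth.login
  auth.forget_everywhere
  auth.revoke_session(laptop_sid) # laptop's session expires later
  !auth.resume(laptop_sid, laptop_remember).nil?
end
```

`rememberable_scenario` returns `[true, true]`: the revoked phone is signed straight back in, which is the first issue. `session_only_scenario` returns `[true, false]`, and `rememberable_forget_scenario` returns `false`, which is the second issue.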
-
Claire authored
* Fix newlines in account notes added by the move handler
* Make MoveWorker more robust
-
Takeshi Umeda authored
-
Takeshi Umeda authored
-
Claire authored
* Add test
* Fix crash when encountering invalid account fields
-
Claire authored
* Fix remotely-suspended accounts' toots being merged back into timelines
* Mark remotely-deleted accounts as remotely suspended
-
Claire authored
* Add tests
* Fix webauthn secure key authentication

Fixes #16769
-
Claire authored
* Add tests
* Add security-related tests

My first (unpublished) attempt at fixing the issues introduced (extremely hard-to-exploit) security vulnerabilities, addressing them in a test.

* Fix authentication failures after going halfway through a sign-in attempt
* Refactor `authenticate_with_sign_in_token` and `authenticate_with_two_factor` to make the two authentication steps more obvious
-
Claire authored
Fixes #16602
-
Claire authored
Fixes #16699
-
Claire authored
* Add tests
* Fix some link previews being incorrectly generated from different prior links

PR #12403 added a cache to avoid redundant queries when the OEmbed endpoint can be guessed from the URL. This caching mechanism is not perfectly correct as there is no guarantee that all pages from a given domain share the same OEmbed provider endpoint.

This PR prevents the FetchOEmbedService from caching OEmbed endpoints that cannot be generalized by replacing a fully-qualified URL from the endpoint's parameters, greatly reducing the number of incorrect cached generalizations.
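The generalization rule this commit describes, as an added example (not `FetchOEmbedService` itself): an endpoint is only turned into a per-domain template when the page's own fully-qualified URL appears as a query parameter value, and that value is what gets replaced. An endpoint without such a parameter cannot be generalized and is left uncached. The `{url}` placeholder, the module name and the sample URLs are assumptions of this example.

```ruby
require 'uri'
require 'cgi'

# Added example, not Mastodon's code: decide whether a discovered OEmbed
# endpoint can be reduced to a per-domain template. Only an endpoint that
# carries the page's own URL as a query parameter is generalised; anything
# else returns nil so it is never cached for unrelated pages of the host.
module OembedTemplate
  PLACEHOLDER = '{url}'

  # Returns a template string, or nil when the endpoint cannot be generalised.
  def self.build(page_url, endpoint_url)
    uri = begin
      URI.parse(endpoint_url)
    rescue URI::InvalidURIError
      return nil
    end
    return nil unless uri.is_a?(URI::HTTP) # covers https as well

    base, query = endpoint_url.split('?', 2)
    return nil if query.nil? || query.empty?

    params = CGI.parse(query) # { name => [values...] }, already unescaped
    hit = params.find { |_name, values| values.include?(page_url) }
    return nil if hit.nil?   # page URL is not a parameter: nothing to generalise

    key = hit.first
    rebuilt = params.flat_map do |name, values|
      values.map do |value|
        encoded = (name == key && value == page_url) ? PLACEHOLDER : CGI.escape(value)
        "#{CGI.escape(name)}=#{encoded}"
      end
    end.join('&')

    "#{base}?#{rebuilt}"
  end

  # Instantiates a cached template for another page on the same host.
  def self.expand(template, page_url)
    template.sub(PLACEHOLDER, CGI.escape(page_url))
  end
end
```

The template is rebuilt as a plain string rather than through `URI#query=`, because that setter percent-encodes the braces of the placeholder and `expand` would then no longer find it.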
-
Claire authored
Fix regression from #16896
-
Claire authored
In order to work around https://github.com/mastodon/mastodon/issues/16895, add a warning to .env.production.sample, and change the mastodon:setup rake task to:
- output a warning if a variable will be interpreted differently by dotenv and docker-compose
- ensure the printed config is compatible with docker-compose
-
Claire authored
* Do not block existing users' emails on self-destruct

That is wasteful and unintuitive

* Do not close registrations when running tootctl self-destruct with --dry-run
* Close registrations on self-destruct regardless of known remote accounts
* Fix tootctl self-destruct not sending Deletes for recently-suspended accounts
* Suspend local users even if no remote account is known
* Do not show scary confirmation text if run with --dry-run
-
Claire authored
* Add tests
* Fix serialization of followers/following counts when user hides their network

Fixes #16382

Signed-off-by: Claire <claire.github-309c@sitedethib.com>
-
Claire authored
Follow-up to #16510, forgot the controller exposing the actual followers…
-
Claire authored
* Fix followers synchronization mechanism not working when URI has empty path

To my knowledge, there is no current implementation on the fediverse that can use bare domains (e.g., actor is at https://example.org instead of something like https://example.org/actor) that also plans to support the followers synchronization mechanism. However, Mastodon's current implementation would exclude such accounts from followers list.

Also adds tests and renames them to reflect the proper method names.

* Move url prefix regexp to its own constant
-
Claire authored
* Add tests
* Fix scheduled statuses decreasing statuses counts

Fixes #16774
-
Holger authored
Use relative path for `scope` in web manifest to allow users to use the PWA correctly via alternate domains.
-
Claire authored
* Fix migration script not being able to run if it fails midway
* Fix old migration script
* Fix old migration script
* Refactor CorruptionError
-
Claire authored
Follow-up to #16276
-
Claire authored
* Fix Delete and Create-related locks expiring too fast

Fixes #16238

By default, RedisLock expires after 10 seconds, which may not be enough to process statuses, especially when those have attached media files. This commit extends those 10 seconds to 15 minutes, which should be plenty enough to handle any status, while being short enough to not waste many sidekiq job retries in the exceedingly rare case in which a sidekiq process would crash when processing a `Create` or `Delete`.

* Fix other RedisLock autorelease durations

Fixes #15645

- things that only perform a few simple database queries (e.g. finding and saving a record) have been left unchanged, so they'll still use the default 10s duration
- things that perform significantly more complex database queries have been changed to a 5 minutes timeout
- things that perform multiple HTTP queries have been changed to a 15 minutes timeout
-
Jeong Arm authored
* Remove set-cookie header on custom.css
* Additional fix for set-cookie
-
Claire authored
-
Eugen Rochko authored
Fix app scopes not being validated
-
Claire authored
An uncommon but somewhat difficult to diagnose issue is dealing with improperly-seeded databases. In such cases, instance-signed fetches will fail with an ActiveRecord::RecordNotFound error, usually caught and handled as a generic 404, leading people to think the remote resource itself has not been found, while it's the local instance actor that does not exist. This commit changes the code so that failure to find the instance actor automatically creates a new one, so that improperly-seeded databases do not cause any issue.
-