Add `authorized_fetch` server setting in addition to env var (#25798)
parent
6c4c72497a
commit
9e26cd5503
|
@ -11,6 +11,7 @@ class ApplicationController < ActionController::Base
|
||||||
include CacheConcern
|
include CacheConcern
|
||||||
include DomainControlHelper
|
include DomainControlHelper
|
||||||
include DatabaseHelper
|
include DatabaseHelper
|
||||||
|
include AuthorizedFetchHelper
|
||||||
|
|
||||||
helper_method :current_account
|
helper_method :current_account
|
||||||
helper_method :current_session
|
helper_method :current_session
|
||||||
|
@ -51,10 +52,6 @@ class ApplicationController < ActionController::Base
|
||||||
|
|
||||||
private
|
private
|
||||||
|
|
||||||
def authorized_fetch_mode?
|
|
||||||
ENV['AUTHORIZED_FETCH'] == 'true' || Rails.configuration.x.limited_federation_mode
|
|
||||||
end
|
|
||||||
|
|
||||||
def public_fetch_mode?
|
def public_fetch_mode?
|
||||||
!authorized_fetch_mode?
|
!authorized_fetch_mode?
|
||||||
end
|
end
|
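Review bot: `authorized_fetch_mode?` was defined under `private` (second hunk) and now arrives through `include AuthorizedFetchHelper` at the top of the class, so it and `authorized_fetch_overridden?` become public instance methods on every controller. Rails treats public controller methods as candidate actions, so unless something outside these hunks restricts that, I would restore the previous visibility with `private :authorized_fetch_mode?, :authorized_fetch_overridden?` right after the include. `public_fetch_mode?` calls the predicate without a receiver, so it keeps working. The class body continues outside both hunks.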
||||||
|
|
|
@ -0,0 +1,11 @@
|
||||||
|
# frozen_string_literal: true
|
||||||
|
|
||||||
|
module AuthorizedFetchHelper
|
||||||
|
def authorized_fetch_mode?
|
||||||
|
ENV.fetch('AUTHORIZED_FETCH') { Setting.authorized_fetch } == 'true' || Rails.configuration.x.limited_federation_mode
|
||||||
|
end
|
||||||
|
|
||||||
|
def authorized_fetch_overridden?
|
||||||
|
ENV.key?('AUTHORIZED_FETCH') || Rails.configuration.x.limited_federation_mode
|
||||||
|
end
|
||||||
|
end
|
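Review bot: In `authorized_fetch_mode?` the fallback `Setting.authorized_fetch` is compared with the string `'true'`, which only matches if the setting is stored as a string. The admin form in this commit adds `authorized_fetch` beside `captcha_enabled` and `require_invite_text` in what looks like the boolean key list (its name is outside the hunk), so the saved value is probably a Ruby `true`, and `true == 'true'` is false. If that holds, enabling the option in the admin UI leaves authorized fetch off whenever the environment variable is unset, and the control fails open with no error. Normalising before comparing removes the dependency on the stored type: `ENV.fetch('AUTHORIZED_FETCH') { Setting.authorized_fetch }.to_s == 'true' || Rails.configuration.x.limited_federation_mode`. A spec that sets the setting to `true` with the variable unset would pin the behaviour.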
|
@ -188,6 +188,7 @@
|
||||||
}
|
}
|
||||||
|
|
||||||
.information-badge,
|
.information-badge,
|
||||||
|
.simple_form .overridden,
|
||||||
.simple_form .recommended,
|
.simple_form .recommended,
|
||||||
.simple_form .not_recommended {
|
.simple_form .not_recommended {
|
||||||
display: inline-block;
|
display: inline-block;
|
||||||
|
@ -204,6 +205,7 @@
|
||||||
}
|
}
|
||||||
|
|
||||||
.information-badge,
|
.information-badge,
|
||||||
|
.simple_form .overridden,
|
||||||
.simple_form .recommended,
|
.simple_form .recommended,
|
||||||
.simple_form .not_recommended {
|
.simple_form .not_recommended {
|
||||||
background-color: rgba($ui-secondary-color, 0.1);
|
background-color: rgba($ui-secondary-color, 0.1);
|
||||||
|
|
|
@ -103,6 +103,7 @@ code {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
.overridden,
|
||||||
.recommended,
|
.recommended,
|
||||||
.not_recommended {
|
.not_recommended {
|
||||||
position: absolute;
|
position: absolute;
|
||||||
|
|
|
@ -3,6 +3,8 @@
|
||||||
class Form::AdminSettings
|
class Form::AdminSettings
|
||||||
include ActiveModel::Model
|
include ActiveModel::Model
|
||||||
|
|
||||||
|
include AuthorizedFetchHelper
|
||||||
|
|
||||||
KEYS = %i(
|
KEYS = %i(
|
||||||
site_contact_username
|
site_contact_username
|
||||||
site_contact_email
|
site_contact_email
|
||||||
|
@ -34,6 +36,7 @@ class Form::AdminSettings
|
||||||
backups_retention_period
|
backups_retention_period
|
||||||
status_page_url
|
status_page_url
|
||||||
captcha_enabled
|
captcha_enabled
|
||||||
|
authorized_fetch
|
||||||
).freeze
|
).freeze
|
||||||
|
|
||||||
INTEGER_KEYS = %i(
|
INTEGER_KEYS = %i(
|
||||||
|
@ -54,6 +57,7 @@ class Form::AdminSettings
|
||||||
noindex
|
noindex
|
||||||
require_invite_text
|
require_invite_text
|
||||||
captcha_enabled
|
captcha_enabled
|
||||||
|
authorized_fetch
|
||||||
).freeze
|
).freeze
|
||||||
|
|
||||||
UPLOAD_KEYS = %i(
|
UPLOAD_KEYS = %i(
|
||||||
|
@ -61,6 +65,10 @@ class Form::AdminSettings
|
||||||
mascot
|
mascot
|
||||||
).freeze
|
).freeze
|
||||||
|
|
||||||
|
OVERRIDEN_SETTINGS = {
|
||||||
|
authorized_fetch: :authorized_fetch_mode?,
|
||||||
|
}.freeze
|
||||||
|
|
||||||
attr_accessor(*KEYS)
|
attr_accessor(*KEYS)
|
||||||
|
|
||||||
validates :registrations_mode, inclusion: { in: %w(open approved none) }, if: -> { defined?(@registrations_mode) }
|
validates :registrations_mode, inclusion: { in: %w(open approved none) }, if: -> { defined?(@registrations_mode) }
|
||||||
|
@ -80,6 +88,8 @@ class Form::AdminSettings
|
||||||
|
|
||||||
stored_value = if UPLOAD_KEYS.include?(key)
|
stored_value = if UPLOAD_KEYS.include?(key)
|
||||||
SiteUpload.where(var: key).first_or_initialize(var: key)
|
SiteUpload.where(var: key).first_or_initialize(var: key)
|
||||||
|
elsif OVERRIDEN_SETTINGS.include?(key)
|
||||||
|
public_send(OVERRIDEN_SETTINGS[key])
|
||||||
else
|
else
|
||||||
Setting.public_send(key)
|
Setting.public_send(key)
|
||||||
end
|
end
|
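Review bot: `OVERRIDEN_SETTINGS` is consulted only on the read side (the `stored_value` branch in the last hunk), and the save path is outside these hunks, so nothing visible stops an overridden key from being written. The `disabled:` flag on the input is a browser-side hint only, so a submitted `authorized_fetch` value could still be persisted while the override is active and take effect once the environment variable is removed. I would confirm that the save loop skips overridden keys and add a comment above the constant: `# Maps a setting to the predicate giving its effective value; such keys must not be written back while the override is active.` The constant is also misspelled and could be `OVERRIDDEN_SETTINGS`, matching `authorized_fetch_overridden?`.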
||||||
|
|
|
@ -1,6 +1,8 @@
|
||||||
# frozen_string_literal: true
|
# frozen_string_literal: true
|
||||||
|
|
||||||
module Payloadable
|
module Payloadable
|
||||||
|
include AuthorizedFetchHelper
|
||||||
|
|
||||||
# @param [ActiveModelSerializers::Model] record
|
# @param [ActiveModelSerializers::Model] record
|
||||||
# @param [ActiveModelSerializers::Serializer] serializer
|
# @param [ActiveModelSerializers::Serializer] serializer
|
||||||
# @param [Hash] options
|
# @param [Hash] options
|
||||||
|
@ -23,6 +25,6 @@ module Payloadable
|
||||||
end
|
end
|
||||||
|
|
||||||
def signing_enabled?
|
def signing_enabled?
|
||||||
ENV['AUTHORIZED_FETCH'] != 'true' && !Rails.configuration.x.limited_federation_mode
|
!authorized_fetch_mode?
|
||||||
end
|
end
|
||||||
end
|
end
|
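Review bot: `signing_enabled?` now depends on a runtime server setting, but nothing in the module says why payload signing is tied to authorized fetch. Presumably the reason is that a signed payload can be verified after a third party relays it, which would sidestep authenticated fetching. If that is the intent, I would record it above the method: `# Signed payloads stay verifiable when relayed by a third party, so signing is off whenever fetches must be authenticated.` The module body between the two hunks is not visible here.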
||||||
|
|
|
@ -39,6 +39,11 @@
|
||||||
.fields-group
|
.fields-group
|
||||||
= f.input :peers_api_enabled, as: :boolean, wrapper: :with_label, recommended: :recommended
|
= f.input :peers_api_enabled, as: :boolean, wrapper: :with_label, recommended: :recommended
|
||||||
|
|
||||||
|
%h4= t('admin.settings.security.federation_authentication')
|
||||||
|
|
||||||
|
.fields-group
|
||||||
|
= f.input :authorized_fetch, as: :boolean, wrapper: :with_label, label: t('admin.settings.security.authorized_fetch'), warning_hint: authorized_fetch_overridden? ? t('admin.settings.security.authorized_fetch_overridden_hint') : nil, hint: t('admin.settings.security.authorized_fetch_hint'), disabled: authorized_fetch_overridden?, recommended: authorized_fetch_overridden? ? :overridden : nil
|
||||||
|
|
||||||
%h4= t('admin.settings.discovery.follow_recommendations')
|
%h4= t('admin.settings.discovery.follow_recommendations')
|
||||||
|
|
||||||
.fields-group
|
.fields-group
|
||||||
|
|
|
@ -50,7 +50,7 @@ ignore_unused:
|
||||||
- 'activerecord.errors.*'
|
- 'activerecord.errors.*'
|
||||||
- '{devise,pagination,doorkeeper}.*'
|
- '{devise,pagination,doorkeeper}.*'
|
||||||
- '{date,datetime,time,number}.*'
|
- '{date,datetime,time,number}.*'
|
||||||
- 'simple_form.{yes,no,recommended,not_recommended}'
|
- 'simple_form.{yes,no,recommended,not_recommended,overridden}'
|
||||||
- 'simple_form.{placeholders,hints,labels}.*'
|
- 'simple_form.{placeholders,hints,labels}.*'
|
||||||
- 'simple_form.{error_notification,required}.:'
|
- 'simple_form.{error_notification,required}.:'
|
||||||
- 'errors.messages.*'
|
- 'errors.messages.*'
|
||||||
|
|
|
@ -97,6 +97,7 @@ SimpleForm.setup do |config|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
b.use :warning_hint, wrap_with: { tag: :span, class: [:hint, 'warning-hint'] }
|
||||||
b.use :hint, wrap_with: { tag: :span, class: :hint }
|
b.use :hint, wrap_with: { tag: :span, class: :hint }
|
||||||
b.use :error, wrap_with: { tag: :span, class: :error }
|
b.use :error, wrap_with: { tag: :span, class: :error }
|
||||||
end
|
end
|
||||||
|
@ -111,8 +112,8 @@ SimpleForm.setup do |config|
|
||||||
config.wrappers :with_block_label, class: [:input, :with_block_label], hint_class: :field_with_hint, error_class: :field_with_errors do |b|
|
config.wrappers :with_block_label, class: [:input, :with_block_label], hint_class: :field_with_hint, error_class: :field_with_errors do |b|
|
||||||
b.use :html5
|
b.use :html5
|
||||||
b.use :label
|
b.use :label
|
||||||
b.use :hint, wrap_with: { tag: :span, class: :hint }
|
|
||||||
b.use :warning_hint, wrap_with: { tag: :span, class: [:hint, 'warning-hint'] }
|
b.use :warning_hint, wrap_with: { tag: :span, class: [:hint, 'warning-hint'] }
|
||||||
|
b.use :hint, wrap_with: { tag: :span, class: :hint }
|
||||||
b.use :input, wrap_with: { tag: :div, class: :label_input }
|
b.use :input, wrap_with: { tag: :div, class: :label_input }
|
||||||
b.use :error, wrap_with: { tag: :span, class: :error }
|
b.use :error, wrap_with: { tag: :span, class: :error }
|
||||||
end
|
end
|
||||||
|
|
|
@ -770,6 +770,11 @@ en:
|
||||||
approved: Approval required for sign up
|
approved: Approval required for sign up
|
||||||
none: Nobody can sign up
|
none: Nobody can sign up
|
||||||
open: Anyone can sign up
|
open: Anyone can sign up
|
||||||
|
security:
|
||||||
|
authorized_fetch: Require authentication from federated servers
|
||||||
|
authorized_fetch_hint: Requiring authentication from federated servers enables stricter enforcement of both user-level and server-level blocks. However, this comes at the cost of a performance penalty, reduces the reach of your replies, and may introduce compatibility issues with some federated services. In addition, this will not prevent dedicated actors from fetching your public posts and accounts.
|
||||||
|
authorized_fetch_overridden_hint: You are currently unable to change this setting because it is overridden by an environment variable.
|
||||||
|
federation_authentication: Federation authentication enforcement
|
||||||
title: Server settings
|
title: Server settings
|
||||||
site_uploads:
|
site_uploads:
|
||||||
delete: Delete uploaded file
|
delete: Delete uploaded file
|
||||||
|
|
|
@ -317,6 +317,7 @@ en:
|
||||||
url: Endpoint URL
|
url: Endpoint URL
|
||||||
'no': 'No'
|
'no': 'No'
|
||||||
not_recommended: Not recommended
|
not_recommended: Not recommended
|
||||||
|
overridden: Overridden
|
||||||
recommended: Recommended
|
recommended: Recommended
|
||||||
required:
|
required:
|
||||||
mark: "*"
|
mark: "*"
|
||||||
|
|