3107a9410c 
								
							 
						 
						
							
							
								
								Silence deprecation warning about secrets/credentials with Devise patch ( #27578 )  
							
							
							
						 
						
							2023-10-31 11:10:15 +00:00  
				
					
						
							
							
								 
						
							
								eae5c7334a 
								
							 
						 
						
							
							
								
								Extract class from CSP configuration/initialization ( #26905 )  
							
							
							
						 
						
							2023-10-27 16:20:40 +00:00  
				
					
						
							
							
								 
						
							
								4aa05d45fc 
								
							 
						 
						
							
							
								
								Capture minimum postgres version 12 ( #27528 )  
							
							
							
						 
						
							2023-10-26 20:35:15 +00:00  
				
					
						
							
							
								 
						
							
								9a3d047f3e 
								
							 
						 
						
							
							
								
								Run `bin/rails app:update` with Rails 7.1 ( #27522 )  
							
							
							
						 
						
							2023-10-25 13:56:09 +00:00  
				
					
						
							
							
								 
						
							
								379115e601 
								
							 
						 
						
							
							
								
								Add SELF_DESTRUCT env variable to process self-destructions in the background ( #26439 )  
							
							
							
						 
						
							2023-10-23 15:46:21 +00:00  
				
					
						
							
							
								 
						
							
								c3e0eb3699 
								
							 
						 
						
							
							
								
								Change Content-Security-Policy to be tighter on media paths ( #26889 )  
							
							
							
						 
						
							2023-10-23 14:27:07 +02:00  
				
					
						
							
							
								 
						
							
								bcd0171e5e 
								
							 
						 
						
							
							
								
								Fix `Lint/UselessAssignment` cop ( #27472 )  
							
							
							
						 
						
							2023-10-19 16:55:06 +02:00  
				
					
						
							
							
								 
						
							
								23f8e93c64 
								
							 
						 
						
							
							
								
								Fixes   #23135  - Allow cross origin request for /nodeinfo/2.0 API ( #27413 )  
							
							
							
						 
						
							2023-10-16 13:39:25 +02:00  
				
					
						
							
							
								 
						
							
								e0da64bb4e 
								
							 
						 
						
							
							
								
								Fix empty ENV variables not using default nil value ( #27400 )  
							
							
							
						 
						
							2023-10-13 19:00:53 +02:00  
				
					
						
							
							
								 
						
							
								85db392464 
								
							 
						 
						
							
							
								
								Autofix Rubocop cops for config/ ( #24145 )  
							
							
							
						 
						
							2023-10-03 15:24:12 +02:00  
				
					
						
							
							
								 
						
							
								56c0babc0b 
								
							 
						 
						
							
							
								
								Fix rubocop `Layout/ArgumentAlignment` cop ( #26060 )  
							
							
							
						 
						
							2023-09-28 15:48:47 +02:00  
				
					
						
							
							
								 
						
							
								8acc75435b 
								
							 
						 
						
							
							
								
								Change S3 checksum mode to be disabled by default ( #27007 )  
							
							
							
						 
						
							2023-09-21 14:00:51 +02:00  
				
					
						
							
							
								 
						
							
								a04ae16201 
								
							 
						 
						
							
							
								
								Fix CSP when using `ONE_CLICK_SSO_LOGIN` ( #26901 )  
							
							
							
						 
						
							2023-09-13 19:54:04 +02:00  
				
					
						
							
							
								 
						
							
								9a70cac9de 
								
							 
						 
						
							
							
								
								Fix   #26849  by adding the domain of the current SSO provider to the form-action CSP ( #26857 )  
							
							
							
						 
						
							2023-09-12 13:04:51 +02:00  
				
					
						
							
							
								 
						
							
								ea31929776 
								
							 
						 
						
							
							
								
								Fix invalid Content-Type header for WebP images ( #26773 )  
							
							
							
						 
						
							2023-09-04 09:46:33 +02:00  
				
					
						
							
							
								 
						
							
								9e26cd5503 
								
							 
						 
						
							
							
								
								Add `authorized_fetch` server setting in addition to env var ( #25798 )  
							
							
							
						 
						
							2023-09-01 15:41:10 +02:00  
				
					
						
							
							
								 
						
							
								286a21afdc 
								
							 
						 
						
							
							
								
								Support webpacker live-reloading on Docker ( #26419 )  
							
							
							
						 
						
							2023-08-29 10:17:57 +02:00  
				
					
						
							
							
								 
						
							
								b95867ad1f 
								
							 
						 
						
							
							
								
								Allow setting a custom HTTP method in CacheBuster ( #26528 )  
							
							... 
							
							
							
							Co-authored-by: Jorijn Schrijvershof <jorijn@jorijn.com> 
							
						 
						
							2023-08-18 08:18:40 +02:00  
				
					
						
							
							
								 
						
							
								dd049fc37a 
								
							 
						 
						
							
							
								
								Fix ES_PRESET not being applied to Chewy's internal index ( #26489 )  
							
							
							
						 
						
							2023-08-14 19:00:56 +02:00  
				
					
						
							
							
								 
						
							
								f5778caa3a 
								
							 
						 
						
							
							
								
								Add `ES_PRESET` option to customize numbers of shards and replicas ( #26483 )  
							
							... 
							
							
							
							Co-authored-by: Eugen Rochko <eugen@zeonfederated.com> 
							
						 
						
							2023-08-14 17:46:16 +02:00  
				
					
						
							
							
								 
						
							
								4bc0dd751c 
								
							 
						 
						
							
							
								
								Add `S3_DISABLE_CHECKSUM_MODE` environment variable for compatibility with some S3-compatible providers ( #26435 )  
							
							
							
						 
						
							2023-08-10 14:15:18 +02:00  
				
					
						
							
							
								 
						
							
								12c43e4ab5 
								
							 
						 
						
							
							
								
								Re-add StatsD support through the `nsa` gem ( #26310 )  
							
							
							
						 
						
							2023-08-03 20:28:14 +02:00  
				
					
						
							
							
								 
						
							
								e258b4cb64 
								
							 
						 
						
							
							
								
								Refactor: replace whitelist_mode mentions with limited_federation_mode ( #26252 )  
							
							
							
						 
						
							2023-08-02 19:32:48 +02:00  
				
					
						
							
							
								 
						
							
								ad81be6c8e 
								
							 
						 
						
							
							
								
								Update rubocop rules for linelength ( #26190 )  
							
							
							
						 
						
							2023-07-28 23:11:45 +02:00  
				
					
						
							
							
								 
						
							
								bada7a65aa 
								
							 
						 
						
							
							
								
								Ignore long line in regex initializer ( #26182 )  
							
							
							
						 
						
							2023-07-26 09:45:27 +02:00  
				
					
						
							
							
								 
						
							
								e5f1000ad1 
								
							 
						 
						
							
							
								
								Fix CSP headers being unintendedly wide ( #26105 )  
							
							
							
						 
						
							2023-07-21 13:34:15 +02:00  
				
					
						
							
							
								 
						
							
								934c7b33d1 
								
							 
						 
						
							
							
								
								Change default KeyGenerator digest to SHA1 to fix cookies in rolling upgrades ( #26023 )  
							
							
							
						 
						
							2023-07-21 13:17:43 +02:00  
				
					
						
							
							
								 
						
							
								b848ba3867 
								
							 
						 
						
							
							
								
								Paperclip: add support for Azure blob storage ( #23607 )  
							
							
							
						 
						
							2023-07-19 09:02:49 +02:00  
				
					
						
							
							
								 
						
							
								ce43ed144c 
								
							 
						 
						
							
							
								
								Rails 7.0 update ( #25668 )  
							
							
							
						 
						
							2023-07-13 09:36:07 +02:00  
				
					
						
							
							
								 
						
							
								2e1391fdd2 
								
							 
						 
						
							
							
								
								Fix `Naming/MemoizedInstanceVariableName` cop ( #25928 )  
							
							
							
						 
						
							2023-07-12 10:08:51 +02:00  
				
					
						
							
							
								 
						
							
								1d557305d2 
								
							 
						 
						
							
							
								
								Enable Rubocop Style/FrozenStringLiteralComment ( #23793 )  
							
							
							
						 
						
							2023-07-12 09:47:08 +02:00  
				
					
						
							
							
								 
						
							
								e4cfe4b3db 
								
							 
						 
						
							
							
								
								First pass at multi-database for read replica using Rails native adapter ( #25693 )  
							
							... 
							
							
							
							Co-authored-by: emilweth <7402764+emilweth@users.noreply.github.com> 
							
						 
						
							2023-07-08 19:45:36 +02:00  
				
					
						
							
							
								 
						
							
								dc8f1fbd97 
								
							 
						 
						
							
							
								
								Merge pull request from GHSA-9928-3cp5-93fm  
							
							... 
							
							
							
							* Fix attachments getting processed despite failing content-type validation
* Add a restrictive ImageMagick security policy tailored for Mastodon
* Fix misdetection of MP3 files with large cover art
* Reject unprocessable audio/video files instead of keeping them unchanged 
							
						 
						
							2023-07-06 15:05:05 +02:00  
				
					
						
							
							
								 
						
							
								ba06a2f104 
								
							 
						 
						
							
							
								
								Revert "Rails 7 update" ( #25667 )  
							
							
							
						 
						
							2023-07-02 11:14:22 +02:00  
				
					
						
							
							
								 
						
							
								50c2a03695 
								
							 
						 
						
							
							
								
								Rails 7 update ( #24241 )  
							
							
							
						 
						
							2023-07-02 10:38:53 +02:00  
				
					
						
							
							
								 
						
							
								f378f10404 
								
							 
						 
						
							
							
								
								Fix compatibility of recent migration with PostgreSQL 10 ( #25324 )  
							
							
							
						 
						
							2023-06-07 01:53:50 +02:00  
				
					
						
							
							
								 
						
							
								c66250abf1 
								
							 
						 
						
							
							
								
								Autofix Rubocop Regex Style rules ( #23690 )  
							
							... 
							
							
							
							Co-authored-by: Claire <claire.github-309c@sitedethib.com> 
							
						 
						
							2023-06-06 14:50:51 +02:00  
				
					
						
							
							
								 
						
							
								e428670e61 
								
							 
						 
						
							
							
								
								Fix CSP headers when S3_ALIAS_HOST includes a path component ( #25273 )  
							
							
							
						 
						
							2023-06-05 17:35:05 +02:00  
				
					
						
							
							
								 
						
							
								e49819142f 
								
							 
						 
						
							
							
								
								Remove unmaintained `nsa` gem ( #25265 )  
							
							
							
						 
						
							2023-06-05 01:57:05 +02:00  
				
					
						
							
							
								 
						
							
								94329f28e1 
								
							 
						 
						
							
							
								
								Change wording of “Content cache retention period” setting to highlight destructive implications ( #23261 )  
							
							
							
						 
						
							2023-06-02 18:09:08 +02:00  
				
					
						
							
							
								 
						
							
								942d850b0a 
								
							 
						 
						
							
							
								
								Allow carets in URL search params ( #25216 )  
							
							
							
						 
						
							2023-06-01 12:14:49 +02:00  
				
					
						
							
							
								 
						
							
								c0b9664a31 
								
							 
						 
						
							
							
								
								Autofix Rubocop spacing in config ( #25022 )  
							
							
							
						 
						
							2023-05-22 13:17:56 +02:00  
				
					
						
							
							
								 
						
							
								cee4369cf5 
								
							 
						 
						
							
							
								
								Autofix Rubocop Lint/AmbiguousOperatorPrecedence ( #25002 )  
							
							
							
						 
						
							2023-05-16 10:51:59 +02:00  
				
					
						
							
							
								 
						
							
								d9a958fcf7 
								
							 
						 
						
							
							
								
								Fix Performance/RedundantMerge cop ( #24817 )  
							
							
							
						 
						
							2023-05-04 05:25:43 +02:00  
				
					
						
							
							
								 
						
							
								d902a707a3 
								
							 
						 
						
							
							
								
								Fix Rails/CompactBlank cop ( #24690 )  
							
							
							
						 
						
							2023-04-30 14:07:21 +02:00  
				
					
						
							
							
								 
						
							
								5a2aa06a51 
								
							 
						 
						
							
							
								
								Fix Rails/Present cop ( #24688 )  
							
							
							
						 
						
							2023-04-30 06:47:50 +02:00  
				
					
						
							
							
								 
						
							
								49fad26eca 
								
							 
						 
						
							
							
								
								Drop EOL Ruby 2.7 ( #24237 )  
							
							
							
						 
						
							2023-04-27 01:46:18 +02:00  
				
					
						
							
							
								 
						
							
								4687967176 
								
							 
						 
						
							
							
								
								Autofix Rubocop Style/NumericLiterals ( #24468 )  
							
							
							
						 
						
							2023-04-23 22:30:07 +02:00  
				
					
						
							
							
								 
						
							
								5c499f54e3 
								
							 
						 
						
							
							
								
								Change root Chewy strategy to emit a warning instead of erroring out in production mode ( #24327 )  
							
							
							
						 
						
							2023-04-03 15:05:39 +02:00  
				
					
						
							
							
								 
						
							
								500d6f93be 
								
							 
						 
						
							
							
								
								Autofix Rubocop Style/IdenticalConditionalBranches ( #24322 )  
							
							
							
						 
						
							2023-03-31 09:33:52 +02:00  
				
					
						
							
							
								 
						
							
								a9b5598c97 
								
							 
						 
						
							
							
								
								Change user settings to be stored in a more optimal way ( #23630 )  
							
							... 
							
							
							
							Co-authored-by: Claire <claire.github-309c@sitedethib.com> 
							
						 
						
							2023-03-30 14:44:00 +02:00  
				
					
						
							
							
								 
						
							
								e084b5b82d 
								
							 
						 
						
							
							
								
								Fix user archive takeout when using OpenStack Swift or S3 providers with no ACL support ( #24200 )  
							
							
							
						 
						
							2023-03-27 17:07:37 +02:00  
				
					
						
							
							
								 
						
							
								f432db7b9f 
								
							 
						 
						
							
							
								
								Fix sidekiq jobs not triggering Elasticsearch index updates ( #24046 )  
							
							
							
						 
						
							2023-03-12 23:47:55 +01:00  
				
					
						
							
							
								 
						
							
								922837dc96 
								
							 
						 
						
							
							
								
								Upgrade to latest redis-rb 4.x and fix deprecations ( #23616 )  
							
							... 
							
							
							
							Co-authored-by: Jean Boussier <jean.boussier@gmail.com> 
							
						 
						
							2023-03-04 16:38:28 +01:00  
				
					
						
							
							
								 
						
							
								de137e6bb0 
								
							 
						 
						
							
							
								
								Added support for specifying S3 storage classes in environment ( #22480 )  
							
							
							
						 
						
							2023-03-03 20:53:37 +01:00  
				
					
						
							
							
								 
						
							
								c6ef56fd5e 
								
							 
						 
						
							
							
								
								Change rate limits to 1,500/5m per user, 300/5m per app ( #23347 )  
							
							
							
						 
						
							2023-02-02 00:07:49 +01:00  
				
					
						
							
							
								 
						
							
								596923da4a 
								
							 
						 
						
							
							
								
								Fix typos in source documentation ( #21046 )  
							
							... 
							
							
							
							Fixed 2 source comment/documentation typos 
							
						 
						
							2022-12-15 15:57:26 +01:00  
				
					
						
							
							
								 
						
							
								d587a268fd 
								
							 
						 
						
							
							
								
								Add logging for Rails cache timeouts ( #21667 )  
							
							... 
							
							
							
							* Reduce redis cache store connect timeout from default 20 seconds to 5 seconds
* Log cache store errors 
							
						 
						
							2022-11-27 20:37:37 +01:00  
				
					
						
							
							
								 
						
							
								7955d4b959 
								
							 
						 
						
							
							
								
								Add form-action CSP directive ( #20781 )  
							
							
							
						 
						
							2022-11-17 10:55:03 +01:00  
				
					
						
							
							
								 
						
							
								a2931d19ae 
								
							 
						 
						
							
							
								
								Add missing admin scopes ( fix   #20892 ) ( #20918 )  
							
							
							
						 
						
							2022-11-17 10:50:21 +01:00  
				
					
						
							
							
								 
						
							
								43b0b2f3f4 
								
							 
						 
						
							
							
								
								Fix wrong directive `unsafe-wasm-eval` to `wasm-unsafe-eval` ( #20729 )  
							
							
							
						 
						
							2022-11-15 03:39:06 +01:00  
				
					
						
							
							
								 
						
							
								b46b7c3d5e 
								
							 
						 
						
							
							
								
								Use "unsafe-wasm-eval" instead of "unsafe-eval" in script-src CSP ( #20606 )  
							
							... 
							
							
							
							* Add "unsafe-eval" to script-src CSP
* Use 'unsafe-wasm-eval' instead of 'unsafe-eval' 
							
						 
						
							2022-11-15 03:22:38 +01:00  
				
					
						
							
							
								 
						
							
								21fd25a269 
								
							 
						 
						
							
							
								
								Fix rate limiting for paths with formats ( #20675 )  
							
							
							
						 
						
							2022-11-14 20:26:31 +01:00  
				
					
						
							
							
								 
						
							
								9d039209cc 
								
							 
						 
						
							
							
								
								Add `Cache-Control` header to openstack-stored files ( #20610 )  
							
							... 
							
							
							
							When storing files in S3, paperclip is configured with a Cache-Control header
indicating the file is immutable, however no such header was added when using
OpenStack storage.
Luckily Paperclip's fog integration makes this trivial, with a simple
`fog_file` `Cache-Control` default doing the trick. 
							
						 
						
							2022-11-14 05:26:49 +01:00  
				
					
						
							
							
								 
						
							
								290d78cea4 
								
							 
						 
						
							
							
								
								Allow unsetting x-amz-acl S3 Permission headers ( #20510 )  
							
							... 
							
							
							
							Some "S3 Compatible" storage providers (Cloudflare R2 is one such example) don't support setting ACLs on individual uploads with the `x-amz-acl` header, and instead just have a visibility for the whole bucket. To support uploads to such providers without getting unsupported errors back, lets use a black `S3_PERMISSION` env var to indicate that these headers shouldn't be sent.
This is tested as working with Cloudflare R2. 
							
						 
						
							2022-11-13 06:57:10 +01:00  
				
					
						
							
							
								 
						
							
								aafbc82d88 
								
							 
						 
						
							
							
								
								Add "unsafe-eval" to script-src CSP ( #18817 )  
							
							
							
						 
						
							2022-10-26 19:23:16 +02:00  
				
					
						
							
							
								 
						
							
								bf0ab3e0fa 
								
							 
						 
						
							
							
								
								Fix vacuum scheduler missing lock, locks never expiring ( #19458 )  
							
							... 
							
							
							
							Remove vacuuming of orphaned preview cards 
							
						 
						
							2022-10-26 12:10:48 +02:00  
				
					
						
							
							
								 
						
							
								0d6b878808 
								
							 
						 
						
							
							
								
								Add user content translations with configurable backends ( #19218 )  
							
							
							
						 
						
							2022-09-23 23:00:12 +02:00  
				
					
						
							
							
								 
						
							
								546672e292 
								
							 
						 
						
							
							
								
								Change "Allow trends without prior review" setting to include statuses ( #17977 )  
							
							... 
							
							
							
							* Change "Allow trends without prior review" setting to include posts
* Fix i18n-tasks 
							
						 
						
							2022-08-28 04:00:39 +02:00  
				
					
						
							
							
								 
						
							
								861b35dd54 
								
							 
						 
						
							
							
								
								Support "http_hidden_proxy" ENV var for hidden service only proxy ( #18427 )  
							
							... 
							
							
							
							* Support "http_hidden_proxy" ENV var for hidden service only proxy
* Fallback to http_proxy if http_hidden_proxy is not set 
							
						 
						
							2022-08-25 04:41:14 +02:00  
				
					
						
							
							
								 
						
							
								e7aa2be828 
								
							 
						 
						
							
							
								
								Change how hashtags are normalized ( #18795 )  
							
							... 
							
							
							
							* Change how hashtags are normalized
* Fix tests 
							
						 
						
							2022-07-13 15:03:28 +02:00  
				
					
						
							
							
								 
						
							
								ae4f068a84 
								
							 
						 
						
							
							
								
								Fix CAS_DISPLAY_NAME, SAML_DISPLAY_NAME and OIDC_DISPLAY_NAME being ignored ( #18568 )  
							
							
							
						 
						
							2022-06-01 19:22:55 +02:00  
				
					
						
							
							
								 
						
							
								96129c2f10 
								
							 
						 
						
							
							
								
								Fix confirmation redirect to app without `Location` header ( #18523 )  
							
							
							
						 
						
							2022-05-26 22:03:54 +02:00  
				
					
						
							
							
								 
						
							
								679b7158e3 
								
							 
						 
						
							
							
								
								Change search indexing to use batches to minimize resource usage ( #18451 )  
							
							
							
						 
						
							2022-05-18 23:29:14 +02:00  
				
					
						
							
							
								 
						
							
								7b0fe4aef9 
								
							 
						 
						
							
							
								
								Fix opening and closing Redis connections instead of using a pool ( #18171 )  
							
							... 
							
							
							
							* Fix opening and closing Redis connections instead of using a pool
* Fix Redis connections not being returned to the pool in CLI commands 
							
						 
						
							2022-04-29 22:43:07 +02:00  
				
					
						
							
							
								 
						
							
								8284110c55 
								
							 
						 
						
							
							
								
								Fix stoplight not using REDIS_NAMESPACE ( #18160 )  
							
							
							
						 
						
							2022-04-28 18:11:31 +02:00  
				
					
						
							
							
								 
						
							
								3917353645 
								
							 
						 
						
							
							
								
								Fix single Redis connection being used across all threads ( #18135 )  
							
							... 
							
							
							
							* Fix single Redis connection being used across all Sidekiq threads
* Fix tests 
							
						 
						
							2022-04-28 17:47:34 +02:00  
				
					
						
							
							
								 
						
							
								6e418bf346 
								
							 
						 
						
							
							
								
								Fix cookies secure flag being set when served over Tor ( #17992 )  
							
							
							
						 
						
							2022-04-08 12:47:18 +02:00  
				
					
						
							
							
								 
						
							
								39b489ba4c 
								
							 
						 
						
							
							
								
								fix: `s3_force_single_request` not parsed ( #17922 )  
							
							
							
						 
						
							2022-04-01 23:56:23 +02:00  
				
					
						
							
							
								 
						
							
								cefa526c6d 
								
							 
						 
						
							
							
								
								Refactor formatter ( #17828 )  
							
							... 
							
							
							
							* Refactor formatter
* Move custom emoji pre-rendering logic to view helpers
* Move more methods out of Formatter
* Fix code style issues
* Remove Formatter
* Add inline poll options to RSS feeds
* Remove unused helper method
* Fix code style issues
* Various fixes and improvements
* Fix test 
							
						 
						
							2022-03-26 02:53:34 +01:00  
				
					
						
							
							
								 
						
							
								895212bb2f 
								
							 
						 
						
							
							
								
								Fix PgHero suggesting migrations ( #17807 )  
							
							... 
							
							
							
							* Fix PgHero suggesting migrations
Fixes  #17768 
* Keep migration suggestions in development env 
							
						 
						
							2022-03-15 20:27:49 +01:00  
				
					
						
							
							
								 
						
							
								eb9a7e3626 
								
							 
						 
						
							
							
								
								Fix LetterOpennerWeb CSP ( #17770 )  
							
							
							
						 
						
							2022-03-14 19:20:40 +01:00  
				
					
						
							
							
								 
						
							
								46ad7fea9d 
								
							 
						 
						
							
							
								
								Bump rack-attack from 6.5.0 to 6.6.0 ( #17405 )  
							
							... 
							
							
							
							* Bump rack-attack from 6.5.0 to 6.6.0
Bumps [rack-attack](https://github.com/rack/rack-attack ) from 6.5.0 to 6.6.0.
- [Release notes](https://github.com/rack/rack-attack/releases )
- [Changelog](https://github.com/rack/rack-attack/blob/master/CHANGELOG.md )
- [Commits](https://github.com/rack/rack-attack/compare/v6.5.0...v6.6.0 )
---
updated-dependencies:
- dependency-name: rack-attack
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* Fix usage of deprecated API
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Eugen Rochko <eugen@zeonfederated.com> 
							
						 
						
							2022-03-12 09:23:53 +01:00  
				
					
						
							
							
								 
						
							
								a6ed6845c9 
								
							 
						 
						
							
							
								
								Allow login through OpenID Connect ( #16221 )  
							
							... 
							
							
							
							* added OpenID Connect as an SSO option
* minor fixes
* added comments, removed an option that shouldn't be set
* fixed Gemfile.lock
* added newline to end of Gemfile.lock
* removed tab from Gemfile.lock
* remove chomp
* codeclimate changes and small name change to make function's purpose clearer
* codeclimate fix
* added SSO buttons to /about page
* minor refactor
* minor style change
* removed spurious change
* removed unecessary conditional from ensure_valid_username and added support for auth.info.name in user_params_from_auth
* minor changes 
							
						 
						
							2022-03-09 12:07:35 +01:00  
				
					
						
							
							
								 
						
							
								b5329e0035 
								
							 
						 
						
							
							
								
								Spelling ( #17705 )  
							
							... 
							
							
							
							* spelling: account
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: affiliated
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: appearance
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: autosuggest
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: cacheable
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: component
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: conversations
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: domain.example
Clarify what's distinct and use RFC friendly domain space.
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: environment
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: exceeds
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: functional
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: inefficiency
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: not
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: notifications
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: occurring
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: position
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: progress
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: promotable
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: reblogging
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: repetitive
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: resolve
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: saturated
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: similar
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: strategies
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: success
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: targeting
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: thumbnails
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: unauthorized
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: unsensitizes
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: validations
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: various
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
Co-authored-by: Josh Soref <jsoref@users.noreply.github.com> 
							
						 
						
							2022-03-06 22:51:40 +01:00  
				
					
						
							
							
								 
						
							
								73f5e4a1d9 
								
							 
						 
						
							
							
								
								Fix various typos ( #17621 )  
							
							... 
							
							
							
							Found via `codespell -q 3 -S ./CHANGELOG.md,./AUTHORS.md,./config/locales,./app/javascript/mastodon/locales -L ba,keypair,medias,ro` 
							
						 
						
							2022-02-22 20:14:17 +01:00  
				
					
						
							
							
								 
						
							
								8603a07504 
								
							 
						 
						
							
							
								
								Fix error when trying to register ( #17600 )  
							
							
							
						 
						
							2022-02-21 14:55:38 +01:00  
				
					
						
							
							
								 
						
							
f9e7f2e409
Avoid return within block (#17590)
This prevents the error: LocalJumpError (unexpected return)
2022-02-18 20:21:21 +01:00

1de2e3f980
Throttle IPv6 signup for subnet (#17588)
2022-02-18 13:51:51 +01:00

cfa583fa71
Remove support for OAUTH_REDIRECT_AT_SIGN_IN (#17287)
Fixes #15959
Introduced in #6540, OAUTH_REDIRECT_AT_SIGN_IN allowed skipping the log-in form
to instead redirect to the external OmniAuth login provider.
However, it did not prevent the log-in form on /about introduced by #10232 from
appearing, and completely broke with the introduction of #15228.
As restoring that previous log-in flow without introducing a security
vulnerability may require extensive care and knowledge of how OmniAuth works,
this commit removes support for OAUTH_REDIRECT_AT_SIGN_IN instead for the time
being.
2022-01-23 15:50:41 +01:00

8e84ebf0cb
Remove IP tracking columns from users table (#16409)
2022-01-16 13:23:50 +01:00

ea61d3acd6
Fix media API limit (#17272)
2022-01-10 14:25:24 +01:00

fe71548844
Fix warnings on Rails boot (#16946)
2021-12-27 00:47:20 +01:00

06631fdc53
Fix ElasticSearch to Elasticsearch (#17050)
2021-11-26 08:30:02 +01:00

3419d3ec84
Bump chewy from 5.2.0 to 7.2.3 (supports Elasticsearch 7.x) (#16915)
* Bump chewy from 5.2.0 to 7.2.2
* fix style (codeclimate)
* fix style
* fix style
* Bump chewy from 7.2.2 to 7.2.3
2021-11-18 22:02:08 +01:00

6da135a493
Fix reviving revoked sessions and invalidating login (#16943)
Up until now, we have used Devise's Rememberable mechanism to re-log users
after the end of their browser sessions. This mechanism relies on a signed
cookie containing a token. That token was stored on the user's record,
meaning it was shared across all logged in browsers, meaning truly revoking
a browser's ability to auto-log-in involves revoking the token itself, and
revoking access from *all* logged-in browsers.
We had a session mechanism that dynamically checks whether a user's session
has been disabled, and would log out the user if so. However, this would only
clear a session being actively used, and a new one could be respawned with
the `remember_user_token` cookie.
In practice, this caused two issues:
- sessions could be revived after being closed from /auth/edit (security issue)
- auto-log-in would be disabled for *all* browsers after logging out from one
  of them
This PR removes the `remember_token` mechanism and treats the `_session_id`
cookie/token as a browser-specific `remember_token`, fixing both issues.
2021-11-06 00:13:58 +01:00

c8ce728705
Support authentication for ElasticSearch (#16890)
* Support authentication for ElasticSearch
* Fix chewy auth settings
2021-10-24 17:20:03 +02:00

b21f3aa21d
Minor memory optimizations (#16507)
Reduce constant memory usage by ~100kB and further reduce boot-up memory
allocations and temporary memory use by a further ~200kB.
2021-10-14 21:04:57 +02:00

2ed1c92c63
New env variable: CAS_SECURITY_ASSUME_EMAIL_IS_VERIFIED (#16655)
When using a CAS server, the users only have a temporary email
`change@me-foo-cas.com` which can only be changed by an
administrator.
We need a new environment variable like for SAML to assume the email
from CAS is verified.
* config/initializers/omniauth.rb: define CAS option for assuming
  emails are always verified.
* .env.nanobox: add new variable as an example.
2021-08-25 18:41:24 +02:00

211d5c3c30
Fix inefficiencies in auto-linking code (#16506)
The auto-linking code basically rewrote the whole string escaping non-ASCII
characters in an inefficient way, and building a full character offset map
between the unescaped and escaped texts before sending the contents to
TwitterText's extractor.
Instead of doing that, this commit changes the TwitterText regexps to include
valid IRI characters in addition to valid URI characters.
2021-07-15 15:56:58 +02:00