closed-social
/
mastodon
3
0
Fork 2
Code Issues 5 Pull Requests 0 Projects 0 Releases 3 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9877 Commits
4 Branches
567 MiB
Tree: 1045549f85
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '1045549f85'
${ noResults }
mastodon/app/controllers/application_controller.rb

150 lines
4.0 KiB
Raw Normal View History

Fix rubocop issues, introduce usage of frozen literal to improve performance
7 years ago
Initial commit
8 years ago
Fixing FanOutOnWriteService, fixing Sidekiq not having enough DB connections in the pool, adding a throttle of 60rpm per IP, adding mini profiler, adding admin status to users
8 years ago
Return force_ssl to the controller (#2380)
7 years ago
Fix #1165 - before_action was called before protect_from_forgery
7 years ago
Extract user tracking into concern (#2600)
7 years ago
Update session activation time (fixes #5605) (#7408)
6 years ago
Add (back) rails-level JSON caching (#11333)
4 years ago
Add whitelist mode (#11291)
4 years ago
Make file attachment on MediaAttachment optional (#1865) Create MediaAttachment but without actual file download when domain is blocked with reject_media set to true Clean up old media files when creating a new domain block with reject_media set to true Return remote_url in media attachments API if local file is not present Undo domain block action in admin UI Ability to enable reject_media from admin UI
7 years ago
Bind web UI access tokens to sessions (#3940) * Add overview of active sessions * Better display of browser/platform name * Improve how browser information is stored and displayed for sessions overview * Fix test * Fix #2347 - Bind web UI access token to session When you logout, session also destroys the access token, so it's no longer valid. If access token is destroyed some other way, the session is also destroyed, requiring a re-login. Fix #1681 - Add scheduler to remove revoked access tokens and grants * Fix test
6 years ago
Add support for multiple themes (#4959) * Add support for selecting a theme * Fix codeclimate issues * Look up site default style if current user is not available due to e.g. not being logged in * Remove outdated comment in common.js * Address requested changes in themes PR * Fix codeclimate issues * Explicitly check current_account in application controller and only check theme availability if non-nil * codeclimate * explicit precedence with && * Fix code style in application_controller according to @nightpool's suggestion, use default style in embedded.html.haml * codeclimate: indentation + return
6 years ago
Make file attachment on MediaAttachment optional (#1865) Create MediaAttachment but without actual file download when domain is blocked with reject_media set to true Clean up old media files when creating a new domain block with reject_media set to true Return remote_url in media attachments API if local file is not present Undo domain block action in admin UI Ability to enable reject_media from admin UI
7 years ago
Fix #942: Seamless LDAP login (#6556)
6 years ago
Add whitelist mode (#11291)
4 years ago
Adding React.js, Redux, revamping dashboard
7 years ago
Fix local follows, 404 in logs
7 years ago
Add nice error page for CSRF errors/cookie issue, and fix error page handling altogether
7 years ago
Catch ActionController::UnknownFormat and return HTTP 406 (#7621) An error like that should not appear in production error log.
6 years ago
Fix uncaught parameter missing exceptions and missing error templates (#11702)
4 years ago
Fix base64-encoded file uploads not being possible (#12748) Fix #3804, Fix #5776
4 years ago
Fix uncaught parameter missing exceptions and missing error templates (#11702)
4 years ago
Add moderator role and add pundit policies for admin actions (#5635) * Add moderator role and add pundit policies for admin actions * Add rake task for turning user into mod and revoking it again * Fix handling of unauthorized exception * Deliver new report e-mails to staff, not just admins * Add promote/demote to admin UI, hide some actions conditionally * Fix unused i18n
6 years ago
Fix uncaught 422 and 500 errors (#11590)
4 years ago
Add stoplight for object storage failures, return HTTP 503 (#13043)
3 years ago
Add specific rate limits for posting and following (#13172)
4 years ago
Fix local follows, 404 in logs
7 years ago
Fix sign-in redirecting "back" to a missing image because missing static files hit the raise_not_found method
7 years ago
Change unconfirmed user login behaviour (#11375) Allow access to account settings, 2FA, authorized applications, and account deletions to unconfirmed and pending users, as well as users who had their accounts disabled. Suspended users cannot update their e-mail or password or delete their account. Display account status on account settings page, for example, when an account is frozen, limited, unconfirmed or pending review. After sign up, login users straight away and show a simple page that tells them the status of their account with links to account settings and logout, to reduce onboarding friction and allow users to correct wrongly typed e-mail addresses. Move the final sign-up step of SSO integrations to be the same as above to reduce code duplication.
4 years ago
Redirect after sign in to previous page (unless it's a sign in/up/etc page)
7 years ago
Fix 422 being returned instead of 404 when POSTing (#11574)
4 years ago
Fix local follows, 404 in logs
7 years ago
Improve code style
7 years ago
Fix local follows, 404 in logs
7 years ago
Redirect after sign in to previous page (unless it's a sign in/up/etc page)
7 years ago
Return force_ssl to the controller (#2380)
7 years ago
Add healthcheck endpoint for web (#11770)
4 years ago
Return force_ssl to the controller (#2380)
7 years ago
Add ActivityPub secure mode (#11269) * Add HTTP signature requirement for served ActivityPub resources * Change `SECURE_MODE` to `AUTHORIZED_FETCH` * Add 'Signature' to 'Vary' header and improve code style * Improve code style by adding `public_fetch_mode?` method
4 years ago
Add whitelist mode (#11291)
4 years ago
Add ActivityPub secure mode (#11269) * Add HTTP signature requirement for served ActivityPub resources * Change `SECURE_MODE` to `AUTHORIZED_FETCH` * Add 'Signature' to 'Vary' header and improve code style * Improve code style by adding `public_fetch_mode?` method
4 years ago
Redirect after sign in to previous page (unless it's a sign in/up/etc page)
7 years ago
Fix RSS feeds not being cachable (#14368) * Add tests for some cachable responses This only covers responses that we should have managed to make cachable so far. It's not the case of all responses that should be cachable in the end. * Fix RSS feeds not being cachable
3 years ago
Redirect after sign in to previous page (unless it's a sign in/up/etc page)
7 years ago
Add simple admin overview of PuSH subscriptions
7 years ago
Improve require_admin! and require_staff! filters (#7018) Previously these returns 302 redirects instead of 403s, which meant posting links to admin pages in slack caused them to unfurl, rather than stay as a link. Additionally, require_admin! doesn't appear to be actively used, on require_staff!
6 years ago
Add simple admin overview of PuSH subscriptions
7 years ago
Add moderator role and add pundit policies for admin actions (#5635) * Add moderator role and add pundit policies for admin actions * Add rake task for turning user into mod and revoking it again * Fix handling of unauthorized exception * Deliver new report e-mails to staff, not just admins * Add promote/demote to admin UI, hide some actions conditionally * Fix unused i18n
6 years ago
Improve require_admin! and require_staff! filters (#7018) Previously these returns 302 redirects instead of 403s, which meant posting links to admin pages in slack caused them to unfurl, rather than stay as a link. Additionally, require_admin! doesn't appear to be actively used, on require_staff!
6 years ago
Add moderator role and add pundit policies for admin actions (#5635) * Add moderator role and add pundit policies for admin actions * Add rake task for turning user into mod and revoking it again * Fix handling of unauthorized exception * Deliver new report e-mails to staff, not just admins * Add promote/demote to admin UI, hide some actions conditionally * Fix unused i18n
6 years ago
Change unconfirmed user login behaviour (#11375) Allow access to account settings, 2FA, authorized applications, and account deletions to unconfirmed and pending users, as well as users who had their accounts disabled. Suspended users cannot update their e-mail or password or delete their account. Display account status on account settings page, for example, when an account is frozen, limited, unconfirmed or pending review. After sign up, login users straight away and show a simple page that tells them the status of their account with links to account settings and logout, to reduce onboarding friction and allow users to correct wrongly typed e-mail addresses. Move the final sign-up step of SSO integrations to be the same as above to reduce code duplication.
4 years ago
Add filters for suspended accounts
7 years ago
Add "signed in as" header to some pages (#4523)
6 years ago
Fix tests
7 years ago
Add force_login option to OAuth authorize page (#8655) * Add force_login option to OAuth authorize page For when a user needs to sign into an app from multiple accounts on the same server * When logging out from modal header, redirect back after re-login
5 years ago
Error responses cleanup (#2692) * Use respond_with_error for forbidden errors * Wrap up common error code into single method
7 years ago
Fix local follows, 404 in logs
7 years ago
Error responses cleanup (#2692) * Use respond_with_error for forbidden errors * Wrap up common error code into single method
7 years ago
Add nice error page for CSRF errors/cookie issue, and fix error page handling altogether
7 years ago
Error responses cleanup (#2692) * Use respond_with_error for forbidden errors * Wrap up common error code into single method
7 years ago
ActivityPub: Add basic, read-only support for Outboxes, Notes, and Create/Announce Activities (#2197) * Clean up collapsible components * Expose user Outboxes and AS2 representations of statuses * Save work thus far. * Fix bad merge. * Save my work * Clean up pagination. * First test working. * Add tests. * Add Forbidden error template. * Revert yarn.lock changes. * Fix code style deviations and use localized instead of hardcoded English text.
7 years ago
Add nice error page for CSRF errors/cookie issue, and fix error page handling altogether
7 years ago
Error responses cleanup (#2692) * Use respond_with_error for forbidden errors * Wrap up common error code into single method
7 years ago
Catching more exceptions that slipped through, removing AR logging from production as it's very verbose and not very useful
7 years ago
Catch ActionController::UnknownFormat and return HTTP 406 (#7621) An error like that should not appear in production error log.
6 years ago
Fix uncaught parameter missing exceptions and missing error templates (#11702)
4 years ago
Fix uncaught 422 and 500 errors (#11590)
4 years ago
Fix uncaught parameter missing exceptions and missing error templates (#11702)
4 years ago
Add specific rate limits for posting and following (#13172)
4 years ago
Give SINGLE_USER a chance to register (#1820) An attempt to open a brand new Mastodon instance configured as SINGLE_USER_MODE=true will cause an exception. Enable temporary registration if we have no users in the database Fixes #1817
7 years ago
Add ActivityPub actor representing the entire server (#11321) * Add support for an instance actor * Skip username validation for local Application accounts * Add migration script to create instance actor * Make Codeclimate happy * Switch to id -99 for instance actor * Remove unused `icon` and `image` attributes from instance actor * Use if/elsif/else instead of return + ternary operator * Add instance actor to fresh installs * Use instance actor as instance representative Use instance actor for forwarding reports, relay operations, and spam auto-reporting. * Seed database in test environment * Fix single-user mode * Fix tests * Fix specs to accomodate for an extra `Account` * Auto-reject follows on instance actor Following an instance actor might make sense, but we are not handling that right now, so auto-reject. * Fix webfinger lookup and serialization for instance actor * Rename instance actor * Make it clear in the HTML view that the instance actor should not be blocked * Raise cache time for instance actor as there's no dynamic content * Re-use /about/more with a flash message for instance actor profile
4 years ago
Give SINGLE_USER a chance to register (#1820) An attempt to open a brand new Mastodon instance configured as SINGLE_USER_MODE=true will cause an exception. Enable temporary registration if we have no users in the database Fixes #1817
7 years ago
Fix #942: Seamless LDAP login (#6556)
6 years ago
pam authentication (#5303) * add pam support, without extra column * bugfixes for pam login * document options * fix code style * fix codestyle * fix tests * don't call remember_me without password * fix codestyle * improve checks for pam usage (should fix tests) * fix remember_me part 1 * add remember_token column because :rememberable requires either a password or this column. * migrate db for remember_token * move pam_authentication to the right place, fix logic bug in edit.html.haml * fix tests * fix pam authentication, improve username lookup, add comment * valid? is sometimes not honored, return nil instead trying to authenticate with pam * update devise_pam_authenticatable2 and adjust code. Fixes sideeffects observed in tests * update devise_pam_authenticatable gem, fixes for codeconventions, fix finding user * codeconvention fixes * code convention fixes * fix idention * update dependency, explicit conflict check * fix disabled password updates if in pam mode * fix check password if password is present, fix templates * block registration if account is maintained by pam * Revert "block registration if account is maintained by pam" This reverts commit 8e7a083d650240b6fac414926744b4b90b435f20. * fix identation error introduced by rebase * block usernames maintained by pam * document pam settings better * fix code style
6 years ago
Fix tests
7 years ago
Fix unnecessary SQL query performed on unauthenticated requests (#11179)
4 years ago
Fix tests
7 years ago
Unify collection caching code
7 years ago
Bind web UI access tokens to sessions (#3940) * Add overview of active sessions * Better display of browser/platform name * Improve how browser information is stored and displayed for sessions overview * Fix test * Fix #2347 - Bind web UI access token to session When you logout, session also destroys the access token, so it's no longer valid. If access token is destroyed some other way, the session is also destroyed, requiring a re-login. Fix #1681 - Add scheduler to remove revoked access tokens and grants * Fix test
6 years ago
Fix unnecessary SQL query performed on unauthenticated requests (#11179)
4 years ago
Bind web UI access tokens to sessions (#3940) * Add overview of active sessions * Better display of browser/platform name * Improve how browser information is stored and displayed for sessions overview * Fix test * Fix #2347 - Bind web UI access token to session When you logout, session also destroys the access token, so it's no longer valid. If access token is destroyed some other way, the session is also destroyed, requiring a re-login. Fix #1681 - Add scheduler to remove revoked access tokens and grants * Fix test
6 years ago
Add support for multiple themes (#4959) * Add support for selecting a theme * Fix codeclimate issues * Look up site default style if current user is not available due to e.g. not being logged in * Remove outdated comment in common.js * Address requested changes in themes PR * Fix codeclimate issues * Explicitly check current_account in application controller and only check theme availability if non-nil * codeclimate * explicit precedence with && * Fix code style in application_controller according to @nightpool's suggestion, use default style in embedded.html.haml * codeclimate: indentation + return
6 years ago
Add ability to change an instance default theme from the administration panel (#7092) (#8381) * Add default_settings class method to ScopedSettings ScopedSettings was extended to use value of unscoped setting instead of only using defaults set in config/settings.yml for selected settings. This adds possibility for admins to set default values of users' settings, for example default theme (as requested in #7092). * Add ability to change an instance default theme Closes #7092
5 years ago
Add support for multiple themes (#4959) * Add support for selecting a theme * Fix codeclimate issues * Look up site default style if current user is not available due to e.g. not being logged in * Remove outdated comment in common.js * Address requested changes in themes PR * Fix codeclimate issues * Explicitly check current_account in application controller and only check theme availability if non-nil * codeclimate * explicit precedence with && * Fix code style in application_controller according to @nightpool's suggestion, use default style in embedded.html.haml * codeclimate: indentation + return
6 years ago
Fix #2195 - Set locale to error pages (#2255) * Fix #2195 - Set locale to error pages * Fix #2195 - Cut duplicate process into one method
7 years ago
Fix HTML error pages being returned when JSON is expected (#12713) Fix #12509 See also #12214
4 years ago
Fix #2195 - Set locale to error pages (#2255) * Fix #2195 - Set locale to error pages * Fix #2195 - Cut duplicate process into one method
7 years ago
Initial commit
8 years ago
 
  1. # frozen_string_literal: true
  2. 

  3. class ApplicationController < ActionController::Base
  4.   # Prevent CSRF attacks by raising an exception.
  5.   # For APIs, you may want to use :null_session instead.
  6.   protect_from_forgery with: :exception
  7. 

  8.   force_ssl if: :https_enabled?
  9. 

  10.   include Localized
  11.   include UserTrackingConcern
  12.   include SessionTrackingConcern
  13.   include CacheConcern
  14.   include DomainControlHelper
  15. 

  16.   helper_method :current_account
  17.   helper_method :current_session
  18.   helper_method :current_theme
  19.   helper_method :single_user_mode?
  20.   helper_method :use_seamless_external_login?
  21.   helper_method :whitelist_mode?
  22. 

  23.   rescue_from ActionController::RoutingError, with: :not_found
  24.   rescue_from ActionController::InvalidAuthenticityToken, with: :unprocessable_entity
  25.   rescue_from ActionController::UnknownFormat, with: :not_acceptable
  26.   rescue_from ActionController::ParameterMissing, with: :bad_request
  27.   rescue_from Paperclip::AdapterRegistry::NoHandlerError, with: :bad_request
  28.   rescue_from ActiveRecord::RecordNotFound, with: :not_found
  29.   rescue_from Mastodon::NotPermittedError, with: :forbidden
  30.   rescue_from HTTP::Error, OpenSSL::SSL::SSLError, with: :internal_server_error
  31.   rescue_from Mastodon::RaceConditionError, Seahorse::Client::NetworkingError, Stoplight::Error::RedLight, with: :service_unavailable
  32.   rescue_from Mastodon::RateLimitExceededError, with: :too_many_requests
  33. 

  34.   before_action :store_current_location, except: :raise_not_found, unless: :devise_controller?
  35.   before_action :require_functional!, if: :user_signed_in?
  36. 

  37.   skip_before_action :verify_authenticity_token, only: :raise_not_found
  38. 

  39.   def raise_not_found
  40.     raise ActionController::RoutingError, "No route matches #{params[:unmatched_route]}"
  41.   end
  42. 

  43.   private
  44. 

  45.   def https_enabled?
  46.     Rails.env.production? && !request.path.start_with?('/health')
  47.   end
  48. 

  49.   def authorized_fetch_mode?
  50.     ENV['AUTHORIZED_FETCH'] == 'true' || Rails.configuration.x.whitelist_mode
  51.   end
  52. 

  53.   def public_fetch_mode?
  54.     !authorized_fetch_mode?
  55.   end
  56. 

  57.   def store_current_location
  58.     store_location_for(:user, request.url) unless [:json, :rss].include?(request.format&.to_sym)
  59.   end
  60. 

  61.   def require_admin!
  62.     forbidden unless current_user&.admin?
  63.   end
  64. 

  65.   def require_staff!
  66.     forbidden unless current_user&.staff?
  67.   end
  68. 

  69.   def require_functional!
  70.     redirect_to edit_user_registration_path unless current_user.functional?
  71.   end
  72. 

  73.   def after_sign_out_path_for(_resource_or_scope)
  74.     new_user_session_path
  75.   end
  76. 

  77.   protected
  78. 

  79.   def truthy_param?(key)
  80.     ActiveModel::Type::Boolean.new.cast(params[key])
  81.   end
  82. 

  83.   def forbidden
  84.     respond_with_error(403)
  85.   end
  86. 

  87.   def not_found
  88.     respond_with_error(404)
  89.   end
  90. 

  91.   def gone
  92.     respond_with_error(410)
  93.   end
  94. 

  95.   def unprocessable_entity
  96.     respond_with_error(422)
  97.   end
  98. 

  99.   def not_acceptable
  100.     respond_with_error(406)
  101.   end
  102. 

  103.   def bad_request
  104.     respond_with_error(400)
  105.   end
  106. 

  107.   def internal_server_error
  108.     respond_with_error(500)
  109.   end
  110. 

  111.   def service_unavailable
  112.     respond_with_error(503)
  113.   end
  114. 

  115.   def too_many_requests
  116.     respond_with_error(429)
  117.   end
  118. 

  119.   def single_user_mode?
  120.     @single_user_mode ||= Rails.configuration.x.single_user_mode && Account.where('id > 0').exists?
  121.   end
  122. 

  123.   def use_seamless_external_login?
  124.     Devise.pam_authentication || Devise.ldap_authentication
  125.   end
  126. 

  127.   def current_account
  128.     return @current_account if defined?(@current_account)
  129. 

  130.     @current_account = current_user&.account
  131.   end
  132. 

  133.   def current_session
  134.     return @current_session if defined?(@current_session)
  135. 

  136.     @current_session = SessionActivation.find_by(session_id: cookies.signed['_session_id']) if cookies.signed['_session_id'].present?
  137.   end
  138. 

  139.   def current_theme
  140.     return Setting.theme unless Themes.instance.names.include? current_user&.setting_theme
  141.     current_user.setting_theme
  142.   end
  143. 

  144.   def respond_with_error(code)
  145.     respond_to do |format|
  146.       format.any  { render "errors/#{code}", layout: 'error', status: code, formats: [:html] }
  147.       format.json { render json: { error: Rack::Utils::HTTP_STATUS_CODES[code] }, status: code }
  148.     end
  149.   end
  150. end