closed-social
/
mastodon
3
0
Fork 2
Code Issues 5 Pull Requests 0 Projects 0 Releases 3 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9435 Commits
4 Branches
567 MiB
Tree: 6c0428b7d8
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '6c0428b7d8'
${ noResults }
mastodon/app/controllers/application_controller.rb

238 lines
7.2 KiB
Raw Normal View History

Fix rubocop issues, introduce usage of frozen literal to improve performance
8 years ago
Initial commit
8 years ago
Fixing FanOutOnWriteService, fixing Sidekiq not having enough DB connections in the pool, adding a throttle of 60rpm per IP, adding mini profiler, adding admin status to users
8 years ago
Return force_ssl to the controller (#2380)
7 years ago
Fix #1165 - before_action was called before protect_from_forgery
7 years ago
Extract user tracking into concern (#2600)
7 years ago
Update session activation time (fixes #5605) (#7408)
6 years ago
Make file attachment on MediaAttachment optional (#1865) Create MediaAttachment but without actual file download when domain is blocked with reject_media set to true Clean up old media files when creating a new domain block with reject_media set to true Return remote_url in media attachments API if local file is not present Undo domain block action in admin UI Ability to enable reject_media from admin UI
7 years ago
Bind web UI access tokens to sessions (#3940) * Add overview of active sessions * Better display of browser/platform name * Improve how browser information is stored and displayed for sessions overview * Fix test * Fix #2347 - Bind web UI access token to session When you logout, session also destroys the access token, so it's no longer valid. If access token is destroyed some other way, the session is also destroyed, requiring a re-login. Fix #1681 - Add scheduler to remove revoked access tokens and grants * Fix test
7 years ago
Rename themes -> flavours ? ?
7 years ago
Skins support
7 years ago
Make file attachment on MediaAttachment optional (#1865) Create MediaAttachment but without actual file download when domain is blocked with reject_media set to true Clean up old media files when creating a new domain block with reject_media set to true Return remote_url in media attachments API if local file is not present Undo domain block action in admin UI Ability to enable reject_media from admin UI
7 years ago
Fix #942: Seamless LDAP login (#6556)
6 years ago
Adding React.js, Redux, revamping dashboard
8 years ago
Fix local follows, 404 in logs
8 years ago
Add nice error page for CSRF errors/cookie issue, and fix error page handling altogether
7 years ago
Catch ActionController::UnknownFormat and return HTTP 406 (#7621) An error like that should not appear in production error log.
6 years ago
Add moderator role and add pundit policies for admin actions (#5635) * Add moderator role and add pundit policies for admin actions * Add rake task for turning user into mod and revoking it again * Fix handling of unauthorized exception * Deliver new report e-mails to staff, not just admins * Add promote/demote to admin UI, hide some actions conditionally * Fix unused i18n
7 years ago
Fix local follows, 404 in logs
8 years ago
Fix sign-in redirecting "back" to a missing image because missing static files hit the raise_not_found method
8 years ago
Allow mods to disable login, improve message when login disabled (#8329) * Allow moderators to disable/enable login * Instead of rejecting login, show forbidden error when login disabled Avoid confusion because when login is rejected, the message is that the account is not activated, which is wrong. * Fix tests
6 years ago
Redirect after sign in to previous page (unless it's a sign in/up/etc page)
8 years ago
Fix local follows, 404 in logs
8 years ago
Improve code style
8 years ago
Fix local follows, 404 in logs
8 years ago
Redirect after sign in to previous page (unless it's a sign in/up/etc page)
8 years ago
Return force_ssl to the controller (#2380)
7 years ago
Fix force_ssl conditional (#6201)
6 years ago
Return force_ssl to the controller (#2380)
7 years ago
Redirect after sign in to previous page (unless it's a sign in/up/etc page)
8 years ago
Fix #6526: Only store redirect location if not in JSON format (#6528)
6 years ago
Redirect after sign in to previous page (unless it's a sign in/up/etc page)
8 years ago
Add simple admin overview of PuSH subscriptions
8 years ago
Improve require_admin! and require_staff! filters (#7018) Previously these returns 302 redirects instead of 403s, which meant posting links to admin pages in slack caused them to unfurl, rather than stay as a link. Additionally, require_admin! doesn't appear to be actively used, on require_staff!
6 years ago
Add simple admin overview of PuSH subscriptions
8 years ago
Add moderator role and add pundit policies for admin actions (#5635) * Add moderator role and add pundit policies for admin actions * Add rake task for turning user into mod and revoking it again * Fix handling of unauthorized exception * Deliver new report e-mails to staff, not just admins * Add promote/demote to admin UI, hide some actions conditionally * Fix unused i18n
7 years ago
Improve require_admin! and require_staff! filters (#7018) Previously these returns 302 redirects instead of 403s, which meant posting links to admin pages in slack caused them to unfurl, rather than stay as a link. Additionally, require_admin! doesn't appear to be actively used, on require_staff!
6 years ago
Add moderator role and add pundit policies for admin actions (#5635) * Add moderator role and add pundit policies for admin actions * Add rake task for turning user into mod and revoking it again * Fix handling of unauthorized exception * Deliver new report e-mails to staff, not just admins * Add promote/demote to admin UI, hide some actions conditionally * Fix unused i18n
7 years ago
Allow mods to disable login, improve message when login disabled (#8329) * Allow moderators to disable/enable login * Instead of rejecting login, show forbidden error when login disabled Avoid confusion because when login is rejected, the message is that the account is not activated, which is wrong. * Fix tests
6 years ago
Add filters for suspended accounts
8 years ago
Add "signed in as" header to some pages (#4523)
7 years ago
Skins support
7 years ago
Finalized theme loading and stuff
7 years ago
Fix common packs when other pack also there
7 years ago
Rename themes -> flavours ? ?
7 years ago
Finalized theme loading and stuff
7 years ago
Skins support
7 years ago
Javascript intl8n flavour support
7 years ago
Finalized theme loading and stuff
7 years ago
Skins support
7 years ago
Finalized theme loading and stuff
7 years ago
Skins support
7 years ago
Finalized theme loading and stuff
7 years ago
Rename themes -> flavours ? ?
7 years ago
Finalized theme loading and stuff
7 years ago
Skins support
7 years ago
Javascript intl8n flavour support
7 years ago
Finalized theme loading and stuff
7 years ago
Skins support
7 years ago
Finalized theme loading and stuff
7 years ago
Skins support
7 years ago
Rename themes -> flavours ? ?
7 years ago
Skins shouldn't apply to fallback flavours
7 years ago
Finalized theme loading and stuff
7 years ago
Skins shouldn't apply to fallback flavours
7 years ago
Finalized theme loading and stuff
7 years ago
Skins support
7 years ago
Finalized theme loading and stuff
7 years ago
Skins shouldn't apply to fallback flavours
7 years ago
Finalized theme loading and stuff
7 years ago
Rename themes -> flavours ? ?
7 years ago
Finalized theme loading and stuff
7 years ago
Fix tests
8 years ago
Add force_login option to OAuth authorize page (#8655) * Add force_login option to OAuth authorize page For when a user needs to sign into an app from multiple accounts on the same server * When logging out from modal header, redirect back after re-login
6 years ago
Error responses cleanup (#2692) * Use respond_with_error for forbidden errors * Wrap up common error code into single method
7 years ago
Fix local follows, 404 in logs
8 years ago
Error responses cleanup (#2692) * Use respond_with_error for forbidden errors * Wrap up common error code into single method
7 years ago
Add nice error page for CSRF errors/cookie issue, and fix error page handling altogether
7 years ago
Error responses cleanup (#2692) * Use respond_with_error for forbidden errors * Wrap up common error code into single method
7 years ago
ActivityPub: Add basic, read-only support for Outboxes, Notes, and Create/Announce Activities (#2197) * Clean up collapsible components * Expose user Outboxes and AS2 representations of statuses * Save work thus far. * Fix bad merge. * Save my work * Clean up pagination. * First test working. * Add tests. * Add Forbidden error template. * Revert yarn.lock changes. * Fix code style deviations and use localized instead of hardcoded English text.
7 years ago
Add nice error page for CSRF errors/cookie issue, and fix error page handling altogether
7 years ago
Error responses cleanup (#2692) * Use respond_with_error for forbidden errors * Wrap up common error code into single method
7 years ago
Catching more exceptions that slipped through, removing AR logging from production as it's very verbose and not very useful
8 years ago
Catch ActionController::UnknownFormat and return HTTP 406 (#7621) An error like that should not appear in production error log.
6 years ago
Give SINGLE_USER a chance to register (#1820) An attempt to open a brand new Mastodon instance configured as SINGLE_USER_MODE=true will cause an exception. Enable temporary registration if we have no users in the database Fixes #1817
7 years ago
Change "Account.any?" to "Account.exists?" (#3217)
7 years ago
Give SINGLE_USER a chance to register (#1820) An attempt to open a brand new Mastodon instance configured as SINGLE_USER_MODE=true will cause an exception. Enable temporary registration if we have no users in the database Fixes #1817
7 years ago
Fix #942: Seamless LDAP login (#6556)
6 years ago
pam authentication (#5303) * add pam support, without extra column * bugfixes for pam login * document options * fix code style * fix codestyle * fix tests * don't call remember_me without password * fix codestyle * improve checks for pam usage (should fix tests) * fix remember_me part 1 * add remember_token column because :rememberable requires either a password or this column. * migrate db for remember_token * move pam_authentication to the right place, fix logic bug in edit.html.haml * fix tests * fix pam authentication, improve username lookup, add comment * valid? is sometimes not honored, return nil instead trying to authenticate with pam * update devise_pam_authenticatable2 and adjust code. Fixes sideeffects observed in tests * update devise_pam_authenticatable gem, fixes for codeconventions, fix finding user * codeconvention fixes * code convention fixes * fix idention * update dependency, explicit conflict check * fix disabled password updates if in pam mode * fix check password if password is present, fix templates * block registration if account is maintained by pam * Revert "block registration if account is maintained by pam" This reverts commit 8e7a083d650240b6fac414926744b4b90b435f20. * fix identation error introduced by rebase * block usernames maintained by pam * document pam settings better * fix code style
6 years ago
Fix tests
8 years ago
Rename "publish" to "toot" in english locale, fix lightbox showing old image before loading new one, cache notifications API, fix missing follow button on public profiles
8 years ago
Fix tests
8 years ago
Unify collection caching code
8 years ago
Bind web UI access tokens to sessions (#3940) * Add overview of active sessions * Better display of browser/platform name * Improve how browser information is stored and displayed for sessions overview * Fix test * Fix #2347 - Bind web UI access token to session When you logout, session also destroys the access token, so it's no longer valid. If access token is destroyed some other way, the session is also destroyed, requiring a re-login. Fix #1681 - Add scheduler to remove revoked access tokens and grants * Fix test
7 years ago
Fix #4058 - Use a long-lived cookie to keep track of user-level sessions (#4091) * Fix #4058 - Use a long-lived cookie to keep track of user-level sessions * Fix tests, smooth migrate from previous session-based identifier
7 years ago
Bind web UI access tokens to sessions (#3940) * Add overview of active sessions * Better display of browser/platform name * Improve how browser information is stored and displayed for sessions overview * Fix test * Fix #2347 - Bind web UI access token to session When you logout, session also destroys the access token, so it's no longer valid. If access token is destroyed some other way, the session is also destroyed, requiring a re-login. Fix #1681 - Add scheduler to remove revoked access tokens and grants * Fix test
7 years ago
Rename themes -> flavours ? ?
7 years ago
Merge branch 'master' into glitch-soc/merge-upstream Conflicts: app/controllers/application_controller.rb Changed instance theme selection by instance flavour selection.
6 years ago
Rename themes -> flavours ? ?
7 years ago
Skins support
7 years ago
Merge branch 'master' into glitch-soc/merge-upstream Conflicts: app/controllers/application_controller.rb Changed instance theme selection by instance flavour selection.
6 years ago
Skins support
7 years ago
Unify collection caching code
8 years ago
Further abstract caching for includes
8 years ago
Fix #248 - Reload all accounts when fetching from cache
8 years ago
Unuse ActiveRecord::Base#cache_key (#8185) * Unuse ActiveRecord::Base#cache_key * Enable cache_versioning * Call cache_collection
6 years ago
Unify collection caching code
8 years ago
Fix #248 - Reload all accounts when fetching from cache
8 years ago
Unify collection caching code
8 years ago
Remove intermediary arrays when creating hash maps from results (#9291)
6 years ago
Unify collection caching code
8 years ago
Fix some rubocop style issues (#5730)
7 years ago
Unuse ActiveRecord::Base#cache_key (#8185) * Unuse ActiveRecord::Base#cache_key * Enable cache_versioning * Call cache_collection
6 years ago
Unify collection caching code
8 years ago
Unuse ActiveRecord::Base#cache_key (#8185) * Unuse ActiveRecord::Base#cache_key * Enable cache_versioning * Call cache_collection
6 years ago
Unify collection caching code
8 years ago
Fix #2195 - Set locale to error pages (#2255) * Fix #2195 - Set locale to error pages * Fix #2195 - Cut duplicate process into one method
7 years ago
Error responses cleanup (#2692) * Use respond_with_error for forbidden errors * Wrap up common error code into single method
7 years ago
Include preview cards in status entity in REST API (#9120) * Include preview cards in status entity in REST API * Display preview card in-stream * Improve in-stream display of preview cards
6 years ago
Error responses cleanup (#2692) * Use respond_with_error for forbidden errors * Wrap up common error code into single method
7 years ago
Use error pack when rendering error pages. Fixes #305.
6 years ago
Error responses cleanup (#2692) * Use respond_with_error for forbidden errors * Wrap up common error code into single method
7 years ago
Fix #2195 - Set locale to error pages (#2255) * Fix #2195 - Set locale to error pages * Fix #2195 - Cut duplicate process into one method
7 years ago
Add more instance stats APIs (#6125) * Add GET /api/v1/instance/peers API to reveal known domains * Add GET /api/v1/instance/activity API * Make new APIs disableable, exclude private statuses from activity stats * Fix code style issue * Fix week timestamps
6 years ago
Cache JSON of immutable ActivityPub representations (#6171)
6 years ago
Fix unintended cache
6 years ago
Cache JSON of immutable ActivityPub representations (#6171)
6 years ago
Add more instance stats APIs (#6125) * Add GET /api/v1/instance/peers API to reveal known domains * Add GET /api/v1/instance/activity API * Make new APIs disableable, exclude private statuses from activity stats * Fix code style issue * Fix week timestamps
6 years ago
Fix unintended cache
6 years ago
Cache JSON of immutable ActivityPub representations (#6171)
6 years ago
Reduce server load caused by anonymous viewing. (#9059) Do not start a session if the current user is not logged in for public-facing pages. Mark pages that don't care about sessions as publicly cacheable. Keep the max age as 0 so proxies and browsers will still try to retrieve an updated version but can still fall back to the stale version if the site is down or too slow. Fixes #9035.
5 years ago
Cache JSON of immutable ActivityPub representations (#6171)
6 years ago
Add more instance stats APIs (#6125) * Add GET /api/v1/instance/peers API to reveal known domains * Add GET /api/v1/instance/activity API * Make new APIs disableable, exclude private statuses from activity stats * Fix code style issue * Fix week timestamps
6 years ago
Initial commit
8 years ago
 
  1. # frozen_string_literal: true
  2. 

  3. class ApplicationController < ActionController::Base
  4.   # Prevent CSRF attacks by raising an exception.
  5.   # For APIs, you may want to use :null_session instead.
  6.   protect_from_forgery with: :exception
  7. 

  8.   force_ssl if: :https_enabled?
  9. 

  10.   include Localized
  11.   include UserTrackingConcern
  12.   include SessionTrackingConcern
  13. 

  14.   helper_method :current_account
  15.   helper_method :current_session
  16.   helper_method :current_flavour
  17.   helper_method :current_skin
  18.   helper_method :single_user_mode?
  19.   helper_method :use_seamless_external_login?
  20. 

  21.   rescue_from ActionController::RoutingError, with: :not_found
  22.   rescue_from ActiveRecord::RecordNotFound, with: :not_found
  23.   rescue_from ActionController::InvalidAuthenticityToken, with: :unprocessable_entity
  24.   rescue_from ActionController::UnknownFormat, with: :not_acceptable
  25.   rescue_from Mastodon::NotPermittedError, with: :forbidden
  26. 

  27.   before_action :store_current_location, except: :raise_not_found, unless: :devise_controller?
  28.   before_action :check_user_permissions, if: :user_signed_in?
  29. 

  30.   def raise_not_found
  31.     raise ActionController::RoutingError, "No route matches #{params[:unmatched_route]}"
  32.   end
  33. 

  34.   private
  35. 

  36.   def https_enabled?
  37.     Rails.env.production?
  38.   end
  39. 

  40.   def store_current_location
  41.     store_location_for(:user, request.url) unless request.format == :json
  42.   end
  43. 

  44.   def require_admin!
  45.     forbidden unless current_user&.admin?
  46.   end
  47. 

  48.   def require_staff!
  49.     forbidden unless current_user&.staff?
  50.   end
  51. 

  52.   def check_user_permissions
  53.     forbidden if current_user.disabled? || current_user.account.suspended?
  54.   end
  55. 

  56.   def after_sign_out_path_for(_resource_or_scope)
  57.     new_user_session_path
  58.   end
  59. 

  60.   def pack(data, pack_name, skin = 'default')
  61.     return nil unless pack?(data, pack_name)
  62.     pack_data = {
  63.       common: pack_name == 'common' ? nil : resolve_pack(data['name'] ? Themes.instance.flavour(current_flavour) : Themes.instance.core, 'common', skin),
  64.       flavour: data['name'],
  65.       pack: pack_name,
  66.       preload: nil,
  67.       skin: nil,
  68.       supported_locales: data['locales'],
  69.     }
  70.     if data['pack'][pack_name].is_a?(Hash)
  71.       pack_data[:common] = nil if data['pack'][pack_name]['use_common'] == false
  72.       pack_data[:pack] = nil unless data['pack'][pack_name]['filename']
  73.       if data['pack'][pack_name]['preload']
  74.         pack_data[:preload] = [data['pack'][pack_name]['preload']] if data['pack'][pack_name]['preload'].is_a?(String)
  75.         pack_data[:preload] = data['pack'][pack_name]['preload'] if data['pack'][pack_name]['preload'].is_a?(Array)
  76.       end
  77.       if skin != 'default' && data['skin'][skin]
  78.         pack_data[:skin] = skin if data['skin'][skin].include?(pack_name)
  79.       else  #  default skin
  80.         pack_data[:skin] = 'default' if data['pack'][pack_name]['stylesheet']
  81.       end
  82.     end
  83.     pack_data
  84.   end
  85. 

  86.   def pack?(data, pack_name)
  87.     if data['pack'].is_a?(Hash) && data['pack'].key?(pack_name)
  88.       return true if data['pack'][pack_name].is_a?(String) || data['pack'][pack_name].is_a?(Hash)
  89.     end
  90.     false
  91.   end
  92. 

  93.   def nil_pack(data, pack_name, skin = 'default')
  94.     {
  95.       common: pack_name == 'common' ? nil : resolve_pack(data['name'] ? Themes.instance.flavour(current_flavour) : Themes.instance.core, 'common', skin),
  96.       flavour: data['name'],
  97.       pack: nil,
  98.       preload: nil,
  99.       skin: nil,
  100.       supported_locales: data['locales'],
  101.     }
  102.   end
  103. 

  104.   def resolve_pack(data, pack_name, skin = 'default')
  105.     result = pack(data, pack_name, skin)
  106.     unless result
  107.       if data['name'] && data.key?('fallback')
  108.         if data['fallback'].nil?
  109.           return nil_pack(data, pack_name, skin)
  110.         elsif data['fallback'].is_a?(String) && Themes.instance.flavour(data['fallback'])
  111.           return resolve_pack(Themes.instance.flavour(data['fallback']), pack_name)
  112.         elsif data['fallback'].is_a?(Array)
  113.           data['fallback'].each do |fallback|
  114.             return resolve_pack(Themes.instance.flavour(fallback), pack_name) if Themes.instance.flavour(fallback)
  115.           end
  116.         end
  117.         return nil_pack(data, pack_name, skin)
  118.       end
  119.       return data.key?('name') && data['name'] != Setting.default_settings['flavour'] ? resolve_pack(Themes.instance.flavour(Setting.default_settings['flavour']), pack_name) : nil_pack(data, pack_name, skin)
  120.     end
  121.     result
  122.   end
  123. 

  124.   def use_pack(pack_name)
  125.     @core = resolve_pack(Themes.instance.core, pack_name)
  126.     @theme = resolve_pack(Themes.instance.flavour(current_flavour), pack_name, current_skin)
  127.   end
  128. 

  129.   protected
  130. 

  131.   def truthy_param?(key)
  132.     ActiveModel::Type::Boolean.new.cast(params[key])
  133.   end
  134. 

  135.   def forbidden
  136.     respond_with_error(403)
  137.   end
  138. 

  139.   def not_found
  140.     respond_with_error(404)
  141.   end
  142. 

  143.   def gone
  144.     respond_with_error(410)
  145.   end
  146. 

  147.   def unprocessable_entity
  148.     respond_with_error(422)
  149.   end
  150. 

  151.   def not_acceptable
  152.     respond_with_error(406)
  153.   end
  154. 

  155.   def single_user_mode?
  156.     @single_user_mode ||= Rails.configuration.x.single_user_mode && Account.exists?
  157.   end
  158. 

  159.   def use_seamless_external_login?
  160.     Devise.pam_authentication || Devise.ldap_authentication
  161.   end
  162. 

  163.   def current_account
  164.     @current_account ||= current_user.try(:account)
  165.   end
  166. 

  167.   def current_session
  168.     @current_session ||= SessionActivation.find_by(session_id: cookies.signed['_session_id'])
  169.   end
  170. 

  171.   def current_flavour
  172.     return Setting.flavour unless Themes.instance.flavours.include? current_user&.setting_flavour
  173.     current_user.setting_flavour
  174.   end
  175. 

  176.   def current_skin
  177.     return Setting.skin unless Themes.instance.skins_for(current_flavour).include? current_user&.setting_skin
  178.     current_user.setting_skin
  179.   end
  180. 

  181.   def cache_collection(raw, klass)
  182.     return raw unless klass.respond_to?(:with_includes)
  183. 

  184.     raw                    = raw.cache_ids.to_a if raw.is_a?(ActiveRecord::Relation)
  185.     cached_keys_with_value = Rails.cache.read_multi(*raw).transform_keys(&:id)
  186.     uncached_ids           = raw.map(&:id) - cached_keys_with_value.keys
  187. 

  188.     klass.reload_stale_associations!(cached_keys_with_value.values) if klass.respond_to?(:reload_stale_associations!)
  189. 

  190.     unless uncached_ids.empty?
  191.       uncached = klass.where(id: uncached_ids).with_includes.each_with_object({}) { |item, h| h[item.id] = item }
  192. 

  193.       uncached.each_value do |item|
  194.         Rails.cache.write(item, item)
  195.       end
  196.     end
  197. 

  198.     raw.map { |item| cached_keys_with_value[item.id] || uncached[item.id] }.compact
  199.   end
  200. 

  201.   def respond_with_error(code)
  202.     respond_to do |format|
  203.       format.any  { head code }
  204. 

  205.       format.html do
  206.         set_locale
  207.         use_pack 'error'
  208.         render "errors/#{code}", layout: 'error', status: code
  209.       end
  210.     end
  211.   end
  212. 

  213.   def render_cached_json(cache_key, **options)
  214.     options[:expires_in] ||= 3.minutes
  215.     cache_public           = options.key?(:public) ? options.delete(:public) : true
  216.     content_type           = options.delete(:content_type) || 'application/json'
  217. 

  218.     data = Rails.cache.fetch(cache_key, { raw: true }.merge(options)) do
  219.       yield.to_json
  220.     end
  221. 

  222.     expires_in options[:expires_in], public: cache_public
  223.     render json: data, content_type: content_type
  224.   end
  225. 

  226.   def set_cache_headers
  227.     response.headers['Vary'] = 'Accept'
  228.   end
  229. 

  230.   def mark_cacheable!
  231.     skip_session!
  232.     expires_in 0, public: true
  233.   end
  234. 

  235.   def skip_session!
  236.     request.session_options[:skip] = true
  237.   end
  238. end