closed-social
/
mastodon
3
0
Fork 2
Code Issues 5 Pull Requests 0 Projects 0 Releases 3 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9078 Commits
4 Branches
567 MiB
Tree: 72a7cfaa39
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '72a7cfaa39'
${ noResults }
mastodon/app/models/user.rb

417 lines
12 KiB
Raw Normal View History

Fix rubocop issues, introduce usage of frozen literal to improve performance
7 years ago
annotate models (#2697) * add annotate to Gemfile * rails g annotate:install * configure annotate_models * add schema info to models * fix rubocop to add frozen_string_literal
7 years ago
Update dependencies for Ruby (2018-04-23) (#7237) * Update annotate to version 2.7.3 * Update aws-sdk-s3 to version 1.9.2 * Update browser to version 2.5.3 * Update capistrano to version 3.10.2 * Update domain_name to version 0.5.20180417 * Update http to version 3.2.0 * Update lograge to version 0.10.0 * Update oj to version 3.5.1 * Update parallel_tests to version 2.21.3 * Update puma to version 3.11.4 * Update rubocop to version 0.55.0 * Update scss_lint to version 0.57.0 * Update simplecov to version 0.16.1 * Update tty-command to version 0.8.0 * Update tty-prompt to version 0.16.0 * Update pkg-config to version 1.3.0 * Update fog-local to version 0.5.0 * Update fog-openstack to version 0.1.25 * Update devise-two-factor to version 3.0.3 * bundle update
6 years ago
annotate models (#2697) * add annotate to Gemfile * rails g annotate:install * configure annotate_models * add schema info to models * fix rubocop to add frozen_string_literal
7 years ago
Fix boolean columns sometimes having a null value (#4162) * Fix boolean columns sometimes having a null value * Fix wrong value being set instead of null
6 years ago
annotate models (#2697) * add annotate to Gemfile * rails g annotate:install * configure annotate_models * add schema info to models * fix rubocop to add frozen_string_literal
7 years ago
Fix boolean columns sometimes having a null value (#4162) * Fix boolean columns sometimes having a null value * Fix wrong value being set instead of null
6 years ago
annotate models (#2697) * add annotate to Gemfile * rails g annotate:install * configure annotate_models * add schema info to models * fix rubocop to add frozen_string_literal
7 years ago
Filter languages with opt out (#3175) * Remove allowed_languages and add filtered_languages * Use filtered_languages instead of allowed_languages
7 years ago
Update dependencies for Ruby (2018-04-23) (#7237) * Update annotate to version 2.7.3 * Update aws-sdk-s3 to version 1.9.2 * Update browser to version 2.5.3 * Update capistrano to version 3.10.2 * Update domain_name to version 0.5.20180417 * Update http to version 3.2.0 * Update lograge to version 0.10.0 * Update oj to version 3.5.1 * Update parallel_tests to version 2.21.3 * Update puma to version 3.11.4 * Update rubocop to version 0.55.0 * Update scss_lint to version 0.57.0 * Update simplecov to version 0.16.1 * Update tty-command to version 0.8.0 * Update tty-prompt to version 0.16.0 * Update pkg-config to version 1.3.0 * Update fog-local to version 0.5.0 * Update fog-openstack to version 0.1.25 * Update devise-two-factor to version 3.0.3 * bundle update
6 years ago
Add ability to disable login and mark accounts as memorial (#5615) Fix #5597
6 years ago
Add moderator role and add pundit policies for admin actions (#5635) * Add moderator role and add pundit policies for admin actions * Add rake task for turning user into mod and revoking it again * Fix handling of unauthorized exception * Deliver new report e-mails to staff, not just admins * Add promote/demote to admin UI, hide some actions conditionally * Fix unused i18n
6 years ago
Update dependencies for Ruby (2018-04-23) (#7237) * Update annotate to version 2.7.3 * Update aws-sdk-s3 to version 1.9.2 * Update browser to version 2.5.3 * Update capistrano to version 3.10.2 * Update domain_name to version 0.5.20180417 * Update http to version 3.2.0 * Update lograge to version 0.10.0 * Update oj to version 3.5.1 * Update parallel_tests to version 2.21.3 * Update puma to version 3.11.4 * Update rubocop to version 0.55.0 * Update scss_lint to version 0.57.0 * Update simplecov to version 0.16.1 * Update tty-command to version 0.8.0 * Update tty-prompt to version 0.16.0 * Update pkg-config to version 1.3.0 * Update fog-local to version 0.5.0 * Update fog-openstack to version 0.1.25 * Update devise-two-factor to version 3.0.3 * bundle update
6 years ago
pam authentication (#5303) * add pam support, without extra column * bugfixes for pam login * document options * fix code style * fix codestyle * fix tests * don't call remember_me without password * fix codestyle * improve checks for pam usage (should fix tests) * fix remember_me part 1 * add remember_token column because :rememberable requires either a password or this column. * migrate db for remember_token * move pam_authentication to the right place, fix logic bug in edit.html.haml * fix tests * fix pam authentication, improve username lookup, add comment * valid? is sometimes not honored, return nil instead trying to authenticate with pam * update devise_pam_authenticatable2 and adjust code. Fixes sideeffects observed in tests * update devise_pam_authenticatable gem, fixes for codeconventions, fix finding user * codeconvention fixes * code convention fixes * fix idention * update dependency, explicit conflict check * fix disabled password updates if in pam mode * fix check password if password is present, fix templates * block registration if account is maintained by pam * Revert "block registration if account is maintained by pam" This reverts commit 8e7a083d650240b6fac414926744b4b90b435f20. * fix identation error introduced by rebase * block usernames maintained by pam * document pam settings better * fix code style
6 years ago
Change language opt-out to language opt-in (#7823) * Switch filtered_languages to chosen_languages * Adjust interface * Remove unused translations
6 years ago
Add REST API for creating an account (#9572) * Add REST API for creating an account The method is available to apps with a token obtained via the client credentials grant. It creates a user and account records, as well as an access token for the app that initiated the request. The user is unconfirmed, and an e-mail is sent as usual. The method returns the access token, which the app should save for later. The REST API is not available to users with unconfirmed accounts, so the app must be smart to wait for the user to click a link in their e-mail inbox. The method is rate-limited by IP to 5 requests per 30 minutes. * Redirect users back to app from confirmation if they were created with an app * Add tests * Return 403 on the method if registrations are not open * Require agreement param to be true in the API when creating an account
5 years ago
Admission-based registrations mode (#10250) Fix #6856 Fix #6951
5 years ago
Add e-mail-based sign in challenge for users with disabled 2FA (#14013)
3 years ago
annotate models (#2697) * add annotate to Gemfile * rails g annotate:install * configure annotate_models * add schema info to models * fix rubocop to add frozen_string_literal
7 years ago
Fix rubocop issues, introduce usage of frozen literal to improve performance
7 years ago
Upgrade to Rails 5.0.0.1
7 years ago
Extend rails-settings-cached to merge db-saved hash values with defaults
7 years ago
Refactor User model, extract PamAuthenticable, LdapAuthenticable (#10217)
5 years ago
Add ability to disable login and mark accounts as memorial (#5615) Fix #5597
6 years ago
Reduce user active duration from 7 days to 2 days (#8282) To minimize fanout work and redis home feed storage space when there are lots of recent sign-ups
5 years ago
Improve e-mail digest (#9689) - Reduce time-to-digest from 20 to 7 days - Fetch mentions starting from +1 day since last login - Fix case when last login is more recent than last e-mail - Do not render all mentions, only 40, but show number in subject - Do not send digest to moved accounts - Do send digest to silenced accounts
5 years ago
Migrate from ledermann/rails-settings to rails-settings-cached which allows global settings with YAML-defined defaults. Add admin page for editing global settings. Add "site_description" setting that would show as a paragraph on the frontpage
7 years ago
Add confirmation step for email changes (#6071) * Add confirmation step for email changes This adds a confirmation step for email changes of existing users. Like the initial account confirmation, a confirmation link is sent to the new address. Additionally, a notification is sent to the existing address when the change is initiated. This message includes instruction to reset the password immediately or to contact the instance admin if the change was not initiated by the account owner. Fixes #3871 * Add review fixes
6 years ago
Provide default OTP_SECRET value for development environment (#6617)
6 years ago
Add confirmation step for email changes (#6071) * Add confirmation step for email changes This adds a confirmation step for email changes of existing users. Like the initial account confirmation, a confirmation link is sent to the new address. Additionally, a notification is sent to the existing address when the change is initiated. This message includes instruction to reset the password immediately or to contact the instance admin if the change was not initiated by the account owner. Fixes #3871 * Add review fixes
6 years ago
Add recovery code support for two-factor auth (#1773) * Add recovery code support for two-factor auth When users enable two-factor auth, the app now generates ten single-use recovery codes. Users are encouraged to print the codes and store them in a safe place. The two-factor prompt during login now accepts both OTP codes and recovery codes. The two-factor settings UI allows users to regenerated lost recovery codes. Users who have set up two-factor auth prior to this feature being added can use it to generate recovery codes for the first time. Fixes #563 and fixes #987 * Set OTP_SECRET in test enviroment * add missing .html to view file names
7 years ago
Removing grape and adding devise
8 years ago
Add confirmation step for email changes (#6071) * Add confirmation step for email changes This adds a confirmation step for email changes of existing users. Like the initial account confirmation, a confirmation link is sent to the new address. Additionally, a notification is sent to the existing address when the change is initiated. This message includes instruction to reset the password immediately or to contact the instance admin if the change was not initiated by the account owner. Fixes #3871 * Add review fixes
6 years ago
Refactor User model, extract PamAuthenticable, LdapAuthenticable (#10217)
5 years ago
pam authentication (#5303) * add pam support, without extra column * bugfixes for pam login * document options * fix code style * fix codestyle * fix tests * don't call remember_me without password * fix codestyle * improve checks for pam usage (should fix tests) * fix remember_me part 1 * add remember_token column because :rememberable requires either a password or this column. * migrate db for remember_token * move pam_authentication to the right place, fix logic bug in edit.html.haml * fix tests * fix pam authentication, improve username lookup, add comment * valid? is sometimes not honored, return nil instead trying to authenticate with pam * update devise_pam_authenticatable2 and adjust code. Fixes sideeffects observed in tests * update devise_pam_authenticatable gem, fixes for codeconventions, fix finding user * codeconvention fixes * code convention fixes * fix idention * update dependency, explicit conflict check * fix disabled password updates if in pam mode * fix check password if password is present, fix templates * block registration if account is maintained by pam * Revert "block registration if account is maintained by pam" This reverts commit 8e7a083d650240b6fac414926744b4b90b435f20. * fix identation error introduced by rebase * block usernames maintained by pam * document pam settings better * fix code style
6 years ago
Change belongs_to_required_by_default to true (#5888)
6 years ago
Add REST API for creating an account (#9572) * Add REST API for creating an account The method is available to apps with a token obtained via the client credentials grant. It creates a user and account records, as well as an access token for the app that initiated the request. The user is unconfirmed, and an e-mail is sent as usual. The method returns the access token, which the app should save for later. The REST API is not available to users with unconfirmed accounts, so the app must be smart to wait for the user to click a link in their e-mail inbox. The method is rate-limited by IP to 5 requests per 30 minutes. * Redirect users back to app from confirmation if they were created with an app * Add tests * Return 403 on the method if registrations are not open * Require agreement param to be true in the API when creating an account
5 years ago
Customizing devise views and controllers
8 years ago
Removing grape and adding devise
8 years ago
Application prefs section (#2758) * Add code for creating/managing apps to settings section * Add specs for app changes * Fix controller spec * Fix view file I pasted over by mistake * Add locale strings. Add 'my apps' to nav * Add Client ID/Secret to App page. Add some visual separation * Fix rubocop warnings * Fix embarrassing typo I lost an `end` statement while fixing a merge conflict. * Add code for creating/managing apps to settings section - Add specs for app changes - Add locale strings. Add 'my apps' to nav - Add Client ID/Secret to App page. Add some visual separation - Fix some bugs/warnings * Update to match code standards * Trigger notification * Add warning about not sharing API secrets * Tweak spec a bit * Cleanup fixture creation by using let! * Remove unused key * Add foreign key for application<->user
6 years ago
Account archive download (#6460) * Fix #201: Account archive download * Export actor and private key in the archive * Optimize BackupService - Add conversation to cached associations of status, because somehow it was forgotten and is source of N+1 queries - Explicitly call GC between batches of records being fetched (Model class allocations are the worst offender) - Stream media files into the tar in 1MB chunks (Do not allocate media file (up to 8MB) as string into memory) - Use #bytesize instead of #size to calculate file size for JSON (Fix FileOverflow error) - Segment media into subfolders by status ID because apparently GIF-to-MP4 media are all named "media.mp4" for some reason * Keep uniquely generated filename in Paperclip::GifTranscoder * Ensure dumped files do not overwrite each other by maintaing directory partitions * Give tar archives a good name * Add scheduler to remove week-old backups * Fix code style issue
6 years ago
Fix invites not being disabled upon account suspension (#11412) * Disable invite links from disabled/suspended users * Add has_many invites relationship to users * Destroy unused invites when suspending an account
4 years ago
Add timeline read markers API (#11762) Fix #4093
4 years ago
Application prefs section (#2758) * Add code for creating/managing apps to settings section * Add specs for app changes * Fix controller spec * Fix view file I pasted over by mistake * Add locale strings. Add 'my apps' to nav * Add Client ID/Secret to App page. Add some visual separation * Fix rubocop warnings * Fix embarrassing typo I lost an `end` statement while fixing a merge conflict. * Add code for creating/managing apps to settings section - Add specs for app changes - Add locale strings. Add 'my apps' to nav - Add Client ID/Secret to App page. Add some visual separation - Fix some bugs/warnings * Update to match code standards * Trigger notification * Add warning about not sharing API secrets * Tweak spec a bit * Cleanup fixture creation by using let! * Remove unused key * Add foreign key for application<->user
6 years ago
Add "why do you want to join" field to invite requests (#10524) * Add "why do you want to join" field to invite requests Fix #10512 * Remove unused translations * Fix broken registrations when no invite request text is submitted
5 years ago
Conditional validations no longer accept strings for if/unless (#3124)
7 years ago
Change e-mail whitelist/blacklist to not be checked when invited (#10683) * Change e-mail whitelist/blacklist to not be checked when invited And only when creating an account, not when updating it later Fix #10648 * Fix test
5 years ago
Improve e-mail MX validator and add tests (#9489)
5 years ago
Add REST API for creating an account (#9572) * Add REST API for creating an account The method is available to apps with a token obtained via the client credentials grant. It creates a user and account records, as well as an access token for the app that initiated the request. The user is unconfirmed, and an e-mail is sent as usual. The method returns the access token, which the app should save for later. The REST API is not available to users with unconfirmed accounts, so the app must be smart to wait for the user to click a link in their e-mail inbox. The method is rate-limited by IP to 5 requests per 30 minutes. * Redirect users back to app from confirmation if they were created with an app * Add tests * Return 403 on the method if registrations are not open * Require agreement param to be true in the API when creating an account
5 years ago
Bind oauth applications to users
8 years ago
Add moderator role and add pundit policies for admin actions (#5635) * Add moderator role and add pundit policies for admin actions * Add rake task for turning user into mod and revoking it again * Fix handling of unauthorized exception * Deliver new report e-mails to staff, not just admins * Add promote/demote to admin UI, hide some actions conditionally * Fix unused i18n
6 years ago
Admission-based registrations mode (#10250) Fix #6856 Fix #6951
5 years ago
Add digest e-mails
7 years ago
Improve e-mail digest (#9689) - Reduce time-to-digest from 20 to 7 days - Fetch mentions starting from +1 day since last login - Fix case when last login is more recent than last e-mail - Do not render all mentions, only 40, but show number in subject - Do not send digest to moved accounts - Do send digest to silenced accounts
5 years ago
Add moderation API (#9387) Fix #8580 Fix #7143
4 years ago
Specs for cleanup workers (#3235) * Add spec files for feed and media cleanup workers * Add coverage for feed and media cleanup schedulers * Clean up feed and media cleanup workers
7 years ago
Fix User#active scope only returning suspended users (#11111) Fix a regression from #10660
4 years ago
Add coverage for ReportFilter and AccountFilter (#3236)
7 years ago
Fix search by IP not using alternative browser sessions in admin UI (#12904)
4 years ago
Improve e-mail digest (#9689) - Reduce time-to-digest from 20 to 7 days - Fetch mentions starting from +1 day since last login - Fix case when last login is more recent than last e-mail - Do not render all mentions, only 40, but show number in subject - Do not send digest to moved accounts - Do send digest to silenced accounts
5 years ago
Adding user settings (model and mailer), no form yet
7 years ago
Improve allowed language handling (#2897) * Dont allow empty value in user allowed languages * Sanitize language input to reject blank values in array
7 years ago
Admission-based registrations mode (#10250) Fix #6856 Fix #6951
5 years ago
Fix “Email changed” notification sometimes having wrong e-mail (#13475) * Fix “Email changed” notification sometimes having wrong e-mail Fixes #6778 The root of the issue is that `send_devise_notification` was called before the changes were properly commited to the database, causing the mailer to pick previous values if running too early. Devise's documentation provides guidance on how to handle that[1][2], however, I have found it to not be working, as the following happens, in that order: - `send_devise_notification` is called for the `email_changed` notification. In that case, `changed?` is false and `saved_changes?` is true, so if we use the former, we have the same issue. - the `after_commit` hook is called - `send_devise_notification` is called for the `confirmation_instructions` notification. In that case, `changed?` is still false, and `saved_changes?` still true, so if we use the latter, that second notification email is simply not going to be sent (as we would be queuing the notification *after* executing the after_commit hook). This is because it may be called from either an `after_update` or `after_commit` hook, the difference not being a call to `save` but the transaction actually being committed to the database. This may arguably be a bug in Devise, or Devise's notification. The proposed workaround is inspired by Devise's documentation but checks whether a transaction is open to make the call whether to immediately send the notification or defer it to the `after_commit` hook. [1]: https://www.rubydoc.info/github/plataformatec/devise/Devise%2FModels%2FAuthenticatable:send_devise_notification [2]: https://github.com/heartcombo/devise/blob/406915cb781e38255a30ad2a0609e33952b9ec50/lib/devise/models/authenticatable.rb#L133-L194 * Fix cases when sending notifications without changing the model * Defer sending if and only if in transaction including current record
4 years ago
Improve allowed language handling (#2897) * Dont allow empty value in user allowed languages * Sanitize language input to reject blank values in array
7 years ago
Update Rails to version 5.1.1 (#3121) * Update rails to version 5.1.1 * Run `rails app:update` * Remove the override of polymorphic activity relationship * Silence warning about otp_secret attribute being unknown to rails * We will only introduce form_with where we want to use remote data
7 years ago
Revocable sessions (#3616) * feat: Revocable sessions * fix: Tests using sign_in * feat: Configuration entry for the maximum number of session activations
7 years ago
Delegate some methods of User to @settings (#5706) * Move some tests of User into Settings::ScopedSettings * Add a test for User@settings
6 years ago
Add a new preference to always hide all media (#8569)
5 years ago
Add responsive panels to the single-column layout (#10820) * Add responsive panels to the single-column layout * Fixes * Fix not being able to save the preference * Fix code style issues * Set max-height on the compose textarea and add a link to relationship manager
5 years ago
Add setting for whether to crop images in unexpanded toots (#12126)
4 years ago
Add trends UI with admin and user settings (#11502)
4 years ago
Delegate some methods of User to @settings (#5706) * Move some tests of User into Settings::ScopedSettings * Add a test for User@settings
6 years ago
Add e-mail-based sign in challenge for users with disabled 2FA (#14013)
3 years ago
Fix LDAP/PAM/SAML/CAS users not being approved instantly (#10621)
5 years ago
Add consumable invites (#5814) * Add consumable invites * Add UI for generating invite codes * Add tests * Display max uses and expiration in invites table, delete invite * Remove unused column and redundant validator - Default follows not used, probably bad idea - InviteCodeValidator is redundant because RegistrationsController checks invite code validity * Add admin setting to disable invites * Add admin UI for invites, configurable role for invite creation - Admin UI that lists everyone's invites, always available - Admin setting min_invite_role to control who can invite people - Non-admin invite UI only visible if users are allowed to * Do not remove invites from database, expire them instantly
6 years ago
Admin UI for confirming users (#2245) * Shows confirmed status in list. * Adds ability to confirm users in admin UI. * Added new english translations. * Addresses feedback from #2245. * More feedback.
7 years ago
Improve admin UI for account view (#9643)
5 years ago
Fix “invited by” not showing up for invited accounts in admin interface (#10791)
5 years ago
Check that an invite link is valid before bypassing approval mode (#10657) * Check that an invite link is valid before bypassing approval mode Fixes #10656 * Add tests * Only consider valid invite links in registration controller * fixup
5 years ago
Improve admin UI for account view (#9643)
5 years ago
Add ability to disable login and mark accounts as memorial (#5615) Fix #5597
6 years ago
Fix user disabling changing activity timestamps, fix nil error (#12943)
4 years ago
Add ability to disable login and mark accounts as memorial (#5615) Fix #5597
6 years ago
Add more instance stats APIs (#6125) * Add GET /api/v1/instance/peers API to reveal known domains * Add GET /api/v1/instance/activity API * Make new APIs disableable, exclude private statuses from activity stats * Fix code style issue * Fix week timestamps
6 years ago
If registrations have been re-opened when user confirms account, approve (#10349)
5 years ago
Add more instance stats APIs (#6125) * Add GET /api/v1/instance/peers API to reveal known domains * Add GET /api/v1/instance/activity API * Make new APIs disableable, exclude private statuses from activity stats * Fix code style issue * Fix week timestamps
6 years ago
Refactor User model, extract PamAuthenticable, LdapAuthenticable (#10217)
5 years ago
Admission-based registrations mode (#10250) Fix #6856 Fix #6951
5 years ago
Add more instance stats APIs (#6125) * Add GET /api/v1/instance/peers API to reveal known domains * Add GET /api/v1/instance/activity API * Make new APIs disableable, exclude private statuses from activity stats * Fix code style issue * Fix week timestamps
6 years ago
Add moderator role and add pundit policies for admin actions (#5635) * Add moderator role and add pundit policies for admin actions * Add rake task for turning user into mod and revoking it again * Fix handling of unauthorized exception * Deliver new report e-mails to staff, not just admins * Add promote/demote to admin UI, hide some actions conditionally * Fix unused i18n
6 years ago
If registrations have been re-opened when user confirms account, approve (#10349)
5 years ago
Add more instance stats APIs (#6125) * Add GET /api/v1/instance/peers API to reveal known domains * Add GET /api/v1/instance/activity API * Make new APIs disableable, exclude private statuses from activity stats * Fix code style issue * Fix week timestamps
6 years ago
Add moderator role and add pundit policies for admin actions (#5635) * Add moderator role and add pundit policies for admin actions * Add rake task for turning user into mod and revoking it again * Fix handling of unauthorized exception * Deliver new report e-mails to staff, not just admins * Add promote/demote to admin UI, hide some actions conditionally * Fix unused i18n
6 years ago
Refactor User model, extract PamAuthenticable, LdapAuthenticable (#10217)
5 years ago
Admission-based registrations mode (#10250) Fix #6856 Fix #6951
5 years ago
Change unconfirmed user login behaviour (#11375) Allow access to account settings, 2FA, authorized applications, and account deletions to unconfirmed and pending users, as well as users who had their accounts disabled. Suspended users cannot update their e-mail or password or delete their account. Display account status on account settings page, for example, when an account is frozen, limited, unconfirmed or pending review. After sign up, login users straight away and show a simple page that tells them the status of their account with links to account settings and logout, to reduce onboarding friction and allow users to correct wrongly typed e-mail addresses. Move the final sign-up step of SSO integrations to be the same as above to reduce code duplication.
4 years ago
Add e-mail-based sign in challenge for users with disabled 2FA (#14013)
3 years ago
Change unconfirmed user login behaviour (#11375) Allow access to account settings, 2FA, authorized applications, and account deletions to unconfirmed and pending users, as well as users who had their accounts disabled. Suspended users cannot update their e-mail or password or delete their account. Display account status on account settings page, for example, when an account is frozen, limited, unconfirmed or pending review. After sign up, login users straight away and show a simple page that tells them the status of their account with links to account settings and logout, to reduce onboarding friction and allow users to correct wrongly typed e-mail addresses. Move the final sign-up step of SSO integrations to be the same as above to reduce code duplication.
4 years ago
Add account migration UI (#11846) Fix #10736 - Change data export to be available for non-functional accounts - Change non-functional accounts to include redirecting accounts
4 years ago
Admission-based registrations mode (#10250) Fix #6856 Fix #6951
5 years ago
Change deletes to preserve soft-deleted statuses in unresolved reports (#11805) Change all account actions except "none" to resolve all unresolved reports Refactor `SuspendAccountService` to be more readable
4 years ago
Admission-based registrations mode (#10250) Fix #6856 Fix #6951
5 years ago
Fix #6331 (#6341) UserTrackingConcern is circumvented by SessionsController#create because it calls warden, which calls the User#update_tracked_fields! method directly. Move returning user logic to that method.
6 years ago
Add moderator role and add pundit policies for admin actions (#5635) * Add moderator role and add pundit policies for admin actions * Add rake task for turning user into mod and revoking it again * Fix handling of unauthorized exception * Deliver new report e-mails to staff, not just admins * Add promote/demote to admin UI, hide some actions conditionally * Fix unused i18n
6 years ago
Add option to disable two factor auth in admin accounts panel. (#2584) * Add option to disable two factor auth in admin accounts panel. Closes #2578 * Add @mjankowski's suggestions. * Moves destroy actions behind User#disable_two_factor! * Adds spec coverage for Admin:TwoFactorAuthenticationsController and User#disable_two_factor!
7 years ago
Add API modifiers to limit returned toots from public/hashtag timelines to only those from local users; Add link to "extended information" to getting started in the UI; Add defaults for posting privacy; Change how publish button looks depending on posting privacy chosen
7 years ago
Allow user to disable the boost confirm dialog in preferences
7 years ago
Move e-mail digest task to sidekiq, reduce workload, improve hint (#6252)
6 years ago
Add preference for report notification e-mails, skip for duplicates (#8559) If an unresolved report for the same target account already exists, no new notification is generated
5 years ago
Add preference to disable e-mails about new pending accounts (#10529)
5 years ago
Change admin UI for hashtags and add back whitelisted trends (#11490) Fix #271 Add back the `GET /api/v1/trends` API with the caveat that it does not return tags that have not been allowed to trend by the staff. When a hashtag begins to trend (internally) and that hashtag has not been previously reviewed by the staff, the staff is notified. The new admin UI for hashtags allows filtering hashtags by where they are used (e.g. in the profile directory), whether they have been reviewed or are pending reviewal, they show by how many people the hashtag is used in the directory, how many people used it today, how many statuses with it have been created today, and it allows fixing the name of the hashtag to make it more readable. The disallowed hashtags feature has been reworked. It is now controlled from the admin UI for hashtags instead of from the file `config/settings.yml`
4 years ago
Add preference to hide following/followers lists (#7532) * Add preference to hide following/followers lists - Public pages - ActivityPub collections (does not return pages but does give total) - REST API (unless it's your own) (does not federate) Fix #6901 * Add preference * Add delegation * Fix issue * Fix issue
6 years ago
Add setting to not aggregate reblogs (#9248) * Add setting to not aggregate reblogs Fixes #9222 * Handle cases where user is nil in add_to_home and add_to_list * Add hint for setting_aggregate_reblogs option * Reword setting_aggregate_reblogs label
5 years ago
Make displaying application used to toot opt-in (#9897) * Make storing and displaying application used to toot opt-in * Revert to storing application info, and display it to the author via API
5 years ago
correct opt-out showing application (#10086) * correct opt-out showing application refs #9994 * Revert "correct opt-out showing application" This reverts commit 0e9bb70f145be42962416a6b87c08d59a2896486. * User#shows_application? calls wrong value
5 years ago
Make displaying application used to toot opt-in (#9897) * Make storing and displaying application used to toot opt-in * Revert to storing application info, and display it to the author via API
5 years ago
Application prefs section (#2758) * Add code for creating/managing apps to settings section * Add specs for app changes * Fix controller spec * Fix view file I pasted over by mistake * Add locale strings. Add 'my apps' to nav * Add Client ID/Secret to App page. Add some visual separation * Fix rubocop warnings * Fix embarrassing typo I lost an `end` statement while fixing a merge conflict. * Add code for creating/managing apps to settings section - Add specs for app changes - Add locale strings. Add 'my apps' to nav - Add Client ID/Secret to App page. Add some visual separation - Fix some bugs/warnings * Update to match code standards * Trigger notification * Add warning about not sharing API secrets * Tweak spec a bit * Cleanup fixture creation by using let! * Remove unused key * Add foreign key for application<->user
6 years ago
Add overview of active sessions (#3929) * Add overview of active sessions * Better display of browser/platform name * Improve how browser information is stored and displayed for sessions overview * Fix test
6 years ago
Use request.remote_ip instead of request.ip (#4744)
6 years ago
Revocable sessions (#3616) * feat: Revocable sessions * fix: Tests using sign_in * feat: Configuration entry for the maximum number of session activations
7 years ago
Fix password change/reset not immediately invalidating other sessions (#12928) While making browser requests in the other sessions after a password change or reset does not allow you to be logged in and correctly invalidates the session making the request, sessions have API tokens associated with them, which can still be used until that session is invalidated. This is a security issue for accounts that were already compromised some other way because it makes it harder to throw out the hijacker.
4 years ago
Revocable sessions (#3616) * feat: Revocable sessions * fix: Tests using sign_in * feat: Configuration entry for the maximum number of session activations
7 years ago
Web Push Notifications (#3243) * feat: Register push subscription * feat: Notify when mentioned * feat: Boost, favourite, reply, follow, follow request * feat: Notification interaction * feat: Handle change of public key * feat: Unsubscribe if things go wrong * feat: Do not send normal notifications if push is enabled * feat: Focus client if open * refactor: Move push logic to WebPushSubscription * feat: Better title and body * feat: Localize messages * chore: Fix lint errors * feat: Settings * refactor: Lazy load * fix: Check if push settings exist * feat: Device-based preferences * refactor: Simplify logic * refactor: Pull request feedback * refactor: Pull request feedback * refactor: Create /api/web/push_subscriptions endpoint * feat: Spec PushSubscriptionController * refactor: WebPushSubscription => Web::PushSubscription * feat: Spec Web::PushSubscription * feat: Display first media attachment * feat: Support direction * fix: Stuff broken while rebasing * refactor: Integration with session activations * refactor: Cleanup * refactor: Simplify implementation * feat: Set VAPID keys via environment * chore: Comments * fix: Crash when no alerts * fix: Set VAPID keys in testing environment * fix: Follow link * feat: Notification actions * fix: Delete previous subscription * chore: Temporary logs * refactor: Move migration to a later date * fix: Fetch the correct session activation and misc bugs * refactor: Move migration to a later date * fix: Remove follow request (no notifications) * feat: Send administrator contact to push service * feat: Set time-to-live * fix: Do not show sensitive images * fix: Reducer crash in error handling * feat: Add badge * chore: Fix lint error * fix: Checkbox label overlap * fix: Check for payload support * fix: Rename action "type" (crash in latest Chrome) * feat: Action to expand notification * fix: Lint errors * fix: Unescape notification body * fix: Do not allow boosting if the status is hidden * feat: Add VAPID keys to the production sample environment * fix: Strip HTML tags from status * refactor: Better error messages * refactor: Handle browser not implementing the VAPID protocol (Samsung Internet) * fix: Error when target_status is nil * fix: Handle lack of image * fix: Delete reference to invalid subscriptions * feat: Better error handling * fix: Unescape HTML characters after tags are striped * refactor: Simpify code * fix: Modify to work with #4091 * Sort strings alphabetically * i18n: Updated Polish translation it annoys me that it's not fully localized :P * refactor: Use current_session in PushSubscriptionController * fix: Rebase mistake * fix: Set cacheName to mastodon * refactor: Pull request feedback * refactor: Remove logging statements * chore(yarn): Fix conflicts with master * chore(yarn): Copy latest from master * chore(yarn): Readd offline-plugin * refactor: Use save! and update! * refactor: Send notifications async * fix: Allow retry when push fails * fix: Save track for failed pushes * fix: Minify sw.js * fix: Remove account_id from fabricator
6 years ago
Add REST API for Web Push Notifications subscriptions (#7445) - POST /api/v1/push/subscription - PUT /api/v1/push/subscription - DELETE /api/v1/push/subscription - New OAuth scope: "push" (required for the above methods)
6 years ago
Web Push Notifications (#3243) * feat: Register push subscription * feat: Notify when mentioned * feat: Boost, favourite, reply, follow, follow request * feat: Notification interaction * feat: Handle change of public key * feat: Unsubscribe if things go wrong * feat: Do not send normal notifications if push is enabled * feat: Focus client if open * refactor: Move push logic to WebPushSubscription * feat: Better title and body * feat: Localize messages * chore: Fix lint errors * feat: Settings * refactor: Lazy load * fix: Check if push settings exist * feat: Device-based preferences * refactor: Simplify logic * refactor: Pull request feedback * refactor: Pull request feedback * refactor: Create /api/web/push_subscriptions endpoint * feat: Spec PushSubscriptionController * refactor: WebPushSubscription => Web::PushSubscription * feat: Spec Web::PushSubscription * feat: Display first media attachment * feat: Support direction * fix: Stuff broken while rebasing * refactor: Integration with session activations * refactor: Cleanup * refactor: Simplify implementation * feat: Set VAPID keys via environment * chore: Comments * fix: Crash when no alerts * fix: Set VAPID keys in testing environment * fix: Follow link * feat: Notification actions * fix: Delete previous subscription * chore: Temporary logs * refactor: Move migration to a later date * fix: Fetch the correct session activation and misc bugs * refactor: Move migration to a later date * fix: Remove follow request (no notifications) * feat: Send administrator contact to push service * feat: Set time-to-live * fix: Do not show sensitive images * fix: Reducer crash in error handling * feat: Add badge * chore: Fix lint error * fix: Checkbox label overlap * fix: Check for payload support * fix: Rename action "type" (crash in latest Chrome) * feat: Action to expand notification * fix: Lint errors * fix: Unescape notification body * fix: Do not allow boosting if the status is hidden * feat: Add VAPID keys to the production sample environment * fix: Strip HTML tags from status * refactor: Better error messages * refactor: Handle browser not implementing the VAPID protocol (Samsung Internet) * fix: Error when target_status is nil * fix: Handle lack of image * fix: Delete reference to invalid subscriptions * feat: Better error handling * fix: Unescape HTML characters after tags are striped * refactor: Simpify code * fix: Modify to work with #4091 * Sort strings alphabetically * i18n: Updated Polish translation it annoys me that it's not fully localized :P * refactor: Use current_session in PushSubscriptionController * fix: Rebase mistake * fix: Set cacheName to mastodon * refactor: Pull request feedback * refactor: Remove logging statements * chore(yarn): Fix conflicts with master * chore(yarn): Copy latest from master * chore(yarn): Readd offline-plugin * refactor: Use save! and update! * refactor: Send notifications async * fix: Allow retry when push fails * fix: Save track for failed pushes * fix: Minify sw.js * fix: Remove account_id from fabricator
6 years ago
Add consumable invites (#5814) * Add consumable invites * Add UI for generating invite codes * Add tests * Display max uses and expiration in invites table, delete invite * Remove unused column and redundant validator - Default follows not used, probably bad idea - InviteCodeValidator is redundant because RegistrationsController checks invite code validity * Add admin setting to disable invites * Add admin UI for invites, configurable role for invite creation - Admin UI that lists everyone's invites, always available - Admin setting min_invite_role to control who can invite people - Non-admin invite UI only visible if users are allowed to * Do not remove invites from database, expire them instantly
6 years ago
Fix low-hanging rubocop gripes (#8458) * rubocop: quit being so picky * rubocop: miscellany * rubocop: prefer present to blank
5 years ago
Add consumable invites (#5814) * Add consumable invites * Add UI for generating invite codes * Add tests * Display max uses and expiration in invites table, delete invite * Remove unused column and redundant validator - Default follows not used, probably bad idea - InviteCodeValidator is redundant because RegistrationsController checks invite code validity * Add admin setting to disable invites * Add admin UI for invites, configurable role for invite creation - Admin UI that lists everyone's invites, always available - Admin setting min_invite_role to control who can invite people - Non-admin invite UI only visible if users are allowed to * Do not remove invites from database, expire them instantly
6 years ago
pam authentication (#5303) * add pam support, without extra column * bugfixes for pam login * document options * fix code style * fix codestyle * fix tests * don't call remember_me without password * fix codestyle * improve checks for pam usage (should fix tests) * fix remember_me part 1 * add remember_token column because :rememberable requires either a password or this column. * migrate db for remember_token * move pam_authentication to the right place, fix logic bug in edit.html.haml * fix tests * fix pam authentication, improve username lookup, add comment * valid? is sometimes not honored, return nil instead trying to authenticate with pam * update devise_pam_authenticatable2 and adjust code. Fixes sideeffects observed in tests * update devise_pam_authenticatable gem, fixes for codeconventions, fix finding user * codeconvention fixes * code convention fixes * fix idention * update dependency, explicit conflict check * fix disabled password updates if in pam mode * fix check password if password is present, fix templates * block registration if account is maintained by pam * Revert "block registration if account is maintained by pam" This reverts commit 8e7a083d650240b6fac414926744b4b90b435f20. * fix identation error introduced by rebase * block usernames maintained by pam * document pam settings better * fix code style
6 years ago
Add password challenge to 2FA settings, e-mail notifications (#11878) Fix #3961
4 years ago
pam authentication (#5303) * add pam support, without extra column * bugfixes for pam login * document options * fix code style * fix codestyle * fix tests * don't call remember_me without password * fix codestyle * improve checks for pam usage (should fix tests) * fix remember_me part 1 * add remember_token column because :rememberable requires either a password or this column. * migrate db for remember_token * move pam_authentication to the right place, fix logic bug in edit.html.haml * fix tests * fix pam authentication, improve username lookup, add comment * valid? is sometimes not honored, return nil instead trying to authenticate with pam * update devise_pam_authenticatable2 and adjust code. Fixes sideeffects observed in tests * update devise_pam_authenticatable gem, fixes for codeconventions, fix finding user * codeconvention fixes * code convention fixes * fix idention * update dependency, explicit conflict check * fix disabled password updates if in pam mode * fix check password if password is present, fix templates * block registration if account is maintained by pam * Revert "block registration if account is maintained by pam" This reverts commit 8e7a083d650240b6fac414926744b4b90b435f20. * fix identation error introduced by rebase * block usernames maintained by pam * document pam settings better * fix code style
6 years ago
Add e-mail-based sign in challenge for users with disabled 2FA (#14013)
3 years ago
pam authentication (#5303) * add pam support, without extra column * bugfixes for pam login * document options * fix code style * fix codestyle * fix tests * don't call remember_me without password * fix codestyle * improve checks for pam usage (should fix tests) * fix remember_me part 1 * add remember_token column because :rememberable requires either a password or this column. * migrate db for remember_token * move pam_authentication to the right place, fix logic bug in edit.html.haml * fix tests * fix pam authentication, improve username lookup, add comment * valid? is sometimes not honored, return nil instead trying to authenticate with pam * update devise_pam_authenticatable2 and adjust code. Fixes sideeffects observed in tests * update devise_pam_authenticatable gem, fixes for codeconventions, fix finding user * codeconvention fixes * code convention fixes * fix idention * update dependency, explicit conflict check * fix disabled password updates if in pam mode * fix check password if password is present, fix templates * block registration if account is maintained by pam * Revert "block registration if account is maintained by pam" This reverts commit 8e7a083d650240b6fac414926744b4b90b435f20. * fix identation error introduced by rebase * block usernames maintained by pam * document pam settings better * fix code style
6 years ago
Add password challenge to 2FA settings, e-mail notifications (#11878) Fix #3961
4 years ago
pam authentication (#5303) * add pam support, without extra column * bugfixes for pam login * document options * fix code style * fix codestyle * fix tests * don't call remember_me without password * fix codestyle * improve checks for pam usage (should fix tests) * fix remember_me part 1 * add remember_token column because :rememberable requires either a password or this column. * migrate db for remember_token * move pam_authentication to the right place, fix logic bug in edit.html.haml * fix tests * fix pam authentication, improve username lookup, add comment * valid? is sometimes not honored, return nil instead trying to authenticate with pam * update devise_pam_authenticatable2 and adjust code. Fixes sideeffects observed in tests * update devise_pam_authenticatable gem, fixes for codeconventions, fix finding user * codeconvention fixes * code convention fixes * fix idention * update dependency, explicit conflict check * fix disabled password updates if in pam mode * fix check password if password is present, fix templates * block registration if account is maintained by pam * Revert "block registration if account is maintained by pam" This reverts commit 8e7a083d650240b6fac414926744b4b90b435f20. * fix identation error introduced by rebase * block usernames maintained by pam * document pam settings better * fix code style
6 years ago
Add password challenge to 2FA settings, e-mail notifications (#11878) Fix #3961
4 years ago
pam authentication (#5303) * add pam support, without extra column * bugfixes for pam login * document options * fix code style * fix codestyle * fix tests * don't call remember_me without password * fix codestyle * improve checks for pam usage (should fix tests) * fix remember_me part 1 * add remember_token column because :rememberable requires either a password or this column. * migrate db for remember_token * move pam_authentication to the right place, fix logic bug in edit.html.haml * fix tests * fix pam authentication, improve username lookup, add comment * valid? is sometimes not honored, return nil instead trying to authenticate with pam * update devise_pam_authenticatable2 and adjust code. Fixes sideeffects observed in tests * update devise_pam_authenticatable gem, fixes for codeconventions, fix finding user * codeconvention fixes * code convention fixes * fix idention * update dependency, explicit conflict check * fix disabled password updates if in pam mode * fix check password if password is present, fix templates * block registration if account is maintained by pam * Revert "block registration if account is maintained by pam" This reverts commit 8e7a083d650240b6fac414926744b4b90b435f20. * fix identation error introduced by rebase * block usernames maintained by pam * document pam settings better * fix code style
6 years ago
Add a new preference to always hide all media (#8569)
5 years ago
Fix not all of account's active IPs showing up in admin UI (#12909)
4 years ago
Fix user disabling changing activity timestamps, fix nil error (#12943)
4 years ago
Fix not all of account's active IPs showing up in admin UI (#12909)
4 years ago
Add e-mail-based sign in challenge for users with disabled 2FA (#14013)
3 years ago
Refactor User and spec (#3431) * Protect send_devise_notification of User * Improve spec for User
7 years ago
Fix “Email changed” notification sometimes having wrong e-mail (#13475) * Fix “Email changed” notification sometimes having wrong e-mail Fixes #6778 The root of the issue is that `send_devise_notification` was called before the changes were properly commited to the database, causing the mailer to pick previous values if running too early. Devise's documentation provides guidance on how to handle that[1][2], however, I have found it to not be working, as the following happens, in that order: - `send_devise_notification` is called for the `email_changed` notification. In that case, `changed?` is false and `saved_changes?` is true, so if we use the former, we have the same issue. - the `after_commit` hook is called - `send_devise_notification` is called for the `confirmation_instructions` notification. In that case, `changed?` is still false, and `saved_changes?` still true, so if we use the latter, that second notification email is simply not going to be sent (as we would be queuing the notification *after* executing the after_commit hook). This is because it may be called from either an `after_update` or `after_commit` hook, the difference not being a call to `save` but the transaction actually being committed to the database. This may arguably be a bug in Devise, or Devise's notification. The proposed workaround is inspired by Devise's documentation but checks whether a transaction is open to make the call whether to immediately send the notification or defer it to the `after_commit` hook. [1]: https://www.rubydoc.info/github/plataformatec/devise/Devise%2FModels%2FAuthenticatable:send_devise_notification [2]: https://github.com/heartcombo/devise/blob/406915cb781e38255a30ad2a0609e33952b9ec50/lib/devise/models/authenticatable.rb#L133-L194 * Fix cases when sending notifications without changing the model * Defer sending if and only if in transaction including current record
4 years ago
Refactor User and spec (#3431) * Protect send_devise_notification of User * Improve spec for User
7 years ago
Improve allowed language handling (#2897) * Dont allow empty value in user allowed languages * Sanitize language input to reject blank values in array
7 years ago
Add e-mail-based sign in challenge for users with disabled 2FA (#14013)
3 years ago
Fix “Email changed” notification sometimes having wrong e-mail (#13475) * Fix “Email changed” notification sometimes having wrong e-mail Fixes #6778 The root of the issue is that `send_devise_notification` was called before the changes were properly commited to the database, causing the mailer to pick previous values if running too early. Devise's documentation provides guidance on how to handle that[1][2], however, I have found it to not be working, as the following happens, in that order: - `send_devise_notification` is called for the `email_changed` notification. In that case, `changed?` is false and `saved_changes?` is true, so if we use the former, we have the same issue. - the `after_commit` hook is called - `send_devise_notification` is called for the `confirmation_instructions` notification. In that case, `changed?` is still false, and `saved_changes?` still true, so if we use the latter, that second notification email is simply not going to be sent (as we would be queuing the notification *after* executing the after_commit hook). This is because it may be called from either an `after_update` or `after_commit` hook, the difference not being a call to `save` but the transaction actually being committed to the database. This may arguably be a bug in Devise, or Devise's notification. The proposed workaround is inspired by Devise's documentation but checks whether a transaction is open to make the call whether to immediately send the notification or defer it to the `after_commit` hook. [1]: https://www.rubydoc.info/github/plataformatec/devise/Devise%2FModels%2FAuthenticatable:send_devise_notification [2]: https://github.com/heartcombo/devise/blob/406915cb781e38255a30ad2a0609e33952b9ec50/lib/devise/models/authenticatable.rb#L133-L194 * Fix cases when sending notifications without changing the model * Defer sending if and only if in transaction including current record
4 years ago
Admission-based registrations mode (#10250) Fix #6856 Fix #6951
5 years ago
Fix “invited by” not showing up for invited accounts in admin interface (#10791)
5 years ago
If registrations have been re-opened when user confirms account, approve (#10349)
5 years ago
Admission-based registrations mode (#10250) Fix #6856 Fix #6951
5 years ago
Fix LDAP/PAM/SAML/CAS users not being approved instantly (#10621)
5 years ago
Fix approved column being set to nil instead of false (#10642) Fix https://github.com/tootsuite/mastodon/pull/10621#issuecomment-487316619
5 years ago
Fix LDAP/PAM/SAML/CAS users not being approved instantly (#10621)
5 years ago
Improve allowed language handling (#2897) * Dont allow empty value in user allowed languages * Sanitize language input to reject blank values in array
7 years ago
Change language opt-out to language opt-in (#7823) * Switch filtered_languages to chosen_languages * Adjust interface * Remove unused translations
6 years ago
Improve allowed language handling (#2897) * Dont allow empty value in user allowed languages * Sanitize language input to reject blank values in array
7 years ago
Add more instance stats APIs (#6125) * Add GET /api/v1/instance/peers API to reveal known domains * Add GET /api/v1/instance/activity API * Make new APIs disableable, exclude private statuses from activity stats * Fix code style issue * Fix week timestamps
6 years ago
Fix #6331 (#6341) UserTrackingConcern is circumvented by SessionsController#create because it calls warden, which calls the User#update_tracked_fields! method directly. Move returning user logic to that method.
6 years ago
Add more instance stats APIs (#6125) * Add GET /api/v1/instance/peers API to reveal known domains * Add GET /api/v1/instance/activity API * Make new APIs disableable, exclude private statuses from activity stats * Fix code style issue * Fix week timestamps
6 years ago
Replace tutorial modal with welcome e-mail (#6273) * Remove onboarding modal * Welcome e-mail * Send welcome e-mail after confirmation * Remove obsolete translations
6 years ago
Add more instance stats APIs (#6125) * Add GET /api/v1/instance/peers API to reveal known domains * Add GET /api/v1/instance/activity API * Make new APIs disableable, exclude private statuses from activity stats * Fix code style issue * Fix week timestamps
6 years ago
Fix #6331 (#6341) UserTrackingConcern is circumvented by SessionsController#create because it calls warden, which calls the User#update_tracked_fields! method directly. Move returning user logic to that method.
6 years ago
Admission-based registrations mode (#10250) Fix #6856 Fix #6951
5 years ago
Add preference to disable e-mails about new pending accounts (#10529)
5 years ago
Admission-based registrations mode (#10250) Fix #6856 Fix #6951
5 years ago
Fix #6331 (#6341) UserTrackingConcern is circumvented by SessionsController#create because it calls warden, which calls the User#update_tracked_fields! method directly. Move returning user logic to that method.
6 years ago
Fix code style of regeneration-related code (#9843)
5 years ago
Fix #6331 (#6341) UserTrackingConcern is circumvented by SessionsController#create because it calls warden, which calls the User#update_tracked_fields! method directly. Move returning user logic to that method.
6 years ago
Improve e-mail MX validator and add tests (#9489)
5 years ago
Made some progress
8 years ago
 
  1. # frozen_string_literal: true
  2. # == Schema Information
  3. #
  4. # Table name: users
  5. #
  6. #  id                        :bigint(8)        not null, primary key
  7. #  email                     :string           default(""), not null
  8. #  created_at                :datetime         not null
  9. #  updated_at                :datetime         not null
  10. #  encrypted_password        :string           default(""), not null
  11. #  reset_password_token      :string
  12. #  reset_password_sent_at    :datetime
  13. #  remember_created_at       :datetime
  14. #  sign_in_count             :integer          default(0), not null
  15. #  current_sign_in_at        :datetime
  16. #  last_sign_in_at           :datetime
  17. #  current_sign_in_ip        :inet
  18. #  last_sign_in_ip           :inet
  19. #  admin                     :boolean          default(FALSE), not null
  20. #  confirmation_token        :string
  21. #  confirmed_at              :datetime
  22. #  confirmation_sent_at      :datetime
  23. #  unconfirmed_email         :string
  24. #  locale                    :string
  25. #  encrypted_otp_secret      :string
  26. #  encrypted_otp_secret_iv   :string
  27. #  encrypted_otp_secret_salt :string
  28. #  consumed_timestep         :integer
  29. #  otp_required_for_login    :boolean          default(FALSE), not null
  30. #  last_emailed_at           :datetime
  31. #  otp_backup_codes          :string           is an Array
  32. #  filtered_languages        :string           default([]), not null, is an Array
  33. #  account_id                :bigint(8)        not null
  34. #  disabled                  :boolean          default(FALSE), not null
  35. #  moderator                 :boolean          default(FALSE), not null
  36. #  invite_id                 :bigint(8)
  37. #  remember_token            :string
  38. #  chosen_languages          :string           is an Array
  39. #  created_by_application_id :bigint(8)
  40. #  approved                  :boolean          default(TRUE), not null
  41. #  sign_in_token             :string
  42. #  sign_in_token_sent_at     :datetime
  43. #
  44. 

  45. class User < ApplicationRecord
  46.   include Settings::Extend
  47.   include UserRoles
  48. 

  49.   # The home and list feeds will be stored in Redis for this amount
  50.   # of time, and status fan-out to followers will include only people
  51.   # within this time frame. Lowering the duration may improve performance
  52.   # if lots of people sign up, but not a lot of them check their feed
  53.   # every day. Raising the duration reduces the amount of expensive
  54.   # RegenerationWorker jobs that need to be run when those people come
  55.   # to check their feed
  56.   ACTIVE_DURATION = ENV.fetch('USER_ACTIVE_DAYS', 7).to_i.days.freeze
  57. 

  58.   devise :two_factor_authenticatable,
  59.          otp_secret_encryption_key: Rails.configuration.x.otp_secret
  60. 

  61.   devise :two_factor_backupable,
  62.          otp_number_of_backup_codes: 10

  63. 

  64.   devise :registerable, :recoverable, :rememberable, :trackable, :validatable,
  65.          :confirmable
  66. 

  67.   include Omniauthable
  68.   include PamAuthenticable
  69.   include LdapAuthenticable
  70. 

  71.   belongs_to :account, inverse_of: :user
  72.   belongs_to :invite, counter_cache: :uses, optional: true
  73.   belongs_to :created_by_application, class_name: 'Doorkeeper::Application', optional: true
  74.   accepts_nested_attributes_for :account
  75. 

  76.   has_many :applications, class_name: 'Doorkeeper::Application', as: :owner
  77.   has_many :backups, inverse_of: :user
  78.   has_many :invites, inverse_of: :user
  79.   has_many :markers, inverse_of: :user, dependent: :destroy
  80. 

  81.   has_one :invite_request, class_name: 'UserInviteRequest', inverse_of: :user, dependent: :destroy
  82.   accepts_nested_attributes_for :invite_request, reject_if: ->(attributes) { attributes['text'].blank? }
  83. 

  84.   validates :locale, inclusion: I18n.available_locales.map(&:to_s), if: :locale?
  85.   validates_with BlacklistedEmailValidator, on: :create
  86.   validates_with EmailMxValidator, if: :validate_email_dns?
  87.   validates :agreement, acceptance: { allow_nil: false, accept: [true, 'true', '1'] }, on: :create
  88. 

  89.   scope :recent, -> { order(id: :desc) }
  90.   scope :pending, -> { where(approved: false) }
  91.   scope :approved, -> { where(approved: true) }
  92.   scope :confirmed, -> { where.not(confirmed_at: nil) }
  93.   scope :enabled, -> { where(disabled: false) }
  94.   scope :disabled, -> { where(disabled: true) }
  95.   scope :inactive, -> { where(arel_table[:current_sign_in_at].lt(ACTIVE_DURATION.ago)) }
  96.   scope :active, -> { confirmed.where(arel_table[:current_sign_in_at].gteq(ACTIVE_DURATION.ago)).joins(:account).where(accounts: { suspended_at: nil }) }
  97.   scope :matches_email, ->(value) { where(arel_table[:email].matches("#{value}%")) }
  98.   scope :matches_ip, ->(value) { left_joins(:session_activations).where('users.current_sign_in_ip <<= ?', value).or(left_joins(:session_activations).where('users.last_sign_in_ip <<= ?', value)).or(left_joins(:session_activations).where('session_activations.ip <<= ?', value)) }
  99.   scope :emailable, -> { confirmed.enabled.joins(:account).merge(Account.searchable) }
  100. 

  101.   before_validation :sanitize_languages
  102.   before_create :set_approved
  103.   after_commit :send_pending_devise_notifications
  104. 

  105.   # This avoids a deprecation warning from Rails 5.1
  106.   # It seems possible that a future release of devise-two-factor will
  107.   # handle this itself, and this can be removed from our User class.
  108.   attribute :otp_secret
  109. 

  110.   has_many :session_activations, dependent: :destroy
  111. 

  112.   delegate :auto_play_gif, :default_sensitive, :unfollow_modal, :boost_modal, :delete_modal,
  113.            :reduce_motion, :system_font_ui, :noindex, :theme, :display_media, :hide_network,
  114.            :expand_spoilers, :default_language, :aggregate_reblogs, :show_application,
  115.            :advanced_layout, :use_blurhash, :use_pending_items, :trends, :crop_images,
  116.            to: :settings, prefix: :setting, allow_nil: false
  117. 

  118.   attr_reader :invite_code, :sign_in_token_attempt
  119.   attr_writer :external
  120. 

  121.   def confirmed?
  122.     confirmed_at.present?
  123.   end
  124. 

  125.   def invited?
  126.     invite_id.present?
  127.   end
  128. 

  129.   def valid_invitation?
  130.     invite_id.present? && invite.valid_for_use?
  131.   end
  132. 

  133.   def disable!
  134.     update!(disabled: true)
  135.   end
  136. 

  137.   def enable!
  138.     update!(disabled: false)
  139.   end
  140. 

  141.   def confirm
  142.     new_user      = !confirmed?
  143.     self.approved = true if open_registrations?
  144. 

  145.     super
  146. 

  147.     if new_user && approved?
  148.       prepare_new_user!
  149.     elsif new_user
  150.       notify_staff_about_pending_account!
  151.     end
  152.   end
  153. 

  154.   def confirm!
  155.     new_user      = !confirmed?
  156.     self.approved = true if open_registrations?
  157. 

  158.     skip_confirmation!
  159.     save!
  160. 

  161.     prepare_new_user! if new_user && approved?
  162.   end
  163. 

  164.   def pending?
  165.     !approved?
  166.   end
  167. 

  168.   def active_for_authentication?
  169.     true
  170.   end
  171. 

  172.   def suspicious_sign_in?(ip)
  173.     !otp_required_for_login? && current_sign_in_at.present? && current_sign_in_at < 2.weeks.ago && !recent_ip?(ip)
  174.   end
  175. 

  176.   def functional?
  177.     confirmed? && approved? && !disabled? && !account.suspended? && account.moved_to_account_id.nil?
  178.   end
  179. 

  180.   def unconfirmed_or_pending?
  181.     !(confirmed? && approved?)
  182.   end
  183. 

  184.   def inactive_message
  185.     !approved? ? :pending : super
  186.   end
  187. 

  188.   def approve!
  189.     return if approved?
  190. 

  191.     update!(approved: true)
  192.     prepare_new_user!
  193.   end
  194. 

  195.   def update_tracked_fields!(request)
  196.     super
  197.     prepare_returning_user!
  198.   end
  199. 

  200.   def disable_two_factor!
  201.     self.otp_required_for_login = false
  202.     otp_backup_codes&.clear
  203.     save!
  204.   end
  205. 

  206.   def setting_default_privacy
  207.     settings.default_privacy || (account.locked? ? 'private' : 'public')
  208.   end
  209. 

  210.   def allows_digest_emails?
  211.     settings.notification_emails['digest']
  212.   end
  213. 

  214.   def allows_report_emails?
  215.     settings.notification_emails['report']
  216.   end
  217. 

  218.   def allows_pending_account_emails?
  219.     settings.notification_emails['pending_account']
  220.   end
  221. 

  222.   def allows_trending_tag_emails?
  223.     settings.notification_emails['trending_tag']
  224.   end
  225. 

  226.   def hides_network?
  227.     @hides_network ||= settings.hide_network
  228.   end
  229. 

  230.   def aggregates_reblogs?
  231.     @aggregates_reblogs ||= settings.aggregate_reblogs
  232.   end
  233. 

  234.   def shows_application?
  235.     @shows_application ||= settings.show_application
  236.   end
  237. 

  238.   def token_for_app(a)
  239.     return nil if a.nil? || a.owner != self
  240.     Doorkeeper::AccessToken
  241.       .find_or_create_by(application_id: a.id, resource_owner_id: id) do |t|
  242. 

  243.       t.scopes = a.scopes
  244.       t.expires_in = Doorkeeper.configuration.access_token_expires_in
  245.       t.use_refresh_token = Doorkeeper.configuration.refresh_token_enabled?
  246.     end
  247.   end
  248. 

  249.   def activate_session(request)
  250.     session_activations.activate(session_id: SecureRandom.hex,
  251.                                  user_agent: request.user_agent,
  252.                                  ip: request.remote_ip).session_id
  253.   end
  254. 

  255.   def clear_other_sessions(id)
  256.     session_activations.exclusive(id)
  257.   end
  258. 

  259.   def session_active?(id)
  260.     session_activations.active? id
  261.   end
  262. 

  263.   def web_push_subscription(session)
  264.     session.web_push_subscription.nil? ? nil : session.web_push_subscription
  265.   end
  266. 

  267.   def invite_code=(code)
  268.     self.invite  = Invite.find_by(code: code) if code.present?
  269.     @invite_code = code
  270.   end
  271. 

  272.   def password_required?
  273.     return false if external?
  274. 

  275.     super
  276.   end
  277. 

  278.   def external_or_valid_password?(compare_password)
  279.     # If encrypted_password is blank, we got the user from LDAP or PAM,
  280.     # so credentials are already valid
  281. 

  282.     encrypted_password.blank? || valid_password?(compare_password)
  283.   end
  284. 

  285.   def send_reset_password_instructions
  286.     return false if encrypted_password.blank?
  287. 

  288.     super
  289.   end
  290. 

  291.   def reset_password!(new_password, new_password_confirmation)
  292.     return false if encrypted_password.blank?
  293. 

  294.     super
  295.   end
  296. 

  297.   def show_all_media?
  298.     setting_display_media == 'show_all'
  299.   end
  300. 

  301.   def hide_all_media?
  302.     setting_display_media == 'hide_all'
  303.   end
  304. 

  305.   def recent_ips
  306.     @recent_ips ||= begin
  307.       arr = []
  308. 

  309.       session_activations.each do |session_activation|
  310.         arr << [session_activation.updated_at, session_activation.ip]
  311.       end
  312. 

  313.       arr << [current_sign_in_at, current_sign_in_ip] if current_sign_in_ip.present?
  314.       arr << [last_sign_in_at, last_sign_in_ip] if last_sign_in_ip.present?
  315. 

  316.       arr.sort_by { |pair| pair.first || Time.now.utc }.uniq(&:last).reverse!
  317.     end
  318.   end
  319. 

  320.   def sign_in_token_expired?
  321.     sign_in_token_sent_at.nil? || sign_in_token_sent_at < 5.minutes.ago
  322.   end
  323. 

  324.   def generate_sign_in_token
  325.     self.sign_in_token         = Devise.friendly_token(6)
  326.     self.sign_in_token_sent_at = Time.now.utc
  327.   end
  328. 

  329.   protected
  330. 

  331.   def send_devise_notification(notification, *args)
  332.     # This method can be called in `after_update` and `after_commit` hooks,
  333.     # but we must make sure the mailer is actually called *after* commit,
  334.     # otherwise it may work on stale data. To do this, figure out if we are
  335.     # within a transaction.
  336.     if ActiveRecord::Base.connection.current_transaction.try(:records)&.include?(self)
  337.       pending_devise_notifications << [notification, args]
  338.     else
  339.       render_and_send_devise_message(notification, *args)
  340.     end
  341.   end
  342. 

  343.   private
  344. 

  345.   def recent_ip?(ip)
  346.     recent_ips.any? { |(_, recent_ip)| recent_ip == ip }
  347.   end
  348. 

  349.   def send_pending_devise_notifications
  350.     pending_devise_notifications.each do |notification, args|
  351.       render_and_send_devise_message(notification, *args)
  352.     end
  353. 

  354.     # Empty the pending notifications array because the
  355.     # after_commit hook can be called multiple times which
  356.     # could cause multiple emails to be sent.
  357.     pending_devise_notifications.clear
  358.   end
  359. 

  360.   def pending_devise_notifications
  361.     @pending_devise_notifications ||= []
  362.   end
  363. 

  364.   def render_and_send_devise_message(notification, *args)
  365.     devise_mailer.send(notification, self, *args).deliver_later
  366.   end
  367. 

  368.   def set_approved
  369.     self.approved = open_registrations? || valid_invitation? || external?
  370.   end
  371. 

  372.   def open_registrations?
  373.     Setting.registrations_mode == 'open'
  374.   end
  375. 

  376.   def external?
  377.     !!@external
  378.   end
  379. 

  380.   def sanitize_languages
  381.     return if chosen_languages.nil?
  382.     chosen_languages.reject!(&:blank?)
  383.     self.chosen_languages = nil if chosen_languages.empty?
  384.   end
  385. 

  386.   def prepare_new_user!
  387.     BootstrapTimelineWorker.perform_async(account_id)
  388.     ActivityTracker.increment('activity:accounts:local')
  389.     UserMailer.welcome(self).deliver_later
  390.   end
  391. 

  392.   def prepare_returning_user!
  393.     ActivityTracker.record('activity:logins', id)
  394.     regenerate_feed! if needs_feed_update?
  395.   end
  396. 

  397.   def notify_staff_about_pending_account!
  398.     User.staff.includes(:account).each do |u|
  399.       next unless u.allows_pending_account_emails?
  400.       AdminMailer.new_pending_account(u.account, self).deliver_later
  401.     end
  402.   end
  403. 

  404.   def regenerate_feed!
  405.     return unless Redis.current.setnx("account:#{account_id}:regeneration", true)
  406.     Redis.current.expire("account:#{account_id}:regeneration", 1.day.seconds)
  407.     RegenerationWorker.perform_async(account_id)
  408.   end
  409. 

  410.   def needs_feed_update?
  411.     last_sign_in_at < ACTIVE_DURATION.ago
  412.   end
  413. 

  414.   def validate_email_dns?
  415.     email_changed? && !(Rails.env.test? || Rails.env.development?)
  416.   end
  417. end