jyt94
/
closedSocialMastodon
forked from closed-social/mastodon
1
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
闭社主体 forked from https://github.com/tootsuite/mastodon
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
10747 Commits
3 Branches
123 MiB
Tree: bd03963e8c
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'bd03963e8c'
${ noResults }
closedSocialMastodon/app/controllers/auth/registrations_controller.rb

129 lines
3.3 KiB
Raw Normal View History

Fix rubocop issues, introduce usage of frozen literal to improve performance
7 years ago
Customizing devise views and controllers
8 years ago
Add honeypot fields and minimum fill-out time for sign-up form (#15276) * Add honeypot fields to limit non-specialized spam Add two honeypot fields: a fake website input and a fake password confirmation one. The label/placeholder/aria-label tells not to fill them, and they are hidden in CSS, so legitimate users should not fall into these. This should cut down on some non-Mastodon-specific spambots. * Require a 3 seconds delay before submitting the registration form * Fix tests * Move registration form time check to model validation * Give people a chance to clear the honeypot fields * Refactor honeypot translation strings Co-authored-by: Claire <claire.github-309c@sitedethib.com>
3 years ago
Fix other sessions not being logged out on password change (#14252) While OAuth tokens were immediately revoked, accessing the home controller immediately generated new OAuth tokens and "revived" the session due to a combination of using remember_me tokens and overwriting the `authenticate_user!` method
3 years ago
Fix #611 - Layout setting in registrations controller
7 years ago
Customizing devise views and controllers
8 years ago
Add autofollow option to invites (#7805) * Add autofollow option to invites * Trigger CodeClimate rebuild
6 years ago
New admin setting: open/close registrations, with custom message, from the admin UI
7 years ago
Improve code style
7 years ago
Add overview of active sessions (#3929) * Add overview of active sessions * Better display of browser/platform name * Improve how browser information is stored and displayed for sessions overview * Fix test
6 years ago
Set InstancePresenter to `Auth::RegistrationsController#create` (#5366)
6 years ago
Fix styling in /auth/edit (#9117)
5 years ago
Change unconfirmed user login behaviour (#11375) Allow access to account settings, 2FA, authorized applications, and account deletions to unconfirmed and pending users, as well as users who had their accounts disabled. Suspended users cannot update their e-mail or password or delete their account. Display account status on account settings page, for example, when an account is frozen, limited, unconfirmed or pending review. After sign up, login users straight away and show a simple page that tells them the status of their account with links to account settings and logout, to reduce onboarding friction and allow users to correct wrongly typed e-mail addresses. Move the final sign-up step of SSO integrations to be the same as above to reduce code duplication.
4 years ago
Fix settings pages being cacheable by the browser (#12714) Fix #12255
4 years ago
Add honeypot fields and minimum fill-out time for sign-up form (#15276) * Add honeypot fields to limit non-specialized spam Add two honeypot fields: a fake website input and a fake password confirmation one. The label/placeholder/aria-label tells not to fill them, and they are hidden in CSS, so legitimate users should not fall into these. This should cut down on some non-Mastodon-specific spambots. * Require a 3 seconds delay before submitting the registration form * Fix tests * Move registration form time check to model validation * Give people a chance to clear the honeypot fields * Refactor honeypot translation strings Co-authored-by: Claire <claire.github-309c@sitedethib.com>
3 years ago
Change unconfirmed user login behaviour (#11375) Allow access to account settings, 2FA, authorized applications, and account deletions to unconfirmed and pending users, as well as users who had their accounts disabled. Suspended users cannot update their e-mail or password or delete their account. Display account status on account settings page, for example, when an account is frozen, limited, unconfirmed or pending review. After sign up, login users straight away and show a simple page that tells them the status of their account with links to account settings and logout, to reduce onboarding friction and allow users to correct wrongly typed e-mail addresses. Move the final sign-up step of SSO integrations to be the same as above to reduce code duplication.
4 years ago
Customizing devise views and controllers
8 years ago
Add "why do you want to join" field to invite requests (#10524) * Add "why do you want to join" field to invite requests Fix #10512 * Remove unused translations * Fix broken registrations when no invite request text is submitted
5 years ago
Fix Devise destroy method being available to delete user record (#3266) (You may think that we need account deletions, but this way would've just orphaned the db records)
7 years ago
Fix password change/reset not immediately invalidating other sessions (#12928) While making browser requests in the other sessions after a password change or reset does not allow you to be logged in and correctly invalidates the session making the request, sessions have API tokens associated with them, which can still be used until that session is invalidated. This is a security issue for accounts that were already compromised some other way because it makes it harder to throw out the hijacker.
4 years ago
Fix other sessions not being logged out on password change (#14252) While OAuth tokens were immediately revoked, accessing the home controller immediately generated new OAuth tokens and "revived" the session due to a combination of using remember_me tokens and overwriting the `authenticate_user!` method
3 years ago
Fix password change/reset not immediately invalidating other sessions (#12928) While making browser requests in the other sessions after a password change or reset does not allow you to be logged in and correctly invalidates the session making the request, sessions have API tokens associated with them, which can still be used until that session is invalidated. This is a security issue for accounts that were already compromised some other way because it makes it harder to throw out the hijacker.
4 years ago
Customizing devise views and controllers
8 years ago
pam authentication (#5303) * add pam support, without extra column * bugfixes for pam login * document options * fix code style * fix codestyle * fix tests * don't call remember_me without password * fix codestyle * improve checks for pam usage (should fix tests) * fix remember_me part 1 * add remember_token column because :rememberable requires either a password or this column. * migrate db for remember_token * move pam_authentication to the right place, fix logic bug in edit.html.haml * fix tests * fix pam authentication, improve username lookup, add comment * valid? is sometimes not honored, return nil instead trying to authenticate with pam * update devise_pam_authenticatable2 and adjust code. Fixes sideeffects observed in tests * update devise_pam_authenticatable gem, fixes for codeconventions, fix finding user * codeconvention fixes * code convention fixes * fix idention * update dependency, explicit conflict check * fix disabled password updates if in pam mode * fix check password if password is present, fix templates * block registration if account is maintained by pam * Revert "block registration if account is maintained by pam" This reverts commit 8e7a083d650240b6fac414926744b4b90b435f20. * fix identation error introduced by rebase * block usernames maintained by pam * document pam settings better * fix code style
6 years ago
Fix password change/reset not immediately invalidating other sessions (#12928) While making browser requests in the other sessions after a password change or reset does not allow you to be logged in and correctly invalidates the session making the request, sessions have API tokens associated with them, which can still be used until that session is invalidated. This is a security issue for accounts that were already compromised some other way because it makes it harder to throw out the hijacker.
4 years ago
pam authentication (#5303) * add pam support, without extra column * bugfixes for pam login * document options * fix code style * fix codestyle * fix tests * don't call remember_me without password * fix codestyle * improve checks for pam usage (should fix tests) * fix remember_me part 1 * add remember_token column because :rememberable requires either a password or this column. * migrate db for remember_token * move pam_authentication to the right place, fix logic bug in edit.html.haml * fix tests * fix pam authentication, improve username lookup, add comment * valid? is sometimes not honored, return nil instead trying to authenticate with pam * update devise_pam_authenticatable2 and adjust code. Fixes sideeffects observed in tests * update devise_pam_authenticatable gem, fixes for codeconventions, fix finding user * codeconvention fixes * code convention fixes * fix idention * update dependency, explicit conflict check * fix disabled password updates if in pam mode * fix check password if password is present, fix templates * block registration if account is maintained by pam * Revert "block registration if account is maintained by pam" This reverts commit 8e7a083d650240b6fac414926744b4b90b435f20. * fix identation error introduced by rebase * block usernames maintained by pam * document pam settings better * fix code style
6 years ago
Customizing devise views and controllers
8 years ago
Add consumable invites (#5814) * Add consumable invites * Add UI for generating invite codes * Add tests * Display max uses and expiration in invites table, delete invite * Remove unused column and redundant validator - Default follows not used, probably bad idea - InviteCodeValidator is redundant because RegistrationsController checks invite code validity * Add admin setting to disable invites * Add admin UI for invites, configurable role for invite creation - Admin UI that lists everyone's invites, always available - Admin setting min_invite_role to control who can invite people - Non-admin invite UI only visible if users are allowed to * Do not remove invites from database, expire them instantly
6 years ago
Add honeypot fields and minimum fill-out time for sign-up form (#15276) * Add honeypot fields to limit non-specialized spam Add two honeypot fields: a fake website input and a fake password confirmation one. The label/placeholder/aria-label tells not to fill them, and they are hidden in CSS, so legitimate users should not fall into these. This should cut down on some non-Mastodon-specific spambots. * Require a 3 seconds delay before submitting the registration form * Fix tests * Move registration form time check to model validation * Give people a chance to clear the honeypot fields * Refactor honeypot translation strings Co-authored-by: Claire <claire.github-309c@sitedethib.com>
3 years ago
Add consumable invites (#5814) * Add consumable invites * Add UI for generating invite codes * Add tests * Display max uses and expiration in invites table, delete invite * Remove unused column and redundant validator - Default follows not used, probably bad idea - InviteCodeValidator is redundant because RegistrationsController checks invite code validity * Add admin setting to disable invites * Add admin UI for invites, configurable role for invite creation - Admin UI that lists everyone's invites, always available - Admin setting min_invite_role to control who can invite people - Non-admin invite UI only visible if users are allowed to * Do not remove invites from database, expire them instantly
6 years ago
Improve code style
7 years ago
Customizing devise views and controllers
8 years ago
Upgrade to Rails 5.0.0.1
7 years ago
Add honeypot fields and minimum fill-out time for sign-up form (#15276) * Add honeypot fields to limit non-specialized spam Add two honeypot fields: a fake website input and a fake password confirmation one. The label/placeholder/aria-label tells not to fill them, and they are hidden in CSS, so legitimate users should not fall into these. This should cut down on some non-Mastodon-specific spambots. * Require a 3 seconds delay before submitting the registration form * Fix tests * Move registration form time check to model validation * Give people a chance to clear the honeypot fields * Refactor honeypot translation strings Co-authored-by: Claire <claire.github-309c@sitedethib.com>
3 years ago
Customizing devise views and controllers
8 years ago
Moving Salmon notifications to background processing, fixing mini-profiler behaviour with Turbolinks enabled, optimizing Rabl for production
8 years ago
Change unconfirmed user login behaviour (#11375) Allow access to account settings, 2FA, authorized applications, and account deletions to unconfirmed and pending users, as well as users who had their accounts disabled. Suspended users cannot update their e-mail or password or delete their account. Display account status on account settings page, for example, when an account is frozen, limited, unconfirmed or pending review. After sign up, login users straight away and show a simple page that tells them the status of their account with links to account settings and logout, to reduce onboarding friction and allow users to correct wrongly typed e-mail addresses. Move the final sign-up step of SSO integrations to be the same as above to reduce code duplication.
4 years ago
Customizing devise views and controllers
8 years ago
Add single user mode
7 years ago
If signed in, redirect autofollow invite to profile page (#7956) Fix #7944
5 years ago
Fix #390 - fix redirect after sign-up (to login page instead of homepage)
7 years ago
Add confirmation step for email changes (#6071) * Add confirmation step for email changes This adds a confirmation step for email changes of existing users. Like the initial account confirmation, a confirmation link is sent to the new address. Additionally, a notification is sent to the existing address when the change is initiated. This message includes instruction to reset the password immediately or to contact the instance admin if the change was not initiated by the account owner. Fixes #3871 * Add review fixes
6 years ago
New admin setting: open/close registrations, with custom message, from the admin UI
7 years ago
Add consumable invites (#5814) * Add consumable invites * Add UI for generating invite codes * Add tests * Display max uses and expiration in invites table, delete invite * Remove unused column and redundant validator - Default follows not used, probably bad idea - InviteCodeValidator is redundant because RegistrationsController checks invite code validity * Add admin setting to disable invites * Add admin UI for invites, configurable role for invite creation - Admin UI that lists everyone's invites, always available - Admin setting min_invite_role to control who can invite people - Non-admin invite UI only visible if users are allowed to * Do not remove invites from database, expire them instantly
6 years ago
Admission-based registrations mode (#10250) Fix #6856 Fix #6951
5 years ago
Add consumable invites (#5814) * Add consumable invites * Add UI for generating invite codes * Add tests * Display max uses and expiration in invites table, delete invite * Remove unused column and redundant validator - Default follows not used, probably bad idea - InviteCodeValidator is redundant because RegistrationsController checks invite code validity * Add admin setting to disable invites * Add admin UI for invites, configurable role for invite creation - Admin UI that lists everyone's invites, always available - Admin setting min_invite_role to control who can invite people - Non-admin invite UI only visible if users are allowed to * Do not remove invites from database, expire them instantly
6 years ago
Add single user mode
7 years ago
New admin setting: open/close registrations, with custom message, from the admin UI
7 years ago
Fix #611 - Layout setting in registrations controller
7 years ago
New admin setting: open/close registrations, with custom message, from the admin UI
7 years ago
sign_in and sign_up views present og meta infos (#5308)
6 years ago
Compensate for scrollbar disappearing when media modal visible (#8100) * Compensate for scrollbar disappearing when media modal visible Make auth pages backgrounds lighter * Fix typo
5 years ago
Fix styling in /auth/edit (#9117)
5 years ago
Compensate for scrollbar disappearing when media modal visible (#8100) * Compensate for scrollbar disappearing when media modal visible Make auth pages backgrounds lighter * Fix typo
5 years ago
Add autofollow option to invites (#7805) * Add autofollow option to invites * Trigger CodeClimate rebuild
6 years ago
Check that an invite link is valid before bypassing approval mode (#10657) * Check that an invite link is valid before bypassing approval mode Fixes #10656 * Add tests * Only consider valid invite links in registration controller * fixup
5 years ago
Add autofollow option to invites (#7805) * Add autofollow option to invites * Trigger CodeClimate rebuild
6 years ago
Fix #611 - Layout setting in registrations controller
7 years ago
Add overview of active sessions (#3929) * Add overview of active sessions * Better display of browser/platform name * Improve how browser information is stored and displayed for sessions overview * Fix test
6 years ago
Change unconfirmed user login behaviour (#11375) Allow access to account settings, 2FA, authorized applications, and account deletions to unconfirmed and pending users, as well as users who had their accounts disabled. Suspended users cannot update their e-mail or password or delete their account. Display account status on account settings page, for example, when an account is frozen, limited, unconfirmed or pending review. After sign up, login users straight away and show a simple page that tells them the status of their account with links to account settings and logout, to reduce onboarding friction and allow users to correct wrongly typed e-mail addresses. Move the final sign-up step of SSO integrations to be the same as above to reduce code duplication.
4 years ago
Fix settings pages being cacheable by the browser (#12714) Fix #12255
4 years ago
Customizing devise views and controllers
8 years ago
 
  1. # frozen_string_literal: true
  2. 

  3. class Auth::RegistrationsController < Devise::RegistrationsController
  4.   include RegistrationSpamConcern
  5. 

  6.   layout :determine_layout
  7. 

  8.   before_action :set_invite, only: [:new, :create]
  9.   before_action :check_enabled_registrations, only: [:new, :create]
  10.   before_action :configure_sign_up_params, only: [:create]
  11.   before_action :set_sessions, only: [:edit, :update]
  12.   before_action :set_instance_presenter, only: [:new, :create, :update]
  13.   before_action :set_body_classes, only: [:new, :create, :edit, :update]
  14.   before_action :require_not_suspended!, only: [:update]
  15.   before_action :set_cache_headers, only: [:edit, :update]
  16.   before_action :set_registration_form_time, only: :new
  17. 

  18.   skip_before_action :require_functional!, only: [:edit, :update]
  19. 

  20.   def new
  21.     super(&:build_invite_request)
  22.   end
  23. 

  24.   def destroy
  25.     not_found
  26.   end
  27. 

  28.   def update
  29.     super do |resource|
  30.       if resource.saved_change_to_encrypted_password?
  31.         resource.clear_other_sessions(current_session.session_id)
  32.       end
  33.     end
  34.   end
  35. 

  36.   protected
  37. 

  38.   def update_resource(resource, params)
  39.     params[:password] = nil if Devise.pam_authentication && resource.encrypted_password.blank?
  40. 

  41.     super
  42.   end
  43. 

  44.   def build_resource(hash = nil)
  45.     super(hash)
  46. 

  47.     resource.locale                 = I18n.locale
  48.     resource.invite_code            = params[:invite_code] if resource.invite_code.blank?
  49.     resource.registration_form_time = session[:registration_form_time]
  50.     resource.sign_up_ip             = request.remote_ip
  51. 

  52.     resource.build_account if resource.account.nil?
  53.   end
  54. 

  55.   def configure_sign_up_params
  56.     devise_parameter_sanitizer.permit(:sign_up) do |u|
  57.       u.permit({ account_attributes: [:username], invite_request_attributes: [:text] }, :email, :password, :password_confirmation, :invite_code, :agreement, :website, :confirm_password)
  58.     end
  59.   end
  60. 

  61.   def after_sign_up_path_for(_resource)
  62.     auth_setup_path
  63.   end
  64. 

  65.   def after_sign_in_path_for(_resource)
  66.     set_invite
  67. 

  68.     if @invite&.autofollow?
  69.       short_account_path(@invite.user.account)
  70.     else
  71.       super
  72.     end
  73.   end
  74. 

  75.   def after_inactive_sign_up_path_for(_resource)
  76.     new_user_session_path
  77.   end
  78. 

  79.   def after_update_path_for(_resource)
  80.     edit_user_registration_path
  81.   end
  82. 

  83.   def check_enabled_registrations
  84.     redirect_to root_path if single_user_mode? || !allowed_registrations?
  85.   end
  86. 

  87.   def allowed_registrations?
  88.     Setting.registrations_mode != 'none' || @invite&.valid_for_use?
  89.   end
  90. 

  91.   def invite_code
  92.     if params[:user]
  93.       params[:user][:invite_code]
  94.     else
  95.       params[:invite_code]
  96.     end
  97.   end
  98. 

  99.   private
  100. 

  101.   def set_instance_presenter
  102.     @instance_presenter = InstancePresenter.new
  103.   end
  104. 

  105.   def set_body_classes
  106.     @body_classes = %w(edit update).include?(action_name) ? 'admin' : 'lighter'
  107.   end
  108. 

  109.   def set_invite
  110.     invite = invite_code.present? ? Invite.find_by(code: invite_code) : nil
  111.     @invite = invite&.valid_for_use? ? invite : nil
  112.   end
  113. 

  114.   def determine_layout
  115.     %w(edit update).include?(action_name) ? 'admin' : 'auth'
  116.   end
  117. 

  118.   def set_sessions
  119.     @sessions = current_user.session_activations
  120.   end
  121. 

  122.   def require_not_suspended!
  123.     forbidden if current_account.suspended?
  124.   end
  125. 

  126.   def set_cache_headers
  127.     response.headers['Cache-Control'] = 'no-cache, no-store, max-age=0, must-revalidate'
  128.   end
  129. end