  1. Feb 02, 2022
  2. Jan 31, 2022
  3. Nov 26, 2021
  4. Nov 06, 2021
  5. Nov 05, 2021
    • Bump version to 3.4.2 · 8a74d851
      Eugen Rochko authored
    • Fix AccountNote not having a maximum length (#16942) · 76c20288
      Claire authored
    • Fix reviving revoked sessions and invalidating login (#16943) · 3251b8ee
      Claire authored
      Up until now, we have used Devise's Rememberable mechanism to re-log users
      after the end of their browser sessions. This mechanism relies on a signed
      cookie containing a token. That token was stored on the user's record,
      meaning it was shared across all logged in browsers, meaning truly revoking
      a browser's ability to auto-log-in involves revoking the token itself, and
      revoking access from *all* logged-in browsers.
      
      We had a session mechanism that dynamically checks whether a user's session
      has been disabled, and would log out the user if so. However, this would only
      clear a session being actively used, and a new one could be respawned with
      the `remember_user_token` cookie.
      
      In practice, this caused two issues:
      - sessions could be revived after being closed from /auth/edit (security issue)
      - auto-log-in would be disabled for *all* browsers after logging out from one
        of them
      
      This PR removes the `remember_token` mechanism and treats the `_session_id`
      cookie/token as a browser-specific `remember_token`, fixing both issues.
    • Fix handling announcements with links (#16941) · f60bb078
      Claire authored
      Broken since #15827
    • Fix user email address being banned on self-deletion (#16503) · c3a6f7b9
      Claire authored
      * Add tests
      
      * Fix user email address being banned on self-deletion
      
      Fixes #16498
    • Improve modal flow and back button handling (#16499) · 986397b3
      Claire authored
      * Refactor shouldUpdateScroll passing
      
      So far, shouldUpdateScroll has been manually passed down from the very top of
      the React component hierarchy even though it is a static function common to
      all ScrollContainer instances, so replaced that with a custom class extending
      ScrollContainer.
      
      * Generalize “press back to close modal” to any modal and to public pages
      
      * Fix boost confirmation modal closing media modal
    • Change references to tootsuite/mastodon to mastodon/mastodon (#16491) · c79d4711
      Claire authored
      * Change references to tootsuite/mastodon to mastodon/mastodon
      
      * Remove obsolete test fixture
      
      * Replace occurrences of tootsuite/mastodon with mastodon/mastodon in CHANGELOG
      
      And a few other places
    • Change number_to_human calls to always use 3-digits precision (#16469) · be560337
      Claire authored
      Fixes #16435
    • Fix anonymous access to outbox not being cached by the reverse proxy (#16458) · 4bc1fde1
      Claire authored
      * Fix anonymous access to outbox not being cached by the reverse proxy
      
      Up until now, anonymous access to outbox was marked as public, but with a
      0 duration for caching, which means remote proxies would only serve from cache
      when the server was completely overwhelmed.
      
      Changed that cache duration to one minute, so that repeated anonymous access
      to one account's outbox can be appropriately cached.
      
      Also added `Signature` to the `Vary` header in case a page is requested, so
      that authenticated fetches are never served from cache (which only contains
      public toots).
      
      * Remove Vary: Accept header from webfinger controller
      
      Indeed, we have stopped returning xrd, and only ever return jrd, so the
      Accept request header does not matter anymore.
      
      * Cache negative webfinger hits for 3 minutes
    • Fix WebUI crash when a toot with a playing video gets deleted (#16384) · 34ab4111
      Claire authored
      * Fix WebUI crash when a toot with a playing video gets deleted
      
      * Fix pop-up player not closing the moment a status is deleted