r3g_5z
f90552f62e
Drop XSS auditor
...
It's deprecated, removed in some, by all modern browsers and is known
to create XSS vulnerabilities in itself.
Signed-off-by: r3g_5z <june@terezi.dev>
2022-11-19 20:40:20 -05:00
FloatingGhost
89dbc7177b
Chores for 2022.11
2022-11-11 16:12:04 +00:00
FloatingGhost
ac0c00cdee
Add media sources to connect-src if media proxy is enabled
2022-11-10 17:26:51 +00:00
FloatingGhost
bab1ab5b6c
strip \r and \r from content-disposition filenames
2022-11-10 11:54:12 +00:00
Thomas Citharel
4d0a51221a
Fix typo in CSP Report-To header name
...
The header name was Report-To, not Reply-To.
In any case, that's now being changed to the Reporting-Endpoints HTTP
Response Header.
https://w3c.github.io/reporting/#header
https://github.com/w3c/reporting/issues/177
CanIUse says the Report-To header is still supported by current Chrome
and friends.
https://caniuse.com/mdn-http_headers_report-to
It doesn't have any data for the Reporting-Endpoints HTTP header, but
this article says Chrome 96 supports it.
https://web.dev/reporting-api/
(Even though that's come out one year ago, that's not compatible with
Network Error Logging which's still using the Report-To version of the
API)
Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2022-11-04 15:02:13 +01:00
FloatingGhost
03662501c3
Check that the signature matches the creator
2022-10-14 11:48:32 +01:00
Hélène
1acd38fe7f
OAuthPlug: use user cache instead of joining
...
As this plug is called on every request, this should reduce load on the
database by not requiring to select on the users table every single
time, and to instead use the by-ID user cache whenever possible.
2022-09-11 19:55:55 +01:00
floatingghost
772c209914
GTS: cherry-picks and collection usage ( #186 )
...
https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3725?commit_id=61254111e59f02118cad15de49d1e0704c07030e
what is this, a yoink of a yoink? good times
Co-authored-by: Hélène <pleroma-dev@helene.moe>
Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/186
2022-08-27 18:05:48 +00:00
FloatingGhost
8d7b63a766
Revert "Fix oauth2 (for real) ( #179 )"
...
This reverts commit aa681d7e15
.
2022-08-21 17:52:02 +01:00
floatingghost
aa681d7e15
Fix oauth2 (for real) ( #179 )
...
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/179
2022-08-21 16:24:37 +00:00
FloatingGhost
b0130bfa7b
Revert "oauth2 fixes ( #177 )"
...
This reverts commit 429e2ac832
.
2022-08-21 16:22:15 +01:00
floatingghost
429e2ac832
oauth2 fixes ( #177 )
...
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/177
2022-08-21 14:46:52 +00:00
FloatingGhost
55179d4214
set soapbox-fe v2 by default
...
fixes #157
2022-08-11 10:25:03 +01:00
floatingghost
ec162b496b
/notice signing checks on redirect ( #150 )
...
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/150
2022-08-05 19:31:32 +00:00
FloatingGhost
d598c7a834
remove anonymous function from plug
2022-07-14 11:17:14 +01:00
floatingghost
37ae047e16
Add swaggerUI options ( #66 )
...
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/66
2022-07-13 15:09:35 +00:00
floatingghost
364b6969eb
Use finch everywhere ( #33 )
...
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/33
2022-07-04 16:30:38 +00:00
Tusooa Zhu
3fd87b6a75
Skip cache when /objects or /activities is authenticated
...
Ref: fix-local-public
2022-06-29 20:47:27 +01:00
Tusooa Zhu
932e5df19e
Allow to skip cache in Cache plug
...
Ref: fix-local-public
2022-06-29 20:47:26 +01:00
Tusooa Zhu
07bd35227a
Support multiple locales from userLanguage cookie
2022-06-29 20:47:10 +01:00
Tusooa Zhu
fa95bc8725
Support multiple locales formally
...
elixir gettext current does not fully support fallback to another language [0].
But it might in the future. We adapt it so that all languages in Accept-Language
headers are received by Pleroma.Web.Gettext. User.languages is now a comma-separated
list.
[0]: https://github.com/elixir-gettext/gettext/issues/303
2022-06-29 20:47:10 +01:00
Tusooa Zhu
ef73f61b07
Fallback to a variant if the language in general is not supported
...
For an example, here, zh is not supported, but zh_Hans and zh_Hant
are. If the user asks for zh, we should choose a variant for them
instead of fallbacking to default.
Some browsers (e.g. Firefox) does not allow users to customize
their language codes. For example, there is no zh-Hans, but only
zh, zh-CN, zh-TW, zh-HK, etc. This provides a workaround for
those users suffering from bad design decisions.
2022-06-29 20:47:10 +01:00
Tusooa Zhu
72bdb0640f
Allow user to register with custom language
2022-06-29 20:46:51 +01:00
Tusooa Zhu
7726148472
Send emails i18n'd using backend-stored user language
2022-06-29 20:45:19 +01:00
Tusooa Zhu
8f08c902a5
Make lint happy
2022-06-29 20:44:16 +01:00
Tusooa Zhu
775f997c40
Prefer userLanguage cookie over Accept-Language header in detecting locale
...
https://git.pleroma.social/pleroma/pleroma-meta/-/issues/60
2022-06-29 20:43:41 +01:00
FloatingGhost
502382da45
cherry-pick security from upstream
2022-06-22 16:25:05 +01:00
Alex Gleason
138f5a4517
EnsureStaffPrivilegedPlug: don't let non-moderators through
2021-12-27 17:18:26 -06:00
Alibek Omarov
f02715c4b2
Fix lint errors
2021-12-27 03:42:03 +03:00
Alibek Omarov
cd1041c3a4
API: optionally restrict moderators from accessing sensitive data
2021-12-27 02:27:48 +03:00
Alex Gleason
44ede0657f
Merge remote-tracking branch 'pleroma/develop' into staff-plug
2021-08-04 11:48:57 -05:00
Alex Gleason
9bc1e79c56
Moderators: add UserIsStaffPlug
2021-07-12 21:57:52 -05:00
Alex Gleason
595bca24ad
Merge remote-tracking branch 'pleroma/develop' into cycles-frontend-static
2021-05-30 12:12:58 -05:00
Alex Gleason
721c966842
FrontendStatic: make Router a runtime dep
...
Speeds up recompilation by removing compile-time cycles
2021-05-30 12:12:16 -05:00
Alex Gleason
39127f15eb
Merge remote-tracking branch 'pleroma/develop' into cycles-router-api-routes
2021-05-28 13:51:21 -05:00
Alex Gleason
c23b81e399
Pleroma.Web.get_api_routes/0 --> Pleroma.Web.Router.get_api_routes/0
...
Reduce recompilation time by breaking compile-time cycles
2021-05-28 13:51:01 -05:00
Sean King
2b4f958b2a
Add opting out of Google FLoC to HTTPSecurityPlug headers
2021-04-18 14:00:18 -06:00
Mark Felder
1552179792
Improved recursion through the api route list
2021-02-25 10:07:29 -06:00
Mark Felder
cea31df6a6
Attempt to filter out API calls from FrontendStatic plug
2021-02-24 15:27:53 -06:00
rinpatch
2ab9499258
OAuthScopesPlug: remove transform_scopes in favor of explicit admin scope definitions
...
Transforming scopes is no longer necessary since we are dropping
support for accessing admin api without `admin:` prefix in scopes.
2021-02-17 21:37:23 +03:00
Ivan Tashkinov
df89b5019b
[ #2510 ] Improved support for app-bound OAuth tokens. Auth-related refactoring.
2021-02-11 15:02:50 +03:00
Egor Kislitsyn
793fc77b16
Add active user count
2021-01-27 18:20:06 +04:00
eugenijm
7fcaa188a0
Allow to define custom HTTP headers per each frontend
2021-01-21 21:55:23 +03:00
eugenijm
133644dfa2
Ability to set the Service-Worker-Allowed header
2021-01-21 21:55:11 +03:00
Lain Soykaf
39f3683a06
Pbkdf2: Use it everywhere.
2021-01-14 15:06:16 +01:00
lain
9106048c61
Password: Replace Pbkdf2 with Password.
2021-01-13 15:11:11 +01:00
Haelwenn (lanodan) Monnier
c4439c630f
Bump Copyright to 2021
...
grep -rl '# Copyright © .* Pleroma' * | xargs sed -i 's;Copyright © .* Pleroma .*;Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/ >;'
2021-01-13 07:49:50 +01:00
Mark Felder
86dcfb4eb9
More places we should be using Upload.base_url
2021-01-08 17:32:42 -06:00
Mark Felder
d69c78ceb9
Remove configurability of upload proxy opts, simplify
2021-01-05 15:06:00 -06:00
lain
713612c377
Cachex: Make caching provider switchable at runtime.
...
Defaults to Cachex.
2020-12-18 17:44:46 +01:00