Merge remote-tracking branch 'parent/main' into upstream-20231116

app/controllers/api/v1/accounts_controller.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 class Api::V1::AccountsController < Api::BaseController
+  include RegistrationHelper
+
   before_action -> { authorize_if_got_token! :read, :'read:accounts' }, except: [:create, :follow, :unfollow, :remove_from_followers, :block, :unblock, :mute, :unmute]
   before_action -> { doorkeeper_authorize! :follow, :write, :'write:follows' }, only: [:follow, :unfollow, :remove_from_followers]
   before_action -> { doorkeeper_authorize! :follow, :write, :'write:mutes' }, only: [:mute, :unmute]
@@ -90,18 +92,14 @@ class Api::V1::AccountsController < Api::BaseController
   end
 
   def account_params
-    params.permit(:username, :email, :password, :agreement, :locale, :reason, :time_zone)
+    params.permit(:username, :email, :password, :agreement, :locale, :reason, :time_zone, :invite_code)
+  end
+
+  def invite
+    Invite.find_by(code: params[:invite_code]) if params[:invite_code].present?
   end
 
   def check_enabled_registrations
-    forbidden if single_user_mode? || omniauth_only? || !allowed_registrations?
-  end
-
-  def allowed_registrations?
-    Setting.registrations_mode != 'none'
-  end
-
-  def omniauth_only?
-    ENV['OMNIAUTH_ONLY'] == 'true'
+    forbidden unless allowed_registration?(request.remote_ip, invite)
   end
 end

app/controllers/api/v1/conversations_controller.rb

@@ -41,10 +41,10 @@ class Api::V1::ConversationsController < Api::BaseController
                          account: :account_stat,
                          last_status: [
                            :media_attachments,
-                           :preview_cards,
                            :status_stat,
                            :tags,
                            {
+                             preview_cards_status: :preview_card,
                              active_mentions: [account: :account_stat],
                              account: :account_stat,
                            },

app/controllers/api/v1/invites_controller.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+class Api::V1::InvitesController < Api::BaseController
+  include RegistrationHelper
+
+  skip_before_action :require_authenticated_user!
+  skip_around_action :set_locale
+
+  before_action :set_invite
+  before_action :check_enabled_registrations!
+
+  # Override `current_user` to avoid reading session cookies
+  def current_user; end
+
+  def show
+    render json: { invite_code: params[:invite_code], instance_api_url: api_v2_instance_url }, status: 200
+  end
+
+  private
+
+  def set_invite
+    @invite = Invite.find_by!(code: params[:invite_code])
+  end
+
+  def check_enabled_registrations!
+    return render json: { error: I18n.t('invites.invalid') }, status: 401 unless @invite.valid_for_use?
+
+    raise Mastodon::NotPermittedError unless allowed_registration?(request.remote_ip, @invite)
+  end
+end

app/controllers/api/v1/statuses/base_controller.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+class Api::V1::Statuses::BaseController < Api::BaseController
+  include Authorization
+
+  before_action :set_status
+
+  private
+
+  def set_status
+    @status = Status.find(params[:status_id])
+    authorize @status, :show?
+  rescue Mastodon::NotPermittedError
+    not_found
+  end
+end

app/controllers/api/v1/statuses/bookmarks_controller.rb

@@ -1,11 +1,9 @@
 # frozen_string_literal: true
 
-class Api::V1::Statuses::BookmarksController < Api::BaseController
-  include Authorization
-
+class Api::V1::Statuses::BookmarksController < Api::V1::Statuses::BaseController
   before_action -> { doorkeeper_authorize! :write, :'write:bookmarks' }
   before_action :require_user!
-  before_action :set_status, only: [:create]
+  skip_before_action :set_status, only: [:destroy]
 
   def create
     current_account.bookmarks.find_or_create_by!(account: current_account, status: @status)
@@ -28,13 +26,4 @@ class Api::V1::Statuses::BookmarksController < Api::BaseController
   rescue Mastodon::NotPermittedError
     not_found
   end
-
-  private
-
-  def set_status
-    @status = Status.find(params[:status_id])
-    authorize @status, :show?
-  rescue Mastodon::NotPermittedError
-    not_found
-  end
 end

app/controllers/api/v1/statuses/favourited_by_accounts_controller.rb

@@ -1,10 +1,7 @@
 # frozen_string_literal: true
 
-class Api::V1::Statuses::FavouritedByAccountsController < Api::BaseController
-  include Authorization
-
+class Api::V1::Statuses::FavouritedByAccountsController < Api::V1::Statuses::BaseController
   before_action -> { authorize_if_got_token! :read, :'read:accounts' }
-  before_action :set_status
   after_action :insert_pagination_headers
 
   def index
@@ -61,13 +58,6 @@ class Api::V1::Statuses::FavouritedByAccountsController < Api::BaseController
     @accounts.size == limit_param(DEFAULT_ACCOUNTS_LIMIT)
   end
 
-  def set_status
-    @status = Status.find(params[:status_id])
-    authorize @status, :show?
-  rescue Mastodon::NotPermittedError
-    not_found
-  end
-
   def pagination_params(core_params)
     params.slice(:limit).permit(:limit).merge(core_params)
   end

app/controllers/api/v1/statuses/favourites_controller.rb

@@ -1,11 +1,9 @@
 # frozen_string_literal: true
 
-class Api::V1::Statuses::FavouritesController < Api::BaseController
-  include Authorization
-
+class Api::V1::Statuses::FavouritesController < Api::V1::Statuses::BaseController
   before_action -> { doorkeeper_authorize! :write, :'write:favourites' }
   before_action :require_user!
-  before_action :set_status, only: [:create]
+  skip_before_action :set_status, only: [:destroy]
 
   def create
     FavouriteService.new.call(current_account, @status)
@@ -30,13 +28,4 @@ class Api::V1::Statuses::FavouritesController < Api::BaseController
   rescue Mastodon::NotPermittedError
     not_found
   end
-
-  private
-
-  def set_status
-    @status = Status.find(params[:status_id])
-    authorize @status, :show?
-  rescue Mastodon::NotPermittedError
-    not_found
-  end
 end

app/controllers/api/v1/statuses/histories_controller.rb

@@ -1,10 +1,7 @@
 # frozen_string_literal: true
 
-class Api::V1::Statuses::HistoriesController < Api::BaseController
-  include Authorization
-
+class Api::V1::Statuses::HistoriesController < Api::V1::Statuses::BaseController
   before_action -> { authorize_if_got_token! :read, :'read:statuses' }
-  before_action :set_status
 
   def show
     cache_if_unauthenticated!
@@ -16,11 +13,4 @@ class Api::V1::Statuses::HistoriesController < Api::BaseController
   def status_edits
     @status.edits.includes(:account, status: [:account]).to_a.presence || [@status.build_snapshot(at_time: @status.edited_at || @status.created_at)]
   end
-
-  def set_status
-    @status = Status.find(params[:status_id])
-    authorize @status, :show?
-  rescue Mastodon::NotPermittedError
-    not_found
-  end
 end

app/controllers/api/v1/statuses/mutes_controller.rb

@@ -1,11 +1,8 @@
 # frozen_string_literal: true
 
-class Api::V1::Statuses::MutesController < Api::BaseController
-  include Authorization
-
+class Api::V1::Statuses::MutesController < Api::V1::Statuses::BaseController
   before_action -> { doorkeeper_authorize! :write, :'write:mutes' }
   before_action :require_user!
-  before_action :set_status
   before_action :set_conversation
 
   def create
@@ -24,13 +21,6 @@ class Api::V1::Statuses::MutesController < Api::BaseController
 
   private
 
-  def set_status
-    @status = Status.find(params[:status_id])
-    authorize @status, :show?
-  rescue Mastodon::NotPermittedError
-    not_found
-  end
-
   def set_conversation
     @conversation = @status.conversation
     raise Mastodon::ValidationError if @conversation.nil?

app/controllers/api/v1/statuses/pins_controller.rb

@@ -1,11 +1,8 @@
 # frozen_string_literal: true
 
-class Api::V1::Statuses::PinsController < Api::BaseController
-  include Authorization
-
+class Api::V1::Statuses::PinsController < Api::V1::Statuses::BaseController
   before_action -> { doorkeeper_authorize! :write, :'write:accounts' }
   before_action :require_user!
-  before_action :set_status
 
   def create
     StatusPin.create!(account: current_account, status: @status)
@@ -26,10 +23,6 @@ class Api::V1::Statuses::PinsController < Api::BaseController
 
   private
 
-  def set_status
-    @status = Status.find(params[:status_id])
-  end
-
   def distribute_add_activity!
     json = ActiveModelSerializers::SerializableResource.new(
       @status,

app/controllers/api/v1/statuses/reblogged_by_accounts_controller.rb

@@ -1,10 +1,7 @@
 # frozen_string_literal: true
 
-class Api::V1::Statuses::RebloggedByAccountsController < Api::BaseController
-  include Authorization
-
+class Api::V1::Statuses::RebloggedByAccountsController < Api::V1::Statuses::BaseController
   before_action -> { authorize_if_got_token! :read, :'read:accounts' }
-  before_action :set_status
   after_action :insert_pagination_headers
 
   def index
@@ -57,13 +54,6 @@ class Api::V1::Statuses::RebloggedByAccountsController < Api::BaseController
     @accounts.size == limit_param(DEFAULT_ACCOUNTS_LIMIT)
   end
 
-  def set_status
-    @status = Status.find(params[:status_id])
-    authorize @status, :show?
-  rescue Mastodon::NotPermittedError
-    not_found
-  end
-
   def pagination_params(core_params)
     params.slice(:limit).permit(:limit).merge(core_params)
   end

app/controllers/api/v1/statuses/reblogs_controller.rb

@@ -1,13 +1,13 @@
 # frozen_string_literal: true
 
-class Api::V1::Statuses::ReblogsController < Api::BaseController
-  include Authorization
+class Api::V1::Statuses::ReblogsController < Api::V1::Statuses::BaseController
   include Redisable
   include Lockable
 
   before_action -> { doorkeeper_authorize! :write, :'write:statuses' }
   before_action :require_user!
   before_action :set_reblog, only: [:create]
+  skip_before_action :set_status
 
   override_rate_limit_headers :create, family: :statuses
 

app/controllers/api/v1/statuses/sources_controller.rb

@@ -1,21 +1,9 @@
 # frozen_string_literal: true
 
-class Api::V1::Statuses::SourcesController < Api::BaseController
-  include Authorization
-
+class Api::V1::Statuses::SourcesController < Api::V1::Statuses::BaseController
   before_action -> { doorkeeper_authorize! :read, :'read:statuses' }
-  before_action :set_status
 
   def show
     render json: @status, serializer: REST::StatusSourceSerializer
   end
-
-  private
-
-  def set_status
-    @status = Status.find(params[:status_id])
-    authorize @status, :show?
-  rescue Mastodon::NotPermittedError
-    not_found
-  end
 end

app/controllers/api/v1/statuses/translations_controller.rb

@@ -1,10 +1,7 @@
 # frozen_string_literal: true
 
-class Api::V1::Statuses::TranslationsController < Api::BaseController
-  include Authorization
-
+class Api::V1::Statuses::TranslationsController < Api::V1::Statuses::BaseController
   before_action -> { doorkeeper_authorize! :read, :'read:statuses' }
-  before_action :set_status
   before_action :set_translation
 
   rescue_from TranslationService::NotConfiguredError, with: :not_found
@@ -24,13 +21,6 @@ class Api::V1::Statuses::TranslationsController < Api::BaseController
 
   private
 
-  def set_status
-    @status = Status.find(params[:status_id])
-    authorize @status, :show?
-  rescue Mastodon::NotPermittedError
-    not_found
-  end
-
   def set_translation
     @translation = TranslateStatusService.new.call(@status, content_locale)
   end