Merge commit '45ba9ada34' into kb_migration_development

2023-05-17 20:06:53 +09:00 · 2023-05-17 20:06:53 +09:00 · 922c936ef1
commit 922c936ef1
parent 644db0adc5 45ba9ada34
26 changed files with 336 additions and 18 deletions
--- a/app/controllers/api/v1/emails/confirmations_controller.rb
+++ b/app/controllers/api/v1/emails/confirmations_controller.rb
@ -1,9 +1,10 @@
 # frozen_string_literal: true

 class Api::V1::Emails::ConfirmationsController < Api::BaseController
-  before_action -> { doorkeeper_authorize! :write, :'write:accounts' }
-  before_action :require_user_owned_by_application!
-  before_action :require_user_not_confirmed!
+  before_action -> { authorize_if_got_token! :read, :'read:accounts' }, only: :check
+  before_action -> { doorkeeper_authorize! :write, :'write:accounts' }, except: :check
+  before_action :require_user_owned_by_application!, except: :check
+  before_action :require_user_not_confirmed!, except: :check

  def create
    current_user.update!(email: params[:email]) if params.key?(:email)
@ -12,6 +13,10 @@ class Api::V1::Emails::ConfirmationsController < Api::BaseController
    render_empty
  end

+  def check
+    render json: current_user.confirmed?
+  end
+
  private

  def require_user_owned_by_application!
--- a/app/controllers/api/v1/statuses/reblogs_controller.rb
+++ b/app/controllers/api/v1/statuses/reblogs_controller.rb
@ -2,6 +2,8 @@

 class Api::V1::Statuses::ReblogsController < Api::BaseController
  include Authorization
+  include Redisable
+  include Lockable

  before_action -> { doorkeeper_authorize! :write, :'write:statuses' }
  before_action :require_user!
@ -10,7 +12,9 @@ class Api::V1::Statuses::ReblogsController < Api::BaseController
  override_rate_limit_headers :create, family: :statuses

  def create
-    @status = ReblogService.new.call(current_account, @reblog, reblog_params)
+    with_redis_lock("reblog:#{current_account.id}:#{@reblog.id}") do
+      @status = ReblogService.new.call(current_account, @reblog, reblog_params)
+    end

    render json: @status, serializer: REST::StatusSerializer
  end
--- a/app/controllers/auth/confirmations_controller.rb
+++ b/app/controllers/auth/confirmations_controller.rb
@ -1,21 +1,63 @@
 # frozen_string_literal: true

 class Auth::ConfirmationsController < Devise::ConfirmationsController
+  include CaptchaConcern
+
  layout 'auth'

  before_action :set_body_classes
+  before_action :set_confirmation_user!, only: [:show, :confirm_captcha]
  before_action :require_unconfirmed!

+  before_action :extend_csp_for_captcha!, only: [:show, :confirm_captcha]
+  before_action :require_captcha_if_needed!, only: [:show]
+
  skip_before_action :require_functional!

+  def show
+    old_session_values = session.to_hash
+    reset_session
+    session.update old_session_values.except('session_id')
+
+    super
+  end
+
  def new
    super

    resource.email = current_user.unconfirmed_email || current_user.email if user_signed_in?
  end

+  def confirm_captcha
+    check_captcha! do |message|
+      flash.now[:alert] = message
+      render :captcha
+      return
+    end
+
+    show
+  end
+
  private

+  def require_captcha_if_needed!
+    render :captcha if captcha_required?
+  end
+
+  def set_confirmation_user!
+    # We need to reimplement looking up the user because
+    # Devise::ConfirmationsController#show looks up and confirms in one
+    # step.
+    confirmation_token = params[:confirmation_token]
+    return if confirmation_token.nil?
+
+    @confirmation_user = User.find_first_by_auth_conditions(confirmation_token: confirmation_token)
+  end
+
+  def captcha_user_bypass?
+    return true if @confirmation_user.nil? || @confirmation_user.confirmed?
+  end
+
  def require_unconfirmed!
    if user_signed_in? && current_user.confirmed? && current_user.unconfirmed_email.blank?
      redirect_to(current_user.approved? ? root_path : edit_user_registration_path)
--- a/app/controllers/concerns/captcha_concern.rb
+++ b/app/controllers/concerns/captcha_concern.rb
@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+module CaptchaConcern
+  extend ActiveSupport::Concern
+  include Hcaptcha::Adapters::ViewMethods
+
+  included do
+    helper_method :render_captcha
+  end
+
+  def captcha_available?
+    ENV['HCAPTCHA_SECRET_KEY'].present? && ENV['HCAPTCHA_SITE_KEY'].present?
+  end
+
+  def captcha_enabled?
+    captcha_available? && Setting.captcha_enabled
+  end
+
+  def captcha_user_bypass?
+    false
+  end
+
+  def captcha_required?
+    captcha_enabled? && !captcha_user_bypass?
+  end
+
+  def check_captcha!
+    return true unless captcha_required?
+
+    if verify_hcaptcha
+      true
+    else
+      if block_given?
+        message = flash[:hcaptcha_error]
+        flash.delete(:hcaptcha_error)
+        yield message
+      end
+      false
+    end
+  end
+
+  def extend_csp_for_captcha!
+    policy = request.content_security_policy
+    return unless captcha_required? && policy.present?
+
+    %w(script_src frame_src style_src connect_src).each do |directive|
+      values = policy.send(directive)
+      values << 'https://hcaptcha.com' unless values.include?('https://hcaptcha.com') || values.include?('https:')
+      values << 'https://*.hcaptcha.com' unless values.include?('https://*.hcaptcha.com') || values.include?('https:')
+      policy.send(directive, *values)
+    end
+  end
+
+  def render_captcha
+    return unless captcha_required?
+
+    hcaptcha_tags
+  end
+end
--- a/app/helpers/admin/settings_helper.rb
+++ b/app/helpers/admin/settings_helper.rb
@ -1,4 +1,7 @@
 # frozen_string_literal: true

 module Admin::SettingsHelper
+  def captcha_available?
+    ENV['HCAPTCHA_SECRET_KEY'].present? && ENV['HCAPTCHA_SITE_KEY'].present?
+  end
 end
--- a/app/javascript/mastodon/components/status_list.jsx
+++ b/app/javascript/mastodon/components/status_list.jsx
@ -26,6 +26,7 @@ export default class StatusList extends ImmutablePureComponent {
    alwaysPrepend: PropTypes.bool,
    withCounters: PropTypes.bool,
    timelineId: PropTypes.string,
+    lastId: PropTypes.string,
  };

  static defaultProps = {
@ -55,7 +56,8 @@ export default class StatusList extends ImmutablePureComponent {
  };

  handleLoadOlder = debounce(() => {
-    this.props.onLoadMore(this.props.statusIds.size > 0 ? this.props.statusIds.last() : undefined);
+    const { statusIds, lastId, onLoadMore } = this.props;
+    onLoadMore(lastId || (statusIds.size > 0 ? statusIds.last() : undefined));
  }, 300, { leading: true });

  _selectChild (index, align_top) {
--- a/app/javascript/mastodon/features/ui/containers/status_list_container.js
+++ b/app/javascript/mastodon/features/ui/containers/status_list_container.js
@ -37,6 +37,7 @@ const makeMapStateToProps = () => {

  const mapStateToProps = (state, { timelineId }) => ({
    statusIds: getStatusIds(state, { type: timelineId }),
+    lastId:    state.getIn(['timelines', timelineId, 'items'])?.last(),
    isLoading: state.getIn(['timelines', timelineId, 'isLoading'], true),
    isPartial: state.getIn(['timelines', timelineId, 'isPartial'], false),
    hasMore:   state.getIn(['timelines', timelineId, 'hasMore']),
--- a/app/javascript/packs/sign_up.js
+++ b/app/javascript/packs/sign_up.js
@ -0,0 +1,15 @@
+import './public-path';
+import ready from '../mastodon/ready';
+import axios from 'axios';
+
+ready(() => {
+  setInterval(() => {
+    axios.get('/api/v1/emails/check_confirmation').then((response) => {
+      if (response.data) {
+        window.location = '/start';
+      }
+    }).catch(error => {
+      console.error(error);
+    });
+  }, 5000);
+});
--- a/app/javascript/styles/mastodon/components.scss
+++ b/app/javascript/styles/mastodon/components.scss
@ -3172,7 +3172,7 @@ $ui-header-height: 55px;

  &.active {
    transition: none;
-    box-shadow: 0 0 0 2px rgba(lighten($highlight-text-color, 8%), 0.7);
+    box-shadow: 0 0 0 6px rgba(lighten($highlight-text-color, 8%), 0.7);
  }
 }

--- a/app/javascript/styles/mastodon/forms.scss
+++ b/app/javascript/styles/mastodon/forms.scss
@ -136,6 +136,10 @@ code {
    line-height: 22px;
    color: $secondary-text-color;
    margin-bottom: 30px;
+
+    a {
+      color: $highlight-text-color;
+    }
  }

  .rules-list {
@ -1039,6 +1043,10 @@ code {
  }
 }

+.simple_form .h-captcha {
+  text-align: center;
+}
+
 .permissions-list {
  &__item {
    padding: 15px;
--- a/app/models/form/account_batch.rb
+++ b/app/models/form/account_batch.rb
@ -123,7 +123,18 @@ class Form::AccountBatch
      account: current_account,
      action: :suspend
    )
+
    Admin::SuspensionWorker.perform_async(account.id)
+
+    # Suspending a single account closes their associated reports, so
+    # mass-suspending would be consistent.
+    Report.where(target_account: account).unresolved.find_each do |report|
+      authorize(report, :update?)
+      log_action(:resolve, report)
+      report.resolve!(current_account)
+    rescue Mastodon::NotPermittedError
+      # This should not happen, but just in case, do not fail early
+    end
  end

  def approve_account(account)
--- a/app/models/form/admin_settings.rb
+++ b/app/models/form/admin_settings.rb
@ -33,6 +33,7 @@ class Form::AdminSettings
    content_cache_retention_period
    backups_retention_period
    status_page_url
+    captcha_enabled
  ).freeze

  INTEGER_KEYS = %i(
@ -52,6 +53,7 @@ class Form::AdminSettings
    trendable_by_default
    noindex
    require_invite_text
+    captcha_enabled
  ).freeze

  UPLOAD_KEYS = %i(
--- a/app/validators/vote_validator.rb
+++ b/app/validators/vote_validator.rb
@ -3,8 +3,8 @@
 class VoteValidator < ActiveModel::Validator
  def validate(vote)
    vote.errors.add(:base, I18n.t('polls.errors.expired')) if vote.poll_expired?
-
    vote.errors.add(:base, I18n.t('polls.errors.invalid_choice')) if invalid_choice?(vote)
+    vote.errors.add(:base, I18n.t('polls.errors.self_vote')) if self_vote?(vote)

    vote.errors.add(:base, I18n.t('polls.errors.already_voted')) if additional_voting_not_allowed?(vote)
  end
@ -27,6 +27,10 @@ class VoteValidator < ActiveModel::Validator
    vote.choice.negative? || vote.choice >= vote.poll.options.size
  end

+  def self_vote?(vote)
+    vote.account_id == vote.poll.account_id
+  end
+
  def already_voted_for_same_choice_on_multiple_poll?(vote)
    if vote.persisted?
      account_votes_on_same_poll(vote).where(choice: vote.choice).where.not(poll_votes: { id: vote }).exists?
--- a/app/views/admin/settings/registrations/show.html.haml
+++ b/app/views/admin/settings/registrations/show.html.haml
@ -20,6 +20,10 @@
    .fields-row__column.fields-row__column-6.fields-group
      = f.input :require_invite_text, as: :boolean, wrapper: :with_label, disabled: !approved_registrations?

+  - if captcha_available?
+    .fields-group
+      = f.input :captcha_enabled, as: :boolean, wrapper: :with_label, label: t('admin.settings.captcha_enabled.title'), hint: t('admin.settings.captcha_enabled.desc_html')
+
  .fields-group
    = f.input :closed_registrations_message, as: :text, wrapper: :with_block_label, input_html: { rows: 2 }

--- a/app/views/auth/confirmations/captcha.html.haml
+++ b/app/views/auth/confirmations/captcha.html.haml
@ -0,0 +1,15 @@
+- content_for :page_title do
+  = t('auth.captcha_confirmation.title')
+
+= form_tag auth_captcha_confirmation_url, method: 'POST', class: 'simple_form' do
+  = render 'auth/shared/progress', stage: 'confirm'
+
+  = hidden_field_tag :confirmation_token, params[:confirmation_token]
+
+  %p.lead= t('auth.captcha_confirmation.hint_html')
+
+  .field-group
+    = render_captcha
+
+  .actions
+    %button.button= t('challenge.confirm')
--- a/app/views/auth/setup/show.html.haml
+++ b/app/views/auth/setup/show.html.haml
@ -1,6 +1,8 @@
 - content_for :page_title do
  = t('auth.setup.title')

+= javascript_pack_tag 'sign_up', crossorigin: 'anonymous'
+
 = simple_form_for(@user, url: auth_setup_path) do |f|
  = render 'auth/shared/progress', stage: 'confirm'