Mikael Nordfeldth
5f7032dfee
Verify that authenticated API calls are made from our domain name.
Evil forms on other websites could otherwise potentially be configured
to have action="https://gnusocial.example/api/statuses/update.json" or
whatever. XHR is already blocked with CORS stuff.
Really, why do browsers allow cross domain POSTs at all? Sigh. The web.
2016-02-22 15:19:10 +01:00
Mikael Nordfeldth
c67b89e56b
Make WebFinger fancyurlfix configurable
2016-02-21 20:05:32 +01:00
Mikael Nordfeldth
ce803f6d06
WebFinger aliases with 'index.php/'
2016-02-21 20:00:07 +01:00
Mikael Nordfeldth
1edb1bbc17
Claim that we are the URL without index.php/ in webfinger response
2016-02-21 19:09:39 +01:00
Mikael Nordfeldth
893d117309
throw new, not just throw
2016-02-21 19:01:37 +01:00
Mikael Nordfeldth
0c17c32267
Let the WebFingerPlugin lookup profile resources with index.php/ too
2016-02-21 18:48:48 +01:00
Mikael Nordfeldth
23e66bef64
common_fake_local_fancy_url to remove index.php/ from a local URL
2016-02-21 18:48:18 +01:00
Mikael Nordfeldth
d16a883e17
Allow lookup of User->getByUri (throws NoResultException)
2016-02-21 18:47:47 +01:00
Mikael Nordfeldth
b23cc7465f
Keep a unique set of WebFingerResource aliases
2016-02-21 18:47:32 +01:00
Mikael Nordfeldth
afbdcf8938
Don't publish mbox_sha1sum in FOAF by default.
We say the email is private data, so reasonably we shouldn't reveal it
indirectly through a hash sum: http://xmlns.com/foaf/spec/#term_mbox_sha1sum
2016-02-19 00:10:05 +01:00
Mikael Nordfeldth
a838c90951
Only show "public:site" in ToSelector if notice/allowprivate is true
2016-02-18 00:33:16 +01:00
Mikael Nordfeldth
f68d1ade3f
Put "Everyone" and "Everyone at [local instance]" at the top of ToSelector
2016-02-18 00:32:09 +01:00
Mikael Nordfeldth
543d968b81
NoAcctUriException->profile not $e directly
2016-02-18 00:13:59 +01:00
Mikael Nordfeldth
a361fdbd77
Sort ToSelector by AcctUri
2016-02-18 00:05:09 +01:00
Mikael Nordfeldth
73dbc5ca1b
Use ToSelector choice again.
2016-02-17 23:44:15 +01:00
Mikael Nordfeldth
d9b649642d
Show notice feed URLs (and author)
2016-02-17 23:32:56 +01:00
Mikael Nordfeldth
d2c11925bf
To-selector padlock only shown if site config notice/allowprivate is true
2016-02-17 23:06:11 +01:00
Mikael Nordfeldth
5fbb01130a
By default, disallow users to set private_stream
2016-02-17 22:58:31 +01:00
Mikael Nordfeldth
47dc15c9f6
Describe that we don't allow empty fullnames.
2016-02-17 22:48:32 +01:00
Mikael Nordfeldth
d6bf90cfb7
If profile fullname is 0 chars use nickname
2016-02-17 22:43:45 +01:00
Mikael Nordfeldth
ade4518ae4
Make the Link header give URI for WebFinger lookup
2016-02-17 22:36:33 +01:00
Mikael Nordfeldth
422d475e44
Differentiate two similar log warning messages
2016-02-17 21:57:52 +01:00
Mikael Nordfeldth
d2507a6266
Gotta declare FullNoticeStream as abstract class
2016-02-16 02:24:38 +01:00
Mikael Nordfeldth
46829c6d3c
FullNoticeStream selects all verbs.
2016-02-16 02:21:39 +01:00
Mikael Nordfeldth
2d1b70c94d
created column was ambigououuuouuus
2016-02-15 09:59:34 +01:00
Mikael Nordfeldth
2301862ae6
We only want POST and SHARE in the inbox/home timeline right?
2016-02-15 09:59:18 +01:00
Mikael Nordfeldth
dcb7ce36d8
Show shares in public timeline
Also, the unselect rule for DELETE was useless anyway since it would
already have been filtered out by not having true.
(the => false stuff are for when you want ALL _except_ that)
2016-02-14 20:53:26 +01:00
Mikael Nordfeldth
e2a090c9cc
Use NoticeStream::filterVerbs for filtering in noticestreams
2016-02-14 20:46:13 +01:00
Mikael Nordfeldth
c23c3a4f53
Might as well put a FILTER_SANITIZE_EMAIL there
Not that I think we could break out of the directory since
we use basename, but you never know... maybe there's a unicode
bug in PHP or something.
2016-02-13 14:06:05 +01:00
Mikael Nordfeldth
4bf26eff4c
socialfy-your-domain updated for webfinger (not tested)
2016-02-13 13:57:15 +01:00
Mikael Nordfeldth
be14e15dac
Hide attachments in notices by silenced profiles
2016-02-13 13:17:39 +01:00
Mikael Nordfeldth
fbcca62ae1
listGet was not meant for that really
2016-02-13 01:19:47 +01:00
Mikael Nordfeldth
8ef2abf30b
Render RegisterThrottle extra profile data properly
2016-02-13 01:16:34 +01:00
Mikael Nordfeldth
799c2e47fe
Don't depend on ModLog
2016-02-13 01:10:01 +01:00
Mikael Nordfeldth
be35975b12
RegisterThrottle list-profiles-by-ip
2016-02-13 01:02:18 +01:00
Mikael Nordfeldth
557ad2d1fd
Show user registration IP to users who can see ModLog
2016-02-13 00:51:43 +01:00
Mikael Nordfeldth
c7c34ec05a
Only administrators can delete other privileged users.
2016-02-12 15:00:18 +01:00
Mikael Nordfeldth
83f679fb57
Profile->isPrivileged() to check if users have more rights than to post etc.
2016-02-12 14:47:49 +01:00
Mikael Nordfeldth
3cef75bcac
Update the comment on silencing privileged users in ModHelper
2016-02-12 14:47:44 +01:00
Mikael Nordfeldth
e5ad98e601
Silence action can only be used on non-privileged users
2016-02-12 14:22:25 +01:00
Mikael Nordfeldth
5dce08d068
Add Profile::ensureCurrent() to verify we _certainly_ got a Profile.
2016-02-12 13:52:48 +01:00
Mikael Nordfeldth
f10625f8bc
file and avatar dirs on instances with no such dirs in filesystem
2016-02-12 02:29:33 +01:00
Mikael Nordfeldth
338df7e35b
Fix Nickname::isSystemPath() work properly for routes
2016-02-12 02:21:11 +01:00
Mikael Nordfeldth
c8753353ed
Do not delete_orphan_files on an instance with Qvitter
2016-02-12 01:45:47 +01:00
Mikael Nordfeldth
913595780f
And LEFT JOIN to actually get all results
2016-02-12 00:05:36 +01:00
Mikael Nordfeldth
1471defff3
...and avoid duplicate results...
2016-02-11 23:38:12 +01:00
Mikael Nordfeldth
05fea4cdc6
Aurhg, and get all the properties, not just id
2016-02-11 22:54:29 +01:00
Mikael Nordfeldth
2198f39597
Haha, it essentially became a NOOP with the last commit
2016-02-11 22:49:45 +01:00
Mikael Nordfeldth
6f2fbd448d
Fixed the delete orphan script to include deleted notices
The file_to_post table sometimes had post_id with values that did not
exist in the notice table.
2016-02-11 22:43:26 +01:00
Mikael Nordfeldth
38a187b93e
Delete orphan files maintenance script
When deleting a profile it'll delete its notices and the coupling to
file entries, but not the file entries themselves (and thus not the
files). So if one were to delete a person uploading offending images, then
the images are left behind and can be hotlinked. This will remove them.
2016-02-11 22:19:56 +01:00