Merge branch 'hometown-dev' into hometown-dev-max-chars-patch

2020-06-30 21:11:37 -07:00
parent 6bd0dadcfd 6fd1e464a5
commit 7c5f812c92
2110 changed files with 48360 additions and 15273 deletions
--- a/app/chewy/statuses_index.rb
+++ b/app/chewy/statuses_index.rb
@ -47,6 +47,11 @@ class StatusesIndex < Chewy::Index
      data.each.with_object({}) { |(id, name), result| (result[id] ||= []).push(name) }
    end

+    crutch :bookmarks do |collection|
+      data = ::Bookmark.where(status_id: collection.map(&:id)).where(account: Account.local).pluck(:status_id, :account_id)
+      data.each.with_object({}) { |(id, name), result| (result[id] ||= []).push(name) }
+    end
+
    root date_detection: false do
      field :id, type: 'long'
      field :account_id, type: 'long'
--- a/app/controllers/account_follow_controller.rb
+++ b/app/controllers/account_follow_controller.rb
@ -6,7 +6,7 @@ class AccountFollowController < ApplicationController
  before_action :authenticate_user!

  def create
-    FollowService.new.call(current_user.account, @account.acct)
+    FollowService.new.call(current_user.account, @account, with_rate_limit: true)
    redirect_to account_path(@account)
  end
 end
--- a/app/controllers/accounts_controller.rb
+++ b/app/controllers/accounts_controller.rb
@ -9,7 +9,7 @@ class AccountsController < ApplicationController
  before_action :set_cache_headers
  before_action :set_body_classes

-  skip_around_action :set_locale, if: -> { [:json, :rss].include?(request.format) }
+  skip_around_action :set_locale, if: -> { [:json, :rss].include?(request.format&.to_sym) }
  skip_before_action :require_functional!

  def show
@ -26,8 +26,12 @@ class AccountsController < ApplicationController
          return
        end

-        @pinned_statuses = cache_collection(@account.pinned_statuses, Status) if show_pinned_statuses?
-        @statuses        = filtered_status_page(params)
+        if current_user.nil?
+          @pinned_statuses = cache_collection(@account.pinned_statuses.without_local_only, Status) if show_pinned_statuses?
+        else
+          @pinned_statuses = cache_collection(@account.pinned_statuses, Status) if show_pinned_statuses?
+        end
+        @statuses        = filtered_status_page
        @statuses        = cache_collection(@statuses, Status)
        @rss_url         = rss_url

@ -40,7 +44,7 @@ class AccountsController < ApplicationController
      format.rss do
        expires_in 1.minute, public: true

-        @statuses = filtered_statuses.without_local_only.without_reblogs.without_replies.limit(PAGE_SIZE)
+        @statuses = filtered_statuses.without_reblogs.without_local_only.limit(PAGE_SIZE)
        @statuses = cache_collection(@statuses, Status)
        render xml: RSS::AccountSerializer.render(@account, @statuses, params[:tag])
      end
@ -133,23 +137,23 @@ class AccountsController < ApplicationController
  end

  def media_requested?
-    request.path.ends_with?('/media') && !tag_requested?
+    request.path.split('.').first.ends_with?('/media') && !tag_requested?
  end

  def replies_requested?
-    request.path.ends_with?('/with_replies') && !tag_requested?
+    request.path.split('.').first.ends_with?('/with_replies') && !tag_requested?
  end

  def tag_requested?
    request.path.split('.').first.ends_with?(Addressable::URI.parse("/tagged/#{params[:tag]}").normalize)
  end

-  def filtered_status_page(params)
-    if params[:min_id].present?
-      filtered_statuses.paginate_by_min_id(PAGE_SIZE, params[:min_id]).reverse
-    else
-      filtered_statuses.paginate_by_max_id(PAGE_SIZE, params[:max_id], params[:since_id]).to_a
-    end
+  def filtered_status_page
+    filtered_statuses.paginate_by_id(PAGE_SIZE, params_slice(:max_id, :min_id, :since_id))
+  end
+
+  def params_slice(*keys)
+    params.slice(*keys).permit(*keys)
  end

  def restrict_fields_to
--- a/app/controllers/activitypub/collections_controller.rb
+++ b/app/controllers/activitypub/collections_controller.rb
@ -24,20 +24,23 @@ class ActivityPub::CollectionsController < ActivityPub::BaseController
  def set_size
    case params[:id]
    when 'featured'
-      @account.pinned_statuses.count
+      @size = @account.pinned_statuses.count
    else
-      raise ActiveRecord::RecordNotFound
+      not_found
    end
  end

  def scope_for_collection
    case params[:id]
    when 'featured'
-      return Status.none if @account.blocking?(signed_request_account)
-
-      @account.pinned_statuses
-    else
-      raise ActiveRecord::RecordNotFound
+      # Because in public fetch mode we cache the response, there would be no
+      # benefit from performing the check below, since a blocked account or domain
+      # would likely be served the cache from the reverse proxy anyway
+      if authorized_fetch_mode? && !signed_request_account.nil? && (@account.blocking?(signed_request_account) || (!signed_request_account.domain.nil? && @account.domain_blocking?(signed_request_account.domain)))
+        Status.none
+      else
+        @account.pinned_statuses
+      end
    end
  end

--- a/app/controllers/activitypub/inboxes_controller.rb
+++ b/app/controllers/activitypub/inboxes_controller.rb
@ -7,6 +7,7 @@ class ActivityPub::InboxesController < ActivityPub::BaseController

  before_action :skip_unknown_actor_delete
  before_action :require_signature!
+  skip_before_action :authenticate_user!

  def create
    upgrade_account
@ -48,7 +49,7 @@ class ActivityPub::InboxesController < ActivityPub::BaseController
      ResolveAccountWorker.perform_async(signed_request_account.acct)
    end

-    DeliveryFailureTracker.track_inverse_success!(signed_request_account)
+    DeliveryFailureTracker.reset!(signed_request_account.inbox_url)
  end

  def process_payload
--- a/app/controllers/activitypub/outboxes_controller.rb
+++ b/app/controllers/activitypub/outboxes_controller.rb
@ -11,7 +11,7 @@ class ActivityPub::OutboxesController < ActivityPub::BaseController
  before_action :set_cache_headers

  def show
-    expires_in(page_requested? ? 0 : 3.minutes, public: public_fetch_mode?)
+    expires_in(page_requested? ? 0 : 3.minutes, public: public_fetch_mode? && !(signed_request_account.present? && page_requested?))
    render json: outbox_presenter, serializer: ActivityPub::OutboxSerializer, adapter: ActivityPub::Adapter, content_type: 'application/activity+json'
  end

@ -50,12 +50,12 @@ class ActivityPub::OutboxesController < ActivityPub::BaseController
    return unless page_requested?

    @statuses = @account.statuses.permitted_for(@account, signed_request_account)
-    @statuses = params[:min_id].present? ? @statuses.paginate_by_min_id(LIMIT, params[:min_id]).reverse : @statuses.paginate_by_max_id(LIMIT, params[:max_id])
+    @statuses = @statuses.paginate_by_id(LIMIT, params_slice(:max_id, :min_id, :since_id))
    @statuses = cache_collection(@statuses, Status)
  end

  def page_requested?
-    params[:page] == 'true'
+    truthy_param?(:page)
  end

  def page_params
--- a/app/controllers/activitypub/replies_controller.rb
+++ b/app/controllers/activitypub/replies_controller.rb
@ -1,7 +1,7 @@
 # frozen_string_literal: true

 class ActivityPub::RepliesController < ActivityPub::BaseController
-  include SignatureAuthentication
+  include SignatureVerification
  include Authorization
  include AccountOwnedConcern

@ -19,15 +19,19 @@ class ActivityPub::RepliesController < ActivityPub::BaseController

  private

+  def pundit_user
+    signed_request_account
+  end
+
  def set_status
    @status = @account.statuses.find(params[:status_id])
    authorize @status, :show?
  rescue Mastodon::NotPermittedError
-    raise ActiveRecord::RecordNotFound
+    not_found
  end

  def set_replies
-    @replies = page_params[:only_other_accounts] ? Status.where.not(account_id: @account.id) : @account.statuses
+    @replies = only_other_accounts? ? Status.where.not(account_id: @account.id) : @account.statuses
    @replies = @replies.where(in_reply_to_id: @status.id, visibility: [:public, :unlisted])
    @replies = @replies.paginate_by_min_id(DESCENDANTS_LIMIT, params[:min_id])
  end
@ -38,7 +42,7 @@ class ActivityPub::RepliesController < ActivityPub::BaseController
      type: :unordered,
      part_of: account_status_replies_url(@account, @status),
      next: next_page,
-      items: @replies.map { |status| status.local ? status : status.uri }
+      items: @replies.map { |status| status.local? ? status : status.uri }
    )

    return page if page_requested?
@ -51,16 +55,21 @@ class ActivityPub::RepliesController < ActivityPub::BaseController
  end

  def page_requested?
-    params[:page] == 'true'
+    truthy_param?(:page)
+  end
+
+  def only_other_accounts?
+    truthy_param?(:only_other_accounts)
  end

  def next_page
    only_other_accounts = !(@replies&.last&.account_id == @account.id && @replies.size == DESCENDANTS_LIMIT)
+
    account_status_replies_url(
      @account,
      @status,
      page: true,
-      min_id: only_other_accounts && !page_params[:only_other_accounts] ? nil : @replies&.last&.id,
+      min_id: only_other_accounts && !only_other_accounts? ? nil : @replies&.last&.id,
      only_other_accounts: only_other_accounts
    )
  end
--- a/app/controllers/admin/accounts_controller.rb
+++ b/app/controllers/admin/accounts_controller.rb
@ -109,21 +109,7 @@ module Admin
    end

    def filter_params
-      params.permit(
-        :local,
-        :remote,
-        :by_domain,
-        :active,
-        :pending,
-        :disabled,
-        :silenced,
-        :suspended,
-        :username,
-        :display_name,
-        :email,
-        :ip,
-        :staff
-      )
+      params.slice(*AccountFilter::KEYS).permit(*AccountFilter::KEYS)
    end
  end
 end
--- a/app/controllers/admin/action_logs_controller.rb
+++ b/app/controllers/admin/action_logs_controller.rb
@ -2,8 +2,18 @@

 module Admin
  class ActionLogsController < BaseController
-    def index
-      @action_logs = Admin::ActionLog.page(params[:page])
+    before_action :set_action_logs
+
+    def index; end
+
+    private
+
+    def set_action_logs
+      @action_logs = Admin::ActionLogFilter.new(filter_params).results.page(params[:page])
+    end
+
+    def filter_params
+      params.slice(:page, *Admin::ActionLogFilter::KEYS).permit(:page, *Admin::ActionLogFilter::KEYS)
    end
  end
 end
--- a/app/controllers/admin/announcements_controller.rb
+++ b/app/controllers/admin/announcements_controller.rb
@ -0,0 +1,88 @@
+# frozen_string_literal: true
+
+class Admin::AnnouncementsController < Admin::BaseController
+  before_action :set_announcements, only: :index
+  before_action :set_announcement, except: [:index, :new, :create]
+
+  def index
+    authorize :announcement, :index?
+  end
+
+  def new
+    authorize :announcement, :create?
+
+    @announcement = Announcement.new
+  end
+
+  def create
+    authorize :announcement, :create?
+
+    @announcement = Announcement.new(resource_params)
+
+    if @announcement.save
+      PublishScheduledAnnouncementWorker.perform_async(@announcement.id) if @announcement.published?
+      log_action :create, @announcement
+      redirect_to admin_announcements_path, notice: @announcement.published? ? I18n.t('admin.announcements.published_msg') : I18n.t('admin.announcements.scheduled_msg')
+    else
+      render :new
+    end
+  end
+
+  def edit
+    authorize :announcement, :update?
+  end
+
+  def update
+    authorize :announcement, :update?
+
+    if @announcement.update(resource_params)
+      PublishScheduledAnnouncementWorker.perform_async(@announcement.id) if @announcement.published?
+      log_action :update, @announcement
+      redirect_to admin_announcements_path, notice: I18n.t('admin.announcements.updated_msg')
+    else
+      render :edit
+    end
+  end
+
+  def publish
+    authorize :announcement, :update?
+    @announcement.publish!
+    PublishScheduledAnnouncementWorker.perform_async(@announcement.id)
+    log_action :update, @announcement
+    redirect_to admin_announcements_path, notice: I18n.t('admin.announcements.published_msg')
+  end
+
+  def unpublish
+    authorize :announcement, :update?
+    @announcement.unpublish!
+    UnpublishAnnouncementWorker.perform_async(@announcement.id)
+    log_action :update, @announcement
+    redirect_to admin_announcements_path, notice: I18n.t('admin.announcements.unpublished_msg')
+  end
+
+  def destroy
+    authorize :announcement, :destroy?
+    @announcement.destroy!
+    UnpublishAnnouncementWorker.perform_async(@announcement.id) if @announcement.published?
+    log_action :destroy, @announcement
+    redirect_to admin_announcements_path, notice: I18n.t('admin.announcements.destroyed_msg')
+  end
+
+  private
+
+  def set_announcements
+    @announcements = AnnouncementFilter.new(filter_params).results.page(params[:page])
+  end
+
+  def set_announcement
+    @announcement = Announcement.find(params[:id])
+  end
+
+  def filter_params
+    params.slice(*AnnouncementFilter::KEYS).permit(*AnnouncementFilter::KEYS)
+  end
+
+  def resource_params
+    params.require(:announcement).permit(:text, :scheduled_at, :starts_at, :ends_at, :all_day)
+  end
+end
--- a/app/controllers/admin/custom_emojis_controller.rb
+++ b/app/controllers/admin/custom_emojis_controller.rb
@ -2,10 +2,6 @@

 module Admin
  class CustomEmojisController < BaseController
-    include ObfuscateFilename
-
-    obfuscate_filename [:custom_emoji, :image]
-
    def index
      authorize :custom_emoji, :index?

@ -52,7 +48,7 @@ module Admin
    end

    def filter_params
-      params.slice(:local, :remote, :by_domain, :shortcode, :page).permit(:local, :remote, :by_domain, :shortcode, :page)
+      params.slice(:page, *CustomEmojiFilter::KEYS).permit(:page, *CustomEmojiFilter::KEYS)
    end

    def action_from_button
--- a/app/controllers/admin/email_domain_blocks_controller.rb
+++ b/app/controllers/admin/email_domain_blocks_controller.rb
@ -6,12 +6,12 @@ module Admin

    def index
      authorize :email_domain_block, :index?
-      @email_domain_blocks = EmailDomainBlock.page(params[:page])
+      @email_domain_blocks = EmailDomainBlock.where(parent_id: nil).includes(:children).order(id: :desc).page(params[:page])
    end

    def new
      authorize :email_domain_block, :create?
-      @email_domain_block = EmailDomainBlock.new
+      @email_domain_block = EmailDomainBlock.new(domain: params[:_domain])
    end

    def create
@ -21,6 +21,28 @@ module Admin

      if @email_domain_block.save
        log_action :create, @email_domain_block
+
+        if @email_domain_block.with_dns_records?
+          hostnames = []
+          ips       = []
+
+          Resolv::DNS.open do |dns|
+            dns.timeouts = 1
+
+            hostnames = dns.getresources(@email_domain_block.domain, Resolv::DNS::Resource::IN::MX).to_a.map { |e| e.exchange.to_s }
+
+            ([@email_domain_block.domain] + hostnames).uniq.each do |hostname|
+              ips.concat(dns.getresources(hostname, Resolv::DNS::Resource::IN::A).to_a.map { |e| e.address.to_s })
+              ips.concat(dns.getresources(hostname, Resolv::DNS::Resource::IN::AAAA).to_a.map { |e| e.address.to_s })
+            end
+          end
+
+          (hostnames + ips).each do |hostname|
+            another_email_domain_block = EmailDomainBlock.new(domain: hostname, parent: @email_domain_block)
+            log_action :create, another_email_domain_block if another_email_domain_block.save
+          end
+        end
+
        redirect_to admin_email_domain_blocks_path, notice: I18n.t('admin.email_domain_blocks.created_msg')
      else
        render :new
@ -41,7 +63,7 @@ module Admin
    end

    def resource_params
-      params.require(:email_domain_block).permit(:domain)
+      params.require(:email_domain_block).permit(:domain, :with_dns_records)
    end
  end
 end
--- a/app/controllers/admin/followers_controller.rb
+++ b/app/controllers/admin/followers_controller.rb
@ -1,18 +0,0 @@
-# frozen_string_literal: true
-
-module Admin
-  class FollowersController < BaseController
-    before_action :set_account
-
-    PER_PAGE = 40
-
-    def index
-      authorize :account, :index?
-      @followers = @account.followers.local.recent.page(params[:page]).per(PER_PAGE)
-    end
-
-    def set_account
-      @account = Account.find(params[:account_id])
-    end
-  end
-end
--- a/app/controllers/admin/instances_controller.rb
+++ b/app/controllers/admin/instances_controller.rb
@ -19,7 +19,7 @@ module Admin
      @followers_count = Follow.where(target_account: Account.where(domain: params[:id])).count
      @reports_count   = Report.where(target_account: Account.where(domain: params[:id])).count
      @blocks_count    = Block.where(target_account: Account.where(domain: params[:id])).count
-      @available       = DeliveryFailureTracker.available?(Account.select(:shared_inbox_url).where(domain: params[:id]).first&.shared_inbox_url)
+      @available       = DeliveryFailureTracker.available?(params[:id])
      @media_storage   = MediaAttachment.where(account: Account.where(domain: params[:id])).sum(:file_file_size)
      @private_comment = @domain_block&.private_comment
      @public_comment  = @domain_block&.public_comment
@ -62,7 +62,7 @@ module Admin
    end

    def filter_params
-      params.permit(:limited, :by_domain)
+      params.slice(*InstanceFilter::KEYS).permit(*InstanceFilter::KEYS)
    end
  end
 end
--- a/app/controllers/admin/invites_controller.rb
+++ b/app/controllers/admin/invites_controller.rb
@ -47,7 +47,7 @@ module Admin
    end

    def filter_params
-      params.permit(:available, :expired)
+      params.slice(*InviteFilter::KEYS).permit(*InviteFilter::KEYS)
    end
  end
 end
--- a/app/controllers/admin/relationships_controller.rb
+++ b/app/controllers/admin/relationships_controller.rb
@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module Admin
+  class RelationshipsController < BaseController
+    before_action :set_account
+
+    PER_PAGE = 40
+
+    def index
+      authorize :account, :index?
+
+      @accounts = RelationshipFilter.new(@account, filter_params).results.page(params[:page]).per(PER_PAGE)
+    end
+
+    private
+
+    def set_account
+      @account = Account.find(params[:account_id])
+    end
+
+    def filter_params
+      params.slice(*RelationshipFilter::KEYS).permit(*RelationshipFilter::KEYS)
+    end
+  end
+end
--- a/app/controllers/admin/reports_controller.rb
+++ b/app/controllers/admin/reports_controller.rb
@ -52,11 +52,7 @@ module Admin
    end

    def filter_params
-      params.permit(
-        :account_id,
-        :resolved,
-        :target_account_id
-      )
+      params.slice(*ReportFilter::KEYS).permit(*ReportFilter::KEYS)
    end

    def set_report
--- a/app/controllers/admin/site_uploads_controller.rb
+++ b/app/controllers/admin/site_uploads_controller.rb
@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Admin
+  class SiteUploadsController < BaseController
+    before_action :set_site_upload
+
+    def destroy
+      authorize :settings, :destroy?
+
+      @site_upload.destroy!
+
+      redirect_to edit_admin_settings_path, notice: I18n.t('admin.site_uploads.destroyed_msg')
+    end
+
+    private
+
+    def set_site_upload
+      @site_upload = SiteUpload.find(params[:id])
+    end
+  end
+end
--- a/app/controllers/admin/tags_controller.rb
+++ b/app/controllers/admin/tags_controller.rb
@ -73,7 +73,7 @@ module Admin
    end

    def filter_params
-      params.slice(:directory, :reviewed, :unreviewed, :pending_review, :page, :popular, :active, :name).permit(:directory, :reviewed, :unreviewed, :pending_review, :page, :popular, :active, :name)
+      params.slice(:page, *TagFilter::KEYS).permit(:page, *TagFilter::KEYS)
    end

    def tag_params
--- a/app/controllers/admin/warning_presets_controller.rb
+++ b/app/controllers/admin/warning_presets_controller.rb
@ -7,7 +7,7 @@ module Admin
    def index
      authorize :account_warning_preset, :index?

-      @warning_presets = AccountWarningPreset.all
+      @warning_presets = AccountWarningPreset.alphabetic
      @warning_preset  = AccountWarningPreset.new
    end

@ -19,7 +19,7 @@ module Admin
      if @warning_preset.save
        redirect_to admin_warning_presets_path
      else
-        @warning_presets = AccountWarningPreset.all
+        @warning_presets = AccountWarningPreset.alphabetic
        render :index
      end
    end
@ -52,7 +52,7 @@ module Admin
    end

    def warning_preset_params
-      params.require(:account_warning_preset).permit(:text)
+      params.require(:account_warning_preset).permit(:title, :text)
    end
  end
 end
--- a/app/controllers/api/base_controller.rb
+++ b/app/controllers/api/base_controller.rb
@ -20,6 +20,10 @@ class Api::BaseController < ApplicationController
    render json: { error: e.to_s }, status: 422
  end

+  rescue_from ActiveRecord::RecordNotUnique do
+    render json: { error: 'Duplicate record' }, status: 422
+  end
+
  rescue_from ActiveRecord::RecordNotFound do
    render json: { error: 'Record not found' }, status: 404
  end
@ -40,6 +44,10 @@ class Api::BaseController < ApplicationController
    render json: { error: 'There was a temporary problem serving your request, please try again' }, status: 503
  end

+  rescue_from Mastodon::RateLimitExceededError do
+    render json: { error: I18n.t('errors.429') }, status: 429
+  end
+
  rescue_from ActionController::ParameterMissing do |e|
    render json: { error: e.to_s }, status: 400
  end
@ -81,7 +89,7 @@ class Api::BaseController < ApplicationController
  end

  def require_authenticated_user!
-    render json: { error: 'This API requires an authenticated user' }, status: 401 unless current_user
+    render json: { error: 'This method requires an authenticated user' }, status: 401 unless current_user
  end

  def require_user!
--- a/app/controllers/api/oembed_controller.rb
+++ b/app/controllers/api/oembed_controller.rb
@ -1,15 +1,25 @@
 # frozen_string_literal: true

 class Api::OEmbedController < Api::BaseController
-  respond_to :json
+  skip_before_action :require_authenticated_user!
+
+  before_action :set_status
+  before_action :require_public_status!

  def show
-    @status = status_finder.status
    render json: @status, serializer: OEmbedSerializer, width: maxwidth_or_default, height: maxheight_or_default
  end

  private

+  def set_status
+    @status = status_finder.status
+  end
+
+  def require_public_status!
+    not_found if @status.hidden?
+  end
+
  def status_finder
    StatusFinder.new(params[:url])
  end
--- a/app/controllers/api/proofs_controller.rb
+++ b/app/controllers/api/proofs_controller.rb
@ -3,6 +3,8 @@
 class Api::ProofsController < Api::BaseController
  include AccountOwnedConcern

+  skip_before_action :require_authenticated_user!
+
  before_action :set_provider

  def index
--- a/app/controllers/api/v1/accounts/credentials_controller.rb
+++ b/app/controllers/api/v1/accounts/credentials_controller.rb
@ -25,7 +25,7 @@ class Api::V1::Accounts::CredentialsController < Api::BaseController
  end

  def user_settings_params
-    return nil unless params.key?(:source)
+    return nil if params[:source].blank?

    source_params = params.require(:source)

--- a/app/controllers/api/v1/accounts/follower_accounts_controller.rb
+++ b/app/controllers/api/v1/accounts/follower_accounts_controller.rb
@ -5,8 +5,6 @@ class Api::V1::Accounts::FollowerAccountsController < Api::BaseController
  before_action :set_account
  after_action :insert_pagination_headers

-  respond_to :json
-
  def index
    @accounts = load_accounts
    render json: @accounts, each_serializer: REST::AccountSerializer
@ -21,11 +19,13 @@ class Api::V1::Accounts::FollowerAccountsController < Api::BaseController
  def load_accounts
    return [] if hide_results?

-    default_accounts.merge(paginated_follows).to_a
+    scope = default_accounts
+    scope = scope.where.not(id: current_account.excluded_from_timeline_account_ids) unless current_account.nil? || current_account.id == @account.id
+    scope.merge(paginated_follows).to_a
  end

  def hide_results?
-    (@account.user_hides_network? && current_account.id != @account.id) || (current_account && @account.blocking?(current_account))
+    (@account.hides_followers? && current_account&.id != @account.id) || (current_account && @account.blocking?(current_account))
  end

  def default_accounts
--- a/app/controllers/api/v1/accounts/following_accounts_controller.rb
+++ b/app/controllers/api/v1/accounts/following_accounts_controller.rb
@ -5,8 +5,6 @@ class Api::V1::Accounts::FollowingAccountsController < Api::BaseController
  before_action :set_account
  after_action :insert_pagination_headers

-  respond_to :json
-
  def index
    @accounts = load_accounts
    render json: @accounts, each_serializer: REST::AccountSerializer
@ -21,11 +19,13 @@ class Api::V1::Accounts::FollowingAccountsController < Api::BaseController
  def load_accounts
    return [] if hide_results?

-    default_accounts.merge(paginated_follows).to_a
+    scope = default_accounts
+    scope = scope.where.not(id: current_account.excluded_from_timeline_account_ids) unless current_account.nil? || current_account.id == @account.id
+    scope.merge(paginated_follows).to_a
  end

  def hide_results?
-    (@account.user_hides_network? && current_account.id != @account.id) || (current_account && @account.blocking?(current_account))
+    (@account.hides_following? && current_account&.id != @account.id) || (current_account && @account.blocking?(current_account))
  end

  def default_accounts
--- a/app/controllers/api/v1/accounts/identity_proofs_controller.rb
+++ b/app/controllers/api/v1/accounts/identity_proofs_controller.rb
@ -4,8 +4,6 @@ class Api::V1::Accounts::IdentityProofsController < Api::BaseController
  before_action :require_user!
  before_action :set_account

-  respond_to :json
-
  def index
    @proofs = @account.identity_proofs.active
    render json: @proofs, each_serializer: REST::IdentityProofSerializer
--- a/app/controllers/api/v1/accounts/lists_controller.rb
+++ b/app/controllers/api/v1/accounts/lists_controller.rb
@ -5,8 +5,6 @@ class Api::V1::Accounts::ListsController < Api::BaseController
  before_action :require_user!
  before_action :set_account

-  respond_to :json
-
  def index
    @lists = @account.lists.where(account: current_account)
    render json: @lists, each_serializer: REST::ListSerializer
--- a/app/controllers/api/v1/accounts/pins_controller.rb
+++ b/app/controllers/api/v1/accounts/pins_controller.rb
@ -7,8 +7,6 @@ class Api::V1::Accounts::PinsController < Api::BaseController
  before_action :require_user!
  before_action :set_account

-  respond_to :json
-
  def create
    AccountPin.create!(account: current_account, target_account: @account)
    render json: @account, serializer: REST::RelationshipSerializer, relationships: relationships_presenter
--- a/app/controllers/api/v1/accounts/relationships_controller.rb
+++ b/app/controllers/api/v1/accounts/relationships_controller.rb
@ -4,8 +4,6 @@ class Api::V1::Accounts::RelationshipsController < Api::BaseController
  before_action -> { doorkeeper_authorize! :read, :'read:follows' }
  before_action :require_user!

-  respond_to :json
-
  def index
    accounts = Account.where(id: account_ids).select('id')
    # .where doesn't guarantee that our results are in the same order
--- a/app/controllers/api/v1/accounts/search_controller.rb
+++ b/app/controllers/api/v1/accounts/search_controller.rb
@ -4,8 +4,6 @@ class Api::V1::Accounts::SearchController < Api::BaseController
  before_action -> { doorkeeper_authorize! :read, :'read:accounts' }
  before_action :require_user!

-  respond_to :json
-
  def show
    @accounts = account_search
    render json: @accounts, each_serializer: REST::AccountSerializer
--- a/app/controllers/api/v1/accounts/statuses_controller.rb
+++ b/app/controllers/api/v1/accounts/statuses_controller.rb
@ -6,8 +6,6 @@ class Api::V1::Accounts::StatusesController < Api::BaseController

  after_action :insert_pagination_headers, unless: -> { truthy_param?(:pinned) }

-  respond_to :json
-
  def index
    @statuses = load_statuses
    render json: @statuses, each_serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new(@statuses, current_user&.account_id)
--- a/app/controllers/api/v1/accounts_controller.rb
+++ b/app/controllers/api/v1/accounts_controller.rb
@ -14,7 +14,7 @@ class Api::V1::AccountsController < Api::BaseController

  skip_before_action :require_authenticated_user!, only: :create

-  respond_to :json
+  override_rate_limit_headers :follow, family: :follows

  def show
    render json: @account, serializer: REST::AccountSerializer
@ -31,7 +31,7 @@ class Api::V1::AccountsController < Api::BaseController
  end

  def follow
-    FollowService.new.call(current_user.account, @account, reblogs: truthy_param?(:reblogs))
+    FollowService.new.call(current_user.account, @account, reblogs: truthy_param?(:reblogs), with_rate_limit: true)

    options = @account.locked? || current_user.account.silenced? ? {} : { following_map: { @account.id => { reblogs: truthy_param?(:reblogs) } }, requested_map: { @account.id => false } }

--- a/app/controllers/api/v1/announcements/reactions_controller.rb
+++ b/app/controllers/api/v1/announcements/reactions_controller.rb
@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+class Api::V1::Announcements::ReactionsController < Api::BaseController
+  before_action -> { doorkeeper_authorize! :write, :'write:favourites' }
+  before_action :require_user!
+
+  before_action :set_announcement
+  before_action :set_reaction, except: :update
+
+  def update
+    @announcement.announcement_reactions.create!(account: current_account, name: params[:id])
+    render_empty
+  end
+
+  def destroy
+    @reaction.destroy!
+    render_empty
+  end
+
+  private
+
+  def set_reaction
+    @reaction = @announcement.announcement_reactions.where(account: current_account).find_by!(name: params[:id])
+  end
+
+  def set_announcement
+    @announcement = Announcement.published.find(params[:announcement_id])
+  end
+end
--- a/app/controllers/api/v1/announcements_controller.rb
+++ b/app/controllers/api/v1/announcements_controller.rb
@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+class Api::V1::AnnouncementsController < Api::BaseController
+  before_action -> { doorkeeper_authorize! :write, :'write:accounts' }, only: :dismiss
+  before_action :require_user!
+  before_action :set_announcements, only: :index
+  before_action :set_announcement, except: :index
+
+  def index
+    render json: @announcements, each_serializer: REST::AnnouncementSerializer
+  end
+
+  def dismiss
+    AnnouncementMute.find_or_create_by!(account: current_account, announcement: @announcement)
+    render_empty
+  end
+
+  private
+
+  def set_announcements
+    @announcements = begin
+      Announcement.published.chronological
+    end
+  end
+
+  def set_announcement
+    @announcement = Announcement.published.find(params[:id])
+  end
+end
--- a/app/controllers/api/v1/apps/credentials_controller.rb
+++ b/app/controllers/api/v1/apps/credentials_controller.rb
@ -3,8 +3,6 @@
 class Api::V1::Apps::CredentialsController < Api::BaseController
  before_action -> { doorkeeper_authorize! :read }

-  respond_to :json
-
  def show
    render json: doorkeeper_token.application, serializer: REST::ApplicationSerializer, fields: %i(name website vapid_key)
  end
--- a/app/controllers/api/v1/blocks_controller.rb
+++ b/app/controllers/api/v1/blocks_controller.rb
@ -5,8 +5,6 @@ class Api::V1::BlocksController < Api::BaseController
  before_action :require_user!
  after_action :insert_pagination_headers

-  respond_to :json
-
  def index
    @accounts = load_accounts
    render json: @accounts, each_serializer: REST::AccountSerializer
--- a/app/controllers/api/v1/bookmarks_controller.rb
+++ b/app/controllers/api/v1/bookmarks_controller.rb
@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+class Api::V1::BookmarksController < Api::BaseController
+  before_action -> { doorkeeper_authorize! :read, :'read:bookmarks' }
+  before_action :require_user!
+  after_action :insert_pagination_headers
+
+  def index
+    @statuses = load_statuses
+    render json: @statuses, each_serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new(@statuses, current_user&.account_id)
+  end
+
+  private
+
+  def load_statuses
+    cached_bookmarks
+  end
+
+  def cached_bookmarks
+    cache_collection(
+      Status.reorder(nil).joins(:bookmarks).merge(results),
+      Status
+    )
+  end
+
+  def results
+    @_results ||= account_bookmarks.paginate_by_id(
+      limit_param(DEFAULT_STATUSES_LIMIT),
+      params_slice(:max_id, :since_id, :min_id)
+    )
+  end
+
+  def account_bookmarks
+    current_account.bookmarks
+  end
+
+  def insert_pagination_headers
+    set_pagination_headers(next_path, prev_path)
+  end
+
+  def next_path
+    api_v1_bookmarks_url pagination_params(max_id: pagination_max_id) if records_continue?
+  end
+
+  def prev_path
+    api_v1_bookmarks_url pagination_params(min_id: pagination_since_id) unless results.empty?
+  end
+
+  def pagination_max_id
+    results.last.id
+  end
+
+  def pagination_since_id
+    results.first.id
+  end
+
+  def records_continue?
+    results.size == limit_param(DEFAULT_STATUSES_LIMIT)
+  end
+
+  def pagination_params(core_params)
+    params.slice(:limit).permit(:limit).merge(core_params)
+  end
+end
--- a/app/controllers/api/v1/conversations_controller.rb
+++ b/app/controllers/api/v1/conversations_controller.rb
@ -9,8 +9,6 @@ class Api::V1::ConversationsController < Api::BaseController
  before_action :set_conversation, except: :index
  after_action :insert_pagination_headers, only: :index

-  respond_to :json
-
  def index
    @conversations = paginated_conversations
    render json: @conversations, each_serializer: REST::ConversationSerializer
--- a/app/controllers/api/v1/custom_emojis_controller.rb
+++ b/app/controllers/api/v1/custom_emojis_controller.rb
@ -1,8 +1,6 @@
 # frozen_string_literal: true

 class Api::V1::CustomEmojisController < Api::BaseController
-  respond_to :json
-
  skip_before_action :set_cache_headers

  def index
--- a/app/controllers/api/v1/domain_blocks_controller.rb
+++ b/app/controllers/api/v1/domain_blocks_controller.rb
@ -8,8 +8,6 @@ class Api::V1::DomainBlocksController < Api::BaseController
  before_action :require_user!
  after_action :insert_pagination_headers, only: :show

-  respond_to :json
-
  def show
    @blocks = load_domain_blocks
    render json: @blocks.map(&:domain)
--- a/app/controllers/api/v1/endorsements_controller.rb
+++ b/app/controllers/api/v1/endorsements_controller.rb
@ -5,8 +5,6 @@ class Api::V1::EndorsementsController < Api::BaseController
  before_action :require_user!
  after_action :insert_pagination_headers

-  respond_to :json
-
  def index
    @accounts = load_accounts
    render json: @accounts, each_serializer: REST::AccountSerializer
--- a/app/controllers/api/v1/favourites_controller.rb
+++ b/app/controllers/api/v1/favourites_controller.rb
@ -5,8 +5,6 @@ class Api::V1::FavouritesController < Api::BaseController
  before_action :require_user!
  after_action :insert_pagination_headers

-  respond_to :json
-
  def index
    @statuses = load_statuses
    render json: @statuses, each_serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new(@statuses, current_user&.account_id)
--- a/app/controllers/api/v1/featured_tags/suggestions_controller.rb
+++ b/app/controllers/api/v1/featured_tags/suggestions_controller.rb
@ -2,12 +2,9 @@

 class Api::V1::FeaturedTags::SuggestionsController < Api::BaseController
  before_action -> { doorkeeper_authorize! :read, :'read:accounts' }, only: :index
-
  before_action :require_user!
  before_action :set_most_used_tags, only: :index

-  respond_to :json
-
  def index
    render json: @most_used_tags, each_serializer: REST::TagSerializer
  end
--- a/app/controllers/api/v1/filters_controller.rb
+++ b/app/controllers/api/v1/filters_controller.rb
@ -7,8 +7,6 @@ class Api::V1::FiltersController < Api::BaseController
  before_action :set_filters, only: :index
  before_action :set_filter, only: [:show, :update, :destroy]

-  respond_to :json
-
  def index
    render json: @filters, each_serializer: REST::FilterSerializer
  end
--- a/app/controllers/api/v1/instances/activity_controller.rb
+++ b/app/controllers/api/v1/instances/activity_controller.rb
@ -6,8 +6,6 @@ class Api::V1::Instances::ActivityController < Api::BaseController
  skip_before_action :set_cache_headers
  skip_before_action :require_authenticated_user!, unless: :whitelist_mode?

-  respond_to :json
-
  def show
    expires_in 1.day, public: true
    render_with_cache json: :activity, expires_in: 1.day
--- a/app/controllers/api/v1/instances/peers_controller.rb
+++ b/app/controllers/api/v1/instances/peers_controller.rb
@ -6,8 +6,6 @@ class Api::V1::Instances::PeersController < Api::BaseController
  skip_before_action :set_cache_headers
  skip_before_action :require_authenticated_user!, unless: :whitelist_mode?

-  respond_to :json
-
  def index
    expires_in 1.day, public: true
    render_with_cache(expires_in: 1.day) { Account.remote.domains }
--- a/app/controllers/api/v1/instances_controller.rb
+++ b/app/controllers/api/v1/instances_controller.rb
@ -1,8 +1,6 @@
 # frozen_string_literal: true

 class Api::V1::InstancesController < Api::BaseController
-  respond_to :json
-
  skip_before_action :set_cache_headers
  skip_before_action :require_authenticated_user!, unless: :whitelist_mode?

--- a/app/controllers/api/v1/media_controller.rb
+++ b/app/controllers/api/v1/media_controller.rb
@ -3,30 +3,42 @@
 class Api::V1::MediaController < Api::BaseController
  before_action -> { doorkeeper_authorize! :write, :'write:media' }
  before_action :require_user!
-
-  include ObfuscateFilename
-  obfuscate_filename :file
-
-  respond_to :json
+  before_action :set_media_attachment, except: [:create]
+  before_action :check_processing, except: [:create]

  def create
-    @media = current_account.media_attachments.create!(media_params)
-    render json: @media, serializer: REST::MediaAttachmentSerializer
+    @media_attachment = current_account.media_attachments.create!(media_attachment_params)
+    render json: @media_attachment, serializer: REST::MediaAttachmentSerializer
  rescue Paperclip::Errors::NotIdentifiedByImageMagickError
    render json: file_type_error, status: 422
  rescue Paperclip::Error
    render json: processing_error, status: 500
  end

+  def show
+    render json: @media_attachment, serializer: REST::MediaAttachmentSerializer, status: status_code_for_media_attachment
+  end
+
  def update
-    @media = current_account.media_attachments.where(status_id: nil).find(params[:id])
-    @media.update!(media_params)
-    render json: @media, serializer: REST::MediaAttachmentSerializer
+    @media_attachment.update!(media_attachment_params)
+    render json: @media_attachment, serializer: REST::MediaAttachmentSerializer, status: status_code_for_media_attachment
  end

  private

-  def media_params
+  def status_code_for_media_attachment
+    @media_attachment.not_processed? ? 206 : 200
+  end
+
+  def set_media_attachment
+    @media_attachment = current_account.media_attachments.unattached.find(params[:id])
+  end
+
+  def check_processing
+    render json: processing_error, status: 422 if @media_attachment.processing_failed?
+  end
+
+  def media_attachment_params
    params.permit(:file, :description, :focus)
  end

--- a/app/controllers/api/v1/mutes_controller.rb
+++ b/app/controllers/api/v1/mutes_controller.rb
@ -5,8 +5,6 @@ class Api::V1::MutesController < Api::BaseController
  before_action :require_user!
  after_action :insert_pagination_headers

-  respond_to :json
-
  def index
    @accounts = load_accounts
    render json: @accounts, each_serializer: REST::AccountSerializer
--- a/app/controllers/api/v1/notifications_controller.rb
+++ b/app/controllers/api/v1/notifications_controller.rb
@ -6,8 +6,6 @@ class Api::V1::NotificationsController < Api::BaseController
  before_action :require_user!
  after_action :insert_pagination_headers, only: :index

-  respond_to :json
-
  DEFAULT_NOTIFICATIONS_LIMIT = 15

  def index
--- a/app/controllers/api/v1/polls/votes_controller.rb
+++ b/app/controllers/api/v1/polls/votes_controller.rb
@ -7,8 +7,6 @@ class Api::V1::Polls::VotesController < Api::BaseController
  before_action :require_user!
  before_action :set_poll

-  respond_to :json
-
  def create
    VoteService.new.call(current_account, @poll, vote_params[:choices])
    render json: @poll, serializer: REST::PollSerializer
@ -20,7 +18,7 @@ class Api::V1::Polls::VotesController < Api::BaseController
    @poll = Poll.attached.find(params[:poll_id])
    authorize @poll.status, :show?
  rescue Mastodon::NotPermittedError
-    raise ActiveRecord::RecordNotFound
+    not_found
  end

  def vote_params
--- a/app/controllers/api/v1/polls_controller.rb
+++ b/app/controllers/api/v1/polls_controller.rb
@ -7,8 +7,6 @@ class Api::V1::PollsController < Api::BaseController
  before_action :set_poll
  before_action :refresh_poll

-  respond_to :json
-
  def show
    render json: @poll, serializer: REST::PollSerializer, include_results: true
  end
@ -19,7 +17,7 @@ class Api::V1::PollsController < Api::BaseController
    @poll = Poll.attached.find(params[:id])
    authorize @poll.status, :show?
  rescue Mastodon::NotPermittedError
-    raise ActiveRecord::RecordNotFound
+    not_found
  end

  def refresh_poll
--- a/app/controllers/api/v1/preferences_controller.rb
+++ b/app/controllers/api/v1/preferences_controller.rb
@ -4,8 +4,6 @@ class Api::V1::PreferencesController < Api::BaseController
  before_action -> { doorkeeper_authorize! :read, :'read:accounts' }
  before_action :require_user!

-  respond_to :json
-
  def index
    render json: current_account, serializer: REST::PreferencesSerializer
  end
--- a/app/controllers/api/v1/push/subscriptions_controller.rb
+++ b/app/controllers/api/v1/push/subscriptions_controller.rb
@ -4,6 +4,7 @@ class Api::V1::Push::SubscriptionsController < Api::BaseController
  before_action -> { doorkeeper_authorize! :push }
  before_action :require_user!
  before_action :set_web_push_subscription
+  before_action :check_web_push_subscription, only: [:show, :update]

  def create
    @web_subscription&.destroy!
@ -21,16 +22,11 @@ class Api::V1::Push::SubscriptionsController < Api::BaseController
  end

  def show
-    raise ActiveRecord::RecordNotFound if @web_subscription.nil?
-
    render json: @web_subscription, serializer: REST::WebPushSubscriptionSerializer
  end

  def update
-    raise ActiveRecord::RecordNotFound if @web_subscription.nil?
-
    @web_subscription.update!(data: data_params)
-
    render json: @web_subscription, serializer: REST::WebPushSubscriptionSerializer
  end

@ -45,12 +41,17 @@ class Api::V1::Push::SubscriptionsController < Api::BaseController
    @web_subscription = ::Web::PushSubscription.find_by(access_token_id: doorkeeper_token.id)
  end

+  def check_web_push_subscription
+    not_found if @web_subscription.nil?
+  end
+
  def subscription_params
    params.require(:subscription).permit(:endpoint, keys: [:auth, :p256dh])
  end

  def data_params
    return {} if params[:data].blank?
-    params.require(:data).permit(alerts: [:follow, :favourite, :reblog, :mention, :poll])
+
+    params.require(:data).permit(alerts: [:follow, :follow_request, :favourite, :reblog, :mention, :poll])
  end
 end
--- a/app/controllers/api/v1/reports_controller.rb
+++ b/app/controllers/api/v1/reports_controller.rb
@ -4,7 +4,7 @@ class Api::V1::ReportsController < Api::BaseController
  before_action -> { doorkeeper_authorize! :write, :'write:reports' }, only: [:create]
  before_action :require_user!

-  respond_to :json
+  override_rate_limit_headers :create, family: :reports

  def create
    @report = ReportService.new.call(
--- a/app/controllers/api/v1/statuses/bookmarks_controller.rb
+++ b/app/controllers/api/v1/statuses/bookmarks_controller.rb
@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+class Api::V1::Statuses::BookmarksController < Api::BaseController
+  include Authorization
+
+  before_action -> { doorkeeper_authorize! :write, :'write:bookmarks' }
+  before_action :require_user!
+  before_action :set_status
+
+  def create
+    current_account.bookmarks.find_or_create_by!(account: current_account, status: @status)
+    render json: @status, serializer: REST::StatusSerializer
+  end
+
+  def destroy
+    bookmark = current_account.bookmarks.find_by(status: @status)
+    bookmark&.destroy!
+
+    render json: @status, serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new([@status], current_account.id, bookmarks_map: { @status.id => false })
+  end
+
+  private
+
+  def set_status
+    @status = Status.find(params[:status_id])
+    authorize @status, :show?
+  rescue Mastodon::NotPermittedError
+    not_found
+  end
+end
--- a/app/controllers/api/v1/statuses/favourited_by_accounts_controller.rb
+++ b/app/controllers/api/v1/statuses/favourited_by_accounts_controller.rb
@ -7,8 +7,6 @@ class Api::V1::Statuses::FavouritedByAccountsController < Api::BaseController
  before_action :set_status
  after_action :insert_pagination_headers

-  respond_to :json
-
  def index
    @accounts = load_accounts
    render json: @accounts, each_serializer: REST::AccountSerializer
@ -17,7 +15,9 @@ class Api::V1::Statuses::FavouritedByAccountsController < Api::BaseController
  private

  def load_accounts
-    default_accounts.merge(paginated_favourites).to_a
+    scope = default_accounts
+    scope = scope.where.not(id: current_account.excluded_from_timeline_account_ids) unless current_account.nil?
+    scope.merge(paginated_favourites).to_a
  end

  def default_accounts
@ -67,8 +67,7 @@ class Api::V1::Statuses::FavouritedByAccountsController < Api::BaseController
    @status = Status.find(params[:status_id])
    authorize @status, :show?
  rescue Mastodon::NotPermittedError
-    # Reraise in order to get a 404 instead of a 403 error code
-    raise ActiveRecord::RecordNotFound
+    not_found
  end

  def pagination_params(core_params)
--- a/app/controllers/api/v1/statuses/favourites_controller.rb
+++ b/app/controllers/api/v1/statuses/favourites_controller.rb
@ -5,34 +5,24 @@ class Api::V1::Statuses::FavouritesController < Api::BaseController

  before_action -> { doorkeeper_authorize! :write, :'write:favourites' }
  before_action :require_user!
-
-  respond_to :json
+  before_action :set_status

  def create
-    @status = favourited_status
+    FavouriteService.new.call(current_account, @status)
    render json: @status, serializer: REST::StatusSerializer
  end

  def destroy
-    @status = requested_status
-    @favourites_map = { @status.id => false }
-
-    UnfavouriteWorker.perform_async(current_user.account_id, @status.id)
-
-    render json: @status, serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new([@status], current_user&.account_id, favourites_map: @favourites_map)
+    UnfavouriteWorker.perform_async(current_account.id, @status.id)
+    render json: @status, serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new([@status], current_account.id, favourites_map: { @status.id => false })
  end

  private

-  def favourited_status
-    service_result.status.reload
-  end
-
-  def service_result
-    FavouriteService.new.call(current_user.account, requested_status)
-  end
-
-  def requested_status
-    Status.find(params[:status_id])
+  def set_status
+    @status = Status.find(params[:status_id])
+    authorize @status, :show?
+  rescue Mastodon::NotPermittedError
+    not_found
  end
 end
--- a/app/controllers/api/v1/statuses/mutes_controller.rb
+++ b/app/controllers/api/v1/statuses/mutes_controller.rb
@ -8,8 +8,6 @@ class Api::V1::Statuses::MutesController < Api::BaseController
  before_action :set_status
  before_action :set_conversation

-  respond_to :json
-
  def create
    current_account.mute_conversation!(@conversation)
    @mutes_map = { @conversation.id => true }
@ -30,8 +28,7 @@ class Api::V1::Statuses::MutesController < Api::BaseController
    @status = Status.find(params[:status_id])
    authorize @status, :show?
  rescue Mastodon::NotPermittedError
-    # Reraise in order to get a 404 instead of a 403 error code
-    raise ActiveRecord::RecordNotFound
+    not_found
  end

  def set_conversation
--- a/app/controllers/api/v1/statuses/pins_controller.rb
+++ b/app/controllers/api/v1/statuses/pins_controller.rb
@ -7,8 +7,6 @@ class Api::V1::Statuses::PinsController < Api::BaseController
  before_action :require_user!
  before_action :set_status

-  respond_to :json
-
  def create
    StatusPin.create!(account: current_account, status: @status)
    distribute_add_activity!
--- a/app/controllers/api/v1/statuses/reblogged_by_accounts_controller.rb
+++ b/app/controllers/api/v1/statuses/reblogged_by_accounts_controller.rb
@ -7,8 +7,6 @@ class Api::V1::Statuses::RebloggedByAccountsController < Api::BaseController
  before_action :set_status
  after_action :insert_pagination_headers

-  respond_to :json
-
  def index
    @accounts = load_accounts
    render json: @accounts, each_serializer: REST::AccountSerializer
@ -17,7 +15,9 @@ class Api::V1::Statuses::RebloggedByAccountsController < Api::BaseController
  private

  def load_accounts
-    default_accounts.merge(paginated_statuses).to_a
+    scope = default_accounts
+    scope = scope.where.not(id: current_account.excluded_from_timeline_account_ids) unless current_account.nil?
+    scope.merge(paginated_statuses).to_a
  end

  def default_accounts
@ -64,8 +64,7 @@ class Api::V1::Statuses::RebloggedByAccountsController < Api::BaseController
    @status = Status.find(params[:status_id])
    authorize @status, :show?
  rescue Mastodon::NotPermittedError
-    # Reraise in order to get a 404 instead of a 403 error code
-    raise ActiveRecord::RecordNotFound
+    not_found
  end

  def pagination_params(core_params)
--- a/app/controllers/api/v1/statuses/reblogs_controller.rb
+++ b/app/controllers/api/v1/statuses/reblogs_controller.rb
@ -5,33 +5,35 @@ class Api::V1::Statuses::ReblogsController < Api::BaseController

  before_action -> { doorkeeper_authorize! :write, :'write:statuses' }
  before_action :require_user!
+  before_action :set_reblog

-  respond_to :json
+  override_rate_limit_headers :create, family: :statuses

  def create
-    @status = ReblogService.new.call(current_user.account, status_for_reblog, reblog_params)
+    @status = ReblogService.new.call(current_account, @reblog, reblog_params)
+
    render json: @status, serializer: REST::StatusSerializer
  end

  def destroy
-    @status = status_for_destroy.reblog
-    @reblogs_map = { @status.id => false }
+    @status = current_account.statuses.find_by(reblog_of_id: @reblog.id)

-    authorize status_for_destroy, :unreblog?
-    status_for_destroy.discard
-    RemovalWorker.perform_async(status_for_destroy.id)
+    if @status
+      authorize @status, :unreblog?
+      @status.discard
+      RemovalWorker.perform_async(@status.id)
+    end

-    render json: @status, serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new([@status], current_user&.account_id, reblogs_map: @reblogs_map)
+    render json: @reblog, serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new([@status], current_account.id, reblogs_map: { @reblog.id => false })
  end

  private

-  def status_for_reblog
-    Status.find params[:status_id]
-  end
-
-  def status_for_destroy
-    @status_for_destroy ||= current_user.account.statuses.where(reblog_of_id: params[:status_id]).first!
+  def set_reblog
+    @reblog = Status.find(params[:status_id])
+    authorize @reblog, :show?
+  rescue Mastodon::NotPermittedError
+    not_found
  end

  def reblog_params
--- a/app/controllers/api/v1/statuses_controller.rb
+++ b/app/controllers/api/v1/statuses_controller.rb
@ -7,8 +7,9 @@ class Api::V1::StatusesController < Api::BaseController
  before_action -> { doorkeeper_authorize! :write, :'write:statuses' }, only:   [:create, :destroy]
  before_action :require_user!, except:  [:show, :context]
  before_action :set_status, only:       [:show, :context]
+  before_action :set_thread, only:       [:create]

-  respond_to :json
+  override_rate_limit_headers :create, family: :statuses

  # This API was originally unlimited, pagination cannot be introduced without
  # breaking backwards-compatibility. Arbitrarily high number to cover most
@ -36,7 +37,7 @@ class Api::V1::StatusesController < Api::BaseController
  def create
    @status = PostStatusService.new.call(current_user.account,
                                         text: status_params[:status],
-                                         thread: status_params[:in_reply_to_id].blank? ? nil : Status.find(status_params[:in_reply_to_id]),
+                                         thread: @thread,
                                         media_ids: status_params[:media_ids],
                                         sensitive: status_params[:sensitive],
                                         spoiler_text: status_params[:spoiler_text],
@ -45,7 +46,8 @@ class Api::V1::StatusesController < Api::BaseController
                                         application: doorkeeper_token.application,
                                         poll: status_params[:poll],
                                         idempotency: request.headers['Idempotency-Key'],
-                                         local_only: status_params[:local_only])
+                                         local_only: status_params[:local_only],
+                                         with_rate_limit: true)

    render json: @status, serializer: @status.is_a?(ScheduledStatus) ? REST::ScheduledStatusSerializer : REST::StatusSerializer
  end
@ -66,7 +68,13 @@ class Api::V1::StatusesController < Api::BaseController
    @status = Status.find(params[:id])
    authorize @status, :show?
  rescue Mastodon::NotPermittedError
-    raise ActiveRecord::RecordNotFound
+    not_found
+  end
+
+  def set_thread
+    @thread = status_params[:in_reply_to_id].blank? ? nil : Status.find(status_params[:in_reply_to_id])
+  rescue ActiveRecord::RecordNotFound
+    render json: { error: I18n.t('statuses.errors.in_reply_not_found') }, status: 404
  end

  def status_params
--- a/app/controllers/api/v1/streaming_controller.rb
+++ b/app/controllers/api/v1/streaming_controller.rb
@ -1,8 +1,6 @@
 # frozen_string_literal: true

 class Api::V1::StreamingController < Api::BaseController
-  respond_to :json
-
  def index
    if Rails.configuration.x.streaming_api_base_url != request.host
      redirect_to streaming_api_url, status: 301
--- a/app/controllers/api/v1/suggestions_controller.rb
+++ b/app/controllers/api/v1/suggestions_controller.rb
@ -7,8 +7,6 @@ class Api::V1::SuggestionsController < Api::BaseController
  before_action :require_user!
  before_action :set_accounts

-  respond_to :json
-
  def index
    render json: @accounts, each_serializer: REST::AccountSerializer
  end
--- a/app/controllers/api/v1/timelines/home_controller.rb
+++ b/app/controllers/api/v1/timelines/home_controller.rb
@ -5,8 +5,6 @@ class Api::V1::Timelines::HomeController < Api::BaseController
  before_action :require_user!, only: [:show]
  after_action :insert_pagination_headers, unless: -> { @statuses.empty? }

-  respond_to :json
-
  def show
    @statuses = load_statuses

--- a/app/controllers/api/v1/timelines/public_controller.rb
+++ b/app/controllers/api/v1/timelines/public_controller.rb
@ -4,8 +4,6 @@ class Api::V1::Timelines::PublicController < Api::BaseController
  before_action :require_user!, only: [:show], if: :require_auth?
  after_action :insert_pagination_headers, unless: -> { @statuses.empty? }

-  respond_to :json
-
  def show
    @statuses = load_statuses
    render json: @statuses, each_serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new(@statuses, current_user&.account_id)
@ -41,7 +39,7 @@ class Api::V1::Timelines::PublicController < Api::BaseController
  end

  def public_timeline_statuses
-    Status.as_public_timeline(current_account, truthy_param?(:local))
+    Status.as_public_timeline(current_account, truthy_param?(:remote) ? :remote : truthy_param?(:local))
  end

  def insert_pagination_headers
@ -49,7 +47,7 @@ class Api::V1::Timelines::PublicController < Api::BaseController
  end

  def pagination_params(core_params)
-    params.slice(:local, :limit, :only_media).permit(:local, :limit, :only_media).merge(core_params)
+    params.slice(:local, :remote, :limit, :only_media).permit(:local, :remote, :limit, :only_media).merge(core_params)
  end

  def next_path
--- a/app/controllers/api/v1/timelines/tag_controller.rb
+++ b/app/controllers/api/v1/timelines/tag_controller.rb
@ -4,8 +4,6 @@ class Api::V1::Timelines::TagController < Api::BaseController
  before_action :load_tag
  after_action :insert_pagination_headers, unless: -> { @statuses.empty? }

-  respond_to :json
-
  def show
    @statuses = load_statuses
    render json: @statuses, each_serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new(@statuses, current_user&.account_id)
--- a/app/controllers/api/v1/trends_controller.rb
+++ b/app/controllers/api/v1/trends_controller.rb
@ -3,8 +3,6 @@
 class Api::V1::TrendsController < Api::BaseController
  before_action :set_tags

-  respond_to :json
-
  def index
    render json: @tags, each_serializer: REST::TagSerializer
  end
--- a/app/controllers/api/v2/media_controller.rb
+++ b/app/controllers/api/v2/media_controller.rb
@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+class Api::V2::MediaController < Api::V1::MediaController
+  def create
+    @media_attachment = current_account.media_attachments.create!({ delay_processing: true }.merge(media_attachment_params))
+    render json: @media_attachment, serializer: REST::MediaAttachmentSerializer, status: 202
+  rescue Paperclip::Errors::NotIdentifiedByImageMagickError
+    render json: file_type_error, status: 422
+  rescue Paperclip::Error
+    render json: processing_error, status: 500
+  end
+end
--- a/app/controllers/api/v2/search_controller.rb
+++ b/app/controllers/api/v2/search_controller.rb
@ -8,8 +8,6 @@ class Api::V2::SearchController < Api::BaseController
  before_action -> { doorkeeper_authorize! :read, :'read:search' }
  before_action :require_user!

-  respond_to :json
-
  def index
    @search = Search.new(search_results)
    render json: @search, serializer: REST::SearchSerializer
--- a/app/controllers/api/web/embeds_controller.rb
+++ b/app/controllers/api/web/embeds_controller.rb
@ -1,21 +1,25 @@
 # frozen_string_literal: true

 class Api::Web::EmbedsController < Api::Web::BaseController
-  respond_to :json
-
  before_action :require_user!

  def create
    status = StatusFinder.new(params[:url]).status
+
+    return not_found if status.hidden?
+
    render json: status, serializer: OEmbedSerializer, width: 400
  rescue ActiveRecord::RecordNotFound
    oembed = FetchOEmbedService.new.call(params[:url])
-    oembed[:html] = Formatter.instance.sanitize(oembed[:html], Sanitize::Config::MASTODON_OEMBED) if oembed[:html].present?

-    if oembed
-      render json: oembed
-    else
-      render json: {}, status: :not_found
+    return not_found if oembed.nil?
+
+    begin
+      oembed[:html] = Formatter.instance.sanitize(oembed[:html], Sanitize::Config::MASTODON_OEMBED)
+    rescue ArgumentError
+      return not_found
    end
+
+    render json: oembed
  end
 end
--- a/app/controllers/api/web/push_subscriptions_controller.rb
+++ b/app/controllers/api/web/push_subscriptions_controller.rb
@ -1,8 +1,6 @@
 # frozen_string_literal: true

 class Api::Web::PushSubscriptionsController < Api::Web::BaseController
-  respond_to :json
-
  before_action :require_user!

  def create
@ -19,6 +17,7 @@ class Api::Web::PushSubscriptionsController < Api::Web::BaseController
    data = {
      alerts: {
        follow: alerts_enabled,
+        follow_request: false,
        favourite: alerts_enabled,
        reblog: alerts_enabled,
        mention: alerts_enabled,
@ -58,6 +57,6 @@ class Api::Web::PushSubscriptionsController < Api::Web::BaseController
  end

  def data_params
-    @data_params ||= params.require(:data).permit(alerts: [:follow, :favourite, :reblog, :mention, :poll])
+    @data_params ||= params.require(:data).permit(alerts: [:follow, :follow_request, :favourite, :reblog, :mention, :poll])
  end
 end
--- a/app/controllers/api/web/settings_controller.rb
+++ b/app/controllers/api/web/settings_controller.rb
@ -1,8 +1,6 @@
 # frozen_string_literal: true

 class Api::Web::SettingsController < Api::Web::BaseController
-  respond_to :json
-
  before_action :require_user!

  def update
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -24,10 +24,12 @@ class ApplicationController < ActionController::Base
  rescue_from ActionController::InvalidAuthenticityToken, with: :unprocessable_entity
  rescue_from ActionController::UnknownFormat, with: :not_acceptable
  rescue_from ActionController::ParameterMissing, with: :bad_request
+  rescue_from Paperclip::AdapterRegistry::NoHandlerError, with: :bad_request
  rescue_from ActiveRecord::RecordNotFound, with: :not_found
  rescue_from Mastodon::NotPermittedError, with: :forbidden
  rescue_from HTTP::Error, OpenSSL::SSL::SSLError, with: :internal_server_error
  rescue_from Mastodon::RaceConditionError, with: :service_unavailable
+  rescue_from Mastodon::RateLimitExceededError, with: :too_many_requests

  before_action :store_current_location, except: :raise_not_found, unless: :devise_controller?
  before_action :require_functional!, if: :user_signed_in?
@ -110,6 +112,10 @@ class ApplicationController < ActionController::Base
    respond_with_error(503)
  end

+  def too_many_requests
+    respond_with_error(429)
+  end
+
  def single_user_mode?
    @single_user_mode ||= Rails.configuration.x.single_user_mode && Account.where('id > 0').exists?
  end
@ -137,8 +143,8 @@ class ApplicationController < ActionController::Base

  def respond_with_error(code)
    respond_to do |format|
-      format.any  { head code }
-      format.html { render "errors/#{code}", layout: 'error', status: code }
+      format.any  { render "errors/#{code}", layout: 'error', status: code, formats: [:html] }
+      format.json { render json: { error: Rack::Utils::HTTP_STATUS_CODES[code] }, status: code }
    end
  end
 end
--- a/app/controllers/auth/passwords_controller.rb
+++ b/app/controllers/auth/passwords_controller.rb
@ -6,6 +6,12 @@ class Auth::PasswordsController < Devise::PasswordsController

  layout 'auth'

+  def update
+    super do |resource|
+      resource.session_activations.destroy_all if resource.errors.empty?
+    end
+  end
+
  private

  def check_validity_of_reset_password_token
--- a/app/controllers/auth/registrations_controller.rb
+++ b/app/controllers/auth/registrations_controller.rb
@ -10,6 +10,7 @@ class Auth::RegistrationsController < Devise::RegistrationsController
  before_action :set_instance_presenter, only: [:new, :create, :update]
  before_action :set_body_classes, only: [:new, :create, :edit, :update]
  before_action :require_not_suspended!, only: [:update]
+  before_action :set_cache_headers, only: [:edit, :update]

  skip_before_action :require_functional!, only: [:edit, :update]

@ -21,10 +22,17 @@ class Auth::RegistrationsController < Devise::RegistrationsController
    not_found
  end

+  def update
+    super do |resource|
+      resource.clear_other_sessions(current_session.session_id) if resource.saved_change_to_encrypted_password?
+    end
+  end
+
  protected

  def update_resource(resource, params)
    params[:password] = nil if Devise.pam_authentication && resource.encrypted_password.blank?
+
    super
  end

@ -33,7 +41,6 @@ class Auth::RegistrationsController < Devise::RegistrationsController

    resource.locale             = I18n.locale
    resource.invite_code        = params[:invite_code] if resource.invite_code.blank?
-    resource.agreement          = true
    resource.current_sign_in_ip = request.remote_ip

    resource.build_account if resource.account.nil?
@ -41,7 +48,7 @@ class Auth::RegistrationsController < Devise::RegistrationsController

  def configure_sign_up_params
    devise_parameter_sanitizer.permit(:sign_up) do |u|
-      u.permit({ account_attributes: [:username], invite_request_attributes: [:text] }, :email, :password, :password_confirmation, :invite_code)
+      u.permit({ account_attributes: [:username], invite_request_attributes: [:text] }, :email, :password, :password_confirmation, :invite_code, :agreement)
    end
  end

@ -109,4 +116,8 @@ class Auth::RegistrationsController < Devise::RegistrationsController
  def require_not_suspended!
    forbidden if current_account.suspended?
  end
+
+  def set_cache_headers
+    response.headers['Cache-Control'] = 'no-cache, no-store, max-age=0, must-revalidate'
+  end
 end
--- a/app/controllers/auth/sessions_controller.rb
+++ b/app/controllers/auth/sessions_controller.rb
@ -111,6 +111,13 @@ class Auth::SessionsController < Devise::SessionsController
    render :two_factor
  end

+  def require_no_authentication
+    super
+    # Delete flash message that isn't entirely useful and may be confusing in
+    # most cases because /web doesn't display/clear flash messages.
+    flash.delete(:alert) if flash[:alert] == I18n.t('devise.failure.already_authenticated')
+  end
+
  private

  def set_instance_presenter
--- a/app/controllers/authorize_interactions_controller.rb
+++ b/app/controllers/authorize_interactions_controller.rb
@ -20,7 +20,7 @@ class AuthorizeInteractionsController < ApplicationController
  end

  def create
-    if @resource.is_a?(Account) && FollowService.new.call(current_account, @resource)
+    if @resource.is_a?(Account) && FollowService.new.call(current_account, @resource, with_rate_limit: true)
      render :success
    else
      render :error
--- a/app/controllers/concerns/localized.rb
+++ b/app/controllers/concerns/localized.rb
@ -28,18 +28,6 @@ module Localized
  end

  def request_locale
-    preferred_locale || compatible_locale
-  end
-
-  def preferred_locale
-    http_accept_language.preferred_language_from(available_locales)
-  end
-
-  def compatible_locale
-    http_accept_language.compatible_language_from(available_locales)
-  end
-
-  def available_locales
-    I18n.available_locales.reverse
+    http_accept_language.language_region_compatible_from(I18n.available_locales)
  end
 end
--- a/app/controllers/concerns/obfuscate_filename.rb
+++ b/app/controllers/concerns/obfuscate_filename.rb
@ -1,16 +0,0 @@
-# frozen_string_literal: true
-
-module ObfuscateFilename
-  extend ActiveSupport::Concern
-
-  class_methods do
-    def obfuscate_filename(path)
-      before_action do
-        file = params.dig(*path)
-        next if file.nil?
-
-        file.original_filename = SecureRandom.hex(8) + File.extname(file.original_filename)
-      end
-    end
-  end
-end
--- a/app/controllers/concerns/rate_limit_headers.rb
+++ b/app/controllers/concerns/rate_limit_headers.rb
@ -3,6 +3,20 @@
 module RateLimitHeaders
  extend ActiveSupport::Concern

+  class_methods do
+    def override_rate_limit_headers(method_name, options = {})
+      around_action(only: method_name, if: :current_account) do |_controller, block|
+        begin
+          block.call
+        ensure
+          rate_limiter = RateLimiter.new(current_account, options)
+          rate_limit_headers = rate_limiter.to_headers
+          response.headers.merge!(rate_limit_headers) unless response.headers['X-RateLimit-Remaining'].present? && rate_limit_headers['X-RateLimit-Remaining'].to_i > response.headers['X-RateLimit-Remaining'].to_i
+        end
+      end
+    end
+  end
+
  included do
    before_action :set_rate_limit_headers, if: :rate_limited_request?
  end
@ -44,7 +58,7 @@ module RateLimitHeaders
  end

  def api_throttle_data
-    most_limited_type, = request.env['rack.attack.throttle_data'].min_by { |_, v| v[:limit] }
+    most_limited_type, = request.env['rack.attack.throttle_data'].min_by { |_, v| v[:limit] - v[:count] }
    request.env['rack.attack.throttle_data'][most_limited_type]
  end

--- a/app/controllers/concerns/signature_verification.rb
+++ b/app/controllers/concerns/signature_verification.rb
@ -160,6 +160,8 @@ module SignatureVerification
      account ||= stoplight_wrap_request { ActivityPub::FetchRemoteKeyService.new.call(key_id, id: false) }
      account
    end
+  rescue Mastodon::HostValidationError
+    nil
  end

  def stoplight_wrap_request(&block)
--- a/app/controllers/filters_controller.rb
+++ b/app/controllers/filters_controller.rb
@ -1,10 +1,9 @@
 # frozen_string_literal: true

 class FiltersController < ApplicationController
-  include Authorization
-
  layout 'admin'

+  before_action :authenticate_user!
  before_action :set_filters, only: :index
  before_action :set_filter, only: [:edit, :update, :destroy]
  before_action :set_body_classes
--- a/app/controllers/follower_accounts_controller.rb
+++ b/app/controllers/follower_accounts_controller.rb
@ -18,7 +18,6 @@ class FollowerAccountsController < ApplicationController
        next if @account.user_hides_network?

        follows
-        @relationships = AccountRelationshipsPresenter.new(follows.map(&:account_id), current_user.account_id) if user_signed_in?
      end

      format.json do
@ -29,7 +28,8 @@ class FollowerAccountsController < ApplicationController
        render json: collection_presenter,
               serializer: ActivityPub::CollectionSerializer,
               adapter: ActivityPub::Adapter,
-               content_type: 'application/activity+json'
+               content_type: 'application/activity+json',
+               fields: restrict_fields_to
      end
    end
  end
@ -37,7 +37,11 @@ class FollowerAccountsController < ApplicationController
  private

  def follows
-    @follows ||= Follow.where(target_account: @account).recent.page(params[:page]).per(FOLLOW_PER_PAGE).preload(:account)
+    return @follows if defined?(@follows)
+
+    scope = Follow.where(target_account: @account)
+    scope = scope.where.not(account_id: current_account.excluded_from_timeline_account_ids) if user_signed_in?
+    @follows = scope.recent.page(params[:page]).per(FOLLOW_PER_PAGE).preload(:account)
  end

  def page_requested?
@ -68,4 +72,12 @@ class FollowerAccountsController < ApplicationController
      )
    end
  end
+
+  def restrict_fields_to
+    if page_requested? || !@account.user_hides_network?
+      # Return all fields
+    else
+      %i(id type totalItems)
+    end
+  end
 end
--- a/app/controllers/following_accounts_controller.rb
+++ b/app/controllers/following_accounts_controller.rb
@ -18,7 +18,6 @@ class FollowingAccountsController < ApplicationController
        next if @account.user_hides_network?

        follows
-        @relationships = AccountRelationshipsPresenter.new(follows.map(&:target_account_id), current_user.account_id) if user_signed_in?
      end

      format.json do
@ -29,7 +28,8 @@ class FollowingAccountsController < ApplicationController
        render json: collection_presenter,
               serializer: ActivityPub::CollectionSerializer,
               adapter: ActivityPub::Adapter,
-               content_type: 'application/activity+json'
+               content_type: 'application/activity+json',
+               fields: restrict_fields_to
      end
    end
  end
@ -37,7 +37,11 @@ class FollowingAccountsController < ApplicationController
  private

  def follows
-    @follows ||= Follow.where(account: @account).recent.page(params[:page]).per(FOLLOW_PER_PAGE).preload(:target_account)
+    return @follows if defined?(@follows)
+
+    scope = Follow.where(account: @account)
+    scope = scope.where.not(target_account_id: current_account.excluded_from_timeline_account_ids) if user_signed_in?
+    @follows = scope.recent.page(params[:page]).per(FOLLOW_PER_PAGE).preload(:target_account)
  end

  def page_requested?
@ -68,4 +72,12 @@ class FollowingAccountsController < ApplicationController
      )
    end
  end
+
+  def restrict_fields_to
+    if page_requested? || !@account.user_hides_network?
+      # Return all fields
+    else
+      %i(id type totalItems)
+    end
+  end
 end
--- a/app/controllers/media_controller.rb
+++ b/app/controllers/media_controller.rb
@ -33,7 +33,7 @@ class MediaController < ApplicationController
  def verify_permitted_status!
    authorize @media_attachment.status, :show?
  rescue Mastodon::NotPermittedError
-    raise ActiveRecord::RecordNotFound
+    not_found
  end

  def check_playable
--- a/app/controllers/oauth/authorizations_controller.rb
+++ b/app/controllers/oauth/authorizations_controller.rb
@ -5,6 +5,7 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController

  before_action :store_current_location
  before_action :authenticate_resource_owner!
+  before_action :set_cache_headers

  include Localized

@ -27,4 +28,8 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController
  def truthy_param?(key)
    ActiveModel::Type::Boolean.new.cast(params[key])
  end
+
+  def set_cache_headers
+    response.headers['Cache-Control'] = 'no-cache, no-store, max-age=0, must-revalidate'
+  end
 end
--- a/app/controllers/relationships_controller.rb
+++ b/app/controllers/relationships_controller.rb
@ -19,53 +19,13 @@ class RelationshipsController < ApplicationController
  rescue ActionController::ParameterMissing
    # Do nothing
  ensure
-    redirect_to relationships_path(current_params)
+    redirect_to relationships_path(filter_params)
  end

  private

  def set_accounts
-    @accounts = relationships_scope.page(params[:page]).per(40)
-  end
-
-  def relationships_scope
-    scope = begin
-      if following_relationship?
-        current_account.following.eager_load(:account_stat).reorder(nil)
-      else
-        current_account.followers.eager_load(:account_stat).reorder(nil)
-      end
-    end
-
-    scope.merge!(Follow.recent)             if params[:order].blank? || params[:order] == 'recent'
-    scope.merge!(Account.by_recent_status)  if params[:order] == 'active'
-    scope.merge!(mutual_relationship_scope) if mutual_relationship?
-    scope.merge!(moved_account_scope)       if params[:status] == 'moved'
-    scope.merge!(primary_account_scope)     if params[:status] == 'primary'
-    scope.merge!(by_domain_scope)           if params[:by_domain].present?
-    scope.merge!(dormant_account_scope)     if params[:activity] == 'dormant'
-
-    scope
-  end
-
-  def mutual_relationship_scope
-    Account.where(id: current_account.following)
-  end
-
-  def moved_account_scope
-    Account.where.not(moved_to_account_id: nil)
-  end
-
-  def primary_account_scope
-    Account.where(moved_to_account_id: nil)
-  end
-
-  def dormant_account_scope
-    AccountStat.where(last_status_at: nil).or(AccountStat.where(AccountStat.arel_table[:last_status_at].lt(1.month.ago)))
-  end
-
-  def by_domain_scope
-    Account.where(domain: params[:by_domain])
+    @accounts = RelationshipFilter.new(current_account, filter_params).results.page(params[:page]).per(40)
  end

  def form_account_batch_params
@ -84,8 +44,8 @@ class RelationshipsController < ApplicationController
    params[:relationship] == 'followed_by'
  end

-  def current_params
-    params.slice(:page, :status, :relationship, :by_domain, :activity, :order).permit(:page, :status, :relationship, :by_domain, :activity, :order)
+  def filter_params
+    params.slice(:page, *RelationshipFilter::KEYS).permit(:page, *RelationshipFilter::KEYS)
  end

  def action_from_button
--- a/app/controllers/remote_interaction_controller.rb
+++ b/app/controllers/remote_interaction_controller.rb
@ -41,7 +41,7 @@ class RemoteInteractionController < ApplicationController
    @status = Status.find(params[:id])
    authorize @status, :show?
  rescue Mastodon::NotPermittedError
-    raise ActiveRecord::RecordNotFound
+    not_found
  end

  def set_body_classes
--- a/app/controllers/settings/base_controller.rb
+++ b/app/controllers/settings/base_controller.rb
@ -2,10 +2,15 @@

 class Settings::BaseController < ApplicationController
  before_action :set_body_classes
+  before_action :set_cache_headers

  private

  def set_body_classes
    @body_classes = 'admin'
  end
+
+  def set_cache_headers
+    response.headers['Cache-Control'] = 'no-cache, no-store, max-age=0, must-revalidate'
+  end
 end
--- a/app/controllers/settings/identity_proofs_controller.rb
+++ b/app/controllers/settings/identity_proofs_controller.rb
@ -21,8 +21,7 @@ class Settings::IdentityProofsController < Settings::BaseController
    if current_account.username.casecmp(params[:username]).zero?
      render layout: 'auth'
    else
-      flash[:alert] = I18n.t('identity_proofs.errors.wrong_user', proving: params[:username], current: current_account.username)
-      redirect_to settings_identity_proofs_path
+      redirect_to settings_identity_proofs_path, alert: I18n.t('identity_proofs.errors.wrong_user', proving: params[:username], current: current_account.username)
    end
  end

@ -34,11 +33,16 @@ class Settings::IdentityProofsController < Settings::BaseController
      PostStatusService.new.call(current_user.account, text: post_params[:status_text]) if publish_proof?
      redirect_to @proof.on_success_path(params[:user_agent])
    else
-      flash[:alert] = I18n.t('identity_proofs.errors.failed', provider: @proof.provider.capitalize)
-      redirect_to settings_identity_proofs_path
+      redirect_to settings_identity_proofs_path, alert: I18n.t('identity_proofs.errors.failed', provider: @proof.provider.capitalize)
    end
  end

+  def destroy
+    @proof = current_account.identity_proofs.find(params[:id])
+    @proof.destroy!
+    redirect_to settings_identity_proofs_path, success: I18n.t('identity_proofs.removed')
+  end
+
  private

  def check_required_params
--- a/app/controllers/settings/imports_controller.rb
+++ b/app/controllers/settings/imports_controller.rb
@ -29,6 +29,6 @@ class Settings::ImportsController < Settings::BaseController
  end

  def import_params
-    params.require(:import).permit(:data, :type)
+    params.require(:import).permit(:data, :type, :mode)
  end
 end
--- a/app/controllers/settings/pictures_controller.rb
+++ b/app/controllers/settings/pictures_controller.rb
@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+module Settings
+  class PicturesController < BaseController
+    before_action :authenticate_user!
+    before_action :set_account
+    before_action :set_picture
+
+    def destroy
+      if valid_picture
+        account_params = {
+          @picture => nil,
+          (@picture + '_remote_url') => nil,
+        }
+
+        msg = UpdateAccountService.new.call(@account, account_params) ? I18n.t('generic.changes_saved_msg') : nil
+        redirect_to settings_profile_path, notice: msg, status: 303
+      else
+        bad_request
+      end
+    end
+
+    private
+
+    def set_account
+      @account = current_account
+    end
+
+    def set_picture
+      @picture = params[:id]
+    end
+
+    def valid_picture
+      @picture == 'avatar' || @picture == 'header'
+    end
+  end
+end
--- a/app/controllers/settings/preferences_controller.rb
+++ b/app/controllers/settings/preferences_controller.rb
@ -58,6 +58,7 @@ class Settings::PreferencesController < Settings::BaseController
      :setting_use_blurhash,
      :setting_use_pending_items,
      :setting_trends,
+      :setting_crop_images,
      notification_emails: %i(follow follow_request reblog favourite mention digest report pending_account trending_tag),
      interactions: %i(must_be_follower must_be_following must_be_following_dm)
    )
--- a/app/controllers/settings/profiles_controller.rb
+++ b/app/controllers/settings/profiles_controller.rb
@ -1,16 +1,11 @@
 # frozen_string_literal: true

 class Settings::ProfilesController < Settings::BaseController
-  include ObfuscateFilename
-
  layout 'admin'

  before_action :authenticate_user!
  before_action :set_account

-  obfuscate_filename [:account, :avatar]
-  obfuscate_filename [:account, :header]
-
  def show
    @account.build_fields
  end
--- a/app/controllers/statuses_controller.rb
+++ b/app/controllers/statuses_controller.rb
@ -46,7 +46,7 @@ class StatusesController < ApplicationController
  end

  def embed
-    raise ActiveRecord::RecordNotFound if @status.hidden?
+    return not_found if @status.hidden? || @status.reblog?

    expires_in 180, public: true
    response.headers['X-Frame-Options'] = 'ALLOWALL'
@ -68,7 +68,7 @@ class StatusesController < ApplicationController
    @status = @account.statuses.find(params[:id])
    authorize @status, :show?
  rescue Mastodon::NotPermittedError
-    raise ActiveRecord::RecordNotFound
+    not_found
  end

  def set_instance_presenter
--- a/app/controllers/tags_controller.rb
+++ b/app/controllers/tags_controller.rb
@ -10,6 +10,7 @@ class TagsController < ApplicationController
  before_action :require_signature!, if: -> { request.format == :json && authorized_fetch_mode? }
  before_action :authenticate_user!, if: :whitelist_mode?
  before_action :set_tag
+  before_action :set_local
  before_action :set_body_classes
  before_action :set_instance_presenter

@ -24,7 +25,7 @@ class TagsController < ApplicationController
      format.rss do
        expires_in 0, public: true

-        @statuses = HashtagQueryService.new.call(@tag, params.slice(:any, :all, :none)).limit(PAGE_SIZE)
+        @statuses = HashtagQueryService.new.call(@tag, filter_params, nil, @local).limit(PAGE_SIZE)
        @statuses = cache_collection(@statuses, Status)

        render xml: RSS::TagSerializer.render(@tag, @statuses)
@ -33,7 +34,7 @@ class TagsController < ApplicationController
      format.json do
        expires_in 3.minutes, public: public_fetch_mode?

-        @statuses = HashtagQueryService.new.call(@tag, params.slice(:any, :all, :none), current_account, params[:local]).paginate_by_max_id(PAGE_SIZE, params[:max_id])
+        @statuses = HashtagQueryService.new.call(@tag, filter_params, current_account, @local).paginate_by_max_id(PAGE_SIZE, params[:max_id])
        @statuses = cache_collection(@statuses, Status)

        render json: collection_presenter, serializer: ActivityPub::CollectionSerializer, adapter: ActivityPub::Adapter, content_type: 'application/activity+json'
@ -47,6 +48,10 @@ class TagsController < ApplicationController
    @tag = Tag.usable.find_normalized!(params[:id])
  end

+  def set_local
+    @local = truthy_param?(:local)
+  end
+
  def set_body_classes
    @body_classes = 'with-modals'
  end
@ -57,10 +62,14 @@ class TagsController < ApplicationController

  def collection_presenter
    ActivityPub::CollectionPresenter.new(
-      id: tag_url(@tag, params.slice(:any, :all, :none)),
+      id: tag_url(@tag, filter_params),
      type: :ordered,
      size: @tag.statuses.count,
      items: @statuses.map { |s| ActivityPub::TagManager.instance.uri_for(s) }
    )
  end
+
+  def filter_params
+    params.slice(:any, :all, :none).permit(:any, :all, :none)
+  end
 end
--- a/app/controllers/well_known/host_meta_controller.rb
+++ b/app/controllers/well_known/host_meta_controller.rb
@ -8,12 +8,8 @@ module WellKnown

    def show
      @webfinger_template = "#{webfinger_url}?resource={uri}"
-
-      respond_to do |format|
-        format.xml { render content_type: 'application/xrd+xml' }
-      end
-
      expires_in 3.days, public: true
+      render content_type: 'application/xrd+xml', formats: [:xml]
    end
  end
 end
--- a/Show More
+++ b/Show More