Merge tag 'v3.0.1' into instance_only_statuses

2019-10-21 09:14:53 +02:00
parent fbaaf24be8 c4118ba71b
commit a42a98bc67
1034 changed files with 32987 additions and 15887 deletions
--- a/app/controllers/settings/aliases_controller.rb
+++ b/app/controllers/settings/aliases_controller.rb
@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+class Settings::AliasesController < Settings::BaseController
+  layout 'admin'
+
+  before_action :authenticate_user!
+  before_action :set_aliases, except: :destroy
+  before_action :set_alias, only: :destroy
+
+  def index
+    @alias = current_account.aliases.build
+  end
+
+  def create
+    @alias = current_account.aliases.build(resource_params)
+
+    if @alias.save
+      ActivityPub::UpdateDistributionWorker.perform_async(current_account.id)
+      redirect_to settings_aliases_path, notice: I18n.t('aliases.created_msg')
+    else
+      render :index
+    end
+  end
+
+  def destroy
+    @alias.destroy!
+    redirect_to settings_aliases_path, notice: I18n.t('aliases.deleted_msg')
+  end
+
+  private
+
+  def resource_params
+    params.require(:account_alias).permit(:acct)
+  end
+
+  def set_alias
+    @alias = current_account.aliases.find(params[:id])
+  end
+
+  def set_aliases
+    @aliases = current_account.aliases.order(id: :desc).reject(&:new_record?)
+  end
+end
--- a/app/controllers/settings/deletes_controller.rb
+++ b/app/controllers/settings/deletes_controller.rb
@ -5,18 +5,20 @@ class Settings::DeletesController < Settings::BaseController

  before_action :check_enabled_deletion
  before_action :authenticate_user!
+  before_action :require_not_suspended!
+
+  skip_before_action :require_functional!

  def show
    @confirmation = Form::DeleteConfirmation.new
  end

  def destroy
-    if current_user.valid_password?(delete_params[:password])
-      Admin::SuspensionWorker.perform_async(current_user.account_id, true)
-      sign_out
+    if challenge_passed?
+      destroy_account!
      redirect_to new_user_session_path, notice: I18n.t('deletes.success_msg')
    else
-      redirect_to settings_delete_path, alert: I18n.t('deletes.bad_password_msg')
+      redirect_to settings_delete_path, alert: I18n.t('deletes.challenge_not_passed')
    end
  end

@ -26,7 +28,25 @@ class Settings::DeletesController < Settings::BaseController
    redirect_to root_path unless Setting.open_deletion
  end

-  def delete_params
-    params.require(:form_delete_confirmation).permit(:password)
+  def resource_params
+    params.require(:form_delete_confirmation).permit(:password, :username)
+  end
+
+  def require_not_suspended!
+    forbidden if current_account.suspended?
+  end
+
+  def challenge_passed?
+    if current_user.encrypted_password.blank?
+      current_account.username == resource_params[:username]
+    else
+      current_user.valid_password?(resource_params[:password])
+    end
+  end
+
+  def destroy_account!
+    current_account.suspend!
+    Admin::SuspensionWorker.perform_async(current_user.account_id, true)
+    sign_out
  end
 end
--- a/app/controllers/settings/exports_controller.rb
+++ b/app/controllers/settings/exports_controller.rb
@ -6,6 +6,9 @@ class Settings::ExportsController < Settings::BaseController
  layout 'admin'

  before_action :authenticate_user!
+  before_action :require_not_suspended!
+
+  skip_before_action :require_functional!

  def show
    @export  = Export.new(current_account)
@ -34,4 +37,8 @@ class Settings::ExportsController < Settings::BaseController
  def lock_options
    { redis: Redis.current, key: "backup:#{current_user.id}" }
  end
+
+  def require_not_suspended!
+    forbidden if current_account.suspended?
+  end
 end
--- a/app/controllers/settings/migration/redirects_controller.rb
+++ b/app/controllers/settings/migration/redirects_controller.rb
@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+class Settings::Migration::RedirectsController < Settings::BaseController
+  layout 'admin'
+
+  before_action :authenticate_user!
+  before_action :require_not_suspended!
+
+  skip_before_action :require_functional!
+
+  def new
+    @redirect = Form::Redirect.new
+  end
+
+  def create
+    @redirect = Form::Redirect.new(resource_params.merge(account: current_account))
+
+    if @redirect.valid_with_challenge?(current_user)
+      current_account.update!(moved_to_account: @redirect.target_account)
+      ActivityPub::UpdateDistributionWorker.perform_async(current_account.id)
+      redirect_to settings_migration_path, notice: I18n.t('migrations.moved_msg', acct: current_account.moved_to_account.acct)
+    else
+      render :new
+    end
+  end
+
+  def destroy
+    if current_account.moved_to_account_id.present?
+      current_account.update!(moved_to_account: nil)
+      ActivityPub::UpdateDistributionWorker.perform_async(current_account.id)
+    end
+
+    redirect_to settings_migration_path, notice: I18n.t('migrations.cancelled_msg')
+  end
+
+  private
+
+  def resource_params
+    params.require(:form_redirect).permit(:acct, :current_password, :current_username)
+  end
+
+  def require_not_suspended!
+    forbidden if current_account.suspended?
+  end
+end
--- a/app/controllers/settings/migrations_controller.rb
+++ b/app/controllers/settings/migrations_controller.rb
@ -4,31 +4,48 @@ class Settings::MigrationsController < Settings::BaseController
  layout 'admin'

  before_action :authenticate_user!
+  before_action :require_not_suspended!
+  before_action :set_migrations
+  before_action :set_cooldown
+
+  skip_before_action :require_functional!

  def show
-    @migration = Form::Migration.new(account: current_account.moved_to_account)
+    @migration = current_account.migrations.build
  end

-  def update
-    @migration = Form::Migration.new(resource_params)
+  def create
+    @migration = current_account.migrations.build(resource_params)

-    if @migration.valid? && migration_account_changed?
-      current_account.update!(moved_to_account: @migration.account)
-      ActivityPub::UpdateDistributionWorker.perform_async(current_account.id)
-      redirect_to settings_migration_path, notice: I18n.t('migrations.updated_msg')
+    if @migration.save_with_challenge(current_user)
+      MoveService.new.call(@migration)
+      redirect_to settings_migration_path, notice: I18n.t('migrations.moved_msg', acct: current_account.moved_to_account.acct)
    else
      render :show
    end
  end

+  helper_method :on_cooldown?
+
  private

  def resource_params
-    params.require(:migration).permit(:acct)
+    params.require(:account_migration).permit(:acct, :current_password, :current_username)
  end

-  def migration_account_changed?
-    current_account.moved_to_account_id != @migration.account&.id &&
-      current_account.id != @migration.account&.id
+  def set_migrations
+    @migrations = current_account.migrations.includes(:target_account).order(id: :desc).reject(&:new_record?)
+  end
+
+  def set_cooldown
+    @cooldown = current_account.migrations.within_cooldown.first
+  end
+
+  def on_cooldown?
+    @cooldown.present?
+  end
+
+  def require_not_suspended!
+    forbidden if current_account.suspended?
  end
 end
--- a/app/controllers/settings/preferences_controller.rb
+++ b/app/controllers/settings/preferences_controller.rb
@ -55,7 +55,10 @@ class Settings::PreferencesController < Settings::BaseController
      :setting_aggregate_reblogs,
      :setting_show_application,
      :setting_advanced_layout,
-      notification_emails: %i(follow follow_request reblog favourite mention digest report pending_account),
+      :setting_use_blurhash,
+      :setting_use_pending_items,
+      :setting_trends,
+      notification_emails: %i(follow follow_request reblog favourite mention digest report pending_account trending_tag),
      interactions: %i(must_be_follower must_be_following must_be_following_dm)
    )
  end
--- a/app/controllers/settings/sessions_controller.rb
+++ b/app/controllers/settings/sessions_controller.rb
@ -4,6 +4,8 @@ class Settings::SessionsController < Settings::BaseController
  before_action :authenticate_user!
  before_action :set_session, only: :destroy

+  skip_before_action :require_functional!
+
  def destroy
    @session.destroy!
    flash[:notice] = I18n.t('sessions.revoke_success')
--- a/app/controllers/settings/two_factor_authentication/confirmations_controller.rb
+++ b/app/controllers/settings/two_factor_authentication/confirmations_controller.rb
@ -3,23 +3,30 @@
 module Settings
  module TwoFactorAuthentication
    class ConfirmationsController < BaseController
+      include ChallengableConcern
+
      layout 'admin'

      before_action :authenticate_user!
+      before_action :require_challenge!
      before_action :ensure_otp_secret

+      skip_before_action :require_functional!
+
      def new
        prepare_two_factor_form
      end

      def create
-        if current_user.validate_and_consume_otp!(confirmation_params[:code])
+        if current_user.validate_and_consume_otp!(confirmation_params[:otp_attempt])
          flash.now[:notice] = I18n.t('two_factor_authentication.enabled_success')

          current_user.otp_required_for_login = true
          @recovery_codes = current_user.generate_otp_backup_codes!
          current_user.save!

+          UserMailer.two_factor_enabled(current_user).deliver_later!
+
          render 'settings/two_factor_authentication/recovery_codes/index'
        else
          flash.now[:alert] = I18n.t('two_factor_authentication.wrong_code')
@ -31,7 +38,7 @@ module Settings
      private

      def confirmation_params
-        params.require(:form_two_factor_confirmation).permit(:code)
+        params.require(:form_two_factor_confirmation).permit(:otp_attempt)
      end

      def prepare_two_factor_form
--- a/app/controllers/settings/two_factor_authentication/recovery_codes_controller.rb
+++ b/app/controllers/settings/two_factor_authentication/recovery_codes_controller.rb
@ -3,14 +3,22 @@
 module Settings
  module TwoFactorAuthentication
    class RecoveryCodesController < BaseController
+      include ChallengableConcern
+
      layout 'admin'

      before_action :authenticate_user!
+      before_action :require_challenge!, on: :create
+
+      skip_before_action :require_functional!

      def create
        @recovery_codes = current_user.generate_otp_backup_codes!
        current_user.save!
+
+        UserMailer.two_factor_recovery_codes_changed(current_user).deliver_later!
        flash.now[:notice] = I18n.t('two_factor_authentication.recovery_codes_regenerated')
+
        render :index
      end
    end
--- a/app/controllers/settings/two_factor_authentications_controller.rb
+++ b/app/controllers/settings/two_factor_authentications_controller.rb
@ -2,10 +2,15 @@

 module Settings
  class TwoFactorAuthenticationsController < BaseController
+    include ChallengableConcern
+
    layout 'admin'

    before_action :authenticate_user!
    before_action :verify_otp_required, only: [:create]
+    before_action :require_challenge!, only: [:create]
+
+    skip_before_action :require_functional!

    def show
      @confirmation = Form::TwoFactorConfirmation.new
@ -21,6 +26,7 @@ module Settings
      if acceptable_code?
        current_user.otp_required_for_login = false
        current_user.save!
+        UserMailer.two_factor_disabled(current_user).deliver_later!
        redirect_to settings_two_factor_authentication_path
      else
        flash.now[:alert] = I18n.t('two_factor_authentication.wrong_code')
@ -32,7 +38,7 @@ module Settings
    private

    def confirmation_params
-      params.require(:form_two_factor_confirmation).permit(:code)
+      params.require(:form_two_factor_confirmation).permit(:otp_attempt)
    end

    def verify_otp_required
@ -40,8 +46,8 @@ module Settings
    end

    def acceptable_code?
-      current_user.validate_and_consume_otp!(confirmation_params[:code]) ||
-        current_user.invalidate_otp_backup_code!(confirmation_params[:code])
+      current_user.validate_and_consume_otp!(confirmation_params[:otp_attempt]) ||
+        current_user.invalidate_otp_backup_code!(confirmation_params[:otp_attempt])
    end
  end
 end