Merge remote-tracking branch 'parent/main' into upstream-20231116

.github/workflows/test-ruby.yml

@@ -94,7 +94,7 @@ jobs:
       DB_HOST: localhost
       DB_USER: postgres
       DB_PASS: postgres
-      DISABLE_SIMPLECOV: true
+      DISABLE_SIMPLECOV: ${{ matrix.ruby-version != '.ruby-version' }}
       RAILS_ENV: test
       ALLOW_NOPAM: true
       PAM_ENABLED: true
@@ -138,6 +138,12 @@ jobs:
 
       - run: bin/rspec
 
+      - name: Upload coverage reports to Codecov
+        if: matrix.ruby-version == '.ruby-version'
+        uses: codecov/codecov-action@v3
+        with:
+          files: coverage/lcov/mastodon.lcov
+
   test-e2e:
     name: End to End testing
     runs-on: ubuntu-latest

.rubocop_todo.yml

@@ -41,23 +41,6 @@ Metrics/CyclomaticComplexity:
 Metrics/PerceivedComplexity:
   Max: 27
 
-RSpec/AnyInstance:
-  Exclude:
-    - 'spec/controllers/activitypub/inboxes_controller_spec.rb'
-    - 'spec/controllers/admin/accounts_controller_spec.rb'
-    - 'spec/controllers/admin/resets_controller_spec.rb'
-    - 'spec/controllers/auth/sessions_controller_spec.rb'
-    - 'spec/controllers/settings/two_factor_authentication/confirmations_controller_spec.rb'
-    - 'spec/controllers/settings/two_factor_authentication/recovery_codes_controller_spec.rb'
-    - 'spec/lib/request_spec.rb'
-    - 'spec/lib/status_filter_spec.rb'
-    - 'spec/models/account_spec.rb'
-    - 'spec/models/setting_spec.rb'
-    - 'spec/services/activitypub/process_collection_service_spec.rb'
-    - 'spec/validators/follow_limit_validator_spec.rb'
-    - 'spec/workers/activitypub/delivery_worker_spec.rb'
-    - 'spec/workers/web/push_notification_worker_spec.rb'
-
 # Configuration parameters: CountAsOne.
 RSpec/ExampleLength:
   Max: 22

Gemfile

@@ -139,6 +139,7 @@ group :test do
 
   # Coverage formatter for RSpec test if DISABLE_SIMPLECOV is false
   gem 'simplecov', '~> 0.22', require: false
+  gem 'simplecov-lcov', '~> 0.8', require: false
 
   # Stub web requests for specs
   gem 'webmock', '~> 3.18'

Gemfile.lock

@@ -727,6 +727,7 @@ GEM
       simplecov-html (~> 0.11)
       simplecov_json_formatter (~> 0.1)
     simplecov-html (0.12.3)
+    simplecov-lcov (0.8.0)
     simplecov_json_formatter (0.1.4)
     smart_properties (1.17.0)
     sprockets (3.7.2)
@@ -939,6 +940,7 @@ DEPENDENCIES
   simple-navigation (~> 4.4)
   simple_form (~> 5.2)
   simplecov (~> 0.22)
+  simplecov-lcov (~> 0.8)
   sprockets (~> 3.7.2)
   sprockets-rails (~> 3.4)
   stackprof

Procfile.dev

@@ -1,4 +1,4 @@
 web: env PORT=3000 RAILS_ENV=development bundle exec puma -C config/puma.rb
 sidekiq: env PORT=3000 RAILS_ENV=development bundle exec sidekiq
-stream: env PORT=4000 yarn run start
+stream: env PORT=4000 yarn workspace @mastodon/streaming start
 webpack: bin/webpack-dev-server

app/controllers/api/base_controller.rb

@@ -7,6 +7,7 @@ class Api::BaseController < ApplicationController
   include RateLimitHeaders
   include AccessTokenTrackingConcern
   include ApiCachingConcern
+  include Api::ContentSecurityPolicy
 
   skip_before_action :require_functional!, unless: :limited_federation_mode?
 
@@ -17,26 +18,6 @@ class Api::BaseController < ApplicationController
 
   protect_from_forgery with: :null_session
 
-  content_security_policy do |p|
-    # Set every directive that does not have a fallback
-    p.default_src :none
-    p.frame_ancestors :none
-    p.form_action :none
-
-    # Disable every directive with a fallback to cut on response size
-    p.base_uri false
-    p.font_src false
-    p.img_src false
-    p.style_src false
-    p.media_src false
-    p.frame_src false
-    p.manifest_src false
-    p.connect_src false
-    p.script_src false
-    p.child_src false
-    p.worker_src false
-  end
-
   rescue_from ActiveRecord::RecordInvalid, Mastodon::ValidationError do |e|
     render json: { error: e.to_s }, status: 422
   end

app/controllers/api/v1/instances/domain_blocks_controller.rb

@@ -13,7 +13,7 @@ def index
       cache_if_unauthenticated!
     end
 
-    render json: @domain_blocks, each_serializer: REST::DomainBlockSerializer, with_comment: (Setting.show_domain_blocks_rationale == 'all' || (Setting.show_domain_blocks_rationale == 'users' && user_signed_in?))
+    render json: @domain_blocks, each_serializer: REST::DomainBlockSerializer, with_comment: show_rationale_in_response?
   end
 
   private
@@ -26,4 +26,16 @@ def set_domain_blocks
     @domain_blocks = DomainBlock.with_user_facing_limitations.by_severity
     @domain_blocks = @domain_blocks.filter { |block| !block.hidden_anonymous } unless user_signed_in?
   end
+
+  def show_rationale_in_response?
+    always_show_rationale? || show_rationale_for_user?
+  end
+
+  def always_show_rationale?
+    Setting.show_domain_blocks_rationale == 'all'
+  end
+
+  def show_rationale_for_user?
+    Setting.show_domain_blocks_rationale == 'users' && user_signed_in?
+  end
 end

app/controllers/api/v1/timelines/base_controller.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+class Api::V1::Timelines::BaseController < Api::BaseController
+  after_action :insert_pagination_headers, unless: -> { @statuses.empty? }
+
+  private
+
+  def insert_pagination_headers
+    set_pagination_headers(next_path, prev_path)
+  end
+
+  def pagination_max_id
+    @statuses.last.id
+  end
+
+  def pagination_since_id
+    @statuses.first.id
+  end
+
+  def next_path_params
+    permitted_params.merge(max_id: pagination_max_id)
+  end
+
+  def prev_path_params
+    permitted_params.merge(min_id: pagination_since_id)
+  end
+
+  def permitted_params
+    params
+      .slice(*self.class::PERMITTED_PARAMS)
+      .permit(*self.class::PERMITTED_PARAMS)
+  end
+end

app/controllers/api/v1/timelines/home_controller.rb

@@ -1,9 +1,10 @@
 # frozen_string_literal: true
 
-class Api::V1::Timelines::HomeController < Api::BaseController
+class Api::V1::Timelines::HomeController < Api::V1::Timelines::BaseController
   before_action -> { doorkeeper_authorize! :read, :'read:statuses' }, only: [:show]
   before_action :require_user!, only: [:show]
-  after_action :insert_pagination_headers, unless: -> { @statuses.empty? }
+
+  PERMITTED_PARAMS = %i(local limit).freeze
 
   def show
     with_read_replica do
@@ -42,27 +43,11 @@ def account_home_feed
     HomeFeed.new(current_account)
   end
 
-  def insert_pagination_headers
-    set_pagination_headers(next_path, prev_path)
-  end
-
-  def pagination_params(core_params)
-    params.slice(:local, :limit).permit(:local, :limit).merge(core_params)
-  end
-
   def next_path
-    api_v1_timelines_home_url pagination_params(max_id: pagination_max_id)
+    api_v1_timelines_home_url next_path_params
   end
 
   def prev_path
-    api_v1_timelines_home_url pagination_params(min_id: pagination_since_id)
-  end
-
-  def pagination_max_id
-    @statuses.last.id
-  end
-
-  def pagination_since_id
-    @statuses.first.id
+    api_v1_timelines_home_url prev_path_params
   end
 end

app/controllers/api/v1/timelines/list_controller.rb

@@ -1,12 +1,12 @@
 # frozen_string_literal: true
 
-class Api::V1::Timelines::ListController < Api::BaseController
+class Api::V1::Timelines::ListController < Api::V1::Timelines::BaseController
   before_action -> { doorkeeper_authorize! :read, :'read:lists' }
   before_action :require_user!
   before_action :set_list
   before_action :set_statuses
 
-  after_action :insert_pagination_headers, unless: -> { @statuses.empty? }
+  PERMITTED_PARAMS = %i(limit).freeze
 
   def show
     render json: @statuses,
@@ -41,27 +41,11 @@ def list_feed
     ListFeed.new(@list)
   end
 
-  def insert_pagination_headers
-    set_pagination_headers(next_path, prev_path)
-  end
-
-  def pagination_params(core_params)
-    params.slice(:limit).permit(:limit).merge(core_params)
-  end
-
   def next_path
-    api_v1_timelines_list_url params[:id], pagination_params(max_id: pagination_max_id)
+    api_v1_timelines_list_url params[:id], next_path_params
   end
 
   def prev_path
-    api_v1_timelines_list_url params[:id], pagination_params(min_id: pagination_since_id)
-  end
-
-  def pagination_max_id
-    @statuses.last.id
-  end
-
-  def pagination_since_id
-    @statuses.first.id
+    api_v1_timelines_list_url params[:id], prev_path_params
   end
 end

app/controllers/api/v1/timelines/public_controller.rb

@@ -1,8 +1,9 @@
 # frozen_string_literal: true
 
-class Api::V1::Timelines::PublicController < Api::BaseController
+class Api::V1::Timelines::PublicController < Api::V1::Timelines::BaseController
   before_action :require_user!, only: [:show], if: :require_auth?
-  after_action :insert_pagination_headers, unless: -> { @statuses.empty? }
+
+  PERMITTED_PARAMS = %i(local remote limit only_media).freeze
 
   def show
     cache_if_unauthenticated!
@@ -44,27 +45,11 @@ def public_feed
     )
   end
 
-  def insert_pagination_headers
-    set_pagination_headers(next_path, prev_path)
-  end
-
-  def pagination_params(core_params)
-    params.slice(:local, :remote, :limit, :only_media).permit(:local, :remote, :limit, :only_media).merge(core_params)
-  end
-
   def next_path
-    api_v1_timelines_public_url pagination_params(max_id: pagination_max_id)
+    api_v1_timelines_public_url next_path_params
   end
 
   def prev_path
-    api_v1_timelines_public_url pagination_params(min_id: pagination_since_id)
-  end
-
-  def pagination_max_id
-    @statuses.last.id
-  end
-
-  def pagination_since_id
-    @statuses.first.id
+    api_v1_timelines_public_url prev_path_params
   end
 end

app/controllers/api/v1/timelines/tag_controller.rb

@@ -1,9 +1,10 @@
 # frozen_string_literal: true
 
-class Api::V1::Timelines::TagController < Api::BaseController
+class Api::V1::Timelines::TagController < Api::V1::Timelines::BaseController
   before_action -> { doorkeeper_authorize! :read, :'read:statuses' }, only: :show, if: :require_auth?
   before_action :load_tag
-  after_action :insert_pagination_headers, unless: -> { @statuses.empty? }
+
+  PERMITTED_PARAMS = %i(local limit only_media).freeze
 
   def show
     cache_if_unauthenticated!
@@ -53,27 +54,11 @@ def tag_feed
     )
   end
 
-  def insert_pagination_headers
-    set_pagination_headers(next_path, prev_path)
-  end
-
-  def pagination_params(core_params)
-    params.slice(:local, :limit, :only_media).permit(:local, :limit, :only_media).merge(core_params)
-  end
-
   def next_path
-    api_v1_timelines_tag_url params[:id], pagination_params(max_id: pagination_max_id)
+    api_v1_timelines_tag_url params[:id], next_path_params
   end
 
   def prev_path
-    api_v1_timelines_tag_url params[:id], pagination_params(min_id: pagination_since_id)
-  end
-
-  def pagination_max_id
-    @statuses.last.id
-  end
-
-  def pagination_since_id
-    @statuses.first.id
+    api_v1_timelines_tag_url params[:id], prev_path_params
   end
 end

app/controllers/concerns/api/content_security_policy.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module Api::ContentSecurityPolicy
+  extend ActiveSupport::Concern
+
+  included do
+    content_security_policy do |policy|
+      # Set every directive that does not have a fallback
+      policy.default_src :none
+      policy.frame_ancestors :none
+      policy.form_action :none
+
+      # Disable every directive with a fallback to cut on response size
+      policy.base_uri false
+      policy.font_src false
+      policy.img_src false
+      policy.style_src false
+      policy.media_src false
+      policy.frame_src false
+      policy.manifest_src false
+      policy.connect_src false
+      policy.script_src false
+      policy.child_src false
+      policy.worker_src false
+    end
+  end
+end

app/javascript/mastodon/features/list_timeline/index.jsx

@@ -219,7 +219,7 @@ class ListTimeline extends PureComponent {
           </div>
 
           <div className='setting-toggle'>
-            <Toggle id={`list-${id}-exclusive`} defaultChecked={isExclusive} onChange={this.onExclusiveToggle} />
+            <Toggle id={`list-${id}-exclusive`} checked={isExclusive} onChange={this.onExclusiveToggle} />
             <label htmlFor={`list-${id}-exclusive`} className='setting-toggle__label'>
               <FormattedMessage id='lists.exclusive' defaultMessage='Hide these posts from home or STL' />
             </label>