Commits · 5f7032dfee1fd202c14e76a9f8b37af35d584901 · gnu.io / gnu-social

22 Feb, 2016 1 commit

Verify that authenticated API calls are made from our domain name. · 5f7032df

mattl authored Feb 22, 2016

Evil forms on other websites could otherwise potentially be configured
to have action="https://gnusocial.example/api/statuses/update.json" or
whatever. XHR is already blocked with CORS stuff.

Really, why do browsers allow cross domain POSTs at all? Sigh. The web.

5f7032df

21 Feb, 2016 8 commits
- Make WebFinger fancyurlfix configurable · c67b89e5
  mattl authored Feb 21, 2016
  
  c67b89e5
- WebFinger aliases with 'index.php/' · ce803f6d
  mattl authored Feb 21, 2016
  
  ce803f6d
- Claim that we are the URL without index.php/ in webfinger response · 1edb1bbc
  mattl authored Feb 21, 2016
  
  1edb1bbc
- throw new, not just throw · 893d1173
  mattl authored Feb 21, 2016
  
  893d1173
- Let the WebFingerPlugin lookup profile resources with index.php/ too · 0c17c322
  mattl authored Feb 21, 2016
  
  0c17c322
- common_fake_local_fancy_url to remove index.php/ from a local URL · 23e66bef
  mattl authored Feb 21, 2016
  
  23e66bef
- Allow lookup of User->getByUri (throws NoResultException) · d16a883e
  mattl authored Feb 21, 2016
  
  d16a883e
- Keep a unique set of WebFingerResource aliases · b23cc746
  mattl authored Feb 21, 2016
  
  b23cc746
18 Feb, 2016 1 commit

Don't publish mbox_sha1sum in FOAF by default. · afbdcf89

mattl authored Feb 19, 2016

We say the email is private data, so reasonably we shouldn't reveal it
indirectly through a hash sum: http://xmlns.com/foaf/spec/#term_mbox_sha1sum

afbdcf89

17 Feb, 2016 12 commits
- Only show "public:site" in ToSelector if notice/allowprivate is true · a838c909
  mattl authored Feb 18, 2016
  
  a838c909
- Put "Everyone" and "Everyone at [local instance]" at the top of ToSelector · f68d1ade
  mattl authored Feb 18, 2016
  
  f68d1ade
- NoAcctUriException->profile not $e directly · 543d968b
  mattl authored Feb 18, 2016
  
  543d968b
- Sort ToSelector by AcctUri · a361fdbd
  mattl authored Feb 18, 2016
  
  a361fdbd
- Use ToSelector choice again. · 73dbc5ca
  mattl authored Feb 17, 2016
  
  73dbc5ca
- Show notice feed URLs (and author) · d9b64964
  mattl authored Feb 17, 2016
  
  d9b64964
- To-selector padlock only shown if site config notice/allowprivate is true · d2c11925
  mattl authored Feb 17, 2016
  
  d2c11925
- By default, disallow users to set private_stream · 5fbb0113
  mattl authored Feb 17, 2016
  
  5fbb0113
- Describe that we don't allow empty fullnames. · 47dc15c9
  mattl authored Feb 17, 2016
  
  47dc15c9
- If profile fullname is 0 chars use nickname · d6bf90cf
  mattl authored Feb 17, 2016
  
  d6bf90cf
- Make the Link header give URI for WebFinger lookup · ade4518a
  mattl authored Feb 17, 2016
  
  ade4518a
- Differentiate two similar log warning messages · 422d475e
  mattl authored Feb 17, 2016
  
  422d475e
16 Feb, 2016 2 commits
- Gotta declare FullNoticeStream as abstract class · d2507a62
  mattl authored Feb 16, 2016
  
  d2507a62
- FullNoticeStream selects all verbs. · 46829c6d
  mattl authored Feb 16, 2016
  
  46829c6d
15 Feb, 2016 2 commits
- created column was ambigououuuouuus · 2d1b70c9
  mattl authored Feb 15, 2016
  
  2d1b70c9
- We only want POST and SHARE in the inbox/home timeline right? · 2301862a
  mattl authored Feb 15, 2016
  
  2301862a
14 Feb, 2016 2 commits

Show shares in public timeline · dcb7ce36

mattl authored Feb 14, 2016

Also, the unselect rule for DELETE was useless anyway since it would
already have been filtered out by not having true.

(the => false stuff are for when you want ALL _except_ that)

dcb7ce36

Use NoticeStream::filterVerbs for filtering in noticestreams · e2a090c9
mattl authored Feb 14, 2016

e2a090c9

13 Feb, 2016 7 commits
- Might as well put a FILTER_SANITIZE_EMAIL there · c23c3a4f
  mattl authored Feb 13, 2016
```
Not that I think we could break out of the directory since
we use basename, but you never know... maybe there's a unicode
bug in PHP or something.
```
  c23c3a4f
- socialfy-your-domain updated for webfinger (not tested) · 4bf26eff
  mattl authored Feb 13, 2016
  
  4bf26eff
- Hide attachments in notices by silenced profiles · be14e15d
  mattl authored Feb 13, 2016
  
  be14e15d
- listGet was not meant for that really · fbcca62a
  mattl authored Feb 13, 2016
  
  fbcca62a
- Render RegiserThrottle extra profile data properly · 8ef2abf3
  mattl authored Feb 13, 2016
  
  8ef2abf3
- Don't depend on ModLog · 799c2e47
  mattl authored Feb 13, 2016
  
  799c2e47
- RegisterThrottle list-profiles-by-ip · be35975b
  mattl authored Feb 13, 2016
  
  be35975b
12 Feb, 2016 5 commits
- Show user registration IP to users who can see ModLog · 557ad2d1
  mattl authored Feb 13, 2016
  
  557ad2d1
- Only administrators can delete other privileged users. · c7c34ec0
  mattl authored Feb 12, 2016
  
  c7c34ec0
- Profile->isPrivileged() to check if users have more rights than to post etc. · 83f679fb
  mattl authored Feb 12, 2016
  
  83f679fb
- Update the comment on silencing privileged users in ModHelper · 3cef75bc
  mattl authored Feb 12, 2016
  
  3cef75bc
- Silence action can only be used on non-priviliged users · e5ad98e6
  mattl authored Feb 12, 2016
  
  e5ad98e6