1. 09 Feb, 2016 1 commit
    • Either use or don't use HTTPS · ec257d94
      mmn authored
      The risk of injection attacks using HTTP is too great to allow a
      site that allows both HTTP and HTTPS...
  2. 04 Jan, 2016 1 commit
  3. 10 Jul, 2015 1 commit
    • ShowstreamAction tidying up · 9a92b580
      mmn authored
      Lots of these changes mean that we're requiring certain values to
      either be typed properly or return the expected value. If it doesn't
      there should be a fatal exception thrown which we can follow up in the
      logs and won't go silently suppressed.
  4. 06 Jun, 2015 1 commit
  5. 03 Jun, 2015 2 commits
  6. 19 Feb, 2015 1 commit
  7. 07 Nov, 2014 1 commit
  8. 09 Mar, 2014 1 commit
  9. 01 Nov, 2013 1 commit
  10. 20 Oct, 2013 1 commit
  11. 06 Oct, 2013 1 commit
  12. 30 Sep, 2013 1 commit
    • Implemented WebFinger and replaced our XRD with PEAR XML_XRD · a0e107f1
      mmn authored
      New plugins:
      * LRDD
          LRDD implements client-side RFC6415 and RFC7033 resource descriptor
          discovery procedures. I.e. LRDD, host-meta and WebFinger stuff.
      
          OStatus and OpenID now depend on the LRDD plugin (XML_XRD).
      
      * WebFinger
          This plugin implements the server-side of RFC6415 and RFC7033. Note:
          WebFinger technically doesn't handle XRD, but we serve both that and
          JRD (JSON Resource Descriptor), depending on Accept header and one
          ugly hack to check for old StatusNet installations.
      
          WebFinger depends on LRDD.
      
      We might make this even prettier by using Net_WebFinger, but it is not
      currently RFC7033 compliant (no /.well-known/webfinger resource GETs).
      
      Disabling the WebFinger plugin would effectively render your site non-
      federated (which might be desired on a private site).
      
      Disabling the LRDD plugin would make your site unable to do modern web
      URI lookups (making life just a little bit harder).
  13. 28 Aug, 2013 1 commit
    • plugins onAutoload now only overloads if necessary (extlibs etc.) · de55d8f8
      mmn authored
      lib/plugin.php now has a parent onAutoload function that finds most common
      files that are used in plugins (actions, dataobjects, forms, libs etc.) if
      they are put in the standardised directories ('actions', 'classes', 'forms',
      'lib' and perhaps some others in the future).
  14. 21 Aug, 2013 1 commit
    • IMPORTANT: Making prev. Memcached_DataObject working again with schemaDef · 3a7261f7
      mmn authored
      Lots of the Memcached_DataObject classes stopped working when upgraded to
      Managed_DataObject because they lacked schemaDef().
      
      I have _hopefully_ made it so that all the references to the table use
      each class' schemaDef, rather than the more manual ColumnDef stuff. Not
      all plugins have been tested thoroughly yet.
      
      NOTE: This is applied with getKV calls instead of staticGet, as it was
      important for PHP Strict Standards compliance to avoid calling the non-
      static functions statically. (unfortunately DB and DB_DataObject still do
      this within themselves...)
  15. 18 Aug, 2013 1 commit
    • The overloaded DB_DataObject function staticGet is now called getKV · 2a4dc77a
      mmn authored
      I used this hacky sed-command (run it from your GNU Social root, or change the first grep's path to where it actually lies) to do a rough fix on all ::staticGet calls and rename them to ::getKV
      
         sed -i -s -e '/DataObject::staticGet/I!s/::staticGet/::getKV/Ig' $(grep -R ::staticGet `pwd`/* | grep -v -e '^extlib' | grep -v DataObject:: |grep -v "function staticGet"|cut -d: -f1 |sort |uniq)
      
      If you're applying this, remember to change the Managed_DataObject and Memcached_DataObject function definitions of staticGet to getKV!
      
      This might of course take some getting used to, or modification of StatusNet plugins, but the result is that all the static calls (to staticGet) are now properly made without breaking PHP Strict Standards. Standards are there to be followed (and they caused some very bad confusion when used with get_called_class).
      
      Reasonably any plugin or code that tests for the definition of 'GNUSOCIAL' or similar will take this change into consideration.
  16. 09 Jul, 2012 3 commits
    • Squashed commit of the following: · ec3f9b19
      Evan Prodromou authored
      commit 90620124a20d8c9da19b26920b02b521766c42e4
      Author: Evan Prodromou <evan@status.net>
      Date:   Mon Jul 9 16:50:05 2012 -0400
      
          Add a checkbox to hide OpenID links
      
      commit 47a4a5824208868bd5f4f163456f8e08380e5f36
      Author: Evan Prodromou <evan@status.net>
      Date:   Mon Jul 9 16:35:15 2012 -0400
      
          Don't show the profile links if the hide_profile_link flag is set
      
      commit eafd4b8ba1f7c06c92e5279b1a703c5534aa7255
      Author: Evan Prodromou <evan@status.net>
      Date:   Mon Jul 9 16:30:23 2012 -0400
      
          class for user_openid_prefs table
      
      commit 60e3e3825b20745c08b4d30dbbcac2d7ce604a2f
      Author: Evan Prodromou <evan@status.net>
      Date:   Mon Jul 9 16:29:15 2012 -0400
      
          add User_openid_prefs table and class
    • Fix formatting of header · 51687cd4
      Evan Prodromou authored
    • Squashed commit of the following: · 206c0906
      Evan Prodromou authored
      commit 7ef19ab918cc9805abb8d01e8220ae4ed63155d7
      Author: Evan Prodromou <evan@status.net>
      Date:   Mon Jul 9 12:53:29 2012 -0400
      
          Show link to facebook account on profile block
      
          If you've logged in with Facebook, show a link to that account on the profile block.
      
      commit b56967479c009d702150791944dbd80746ee3ba1
      Author: Evan Prodromou <evan@status.net>
      Date:   Mon Jul 9 12:28:34 2012 -0400
      
          Add profile link from profile block to Twitter account
      
          Add a profile link to Twitter for accounts that are linked via Twitter login.
      
      commit 181e441fd03c6034e737f6a3dae115557aa3e1aa
      Author: Evan Prodromou <evan@status.net>
      Date:   Mon Jul 9 11:57:56 2012 -0400
      
          OpenID shows other account links
      
      commit ef7357883dad9e34af2746e1c6a41ea826d7c992
      Author: Evan Prodromou <evan@status.net>
      Date:   Mon Jul 9 11:53:12 2012 -0400
      
          Add a profile link for OpenIDs
      
          OpenID plugin now adds a profile link for each OpenID on the account.
      
      commit 093d26b95bc453686d24c42f5a8f4739cb338fd2
      Author: Evan Prodromou <evan@status.net>
      Date:   Mon Jul 9 11:15:18 2012 -0400
      
          Better array access
      
      commit 49d47257efdcae2101b589a1f825872bdd70667c
      Author: Evan Prodromou <evan@status.net>
      Date:   Mon Jul 9 10:57:16 2012 -0400
      
          Show list of other accounts in profile block
      
          We add a group of "rel-me" links to other user accounts on the Web.
      
          This is mostly useful for when you've used OpenID, Twitter, or
          Facebook login to associate a remote account.
      
          There's an extension to the profileblock recipe to show the links as
          little icons; there's a new hook in accountprofileblock to get such
          links from plugins.
      
          There's a modification to the base theme to show the icons correctly
          (I think).
  17. 30 Sep, 2011 1 commit
  18. 22 Aug, 2011 1 commit
  19. 17 Jun, 2011 1 commit
  20. 27 Apr, 2011 1 commit
  21. 23 Jan, 2011 1 commit
    • make 'admin' a safe user name · e53793ed
      Evan Prodromou authored
      'admin' is a pretty common username that people try when installing;
      it was blacklisted because all of our admin panels were at /admin/*,
      which would conflict with the admin user's namespace.
      
      Changed the location of all admin panels to /panel/*, blacklisted the
      nickname 'panel', and allowed 'admin'. Tested with a fresh install;
      seems to work great.
  22. 18 Jan, 2011 1 commit
    • Cleanup stray PHP 4-style references in hook calls for navigation bars. We... · 56e2bc10
      Brion Vibber authored
      Cleanup stray PHP 4-style references in hook calls for navigation bars. We can't replace the live action from here, and don't need a reference to keep the object mutable. Dumping the references helps ensure we don't end up getting errors when things calling the hooks might forget to use the reference and the PHP error reporting settings expose this fact at us.
  23. 01 Dec, 2010 1 commit
  24. 22 Oct, 2010 2 commits
  25. 21 Oct, 2010 2 commits
  26. 20 Oct, 2010 2 commits
  27. 30 Sep, 2010 1 commit
    • Fix for OpenID-only private sites: we were removing the 'login' and 'register'... · 93bea7ff
      Brion Vibber authored
      Fix for OpenID-only private sites: we were removing the 'login' and 'register' actions from the routing system entirely, which meant that login links & redirects from unauthenticated views on private sites (as well as various re-auth situations even on non-private sites) would break and send to the main page instead.
      
      Changed it to leave the 'login' and 'register' actions in the system; we're already taking them over and redirecting them to the OpenID login page, so they won't be reached by accident; but now those redirects can be reached on purpose. ;)
      Better long-term fix may be to allow some aliasing, so we can have common_local_url('login') actually send us straight to the OpenID login page instead of having to go through an intermediate redirect, but this'll do.
  28. 07 Sep, 2010 1 commit
  29. 27 May, 2010 1 commit
  30. 18 May, 2010 1 commit
    • OpenID access control options: trusted provider URL, Launchpad team... · 7c828ae5
      Brion Vibber authored
      OpenID access control options: trusted provider URL, Launchpad team restrictions. Added an admin panel for setting these and OpenID-only mode, off by default.
      
      To enable the admin panel:
          $config['admin']['panels'][] = 'openid';
      
      Or to set them manually:
          $config['openid']['trusted_provider'] = 'https://login.ubuntu.net/';
          $config['openid']['required_team'] = 'my-project-cabal';
          $config['site']['openidonly'] = true;
      
      OpenID-only mode can still be set from addPlugin() parameters as well for backwards compatibility.
      Note: if it's set there, that value will override the setting from the database or config.php.
      
      Note that team restrictions are only really meaningful if a trusted provider is set; otherwise,
      any OpenID server could report back that users are members of the given team.
      
      Restrictions are checked only at OpenID authentication time and will not kick off people currently
      with a session open; existing remembered logins may also survive these changes.
      
      Using code for Launchpad team support provided by Canonical under AGPLv3, pulled from r27 of
      WordPress teams integration plugin:
          https://code.edge.launchpad.net/~canonical-isd-hackers/wordpress-teams-integration/trunk
  31. 30 Apr, 2010 1 commit
  32. 23 Mar, 2010 3 commits