OpenCloud
/
mastodon
mirror of https://github.com/tootsuite/mastodon
1
1
Fork 0
Code Issues Releases Wiki Activity
mastodon/app/controllers/auth/registrations_controller.rb

146 lines
3.6 KiB
Ruby
Raw Normal View History

Fix rubocop issues, introduce usage of frozen literal to improve performance
2016-11-15 16:56:29 +01:00
# frozen_string_literal: true
Customizing devise views and controllers
2016-03-05 22:43:05 +01:00
class Auth::RegistrationsController < Devise::RegistrationsController
Add support for invite codes in the registration API (#27805)
2023-11-13 14:27:00 +01:00
include RegistrationHelper
File cleanup/organization in `controllers/concerns` (#27846)
2023-11-30 15:39:41 +01:00
include Auth::RegistrationSpamConcern
Fix other sessions not being logged out on password change (#14252) While OAuth tokens were immediately revoked, accessing the home controller immediately generated new OAuth tokens and "revived" the session due to a combination of using remember_me tokens and overwriting the `authenticate_user!` method
2020-07-07 15:26:31 +02:00
Fix #611 - Layout setting in registrations controller
2017-02-08 03:04:29 +01:00
layout :determine_layout
Customizing devise views and controllers
2016-03-05 22:43:05 +01:00
Add autofollow option to invites (#7805) * Add autofollow option to invites * Trigger CodeClimate rebuild
2018-06-15 18:00:23 +02:00
before_action :set_invite, only: [:new, :create]
New admin setting: open/close registrations, with custom message, from the admin UI
2017-04-04 15:26:57 +02:00
before_action :check_enabled_registrations, only: [:new, :create]
Improve code style
2016-09-29 21:28:21 +02:00
before_action :configure_sign_up_params, only: [:create]
Add overview of active sessions (#3929) * Add overview of active sessions * Better display of browser/platform name * Improve how browser information is stored and displayed for sessions overview * Fix test
2017-06-25 16:54:30 +02:00
before_action :set_sessions, only: [:edit, :update]
Add appeals (#17364) * Add appeals * Add ability to reject appeals and ability to browse pending appeals in admin UI * Add strikes to account page in settings * Various fixes and improvements - Add separate notification setting for appeals, separate from reports - Fix style of links in report/strike header - Change approving an appeal to not restore statuses (due to federation complexities) - Change style of successfully appealed strikes on account settings page - Change account settings page to only show unappealed or recently appealed strikes * Change appealed_at to overruled_at * Fix missing method error
2022-02-14 21:27:53 +01:00
before_action :set_strikes, only: [:edit, :update]
Change unconfirmed user login behaviour (#11375) Allow access to account settings, 2FA, authorized applications, and account deletions to unconfirmed and pending users, as well as users who had their accounts disabled. Suspended users cannot update their e-mail or password or delete their account. Display account status on account settings page, for example, when an account is frozen, limited, unconfirmed or pending review. After sign up, login users straight away and show a simple page that tells them the status of their account with links to account settings and logout, to reduce onboarding friction and allow users to correct wrongly typed e-mail addresses. Move the final sign-up step of SSO integrations to be the same as above to reduce code duplication.
2019-07-22 10:48:50 +02:00
before_action :require_not_suspended!, only: [:update]
Fix settings pages being cacheable by the browser (#12714) Fix #12255
2019-12-30 04:38:30 +01:00
before_action :set_cache_headers, only: [:edit, :update]
Add server rules to sign-up flow (#19296)
2022-10-05 18:57:33 +02:00
before_action :set_rules, only: :new
before_action :require_rules_acceptance!, only: :new
Add honeypot fields and minimum fill-out time for sign-up form (#15276) * Add honeypot fields to limit non-specialized spam Add two honeypot fields: a fake website input and a fake password confirmation one. The label/placeholder/aria-label tells not to fill them, and they are hidden in CSS, so legitimate users should not fall into these. This should cut down on some non-Mastodon-specific spambots. * Require a 3 seconds delay before submitting the registration form * Fix tests * Move registration form time check to model validation * Give people a chance to clear the honeypot fields * Refactor honeypot translation strings Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2020-12-10 06:27:26 +01:00
before_action :set_registration_form_time, only: :new
Change unconfirmed user login behaviour (#11375) Allow access to account settings, 2FA, authorized applications, and account deletions to unconfirmed and pending users, as well as users who had their accounts disabled. Suspended users cannot update their e-mail or password or delete their account. Display account status on account settings page, for example, when an account is frozen, limited, unconfirmed or pending review. After sign up, login users straight away and show a simple page that tells them the status of their account with links to account settings and logout, to reduce onboarding friction and allow users to correct wrongly typed e-mail addresses. Move the final sign-up step of SSO integrations to be the same as above to reduce code duplication.
2019-07-22 10:48:50 +02:00
Add SELF_DESTRUCT env variable to process self-destructions in the background (#26439)
2023-10-23 17:46:21 +02:00
skip_before_action :check_self_destruct!, only: [:edit, :update]
Change unconfirmed user login behaviour (#11375) Allow access to account settings, 2FA, authorized applications, and account deletions to unconfirmed and pending users, as well as users who had their accounts disabled. Suspended users cannot update their e-mail or password or delete their account. Display account status on account settings page, for example, when an account is frozen, limited, unconfirmed or pending review. After sign up, login users straight away and show a simple page that tells them the status of their account with links to account settings and logout, to reduce onboarding friction and allow users to correct wrongly typed e-mail addresses. Move the final sign-up step of SSO integrations to be the same as above to reduce code duplication.
2019-07-22 10:48:50 +02:00
skip_before_action :require_functional!, only: [:edit, :update]
Customizing devise views and controllers
2016-03-05 22:43:05 +01:00
Add "why do you want to join" field to invite requests (#10524) * Add "why do you want to join" field to invite requests Fix #10512 * Remove unused translations * Fix broken registrations when no invite request text is submitted
2019-04-09 16:06:30 +02:00
def new
super(&:build_invite_request)
end
Remove exclusion for `Rails/LexicallyScopedActionFilter` cop (#30697)
2024-06-21 17:34:13 +02:00
def edit # rubocop:disable Lint/UselessMethodDefinition
super
end
def create # rubocop:disable Lint/UselessMethodDefinition
super
end
Fix password change/reset not immediately invalidating other sessions (#12928) While making browser requests in the other sessions after a password change or reset does not allow you to be logged in and correctly invalidates the session making the request, sessions have API tokens associated with them, which can still be used until that session is invalidated. This is a security issue for accounts that were already compromised some other way because it makes it harder to throw out the hijacker.
2020-01-24 00:20:38 +01:00
def update
super do |resource|
Autofix Rubocop Style/IfUnlessModifier (#23697)
2023-02-18 12:37:47 +01:00
resource.clear_other_sessions(current_session.session_id) if resource.saved_change_to_encrypted_password?
Fix password change/reset not immediately invalidating other sessions (#12928) While making browser requests in the other sessions after a password change or reset does not allow you to be logged in and correctly invalidates the session making the request, sessions have API tokens associated with them, which can still be used until that session is invalidated. This is a security issue for accounts that were already compromised some other way because it makes it harder to throw out the hijacker.
2020-01-24 00:20:38 +01:00
end
end
Fix Rails/ActionOrder cop (#24692)
2023-04-30 06:46:39 +02:00
def destroy
not_found
end
Customizing devise views and controllers
2016-03-05 22:43:05 +01:00
protected
pam authentication (#5303) * add pam support, without extra column * bugfixes for pam login * document options * fix code style * fix codestyle * fix tests * don't call remember_me without password * fix codestyle * improve checks for pam usage (should fix tests) * fix remember_me part 1 * add remember_token column because :rememberable requires either a password or this column. * migrate db for remember_token * move pam_authentication to the right place, fix logic bug in edit.html.haml * fix tests * fix pam authentication, improve username lookup, add comment * valid? is sometimes not honored, return nil instead trying to authenticate with pam * update devise_pam_authenticatable2 and adjust code. Fixes sideeffects observed in tests * update devise_pam_authenticatable gem, fixes for codeconventions, fix finding user * codeconvention fixes * code convention fixes * fix idention * update dependency, explicit conflict check * fix disabled password updates if in pam mode * fix check password if password is present, fix templates * block registration if account is maintained by pam * Revert "block registration if account is maintained by pam" This reverts commit 8e7a083d650240b6fac414926744b4b90b435f20. * fix identation error introduced by rebase * block usernames maintained by pam * document pam settings better * fix code style
2018-02-02 10:18:55 +01:00
def update_resource(resource, params)
params[:password] = nil if Devise.pam_authentication && resource.encrypted_password.blank?
Fix password change/reset not immediately invalidating other sessions (#12928) While making browser requests in the other sessions after a password change or reset does not allow you to be logged in and correctly invalidates the session making the request, sessions have API tokens associated with them, which can still be used until that session is invalidated. This is a security issue for accounts that were already compromised some other way because it makes it harder to throw out the hijacker.
2020-01-24 00:20:38 +01:00
pam authentication (#5303) * add pam support, without extra column * bugfixes for pam login * document options * fix code style * fix codestyle * fix tests * don't call remember_me without password * fix codestyle * improve checks for pam usage (should fix tests) * fix remember_me part 1 * add remember_token column because :rememberable requires either a password or this column. * migrate db for remember_token * move pam_authentication to the right place, fix logic bug in edit.html.haml * fix tests * fix pam authentication, improve username lookup, add comment * valid? is sometimes not honored, return nil instead trying to authenticate with pam * update devise_pam_authenticatable2 and adjust code. Fixes sideeffects observed in tests * update devise_pam_authenticatable gem, fixes for codeconventions, fix finding user * codeconvention fixes * code convention fixes * fix idention * update dependency, explicit conflict check * fix disabled password updates if in pam mode * fix check password if password is present, fix templates * block registration if account is maintained by pam * Revert "block registration if account is maintained by pam" This reverts commit 8e7a083d650240b6fac414926744b4b90b435f20. * fix identation error introduced by rebase * block usernames maintained by pam * document pam settings better * fix code style
2018-02-02 10:18:55 +01:00
super
end
Customizing devise views and controllers
2016-03-05 22:43:05 +01:00
def build_resource(hash = nil)
Fix `Style/SuperArguments` cop (#30406)
2024-05-24 10:36:21 +02:00
super
Add consumable invites (#5814) * Add consumable invites * Add UI for generating invite codes * Add tests * Display max uses and expiration in invites table, delete invite * Remove unused column and redundant validator - Default follows not used, probably bad idea - InviteCodeValidator is redundant because RegistrationsController checks invite code validity * Add admin setting to disable invites * Add admin UI for invites, configurable role for invite creation - Admin UI that lists everyone's invites, always available - Admin setting min_invite_role to control who can invite people - Non-admin invite UI only visible if users are allowed to * Do not remove invites from database, expire them instantly
2017-11-27 16:07:59 +01:00
Add honeypot fields and minimum fill-out time for sign-up form (#15276) * Add honeypot fields to limit non-specialized spam Add two honeypot fields: a fake website input and a fake password confirmation one. The label/placeholder/aria-label tells not to fill them, and they are hidden in CSS, so legitimate users should not fall into these. This should cut down on some non-Mastodon-specific spambots. * Require a 3 seconds delay before submitting the registration form * Fix tests * Move registration form time check to model validation * Give people a chance to clear the honeypot fields * Refactor honeypot translation strings Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2020-12-10 06:27:26 +01:00
resource.locale = I18n.locale
Fix invalid/expired invites being processed on sign-up (#24337)
2023-03-31 21:42:28 +02:00
resource.invite_code = @invite&.code if resource.invite_code.blank?
Add honeypot fields and minimum fill-out time for sign-up form (#15276) * Add honeypot fields to limit non-specialized spam Add two honeypot fields: a fake website input and a fake password confirmation one. The label/placeholder/aria-label tells not to fill them, and they are hidden in CSS, so legitimate users should not fall into these. This should cut down on some non-Mastodon-specific spambots. * Require a 3 seconds delay before submitting the registration form * Fix tests * Move registration form time check to model validation * Give people a chance to clear the honeypot fields * Refactor honeypot translation strings Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2020-12-10 06:27:26 +01:00
resource.registration_form_time = session[:registration_form_time]
resource.sign_up_ip = request.remote_ip
Add consumable invites (#5814) * Add consumable invites * Add UI for generating invite codes * Add tests * Display max uses and expiration in invites table, delete invite * Remove unused column and redundant validator - Default follows not used, probably bad idea - InviteCodeValidator is redundant because RegistrationsController checks invite code validity * Add admin setting to disable invites * Add admin UI for invites, configurable role for invite creation - Admin UI that lists everyone's invites, always available - Admin setting min_invite_role to control who can invite people - Non-admin invite UI only visible if users are allowed to * Do not remove invites from database, expire them instantly
2017-11-27 16:07:59 +01:00
Improve code style
2016-09-29 21:28:21 +02:00
resource.build_account if resource.account.nil?
Customizing devise views and controllers
2016-03-05 22:43:05 +01:00
end
def configure_sign_up_params
Fix single name variables on controller folder (#20092) Co-authored-by: petrokoriakin1 <116151189+petrokoriakin1@users.noreply.github.com> Co-authored-by: petrokoriakin1 <116151189+petrokoriakin1@users.noreply.github.com> Co-authored-by: Effy Elden <effy@effy.space>
2022-12-15 17:11:58 +01:00
devise_parameter_sanitizer.permit(:sign_up) do |user_params|
user_params.permit({ account_attributes: [:username, :display_name], invite_request_attributes: [:text] }, :email, :password, :password_confirmation, :invite_code, :agreement, :website, :confirm_password)
Customizing devise views and controllers
2016-03-05 22:43:05 +01:00
end
end
Moving Salmon notifications to background processing, fixing mini-profiler behaviour with Turbolinks enabled, optimizing Rabl for production
2016-03-26 13:42:10 +01:00
def after_sign_up_path_for(_resource)
Change unconfirmed user login behaviour (#11375) Allow access to account settings, 2FA, authorized applications, and account deletions to unconfirmed and pending users, as well as users who had their accounts disabled. Suspended users cannot update their e-mail or password or delete their account. Display account status on account settings page, for example, when an account is frozen, limited, unconfirmed or pending review. After sign up, login users straight away and show a simple page that tells them the status of their account with links to account settings and logout, to reduce onboarding friction and allow users to correct wrongly typed e-mail addresses. Move the final sign-up step of SSO integrations to be the same as above to reduce code duplication.
2019-07-22 10:48:50 +02:00
auth_setup_path
Customizing devise views and controllers
2016-03-05 22:43:05 +01:00
end
Add single user mode
2016-12-06 17:19:26 +01:00
If signed in, redirect autofollow invite to profile page (#7956) Fix #7944
2018-07-05 20:57:35 +02:00
def after_sign_in_path_for(_resource)
set_invite
if @invite&.autofollow?
short_account_path(@invite.user.account)
else
super
end
end
Fix #390 - fix redirect after sign-up (to login page instead of homepage)
2017-01-04 15:31:25 +01:00
def after_inactive_sign_up_path_for(_resource)
new_user_session_path
end
Add confirmation step for email changes (#6071) * Add confirmation step for email changes This adds a confirmation step for email changes of existing users. Like the initial account confirmation, a confirmation link is sent to the new address. Additionally, a notification is sent to the existing address when the change is initiated. This message includes instruction to reset the password immediately or to contact the instance admin if the change was not initiated by the account owner. Fixes #3871 * Add review fixes
2018-01-02 16:55:00 +01:00
def after_update_path_for(_resource)
edit_user_registration_path
end
New admin setting: open/close registrations, with custom message, from the admin UI
2017-04-04 15:26:57 +02:00
def check_enabled_registrations
Add support for invite codes in the registration API (#27805)
2023-11-13 14:27:00 +01:00
redirect_to root_path unless allowed_registration?(request.remote_ip, @invite)
Add ability to block sign-ups from IP (#19037)
2022-08-24 19:00:37 +02:00
end
Add consumable invites (#5814) * Add consumable invites * Add UI for generating invite codes * Add tests * Display max uses and expiration in invites table, delete invite * Remove unused column and redundant validator - Default follows not used, probably bad idea - InviteCodeValidator is redundant because RegistrationsController checks invite code validity * Add admin setting to disable invites * Add admin UI for invites, configurable role for invite creation - Admin UI that lists everyone's invites, always available - Admin setting min_invite_role to control who can invite people - Non-admin invite UI only visible if users are allowed to * Do not remove invites from database, expire them instantly
2017-11-27 16:07:59 +01:00
def invite_code
if params[:user]
params[:user][:invite_code]
else
params[:invite_code]
end
Add single user mode
2016-12-06 17:19:26 +01:00
end
New admin setting: open/close registrations, with custom message, from the admin UI
2017-04-04 15:26:57 +02:00
Fix #611 - Layout setting in registrations controller
2017-02-08 03:04:29 +01:00
private
New admin setting: open/close registrations, with custom message, from the admin UI
2017-04-04 15:26:57 +02:00
Add autofollow option to invites (#7805) * Add autofollow option to invites * Trigger CodeClimate rebuild
2018-06-15 18:00:23 +02:00
def set_invite
Add appeals (#17364) * Add appeals * Add ability to reject appeals and ability to browse pending appeals in admin UI * Add strikes to account page in settings * Various fixes and improvements - Add separate notification setting for appeals, separate from reports - Fix style of links in report/strike header - Change approving an appeal to not restore statuses (due to federation complexities) - Change style of successfully appealed strikes on account settings page - Change account settings page to only show unappealed or recently appealed strikes * Change appealed_at to overruled_at * Fix missing method error
2022-02-14 21:27:53 +01:00
@invite = begin
invite = Invite.find_by(code: invite_code) if invite_code.present?
invite if invite&.valid_for_use?
end
Add autofollow option to invites (#7805) * Add autofollow option to invites * Trigger CodeClimate rebuild
2018-06-15 18:00:23 +02:00
end
Fix #611 - Layout setting in registrations controller
2017-02-08 03:04:29 +01:00
def determine_layout
%w(edit update).include?(action_name) ? 'admin' : 'auth'
end
Add overview of active sessions (#3929) * Add overview of active sessions * Better display of browser/platform name * Improve how browser information is stored and displayed for sessions overview * Fix test
2017-06-25 16:54:30 +02:00
def set_sessions
Order sessions by most-recent to least-recently updated (#25005)
2023-05-22 11:40:00 +02:00
@sessions = current_user.session_activations.order(updated_at: :desc)
Add overview of active sessions (#3929) * Add overview of active sessions * Better display of browser/platform name * Improve how browser information is stored and displayed for sessions overview * Fix test
2017-06-25 16:54:30 +02:00
end
Change unconfirmed user login behaviour (#11375) Allow access to account settings, 2FA, authorized applications, and account deletions to unconfirmed and pending users, as well as users who had their accounts disabled. Suspended users cannot update their e-mail or password or delete their account. Display account status on account settings page, for example, when an account is frozen, limited, unconfirmed or pending review. After sign up, login users straight away and show a simple page that tells them the status of their account with links to account settings and logout, to reduce onboarding friction and allow users to correct wrongly typed e-mail addresses. Move the final sign-up step of SSO integrations to be the same as above to reduce code duplication.
2019-07-22 10:48:50 +02:00
Add appeals (#17364) * Add appeals * Add ability to reject appeals and ability to browse pending appeals in admin UI * Add strikes to account page in settings * Various fixes and improvements - Add separate notification setting for appeals, separate from reports - Fix style of links in report/strike header - Change approving an appeal to not restore statuses (due to federation complexities) - Change style of successfully appealed strikes on account settings page - Change account settings page to only show unappealed or recently appealed strikes * Change appealed_at to overruled_at * Fix missing method error
2022-02-14 21:27:53 +01:00
def set_strikes
Change old moderation strikes to be displayed in a separate page (#17566) * Change old moderation strikes to be displayed in a separate page Fixes #17552 This changes the moderation strikes displayed on `/auth/edit` to be those from the past 3 months, and make all moderation strikes targeting the current user available in `/disputes`. * Add short description of what the strikes page is for * Move link to list of strikes to “Account status” instead of navigation item * Normalize i18n file * Fix layout and styling of strikes link * Revert highlights_on regexp * Reintroduce account status summary - this way, “Account status” is never empty - account status is not necessarily bound to strikes, or recent strikes
2022-03-01 19:37:47 +01:00
@strikes = current_account.strikes.recent.latest
Add appeals (#17364) * Add appeals * Add ability to reject appeals and ability to browse pending appeals in admin UI * Add strikes to account page in settings * Various fixes and improvements - Add separate notification setting for appeals, separate from reports - Fix style of links in report/strike header - Change approving an appeal to not restore statuses (due to federation complexities) - Change style of successfully appealed strikes on account settings page - Change account settings page to only show unappealed or recently appealed strikes * Change appealed_at to overruled_at * Fix missing method error
2022-02-14 21:27:53 +01:00
end
Change unconfirmed user login behaviour (#11375) Allow access to account settings, 2FA, authorized applications, and account deletions to unconfirmed and pending users, as well as users who had their accounts disabled. Suspended users cannot update their e-mail or password or delete their account. Display account status on account settings page, for example, when an account is frozen, limited, unconfirmed or pending review. After sign up, login users straight away and show a simple page that tells them the status of their account with links to account settings and logout, to reduce onboarding friction and allow users to correct wrongly typed e-mail addresses. Move the final sign-up step of SSO integrations to be the same as above to reduce code duplication.
2019-07-22 10:48:50 +02:00
def require_not_suspended!
Add `Account#unavailable?` and `Account#permanently_unavailable?` aliases (#28053)
2023-11-30 16:43:26 +01:00
forbidden if current_account.unavailable?
Change unconfirmed user login behaviour (#11375) Allow access to account settings, 2FA, authorized applications, and account deletions to unconfirmed and pending users, as well as users who had their accounts disabled. Suspended users cannot update their e-mail or password or delete their account. Display account status on account settings page, for example, when an account is frozen, limited, unconfirmed or pending review. After sign up, login users straight away and show a simple page that tells them the status of their account with links to account settings and logout, to reduce onboarding friction and allow users to correct wrongly typed e-mail addresses. Move the final sign-up step of SSO integrations to be the same as above to reduce code duplication.
2019-07-22 10:48:50 +02:00
end
Fix settings pages being cacheable by the browser (#12714) Fix #12255
2019-12-30 04:38:30 +01:00
Add server rules to sign-up flow (#19296)
2022-10-05 18:57:33 +02:00
def set_rules
@rules = Rule.ordered
end
def require_rules_acceptance!
return if @rules.empty? || (session[:accept_token].present? && params[:accept] == session[:accept_token])
@accept_token = session[:accept_token] = SecureRandom.hex
Fix invites (#19560) Fixes #19507 Fix regression from #19296
2022-10-30 19:04:39 +01:00
@invite_code = invite_code
Add server rules to sign-up flow (#19296)
2022-10-05 18:57:33 +02:00
set_locale { render :rules }
end
Fix settings pages being cacheable by the browser (#12714) Fix #12255
2019-12-30 04:38:30 +01:00
def set_cache_headers
Refactor `Cache-Control` and `Vary` definitions (#24347)
2023-04-19 16:07:29 +02:00
response.cache_control.replace(private: true, no_store: true)
Fix settings pages being cacheable by the browser (#12714) Fix #12255
2019-12-30 04:38:30 +01:00
end
Customizing devise views and controllers
2016-03-05 22:43:05 +01:00
end