NOTE: All existing passwords in development no longer work after
this change! Change your users password using the rails console.
Automatically convert and ugrade old passwords to using bcrypt
Removed the seemingly pointless transformation and hashing on top
of the actual password with a static salt.
Disabled logging in using password hashes, because that's just not
secure in any way, and negates cracking passwords at all.
Disabled sending the password hash to the client as a cookie, even
if it was signed.
Disabled legacy API logins.
This simplifies the approval system to be a single user with an
auditing table. The disapproval system was confusing and outright
post deletion replaces it on e6.
Slightly changes the rules of how post approvals work to remove
a few limits that are not reflected on e6.
The distinction between file deletion and banning is pretty weird
and there are a bunch of edge cases that make this not worth
trying to maintain a distinction.
Left in the automatic implication code on banned artists because
it looked useful for automating some of the basic tasks that are
done surrounding DNP artists.
* Move the limit:<n> / order:random metatag parsing from the controller
to the post set.
* Introduce `Tag.has_metatag?` and use it to parse these metatags
instead of using a regex (#2894).
* On posts, automatically trigger "Fetch source data" when clicking the
Edit tab, instead of triggering the artist finder button. This way we
find both the artist and the translated tags in one ajax call.
* Remove the "Artist" finder button next to the source field. This isn't
necessary given that "Fetch source data" finds the artist itself.
* Remove the /artists/finder.json API endpoint. This is no longer used
after removing the "Artist" finder button.
Fail loudly if we forget to whitelist a param instead of silently
ignoring it.
misc models: convert to strong params.
artist commentaries: convert to strong params.
* Disallow changing or setting post_id to a nonexistent post.
artists: convert to strong params.
* Disallow setting `is_banned` in create/update actions. Changing it
this way instead of with the ban/unban actions would leave the artist in
a partially banned state.
bans: convert to strong params.
* Disallow changing the user_id after the ban has been created.
comments: convert to strong params.
favorite groups: convert to strong params.
news updates: convert to strong params.
post appeals: convert to strong params.
post flags: convert to strong params.
* Disallow users from setting the `is_deleted` / `is_resolved` flags.
ip bans: convert to strong params.
user feedbacks: convert to strong params.
* Disallow users from setting `disable_dmail_notification` when creating feedbacks.
* Disallow changing the user_id after the feedback has been created.
notes: convert to strong params.
wiki pages: convert to strong params.
* Also fix non-Builders being able to delete wiki pages.
saved searches: convert to strong params.
pools: convert to strong params.
* Disallow setting `post_count` or `is_deleted` in create/update actions.
janitor trials: convert to strong params.
post disapprovals: convert to strong params.
* Factor out quick-mod bar to shared partial.
* Fix quick-mod bar to use `Post#is_approvable?` to determine visibility
of Approve button.
dmail filters: convert to strong params.
password resets: convert to strong params.
user name change requests: convert to strong params.
posts: convert to strong params.
users: convert to strong params.
* Disallow setting password_hash, last_logged_in_at, last_forum_read_at,
has_mail, and dmail_filter_attributes[user_id].
* Remove initialize_default_image_size (dead code).
uploads: convert to strong params.
* Remove `initialize_status` because status already defaults to pending
in the database.
tag aliases/implications: convert to strong params.
tags: convert to strong params.
forum posts: convert to strong params.
* Disallow changing the topic_id after creating the post.
* Disallow setting is_deleted (destroy/undelete actions should be used instead).
* Remove is_sticky / is_locked (nonexistent attributes).
forum topics: convert to strong params.
* merges https://github.com/evazion/danbooru/tree/wip-rails-5.1
* lock pg gem to 0.21 (1.0.0 is incompatible with rails 5.1.4)
* switch to factorybot and change all references
Co-authored-by: r888888888 <r888888888@gmail.com>
Co-authored-by: evazion <noizave@gmail.com>
add diffs
The Rails convention is for test/helpers to be used for testing the view
helpers in app/helpers. We were using it to store certain utility
methods instead. Move these to test/test_helpers so that test/helpers
can be used for its intended purpose.
* Fix access denied error when anonymous users open /artists/show_or_new.
* When the artist doesn't exist, take user to "artist doesn't exist"
page instead of redirecting to /artists/new.
Broken in 27aa9fe. Delayed jobs have to be enabled when creating a
replacement, otherwise replacement will try to immediately delete the
existing files, which fails because they're still in use.
/wiki_pages?search[order]=post_count didn't include wiki pages that
didn't belong to a tag. This was due to doing an inner join on the tags
table instead of a left outer join.
/posts/:id/events incorrectly lists appeals as always being resolved.
This is because events UNION together appeals and flags, which doesn't
quite work because for appeals is_resolved is a method, not an
attribute. is_resolved was hardcoded to true so it'd work in the UNION.
This changes PostEvent to be a wrapper object around PostFlag /
PostAppeal, instead of a UNION. PostEvent delegates everything to the
inner flag/appeals object, so that is_resolved works correctly.
Also, this incidentally fixes a problem with /posts/:id/event.xml not
serializing correctly.
/dmails is restricted to viewing dmails for CurrentUser only (due to
Dmail.visible in the index action). Remove owner_id from subnavbar links
in /dmails, and don't support it in /dmails?search[owner_id], since it
doesn't actually do anything.
Also removes related dead methods and fixes tests that didn't test owner_id properly.
1) Failure:
PostsControllerTest#test_: The posts controller for api calls passing the api limit should work. [/home/danbooru/src/danbooru/test/functional/posts_controller_test.rb:34]:
Expected response to be a <429>, but was <200>.
Expected: 429
Actual: 200
* Add tests for finding artists using the new Pixiv URLs in Artist#find_all_by_url.
* Add tests for the artist finder JSON API in ArtistsController#finder.
* Add tests for the artist page search form in ArtistsController#index.
