Setting max-width causes notes to overflow the note body if they set a
fixed `width` or they use `white-space: nowrap` and the line is wider
than the max-width. Using `width: min-content` instead makes the note
shrink to fit but doesn't prevent it from expanding if it needs to.
If the image is blacklisted on initial page load then unblacklisted
after the image is loaded, then the notes will be mispositioned at the
bottom of the image. This is because we relied on $image.height() to
calculate the note position, but the image height is zero when the image
is hidden.
Potential fix for #4370.
The file url in the data attributes on the image container doesn't
contain the tags for performance reasons. The post data attributes are
used for thumbnails too and we don't want to include tagged filenames
for those because it requires looking up tag categories, which triggers
a lot of redis calls on the post index page.
* Fix preview images not being resized to fit the screen when using the
bookmarklet.
* Fit images to both screen width and height by default. Previously we
fit to screen width only, so tall images were hard to see.
* Allow clicking on the image or pressing Z to toggle image size.
* Move size information to above the image and add resize links:
** small: fit width and height
** large: fit width
** full: fit none
* Bind the image error handler in an onerror attribute on the image
itself so that it will always fire. Before it wouldn't fire if the image
failed immediately on pageload before we could bind the error handler.
When random mode is enabled @post_set.posts returns an array, which
caused `authorize` to try to lookup the wrong policy.
This only happens when `authorize` is given an array with more than one
element, which is why it wasn't caught by the tests.
* Add a "View original" sidebar option.
* Rename the "View large" sidebar option to "View smaller".
* Remove the "Loading..." message when switching image sizes.
* Fix the V hotkey not working after using it once.
* Change #image-resize-link to .image-view-original link (note that
there are two of these links now, one in the notice bar and one in the
sidebar).
* Add a `data-post-current-image-size` attribute on the <body> element
and use it to control visibility of links and notices.
* Add back "Resize to window" link.
* Add Z shortcut for resize to window link (mnemonic: Z for zoom image).
* Resize images to screen width by default on both desktop and mobile.
* Make it so that notes are nested directly inside the .image-container
element with the image, instead of inside a separate .note-container
element. This means .image-container and .note-container are now the
same element. This is so that the size of the .note-container is
driven by the size of the image, which ensures that notes are
automatically resized as the image is resized.
Change #image-container and #note-container from IDs to classes. This is
necessary so that we can use one container element for both the image
container and the note container. This may break custom CSS and
userscripts.
Remove the ability to authenticate to the API with the `login` and
`password_hash` url parameters. This is a legacy authentication method
from Danbooru 1. How to actually generate the password_hash for this
method hasn't been fully documented for many years now. It required
taking the SHA1 hash of your password combined with an undocumented salt
value (i.e., password_hash = sha1("choujin-steiner--#{password}")).
This authentication method was also slow because it required checking
the password on every API call. Checking passwords is deliberately slow
because passwords are hashed with BCrypt. BCrypt takes about ~200ms per
request, so using this method effectively limited you to ~5 requests per
second in a single thread.
* Make authentication methods into User instance methods instead of
class methods.
* Fix API key authentication to use a secure string comparison. Fixes a
hypothetical (unlikely to be exploitable) timing attack.
* Move login logic from SessionCreator to SessionLoader.
* Refer to it as deactivating your account, not deleting your account.
* Update explanation to clarify what is and is not deleted.
* Warn that deactivation cannot be undone.
Require users who signup using proxies to verify their email addresses
before they can perform any edits. For verification purposes, the email
must be a nondisposable address from a whitelist of trusted email
providers.
Pull the password reauthentication logic out of the user model and put
it in the password update controller where it belongs.
This fixes an issue where when a new user was created the user model had
an incorrect password error set on it by `encrypt_password_on_update`.
It was trying to verify the old password even though we don't have one
when creating a new user. This error caused the user create action to
redirect back to the signup page because `respond_with` thought that
creating the user failed.
Reject email addresses that known to be undeliverable during signup.
Some users signup with invalid email addresses, which causes the welcome
email (which contains the email confirmation link) to bounce. Too many
bounces hurt our ability to send mail.
We check that an email address is undeliverable by checking if the
domain has a mail server and if the server returns an invalid address
error when attempting to send mail. This isn't foolproof since some
servers don't return an error if the address doesn't exist. If the
checks fail we know the address is bad, but if the checks pass that
doesn't guarantee the address is good. However, this is still good
enough to filter out bad addresses for popular providers like Gmail and
Microsoft that do return nonexistent address errors.
The address existence check requires being able to connect to mail
servers over port 25. This may fail if your network blocks port 25,
which many home ISPs and hosting providers do by default.
* Make the bans, ip bans, ip addresses, and user feedbacks pages all
link to one another in the secondary links.
* Add quick search bars to the secondary links on these pages.
