Remove the ability to authenticate to the API with the `login` and
`password_hash` url parameters. This is a legacy authentication method
from Danbooru 1. How to actually generate the password_hash for this
method hasn't been fully documented for many years now. It required
taking the SHA1 hash of your password combined with an undocumented salt
value (i.e., password_hash = sha1("choujin-steiner--#{password}")).
This authentication method was also slow because it required checking
the password on every API call. Checking passwords is deliberately slow
because passwords are hashed with BCrypt. BCrypt takes about ~200ms per
request, so using this method effectively limited you to ~5 requests per
second in a single thread.
* Make authentication methods into User instance methods instead of
class methods.
* Fix API key authentication to use a secure string comparison. Fixes a
hypothetical (unlikely to be exploitable) timing attack.
* Move login logic from SessionCreator to SessionLoader.
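The "secure string comparison" in the API key fix above, as an added example that is not Danbooru's own code (Rails ships `ActiveSupport::SecurityUtils.secure_compare` for the same purpose). The `ApiUser` class and its key are constructed stand-ins, not the project's schema:

```ruby
require "digest"

# Constant-time comparison of two secrets. Both inputs are first reduced to
# fixed-length SHA-256 digests so the length of the presented key is not
# leaked by an early return; every byte pair is then XORed and the results
# OR-ed together, so the loop does the same work whether the inputs differ
# in the first byte or the last.
def secure_compare(expected, candidate)
  a = Digest::SHA256.digest(expected.to_s)
  b = Digest::SHA256.digest(candidate.to_s)
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# For contrast: String#== returns as soon as the lengths differ or the first
# mismatching byte is found, which is the signal a timing attack measures.
def naive_compare(expected, candidate)
  expected == candidate
end

# Hypothetical user record (constructed for this example) with the check as an
# instance method, matching the shape described in the commit message.
class ApiUser
  attr_reader :name, :api_key

  def initialize(name, api_key)
    @name = name
    @api_key = api_key
  end

  # True only when the presented key matches the stored one, in constant time.
  def authenticate_api_key(presented_key)
    secure_compare(api_key, presented_key)
  end
end
```

Hashing both sides before comparing also means the stored key never needs to be the same length as attacker-controlled input, which is the case Rails' helper handles the same way.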
Require users who sign up using proxies to verify their email addresses
before they can perform any edits. For verification purposes, the email
must be a nondisposable address from a whitelist of trusted email
providers.
Pull the password reauthentication logic out of the user model and put
it in the password update controller where it belongs.
This fixes an issue where when a new user was created the user model had
an incorrect password error set on it by `encrypt_password_on_update`.
It was trying to verify the old password even though we don't have one
when creating a new user. This error caused the user create action to
redirect back to the signup page because `respond_with` thought that
creating the user failed.
Reject email addresses that are known to be undeliverable during signup.
Some users sign up with invalid email addresses, which causes the welcome
email (which contains the email confirmation link) to bounce. Too many
bounces hurt our ability to send mail.
We check that an email address is undeliverable by checking if the
domain has a mail server and if the server returns an invalid address
error when attempting to send mail. This isn't foolproof since some
servers don't return an error if the address doesn't exist. If the
checks fail we know the address is bad, but if the checks pass that
doesn't guarantee the address is good. However, this is still good
enough to filter out bad addresses for popular providers like Gmail and
Microsoft that do return nonexistent address errors.
The address existence check requires being able to connect to mail
servers over port 25. This may fail if your network blocks port 25,
which many home ISPs and hosting providers do by default.
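The deliverability probe described above, as an added example rather than Danbooru's code. The DNS lookup and the SMTP `RCPT TO` probe are injectable so the decision logic can be exercised with no network access (the port-25 limitation mentioned above applies to the real probe); the verdict names and the `helo` hostname are assumptions:

```ruby
require "resolv"
require "net/smtp"

# Map an SMTP reply code to a verdict. Only a 5xx is a definitive "bad
# address"; a 2xx means the server did not refuse, which is not proof the
# mailbox exists (some servers accept everything, as noted above).
def classify_rcpt_reply(status)
  case status.to_s[0]
  when "2" then :accepted
  when "5" then :undeliverable
  else :unknown                     # 4xx, odd replies: try again later
  end
end

# MX hosts for the domain, lowest preference first. With no MX record but an
# A record, the domain itself is the mail server (RFC 5321, section 5.1).
def default_mx_lookup(domain)
  Resolv::DNS.open do |dns|
    mx = dns.getresources(domain, Resolv::DNS::Resource::IN::MX)
    return mx.sort_by(&:preference).map { |r| r.exchange.to_s } unless mx.empty?
    dns.getresources(domain, Resolv::DNS::Resource::IN::A).empty? ? [] : [domain]
  end
end

# Open an SMTP session on port 25, issue MAIL FROM / RCPT TO, never send DATA,
# and turn the server's answer into a verdict. Needs outbound port 25.
def default_rcpt_probe(host, address, helo: "probe.example.invalid")
  Net::SMTP.new(host, 25).start(helo) do |smtp|
    smtp.mailfrom("")               # null reverse-path, as bounces use
    classify_rcpt_reply(smtp.rcptto(address).status)
  end
rescue Net::SMTPFatalError => e     # 5xx: permanent rejection of the recipient
  classify_rcpt_reply(e.message[0, 3])
rescue Net::SMTPServerBusy, Net::SMTPUnknownError, Net::SMTPSyntaxError,
       SystemCallError, SocketError, Timeout::Error, IOError
  :unknown                          # could not get a definitive answer
end

# Returns :undeliverable, :unknown or :accepted for an address. Only
# :undeliverable should block signup; :accepted is "not proven bad".
def probe_address(address, mx_lookup: method(:default_mx_lookup),
                  rcpt_probe: method(:default_rcpt_probe))
  domain = address.to_s.split("@", 2)[1]
  return :undeliverable if domain.nil? || domain.empty?

  hosts = mx_lookup.call(domain)
  return :undeliverable if hosts.empty?   # no mail server at all

  # Ask each mail server in turn until one gives a definitive answer.
  hosts.each do |host|
    verdict = rcpt_probe.call(host, address)
    return verdict unless verdict == :unknown
  end
  :unknown
end
```

Treating `:unknown` as "allow, but keep the address flagged as unverified" matches the caveat in the message above: a failed check proves the address is bad, a passed check proves nothing.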
Side effects:
* The data-current-user-is-voter <body> attribute has been removed.
* {{upvote:self}} no longer works. {{upvote:<name>}} should be used instead.
- Use the current comparison type for post versions instead
- Also add the note versions as a report
- No other versions are meaningful as reports since it is expected
for them to be modified by other users, or they don't have version
numbers as is the case with artist commentaries
- The types are:
-- Previous: The default and the previously used type
-- Subsequent: Compares against the next version
-- Current: Compares against the current version
- Allow switching between comparison types in index and diff views
-- Have links vary depending upon current comparison type
* Move emails from users table to email_addresses table.
* Validate that addresses are formatted correctly and are unique across
users. Existing invalid emails are grandfathered in.
* Add is_verified flag (the address has been confirmed by the user).
* Add is_deliverable flag (an undeliverable address is an address that bounces).
* Normalize addresses to prevent registering multiple accounts with the
same email address (using tricks like Gmail's plus addressing).
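The format check and the normalization used for the uniqueness rule above, as an added example (not Danbooru's validation code). Gmail ignoring dots and `+tag` suffixes is documented by Google; the other provider entries and the loose format regexp are assumptions for this example:

```ruby
# Providers whose local part is case-insensitive, ignores dots, and treats
# everything after "+" as a throwaway tag. googlemail.com is an alias domain.
DOT_AND_PLUS_INSENSITIVE = {
  "gmail.com" => "gmail.com",
  "googlemail.com" => "gmail.com",
}.freeze

# Providers that honour "+tag" sub-addressing but keep dots significant
# (assumed list for this example).
PLUS_INSENSITIVE = %w[outlook.com hotmail.com live.com].freeze

# Loose syntactic check: one "@", a non-empty local part, and a dotted
# hostname. Deliverability is a separate (network) check.
def valid_email_format?(address)
  !!(address.to_s =~ /\A[^@\s]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\z/i)
end

# Canonical form used for the uniqueness check, so that
# "J.Doe+danbooru@GMAIL.com" and "jdoe@googlemail.com" collide.
# Returns nil for addresses that are malformed or collapse to nothing.
def normalize_email(address)
  return nil unless valid_email_format?(address)
  local, domain = address.strip.downcase.split("@", 2)
  if (canonical = DOT_AND_PLUS_INSENSITIVE[domain])
    local = local.split("+", 2).first.delete(".")
    domain = canonical
  elsif PLUS_INSENSITIVE.include?(domain)
    local = local.split("+", 2).first
  end
  return nil if local.empty?
  "#{local}@#{domain}"
end

# Uniqueness check against already-registered addresses: compare normalized
# forms, not the raw strings the users typed.
def email_taken?(candidate, existing_addresses)
  wanted = normalize_email(candidate)
  return false if wanted.nil?
  existing_addresses.any? { |e| normalize_email(e) == wanted }
end
```

Store both the address as entered (for sending mail) and the normalized form (for the unique index); grandfathered invalid addresses simply get a nil normalized form.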
Remove code for updating forum topics when an alias or implication is
approved or rejected. This code was only used when approving single
alias or implication requests. This is no longer used now that all
alias/implication requests are done through BURs.
The old password reset flow:
* User requests a password reset.
* Danbooru generates a password reset nonce.
* Danbooru emails user a password reset confirmation link.
* User follows link to password reset confirmation page.
* The link contains a nonce authenticating the user.
* User confirms password reset.
* Danbooru resets user's password to a random string.
* Danbooru emails user their new password in plaintext.
The new password reset flow:
* User requests a password reset.
* Danbooru emails user a password reset link.
* User follows link to password edit page.
* The link contains a signed_user_id param authenticating the user.
* User changes their own password.
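What the `signed_user_id` parameter in the new flow can look like, as an added illustration that is not Danbooru's code. Rails provides `ActiveSupport::MessageVerifier` (with `purpose:` and `expires_in:`) for this; the stand-alone version below shows what such a verifier does: an HMAC over a payload carrying the user id, an expiry and a purpose, so the server stores no nonce and never mails a password. The secret, TTL and hex encoding are choices made for this example:

```ruby
require "openssl"
require "json"

class PasswordResetToken
  PURPOSE = "password_reset".freeze

  # Builds "<hex payload>.<hex hmac>". The purpose string stops a token minted
  # for one feature from being replayed against another.
  def self.generate(user_id, secret:, ttl: 3600, now: Time.now)
    payload = JSON.generate("uid" => user_id, "exp" => now.to_i + ttl, "pur" => PURPOSE)
    data = payload.unpack1("H*")            # hex is URL-safe without escaping
    "#{data}.#{sign(data, secret)}"
  end

  # Returns the user id the token vouches for, or nil if the token is
  # malformed, tampered with, minted for another purpose, or expired.
  def self.verify(token, secret:, now: Time.now)
    data, mac = token.to_s.split(".", 2)
    return nil if data.nil? || mac.nil?
    return nil unless constant_time_equal?(sign(data, secret), mac)
    payload = JSON.parse([data].pack("H*"))
    return nil unless payload["pur"] == PURPOSE
    return nil if payload["exp"].to_i <= now.to_i
    payload["uid"]
  rescue JSON::ParserError, ArgumentError
    nil
  end

  def self.sign(data, secret)
    OpenSSL::HMAC.hexdigest("SHA256", secret, data)
  end

  # Same constant-time idea as a secure API key comparison; both MACs are
  # hex digests of equal length, so a length check is enough here.
  def self.constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end
```

The password edit page then accepts the new password only when `verify` returns a user id; a token that verifies but has been used once can additionally be invalidated by mixing the current password hash into the HMAC input, so changing the password retires the link.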
* Support negated wildcards in searches (e.g. "holding -holding_*")
* Raise wildcard limit to matching 25 tags regardless of user level.
* Fix wildcards potentially matching empty tags.
* Fix wildcard tags being sorted by post count only, and therefore not
having a stable ordering when tags have equal post counts.
* Fix sidebar to calculate wildcard tags the same way the search does.
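The wildcard rules in the list above, as an added example that is not Danbooru's search code: wildcards are escaped before becoming a regexp, empty tags are skipped, ordering is post count then name so ties are stable, the limit is applied regardless of user level, and negated terms go through the same expansion as positive ones. The `TAGS` table and its counts are constructed sample data; "empty tag" is assumed to mean a post count of zero:

```ruby
# Constructed in-memory tag table: name => post count.
TAGS = {
  "holding_sword" => 120, "holding_cup" => 120, "holding_book" => 80,
  "holding" => 5000, "holding_nothing" => 0, "sword" => 300,
}.freeze

# "*" matches any run of characters; everything else is literal, so a
# pattern containing regexp metacharacters cannot change its own meaning.
def wildcard_to_regexp(pattern)
  Regexp.new("\\A" + Regexp.escape(pattern).gsub("\\*", ".*") + "\\z")
end

# Expand one wildcard into concrete tag names:
#   * never return empty tags (post count zero);
#   * order by post count descending, then name ascending (stable ties);
#   * cap at `limit` matches (25 in the commit above) for every user level.
def expand_wildcard(pattern, tags: TAGS, limit: 25)
  re = wildcard_to_regexp(pattern)
  tags.select { |name, count| count > 0 && re.match?(name) }
      .sort_by { |name, count| [-count, name] }
      .first(limit)
      .map(&:first)
end

# Split a query into positive and negated terms, expanding wildcards on both
# sides, e.g. "holding -holding_*" keeps "holding" and excludes every
# non-empty tag starting with "holding_". The sidebar can call the same
# function so it shows exactly the tags the search used.
def parse_query(query, tags: TAGS, limit: 25)
  include, exclude = [], []
  query.split.each do |term|
    negated = term.start_with?("-")
    name = negated ? term[1..-1] : term
    expanded = name.include?("*") ? expand_wildcard(name, tags: tags, limit: limit) : [name]
    (negated ? exclude : include).concat(expanded)
  end
  { include: include, exclude: exclude }
end
```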
Bug: if there was a timeout when calculating the page count, the timeout
wouldn't be cached, so we would hit multiple timeouts trying to
calculate the page count multiple times.
Rename is_active to is_deleted. This is for better consistency with
other models, and to reduce confusion over what "active" means for
artists. Sometimes users think active is for whether the artist is
actively producing work.
This meant that both functions had to return two separate values,
which need to be destructured by the function calling them. This
isn't so much a huge issue as it's more something just to be made
aware of in case either function needs to be used elsewhere.
Regardless of category or query. This meant that the category value
had to be passed in as either null or the value itself for both types
of functions. It also fixes an issue where the category wasn't settable
on the pattern matching type.
This information is already available, so there's no extra processing.
To avoid conflicting with the current tags field, it was made into its
own field, and it uses a hash so that values can be quickly looked up.
* Add options for changing the order of the modqueue (newest first,
oldest first, highest scoring first, lowest scoring first).
* Change the default order from oldest posts first to most recently
flagged or uploaded posts first.
* Add an order:modqueue metatag to order by most recently flagged or
uploaded in standard searches.
Add a sidebar to the modqueue page that shows the following information:
* Number of pending and flagged posts.
* Number of posts disapproved for poor quality or breaking rules.
* Top uploaders in the queue.
* Top artist, copyright, and character tags in the queue.
* Change the `disapproval:<reason>` metatag to `disapproved:<reason>`.
* Change `disapproved:<reason>` to show all posts disapproved for a
given reason, not just those disapproved by the current user.
* Allow searching for your own disapprovals with `disapproved:<my_name>`.
* Drop the `disapproved:<any|none>` metatags. `disapproved:any` is
equivalent to `disapproved:<my_name>` and `disapproved:none` is
equivalent to `-disapproved:<my_name>`.
These changes are so that you can search e.g. disapproved:poor_quality
to find all posts disapproved for poor quality.
Send weekly warning dmails to approvers in danger of losing their
approver permissions. Don't send warnings if we're more than three weeks
away from demotion so that approvers aren't warned prematurely.