Commit Graph

758 Commits

Author SHA1 Message Date
evazion
5909e8501c Pull upload notice, bookmarklet notice from help:upload_notice wiki page. 2016-11-21 01:17:15 -06:00
evazion
b0a0a32173 API: support PUT /maintenance/user/dmail_filter.json. 2016-11-12 01:10:14 -06:00
evazion
a16b91e2bf Fix exploit allowing dmail filters to be set on other users.
Exploit:

    curl \
      -u $USERNAME:$API_KEY \
      -X PUT "http://danbooru.donmai.us/maintenance/user/dmail_filter.json?dmail_id=1" \
      -d "dmail_filter[words]=owned&dmail_filter[user_id]=2"

...where dmail_id is any dmail you own (doesn't matter which) and user_id is the victim.
2016-11-12 01:10:14 -06:00
Albert Yi
eb6746a8a8 additional checks on forum topic visibility 2016-11-07 10:48:04 -08:00
Albert Yi
a22a7c3302 bulk revert 2016-11-07 10:48:04 -08:00
Albert Yi
4e48e80e1f stub in preview for bulk revert 2016-11-02 13:53:01 -07:00
evazion
00da01ea3e Remove unused NotesController#pass_html_id.
Dead code as far as I can tell. According to `git log -p -G "X-Html-Id"`,
it was added in 2011 and never used. The HTML id is passed to javascript in the
JSON response to `POST /notes.json` instead.
2016-10-31 01:37:49 +00:00
evazion
9c188ff0cb Fix notes appearing unsaved after saving them.
Bug: creating a note then saving it doesn't remove the red border
indicating it's unsaved.

Broken by 8df1496 / PR #2729.

Ref: http://danbooru.donmai.us/forum_topics/13348.
2016-10-31 01:25:09 +00:00
evazion
6dd8ec909d Set approver of aliases/implications in BURs.
Previously only the BUR's approver was set when a BUR was approved. Set
the approver for each alias/implication in the BUR as well.

Additionally:

* Refactor `approve!` to take a user instead of just a user id.
* Be mass-assignment permissions aware when setting approver_id.
2016-10-26 21:52:19 -05:00
Albert Yi
79842f7a3b restrict min level constraints for forum topics to mod+admin and restrict options based on current user's level. check privileges for visibility in forum posts and topics. deprecate serializable_hash (undocumented, internal) for as_json, refactor to use hidden_attributes and method_attributes #2658 2016-10-25 15:05:55 -07:00
Albert Yi
589df5f301 implements #2658: private forum topics 2016-10-24 16:56:18 -07:00
evazion
8df1496d28 Fix vuln allowing users to move notes between posts.
Prevents this from working:

    PUT /notes/1.json?note[post_id]=23
    PUT /notes/1.json?note[post_id]=42
2016-10-19 22:54:47 -05:00
Albert Yi
e78b7d2a8c fixes #2716: Wiki pages should be undeletable 2016-10-18 15:45:50 -07:00
Albert Yi
2a5343b8cf add more intelligent js for artist forms 2016-10-18 14:56:40 -07:00
Albert Yi
2424f24fcd return 429 for too many requests instead of 421 2016-10-18 13:33:04 -07:00
Albert Yi
87447a51c3 work on #2693 Separate API Limits by Writes/Reads 2016-10-17 16:37:11 -07:00
Albert Yi
86af580445 increase random post mod queue length to 12 2016-10-17 15:53:51 -07:00
evazion
7c8557dbac Make more pages publicly accessible to logged out users.
* /artist_commentaries
* /note_versions
* /post_appeals
* /post_flags
* /posts/1/events
* /super_voters
2016-10-17 05:57:05 -05:00
evazion
7c6ba6a7c0 Add /delayed_jobs.json.
Leave out `handler` because it's sensitive.
2016-10-17 05:57:05 -05:00
evazion
af7abc2b38 Add missing JSON/XML responses.
* GET    /bans.json
* GET    /bans/1.json
* GET    /ip_bans.json
* POST   /ip_bans.json
* DELETE /ip_bans.json
* GET    /mod_actions.json
* GET    /posts/1/events.json
* POST   /saved_searches.json
* DELETE /saved_searches/1.json
* GET    /super_voters.json
2016-10-17 05:57:05 -05:00
evazion
bd6ebceda3 Refactor post_approvers_only to approver_only.
Don't duplicate code with post_approvers_only; use the approver_only?
method dynamically defined in `User::Roles.each do ... end`.
2016-10-14 05:04:40 +00:00
evazion
d84184b5f1 Prevent anon/banned/member users from voting (fix #2719).
There was a regression in 6d6d00b; `before_filter :voter_only` was a
no-op in the post vote controller because it merely returned false,
which does not halt the request. The fix is to arrange for a voter_only
method to be defined that properly redirects to the access denied page.
2016-10-14 04:47:51 +00:00
Albert Yi
eaa0426c36 Merge pull request #2714 from evazion/fix-2704
Fix mass assignment vuln to tag alias/implication status (partial fix for #2704).
2016-10-11 17:48:26 -07:00
evazion
7e3284c87f Fix mass assignment vuln to tag alias/implication status (2704). 2016-10-11 08:20:28 +00:00
evazion
c46b31aa9c Prevent reverting to foreign versions (fixes #2711). 2016-10-11 06:57:46 +00:00
evazion
8c8f4a6a8f Fix mass assignment vuln in comment update action (#2704).
Prevents mass assignment of `post_id`, `do_not_bump_post`, and
`is_deleted`.
2016-10-06 09:39:57 +00:00
r888888888
ebff27c7c0 fixes #2700: Unvote Missing Template Exception 2016-10-04 14:42:48 -07:00
r888888888
643d06dcff remove reference to janitor_only 2016-09-29 11:54:49 -07:00
r888888888
5b48d272f2 add basic user revert functionality 2016-09-28 11:38:34 -07:00
r888888888
fc7afd44ea refactor source pixiv test
refactor pixiv download tests
refactor upload test
refactor nico seiga test
refactor twitter tests
2016-09-28 11:25:29 -07:00
r888888888
800f7d9e5f fix invalid reference to request.request_uri 2016-09-23 15:30:17 -07:00
r888888888
09ec2dfc08 remove anti voters, extend post vote lifetime to 90 days, add minimum score threshold for super voters 2016-09-23 11:03:09 -07:00
r888888888
b2e6a8f031 add antivoters (no behavior yet) 2016-09-19 16:47:55 -07:00
r888888888
bf2246f895 move vote similarity code into danbooru, add listing for super voters 2016-09-19 16:43:29 -07:00
Type-kun
a718560554 Initial support for #2677 2016-09-17 16:42:00 +05:00
r888888888
62582cb994 remove false constraint 2016-09-13 01:14:32 -07:00
r888888888
76c1712989 account for nothing left to moderate 2016-09-12 16:20:08 -07:00
r888888888
5d1bc8726a make moderated cookie permanent 2016-09-12 13:06:09 -07:00
r888888888
70fef49e81 add saved search category change ui 2016-09-11 01:37:10 -07:00
r888888888
2c80d7b82e more intelligent notice for mod queue 2016-09-09 15:08:23 -07:00
r888888888
3542ffe1f7 refactor inactive janitor notice 2016-09-09 14:30:35 -07:00
r888888888
1682196490 fix role 2016-09-08 16:02:51 -07:00
r888888888
de34c7fca3 fixes #2650: Add random mode to mod queue 2016-09-08 15:55:06 -07:00
r888888888
310538dd71 implement post version search report in danbooru (probably broken) 2016-09-06 18:02:58 -07:00
r888888888
73d62bbc01 expose mod dashboard to all users 2016-08-30 15:14:46 -07:00
r888888888
929d6e7ec5 add glob pattern for missing routes 2016-08-30 14:42:01 -07:00
r888888888
f41c362bf4 keep better track of per-user ip addrs 2016-08-24 15:58:22 -07:00
r888888888
122970bc11 fixes #2620: Users who logged in securely should always be redirected to the HTTPS version of Danbooru 2016-07-18 16:48:10 -07:00
r888888888
f138eeef1d fixes #2619: Delete password_hash cookie on sign out 2016-07-11 16:38:00 -07:00
r888888888
14d73d0622 add member only constraint for migrating tag subscriptions 2016-06-24 14:11:44 -07:00