Refactor models so that we define attribute API permissions in policy
files instead of directly in models.

This is cleaner because a) permissions are better handled by policies
and b) which attributes are visible to the API is an API-level concern
that models shouldn't have to care about.

This fixes an issue with not being able to precompile CSS/JS assets
unless the database was up and running. This was a problem when building
Docker images because we don't have a database at build time. We needed
the database because `api_attributes` was a class-level macro in some
places, which meant it ran at boot time, but this triggered a database
call because `api_attributes` used database introspection to get the list
of allowed API attributes.

* Inline JavaScript in the `<head>` is a minor bottleneck because it
blocks page rendering.
* Fix antiproxying protection (proxy sites like to strip `<script>` tags
from the header).

Don't embed config options directly in JavaScript. Including them in the
JavaScript forces us to recompile the JavaScript whenever these options
change, which requires us to redeploy the entire site instead of just
restarting the app server.

* Remove `banned_ip_for_download?` config option. This isn't something that usually needs
to be configured.
* Replace the `ipaddress` gem with `ipaddress_2`. The `ipaddress` gem has several methods
we need (`link_local?`, etc) that are only available in master because the gem hasn't had
an official release in several years. `ipaddress_2` is a fork that is more actively
maintained.

Try to prevent malicious sites like danbooru.me or idanbooru.com from
proxying our site and inserting ads. If we detect that we're not running
on the real site, then we redirect to the real site.
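
The redirect check described above, sketched as an added example (not Danbooru's own code). The function names and the `CANONICAL_ORIGIN` constant are assumptions; the canonical host is taken from the `danbooru.donmai.us` name used elsewhere on this page.

```javascript
// Added example, not the project's implementation.
// CANONICAL_ORIGIN is an assumed constant for illustration.
const CANONICAL_ORIGIN = "https://danbooru.donmai.us";

// Lowercase the hostname and drop a trailing root dot so that
// "Danbooru.Donmai.US." compares equal to "danbooru.donmai.us".
function normalizeHost(hostname) {
  return hostname.toLowerCase().replace(/\.$/, "");
}

// Returns the URL to redirect to, or null when the page is already being
// served from the canonical host. The comparison is an exact match on the
// hostname: a substring or suffix test would accept lookalike hosts such
// as idanbooru.com or danbooru.donmai.us.example.net.
function antiproxyRedirect(currentHref, canonicalOrigin = CANONICAL_ORIGIN) {
  const current = new URL(currentHref);
  const canonical = new URL(canonicalOrigin);
  if (normalizeHost(current.hostname) === normalizeHost(canonical.hostname)) {
    return null;
  }
  // Keep path, query and fragment so the visitor lands on the same page.
  return canonical.origin + current.pathname + current.search + current.hash;
}

// Browser entry point (guarded so the file also loads outside a browser).
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const target = antiproxyRedirect(window.location.href);
  // replace() keeps the proxied URL out of the back-button history.
  if (target !== null) window.location.replace(target);
}
```
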

Fix regression in #4475. Fetch the commentary as html instead of
plaintext so that we don't lose links or other formatting.

Also fix it so that /jump.php redirect links are replaced with the
actual url.

Get rid of `normalized_for_artist_finder?` and `normalizable_for_artist_finder?`.
This was legacy bullshit that was originally designed to avoid API calls
when saving artist entries containing old Pixiv direct image urls that
had already been normalized, or that couldn't be normalized because they
were bad id.

Nowadays we store profile urls in artist entries instead of direct image
urls, so we don't normally need to do any API calls to normalize the
profile url. Strategies should take care to avoid triggering API calls
inside `profile_url` when possible.

Hide banned artist pages from anonymous (logged out) users. Partial
revert of 6b066f2ca. Artists sometimes ask us to remove all their
information from the site, including their artist profile. It's easier
to hide their profile than to explain to Japanese artists that a) we're
under no obligation to remove their profile and b) we need to keep it to
maintain the ban on their content that they asked for.

The issue is that the bodies of the embedded notes were being set to
the value which tells the script not to read the original body after
saving a note. This was a poor system prone to issues, so instead a
DOM class is now explicitly added to the notes on note creation and
cleared whenever a note gets saved.

Additionally, the embedded note bodies were standardized to use the
same initial value as non-embedded notes as well.

Flash files can be quite big (the biggest on danbooru.donmai.us being
68.6MB atm). Reading it and applying complex transformations twice seems
unnecessary.

`MediaFile#dimensions` is called twice, in `#width` and in `#height`, but
it only works on the first call because the file is read to the end and
consumed the first time, so when `#read` is called the second time it only
returns the empty string.