Merge remote-tracking branch 'mastodon/stable-4.2' into lets-bump-hometown-to-mastodon-4.2

2 years ago · 74ff8df528
5 changed files with 109 additions and 10 deletions
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -212,7 +212,7 @@ GEM
    climate_control (0.2.0)
    cocoon (1.2.15)
    color_diff (0.1)
-    concurrent-ruby (1.2.2)
+    concurrent-ruby (1.2.3)
    connection_pool (2.4.1)
    cose (1.3.0)
      cbor (~> 0.5.9)
@ -457,7 +457,7 @@ GEM
      mime-types-data (~> 3.2015)
    mime-types-data (3.2023.0808)
    mini_mime (1.1.5)
-    mini_portile2 (2.8.4)
+    mini_portile2 (2.8.5)
    minitest (5.19.0)
    msgpack (1.7.1)
    multi_json (1.15.0)
@ -480,7 +480,7 @@ GEM
      net-protocol
    net-ssh (7.1.0)
    nio4r (2.7.0)
-    nokogiri (1.15.4)
+    nokogiri (1.16.2)
      mini_portile2 (~> 2.8.2)
      racc (~> 1.4)
    oj (3.16.1)
@ -539,7 +539,7 @@ GEM
    pundit (2.3.0)
      activesupport (>= 3.0.0)
    raabro (1.4.0)
-    racc (1.7.1)
+    racc (1.7.3)
    rack (2.2.8)
    rack-attack (6.7.0)
      rack (>= 1.0, < 4)
@ -693,7 +693,7 @@ GEM
      rubyzip (>= 1.2.2, < 3.0)
      websocket (~> 1.0)
    semantic_range (3.0.0)
-    sidekiq (6.5.10)
+    sidekiq (6.5.12)
      connection_pool (>= 2.2.5, < 3)
      rack (~> 2.0)
      redis (>= 4.5.0, < 5)
@ -703,7 +703,7 @@ GEM
      rufus-scheduler (~> 3.2)
      sidekiq (>= 6, < 8)
      tilt (>= 1.4.0)
-    sidekiq-unique-jobs (7.1.29)
+    sidekiq-unique-jobs (7.1.33)
      brpoplpush-redis_script (> 0.1.1, <= 2.0.0)
      concurrent-ruby (~> 1.0, >= 1.0.5)
      redis (< 5.0)
@ -748,7 +748,7 @@ GEM
    terrapin (0.6.0)
      climate_control (>= 0.0.3, < 1.0)
    test-prof (1.2.3)
-    thor (1.2.2)
+    thor (1.3.0)
    tilt (2.2.0)
    timeout (0.4.0)
    tpm-key_attestation (0.12.0)
--- a/config/initializers/doorkeeper.rb
+++ b/config/initializers/doorkeeper.rb
@ -21,9 +21,14 @@ Doorkeeper.configure do
    user unless user&.otp_required_for_login?
  end

-  # If you want to restrict access to the web interface for adding oauth authorized applications, you need to declare the block below.
+  # Doorkeeper provides some administrative interfaces for managing OAuth
+  # Applications, allowing creation, edit, and deletion of applications from the
+  # server. At present, these administrative routes are not integrated into
+  # Mastodon, and as such, we've disabled them by always return a 403 forbidden
+  # response for them. This does not affect the ability for users to manage
+  # their own OAuth Applications.
  admin_authenticator do
-    current_user&.admin? || redirect_to(new_user_session_url)
+    head 403
  end

  # Authorization Code expiration time (default 10 minutes).
--- a/config/routes.rb
+++ b/config/routes.rb
@ -1,6 +1,6 @@
 # frozen_string_literal: true

-require 'sidekiq_unique_jobs/web'
+require 'sidekiq_unique_jobs/web' if ENV['ENABLE_SIDEKIQ_UNIQUE_JOBS_UI'] == true
 require 'sidekiq-scheduler/web'

 class RedirectWithVary < ActionDispatch::Routing::PathRedirect
--- a/lib/tasks/sidekiq_unique_jobs.rake
+++ b/lib/tasks/sidekiq_unique_jobs.rake
@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+namespace :sidekiq_unique_jobs do
+  task delete_all_locks: :environment do
+    digests = SidekiqUniqueJobs::Digests.new
+    digests.delete_by_pattern('*', count: digests.count)
+
+    expiring_digests = SidekiqUniqueJobs::ExpiringDigests.new
+    expiring_digests.delete_by_pattern('*', count: expiring_digests.count)
+  end
+end
--- a/spec/requests/disabled_oauth_endpoints_spec.rb
+++ b/spec/requests/disabled_oauth_endpoints_spec.rb
@ -0,0 +1,83 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe 'Disabled OAuth routes' do
+  # These routes are disabled via the doorkeeper configuration for
+  # `admin_authenticator`, as these routes should only be accessible by server
+  # administrators. For now, these routes are not properly designed and
+  # integrated into Mastodon, so we're disabling them completely
+  describe 'GET /oauth/applications' do
+    it 'returns 403 forbidden' do
+      get oauth_applications_path
+
+      expect(response).to have_http_status(403)
+    end
+  end
+
+  describe 'POST /oauth/applications' do
+    it 'returns 403 forbidden' do
+      post oauth_applications_path
+
+      expect(response).to have_http_status(403)
+    end
+  end
+
+  describe 'GET /oauth/applications/new' do
+    it 'returns 403 forbidden' do
+      get new_oauth_application_path
+
+      expect(response).to have_http_status(403)
+    end
+  end
+
+  describe 'GET /oauth/applications/:id' do
+    let(:application) { Fabricate(:application, scopes: 'read') }
+
+    it 'returns 403 forbidden' do
+      get oauth_application_path(application)
+
+      expect(response).to have_http_status(403)
+    end
+  end
+
+  describe 'PATCH /oauth/applications/:id' do
+    let(:application) { Fabricate(:application, scopes: 'read') }
+
+    it 'returns 403 forbidden' do
+      patch oauth_application_path(application)
+
+      expect(response).to have_http_status(403)
+    end
+  end
+
+  describe 'PUT /oauth/applications/:id' do
+    let(:application) { Fabricate(:application, scopes: 'read') }
+
+    it 'returns 403 forbidden' do
+      put oauth_application_path(application)
+
+      expect(response).to have_http_status(403)
+    end
+  end
+
+  describe 'DELETE /oauth/applications/:id' do
+    let(:application) { Fabricate(:application, scopes: 'read') }
+
+    it 'returns 403 forbidden' do
+      delete oauth_application_path(application)
+
+      expect(response).to have_http_status(403)
+    end
+  end
+
+  describe 'GET /oauth/applications/:id/edit' do
+    let(:application) { Fabricate(:application, scopes: 'read') }
+
+    it 'returns 403 forbidden' do
+      get edit_oauth_application_path(application)
+
+      expect(response).to have_http_status(403)
+    end
+  end
+end