Update to main #7
Conversation
edited two files
Fixes #2801 Related to #2794 It is legitimate to use any url for the user's key id. We have been assuming this id is the user id plus a fragment (#key-id) but this is not always the case, notably in the case of GoToSocial it is at /key-id. This commit instead checks the remote user's information to see if the key id listed matches the key id of the message allegedly received from them. Whilst troubleshooting this it also became apparent that there is a mismatch between Bookwyrm users' keyId and the KeyId we claim to be using in signed requests (there is a forward slash missing). Since everything after the slash is a fragment, this usually slips through but we should be consistent so I updated that.
Previously the 'tag' value in an activitypub object was assumed to be a List (array). Some AP software sends 'tag' as a Dict (object) if there is only a single tag value. It's somewhat debatable whether this is spec compliant but we should aim to be robust. This commit puts an individual mention tag inside a list if necessary.
GoToSocial expects the 'name' value of a mention tag to have an initial '@' symbol. Mastodon doesn't seem to mind either way.
Bookwyrm keyIds are at `userpath/#main-key`, however when signing AP objects we have claimed in the headers that the keyId is at `userpath#main-key`. This is incorrect, and makes GoToSocial's strict checking break. Simply updating the signatures to use the correct KeyId breaks legacy Bookwyrm's signature checks, becuase it assumes that the keyId path is the same as the user path plus a fragment. This commit allows for either option, by sending the request a second time with the incorrect keyId if sending with the correct one causes an error.
GoToSocial sends 'tag' values as a single object if there is only one user mentioned, rather than an array with an object inside it. This causes Bookwyrm to reject the tag since it comes through as a dict rather than a list. This commit fixes this at the point the incoming AP object is transformed so that "mention" tags are turned into a mention_user.
…r instead of main page
Only trigger add_status_task when status is first created
Fixes for create-book
revert last commit because prettier was run with the wrong version This reverts commit 5d3883c.
Type annotations and related changes for connectors
Add copy button for ISBN
Adds management command to repair editions in bad state
Include Dutch locale
On readthrough, progressupdate or status delete return to previous page
Isbn hyphenation
Convert description from Markdown when importing from Open Library
Record report actions
Adds breadcrumbs and better titles to followers/following pages
| else: | ||
| description = markdown(description_blob) | ||
|
|
||
| if ( |
There was a problem hiding this comment.
Wow I'm not a fan of this at all
There was a problem hiding this comment.
Is there an alternative you'd prefer?
| from bookwyrm import settings | ||
|
|
||
|
|
||
| class IsbnHyphenator: |
There was a problem hiding this comment.
This whole thing makes me sad, but I'll deal with it later
There was a problem hiding this comment.
This is one where we should likely submit our proposed change to upstream and then merge down from there, rather than just changing for our fork.
| help = "Repairs an edition that is in a broken state" | ||
|
|
||
| # pylint: disable=unused-argument | ||
| def handle(self, *args, **options): |
There was a problem hiding this comment.
This is neat we should run this
There was a problem hiding this comment.
I don't think we've seen any broken editions yet, but it doesn't seem like it would hurt!
| @@ -529,7 +537,7 @@ async def async_broadcast(recipients: List[str], sender, data: str): | |||
|
|
|||
|
|
|||
| async def sign_and_send( | |||
| @@ -363,8 +372,34 @@ def save(self, *args, **kwargs): | |||
| for author_id in self.authors.values_list("id", flat=True): | |||
| cache.delete(f"author-books-{author_id}") | |||
|
|
|||
| # Create sort title by removing articles from title | |||
| if self.sort_title in [None, ""]: | |||
There was a problem hiding this comment.
Hmm... this is kiiiinda weird? if it's well-tested probably fine
|
I've started reviewing this, but I'm pausing for the night at 126/141 files viewed. Leaving this comment mostly so I can see if there's anything I need to look at again because of changes before I finish. |
No new commits since then! Picking up my review where I left off. |
There was a problem hiding this comment.
Overall, there are a couple things I don't love in here, but nothing we should block a merge over. There are a few security changes we've discussed OOB that I'd like us to test after merging but before deploying this, and if they work out for us we can also propose them upstream.
Overall, let's merge this!
| @@ -17,7 +17,7 @@ jobs: | |||
| - uses: actions/checkout@v3 | |||
|
|
|||
| - name: Install modules | |||
| run: npm install prettier | |||
| run: npm install prettier@2.5.1 | |||
There was a problem hiding this comment.
We should consider pinning a newer version; current is 3.0.1. I'm guessing this pinning was triggered by a bad version accidentally published of 2.5.7, but there are some pretty nice improvements since then, and it was fixed.
| @@ -312,6 +313,9 @@ | |||
| ("zh-hant", _("繁體中文 (Traditional Chinese)")), | |||
| ] | |||
|
|
|||
| LANGUAGE_ARTICLES = { | |||
There was a problem hiding this comment.
We should probably commit the equivalent articles for the other languages our server uses frequently to upstream directly; I think Spanish and Dutch are the biggest ones we see, but maybe also French would be worth adding?
| @@ -4,7 +4,7 @@ | |||
| {% block filter %} | |||
| <div class="control"> | |||
| <label class="label" for="id_search">{% trans "Search editions" %}</label> | |||
| <input type="text" class="input" name="q" value="{{ request.GET.q|default:'' }}" id="id_search"> | |||
| <input type="text" class="input" name="q" value="{{ request.GET.q|default:'' }}" id="id_search" spellcheck="false"> | |||
There was a problem hiding this comment.
Feels like actually spellcheck might be useful here???
| @@ -6,7 +6,7 @@ | |||
| <h2 class="title is-4">{% trans "What are you reading?" %}</h2> | |||
| <form class="field has-addons" method="get" action="{% url 'get-started-books' %}"> | |||
| <div class="control"> | |||
| <input type="text" name="query" value="{{ request.GET.query }}" class="input" placeholder="{% trans 'Search for a book' %}" aria-label="{% trans 'Search for a book' %}"> | |||
| <input type="text" name="query" value="{{ request.GET.query }}" class="input" placeholder="{% trans 'Search for a book' %}" aria-label="{% trans 'Search for a book' %}" spellcheck="false"> | |||
There was a problem hiding this comment.
As mentioned on previous: Feels like actually spellcheck might be useful here???
| @@ -38,7 +38,7 @@ | |||
| {% else %} | |||
| {% trans "Search for a book" as search_placeholder %} | |||
| {% endif %} | |||
| <input aria-label="{{ search_placeholder }}" id="tour-search" class="input" type="text" name="q" placeholder="{{ search_placeholder }}" value="{{ query }}"> | |||
| <input aria-label="{{ search_placeholder }}" id="tour-search" class="input" type="text" name="q" placeholder="{{ search_placeholder }}" value="{{ query }}" spellcheck="false"> | |||
There was a problem hiding this comment.
Another place spellcheck seems potentially nice?
| @@ -210,7 +210,7 @@ <h2 class="title is-5 mt-6"> | |||
| <form name="search" action="{% url 'list' list_id=list.id slug=list.name|slugify %}" method="GET" class="block"> | |||
| <div class="field has-addons"> | |||
| <div class="control"> | |||
| <input aria-label="{% trans 'Search for a book' %}" class="input" type="text" name="q" placeholder="{% trans 'Search for a book' %}" value="{{ query }}"> | |||
| <input aria-label="{% trans 'Search for a book' %}" class="input" type="text" name="q" placeholder="{% trans 'Search for a book' %}" value="{{ query }}" spellcheck="false"> | |||
There was a problem hiding this comment.
Spellchecking human names is bad, but spellchecking book titles seems convenient?
| @@ -6,7 +6,7 @@ | |||
| QUERY_TIMEOUT = env.int("CELERY_QUERY_TIMEOUT", env.int("QUERY_TIMEOUT", 30)) | |||
|
|
|||
| # pylint: disable=line-too-long | |||
| REDIS_BROKER_PASSWORD = requests.utils.quote(env("REDIS_BROKER_PASSWORD", "")) | |||
| REDIS_BROKER_PASSWORD = requests.compat.quote(env("REDIS_BROKER_PASSWORD", "")) | |||
There was a problem hiding this comment.
@phildini I'm not familiar with this, but it has the general vibe that I should maybe have feelings about it. Is this change likely to have security implications, or is requests.compat equally fine for passwords?
| else: | ||
| description = markdown(description_blob) | ||
|
|
||
| if ( |
There was a problem hiding this comment.
Is there an alternative you'd prefer?
| from bookwyrm import settings | ||
|
|
||
|
|
||
| class IsbnHyphenator: |
There was a problem hiding this comment.
This is one where we should likely submit our proposed change to upstream and then merge down from there, rather than just changing for our fork.
| help = "Repairs an edition that is in a broken state" | ||
|
|
||
| # pylint: disable=unused-argument | ||
| def handle(self, *args, **options): |
There was a problem hiding this comment.
I don't think we've seen any broken editions yet, but it doesn't seem like it would hurt!
| @@ -93,6 +95,10 @@ def post(self, request, user): | |||
| form = forms.UserGroupForm(request.POST, instance=user) | |||
| if form.is_valid(): | |||
| form.save(request) | |||
|
|
|||
| if report_id: | |||
There was a problem hiding this comment.
It maybe sucks you can save the formgroup without recording the action.
No description provided.