Merge branch 'release/2.5.1' into 'stable'

release: 2.5.1

See merge request pleroma/pleroma!3841

CHANGELOG.md

@@ -14,6 +14,24 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ### Removed
 
+## 2.5.1
+
+### Added
+- Allow customizing instance languages
+
+### Fixed
+- Security: uploading HTTP endpoint can no longer create directories in the upload dir (internal APIs, like backup, still can do it.)
+- ~ character in urls in Markdown posts are handled properly
+- Exiftool upload filter will now ignore SVG files
+- Fix `block_from_stranger` setting
+- Fix rel="me"
+- Docker images will now run properly
+- Fix inproper content being cached in report content
+- Notification filter on object content will not operate on the ones that inherently have no content
+- ZWNJ and double dots in links are parsed properly for Plain-text posts
+- OTP releases will work on systems with a newer libcrypt
+- Errors when running Exiftool.ReadDescription filter will not be filled into the image description
+
 ## 2.5.0 - 2022-12-23
 
 ### Removed

Dockerfile

@@ -1,4 +1,8 @@
-FROM elixir:1.11.4-alpine as build
+ARG ELIXIR_VER=1.11.4
+ARG ERLANG_VER=24.2.1
+ARG ALPINE_VER=3.17.0
+
+FROM hexpm/elixir:${ELIXIR_VER}-erlang-${ERLANG_VER}-alpine-${ALPINE_VER} as build
 
 COPY . .
 
@@ -12,7 +16,7 @@ RUN apk add git gcc g++ musl-dev make cmake file-dev &&\
 	mkdir release &&\
 	mix release --path release
 
-FROM alpine
+FROM alpine:${ALPINE_VER}
 
 ARG BUILD_DATE
 ARG VCS_REF

config/description.exs

@@ -1052,6 +1052,15 @@
         description:
           "Minimum required age (in days) for users to create account. Only used if birthday is required.",
         suggestions: [6570]
+      },
+      %{
+        key: :languages,
+        type: {:list, :string},
+        description:
+          "Languages to be exposed in /api/v1/instance. Should be in the format of BCP47 language codes.",
+        suggestions: [
+          "en"
+        ]
       }
     ]
   },

lib/pleroma/application.ex

@@ -209,7 +209,8 @@ defp cachex_children do
       build_cachex("chat_message_id_idempotency_key",
         expiration: chat_message_id_idempotency_key_expiration(),
         limit: 500_000
-      )
+      ),
+      build_cachex("rel_me", limit: 2500)
     ]
   end
 

lib/pleroma/notification.ex

@@ -178,6 +178,7 @@ defp exclude_filtered(query, user) do
         from([_n, a, o] in query,
           where:
             fragment("not(?->>'content' ~* ?)", o.data, ^regex) or
+              fragment("?->>'content' is null", o.data) or
               fragment("?->>'actor' = ?", o.data, ^user.ap_id)
         )
     end
@@ -679,7 +680,7 @@ def skip?(
     cond do
       opts[:type] == "poll" -> false
       user.ap_id == actor -> false
-      !User.following?(follower, user) -> true
+      !User.following?(user, follower) -> true
       true -> false
     end
   end

lib/pleroma/upload/filter/exiftool/read_description.ex

@@ -33,7 +33,10 @@ defp read_when_empty(current_description, _, _) when is_binary(current_descripti
   defp read_when_empty(_, file, tag) do
     try do
       {tag_content, 0} =
-        System.cmd("exiftool", ["-b", "-s3", tag, file], stderr_to_stdout: true, parallelism: true)
+        System.cmd("exiftool", ["-b", "-s3", tag, file],
+          stderr_to_stdout: false,
+          parallelism: true
+        )
 
       tag_content = String.trim(tag_content)
 

lib/pleroma/upload/filter/exiftool/strip_location.ex

@@ -14,6 +14,7 @@ defmodule Pleroma.Upload.Filter.Exiftool.StripLocation do
   # Formats not compatible with exiftool at this time
   def filter(%Pleroma.Upload{content_type: "image/heic"}), do: {:ok, :noop}
   def filter(%Pleroma.Upload{content_type: "image/webp"}), do: {:ok, :noop}
+  def filter(%Pleroma.Upload{content_type: "image/svg" <> _}), do: {:ok, :noop}
 
   def filter(%Pleroma.Upload{tempfile: file, content_type: "image" <> _}) do
     try do

lib/pleroma/web/activity_pub/activity_pub.ex

@@ -1453,13 +1453,22 @@ def fetch_activities_bounded(
 
   @spec upload(Upload.source(), keyword()) :: {:ok, Object.t()} | {:error, any()}
   def upload(file, opts \\ []) do
-    with {:ok, data} <- Upload.store(file, opts) do
+    with {:ok, data} <- Upload.store(sanitize_upload_file(file), opts) do
       obj_data = Maps.put_if_present(data, "actor", opts[:actor])
 
       Repo.insert(%Object{data: obj_data})
     end
   end
 
+  defp sanitize_upload_file(%Plug.Upload{filename: filename} = upload) when is_binary(filename) do
+    %Plug.Upload{
+      upload
+      | filename: Path.basename(filename)
+    }
+  end
+
+  defp sanitize_upload_file(upload), do: upload
+
   @spec get_actor_url(any()) :: binary() | nil
   defp get_actor_url(url) when is_binary(url), do: url
   defp get_actor_url(%{"href" => href}) when is_binary(href), do: href

lib/pleroma/web/admin_api/report.ex

@@ -31,7 +31,7 @@ def extract_report_info(
 
   defp make_fake_activity(act, user) do
     %Activity{
-      id: "pleroma:fake",
+      id: "pleroma:fake:#{act["id"]}",
       data: %{
         "actor" => user.ap_id,
         "type" => "Create",

lib/pleroma/web/mastodon_api/views/instance_view.ex

@@ -27,7 +27,7 @@ def render("show.json", _) do
       thumbnail:
         URI.merge(Pleroma.Web.Endpoint.url(), Keyword.get(instance, :instance_thumbnail))
         |> to_string,
-      languages: ["en"],
+      languages: Keyword.get(instance, :languages, ["en"]),
       registrations: Keyword.get(instance, :registrations_open),
       approval_required: Keyword.get(instance, :account_approval_required),
       # Extra (not present in Mastodon):

lib/pleroma/web/rel_me.ex

@@ -9,17 +9,13 @@ defmodule Pleroma.Web.RelMe do
     recv_timeout: 2_000
   ]
 
-  if Pleroma.Config.get(:env) == :test do
-    def parse(url) when is_binary(url), do: parse_url(url)
-  else
-    @cachex Pleroma.Config.get([:cachex, :provider], Cachex)
-    def parse(url) when is_binary(url) do
-      @cachex.fetch!(:rel_me_cache, url, fn _ ->
-        {:commit, parse_url(url)}
-      end)
-    rescue
-      e -> {:error, "Cachex error: #{inspect(e)}"}
-    end
+  @cachex Pleroma.Config.get([:cachex, :provider], Cachex)
+  def parse(url) when is_binary(url) do
+    @cachex.fetch!(:rel_me_cache, url, fn _ ->
+      {:commit, parse_url(url)}
+    end)
+  rescue
+    e -> {:error, "Cachex error: #{inspect(e)}"}
   end
 
   def parse(_), do: {:error, "No URL provided"}

mix.exs

@@ -4,7 +4,7 @@ defmodule Pleroma.Mixfile do
   def project do
     [
       app: :pleroma,
-      version: version("2.5.0"),
+      version: version("2.5.1"),
       elixir: "~> 1.11",
       elixirc_paths: elixirc_paths(Mix.env()),
       compilers: [:phoenix, :gettext] ++ Mix.compilers(),
@@ -148,11 +148,9 @@ defp deps do
       {:ex_aws, "~> 2.1.6"},
       {:ex_aws_s3, "~> 2.0"},
       {:sweet_xml, "~> 0.7.2"},
-      {:earmark, "~> 1.4.15"},
+      {:earmark, "~> 1.4.22"},
       {:bbcode_pleroma, "~> 0.2.0"},
-      {:crypt,
-       git: "https://github.com/msantos/crypt.git",
-       ref: "f75cd55325e33cbea198fb41fe41871392f8fb76"},
+      {:crypt, "~> 1.0"},
       {:cors_plug, "~> 2.0"},
       {:web_push_encryption, "~> 0.3.1"},
       {:swoosh, "~> 1.0"},
@@ -162,7 +160,7 @@ defp deps do
       {:floki, "~> 0.27"},
       {:timex, "~> 3.6"},
       {:ueberauth, "~> 0.4"},
-      {:linkify, "~> 0.5.2"},
+      {:linkify, "~> 0.5.3"},
       {:http_signatures, "~> 0.1.1"},
       {:telemetry, "~> 1.0.0", override: true},
       {:poolboy, "~> 1.5"},

mix.lock

@@ -21,13 +21,13 @@
   "cowlib": {:hex, :cowlib, "2.11.0", "0b9ff9c346629256c42ebe1eeb769a83c6cb771a6ee5960bd110ab0b9b872063", [:make, :rebar3], [], "hexpm", "2b3e9da0b21c4565751a6d4901c20d1b4cc25cbb7fd50d91d2ab6dd287bc86a9"},
   "credo": {:hex, :credo, "1.6.7", "323f5734350fd23a456f2688b9430e7d517afb313fbd38671b8a4449798a7854", [:mix], [{:bunt, "~> 0.2.1", [hex: :bunt, repo: "hexpm", optional: false]}, {:file_system, "~> 0.2.8", [hex: :file_system, repo: "hexpm", optional: false]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: false]}], "hexpm", "41e110bfb007f7eda7f897c10bf019ceab9a0b269ce79f015d54b0dcf4fc7dd3"},
   "crontab": {:hex, :crontab, "1.1.8", "2ce0e74777dfcadb28a1debbea707e58b879e6aa0ffbf9c9bb540887bce43617", [:mix], [{:ecto, "~> 1.0 or ~> 2.0 or ~> 3.0", [hex: :ecto, repo: "hexpm", optional: true]}], "hexpm"},
-  "crypt": {:git, "https://github.com/msantos/crypt.git", "f75cd55325e33cbea198fb41fe41871392f8fb76", [ref: "f75cd55325e33cbea198fb41fe41871392f8fb76"]},
+  "crypt": {:hex, :crypt, "1.0.1", "a3567e1c651a2ec42c6650d9f3ab789e0f12a508c060653a9bbb5fafe60f043c", [:rebar3], [], "hexpm", "968dffe321c7a5d9f9b4577c4a4ff56a1c26d1a8a2270eb22c7636a0b43d3982"},
   "custom_base": {:hex, :custom_base, "0.2.1", "4a832a42ea0552299d81652aa0b1f775d462175293e99dfbe4d7dbaab785a706", [:mix], [], "hexpm", "8df019facc5ec9603e94f7270f1ac73ddf339f56ade76a721eaa57c1493ba463"},
   "db_connection": {:hex, :db_connection, "2.4.2", "f92e79aff2375299a16bcb069a14ee8615c3414863a6fef93156aee8e86c2ff3", [:mix], [{:connection, "~> 1.0", [hex: :connection, repo: "hexpm", optional: false]}, {:telemetry, "~> 0.4 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "4fe53ca91b99f55ea249693a0229356a08f4d1a7931d8ffa79289b145fe83668"},
   "decimal": {:hex, :decimal, "2.0.0", "a78296e617b0f5dd4c6caf57c714431347912ffb1d0842e998e9792b5642d697", [:mix], [], "hexpm", "34666e9c55dea81013e77d9d87370fe6cb6291d1ef32f46a1600230b1d44f577"},
   "deep_merge": {:hex, :deep_merge, "1.0.0", "b4aa1a0d1acac393bdf38b2291af38cb1d4a52806cf7a4906f718e1feb5ee961", [:mix], [], "hexpm", "ce708e5f094b9cd4e8f2be4f00d2f4250c4095be93f8cd6d018c753894885430"},
-  "earmark": {:hex, :earmark, "1.4.18", "618c4ff1563450d1832b7fb41dc6755e470f91a6fd4c70f350a58b14f64a7db8", [:mix], [{:earmark_parser, ">= 1.4.17", [hex: :earmark_parser, repo: "hexpm", optional: false]}], "hexpm", "57ac3b6da3958ed09c669a9b159e86377fcccda56bacde8a209fa4dcdef52560"},
-  "earmark_parser": {:hex, :earmark_parser, "1.4.17", "6f3c7e94170377ba45241d394389e800fb15adc5de51d0a3cd52ae766aafd63f", [:mix], [], "hexpm", "f93ac89c9feca61c165b264b5837bf82344d13bebc634cd575cb711e2e342023"},
+  "earmark": {:hex, :earmark, "1.4.22", "ea3e45c6359446dc308be0a64ce82a03260d973de7d0625a762e6d352ff57958", [:mix], [{:earmark_parser, "~> 1.4.23", [hex: :earmark_parser, repo: "hexpm", optional: false]}], "hexpm", "1caf5145665a42fd76d5317286b0c171861fb1c04f86ab103dde76868814fdfb"},
+  "earmark_parser": {:hex, :earmark_parser, "1.4.29", "149d50dcb3a93d9f3d6f3ecf18c918fb5a2d3c001b5d3305c926cddfbd33355b", [:mix], [], "hexpm", "4902af1b3eb139016aed210888748db8070b8125c2342ce3dcae4f38dcc63503"},
   "eblurhash": {:hex, :eblurhash, "1.2.2", "7da4255aaea984b31bb71155f673257353b0e0554d0d30dcf859547e74602582", [:rebar3], [], "hexpm", "8c20ca00904de023a835a9dcb7b7762fed32264c85a80c3cafa85288e405044c"},
   "ecto": {:hex, :ecto, "3.9.2", "017db3bc786ff64271108522c01a5d3f6ba0aea5c84912cfb0dd73bf13684108", [:mix], [{:decimal, "~> 1.6 or ~> 2.0", [hex: :decimal, repo: "hexpm", optional: false]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: true]}, {:telemetry, "~> 0.4 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "21466d5177e09e55289ac7eade579a642578242c7a3a9f91ad5c6583337a9d15"},
   "ecto_enum": {:hex, :ecto_enum, "1.4.0", "d14b00e04b974afc69c251632d1e49594d899067ee2b376277efd8233027aec8", [:mix], [{:ecto, ">= 3.0.0", [hex: :ecto, repo: "hexpm", optional: false]}, {:ecto_sql, "> 3.0.0", [hex: :ecto_sql, repo: "hexpm", optional: false]}, {:mariaex, ">= 0.0.0", [hex: :mariaex, repo: "hexpm", optional: true]}, {:postgrex, ">= 0.0.0", [hex: :postgrex, repo: "hexpm", optional: true]}], "hexpm", "8fb55c087181c2b15eee406519dc22578fa60dd82c088be376d0010172764ee4"},
@@ -64,7 +64,7 @@
   "joken": {:hex, :joken, "2.3.0", "62a979c46f2c81dcb8ddc9150453b60d3757d1ac393c72bb20fc50a7b0827dc6", [:mix], [{:jose, "~> 1.10", [hex: :jose, repo: "hexpm", optional: false]}], "hexpm", "57b263a79c0ec5d536ac02d569c01e6b4de91bd1cb825625fe90eab4feb7bc1e"},
   "jose": {:hex, :jose, "1.11.1", "59da64010c69aad6cde2f5b9248b896b84472e99bd18f246085b7b9fe435dcdb", [:mix, :rebar3], [], "hexpm", "078f6c9fb3cd2f4cfafc972c814261a7d1e8d2b3685c0a76eb87e158efff1ac5"},
   "jumper": {:hex, :jumper, "1.0.1", "3c00542ef1a83532b72269fab9f0f0c82bf23a35e27d278bfd9ed0865cecabff", [:mix], [], "hexpm", "318c59078ac220e966d27af3646026db9b5a5e6703cb2aa3e26bcfaba65b7433"},
-  "linkify": {:hex, :linkify, "0.5.2", "fb66be139fdf1656ecb31f78a93592724d1b78d960a1b3598bd661013ea0e3c7", [:mix], [], "hexpm", "8d71ac690218d8952c90cbeb63cb8cc33738bb230d8a56d487d9447f2a5eab86"},
+  "linkify": {:hex, :linkify, "0.5.3", "5f8143d8f61f5ff08d3aeeff47ef6509492b4948d8f08007fbf66e4d2246a7f2", [:mix], [], "hexpm", "3ef35a1377d47c25506e07c1c005ea9d38d700699d92ee92825f024434258177"},
   "majic": {:hex, :majic, "1.0.0", "37e50648db5f5c2ff0c9fb46454d034d11596c03683807b9fb3850676ffdaab3", [:make, :mix], [{:elixir_make, "~> 0.6.1", [hex: :elixir_make, repo: "hexpm", optional: false]}, {:mime, "~> 1.0", [hex: :mime, repo: "hexpm", optional: false]}, {:nimble_pool, "~> 0.2", [hex: :nimble_pool, repo: "hexpm", optional: false]}, {:plug, "~> 1.0", [hex: :plug, repo: "hexpm", optional: true]}], "hexpm", "7905858f76650d49695f14ea55cd9aaaee0c6654fa391671d4cf305c275a0a9e"},
   "makeup": {:hex, :makeup, "1.0.5", "d5a830bc42c9800ce07dd97fa94669dfb93d3bf5fcf6ea7a0c67b2e0e4a7f26c", [:mix], [{:nimble_parsec, "~> 0.5 or ~> 1.0", [hex: :nimble_parsec, repo: "hexpm", optional: false]}], "hexpm", "cfa158c02d3f5c0c665d0af11512fed3fba0144cf1aadee0f2ce17747fba2ca9"},
   "makeup_elixir": {:hex, :makeup_elixir, "0.14.1", "4f0e96847c63c17841d42c08107405a005a2680eb9c7ccadfd757bd31dabccfb", [:mix], [{:makeup, "~> 1.0", [hex: :makeup, repo: "hexpm", optional: false]}], "hexpm", "f2438b1a80eaec9ede832b5c41cd4f373b38fd7aa33e3b22d9db79e640cbde11"},

priv/static/index.html

@@ -1 +1 @@
-<!DOCTYPE html><html lang=en><head><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1,user-scalable=no"><!--server-generated-meta--><link rel=icon type=image/png href=/favicon.png><script defer=defer src=/static/js/9169.335214f6ab57538eae0b.js></script><script defer=defer src=/static/js/app.4c23e08cf351a54f4177.js></script><link href=/static/css/app.86977512e08af1f17d78.css rel=stylesheet></head><body class=hidden><noscript>To use Pleroma, please enable JavaScript.</noscript><div id=app></div><div id=popovers></body></html>
+<!DOCTYPE html><html lang=en><head><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1,user-scalable=no"><!--server-generated-meta--><link rel=icon type=image/png href=/favicon.png><script defer=defer src=/static/js/2724.e4840c73281069ba54ab.js></script><script defer=defer src=/static/js/app.8d2126d35dba9482db51.js></script><link href=/static/css/app.48e52505beba5b9ab69b.css rel=stylesheet></head><body class=hidden><noscript>To use Pleroma, please enable JavaScript.</noscript><div id=app></div><div id=modal></div><div id=popovers></body></html>

priv/static/static/css/1325.715a7f40cdd53f460ef4.css.map

@@ -1 +0,0 @@
-{"version":3,"file":"static/css/1325.715a7f40cdd53f460ef4.css","mappings":"AACA,uBAGE,mBAFA,aACA,YAEA,uBACA,4BACE,YACA,iBCPJ,gBACE,gBAEA,2DAEE,qBACA,iBACA,iEACE,mBAEF,mFACE,gBAKF,2CASE,8CAEA,yBAXF,2CAeI,yCAKN,sCAOE,YADA,eALA,gBACA,qBAEA,wBADA,uCAEA,YAEA,CAEA,yBATF,sCAWI,YADA,eACA,EAGF,kDACE,YACA,kBAEA,uDACE,eACA,eACA,cAKN,iCACE,aACA,mCACE,kBAGF,gDACE,aACA","sources":["webpack://pleroma_fe/./src/components/async_component_error/async_component_error.vue","webpack://pleroma_fe/./src/components/settings_modal/settings_modal.scss"],"sourcesContent":["\n.async-component-error {\n  display: flex;\n  height: 100%;\n  align-items: center;\n  justify-content: center;\n  .btn {\n    margin: .5em;\n    padding: .5em 2em;\n  }\n}\n","@import 'src/_variables.scss';\n.settings-modal {\n  overflow: hidden;\n\n  .setting-list,\n  .option-list {\n    list-style-type: none;\n    padding-left: 2em;\n    li {\n      margin-bottom: 0.5em;\n    }\n    .suboptions {\n      margin-top: 0.3em\n    }\n  }\n\n  &.peek {\n    .settings-modal-panel {\n      /* Explanation:\n       * Modal is positioned vertically centered.\n       * 100vh - 100% = Distance between modal's top+bottom boundaries and screen\n       * (100vh - 100%) / 2 = Distance between bottom (or top) boundary and screen\n       * + 100% - we move modal completely off-screen, it's top boundary touches\n       *   bottom of the screen\n       * - 50px - leaving tiny amount of space so that titlebar + tiny amount of modal is visible\n       */\n      transform: translateY(calc(((100vh - 100%) / 2 + 100%) - 50px));\n\n      @media all and (max-width: 800px) {\n        /* For mobile, the modal takes 100% of the available screen.\n           This ensures the minimized modal is always 50px above the browser bottom bar regardless of whether or not it is visible.\n        */\n        transform: translateY(calc(100% - 50px));\n      }\n    }\n  }\n\n  .settings-modal-panel {\n    overflow: hidden;\n    transition: transform;\n    transition-timing-function: ease-in-out;\n    transition-duration: 300ms;\n    width: 1000px;\n    max-width: 90vw;\n    height: 90vh;\n\n    @media all and (max-width: 800px) {\n      max-width: 100vw;\n      height: 100%;\n    }\n\n    >.panel-body {\n      height: 100%;\n      overflow-y: hidden;\n\n      .btn {\n        min-height: 2em;\n        min-width: 10em;\n        padding: 0 2em;\n      }\n    }\n  }\n\n  .settings-footer {\n    display: flex;\n    >* {\n      margin-right: 0.5em;\n    }\n\n    .extra-content {\n      display: flex;\n      flex-grow: 1;\n    }\n  }\n}\n"],"names":[],"sourceRoot":""}

priv/static/static/css/159.1d523a00378ebd68c5b3.css.map

@@ -0,0 +1 @@
+{"version":3,"file":"static/css/159.1d523a00378ebd68c5b3.css","mappings":"AAGA,gBACE,WAEA,0BACE,iBAEA,kDACE,aACA,eACA,cAEA,2DACE,aACA,cAGA,YAFA,WACA,UACA,CAEA,+DACE,YAEA,qEACE","sources":["webpack://pleroma_fe/./src/components/sticker_picker/sticker_picker.vue"],"sourcesContent":["\n@import \"../../variables\";\n\n.sticker-picker {\n  width: 100%;\n\n  .contents {\n    min-height: 250px;\n\n    .sticker-picker-content {\n      display: flex;\n      flex-wrap: wrap;\n      padding: 0 4px;\n\n      .sticker {\n        display: flex;\n        flex: 1 1 auto;\n        margin: 4px;\n        width: 56px;\n        height: 56px;\n\n        img {\n          height: 100%;\n\n          &:hover {\n            filter: drop-shadow(0 0 5px var(--accent, $fallback--link));\n          }\n        }\n      }\n    }\n  }\n}\n\n"],"names":[],"sourceRoot":""}

priv/static/static/css/5948.06d2a0d84620cba6a4fb.css.map

@@ -0,0 +1 @@
+{"version":3,"file":"static/css/5948.06d2a0d84620cba6a4fb.css","mappings":"AACA,uBAGE,mBAFA,aACA,YAEA,uBAEA,4BACE,YACA,iBCPJ,gBACE,gBAEA,2DAEE,qBACA,iBAEA,iEACE,mBAGF,mFACE,gBAIJ,sCAOE,YADA,eALA,gBACA,qBAEA,wBADA,uCAEA,YAEA,CAEA,yBATF,sCAWI,YADA,eACA,EAGF,kDACE,YACA,kBAEA,uDACE,eACA,eACA,cAKN,iCACE,aAEA,mCACE,kBAGF,gDACE,aACA,YAKF,2CASE,8CAEA,yBAXF,2CAgBI","sources":["webpack://pleroma_fe/./src/components/async_component_error/async_component_error.vue","webpack://pleroma_fe/./src/components/settings_modal/settings_modal.scss"],"sourcesContent":["\n.async-component-error {\n  display: flex;\n  height: 100%;\n  align-items: center;\n  justify-content: center;\n\n  .btn {\n    margin: 0.5em;\n    padding: 0.5em 2em;\n  }\n}\n","@import \"src/variables\";\n\n.settings-modal {\n  overflow: hidden;\n\n  .setting-list,\n  .option-list {\n    list-style-type: none;\n    padding-left: 2em;\n\n    li {\n      margin-bottom: 0.5em;\n    }\n\n    .suboptions {\n      margin-top: 0.3em;\n    }\n  }\n\n  .settings-modal-panel {\n    overflow: hidden;\n    transition: transform;\n    transition-timing-function: ease-in-out;\n    transition-duration: 300ms;\n    width: 1000px;\n    max-width: 90vw;\n    height: 90vh;\n\n    @media all and (max-width: 800px) {\n      max-width: 100vw;\n      height: 100%;\n    }\n\n    >.panel-body {\n      height: 100%;\n      overflow-y: hidden;\n\n      .btn {\n        min-height: 2em;\n        min-width: 10em;\n        padding: 0 2em;\n      }\n    }\n  }\n\n  .settings-footer {\n    display: flex;\n\n    >* {\n      margin-right: 0.5em;\n    }\n\n    .extra-content {\n      display: flex;\n      flex-grow: 1;\n    }\n  }\n\n  &.peek {\n    .settings-modal-panel {\n      /* Explanation:\n       * Modal is positioned vertically centered.\n       * 100vh - 100% = Distance between modal's top+bottom boundaries and screen\n       * (100vh - 100%) / 2 = Distance between bottom (or top) boundary and screen\n       * + 100% - we move modal completely off-screen, it's top boundary touches\n       *   bottom of the screen\n       * - 50px - leaving tiny amount of space so that titlebar + tiny amount of modal is visible\n       */\n      transform: translateY(calc(((100vh - 100%) / 2 + 100%) - 50px));\n\n      @media all and (max-width: 800px) {\n        /* For mobile, the modal takes 100% of the available screen.\n           This ensures the minimized modal is always 50px above the browser bottom\n           bar regardless of whether or not it is visible.\n        */\n        transform: translateY(calc(100% - 50px));\n      }\n    }\n  }\n}\n"],"names":[],"sourceRoot":""}

priv/static/static/css/6464.169260b661120cc50815.css.map

@@ -0,0 +1 @@
+{"version":3,"file":"static/css/6464.169260b661120cc50815.css","mappings":"AAEA,oBACE,gBAGF,yBACE,mBAAoB,CACpB,sBAAuB,CACvB,oBAAqB,CAErB,eACA,kBACA,qBAEA,wBADA,sCACA,CAEA,+BACE,eACA,iBAGF,yBAhBF,yBAqBI,aAGF,0BAxBF,yBAyBI,cAGF,kCAGE,8CACA,4CAFA,wCADA,eAGA,CAGE,iDACE,oCAKN,qCAGE,gCADA,mBADA,oBAEA,CAGF,uCAGE,eACA,2BAFA,kBADA,UAGA,CAGF,sCAWE,gDAJA,YANA,qCACA,2CAUA,oBAHA,kBACA,kBAPA,+DAEA,wBADA,uCAEA,WAEA,UAIA,CAGF,qCACE,+BAGF,wCACE,kCAGF,2CAKE,6GACE,CADF,sGADA,gBAHA,qCAEA,wBADA,kCAIE,CAIJ,qCACE,iBAGF,+BAKE,uCAEA,4CACE,YAEA,0BADA,UACA,CAGF,iDACE","sources":["webpack://pleroma_fe/./src/components/update_notification/update_notification.scss"],"sourcesContent":["@import \"src/variables\";\n\n.UpdateNotification {\n  overflow: hidden;\n}\n\n.UpdateNotificationModal {\n  --__top-fringe: 15em; // how much pleroma-tan should stick her head above\n  --__bottom-fringe: 80em; // just reserving as much as we can, number is mostly irrelevant\n  --__right-fringe: 8em;\n\n  font-size: 15px;\n  position: relative;\n  transition: transform;\n  transition-timing-function: ease-in-out;\n  transition-duration: 500ms;\n\n  .text {\n    max-width: 40em;\n    padding-left: 1em;\n  }\n\n  @media all and (max-width: 800px) {\n    /* For mobile, the modal takes 100% of the available screen.\n       This ensures the minimized modal is always 50px above the browser\n       bottom bar regardless of whether or not it is visible.\n   */\n    width: 100vw;\n  }\n\n  @media all and (max-height: 600px) {\n    display: none;\n  }\n\n  .content {\n    overflow: hidden;\n    margin-top: calc(-1 * var(--__top-fringe));\n    margin-bottom: calc(-1 * var(--__bottom-fringe));\n    margin-right: calc(-1 * var(--__right-fringe));\n\n    &.-noImage {\n      .text {\n        padding-right: var(--__right-fringe);\n      }\n    }\n  }\n\n  .panel-body {\n    border-width: 0 0 1px;\n    border-style: solid;\n    border-color: var(--border, $fallback--border);\n  }\n\n  .panel-footer {\n    z-index: 22;\n    position: relative;\n    border-width: 0;\n    grid-template-columns: auto;\n  }\n\n  .pleroma-tan {\n    object-fit: cover;\n    object-position: top;\n    transition: position, left, right, top, bottom, max-width, max-height;\n    transition-timing-function: ease-in-out;\n    transition-duration: 500ms;\n    width: 25em;\n    float: right;\n    z-index: 20;\n    position: relative;\n    shape-margin: 0.5em;\n    filter: drop-shadow(5px 5px 10px rgb(0 0 0 / 50%));\n    pointer-events: none;\n  }\n\n  .spacer-top {\n    min-height: var(--__top-fringe);\n  }\n\n  .spacer-bottom {\n    min-height: var(--__bottom-fringe);\n  }\n\n  .extra-info-group {\n    transition: max-height, padding, height;\n    transition-timing-function: ease-in;\n    transition-duration: 700ms;\n    max-height: 70vh;\n    mask:\n      linear-gradient(to top, white, transparent) bottom/100% 2px no-repeat,\n      linear-gradient(to top, white, white);\n  }\n\n  .art-credit {\n    text-align: right;\n  }\n\n  &.-peek {\n    /* Explanation:\n   * 100vh - 100% = Distance between modal's top+bottom boundaries and screen\n   * (100vh - 100%) / 2 = Distance between bottom (or top) boundary and screen\n   */\n    transform: translateY(calc(((100vh - 100%) / 2)));\n\n    .pleroma-tan {\n      float: right;\n      z-index: 10;\n      shape-image-threshold: 70%;\n    }\n\n    .extra-info-group {\n      max-height: 0;\n    }\n  }\n}\n"],"names":[],"sourceRoot":""}

priv/static/static/css/6464.2fa2e5f1fa93842c62b1.css.map

@@ -1 +0,0 @@
-{"version":3,"file":"static/css/6464.2fa2e5f1fa93842c62b1.css","mappings":"AACA,oBACE,gBAGF,yBACE,mBAAoB,CACpB,sBAAuB,CACvB,oBAAqB,CAErB,eACA,kBACA,qBAEA,wBADA,sCACA,CAEA,+BACE,eACA,iBAGF,yBAhBF,yBAoBI,aAGF,0BAvBF,yBAwBI,cAGF,kCAGE,8CACA,4CAFA,wCADA,eAGA,CAGE,iDACE,oCAKN,qCAGE,gCADA,mBADA,oBAEA,CAGF,uCAGE,eACA,2BAFA,kBADA,UAGA,CAGF,sCAWE,gDAJA,YANA,qCACA,2CAUA,oBAHA,kBACA,kBAPA,+DAEA,wBADA,uCAEA,WAEA,UAIA,CAGF,qCACE,+BAGF,wCACE,kCAGF,2CAKE,6GACE,CADF,sGADA,gBAHA,qCAEA,wBADA,kCAIE,CAIJ,qCACE,iBAGF,+BAKE,uCAEA,4CACE,YAEA,yBADA,UACA,CAGF,iDACE","sources":["webpack://pleroma_fe/./src/components/update_notification/update_notification.scss"],"sourcesContent":["@import 'src/_variables.scss';\n.UpdateNotification {\n  overflow: hidden;\n}\n\n.UpdateNotificationModal {\n  --__top-fringe: 15em; // how much pleroma-tan should stick her head above\n  --__bottom-fringe: 80em; // just reserving as much as we can, number is mostly irrelevant\n  --__right-fringe: 8em;\n\n  font-size: 15px;\n  position: relative;\n  transition: transform;\n  transition-timing-function: ease-in-out;\n  transition-duration: 500ms;\n\n  .text {\n    max-width: 40em;\n    padding-left: 1em;\n  }\n\n  @media all and (max-width: 800px) {\n    /* For mobile, the modal takes 100% of the available screen.\n    This ensures the minimized modal is always 50px above the browser bottom bar regardless of whether or not it is visible.\n   */\n    width: 100vw;\n  }\n\n  @media all and (max-height: 600px) {\n    display: none;\n  }\n\n  .content {\n    overflow: hidden;\n    margin-top: calc(-1 * var(--__top-fringe));\n    margin-bottom: calc(-1 * var(--__bottom-fringe));\n    margin-right: calc(-1 * var(--__right-fringe));\n\n    &.-noImage {\n      .text {\n        padding-right: var(--__right-fringe);\n      }\n    }\n  }\n\n  .panel-body {\n    border-width: 0 0 1px 0;\n    border-style: solid;\n    border-color: var(--border, $fallback--border);\n  }\n\n  .panel-footer {\n    z-index: 22;\n    position: relative;\n    border-width: 0;\n    grid-template-columns: auto;\n  }\n\n  .pleroma-tan {\n    object-fit: cover;\n    object-position: top;\n    transition: position, left, right, top, bottom, max-width, max-height;\n    transition-timing-function: ease-in-out;\n    transition-duration: 500ms;\n    width: 25em;\n    float: right;\n    z-index: 20;\n    position: relative;\n    shape-margin: 0.5em;\n    filter: drop-shadow(5px 5px 10px rgba(0,0,0,0.5));\n    pointer-events: none;\n  }\n\n  .spacer-top {\n    min-height: var(--__top-fringe);\n  }\n\n  .spacer-bottom {\n    min-height: var(--__bottom-fringe);\n  }\n\n  .extra-info-group {\n    transition: max-height, padding, height;\n    transition-timing-function: ease-in;\n    transition-duration: 700ms;\n    max-height: 70vh;\n    mask:\n      linear-gradient(to top, white, transparent) bottom/100% 2px no-repeat,\n      linear-gradient(to top, white, white);\n  }\n\n  .art-credit {\n    text-align: right;\n  }\n\n  &.-peek {\n  /* Explanation:\n   * 100vh - 100% = Distance between modal's top+bottom boundaries and screen\n   * (100vh - 100%) / 2 = Distance between bottom (or top) boundary and screen\n   */\n    transform: translateY(calc(((100vh - 100%) / 2)));\n\n    .pleroma-tan {\n      float: right;\n      z-index: 10;\n      shape-image-threshold: 0.7;\n    }\n\n    .extra-info-group {\n      max-height: 0;\n    }\n  }\n}\n"],"names":[],"sourceRoot":""}

priv/static/static/css/8532.88b90ac86f3060a3144e.css.map

@@ -1 +0,0 @@
-{"version":3,"file":"static/css/8532.88b90ac86f3060a3144e.css","mappings":"AAGA,gBACE,WACA,0BACE,iBACA,kDACE,aACA,eACA,cACA,2DACE,aACA,cAGA,YAFA,WACA,UACA,CACA,+DACE,YACA,qEACE","sources":["webpack://pleroma_fe/./src/components/sticker_picker/sticker_picker.vue"],"sourcesContent":["\n@import '../../_variables.scss';\n\n.sticker-picker {\n  width: 100%;\n  .contents {\n    min-height: 250px;\n    .sticker-picker-content {\n      display: flex;\n      flex-wrap: wrap;\n      padding: 0 4px;\n      .sticker {\n        display: flex;\n        flex: 1 1 auto;\n        margin: 4px;\n        width: 56px;\n        height: 56px;\n        img {\n          height: 100%;\n          &:hover {\n            filter: drop-shadow(0 0 5px var(--accent, $fallback--link));\n          }\n        }\n      }\n    }\n  }\n}\n\n"],"names":[],"sourceRoot":""}

priv/static/static/js/2724.e4840c73281069ba54ab.js.LICENSE.txt

@@ -33,12 +33,6 @@
 
 /*! (c) Andrea Giammarchi - ISC */
 
-/*! https://mths.be/punycode v1.3.2 by @mathias */
-
 /*! js-cookie v3.0.1 | MIT */
 
-/*! lozad.js - v1.16.0 - 2020-09-06
-* https://github.com/ApoorvSaxena/lozad.js
-* Copyright (c) 2020 Apoorv Saxena; Licensed MIT */
-
 /*! regenerator-runtime -- Copyright (c) 2014-present, Facebook, Inc. -- license (MIT): https://github.com/facebook/regenerator/blob/main/LICENSE */

priv/static/sw-pleroma.js.LICENSE.txt

@@ -25,6 +25,4 @@
  * MIT Licensed
  */
 
-/*! https://mths.be/punycode v1.3.2 by @mathias */
-
 /*! regenerator-runtime -- Copyright (c) 2014-present, Facebook, Inc. -- license (MIT): https://github.com/facebook/regenerator/blob/main/LICENSE */

test/pleroma/notification_test.exs

@@ -334,6 +334,32 @@ test "it disables notifications from strangers" do
       refute Notification.create_notification(activity, followed)
     end
 
+    test "it disables notifications from non-followees" do
+      follower = insert(:user)
+
+      followed =
+        insert(:user,
+          notification_settings: %Pleroma.User.NotificationSetting{block_from_strangers: true}
+        )
+
+      CommonAPI.follow(follower, followed)
+      {:ok, activity} = CommonAPI.post(follower, %{status: "hey @#{followed.nickname}"})
+      refute Notification.create_notification(activity, followed)
+    end
+
+    test "it allows notifications from followees" do
+      poster = insert(:user)
+
+      receiver =
+        insert(:user,
+          notification_settings: %Pleroma.User.NotificationSetting{block_from_strangers: true}
+        )
+
+      CommonAPI.follow(receiver, poster)
+      {:ok, activity} = CommonAPI.post(poster, %{status: "hey @#{receiver.nickname}"})
+      assert Notification.create_notification(activity, receiver)
+    end
+
     test "it doesn't create a notification for user if he is the activity author" do
       activity = insert(:note_activity)
       author = User.get_cached_by_ap_id(activity.data["actor"])
@@ -1225,5 +1251,32 @@ test "it returns notifications about favorites with filtered word", %{user: user
 
       assert length(Notification.for_user(user)) == 1
     end
+
+    test "it returns notifications when related object is without content and filters are defined",
+         %{user: user} do
+      followed_user = insert(:user, is_locked: true)
+
+      insert(:filter, user: followed_user, phrase: "test", hide: true)
+
+      {:ok, _, _, _activity} = CommonAPI.follow(user, followed_user)
+      refute FollowingRelationship.following?(user, followed_user)
+      assert [notification] = Notification.for_user(followed_user)
+
+      assert %{type: "follow_request"} =
+               NotificationView.render("show.json", %{
+                 notification: notification,
+                 for: followed_user
+               })
+
+      assert {:ok, _} = CommonAPI.accept_follow_request(user, followed_user)
+
+      assert [notification] = Notification.for_user(followed_user)
+
+      assert %{type: "follow"} =
+               NotificationView.render("show.json", %{
+                 notification: notification,
+                 for: followed_user
+               })
+    end
   end
 end

test/pleroma/upload/filter/exiftool/read_description_test.exs

@@ -42,6 +42,33 @@ test "otherwise returns ImageDescription when present" do
              {:ok, :filtered, uploads_after}
   end
 
+  test "Ignores warnings" do
+    uploads = %Pleroma.Upload{
+      name: "image_with_imagedescription_and_caption-abstract_and_stray_data_after.png",
+      content_type: "image/png",
+      path:
+        Path.absname(
+          "test/fixtures/image_with_imagedescription_and_caption-abstract_and_stray_data_after.png"
+        ),
+      tempfile:
+        Path.absname(
+          "test/fixtures/image_with_imagedescription_and_caption-abstract_and_stray_data_after.png"
+        )
+    }
+
+    assert {:ok, :filtered, %{description: "a descriptive white pixel"}} =
+             Filter.Exiftool.ReadDescription.filter(uploads)
+
+    uploads = %Pleroma.Upload{
+      name: "image_with_stray_data_after.png",
+      content_type: "image/png",
+      path: Path.absname("test/fixtures/image_with_stray_data_after.png"),
+      tempfile: Path.absname("test/fixtures/image_with_stray_data_after.png")
+    }
+
+    assert {:ok, :filtered, %{description: nil}} = Filter.Exiftool.ReadDescription.filter(uploads)
+  end
+
   test "otherwise returns iptc:Caption-Abstract when present" do
     upload = %Pleroma.Upload{
       name: "image_with_caption-abstract.jpg",

test/pleroma/upload/filter/exiftool/strip_location_test.exs

@@ -31,12 +31,19 @@ test "apply exiftool filter" do
     refute String.match?(exif_filtered, ~r/GPS/)
   end
 
-  test "verify webp files are skipped" do
-    upload = %Pleroma.Upload{
-      name: "sample.webp",
-      content_type: "image/webp"
-    }
+  test "verify webp, heic, svg  files are skipped" do
+    uploads =
+      ~w{webp heic svg svg+xml}
+      |> Enum.map(fn type ->
+        %Pleroma.Upload{
+          name: "sample.#{type}",
+          content_type: "image/#{type}"
+        }
+      end)
 
-    assert Filter.Exiftool.StripLocation.filter(upload) == {:ok, :noop}
+    uploads
+    |> Enum.each(fn upload ->
+      assert Filter.Exiftool.StripLocation.filter(upload) == {:ok, :noop}
+    end)
   end
 end

test/pleroma/web/activity_pub/activity_pub_test.exs

@@ -1342,6 +1342,14 @@ test "returns reblogs for users for whom reblogs have not been muted" do
       %{test_file: test_file}
     end
 
+    test "strips / from filename", %{test_file: file} do
+      file = %Plug.Upload{file | filename: "../../../../../nested/bad.jpg"}
+      {:ok, %Object{} = object} = ActivityPub.upload(file)
+      [%{"href" => href}] = object.data["url"]
+      assert Regex.match?(~r"/bad.jpg$", href)
+      refute Regex.match?(~r"/nested/", href)
+    end
+
     test "sets a description if given", %{test_file: file} do
       {:ok, %Object{} = object} = ActivityPub.upload(file, description: "a cool file")
       assert object.data["name"] == "a cool file"

test/pleroma/web/admin_api/controllers/report_controller_test.exs

@@ -366,6 +366,34 @@ test "returns reports with specified state", %{conn: conn} do
                |> json_response_and_validate_schema(:ok)
     end
 
+    test "renders content correctly", %{conn: conn} do
+      [reporter, target_user] = insert_pair(:user)
+      note = insert(:note, user: target_user, data: %{"content" => "mew 1"})
+      note2 = insert(:note, user: target_user, data: %{"content" => "mew 2"})
+      activity = insert(:note_activity, user: target_user, note: note)
+      activity2 = insert(:note_activity, user: target_user, note: note2)
+
+      {:ok, _report} =
+        CommonAPI.report(reporter, %{
+          account_id: target_user.id,
+          comment: "I feel offended",
+          status_ids: [activity.id, activity2.id]
+        })
+
+      CommonAPI.delete(activity.id, target_user)
+      CommonAPI.delete(activity2.id, target_user)
+
+      response =
+        conn
+        |> get(report_path(conn, :index))
+        |> json_response_and_validate_schema(:ok)
+
+      assert [open_report] = response["reports"]
+      assert %{"statuses" => [s1, s2]} = open_report
+      assert "mew 1" in [s1["content"], s2["content"]]
+      assert "mew 2" in [s1["content"], s2["content"]]
+    end
+
     test "returns 403 when requested by a non-admin" do
       user = insert(:user)
       token = insert(:oauth_token, user: user)

test/pleroma/web/common_api/utils_test.exs

@@ -178,6 +178,10 @@ test "links" do
       code = "https://github.com/pragdave/earmark/"
       {result, [], []} = Utils.format_input(code, "text/markdown")
       assert result == ~s[<p><a href="#{code}">#{code}</a></p>]
+
+      code = "https://github.com/~foo/bar"
+      {result, [], []} = Utils.format_input(code, "text/markdown")
+      assert result == ~s[<p><a href="#{code}">#{code}</a></p>]
     end
 
     test "link with local mention" do

test/pleroma/web/common_api_test.exs

@@ -518,6 +518,25 @@ test "it de-duplicates tags" do
     assert Object.tags(object) == ["2hu"]
   end
 
+  test "zwnj is treated as word character" do
+    user = insert(:user)
+    {:ok, activity} = CommonAPI.post(user, %{status: "#ساٴين‌س"})
+
+    object = Object.normalize(activity, fetch: false)
+
+    assert Object.tags(object) == ["ساٴين‌س"]
+  end
+
+  test "double dot in link is allowed" do
+    user = insert(:user)
+    text = "https://example.to/something..mp3"
+    {:ok, activity} = CommonAPI.post(user, %{status: text})
+
+    object = Object.normalize(activity, fetch: false)
+
+    assert object.data["content"] == "<a href=\"#{text}\" rel=\"ugc\">#{text}</a>"
+  end
+
   test "it adds emoji in the object" do
     user = insert(:user)
     {:ok, activity} = CommonAPI.post(user, %{status: ":firefox:"})

test/pleroma/web/mastodon_api/controllers/instance_controller_test.exs

@@ -92,4 +92,18 @@ test "get peers", %{conn: conn} do
 
     assert ["peer1.com", "peer2.com"] == Enum.sort(result)
   end
+
+  test "instance languages", %{conn: conn} do
+    assert %{"languages" => ["en"]} =
+             conn
+             |> get("/api/v1/instance")
+             |> json_response_and_validate_schema(200)
+
+    clear_config([:instance, :languages], ["aa", "bb"])
+
+    assert %{"languages" => ["aa", "bb"]} =
+             conn
+             |> get("/api/v1/instance")
+             |> json_response_and_validate_schema(200)
+  end
 end

test/pleroma/web/mastodon_api/controllers/media_controller_test.exs

@@ -122,6 +122,23 @@ test "/api/v2/media, upload_limit", %{conn: conn, user: user} do
 
       assert :ok == File.rm(Path.absname("test/tmp/large_binary.data"))
     end
+
+    test "Do not allow nested filename", %{conn: conn, image: image} do
+      image = %Plug.Upload{
+        image
+        | filename: "../../../../../nested/file.jpg"
+      }
+
+      desc = "Description of the image"
+
+      media =
+        conn
+        |> put_req_header("content-type", "multipart/form-data")
+        |> post("/api/v1/media", %{"file" => image, "description" => desc})
+        |> json_response_and_validate_schema(:ok)
+
+      refute Regex.match?(~r"/nested/", media["url"])
+    end
   end
 
   describe "Update media description" do

test/pleroma/web/mastodon_api/update_credentials_test.exs

@@ -383,6 +383,34 @@ test "updates the user's background, upload_limit, returns a HTTP 413", %{
       assert :ok == File.rm(Path.absname("test/tmp/large_binary.data"))
     end
 
+    test "Strip / from upload files", %{user: user, conn: conn} do
+      new_image = %Plug.Upload{
+        content_type: "image/jpeg",
+        path: Path.absname("test/fixtures/image.jpg"),
+        filename: "../../../../nested/an_image.jpg"
+      }
+
+      assert user.avatar == %{}
+
+      res =
+        patch(conn, "/api/v1/accounts/update_credentials", %{
+          "avatar" => new_image,
+          "header" => new_image,
+          "pleroma_background_image" => new_image
+        })
+
+      assert user_response = json_response_and_validate_schema(res, 200)
+      assert user_response["avatar"]
+      assert user_response["header"]
+      assert user_response["pleroma"]["background_image"]
+      refute Regex.match?(~r"/nested/", user_response["avatar"])
+      refute Regex.match?(~r"/nested/", user_response["header"])
+      refute Regex.match?(~r"/nested/", user_response["pleroma"]["background_image"])
+
+      user = User.get_by_id(user.id)
+      refute user.avatar == %{}
+    end
+
     test "requires 'write:accounts' permission" do
       token1 = insert(:oauth_token, scopes: ["read"])
       token2 = insert(:oauth_token, scopes: ["write", "follow"])