Socialhome is best described as a federated personal profile with social networking functionality

Last update: Dec 30, 2022

Overview

Description

Socialhome is best described as a federated personal profile with social networking functionality. Users can create rich content using Markdown and even HTML/JS/CSS (if set as trusted user). All content can be pinned to the user profile and all content will federate to contacts in the federated social web. Currently federation happens using the ActivityPub and Diaspora protocols.

Please check the official site for more information about features. Naturally, the official site is a Socialhome profile itself.

Official site: https://socialhome.network.

Documentation: http://socialhome.readthedocs.io/

Joining

Please check https://the-federation.info/socialhome for servers with open registration, if you don't want to run your own.

Please see the community pages for how to interact with the community.

Installation

Please see the installation pages.

Running an instance

Please see the running an instance pages.

Development

Please see the development pages.

NOTE! Contributions welcome through GitHub even though code repository has been moved to the Feneas GitLab. Issue tracker however is only available on the GitLab server. GitHub users, you can log in using your GitHub credentials.

Source code

Socialhome is fully open source, licenced under the AGPLv3 license.

Translations

Our translations are handled via Weblate. Please join the translations team by requesting access via there. Humble thank you for Weblate for their Libre hosting offering 💚

Please also read TRANSLATIONS.md for information on the translations process.

Comments

First attempt at Dockerized production socialhome
This is a small pull request, but there's a lot in this which we'll need to figure out.

The first thing to note is that we use a single image for all of the various Socialhome functions. That's not a normal Docker pattern, but due to the structure of Socialhome, the alternative would be to have a set of Docker images that are exactly the same except for the entrypoint. More on this a bit later.

Secondly, Docker Compose does not allow for multiple instances of a particular program. That is, it's not possible using Docker Compose to run multiple instances of RQScheduler. That leaves us with two alternatives: of a) Requiring Docker Swarm or b) Using something like Circus to manage these processes

While that's not supported in the current setup, my suggestion would be that for small instances, mirroring the Circus setup might be the easiest thing to do. Larger installations may want to use Docker Swarm or Kubernetes, but I'm hesitant to require it.

Thirdly, I've been giving a lot of thought and consideration to the users that these applications run as. Docker's use of Linux containers means that there should be no easy escalation path from root within a container to root outside of a container- that's the whole point of containers. That notwithstanding, I still think that privilege de-escalation is a good idea, the problem has to do with file permissions in the data volumes- that is between the mapping between the container's view of the world (its /etc/passwd) and the system's users, specifically mapping of UIDs and GIDs between the two. It would be fine (and easy) to run de-escalated within the container, but there can be problems with file permissions either between Docker images that don't share the same user, or between the Docker image and if (for some reason) that same area was shared with another system. The way this applies to Socialhome is in mainly regards to the media directory. I think the long term solution (before making this official) is to simply accept this limitation, but right now, everything runs as root.

Fourthly, I'm suggesting that a developer using this setup use nginx on an unencrypted port 80. The reason for this is that it likely makes sense that someone deploying this software will be using some kind of virtual host management and likely adding SSL/TLS encryption at that level. Therefore by offering the site unencrypted to that service, it can handle all the certificates itself, and or do caching.

Fifth, relatedly, I'm using the nginx official Docker image with a configuration file I supply myself. This involves an extra step for the user (deployer) in setting this up. We could offer our own image.

Sixth, I'm including an exim server for smart relay. I'm very much on the fence about this. On the argument for including it, this simplifies the Socialhome setup in the sense that the Socialhome software itself would only need to know about the "smtp" server, rather than needing to have the software talk to the actual mail server. This also eliminates the need for authentication credentials to the mail server to be shared to the various Python components, and also means that they don't need to even have network access to the final mail server- only the "smtp" server would need that. Lastly, it means that if the upsteam mail server is not up for some reason, it should allow for the mail sending process (one of the rqworker processes) to complete successfully.

On the 'con' side, there are a number of negatives. Firstly, this will add an extra level of complexity, and delay, to mail sending. Secondly, there's an argument that could be made that the notification system itself should handle the inability to send mail, rather than it completing successfully and then being unable to know if there was a failure later. Thirdly, I'm not entirely thrilled with this Docker image. It's unclear to me where Exim stores its mail queue data and without that, it would be possible that mail might be lost if the server is shut down. There are equivalent images for Postfix (which I'm more familiar with) but they seemed more complex to set up.

I almost went down of writing my own LSMTP server, and then decided that this was a very bad idea.

I don't consider this done and ready. I am giving this to you as something to discuss.

At the very least, before it's committed, it needs more testing and documentation.

Seventh and last, the production image should only contain the software needed to run, not all the software needed to build Socialhome. That means all the NPM build tools are unnecessary. There are a number of ways to do this, but I think the right way is simply to use a multi-stage build (the same way we might if we were compiling software). If we do this, we may also be able to take advantage of the opportunity to run compileall on the code, building .pyo and .pyc files to improve loading time.

Dovetailing this, though, we if we want to optimize this, we would also remove the javascript, as well as uwsgi, etc. from all but the necessary containers.

To highlight the most pressing questions:

Do we have one image with lots of entrypoints, or many images?

Handling the number of rqworkers required without adding more dependedencies

How do we want to handle users?

Do we want to ship instructions, or our own nginx image?

Do we want to suggest this exim container or maybe something else?

And remaining to do:

Testing this setup - I need to test it a few more times from scratch

Documentation - There's a lot to document, especially the boostrapping process

Deciding on some of the questions above

Putting up an official docker image for Socialhome
opened by ghost 14
Bootstrap-markdown on publisher

Note: The boostrap-markdown plugin is not compatible with BS4 yet. So I need an upstream PR to be merged to fix the buttons. Also, some FontAwesome icon seems to not work properly.

opened by christophehenry 12
Add NSFW shield
Ok, here is my proposition for a NSFW shield:

hidden

shown

When hidden, it only shows the tags. BTW, for an unknown reason, the tags field of the API does not gives the correct tags. In this example, it's an array containing 3.

The current implementation solves #111 as the HTML element is not even redered until the user clicks the button to show.
opened by christophehenry 8

Add user profile at authentication

/api-token-auth/ now returns limited profile infos in addition to token:

{
  "guid": "eba9d938-71a2-4570-96c2-99e6e6bb232f",
  "handle": "[email protected]:8000",
  "home_url": "http:\/\/127.0.0.1:8000\/p\/eba9d938-71a2-4570-96c2-99e6e6bb232f\/",
  "id": 2,
  "image_url_small": "http:\/\/127.0.0.1:8000\/static\/images\/pony50.png",
  "is_local": true,
  "name": "",
  "url": "http:\/\/127.0.0.1:8000\/p\/eba9d938-71a2-4570-96c2-99e6e6bb232f\/",
  "token": "0ab231f9f7ab63a6f78fd9746b9bdc9926a734fd"
}

[x] Tests
[x] Update the docs to explain how to recover token

Refs: #446

opened by christophehenry 7

Remove hardcoded translations from Vue
[x] Use VueRouter to match the route and render different stamped elements

[x] Use Django's gettext library to perform translations

[x] I can haz tests?
opened by christophehenry 7
Use UUIDs for profile API
Changed the API to use UUIDs for profiles, and tests to test appropriately. Wanted to have a sanity check before starting work on the rest of the API.

TODO:

[X] update frontend where necessary
opened by ellisist 6
Add replies to vue.js streams + other improvements
Add replies to Vue.js streams

Organize replies first by original content then shares

Add shares endpoint to Content API

Add share replies to Content API replies endpoint

Add share_of to Content API serialization

Highlight reaction icons with active colour in vue.js streams

Remove unnecessary select_related in contentqueryset

TODO:

[x] Add moar tests for new and changed functionality

[x] Don't show reply to share button if the share has no replies

[x] Add spinner when loading the replies

Refs: #202, #206
in progress
opened by jaywink 6
Twitter streams OEmbed refactor
Fix (or hack around) how Masonry layout is done in Vue streams for Twitter OEmbed widgets.

Load widget script once in base template

Do a layout (hackily) after 2 and 4 seconds (if oembed's), to ensure Twitter widget has had time to load content

Add has_twitter_oembed to Content API as a read only field

TODO:

[x] ~~Check~~ Ensure layouting triggers after load more

Clear the flag on load more?

[x] Trigger widgets script after Vue initialized... how and where from?

Maybe call twttr.widgets.load() after each mount of streamelement with twitter oembed content?

Refs: #202
opened by jaywink 5
Add load more trigger to StreamElement
When processing content in stream store, add a load more trigger to the fifth last content object. For the content that has this flag, render a load more div in StreamElement, which reacts to scrolling.

Fires an event to turn off the load more once content is scrolled to.

Refs: #202

TODO:

[x] Add tests

@christophehenry, this solution seems to work, like I suggested in #346 comments. It will only fire the load more trigger once. Currently it doesn't have the dispatch to actually load more, just the trigger part. Sorry it wasn't really possible to send a PR to your branch any more.

I propose I finalize this (tests) and then merge it, then the actual data fetch can be added, the remaining parts in your PR? Might be easier to pick the still relevant parts into a new branch instead of trying to rebase the code. Sorry I couldn't help with this earlier.
opened by jaywink 5
Add an easily customizable ``robots.txt`` with default rules

The rules by default disallow all except direct links to content, the root profile and the public stream. Server admins can customize the rules easily via the admin interface.

opened by jaywink 4
Add Vue single content view
Make ContentDetailView render the Vue streams app if vue preference is set. Tweak streams app to render a single content in case the stream name is content stream. Some small refactoring to optimize grid stream related actions only when rendering a grid. Small optimization to store in preparing a 'stream' object when initializing the app. This will allow to update the state according to routing events in the future.

Refs: #202

TODO:

[x] Add test coverage for sigle content vue view
opened by jaywink 4
Bump flat and @vue/cli-plugin-unit-mocha in /socialhome/frontend
Bumps flat to 5.0.2 and updates ancestor dependency @vue/cli-plugin-unit-mocha. These dependencies need to be updated together.

Updates flat from 4.1.0 to 5.0.2

Commits

e5ffd66 Release 5.0.2

fdb79d5 Update dependencies, refresh lockfile, format with standard.

e52185d Test against node 14 in CI.

0189cb1 Avoid arrow function syntax.

f25d3a1 Release 5.0.1

54cc7ad use standard formatting

779816e drop dependencies

2eea6d3 Bump lodash from 4.17.15 to 4.17.19

a61a554 Bump acorn from 7.1.0 to 7.4.0

20ef0ef Fix prototype pollution on unflatten

Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by timoxley, a new releaser for flat since your current version.

Updates @vue/cli-plugin-unit-mocha from 4.2.2 to 5.0.8

Release notes

Sourced from @vue/cli-plugin-unit-mocha's releases.

v5.0.8

:bug: Bug Fix

@vue/cli-service

0260e4d fix: add devServer.server.type to useHttps judgement (vuejs/vue-cli#7222)

@vue/cli-ui

07052c4 fix: Vue CLI UI graphql subscription server error, fixes vuejs/vue-cli#7221

v5.0.7

@vue/cli-service

#7202, [558dea2] fix: support devServer.server option, avoid deprecation warnings (@backrunner, @sodatea)

[beffe8a] fix: allow disabling progress plugin via devServer.client.progress

@vue/cli-ui

#7210 chore: upgrade to apollo-server-express 3.x

Committers: 2

BackRunner (@backrunner)

Haoqun Jiang (@sodatea)

v5.0.6

Fix compatibility with the upcoming Vue 2.7 (currently in alpha) and Vue Loader 15.10 (currently in beta).

In Vue 2.7, vue-template-compiler is no longer a required peer dependency. Rather, there's a new export under the main package as vue/compiler-sfc.

v5.0.5

:bug: Bug Fix

@vue/cli

#7167 fix(upgrade): prevent changing the structure of package.json file during upgrade (@blzsaa)

@vue/cli-service

#7023 fix: windows vue.config.mjs support (@xiaoxiangmoe)

@vue/cli-plugin-e2e-cypress

[697bb44] fix: should correctly resolve cypress bin path for Cypress 10 (Note that the project is still created with Cypress 9 by default, but you can upgrade to Cypress 10 on your own now)

Committers: 3

Martijn Jacobs (@maerteijn)

ZHAO Jinxiang (@xiaoxiangmoe)

@blzsaa

v5.0.4

:bug: Bug Fix

@vue/cli-service

#7005 Better handling of publicPath: 'auto' (@AndreiSoroka)

@vue/cli-shared-utils, @vue/cli-ui

75826d6 fix: replace node-ipc with @achrinza/node-ipc to further secure the dependency chain

Committers: 1

Andrei (@AndreiSoroka)

Haoqun Jiang (@sodatea)

v5.0.3

... (truncated)

Changelog

Sourced from @vue/cli-plugin-unit-mocha's changelog.

5.0.7 (2022-07-05)

@vue/cli-service

#7202, [558dea2] fix: support devServer.server option, avoid deprecation warnings (@backrunner, @sodatea)

[beffe8a] fix: allow disabling progress plugin via devServer.client.progress

@vue/cli-ui

#7210 chore: upgrade to apollo-server-express 3.x

Committers: 2

BackRunner (@backrunner)

Haoqun Jiang (@sodatea)

5.0.6 (2022-06-16)

Fix compatibility with the upcoming Vue 2.7 (currently in alpha) and Vue Loader 15.10 (currently in beta).

In Vue 2.7, vue-template-compiler is no longer a required peer dependency. Rather, there's a new export under the main package as vue/compiler-sfc.

5.0.5 (2022-06-16)

:bug: Bug Fix

@vue/cli

#7167 feat(upgrade): prevent changing the structure of package.json file during upgrade (@blzsaa)

@vue/cli-service

#7023 fix: windows vue.config.mjs support (@xiaoxiangmoe)

Committers: 3

Martijn Jacobs (@maerteijn)

ZHAO Jinxiang (@xiaoxiangmoe)

@blzsaa

5.0.4 (2022-03-22)

:bug: Bug Fix

@vue/cli-service

#7005 Better handling of publicPath: 'auto' (@AndreiSoroka)

@vue/cli-shared-utils, @vue/cli-ui

75826d6 fix: replace node-ipc with @achrinza/node-ipc to further secure the dependency chain

Committers: 1

... (truncated)

Commits

b154dbd v5.0.8

4a0655f v5.0.7

ef08a08 v5.0.6

98c66c9 v5.0.5

ce97e62 fix: add XMLSerializer to the global scope (#7101)

ca97fc2 v5.0.4

dd53f26 v5.0.3

a859b1f v5.0.2

92d80a8 v5.0.1

c913cdc v5.0.0

Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot use these labels will set the current labels as the default for future PRs for this repo and language

@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language

@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language

@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies javascript
opened by dependabot[bot] 0
Bump wheel from 0.37.0 to 0.38.1 in /requirements
Bumps wheel from 0.37.0 to 0.38.1.

Changelog

Sourced from wheel's changelog.

Release Notes

UNRELEASED

Updated vendored packaging to 22.0

0.38.4 (2022-11-09)

Fixed PKG-INFO conversion in bdist_wheel mangling UTF-8 header values in METADATA (PR by Anderson Bravalheri)

0.38.3 (2022-11-08)

Fixed install failure when used with --no-binary, reported on Ubuntu 20.04, by removing setup_requires from setup.cfg

0.38.2 (2022-11-05)

Fixed regression introduced in v0.38.1 which broke parsing of wheel file names with multiple platform tags

0.38.1 (2022-11-04)

Removed install dependency on setuptools

The future-proof fix in 0.36.0 for converting PyPy's SOABI into a abi tag was faulty. Fixed so that future changes in the SOABI will not change the tag.

0.38.0 (2022-10-21)

Dropped support for Python < 3.7

Updated vendored packaging to 21.3

Replaced all uses of distutils with setuptools

The handling of license_files (including glob patterns and default values) is now delegated to setuptools>=57.0.0 (#466). The package dependencies were updated to reflect this change.

Fixed potential DoS attack via the WHEEL_INFO_RE regular expression

Fixed ValueError: ZIP does not support timestamps before 1980 when using SOURCE_DATE_EPOCH=0 or when on-disk timestamps are earlier than 1980-01-01. Such timestamps are now changed to the minimum value before packaging.

0.37.1 (2021-12-22)

Fixed wheel pack duplicating the WHEEL contents when the build number has changed (#415)

Fixed parsing of file names containing commas in RECORD (PR by Hood Chatham)

0.37.0 (2021-08-09)

Added official Python 3.10 support

Updated vendored packaging library to v20.9

... (truncated)

Commits

6f1608d Created a new release

cf8f5ef Moved news item from PR #484 to its proper place

9ec2016 Removed install dependency on setuptools (#483)

747e1f6 Fixed PyPy SOABI parsing (#484)

7627548 [pre-commit.ci] pre-commit autoupdate (#480)

7b9e8e1 Test on Python 3.11 final

a04dfef Updated the pypi-publish action

94bb62c Fixed docs not building due to code style changes

d635664 Updated the codecov action to the latest version

fcb94cd Updated version to match the release

Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot use these labels will set the current labels as the default for future PRs for this repo and language

@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language

@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language

@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies python
opened by dependabot[bot] 0
Bump qs from 6.5.2 to 6.5.3 in /socialhome/frontend
Bumps qs from 6.5.2 to 6.5.3.

Changelog

Sourced from qs's changelog.

6.5.3

[Fix] parse: ignore __proto__ keys (#428)

[Fix] utils.merge: avoid a crash with a null target and a truthy non-array source

[Fix] correctly parse nested arrays

[Fix] stringify: fix a crash with strictNullHandling and a custom filter/serializeDate (#279)

[Fix] utils: merge: fix crash when source is a truthy primitive & no options are provided

[Fix] when parseArrays is false, properly handle keys ending in []

[Fix] fix for an impossible situation: when the formatter is called with a non-string value

[Fix] utils.merge: avoid a crash with a null target and an array source

[Refactor] utils: reduce observable [[Get]]s

[Refactor] use cached Array.isArray

[Refactor] stringify: Avoid arr = arr.concat(...), push to the existing instance (#269)

[Refactor] parse: only need to reassign the var once

[Robustness] stringify: avoid relying on a global undefined (#427)

[readme] remove travis badge; add github actions/codecov badges; update URLs

[Docs] Clean up license text so it’s properly detected as BSD-3-Clause

[Docs] Clarify the need for "arrayLimit" option

[meta] fix README.md (#399)

[meta] add FUNDING.yml

[actions] backport actions from main

[Tests] always use String(x) over x.toString()

[Tests] remove nonexistent tape option

[Dev Deps] backport from main

Commits

298bfa5 v6.5.3

ed0f5dc [Fix] parse: ignore __proto__ keys (#428)

691e739 [Robustness] stringify: avoid relying on a global undefined (#427)

1072d57 [readme] remove travis badge; add github actions/codecov badges; update URLs

12ac1c4 [meta] fix README.md (#399)

0338716 [actions] backport actions from main

5639c20 Clean up license text so it’s properly detected as BSD-3-Clause

51b8a0b add FUNDING.yml

45f6759 [Fix] fix for an impossible situation: when the formatter is called with a no...

f814a7f [Dev Deps] backport from main

Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot use these labels will set the current labels as the default for future PRs for this repo and language

@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language

@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language

@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies javascript
opened by dependabot[bot] 0
Bump express from 4.17.1 to 4.18.2 in /socialhome/frontend
Bumps express from 4.17.1 to 4.18.2.

Release notes

Sourced from express's releases.

4.18.2

Fix regression routing a large stack in a single route

deps: [email protected]

deps: [email protected]

perf: remove unnecessary object clone

deps: [email protected]

4.18.1

Fix hanging on large stack of sync routes

4.18.0

Add "root" option to res.download

Allow options without filename in res.download

Deprecate string and non-integer arguments to res.status

Fix behavior of null/undefined as maxAge in res.cookie

Fix handling very large stacks of sync middleware

Ignore Object.prototype values in settings through app.set/app.get

Invoke default with same arguments as types in res.format

Support proper 205 responses using res.send

Use http-errors for res.format error

deps: [email protected]

Fix error message for json parse whitespace in strict

Fix internal error when inflated body exceeds limit

Prevent loss of async hooks context

Prevent hanging when request already read

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

Add priority option

Fix expires option to reject invalid dates

deps: [email protected]

Replace internal eval usage with Function constructor

Use instance methods on process to check for listeners

deps: [email protected]

Remove set content headers that break response

deps: [email protected]

deps: [email protected]

deps: [email protected]

Prevent loss of async hooks context

deps: [email protected]

deps: [email protected]

Fix emitted 416 error missing headers property

Limit the headers removed for 304 response

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

... (truncated)

Changelog

Sourced from express's changelog.

4.18.2 / 2022-10-08

Fix regression routing a large stack in a single route

deps: [email protected]

deps: [email protected]

perf: remove unnecessary object clone

deps: [email protected]

4.18.1 / 2022-04-29

Fix hanging on large stack of sync routes

4.18.0 / 2022-04-25

Add "root" option to res.download

Allow options without filename in res.download

Deprecate string and non-integer arguments to res.status

Fix behavior of null/undefined as maxAge in res.cookie

Fix handling very large stacks of sync middleware

Ignore Object.prototype values in settings through app.set/app.get

Invoke default with same arguments as types in res.format

Support proper 205 responses using res.send

Use http-errors for res.format error

deps: [email protected]

Fix error message for json parse whitespace in strict

Fix internal error when inflated body exceeds limit

Prevent loss of async hooks context

Prevent hanging when request already read

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

deps: [email protected]

Add priority option

Fix expires option to reject invalid dates

deps: [email protected]

Replace internal eval usage with Function constructor

Use instance methods on process to check for listeners

deps: [email protected]

Remove set content headers that break response

deps: [email protected]

deps: [email protected]

deps: [email protected]

Prevent loss of async hooks context

deps: [email protected]

deps: [email protected]

... (truncated)

Commits

8368dc1 4.18.2

61f4049 docs: replace Freenode with Libera Chat

bb7907b build: [email protected]

f56ce73 build: [email protected]

24b3dc5 deps: [email protected]

689d175 deps: [email protected]

340be0f build: [email protected]

33e8dc3 docs: use Node.js name style

644f646 build: [email protected]

ecd7572 build: [email protected]

Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot use these labels will set the current labels as the default for future PRs for this repo and language

@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language

@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language

@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies javascript
opened by dependabot[bot] 0
Bump certifi from 2021.5.30 to 2022.12.7 in /requirements
Bumps certifi from 2021.5.30 to 2022.12.7.

Commits

9e9e840 2022.12.07

b81bdb2 2022.09.24

939a28f 2022.09.14

aca828a 2022.06.15.2

de0eae1 Only use importlib.resources's new files() / Traversable API on Python ≥3.11 ...

b8eb5e9 2022.06.15.1

47fb7ab Fix deprecation warning on Python 3.11 (#199)

b0b48e0 fixes #198 -- update link in license

9d514b4 2022.06.15

4151e88 Add py.typed to MANIFEST.in to package in sdist (#196)

Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot use these labels will set the current labels as the default for future PRs for this repo and language

@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language

@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language

@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies python
opened by dependabot[bot] 0
Bump qs from 6.5.2 to 6.5.3
Bumps qs from 6.5.2 to 6.5.3.

Changelog

Sourced from qs's changelog.

6.5.3

[Fix] parse: ignore __proto__ keys (#428)

[Fix] utils.merge: avoid a crash with a null target and a truthy non-array source

[Fix] correctly parse nested arrays

[Fix] stringify: fix a crash with strictNullHandling and a custom filter/serializeDate (#279)

[Fix] utils: merge: fix crash when source is a truthy primitive & no options are provided

[Fix] when parseArrays is false, properly handle keys ending in []

[Fix] fix for an impossible situation: when the formatter is called with a non-string value

[Fix] utils.merge: avoid a crash with a null target and an array source

[Refactor] utils: reduce observable [[Get]]s

[Refactor] use cached Array.isArray

[Refactor] stringify: Avoid arr = arr.concat(...), push to the existing instance (#269)

[Refactor] parse: only need to reassign the var once

[Robustness] stringify: avoid relying on a global undefined (#427)

[readme] remove travis badge; add github actions/codecov badges; update URLs

[Docs] Clean up license text so it’s properly detected as BSD-3-Clause

[Docs] Clarify the need for "arrayLimit" option

[meta] fix README.md (#399)

[meta] add FUNDING.yml

[actions] backport actions from main

[Tests] always use String(x) over x.toString()

[Tests] remove nonexistent tape option

[Dev Deps] backport from main

Commits

298bfa5 v6.5.3

ed0f5dc [Fix] parse: ignore __proto__ keys (#428)

691e739 [Robustness] stringify: avoid relying on a global undefined (#427)

1072d57 [readme] remove travis badge; add github actions/codecov badges; update URLs

12ac1c4 [meta] fix README.md (#399)

0338716 [actions] backport actions from main

5639c20 Clean up license text so it’s properly detected as BSD-3-Clause

51b8a0b add FUNDING.yml

45f6759 [Fix] fix for an impossible situation: when the formatter is called with a no...

f814a7f [Dev Deps] backport from main

Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR

@dependabot recreate will recreate this PR, overwriting any edits that have been made to it

@dependabot merge will merge this PR after your CI passes on it

@dependabot squash and merge will squash and merge this PR after your CI passes on it

@dependabot cancel merge will cancel a previously requested merge and block automerging

@dependabot reopen will reopen this PR if it is closed

@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot use these labels will set the current labels as the default for future PRs for this repo and language

@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language

@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language

@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependencies javascript
opened by dependabot[bot] 0

Releases(v0.9.3)

v0.9.3(Aug 29, 2018)
0.9.3 (2018-08-29)

Fixed .....

Update pycryptodome due to CVE-2018-15560 security issue.

Source code(tar.gz)
Source code(zip)
v0.9.2(Aug 11, 2018)
0.9.2 (2018-08-11)

Fixed

Update to federation which switches crypto libraries to fix CVE-2018-6594.

Note! If you don't use pip-sync to deploy, then you must do pip uninstall pycrypto before deploying, or things will break badly.

Source code(tar.gz)
Source code(zip)
v0.9.1(Aug 11, 2018)
0.9.1 (2018-08-11)

Fixed

Django bumped to 2.0.8 to fix a security issue. This issue did not affect Socialhome, but we're upgrading just to be sure.

Source code(tar.gz)
Source code(zip)
v0.9.0(Jul 20, 2018)
0.9.0 (2018-07-21)

Added

Add possibility to configure Sentry for error reporting.

Adding the Sentry project DSN as SENTRY_DSN=foo to environment variables will make all error level exceptions be raised to Sentry. To change the level, define SENTRY_LEVEL with a valid Python logging module level.

Add NodeInfo2 support. For organization details, admin name and email will be published if the new setting SOCIALHOME_SHOW_ADMINS is set to True (default False).

Add possibility to delete user account (#131)

Deletion is permanent and will delete all created content including uploaded images. Delete request for profile and related content will be sent to remote servers.

Add user export API (#478)

New API endpoints /api/profiles/create_export/ will create an export and /api/profiles/retrieve_export/ will retrieve the export zip file. Export will contain a JSON file of the user, profile, followers and content. A zip file of uploaded images will also be included.

Add user data export to user account page (#478)

The account page now has a button to request an export of user data. In addition to user and profile data, this export contains a list of profiles followed, content (including shares and replies) and a zip file of image uploads. An email notification will be sent to the user once the export is ready for download from the account page.

New environment variable DJANGO_TIMEZONE allows easily customizing the time zone that the Socialhome instance runs on. It defaults to UTC.

Staff users can now access the admin and task queue (background jobs) pages via the new "gears" menu in the navbar. See <documentation on how to make a user admin.

Add an easily customizable robots.txt with default rules

The rules by default disallow all except direct links to content, the root profile and the public stream. Server admins can customize the rules easily via the admin interface.

Admins can now add Terms of Service and Privacy Policy documents to the site (#477)

Terms of Service and Privacy policy documents are good to have. These tell people visiting your site what rules you operate with. Socialhome provides default templates you can activate with a few clicks.

To review and enable the policy documents, log in as admin and access the admin pages through the navigation bar cogs menu. Scroll down and locate "Policy documents". There are two types of documents, the Terms of Service and Privacy Policy. Each one can be edited in draft mode and then published. Further updates in draft mode will not overwrite the last published version, until published.

To publish the documents, open them, review the text and then change the status below the document to "published". Click Save - this version is now published. To edit in draft mode, switch the status back and the current edited revision will not show to users. You can also send email updates to users from the policy documents list. Select the policy documents you wish the send an email about, choose "Send email" from the actions list and confirm.

Published policy documents are shown to both authenticated and unauthenticated users via the navigation bar cogs menu.

Searching for hashtags is now possible using the global search

The global search now in addition to profile results returns also results of matching hashtags. If the search term includes the hash ('#') and matches exactly to a tag, an instant redirect will be made to the tag stream.

Mentions are now parsed out of incoming remote content and locally created content.

Currently the only syntax supported is the Diaspora mentions syntax, ie @{Name; [email protected]}. Currently Socialhome users can create mentions by using the syntax manually. UI layer will be added later to choose people using the standard @ syntax to trigger search.

When mentioned, local users will be sent an email notification with a link to the content.

Note to admins: A script is provided if you want to parse old content for mentions. Run ./manage.py runscript link_old_mentions if you wish to parse the content from the last year and create the links. This will also send out email notifications.

Admin now has a section for Content items and Profiles, for debugging purposes. The User admin was also improved.

Limited content is now supported 🙈 💪 (#302)

Limited content can now be created using the web create form. Note, API does not currently allow creating limited content (except replies to limited content). Once create form is ported to the API, things should be refactored there, right now had no bandwidth to ensure both work.

Limited content is shown in the stream with a lock symbol. The create shows some extra fields for limited content. These include "recipients" and "include following". Recipients is a comma separated list of target profile handles the limited content will be sent to. Include following will populate recipients (on save) with all the profiles that one follows. Later on we will add contact lists for better targeting.

Limited content visibilities can be edited. If someone is removed from the target recipients, a retraction will be sent to try and delete the content remotely from the target recipient.

Currently recipients must already be known to the server, in the future a remote search will be done if the profile is not known. Any known remote profile can be targeted - it is up to the receiving server to decide whether to accept it or not. For local profiles, those of visibility SELF (ie hidden) cannot be targeted.

There is also a new stream "Limited" available. It shows all limited content visible to you.

Add "Local" stream which contains only content from users registered on the same server. (#491)

Changed

Bump Django to 2.0 🎉 (#460)

Only precache for users who have been active (#436)

Don't precache items into streams for users who have not been active. Controlled by the same settings as the maintenance of precached streams. Will reduce unnecessary background jobs and make Redis memory usage even more stable.

Provided Circus configuration now ensures RQ worker processes are not allowed to endlessly hog server memory. In some rare cases it has happened that normally very stable RQ worker processes have hogged several gigabytes of memory due to reasons which are still being investigated. Now Circus will end those processes automatically.

Moved user account, logout, email management and API token pages links under the new "gears" menu in the navbar. These links used to be in the profile page menu.

Fixed

Allow search with Diaspora handle that contains port (#457)

Important for server admins. There was a mistake in the production Redis connection settings. The setting was not following the given configuration in the documentation. Now the possibility to set REDIS_URL (undocumented) directly has been removed and will raise an error. Use the REDIS_HOST, REDIS_DB, REDIS_PORT and REDIS_PASSWORD settings instead when needed.

Ensure all streams Redis keys have a default expiry of 30 days.

Fix parsing of remote profile names by also using last_name attribute, where given (#414)

Show possible validation errors on create form instead of just not allowing a save.

Fix failure of processing remote retractions of replies or shares in some situations.

Removed

Legacy streams routes /public/, /followed/ and /tags/<name>/ have been removed. They already partially broke in the Vue.js streams rewrite.

Source code(tar.gz)
Source code(zip)
v0.8.0(Mar 6, 2018)
0.8.0 (2018-03-06)

Added

RFC3033 webfinger support for Diaspora protocol (#405)

This allows better profile discovery by remote non-Socialhome servers.

Added better streams precache maintenance in regards to inactive users (#436)

Two new settings have been added:

SOCIALHOME_STREAMS_PRECACHE_INACTIVE_DAYS (default 90)

SOCIALHOME_STREAMS_PRECACHE_INACTIVE_SIZE (default 0)

If a user has been more than the set days without logging in, when trimming the precaches for that user, the inactive setting will be used instead. By default this means that precaches for users that haven't logged in for 90 days are removed. This is done to ensure Redis memory usage is predictable and stable in relation to active users.

Users who have been inactive for longer than the X days will still get their stream content normally but instead of getting a fast stream render from the cache, the items will be calculated using databse queries, which produces a slower stream load experience.

Added management command to delete local users and remote profiles

This allows removing users who want their account to be deleted (coming to UI soon, sorry) and also deleting content and locking remote spam accounts. See documentation for details.

Changed

Setting SOCIALHOME_RELAY_DOMAIN is now called SOCIALHOME_RELAY_ID. We're slowly replacing all direct Diaspora handle references with Diaspora URI format profile ID's in preparation for ActivityPub protocol addition.

No action needed from server admins unless you have changed this setting, in which case it should be updated accordingly.

Start sending profile changes to remote nodes as public messages for better efficiency

Start sending federation payloads in new format (federation #59)

This could drop federation compatibility with some really old servers in the fediverse, but adds compatibility to for example GangGo which is now able to receive Socialhome content.

Stop requesting Twitter widget script for each tweet OEmbed (#202)

Since Vue streams all tweets are initialized programmatically as they are rendered in the stream so we don't need to have the script tag on each oembed separately.

/api-token-auth/ endpoint now returns limited profile information in addition to token

Fixed

Fix precached streams maintenance job. (#436)

Due to mistake in regexp not all old precached stream items were pruned in maintenance. Now fixed which should ensure Redis memory usage does not suffer from unreasonable increase over time.

Fix profile discovery from current stable Diaspora (#413)

A bug in Diaspora caused Socialhome profile discovery to fail. Introduce some patches to our webfinger to work around the bug and make profiles available to latest Diaspora versions.

Fix receiving public content from GangGo (federation #115)

Fix various errors in search for remote profiles

For example GNU Social implements webfinger but the necessary attributes we need are not present and were causing errors.

Add missing titles and OG tags back to streams (#428)

These disappeared in the rewrite of streams in 0.7.0. Also added a few new head tags improving author information in single content view and telling Twitter to not track users so much.

Source code(tar.gz)
Source code(zip)
v0.7.0(Feb 4, 2018)
0.7.0 (2018-02-04)

New Vue.js frontend

The work that started at a small hackathon in Helsinki in July 2017 is finally finished! The old buggy and hard to maintain Django template + jQuery based frontend has been completely rewritten in Vue.js. This provides a modern frontend code base, making it possible to add new features faster and to spend less time fixing bugs in the spaghetti code.

A huge thanks goes out to @christophehenry doing most of the work in pushing this rewrite through!

Added

Possibility to skip adding an OEmbed or OpenGraph preview to content. (#364)

There is a new checkbox on content create that allows skipping adding a link preview to the content.

Add maintenance job to groom precache information from Redis. This ensures Redis memory usage stays stable.

Important for server admins. There is a new process to run that is responsible for scheduling these maintenance jobs. The process is executed as a Django management command ie python manage.py rqscheduler.

If you already use the provided Circus configuration to run Socialhome, you don't need to do anything. When you restart Socialhome, the updated Circus configuration will automatically be used and the scheduler process started by Circus.

If you have a custom setup, preferring to run all processes manually, ensure one rqscheduler process is running at all times to ensure maintenance jobs and other future scheduled jobs are executed.

A new configuration item SOCIALHOME_STREAMS_PRECACHE_SIZE is available to set the maximum size of precached stream items per user, per stream. This defaults to 100 items. Increasing this setting can radically increase Redis memory usage. If you have a lot of users, you might consider decreasing this setting if Redis memory usage climbs up too high.

It is now possible to use email for log-in. (#377)

Added a Code of Conduct document. All contributors to Socialhome are expected to honour these simple rules to ensure our project is a safe place to contribute to.

Read the Code of Conduct here.

Profile API has 4 new read only fields:

followers_count - Count of followers the given Profile has. For remote profiles this will contain only the count of followers on this server, not all the followers the profile has.

following_count - Count of local and remote profiles this Profile is following. For remote profiles this will contain only the count of profiles following this profile on this particular server.

has_pinned_content - Boolean indication whether the local profile has pinned any Content to their profile stream. Always false for remote profiles.

user_following - Boolean whether logged in user is following the profile.

There is now a management command to generate dummy content for development environment purposes. See development pages.

Installation docs now have an example SystemD service configuration, see installation-other-systemd. (#397)

Content API has a new read only field has_twitter_oembed. This is true if the content text had a Tweet URL and a fetch for the OEmbed code has been successfully made.

Content create page now has an option to disable federating to remote servers when saving the content. (#296)

The content will still update to local streams normally. Federating the content can be enabled on further saves.

If signups are closed, the signup link will now stay active but will point to a list of Socialhome nodes. (#354)

By default this URL is https://the-federation.info/socialhome, but can be configured by the server admin.

Changed

When processing a remote share of local content, deliver it also to all participants in the original shared content and also to all personal followers. (#206)

Allow creating replies via the Content API.

Replies are created by simply passing in a parent with the ID value of the target Content. It is not possible to change the parent value for an existing reply or root level Content object once created. When creating a reply, you can omit visibility from the sent data. Visibility will be used from the parent Content item automatically.

Removed Opbeat integration related configuration. The service is being ramped down. (#393)

If as a server administrator you have enabled Opbeat monitoring, it will stop working on this update.

New VueJS stream is now default o/ (#202)

Old stream can still be accessed using the user preferences or by passing a vue=0 parameter in the URL. All existing users have been migrated to use the new VueJS streams by default.

Fixed

Redirect back to profile instead of home view after organize pinned content save action. (#313)

Fix searching of an unknown remote profile by handle using uppercase letters resulting in an invalid local profile creation.

Fix Content querysets not correctly including the 'through' information which tells what content caused a share to be added to a stream. (#412)

This information was already correctly added in the streams precalculation phase, but if the cache started cold or a viewing user cycled through all cached content ID's and wanted some more, the database queries did not return the right results.

Attempt to fetch OEmbed and OpenGraph previews of URL's in content in the order of the links found. (#365)

Previous behaviour lead to fetching previews of urls in random order, leading to a different url preview on different Socialhome servers.

Fix remote profile retrieval from remote servers which don't support legacy Diaspora protocol webfinger. (#405)

New version of federation library defaults to trying the new style webfinger with a fall back to legacy.

Source code(tar.gz)
Source code(zip)
v0.6.0(Nov 13, 2017)
0.6.0 (2017-11-13)

Added

Profile "All content" streams now include the shares the profile has done. (#206)

Streams API now has endpoints for profile streams to match the profile streams in the UI. (#194)

/api/streams/profile-all/{id}/ - fetches all content by the given profile (including shares), ordered by created date in reverse order (= new stuff first).

/api/streams/profile-pinned/{id}/ - fetches pinned content by the given profile, ordered as set by the profile owner.

New fields added to Content API:

is_nsfw, boolean value, true if the content text has the tag #nsfw in it.

share_of, if the content_type is share, this will contain the ID of the shared Content.

If an incoming share references a remote target that doesn't yet exist locally, it and the author profile will be fetched and imported over the network. (#206)

There are now Docker files for doing development work for Socialhome. See the docs here.

Third-party applications can now be added to enhance Socialhome or replace some of the core functionality, using configuration. The following new settings are available:

SOCIALHOME_ADDITIONAL_APPS - List of additional applications to use in Django settings.

SOCIALHOME_ADDITIONAL_APPS_URLS - Additional third-party URL's to add to core url configuration.

SOCIALHOME_HOME_VIEW - Override the home view with another view defined with this setting.

Content API now has a new shares endpoint. (#206)

This allows retrieving all the shares done on a Content.

We now have a logo ✌

The logo also comes in a light version, for dark backgrounds. See brand for details.

Changed

Logging configuration changes:

Removed separate logfile for the federation loggers. Now all logs go to one place. Setting SOCIALHOME_LOGFILE_FEDERATION has been removed.

Added possibility to direct Django and application logs using a defined level to syslog. Adds three settings, SOCIALHOME_LOG_TARGET to define whether to log to file or syslog, SOCIALHOME_SYSLOG_LEVEL to define the level of syslog logging and SOCIALHOME_SYSLOG_FACILITY to define the syslog logging facility. See configuration documentation.

Important! The file to place configuration environment variables has changed to .env.

This is a more standard file name for environment variables than the previous env.local. For now we'll still load from the old file too, but a warning will be displayed to rename the file.

Breaking change. API Content serialization now returns list of tags as name of tag, not ID as before. The names do not contain the character "#".

Content API replies endpoint now includes all the replies on the shares of the Content too.

Use modified timestamp for created timestamp when federating out to remote nodes. (#314)

This makes edits federate more reliably to some remote platforms that support edits.

Stream grid item reply icon changed from "envelope" to "comments". (#339)

Fixed

Fix various issues with OpenGraph tags parsing by switching to self-maintained fork of python-opengraph.

Share button is no longer visible if not signed in (#325)

Remote profile image urls that are relative are now fixed to be absolute when importing the profile from remote (#327)

Fix poor performance of fetching replies.

When adding replies of shares to the collection of replies fetched when clicking the reply icon in the UI, a serious performance regression was also added. Database queries have now been optimized to fetch replies faster again.

When editing a reply, the user is now redirected back to the parent content detail view instead of going to the reply detail view. (#315)

Fix regression on visibility of remote replies on shares.

Replies inherit the parent object visibility and share visibility defaults to non-public in the federation library. Diaspora protocol removed the public property from shares in a recent release, which meant that we started getting all shares as non-public from the federation layer. This meant that all comments on the shares were processed as non-public too.

With a change in the federation layer, Diaspora protocol shares are now public by default.

Fixed Streams API content user_is_author value always having false value.

Source code(tar.gz)
Source code(zip)
v0.5.0(Oct 1, 2017)
0.5.0 (2017-10-01)

Python dependencies

Switched to pip-tools as the recommended way to install Python dependencies and cleaned the requirements files a bit. Now all the "base" dependencies, including production deployment dependencies are locked in requirements.txt. The new file dev-requirements.txt includes both the base and the extra development/testing related dependencies.

To use pip-tools, first install it:

pip install -U pip-tools

Then install dependencies:

# Production environment pip-sync # Development environment pip-sync dev-requirements.txt

It is not mandatory to use pip-tools for running a production installation. For development it is mandatory. All dependencies should be placed (unlocked) in either requirements/requirements.in (base) or requirements/requirements-dev.in (development extras). Then execute ./compile-requirements.sh to update the locked dependency files after each change to the .in files. See pip-tools for more information.

Added

GIF uploads are now possible when creating content or replies. (#125)

Content API has a new endpoint /api/content/<id>/replies/. This returns all the replies for the given content.

Shares made by followed contacts are now pulled up to the "Followed" stream.

This happens only if the user has not already seen this content in their "Followed" stream. Each content should only appear once, either directly by following the author or a followed contact sharing the content. Multiple shares do not raise the content in the stream again.

Changed

Rendered link processing has been rewritten. This fixes issues with some links not being linkified when rendering. Additionally now all external links are made to open in a new tab or window. (#197)

Previously previews and oEmbed's for content used to only pick up "orphan" links from the content text. This meant that if there was a Markdown or HTML link, there would be no link preview or oEmbed fetched. This has now been changed. All links found in the content will be considered for preview and oEmbed. The first link to return a preview or oEmbed will be used.

Streams URL changes:

All streams will now be under /streams/ for a cleaner URL layout. So for example /public/ is now /streams/public/.

Tag stream URL has been changed from /streams/tags/<tag>/ to /streams/tag/<tag>/. This small change allows us to later map /stream/tags/ to the tags the user is following.

Since lots of old content will point to the old URL's, there will be support for the legacy URL's until they are needed for something else in the future.

Breaking change. Profile API field changes:

Added:

url (Full URL of local profile)

home_url (Full URL of remote profile, if remote user)

is_local (Boolean, is user local)

visibility (Profile visibility setting, either public, limited, site or self. Editable to self)

Removed (internal attributes unnecessary for frontend rendering):

user

rsa_public_key

Breaking change. Content API field changes:

Added:

timestamp (ISO 8601 formatted timestamp of last save)

humanized_timestamp (For example "2 hours ago")

url (Full URL to content detail)

edited (Boolean whether content has been edited since creation)

user_following_author (Boolean whether current user is following content author)

user_is_author (Boolean whether current user is the author of the content)

user_has_shared (Boolean whether current user has shared the content)

Changed:

author is now a limited serialization of the author profile, containing the following keys: "guid", "handle", "home_url", "id", "image_url_small", "is_local", "name", "url".

The reason for serializing the author information to content is related to privacy controls. A user who maintains a limited profile can still create public content, for example. A user who is able to view the content created by the user should also see some limited information about the creating profile. To get the full profile, the user needs to fetch the profile object by ID, which is subject to the visibility set by the profile owner.

Removed (internal attributes unnecessary for frontend rendering):

created

modified

oembed

opengraph

Refactoring for streams views to use new Stream classes which support pre-caching of content ID's. No visible changes to user experience except a faster "Followed users" stream.

A stream class that is set as cached will store into Redis a list of content ID's for each user who would normally see that content in the stream. This allows pulling content out of the database very fast. If the stream is not cached or does not have cached content ID's, normal database lookups will be used.

This refactoring enables creating more complex streams which require heavier calculations to decide whether a content item should be in a stream or not.

Fixed

Cycling browser tabs with CTRL-TAB when focused on the editor no longer inserts a TAB character in the editor.

Don't federate shares to shared content local author. This caused unnecessary deliveries between the same host.

Source code(tar.gz)
Source code(zip)
v0.4.0(Aug 31, 2017)
0.4.0 (2017-08-31)

Update notes

This release contains long running migrations. Please allow up to 10 minutes for the migrations to run, depending on your database size.

Added

Allow user to change profile picture. (#151)

Profile menu now has an extra option "Change picture". This allows uploading a new picture and optionally setting focus point for cropping a picture that is not square shape.

Federate local profiles to remote followers on save. (#168)

Process remote profiles entities on receive.

Remote profiles were so far only created on first encounter. Now we also process incoming Profile entities from the federation layer.

When following a remote profile, federate profile to them at the same time.

It is now possible to expose statistics from a Socialhome node. This includes counts for users (total, 30 day, 6 month), local content and local replies. These will be exposed via the NodeInfo documents that for example the-federation.info node list consumes.

By default statistics is off. Admins can switch the counts on by setting environment variable SOCIALHOME_STATISTICS=True and restarting Socialhome.

Add user API token view. Allows retrieving an API token for usage in clients and tools. Allows also regenerating the token if it has been lost or exposed.

Added bookmarklet to easily share external pages. The bookmarklet can be bookmarked from the 'Create' page. (#138)

Sharing with the bookmarklet will copy the page url, title and optionally selected text into the create content text area. The bookmarklet is compatible with Diaspora, so for example the Firefox sharing service will work.

Support receiving 'Share' entities. Show amount of shares on content. (#206)

Show replies to shares on the original shared content. (#206)

Add share endpoint to Content API. This enables creating and removing shares via the API. (#206)

Allow sharing content. Clicking the share counter icon exposes a 'Share' button which when clicked will create a share. (#206)

Allow unsharing content. Clicking the share counter icon exposes an 'Unshare' button (assuming the user has shared the content) which when clicked will remove the share. (#206)

Federate local shares to remote nodes. (#206)

There is now a 'My content' stream link in the navbar 'Streams' dropdown. This goes to your own profile all content stream.

Add user preference for the new stream refactoring. If enabled, all streams that have a new version in progress will be rendered with the new frontend code based on Vue.js. (#202)

Warning! The new frontent code doesn't have all the features of the current on yet.

Content API has three new read only fields available:

local, boolean whether the content is local or remote.

reply_count, count of replies (including replies on shares)

shares_count, count of shares

Make email notifications nicer by using HTML templates in addition to the plain text version. (#206)

In addition to reply and follow notifications, send also when own content is shared.

Changed

Breaking change. Content API results now return visibility as a string ('public', 'limited', 'site' or 'self'), not an integer.

Fixed

There was no notification sent out when a local user followed a local user. This has now been fixed.

Removed

Breaking change. Removed Content, Profile and Users API LIST routes. For now these are seen as not required for building a client and allow unnecessarily easy data mining.

Removed content modal. Clicking timestamp in grid now directly loads the content detail view. (#162)

Loading the content in a modal was an early experiment and didn't end out very usable.

Removed reply button from replies. Technically, threaded replies are possible but the UI implementation is not done. Replying to a reply will be back once UI and federation layer will handle threaded replies properly.

Source code(tar.gz)
Source code(zip)
v0.3.1(Aug 6, 2017)
0.3.1 (2017-08-06)

Fixed

Bump federation library again to fix a regression in reply relaying due to security fixes in the library 0.14.0 release.

Source code(tar.gz)
Source code(zip)
v0.3.0(Aug 6, 2017)
0.3.0 (2017-08-06)

Security

Reject remote content updates via the federation layer which reference an already existing remote content object but have a different author.

Note that locally created content was previously safe from this kind of takeover. This, even though serious, affects only remote created content stored locally.

Reject remote reply updates via the federation layer which try to change the parent content reference.

Bump federation to ensure remote entity authorship is verified correctly.

Added

API has two new endpoints, the "Content" and "Image Upload" routes. (#120)

Content API allows browsing content objects that are visible to self, or public for anonymous users. Content objects owned by self can be updated or deleted. Creating content is also possible.

Image Upload API allows uploading images via the same mechanism that is used in the content create UI form. The uploaded image will be stored and a markdown string is passed back which can be added to content created in for example mobile clients. Note, uploading an image doesn't create any content itself, it just allows embedding images into content, just like in the UI.

New API docs exposed by Django REST Swagger. These are in the same place as the old ones, at /api/. Adding to the documentation is still a work in progress.

Add image upload button to the create/reply editor. This makes it possible to upload images from mobile browsers. (#120)

Make profile "following" button link to "following contacts" page, if user is logged in and own profile.

Changed

Create and update content will now redirect to the content created or updated. Previous behaviour was user preferred landing page.

Delete content will now redirect back to the page where the delete was triggered from. Previous behaviour was user preferred landing page. If the content delete is triggered from the content detail page, redirect will happen to user preferred landing page as before. (#204)

Fixed

Fix internal server error when replying to content that contained only characters outside the western Latin character sets.

Visual fixes for content rendering in content delete page.

Make direct profile handle search survive extra spaces before or after the searched handle.

Source code(tar.gz)
Source code(zip)
v0.2.1(Jul 30, 2017)
0.2.1 (2017-07-30)

Fixed

Fix reply form regression introduced in v0.2.0. (#217)

Source code(tar.gz)
Source code(zip)
v0.2.0(Jul 29, 2017)
0.2.0 (2017-07-30)

Security

Fix XSS vulnerability in profile edit. Unsanitized profile field input was allowed and one place showed a field without escaping it. The fields are now sanitized and escaping has been ensured.

The problem concerned only local users and not remote profile fields which were correctly sanitized already.

Added

Added search for profiles (#163)

There is now a global search in the right side of the header. The search returns matches for local and remote profiles based on their name and username part of the handle. Profiles marked with visibility Self or Limited are excluded from the search results. Profiles marked with visibility Site will be excluded if not logged in, leaving only public profile results. If a direct match happens with a full handle, a redirect is done directly to the searched profile.

IMPORTANT for node maintainers. After pulling in this change, you MUST run the command python manage.py rebuild_index to create the search index. Not doing this will cause an error to be raised when trying to search. The indexes are kept up to date automatically after running this command once.

When searching for profiles based on handle, fetch profile from remote if it isn’t found locally (#163)

Changed

Improved content/reply create/edit form. Replies don’t contain visibility or pinned form elements any more. Added also some help texts regarding drag’n’drop image embed, visibility and content pinning.

Fixed

Make reply notifications to local users not send one single email with all local participants, but one email per participant. Previous implementation would have leaked emails of participants to other participants.

Correctly send replies to remotes (#210)

If parent content is local, send via the relayable forwarding mechanism. This ensures parent author signs the content. If parent author is remote, send just to the remote author. The remote author should then relay it.

Ensure calling Profile.private_key or Profile.key don’t crash if the profile doesn’t have keys. Now the properties just return None.

Fix regression in profile all content stream load more functionality. (#190)

Filter out “limited” visibility profiles from API list results. These profiles are not available in the search so they shouldn’t be available to list through the API either.

Source code(tar.gz)
Source code(zip)
v0.1.0(Jul 27, 2017)
0.1.0 (2017-07-27)

Initial versioned release. Main implemented features:

Working streams (followed, public, profiles)

Content creation

Content OEmbed / OpenGraph previews

Replies

Follow/unfollow of profiles

Contacts list

Pinning content to profile

Source code(tar.gz)
Source code(zip)