Merge tag 'v4.4.5'

CHANGELOG.md

@@ -2,6 +2,26 @@
 
 All notable changes to this project will be documented in this file.
 
+## [4.4.5] - 2025-09-23
+
+### Security
+
+- Update dependencies
+
+### Added
+
+- Add support for `has:quote` in search (#36217 by @ClearlyClaire)
+
+### Changed
+
+- Change quoted posts from silenced accounts to use a click-through rather than being hidden (#36166 and #36167 by @ClearlyClaire)
+
+### Fixed
+
+- Fix processing of out-of-order `Update` as implicit updates (#36190 by @ClearlyClaire)
+- Fix getting `Create` and `Update` out of order (#36176 by @ClearlyClaire)
+- Fix quotes with Content Warnings but no text being shown without Content Warnings (#36150 by @ClearlyClaire)
+
 ## [4.4.4] - 2025-09-16
 
 ### Security
@@ -18,7 +38,7 @@ All notable changes to this project will be documented in this file.
 - Fix WebUI handling of deleted quoted posts (#35909 and #35918 by @ClearlyClaire and @diondiondion)
 - Fix “Edit” and “Delete & Redraft” on a poll not inserting empty option (#35892 by @ClearlyClaire)
 - Fix loading of some compatibility CSS on some configurations (#35876 by @shleeable)
-- Fix HttpLog not being enabled with `RAILS_LOGÈ_LEVEL=debug` (#35833 by @mjankowski)
+- Fix HttpLog not being enabled with `RAILS_LOG_LEVEL=debug` (#35833 by @mjankowski)
 - Fix self-destruct scheduler behavior on some Redis setups (#35823 by @ClearlyClaire)
 - Fix `tootctl admin create` not bypassing reserved username checks (#35779 by @ClearlyClaire)
 - Fix interaction policy changes in implicit updates not being saved (#35751 by @ClearlyClaire)

Gemfile.lock

@@ -725,7 +725,7 @@ GEM
     responders (3.1.1)
       actionpack (>= 5.2)
       railties (>= 5.2)
-    rexml (3.4.1)
+    rexml (3.4.4)
     rotp (6.3.0)
     rouge (4.5.2)
     rpam2 (4.0.2)

app/javascript/mastodon/actions/importer/normalizer.js

@@ -81,7 +81,7 @@ export function normalizeStatus(status, normalOldStatus) {
   } else {
     // If the status has a CW but no contents, treat the CW as if it were the
     // status' contents, to avoid having a CW toggle with seemingly no effect.
-    if (normalStatus.spoiler_text && !normalStatus.content) {
+    if (normalStatus.spoiler_text && !normalStatus.content && !normalStatus.quote) {
       normalStatus.content = normalStatus.spoiler_text;
       normalStatus.spoiler_text = '';
     }

app/javascript/mastodon/components/status_quoted.tsx

@@ -1,4 +1,4 @@
-import { useEffect, useMemo } from 'react';
+import { useCallback, useEffect, useMemo } from 'react';
 
 import { FormattedMessage } from 'react-intl';
 
@@ -11,13 +11,16 @@ import ArticleIcon from '@/material-icons/400-24px/article.svg?react';
 import ChevronRightIcon from '@/material-icons/400-24px/chevron_right.svg?react';
 import { Icon } from 'mastodon/components/icon';
 import StatusContainer from 'mastodon/containers/status_container';
+import { domain } from 'mastodon/initial_state';
 import type { Status } from 'mastodon/models/status';
 import type { RootState } from 'mastodon/store';
 import { useAppDispatch, useAppSelector } from 'mastodon/store';
 
 import QuoteIcon from '../../images/quote.svg?react';
+import { revealAccount } from '../actions/accounts_typed';
 import { fetchStatus } from '../actions/statuses';
 import { makeGetStatus } from '../selectors';
+import { getAccountHidden } from '../selectors/accounts';
 
 const MAX_QUOTE_POSTS_NESTING_LEVEL = 1;
 
@@ -73,6 +76,29 @@ type GetStatusSelector = (
   props: { id?: string | null; contextType?: string },
 ) => Status | null;
 
+const LimitedAccountHint: React.FC<{ accountId: string }> = ({ accountId }) => {
+  const dispatch = useAppDispatch();
+  const reveal = useCallback(() => {
+    dispatch(revealAccount({ id: accountId }));
+  }, [dispatch, accountId]);
+
+  return (
+    <>
+      <FormattedMessage
+        id='status.quote_error.limited_account_hint.title'
+        defaultMessage='This account has been hidden by the moderators of {domain}.'
+        values={{ domain }}
+      />
+      <button onClick={reveal} className='link-button'>
+        <FormattedMessage
+          id='status.quote_error.limited_account_hint.action'
+          defaultMessage='Show anyway'
+        />
+      </button>
+    </>
+  );
+};
+
 export const QuotedStatus: React.FC<{
   quote: QuoteMap;
   contextType?: string;
@@ -100,6 +126,14 @@ export const QuotedStatus: React.FC<{
 
   const shouldLoadQuote = !status?.get('isLoading') && quoteState !== 'deleted';
 
+  const accountId: string | null = status?.get('account', null) as
+    | string
+    | null;
+
+  const hiddenAccount = useAppSelector(
+    (state) => accountId && getAccountHidden(state, accountId),
+  );
+
   useEffect(() => {
     if (shouldLoadQuote && quotedStatusId) {
       dispatch(
@@ -164,6 +198,8 @@ export const QuotedStatus: React.FC<{
         defaultMessage='This post cannot be displayed.'
       />
     );
+  } else if (hiddenAccount && accountId) {
+    quoteError = <LimitedAccountHint accountId={accountId} />;
   }
 
   if (quoteError) {

app/javascript/mastodon/locales/en.json

@@ -873,6 +873,8 @@
   "status.open": "Expand this post",
   "status.pin": "Pin on profile",
   "status.quote_error.filtered": "Hidden due to one of your filters",
+  "status.quote_error.limited_account_hint.action": "Show anyway",
+  "status.quote_error.limited_account_hint.title": "This account has been hidden by the moderators of {domain}.",
   "status.quote_error.not_found": "This post cannot be displayed.",
   "status.quote_error.pending_approval": "This post is pending approval from the original author.",
   "status.quote_error.rejected": "This post cannot be displayed as the original author does not allow it to be quoted.",

app/lib/activitypub/activity/update.rb

@@ -28,6 +28,9 @@ class ActivityPub::Activity::Update < ActivityPub::Activity
 
     @status = Status.find_by(uri: object_uri, account_id: @account.id)
 
+    # We may be getting `Create` and `Update` out of order
+    @status ||= ActivityPub::Activity::Create.new(@json, @account, **@options).perform
+
     return if @status.nil?
 
     ActivityPub::ProcessStatusUpdateService.new.call(@status, @json, @object, request_id: @options[:request_id])

app/lib/status_cache_hydrator.rb

@@ -85,7 +85,7 @@ class StatusCacheHydrator
         if quote.quoted_status.nil?
           payload[nested ? :quoted_status_id : :quoted_status] = nil
           payload[:state] = 'deleted'
-        elsif StatusFilter.new(quote.quoted_status, Account.find_by(id: account_id)).filtered?
+        elsif StatusFilter.new(quote.quoted_status, Account.find_by(id: account_id)).filtered_for_quote?
           payload[nested ? :quoted_status_id : :quoted_status] = nil
           payload[:state] = 'unauthorized'
         else

app/lib/status_filter.rb

@@ -15,6 +15,12 @@ class StatusFilter
     blocked_by_policy? || (account_present? && filtered_status?) || silenced_account?
   end
 
+  def filtered_for_quote?
+    return false if !account.nil? && account.id == status.account_id
+
+    blocked_by_policy? || (account_present? && filtered_status?)
+  end
+
   private
 
   def account_present?

app/models/concerns/status/search_concern.rb

@@ -43,6 +43,7 @@ module Status::SearchConcern
       properties << 'embed' if preview_card&.video?
       properties << 'sensitive' if sensitive?
       properties << 'reply' if reply?
+      properties << 'quote' if with_quote?
     end
   end
 end

app/serializers/rest/base_quote_serializer.rb

@@ -8,13 +8,13 @@ class REST::BaseQuoteSerializer < ActiveModel::Serializer
 
     # Extra states when a status is unavailable
     return 'deleted' if object.quoted_status.nil?
-    return 'unauthorized' if status_filter.filtered?
+    return 'unauthorized' if status_filter.filtered_for_quote?
 
     object.state
   end
 
   def quoted_status
-    object.quoted_status if object.accepted? && object.quoted_status.present? && !status_filter.filtered?
+    object.quoted_status if object.accepted? && object.quoted_status.present? && !status_filter.filtered_for_quote?
   end
 
   private

app/services/activitypub/process_status_update_service.rb

@@ -25,6 +25,9 @@ class ActivityPub::ProcessStatusUpdateService < BaseService
 
     if @status_parser.edited_at.present? && (@status.edited_at.nil? || @status_parser.edited_at > @status.edited_at)
       handle_explicit_update!
+    elsif @status.edited_at.present? && (@status_parser.edited_at.nil? || @status_parser.edited_at < @status.edited_at)
+      # This is an older update, reject it
+      return @status
     else
       handle_implicit_update!
     end

docker-compose.yml

@@ -59,7 +59,7 @@ services:
   web:
     # You can uncomment the following line if you want to not use the prebuilt image, for example if you have local code changes
     # build: .
-    image: ghcr.io/mastodon/mastodon:v4.4.4
+    image: ghcr.io/mastodon/mastodon:v4.4.5
     restart: always
     env_file: .env.production
     command: bundle exec puma -C config/puma.rb
@@ -83,7 +83,7 @@ services:
     # build:
     #   dockerfile: ./streaming/Dockerfile
     #   context: .
-    image: ghcr.io/mastodon/mastodon-streaming:v4.4.4
+    image: ghcr.io/mastodon/mastodon-streaming:v4.4.5
     restart: always
     env_file: .env.production
     command: node ./streaming/index.js
@@ -102,7 +102,7 @@ services:
   sidekiq:
     # You can uncomment the following line if you want to not use the prebuilt image, for example if you have local code changes
     # build: .
-    image: ghcr.io/mastodon/mastodon:v4.4.4
+    image: ghcr.io/mastodon/mastodon:v4.4.5
     restart: always
     env_file: .env.production
     command: bundle exec sidekiq

lib/mastodon/version.rb

@@ -13,7 +13,7 @@ module Mastodon
     end
 
     def patch
-      4
+      5
     end
 
     def default_prerelease

spec/lib/activitypub/activity_spec.rb

@@ -0,0 +1,111 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe ActivityPub::Activity do
+  describe 'processing a Create and an Update' do
+    let(:sender) { Fabricate(:account, followers_url: 'http://example.com/followers', domain: 'example.com', uri: 'https://example.com/actor') }
+    let(:quoted_account) { Fabricate(:account, domain: 'quoted.example.com') }
+    let(:quoted_status) { Fabricate(:status, account: quoted_account) }
+    let(:approval_uri) { 'https://quoted.example.com/approvals/1' }
+
+    let(:approval_payload) do
+      {
+        '@context': [
+          'https://www.w3.org/ns/activitystreams',
+          {
+            QuoteAuthorization: 'https://w3id.org/fep/044f#QuoteAuthorization',
+            gts: 'https://gotosocial.org/ns#',
+            interactingObject: {
+              '@id': 'gts:interactingObject',
+              '@type': '@id',
+            },
+            interactionTarget: {
+              '@id': 'gts:interactionTarget',
+              '@type': '@id',
+            },
+          },
+        ],
+        type: 'QuoteAuthorization',
+        id: approval_uri,
+        attributedTo: ActivityPub::TagManager.instance.uri_for(quoted_status.account),
+        interactingObject: [ActivityPub::TagManager.instance.uri_for(sender), 'post1'].join('/'),
+        interactionTarget: ActivityPub::TagManager.instance.uri_for(quoted_status),
+      }
+    end
+
+    let(:create_json) do
+      {
+        '@context': [
+          'https://www.w3.org/ns/activitystreams',
+          {
+            quote: 'https://w3id.org/fep/044f#quote',
+          },
+        ],
+        id: [ActivityPub::TagManager.instance.uri_for(sender), '#create'].join,
+        type: 'Create',
+        actor: ActivityPub::TagManager.instance.uri_for(sender),
+        object: {
+          id: [ActivityPub::TagManager.instance.uri_for(sender), 'post1'].join('/'),
+          type: 'Note',
+          to: [
+            'https://www.w3.org/ns/activitystreams#Public',
+          ],
+          content: 'foo',
+          published: '2025-05-24T11:03:10Z',
+          quote: ActivityPub::TagManager.instance.uri_for(quoted_status),
+        },
+      }.deep_stringify_keys
+    end
+
+    let(:update_json) do
+      {
+        '@context': [
+          'https://www.w3.org/ns/activitystreams',
+          {
+            quote: 'https://w3id.org/fep/044f#quote',
+            quoteAuthorization: { '@id': 'https://w3id.org/fep/044f#quoteAuthorization', '@type': '@id' },
+          },
+        ],
+        id: [ActivityPub::TagManager.instance.uri_for(sender), '#update'].join,
+        type: 'Update',
+        actor: ActivityPub::TagManager.instance.uri_for(sender),
+        object: {
+          id: [ActivityPub::TagManager.instance.uri_for(sender), 'post1'].join('/'),
+          type: 'Note',
+          to: [
+            'https://www.w3.org/ns/activitystreams#Public',
+          ],
+          content: 'foo',
+          published: '2025-05-24T11:03:10Z',
+          quote: ActivityPub::TagManager.instance.uri_for(quoted_status),
+          quoteAuthorization: approval_uri,
+        },
+      }.deep_stringify_keys
+    end
+
+    before do
+      sender.update(uri: ActivityPub::TagManager.instance.uri_for(sender))
+
+      stub_request(:get, approval_uri).to_return(headers: { 'Content-Type': 'application/activity+json' }, body: Oj.dump(approval_payload))
+    end
+
+    context 'when getting them in order' do
+      it 'creates a status and approves the quote' do
+        described_class.factory(create_json, sender).perform
+        status = described_class.factory(update_json, sender).perform
+
+        expect(status.quote.state).to eq 'accepted'
+      end
+    end
+
+    context 'when getting them out of order' do
+      it 'creates a status and approves the quote' do
+        described_class.factory(update_json, sender).perform
+        status = described_class.factory(create_json, sender).perform
+
+        expect(status.quote.state).to eq 'accepted'
+      end
+    end
+  end
+end