Merge tag 'v4.5.3' into chinwag-next

Co-authored-by: GitHub Actions <noreply@github.com>

.dockerignore

@@ -5,6 +5,7 @@
 .gitattributes
 .gitignore
 .github
+.vscode
 public/system
 public/assets
 public/packs
@@ -20,6 +21,7 @@ postgres14
 redis
 elasticsearch
 chart
+storybook-static
 .yarn/
 !.yarn/patches
 !.yarn/plugins

.env.production.sample

@@ -88,24 +88,3 @@ S3_ALIAS_HOST=files.example.com
 # -----------------------
 IP_RETENTION_PERIOD=31556952
 SESSION_RETENTION_PERIOD=31556952
-
-# Fetch All Replies Behavior
-# --------------------------
-# When a user expands a post (DetailedStatus view), fetch all of its replies
-# (default: false)
-FETCH_REPLIES_ENABLED=false
-
-# Period to wait between fetching replies (in minutes)
-FETCH_REPLIES_COOLDOWN_MINUTES=15
-
-# Period to wait after a post is first created before fetching its replies (in minutes)
-FETCH_REPLIES_INITIAL_WAIT_MINUTES=5
-
-# Max number of replies to fetch - total, recursively through a whole reply tree
-FETCH_REPLIES_MAX_GLOBAL=1000
-
-# Max number of replies to fetch - for a single post
-FETCH_REPLIES_MAX_SINGLE=500
-
-# Max number of replies Collection pages to fetch - total
-FETCH_REPLIES_MAX_PAGES=500

.github/ISSUE_TEMPLATE/1.web_bug_report.yml

@@ -1,6 +1,6 @@
 name: Bug Report (Web Interface)
 description: There is a problem using Mastodon's web interface.
-labels: ['status/to triage', 'area/web interface']
+labels: ['area/web interface']
 type: Bug
 body:
   - type: markdown

.github/ISSUE_TEMPLATE/2.server_bug_report.yml

@@ -1,7 +1,6 @@
 name: Bug Report (server / API)
 description: |
   There is a problem with the HTTP server, REST API, ActivityPub interaction, etc.
-labels: ['status/to triage']
 type: 'Bug'
 body:
   - type: markdown

.github/renovate.json5

@@ -6,6 +6,7 @@
     ':labels(dependencies)',
     ':prConcurrentLimitNone', // Remove limit for open PRs at any time.
     ':prHourlyLimit2', // Rate limit PR creation to a maximum of two per hour.
+    ':enableVulnerabilityAlertsWithLabel(security)',
   ],
   rebaseWhen: 'conflicted',
   minimumReleaseAge: '3', // Wait 3 days after the package has been published before upgrading it
@@ -23,7 +24,6 @@
       matchManagers: ['npm'],
       matchPackageNames: [
         'tesseract.js', // Requires code changes
-        'react-hotkeys', // Requires code changes
 
         // react-router: Requires manual upgrade
         'history',
@@ -94,6 +94,19 @@
       matchUpdateTypes: ['patch', 'minor'],
       groupName: 'eslint (non-major)',
     },
+    {
+      // Group all Storybook-related packages in the same PR
+      matchManagers: ['npm'],
+      matchPackageNames: [
+        'chromatic',
+        'storybook',
+        '@storybook/*',
+        'msw',
+        'msw-storybook-addon',
+      ],
+      matchUpdateTypes: ['patch', 'minor'],
+      groupName: 'storybook (non-major)',
+    },
     {
       // Group actions/*-artifact in the same PR
       matchManagers: ['github-actions'],
@@ -142,6 +155,12 @@
       matchUpdateTypes: ['patch', 'minor'],
       groupName: 'opentelemetry-ruby (non-major)',
     },
+    {
+      // Group Playwright Ruby & JS deps in the same PR, as they need to be in sync
+      matchManagers: ['bundler', 'npm'],
+      matchPackageNames: ['playwright-ruby-client', 'playwright'],
+      groupName: 'Playwright',
+    },
     // Add labels depending on package manager
     { matchManagers: ['npm', 'nvm'], addLabels: ['javascript'] },
     { matchManagers: ['bundler', 'ruby-version'], addLabels: ['ruby'] },

.github/workflows/build-releases.yml

@@ -21,7 +21,7 @@ jobs:
       # Only tag with latest when ran against the latest stable branch
       # This needs to be updated after each minor version release
       flavor: |
-        latest=${{ startsWith(github.ref, 'refs/tags/v4.4.') }}
+        latest=${{ startsWith(github.ref, 'refs/tags/v4.5.') }}
       tags: |
         type=pep440,pattern={{raw}}
         type=pep440,pattern=v{{major}}.{{minor}}
@@ -39,7 +39,7 @@ jobs:
       # Only tag with latest when ran against the latest stable branch
       # This needs to be updated after each minor version release
       flavor: |
-        latest=${{ startsWith(github.ref, 'refs/tags/v4.4.') }}
+        latest=${{ startsWith(github.ref, 'refs/tags/v4.5.') }}
       tags: |
         type=pep440,pattern={{raw}}
         type=pep440,pattern=v{{major}}.{{minor}}

.github/workflows/build-security.yml

@@ -9,7 +9,6 @@ permissions:
 jobs:
   compute-suffix:
     runs-on: ubuntu-latest
-    if: github.repository == 'mastodon/mastodon'
     steps:
       - id: version_vars
         env:

.github/workflows/codeql.yml

@@ -25,8 +25,8 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: ['javascript', 'ruby']
-        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        language: ['actions', 'javascript', 'ruby']
+        # CodeQL supports [ 'actions', 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
         # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
 
     steps:

.github/workflows/crowdin-download-stable.yml

@@ -50,7 +50,7 @@ jobs:
 
       # Create or update the pull request
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v7.0.6
+        uses: peter-evans/create-pull-request@v7.0.8
         with:
           commit-message: 'New Crowdin translations'
           title: 'New Crowdin Translations for ${{ github.base_ref || github.ref_name }} (automated)'

.gitignore

@@ -23,6 +23,7 @@
 /public/packs
 /public/packs-dev
 /public/packs-test
+stats.html
 .env
 .env.production
 node_modules/

.nvmrc

@@ -1 +1 @@
-22.17
+24.10

.rubocop/metrics.yml

@@ -1,17 +1,21 @@
 ---
 Metrics/AbcSize:
-  Exclude:
-    - lib/mastodon/cli/*.rb
+  Enabled: false
 
 Metrics/BlockLength:
   Enabled: false
 
+Metrics/BlockNesting:
+  Enabled: false
+
 Metrics/ClassLength:
   Enabled: false
 
+Metrics/CollectionLiteralLength:
+  Enabled: false
+
 Metrics/CyclomaticComplexity:
-  Exclude:
-    - lib/mastodon/cli/*.rb
+  Enabled: false
 
 Metrics/MethodLength:
   Enabled: false
@@ -20,4 +24,7 @@ Metrics/ModuleLength:
   Enabled: false
 
 Metrics/ParameterLists:
-  CountKeywordArgs: false
+  Enabled: false
+
+Metrics/PerceivedComplexity:
+  Enabled: false

.rubocop_todo.yml

@@ -1,32 +1,11 @@
 # This configuration was generated by
 # `rubocop --auto-gen-config --auto-gen-only-exclude --no-offense-counts --no-auto-gen-timestamp`
-# using RuboCop version 1.77.0.
+# using RuboCop version 1.80.2.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
 # versions of RuboCop, may require this file to be generated again.
 
-Lint/NonLocalExitFromIterator:
-  Exclude:
-    - 'app/helpers/json_ld_helper.rb'
-
-# Configuration parameters: AllowedMethods, AllowedPatterns, CountRepeatedAttributes.
-Metrics/AbcSize:
-  Max: 82
-
-# Configuration parameters: CountBlocks, CountModifierForms, Max.
-Metrics/BlockNesting:
-  Exclude:
-    - 'lib/tasks/mastodon.rake'
-
-# Configuration parameters: AllowedMethods, AllowedPatterns.
-Metrics/CyclomaticComplexity:
-  Max: 25
-
-# Configuration parameters: AllowedMethods, AllowedPatterns.
-Metrics/PerceivedComplexity:
-  Max: 27
-
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: AllowedVars, DefaultToNil.
 Style/FetchEnvVar:

.ruby-version

@@ -1 +1 @@
-3.4.4
+3.4.7

.storybook/main.ts

@@ -1,3 +1,5 @@
+import { resolve } from 'node:path';
+
 import type { StorybookConfig } from '@storybook/react-vite';
 
 const config: StorybookConfig = {
@@ -26,6 +28,12 @@ const config: StorybookConfig = {
       'oops.png',
     ].map((path) => ({ from: `../public/${path}`, to: `/${path}` })),
   ],
+  viteFinal(config) {
+    // For an unknown reason, Storybook does not use the root
+    // from the Vite config so we need to set it manually.
+    config.root = resolve(__dirname, '../app/javascript');
+    return config;
+  },
 };
 
 export default config;

.storybook/preview-body.html

@@ -0,0 +1,2 @@
+<html class="no-reduce-motion">
+</html>

.storybook/preview.tsx

@@ -12,13 +12,14 @@ import { initialize, mswLoader } from 'msw-storybook-addon';
 import { action } from 'storybook/actions';
 
 import type { LocaleData } from '@/mastodon/locales';
-import { reducerWithInitialState, rootReducer } from '@/mastodon/reducers';
+import { reducerWithInitialState } from '@/mastodon/reducers';
 import { defaultMiddleware } from '@/mastodon/store/store';
 import { mockHandlers, unhandledRequestHandler } from '@/testing/api';
 
 // If you want to run the dark theme during development,
 // you can change the below to `/application.scss`
 import '../app/javascript/styles/mastodon-light.scss';
+import './styles.css';
 
 const localeFiles = import.meta.glob('@/mastodon/locales/*.json', {
   query: { as: 'json' },
@@ -49,12 +50,23 @@ const preview: Preview = {
     locale: 'en',
   },
   decorators: [
-    (Story, { parameters }) => {
+    (Story, { parameters, globals, args }) => {
+      // Get the locale from the global toolbar
+      // and merge it with any parameters or args state.
+      const { locale } = globals as { locale: string };
       const { state = {} } = parameters;
-      let reducer = rootReducer;
-      if (typeof state === 'object' && state) {
-        reducer = reducerWithInitialState(state as Record<string, unknown>);
-      }
+      const { state: argsState = {} } = args;
+
+      const reducer = reducerWithInitialState(
+        {
+          meta: {
+            locale,
+          },
+        },
+        state as Record<string, unknown>,
+        argsState as Record<string, unknown>,
+      );
+
       const store = configureStore({
         reducer,
         middleware(getDefaultMiddleware) {

.storybook/static/mockServiceWorker.js

@@ -7,8 +7,8 @@
  * - Please do NOT modify this file.
  */
 
-const PACKAGE_VERSION = '2.10.2'
-const INTEGRITY_CHECKSUM = 'f5825c521429caf22a4dd13b66e243af'
+const PACKAGE_VERSION = '2.11.3'
+const INTEGRITY_CHECKSUM = '4db4a41e972cec1b64cc569c66952d82'
 const IS_MOCKED_RESPONSE = Symbol('isMockedResponse')
 const activeClientIds = new Set()
 
@@ -71,11 +71,6 @@ addEventListener('message', async function (event) {
       break
     }
 
-    case 'MOCK_DEACTIVATE': {
-      activeClientIds.delete(clientId)
-      break
-    }
-
     case 'CLIENT_CLOSED': {
       activeClientIds.delete(clientId)
 
@@ -94,6 +89,8 @@ addEventListener('message', async function (event) {
 })
 
 addEventListener('fetch', function (event) {
+  const requestInterceptedAt = Date.now()
+
   // Bypass navigation requests.
   if (event.request.mode === 'navigate') {
     return
@@ -110,23 +107,29 @@ addEventListener('fetch', function (event) {
 
   // Bypass all requests when there are no active clients.
   // Prevents the self-unregistered worked from handling requests
-  // after it's been deleted (still remains active until the next reload).
+  // after it's been terminated (still remains active until the next reload).
   if (activeClientIds.size === 0) {
     return
   }
 
   const requestId = crypto.randomUUID()
-  event.respondWith(handleRequest(event, requestId))
+  event.respondWith(handleRequest(event, requestId, requestInterceptedAt))
 })
 
 /**
  * @param {FetchEvent} event
  * @param {string} requestId
+ * @param {number} requestInterceptedAt
  */
-async function handleRequest(event, requestId) {
+async function handleRequest(event, requestId, requestInterceptedAt) {
   const client = await resolveMainClient(event)
   const requestCloneForEvents = event.request.clone()
-  const response = await getResponse(event, client, requestId)
+  const response = await getResponse(
+    event,
+    client,
+    requestId,
+    requestInterceptedAt,
+  )
 
   // Send back the response clone for the "response:*" life-cycle events.
   // Ensure MSW is active and ready to handle the message, otherwise
@@ -204,7 +207,7 @@ async function resolveMainClient(event) {
  * @param {string} requestId
  * @returns {Promise<Response>}
  */
-async function getResponse(event, client, requestId) {
+async function getResponse(event, client, requestId, requestInterceptedAt) {
   // Clone the request because it might've been already used
   // (i.e. its body has been read and sent to the client).
   const requestClone = event.request.clone()
@@ -255,6 +258,7 @@ async function getResponse(event, client, requestId) {
       type: 'REQUEST',
       payload: {
         id: requestId,
+        interceptedAt: requestInterceptedAt,
         ...serializedRequest,
       },
     },

.storybook/styles.css

@@ -0,0 +1,8 @@
+a {
+  color: inherit;
+  text-decoration: none;
+}
+
+a:hover {
+  text-decoration: underline;
+}

CHANGELOG.md

@@ -2,6 +2,177 @@
 
 All notable changes to this project will be documented in this file.
 
+## [4.5.3] - 2025-12-08
+
+### Security
+
+- Fix inconsistent error handling leaking information on existence of private posts ([GHSA-gwhw-gcjx-72v8](https://github.com/mastodon/mastodon/security/advisories/GHSA-gwhw-gcjx-72v8))
+
+### Fixed
+
+- Fix “Delete and Redraft” on a non-quote being treated as a quote post in some cases (#37140 by @ClearlyClaire)
+- Fix YouTube embeds by sending referer (#37126 by @ChaosExAnima)
+- Fix streamed quoted polls not being hydrated correctly (#37118 by @ClearlyClaire)
+- Fix creation of duplicate conversations (#37108 by @oneiros)
+- Fix extraneous `noreferrer` in external links (#37107 by @ChaosExAnima)
+- Fix edge case error handling in some database migrations (#37079 by @ClearlyClaire)
+- Fix error handling when re-fetching already-known statuses (#37077 by @ClearlyClaire)
+- Fix post navigation in single-column mode when Advanced UI is enabled (#37044 by @diondiondion)
+- Fix `tootctl status remove` removing quoted posts and remote quotes of local posts (#37009 by @ClearlyClaire)
+- Fix known expensive S3 batch delete operation failing because of short timeouts (#37004 by @ClearlyClaire)
+- Fix compose autosuggest always lowercasing input token (#36995 by @ClearlyClaire)
+
+## [4.5.2] - 2025-11-20
+
+### Changed
+
+- Change private quote education modal to not show up on self-quotes (#36926 by @ClearlyClaire)
+
+### Fixed
+
+- Fix missing fallback link in CW-only quote posts (#36963 by @ClearlyClaire)
+- Fix statuses without text being hidden while loading (#36962 by @ClearlyClaire)
+- Fix `g` + `h` keyboard shortcut not working when a post is focused (#36935 by @diondiondion)
+- Fix quoting overwriting current content warning (#36934 by @ClearlyClaire)
+- Fix scroll-to-status in threaded view being unreliable (#36927 by @ClearlyClaire)
+- Fix path resolution for emoji worker (#36897 by @ChaosExAnima)
+- Fix `tootctl upgrade storage-schema` failing with `ArgumentError` (#36914 by @shugo)
+- Fix cross-origin handling of CSS modules (#36890 by @ClearlyClaire)
+- Fix error with remote tags including percent signs (#36886 and #36925 by @ChaosExAnima and @ClearlyClaire)
+- Fix bogus quote approval policy not always being replaced correctly (#36885 by @ClearlyClaire)
+- Fix hashtag completion not being inserted correctly (#36884 by @ClearlyClaire)
+- Fix Cmd/Ctrl + Enter in the composer triggering confirmation dialog action (#36870 by @diondiondion)
+
+## [4.5.1] - 2025-11-13
+
+### Fixed
+
+- Fix Cmd/Ctrl + Enter not submitting Alt text modal on some browsers (#36866 by @diondiondion)
+- Fix posts coming from public/hashtag streaming being marked as unquotable (#36860 and #36869 by @ClearlyClaire)
+- Fix old previously-undiscovered posts being treated as new when receiving an `Update` (#36848 by @ClearlyClaire)
+- Fix blank screen in browsers that don't support `Intl.DisplayNames` (#36847 by @diondiondion)
+- Fix filters not being applied to quotes in detailed view (#36843 by @ClearlyClaire)
+- Fix scroll shift caused by fetch-all-replies alerts (#36807 by @diondiondion)
+- Fix dropdown menu not focusing first item when opened via keyboard (#36804 by @diondiondion)
+- Fix assets build issue on arch64 (#36781 by @ClearlyClaire)
+- Fix `/api/v1/statuses/:id/context` sometimes returing `Mastodon-Async-Refresh` without `result_count` (#36779 by @ClearlyClaire)
+- Fix prepared quote not being discarded with contents when replying (#36778 by @ClearlyClaire)
+
+## [4.5.0] - 2025-11-06
+
+### Added
+
+- **Add support for allowing and authoring quotes** (#35355, #35578, #35614, #35618, #35624, #35626, #35652, #35629, #35665, #35653, #35670, #35677, #35690, #35697, #35689, #35699, #35700, #35701, #35709, #35714, #35713, #35715, #35725, #35749, #35769, #35780, #35762, #35804, #35808, #35805, #35819, #35824, #35828, #35822, #35835, #35865, #35860, #35832, #35891, #35894, #35895, #35820, #35917, #35924, #35925, #35914, #35930, #35941, #35939, #35948, #35955, #35967, #35990, #35991, #35975, #35971, #36002, #35986, #36031, #36034, #36038, #36054, #36052, #36055, #36065, #36068, #36083, #36087, #36080, #36091, #36090, #36118, #36119, #36128, #36094, #36129, #36138, #36132, #36151, #36158, #36171, #36194, #36220, #36169, #36130, #36249, #36153, #36299, #36291, #36301, #36315, #36317, #36364, #36383, #36381, #36459, #36464, #36461, #36516, #36528, #36549, #36550, #36559, #36693, #36704, #36690, #36689, #36696, #36721, #36695 and #36736 by @ChaosExAnima, @ClearlyClaire, @Lycolia, @diondiondion, and @tribela)\
+  This includes a revamp of the composer interface.\
+  See https://blog.joinmastodon.org/2025/09/introducing-quote-posts/ for a user-centric overview of the feature, and https://docs.joinmastodon.org/client/quotes/ for API documentation.
+- **Add support for fetching and refreshing replies to the web UI** (#35210, #35496, #35575, #35500, #35577, #35602, #35603, #35654, #36141, #36237, #36172, #36256, #36271, #36334, #36382, #36239, #36484, #36481, #36583, #36627 and #36547 by @ClearlyClaire, @diondiondion, @Gargron and @renchap)
+- **Add ability to block words in usernames** (#35407, #35655, and #35806 by @ClearlyClaire and @Gargron)
+- Add ability to individually disable local or remote feeds for visitors or logged-in users `disabled` value to server setting for live and topic feeds, as well as user permission to bypass that (#36338, #36467, #36497, #36563, #36577, #36585, #36607 and #36703 by @ClearlyClaire)\
+  This splits the `timeline_preview` setting into four more granular settings controlling live feeds and topic (hashtag, trending link) feeds.\
+  The setting for local topic feeds has 2 values: `public` and `authenticated`. Every other setting has 3 values: `public`, `authenticated`, `disabled`.\
+  When `disabled`, users with the “View live and topic feeds” will still be able to view them.
+- Add support for displaying of quote posts in Moderator UI (#35964 by @ThisIsMissEm)
+- Add support for displaying link previews for Admin UI (#35958 by @ThisIsMissEm)
+- Add a new server setting to choose the server landing page (#36588 and #36602 by @ClearlyClaire and @renchap)
+- Add support for `Update` activities on converted object types (#36322 by @ClearlyClaire)
+- Add support for dynamic viewport height (#36272 by @e1berd)
+- Add support for numeric-based URIs for new local accounts (#32724, #36304, #36316, and #36365 by @ClearlyClaire)
+- Add default visualizer for audio upload without poster (#36734 by @ChaosExAnima)
+- Add Traditional Mongolian to posting languages (#36196 by @shimon1024)
+- Add example post with manual quote approval policy to `dev:populate_sample_data` (#36099 by @ClearlyClaire)
+- Add server-side support for handling posts with a quote policy allowing followers to quote (#36093 and #36127 by @ClearlyClaire)
+- Add schema.org markup to SEO-enabled posts (#36075 by @Gargron)
+- Add migration to fill unset default quote policy based on default post privacy (#36041 by @ClearlyClaire)
+- Add “Posting defaults” setting page, moving existing settings from “Other” (#35896, #36033, #35966, #35969, and #36084 by @ClearlyClaire and @diondiondion)
+- Added emoji from Twemoji v16 (#36501 and #36530 by @ChaosExAnima)
+- Add feature to select custom emoji rendering (#35229, #35282, #35253, #35424, #35473, #35483, #35505, #35568, #35605, #35659, #35664, #35739, #35985, #36051, #36071, #36137, #36165, #36248, #36262, #36275, #36293, #36341, #36342, #36366, #36377, #36378, #36385, #36393, #36397, #36403, #36413, #36410, #36454, #36402, #36503, #36502, #36532, #36603, #36409, #36638 and #36750 by @ChaosExAnima, @ClearlyClaire and @braddunbar)\
+  This also completely reworks the processing and rendering of emojis and server-rendered HTML in statuses and other places.
+- Add support for exposing conversation context for new public conversations according to FEP-7888 (#35959 and #36064 by @ClearlyClaire and @jesseplusplus)
+- Add digest re-check before removing followers in synchronization mechanism (#34273 by @ClearlyClaire)
+- Add support for displaying Valkey version on admin dashboard (#35785 by @ykzts)
+- Add delivery failure tracking and handling to FASP jobs (#35625, #35628, and #35723 by @oneiros)
+- Add example of quote post with a preview card to development sample data (#35616 by @ClearlyClaire)
+- Add second set of blocked text that applies to accounts regardless of account age for spam-blocking (#35563 by @ClearlyClaire)
+
+### Changed
+
+- Change confirmation dialogs for follow button actions “unfollow”, “unblock”, and “withdraw request” (#36289 by @diondiondion)
+- Change “Follow” button labels (#36264 by @diondiondion)
+- Change appearance settings to introduce new Advanced settings section (#36496 and #36506 by @diondiondion)
+- Change display of blocked and muted quoted users (#36619 by @ClearlyClaire)\
+  This adds `blocked_account`, `blocked_domain` and `muted_account` values to the `state` attribute of `Quote` and `ShallowQuote` REST API entities.
+- Change submitting an empty post to show an error rather than failing silently (#36650 by @diondiondion)
+- Change "Privacy and reach" settings from "Public profile" to their own top-level category (#27294 by @ChaelCodes)
+- Change number of times quote verification is retried to better deal with temporary failures (#36698 by @ClearlyClaire)
+- Change display of content warnings in Admin UI (#35935 by @ThisIsMissEm)
+- Change styling of column banners (#36531 by @ClearlyClaire)
+- Change recommended Node version to 24 (LTS) (#36539 by @renchap)
+- Change min. characters required for logged-out account search from 5 to 3 (#36487 by @Gargron)
+- Change browser target to Vite legacy plugin defaults (#36611 by @larouxn)
+- Change index on `follows` table to improve performance of some queries (#36374 by @ClearlyClaire)
+- Change links to accounts in settings and moderation views to link to local view unless account is suspended (#36340 by @diondiondion)
+- Change redirection for denied registration from web app to sign-in page with error message (#36384 by @ClearlyClaire)
+- Change support for RFC9421 HTTP signatures to be enabled unconditionally (#36610 by @oneiros)
+- Change wording and design of interaction dialog to simplify it (#36124 by @diondiondion)
+- Change dropdown menus to allow disabled items to be focused (#36078 by @diondiondion)
+- Change modal background colours in light mode (#36069 by @diondiondion)
+- Change “Posting defaults” settings page to enforce `nobody` quote policy for `private` default visibility (#36040 by @ClearlyClaire)
+- Change description of “Quiet public” (#36032 by @ClearlyClaire)
+- Change “Boost with original visibility” to “Share again with your followers” (#36035 by @ClearlyClaire)
+- Change handling of push subscriptions to automatically delete invalid ones on delivery (#35987 by @ThisIsMissEm)
+- Change design of quote posts in web UI (#35584 and #35834 by @Gargron)
+- Change auditable accounts to be sorted by username in admin action logs interface (#35272 by @breadtk)
+- Change order of translation restoration and service credit on post card (#33619 by @colindean)
+- Change position of ‘add more’ to be inside table toolbar on reports (#35963 by @ThisIsMissEm)
+- Change docker-compose.yml sidekiq health check to work for both 4.4 and 4.5 (#36498 by @ClearlyClaire)
+
+### Fixed
+
+- Fix relationship not being fetched to evaluate whether to show a quote post (#36517 by @ClearlyClaire)
+- Fix rendering of poll options in status history modal (#35633 by @ThisIsMissEm)
+- Fix “mute” button being displayed to unauthenticated visitors in hashtag dropdown (#36353 by @mkljczk)
+- Fix initially selected language in Rules panel, hide selector when no alternative translations exist (#36672 by @diondiondion)
+- Fix URL comparison for mentions in case of empty path (#36613 and #36626 by @ClearlyClaire)
+- Fix hashtags not being picked up when full-width hash sign is used (#36103 and #36625 by @ClearlyClaire and @Gargron)
+- Fix layout of severed relationships when purged events are listed (#36593 by @mejofi)
+- Fix Skeleton placeholders being animated when setting to reduce animations is enabled (#36716 by @ClearlyClaire)
+- Fix vacuum tasks being interrupted by a single batch failure (#36606 by @Gargron)
+- Fix handling of unreachable network error for search services (#36587 by @mjankowski)
+- Fix bookmarks export when a bookmarked status is soft-deleted (#36576 by @ClearlyClaire)
+- Fix text overflow alignment for long author names in News (#36562 by @diondiondion)
+- Fix discovery preamble missing word in admin settings (#36560 by @belatedly)
+- Fix overflow handling of `.more-from-author` (#36310 by @edent)
+- Fix unfortunate action button wrapping in admin area (#36247 by @diondiondion)
+- Fix translate button width in Safari (#36164 and #36216 by @diondiondion)
+- Fix login page linking to other pages within OAuth authorization flow (#36115 by @Gargron)
+- Fix stale search results being displayed in Web UI while new query is in progress (#36053 by @ChaosExAnima)
+- Fix YouTube iframe not being able to start at a defined time (#26584 by @BrunoViveiros)
+- Fix banned text being able to be circumvented via unicode (#35978 by @Gargron)
+- Fix batch table toolbar displaying under status media (#35962 by @ThisIsMissEm)
+- Fix incorrect RSS feed MIME type in gzip_types directive (#35562 by @iioflow)
+- Fix 404 error after deleting status from detail view (#35800) (#35881 by @crafkaz)
+- Fix feeds keyboard navigation issues (#35853, #35864, and #36267 by @braddunbar and @diondiondion)
+- Fix layout shift caused by “Who to follow” widget (#35861 by @diondiondion)
+- Fix Vagrantfile (#35765 by @ClearlyClaire)
+- Fix reply indicator displaying wrong avatar in rare cases (#35756 by @ClearlyClaire)
+- Fix `Chewy::UndefinedUpdateStrategy` in `dev:populate_sample_data` task when Elasticsearch is enabled (#35615 by @ClearlyClaire)
+- Fix unnecessary account note addition for already-muted moved-to users (#35566 by @mjankowski)
+- Fix seeded admin user creation failing on specific configurations (#35565 by @oneiros)
+- Fix media modal images in Web UI having redundant `title` attribute (#35468 by @mayank99)
+- Fix inconsistent default privacy post setting when unset in settings (#35422 by @oneiros)
+- Fix glitchy status keyboard navigation (#35455 and #35504 by @diondiondion)
+- Fix post being submitted when pressing “Enter” in the CW field (#35445 by @diondiondion)
+
+### Removed
+
+- Remove support for PostgreSQL 13 (#36540 by @renchap)
+
+## [4.4.8] - 2025-10-21
+
+### Security
+
+- Fix quote control bypass ([GHSA-8h43-rcqj-wpc6](https://github.com/mastodon/mastodon/security/advisories/GHSA-8h43-rcqj-wpc6))
+
 ## [4.4.7] - 2025-10-15
 
 ### Fixed
@@ -661,7 +832,6 @@ The following changelog entries focus on changes visible to users, administrator
   You can now separately filter or drop notifications from people you don't follow, people who don't follow you, accounts created within the past 30 days, as well as unsolicited private mentions, and accounts limited by the moderation.\
   Instead of being outright dropped, notifications that you chose to filter are put in a separate “Filtered notifications” box that you can review separately without it clogging your main notifications.\
   This adds the following REST API endpoints:
-
   - `GET /api/v2/notifications/policy`: https://docs.joinmastodon.org/methods/notifications/#get-policy
   - `PATCH /api/v2/notifications/policy`: https://docs.joinmastodon.org/methods/notifications/#update-the-filtering-policy-for-notifications
   - `GET /api/v1/notifications/requests`: https://docs.joinmastodon.org/methods/notifications/#get-requests
@@ -673,7 +843,6 @@ The following changelog entries focus on changes visible to users, administrator
   - `GET /api/v1/notifications/requests/merged`: https://docs.joinmastodon.org/methods/notifications/#requests-merged
 
   In addition, accepting one or more notification requests generates a new streaming event:
-
   - `notifications_merged`: an event of this type indicates accepted notification requests have finished merging, and the notifications list should be refreshed
 
 - **Add notifications of severed relationships** (#27511, #29665, #29668, #29670, #29700, #29714, #29712, and #29731 by @ClearlyClaire and @Gargron)\

Dockerfile

@@ -1,4 +1,4 @@
-# syntax=docker/dockerfile:1.12
+# syntax=docker/dockerfile:1.18
 
 # This file is designed for production server deployment, not local development work
 # For a containerized local dev environment, see: https://github.com/mastodon/mastodon/blob/main/docs/DEVELOPMENT.md#docker
@@ -13,15 +13,15 @@ ARG BASE_REGISTRY="docker.io"
 
 # Ruby image to use for base image, change with [--build-arg RUBY_VERSION="3.4.x"]
 # renovate: datasource=docker depName=docker.io/ruby
-ARG RUBY_VERSION="3.4.4"
-# # Node.js version to use in base image, change with [--build-arg NODE_MAJOR_VERSION="20"]
+ARG RUBY_VERSION="3.4.7"
+# # Node.js version to use in base image, change with [--build-arg NODE_MAJOR_VERSION="22"]
 # renovate: datasource=node-version depName=node
-ARG NODE_MAJOR_VERSION="22"
-# Debian image to use for base image, change with [--build-arg DEBIAN_VERSION="bookworm"]
-ARG DEBIAN_VERSION="bookworm"
-# Node.js image to use for base image based on combined variables (ex: 20-bookworm-slim)
+ARG NODE_MAJOR_VERSION="24"
+# Debian image to use for base image, change with [--build-arg DEBIAN_VERSION="trixie"]
+ARG DEBIAN_VERSION="trixie"
+# Node.js image to use for base image based on combined variables (ex: 20-trixie-slim)
 FROM ${BASE_REGISTRY}/node:${NODE_MAJOR_VERSION}-${DEBIAN_VERSION}-slim AS node
-# Ruby image to use for base image based on combined variables (ex: 3.4.x-slim-bookworm)
+# Ruby image to use for base image based on combined variables (ex: 3.4.x-slim-trixie)
 FROM ${BASE_REGISTRY}/ruby:${RUBY_VERSION}-slim-${DEBIAN_VERSION} AS ruby
 
 # Resulting version string is vX.X.X-MASTODON_VERSION_PRERELEASE+MASTODON_VERSION_METADATA
@@ -96,9 +96,6 @@ RUN \
 # Set /opt/mastodon as working directory
 WORKDIR /opt/mastodon
 
-# Add backport repository for some specific packages where we need the latest version
-RUN echo 'deb http://deb.debian.org/debian bookworm-backports main' >> /etc/apt/sources.list
-
 # hadolint ignore=DL3008,DL3005
 RUN \
   # Mount Apt cache and lib directories from Docker buildx caches
@@ -161,11 +158,11 @@ RUN \
   libexif-dev \
   libexpat1-dev \
   libgirepository1.0-dev \
-  libheif-dev/bookworm-backports \
+  libheif-dev \
+  libhwy-dev \
   libimagequant-dev \
   libjpeg62-turbo-dev \
   liblcms2-dev \
-  liborc-dev \
   libspng-dev \
   libtiff-dev \
   libwebp-dev \
@@ -186,7 +183,7 @@ FROM build AS libvips
 
 # libvips version to compile, change with [--build-arg VIPS_VERSION="8.15.2"]
 # renovate: datasource=github-releases depName=libvips packageName=libvips/libvips
-ARG VIPS_VERSION=8.17.0
+ARG VIPS_VERSION=8.17.3
 # libvips download URL, change with [--build-arg VIPS_URL="https://github.com/libvips/libvips/releases/download"]
 ARG VIPS_URL=https://github.com/libvips/libvips/releases/download
 
@@ -209,14 +206,14 @@ FROM build AS ffmpeg
 
 # ffmpeg version to compile, change with [--build-arg FFMPEG_VERSION="7.0.x"]
 # renovate: datasource=repology depName=ffmpeg packageName=openpkg_current/ffmpeg
-ARG FFMPEG_VERSION=7.1
+ARG FFMPEG_VERSION=8.0
 # ffmpeg download URL, change with [--build-arg FFMPEG_URL="https://ffmpeg.org/releases"]
-ARG FFMPEG_URL=https://ffmpeg.org/releases
+ARG FFMPEG_URL=https://github.com/FFmpeg/FFmpeg/archive/refs/tags
 
 WORKDIR /usr/local/ffmpeg/src
 # Download and extract ffmpeg source code
-ADD ${FFMPEG_URL}/ffmpeg-${FFMPEG_VERSION}.tar.xz /usr/local/ffmpeg/src/
-RUN tar xf ffmpeg-${FFMPEG_VERSION}.tar.xz;
+ADD ${FFMPEG_URL}/n${FFMPEG_VERSION}.tar.gz /usr/local/ffmpeg/src/
+RUN tar xf n${FFMPEG_VERSION}.tar.gz && mv FFmpeg-n${FFMPEG_VERSION} ffmpeg-${FFMPEG_VERSION};
 
 WORKDIR /usr/local/ffmpeg/src/ffmpeg-${FFMPEG_VERSION}
 
@@ -327,28 +324,28 @@ RUN \
   # Apt update install non-dev versions of necessary components
   apt-get install -y --no-install-recommends \
   libexpat1 \
-  libglib2.0-0 \
-  libicu72 \
+  libglib2.0-0t64 \
+  libicu76 \
   libidn12 \
   libpq5 \
-  libreadline8 \
-  libssl3 \
+  libreadline8t64 \
+  libssl3t64 \
   libyaml-0-2 \
   # libvips components
   libcgif0 \
   libexif12 \
-  libheif1/bookworm-backports \
+  libheif1 \
+  libhwy1t64 \
   libimagequant0 \
   libjpeg62-turbo \
   liblcms2-2 \
-  liborc-0.4-0 \
   libspng0 \
   libtiff6 \
   libwebp7 \
   libwebpdemux2 \
   libwebpmux3 \
   # ffmpeg components
-  libdav1d6 \
+  libdav1d7 \
   libmp3lame0 \
   libopencore-amrnb0 \
   libopencore-amrwb0 \
@@ -358,9 +355,9 @@ RUN \
   libvorbis0a \
   libvorbisenc2 \
   libvorbisfile3 \
-  libvpx7 \
+  libvpx9 \
   libx264-164 \
-  libx265-199 \
+  libx265-215 \
   ;
 
 # Copy Mastodon sources into final layer

Gemfile

@@ -4,12 +4,12 @@ source 'https://rubygems.org'
 ruby '>= 3.2.0', '< 3.5.0'
 
 gem 'propshaft'
-gem 'puma', '~> 6.3'
+gem 'puma', '~> 7.0'
 gem 'rails', '~> 8.0'
 gem 'thor', '~> 1.2'
 
 gem 'dotenv'
-gem 'haml-rails', '~>2.0'
+gem 'haml-rails', '~>3.0'
 gem 'pg', '~> 1.5'
 gem 'pghero'
 
@@ -62,7 +62,7 @@ gem 'inline_svg'
 gem 'irb', '~> 1.8'
 gem 'kaminari', '~> 1.2'
 gem 'link_header', '~> 0.0'
-gem 'linzer', '~> 0.7.2'
+gem 'linzer', '~> 0.7.7'
 gem 'mario-redis-lock', '~> 1.2', require: 'redis_lock'
 gem 'mime-types', '~> 3.7.0', require: 'mime/types/columnar'
 gem 'mutex_m'
@@ -82,13 +82,13 @@ gem 'rqrcode', '~> 3.0'
 gem 'ruby-progressbar', '~> 1.13'
 gem 'sanitize', '~> 7.0'
 gem 'scenic', '~> 1.7'
-gem 'sidekiq', '< 8'
+gem 'sidekiq', '< 9'
 gem 'sidekiq-bulk', '~> 0.2.0'
-gem 'sidekiq-scheduler', '~> 5.0'
+gem 'sidekiq-scheduler', '~> 6.0'
 gem 'sidekiq-unique-jobs', '> 8'
 gem 'simple_form', '~> 5.2'
 gem 'simple-navigation', '~> 4.4'
-gem 'stoplight', '~> 4.1'
+gem 'stoplight'
 gem 'strong_migrations'
 gem 'tty-prompt', '~> 0.23', require: false
 gem 'twitter-text', '~> 3.1.0'
@@ -102,23 +102,23 @@ gem 'rdf-normalize', '~> 0.5'
 
 gem 'prometheus_exporter', '~> 2.2', require: false
 
-gem 'opentelemetry-api', '~> 1.5.0'
+gem 'opentelemetry-api', '~> 1.7.0'
 
 group :opentelemetry do
-  gem 'opentelemetry-exporter-otlp', '~> 0.30.0', require: false
-  gem 'opentelemetry-instrumentation-active_job', '~> 0.8.0', require: false
-  gem 'opentelemetry-instrumentation-active_model_serializers', '~> 0.22.0', require: false
-  gem 'opentelemetry-instrumentation-concurrent_ruby', '~> 0.22.0', require: false
-  gem 'opentelemetry-instrumentation-excon', '~> 0.23.0', require: false
-  gem 'opentelemetry-instrumentation-faraday', '~> 0.27.0', require: false
-  gem 'opentelemetry-instrumentation-http', '~> 0.25.0', require: false
-  gem 'opentelemetry-instrumentation-http_client', '~> 0.23.0', require: false
-  gem 'opentelemetry-instrumentation-net_http', '~> 0.23.0', require: false
-  gem 'opentelemetry-instrumentation-pg', '~> 0.30.0', require: false
-  gem 'opentelemetry-instrumentation-rack', '~> 0.26.0', require: false
-  gem 'opentelemetry-instrumentation-rails', '~> 0.36.0', require: false
-  gem 'opentelemetry-instrumentation-redis', '~> 0.26.0', require: false
-  gem 'opentelemetry-instrumentation-sidekiq', '~> 0.26.0', require: false
+  gem 'opentelemetry-exporter-otlp', '~> 0.31.0', require: false
+  gem 'opentelemetry-instrumentation-active_job', '~> 0.10.0', require: false
+  gem 'opentelemetry-instrumentation-active_model_serializers', '~> 0.24.0', require: false
+  gem 'opentelemetry-instrumentation-concurrent_ruby', '~> 0.24.0', require: false
+  gem 'opentelemetry-instrumentation-excon', '~> 0.26.0', require: false
+  gem 'opentelemetry-instrumentation-faraday', '~> 0.30.0', require: false
+  gem 'opentelemetry-instrumentation-http', '~> 0.27.0', require: false
+  gem 'opentelemetry-instrumentation-http_client', '~> 0.26.0', require: false
+  gem 'opentelemetry-instrumentation-net_http', '~> 0.26.0', require: false
+  gem 'opentelemetry-instrumentation-pg', '~> 0.32.0', require: false
+  gem 'opentelemetry-instrumentation-rack', '~> 0.29.0', require: false
+  gem 'opentelemetry-instrumentation-rails', '~> 0.39.0', require: false
+  gem 'opentelemetry-instrumentation-redis', '~> 0.28.0', require: false
+  gem 'opentelemetry-instrumentation-sidekiq', '~> 0.28.0', require: false
   gem 'opentelemetry-sdk', '~> 1.4', require: false
 end
 
@@ -138,6 +138,7 @@ group :test do
   # Browser integration testing
   gem 'capybara', '~> 3.39'
   gem 'capybara-playwright-driver'
+  gem 'playwright-ruby-client', '1.55.0', require: false # Pinning the exact version as it needs to be kept in sync with the installed npm package
 
   # Used to reset the database between system tests
   gem 'database_cleaner-active_record'
@@ -146,7 +147,7 @@ group :test do
   gem 'climate_control'
 
   # Validate schemas in specs
-  gem 'json-schema', '~> 5.0'
+  gem 'json-schema', '~> 6.0'
 
   # Test harness fo rack components
   gem 'rack-test', '~> 2.1'
@@ -226,7 +227,7 @@ gem 'connection_pool', require: false
 gem 'xorcist', '~> 1.1'
 
 gem 'net-http', '~> 0.6.0'
-gem 'rubyzip', '~> 2.3'
+gem 'rubyzip', '~> 3.0'
 
 gem 'hcaptcha', '~> 7.1'
 

README.md

@@ -20,32 +20,36 @@ Click below to **learn more** in a video:
 
 <img src="app/javascript/images/cigarmanwoman.svg?raw=true" align="right" width="30%" />
 
-**No vendor lock-in: Fully interoperable with any conforming platform** - It doesn't have to be Mastodon; whatever implements ActivityPub is part of the social network! [Learn more](https://blog.joinmastodon.org/2018/06/why-activitypub-is-the-future/)
+**Part of the Fediverse. Based on open standards, with no vendor lock-in.** - the network goes beyond just Mastodon; anything that implements ActivityPub is part of a broader social network known as [the Fediverse](https://jointhefediverse.net/). You can follow and interact with users on other servers (including those running different software), and they can follow you back.
 
-**Real-time, chronological timeline updates** - updates of people you're following appear in real-time in the UI via WebSockets. There's a firehose view as well!
+**Real-time, chronological timeline updates** - updates of people you're following appear in real-time in the UI.
 
-**Media attachments like images and short videos** - upload and view images and WebM/MP4 videos attached to the updates. Videos with no audio track are treated like GIFs; normal videos loop continuously!
+**Media attachments** - upload and view images and videos attached to the updates. Videos with no audio track are treated like animated GIFs; normal videos loop continuously.
 
-**Safety and moderation tools** - Mastodon includes private posts, locked accounts, phrase filtering, muting, blocking, and all sorts of other features, along with a reporting and moderation system. [Learn more](https://blog.joinmastodon.org/2018/07/cage-the-mastodon/)
+**Safety and moderation tools** - Mastodon includes private posts, locked accounts, phrase filtering, muting, blocking, and many other features, along with a reporting and moderation system.
 
-**OAuth2 and a straightforward REST API** - Mastodon acts as an OAuth2 provider, so 3rd party apps can use the REST and Streaming APIs. This results in a rich app ecosystem with a lot of choices!
+**OAuth2 and a straightforward REST API** - Mastodon acts as an OAuth2 provider, and third party apps can use the REST and Streaming APIs. This results in a [rich app ecosystem](https://joinmastodon.org/apps) with a variety of choices!
 
 ## Deployment
 
 ### Tech stack
 
-- **Ruby on Rails** powers the REST API and other web pages
-- **React.js** and **Redux** are used for the dynamic parts of the interface
-- **Node.js** powers the streaming API
+- [Ruby on Rails](https://github.com/rails/rails) powers the REST API and other web pages.
+- [PostgreSQL](https://www.postgresql.org/) is the main database.
+- [Redis](https://redis.io/) and [Sidekiq](https://sidekiq.org/) are used for caching and queueing.
+- [Node.js](https://nodejs.org/) powers the streaming API.
+- [React.js](https://reactjs.org/) and [Redux](https://redux.js.org/) are used for the dynamic parts of the interface.
+- [BrowserStack](https://www.browserstack.com/) supports testing on real devices and browsers. (This project is tested with BrowserStack)
+- [Chromatic](https://www.chromatic.com/) provides visual regression testing. (This project is tested with Chromatic)
 
 ### Requirements
 
-- **PostgreSQL** 13+
-- **Redis** 6.2+
 - **Ruby** 3.2+
+- **PostgreSQL** 14+
+- **Redis** 7.0+
 - **Node.js** 20+
 
-The repository includes deployment configurations for **Docker and docker-compose** as well as specific platforms like **Heroku**, and **Scalingo**. For Helm charts, reference the [mastodon/chart repository](https://github.com/mastodon/chart). The [**standalone** installation guide](https://docs.joinmastodon.org/admin/install/) is available in the documentation.
+This repository includes deployment configurations for **Docker and docker-compose**, as well as for other environments like Heroku and Scalingo. For Helm charts, reference the [mastodon/chart repository](https://github.com/mastodon/chart). A [**standalone** installation guide](https://docs.joinmastodon.org/admin/install/) is available in the main documentation.
 
 ## Contributing
 
@@ -61,7 +65,7 @@ Copyright (c) 2016-2025 Eugen Rochko (+ [`mastodon authors`](AUTHORS.md))
 
 Licensed under GNU Affero General Public License as stated in the [LICENSE](LICENSE):
 
-```
+```text
 Copyright (c) 2016-2025 Eugen Rochko & other Mastodon contributors
 
 This program is free software: you can redistribute it and/or modify it under
@@ -77,7 +81,3 @@ details.
 You should have received a copy of the GNU Affero General Public License along
 with this program. If not, see https://www.gnu.org/licenses/
 ```
-
-[CONTRIBUTING]: CONTRIBUTING.md
-[DEVELOPMENT]: docs/DEVELOPMENT.md
-[OpenCollective]: https://opencollective.com/mastodon

SECURITY.md

@@ -15,7 +15,8 @@ A "vulnerability in Mastodon" is a vulnerability in the code distributed through
 
 | Version | Supported        |
 | ------- | ---------------- |
+| 4.5.x   | Yes              |
 | 4.4.x   | Yes              |
-| 4.3.x   | Yes              |
+| 4.3.x   | Until 2026-05-06 |
 | 4.2.x   | Until 2026-01-08 |
 | < 4.2   | No               |

Vagrantfile

@@ -54,6 +54,7 @@ sudo apt-get install \
   pkg-config \
   protobuf-compiler \
   zlib1g-dev \
+  libvips42t64 \
   -y
 
 # Install rvm
@@ -134,7 +135,7 @@ VAGRANTFILE_API_VERSION = "2"
 
 Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
 
-  config.vm.box = "ubuntu/focal64"
+  config.vm.box = "bento/ubuntu-24.04"
 
   config.vm.provider :virtualbox do |vb|
     vb.name = "mastodon"
@@ -172,7 +173,7 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
   end
 
   if config.vm.networks.any? { |type, options| type == :private_network }
-    config.vm.synced_folder ".", "/vagrant", type: "nfs", mount_options: ['rw', 'actimeo=1']
+    config.vm.synced_folder ".", "/vagrant", type: "nfs", mount_options: ['rw', 'actimeo=1'], nfs_udp: false
   else
     config.vm.synced_folder ".", "/vagrant", type: "rsync", create: true, rsync__args: ["--verbose", "--archive", "--delete", "-z"]
   end

app/controllers/accounts_controller.rb

@@ -71,6 +71,10 @@ class AccountsController < ApplicationController
     params[:username]
   end
 
+  def account_id_param
+    params[:id]
+  end
+
   def skip_temporary_suspension_response?
     request.format == :json
   end

app/controllers/activitypub/contexts_controller.rb

@@ -0,0 +1,82 @@
+# frozen_string_literal: true
+
+class ActivityPub::ContextsController < ActivityPub::BaseController
+  vary_by -> { 'Signature' if authorized_fetch_mode? }
+
+  before_action :require_account_signature!, if: :authorized_fetch_mode?
+  before_action :set_conversation
+  before_action :set_items
+
+  DESCENDANTS_LIMIT = 60
+
+  def show
+    expires_in 3.minutes, public: public_fetch_mode?
+    render_with_cache json: context_presenter, serializer: ActivityPub::ContextSerializer, adapter: ActivityPub::Adapter, content_type: 'application/activity+json'
+  end
+
+  def items
+    expires_in 3.minutes, public: public_fetch_mode?
+    render_with_cache json: items_collection_presenter, serializer: ActivityPub::CollectionSerializer, adapter: ActivityPub::Adapter, content_type: 'application/activity+json'
+  end
+
+  private
+
+  def account_required?
+    false
+  end
+
+  def set_conversation
+    account_id, status_id = params[:id].split('-')
+    @conversation = Conversation.local.find_by(parent_account_id: account_id, parent_status_id: status_id)
+  end
+
+  def set_items
+    @items = @conversation.statuses.distributable_visibility.paginate_by_min_id(DESCENDANTS_LIMIT, params[:min_id])
+  end
+
+  def context_presenter
+    first_page = ActivityPub::CollectionPresenter.new(
+      id: items_context_url(@conversation, page_params),
+      type: :unordered,
+      part_of: items_context_url(@conversation),
+      next: next_page,
+      items: @items.map { |status| status.local? ? ActivityPub::TagManager.instance.uri_for(status) : status.uri }
+    )
+
+    ActivityPub::ContextPresenter.from_conversation(@conversation).tap do |presenter|
+      presenter.first = first_page
+    end
+  end
+
+  def items_collection_presenter
+    page = ActivityPub::CollectionPresenter.new(
+      id: items_context_url(@conversation, page_params),
+      type: :unordered,
+      part_of: items_context_url(@conversation),
+      next: next_page,
+      items: @items.map { |status| status.local? ? ActivityPub::TagManager.instance.uri_for(status) : status.uri }
+    )
+
+    return page if page_requested?
+
+    ActivityPub::CollectionPresenter.new(
+      id: items_context_url(@conversation),
+      type: :unordered,
+      first: page
+    )
+  end
+
+  def page_requested?
+    truthy_param?(:page)
+  end
+
+  def next_page
+    return nil if @items.size < DESCENDANTS_LIMIT
+
+    items_context_url(@conversation, page: true, min_id: @items.last.id)
+  end
+
+  def page_params
+    params.permit(:page, :min_id)
+  end
+end

app/controllers/activitypub/likes_controller.rb

@@ -22,13 +22,13 @@ class ActivityPub::LikesController < ActivityPub::BaseController
   def set_status
     @status = @account.statuses.find(params[:status_id])
     authorize @status, :show?
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     not_found
   end
 
   def likes_collection_presenter
     ActivityPub::CollectionPresenter.new(
-      id: account_status_likes_url(@account, @status),
+      id: ActivityPub::TagManager.instance.likes_uri_for(@status),
       type: :unordered,
       size: @status.favourites_count
     )

app/controllers/activitypub/outboxes_controller.rb

@@ -73,6 +73,8 @@ class ActivityPub::OutboxesController < ActivityPub::BaseController
   end
 
   def set_account
-    @account = params[:account_username].present? ? Account.find_local!(username_param) : Account.representative
+    return super if params[:account_username].present? || params[:account_id].present?
+
+    @account = Account.representative
   end
 end

app/controllers/activitypub/quote_authorizations_controller.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+class ActivityPub::QuoteAuthorizationsController < ActivityPub::BaseController
+  include Authorization
+
+  vary_by -> { 'Signature' if authorized_fetch_mode? }
+
+  before_action :require_account_signature!, if: :authorized_fetch_mode?
+  before_action :set_quote_authorization
+
+  def show
+    expires_in 30.seconds, public: true if @quote.quoted_status.distributable? && public_fetch_mode?
+    render json: @quote, serializer: ActivityPub::QuoteAuthorizationSerializer, adapter: ActivityPub::Adapter, content_type: 'application/activity+json'
+  end
+
+  private
+
+  def pundit_user
+    signed_request_account
+  end
+
+  def set_quote_authorization
+    @quote = Quote.accepted.where(quoted_account: @account).find(params[:id])
+    return not_found unless @quote.status.present? && @quote.quoted_status.present?
+
+    authorize @quote.quoted_status, :show?
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
+    not_found
+  end
+end

app/controllers/activitypub/replies_controller.rb

@@ -25,7 +25,7 @@ class ActivityPub::RepliesController < ActivityPub::BaseController
   def set_status
     @status = @account.statuses.find(params[:status_id])
     authorize @status, :show?
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     not_found
   end
 
@@ -37,7 +37,7 @@ class ActivityPub::RepliesController < ActivityPub::BaseController
 
   def replies_collection_presenter
     page = ActivityPub::CollectionPresenter.new(
-      id: account_status_replies_url(@account, @status, page_params),
+      id: ActivityPub::TagManager.instance.replies_uri_for(@status, page_params),
       type: :unordered,
       part_of: account_status_replies_url(@account, @status),
       next: next_page,
@@ -47,7 +47,7 @@ class ActivityPub::RepliesController < ActivityPub::BaseController
     return page if page_requested?
 
     ActivityPub::CollectionPresenter.new(
-      id: account_status_replies_url(@account, @status),
+      id: ActivityPub::TagManager.instance.replies_uri_for(@status),
       type: :unordered,
       first: page
     )
@@ -66,8 +66,7 @@ class ActivityPub::RepliesController < ActivityPub::BaseController
       # Only consider remote accounts
       return nil if @replies.size < DESCENDANTS_LIMIT
 
-      account_status_replies_url(
-        @account,
+      ActivityPub::TagManager.instance.replies_uri_for(
         @status,
         page: true,
         min_id: @replies&.last&.id,
@@ -77,8 +76,7 @@ class ActivityPub::RepliesController < ActivityPub::BaseController
       # For now, we're serving only self-replies, but next page might be other accounts
       next_only_other_accounts = @replies&.last&.account_id != @account.id || @replies.size < DESCENDANTS_LIMIT
 
-      account_status_replies_url(
-        @account,
+      ActivityPub::TagManager.instance.replies_uri_for(
         @status,
         page: true,
         min_id: next_only_other_accounts ? nil : @replies&.last&.id,

app/controllers/activitypub/shares_controller.rb

@@ -22,13 +22,13 @@ class ActivityPub::SharesController < ActivityPub::BaseController
   def set_status
     @status = @account.statuses.find(params[:status_id])
     authorize @status, :show?
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     not_found
   end
 
   def shares_collection_presenter
     ActivityPub::CollectionPresenter.new(
-      id: account_status_shares_url(@account, @status),
+      id: ActivityPub::TagManager.instance.shares_uri_for(@status),
       type: :unordered,
       size: @status.reblogs_count
     )

app/controllers/admin/accounts_controller.rb

@@ -16,11 +16,14 @@ module Admin
     def batch
       authorize :account, :index?
 
-      @form = Form::AccountBatch.new(form_account_batch_params)
-      @form.current_account = current_account
-      @form.action = action_from_button
-      @form.select_all_matching = params[:select_all_matching]
-      @form.query = filtered_accounts
+      @form = Form::AccountBatch.new(
+        form_account_batch_params.merge(
+          action: action_from_button,
+          current_account:,
+          query: filtered_accounts,
+          select_all_matching: params[:select_all_matching]
+        )
+      )
       @form.save
     rescue ActionController::ParameterMissing
       flash[:alert] = I18n.t('admin.accounts.no_account_selected')

app/controllers/admin/action_logs_controller.rb

@@ -6,7 +6,7 @@ module Admin
 
     def index
       authorize :audit_log, :index?
-      @auditable_accounts = Account.auditable.select(:id, :username)
+      @auditable_accounts = Account.auditable.select(:id, :username).order(username: :asc)
     end
 
     private

app/controllers/admin/confirmations_controller.rb

@@ -19,15 +19,13 @@ module Admin
 
       log_action :resend, @user
 
-      flash[:notice] = I18n.t('admin.accounts.resend_confirmation.success')
-      redirect_to admin_accounts_path
+      redirect_to admin_accounts_path, notice: t('admin.accounts.resend_confirmation.success')
     end
 
     private
 
     def redirect_confirmed_user
-      flash[:error] = I18n.t('admin.accounts.resend_confirmation.already_confirmed')
-      redirect_to admin_accounts_path
+      redirect_to admin_accounts_path, flash: { error: t('admin.accounts.resend_confirmation.already_confirmed') }
     end
 
     def user_confirmed?

app/controllers/admin/disputes/appeals_controller.rb

@@ -18,7 +18,7 @@ class Admin::Disputes::AppealsController < Admin::BaseController
   end
 
   def reject
-    authorize @appeal, :approve?
+    authorize @appeal, :reject?
     log_action :reject, @appeal
     @appeal.reject!(current_account)
     UserMailer.appeal_rejected(@appeal.account.user, @appeal).deliver_later

app/controllers/admin/domain_blocks_controller.rb

@@ -36,7 +36,7 @@ module Admin
     end
 
     def edit
-      authorize :domain_block, :create?
+      authorize :domain_block, :update?
     end
 
     def create
@@ -129,7 +129,7 @@ module Admin
     end
 
     def requires_confirmation?
-      @domain_block.valid? && (@domain_block.new_record? || @domain_block.severity_changed?) && @domain_block.severity.to_s == 'suspend' && !params[:confirm]
+      @domain_block.valid? && (@domain_block.new_record? || @domain_block.severity_changed?) && @domain_block.suspend? && !params[:confirm]
     end
   end
 end

app/controllers/admin/export_domain_allows_controller.rb

@@ -49,8 +49,8 @@ module Admin
 
     def export_data
       CSV.generate(headers: export_headers, write_headers: true) do |content|
-        DomainAllow.allowed_domains.each do |instance|
-          content << [instance.domain]
+        DomainAllow.allowed_domains.each do |domain|
+          content << [domain]
         end
       end
     end

app/controllers/admin/reports/actions_controller.rb

@@ -13,27 +13,9 @@ class Admin::Reports::ActionsController < Admin::BaseController
 
     case action_from_button
     when 'delete', 'mark_as_sensitive'
-      status_batch_action = Admin::StatusBatchAction.new(
-        type: action_from_button,
-        status_ids: @report.status_ids,
-        current_account: current_account,
-        report_id: @report.id,
-        send_email_notification: !@report.spam?,
-        text: params[:text]
-      )
-
-      status_batch_action.save!
+      Admin::StatusBatchAction.new(status_batch_action_params).save!
     when 'silence', 'suspend'
-      account_action = Admin::AccountAction.new(
-        type: action_from_button,
-        report_id: @report.id,
-        target_account: @report.target_account,
-        current_account: current_account,
-        send_email_notification: !@report.spam?,
-        text: params[:text]
-      )
-
-      account_action.save!
+      Admin::AccountAction.new(account_action_params).save!
     else
       return redirect_to admin_report_path(@report), alert: I18n.t('admin.reports.unknown_action_msg', action: action_from_button)
     end
@@ -43,6 +25,26 @@ class Admin::Reports::ActionsController < Admin::BaseController
 
   private
 
+  def status_batch_action_params
+    shared_params
+      .merge(status_ids: @report.status_ids)
+  end
+
+  def account_action_params
+    shared_params
+      .merge(target_account: @report.target_account)
+  end
+
+  def shared_params
+    {
+      current_account: current_account,
+      report_id: @report.id,
+      send_email_notification: !@report.spam?,
+      text: params[:text],
+      type: action_from_button,
+    }
+  end
+
   def set_report
     @report = Report.find(params[:report_id])
   end

app/controllers/admin/settings_controller.rb

@@ -14,8 +14,7 @@ module Admin
       @admin_settings = Form::AdminSettings.new(settings_params)
 
       if @admin_settings.save
-        flash[:notice] = I18n.t('generic.changes_saved_msg')
-        redirect_to after_update_redirect_path
+        redirect_to after_update_redirect_path, notice: t('generic.changes_saved_msg')
       else
         render :show
       end

app/controllers/admin/tags_controller.rb

@@ -5,6 +5,7 @@ module Admin
     before_action :set_tag, except: [:index]
 
     PER_PAGE = 20
+    PERIOD_DAYS = 6.days
 
     def index
       authorize :tag, :index?
@@ -15,7 +16,7 @@ module Admin
     def show
       authorize @tag, :show?
 
-      @time_period = (6.days.ago.to_date...Time.now.utc.to_date)
+      @time_period = report_range
     end
 
     def update
@@ -24,7 +25,7 @@ module Admin
       if @tag.update(tag_params.merge(reviewed_at: Time.now.utc))
         redirect_to admin_tag_path(@tag.id), notice: I18n.t('admin.tags.updated_msg')
       else
-        @time_period = (6.days.ago.to_date...Time.now.utc.to_date)
+        @time_period = report_range
 
         render :show
       end
@@ -36,6 +37,10 @@ module Admin
       @tag = Tag.find(params[:id])
     end
 
+    def report_range
+      (PERIOD_DAYS.ago.to_date...Time.now.utc.to_date)
+    end
+
     def tag_params
       params
         .expect(tag: [:name, :display_name, :trendable, :usable, :listable])

app/controllers/admin/username_blocks_controller.rb

@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+class Admin::UsernameBlocksController < Admin::BaseController
+  before_action :set_username_block, only: [:edit, :update]
+
+  def index
+    authorize :username_block, :index?
+    @username_blocks = UsernameBlock.order(username: :asc).page(params[:page])
+    @form = Form::UsernameBlockBatch.new
+  end
+
+  def batch
+    authorize :username_block, :index?
+
+    @form = Form::UsernameBlockBatch.new(form_username_block_batch_params.merge(current_account: current_account, action: action_from_button))
+    @form.save
+  rescue ActionController::ParameterMissing
+    flash[:alert] = I18n.t('admin.username_blocks.no_username_block_selected')
+  rescue Mastodon::NotPermittedError
+    flash[:alert] = I18n.t('admin.username_blocks.not_permitted')
+  ensure
+    redirect_to admin_username_blocks_path
+  end
+
+  def new
+    authorize :username_block, :create?
+    @username_block = UsernameBlock.new(exact: true)
+  end
+
+  def edit
+    authorize @username_block, :update?
+  end
+
+  def create
+    authorize :username_block, :create?
+
+    @username_block = UsernameBlock.new(resource_params)
+
+    if @username_block.save
+      log_action :create, @username_block
+      redirect_to admin_username_blocks_path, notice: I18n.t('admin.username_blocks.created_msg')
+    else
+      render :new
+    end
+  end
+
+  def update
+    authorize @username_block, :update?
+
+    if @username_block.update(resource_params)
+      log_action :update, @username_block
+      redirect_to admin_username_blocks_path, notice: I18n.t('admin.username_blocks.updated_msg')
+    else
+      render :new
+    end
+  end
+
+  private
+
+  def set_username_block
+    @username_block = UsernameBlock.find(params[:id])
+  end
+
+  def form_username_block_batch_params
+    params
+      .expect(form_username_block_batch: [username_block_ids: []])
+  end
+
+  def resource_params
+    params
+      .expect(username_block: [:username, :comparison, :allow_with_approval])
+  end
+
+  def action_from_button
+    'delete' if params[:delete]
+  end
+end

app/controllers/api/v1/accounts/credentials_controller.rb

@@ -48,6 +48,7 @@ class Api::V1::Accounts::CredentialsController < Api::BaseController
         default_privacy: source_params.fetch(:privacy, @account.user.setting_default_privacy),
         default_sensitive: source_params.fetch(:sensitive, @account.user.setting_default_sensitive),
         default_language: source_params.fetch(:language, @account.user.setting_default_language),
+        default_quote_policy: source_params.fetch(:quote_policy, @account.user.setting_default_quote_policy),
       },
     }
   end

app/controllers/api/v1/admin/tags_controller.rb

@@ -2,6 +2,7 @@
 
 class Api::V1::Admin::TagsController < Api::BaseController
   include Authorization
+
   before_action -> { authorize_if_got_token! :'admin:read' }, only: [:index, :show]
   before_action -> { authorize_if_got_token! :'admin:write' }, only: :update
 

app/controllers/api/v1/invites_controller.rb

@@ -7,6 +7,7 @@ class Api::V1::InvitesController < Api::BaseController
   skip_around_action :set_locale
 
   before_action :set_invite
+  before_action :check_valid_usage!
   before_action :check_enabled_registrations!
 
   # Override `current_user` to avoid reading session cookies
@@ -22,9 +23,11 @@ class Api::V1::InvitesController < Api::BaseController
     @invite = Invite.find_by!(code: params[:invite_code])
   end
 
-  def check_enabled_registrations!
-    return render json: { error: I18n.t('invites.invalid') }, status: 401 unless @invite.valid_for_use?
+  def check_valid_usage!
+    render json: { error: I18n.t('invites.invalid') }, status: 401 unless @invite.valid_for_use?
+  end
 
+  def check_enabled_registrations!
     raise Mastodon::NotPermittedError unless allowed_registration?(request.remote_ip, @invite)
   end
 end

app/controllers/api/v1/polls/votes_controller.rb

@@ -17,7 +17,7 @@ class Api::V1::Polls::VotesController < Api::BaseController
   def set_poll
     @poll = Poll.find(params[:poll_id])
     authorize @poll.status, :show?
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     not_found
   end
 

app/controllers/api/v1/polls_controller.rb

@@ -17,7 +17,7 @@ class Api::V1::PollsController < Api::BaseController
   def set_poll
     @poll = Poll.find(params[:id])
     authorize @poll.status, :show?
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     not_found
   end
 

app/controllers/api/v1/push/subscriptions_controller.rb

@@ -16,16 +16,7 @@ class Api::V1::Push::SubscriptionsController < Api::BaseController
   def create
     with_redis_lock("push_subscription:#{current_user.id}") do
       destroy_web_push_subscriptions!
-
-      @push_subscription = Web::PushSubscription.create!(
-        endpoint: subscription_params[:endpoint],
-        key_p256dh: subscription_params[:keys][:p256dh],
-        key_auth: subscription_params[:keys][:auth],
-        standard: subscription_params[:standard] || false,
-        data: data_params,
-        user_id: current_user.id,
-        access_token_id: doorkeeper_token.id
-      )
+      @push_subscription = Web::PushSubscription.create!(web_push_subscription_params)
     end
 
     render json: @push_subscription, serializer: REST::WebPushSubscriptionSerializer
@@ -55,6 +46,18 @@ class Api::V1::Push::SubscriptionsController < Api::BaseController
     not_found if @push_subscription.nil?
   end
 
+  def web_push_subscription_params
+    {
+      access_token_id: doorkeeper_token.id,
+      data: data_params,
+      endpoint: subscription_params[:endpoint],
+      key_auth: subscription_params[:keys][:auth],
+      key_p256dh: subscription_params[:keys][:p256dh],
+      standard: subscription_params[:standard] || false,
+      user_id: current_user.id,
+    }
+  end
+
   def subscription_params
     params.expect(subscription: [:endpoint, :standard, keys: [:auth, :p256dh]])
   end

app/controllers/api/v1/statuses/base_controller.rb

@@ -10,7 +10,7 @@ class Api::V1::Statuses::BaseController < Api::BaseController
   def set_status
     @status = Status.find(params[:status_id])
     authorize @status, :show?
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     not_found
   end
 end

app/controllers/api/v1/statuses/bookmarks_controller.rb

@@ -23,7 +23,7 @@ class Api::V1::Statuses::BookmarksController < Api::V1::Statuses::BaseController
     bookmark&.destroy!
 
     render json: @status, serializer: REST::StatusSerializer, relationships: StatusRelationshipsPresenter.new([@status], current_account.id, bookmarks_map: { @status.id => false })
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     not_found
   end
 end

app/controllers/api/v1/statuses/favourites_controller.rb

@@ -25,7 +25,7 @@ class Api::V1::Statuses::FavouritesController < Api::V1::Statuses::BaseControlle
 
     relationships = StatusRelationshipsPresenter.new([@status], current_account.id, favourites_map: { @status.id => false }, attributes_map: { @status.id => { favourites_count: count } })
     render json: @status, serializer: REST::StatusSerializer, relationships: relationships
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     not_found
   end
 end

app/controllers/api/v1/statuses/interaction_policies_controller.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+class Api::V1::Statuses::InteractionPoliciesController < Api::V1::Statuses::BaseController
+  include Api::InteractionPoliciesConcern
+
+  before_action -> { doorkeeper_authorize! :write, :'write:statuses' }
+
+  def update
+    authorize @status, :update?
+
+    @status.update!(quote_approval_policy: quote_approval_policy)
+
+    broadcast_updates! if @status.quote_approval_policy_previously_changed?
+
+    render json: @status, serializer: REST::StatusSerializer
+  end
+
+  private
+
+  def status_params
+    params.permit(:quote_approval_policy)
+  end
+
+  def broadcast_updates!
+    DistributionWorker.perform_async(@status.id, { 'update' => true, 'skip_notifications' => true })
+    ActivityPub::StatusUpdateDistributionWorker.perform_async(@status.id, { 'updated_at' => Time.now.utc.iso8601 })
+  end
+end

app/controllers/api/v1/statuses/quotes_controller.rb

@@ -0,0 +1,74 @@
+# frozen_string_literal: true
+
+class Api::V1::Statuses::QuotesController < Api::V1::Statuses::BaseController
+  before_action -> { doorkeeper_authorize! :read, :'read:statuses' }, only: :index
+  before_action -> { doorkeeper_authorize! :write, :'write:statuses' }, only: :revoke
+
+  before_action :set_statuses, only: :index
+
+  before_action :set_quote, only: :revoke
+  after_action :insert_pagination_headers, only: :index
+
+  def index
+    cache_if_unauthenticated!
+    render json: @statuses, each_serializer: REST::StatusSerializer
+  end
+
+  def revoke
+    authorize @quote, :revoke?
+
+    RevokeQuoteService.new.call(@quote)
+
+    render json: @quote.status, serializer: REST::StatusSerializer
+  end
+
+  private
+
+  def set_quote
+    @quote = @status.quotes.find_by!(status_id: params[:id])
+  end
+
+  def set_statuses
+    scope = default_statuses
+    scope = scope.not_excluded_by_account(current_account) unless current_account.nil?
+    @statuses = scope.merge(paginated_quotes).to_a
+
+    # Store next page info before filtering
+    @records_continue = @statuses.size == limit_param(DEFAULT_STATUSES_LIMIT)
+    @pagination_since_id = @statuses.first.quote.id unless @statuses.empty?
+    @pagination_max_id = @statuses.last.quote.id if @records_continue
+
+    if current_account&.id != @status.account_id
+      domains = @statuses.filter_map(&:account_domain).uniq
+      account_ids = @statuses.map(&:account_id).uniq
+      relations = current_account&.relations_map(account_ids, domains) || {}
+      @statuses.reject! { |status| StatusFilter.new(status, current_account, relations).filtered? }
+    end
+  end
+
+  def default_statuses
+    Status.includes(:quote).references(:quote)
+  end
+
+  def paginated_quotes
+    @status.quotes.accepted.paginate_by_max_id(
+      limit_param(DEFAULT_STATUSES_LIMIT),
+      params[:max_id],
+      params[:since_id]
+    )
+  end
+
+  def next_path
+    api_v1_status_quotes_url pagination_params(max_id: pagination_max_id) if records_continue?
+  end
+
+  def prev_path
+    api_v1_status_quotes_url pagination_params(since_id: pagination_since_id) unless @statuses.empty?
+  end
+
+  attr_reader :pagination_max_id, :pagination_since_id
+
+  def records_continue?
+    @records_continue
+  end
+end

app/controllers/api/v1/statuses/reblogs_controller.rb

@@ -36,7 +36,7 @@ class Api::V1::Statuses::ReblogsController < Api::V1::Statuses::BaseController
 
     relationships = StatusRelationshipsPresenter.new([@status], current_account.id, reblogs_map: { @reblog.id => false }, attributes_map: { @reblog.id => { reblogs_count: count } })
     render json: @reblog, serializer: REST::StatusSerializer, relationships: relationships
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     not_found
   end
 
@@ -45,7 +45,7 @@ class Api::V1::Statuses::ReblogsController < Api::V1::Statuses::BaseController
   def set_reblog
     @reblog = Status.find(params[:status_id])
     authorize @reblog, :show?
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     not_found
   end
 

app/controllers/api/v1/statuses_controller.rb

@@ -2,6 +2,8 @@
 
 class Api::V1::StatusesController < Api::BaseController
   include Authorization
+  include AsyncRefreshesConcern
+  include Api::InteractionPoliciesConcern
 
   before_action -> { authorize_if_got_token! :read, :'read:statuses' }, except: [:create, :update, :destroy]
   before_action -> { doorkeeper_authorize! :write, :'write:statuses' }, only:   [:create, :update, :destroy]
@@ -9,6 +11,7 @@ class Api::V1::StatusesController < Api::BaseController
   before_action :set_statuses, only:         [:index]
   before_action :set_status, only:           [:show, :context]
   before_action :set_thread, only:           [:create]
+  before_action :set_quoted_status, only:    [:create]
   before_action :check_statuses_limit, only: [:index]
 
   override_rate_limit_headers :create, family: :statuses
@@ -57,9 +60,21 @@ class Api::V1::StatusesController < Api::BaseController
     @context = Context.new(ancestors: loaded_ancestors, descendants: loaded_descendants)
     statuses = [@status] + @context.ancestors + @context.descendants
 
-    render json: @context, serializer: REST::ContextSerializer, relationships: StatusRelationshipsPresenter.new(statuses, current_user&.account_id)
+    refresh_key = "context:#{@status.id}:refresh"
+    async_refresh = AsyncRefresh.new(refresh_key)
 
-    ActivityPub::FetchAllRepliesWorker.perform_async(@status.id) if !current_account.nil? && @status.should_fetch_replies?
+    if async_refresh.running?
+      add_async_refresh_header(async_refresh)
+    elsif !current_account.nil? && @status.should_fetch_replies?
+      add_async_refresh_header(AsyncRefresh.create(refresh_key, count_results: true))
+
+      WorkerBatch.new.within do |batch|
+        batch.connect(refresh_key, threshold: 1.0)
+        ActivityPub::FetchAllRepliesWorker.perform_async(@status.id, { 'batch_id' => batch.id })
+      end
+    end
+
+    render json: @context, serializer: REST::ContextSerializer, relationships: StatusRelationshipsPresenter.new(statuses, current_user&.account_id)
   end
 
   def create
@@ -67,6 +82,8 @@ class Api::V1::StatusesController < Api::BaseController
       current_user.account,
       text: status_params[:status],
       thread: @thread,
+      quoted_status: @quoted_status,
+      quote_approval_policy: quote_approval_policy,
       media_ids: status_params[:media_ids],
       sensitive: status_params[:sensitive],
       spoiler_text: status_params[:spoiler_text],
@@ -98,7 +115,8 @@ class Api::V1::StatusesController < Api::BaseController
       sensitive: status_params[:sensitive],
       language: status_params[:language],
       spoiler_text: status_params[:spoiler_text],
-      poll: status_params[:poll]
+      poll: status_params[:poll],
+      quote_approval_policy: quote_approval_policy
     )
 
     render json: @status, serializer: REST::StatusSerializer
@@ -127,7 +145,7 @@ class Api::V1::StatusesController < Api::BaseController
   def set_status
     @status = Status.find(params[:id])
     authorize @status, :show?
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     not_found
   end
 
@@ -138,6 +156,14 @@ class Api::V1::StatusesController < Api::BaseController
     render json: { error: I18n.t('statuses.errors.in_reply_not_found') }, status: 404
   end
 
+  def set_quoted_status
+    @quoted_status = Status.find(status_params[:quoted_status_id])&.proper if status_params[:quoted_status_id].present?
+    authorize(@quoted_status, :quote?) if @quoted_status.present?
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
+    # TODO: distinguish between non-existing and non-quotable posts
+    render json: { error: I18n.t('statuses.errors.quoted_status_not_found') }, status: 404
+  end
+
   def check_statuses_limit
     raise(Mastodon::ValidationError) if status_ids.size > DEFAULT_STATUSES_LIMIT
   end
@@ -154,6 +180,8 @@ class Api::V1::StatusesController < Api::BaseController
     params.permit(
       :status,
       :in_reply_to_id,
+      :quoted_status_id,
+      :quote_approval_policy,
       :sensitive,
       :spoiler_text,
       :visibility,

app/controllers/api/v1/timelines/base_controller.rb

@@ -3,14 +3,8 @@
 class Api::V1::Timelines::BaseController < Api::BaseController
   after_action :insert_pagination_headers, unless: -> { @statuses.empty? }
 
-  before_action :require_user!, if: :require_auth?
-
   private
 
-  def require_auth?
-    !Setting.timeline_preview
-  end
-
   def pagination_collection
     @statuses
   end

app/controllers/api/v1/timelines/home_controller.rb

@@ -3,8 +3,8 @@
 class Api::V1::Timelines::HomeController < Api::V1::Timelines::BaseController
   include AsyncRefreshesConcern
 
-  before_action -> { doorkeeper_authorize! :read, :'read:statuses' }, only: [:show]
-  before_action :require_user!, only: [:show]
+  before_action -> { doorkeeper_authorize! :read, :'read:statuses' }
+  before_action :require_user!
 
   PERMITTED_PARAMS = %i(local limit).freeze
 

app/controllers/api/v1/timelines/link_controller.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-class Api::V1::Timelines::LinkController < Api::V1::Timelines::BaseController
+class Api::V1::Timelines::LinkController < Api::V1::Timelines::TopicController
   before_action -> { authorize_if_got_token! :read, :'read:statuses' }
   before_action :set_preview_card
   before_action :set_statuses

app/controllers/api/v1/timelines/public_controller.rb

@@ -2,6 +2,7 @@
 
 class Api::V1::Timelines::PublicController < Api::V1::Timelines::BaseController
   before_action -> { authorize_if_got_token! :read, :'read:statuses' }
+  before_action :require_user!, if: :require_auth?
 
   PERMITTED_PARAMS = %i(local remote limit only_media).freeze
 
@@ -13,6 +14,16 @@ class Api::V1::Timelines::PublicController < Api::V1::Timelines::BaseController
 
   private
 
+  def require_auth?
+    if truthy_param?(:local)
+      Setting.local_live_feed_access != 'public'
+    elsif truthy_param?(:remote)
+      Setting.remote_live_feed_access != 'public'
+    else
+      Setting.local_live_feed_access != 'public' || Setting.remote_live_feed_access != 'public'
+    end
+  end
+
   def load_statuses
     preloaded_public_statuses_page
   end

app/controllers/api/v1/timelines/tag_controller.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-class Api::V1::Timelines::TagController < Api::V1::Timelines::BaseController
+class Api::V1::Timelines::TagController < Api::V1::Timelines::TopicController
   before_action -> { authorize_if_got_token! :read, :'read:statuses' }
   before_action :load_tag
 
@@ -14,10 +14,6 @@ class Api::V1::Timelines::TagController < Api::V1::Timelines::BaseController
 
   private
 
-  def require_auth?
-    !Setting.timeline_preview
-  end
-
   def load_tag
     @tag = Tag.find_normalized(params[:id])
   end

app/controllers/api/v1/timelines/topic_controller.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+class Api::V1::Timelines::TopicController < Api::V1::Timelines::BaseController
+  before_action :require_user!, if: :require_auth?
+
+  private
+
+  def require_auth?
+    if truthy_param?(:local)
+      Setting.local_topic_feed_access != 'public'
+    elsif truthy_param?(:remote)
+      Setting.remote_topic_feed_access != 'public'
+    else
+      Setting.local_topic_feed_access != 'public' || Setting.remote_topic_feed_access != 'public'
+    end
+  end
+end

app/controllers/api/v2/search_controller.rb

@@ -20,7 +20,7 @@ class Api::V2::SearchController < Api::BaseController
     @search = Search.new(search_results)
     render json: @search, serializer: REST::SearchSerializer
   rescue Mastodon::SyntaxError
-    unprocessable_entity
+    unprocessable_content
   rescue ActiveRecord::RecordNotFound
     not_found
   end

app/controllers/api/web/embeds_controller.rb

@@ -30,7 +30,7 @@ class Api::Web::EmbedsController < Api::Web::BaseController
   def set_status
     @status = Status.find(params[:id])
     authorize @status, :show?
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     not_found
   end
 end

app/controllers/api/web/push_subscriptions_controller.rb

@@ -49,7 +49,7 @@ class Api::Web::PushSubscriptionsController < Api::Web::BaseController
     {
       policy: 'all',
       alerts: Notification::TYPES.index_with { alerts_enabled },
-    }
+    }.deep_stringify_keys
   end
 
   def alerts_enabled

app/controllers/application_controller.rb

@@ -28,7 +28,7 @@ class ApplicationController < ActionController::Base
   rescue_from Mastodon::NotPermittedError, with: :forbidden
   rescue_from ActionController::RoutingError, ActiveRecord::RecordNotFound, with: :not_found
   rescue_from ActionController::UnknownFormat, with: :not_acceptable
-  rescue_from ActionController::InvalidAuthenticityToken, with: :unprocessable_entity
+  rescue_from ActionController::InvalidAuthenticityToken, with: :unprocessable_content
   rescue_from Mastodon::RateLimitExceededError, with: :too_many_requests
 
   rescue_from(*Mastodon::HTTP_CONNECTION_ERRORS, with: :internal_server_error)
@@ -123,7 +123,7 @@ class ApplicationController < ActionController::Base
     respond_with_error(410)
   end
 
-  def unprocessable_entity
+  def unprocessable_content
     respond_with_error(422)
   end
 

app/controllers/auth/omniauth_callbacks_controller.rb

@@ -38,8 +38,7 @@ class Auth::OmniauthCallbacksController < Devise::OmniauthCallbacksController
   private
 
   def record_login_activity
-    LoginActivity.create(
-      user: @user,
+    @user.login_activities.create(
       success: true,
       authentication_method: :omniauth,
       provider: @provider,

app/controllers/auth/passwords_controller.rb

@@ -19,8 +19,7 @@ class Auth::PasswordsController < Devise::PasswordsController
   private
 
   def redirect_invalid_reset_token
-    flash[:error] = I18n.t('auth.invalid_reset_password_token')
-    redirect_to new_password_path(resource_name)
+    redirect_to new_password_path(resource_name), flash: { error: t('auth.invalid_reset_password_token') }
   end
 
   def reset_password_token_is_valid?

app/controllers/auth/registrations_controller.rb

@@ -23,11 +23,11 @@ class Auth::RegistrationsController < Devise::RegistrationsController
     super(&:build_invite_request)
   end
 
-  def edit # rubocop:disable Lint/UselessMethodDefinition
+  def edit
     super
   end
 
-  def create # rubocop:disable Lint/UselessMethodDefinition
+  def create
     super
   end
 
@@ -89,7 +89,7 @@ class Auth::RegistrationsController < Devise::RegistrationsController
   end
 
   def check_enabled_registrations
-    redirect_to root_path unless allowed_registration?(request.remote_ip, @invite)
+    redirect_to new_user_session_path, alert: I18n.t('devise.failure.closed_registrations', email: Setting.site_contact_email) unless allowed_registration?(request.remote_ip, @invite)
   end
 
   def invite_code

app/controllers/auth/sessions_controller.rb

@@ -12,6 +12,8 @@ class Auth::SessionsController < Devise::SessionsController
   skip_before_action :require_functional!
   skip_before_action :update_user_sign_in
 
+  around_action :preserve_stored_location, only: :destroy, if: :continue_after?
+
   prepend_before_action :check_suspicious!, only: [:create]
 
   include Auth::TwoFactorAuthenticationConcern
@@ -31,11 +33,9 @@ class Auth::SessionsController < Devise::SessionsController
   end
 
   def destroy
-    tmp_stored_location = stored_location_for(:user)
     super
     session.delete(:challenge_passed_at)
     flash.delete(:notice)
-    store_location_for(:user, tmp_stored_location) if continue_after?
   end
 
   def webauthn_options
@@ -96,6 +96,12 @@ class Auth::SessionsController < Devise::SessionsController
 
   private
 
+  def preserve_stored_location
+    original_stored_location = stored_location_for(:user)
+    yield
+    store_location_for(:user, original_stored_location)
+  end
+
   def check_suspicious!
     user = find_user
     @login_is_suspicious = suspicious_sign_in?(user) unless user.nil?
@@ -151,12 +157,11 @@ class Auth::SessionsController < Devise::SessionsController
     sign_in(user)
     flash.delete(:notice)
 
-    LoginActivity.create(
-      user: user,
-      success: true,
-      authentication_method: security_measure,
-      ip: request.remote_ip,
-      user_agent: request.user_agent
+    user.login_activities.create(
+      request_details.merge(
+        authentication_method: security_measure,
+        success: true
+      )
     )
 
     UserMailer.suspicious_sign_in(user, request.remote_ip, request.user_agent, Time.now.utc).deliver_later! if @login_is_suspicious
@@ -167,13 +172,12 @@ class Auth::SessionsController < Devise::SessionsController
   end
 
   def on_authentication_failure(user, security_measure, failure_reason)
-    LoginActivity.create(
-      user: user,
-      success: false,
-      authentication_method: security_measure,
-      failure_reason: failure_reason,
-      ip: request.remote_ip,
-      user_agent: request.user_agent
+    user.login_activities.create(
+      request_details.merge(
+        authentication_method: security_measure,
+        failure_reason: failure_reason,
+        success: false
+      )
     )
 
     # Only send a notification email every hour at most
@@ -182,6 +186,13 @@ class Auth::SessionsController < Devise::SessionsController
     UserMailer.failed_2fa(user, request.remote_ip, request.user_agent, Time.now.utc).deliver_later!
   end
 
+  def request_details
+    {
+      ip: request.remote_ip,
+      user_agent: request.user_agent,
+    }
+  end
+
   def second_factor_attempts_key(user)
     "2fa_auth_attempts:#{user.id}:#{Time.now.utc.hour}"
   end

app/controllers/authorize_interactions_controller.rb

@@ -21,7 +21,7 @@ class AuthorizeInteractionsController < ApplicationController
   def set_resource
     @resource = located_resource
     authorize(@resource, :show?) if @resource.is_a?(Status)
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     not_found
   end
 

app/controllers/concerns/account_owned_concern.rb

@@ -18,7 +18,11 @@ module AccountOwnedConcern
   end
 
   def set_account
-    @account = Account.find_local!(username_param)
+    @account = username_param.present? ? Account.find_local!(username_param) : Account.local.find(account_id_param)
+  end
+
+  def account_id_param
+    params[:account_id]
   end
 
   def username_param

app/controllers/concerns/api/interaction_policies_concern.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Api::InteractionPoliciesConcern
+  extend ActiveSupport::Concern
+
+  def quote_approval_policy
+    case status_params[:quote_approval_policy].presence || current_user.setting_default_quote_policy
+    when 'public'
+      Status::QUOTE_APPROVAL_POLICY_FLAGS[:public] << 16
+    when 'followers'
+      Status::QUOTE_APPROVAL_POLICY_FLAGS[:followers] << 16
+    when 'nobody'
+      0
+    else
+      # TODO: raise more useful message
+      raise ActiveRecord::RecordInvalid
+    end
+  end
+end

app/controllers/concerns/async_refreshes_concern.rb

@@ -6,6 +6,9 @@ module AsyncRefreshesConcern
   def add_async_refresh_header(async_refresh, retry_seconds: 3)
     return unless async_refresh.running?
 
-    response.headers['Mastodon-Async-Refresh'] = "id=\"#{async_refresh.id}\", retry=#{retry_seconds}"
+    value = "id=\"#{async_refresh.id}\", retry=#{retry_seconds}"
+    value += ", result_count=#{async_refresh.result_count}" unless async_refresh.result_count.nil?
+
+    response.headers['Mastodon-Async-Refresh'] = value
   end
 end

app/controllers/concerns/auth/captcha_concern.rb

@@ -5,6 +5,18 @@ module Auth::CaptchaConcern
 
   include Hcaptcha::Adapters::ViewMethods
 
+  CAPTCHA_DIRECTIVES = %w(
+    connect_src
+    frame_src
+    script_src
+    style_src
+  ).freeze
+
+  CAPTCHA_SOURCES = %w(
+    https://*.hcaptcha.com
+    https://hcaptcha.com
+  ).freeze
+
   included do
     helper_method :render_captcha
   end
@@ -42,20 +54,9 @@ module Auth::CaptchaConcern
   end
 
   def extend_csp_for_captcha!
-    policy = request.content_security_policy&.clone
+    return unless captcha_required? && request.content_security_policy.present?
 
-    return unless captcha_required? && policy.present?
-
-    %w(script_src frame_src style_src connect_src).each do |directive|
-      values = policy.send(directive)
-
-      values << 'https://hcaptcha.com' unless values.include?('https://hcaptcha.com') || values.include?('https:')
-      values << 'https://*.hcaptcha.com' unless values.include?('https://*.hcaptcha.com') || values.include?('https:')
-
-      policy.send(directive, *values)
-    end
-
-    request.content_security_policy = policy
+    request.content_security_policy = captcha_adjusted_policy
   end
 
   def render_captcha
@@ -63,4 +64,24 @@ module Auth::CaptchaConcern
 
     hcaptcha_tags
   end
+
+  private
+
+  def captcha_adjusted_policy
+    request.content_security_policy.clone.tap do |policy|
+      populate_captcha_policy(policy)
+    end
+  end
+
+  def populate_captcha_policy(policy)
+    CAPTCHA_DIRECTIVES.each do |directive|
+      values = policy.send(directive)
+
+      CAPTCHA_SOURCES.each do |source|
+        values << source unless values.include?(source) || values.include?('https:')
+      end
+
+      policy.send(directive, *values)
+    end
+  end
 end

app/controllers/concerns/signature_verification.rb

@@ -9,6 +9,8 @@ module SignatureVerification
 
   EXPIRATION_WINDOW_LIMIT = 12.hours
   CLOCK_SKEW_MARGIN       = 1.hour
+  STOPLIGHT_COOL_OFF_TIME = 5.minutes.seconds
+  STOPLIGHT_THRESHOLD = 1
 
   def require_account_signature!
     render json: signature_verification_failure_reason, status: signature_verification_failure_code unless signed_request_account
@@ -107,10 +109,12 @@ module SignatureVerification
   end
 
   def stoplight_wrapper
-    Stoplight("source:#{request.remote_ip}")
-      .with_threshold(1)
-      .with_cool_off_time(5.minutes.seconds)
-      .with_error_handler { |error, handle| error.is_a?(HTTP::Error) || error.is_a?(OpenSSL::SSL::SSLError) ? handle.call(error) : raise(error) }
+    Stoplight(
+      "source:#{request.remote_ip}",
+      cool_off_time: STOPLIGHT_COOL_OFF_TIME,
+      threshold: STOPLIGHT_THRESHOLD,
+      tracked_errors: [HTTP::Error, OpenSSL::SSL::SSLError]
+    )
   end
 
   def actor_refresh_key!(actor)

app/controllers/follower_accounts_controller.rb

@@ -60,17 +60,17 @@ class FollowerAccountsController < ApplicationController
   def collection_presenter
     if page_requested?
       ActivityPub::CollectionPresenter.new(
-        id: account_followers_url(@account, page: params.fetch(:page, 1)),
+        id: page_url(params.fetch(:page, 1)),
         type: :ordered,
         size: @account.followers_count,
         items: follows.map { |follow| ActivityPub::TagManager.instance.uri_for(follow.account) },
-        part_of: account_followers_url(@account),
+        part_of: ActivityPub::TagManager.instance.followers_uri_for(@account),
         next: next_page_url,
         prev: prev_page_url
       )
     else
       ActivityPub::CollectionPresenter.new(
-        id: account_followers_url(@account),
+        id: ActivityPub::TagManager.instance.followers_uri_for(@account),
         type: :ordered,
         size: @account.followers_count,
         first: page_url(1)

app/controllers/following_accounts_controller.rb

@@ -49,7 +49,7 @@ class FollowingAccountsController < ApplicationController
   end
 
   def page_url(page)
-    account_following_index_url(@account, page: page) unless page.nil?
+    ActivityPub::TagManager.instance.following_uri_for(@account, page: page) unless page.nil?
   end
 
   def next_page_url
@@ -63,17 +63,17 @@ class FollowingAccountsController < ApplicationController
   def collection_presenter
     if page_requested?
       ActivityPub::CollectionPresenter.new(
-        id: account_following_index_url(@account, page: params.fetch(:page, 1)),
+        id: page_url(params.fetch(:page, 1)),
         type: :ordered,
         size: @account.following_count,
         items: follows.map { |follow| ActivityPub::TagManager.instance.uri_for(follow.target_account) },
-        part_of: account_following_index_url(@account),
+        part_of: ActivityPub::TagManager.instance.following_uri_for(@account),
         next: next_page_url,
         prev: prev_page_url
       )
     else
       ActivityPub::CollectionPresenter.new(
-        id: account_following_index_url(@account),
+        id: ActivityPub::TagManager.instance.following_uri_for(@account),
         type: :ordered,
         size: @account.following_count,
         first: page_url(1)

app/controllers/media_controller.rb

@@ -34,7 +34,7 @@ class MediaController < ApplicationController
 
   def verify_permitted_status!
     authorize @media_attachment.status, :show?
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     not_found
   end
 

app/controllers/settings/login_activities_controller.rb

@@ -5,6 +5,6 @@ class Settings::LoginActivitiesController < Settings::BaseController
   skip_before_action :require_functional!
 
   def index
-    @login_activities = LoginActivity.where(user: current_user).order(id: :desc).page(params[:page])
+    @login_activities = current_user.login_activities.order(id: :desc).page(params[:page])
   end
 end

app/controllers/settings/migration/redirects_controller.rb

@@ -22,7 +22,7 @@ class Settings::Migration::RedirectsController < Settings::BaseController
   end
 
   def destroy
-    if current_account.moved_to_account_id.present?
+    if current_account.moved?
       current_account.update!(moved_to_account: nil)
       ActivityPub::UpdateDistributionWorker.perform_async(current_account.id)
     end

app/controllers/settings/preferences/posting_defaults_controller.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+class Settings::Preferences::PostingDefaultsController < Settings::Preferences::BaseController
+  private
+
+  def after_update_redirect_path
+    settings_preferences_posting_defaults_path
+  end
+
+  def user_params
+    super.tap do |params|
+      params[:settings_attributes][:default_quote_policy] = 'nobody' if params[:settings_attributes][:default_privacy] == 'private'
+    end
+  end
+end

app/controllers/settings/sessions_controller.rb

@@ -8,8 +8,7 @@ class Settings::SessionsController < Settings::BaseController
 
   def destroy
     @session.destroy!
-    flash[:notice] = I18n.t('sessions.revoke_success')
-    redirect_to edit_user_registration_path
+    redirect_to edit_user_registration_path, notice: t('sessions.revoke_success')
   end
 
   private

app/controllers/settings/two_factor_authentication/webauthn_credentials_controller.rb

@@ -52,7 +52,7 @@ module Settings
             end
           else
             flash[:error] = I18n.t('webauthn_credentials.create.error')
-            status = :unprocessable_entity
+            status = :unprocessable_content
           end
         else
           flash[:error] = t('webauthn_credentials.create.error')
@@ -86,13 +86,11 @@ module Settings
       private
 
       def redirect_invalid_otp
-        flash[:error] = t('webauthn_credentials.otp_required')
-        redirect_to settings_two_factor_authentication_methods_path
+        redirect_to settings_two_factor_authentication_methods_path, flash: { error: t('webauthn_credentials.otp_required') }
       end
 
       def redirect_invalid_webauthn
-        flash[:error] = t('webauthn_credentials.not_enabled')
-        redirect_to settings_two_factor_authentication_methods_path
+        redirect_to settings_two_factor_authentication_methods_path, flash: { error: t('webauthn_credentials.not_enabled') }
       end
     end
   end

app/controllers/statuses_controller.rb

@@ -11,6 +11,7 @@ class StatusesController < ApplicationController
   before_action :require_account_signature!, only: [:show, :activity], if: -> { request.format == :json && authorized_fetch_mode? }
   before_action :set_status
   before_action :redirect_to_original, only: :show
+  before_action :verify_embed_allowed, only: :embed
 
   after_action :set_link_headers
 
@@ -40,8 +41,6 @@ class StatusesController < ApplicationController
   end
 
   def embed
-    return not_found if @status.hidden? || @status.reblog?
-
     expires_in 180, public: true
     response.headers.delete('X-Frame-Options')
 
@@ -50,6 +49,10 @@ class StatusesController < ApplicationController
 
   private
 
+  def verify_embed_allowed
+    not_found if @status.hidden? || @status.reblog?
+  end
+
   def set_link_headers
     response.headers['Link'] = LinkHeader.new(
       [[ActivityPub::TagManager.instance.uri_for(@status), [%w(rel alternate), %w(type application/activity+json)]]]
@@ -59,7 +62,7 @@ class StatusesController < ApplicationController
   def set_status
     @status = @account.statuses.find(params[:id])
     authorize @status, :show?
-  rescue Mastodon::NotPermittedError
+  rescue ActiveRecord::RecordNotFound, Mastodon::NotPermittedError
     not_found
   end
 

app/helpers/admin/action_logs_helper.rb

@@ -13,6 +13,8 @@ module Admin::ActionLogsHelper
       end
     when 'UserRole'
       link_to log.human_identifier, admin_roles_path(log.target_id)
+    when 'UsernameBlock'
+      link_to log.human_identifier, edit_admin_username_block_path(log.target_id)
     when 'Report'
       link_to "##{log.human_identifier.presence || log.target_id}", admin_report_path(log.target_id)
     when 'Instance', 'DomainBlock', 'DomainAllow', 'UnavailableDomain'

app/helpers/application_helper.rb

@@ -113,6 +113,7 @@ module ApplicationHelper
   end
 
   def material_symbol(icon, attributes = {})
+    whitespace = attributes.delete(:whitespace) { true }
     safe_join(
       [
         inline_svg_tag(
@@ -121,7 +122,7 @@ module ApplicationHelper
           role: :img,
           data: attributes[:data]
         ),
-        ' ',
+        whitespace ? ' ' : '',
       ]
     )
   end
@@ -243,6 +244,10 @@ module ApplicationHelper
     tag.input(type: :text, maxlength: 999, spellcheck: false, readonly: true, **options)
   end
 
+  def recent_tag_users(tag)
+    tag.statuses.public_visibility.joins(:account).merge(Account.without_suspended.without_silenced).includes(:account).limit(3).map(&:account)
+  end
+
   def recent_tag_usage(tag)
     people = tag.history.aggregate(2.days.ago.to_date..Time.zone.today).accounts
     I18n.t 'user_mailer.welcome.hashtags_recent_count', people: number_with_delimiter(people), count: people
@@ -256,6 +261,10 @@ module ApplicationHelper
     'https://play.google.com/store/apps/details?id=org.joinmastodon.android'
   end
 
+  def within_authorization_flow?
+    session[:user_return_to].present? && Rails.application.routes.recognize_path(session[:user_return_to])[:controller] == 'oauth/authorizations'
+  end
+
   private
 
   def storage_host_var

app/helpers/context_helper.rb

@@ -39,6 +39,12 @@ module ContextHelper
       'automaticApproval' => { '@id' => 'gts:automaticApproval', '@type' => '@id' },
       'manualApproval' => { '@id' => 'gts:manualApproval', '@type' => '@id' },
     },
+    quote_authorizations: {
+      'gts' => 'https://gotosocial.org/ns#',
+      'quoteAuthorization' => { '@id' => 'https://w3id.org/fep/044f#quoteAuthorization', '@type' => '@id' },
+      'interactingObject' => { '@id' => 'gts:interactingObject' },
+      'interactionTarget' => { '@id' => 'gts:interactionTarget' },
+    },
   }.freeze
 
   def full_context

app/helpers/email_helper.rb

@@ -1,18 +0,0 @@
-# frozen_string_literal: true
-
-module EmailHelper
-  def self.included(base)
-    base.extend(self)
-  end
-
-  def email_to_canonical_email(str)
-    username, domain = str.downcase.split('@', 2)
-    username, = username.delete('.').split('+', 2)
-
-    "#{username}@#{domain}"
-  end
-
-  def email_to_canonical_email_hash(str)
-    Digest::SHA2.new(256).hexdigest(email_to_canonical_email(str))
-  end
-end

app/helpers/formatting_helper.rb

@@ -27,7 +27,9 @@ module FormattingHelper
   module_function :extract_status_plain_text
 
   def status_content_format(status)
-    html_aware_format(status.text, status.local?, preloaded_accounts: [status.account] + (status.respond_to?(:active_mentions) ? status.active_mentions.map(&:account) : []))
+    quoted_status = status.quote&.quoted_status if status.local?
+
+    html_aware_format(status.text, status.local?, preloaded_accounts: [status.account] + (status.respond_to?(:active_mentions) ? status.active_mentions.map(&:account) : []), quoted_status: quoted_status)
   end
 
   def rss_status_content_format(status)
@@ -65,12 +67,12 @@ module FormattingHelper
   end
 
   def rss_content_preroll(status)
-    if status.spoiler_text?
-      safe_join [
-        tag.p { spoiler_with_warning(status) },
-        tag.hr,
-      ]
-    end
+    return unless status.spoiler_text?
+
+    safe_join [
+      tag.p { spoiler_with_warning(status) },
+      tag.hr,
+    ]
   end
 
   def spoiler_with_warning(status)
@@ -81,10 +83,10 @@ module FormattingHelper
   end
 
   def rss_content_postroll(status)
-    if status.preloadable_poll
-      tag.p do
-        poll_option_tags(status)
-      end
+    return unless status.preloadable_poll
+
+    tag.p do
+      poll_option_tags(status)
     end
   end
 

app/helpers/home_helper.rb

@@ -21,7 +21,13 @@ module HomeHelper
                         end
                     end
                   else
-                    link_to(path || ActivityPub::TagManager.instance.url_for(account), class: 'account__display-name') do
+                    account_url = if account.suspended?
+                                    ActivityPub::TagManager.instance.url_for(account)
+                                  else
+                                    web_url("@#{account.pretty_acct}")
+                                  end
+
+                    link_to(path || account_url, class: 'account__display-name') do
                       content_tag(:div, class: 'account__avatar-wrapper') do
                         image_tag(full_asset_url(current_account&.user&.setting_auto_play_gif ? account.avatar_original_url : account.avatar_static_url), class: 'account__avatar', width: 46, height: 46)
                       end +
@@ -39,18 +45,8 @@ module HomeHelper
     end
   end
 
-  def obscured_counter(count)
-    if count <= 0
-      '0'
-    elsif count == 1
-      '1'
-    else
-      '1+'
-    end
-  end
-
-  def custom_field_classes(field)
-    if field.verified?
+  def field_verified_class(verified)
+    if verified
       'verified'
     else
       'emojify'

app/helpers/json_ld_helper.rb

@@ -134,7 +134,7 @@ module JsonLdHelper
         patch_for_forwarding!(value, compacted_value)
       elsif value.is_a?(Array)
         compacted_value = [compacted_value] unless compacted_value.is_a?(Array)
-        return if value.size != compacted_value.size
+        return nil if value.size != compacted_value.size
 
         compacted[key] = value.zip(compacted_value).map do |v, vc|
           if v.is_a?(Hash) && vc.is_a?(Hash)

app/helpers/languages_helper.rb

@@ -107,6 +107,7 @@ module LanguagesHelper
     mk: ['Macedonian', 'македонски јазик'].freeze,
     ml: ['Malayalam', 'മലയാളം'].freeze,
     mn: ['Mongolian', 'Монгол хэл'].freeze,
+    'mn-Mong': ['Traditional Mongolian', 'ᠮᠣᠩᠭᠣᠯ ᠬᠡᠯᠡ'].freeze,
     mr: ['Marathi', 'मराठी'].freeze,
     ms: ['Malay', 'Bahasa Melayu'].freeze,
     'ms-Arab': ['Jawi Malay', 'بهاس ملايو'].freeze,

app/helpers/statuses_helper.rb

@@ -46,6 +46,14 @@ module StatusesHelper
     status.preloadable_poll.options.map { |o| "[ ] #{o}" }.join("\n")
   end
 
+  def status_classnames(status, is_quote)
+    if is_quote
+      'status--is-quote'
+    elsif status.quote.present?
+      'status--has-quote'
+    end
+  end
+
   def status_description(status)
     components = [[media_summary(status), status_text_summary(status)].compact_blank.join(' · ')]
 
@@ -57,6 +65,20 @@ module StatusesHelper
     components.compact_blank.join("\n\n")
   end
 
+  # This logic should be kept in sync with https://github.com/mastodon/mastodon/blob/425311e1d95c8a64ddac6c724fca247b8b893a82/app/javascript/mastodon/features/status/components/card.jsx#L160
+  def preview_card_aspect_ratio_classname(preview_card)
+    interactive = preview_card.type == 'video'
+    large_image = (preview_card.image.present? && preview_card.width > preview_card.height) || interactive
+
+    if large_image && interactive
+      'status-card__image--video'
+    elsif large_image
+      'status-card__image--large'
+    else
+      'status-card__image--normal'
+    end
+  end
+
   def visibility_icon(status)
     VISIBLITY_ICONS[status.visibility.to_sym]
   end
@@ -64,4 +86,16 @@ module StatusesHelper
   def prefers_autoplay?
     ActiveModel::Type::Boolean.new.cast(params[:autoplay]) || current_user&.setting_auto_play_gif
   end
+
+  def render_seo_schema(status)
+    json = ActiveModelSerializers::SerializableResource.new(
+      status,
+      serializer: SEO::SocialMediaPostingSerializer,
+      adapter: SEO::Adapter
+    ).to_json
+
+    # rubocop:disable Rails/OutputSafety
+    content_tag(:script, json_escape(json).html_safe, type: 'application/ld+json')
+    # rubocop:enable Rails/OutputSafety
+  end
 end

app/helpers/theme_helper.rb

@@ -24,24 +24,24 @@ module ThemeHelper
   end
 
   def custom_stylesheet
-    if active_custom_stylesheet.present?
-      stylesheet_link_tag(
-        custom_css_path(active_custom_stylesheet),
-        host: root_url,
-        media: :all,
-        skip_pipeline: true
-      )
-    end
+    return if active_custom_stylesheet.blank?
+
+    stylesheet_link_tag(
+      custom_css_path(active_custom_stylesheet),
+      host: root_url,
+      media: :all,
+      skip_pipeline: true
+    )
   end
 
   private
 
   def active_custom_stylesheet
-    if cached_custom_css_digest.present?
-      [:custom, cached_custom_css_digest.to_s.first(8)]
-        .compact_blank
-        .join('-')
-    end
+    return if cached_custom_css_digest.blank?
+
+    [:custom, cached_custom_css_digest.to_s.first(8)]
+      .compact_blank
+      .join('-')
   end
 
   def cached_custom_css_digest

app/javascript/config/html-tags.json

@@ -0,0 +1,61 @@
+{
+  "global": {
+    "class": "className",
+    "id": true,
+    "title": true,
+    "dir": true,
+    "lang": true
+  },
+  "tags": {
+    "p": {},
+    "br": {
+      "children": false
+    },
+    "span": {
+      "attributes": {
+        "translate": true
+      }
+    },
+    "a": {
+      "attributes": {
+        "href": true,
+        "rel": true,
+        "translate": true,
+        "target": true
+      }
+    },
+    "del": {},
+    "s": {},
+    "pre": {},
+    "blockquote": {},
+    "code": {},
+    "b": {},
+    "strong": {},
+    "u": {},
+    "i": {},
+    "img": {
+      "children": false,
+      "attributes": {
+        "src": true,
+        "alt": true,
+        "title": true
+      }
+    },
+    "em": {},
+    "ul": {},
+    "ol": {
+      "attributes": {
+        "start": true,
+        "reversed": true
+      }
+    },
+    "li": {
+      "attributes": {
+        "value": true
+      }
+    },
+    "ruby": {},
+    "rt": {},
+    "rp": {}
+  }
+}

app/javascript/entrypoints/admin.tsx

@@ -1,6 +1,7 @@
 import { createRoot } from 'react-dom/client';
 
 import Rails from '@rails/ujs';
+import { decode, ValidationError } from 'blurhash';
 
 import ready from '../mastodon/ready';
 
@@ -362,6 +363,46 @@ ready(() => {
   document.querySelectorAll('[data-admin-component]').forEach((element) => {
     void mountReactComponent(element);
   });
+
+  document
+    .querySelectorAll<HTMLCanvasElement>('canvas[data-blurhash]')
+    .forEach((canvas) => {
+      const blurhash = canvas.dataset.blurhash;
+      if (blurhash) {
+        try {
+          // decode returns a Uint8ClampedArray<ArrayBufferLike> not Uint8ClampedArray<ArrayBuffer>
+          const pixels = decode(
+            blurhash,
+            32,
+            32,
+          ) as Uint8ClampedArray<ArrayBuffer>;
+          const ctx = canvas.getContext('2d');
+          const imageData = new ImageData(pixels, 32, 32);
+
+          ctx?.putImageData(imageData, 0, 0);
+        } catch (err) {
+          if (err instanceof ValidationError) {
+            // ignore blurhash validation errors
+            return;
+          }
+
+          throw err;
+        }
+      }
+    });
+
+  document
+    .querySelectorAll<HTMLDivElement>('.preview-card')
+    .forEach((previewCard) => {
+      const spoilerButton = previewCard.querySelector('.spoiler-button');
+      if (!spoilerButton) {
+        return;
+      }
+
+      spoilerButton.addEventListener('click', () => {
+        previewCard.classList.toggle('preview-card--image-visible');
+      });
+    });
 }).catch((reason: unknown) => {
   throw reason;
 });

app/javascript/entrypoints/public.tsx

@@ -145,6 +145,10 @@ function loaded() {
       );
     });
 
+  updateDefaultQuotePrivacyFromPrivacy(
+    document.querySelector('#user_settings_attributes_default_privacy'),
+  );
+
   const reactComponents = document.querySelectorAll('[data-component]');
 
   if (reactComponents.length > 0) {
@@ -347,6 +351,31 @@ const setInputDisabled = (
   }
 };
 
+const setInputHint = (
+  input: HTMLInputElement | HTMLSelectElement,
+  hintPrefix: string,
+) => {
+  const fieldWrapper = input.closest<HTMLElement>('.fields-group > .input');
+  if (!fieldWrapper) return;
+
+  const hint = fieldWrapper.dataset[`${hintPrefix}Hint`];
+  const hintElement =
+    fieldWrapper.querySelector<HTMLSpanElement>(':scope > .hint');
+
+  if (hint) {
+    if (hintElement) {
+      hintElement.textContent = hint;
+    } else {
+      const newHintElement = document.createElement('span');
+      newHintElement.className = 'hint';
+      newHintElement.textContent = hint;
+      fieldWrapper.appendChild(newHintElement);
+    }
+  } else {
+    hintElement?.remove();
+  }
+};
+
 Rails.delegate(
   document,
   '#account_statuses_cleanup_policy_enabled',
@@ -364,6 +393,36 @@ Rails.delegate(
   },
 );
 
+const updateDefaultQuotePrivacyFromPrivacy = (
+  privacySelect: EventTarget | null,
+) => {
+  if (!(privacySelect instanceof HTMLSelectElement) || !privacySelect.form)
+    return;
+
+  const select = privacySelect.form.querySelector<HTMLSelectElement>(
+    'select#user_settings_attributes_default_quote_policy',
+  );
+  if (!select) return;
+
+  setInputHint(select, privacySelect.value);
+
+  if (privacySelect.value === 'private') {
+    select.value = 'nobody';
+    setInputDisabled(select, true);
+  } else {
+    setInputDisabled(select, false);
+  }
+};
+
+Rails.delegate(
+  document,
+  '#user_settings_attributes_default_privacy',
+  'change',
+  ({ target }) => {
+    updateDefaultQuotePrivacyFromPrivacy(target);
+  },
+);
+
 // Empty the honeypot fields in JS in case something like an extension
 // automatically filled them.
 Rails.delegate(document, '#registration_new_user,#new_user', 'submit', () => {

app/javascript/images/mailer-new/heading/README.md

@@ -1 +1,3 @@
 Images in this folder are based on [Tabler.io icons](https://tabler.io/icons).
+
+Seems to be 1.5 width icons scaled to 64×64px and centered above a blue square with round corners (24px).