mastodon/app/models/user.rb

# frozen_string_literal: true
# == Schema Information
#
# Table name: users
#
#  id                        :integer          not null, primary key
#  email                     :string           default(""), not null
#  account_id                :integer          not null
#  created_at                :datetime         not null
#  updated_at                :datetime         not null
#  encrypted_password        :string           default(""), not null
#  reset_password_token      :string
#  reset_password_sent_at    :datetime
#  remember_created_at       :datetime
#  sign_in_count             :integer          default(0), not null
#  current_sign_in_at        :datetime
#  last_sign_in_at           :datetime
#  current_sign_in_ip        :inet
#  last_sign_in_ip           :inet
#  admin                     :boolean          default(FALSE), not null
#  confirmation_token        :string
#  confirmed_at              :datetime
#  confirmation_sent_at      :datetime
#  unconfirmed_email         :string
#  locale                    :string
#  encrypted_otp_secret      :string
#  encrypted_otp_secret_iv   :string
#  encrypted_otp_secret_salt :string
#  consumed_timestep         :integer
#  otp_required_for_login    :boolean          default(FALSE), not null
#  last_emailed_at           :datetime
#  otp_backup_codes          :string           is an Array
#  filtered_languages        :string           default([]), not null, is an Array
#

class User < ApplicationRecord
  include Settings::Extend
  ACTIVE_DURATION = 14.days

  devise :registerable, :recoverable,
         :rememberable, :trackable, :validatable, :confirmable,
         :two_factor_authenticatable, :two_factor_backupable,
         otp_secret_encryption_key: ENV['OTP_SECRET'],
         otp_number_of_backup_codes: 10

  belongs_to :account, inverse_of: :user, required: true
  accepts_nested_attributes_for :account

  validates :locale, inclusion: I18n.available_locales.map(&:to_s), if: :locale?
  validates_with BlacklistedEmailValidator, if: :email_changed?

  scope :recent,    -> { order(id: :desc) }
  scope :admins,    -> { where(admin: true) }
  scope :confirmed, -> { where.not(confirmed_at: nil) }
  scope :inactive, -> { where(arel_table[:current_sign_in_at].lt(ACTIVE_DURATION.ago)) }
  scope :active, -> { confirmed.where(arel_table[:current_sign_in_at].gteq(ACTIVE_DURATION.ago)).joins(:account).where(accounts: { suspended: false }) }
  scope :matches_email, ->(value) { where(arel_table[:email].matches("#{value}%")) }
  scope :with_recent_ip_address, ->(value) { where(arel_table[:current_sign_in_ip].eq(value).or(arel_table[:last_sign_in_ip].eq(value))) }

  before_validation :sanitize_languages

  # This avoids a deprecation warning from Rails 5.1
  # It seems possible that a future release of devise-two-factor will
  # handle this itself, and this can be removed from our User class.
  attribute :otp_secret

  has_many :session_activations, dependent: :destroy

  def confirmed?
    confirmed_at.present?
  end

  def disable_two_factor!
    self.otp_required_for_login = false
    otp_backup_codes&.clear
    save!
  end

  def setting_default_privacy
    settings.default_privacy || (account.locked? ? 'private' : 'public')
  end

  def setting_default_sensitive
    settings.default_sensitive
  end

  def setting_unfollow_modal
    settings.unfollow_modal
  end

  def setting_boost_modal
    settings.boost_modal
  end

  def setting_delete_modal
    settings.delete_modal
  end

  def setting_auto_play_gif
    settings.auto_play_gif
  end

  def setting_system_font_ui
    settings.system_font_ui
  end

  def setting_noindex
    settings.noindex
  end

  def activate_session(request)
    session_activations.activate(session_id: SecureRandom.hex,
                                 user_agent: request.user_agent,
                                 ip: request.ip).session_id
  end

  def exclusive_session(id)
    session_activations.exclusive(id)
  end

  def session_active?(id)
    session_activations.active? id
  end

  def web_push_subscription(session)
    session.web_push_subscription.nil? ? nil : session.web_push_subscription.as_payload
  end

  protected

  def send_devise_notification(notification, *args)
    devise_mailer.send(notification, self, *args).deliver_later
  end

  private

  def sanitize_languages
    filtered_languages.reject!(&:blank?)
  end
end
Fix rubocop issues, introduce usage of frozen literal to improve performance 2016-11-15 16:56:29 +01:00			`# frozen_string_literal: true`
annotate models (#2697) * add annotate to Gemfile * rails g annotate:install * configure annotate_models * add schema info to models * fix rubocop to add frozen_string_literal 2017-05-02 02:14:47 +02:00			`# == Schema Information`
			`#`
			`# Table name: users`
			`#`
			`# id :integer not null, primary key`
			`# email :string default(""), not null`
			`# account_id :integer not null`
			`# created_at :datetime not null`
			`# updated_at :datetime not null`
			`# encrypted_password :string default(""), not null`
			`# reset_password_token :string`
			`# reset_password_sent_at :datetime`
			`# remember_created_at :datetime`
			`# sign_in_count :integer default(0), not null`
			`# current_sign_in_at :datetime`
			`# last_sign_in_at :datetime`
			`# current_sign_in_ip :inet`
			`# last_sign_in_ip :inet`
Fix boolean columns sometimes having a null value (#4162) * Fix boolean columns sometimes having a null value * Fix wrong value being set instead of null 2017-07-13 03:12:25 +02:00			`# admin :boolean default(FALSE), not null`
annotate models (#2697) * add annotate to Gemfile * rails g annotate:install * configure annotate_models * add schema info to models * fix rubocop to add frozen_string_literal 2017-05-02 02:14:47 +02:00			`# confirmation_token :string`
			`# confirmed_at :datetime`
			`# confirmation_sent_at :datetime`
			`# unconfirmed_email :string`
			`# locale :string`
			`# encrypted_otp_secret :string`
			`# encrypted_otp_secret_iv :string`
			`# encrypted_otp_secret_salt :string`
			`# consumed_timestep :integer`
Fix boolean columns sometimes having a null value (#4162) * Fix boolean columns sometimes having a null value * Fix wrong value being set instead of null 2017-07-13 03:12:25 +02:00			`# otp_required_for_login :boolean default(FALSE), not null`
annotate models (#2697) * add annotate to Gemfile * rails g annotate:install * configure annotate_models * add schema info to models * fix rubocop to add frozen_string_literal 2017-05-02 02:14:47 +02:00			`# last_emailed_at :datetime`
			`# otp_backup_codes :string is an Array`
Filter languages with opt out (#3175) * Remove allowed_languages and add filtered_languages * Use filtered_languages instead of allowed_languages 2017-05-20 17:32:44 +02:00			`# filtered_languages :string default([]), not null, is an Array`
annotate models (#2697) * add annotate to Gemfile * rails g annotate:install * configure annotate_models * add schema info to models * fix rubocop to add frozen_string_literal 2017-05-02 02:14:47 +02:00			`#`
Fix rubocop issues, introduce usage of frozen literal to improve performance 2016-11-15 16:56:29 +01:00
Upgrade to Rails 5.0.0.1 2016-08-17 17:56:23 +02:00			`class User < ApplicationRecord`
Extend rails-settings-cached to merge db-saved hash values with defaults 2017-01-13 02:42:22 +01:00			`include Settings::Extend`
Specs for cleanup workers (#3235) * Add spec files for feed and media cleanup workers * Add coverage for feed and media cleanup schedulers * Clean up feed and media cleanup workers 2017-05-22 19:36:21 +02:00			`ACTIVE_DURATION = 14.days`
Migrate from ledermann/rails-settings to rails-settings-cached which allows global settings with YAML-defined defaults. Add admin page for editing global settings. Add "site_description" setting that would show as a paragraph on the frontpage 2017-01-12 20:46:24 +01:00
Added optional two-factor authentication 2017-01-27 20:28:46 +01:00			`devise :registerable, :recoverable,`
			`:rememberable, :trackable, :validatable, :confirmable,`
Add recovery code support for two-factor auth (#1773) * Add recovery code support for two-factor auth When users enable two-factor auth, the app now generates ten single-use recovery codes. Users are encouraged to print the codes and store them in a safe place. The two-factor prompt during login now accepts both OTP codes and recovery codes. The two-factor settings UI allows users to regenerated lost recovery codes. Users who have set up two-factor auth prior to this feature being added can use it to generate recovery codes for the first time. Fixes #563 and fixes #987 * Set OTP_SECRET in test enviroment * add missing .html to view file names 2017-04-15 13:26:03 +02:00			`:two_factor_authenticatable, :two_factor_backupable,`
			`otp_secret_encryption_key: ENV['OTP_SECRET'],`
			`otp_number_of_backup_codes: 10`
Removing grape and adding devise 2016-03-05 13:12:24 +01:00
Required foreign keys (#2003) * Add `required: true` option to foreign column * Fixes NoMethodError ``` > Favourite.new.valid? NoMethodError: undefined method `reblog?' for nil:NilClass ``` 2017-04-17 15:54:33 +02:00			`belongs_to :account, inverse_of: :user, required: true`
Customizing devise views and controllers 2016-03-05 22:43:05 +01:00			`accepts_nested_attributes_for :account`
Removing grape and adding devise 2016-03-05 13:12:24 +01:00
Conditional validations no longer accept strings for if/unless (#3124) 2017-05-19 03:11:23 +02:00			`validates :locale, inclusion: I18n.available_locales.map(&:to_s), if: :locale?`
Correct validators so that existing error messages would look correct (#3668) 2017-06-09 19:46:01 +02:00			`validates_with BlacklistedEmailValidator, if: :email_changed?`
Bind oauth applications to users 2016-03-14 17:49:13 +01:00
Order by symbol value (#3077) 2017-05-16 03:35:17 +02:00			`scope :recent, -> { order(id: :desc) }`
Add digest e-mails 2017-03-03 23:45:48 +01:00			`scope :admins, -> { where(admin: true) }`
			`scope :confirmed, -> { where.not(confirmed_at: nil) }`
Specs for cleanup workers (#3235) * Add spec files for feed and media cleanup workers * Add coverage for feed and media cleanup schedulers * Clean up feed and media cleanup workers 2017-05-22 19:36:21 +02:00			`scope :inactive, -> { where(arel_table[:current_sign_in_at].lt(ACTIVE_DURATION.ago)) }`
Add rake task mastodon:feeds:build to regenerate all active users' feeds (#4303) 2017-07-23 01:15:04 +02:00			`scope :active, -> { confirmed.where(arel_table[:current_sign_in_at].gteq(ACTIVE_DURATION.ago)).joins(:account).where(accounts: { suspended: false }) }`
Add coverage for ReportFilter and AccountFilter (#3236) 2017-05-22 21:50:58 +02:00			`scope :matches_email, ->(value) { where(arel_table[:email].matches("#{value}%")) }`
			`scope :with_recent_ip_address, ->(value) { where(arel_table[:current_sign_in_ip].eq(value).or(arel_table[:last_sign_in_ip].eq(value))) }`
Adding user settings (model and mailer), no form yet 2016-10-07 13:17:56 +02:00
Improve allowed language handling (#2897) * Dont allow empty value in user allowed languages * Sanitize language input to reject blank values in array 2017-05-08 03:32:52 +02:00			`before_validation :sanitize_languages`

Update Rails to version 5.1.1 (#3121) * Update rails to version 5.1.1 * Run `rails app:update` * Remove the override of polymorphic activity relationship * Silence warning about otp_secret attribute being unknown to rails * We will only introduce form_with where we want to use remote data 2017-06-01 20:53:37 +02:00			`# This avoids a deprecation warning from Rails 5.1`
			`# It seems possible that a future release of devise-two-factor will`
			`# handle this itself, and this can be removed from our User class.`
			`attribute :otp_secret`

Revocable sessions (#3616) * feat: Revocable sessions * fix: Tests using sign_in * feat: Configuration entry for the maximum number of session activations 2017-06-23 18:50:53 +02:00			`has_many :session_activations, dependent: :destroy`

Admin UI for confirming users (#2245) * Shows confirmed status in list. * Adds ability to confirm users in admin UI. * Added new english translations. * Addresses feedback from #2245. * More feedback. 2017-04-23 04:43:42 +02:00			`def confirmed?`
			`confirmed_at.present?`
			`end`

Add option to disable two factor auth in admin accounts panel. (#2584) * Add option to disable two factor auth in admin accounts panel. Closes #2578 * Add @mjankowski's suggestions. * Moves destroy actions behind User#disable_two_factor! * Adds spec coverage for Admin:TwoFactorAuthenticationsController and User#disable_two_factor! 2017-05-02 21:07:12 +02:00			`def disable_two_factor!`
			`self.otp_required_for_login = false`
			`otp_backup_codes&.clear`
			`save!`
			`end`

Add API modifiers to limit returned toots from public/hashtag timelines to only those from local users; Add link to "extended information" to getting started in the UI; Add defaults for posting privacy; Change how publish button looks depending on posting privacy chosen 2017-02-06 23:16:20 +01:00			`def setting_default_privacy`
			`settings.default_privacy \|\| (account.locked? ? 'private' : 'public')`
			`end`
Allow user to disable the boost confirm dialog in preferences 2017-04-11 16:10:16 +02:00
Add setting a always mark media as sensitive (#4136) 2017-07-10 14:00:32 +02:00			`def setting_default_sensitive`
			`settings.default_sensitive`
			`end`
Add unfollow modal (optional) (#4246) * Add unfollow modal * unfollowing someone * remove unnecessary prop 2017-07-18 17:14:43 +02:00
			`def setting_unfollow_modal`
			`settings.unfollow_modal`
			`end`
Add setting a always mark media as sensitive (#4136) 2017-07-10 14:00:32 +02:00
Allow user to disable the boost confirm dialog in preferences 2017-04-11 16:10:16 +02:00			`def setting_boost_modal`
			`settings.boost_modal`
			`end`
Add gif auto-play/pause preference This introduces a new per-user preference called "Auto-play animated GIFs", which is enabled by default. When a user disables this setting, gifs in toots become click-to-play. Previews of animated gifs were changed to display the video play button so that users can distinguish them from regular images. This setting also affects account avatars in the detailed account view, which was changed to use the same hover-to-play mechanism that is used for animated avatars in timelines. Fixes #1652 2017-04-17 12:14:03 +02:00
Add preference setting for delete toot modal (#3368) * Set delete_modal preference to true by default * Does not show confirmation modal if delete_modal is false * Add ja translation for preference setting page 2017-05-29 17:56:13 +02:00			`def setting_delete_modal`
			`settings.delete_modal`
			`end`

Add gif auto-play/pause preference This introduces a new per-user preference called "Auto-play animated GIFs", which is enabled by default. When a user disables this setting, gifs in toots become click-to-play. Previews of animated gifs were changed to display the video play button so that users can distinguish them from regular images. This setting also affects account avatars in the detailed account view, which was changed to use the same hover-to-play mechanism that is used for animated avatars in timelines. Fixes #1652 2017-04-17 12:14:03 +02:00			`def setting_auto_play_gif`
			`settings.auto_play_gif`
			`end`
Improve allowed language handling (#2897) * Dont allow empty value in user allowed languages * Sanitize language input to reject blank values in array 2017-05-08 03:32:52 +02:00
Add a setting allowing the use of system's default font in Web UI (#4033) * add a system_font_ui setting on the server * Plug the system_font_ui on the front-end * add EN/FR locales for the new setting * put Roboto after all other fonts * remove trailing whitespace so CodeClimate is happy * fix user_spec.rb * correctly write user_spect this time * slightly better way of adding the classes * add comments to the system-font stack for clarification * use .system-font for the class instead * don't use multiple lines for comments * remove trailing whitespace * use the classnames module for consistency * use `mastodon-font-sans-serif` instead of Roboto directly 2017-07-06 22:39:56 +02:00			`def setting_system_font_ui`
			`settings.system_font_ui`
			`end`

Add option to opt out of search engines on public profile/status pages (#4199) 2017-07-14 16:41:02 +02:00			`def setting_noindex`
			`settings.noindex`
			`end`

Add overview of active sessions (#3929) * Add overview of active sessions * Better display of browser/platform name * Improve how browser information is stored and displayed for sessions overview * Fix test 2017-06-25 16:54:30 +02:00			`def activate_session(request)`
			`session_activations.activate(session_id: SecureRandom.hex,`
			`user_agent: request.user_agent,`
			`ip: request.ip).session_id`
Revocable sessions (#3616) * feat: Revocable sessions * fix: Tests using sign_in * feat: Configuration entry for the maximum number of session activations 2017-06-23 18:50:53 +02:00			`end`

			`def exclusive_session(id)`
			`session_activations.exclusive(id)`
			`end`

			`def session_active?(id)`
			`session_activations.active? id`
			`end`

Web Push Notifications (#3243) * feat: Register push subscription * feat: Notify when mentioned * feat: Boost, favourite, reply, follow, follow request * feat: Notification interaction * feat: Handle change of public key * feat: Unsubscribe if things go wrong * feat: Do not send normal notifications if push is enabled * feat: Focus client if open * refactor: Move push logic to WebPushSubscription * feat: Better title and body * feat: Localize messages * chore: Fix lint errors * feat: Settings * refactor: Lazy load * fix: Check if push settings exist * feat: Device-based preferences * refactor: Simplify logic * refactor: Pull request feedback * refactor: Pull request feedback * refactor: Create /api/web/push_subscriptions endpoint * feat: Spec PushSubscriptionController * refactor: WebPushSubscription => Web::PushSubscription * feat: Spec Web::PushSubscription * feat: Display first media attachment * feat: Support direction * fix: Stuff broken while rebasing * refactor: Integration with session activations * refactor: Cleanup * refactor: Simplify implementation * feat: Set VAPID keys via environment * chore: Comments * fix: Crash when no alerts * fix: Set VAPID keys in testing environment * fix: Follow link * feat: Notification actions * fix: Delete previous subscription * chore: Temporary logs * refactor: Move migration to a later date * fix: Fetch the correct session activation and misc bugs * refactor: Move migration to a later date * fix: Remove follow request (no notifications) * feat: Send administrator contact to push service * feat: Set time-to-live * fix: Do not show sensitive images * fix: Reducer crash in error handling * feat: Add badge * chore: Fix lint error * fix: Checkbox label overlap * fix: Check for payload support * fix: Rename action "type" (crash in latest Chrome) * feat: Action to expand notification * fix: Lint errors * fix: Unescape notification body * fix: Do not allow boosting if the status is hidden * feat: Add VAPID keys to the production sample environment * fix: Strip HTML tags from status * refactor: Better error messages * refactor: Handle browser not implementing the VAPID protocol (Samsung Internet) * fix: Error when target_status is nil * fix: Handle lack of image * fix: Delete reference to invalid subscriptions * feat: Better error handling * fix: Unescape HTML characters after tags are striped * refactor: Simpify code * fix: Modify to work with #4091 * Sort strings alphabetically * i18n: Updated Polish translation it annoys me that it's not fully localized :P * refactor: Use current_session in PushSubscriptionController * fix: Rebase mistake * fix: Set cacheName to mastodon * refactor: Pull request feedback * refactor: Remove logging statements * chore(yarn): Fix conflicts with master * chore(yarn): Copy latest from master * chore(yarn): Readd offline-plugin * refactor: Use save! and update! * refactor: Send notifications async * fix: Allow retry when push fails * fix: Save track for failed pushes * fix: Minify sw.js * fix: Remove account_id from fabricator 2017-07-13 22:15:32 +02:00			`def web_push_subscription(session)`
			`session.web_push_subscription.nil? ? nil : session.web_push_subscription.as_payload`
			`end`

Refactor User and spec (#3431) * Protect send_devise_notification of User * Improve spec for User 2017-05-30 15:28:56 +02:00			`protected`

			`def send_devise_notification(notification, *args)`
			`devise_mailer.send(notification, self, *args).deliver_later`
			`end`

Improve allowed language handling (#2897) * Dont allow empty value in user allowed languages * Sanitize language input to reject blank values in array 2017-05-08 03:32:52 +02:00			`private`

			`def sanitize_languages`
Filter languages with opt out (#3175) * Remove allowed_languages and add filtered_languages * Use filtered_languages instead of allowed_languages 2017-05-20 17:32:44 +02:00			`filtered_languages.reject!(&:blank?)`
Improve allowed language handling (#2897) * Dont allow empty value in user allowed languages * Sanitize language input to reject blank values in array 2017-05-08 03:32:52 +02:00			`end`
Made some progress 2016-02-22 16:00:20 +01:00			`end`