Version 1.13.2

CHANGELOG

@@ -457,3 +457,25 @@
 * Fix new installs by upgrading to the latest release of the nsa gem, instead of a no longer existing commit (mjankowski)
 * Fix insufficient checking of remote posts (GHSA-jhrq-qvrm-qr36)
 
+[1.13.1]
+* Update Mastodon to 4.2.8
+* This update changes registrations to be closed by default.
+* [Full changelog](https://github.com/mastodon/mastodon/releases/tag/v4.2.8)
+* Add hourly task to automatically require approval for new registrations in the absence of moderators (ClearlyClaire, ClearlyClaire)
+* In order to prevent future abandoned Mastodon servers from being used for spam, harassment and other malicious activity, Mastodon will now automatically switch new user registrations to require moderator approval whenever they are left open and no activity (including non-moderation actions from apps) from any logged-in user with permission to access moderation reports has been detected in a full week.
+* When this happens, users with the permission to change server settings will receive an email notification.
+* This feature is disabled when EMAIL_DOMAIN_ALLOWLIST is used, and can also be disabled with DISABLE_AUTOMATIC_SWITCHING_TO_APPROVED_REGISTRATIONS=true.
+* Change registrations to be closed by default on new installations (ClearlyClaire)
+* If you are running a server and never changed your registrations mode from the default, updating will automatically close your registrations.
+* Simply re-enable them through the administration interface or using tootctl settings registrations open if you want to enable them again.
+* Fix processing of remote ActivityPub actors making use of Link objects as Image url (ClearlyClaire)
+* Fix link verifications when page size exceeds 1MB (ClearlyClaire)
+
+[1.13.2]
+* Update Mastodon to 4.2.9
+* [Full changelog](https://github.com/mastodon/mastodon/releases/tag/v4.2.9)
+* Update dependencies
+* Fix private mention filtering (GHSA-5fq7-3p3j-9vrf)
+* Fix password change endpoint not being rate-limited (GHSA-q3rg-xx5v-4mxh)
+* Add hardening around rate-limit bypass (GHSA-c2r5-cfqr-c553)
+

CloudronManifest.json

@@ -5,8 +5,8 @@
   "description": "file://DESCRIPTION.md",
   "changelog": "file://CHANGELOG",
   "tagline": "Federated social network",
-  "version": "1.13.0",
-  "upstreamVersion": "4.2.7",
+  "version": "1.13.2",
+  "upstreamVersion": "4.2.9",
   "healthCheckPath": "/about",
   "httpPort": 8000,
   "memoryLimit": 1610612736,
@@ -16,7 +16,6 @@
     "postgresql": {},
     "redis": {},
     "sendmail": {},
-    "ldap": {},
     "oidc": { "loginRedirectUri": "/auth/auth/openid_connect/callback" },
     "scheduler": {
       "cleanup": {

Dockerfile

@@ -17,14 +17,14 @@ RUN apt-get update && \
         libidn11-dev libicu-dev libjemalloc-dev && \
     rm -rf /var/cache/apt /var/lib/apt/lists
 
-# install rbenv since we need ruby 3.0.4
+# install rbenv since we need ruby 3.2.3
 RUN mkdir -p /usr/local/rbenv && curl -LSs "https://github.com/rbenv/rbenv/archive/refs/tags/v1.2.0.tar.gz" | tar -xz -C /usr/local/rbenv --strip-components 1 -f -
 ENV PATH /usr/local/rbenv/bin:$PATH
 ENV RBENV_ROOT /home/cloudron/rbenv
-RUN mkdir -p "$(rbenv root)"/plugins/ruby-build && curl -LSs "https://github.com/rbenv/ruby-build/archive/refs/tags/v20221101.tar.gz" | tar -xz -C "$(rbenv root)"/plugins/ruby-build --strip-components 1 -f -
+RUN mkdir -p "$(rbenv root)"/plugins/ruby-build && curl -LSs "https://github.com/rbenv/ruby-build/archive/refs/tags/v20240530.1.tar.gz" | tar -xz -C "$(rbenv root)"/plugins/ruby-build --strip-components 1 -f -
 
 # install specific ruby version (https://github.com/mastodon/mastodon/blob/main/Dockerfile)
-ARG RUBY_VERSION=3.0.4
+ARG RUBY_VERSION=3.2.3
 RUN rbenv install ${RUBY_VERSION}
 ENV PATH ${RBENV_ROOT}/versions/${RUBY_VERSION}/bin:$PATH
 
@@ -33,7 +33,7 @@ RUN gem install --no-document bundler
 ENV RAILS_ENV production
 ENV NODE_ENV production
 
-ARG VERSION=4.2.7
+ARG VERSION=4.2.9
 
 RUN curl -L https://github.com/tootsuite/mastodon/archive/v${VERSION}.tar.gz | tar -xz --strip-components 1 -f - && \
     bundle config --local set deployment 'true' && \
@@ -69,9 +69,7 @@ RUN ln -sf /run/mastodon/supervisord.log /var/log/supervisor/supervisord.log
 RUN ln -fs /app/data/env.production /app/code/.env.production
 RUN ln -fs /app/data/system /app/code/public/system
 
-COPY migrateUsers.js start.sh cleanup.sh config.sh env.template cache-env.sh.template /app/pkg/
-
-RUN chmod +x /app/pkg/migrateUsers.js
+COPY start.sh cleanup.sh config.sh env.template cache-env.sh.template /app/pkg/
 
 CMD [ "/app/pkg/start.sh" ]
 

POSTINSTALL.md

@@ -1,4 +1,6 @@
-Accounts are created with the username and the subdomain under which this app is installed  e.g. `@$CLOUDRON-USERNAME@$CLOUDRON-APP-FQDN`. Mastodon does not allow changing the domain part of the account later. See [the docs](https://docs.cloudron.io/apps/mastodon/#federation) for more information, if you want to change this domain.
+Accounts are created with the username and the subdomain under which this app is installed  e.g. `@$CLOUDRON-USERNAME@$CLOUDRON-APP-FQDN`.
+Mastodon does not allow changing the domain part of the account later.
+See [the docs](https://docs.cloudron.io/apps/mastodon/#federation) for more information, f you want to change this domain.
 
 <sso>
 **NOTE:**
@@ -7,3 +9,9 @@ Accounts are created with the username and the subdomain under which this app is
 * External registration [does not work well](https://github.com/mastodon/mastodon/issues/20655) when Cloudron user management is enabled.
 </sso>
 
+<nosso>
+**NOTE:**
+* Open registration is disabled by default. To enable this, see the [docs](https://docs.cloudron.io/apps/mastodon/#registration)
+
+* To add an initial account follow those [instructions](https://docs.cloudron.io/apps/mastodon/#adding-users)
+</nosso>

migrateUsers.js

@@ -1,45 +0,0 @@
-#!/usr/bin/env node
-
-'use strict';
-
-const execSync = require('child_process').execSync;
-
-const ldapUserSearchCmd = `ldapsearch -LLL -x -H "${process.env.CLOUDRON_LDAP_URL}" -D "${process.env.CLOUDRON_LDAP_BIND_DN}" -w "${process.env.CLOUDRON_LDAP_BIND_PASSWORD}" -b "${process.env.CLOUDRON_LDAP_USERS_BASE_DN}"`
-const postgresCmd = `PGPASSWORD=${process.env.CLOUDRON_POSTGRESQL_PASSWORD} psql -h ${process.env.CLOUDRON_POSTGRESQL_HOST} -p ${process.env.CLOUDRON_POSTGRESQL_PORT} -U ${process.env.CLOUDRON_POSTGRESQL_USERNAME} -d ${process.env.CLOUDRON_POSTGRESQL_DATABASE}`
-
-let usersTableExists = execSync(`${postgresCmd} -AXqtc "SELECT count(*) FROM information_schema.tables WHERE table_schema LIKE 'public' AND table_type LIKE 'BASE TABLE' AND table_name = 'users'"`);
-if (usersTableExists == 0) {
-    console.log("DB hasn't been initialised yet. Nothing to migrate.");
-    process.exit(0);
-}
-
-let ldapProfiles = execSync(`${postgresCmd} -AXqtc "SELECT count(*) FROM users u JOIN accounts a ON a.id=u.account_id LEFT JOIN identities i ON i.uid=a.username WHERE i.uid IS NULL"`);
-console.log(`LDAP profiles in DB: ${ldapProfiles}`);
-if (ldapProfiles == 0) {
-    console.log("Nothing to migrate. All users' profiles are up-to-date.");
-    process.exit(0);
-}
-
-const ldapSearchOutput = execSync(ldapUserSearchCmd, { encoding: 'utf8' });
-
-const users = {};
-
-let userId;
-for (let line of ldapSearchOutput.split('\n')) {
-    if (line.startsWith('uid:')) userId = line.split(':')[1].trim();
-    if (line.startsWith('username:')) users[userId] = line.split(':')[1].trim();
-}
-
-console.log('Found usermapping:', users);
-
-for (let id in users) {
-    let uid = execSync(`${postgresCmd} -AXqtc "SELECT u.id FROM users u JOIN accounts a ON a.id=u.account_id WHERE NOT EXISTS (SELECT 1 FROM identities WHERE provider='openid_connect' AND uid='${users[id]}') AND a.username='${users[id]}'"`).toString().trim();
-    if (!uid)
-        continue;
-
-    console.log(`Migrate ${users[id]} to OIDC`);
-    execSync(`${postgresCmd} -c "INSERT INTO identities (provider, uid, user_id, created_at, updated_at) VALUES ('openid_connect', '${users[id]}', ${uid}, NOW(), NOW())"`);
-    console.log(`"INSERT INTO identities (provider, uid, user_id, created_at, updated_at) VALUES ('openid_connect', '${users[id]}', ${uid}, NOW(), NOW())"`);
-}
-
-console.log('Done');

start.sh

@@ -30,33 +30,7 @@ sed -e "s/DB_HOST=.*/DB_HOST=${CLOUDRON_POSTGRESQL_HOST}/g" \
     -e "s/WEB_DOMAIN=.*/WEB_DOMAIN=${CLOUDRON_APP_DOMAIN}/g" \
     -i /app/data/env.production
 
-# migrate LDAP settings to OIDC (should be removed on the next release)
-if grep -q "^LDAP_ENABLED" /app/data/env.production; then
-    # get rid LDAP settings
-    sed -e "s/LDAP_.*//g" \
-        -e "s/# SSO configuration//g" \
-        -i /app/data/env.production
-
-    cat >> /app/data/env.production <<EOT
-# SSO configuration
-OIDC_ENABLED=
-OIDC_DISPLAY_NAME=
-OIDC_ISSUER=
-OIDC_CLIENT_ID=
-OIDC_CLIENT_SECRET=
-OIDC_REDIRECT_URI=
-OIDC_DISCOVERY=
-OIDC_SCOPE=
-OIDC_UID_FIELD=
-OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=
-EOT
-fi
-
 if [[ -n "${CLOUDRON_OIDC_ISSUER:-}" ]]; then
-    # should be removed on the next release
-    echo "==> migrating LDAP users to OIDC"
-    /app/pkg/migrateUsers.js
-
     echo "==> Setting up OIDC"
     sed -e "s/OIDC_ENABLED=.*/OIDC_ENABLED=true/g" \
         -e "s/OIDC_DISPLAY_NAME=.*/OIDC_DISPLAY_NAME=Cloudron/g" \

test/package.json

@@ -10,10 +10,10 @@
   "license": "ISC",
   "devDependencies": {
     "expect.js": "^0.3.1",
-    "mocha": "^10.3.0",
-    "selenium-webdriver": "^4.17.0"
+    "mocha": "^10.4.0",
+    "selenium-webdriver": "^4.21.0"
   },
   "dependencies": {
-    "chromedriver": "^121.0.1"
+    "chromedriver": "^125.0.2"
   }
 }

test/test.js

@@ -134,7 +134,7 @@ describe('Application life cycle test', function () {
     it('install app (no sso)', function () { execSync('cloudron install --no-sso --location ' + LOCATION, EXEC_ARGS); });
     it('can get app information', getAppInfo);
 
-    it('has registration open', checkRegistration.bind(null, 'open'));
+    it('has registration open', checkRegistration.bind(null, 'none'));
     let testPassword;
     it('create a user with CLI', function () {
         let output = execSync('cloudron exec --app ' + LOCATION + ' -- bin/tootctl accounts create test --email=test@cloudron.io', { cwd: path.resolve(__dirname, '..'), encoding: 'utf8' });
@@ -199,7 +199,7 @@ describe('Application life cycle test', function () {
     it('can install app', function () { execSync('cloudron install --appstore-id ' + manifest.id + ' --location ' + LOCATION, EXEC_ARGS); });
     it('can get app information', getAppInfo);
     // needs to be changed to loginOIDC on the next release
-    it('can LDAP login', login.bind(null, username, password));
+    it('can OIDC login', loginOIDC.bind(null, username, password));
     it('can logout', logout);
 
     it('can update', async function () {