pleroma/lib/pleroma/web
William Pitcock 0159a6dbe9 router: require oauth_read for searching
Search calls are generally expensive and allow unauthenticated users to
crawl the instance for user profiles or posts which contain specified
keywords.  An adversary can build a distributed search engine which not
only will consume significant instance resources, but also can be used
for undesirable purposes such as datamining.

Accordingly, require authenticated access to use the search API endpoints.
This acts as a nice balance as it allows guest users to make use of most
functionality available in Pleroma FE while ensuring that Pleroma
instances are reasonably protected from resource exhaustion.  It also
removes Pleroma as a potential vector in distributed search engines.
2019-05-29 10:58:45 +00:00
activity_pub Merge branch 'refactor/die-httpoison-die' into 'develop' 2019-05-26 13:33:11 +00:00
admin_api Add Reports to Admin API 2019-05-16 19:09:18 +00:00
auth differences_in_mastoapi_responses.md: fullname & bio are optional 2019-05-13 18:35:45 +00:00
channels Use `User.get_cached*` everywhere 2019-04-22 07:20:43 +00:00
common_api add Changelog entry 2019-05-17 23:00:14 +00:00
federator remove @websub and @ostatus module-level constants 2019-05-25 04:43:11 +00:00
mastodon_api kill @httpoison 2019-05-25 04:24:21 +00:00
media_proxy Add mediaproxy whitelist capability 2019-04-25 18:11:47 -05:00
metadata typo fix 2019-04-19 07:50:21 +00:00
mongooseim Linting. 2019-05-17 18:32:30 +02:00
nodeinfo Keep nodeinfo available when not federating 2019-05-25 08:15:12 +08:00
oauth [#699] add worker to clean expired oauth tokens 2019-05-22 15:44:50 +00:00
ostatus kill @httpoison 2019-05-25 04:24:21 +00:00
push WebPush: Use Object.normalize, rewrite tests so they test reality. 2019-04-29 18:15:30 +02:00
rich_media rich media: suppress link previews if post is marked as sensitive 2019-05-17 18:49:43 +00:00
salmon kill @httpoison 2019-05-25 04:24:21 +00:00
templates Merge branch '923_oauth_consumer_refactoring_ci' into 'develop' 2019-04-19 07:49:26 +00:00
twitter_api Add virtual :thread_muted? field 2019-05-21 00:35:46 +08:00
views logging: only return ISE reasons in API responses when in dev or test mode 2019-02-20 17:36:47 +00:00
web_finger kill @httpoison 2019-05-25 04:24:21 +00:00
websub kill @httpoison 2019-05-25 04:24:21 +00:00
xml update copyright years to 2019 2018-12-31 15:41:47 +00:00
chat_channel.ex [Credo] Remove parenthesis on argument-less functions 2019-03-13 04:26:56 +01:00
controller_helper.ex Refactoring functions for dealing with oauth scopes. 2019-05-08 10:52:13 +00:00
endpoint.ex Move the Cache Control header test to its own file 2019-05-24 20:33:55 +00:00
gettext.ex update copyright years to 2019 2018-12-31 15:41:47 +00:00
metadata.ex Use object instead of activity for metadata 2019-01-18 09:32:52 +03:00
oauth.ex Refactoring functions for dealing with oauth scopes. 2019-05-08 10:52:13 +00:00
rel_me.ex Add `with_body: true` to requests relying on `max_body: val` 2019-04-12 00:16:33 +07:00
router.ex router: require oauth_read for searching 2019-05-29 10:58:45 +00:00
streamer.ex Credo fixes. 2019-05-03 13:53:17 +02:00
uploader_controller.ex Make credo happy 2019-02-09 14:59:20 +01:00
web.ex Made auth customization be runtime-configurable. 2019-02-28 13:00:54 +03:00