Commit Graph

4861 Commits

Author SHA1 Message Date
Jordan Milne
25a890d8ed Replace disable_require_employee_https with a feature flag 2014-09-05 14:10:52 -07:00
Jordan Milne
4dbf7cb2cf Update security preferences page 2014-09-05 14:10:47 -07:00
Jordan Milne
8aa2312c94 Disable toolbar when forcing HTTPS 2014-09-05 14:10:42 -07:00
Jordan Milne
0b5eebac2d Properly enforce users' cookie security preferences 2014-09-05 14:10:36 -07:00
Jordan Milne
95b5a6601c Don't try to pick up an HSTS grant if it's not likely to help
This also fixes some nasty business with JSONP urls where
`hsts_eligible` saw the "secure_session" cookie, but
`c.user_is_loggedin` was forced to `False`, causing a redirect loop.
2014-09-05 14:10:30 -07:00
Jordan Milne
a825f1b844 Never try to send a user who's forcing HTTPS back to HTTP
This fixes an issue where Safari would refuse to redirect to a
`Location` with an "http:" scheme if an HSTS grant had been given
in the same response.
2014-09-05 14:10:18 -07:00
Jordan Milne
54957ee639 Ensure downstream proxies don't cache enforce_https()'s redirect 2014-09-05 14:10:09 -07:00
Jordan Milne
971f24f1c1 Don't put responses with uncacheable cookies in the pagecache
This deals with people getting sent someone else's reddit_session
cookie when loggedin responses use the pagecache
2014-09-05 14:10:03 -07:00
Jordan Milne
39160007d3 Remove unused c.allow_loggedin_cache
This hasn't been used on reddit.com since recent changes to
how stylesheets are served, and loggedin responses cannot be
safely cached by a downstream proxy anymore.
2014-09-05 14:09:57 -07:00
Jordan Milne
597ecd6e20 Remove a vestigial checkbox for pref_force_https 2014-09-05 14:09:50 -07:00
Jordan Milne
d4e737092f Use the correct abort() in modify_hsts_grant 2014-09-05 14:09:44 -07:00
Jordan Milne
1ba46be710 Force HTTPS: Check the value of the 'secure_session' cookie 2014-09-05 14:09:40 -07:00
Jordan Milne
6a51465e5e Put the 'security' tab behind a feature flag 2014-09-05 14:09:35 -07:00
Jordan Milne
1d148afbe1 Set c.user when logging in
This fixes an issue with PostController.login where we didn't know
the user's HTTPS preferences at the point when they logged in
2014-09-05 14:09:30 -07:00
Jordan Milne
b4df9a6781 Respect the https_forced property when setting cookies client-side 2014-09-05 14:08:46 -07:00
Jordan Milne
fc053abab5 Merge HTTPS prefs page with OTP page, require a password to toggle
This way we can invalidate all session cookies that may
have been sent in the clear, as well as ensure that people who
can't remember their password don't get bit by the "remember me"
flag not being tracked.
2014-09-05 14:08:41 -07:00
Jordan Milne
9e20cc125a Allow forcing HTTPS upon employees 2014-09-05 14:08:35 -07:00
Jordan Milne
7a4fa77a23 Redirect through HSTS granting / revoking endpoint on base domain
Since grants / revokes only happen on the base domain for simplicity,
we need to redirect through an endpoint on the base domain whenever
we perform an action that might change a user's HSTS eligibility.
2014-09-05 14:08:30 -07:00
Jordan Milne
b70556a3ab Add support for forced HTTPS with HSTS grants
Right now we only give HSTS grants when the user is on g.domain
so we can easily revoke the grant. We also track changes to the
forced HTTPS pref across sessions and modify the user's session
cookies as needed.
2014-09-05 14:08:25 -07:00
Brian Simpson
a5f61e9ed0 Don't break existing users of POST_report.
Continue to support sending the Thing's fullname as the "id".
2014-09-03 02:32:57 -04:00
Brian Simpson
85a9223dce Add report reasons for Links and Comments. 2014-09-03 02:32:50 -04:00
Matt Lee
d2404e4108 Make PromoteLinkNew subclass of PromoteLinkBase.
Not needed at this point, but for consistency.
2014-09-02 14:36:13 -07:00
Matt Lee
7346abd833 Update sponsored/roadblock page with new UI. 2014-09-02 14:36:12 -07:00
Matt Lee
74f845cc75 Update sponsored/report page with new UI. 2014-09-02 14:36:12 -07:00
Matt Lee
724f1a1f43 Update sponsored/inventory with new UI. 2014-09-02 14:36:12 -07:00
Matt Lee
7aa0e2b56e Make min/max constraints in timing_field optional. 2014-09-02 14:36:11 -07:00
Matt Lee
c1c653fac0 Allow setting default targeting type for targeting_field. 2014-09-02 14:36:11 -07:00
Matt Lee
0e9c5cd2f1 Remove dependency on fill_campaign_editor from sponsored.js methods. 2014-09-02 14:36:11 -07:00
Matt Lee
a045074435 Make PromoteLinkEdit inherit from PromoteLinkBase.
Add methods for getting form data to PromoLinkBase.
2014-09-02 14:36:11 -07:00
Matt Lee
788549415b Allow updated UI on pages other than promoted/edit_promo. 2014-09-02 14:36:11 -07:00
Brian Simpson
50d358de0b Support collections on promoted/inventory page. 2014-09-02 14:36:10 -07:00
Matt Lee
becce7f835 Collapse creative editor when opening campaign editor. 2014-09-02 14:36:10 -07:00
Matt Lee
a193428007 Always enable the new campaign button when closing the campaign editor. 2014-09-02 14:36:10 -07:00
Brian Simpson
9236d0ef49 default_thing_wrapper: Don't set rowstyle_cls, it will get overwritten.
Builder also calls add_props, which completely overwrites the attribute.
2014-09-02 01:56:25 -04:00
Brian Simpson
774c28ed7b Don't fire pixels or fetch trackers on requested ads. 2014-09-02 01:56:19 -04:00
Brian Simpson
5243f25f4a Allow all users to view a requested ad.
Previously this was only allowed for sponsors or the owner of the ad.
2014-09-02 01:56:11 -04:00
Brian Simpson
43f7c27d31 Fix location targeting for sponsors.
Also return 403 responses for invalid location targets, rather than
setting location to None.
2014-09-02 01:56:02 -04:00
Brian Simpson
f3b1eab25f Allow sponsors to location target collections at house priority. 2014-09-02 01:55:56 -04:00
Roger Ostrander
b0ffed3ddd Details, userpage: Preserve referers 2014-09-02 14:29:09 -04:00
Brian Simpson
dcb727930e Keep midcol spacing for deleted/removed comments. 2014-08-28 04:30:57 -04:00
Brian Simpson
ed1951823a Obey sort when fetching morechildren. 2014-08-28 04:30:57 -04:00
Brian Simpson
b497b4f962 GET_info: allow lists of things. 2014-08-28 04:30:57 -04:00
Brian Simpson
2b58de12aa api: Separate GET_info and GET_button_info. 2014-08-28 04:30:52 -04:00
Chad Birch
5361dd7d74 Add a simple admin tool for giving users creddits 2014-08-27 16:13:07 -06:00
Brian Simpson
0f5ea44692 Toolbar: make comment layout like the regular site. 2014-08-27 14:43:23 -04:00
Brian Simpson
0a02ac7465 Set domain_override for new promos. 2014-08-27 14:43:23 -04:00
Brian Simpson
5d5c17581a Remove the concept of trusted sponsor accounts. 2014-08-27 14:43:23 -04:00
Brian Simpson
57f1623d3f Link: Add domain_override to defaults. 2014-08-27 14:43:23 -04:00
Brian Simpson
6354355afc Add closing paren for domain override label. 2014-08-27 14:43:18 -04:00
Brian Simpson
8c4c2b70b5 inventory: Don't penalize if all targets have been allocated. 2014-08-26 22:35:15 -04:00