If the tracker URL isn't configured, we shouldn't include the header in
the response. This uses the same criteria (truthiness of g.tracker_url)
as the templates to determine whether or not to include the URL.
New subreddit fields for mobile, hidden behind feature flag.
Basic functionality with limited validation.
* community rules - list, no markdown
* related subreddits - list, no markdown
* key color - hex color
These fields are optional for `/api/site_admin`.
Upload and delete endpoints for new mobile subreddit icon and banner.
* icon - square, exactly 240x240px
* banner - 16:9 aspect ratio, min 640x360px, max 1280x720px
Users that have gold (or gold charter status) will be able to create and access
gold_only subreddits. Mods will be able to access gold_only status regardless of
their gold status. Approved submitters will not be able to access these subreddits.
To have a gold only subreddit, it must be created as gold only by a gold user or
have admin mode to convert it to gold only (requested via modmail to /r/reddit.com).
There is a default style (gold-only) applied to each gold_only subreddit.
Mods can choose to hide the sidebar adbox for gold-only subreddits. A "reddit gold"
('/subreddits/gold') tab is in '/subreddits' so that gold users can see all of the
gold only subreddits.
Being added as an approved submitter in gold_only and employee_only subreddits
doesn't allow you to see the subreddit. This will remove the link and ability to
edit the approved submitters so as to not confuse the mods.
Multis set to "hidden" will no longer be shown on the
user's sidebar. Instead, they'll be shown in a box
on their user page (only visible to that user).
Named multireddit objects now show additional fields:
* description_md
* description_html (read only)
* display_name
* key_color
* icon_url (read only)
* weighting_scheme
* copied_from (read only, requires owner)
The "visibility" field can now also be set to "hidden" via the API. Hidden
multireddits will not be shown on a user's sidebar on reddit.com, but will
still be visible to API consumers.
The "copied_from" field shows the multi's owner which multireddit
they copied from.
A "weighting_scheme" of "fresh" will favor newer content, rather than
forcing there to be at least 1 post from each subreddit. "classic"
weighting will use the old format. Note: "fresh" weighting will be enabled
in a future commit.
"key_color" must be an RGB color of the form #AABBCC. API consumers can
choose to set and make use of the key_color field for style purposes.
"icon_url" may contain a URL to an icon for this multireddit. API
consumers can choose to make use of this icon for style purposes.
"display_name" is a human-friendly name for this multireddit. API
consumers can choose to make use of this field to set/display friendlier
names for this multireddit.
Description fields are now included in the base multireddit object, and
"description_md" can be updated directly on the multireddit object.
The separate description endpoint is still available.
All of the above fields can be modified via the existing endpoint,
PUT /api/multi/<multipath>, except for fields marked read only.
Due to the number of new fields and the absence of an existing PATCH
endpoint for /api/multi/<multipath>, the existing PUT endpoint
has been updated to NOT clobber fields that aren't included in the
multi JSON, and to accept "partial" multireddit objects. This is to
prevent fields from getting clobbered by clients that haven't been
updated to send all the new data.
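A sketch of the non-clobbering PUT merge described above, as an added example (not code from the reddit repository). The field names come from the commit message; the function names, the choice to silently drop read-only fields, and the "private"/"public" visibility values are assumptions.

```python
import re

# Writable field names are taken from the commit message. The read-only ones
# (description_html, icon_url, copied_from) are deliberately absent.
WRITABLE = {"description_md", "display_name", "key_color",
            "weighting_scheme", "visibility"}
KEY_COLOR_RE = re.compile(r"#[0-9A-Fa-f]{6}")
ALLOWED = {
    "weighting_scheme": {"classic", "fresh"},
    # "hidden" is from the page; "private" and "public" are assumed here.
    "visibility": {"private", "public", "hidden"},
}


def validate_partial(submitted):
    """Return error strings for the writable fields that are present."""
    errors = []
    if "key_color" in submitted:
        color = submitted["key_color"]
        # fullmatch, not match: a trailing newline must not slip through.
        if not (isinstance(color, str) and KEY_COLOR_RE.fullmatch(color)):
            errors.append("key_color must look like #AABBCC")
    for field, allowed in ALLOWED.items():
        if field in submitted:
            value = submitted[field]
            if not (isinstance(value, str) and value in allowed):
                errors.append("%s must be one of %s" % (field, sorted(allowed)))
    return errors


def apply_partial_put(stored, submitted):
    """Merge a partial multi object into the stored one, returning a copy."""
    errors = validate_partial(submitted)
    if errors:
        raise ValueError("; ".join(errors))
    updated = dict(stored)
    for field, value in submitted.items():
        # Only allowlisted fields are copied. Read-only and unknown keys are
        # dropped, so a client echoing a fetched object back cannot overwrite
        # server-owned values, and absent keys keep their stored value.
        if field in WRITABLE:
            updated[field] = value
    return updated
```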
This will pull the people able to view/contribute from the employee list in
liveconfig. Mods are not automatically removed when removed from the liveconfig
and neither are approved submitters that are manually added. When a user is
removed from the employees_only list, they won't be able to see what they've
contributed in their history.
This also creates an employees ('/subreddits/employees') tab in '/subreddits' so
that employees can view all of the employees only subreddits.
Only employees can create a subreddit that's employees_only. To change a subreddit
type from employees_only to something else, admin mode is required.
Firefox was returning a height of 0 when an iframe was hidden.
This was causing unnecessary reflows when toggling between the
options for comment embeds. There doesn't seem to be a good
reason to broadcast a 0 height up to the parent window, so
I've added a guard for that.
Safari respects `X-Frame-Options` on 304s, causing embeds to break
if `c.allow_framing` is not set before we return a 304. This splits
embed prepping into two stages so that we can set `c.allow_framing`
before we check modified headers.
When constructing urls to 3rd party cnames, for example,
"thecutelist.com" -> /r/aww, this forces the removal of the
`sr_path`. This was unintentionally affecting pages served by
the `media_domain`, eg. comment & live embeds.
Similar to `can_save`, `can_embed` controls the visibility of the
embed button. This needs to be a part of the `Comment` or else
the rendercache will use the wrong version on heavily cached
comments.
While in the process of rolling out comment embeds, we'd like to restrict
our beta a bit - because by their nature, once embeds are out, we lose control
over them, making it extremely difficult to make changes. So we're restricting
the embed generation modal to a certain subset of users (for now), but a savvy
user could simply modify an existing public embed to plug in another comment
id, which would defeat the point of restricting it. Enter hmac.
We now generate a unique token for each comment, and only by using the
appropriate token will your embed work. This will be transparent to users, as
it's just another piece of the html that they copy and paste onto their website.
Performance-wise, we're generating tokens for every comment that can be
embedded. However, for now that's a limited set, and the operation is pretty
fast (roughly 5ms for 1000 tokens on my dev VM); if that becomes a problem, we
can easily take this code out after we no longer need the restriction.
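The per-comment token scheme described above, as an added example (not the code from this commit). The secret, the function names, the `comment-embed:` prefix and the choice of SHA-256 are assumptions; the commit message only says that HMAC is used.

```python
import hashlib
import hmac

# Assumption: a server-side secret that never reaches the client.
# This value is constructed for the example.
EMBED_SECRET = b"constructed-demo-secret-not-a-real-key"


def make_embed_token(comment_id, secret=EMBED_SECRET):
    """Return a hex HMAC tag that is only valid for this comment id."""
    # The fixed prefix keeps tags from being reused if the same key
    # ever authenticates another kind of message.
    msg = ("comment-embed:" + comment_id).encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def is_valid_embed_token(comment_id, token, secret=EMBED_SECRET):
    """Check that `token` was issued for `comment_id`."""
    if not isinstance(token, str):
        return False
    expected = make_embed_token(comment_id, secret)
    # compare_digest avoids leaking, through timing, how many leading
    # characters of a guessed token were correct.
    return hmac.compare_digest(expected.encode("ascii"),
                               token.encode("utf-8", "replace"))


def serve_embed(comment_id, token, comments):
    """Return the comment body for a valid request, else None."""
    # Verify before the lookup so an invalid token reveals nothing
    # about which comment ids exist.
    if not is_valid_embed_token(comment_id, token):
        return None
    return comments.get(comment_id)


# Constructed sample data: ids and bodies are made up.
SAMPLE_COMMENTS = {"c1abc": "allowed in the beta", "c1abd": "not offered"}

if __name__ == "__main__":
    issued = make_embed_token("c1abc")
    print(serve_embed("c1abc", issued, SAMPLE_COMMENTS))  # body is served
    # Reusing the token with another comment id is refused.
    print(serve_embed("c1abd", issued, SAMPLE_COMMENTS))
```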
`add_sr()` has had, since reddit/reddit@b57dff70, a special-case when the
requested page was on https, where it would ignore whatever domain it would
normally set and use the current one instead. As best as we can tell, this was
to prevent issues with a lack of https support on all reddit domains, eg links
on `https://pay.reddit.com` pointing to `https://www.reddit.com`. This should
no longer be an issue.
Additionally, it has caused problems with the comment embeds, which are served
from `redditmedia.com` but need to have links pointing to `www.reddit.com`.
Now that this special-case doesn't exist, the function should act more
intuitively. And hopefully that doesn't break anything too badly. :p
The request from the comment embed javascript to get the actual embed has been
going through `g.media_domain`. This in turn meant that sometimes (namely,
when the embed was placed on an https page) the link to the comment was also
heading through the media domain. While this works, we'd rather have users go
through the standard `www.reddit.com` domain for brand, caching, and probably
other infrastructure reasons.