Three headers can now be included for API requests:
X-Ratelimit-Used: Number of requests used in this period
X-Ratelimit-Remaining: Number of requests left to use
X-Ratelimit-Reset: Approximate number of seconds to end of period
Additionally, 429 responses can be returned for requests that
exceed the ratelimit.
Ratelimits are per-IP normally. OAuth clients will be
limited per user-client combo.
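
A client-side example of consuming these headers, added here and not part of reddit's own code: it parses the three headers, decides how long to pause, and retries once a 429 is seen. The header names come from the text above; the back-off policy, the simulated responses and all function names are assumptions.

```python
"""Client-side handling of X-Ratelimit-* headers and 429 responses.

Added example, not reddit's own code. Header names are from the page;
the back-off policy and the simulated exchange below are assumptions.
"""
import time


def parse_ratelimit_headers(headers):
    """Return (used, remaining, reset_seconds) from a response header mapping.

    Lookup is case-insensitive. A missing header yields None for that
    field so a caller can tell "no limit advertised" from "zero left".
    """
    lowered = {k.lower(): v for k, v in headers.items()}

    def _num(name):
        value = lowered.get(name)
        return None if value is None else float(value)

    return (_num("x-ratelimit-used"),
            _num("x-ratelimit-remaining"),
            _num("x-ratelimit-reset"))


def seconds_to_wait(status_code, headers):
    """Seconds a well-behaved client should pause before its next request.

    429, or a remaining count of zero, means the period is exhausted:
    wait until the server's approximate reset. Otherwise no pause.
    """
    _used, remaining, reset = parse_ratelimit_headers(headers)
    if status_code == 429:
        # Fall back to a short pause if the server omitted the reset header.
        return reset if reset is not None else 1.0
    if remaining is not None and remaining <= 0 and reset is not None:
        return reset
    return 0.0


def fetch_with_backoff(send, max_attempts=3, sleep=time.sleep):
    """Call send() until a non-429 response or the attempts run out.

    send() returns (status_code, headers, body). sleep is injectable so
    the exchange can be exercised without real waiting.
    """
    status, headers, body = None, {}, b""
    for attempt in range(max_attempts):
        status, headers, body = send()
        if status != 429:
            return status, body
        if attempt < max_attempts - 1:
            sleep(seconds_to_wait(status, headers))
    return status, body


def make_simulated_responses():
    """Constructed sample exchange: one 429, then a successful response."""
    responses = [
        (429, {"X-Ratelimit-Used": "30", "X-Ratelimit-Remaining": "0",
               "X-Ratelimit-Reset": "2"}, b""),
        (200, {"X-Ratelimit-Used": "1", "X-Ratelimit-Remaining": "29",
               "X-Ratelimit-Reset": "60"}, b"ok"),
    ]
    calls = iter(responses)
    return lambda: next(calls)


if __name__ == "__main__":
    waited = []
    print(fetch_with_backoff(make_simulated_responses(), sleep=waited.append), waited)
```

Because the limit is per IP for ordinary clients and per user-client pair for OAuth clients, a shared-IP deployment should treat `X-Ratelimit-Remaining` as a shared budget rather than a per-process one.
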
By knowing the ID36 of a link, it is possible to see its media embed
because the embed request is served off-domain and as a result can't
verify the user's cookie. To fix this, we add an authentication code to
the iframe URL for media embeds and require its presence for all embeds
in private subreddits.
This starts appending credentials to private subreddit embeds such that
when the latter half of the fix is deployed all apps are already
generating appropriate embed URLs.
This is part of a fix for an information disclosure vulnerability
reported by Jordan Milne (/u/largenocream).
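
One way to implement the authentication code the commit describes, as an added example rather than reddit's own code: the embed URL carries the link ID36, the viewer, an expiry and an HMAC over those fields, and the off-domain embed server checks the HMAC instead of a cookie it cannot read. The secret, token layout, parameter names and expiry policy are all assumptions.

```python
"""HMAC-authenticated media embed URLs for private subreddits.

Added example, not reddit's code. The page says an authentication code is
appended to the iframe URL and required for private-subreddit embeds; the
token format, secret handling and names here are assumptions.
"""
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical server-side secret; a real deployment loads it from config.
EMBED_SECRET = b"constructed-example-secret"


def _token(link_id36, user_id, expires, secret):
    """HMAC-SHA256 over the fields the embed server must trust."""
    msg = f"{link_id36}:{user_id}:{expires}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_embed_url(base, link_id36, user_id, ttl=3600, secret=EMBED_SECRET, now=None):
    """Build an iframe src carrying link id, viewer id, expiry and token."""
    expires = int(now if now is not None else time.time()) + ttl
    query = {"id": link_id36, "uid": str(user_id), "exp": str(expires),
             "token": _token(link_id36, user_id, expires, secret)}
    return f"{base}?{urlencode(query)}"


def verify_embed_url(url, private, secret=EMBED_SECRET, now=None):
    """Return True if the embed request may be served.

    Public-subreddit embeds need no token (the page only requires it for
    private subreddits). For private ones the token must be present,
    unexpired, and match the HMAC; comparison is constant-time.
    """
    if not private:
        return True
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    try:
        link_id36 = params["id"]
        user_id = params["uid"]
        expires = int(params["exp"])
        token = params["token"]
    except (KeyError, ValueError):
        return False
    current = now if now is not None else time.time()
    if expires < current:
        return False
    expected = _token(link_id36, user_id, expires, secret)
    return hmac.compare_digest(token, expected)


if __name__ == "__main__":
    src = make_embed_url("https://embed.example/media", "zz9qx", 42)
    print(src, verify_embed_url(src, private=True))
```

Binding the token to the link ID36 is what closes the gap the commit describes: guessing or enumerating an ID36 no longer yields a servable embed URL, because the HMAC is only produced for viewers the main site has already authorized.
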
This is one of the most heavily hit rels currently and the hope is that
pulling it out to its own pool will make the main cache more effective
for everything else. It may make sense to move SRMember to a different
model such as a C* DenormalizedRelation in the future.

Shows a mix of content from:
- subreddits recommended for the user (based on subscriptions and multis)
- rising threads
- items from discovery-focused subreddits
Listing items emphasize the subreddit name and have feedback controls.
The AccountSRPrefs class builds a user preferences model on-the-fly from
subscriptions, multireddits, and a record of recent user feedback.
The AccountSRFeedback column family stores a user's recent interactions with
the recommendation UI. For example, it records which srs the user dismissed
as uninteresting, and keeps track of which srs were recommended recently to
make sure we don't show the same ones too often.
Each type of feedback has a TTL after which it disappears from the DB.

This is intended to reduce the number of critical secrets stored in the
INI file. An initial subset of secrets is moved into the vault to test
things out.

Many thanks to @chromakode for design and copy.

The old goldvertisement live config is left in for now so that old code
continues to function during rollout.

This media provider is for simple single-server installations where an
HTTP server running on the same machine handles serving of the static
media files.
An appropriate setup with nginx is now the default in the new install
script.

This allows defining a set of phrases on a wiki page, and whenever an
automatic gold-related PM is sent, a random phrase is selected and
appended to the message.

This does several things to subreddit stylesheets:
- stores them on the thumbs buckets rather than the main static bucket.
(this was not desirable before on reddit.com due to CDN configuration)
- enforces a new restriction of custom (%%style%%) images only in
stylesheets to make secure URLs easier to resolve. Existing subreddits
are grandfathered in for now.
- writes, if possible as above, a second stylesheet that references
subreddit images over https.
At some point in the future, the thumbs buckets should be directly accessible
on HTTPS via the same URLs which would remove the need for the second
stylesheet to be created and uploaded. The custom image rules and other changes
would still be good.
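
The custom-image rule and the second, https stylesheet from the commit above, as an added example that is not reddit's stylesheet code: every `url()` in the CSS must be a `%%name%%` reference to an uploaded subreddit image (external URLs are rejected unless the subreddit is grandfathered), and the same source is then rendered once against the plain image host and once against the https host. The `%%name%%` syntax is from the page; the hostnames, regexes, function names and error type are assumptions.

```python
"""Subreddit stylesheet image restriction and https variant rendering.

Added example, not reddit's own code. The %%name%% placeholder syntax is
from the page; hostnames, regexes and names below are assumptions.
"""
import re

# url( ... ) with optional single/double quotes and surrounding whitespace
URL_RE = re.compile(r"url\(\s*(['\"]?)(.*?)\1\s*\)", re.IGNORECASE)
# A custom subreddit image reference: %%name%%
CUSTOM_IMAGE_RE = re.compile(r"^%%([A-Za-z0-9_-]+)%%$")


class StylesheetError(ValueError):
    """Raised when a stylesheet references something other than a custom image."""


def validate_custom_images(css, images, grandfathered=False):
    """Return the set of custom image names used by the stylesheet.

    images maps image name -> object key in the thumbs bucket. A url()
    that is not a %%name%% reference to a known image raises, unless the
    subreddit is grandfathered, in which case it is left alone.
    """
    used = set()
    for match in URL_RE.finditer(css):
        target = match.group(2).strip()
        custom = CUSTOM_IMAGE_RE.match(target)
        if custom is None:
            if grandfathered:
                continue
            raise StylesheetError(
                f"only %%name%% image references are allowed, got {target!r}")
        name = custom.group(1)
        if name not in images:
            raise StylesheetError(f"unknown subreddit image {name!r}")
        used.add(name)
    return used


def is_valid_stylesheet(css, images, grandfathered=False):
    """Boolean wrapper around validate_custom_images for callers that
    only need accept/reject."""
    try:
        validate_custom_images(css, images, grandfathered)
    except StylesheetError:
        return False
    return True


def render_stylesheets(css, images, http_host, https_host, grandfathered=False):
    """Produce (http_css, https_css): the validated stylesheet with every
    %%name%% resolved against the plain host and against the https host."""
    validate_custom_images(css, images, grandfathered)

    def resolve(host):
        def repl(match):
            custom = CUSTOM_IMAGE_RE.match(match.group(2).strip())
            if custom is None:
                return match.group(0)  # grandfathered external url, untouched
            return f"url({host}/{images[custom.group(1)]})"
        return URL_RE.sub(repl, css)

    return resolve(http_host), resolve(https_host)


if __name__ == "__main__":
    # Constructed sample subreddit with one uploaded image.
    sample_images = {"logo": "img/abc-logo.png"}
    sample_css = "h1 { background: url(%%logo%%) } a { color: red }"
    for sheet in render_stylesheets(sample_css, sample_images,
                                    "http://thumbs.example", "https://thumbs.example"):
        print(sheet)
```

Validating before rendering is the important ordering: once only `%%name%%` references survive, every image URL the stylesheet can produce is one the site itself uploaded, which is what makes the https variant resolvable without per-stylesheet exceptions.
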
Since the S3 bucket we upload stylesheets to is not necessarily the same
as the rest of the statics, it is useful to be able to specify this
static domain separately.

Memoize creates very large objects that take up lots of space
and has weird behaviour when it gets evicted. We get some isolation
and monitoring by moving it to its own pool. Since it is sensitive
to split-brain stuff, we start out here by dual-writing to the new
pool.

If the relevant configuration options are left blank in the ini file, we
will pass None to boto for credentials allowing it to look in other
places, including the AWS instance metadata used by Roles for EC2.