Certification Required page:
* Show helpful advice if the reason for the page is only that the user had
deleted their default profile pic, but their account was certified.
Batch Photo Delete & Visibility:
* On user galleries, owners and admins can batch Delete or Set Visibility on
many photos at once. Checkboxes appear in the edit/delete row of each photo,
and bulk actions appear at the bottom of the page along with select/unselect
all boxes.
* Deprecated the old /photo/delete endpoint: it now redirects to the batch
delete page with the one photo ID.
Misc Changes:
* Notifications now sort unread to the top always.
* The photo signing JWT tokens carry more fields to validate against:
* The username the token is assigned to (or '@' for anyone)
* An 'anyone' boolean for widely public images, such as for the chat room
and public profile pages.
* A short filename hash of the image in question (whether a Photo or a
CommentPhoto) - so that the user can't borrow a JWT token from the chat
room and reveal a different picture.
* Refactored where the VisibleAvatarURL function lives, to avoid a cyclic
dependency error.
* Originally: (*models.User).VisibleAvatarURL(other *models.User)
* Now: (pkg/photo).VisibleAvatarURL(user, currentUser *models.User)
* Add support for authenticated static photo URLs, leveraging the NGINX module
ngx_http_auth_request. The README is updated with an example NGINX config
how to set this up on the proxy side.
* In settings.json a new SignedPhoto section is added: not enabled by default.
* PhotoURL will append a ?jwt= token to the /static/photos/ path for the
current user, which expires after 30 seconds.
* When SignedPhoto is enabled, it will enforce that the JWT token is valid and
matches the username of the current logged-in user, or else will return with
a 403 Forbidden error.
Adds two new features to collect and show useful analytics.
Usage Statistics:
* Begin tracking daily active users who log in and interact with major features
of the website each day, such as the chat room, forum and gallery.
Demographics page:
* For marketing, the home page now shows live statistics about the breakdown of
content (explicit vs. non-explicit) on the site, and the /insights page gives
a lot more data in detail.
* Show the percent split in photo gallery content and how many users opt-in or
share explicit content on the site.
* Show high-level demographics of the members (by age range, gender, orientation)
Misc cleanup:
* Rearrange model list in data export to match the auto-create statements.
* In data exports, include the forum_memberships, push_notifications and
usage_statistics tables.
* The bottoms of threads have moderator buttons now, to easily Pin or
Unpin the thread (for Owners + Admins) or to Lock/Unlock the thread
(all moderators).
* The "Newest" tab of the forum is updated with new filter options.
* Which forums: All, Official, Community, My List
* Show: By threads, All posts
* The option for "Which forums" is saved in the user's preferences and set as
their default on future visits, similar to the Site Gallery "Whose photos"
option.
* So users can subscribe to their favorite forums and always get their latest
posts easily while filtering out the rest.
* Forum Moderators
* Add the ability to add and remove moderators for your forum.
* Users are notified when they are added as a moderator.
* Moderators can opt themselves out by unfollowing the forum.
* ForumMembership: add unique constraint on user_id,forum_id.
* Add "Browse" tab to the forums to view them all.
* Text search
* Show all, official, community, or "My List" forums.
* Add a Follow/Unfollow button into the header bar of forums to add it to
"My List"
* On the Categories page, a special "My List" category appears at the top
if the user follows categories, with their follows in alphabetical order.
* On the Categories & Browse pages: forums you follow will have a green
bookmark icon by their name.
Permissions:
* The forum owner is able to Delete comments by others, but not Edit.
Notes:
* Currently a max limit of 100 follow forums (no pagination yet).
Allow regular (non-admin) users access to the Manage Forums page so they can
create and manage their own forums.
Things that were already working:
* The admin forum page was already anticipating regular LoginRequired credential
* Users only see their owned forums, while admins can see and manage ALL forums
Improvements made to the Forum Admin page:
* Change the title color from admin-red to user-blue.
* Add ability to search (filter) and sort the forums.
Other changes:
* Turn the Forum tab bar into a reusable component.
* Add a world cities database with type-ahead search on the Member Directory.
* Users can search for a known city to order users by distance from that city
rather than from their own configured location on their settings page.
* Users must opt-in their own location before this feature may be used, in order
to increase adoption of the location feature and to enforce fairness.
* The `nonshy setup locations` command can import the world cities database.
* Add support for Web Push Notifications when users receive a new Message or
Friend Request on the main website.
* Users opt in or out of this on their Notification Settings. They can also
individually opt out of Message and Friend Request push notifications.
The nonshy website is changing the policy on profile pictures. From August 30,
the square cropped avatar images will need to be publicly viewable to everyone.
This implements the first pass of the rollout:
* Add the Public Avatar Consent Page which explains the change to users and
asks for their acknowledgement. The link is available from their User Settings
page, near their Certification Photo link.
* When users (with non-public avatars) accept the change: their square cropped
avatar will become visible to everybody, instead of showing a placeholder
avatar.
* Users can change their mind and opt back out, which will again show the
placeholder avatar.
* The Certification Required middleware will automatically enforce the consent
page once the scheduled go-live date arrives.
Next steps are:
1. Post an announcement on the forum about the upcoming change and link users
to the consent form if they want to check it out early.
2. Update the nonshy site to add banners to places like the User Dashboard for
users who will be affected by the change, to link them to the forum post
and the consent page.
* Inner circle: users have the ability to remove themselves and can avoid being
invited again in the future.
* Admin actions: add a "Reset Password" ability to user accounts.
* Admin "Create New User" page.
* Rate limit error handling improvements for the login page.
* Add a transparency page where regular user accounts can list the roles and
permissions that an admin user has access to. It is available by clicking on
the "Admin" badge on that user's profile page.
* Add additional admin scopes to lock down more functionality:
* User feedback and reports
* Change logs
* User notes and admin notes
* Add friendly descriptions to what all the scopes mean in practice.
* Don't show admin notification badges to admins who aren't allowed to act on
those notifications.
* Update the admin dashboard page and documentation for admins.
* Add a ChangeLog table to collect historic updates to various database tables.
* Created, Updated (with field diffs) and Deleted actions are logged, as well
as certification photo approves/denies.
* Specific items added to the change log:
* When a user photo is marked Explicit by an admin
* When users block/unblock each other
* When photo comments are posted, edited, and deleted
* When forums are created, edited, and deleted
* When forum comments are created, edited and deleted
* When a new forum thread is created
* When a user uploads or removes their own certification photo
* When an admin approves or rejects a certification photo
* When a user uploads, modifies or deletes their gallery photos
* When a friend request is sent
* When a friend request is accepted, ignored, or rejected
* When a friendship is removed
* Add a Search page to the forums to filter by user ID and find threads and
replies matching your search terms, with "quoted phrases" and -negation
support.
* On user profile pages, add an "Activity" box showing statistics on their
forum threads/comments, likes given/received, photo counts, etc.
* On the "Newest" and Search page for Forums: show an indicator whenever a
post includes an attached photo.
* Add endpoint /go/comment?id= that finds the right page that a comment
can be seen on for the current user and redirects there.
* Resolves issues with link discrepancies in comment notifications, if
the recipient sees different page numbers depending on blocklist
status.
* Supports copyable permalinks to any comment on the site reliably.
* Add a way for users to temporarily deactivate their accounts, in a
recoverable way should they decide to return later.
* A deactivated account may log in but have limited options: to
reactivate their account, permanently delete it, or log out.
* Fix several bugs around the display of comments, messages and
forum threads for disabled, banned, or blocked users:
* Messages (inbox and sentbox) will be hidden and the unread indicator
will not count unread messages the user can't access.
* Comments on photos and forum posts are hidden, and top-level threads
on the "Newest" tab will show "[unavailable]" for their text and
username.
* Your historical notifications will hide users who are blocked, banned
or disabled.
* Add a "Friends" tab to user profile pages, to see other users' friends.
* The page is Certification Required so non-cert users can't easily
discover any members on the site.
New feature: User Notes
* Add a "Notes" tab to user profile pages and galleries.
* Users can create one private note about another user.
* Admins can see all notes left about a user.
* Admins also see Feedback & Reports regarding the user on that page.
Bring back the online chatters list
* The Usernames are filtered down based on blocklist status.
* On user profile pages and gallery: the total photo count for the user
will only include photos that the viewer can actually see (taking into
account friendship and private grants), so that users won't harass
each other to see the additional photos that aren't visible to them.
* On the member directory search: the photo counts will only show public
photos on their page for now, and may be fewer than the number of
photos the current user could actually see.
* Blocklist: you can now manually add a user by username to your block
list. So if somebody blocked you on the site and you want to block
them back, there is a way to do this.
* Friends: you can now directly unfriend someone from their profile
page by clicking on the "Friends" button. You get a confirmation
popup before the remove friend action goes through.
* Bugfix: when viewing a user's gallery, you were able to see their
Friends-only photos if they granted you their Private photo access,
even if you were not their friend.
* Bugfix: when uploading a new private photo, instead of notifying
everybody you granted access to your privates it will only notify
if they are also on your friend list.
Added the ability to delete or clear notifications.
* A "Clear all" button deletes them all (with confirmation)
* A "Remove" button on individual notifications (one confirmation per
page load, so you can remove several without too much tedium)
Fix some things regarding private photo notifications:
* When notifying your existing grants about a new upload, only users who
opt-in for Explicit are notified about Explicit private pictures.
* When revoking private grants, clean up the "has uploaded a new private
photo" notifications for all of your pics from their notification
feeds.
Add a permission system for admin users so you can lock down specific admins to
a narrower set of features instead of them all having omnipotent powers.
* New page: Admin Dashboard -> Admin Permissions Management
* Permissions are handled in the form of 'scopes' relevant to each feature or
action on the site. Scopes are assigned to Groups, and in turn, admin user
accounts are placed in those Groups.
* The Superusers group (scope '*') has wildcard permission to all scopes. The
permissions dashboard has a create-once action to initialize the Superusers
for the first admin who clicks on it, and places that admin in the group.
The following are the exhaustive list of permission changes on the site:
* Moderator scopes:
* Chat room (enter the room with Operator permission)
* Forums (can edit or delete user posts on the forum)
* Photo Gallery (can see all private/friends-only photos on the site
gallery or user profile pages)
* Certification photos (with nuanced sub-action permissions)
* Approve: has access to the Pending tab to act on incoming pictures
* List: can paginate thru past approved/rejected photos
* View: can bring up specific user cert photo from their profile
* The minimum requirement is Approve or else no cert photo page
will load for your admin user.
* User Actions (each action individually scoped)
* Impersonate
* Ban
* Delete
* Promote to admin
* Inner circle whitelist: no longer are admins automatically part of the
inner circle unless they have a specialized scope attached.
The AdminRequired decorator may also apply scopes on an entire admin route.
The following routes have scopes to limit them:
* Forum Admin (manage forums and their settings)
* Remove from inner circle
* Add the PollVotes table and associated logic.
* Multiple choice polls supported.
* Expiring and non-expiring polls.
* Icons and badges on the forum pages to show posts with polls
* Bugfix: non-explicit users getting SQL errors on Newest Posts page.
* Add support to upload a picture to forum posts and replies, in forums that
have the PermitPhotos setting enabled.
* New DB table: CommentPhoto holds the association between a photo and a
forum ID. Photos can be uploaded at preview time (before a CommentID is
available) and get associated to the CommentID on save.
* Cron endpoint /v1/comment-photos/remove-orphaned can clean up orphaned
photos without a CommentID older than 24 hours.
* Add "Photo Boards" as a default forum category for new boards.