* With the new JWT signatures on photo URLs, it was no longer possible for
creative users to embed their gallery photos on their profile page.
* Add a function to ReSignPhotoLinks that finds/replaces (on the server side)
all references to paths under "/static/photos/" and gives them a fresh
?jwt= query string signature.
* Note: only applies to the profile page essays, ReSignPhotoLinks is a
template func that must be opted-in on a per page basis.
Other miscellaneous fixes
* Add "Edit" buttons in the corners of profile cards, when the current user
looks at their profile page. They link to URIs like
"/settings#profile/about_me" which will now:
1. Select the "Profile settings" tab like #profile
2. Scroll and focus the profile essay field that the user clicked to edit.
* The photo signing JWT tokens carry more fields to validate against:
* The username the token is assigned to (or '@' for anyone)
* An 'anyone' boolean for widely public images, such as for the chat room
and public profile pages.
* A short filename hash of the image in question (whether a Photo or a
CommentPhoto) - so that the user can't borrow a JWT token from the chat
room and reveal a different picture.
* Refactored where the VisibleAvatarURL function lives, to avoid a cyclic
dependency error.
* Originally: (*models.User).VisibleAvatarURL(other *models.User)
* Now: (pkg/photo).VisibleAvatarURL(user, currentUser *models.User)
* Add support for authenticated static photo URLs, leveraging the NGINX module
ngx_http_auth_request. The README is updated with an example NGINX config
how to set this up on the proxy side.
* In settings.json a new SignedPhoto section is added: not enabled by default.
* PhotoURL will append a ?jwt= token to the /static/photos/ path for the
current user, which expires after 30 seconds.
* When SignedPhoto is enabled, it will enforce that the JWT token is valid and
matches the username of the current logged-in user, or else will return with
a 403 Forbidden error.
* Add 'admin labels' to photos so an admin can classify a photo as:
* Not Explicit: e.g. it was flagged by the community but does not
actually need to be explicit. This option will hide the prompt to
report the explicit photo again.
* Force Explicit: if a user is fighting an explicit flag and keeps
removing it from their photo, the photo can be force marked
explicit.
* Admin labels appear on the Permalink page and in the edit photo
settings when viewed as a photo moderator admin.
* Add chat moderation rules to the website, so admins can apply selective rules
to problematic users. Available rules are:
* redcam: user's camera is always NSFW.
* nobroadcast: user can not broadcast their camera.
* novideo: user can not broadcast OR watch any video.
* noimage: user can not share OR see any shared image on chat.
* The page to manage a user's active rules is available on their admin card of
their profile page. When the user has rules active, a yellow counter is shown
by the link to manage their rules.
* Only chat moderator admins have access to the page or can see the yellow
counter to know whether rules are active.
* "Shy Accounts" are now permitted on the chat room! With some moderation rules
automatically applied to them: novideo,noimage.
* Update the Shy Account FAQ and messaging on the chat landing page.
* Update the auto-kick from chat behavior regarding shy accounts:
* They are kicked from chat only when an update to their profile settings will
transition then FROM a non-shy into a shy account.
* For example: when saving their profile settings (going private) or when
editing or deleting a photo (if they will have no more public photos left)
Adds two new features to collect and show useful analytics.
Usage Statistics:
* Begin tracking daily active users who log in and interact with major features
of the website each day, such as the chat room, forum and gallery.
Demographics page:
* For marketing, the home page now shows live statistics about the breakdown of
content (explicit vs. non-explicit) on the site, and the /insights page gives
a lot more data in detail.
* Show the percent split in photo gallery content and how many users opt-in or
share explicit content on the site.
* Show high-level demographics of the members (by age range, gender, orientation)
Misc cleanup:
* Rearrange model list in data export to match the auto-create statements.
* In data exports, include the forum_memberships, push_notifications and
usage_statistics tables.
* The Explore tab can now sort forums by their:
* Most recently updated thread
* Topics, Posts or Users (counts)
* Show owner information in forum cards
* Passive pagination support for the "My List" on forum home page.
* Only visible when there are >20 favorited Forums.
* Forums are disowned on user account deletion (their owner_id=0)
* A forum without an owner shows a notice at the bottom with a link to petition
to adopt the forum. It goes to the Contact form with a special subject.
* Note: there is no easy way to re-assign ownership yet other than a direct
database query.
* Code cleanup
* Alphabetize the DB.AutoMigrate tables.
* Delete more things on user deletion: forum_memberships, admin_group_users
* Vacuum worker to clean up orphaned polls after the threads are removed
Add minimum quotas for users to earn the ability to create custom forums.
The entry requirements that could earn the first forum include:
1. Having a Certified account status for at least 45 days.
2. Having written 10 posts or replies in the forums.
Additional quota is granted in increasing difficulty based on the count of
forum posts created.
Other changes:
* Admin view of Manage Forums can filter for official/community.
* "Certified Since" now shown on profile pages.
* Update FAQ page for Forums feature.
* Add a "Report" link to the footer of forums.
* Allow some non-admin users to view a private forum and its threads.
* Moderators and approved followers can see it
* Note: the endpoint to follow a forum won't let a user invite themselves
to a private forum. Currently there is no way to approve a user except
by also adding them as a moderator.
* Explore and Newest tabs can show these private forums if viewable.
* Add "Browse" tab to the forums to view them all.
* Text search
* Show all, official, community, or "My List" forums.
* Add a Follow/Unfollow button into the header bar of forums to add it to
"My List"
* On the Categories page, a special "My List" category appears at the top
if the user follows categories, with their follows in alphabetical order.
* On the Categories & Browse pages: forums you follow will have a green
bookmark icon by their name.
Permissions:
* The forum owner is able to Delete comments by others, but not Edit.
Notes:
* Currently a max limit of 100 follow forums (no pagination yet).
Allow regular (non-admin) users access to the Manage Forums page so they can
create and manage their own forums.
Things that were already working:
* The admin forum page was already anticipating regular LoginRequired credential
* Users only see their owned forums, while admins can see and manage ALL forums
Improvements made to the Forum Admin page:
* Change the title color from admin-red to user-blue.
* Add ability to search (filter) and sort the forums.
Other changes:
* Turn the Forum tab bar into a reusable component.
* Add support for Web Push Notifications when users receive a new Message or
Friend Request on the main website.
* Users opt in or out of this on their Notification Settings. They can also
individually opt out of Message and Friend Request push notifications.
The nonshy website is changing the policy on profile pictures. From August 30,
the square cropped avatar images will need to be publicly viewable to everyone.
This implements the first pass of the rollout:
* Add the Public Avatar Consent Page which explains the change to users and
asks for their acknowledgement. The link is available from their User Settings
page, near their Certification Photo link.
* When users (with non-public avatars) accept the change: their square cropped
avatar will become visible to everybody, instead of showing a placeholder
avatar.
* Users can change their mind and opt back out, which will again show the
placeholder avatar.
* The Certification Required middleware will automatically enforce the consent
page once the scheduled go-live date arrives.
Next steps are:
1. Post an announcement on the forum about the upcoming change and link users
to the consent form if they want to check it out early.
2. Update the nonshy site to add banners to places like the User Dashboard for
users who will be affected by the change, to link them to the forum post
and the consent page.
* Inner circle: users have the ability to remove themselves and can avoid being
invited again in the future.
* Admin actions: add a "Reset Password" ability to user accounts.
* Admin "Create New User" page.
* Rate limit error handling improvements for the login page.
* Add a transparency page where regular user accounts can list the roles and
permissions that an admin user has access to. It is available by clicking on
the "Admin" badge on that user's profile page.
* Add additional admin scopes to lock down more functionality:
* User feedback and reports
* Change logs
* User notes and admin notes
* Add friendly descriptions to what all the scopes mean in practice.
* Don't show admin notification badges to admins who aren't allowed to act on
those notifications.
* Update the admin dashboard page and documentation for admins.
* Add an Alt Text field for users to describe their photos for accessibility.
* Alt texts appear on mouse over on Gallery pages, in the lightbox modal (on
mouse over or by clicking the ALT button that appears), and in a box on the
permalink page below the photo caption.
* Max length of Alt Text is 5,000 characters.
* Fix a bug with the right-click blocker not working on the lightbox modal.
* Add a ChangeLog table to collect historic updates to various database tables.
* Created, Updated (with field diffs) and Deleted actions are logged, as well
as certification photo approves/denies.
* Specific items added to the change log:
* When a user photo is marked Explicit by an admin
* When users block/unblock each other
* When photo comments are posted, edited, and deleted
* When forums are created, edited, and deleted
* When forum comments are created, edited and deleted
* When a new forum thread is created
* When a user uploads or removes their own certification photo
* When an admin approves or rejects a certification photo
* When a user uploads, modifies or deletes their gallery photos
* When a friend request is sent
* When a friend request is accepted, ignored, or rejected
* When a friendship is removed
New feature: User Notes
* Add a "Notes" tab to user profile pages and galleries.
* Users can create one private note about another user.
* Admins can see all notes left about a user.
* Admins also see Feedback & Reports regarding the user on that page.
Bring back the online chatters list
* The Usernames are filtered down based on blocklist status.
