* The photo signing JWT tokens carry more fields to validate against:
* The username the token is assigned to (or '@' for anyone)
* An 'anyone' boolean for widely public images, such as for the chat room
and public profile pages.
* A short filename hash of the image in question (whether a Photo or a
CommentPhoto) - so that the user can't borrow a JWT token from the chat
room and reveal a different picture.
* Refactored where the VisibleAvatarURL function lives, to avoid a cyclic
dependency error.
* Originally: (*models.User).VisibleAvatarURL(other *models.User)
* Now: (pkg/photo).VisibleAvatarURL(user, currentUser *models.User)
* Add support for authenticated static photo URLs, leveraging the NGINX module
ngx_http_auth_request. The README is updated with an example NGINX config
how to set this up on the proxy side.
* In settings.json a new SignedPhoto section is added: not enabled by default.
* PhotoURL will append a ?jwt= token to the /static/photos/ path for the
current user, which expires after 30 seconds.
* When SignedPhoto is enabled, it will enforce that the JWT token is valid and
matches the username of the current logged-in user, or else will return with
a 403 Forbidden error.
When a user marks that another photo should have been marked as explicit:
* The owner of that photo gets a notification about it, which reminds them of
the explicit photo policy.
* The photo's "Flagged" boolean is set (along with the Explicit boolean)
* The 'Edit' page on a Flagged photo shows a red banner above the Explicit
option, explaining that it was flagged. The checkbox text is crossed-out,
with a "no" cursor and title text over - but can still be unchecked.
If the user removes the Explicit flag on a flagged photo and saves it:
* An admin report is generated to notify to take a look too.
* The Explicit flag is cleared as normal
* The Flagged boolean is also cleared on this photo: if they set it back to
Explicit again themselves, the red banner won't appear and it won't notify
again - unless a community member flagged it again!
Also makes some improvements to the admin page:
* On photo reports: show a blurred-out (clickable to reveal) photo on feedback
items about photos.
* Profile pictures on profile pages now link to the gallery when clicked.
* Admins can no longer automatically see the default profile pic on profile
pages unless they have photo moderator ability.
* Photo view counts are not added when an admin with photo moderator ability
should not have otherwise been able to see the photo.
* Hitting the Like button on a photo will mark it as viewed.
* Move the 'Report' button on the message inbox page, to instead be in
the footer of each DM.
* Improve message reporting behavior to include the content of the
message in the admin report.
* Add a world cities database with type-ahead search on the Member Directory.
* Users can search for a known city to order users by distance from that city
rather than from their own configured location on their settings page.
* Users must opt-in their own location before this feature may be used, in order
to increase adoption of the location feature and to enforce fairness.
* The `nonshy setup locations` command can import the world cities database.
* Add a Search page to the forums to filter by user ID and find threads and
replies matching your search terms, with "quoted phrases" and -negation
support.
* On user profile pages, add an "Activity" box showing statistics on their
forum threads/comments, likes given/received, photo counts, etc.
* On the "Newest" and Search page for Forums: show an indicator whenever a
post includes an attached photo.
The following bugs are resolved:
* A blocked user comments on a Photo that you have also commented on
(are subscribed to), and you would be notified about their comment.
* A blocked user comments on a Forum Thread that you are subscribed to,
and you would be notified about their post.
* Comments by blocked users (on photos and forum threads) were visible
to you after you have blocked them.
Added the ability to delete or clear notifications.
* A "Clear all" button deletes them all (with confirmation)
* A "Remove" button on individual notifications (one confirmation per
page load, so you can remove several without too much tedium)
Fix some things regarding private photo notifications:
* When notifying your existing grants about a new upload, only users who
opt-in for Explicit are notified about Explicit private pictures.
* When revoking private grants, clean up the "has uploaded a new private
photo" notifications for all of your pics from their notification
feeds.
* Add support to upload a picture to forum posts and replies, in forums that
have the PermitPhotos setting enabled.
* New DB table: CommentPhoto holds the association between a photo and a
forum ID. Photos can be uploaded at preview time (before a CommentID is
available) and get associated to the CommentID on save.
* Cron endpoint /v1/comment-photos/remove-orphaned can clean up orphaned
photos without a CommentID older than 24 hours.
* Add "Photo Boards" as a default forum category for new boards.
* Add "Like" buttons to comments and forum posts.
* Make "private" profiles more private (logged-in users see only their profile
pic, display name, and can friend request or message, if they are not approved
friends of the private user)
* Add "logged-out view" visibility setting to profiles: to share a link to your
page on other sites. Opt-in setting - default is login required to view your
public profile page.
* CSRF cookie fix.
* Updated FAQ & Privacy pages.
Finish implementing the basic forum features:
* Pinned threads (admin or board owner only)
* Edit Thread settings when you edit the top-most comment.
* NoReply threads remove all the reply buttons.
* Explicit forums and threads are filtered out unless opted-in (admins
always see them).
* Count the unique members who participated in each forum.
* Get the most recently updated thread to show on forum list page.
* Contact/Report page: handle receiving a comment ID to report on.
Implement Likes & Notifications
* Like buttons added to Photos and Profile Pages. Implemented via simple
vanilla JS (likes.js) to make ajax requests to back-end to like/unlike.
* Notifications: for your photo or profile being liked. If you unlike,
the existing notifications about the like are revoked.
* The notifications appear as an alert number in the nav bar and are read
on the User Dashboard. Click to mark a notification as "read" or click
the "mark all as read" button.
Update DeleteUser to scrub likes, notifications, threads, and comments.