From e21e20b32e1ff15cb192f78c4c75872f00bda8ef Mon Sep 17 00:00:00 2001
From: Kyle Drake
Date: Thu, 24 Apr 2025 17:54:37 -0500
Subject: [PATCH] activity feed: restrict csrf_token usage unless logged in to prevent cookie setting, remove the unused rack-cache
---
 Gemfile | 1 -
 Gemfile.lock | 3 ---
 app/activity.rb | 2 --
 app/admin.rb | 1 -
 config.ru | 5 -----
 views/_news.erb | 8 +++-----
 views/_news_actions.erb | 30 ++++++++++++++++--------------
 views/activity.erb | 2 +-
 views/browse.erb | 27 ++++++++++++++------------
 9 files changed, 34 insertions(+), 45 deletions(-)
diff --git a/Gemfile b/Gemfile
index bbe00b79..4fc343e3 100644
--- a/Gemfile
+++ b/Gemfile
@@ -18,7 +18,6 @@ gem 'sass', require: nil
 gem 'dav4rack', git: 'https://github.com/neocities/dav4rack.git', ref: '1bf1975c613d4f14d00f1e70ce7e0bb9e2e6cd9b'
 gem 'filesize'
 gem 'thread'
-gem 'rack-cache'
 gem 'rest-client', require: 'rest_client'
 gem 'addressable', '>= 2.8.0', require: 'addressable/uri'
 gem 'paypal-recurring', require: 'paypal/recurring'
diff --git a/Gemfile.lock b/Gemfile.lock
index 812fcc2b..d78fec06 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -266,8 +266,6 @@ GEM
 nio4r (~> 2.0)
 racc (1.8.1)
 rack (3.1.12)
- rack-cache (1.17.0)
- rack (>= 0.4)
 rack-protection (4.1.1)
 base64 (>= 0.1.0)
 logger (>= 1.6.0)
@@ -452,7 +450,6 @@ DEPENDENCIES
 phonelib
 pry
 puma (< 7)
- rack-cache
 rack-test
 rack_session_access
 rake (>= 12.3.3)
diff --git a/app/activity.rb b/app/activity.rb
index e3201b8c..968f2203 100644
--- a/app/activity.rb
+++ b/app/activity.rb
@@ -1,6 +1,4 @@
 get '/activity' do
- #expires 7200, :public, :must_revalidate if self.class.production? # 2 hours
-
 @page = params[:page] || 1
 if params[:tag]
diff --git a/app/admin.rb b/app/admin.rb
index 7b2ce889..551e1e7a 100644
--- a/app/admin.rb
+++ b/app/admin.rb
@@ -75,7 +75,6 @@ end
 get '/admin/stats' do
 require_admin
- # expires 14400, :public, :must_revalidate if self.class.production? # 4 hours
 @stats = {
 total_hosted_site_hits: DB['SELECT SUM(hits) FROM sites'].first[:sum],
diff --git a/config.ru b/config.ru
index f9b8adce..33615ded 100644
--- a/config.ru
+++ b/config.ru
@@ -6,11 +6,6 @@ require 'airbrake/sidekiq'
 use Airbrake::Rack::Middleware
 map('/') do
- use(Rack::Cache,
- verbose: false,
- metastore: 'file:/tmp/neocitiesrackcache/meta',
- entitystore: 'file:/tmp/neocitiesrackcache/body'
- )
 run Sinatra::Application
 end
diff --git a/views/_news.erb b/views/_news.erb
index a622e307..bdb52e3b 100644
--- a/views/_news.erb
+++ b/views/_news.erb
@@ -170,8 +170,6 @@ <%== erb :_pagination, layout: false %>
-<%== erb :'_news_templates', layout: false %>
- -
\ No newline at end of file
+<% if current_site %>
+ <%== erb :'_news_templates', layout: false %>
+<% end %>
\ No newline at end of file
diff --git a/views/_news_actions.erb b/views/_news_actions.erb
index 9d205dde..bf15a4bf 100644
--- a/views/_news_actions.erb
+++ b/views/_news_actions.erb
@@ -20,18 +20,20 @@ <% end %> -
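Review bot: The `<% if current_site %>` gate around `_news_templates` protects only this one render site; any other view that renders the partial, or a later refactor that moves the call, silently brings back the session cookie for anonymous visitors that the commit message says this is meant to stop (the partial's body and its `csrf_token` call are not visible in this hunk, so that part is inferred). Consider putting the guard at the top of `_news_templates.erb` itself so every caller is covered, and pin the property with a rack-test regression check that an anonymous `get '/activity'` produces no `Set-Cookie` header, since nothing in this patch would catch a regression. This hunk also gates on `current_site` while `_news_actions.erb` and `browse.erb` in the same patch gate on `signed_in?`; if the two predicates can ever disagree, settle on one. A comment such as `<%# anonymous /activity must stay cookie-free: csrf_token creates a session %>` would record the intent for the next editor.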
- <% if !signed_in? %> + <% if !signed_in? %>

All the latest Neocities site news!

diff --git a/views/browse.erb b/views/browse.erb
index a006beb1..796000ad 100644
--- a/views/browse.erb
+++ b/views/browse.erb
@@ -176,16 +176,17 @@ } - -
+<% if signed_in? && current_site.is_admin %> +
+<% end %>
\ No newline at end of file
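Review bot: The `<% if signed_in? && current_site.is_admin %>` wrapper only decides whether the admin-only block is sent to the browser; it is not an access control, so every endpoint that block calls (its body is not visible in this hunk) must still enforce `require_admin` server-side, as `/admin/stats` does earlier in this patch. If `signed_in?` can be true while `current_site` is nil (for example a session pointing at a removed site), `current_site.is_admin` raises `NoMethodError`; `<% if current_site&.is_admin %>` avoids that and matches the `current_site` check used in `_news.erb`. A comment like `<%# admin-only client helpers; the routes they call still require_admin %>` would make the boundary explicit for the next editor.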