activity feed: restrict csrf_token usage unless logged in to prevent cookie setting, remove the unused rack-cache

2025-04-28 11:12:30 +02:00 · 2025-04-24 17:54:37 -05:00 · 2025-04-24 17:54:37 -05:00 · e21e20b32e
commit e21e20b32e
parent 9479ca05d0
9 changed files with 34 additions and 45 deletions
--- a/1
+++ b/1
@ -18,7 +18,6 @@ gem 'sass', require: nil
 gem 'dav4rack', git: 'https://github.com/neocities/dav4rack.git', ref: '1bf1975c613d4f14d00f1e70ce7e0bb9e2e6cd9b'
 gem 'filesize'
 gem 'thread'
-gem 'rack-cache'
 gem 'rest-client', require: 'rest_client'
 gem 'addressable', '>= 2.8.0', require: 'addressable/uri'
 gem 'paypal-recurring', require: 'paypal/recurring'
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -266,8 +266,6 @@ GEM
      nio4r (~> 2.0)
    racc (1.8.1)
    rack (3.1.12)
-    rack-cache (1.17.0)
-      rack (>= 0.4)
    rack-protection (4.1.1)
      base64 (>= 0.1.0)
      logger (>= 1.6.0)
@ -452,7 +450,6 @@ DEPENDENCIES
  phonelib
  pry
  puma (< 7)
-  rack-cache
  rack-test
  rack_session_access
  rake (>= 12.3.3)
--- a/app/activity.rb
+++ b/app/activity.rb
@ -1,6 +1,4 @@
 get '/activity' do
-  #expires 7200, :public, :must_revalidate if self.class.production? # 2 hours
-
  @page = params[:page] || 1

  if params[:tag]
--- a/app/admin.rb
+++ b/app/admin.rb
@ -75,7 +75,6 @@ end

 get '/admin/stats' do
  require_admin
-  # expires 14400, :public, :must_revalidate if self.class.production? # 4 hours

  @stats = {
    total_hosted_site_hits: DB['SELECT SUM(hits) FROM sites'].first[:sum],
--- a/config.ru
+++ b/config.ru
@ -6,11 +6,6 @@ require 'airbrake/sidekiq'
 use Airbrake::Rack::Middleware

 map('/') do
-  use(Rack::Cache,
-    verbose: false,
-    metastore: 'file:/tmp/neocitiesrackcache/meta',
-    entitystore: 'file:/tmp/neocitiesrackcache/body'
-  )
  run Sinatra::Application
 end

--- a/views/_news.erb
+++ b/views/_news.erb
@ -170,8 +170,6 @@
  <%== erb :_pagination, layout: false %>
 </div>

+<% if current_site %>
  <%== erb :'_news_templates', layout: false %>
-
-<script>
-
-</script>
+<% end %>
--- a/views/_news_actions.erb
+++ b/views/_news_actions.erb
@ -20,6 +20,7 @@
  <% end %>
 </div>

+<% if current_site %>
  <div class="modal hide" id="deleteEvent<%= event.id %>" tabindex="-1" role="dialog" aria-labelledby="deleteEventLabel<%= event.id %>" aria-hidden="true">
    <div class="modal-header">
      <button class="close" type="button" data-dismiss="modal" aria-hidden="true"><i class="fa fa-times"></i></button>
@ -35,3 +36,4 @@
      <button type="submit" class="btn-Action" onclick="Event.delete(<%= event.id %>, '<%= csrf_token %>'); return false">Delete</button>
    </div>
  </div>
+<% end %>
--- a/views/browse.erb
+++ b/views/browse.erb
@ -176,7 +176,7 @@
  }
 </script>

-
+<% if signed_in? && current_site.is_admin %>
  <script>
    function banSite(usernames, classifier, el) {
      $.post('/admin/banhammer', {
@ -189,3 +189,4 @@
      return false;
    }
  </script>
+<% end %>