Merge commit '7f16397f3c37a8e378239974b73afbfe2b6e6844' into glitch-soc/merge-upstream

Conflicts: - `lib/mastodon/version.rb`: Upstream bumped the mastodon API version, glitch-soc has a change on an adjacent line adding a glitch API version.
2026-03-29 03:00:33 +02:00 · 2026-02-27 21:25:37 +01:00
parent 36c0f3701e 7f16397f3c
commit 0e1ea3110e
86 changed files with 1440 additions and 273 deletions
--- a/config/initializers/open_redirects.rb
+++ b/config/initializers/open_redirects.rb
@@ -1,7 +1,12 @@
 # frozen_string_literal: true

-# TODO: Starting with Rails 7.0, the framework default is true for this setting.
-# This location in devise redirects and we can't hook in or override:
-# https://github.com/heartcombo/devise/blob/v4.9.3/app/controllers/devise/confirmations_controller.rb#L28
-# When solution is found, this setting can go back to default.
-Rails.application.config.action_controller.raise_on_open_redirects = false
+# In the Devise confirmations#show action, a redirect_to is called:
+# https://github.com/heartcombo/devise/blob/v5.0.0/app/controllers/devise/confirmations_controller.rb#L28
+#
+# We override the `after_confirmation_path_for` method in a way which sometimes
+# returns raw URLs to external hosts, as part of the auth workflow.
+# Discussion: https://github.com/mastodon/mastodon/pull/36505#discussion_r2782876831
+
+Rails.application.reloader.to_prepare do
+  ActionController::Base.action_on_open_redirect = :log
+end