[1.0.0] - 2019-06-29

Security

  • Mastodon API: Fix display names not being sanitized
  • Rich media: Do not crawl private IP ranges

Added

  • Scheduled statuses
  • Polls
  • Add a generic settings store for frontends / clients to use.
  • Explicit addressing option for posting.
  • Optional SSH access mode. (Needs erlang-ssh package on some distributions).
  • MongooseIM http authentication support.
  • LDAP authentication
  • External OAuth provider authentication
  • Support for building a release using mix release
  • A job queue for federation, emails, web push, etc.
  • Prometheus metrics
  • Support for Mastodon's remote interaction
  • Mix Tasks: mix pleroma.database bump_all_conversations
  • Mix Tasks: mix pleroma.database remove_embedded_objects
  • Mix Tasks: mix pleroma.database update_users_following_followers_counts
  • Mix Tasks: mix pleroma.user toggle_confirmed
  • Mix Tasks: mix pleroma.config migrate_to_db
  • Mix Tasks: mix pleroma.config migrate_from_db
  • Support for reports
  • Configuration: poll_limits option
  • Configuration: pack_extensions option
  • Configuration: safe_dm_mentions option
  • Configuration: link_name option
  • Configuration: fetch_initial_posts option
  • Configuration: notify_email option
  • Configuration: Media proxy whitelist option
  • Configuration: report_uri option
  • Configuration: limit_to_local_content option
  • AdminFE: initial release with basic user/report management accessible at /pleroma/admin/
  • Metadata: RelMe provider
  • OAuth: added support for refresh tokens
  • Emoji packs and emoji pack manager
  • Object pruning (mix pleroma.database prune_objects)
  • OAuth: added job to clean expired access tokens
  • MRF: Support for rejecting reports from specific instances (mrf_simple)
  • MRF: Support for stripping avatars and banner images from specific instances (mrf_simple)
  • MRF: Support for running subchains.
  • Configuration: skip_thread_containment option
  • Configuration: rate_limit option. See Pleroma.Plugs.RateLimiter documentation for details.
  • MRF: Support for filtering out likely spam messages by rejecting posts from new users that contain links.
  • Configuration: ignore_hosts option
  • Configuration: ignore_tld option
  • Configuration: default syslog tag "Pleroma" is now lowercased to "pleroma"

Changed

  • Breaking: bind to 127.0.0.1 instead of 0.0.0.0 by default
  • Breaking: Configuration: move from Pleroma.Mailer to Pleroma.Emails.Mailer
  • Thread containment / test for complete visibility will be skipped by default.
  • Enforcement of OAuth scopes
  • Add multiple use/time expiring invite token
  • Restyled OAuth pages to fit with Pleroma's default theme
  • Link/mention/hashtag detection is now handled by auto_linker
  • Configuration: Dedupe enabled by default
  • Configuration: Default log level in prod environment is now set to warn
  • Configuration: Added extra_cookie_attrs for setting non-standard cookie attributes. Defaults to ["SameSite=Lax"] so that remote follows work.
  • Timelines: Messages involving people you have blocked will be excluded from the timeline in all cases instead of just repeats.
  • Don't ship finmoji by default, they can be installed as an emoji pack
  • Hide deactivated users and their statuses
  • Posts which are marked sensitive or tagged nsfw no longer have link previews.
  • HTTP connection timeout is now set to 10 seconds.
  • Rich Media: crawl only https URLs.

Fixed

  • Follow requests don't get 'stuck' anymore.
  • Added an FTS index on objects. Running vacuum analyze and setting a larger work_mem is recommended.
  • Followers counter not being updated when a follower is blocked
  • Deactivated users being able to request an access token
  • Limit on request body in rich media/relme parsers being ignored resulting in a possible memory leak
  • Proper Twitter Card generation instead of a dummy
  • Deletions failing for users with a large number of posts
  • NodeInfo: Include admins in staffAccounts
  • ActivityPub: Crashing when requesting empty local user's outbox
  • Federation: Handling of objects without summary property
  • Federation: Add a language tag to activities as required by ActivityStreams 2.0
  • Federation: Do not federate avatar/banner if set to default allowing other servers/clients to use their defaults
  • Federation: Cope with missing or explicitly nulled address lists
  • Federation: Explicitly ensure activities addressed to as:Public become addressed to the followers collection
  • Federation: Better cope with actors which do not declare a followers collection and use as:Public with these semantics
  • Federation: Follow requests from remote users who have been blocked will be automatically rejected if appropriate
  • MediaProxy: Parse name from content disposition headers even for non-whitelisted types
  • MediaProxy: S3 link encoding
  • Rich Media: Reject any data which cannot be explicitly encoded into JSON
  • Importing follows from Mastodon 2.8+
  • User-Agent is now sent correctly for all HTTP requests.
  • MRF: Simple policy now properly delists imported or relayed statuses

Removed

  • Configuration: config :pleroma, :fe in favor of the more flexible config :pleroma, :frontend_configurations

For more API/federation changes refer to the the changelog