Context: https://hexbear.net/post/159221
Hi everyone, we're excited to announce that we are ready to do the final site migration back to Lemmy. Before we actually push the new version to the main site, we want to test the new version of Lemmy we're running to catch bugs and any weird behaviour we can fix quickly before we move do the move.
The final move is (tentatively) scheduled for next weekend (downtime will be announced once this is confirmed). This is no longer the plan but it will still be soon.
We have a test Lemmy instance from a recent-ish snapshot of the site that we need people to try using. You can login with your normal account details and just post away.
Test Lemmy instance URL: https://test.hexbear.net Testing is complete.
Disclaimer: Anything you post will be nuked after a week or two, nothing is being saved from this test instance.
If you encounter a bug please let us know what happened, how we can reproduce it, and your OS & browser in the comments below. The more detail, the more likely we can fix things!
Possible issue for a site like hexbear, could we get a setting to disable auto displayed images in user submissions which don't originate from hexbear.net? Could be a security concern if a wrecker posts image urls originating from their own website. Then they can (in theory) log the IP addresses of every hexbear user who views the comments of a post, for example.
Maybe an alternative (if it's easier) is to hide the image until a user clicks it. But that might fuck with the emojis.
To replicate: make a comment with an image url that isn't hexbear, it will be displayed automatically.
Firefox 112.0.1, linux
Yeah this is probably going to have to be taken seriously. imagine if a wrecker could just embed a tracking pixel in their comment and have the IP of everyone on the page that wasn't using a VPN
My recollection is that current hexbear only directly embeds from a whitelist of known sites (not necessarily trusted, just big and not actively malicious), we seem to directly embed from imgur for example, but for most things we generate and serve from hexbear.net our own thumbnail.
The version of Lemmy Hexbear currently runs on uses a thing called iframely to fetch thumbnails / summaries / video embeds from URLs people post. I'm not 100% sure how Lemmy handles this now, but they dropped iframely a long while ago.
yeahh that rings a bell. I know there is some way of doing it in modern lemmy but idk if it's working on the test instance or not rn, and some stuff is just being embedded directly in very unsafe ways
This should probably be considered before federating too, since hexbear can't control what gets posted to other instances. So maybe it could be controlled on the display side of things rather than restricting user input.
right, I think that's the only sensible way to do it, simply don't render it if it's not from a whitelisted domain
I don't really understand, but I don't use the discord anymore :blob-no-thoughts:
Oh I don't really eat yogurt that often. I am trying to cut out more dairy, but the vegan skyr sucks and I don't know of any recipes...
You didn't tell me we were couping Lemmy. I've got my peaceful legal trade union dress on! Now I have to go and find my coup dress and pray that it isn't wrinkled! The night is ruined!
holy shit, i could actually change my pronouns
10/10
:lets-fucking-go:
avatars are also very cool!
and banners!We are going to have the dopest profile pics. Like, Blahaj executing Rowling made to look like a ww2 photo tier-quality.
Thank you devs, just in time to pick up a new batch of refugees from the Bad Site. :sankara-salute:
if you still have the passwords you may still be able to get back into them. (content you posted ought to be deleted and I'm not sure if it can be undeleted but things like saved posts may still be there)
Okay I'm done breaking it now.
The speed is really nice, avatars are really nice, and the (1 new) indicator is really nice. It's all just really nice. Looking forward to the upgrade.
Just pushed latest changes now. Be sure to clear cache (and possibly also manually delete Service Worker if it isn't clearing automatically)
Main Stuff:
- Only allow images from whitelisted domains (hexbear and imgur for now)
- Disabled video thumbnails, for now (need to revisit later)
- Lots of style fixes
- Admin: uploading emojis is fixed
- Editing posts should work again
- Mobile view expand post text is working again
- Default theme is now darkly (will revisit theming at a later date, fix litely)
- Rounded avatars, as default lemmy does
- misc style stuff
Thanks everyone for all the testing! Lots of stuff that was missed while developing. We are still looking into weird performance issues, esp around deleting comments and saving user settings. Also looking into old Safari versions not able to view page properly.
Edit: Also been laughing a lot at all the funny bugs and stuff you guys are surfacing. Been a joy working on it :lenin-laugh:
Thanks a ton dude:programming-communism: :shrek-progress:
Banning works, but there is nothing indicating that a user was banned, to the banned user or other users
Pogging out of my gourd rn :isaac-pog:
Thank you for all of your hard work :cat-trans:
