Merge commit '5b291fcbe41564264954618fb1f4086a3be1c600' into glitch-soc/merge-upstream

Conflicts: - `app/validators/poll_options_validator.rb`: Upstream split `PollValidator` in two, and glitch-soc had local changes to make the options configurable. Refactored as upstream did, keeping glitch-soc's configurable limits.
2025-02-02 21:13:02 -05:00 · 2025-01-28 18:13:56 +01:00 · 2025-01-28 18:13:56 +01:00 · 353e5f797c
commit 353e5f797c
parent e736363e77 5b291fcbe4
26 changed files with 222 additions and 143 deletions
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -370,7 +370,7 @@ GEM
      marcel (~> 1.0.1)
      mime-types
      terrapin (>= 0.6.0, < 2.0)
-    language_server-protocol (3.17.0.3)
+    language_server-protocol (3.17.0.4)
    launchy (3.0.1)
      addressable (~> 2.8)
      childprocess (~> 5.0)
@ -716,7 +716,7 @@ GEM
      rspec-mocks (~> 3.0)
      sidekiq (>= 5, < 8)
    rspec-support (3.13.2)
-    rubocop (1.70.0)
+    rubocop (1.71.0)
      json (~> 2.3)
      language_server-protocol (>= 3.17.0)
      parallel (~> 1.10)
@ -726,14 +726,14 @@ GEM
      rubocop-ast (>= 1.36.2, < 2.0)
      ruby-progressbar (~> 1.7)
      unicode-display_width (>= 2.4.0, < 4.0)
-    rubocop-ast (1.37.0)
+    rubocop-ast (1.38.0)
      parser (>= 3.3.1.0)
    rubocop-capybara (2.21.0)
      rubocop (~> 1.41)
    rubocop-performance (1.23.1)
      rubocop (>= 1.48.1, < 2.0)
      rubocop-ast (>= 1.31.1, < 2.0)
-    rubocop-rails (2.28.0)
+    rubocop-rails (2.29.1)
      activesupport (>= 4.2.0)
      rack (>= 1.1)
      rubocop (>= 1.52.0, < 2.0)
--- a/app/controllers/concerns/signature_verification.rb
+++ b/app/controllers/concerns/signature_verification.rb
@ -117,7 +117,7 @@ module SignatureVerification
  def verify_signature_strength!
    raise SignatureVerificationError, 'Mastodon requires the Date header or (created) pseudo-header to be signed' unless signed_headers.include?('date') || signed_headers.include?('(created)')
-    raise SignatureVerificationError, 'Mastodon requires the Digest header or (request-target) pseudo-header to be signed' unless signed_headers.include?(Request::REQUEST_TARGET) || signed_headers.include?('digest')
+    raise SignatureVerificationError, 'Mastodon requires the Digest header or (request-target) pseudo-header to be signed' unless signed_headers.include?(HttpSignatureDraft::REQUEST_TARGET) || signed_headers.include?('digest')
    raise SignatureVerificationError, 'Mastodon requires the Host header to be signed when doing a GET request' if request.get? && !signed_headers.include?('host')
    raise SignatureVerificationError, 'Mastodon requires the Digest header to be signed when doing a POST request' if request.post? && !signed_headers.include?('digest')
  end
@ -155,14 +155,14 @@ module SignatureVerification
  def build_signed_string(include_query_string: true)
    signed_headers.map do |signed_header|
      case signed_header
-      when Request::REQUEST_TARGET
+      when HttpSignatureDraft::REQUEST_TARGET
        if include_query_string
-          "#{Request::REQUEST_TARGET}: #{request.method.downcase} #{request.original_fullpath}"
+          "#{HttpSignatureDraft::REQUEST_TARGET}: #{request.method.downcase} #{request.original_fullpath}"
        else
          # Current versions of Mastodon incorrectly omit the query string from the (request-target) pseudo-header.
          # Therefore, temporarily support such incorrect signatures for compatibility.
          # TODO: remove eventually some time after release of the fixed version
-          "#{Request::REQUEST_TARGET}: #{request.method.downcase} #{request.path}"
+          "#{HttpSignatureDraft::REQUEST_TARGET}: #{request.method.downcase} #{request.path}"
        end
      when '(created)'
        raise SignatureVerificationError, 'Invalid pseudo-header (created) for rsa-sha256' unless signature_algorithm == 'hs2019'
--- a/app/javascript/mastodon/locales/cs.json
+++ b/app/javascript/mastodon/locales/cs.json
@ -86,6 +86,13 @@
  "alert.unexpected.message": "Objevila se neočekávaná chyba.",
  "alert.unexpected.title": "Jejda!",
  "alt_text_badge.title": "Popisek",
  "alt_text_modal.add_alt_text": "Přidat alt text",
  "alt_text_modal.add_text_from_image": "Přidat text z obrázku",
  "alt_text_modal.cancel": "Zrušit",
  "alt_text_modal.change_thumbnail": "Změnit miniaturu",
  "alt_text_modal.describe_for_people_with_hearing_impairments": "Popište to pro osoby se sluchovým postižením…",
  "alt_text_modal.describe_for_people_with_visual_impairments": "Popište to pro osoby se zrakovým postižením…",
  "alt_text_modal.done": "Hotovo",
  "announcement.announcement": "Oznámení",
  "annual_report.summary.archetype.booster": "Lovec obsahu",
  "annual_report.summary.archetype.lurker": "Špión",
@ -407,6 +414,8 @@
  "ignore_notifications_modal.not_followers_title": "Ignorovat oznámení od lidí, kteří vás nesledují?",
  "ignore_notifications_modal.not_following_title": "Ignorovat oznámení od lidí, které nesledujete?",
  "ignore_notifications_modal.private_mentions_title": "Ignorovat oznámení z nevyžádaných soukromých zmínek?",
  "info_button.label": "Nápověda",
  "info_button.what_is_alt_text": "<h1>Co je to alt text?</h1> <p>Alt text poskytuje popis obrázků pro lidi se zrakovými postižením, špatným připojením něbo těm, kteří potřebují více kontextu.</p> <p>Můžete zlepšit přístupnost a porozumění napsáním jasného, stručného a objektivního alt textu.</p> <ul> <li>Zachyťte důležité prvky</li> <li>Shrňte text v obrázku</li> <li>Použijte pravidelnou větnou skladbu</li> <li>Vyhněte se nadbytečným informacím</li> <li>U komplexních vizualizací (diagramy, mapy...) se zaměřte na trendy a klíčová zjištění</li> </ul>",
  "interaction_modal.action.favourite": "Chcete-li pokračovat, musíte oblíbit z vašeho účtu.",
  "interaction_modal.action.follow": "Chcete-li pokračovat, musíte sledovat z vašeho účtu.",
  "interaction_modal.action.reblog": "Chcete-li pokračovat, musíte dát boost z vašeho účtu.",
--- a/app/javascript/mastodon/locales/es-MX.json
+++ b/app/javascript/mastodon/locales/es-MX.json
@ -28,7 +28,7 @@
  "account.enable_notifications": "Notificarme cuando @{name} publique algo",
  "account.endorse": "Destacar en mi perfil",
  "account.featured_tags.last_status_at": "Última publicación el {date}",
-  "account.featured_tags.last_status_never": "No hay publicaciones",
+  "account.featured_tags.last_status_never": "Sin publicaciones",
  "account.featured_tags.title": "Etiquetas destacadas de {name}",
  "account.follow": "Seguir",
  "account.follow_back": "Seguir también",
@ -146,7 +146,7 @@
  "column.about": "Acerca de",
  "column.blocks": "Usuarios bloqueados",
  "column.bookmarks": "Marcadores",
-  "column.community": "Línea de tiempo local",
+  "column.community": "Cronología local",
  "column.create_list": "Crear lista",
  "column.direct": "Menciones privadas",
  "column.directory": "Buscar perfiles",
--- a/app/javascript/mastodon/locales/ko.json
+++ b/app/javascript/mastodon/locales/ko.json
@ -414,6 +414,7 @@
  "ignore_notifications_modal.not_followers_title": "나를 팔로우하지 않는 사람들의 알림을 무시할까요?",
  "ignore_notifications_modal.not_following_title": "내가 팔로우하지 않는 사람들의 알림을 무시할까요?",
  "ignore_notifications_modal.private_mentions_title": "요청하지 않은 개인 멘션 알림을 무시할까요?",
  "info_button.label": "도움말",
  "interaction_modal.action.favourite": "계속하려면 내 계정으로 즐겨찾기해야 합니다.",
  "interaction_modal.action.follow": "계속하려면 내 계정으로 팔로우해야 합니다.",
  "interaction_modal.action.reblog": "계속하려면 내 계정으로 리블로그해야 합니다.",
--- a/app/lib/http_signature_draft.rb
+++ b/app/lib/http_signature_draft.rb
@ -0,0 +1,31 @@
 # frozen_string_literal: true
 # This implements an older draft of HTTP Signatures:
 # https://datatracker.ietf.org/doc/html/draft-cavage-http-signatures
 class HttpSignatureDraft
  REQUEST_TARGET = '(request-target)'
  def initialize(keypair, key_id, full_path: true)
    @keypair = keypair
    @key_id = key_id
    @full_path = full_path
  end
  def request_target(verb, url)
    if url.query.nil? || !@full_path
      "#{verb} #{url.path}"
    else
      "#{verb} #{url.path}?#{url.query}"
    end
  end
  def sign(signed_headers, verb, url)
    signed_headers = signed_headers.merge(REQUEST_TARGET => request_target(verb, url))
    signed_string = signed_headers.map { |key, value| "#{key.downcase}: #{value}" }.join("\n")
    algorithm = 'rsa-sha256'
    signature = Base64.strict_encode64(@keypair.sign(OpenSSL::Digest.new('SHA256'), signed_string))
    "keyId=\"#{@key_id}\",algorithm=\"#{algorithm}\",headers=\"#{signed_headers.keys.join(' ').downcase}\",signature=\"#{signature}\""
  end
 end
--- a/app/lib/request.rb
+++ b/app/lib/request.rb
@ -61,8 +61,6 @@ class PerOperationWithDeadline < HTTP::Timeout::PerOperation
 end
 class Request
  REQUEST_TARGET = '(request-target)'
  # We enforce a 5s timeout on DNS resolving, 5s timeout on socket opening
  # and 5s timeout on the TLS handshake, meaning the worst case should take
  # about 15s in total
@ -78,11 +76,18 @@ class Request
    @http_client = options.delete(:http_client)
    @allow_local = options.delete(:allow_local)
    @full_path   = !options.delete(:omit_query_string)
-    @options     = options.merge(socket_class: use_proxy? || @allow_local ? ProxySocket : Socket)
+    @options     = {
-    @options     = @options.merge(timeout_class: PerOperationWithDeadline, timeout_options: TIMEOUT)
+      follow: {
        max_hops: 3,
        on_redirect: ->(response, request) { re_sign_on_redirect(response, request) },
      },
      socket_class: use_proxy? || @allow_local ? ProxySocket : Socket,
    }.merge(options)
    @options     = @options.merge(proxy_url) if use_proxy?
    @headers     = {}
    @signing = nil
    raise Mastodon::HostValidationError, 'Instance does not support hidden service connections' if block_hidden_service?
    set_common_headers!
@ -92,8 +97,9 @@ class Request
  def on_behalf_of(actor, sign_with: nil)
    raise ArgumentError, 'actor must not be nil' if actor.nil?
-    @actor         = actor
+    key_id = ActivityPub::TagManager.instance.key_uri_for(actor)
-    @keypair       = sign_with.present? ? OpenSSL::PKey::RSA.new(sign_with) : @actor.keypair
+    keypair = sign_with.present? ? OpenSSL::PKey::RSA.new(sign_with) : actor.keypair
    @signing = HttpSignatureDraft.new(keypair, key_id, full_path: @full_path)
    self
  end
@ -119,7 +125,7 @@ class Request
  end
  def headers
-    (@actor ? @headers.merge('Signature' => signature) : @headers).without(REQUEST_TARGET)
+    (@signing ? @headers.merge('Signature' => signature) : @headers)
  end
  class << self
@ -134,14 +140,13 @@ class Request
    end
    def http_client
-      HTTP.use(:auto_inflate).follow(max_hops: 3)
+      HTTP.use(:auto_inflate)
    end
  end
  private
  def set_common_headers!
    @headers[REQUEST_TARGET]    = request_target
    @headers['User-Agent']      = Mastodon::Version.user_agent
    @headers['Host']            = @url.host
    @headers['Date']            = Time.now.utc.httpdate
@ -152,31 +157,28 @@ class Request
    @headers['Digest'] = "SHA-256=#{Digest::SHA256.base64digest(@options[:body])}"
  end
  def request_target
    if @url.query.nil? || !@full_path
      "#{@verb} #{@url.path}"
    else
      "#{@verb} #{@url.path}?#{@url.query}"
    end
  end
  def signature
-    algorithm = 'rsa-sha256'
+    @signing.sign(@headers.without('User-Agent', 'Accept-Encoding'), @verb, @url)
    signature = Base64.strict_encode64(@keypair.sign(OpenSSL::Digest.new('SHA256'), signed_string))
    "keyId=\"#{key_id}\",algorithm=\"#{algorithm}\",headers=\"#{signed_headers.keys.join(' ').downcase}\",signature=\"#{signature}\""
  end
-  def signed_string
+  def re_sign_on_redirect(_response, request)
-    signed_headers.map { |key, value| "#{key.downcase}: #{value}" }.join("\n")
+    # Delete existing signature if there is one, since it will be invalid
    request.headers.delete('Signature')
    return unless @signing.present? && @verb == :get
    signed_headers = request.headers.to_h.slice(*@headers.keys)
    unless @headers.keys.all? { |key| signed_headers.key?(key) }
      # We have lost some headers in the process, so don't sign the new
      # request, in order to avoid issuing a valid signature with fewer
      # conditions than expected.
      Rails.logger.warn { "Some headers (#{@headers.keys - signed_headers.keys}) have been lost on redirect from {@uri} to #{request.uri}, this should not happen. Skipping signatures" }
      return
    end
-  def signed_headers
+    signature_value = @signing.sign(signed_headers.without('User-Agent', 'Accept-Encoding'), @verb, Addressable::URI.parse(request.uri))
-    @headers.without('User-Agent', 'Accept-Encoding')
+    request.headers['Signature'] = signature_value
  end
  def key_id
    ActivityPub::TagManager.instance.key_uri_for(@actor)
  end
  def http_client
--- a/app/models/poll.rb
+++ b/app/models/poll.rb
@ -37,7 +37,8 @@ class Poll < ApplicationRecord
  validates :options, presence: true
  validates :expires_at, presence: true, if: :local?
-  validates_with PollValidator, on: :create, if: :local?
+  validates_with PollOptionsValidator, if: :local?
  validates_with PollExpirationValidator, if: -> { local? && expires_at_changed? }
  before_validation :prepare_options, if: :local?
  before_validation :prepare_votes_count
--- a/app/serializers/initial_state_serializer.rb
+++ b/app/serializers/initial_state_serializer.rb
@ -19,10 +19,10 @@ class InitialStateSerializer < ActiveModel::Serializer
  def poll_limits
    {
-      max_options: PollValidator::MAX_OPTIONS,
+      max_options: PollOptionsValidator::MAX_OPTIONS,
-      max_option_chars: PollValidator::MAX_OPTION_CHARS,
+      max_option_chars: PollOptionsValidator::MAX_OPTION_CHARS,
-      min_expiration: PollValidator::MIN_EXPIRATION,
+      min_expiration: PollExpirationValidator::MIN_EXPIRATION,
-      max_expiration: PollValidator::MAX_EXPIRATION,
+      max_expiration: PollExpirationValidator::MAX_EXPIRATION,
    }
  end
--- a/app/serializers/rest/instance_serializer.rb
+++ b/app/serializers/rest/instance_serializer.rb
@ -88,10 +88,10 @@ class REST::InstanceSerializer < ActiveModel::Serializer
      },
      polls: {
-        max_options: PollValidator::MAX_OPTIONS,
+        max_options: PollOptionsValidator::MAX_OPTIONS,
-        max_characters_per_option: PollValidator::MAX_OPTION_CHARS,
+        max_characters_per_option: PollOptionsValidator::MAX_OPTION_CHARS,
-        min_expiration: PollValidator::MIN_EXPIRATION,
+        min_expiration: PollExpirationValidator::MIN_EXPIRATION,
-        max_expiration: PollValidator::MAX_EXPIRATION,
+        max_expiration: PollExpirationValidator::MAX_EXPIRATION,
      },
      translation: {
--- a/app/serializers/rest/v1/instance_serializer.rb
+++ b/app/serializers/rest/v1/instance_serializer.rb
@ -42,10 +42,10 @@ class REST::V1::InstanceSerializer < ActiveModel::Serializer
  def poll_limits
    {
-      max_options: PollValidator::MAX_OPTIONS,
+      max_options: PollOptionsValidator::MAX_OPTIONS,
-      max_option_chars: PollValidator::MAX_OPTION_CHARS,
+      max_option_chars: PollOptionsValidator::MAX_OPTION_CHARS,
-      min_expiration: PollValidator::MIN_EXPIRATION,
+      min_expiration: PollExpirationValidator::MIN_EXPIRATION,
-      max_expiration: PollValidator::MAX_EXPIRATION,
+      max_expiration: PollExpirationValidator::MAX_EXPIRATION,
    }
  end
@ -84,10 +84,10 @@ class REST::V1::InstanceSerializer < ActiveModel::Serializer
      },
      polls: {
-        max_options: PollValidator::MAX_OPTIONS,
+        max_options: PollOptionsValidator::MAX_OPTIONS,
-        max_characters_per_option: PollValidator::MAX_OPTION_CHARS,
+        max_characters_per_option: PollOptionsValidator::MAX_OPTION_CHARS,
-        min_expiration: PollValidator::MIN_EXPIRATION,
+        min_expiration: PollExpirationValidator::MIN_EXPIRATION,
-        max_expiration: PollValidator::MAX_EXPIRATION,
+        max_expiration: PollExpirationValidator::MAX_EXPIRATION,
      },
    }
  end
--- a/app/validators/poll_expiration_validator.rb
+++ b/app/validators/poll_expiration_validator.rb
@ -0,0 +1,13 @@
 # frozen_string_literal: true
 class PollExpirationValidator < ActiveModel::Validator
  MAX_EXPIRATION = 1.month.freeze
  MIN_EXPIRATION = 5.minutes.freeze
  def validate(poll)
    current_time = Time.now.utc
    poll.errors.add(:expires_at, I18n.t('polls.errors.duration_too_long')) if poll.expires_at.nil? || poll.expires_at - current_time > MAX_EXPIRATION
    poll.errors.add(:expires_at, I18n.t('polls.errors.duration_too_short')) if poll.expires_at.present? && (poll.expires_at - current_time).ceil < MIN_EXPIRATION
  end
 end
--- a/app/validators/poll_options_validator.rb
+++ b/app/validators/poll_options_validator.rb
@ -1,19 +1,13 @@
 # frozen_string_literal: true
-class PollValidator < ActiveModel::Validator
+class PollOptionsValidator < ActiveModel::Validator
  MAX_OPTIONS      = (ENV['MAX_POLL_OPTIONS'] || 5).to_i
  MAX_OPTION_CHARS = (ENV['MAX_POLL_OPTION_CHARS'] || 100).to_i
  MAX_EXPIRATION   = 1.month.freeze
  MIN_EXPIRATION   = 5.minutes.freeze
  def validate(poll)
    current_time = Time.now.utc
    poll.errors.add(:options, I18n.t('polls.errors.too_few_options')) unless poll.options.size > 1
    poll.errors.add(:options, I18n.t('polls.errors.too_many_options', max: MAX_OPTIONS)) if poll.options.size > MAX_OPTIONS
    poll.errors.add(:options, I18n.t('polls.errors.over_character_limit', max: MAX_OPTION_CHARS)) if poll.options.any? { |option| option.mb_chars.grapheme_length > MAX_OPTION_CHARS }
    poll.errors.add(:options, I18n.t('polls.errors.duplicate_options')) unless poll.options.uniq.size == poll.options.size
    poll.errors.add(:expires_at, I18n.t('polls.errors.duration_too_long')) if poll.expires_at.nil? || poll.expires_at - current_time > MAX_EXPIRATION
    poll.errors.add(:expires_at, I18n.t('polls.errors.duration_too_short')) if poll.expires_at.present? && (poll.expires_at - current_time).ceil < MIN_EXPIRATION
  end
 end
--- a/config/locales/cs.yml
+++ b/config/locales/cs.yml
@ -1247,6 +1247,7 @@ cs:
    too_fast: Formulář byl odeslán příliš rychle, zkuste to znovu.
    use_security_key: Použít bezpečnostní klíč
    user_agreement_html: Přečetl jsem si a souhlasím s <a href="%{terms_of_service_path}" target="_blank">podmínkami služby</a> a <a href="%{privacy_policy_path}" target="_blank">ochranou osobních údajů</a>
    user_privacy_agreement_html: Četl jsem a souhlasím se zásadami <a href="%{privacy_policy_path}" target="_blank">ochrany osobních údajů</a>
  author_attribution:
    example_title: Ukázkový text
    hint_html: Píšete novinové články nebo blog mimo Mastodon? Kontrolujte, jak Vám bude připisováno autorství, když jsou sdíleny na Mastodonu.
--- a/config/locales/ko.yml
+++ b/config/locales/ko.yml
@ -302,7 +302,7 @@ ko:
      deleted_account: 계정을 삭제했습니다
      empty: 로그를 찾을 수 없습니다
      filter_by_action: 동작 별 필터
-      filter_by_user: 사용자로 거르기
+      filter_by_user: 사용자 기준으로 필터
      title: 감사 로그
      unavailable_instance: "(도메인네임 사용불가)"
    announcements:
@ -1192,6 +1192,7 @@ ko:
    too_fast: 너무 빠르게 양식이 제출되었습니다, 다시 시도하세요.
    use_security_key: 보안 키 사용
    user_agreement_html: <a href="%{terms_of_service_path}" target="_blank">이용 약관</a>과 <a href="%{privacy_policy_path}" target="_blank">개인정보처리방침</a>을 읽었고 동의합니다
    user_privacy_agreement_html: <a href="%{privacy_policy_path}" target="_blank">개인정보처리방침</a>을 읽었고 동의합니다
  author_attribution:
    example_title: 예시 텍스트
    hint_html: 마스토돈 밖에서 뉴스나 블로그 글을 쓰시나요? 마스토돈에 공유되었을 때 어떻게 표시될지를 제어하세요.
--- a/config/locales/simple_form.cs.yml
+++ b/config/locales/simple_form.cs.yml
@ -3,6 +3,7 @@ cs:
  simple_form:
    hints:
      account:
        attribution_domains: Jeden na řádek. Chrání před falešným připisování autorství.
        discoverable: Vaše veřejné příspěvky a profil mohou být zobrazeny nebo doporučeny v různých oblastech Mastodonu a váš profil může být navrhován ostatním uživatelům.
        display_name: Vaše celé jméno nebo přezdívka.
        fields: Vaše domovská stránka, zájmena, věk, cokoliv chcete.
@ -155,6 +156,7 @@ cs:
        url: Kam budou události odesílány
    labels:
      account:
        attribution_domains: Webové stránky s povolením Vám připsat autorství
        discoverable: Zobrazovat profil a příspěvky ve vyhledávacích algoritmech
        fields:
          name: Označení
--- a/lib/devise/strategies/two_factor_ldap_authenticatable.rb
+++ b/lib/devise/strategies/two_factor_ldap_authenticatable.rb
@ -23,7 +23,7 @@ module Devise
      protected
      def valid_params?
-        params[scope] && params[scope][:password].present?
+        params[scope].is_a?(Hash) && params[scope][:password].present?
      end
    end
  end
--- a/lib/devise/strategies/two_factor_pam_authenticatable.rb
+++ b/lib/devise/strategies/two_factor_pam_authenticatable.rb
@ -22,7 +22,7 @@ module Devise
      protected
      def valid_params?
-        params[scope].respond_to?(:[]) && params[scope][:password].present?
+        params[scope].is_a?(Hash) && params[scope][:password].present?
      end
    end
  end
--- a/spec/controllers/admin/domain_blocks_controller_spec.rb
+++ b/spec/controllers/admin/domain_blocks_controller_spec.rb
@ -48,15 +48,11 @@ RSpec.describe Admin::DomainBlocksController do
        post :create, params: { domain_block: { domain: 'example.com', severity: 'silence' } }
      end
-      it 'records a block' do
+      it 'records a block, calls a worker, redirects' do
        expect(DomainBlock.exists?(domain: 'example.com', severity: 'silence')).to be true
      end
      it 'calls DomainBlockWorker' do
        expect(DomainBlockWorker).to have_received(:perform_async)
      end
      it 'redirects with a success message' do
        expect(flash[:notice]).to eq I18n.t('admin.domain_blocks.created_msg')
        expect(response).to redirect_to(admin_instances_path(limited: '1'))
      end
@ -68,15 +64,11 @@ RSpec.describe Admin::DomainBlocksController do
        post :create, params: { domain_block: { domain: 'example.com', severity: 'silence' } }
      end
-      it 'does not record a block' do
+      it 'does not record a block or call worker, renders new' do
        expect(DomainBlock.exists?(domain: 'example.com', severity: 'silence')).to be false
      end
      it 'does not call DomainBlockWorker' do
        expect(DomainBlockWorker).to_not have_received(:perform_async)
      end
      it 'renders new' do
        expect(response).to render_template :new
      end
    end
@ -87,15 +79,11 @@ RSpec.describe Admin::DomainBlocksController do
          post :create, params: { domain_block: { domain: 'example.com', severity: 'suspend', reject_media: true, reject_reports: true } }
        end
-        it 'does not record a block' do
+        it 'does not record a block or call worker, renders confirm suspension' do
          expect(DomainBlock.exists?(domain: 'example.com', severity: 'suspend')).to be false
        end
        it 'does not call DomainBlockWorker' do
          expect(DomainBlockWorker).to_not have_received(:perform_async)
        end
        it 'renders confirm_suspension' do
          expect(response).to render_template :confirm_suspension
        end
      end
@ -105,15 +93,11 @@ RSpec.describe Admin::DomainBlocksController do
          post :create, params: { :domain_block => { domain: 'example.com', severity: 'suspend', reject_media: true, reject_reports: true }, 'confirm' => '' }
        end
-        it 'records a block' do
+        it 'records a block and calls worker and redirects' do
          expect(DomainBlock.exists?(domain: 'example.com', severity: 'suspend')).to be true
        end
        it 'calls DomainBlockWorker' do
          expect(DomainBlockWorker).to have_received(:perform_async)
        end
        it 'redirects with a success message' do
          expect(flash[:notice]).to eq I18n.t('admin.domain_blocks.created_msg')
          expect(response).to redirect_to(admin_instances_path(limited: '1'))
        end
@ -130,15 +114,11 @@ RSpec.describe Admin::DomainBlocksController do
          post :create, params: { domain_block: { domain: 'example.com', severity: 'suspend', reject_media: true, reject_reports: true } }
        end
-        it 'does not record a block' do
+        it 'does not record a block or call worker, renders confirm suspension' do
          expect(DomainBlock.exists?(domain: 'example.com', severity: 'suspend')).to be false
        end
        it 'does not call DomainBlockWorker' do
          expect(DomainBlockWorker).to_not have_received(:perform_async)
        end
        it 'renders confirm_suspension' do
          expect(response).to render_template :confirm_suspension
        end
      end
@ -148,15 +128,11 @@ RSpec.describe Admin::DomainBlocksController do
          post :create, params: { :domain_block => { domain: 'example.com', severity: 'suspend', reject_media: true, reject_reports: true }, 'confirm' => '' }
        end
-        it 'updates the record' do
+        it 'updates the record and calls worker, redirects' do
          expect(DomainBlock.exists?(domain: 'example.com', severity: 'suspend')).to be true
        end
        it 'calls DomainBlockWorker' do
          expect(DomainBlockWorker).to have_received(:perform_async)
        end
        it 'redirects with a success message' do
          expect(flash[:notice]).to eq I18n.t('admin.domain_blocks.created_msg')
          expect(response).to redirect_to(admin_instances_path(limited: '1'))
        end
--- a/spec/controllers/admin/email_domain_blocks_controller_spec.rb
+++ b/spec/controllers/admin/email_domain_blocks_controller_spec.rb
@ -58,11 +58,9 @@ RSpec.describe Admin::EmailDomainBlocksController do
        post :create, params: { email_domain_block: { domain: 'example.com' }, save: '' }
      end
-      it 'blocks the domain' do
+      it 'blocks the domain and redirects to email domain blocks' do
        expect(EmailDomainBlock.find_by(domain: 'example.com')).to_not be_nil
      end
      it 'redirects to e-mail domain blocks' do
        expect(response).to redirect_to(admin_email_domain_blocks_path)
      end
    end
--- a/spec/controllers/admin/roles_controller_spec.rb
+++ b/spec/controllers/admin/roles_controller_spec.rb
@ -68,11 +68,9 @@ RSpec.describe Admin::RolesController do
        let(:selected_position) { 1 }
        let(:selected_permissions_as_keys) { %w(manage_roles) }
-        it 'redirects to roles page' do
+        it 'redirects to roles page and creates role' do
          expect(response).to redirect_to(admin_roles_path)
        end
        it 'creates new role' do
          expect(UserRole.find_by(name: 'Bar')).to_not be_nil
        end
      end
@ -81,11 +79,9 @@ RSpec.describe Admin::RolesController do
        let(:selected_position) { 100 }
        let(:selected_permissions_as_keys) { %w(manage_roles) }
-        it 'renders new template' do
+        it 'renders new template and does not create role' do
          expect(response).to render_template(:new)
        end
        it 'does not create new role' do
          expect(UserRole.find_by(name: 'Bar')).to be_nil
        end
      end
@ -94,11 +90,9 @@ RSpec.describe Admin::RolesController do
        let(:selected_position) { 1 }
        let(:selected_permissions_as_keys) { %w(manage_roles manage_users manage_reports) }
-        it 'renders new template' do
+        it 'renders new template and does not create role' do
          expect(response).to render_template(:new)
        end
        it 'does not create new role' do
          expect(UserRole.find_by(name: 'Bar')).to be_nil
        end
      end
@ -109,11 +103,9 @@ RSpec.describe Admin::RolesController do
        let(:selected_position) { 1 }
        let(:selected_permissions_as_keys) { %w(manage_roles manage_users manage_reports) }
-        it 'redirects to roles page' do
+        it 'redirects to roles page and creates new role' do
          expect(response).to redirect_to(admin_roles_path)
        end
        it 'creates new role' do
          expect(UserRole.find_by(name: 'Bar')).to_not be_nil
        end
      end
@ -166,11 +158,9 @@ RSpec.describe Admin::RolesController do
    end
    context 'when user does not have permission to manage roles' do
-      it 'returns http forbidden' do
+      it 'returns http forbidden and does not update role' do
        expect(response).to have_http_status(403)
      end
      it 'does not update the role' do
        expect(role.reload.name).to eq 'Bar'
      end
    end
@ -179,11 +169,9 @@ RSpec.describe Admin::RolesController do
      let(:permissions) { UserRole::FLAGS[:manage_roles] }
      context 'when role has permissions the user doesn\'t' do
-        it 'renders edit template' do
+        it 'renders edit template and does not update role' do
          expect(response).to render_template(:edit)
        end
        it 'does not update the role' do
          expect(role.reload.name).to eq 'Bar'
        end
      end
@ -192,11 +180,9 @@ RSpec.describe Admin::RolesController do
        let(:permissions) { UserRole::FLAGS[:manage_roles] | UserRole::FLAGS[:manage_users] }
        context 'when user outranks the role' do
-          it 'redirects to roles page' do
+          it 'redirects to roles page and updates role' do
            expect(response).to redirect_to(admin_roles_path)
          end
          it 'updates the role' do
            expect(role.reload.name).to eq 'Baz'
          end
        end
@ -204,11 +190,9 @@ RSpec.describe Admin::RolesController do
        context 'when role outranks user' do
          let(:role_position) { current_role.position + 1 }
-          it 'returns http forbidden' do
+          it 'returns http forbidden and does not update role' do
            expect(response).to have_http_status(403)
          end
          it 'does not update the role' do
            expect(role.reload.name).to eq 'Bar'
          end
        end
--- a/spec/controllers/admin/users/roles_controller_spec.rb
+++ b/spec/controllers/admin/users/roles_controller_spec.rb
@ -44,11 +44,9 @@ RSpec.describe Admin::Users::RolesController do
      let(:permissions) { UserRole::FLAGS[:manage_roles] }
      let(:position) { 1 }
-      it 'updates user role' do
+      it 'updates user role and redirects' do
        expect(user.reload.role_id).to eq selected_role&.id
      end
      it 'redirects back to account page' do
        expect(response).to redirect_to(admin_account_path(user.account_id))
      end
    end
@ -57,11 +55,9 @@ RSpec.describe Admin::Users::RolesController do
      let(:permissions) { UserRole::FLAGS[:administrator] }
      let(:position) { 100 }
-      it 'does not update user role' do
+      it 'does not update user role and renders edit' do
        expect(user.reload.role_id).to eq previous_role&.id
      end
      it 'renders edit form' do
        expect(response).to render_template(:show)
      end
    end
@ -71,11 +67,9 @@ RSpec.describe Admin::Users::RolesController do
      let(:permissions) { UserRole::FLAGS[:manage_roles] }
      let(:position) { 1 }
-      it 'does not update user role' do
+      it 'does not update user role and returns http forbidden' do
        expect(user.reload.role_id).to eq previous_role&.id
      end
      it 'returns http forbidden' do
        expect(response).to have_http_status(403)
      end
    end
--- a/spec/lib/request_spec.rb
+++ b/spec/lib/request_spec.rb
@ -60,16 +60,12 @@ RSpec.describe Request do
        expect(a_request(:get, 'http://example.com')).to have_been_made.once
      end
-      it 'sets headers' do
+      it 'makes a request with expected headers, yields, and closes the underlying connection' do
        expect { |block| subject.perform(&block) }.to yield_control
        expect(a_request(:get, 'http://example.com').with(headers: subject.headers)).to have_been_made
      end
      it 'closes underlying connection' do
        allow(subject.send(:http_client)).to receive(:close)
        expect { |block| subject.perform(&block) }.to yield_control
        expect(a_request(:get, 'http://example.com').with(headers: subject.headers)).to have_been_made
        expect(subject.send(:http_client)).to have_received(:close)
      end
@ -80,6 +76,29 @@ RSpec.describe Request do
      end
    end
    context 'with a redirect and HTTP signatures' do
      let(:account) { Fabricate(:account) }
      before do
        stub_request(:get, 'http://example.com').to_return(status: 301, headers: { Location: 'http://redirected.example.com/foo' })
        stub_request(:get, 'http://redirected.example.com/foo').to_return(body: 'lorem ipsum')
      end
      it 'makes a request with expected headers and follows redirects' do
        expect { |block| subject.on_behalf_of(account).perform(&block) }.to yield_control
        # request.headers includes the `Signature` sent for the first request
        expect(a_request(:get, 'http://example.com').with(headers: subject.headers)).to have_been_made.once
        # request.headers includes the `Signature`, but it has changed
        expect(a_request(:get, 'http://redirected.example.com/foo').with(headers: subject.headers.merge({ 'Host' => 'redirected.example.com' }))).to_not have_been_made
        # `with(headers: )` matching tests for inclusion, so strip `Signature`
        # This doesn't actually test that there is a signature, but it tests that the original signature is not passed
        expect(a_request(:get, 'http://redirected.example.com/foo').with(headers: subject.headers.without('Signature').merge({ 'Host' => 'redirected.example.com' }))).to have_been_made.once
      end
    end
    context 'with private host' do
      around do |example|
        WebMock.disable!
--- a/spec/requests/api/v2/instance_spec.rb
+++ b/spec/requests/api/v2/instance_spec.rb
@ -59,7 +59,7 @@ RSpec.describe 'Instances' do
            description_limit: MediaAttachment::MAX_DESCRIPTION_LENGTH
          ),
          polls: include(
-            max_options: PollValidator::MAX_OPTIONS
+            max_options: PollOptionsValidator::MAX_OPTIONS
          )
        )
      )
--- a/spec/validators/poll_expiration_validator_spec.rb
+++ b/spec/validators/poll_expiration_validator_spec.rb
@ -2,7 +2,7 @@
 require 'rails_helper'
-RSpec.describe PollValidator do
+RSpec.describe PollExpirationValidator do
  describe '#validate' do
    before do
      validator.validate(poll)
@ -14,16 +14,24 @@ RSpec.describe PollValidator do
    let(:options) { %w(foo bar) }
    let(:expires_at) { 1.day.from_now }
-    it 'have no errors' do
+    it 'has no errors' do
      expect(errors).to_not have_received(:add)
    end
-    context 'when expires is just 5 min ago' do
+    context 'when the poll expires in 5 min from now' do
      let(:expires_at) { 5.minutes.from_now }
-      it 'not calls errors add' do
+      it 'has no errors' do
        expect(errors).to_not have_received(:add)
      end
    end
    context 'when the poll expires in the past' do
      let(:expires_at) { 5.minutes.ago }
      it 'has errors' do
        expect(errors).to have_received(:add)
      end
    end
  end
 end
--- a/spec/validators/poll_options_validator_spec.rb
+++ b/spec/validators/poll_options_validator_spec.rb
@ -0,0 +1,45 @@
 # frozen_string_literal: true
 require 'rails_helper'
 RSpec.describe PollOptionsValidator do
  describe '#validate' do
    before do
      validator.validate(poll)
    end
    let(:validator) { described_class.new }
    let(:poll) { instance_double(Poll, options: options, expires_at: expires_at, errors: errors) }
    let(:errors) { instance_double(ActiveModel::Errors, add: nil) }
    let(:options) { %w(foo bar) }
    let(:expires_at) { 1.day.from_now }
    it 'has no errors' do
      expect(errors).to_not have_received(:add)
    end
    context 'when the poll has duplicate options' do
      let(:options) { %w(foo foo) }
      it 'adds errors' do
        expect(errors).to have_received(:add)
      end
    end
    context 'when the poll has no options' do
      let(:options) { [] }
      it 'adds errors' do
        expect(errors).to have_received(:add)
      end
    end
    context 'when the poll has too many options' do
      let(:options) { Array.new(described_class::MAX_OPTIONS + 1) { |i| "option #{i}" } }
      it 'adds errors' do
        expect(errors).to have_received(:add)
      end
    end
  end
 end