Merge branch 'main' into glitch-soc/merge-upstream

Conflicts: - `.github/dependabot.yml`: Updated upstream, removed in glitch-soc to disable noise. Kept removed. - `CODE_OF_CONDUCT.md`: Upstream updated to a new version of the covenant, but I have not read it yet, so kept unchanged. - `Gemfile.lock`: Not a real conflict, one upstream dependency updated textually too close to the glitch-soc only `hcaptcha` dependency. Applied upstream changes. - `app/controllers/admin/base_controller.rb`: Minor conflict due to glitch-soc's theming system. Applied upstream changes. - `app/controllers/application_controller.rb`: Minor conflict due to glitch-soc's theming system. Applied upstream changes. - `app/controllers/disputes/base_controller.rb`: Minor conflict due to glitch-soc's theming system. Applied upstream changes. - `app/controllers/relationships_controller.rb`: Minor conflict due to glitch-soc's theming system. Applied upstream changes. - `app/controllers/statuses_cleanup_controller.rb`: Minor conflict due to glitch-soc's theming system. Applied upstream changes. - `app/helpers/application_helper.rb`: Minor conflict due to glitch-soc's theming system. Applied upstream changes. - `app/javascript/mastodon/features/compose/components/compose_form.jsx`: Upstream added a highlight animation for onboarding, while we changed the max character limit. Applied our local changes on top of upstream's new version. - `app/views/layouts/application.html.haml`: Minor conflict due to glitch-soc's theming system. Applied upstream changes. - `stylelint.config.js`: Upstream added ignore paths, glitch-soc had extra ignore paths. Added the same paths as upstream.
2023-04-29 10:44:56 +02:00
parent 1565af1caf 105f8687e4
commit 12b935fadf
440 changed files with 8274 additions and 3857 deletions
--- a/spec/controllers/accounts_controller_spec.rb
+++ b/spec/controllers/accounts_controller_spec.rb
@@ -17,6 +17,10 @@ RSpec.describe AccountsController, type: :controller do
      expect(session).to be_empty
    end

+    it 'returns Vary header' do
+      expect(response.headers['Vary']).to include 'Accept'
+    end
+
    it 'returns public Cache-Control header' do
      expect(response.headers['Cache-Control']).to include 'public'
    end
@@ -214,8 +218,8 @@ RSpec.describe AccountsController, type: :controller do
          expect(response.media_type).to eq 'application/activity+json'
        end

-        it 'returns public Cache-Control header' do
-          expect(response.headers['Cache-Control']).to include 'public'
+        it 'returns private Cache-Control header' do
+          expect(response.headers['Cache-Control']).to include 'private'
        end

        it 'renders account' do
--- a/spec/controllers/activitypub/followers_synchronizations_controller_spec.rb
+++ b/spec/controllers/activitypub/followers_synchronizations_controller_spec.rb
@@ -50,7 +50,7 @@ RSpec.describe ActivityPub::FollowersSynchronizationsController, type: :controll

      it 'returns orderedItems with followers from example.com' do
        expect(body[:orderedItems]).to be_an Array
-        expect(body[:orderedItems]).to match_array([follower_4.uri, follower_1.uri, follower_2.uri])
+        expect(body[:orderedItems]).to contain_exactly(follower_4.uri, follower_1.uri, follower_2.uri)
      end

      it 'returns private Cache-Control header' do
--- a/spec/controllers/admin/base_controller_spec.rb
+++ b/spec/controllers/admin/base_controller_spec.rb
@@ -18,6 +18,14 @@ describe Admin::BaseController, type: :controller do
    expect(response).to have_http_status(403)
  end

+  it 'returns private cache control headers' do
+    routes.draw { get 'success' => 'admin/base#success' }
+    sign_in(Fabricate(:user, role: UserRole.find_by(name: 'Moderator')))
+    get :success
+
+    expect(response.headers['Cache-Control']).to include('private, no-store')
+  end
+
  it 'renders admin layout as a moderator' do
    routes.draw { get 'success' => 'admin/base#success' }
    sign_in(Fabricate(:user, role: UserRole.find_by(name: 'Moderator')))
--- a/spec/controllers/admin/export_domain_blocks_controller_spec.rb
+++ b/spec/controllers/admin/export_domain_blocks_controller_spec.rb
@@ -29,7 +29,7 @@ RSpec.describe Admin::ExportDomainBlocksController, type: :controller do
      end

      it 'renders page with expected domain blocks' do
-        expect(assigns(:domain_blocks).map { |block| [block.domain, block.severity.to_sym] }).to match_array [['bad.domain', :silence], ['worse.domain', :suspend], ['reject.media', :noop]]
+        expect(assigns(:domain_blocks).map { |block| [block.domain, block.severity.to_sym] }).to contain_exactly(['bad.domain', :silence], ['worse.domain', :suspend], ['reject.media', :noop])
      end

      it 'returns http success' do
@@ -43,7 +43,7 @@ RSpec.describe Admin::ExportDomainBlocksController, type: :controller do
      end

      it 'renders page with expected domain blocks' do
-        expect(assigns(:domain_blocks).map { |block| [block.domain, block.severity.to_sym] }).to match_array [['bad.domain', :suspend], ['worse.domain', :suspend], ['reject.media', :suspend]]
+        expect(assigns(:domain_blocks).map { |block| [block.domain, block.severity.to_sym] }).to contain_exactly(['bad.domain', :suspend], ['worse.domain', :suspend], ['reject.media', :suspend])
      end

      it 'returns http success' do
--- a/spec/controllers/api/base_controller_spec.rb
+++ b/spec/controllers/api/base_controller_spec.rb
@@ -15,6 +15,12 @@ describe Api::BaseController do
    end
  end

+  it 'returns private cache control headers by default' do
+    routes.draw { get 'success' => 'api/base#success' }
+    get :success
+    expect(response.headers['Cache-Control']).to include('private, no-store')
+  end
+
  describe 'forgery protection' do
    before do
      routes.draw { post 'success' => 'api/base#success' }
--- a/spec/controllers/api/oembed_controller_spec.rb
+++ b/spec/controllers/api/oembed_controller_spec.rb
@@ -17,5 +17,9 @@ RSpec.describe Api::OEmbedController, type: :controller do
    it 'returns http success' do
      expect(response).to have_http_status(200)
    end
+
+    it 'returns private cache control headers' do
+      expect(response.headers['Cache-Control']).to include('private, no-store')
+    end
  end
 end
--- a/spec/controllers/api/v1/accounts/follower_accounts_controller_spec.rb
+++ b/spec/controllers/api/v1/accounts/follower_accounts_controller_spec.rb
@@ -28,7 +28,7 @@ describe Api::V1::Accounts::FollowerAccountsController do
      get :index, params: { account_id: account.id, limit: 2 }

      expect(body_as_json.size).to eq 2
-      expect([body_as_json[0][:id], body_as_json[1][:id]]).to match_array([alice.id.to_s, bob.id.to_s])
+      expect([body_as_json[0][:id], body_as_json[1][:id]]).to contain_exactly(alice.id.to_s, bob.id.to_s)
    end

    it 'does not return blocked users' do
@@ -58,7 +58,7 @@ describe Api::V1::Accounts::FollowerAccountsController do
        get :index, params: { account_id: account.id, limit: 2 }

        expect(body_as_json.size).to eq 2
-        expect([body_as_json[0][:id], body_as_json[1][:id]]).to match_array([alice.id.to_s, bob.id.to_s])
+        expect([body_as_json[0][:id], body_as_json[1][:id]]).to contain_exactly(alice.id.to_s, bob.id.to_s)
      end
    end
  end
--- a/spec/controllers/api/v1/accounts/following_accounts_controller_spec.rb
+++ b/spec/controllers/api/v1/accounts/following_accounts_controller_spec.rb
@@ -28,7 +28,7 @@ describe Api::V1::Accounts::FollowingAccountsController do
      get :index, params: { account_id: account.id, limit: 2 }

      expect(body_as_json.size).to eq 2
-      expect([body_as_json[0][:id], body_as_json[1][:id]]).to match_array([alice.id.to_s, bob.id.to_s])
+      expect([body_as_json[0][:id], body_as_json[1][:id]]).to contain_exactly(alice.id.to_s, bob.id.to_s)
    end

    it 'does not return blocked users' do
@@ -58,7 +58,7 @@ describe Api::V1::Accounts::FollowingAccountsController do
        get :index, params: { account_id: account.id, limit: 2 }

        expect(body_as_json.size).to eq 2
-        expect([body_as_json[0][:id], body_as_json[1][:id]]).to match_array([alice.id.to_s, bob.id.to_s])
+        expect([body_as_json[0][:id], body_as_json[1][:id]]).to contain_exactly(alice.id.to_s, bob.id.to_s)
      end
    end
  end
--- a/spec/controllers/api/v1/accounts/statuses_controller_spec.rb
+++ b/spec/controllers/api/v1/accounts/statuses_controller_spec.rb
@@ -99,7 +99,7 @@ describe Api::V1::Accounts::StatusesController do
        it 'lists both the public and the private statuses' do
          get :index, params: { account_id: account.id, pinned: true }
          json = body_as_json
-          expect(json.map { |item| item[:id].to_i }).to match_array([status.id, private_status.id])
+          expect(json.map { |item| item[:id].to_i }).to contain_exactly(status.id, private_status.id)
        end
      end
    end
--- a/spec/controllers/api/v1/bookmarks_controller_spec.rb
+++ b/spec/controllers/api/v1/bookmarks_controller_spec.rb
@@ -57,7 +57,7 @@ RSpec.describe Api::V1::BookmarksController, type: :controller do

          get :index

-          expect(assigns(:statuses)).to match_array [bookmarked_by_user.status]
+          expect(assigns(:statuses)).to contain_exactly(bookmarked_by_user.status)
        end

        it 'adds pagination headers if necessary' do
--- a/spec/controllers/api/v1/favourites_controller_spec.rb
+++ b/spec/controllers/api/v1/favourites_controller_spec.rb
@@ -57,7 +57,7 @@ RSpec.describe Api::V1::FavouritesController, type: :controller do

          get :index

-          expect(assigns(:statuses)).to match_array [favourite_by_user.status]
+          expect(assigns(:statuses)).to contain_exactly(favourite_by_user.status)
        end

        it 'adds pagination headers if necessary' do
--- a/spec/controllers/api/v1/reports_controller_spec.rb
+++ b/spec/controllers/api/v1/reports_controller_spec.rb
@@ -69,7 +69,7 @@ RSpec.describe Api::V1::ReportsController, type: :controller do
      end

      it 'saves rule_ids' do
-        expect(target_account.targeted_reports.first.rule_ids).to match_array([rule.id])
+        expect(target_account.targeted_reports.first.rule_ids).to contain_exactly(rule.id)
      end
    end
  end
--- a/spec/controllers/api/v1/statuses/favourited_by_accounts_controller_spec.rb
+++ b/spec/controllers/api/v1/statuses/favourited_by_accounts_controller_spec.rb
@@ -33,7 +33,7 @@ RSpec.describe Api::V1::Statuses::FavouritedByAccountsController, type: :control
      it 'returns accounts who favorited the status' do
        get :index, params: { status_id: status.id, limit: 2 }
        expect(body_as_json.size).to eq 2
-        expect([body_as_json[0][:id], body_as_json[1][:id]]).to match_array([alice.id.to_s, bob.id.to_s])
+        expect([body_as_json[0][:id], body_as_json[1][:id]]).to contain_exactly(alice.id.to_s, bob.id.to_s)
      end

      it 'does not return blocked users' do
--- a/spec/controllers/api/v1/statuses/reblogged_by_accounts_controller_spec.rb
+++ b/spec/controllers/api/v1/statuses/reblogged_by_accounts_controller_spec.rb
@@ -33,7 +33,7 @@ RSpec.describe Api::V1::Statuses::RebloggedByAccountsController, type: :controll
      it 'returns accounts who reblogged the status' do
        get :index, params: { status_id: status.id, limit: 2 }
        expect(body_as_json.size).to eq 2
-        expect([body_as_json[0][:id], body_as_json[1][:id]]).to match_array([alice.id.to_s, bob.id.to_s])
+        expect([body_as_json[0][:id], body_as_json[1][:id]]).to contain_exactly(alice.id.to_s, bob.id.to_s)
      end

      it 'does not return blocked users' do
--- a/spec/controllers/application_controller_spec.rb
+++ b/spec/controllers/application_controller_spec.rb
@@ -139,25 +139,6 @@ describe ApplicationController, type: :controller do
    include_examples 'respond_with_error', 422
  end

-  describe 'before_action :store_current_location' do
-    it 'stores location for user if it is not devise controller' do
-      routes.draw { get 'success' => 'anonymous#success' }
-      get 'success'
-      expect(controller.stored_location_for(:user)).to eq '/success'
-    end
-
-    context do
-      controller Devise::SessionsController do
-      end
-
-      it 'does not store location for user if it is devise controller' do
-        @request.env['devise.mapping'] = Devise.mappings[:user]
-        get 'create'
-        expect(controller.stored_location_for(:user)).to be_nil
-      end
-    end
-  end
-
  describe 'before_action :check_suspension' do
    before do
      routes.draw { get 'success' => 'anonymous#success' }
--- a/spec/controllers/auth/registrations_controller_spec.rb
+++ b/spec/controllers/auth/registrations_controller_spec.rb
@@ -33,27 +33,42 @@ RSpec.describe Auth::RegistrationsController, type: :controller do
  end

  describe 'GET #edit' do
-    it 'returns http success' do
+    before do
      request.env['devise.mapping'] = Devise.mappings[:user]
      sign_in(Fabricate(:user))
      get :edit
+    end
+
+    it 'returns http success' do
      expect(response).to have_http_status(200)
    end
+
+    it 'returns private cache control header' do
+      expect(response.headers['Cache-Control']).to include('private, no-store')
+    end
  end

  describe 'GET #update' do
-    it 'returns http success' do
+    let(:user) { Fabricate(:user) }
+
+    before do
      request.env['devise.mapping'] = Devise.mappings[:user]
-      sign_in(Fabricate(:user), scope: :user)
+      sign_in(user, scope: :user)
      post :update
+    end
+
+    it 'returns http success' do
      expect(response).to have_http_status(200)
    end

+    it 'returns private cache control headers' do
+      expect(response.headers['Cache-Control']).to include('private, no-store')
+    end
+
    context 'when suspended' do
+      let(:user) { Fabricate(:user, account_attributes: { username: 'test', suspended_at: Time.now.utc }) }
+
      it 'returns http forbidden' do
-        request.env['devise.mapping'] = Devise.mappings[:user]
-        sign_in(Fabricate(:user, account_attributes: { username: 'test', suspended_at: Time.now.utc }), scope: :user)
-        post :update
        expect(response).to have_http_status(403)
      end
    end
--- a/spec/controllers/custom_css_controller_spec.rb
+++ b/spec/controllers/custom_css_controller_spec.rb
@@ -6,9 +6,25 @@ describe CustomCssController do
  render_views

  describe 'GET #show' do
-    it 'returns http success' do
+    before do
      get :show
+    end
+
+    it 'returns http success' do
      expect(response).to have_http_status(200)
    end
+
+    it 'returns public cache control header' do
+      expect(response.headers['Cache-Control']).to include('public')
+    end
+
+    it 'does not set cookies' do
+      expect(response.cookies).to be_empty
+      expect(response.headers['Set-Cookies']).to be_nil
+    end
+
+    it 'does not set sessions' do
+      expect(session).to be_empty
+    end
  end
 end
--- a/spec/controllers/filters/statuses_controller_spec.rb
+++ b/spec/controllers/filters/statuses_controller_spec.rb
@@ -18,21 +18,27 @@ describe Filters::StatusesController do

    context 'with a signed in user' do
      context 'with the filter user signed in' do
-        before { sign_in(filter.account.user) }
+        before do
+          sign_in(filter.account.user)
+          get :index, params: { filter_id: filter }
+        end

        it 'returns http success' do
-          get :index, params: { filter_id: filter }
-
          expect(response).to have_http_status(200)
        end
+
+        it 'returns private cache control headers' do
+          expect(response.headers['Cache-Control']).to include('private, no-store')
+        end
      end

      context 'with another user signed in' do
-        before { sign_in(Fabricate(:user)) }
+        before do
+          sign_in(Fabricate(:user))
+          get :index, params: { filter_id: filter }
+        end

        it 'returns http not found' do
-          get :index, params: { filter_id: filter }
-
          expect(response).to have_http_status(404)
        end
      end
--- a/spec/controllers/filters_controller_spec.rb
+++ b/spec/controllers/filters_controller_spec.rb
@@ -7,21 +7,28 @@ describe FiltersController do

  describe 'GET #index' do
    context 'with signed out user' do
-      it 'redirects' do
+      before do
        get :index
+      end

+      it 'redirects' do
        expect(response).to be_redirect
      end
    end

    context 'with a signed in user' do
-      before { sign_in(Fabricate(:user)) }
+      before do
+        sign_in(Fabricate(:user))
+        get :index
+      end

      it 'returns http success' do
-        get :index
-
        expect(response).to have_http_status(200)
      end
+
+      it 'returns private cache control headers' do
+        expect(response.headers['Cache-Control']).to include('private, no-store')
+      end
    end
  end
 end
--- a/spec/controllers/follower_accounts_controller_spec.rb
+++ b/spec/controllers/follower_accounts_controller_spec.rb
@@ -41,7 +41,7 @@ describe FollowerAccountsController do
    context 'when format is json' do
      subject(:response) { get :index, params: { account_username: alice.username, page: page, format: :json } }

-      subject(:body) { JSON.parse(response.body) }
+      subject(:body) { response.parsed_body }

      context 'with page' do
        let(:page) { 1 }
--- a/spec/controllers/following_accounts_controller_spec.rb
+++ b/spec/controllers/following_accounts_controller_spec.rb
@@ -41,7 +41,7 @@ describe FollowingAccountsController do
    context 'when format is json' do
      subject(:response) { get :index, params: { account_username: alice.username, page: page, format: :json } }

-      subject(:body) { JSON.parse(response.body) }
+      subject(:body) { response.parsed_body }

      context 'with page' do
        let(:page) { 1 }
--- a/spec/controllers/invites_controller_spec.rb
+++ b/spec/controllers/invites_controller_spec.rb
@@ -5,35 +5,40 @@ require 'rails_helper'
 describe InvitesController do
  render_views

+  let(:user) { Fabricate(:user) }
+
  before do
    sign_in user
  end

  describe 'GET #index' do
-    subject { get :index }
-
-    let(:user) { Fabricate(:user) }
-    let!(:invite) { Fabricate(:invite, user: user) }
+    before do
+      Fabricate(:invite, user: user)
+    end

    context 'when everyone can invite' do
      before do
        UserRole.everyone.update(permissions: UserRole.everyone.permissions | UserRole::FLAGS[:invite_users])
+        get :index
      end

-      it 'renders index page' do
-        expect(subject).to render_template :index
-        expect(assigns(:invites)).to include invite
-        expect(assigns(:invites).count).to eq 1
+      it 'returns http success' do
+        expect(response).to have_http_status(:success)
+      end
+
+      it 'returns private cache control headers' do
+        expect(response.headers['Cache-Control']).to include('private, no-store')
      end
    end

    context 'when not everyone can invite' do
      before do
        UserRole.everyone.update(permissions: UserRole.everyone.permissions & ~UserRole::FLAGS[:invite_users])
+        get :index
      end

-      it 'returns 403' do
-        expect(subject).to have_http_status 403
+      it 'returns http forbidden' do
+        expect(response).to have_http_status(403)
      end
    end
  end
@@ -42,8 +47,6 @@ describe InvitesController do
    subject { post :create, params: { invite: { max_uses: '10', expires_in: 1800 } } }

    context 'when everyone can invite' do
-      let(:user) { Fabricate(:user) }
-
      before do
        UserRole.everyone.update(permissions: UserRole.everyone.permissions | UserRole::FLAGS[:invite_users])
      end
@@ -56,26 +59,28 @@ describe InvitesController do
    end

    context 'when not everyone can invite' do
-      let(:user) { Fabricate(:user) }
-
      before do
        UserRole.everyone.update(permissions: UserRole.everyone.permissions & ~UserRole::FLAGS[:invite_users])
      end

-      it 'returns 403' do
-        expect(subject).to have_http_status 403
+      it 'returns http forbidden' do
+        expect(subject).to have_http_status(403)
      end
    end
  end

  describe 'DELETE #create' do
-    subject { delete :destroy, params: { id: invite.id } }
+    let(:invite) { Fabricate(:invite, user: user, expires_at: nil) }

-    let(:user) { Fabricate(:user) }
-    let!(:invite) { Fabricate(:invite, user: user, expires_at: nil) }
+    before do
+      delete :destroy, params: { id: invite.id }
+    end
+
+    it 'redirects' do
+      expect(response).to redirect_to invites_path
+    end

    it 'expires invite' do
-      expect(subject).to redirect_to invites_path
      expect(invite.reload).to be_expired
    end
  end
--- a/spec/controllers/manifests_controller_spec.rb
+++ b/spec/controllers/manifests_controller_spec.rb
@@ -7,11 +7,24 @@ describe ManifestsController do

  describe 'GET #show' do
    before do
-      get :show, format: :json
+      get :show
    end

    it 'returns http success' do
      expect(response).to have_http_status(200)
    end
+
+    it 'returns public cache control header' do
+      expect(response.headers['Cache-Control']).to include('public')
+    end
+
+    it 'does not set cookies' do
+      expect(response.cookies).to be_empty
+      expect(response.headers['Set-Cookies']).to be_nil
+    end
+
+    it 'does not set sessions' do
+      expect(session).to be_empty
+    end
  end
 end
--- a/spec/controllers/oauth/authorizations_controller_spec.rb
+++ b/spec/controllers/oauth/authorizations_controller_spec.rb
@@ -31,6 +31,11 @@ RSpec.describe Oauth::AuthorizationsController, type: :controller do
        expect(response).to have_http_status(200)
      end

+      it 'returns private cache control headers' do
+        subject
+        expect(response.headers['Cache-Control']).to include('private, no-store')
+      end
+
      it 'gives options to authorize and deny' do
        subject
        expect(response.body).to match(/Authorize/)
--- a/spec/controllers/oauth/authorized_applications_controller_spec.rb
+++ b/spec/controllers/oauth/authorized_applications_controller_spec.rb
@@ -27,6 +27,11 @@ describe Oauth::AuthorizedApplicationsController do
        expect(response).to have_http_status(200)
      end

+      it 'returns private cache control headers' do
+        subject
+        expect(response.headers['Cache-Control']).to include('private, no-store')
+      end
+
      include_examples 'stores location for user'
    end

--- a/spec/controllers/relationships_controller_spec.rb
+++ b/spec/controllers/relationships_controller_spec.rb
@@ -7,42 +7,39 @@ describe RelationshipsController do

  let(:user) { Fabricate(:user) }

-  shared_examples 'authenticate user' do
-    it 'redirects when not signed in' do
-      expect(subject).to redirect_to '/auth/sign_in'
-    end
-  end
-
  describe 'GET #show' do
-    subject { get :show, params: { page: 2, relationship: 'followed_by' } }
+    context 'when signed in' do
+      before do
+        sign_in user, scope: :user
+        get :show, params: { page: 2, relationship: 'followed_by' }
+      end

-    it 'assigns @accounts' do
-      Fabricate(:account, domain: 'old').follow!(user.account)
-      Fabricate(:account, domain: 'recent').follow!(user.account)
+      it 'returns http success' do
+        expect(response).to have_http_status(200)
+      end

-      sign_in user, scope: :user
-      subject
-
-      assigned = assigns(:accounts).per(1).to_a
-      expect(assigned.size).to eq 1
-      expect(assigned[0].domain).to eq 'old'
+      it 'returns private cache control headers' do
+        expect(response.headers['Cache-Control']).to include('private, no-store')
+      end
    end

-    it 'returns http success' do
-      sign_in user, scope: :user
-      subject
-      expect(response).to have_http_status(200)
-    end
+    context 'when not signed in' do
+      before do
+        get :show, params: { page: 2, relationship: 'followed_by' }
+      end

-    include_examples 'authenticate user'
+      it 'redirects when not signed in' do
+        expect(response).to redirect_to '/auth/sign_in'
+      end
+    end
  end

  describe 'PATCH #update' do
-    let(:poopfeast) { Fabricate(:account, username: 'poopfeast', domain: 'example.com') }
+    let(:alice) { Fabricate(:account, username: 'alice', domain: 'example.com') }

    shared_examples 'redirects back to followers page' do
      it 'redirects back to followers page' do
-        poopfeast.follow!(user.account)
+        alice.follow!(user.account)

        sign_in user, scope: :user
        subject
@@ -58,27 +55,36 @@ describe RelationshipsController do
    end

    context 'when select parameter is provided' do
-      subject { patch :update, params: { form_account_batch: { account_ids: [poopfeast.id] }, remove_domains_from_followers: '' } }
+      subject { patch :update, params: { form_account_batch: { account_ids: [alice.id] }, remove_domains_from_followers: '' } }

      it 'soft-blocks followers from selected domains' do
-        poopfeast.follow!(user.account)
+        alice.follow!(user.account)

        sign_in user, scope: :user
        subject

-        expect(poopfeast.following?(user.account)).to be false
+        expect(alice.following?(user.account)).to be false
      end

      it 'does not unfollow users from selected domains' do
-        user.account.follow!(poopfeast)
+        user.account.follow!(alice)

        sign_in user, scope: :user
        subject

-        expect(user.account.following?(poopfeast)).to be true
+        expect(user.account.following?(alice)).to be true
+      end
+
+      context 'when not signed in' do
+        before do
+          subject
+        end
+
+        it 'redirects when not signed in' do
+          expect(response).to redirect_to '/auth/sign_in'
+        end
      end

-      include_examples 'authenticate user'
      include_examples 'redirects back to followers page'
    end
  end
--- a/spec/controllers/settings/aliases_controller_spec.rb
+++ b/spec/controllers/settings/aliases_controller_spec.rb
@@ -13,10 +13,17 @@ describe Settings::AliasesController do
  end

  describe 'GET #index' do
-    it 'returns http success' do
+    before do
      get :index
+    end
+
+    it 'returns http success' do
      expect(response).to have_http_status(200)
    end
+
+    it 'returns private cache control headers' do
+      expect(response.headers['Cache-Control']).to include('private, no-store')
+    end
  end

  describe 'POST #create' do
--- a/spec/controllers/settings/applications_controller_spec.rb
+++ b/spec/controllers/settings/applications_controller_spec.rb
@@ -13,13 +13,17 @@ describe Settings::ApplicationsController do
  end

  describe 'GET #index' do
-    let!(:other_app) { Fabricate(:application) }
-
-    it 'shows apps' do
+    before do
+      Fabricate(:application)
      get :index
+    end
+
+    it 'returns http success' do
      expect(response).to have_http_status(200)
-      expect(assigns(:applications)).to include(app)
-      expect(assigns(:applications)).to_not include(other_app)
+    end
+
+    it 'returns private cache control headers' do
+      expect(response.headers['Cache-Control']).to include('private, no-store')
    end
  end

--- a/spec/controllers/settings/deletes_controller_spec.rb
+++ b/spec/controllers/settings/deletes_controller_spec.rb
@@ -11,20 +11,27 @@ describe Settings::DeletesController do

      before do
        sign_in user, scope: :user
+        get :show
      end

      it 'renders confirmation page' do
-        get :show
        expect(response).to have_http_status(200)
      end

+      it 'returns private cache control headers' do
+        expect(response.headers['Cache-Control']).to include('private, no-store')
+      end
+
      context 'when suspended' do
        let(:user) { Fabricate(:user, account_attributes: { suspended_at: Time.now.utc }) }

        it 'returns http forbidden' do
-          get :show
          expect(response).to have_http_status(403)
        end
+
+        it 'returns private cache control headers' do
+          expect(response.headers['Cache-Control']).to include('private, no-store')
+        end
      end
    end

--- a/spec/controllers/settings/exports_controller_spec.rb
+++ b/spec/controllers/settings/exports_controller_spec.rb
@@ -11,16 +11,16 @@ describe Settings::ExportsController do

      before do
        sign_in user, scope: :user
+        get :show
      end

-      it 'renders export' do
-        get :show
-
-        export = assigns(:export)
-        expect(export).to be_instance_of Export
-        expect(export.account).to eq user.account
+      it 'returns http success' do
        expect(response).to have_http_status(200)
      end
+
+      it 'returns private cache control headers' do
+        expect(response.headers['Cache-Control']).to include('private, no-store')
+      end
    end

    context 'when not signed in' do
--- a/spec/controllers/settings/imports_controller_spec.rb
+++ b/spec/controllers/settings/imports_controller_spec.rb
@@ -10,10 +10,17 @@ RSpec.describe Settings::ImportsController, type: :controller do
  end

  describe 'GET #show' do
-    it 'returns http success' do
+    before do
      get :show
+    end
+
+    it 'returns http success' do
      expect(response).to have_http_status(200)
    end
+
+    it 'returns private cache control headers' do
+      expect(response.headers['Cache-Control']).to include('private, no-store')
+    end
  end

  describe 'POST #create' do
--- a/spec/controllers/settings/login_activities_controller_spec.rb
+++ b/spec/controllers/settings/login_activities_controller_spec.rb
@@ -12,9 +12,16 @@ describe Settings::LoginActivitiesController do
  end

  describe 'GET #index' do
-    it 'returns http success' do
+    before do
      get :index
+    end
+
+    it 'returns http success' do
      expect(response).to have_http_status(200)
    end
+
+    it 'returns private cache control headers' do
+      expect(response.headers['Cache-Control']).to include('private, no-store')
+    end
  end
 end
--- a/spec/controllers/settings/migration/redirects_controller_spec.rb
+++ b/spec/controllers/settings/migration/redirects_controller_spec.rb
@@ -12,10 +12,17 @@ describe Settings::Migration::RedirectsController do
  end

  describe 'GET #new' do
-    it 'returns http success' do
+    before do
      get :new
+    end
+
+    it 'returns http success' do
      expect(response).to have_http_status(200)
    end
+
+    it 'returns private cache control headers' do
+      expect(response.headers['Cache-Control']).to include('private, no-store')
+    end
  end

  describe 'POST #create' do
--- a/spec/controllers/settings/preferences/appearance_controller_spec.rb
+++ b/spec/controllers/settings/preferences/appearance_controller_spec.rb
@@ -12,11 +12,17 @@ describe Settings::Preferences::AppearanceController do
  end

  describe 'GET #show' do
-    it 'returns http success' do
+    before do
      get :show
+    end

+    it 'returns http success' do
      expect(response).to have_http_status(200)
    end
+
+    it 'returns private cache control headers' do
+      expect(response.headers['Cache-Control']).to include('private, no-store')
+    end
  end

  describe 'PUT #update' do
--- a/spec/controllers/settings/preferences/notifications_controller_spec.rb
+++ b/spec/controllers/settings/preferences/notifications_controller_spec.rb
@@ -12,10 +12,17 @@ describe Settings::Preferences::NotificationsController do
  end

  describe 'GET #show' do
-    it 'returns http success' do
+    before do
      get :show
+    end
+
+    it 'returns http success' do
      expect(response).to have_http_status(200)
    end
+
+    it 'returns private cache control headers' do
+      expect(response.headers['Cache-Control']).to include('private, no-store')
+    end
  end

  describe 'PUT #update' do
--- a/spec/controllers/settings/preferences/other_controller_spec.rb
+++ b/spec/controllers/settings/preferences/other_controller_spec.rb
@@ -12,10 +12,17 @@ describe Settings::Preferences::OtherController do
  end

  describe 'GET #show' do
-    it 'returns http success' do
+    before do
      get :show
+    end
+
+    it 'returns http success' do
      expect(response).to have_http_status(200)
    end
+
+    it 'returns private cache control headers' do
+      expect(response.headers['Cache-Control']).to include('private, no-store')
+    end
  end

  describe 'PUT #update' do
--- a/spec/controllers/settings/profiles_controller_spec.rb
+++ b/spec/controllers/settings/profiles_controller_spec.rb
@@ -13,10 +13,17 @@ RSpec.describe Settings::ProfilesController, type: :controller do
  end

  describe 'GET #show' do
-    it 'returns http success' do
+    before do
      get :show
+    end
+
+    it 'returns http success' do
      expect(response).to have_http_status(200)
    end
+
+    it 'returns private cache control headers' do
+      expect(response.headers['Cache-Control']).to include('private, no-store')
+    end
  end

  describe 'PUT #update' do
--- a/spec/controllers/settings/two_factor_authentication/webauthn_credentials_controller_spec.rb
+++ b/spec/controllers/settings/two_factor_authentication/webauthn_credentials_controller_spec.rb
@@ -140,7 +140,7 @@ describe Settings::TwoFactorAuthentication::WebauthnCredentialsController do
          it 'includes existing credentials in list of excluded credentials' do
            get :options

-            excluded_credentials_ids = JSON.parse(response.body)['excludeCredentials'].pluck('id')
+            excluded_credentials_ids = response.parsed_body['excludeCredentials'].pluck('id')
            expect(excluded_credentials_ids).to match_array(user.webauthn_credentials.pluck(:external_id))
          end
        end
--- a/spec/controllers/settings/two_factor_authentication_methods_controller_spec.rb
+++ b/spec/controllers/settings/two_factor_authentication_methods_controller_spec.rb
@@ -26,23 +26,25 @@ describe Settings::TwoFactorAuthenticationMethodsController do
      describe 'when user has enabled otp' do
        before do
          user.update(otp_required_for_login: true)
+          get :index
        end

        it 'returns http success' do
-          get :index
-
          expect(response).to have_http_status(200)
        end
+
+        it 'returns private cache control headers' do
+          expect(response.headers['Cache-Control']).to include('private, no-store')
+        end
      end

      describe 'when user has not enabled otp' do
        before do
          user.update(otp_required_for_login: false)
+          get :index
        end

        it 'redirects to enable otp' do
-          get :index
-
          expect(response).to redirect_to(settings_otp_authentication_path)
        end
      end
--- a/spec/controllers/shares_controller_spec.rb
+++ b/spec/controllers/shares_controller_spec.rb
@@ -9,7 +9,7 @@ describe SharesController do

  before { sign_in user }

-  describe 'GTE #show' do
+  describe 'GET #show' do
    subject(:body_classes) { assigns(:body_classes) }

    before { get :show, params: { title: 'test title', text: 'test text', url: 'url1 url2' } }
--- a/spec/controllers/statuses_cleanup_controller_spec.rb
+++ b/spec/controllers/statuses_cleanup_controller_spec.rb
@@ -11,19 +11,32 @@ RSpec.describe StatusesCleanupController, type: :controller do
  end

  describe 'GET #show' do
-    it 'returns http success' do
+    before do
      get :show
+    end
+
+    it 'returns http success' do
      expect(response).to have_http_status(200)
    end
+
+    it 'returns private cache control headers' do
+      expect(response.headers['Cache-Control']).to include('private, no-store')
+    end
  end

  describe 'PUT #update' do
-    it 'updates the account status cleanup policy' do
+    before do
      put :update, params: { account_statuses_cleanup_policy: { enabled: true, min_status_age: 2.weeks.seconds, keep_direct: false, keep_polls: true } }
-      expect(response).to redirect_to(statuses_cleanup_path)
+    end
+
+    it 'updates the account status cleanup policy' do
      expect(@user.account.statuses_cleanup_policy.enabled).to be true
      expect(@user.account.statuses_cleanup_policy.keep_direct).to be false
      expect(@user.account.statuses_cleanup_policy.keep_polls).to be true
    end
+
+    it 'redirects' do
+      expect(response).to redirect_to(statuses_cleanup_path)
+    end
  end
 end
--- a/spec/controllers/statuses_controller_spec.rb
+++ b/spec/controllers/statuses_controller_spec.rb
@@ -15,6 +15,10 @@ describe StatusesController do
      expect(session).to be_empty
    end

+    it 'returns Vary header' do
+      expect(response.headers['Vary']).to include 'Accept, Accept-Language, Cookie'
+    end
+
    it 'returns public Cache-Control header' do
      expect(response.headers['Cache-Control']).to include 'public'
    end
@@ -80,7 +84,7 @@ describe StatusesController do
        end

        it 'returns Vary header' do
-          expect(response.headers['Vary']).to eq 'Accept'
+          expect(response.headers['Vary']).to eq 'Accept, Accept-Language, Cookie'
        end

        it 'returns public Cache-Control header' do
@@ -105,7 +109,7 @@ describe StatusesController do
        end

        it 'returns Vary header' do
-          expect(response.headers['Vary']).to eq 'Accept'
+          expect(response.headers['Vary']).to eq 'Accept, Accept-Language, Cookie'
        end

        it_behaves_like 'cacheable response'
@@ -204,11 +208,11 @@ describe StatusesController do
          end

          it 'returns Vary header' do
-            expect(response.headers['Vary']).to eq 'Accept'
+            expect(response.headers['Vary']).to eq 'Accept, Accept-Language, Cookie'
          end

-          it 'returns no Cache-Control header' do
-            expect(response.headers).to_not include 'Cache-Control'
+          it 'returns private Cache-Control header' do
+            expect(response.headers['Cache-Control']).to include 'private'
          end

          it 'renders status' do
@@ -229,11 +233,11 @@ describe StatusesController do
          end

          it 'returns Vary header' do
-            expect(response.headers['Vary']).to eq 'Accept'
+            expect(response.headers['Vary']).to eq 'Accept, Accept-Language, Cookie'
          end

-          it 'returns public Cache-Control header' do
-            expect(response.headers['Cache-Control']).to include 'public'
+          it 'returns private Cache-Control header' do
+            expect(response.headers['Cache-Control']).to include 'private'
          end

          it 'returns Content-Type header' do
@@ -268,11 +272,11 @@ describe StatusesController do
            end

            it 'returns Vary header' do
-              expect(response.headers['Vary']).to eq 'Accept'
+              expect(response.headers['Vary']).to eq 'Accept, Accept-Language, Cookie'
            end

-            it 'returns no Cache-Control header' do
-              expect(response.headers).to_not include 'Cache-Control'
+            it 'returns private Cache-Control header' do
+              expect(response.headers['Cache-Control']).to include 'private'
            end

            it 'renders status' do
@@ -293,7 +297,7 @@ describe StatusesController do
            end

            it 'returns Vary header' do
-              expect(response.headers['Vary']).to eq 'Accept'
+              expect(response.headers['Vary']).to eq 'Accept, Accept-Language, Cookie'
            end

            it 'returns private Cache-Control header' do
@@ -355,11 +359,11 @@ describe StatusesController do
            end

            it 'returns Vary header' do
-              expect(response.headers['Vary']).to eq 'Accept'
+              expect(response.headers['Vary']).to eq 'Accept, Accept-Language, Cookie'
            end

-            it 'returns no Cache-Control header' do
-              expect(response.headers).to_not include 'Cache-Control'
+            it 'returns private Cache-Control header' do
+              expect(response.headers['Cache-Control']).to include 'private'
            end

            it 'renders status' do
@@ -380,7 +384,7 @@ describe StatusesController do
            end

            it 'returns Vary header' do
-              expect(response.headers['Vary']).to eq 'Accept'
+              expect(response.headers['Vary']).to eq 'Accept, Accept-Language, Cookie'
            end

            it 'returns private Cache-Control header' do
@@ -468,11 +472,11 @@ describe StatusesController do
          end

          it 'returns Vary header' do
-            expect(response.headers['Vary']).to eq 'Accept'
+            expect(response.headers['Vary']).to eq 'Accept, Accept-Language, Cookie'
          end

-          it 'returns no Cache-Control header' do
-            expect(response.headers).to_not include 'Cache-Control'
+          it 'returns private Cache-Control header' do
+            expect(response.headers['Cache-Control']).to include 'private'
          end

          it 'renders status' do
@@ -493,7 +497,7 @@ describe StatusesController do
          end

          it 'returns Vary header' do
-            expect(response.headers['Vary']).to eq 'Accept'
+            expect(response.headers['Vary']).to eq 'Accept, Accept-Language, Cookie'
          end

          it_behaves_like 'cacheable response'
@@ -530,11 +534,11 @@ describe StatusesController do
            end

            it 'returns Vary header' do
-              expect(response.headers['Vary']).to eq 'Accept'
+              expect(response.headers['Vary']).to eq 'Accept, Accept-Language, Cookie'
            end

-            it 'returns no Cache-Control header' do
-              expect(response.headers).to_not include 'Cache-Control'
+            it 'returns private Cache-Control header' do
+              expect(response.headers['Cache-Control']).to include 'private'
            end

            it 'renders status' do
@@ -555,7 +559,7 @@ describe StatusesController do
            end

            it 'returns Vary header' do
-              expect(response.headers['Vary']).to eq 'Accept'
+              expect(response.headers['Vary']).to eq 'Accept, Accept-Language, Cookie'
            end

            it 'returns private Cache-Control header' do
@@ -617,11 +621,11 @@ describe StatusesController do
            end

            it 'returns Vary header' do
-              expect(response.headers['Vary']).to eq 'Accept'
+              expect(response.headers['Vary']).to eq 'Accept, Accept-Language, Cookie'
            end

-            it 'returns no Cache-Control header' do
-              expect(response.headers).to_not include 'Cache-Control'
+            it 'returns private Cache-Control header' do
+              expect(response.headers['Cache-Control']).to include 'private'
            end

            it 'renders status' do
@@ -642,7 +646,7 @@ describe StatusesController do
            end

            it 'returns Vary header' do
-              expect(response.headers['Vary']).to eq 'Accept'
+              expect(response.headers['Vary']).to eq 'Accept, Accept-Language, Cookie'
            end

            it 'returns private Cache-Control header' do
@@ -823,7 +827,7 @@ describe StatusesController do
      end

      it 'returns Vary header' do
-        expect(response.headers['Vary']).to eq 'Accept'
+        expect(response.headers['Vary']).to eq 'Accept, Accept-Language, Cookie'
      end

      it 'returns public Cache-Control header' do
--- a/spec/controllers/tags_controller_spec.rb
+++ b/spec/controllers/tags_controller_spec.rb
@@ -6,21 +6,50 @@ RSpec.describe TagsController, type: :controller do
  render_views

  describe 'GET #show' do
-    let!(:tag)     { Fabricate(:tag, name: 'test') }
-    let!(:local)   { Fabricate(:status, tags: [tag], text: 'local #test') }
-    let!(:remote)  { Fabricate(:status, tags: [tag], text: 'remote #test', account: Fabricate(:account, domain: 'remote')) }
-    let!(:late)    { Fabricate(:status, tags: [tag], text: 'late #test') }
+    let(:format) { 'html' }
+    let(:tag) { Fabricate(:tag, name: 'test') }
+    let(:tag_name) { tag&.name }
+
+    before do
+      get :show, params: { id: tag_name, format: format }
+    end

    context 'when tag exists' do
-      it 'returns http success' do
-        get :show, params: { id: 'test', max_id: late.id }
-        expect(response).to have_http_status(200)
+      context 'when requested as HTML' do
+        it 'returns http success' do
+          expect(response).to have_http_status(200)
+        end
+
+        it 'returns Vary header' do
+          expect(response.headers['Vary']).to eq 'Accept, Accept-Language, Cookie'
+        end
+
+        it 'returns public Cache-Control header' do
+          expect(response.headers['Cache-Control']).to include 'public'
+        end
+      end
+
+      context 'when requested as JSON' do
+        let(:format) { 'json' }
+
+        it 'returns http success' do
+          expect(response).to have_http_status(200)
+        end
+
+        it 'returns Vary header' do
+          expect(response.headers['Vary']).to eq 'Accept, Accept-Language, Cookie'
+        end
+
+        it 'returns public Cache-Control header' do
+          expect(response.headers['Cache-Control']).to include 'public'
+        end
      end
    end

    context 'when tag does not exist' do
+      let(:tag_name) { 'hoge' }
+
      it 'returns http not found' do
-        get :show, params: { id: 'none' }
        expect(response).to have_http_status(404)
      end
    end