When processing an account confirmation email don't automatically
log the user in unless their browser session has a token that
matches the same user. Closes #3337.
In order to avoid forcing the user to press a confirm button, whilst
still not running into the problems we used to have with virus scanners
activating accounts we use javascript to hide and then automatically
submit the confirmation form.
Use a preinitializer to load the settings from application.yml so
that they are available as early as possible. All settings can also
be overridden using environment variables.
The ad-hoc settings in environment.rb are then moved to this new
system so we have one consistent location for settings.
When resetting a password only activate pending users, otherwise a
confirmed user's account gets set back to active and may then get
suspended by the spam scorer.
After we have processed the requested user changes, redirect back
to the list so that the resulting page is reloadable without getting
resubmission warnings from the browser.
Replace the existing "active" and "visible" with an enumerated status
that allows for extra cases. Currently we have "suspended" for users
who have triggered the spam detector and "confirmed" for users that have
triggered the detector but have been confirmed as valid by an admin.
Make the decline button on the terms page a real form submit button
and have the server redirect to the wiki as it's the only way to get
something that will actually look the same as a button on all the
different browsers.
- Map is smaller and placed to the side with lists of friends
and nearby users (now excluding friends) beside it.
- Map includes friends as well as nearby users.
- Friend and nearby user lists include photos and links to
friend/unfriend as appropriate.
- OAuth settings link moved up with all the other links in the
main navigation bar.
The addition of friends to the map also carries through to the user
settings page.
the existing :notice messages.
Also reviewed all existing flash messages and changed them to be errors or
warnings when appropriate and checked that those which are not followed by
a redirect are done as flash.now[] instead of flash[].