From 0fbc8c439c68c1bda31e5717b72d3d7d991e4822 Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Wed, 7 Feb 2024 18:43:45 +0100
Subject: [PATCH 1/4] remove broken proxying of Twitter avatars

---
 liberapay/models/account_elsewhere.py | 3 ---
 sql/branch.sql                        | 3 +++
 2 files changed, 3 insertions(+), 3 deletions(-)
 create mode 100644 sql/branch.sql

diff --git a/liberapay/models/account_elsewhere.py b/liberapay/models/account_elsewhere.py
index e7ab12e12..da530d109 100644
--- a/liberapay/models/account_elsewhere.py
+++ b/liberapay/models/account_elsewhere.py
@@ -193,9 +193,6 @@ def update():
                     raise
 
         # Return account after propagating avatar_url to participant
-        avatar_url = account.avatar_url
-        if avatar_url and avatar_url.startswith('https://pbs.twimg.com/'):
-            avatar_url = 'https://nitter.net/pic/' + avatar_url[22:].replace('/', '%2F')
         account.participant.update_avatar(check=False)
         return account
 
diff --git a/sql/branch.sql b/sql/branch.sql
new file mode 100644
index 000000000..910f9b6fe
--- /dev/null
+++ b/sql/branch.sql
@@ -0,0 +1,3 @@
+UPDATE participants
+   SET avatar_url = 'https://pbs.twimg.com/' || regexp_replace(substr(avatar_url, 24), '%2F', '/', 'g')
+ WHERE avatar_url LIKE 'https://nitter.net/pic/%';

From 866872e060d1e6fef690eb791c69f8e8dbe361b4 Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Fri, 16 Feb 2024 18:28:30 +0100
Subject: [PATCH 2/4] include user ID in all email notifications

---
 emails/base.spt                 |  4 ++--
 liberapay/models/participant.py | 11 +++--------
 tests/py/test_sessions.py       |  2 ++
 3 files changed, 7 insertions(+), 10 deletions(-)

diff --git a/emails/base.spt b/emails/base.spt
index 076880092..cf1149d71 100644
--- a/emails/base.spt
+++ b/emails/base.spt
@@ -10,7 +10,7 @@ $body
         _("Something wrong? This email was sent automatically, but you can contact us by replying to it.")
     }}</div>
     <div style="font-size: 14px; padding-top: 12px;">
-        <a href="https://liberapay.com/about/me/emails/"
+        <a href="{{ participant.url('emails/') }}"
            style="text-decoration: underline;">{{
             _("Change your email settings")
         }}</a>.
@@ -29,4 +29,4 @@ $body
 
 {{ _("Something wrong? This email was sent automatically, but you can contact us by replying to it.") }}
 
-{{ _("Change your email settings") }}: https://liberapay.com/about/me/emails/
+{{ _("Change your email settings") }}: {{ participant.url('emails/') }}
diff --git a/liberapay/models/participant.py b/liberapay/models/participant.py
index 6066201f6..fc645de72 100644
--- a/liberapay/models/participant.py
+++ b/liberapay/models/participant.py
@@ -1794,7 +1794,7 @@ def url(self, path='', query='', log_in='auto'):
             extra_query = []
             if log_in == 'required' or log_in == 'auto' and not self.has_password:
                 primary_email = self.get_email_address()
-                if email_row.address.lower() == primary_email.lower():
+                if primary_email and email_row.address.lower() == primary_email.lower():
                     # Only send login links to the primary email address
                     session = self._email_session
                     if not session:
@@ -1810,13 +1810,8 @@ def url(self, path='', query='', log_in='auto'):
                         extra_query.append(('log-in.token', session.secret))
                         if log_in != 'required':
                             extra_query.append(('log-in.required', 'no'))
-                else:
-                    try:
-                        raise AssertionError('%r != %r' % (email_row.address, primary_email))
-                    except AssertionError as e:
-                        website.tell_sentry(e)
-                        if log_in == 'required':
-                            raise
+                elif log_in == 'required':
+                    raise AssertionError('%r != %r' % (email_row.address, primary_email))
             if not email_row.verified:
                 if not email_row.nonce:
                     email_row = self._rendering_email_to = self.db.one("""
diff --git a/tests/py/test_sessions.py b/tests/py/test_sessions.py
index 1cedab8a6..3bec81f2c 100644
--- a/tests/py/test_sessions.py
+++ b/tests/py/test_sessions.py
@@ -155,6 +155,7 @@ def test_email_login(self):
         alice = self.make_participant('alice', email=None)
         alice.add_email(email)
         alice.close()
+        self.db.run("DELETE FROM user_secrets")
 
         # Sanity checks
         email_row = alice.get_email(email)
@@ -248,6 +249,7 @@ def test_email_login_with_old_unverified_address(self):
         alice = self.make_participant('alice', email=None)
         alice.add_email(email)
         Participant.dequeue_emails()
+        self.db.run("DELETE FROM user_secrets")
         self.db.run("UPDATE emails SET nonce = null")
 
         # Initiate email log-in

From df8dbaace6b040235badaafdc7eb8d7332753f5f Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Fri, 16 Feb 2024 18:29:47 +0100
Subject: [PATCH 3/4] remove duplicate information in `/admin/payments`

---
 www/admin/payments.spt | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/www/admin/payments.spt b/www/admin/payments.spt
index 52e116170..6b54c7235 100644
--- a/www/admin/payments.spt
+++ b/www/admin/payments.spt
@@ -81,9 +81,11 @@ title = "Payments Admin"
 
 % extends "templates/layouts/admin.html"
 
-% macro render_payin_transfer(pt, pi)
+% macro render_payin_transfer(pt, pi, show_amount=True)
     <li>
+    % if show_amount
     {{ locale.format_money(pt.amount) }}
+    % endif
     to <a href="/~{{ pt.recipient }}/">{{ pt.recipient_name }}</a>
     % if pt.period
         ({{ locale.format_money(pt.unit_amount) }}/{{ pt.period[:-2] }} × {{ pt.n_units }})
@@ -167,8 +169,9 @@ title = "Payments Admin"
                     {{ locale.format_money_basket(item['sum']) }}
                     through team <a href="/~{{ item['team_id'] }}/">{{ item['team_name'] }}</a>
                     <ul class="hooked-right-pointing-arrows">
+                    % set show_amount = len(item['transfers']) > 1
                     % for pt in item['transfers']
-                        {{ render_payin_transfer(pt, pi) }}
+                        {{ render_payin_transfer(pt, pi, show_amount=show_amount) }}
                     % endfor
                     </ul>
                     </li>

From 408f26e9280fa347fa04d301a6cf28daa39a2dc6 Mon Sep 17 00:00:00 2001
From: Changaco <changaco@changaco.oy.lc>
Date: Fri, 16 Feb 2024 18:30:22 +0100
Subject: [PATCH 4/4] fix notifications of payment disputes

Stripe has sent us at least one callback erroneously containing `"status": "needs_response"` for an unchallengeable dispute.
---
 www/callbacks/stripe.spt | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/www/callbacks/stripe.spt b/www/callbacks/stripe.spt
index 976ebdaf2..54af17d2d 100644
--- a/www/callbacks/stripe.spt
+++ b/www/callbacks/stripe.spt
@@ -87,6 +87,10 @@ elif event_object_type == 'charge.dispute':
     # Notify the person who initiated the payment
     payer = Participant.from_id(payin.payer)
     if dispute.status in ('needs_response', 'lost'):
+        try:
+            due_by = dispute.evidence_details.due_by
+        except AttributeError:
+            due_by = 0
         try:
             payer.notify(
                 'payin_disputed',
@@ -97,7 +101,10 @@ elif event_object_type == 'charge.dispute':
                 payin_amount=payin.amount,
                 payin_ctime=payin.ctime,
                 dispute_reason=dispute.reason,
-                dispute_can_be_withdrawn=dispute.status == 'needs_response',
+                dispute_can_be_withdrawn=(
+                    dispute.status == 'needs_response' and
+                    due_by > utcnow().timestamp()
+                ),
                 mandate_url=route.get_mandate_url(),
             )
         except DuplicateNotification: