Commit Graph

34480 Commits

Author SHA1 Message Date
Sam Saffron
0420e8145e SECURITY: update rubyzip dependency
This updates rubyzip library so that callers can trust entries when
extracting files avoiding situations where a rogues zip imported by a rogue
admin could cause a disk space issue.
2019-10-01 17:11:20 +10:00
Sam Saffron
ba0114a6ff SECURITY: update rack-mini-profiler to latest to correct XSS
This corrects an XSS in ?pp=help.

Also removes the jQuery dependency from rack-mini-profiler and restricts
memory sensitive profiling methods development only.
2019-10-01 16:55:58 +10:00
Sam Saffron
499472b6a0 FIX: change focus when application resumes in android
Per new lifecycle https://developers.google.com/web/updates/2018/07/page-lifecycle-api

On Android and latest Chrome when an app transitions from "frozen" to
active the new "resume" event fires with no accompanying "visibilitychange"
event.

This means that often background tabs may be stuck thinking that discourse
has no focus when, indeed, it has.

This leads to cases where no posts are marked read anymore.
2019-10-01 12:00:07 +10:00
Kris
5cfbe19eef UX: Change composer's edit reason link to an icon 2019-09-30 20:58:31 -04:00
Penar Musaraj
444d123f0d UX: Use Visual Viewport API for iOS composer height
This applies to iPhones running iOS 13+.
Previous technique remains in place for iOS 12 and below.

Note that this does not apply to iPads on iOS 13 due to Apple no longer
identifying iPads in the user agent string.
2019-09-30 13:56:40 -04:00
Robin Ward
d5c5ca46b6 SECURITY: Don't allow base_uri as embeddable host if none exist 2019-09-29 20:51:59 -04:00
Kris
756104432e UX: add class to distinguish specific moderator categories on about page 2019-09-27 09:34:56 -04:00
Gerhard Schlager
8adec48b33 Update translations 2019-09-26 04:29:44 +02:00
Vinoth Kannan
02731ef33e FIX: include video tags and short urls in 'have_uploads' method.
While checking the existence of upload in posts we must include <video> tags and 'short-url' format of upload URLs.
2019-09-24 23:17:59 +05:30
Joffrey JAFFEUX
cb8fa46970
DEV: prevents populate task to crash (#8111)
Generated emails/names/sentences were crashing with the following error:

```
Can not transliterate strings with ASCII-8BIT encoding
```
2019-09-22 05:18:48 -07:00
Vinoth Kannan
301c5a303f FIX: include 'short_path' as src in each_upload_url method. 2019-09-22 15:32:28 +05:30
Rafael dos Santos Silva
7543695744 FIX: PWA install was broken due to missing basic logo
The current manifest validation in Chrome requires at least one
non-maskable icon to make it installable.

This commit adds the maskable entry as another entry, following up
on changes added in 3e590b8
2019-09-22 00:20:25 -04:00
Rafael dos Santos Silva
3e590b87cf FEATURE: Add support for maskable icons in the PWA manifest
Because:

- Chrome 78 and Firefox Fenix have support for it
- The icons will look better by using all the availiable space
- Admins can control the icon and add appropriate padding since we have a
dedicated asset for the manifest logo. Read more about it on
https://css-tricks.com/maskable-icons-android-adaptive-icons-for-your-pwa/

This commit:

- Adds a new key under the icons array in the webmanifest, named purpose
with maskable value.
2019-09-21 11:50:00 -04:00
Daniel Waterworth
7f8cdea924 FIX: Cleanup DiscoursePluginRegistry state after tests that use it
This was causing some heisentests
2019-09-20 13:32:54 +01:00
Daniel Waterworth
563253e9ed FIX: Fix options given to per-minute rate limiter
Previously the options for the per-minute and per-10-second rate
limiters were the same.
2019-09-20 10:48:59 +01:00
Osama Sayegh
57db3c1fbe
FIX: Properly render server side plugin outlets (#8106)
The behavior of the `render` helper method changed in Rails 6 so now the method doesn't render the template and return the output, instead it just returns the file content as-is. Context: https://meta.discourse.org/t/discourse-sitemap-plugin/40348/134?u=osama
2019-09-19 21:51:06 +03:00
Robin Ward
d251f12c9c Tweak calculation for reviewable sensitivities/priorities
Previously, calculating thresholds for reviewables was done based on the
50th and 85th percentile across all reviewables. However, many forum
owners provided feedback that these thresholds were too easy to hit, in
particular when it came to auto hiding content.

The calculation has been adjusted to base the priorities on reviewables
that have a minimum of 2 scores (flags). This should push the amount of
flags required to hide something higher then before.
2019-09-19 14:07:56 -04:00
Robin Ward
d5b52abf2f FIX: Require a min amount of reviewables before calculating thresholds
On forums with very few flags you don't want to calculate averages
because they won't be very useful. Stick with the defaults until we hit
15 reviewables at least.
2019-09-19 13:42:50 -04:00
Robin Ward
3c6a5836c2 FIX: Sensitivity did not work by default
Forums without previously calculated scores would return the same values
for low/medium/high sensitivity. Now those are scaled based on the
default value.

The default value has also been changed from 10.0 to 12.5 based on
observing data from live discourse forums.
2019-09-19 13:26:17 -04:00
Jeff Atwood
7ad338e3e6 copyedit on topic template modify warn 2019-09-18 16:31:53 -07:00
Krzysztof Kotlarek
f64c9f37fa FIX: Remove versions from Active Record warm up (#8105) 2019-09-18 17:59:51 -04:00
Kris
e7ea5d3099 update color variable 2019-09-18 15:57:58 -04:00
Penar Musaraj
c6cfbebf1f
FIX: ignore min_trust_to_send_messages when messaging groups (#8104)
This means that TL0 users can message groups with "Who can message this
group?" set to "Everyone".

It also means that members of a group with "Who can message this
group?" set to "members, moderators and admins" can also message the
group, even when their trust level is below min_trust_to_send_messages.
2019-09-18 15:23:13 -04:00
tshenry
cad83bf071
Copy: Update Dashboard Advice PM
If dashboard advice has already been acted on, an admin may want to find out what the advice was, who acted on it, and when. Linking to the staff action logs should help in tracking down this information.
2019-09-18 11:54:12 -07:00
Régis Hanol
72e38b291f FIX: proper jumpToPost with whispers/small-actions
findPostIdForPostNumber does not take into account whispers and small actions posts
so the jump might end up on the wrong post.
2019-09-18 18:32:40 +02:00
Gerhard Schlager
ed1e5ef6cc FIX: By default, don't abort Google Groups crawling on error 2019-09-18 18:14:04 +02:00
Krzysztof Kotlarek
a4f5f5d0bb FIX: Split migration into two steps in developer guide (#8103) 2019-09-18 10:09:17 -04:00
Robin Ward
0b921d2356 Add spec to confirm auto hide is not executed on like 2019-09-18 09:51:07 -04:00
Robin Ward
7ae071282a FIX: Only apply post hide logic to flag actions 2019-09-18 09:39:09 -04:00
Gerhard Schlager
ab96239f2a FIX: Google Groups crawler failed to login
Trying to automate the login into a Google account is quite hard. This makes the crawler use the content of a cookies.txt file instead. It also removes a couple of deprecation warnings and adds some color to the output.
2019-09-18 13:09:20 +02:00
David Taylor
479fdaaea1
DEV: Allow specifying button class in reviewable action definitions (#8093)
This avoids the need for using `@extend` in SCSS, which can be problematic in plugins

For context, see https://review.discourse.org/t/fix-make-compatible-with-debundled-plugin-css-assets-feature/5297/7
2019-09-18 11:28:59 +01:00
Sam Saffron
1ca257be79 DEV: db:migrate no longer works after db:schema:load
In Rails 6 due to internal changes, the following sequence no longer works:

```
RAILS_ENV=test bin/rake db:migrate
RAILS_ENV=test bin/rake db:schema:dump
dropdb discourse_test
createdb discourse_test
RAILS_ENV=test bin/rake db:schema:load
RAILS_ENV=test bin/rake db:migrate
```

What appears to be happening is that our tracking of plugin migrations is
being missed on schema:dump or load.

A more comprehensive fix restoring schema:dump / load support will be
investigated.
2019-09-18 13:17:49 +10:00
Sam Saffron
cd1ab206d9 DEV: add missing ultra low queue to mwrap sidekiq
note: mwrap is used for analysis of memory bloat and leaks of processes
2019-09-18 11:18:35 +10:00
Régis Hanol
bb127b8140 FIX: preview up to 'max_oneboxes_per_post' oneboxes
We were counting all the oneboxes in the DOM instead of just the ones in the preview.

Also refactored the logic to count up to 'max_oneboxes_per_post` instead of down to 0.
That also ensured we don't load 11 oneboxes when the setting is limiting to 10.
2019-09-17 23:25:15 +02:00
Penar Musaraj
3debdc8131 SECURITY: XSS when oneboxing user profile location field
The XSS here is only possible if CSP is disabled. Low impact since CSP is enabled by default in SiteSettings.
2019-09-17 16:12:50 -04:00
Robin Ward
c3bbf643b1 FIX: Put back the TL3 -> TL0 spam thing
We talked about it and decided it's still relevant in the score world.
2019-09-17 16:04:46 -04:00
Jay Pfaffman
215f6d97e5 Make INSTALL-cloud agree with discourse-setup (#8102)
`discourse-setup` will install Docker. Several people lately have had trouble with a `|` getting turned into a `>` when trying to `curl` the site into `sh`.

Also, the recommended `git clone` command will create `/var/discourse`, so don't tell people to make that directory, as that too can be confusing.
2019-09-17 12:45:40 -07:00
Robin Ward
5bf3a00328 FIX: Ignored flags should not count in your accuracy score 2019-09-17 14:54:20 -04:00
Joshua Rosenfeld
c463a04c3f Copy: Update too few topics/posts notice
The current copy has caused some confusion that admins can only create 5 topics or 30 posts. Update copy to make it clearer this is a recommended minimum, not a limit.
2019-09-17 14:41:52 -04:00
Robin Ward
4cd620e36e Remove special cases for flagging
Prior to the new review queue there were a couple special cases where
posts would be auto hidden:

* If a TL3 or above flagged a TL0 post as spam
* If a TL4 or above flagged a non-staff, non-TL4 post as spam, inappropriate or off
topic.

These cases are now removed in favour of the scoring system.
2019-09-17 13:44:15 -04:00
Joshua Rosenfeld
5c897b6d0c
Copy: Update Dashboard Advice PM
All admins receive the Dashboard Advice PM. If one admin takes action on the advice, future admins who follow the link in the PM will see no advice on the dashboard. This has caused some confusion, so we've updated the text to make this clearer.
2019-09-17 13:39:26 -04:00
David Taylor
e1e8cac58f FIX: Correct theme SCSS error handling 2019-09-17 10:20:32 +01:00
David Taylor
e74f851728 FIX: Live reload plugin stylesheets when editing in development 2019-09-17 09:54:59 +01:00
David Taylor
3da9b99dbf FIX: Live reload plugin stylesheets when the color scheme changes 2019-09-17 09:54:55 +01:00
David Taylor
081c36a459 FIX: Do not include theme variables in plugin SCSS, and fix register_css 2019-09-17 09:54:52 +01:00
Arpit Jalan
4a11e7ee56 fix the build. 2019-09-17 13:00:41 +05:30
Arpit Jalan
671ffc4e06 FIX: do not allow posting of category topic template without any changes 2019-09-17 12:32:46 +05:30
Sam Saffron
b282c893b2 DEV: support multiple hosts in dev
This renames the DISCOURSE_ENV_HOST var @eviltrout introduced in 95a9a544
to DISCOURSE_ENV_HOSTS and allows for a comma delimited list of hosts

This is useful for testing plugins and customized host names
2019-09-17 16:01:39 +10:00
Sam Saffron
445d305154 DEV: initial migration can fail
db:migrate can issue translations due to module loading localizing
end user messages

This allows db:migrate to work even when db is blank
2019-09-17 13:38:01 +10:00
Kyle Zhao
fb200e3055 FIX: Escape $ in translations before interpolating (#8100)
The dollar sign (`$`) is a special replace pattern, and `$&` inserts the
matched string. Thus dollars signs need to be escaped with the special
pattern `$$`, which inserts a single `$`.
2019-09-16 13:52:49 -04:00