Commit Graph

56390 Commits

Author SHA1 Message Date
dependabot[bot]
07e880f3d2 Build(deps-dev): Bump selenium-devtools from 0.127.0 to 0.128.0 (#28622)
Bumps [selenium-devtools](https://github.com/SeleniumHQ/selenium) from 0.127.0 to 0.128.0.
- [Release notes](https://github.com/SeleniumHQ/selenium/releases)
- [Changelog](https://github.com/SeleniumHQ/selenium/blob/trunk/rb/CHANGES)
- [Commits](https://github.com/SeleniumHQ/selenium/commits)

---
updated-dependencies:
- dependency-name: selenium-devtools
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-10-07 12:22:11 +08:00
dependabot[bot]
7ba5599033 Build(deps-dev): Bump selenium-devtools from 0.126.0 to 0.127.0 (#28309)
Bumps [selenium-devtools](https://github.com/SeleniumHQ/selenium) from 0.126.0 to 0.127.0.
- [Release notes](https://github.com/SeleniumHQ/selenium/releases)
- [Changelog](https://github.com/SeleniumHQ/selenium/blob/trunk/rb/CHANGES)
- [Commits](https://github.com/SeleniumHQ/selenium/commits)

---
updated-dependencies:
- dependency-name: selenium-devtools
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-10-07 12:22:11 +08:00
Alan Guo Xiang Tan
c5f9a300d8
Bump version to v3.3.2 2024-10-07 12:16:40 +08:00
Penar Musaraj
250625774e
SECURITY: prevent topic list filtering by hidden tags for unauthorized users
This fixes an issue where unauthorized users were able to filter topics
by tags that are hidden from them.
2024-10-07 11:50:07 +08:00
OsamaSayegh
f08cd7f701
SECURITY: Block registrations for encoded emails that are invalid 2024-10-07 11:50:04 +08:00
Jan Cernik
cd9d0d7c17
SECURITY: add pagination to post replies
When a post has some replies, and the user clicks on the button to show them, we would load ALL the replies. This could lead to DoS if there were a very large number of replies.

This adds support for pagination to these post replies.

Internal ref t/129773
2024-10-07 11:50:00 +08:00
Bianca Nenciu
e9e9ae37a9
SECURITY: Use different anon cache keys for XHR requests
XHR requests are handled differently by the application and the
responses do not have any preloaded data so the cache key needs to
differentiate between those requests.
2024-10-07 11:49:57 +08:00
Jan Cernik
77a2d82d5a
SECURITY: Correctly parse URLs in chat excerpts 2024-10-07 11:49:54 +08:00
Loïc Guitaut
aedfb12eda DEV: Output failing MF keys when compilation fails
Currently, when the MessageFormat compiler fails on some translations,
we just have the raw output from the compiler in the logs and that’s not
always very helpful.

Now, when there is an error, we iterate over the translation keys and
try to compile them one by one. When we detect one that is failing, it’s
added to a list that is now outputted in the logs. That way, it’s easier
to know which keys are not properly translated, and the problems can be
addressed quicker.
2024-10-04 23:51:08 +09:00
Discourse Translator Bot
7bf7bc2b8c Update translations 2024-10-02 08:55:14 +02:00
Ted Johansson
25514419e0
FIX: Fix incorrect check for required custom fields (#28541) (#28939)
This check was checking the wrong scope, causing problems in certain edge conditions, for example:

1. Admin adds an "on signup" field that isn't editable after signup.
2. Admin adds a "for all users" field.
3. User goes and fills up the "for all users" field from 2.
4. User is now stuck on the required fields page without any fields showing.

With this change, we only consider "for all users" fields when asking if required custom fields are filled in.
2024-09-17 13:32:26 +08:00
Alan Guo Xiang Tan
a21c68b7f3
DEV: Cap number of thread-loader workers in assets:precompile:build (#28830) (#28836)
We were running into errors running `ember build` on machines with high
CPU counts. It was then noted that `thread-loader`, which embroider uses, defaults to spinning
up x workers where x is number of physical CPU cores - 1. That is
probably too much so we set out to find out an optimal count to set for
the `JOBS` env which embroider will use to set the number of
`thread-loader` workers.

I first built an image using the following Dockerfile.

```
FROM discourse/base:release

RUN cd /var/www/discourse && sudo -EH -u discourse bundle exec rake plugin:install_all_official
RUN cd /var/www/discourse && sudo -EH -u discourse bundle exec rake assets:precompile:prereqs
```

I then ran the following command on my M3 Max Macbook Pro that has 14
physical CPU cores.

```
for j in 1 2 4 8 14; do echo "JOBS=$j"; time docker run --rm -it -e JOBS=$j test:latest /bin/bash -c "su discourse -c 'cd /var/www/discourse && bundle exec rake assets:precompile:build'"; done
```

These are the results I got:

```
JOBS=1 0.04s user 0.03s system 0% cpu 1:01.92 total
JOBS=2 0.04s user 0.02s system 0% cpu 42.605 total
JOBS=4 0.04s user 0.02s system 0% cpu 37.012 total
JOBS=8 0.04s user 0.02s system 0% cpu 35.199 total
JOBs=14 0.04s user 0.02s system 0% cpu 37.941 total
```

We think JOBS=2 is a good default when the `JOBS` env has not been set.
Anything above just consumes more resources for little benefit.
2024-09-11 09:04:04 +08:00
Discourse Translator Bot
381cf85481
Update translations (#28706) 2024-09-05 16:00:39 +02:00
Discourse Translator Bot
6e82e844a1
Update translations (#28578) 2024-09-02 18:00:09 +02:00
Bianca Nenciu
15f036bafa
DEV: Migrate notifications#id and related columns to bigint (#28584)
* DEV: Migrate notifications#id to bigint (#28444)

The `notifications.id` column is the most probable column to run out of
values. This is because it is an `int` column that has only 2147483647
values and many notifications are generated on a regular basis in an
active community. This commit migrates the column to `bigint`.

These migrations do not use `ALTER TABLE ... COLUMN ... TYPE` in order
to avoid the `ACCESS EXCLUSIVE` lock on the entire table. Instead, they
create a new `bigint` column, copy the values to the new column and
then set the new column as primary key.

Related columns (see `user_badges`, `shelved_notifications`) will
be migrated in a follow-up commit.

* DEV: Fix bigint notifications id migration to deal with public schema (#28538)

Follow up to 799a45a291

* DEV: Migrate shelved_notifications#notification_id to bigint (#28549)

DEV: Migrate shelved_notifications#notification_id to bigint

The `notifications.id` has been migrated to `bigint` in previous commit
799a45a291.

* DEV: Fix annotations (#28569)

Follow-up to ec8ba5a0b9

* DEV: Migrate user_badges#notification_id to bigint (#28546)

The `notifications.id` has been migrated to bigint in previous commit
799a45a291. This commit migrates one of
the related columns, `user_badges.notification_id`, to `bigint`.

* DEV: Migrate `User#seen_notification_id` to `bigint` (#28572)

`Notification#id` was migrated to `bigint` in 799a45a291

* DEV: Migrate `Chat::NotificationMention#notification_id` to `bigint` (#28571)

`Notification#id` was migrated to `bigint` in 799a45a291

---------

Co-authored-by: Alan Guo Xiang Tan <gxtan1990@gmail.com>
2024-08-29 18:06:55 +03:00
Penar Musaraj
c4ece1a7b7
Bump version to v3.3.1 2024-08-27 10:58:34 -04:00
Joffrey JAFFEUX
d3ad2ecda9
FIX: Badge image uploader (#28188) (#28521)
In the formkit conversion in 2ca06ba236
we missed setting a type for the UppyImageUploader for badges. Also,
we were not passing down the `image_url` as form data, so when we used
`data.image` for that field the badge was not updating in the UI after
page loads and the image URL was not loading for preview.

Co-authored-by: Martin Brennan <martin@discourse.org>
2024-08-23 18:08:32 +02:00
Discourse Translator Bot
ea7d25338f
Update translations (#28439) 2024-08-20 17:59:52 +02:00
Ted Johansson
eaa40bb179
DEV: Allow disabling problem checks programmatically (#28440) (#28441)
We need a way to disable certain checks programmatically, e.g. on Discourse hosting. This PR adds a configuration option for this, and makes it so that disabled checks aren't run as part of #run_all.
2024-08-20 17:14:46 +02:00
Alan Guo Xiang Tan
6cc856c1df
DEV: Switch back to Chrome for running QUnit tests (#28430)
QUnit tests are failing in different ways on Chromium in Debian
bookworm. We have no interest in figuring out why as it is not a good
use of our time and the long term plan is to switch to Chrome for Testing
anyway.
2024-08-20 13:09:00 +08:00
Alan Guo Xiang Tan
9e7be60847
DEV: Update mini_racer (#28363) (#28428)
This pulls in 87ef545a27
2024-08-20 09:07:19 +08:00
Martin Brennan
93d4b538a8
DEV: Add backup helpers for specs (#28394) (#28426)
This has been split out from https://github.com/discourse/discourse/pull/28051
so we can use this same code in plugin specs before merging the core PR.
It adds some helpers for creating local backup temp files
and cleaning them up.
2024-08-20 10:31:57 +10:00
Ted Johansson
9cb28a232e
DEV: Add plugin outlet for below wizard field (#28371) (#28384)
We changed the design of the member access wizard step to use toggle groups instead of switches. To support existing designs for notices, we need another plugin outlet.

Merged in main here. This is a backport to stable.
2024-08-15 09:44:50 +02:00
Discourse Translator Bot
b24917a815
Update translations (#28365) 2024-08-14 08:10:48 +02:00
Discourse Translator Bot
3ff8968f79
Update translations (#28247) 2024-08-13 16:31:29 +02:00
Loïc Guitaut
c500dbdaaf FIX: Return additional message types properly
Following a recent refactor, some methods from `FlagSettings` have been
renamed (`custom_types` -> `additional_message_types`). The
`PostActionType` model was using `custom_types` but when the renaming
was done, it was renamed to `with_additional_message` instead of
`additional_message_types`, which under the right circumstances will
raise an error.
2024-08-06 16:44:05 +02:00
Penar Musaraj
ac30a798f0
FIX: system badges can be disabled (#28169) (#28171)
A previous commit mistakenly assumed system badges couldn't be disabled.

Co-authored-by: Joffrey JAFFEUX <j.jaffeux@gmail.com>
2024-07-31 11:53:38 -04:00
Discourse Translator Bot
1b619b7d63
Update translations (#28147) 2024-07-31 00:14:23 +02:00
Gerhard Schlager
f6aca544e9
DEV: Remove unused "migration-tests" from stable branch (#28144)
It's currently not working and not needed on the stable branch
2024-07-30 11:25:16 +02:00
Nat
5bbdc8a813
Bump version to v3.3.0 2024-07-30 15:35:41 +08:00
Nat
4922ad795d
Merge v3.3.0.beta5 into stable 2024-07-30 15:35:40 +08:00
Nat
9ed203ed8c
Bump version to v3.2.5 2024-07-30 14:36:23 +08:00
Nat
f4cbf025b5
Bump version to v3.3.0.beta5 2024-07-30 14:35:56 +08:00
Natalie Tay
76f06f6b14
SECURITY: Fixes for stable (#28138)
* SECURITY: Update default allowed iframes list

Change the default iframe url list to all include 3 slashes.

* SECURITY: limit group tag's name length

Limit the size of a group tag's name to 100 characters.

Internal ref - t/130059

* SECURITY: Improve sanitization of SVGs in Onebox (stable)

---------

Co-authored-by: Blake Erickson <o.blakeerickson@gmail.com>
Co-authored-by: Régis Hanol <regis@hanol.fr>
Co-authored-by: David Taylor <david@taylorhq.com>
2024-07-30 14:19:08 +08:00
Natalie Tay
188cb58daa
SECURITY: Fixes for main (#28137)
* SECURITY: Update default allowed iframes list

Change the default iframe url list to all include 3 slashes.

* SECURITY: limit group tag's name length

Limit the size of a group tag's name to 100 characters.

Internal ref - t/130059

* SECURITY: Improve sanitization of SVGs in Onebox

---------

Co-authored-by: Blake Erickson <o.blakeerickson@gmail.com>
Co-authored-by: Régis Hanol <regis@hanol.fr>
Co-authored-by: David Taylor <david@taylorhq.com>
2024-07-30 14:19:01 +08:00
Martin Brennan
2d5f323ca3
DEV: Move config area site setting fetch into new controller (#28136)
Followup 4aea12fdcb

In certain config areas (like About) we want to be able
to fetch specific site settings by name. In this case,
sometimes we need to be able to fetch hidden settings,
in cases where a config area is still experimental.

Splitting out a different endpoint for this purpose
allows us to be stricter with what we return for config
areas without affecting the main site settings UI, revealing
hidden settings before they are ready.
2024-07-30 15:41:28 +10:00
Krzysztof Kotlarek
284aa1da22
FIX: addCommunitySectionLink secondary argument (#28135)
The `addCommunitySectionLink` API function accepts a secondary argument to determine if the link should be added to the primary or secondary (more) section. There was a bug and all links were mounted in the secondary section.
2024-07-30 14:32:07 +10:00
Alan Guo Xiang Tan
3193afe7ca
FIX: Rescue and warn when error is encountered in DiscourseIpInfo.mmdb_download (#28134)
Since switching to Maxmind permalinks to download the databases in
7079698cdf, we have received multiple
reports about rebuilds failing as `maxminddb:refresh` runs during
the rebuilds and failing to download the databases causes the rebuilds to
fail.

Downloading Maxmind databases should not sit in the critical rebuild
path but since we are close to the Discourse 3.3 release, we have opted
to just rescue all errors encountered when downloading the databases.

In the near future after the Discourse 3.3 release, we will be looking
at moving the downloading of maxmind databases out of the rebuild path.
2024-07-30 11:33:20 +08:00
Loïc Guitaut
1f5cbb9a44
DEV: Refactor translation overrides a bit (#28125)
This is a small followup of
https://github.com/discourse/discourse/pull/28037.
2024-07-30 09:56:46 +08:00
Osama Sayegh
e9aa2c96e1
FIX: Add new/missing email templates to the email templates editor (#28075)
We have a dedicated admin page (`/admin/customize/email_templates`) that lets admins customize all emails that Discourse sends to users. The way this page works is that it lists all translations strings that are used for emails, and the list of translation strings is currently hardcoded and hasn't been updated in years. We've had a number of new emails that Discourse sends, so we should add those templates to the list to let admins easily customize those templates.

Meta topic: https://meta.discourse.org/t/3-2-x-still-ignores-some-custom-email-templates/308203.
2024-07-30 00:27:41 +03:00
Daniel Waterworth
1a95543e93
PERF: Don't use unaccent on string literals (#28120)
unaccent isn't marked as a pure function, so it gets evaluated per row
instead of once.
2024-07-29 15:37:25 -05:00
David Taylor
b44190307f
UX: Avoid header topic-info flicker when using ?page= params (#28117)
In this case, there is no 'nearPost' param in the URL. Instead, the server preloads a post-stream with whichever page of posts is requested. We can check for that situation using `postStream.firstPostPresent`.

Also updates the widget-header version to fetch a value from the service on initial render, instead of relying on the observer triggering.

Followup to bdec564d14
2024-07-29 20:36:23 +01:00
Natalie Tay
5b51ed3856
DEV: Promote historic post_deploy migrations (#28128)
This commit promotes all post_deploy migrations which existed in Discourse v3.2.0 (timestamp <= 20240112043325)
2024-07-30 01:14:03 +08:00
Natalie Tay
7a1e3accff
DEV: Promote historic post_deploy migrations (#28127)
This commit promotes all post_deploy migrations which existed in Discourse v3.2.0 (timestamp <= 20240112043325)
2024-07-30 00:49:21 +08:00
Loïc Guitaut
cfa4f07378 FIX: Don't crash when MF definitions are missing
Currently, if MF definitions are missing (typically because there’s a
compilation error), `I18n.messageFormat` will try to access
`I18n._mfMessages.hasMessage` resulting in a crash that will in turn
crash Ember.

This patch addresses the issue by using the optional chaining operator
making the `I18n.messageFormat` method return a "Missing Key" message.
MF strings won’t be rendered properly, but the site will stay usable.
2024-07-29 18:13:17 +02:00
Neil Lalonde
e81fc27a0f
FIX: db_timestamps_mover errors from discourse-voting plugin (#28123)
https://github.com/discourse/discourse-topic-voting/pull/196

Some tables in that plugin are read-only, so the script fails when
trying to update rows in those tables. Add them to the ignore list.
2024-07-29 11:20:14 -04:00
Loïc Guitaut
9c57be6403 DEV: Update Ruby I18n pluralization rules
The current pluralization rules used by the I18n system in Ruby are
obsolete and don’t follow the official rules available at
unicode.org/cldr/charts/45/supplemental/language_plural_rules.html.

Using https://github.com/ruby-i18n/ruby-cldr, new and updated ones have
been generated.
2024-07-29 15:44:52 +02:00
Loïc Guitaut
fbf6bf6243 FIX: Don't escape MF variables in HTML links
We have some MF strings that are outputting HTML tags (typically links)
and their attributes are using single quotes. The problem is that with
the current implementation of MessageFormat, single quotes act as an
escaping mechanism for special characters like `{`. This then prevents
from interpolating some variables in the strings.

This patch addresses that issue by using double quotes instead,
restoring the expected behavior.
2024-07-29 15:30:52 +02:00
Discourse Translator Bot
7b6b55d53e
Update translations (#28116) 2024-07-29 15:16:45 +02:00
Discourse Translator Bot
f5fc49f5db
Update translations (#28115)
* Update translations

* DEV: Spec failed because of translation update

---------

Co-authored-by: Gerhard Schlager <gerhard.schlager@discourse.org>
2024-07-29 15:16:40 +02:00