Slugs can be the empty string, but the added index didn't account for
that. This commit changes the migration, stopping it from being unique
so that it can be applied everywhere and adds another migration that
recreates the index properly.
This feature amends it so instead of using one challenge and honeypot
statically per site we have a rotating honeypot and challenge value which
changes every hour.
This means you must grab a fresh copy of honeypot and challenge value once
an hour or account registration will be rejected.
We also now cycle the value of the challenge when after successful account
registration forcing an extra call to hp.json between account registrations
Client has been made aware of these changes.
Additionally this contains a JavaScript workaround for:
https://bugs.chromium.org/p/chromium/issues/detail?id=987293
This is client side code that is specific to Chrome user agent and swaps
a PASSWORD type honeypot with a TEXT type honeypot.
When a category has a subcategory, we ensure that no one who can see the
subcategory cannot see the parent. However, we don't take into account
the fact that, when no CategoryGroups exist, the default is that
everyone has full permissions.
Moving posts also moves the read state (`topic_users` table) to the destination topic. This changes that behavior so that only users who posted in the destination topic will have the original notification level (probably "watching") of the original topic. The notification level for all other users will be set to "regular".
When an admin changes the site setting slug_generation_method to
encoded, we weren't really encoding the slug, but just allowing non-ascii
characters in the slug (unicode).
That brings problems when a user posts a link to topic without the slug, as
our topic controller tries to redirect the user to the correct URL that contains
the slug with unicode characters. Having unicode in the Location header in a
response is a RFC violation and some browsers end up in a redirection loop.
Bug report: https://meta.discourse.org/t/-/125371?u=falco
This commit also checks if a site uses encoded slugs and clear all saved slugs
in the db so they can be regenerated using an onceoff job.
* DEV: allow serializing data for drafts
* Various fixes
* added an alias method for 'serializeToDraft' to plugin-api
* fixed linting issues
* changed single quotes to double quotes to fix linting issue
* fixed linting issues
* fixed composer model file via prettier
* fixed composer controller file via prettier
* fixed plugin-api file via prettier
Our instance used for template rendering needs a lock to ensure there is
no race condition where rendering happens on 2 threads at the same time.
This can lead to local poisoning which can cause unexpected results in
emails
A modal's primary action (blue button in the default theme) can now be invoked
by hitting Enter on the keyboard. This applies to all modals that aren't strict
forms as long as the focus is not on a textarea element.
Dropping the temp table in an `ensure` block hides the actual exception. Creating the table with `ON COMMIT DROP` makes the temp table disappear automatically at the end of the transaction. We only need the explicit `DROP` in tests, because tests already run inside a transaction, so the temp table won't be dropped after each test which leads to spec failures.
Bump onebox version, and add new styling
Commit, PR and Issue oneboxes are updated with a new design. Timestamps are now localized using local-dates (if installed).
We were mixing in 20 or so methods into a controller just to use a single
one.
The helper itself is not the actual implementation anyway... MobileDetection
is responsible here.
We expect mini profiler only to show up on accounts that are flagged as
developer accounts.
Unfortunately there was a bypass on any controllers that mix in ApplicationHelper
Post timings are created by `topic_id` and `post_number` and it's possible that the destination topic already contains post timings for non-existent posts. For example, this can happen if the destination topic was previously split and Discourse recorded post timings for moved posts in the destination topic.
This commit ensures that all timings which reference non-existent posts are deleted from the destination topic before the posts are moved.
This addresses the following issues:
- on iPad, with keyboard attached, the composer is no longer forced to full screen
- on iPad, with keyboard attached, the topic no longer scrolls when starting a
reply and then cancelling it
- switching between inputs and buttons (formatting, emojis, categories/tags, etc.) no longer
causes layout to bounce around
If the setting is turned on, then the user will receive information
about the subject: if it was deleted or requires some special access to
a group (only if the group is public). Otherwise, the user will receive
a generic #404 error message. For now, this change affects only the
topics and categories controller.
This commit also tries to refactor some of the code related to error
handling. To make error pages more consistent (design-wise), the actual
error page will be rendered server-side.
Using popups is becoming increasingly rare. Full page redirects are already used on mobile, and for some providers. This commit removes all logic related to popup authentication, leaving only the full page redirect method.
For more info, see https://meta.discourse.org/t/do-we-need-popups-for-login/127988
Removes setting for iOS devices that support Visual Viewport API.
On devices where it was previously enabled, it was causing some scrolling drift when invoking the composer.
This is useful by analytics libraries or other code that wants to track
when replies are begun. A new event: `page:compose-reply` is fired with
the topic.
If we are interested in page events (say analytics), they are reported
when the route changes, which does not wait for any promises in
`setupController` to finish.
A plugin might want to know when a topic has fully loaded, so this event
is triggered when that happens.
Bump onebox version to include new github rendering, and add relevant CSS
Avatars are reduced in size significantly, and icons are added to easily differentiate PRs and commits. The 'Issue:' prefix is removed from issue oneboxes, to make them consistent with commits and PRs.
Previous to this fix we were leaking methods on the internal action view
template class per render.
This caused email generation to be very low and a steady memory leak in the
application in sidekiq when sending out emails
The behavior change is new to Rails 6 so this fix does not need to be
backported into stable.
* FEATURE: Added input for name when creating a new authenticator in user preferences
* FEATURE: Added placeholders to authenticator inputs
* Ran prettier on second-factor-add-totp.js.es6
AppEvents was always a service object in disguise, so we should move it
to the correct place in the application. Doing this allows other service
objects to inject it easily without container access.
In the future we should also deprecate `this.appEvents` without an
explicit injection too.
Added on Aug 21, 2015 in bef80633b1
The only usage removed on Aug 26, 2015 in 4ba89eec27
As far I can tell it isn't used by core or any official plugins.
* FEATURE: Adds an extra protection layer when decompressing files.
* Rename exporter/importer to zip importer. Update old locale
* Added a new composite class to decompress a file with multiple strategies
* Set max file size inside a site setting
* Ensure that file is deleted after compression
* Sanitize path and files before compressing/decompressing
This fix is needed due to what feels like an iOS Safari bug. The CSS rule `margin-bottom: env(safe-area-inset-bottom);` should not apply to the topic progress element when the composer is visible, because the element is not near the bottom of the viewport.
* Fix broken security key 2FA on mobile login.hbs
* Show nicer error message when a security key already exists
* [COPY] Disable -> Delete for security key editing
* Standardize UI elements in 2FA prefs password confirmation
* Minor fixes to label location for resetPasswordProgress
