Commit Graph

952 Commits

Author SHA1 Message Date
Guo Xiang Tan
0972516abe FIX: Incorrect "rel" used for apple icons in <head>.
Nothing on the web I can find suggests that this should have been `rel=icon`.
See https://developer.apple.com/library/archive/documentation/AppleApplications/Reference/SafariWebContent/ConfiguringWebApplications/ConfiguringWebApplications.html
2018-11-26 10:40:09 +08:00
Joe
336436dfb4
UX: better handling of logo size 2018-11-23 22:04:42 +08:00
Joe
e2214b50f3
UX: add height attribute to logo on error pages
This matches what we do in the home-logo widget. The height is set as an attribute and we use CSS to get a scaled width that preserves the aspect ratio of the image.
2018-11-23 15:04:34 +08:00
Kyle Zhao
80398d0b8f
Extract inline JS on embedded comments (#6645)
* use the meta refresh tag instead

* extract inline JS in embedded comment
2018-11-22 10:02:58 -05:00
Kyle Zhao
5f754b43f1
extract inline onpopstate handler on 404 page (#6613) 2018-11-15 13:35:38 -05:00
Guo Xiang Tan
44391ee8ab
FEATURE: Upload Site Settings. (#6573) 2018-11-14 15:03:02 +08:00
Joe
7707e42441 DEV: moves print-specific styles from internal style tag to external print sheet (#6581)
* DEV: removes internal styles from print view

* DEV: adds styles to print sheet
2018-11-13 14:45:55 +11:00
Sam
42572ff138 Revert font awesome 5 changes
We are still pushing ahead on this 100% just need a bit longer to prepare
all plugins
2018-11-08 16:12:18 +11:00
David Taylor
37fb8fc0e7
FIX: Do not display broken image on crawler/print view (#6575) 2018-11-07 22:28:45 +00:00
Penar Musaraj
005e1ecb9b
FEATURE: Update Font Awesome to v5.4.1 and SVGs (#6557)
* First take on subsetting svg icons

* FontAwesome 5 svg subset WIP

* Include icons from plugins/badges into svg sprite subset

* add svg icon support to themes

* Add spec for SvgSprite

* Misc. SVG icon fixes

* Use FA5 svgs in local-dates plugin

* CSS adjustments, fix SVG icons in group flair

* Use SVG icons in poll plugin

* Add SVG icons to /wizard
2018-11-07 13:05:43 -05:00
Sam
d84256a876 FEATURE: add Noindex to robots.txt for disallowed routes
This strips pages out of indexes that should not exist see:

https://meta.discourse.org/t/pages-listed-in-the-robots-txt-are-crawled-and-indexed-by-google/100309/11?u=sam
2018-11-02 16:39:47 +11:00
Joe
4234058358 UX: don't show crawler navigation in print view (#6551)
* UX: adds CSS classes to crawler navigation links

* UX: hide crawler navigation in print view
2018-11-02 09:18:07 +11:00
Gerhard Schlager
733b8af47b FIX: Uploads didn't work for subfolder anymore 2018-10-30 12:53:57 +01:00
Vinoth Kannan
92bf3c667e FIX: Flash authentication data not rendered in latest iOS safari browser 2018-10-30 04:00:36 +05:30
Kyle Zhao
a6eca28ec6
CSP - extract all other inline JavaScripts (#6528)
* wizard page inline js

* print topic inline js

* drop JS for preventing double submission

this is the default behavior with Rails' UJS `disable_with` helper

* omniauth complete redirect JS

* account activate inline js
2018-10-25 09:52:01 -04:00
Sam Saffron
abaa3f0650 FEATURE: add server:before-head-close-crawler outlet for plugins
This outlet allows plugins to inject html prior to closing head tag
2018-10-25 16:31:05 +11:00
Kris
c219a5fb1e
Add btn-default class to all default buttons (#6521) 2018-10-24 16:09:36 -04:00
Sam
4c8fe13500 FIX: remove code that restricted "header" theme field from admin
There was some old code that restricted a percentage of a themes code from
admin, only when admin was refreshed, this leads to lots of confusion

Conditional is now removed
2018-10-15 17:29:10 +11:00
Robin Ward
c2add85e75 FIX: Typo, should be authentication
cc @xrav3nz
2018-10-11 14:58:46 -04:00
Kyle Zhao
acba7d2a5d Extract discourse_javascript.html.erb to a scrip include
* extract omniauth auth complete inline JS

* extract Ember error logging inline JS

* transpile `authentication-complete`

This is CSP related work
2018-10-09 16:50:45 +11:00
Kyle Zhao
ab448ca8f3 extract client side Discourse setup inline JS (#6409) 2018-10-01 21:29:04 -07:00
Kyle Zhao
d0f660806d FIX: close data-preloaded div tag 2018-10-01 15:24:27 +08:00
Kyle Zhao
819f090d6a move large blobs out of <head> (#6428)
it unnecessarily bloats the section and increases the payload
dramatically for open graph tags.
2018-09-28 17:28:33 +08:00
Kyle Zhao
7a0232249a
extract inline JS that's used to store preloaded data (#6370) 2018-09-17 16:31:46 +08:00
Kyle Zhao
f666d72606 extract inline JS for google tag manager 2018-09-17 09:56:00 +10:00
Kyle Zhao
38c70bfda2 extract inline JS for google analytics 2018-09-17 09:56:00 +10:00
OsamaSayegh
a4f057a589 UX: improvements to admin theme UI 2018-09-17 09:49:53 +10:00
Osama Sayegh
16bd3f2cf2 FIX: use current user color scheme when filling theme-color attribute (#6384)
* FIX: use current user color scheme when filling `meta` attribute `theme-color`

* update manifest.webmanifest colors
2018-09-12 11:04:58 +10:00
Guo Xiang Tan
a033327b93 Manage qunit via yarn. 2018-09-11 15:07:28 +08:00
Gerhard Schlager
2801376df5 FIX: Wizard didn't load translations correctly
* Translations from the js.* namespace were not found, because the i18n-patches were not loaded.
* The extra-locales didn't use a hash in the URL.
2018-09-05 15:14:09 +02:00
Neil Lalonde
ebe7835316 FIX: links in rss feeds are sometimes wrong on subfolder installs 2018-08-27 18:05:15 -04:00
Gerhard Schlager
bed34b52b5 UX: Blue "Resend Activation Email" button in wizzard 2018-08-21 22:18:08 +02:00
Gerhard Schlager
cc851af750 FIX: HTML lang attribute expects hyphen instead of underscore 2018-08-20 13:55:58 +02:00
Misaka 0x4e21
d4fd19d49a UX: Replace Google search with Discourse search on not found page
* UX: Replace Google search with Discourse search on not found page.

* FIX: Update application_controller_spec.rb.
2018-08-15 11:53:04 +10:00
Neil Lalonde
71b65be6f6 SECURITY: prevent use of X-Forwarded-Host to perform XSS 2018-08-13 16:45:22 -04:00
Sam
7aef604f7d regression, if there is not excerpt skip 2018-08-09 15:07:18 +10:00
Osama Sayegh
0b7ed8ffaf FEATURE: backend support for user-selectable components
* FEATURE: backend support for user-selectable components

* fix problems with previewing default theme

* rename preview_key => preview_theme_id

* omit default theme from child themes dropdown and try a different fix

* cache & freeze stylesheets arrays
2018-08-08 14:46:34 +10:00
Sam
3f6ad65aec FEATURE: include excerpt in HTML view for pinned topics 2018-08-08 11:15:49 +10:00
Neil Lalonde
4e6e4a83df FIX: subfolder digest emails have incorrect URLs 2018-08-07 16:38:17 -04:00
Joffrey JAFFEUX
d494feaa32
FIX: should not be needed as we have itemprop='url' 2018-07-30 09:31:27 -04:00
Arpit Jalan
dfcb2a0d42 FEATURE: include published_time in metadata 2018-07-30 17:09:56 +05:30
Neil Lalonde
f4b5eccad3 FIX: categories page crawler view had incorrect URLs 2018-07-23 14:54:41 -04:00
OsamaSayegh
decf1f27cf FEATURE: Groundwork for user-selectable theme components
* Phase 0 for user-selectable theme components

- Drops `key` column from the `themes` table
- Drops `theme_key` column from the `user_options` table
- Adds `theme_ids` (array of ints default []) column to the `user_options` table and migrates data from `theme_key` to the new column.
- Removes the `default_theme_key` site setting and adds `default_theme_id` instead.
- Replaces `theme_key` cookie with a new one called `theme_ids`
- no longer need Theme.settings_for_client
2018-07-12 14:18:21 +10:00
Guo Xiang Tan
875008522d FIX: Discourse.S3BaseUrl did not account for subfolder bucket names. 2018-07-06 15:53:57 +08:00
Guo Xiang Tan
73e30ff4c2 Revert "Rename s3 vars, change condition when displaying s3 uploads"
The new variables do not reflect that they represent S3 settings.

This reverts commit 24dfa1b657.
2018-07-06 15:53:57 +08:00
Christoph Holtermann
68bfe0260a Fix typo (#6043)
typo: state instead of status
2018-07-05 09:26:48 +08:00
Joffrey JAFFEUX
1772b56cda
FIX: minor micro data fixes 2018-06-29 13:41:04 +02:00
Maja Komel
ec3e6a81a4 FEATURE: Second factor backup 2018-06-28 10:12:32 +02:00
Maja Komel
24dfa1b657 Rename s3 vars, change condition when displaying s3 uploads 2018-06-25 17:16:01 +02:00
Joffrey JAFFEUX
803968147c
FIX: ListItem can’t have itemprop=url and itemprop=item together 2018-06-25 14:12:55 +02:00
Christoph Holtermann
bed26ea0b3 fix indentation 2018-06-25 15:01:39 +10:00
Christoph Holtermann
a0af15d525 no redeclaring state 2018-06-25 15:01:39 +10:00
Christoph Holtermann
e874afaf31 read embed state info from data attribute 2018-06-25 15:01:39 +10:00
Christoph Holtermann
6eb0b310fe add data attributes to reflect embed status 2018-06-25 15:01:39 +10:00
Christoph Holtermann
5914a3db20 Update embed.html.erb
Small fix
2018-06-25 15:01:39 +10:00
Christoph Holtermann
2244f19ff9 Update embed.html.erb
Add state descriptor to message being sent to parent window
2018-06-25 15:01:39 +10:00
Rafael dos Santos Silva
8fc08aad09 FEATURE: Update the webmanifest
- Remove share target because the spec is changing
- Allow any orientation again because natural is too restrictive
- Use correct file and mime types for the manifest
2018-06-14 00:13:28 -03:00
Joffrey JAFFEUX
276526e30e
FIX: improves micro data support 2018-06-13 23:20:48 +02:00
Angus McLeod
0997eb6486 Add theme stylesheet(s) to the crawler layout 2018-06-12 12:47:48 +10:00
Jeff Wong
4599cc8435 FIX: PM participants listed inline 2018-06-11 18:14:25 -07:00
Régis Hanol
0402e97368 FIX: redirect to sso_destination_url after account activation 2018-05-11 19:57:04 +02:00
Régis Hanol
6a006b3646 FIX: format posts for embedded comments as we do for emails 2018-05-09 19:24:44 +02:00
Arpit Jalan
83245aa508 FIX: better handling of invite links after they are redeemed
FIX: deprecate invite_passthrough_hours setting
2018-05-08 20:17:57 +05:30
Jeff Wong
62a8904729
Feature: Include participants at the bottom of PM emails (#5797)
* Feature: Include participants at the bottom of PM emails

... as undecorated links.

https://meta.discourse.org/t/email-notification-recipients-unclear-when-pm-is-sent-to-multiple-users/26934/13?u=featheredtoast

Fix: missing translation for PM mentions

* display membership count as `group (count)`
2018-05-03 15:50:06 -07:00
Robin Ward
a5172a37e0 Allow staff members to enable safe mode, even if disabled 2018-04-25 11:49:57 -04:00
Robin Ward
fd14ee4797 FEATURE: Allow safe mode to be disabled 2018-04-24 11:03:33 -04:00
Sam
54d153068a DEV: remove qunit rails fork and add a couple of async tests 2018-04-23 16:42:40 +10:00
Arpit Jalan
45cfb61af1 FIX: sanitize click track links 2018-04-17 12:35:16 +05:30
Robin Ward
3d7dbdedc0 FEATURE: An API to help sites build robots.txt files programatically
This is mainly useful for subfolder sites, who need to expose their
robots.txt contents to a parent site.
2018-04-16 15:43:20 -04:00
Sam
223379e21a per spec we need to repeat disallow paths per agent 2018-04-16 15:38:10 +10:00
Arpit Jalan
a1ef455c78 SECURITY: do not show private topic title on /unsubscribed page 2018-04-16 10:35:57 +05:30
Régis Hanol
1a9271dd2f add a warning in robots.txt when using subfolder 2018-04-12 00:00:15 +02:00
Régis Hanol
df7970a6f6 prefix the robots.txt rules with the directory when using subfolder 2018-04-11 22:05:02 +02:00
Sam
489c22d93c FEATURE: Disallow tags and categories rss feeds
This stops crawlers from hitting tags and category rss feeds to discover
new content, instead they should focus on latest/posts if they need to
consume something regular
2018-04-11 14:36:10 +10:00
Sam
f40f10240c FEATURE: remove topic rss from robots
Crawlers love hitting the rss feeds (confirmed that both Google and Bing do)

Experimenting with the impact of blocking these feeds and forcing Crawlers to hit
the content direct. It is better if they hit the actual page to start with as opposed to

1. Hit RSS feed
2. Find new content
3. Hit post link
4. Get canonical
5. Hit canonical

Lots of pointless work.

We do not know for sure what impact this will have on newsreader apps,
we will listen for feedback.
2018-04-11 11:57:52 +10:00
Jeff Wong
32f919ea34 Fix - service worker registrations
* register service workers in a development env

* register service worker from ember initialize fn
2018-04-10 15:17:32 -07:00
Sam
3a7b696703 FEATURE: allow for setting crawl delay per user agent
Also moved to default crawl delay bing so no more than a req every 5 seconds is allowed

New site settings:

"slow_down_crawler_user_agents" - list of crawlers that will be slowed down
"slow_down_crawler_rate" - how many seconds to wait between requests

Not enforced server side yet
2018-04-06 10:15:23 +10:00
Neil Lalonde
b7ecdb72d6 FIX: update Google Tag Manager javascript 2018-04-03 14:22:06 -04:00
Arpit Jalan
5e4dd20795 Revert "Prevent robots from indexing uploads"
This reverts commit 0fd622e5d1.
2018-04-02 21:29:29 +05:30
Neil Lalonde
c9216626d8
Merge pull request #5688 from discourse/fix-embed-comments-template-error
FIX: Make sure a post has replies before accessing the reply_id
2018-03-27 15:30:53 -04:00
Neil Lalonde
ced7e9a691 FEATURE: control which web crawlers can access using a whitelist or blacklist 2018-03-22 15:41:02 -04:00
scossar
f213dea529 Make sure a post has replies before accessing the reply id 2018-03-20 12:13:41 -07:00
Régis Hanol
89f5c90ce0 FIX: show an error page on click tracking error 2018-03-17 00:33:11 +01:00
Sam
8c1d145f0e FIX: when visiting post on mobile it is not selected 2018-03-13 14:06:08 +11:00
Dan Nicholson
0fd622e5d1 Prevent robots from indexing uploads
Although most user uploads are probably harmless, it's possible someone
has (either maliciously or not) uploaded sensitive information. Prevent
robots from indexing the uploads route.
2018-03-09 05:51:55 -06:00
OsamaSayegh
282f53f0cd FEATURE: Theme settings (2) (#5611)
Allows theme authors to specify custom theme settings for the theme. 

Centralizes the theme/site settings into a single construct
2018-03-04 19:04:23 -05:00
Sam
e19ae6c55e FEATURE: disallow groups from being indexed 2018-03-02 13:38:30 +11:00
Guo Xiang Tan
70f14da732 UX: Use 'tel' input type for 2FA token inputs. 2018-02-27 09:30:44 +08:00
Joffrey JAFFEUX
ac701696b3
FEATURE: replaces tag-chooser/tag-group-chooser with select-kit component
These component were also the last using select2. As a consequence select2 is removed from Discourse in this commit.
2018-02-26 11:42:57 +01:00
Guo Xiang Tan
a9699da672 UX: Specify pattern and maxlength for 2FA input fields. 2018-02-26 18:29:46 +08:00
Guo Xiang Tan
1f74509a75 FIX: 2FA prompt incorrectly displayed on admin login page. 2018-02-23 11:05:39 +08:00
Maja Komel
76a2fc3d07 UX: Add og metadata for groups.
https://meta.discourse.org/t/onebox-for-groups/79155
2018-02-22 15:03:41 +08:00
Guo Xiang Tan
964624f3ab FIX: No error displayed when 2FA token is invalid on admin login page. 2018-02-22 09:45:57 +08:00
Guo Xiang Tan
edf326a9a5 Fix incorrect translation. 2018-02-22 08:06:37 +08:00
Guo Xiang Tan
14f3594f9f Review Changes for f4f8a293e7. 2018-02-21 14:55:49 +08:00
Jeff Wong
f4f8a293e7 FEATURE: Implement 2factor login TOTP
implemented review items.

Blocking previous codes - valid 2-factor auth tokens can only be authenticated once/30 seconds.
I played with updating the “last used” any time the token was attempted but that seemed to be overkill, and frustrating as to why a token would fail.
Translatable texts.
Move second factor logic to a helper class.
Move second factor specific controller endpoints to its own controller.
Move serialization logic for 2-factor details in admin user views.
Add a login ember component for de-duplication
Fix up code formatting
Change verbiage of google authenticator

add controller tests:
second factor controller tests
change email tests
change password tests
admin login tests

add qunit tests - password reset, preferences

fix: check for 2factor on change email controller
fix: email controller - only show second factor errors on attempt
fix: check against 'true' to enable second factor.

Add modal for explaining what 2fa with links to Google Authenticator/FreeOTP

add two factor to email signin link

rate limit if second factor token present

add rate limiter test for second factor attempts
2018-02-21 09:04:07 +08:00
Guo Xiang Tan
7902296c11 Oops we should register a service worker as long as it is supported. 2018-02-15 15:02:14 +08:00
Guo Xiang Tan
28365f8ae5 PERF: Have nginx cache and serve the service worker file. 2018-02-15 10:50:39 +08:00
Erick Guan
03b3e57a44 FEATURE: login by a link from email
Co-authored-by: tgxworld <tgx@discourse.org>
2018-02-13 16:14:39 +08:00
Robin Ward
0776340b29 SECURITY: Prevent robots from indexing more routes
These routes could contain sensitive material and should never be
indexed for content.
2018-02-04 13:24:36 -05:00