Commit Graph

36883 Commits

Author SHA1 Message Date
Kris
b76ae9e0f5 REFACTOR: Convert main button styles into a central mixin 2019-12-13 14:09:48 -05:00
Robin Ward
a04a631674 Changed CONFLICT to SQL for multiline strings
This is more consistent with the rest of our codebase.
2019-12-13 11:51:40 -05:00
Krzysztof Kotlarek
1c49875048 SECURITY: vulnerability in WildcardUrlChecker 2019-12-13 09:55:43 -05:00
Kris
3816107560 UX: Z-index of image lightbox needs to be higher than modal z-index 2019-12-13 09:38:38 -05:00
Krzysztof Kotlarek
d8360b4c82 SECURITY: vulnerability in WildcardUrlChecker 2019-12-13 09:29:09 -05:00
David Taylor
f47909a2b6 DEV: Check for pending migrations before running rspec suite
This should catch a few scenarios which can waste a lot of time in development
 - Forgetting to run migrations
 - Missing plugin migrations
 - Missing post_deploy migrations
2019-12-13 12:50:18 +00:00
Gerhard Schlager
c068804a0a Fixing the specs. Take 2. 2019-12-13 13:05:17 +01:00
Gerhard Schlager
2e8c23f0d0 Fix spec 2019-12-13 12:40:52 +01:00
Gerhard Schlager
f62215046f FEATURE: Completely remove unsafe-eval from CSP
Plugins can add it via API if they need to use `eval`:
```
extend_content_security_policy(script_src: [:unsafe_eval])
```

See https://meta.discourse.org/t/104243
2019-12-13 12:38:32 +01:00
Daniel Waterworth
1fb7a6297c DEV: Add unambiguous routes for tags
The trouble with having:

/tags/:tag_id/...

and:

/tags/intersection/*tag_ids

for example, is: what happens if you want a tag called intersection?

Under this new scheme. Routes referring to a single tag are unambiguous
because they are prefixed with:

/tag/:tag_id

Routes referring to the collection of tags still start with:

/tags/

This commit just adds the new routes. It doesn't remove the old ones or
cause the new ones to be used.
2019-12-13 11:24:59 +00:00
OsamaSayegh
dc3c4bdd00 DEV: Bump Logster version to 2.5.1
This version has minor follow-up fixes and changes to the pattern
grouping feature that was introduced yesterday. See Logster changelog
for details: https://github.com/discourse/logster/blob/master/CHANGELOG.md
2019-12-13 09:51:19 +00:00
Rishabh
387daaf7b8 UX: Improve copy on Move to Topic and Move to Message modals
Also clarify that messages can be searched for by url, id and not just title.
2019-12-13 14:13:13 +05:30
Hector Bustillos
42758379b9 FEATURE: Adds a message when the passwords doesn't match in rake admin:create (#8543) 2019-12-13 11:40:33 +11:00
Blake Erickson
006e5904be DEV: Remove buffered rendering from navigation-item
This is another refactoring in the multi-step process to remove all uses
of our custom Render Buffer.

Previous commit: ea6326c860 in this
series.

This commit affects the top menu buttons. It is just a refactor and
should not change any functionality.
2019-12-12 15:52:33 -07:00
Roman Rizzi
b6a2875749
FIX: Granting staff status should auto-approve users waiting approval (#8533)
* FIX: Granting staff status should auto-approve users waiting approval

* Update app/models/concerns/roleable.rb

Co-Authored-By: Robin Ward <robin.ward@gmail.com>
2019-12-12 16:26:38 -03:00
Robin Ward
76f676879c FIX: Constraint error when inserting the same topic group twice
If that happens, update the value instead of raising an error.
2019-12-12 13:10:46 -05:00
Penar Musaraj
ff163ae980 DEV: Prevent empty admin topic buttons from rendering
When using api.decorateWidget("topic-admin-menu:adminMenuButtons") in plugins, an empty button is added if the helper only returns attributes based on a condition (for example, if the admin action is limited to public topics.) In that case, we need to exclude the button from rendering.
2019-12-12 12:21:30 -05:00
Penar Musaraj
f62c9def33 Revert "FIX: prevents focus of input on mobile (#6251)"
This reverts commit bfcf8ed61b.
2019-12-12 11:17:40 -05:00
David Taylor
8dcda65837 DEV: Correct error message check in run-qunit
Followup to 43ca1bb132
2019-12-12 14:06:06 +00:00
Blake Erickson
ea6326c860 DEV: Remove buffered rendering from topic-post-badges
This is another refactoring in the multi-step process to remove all uses
of our custom Render Buffer.

Previous commit: f5cca4930d in this
series.

This commit affects the display of some of the unread, new, and unseen
badges in topic lists like when then "show subcategory list above topics
in this category" option is checked.
2019-12-12 07:04:25 -07:00
Dan Ungureanu
b6589f203b FIX: Cache short upload URL (#8541)
The code for caching was already there, but it was caching invalid data,
which automatically invalidated the cache entry.
2019-12-12 15:03:34 +01:00
David Taylor
43ca1bb132 DEV: Handle occasional 'No inspectable targets' error in run-qunit
This is to work around https://github.com/GoogleChrome/chrome-launcher/issues/145
2019-12-12 13:24:58 +00:00
David Taylor
4c9ca24ccf
FEATURE: Hash API keys in the database (#8438)
API keys are now only visible when first created. After that, only the first four characters are stored in the database for identification, along with an sha256 hash of the full key. This makes key usage easier to audit, and ensures attackers would not have access to the live site in the event of a database leak.

This makes the merge lower risk, because we have some time to revert if needed. Once the change is confirmed to be working, we will add a second commit to drop the `key` column.
2019-12-12 11:45:00 +00:00
Daniel Waterworth
b2ed17cf86 FIX: Disallow c as a tag 2019-12-12 11:26:57 +00:00
Daniel Waterworth
6aff510809 FIX: Disallow none as a category slug 2019-12-12 11:26:21 +00:00
Bianca Nenciu
3ec2081059
UX: Include public groups in mentionable groups set (#8516) 2019-12-12 13:13:40 +02:00
Martin Brennan
9f4c9bafa1
FIX: Hide old bookmark button on post-menu if SiteSetting.enable_bookmarks_with_reminders
Hide old bookmark post-menu item if the site setting for the new bookmark reminders is enabled and change icon for the new bookmark functionality to the same as the old bookmark button
Fix null @topic_view error in post serializer for post_bookmark, as new posts do not have a @topic_view
2019-12-12 16:28:01 +10:00
Sam Saffron
9d6a9bba96 DEV: correct flaky test
This is a slight workaround which helps somewhat now but is pending a larger
fix.

When this spec ran in parallel mode uploads could start cross talking and
an upload you expect to be there may vanish.

This works around the issue by making the upload unique every time it is
created

It also folds up an expensive test into the main one.
2019-12-12 16:54:22 +11:00
dependabot-preview[bot]
885d2bb87a Bump logster from 2.4.2 to 2.5.0 (#8538)
Bumps [logster](https://github.com/discourse/logster) from 2.4.2 to 2.5.0.
- [Release notes](https://github.com/discourse/logster/releases)
- [Changelog](https://github.com/discourse/logster/blob/master/CHANGELOG.md)
- [Commits](https://github.com/discourse/logster/commits)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

This new version of Logster has grouping patterns that can be added via the UI to group logs that match into a single row. More details at 24d6cc9742
2019-12-12 08:26:49 +03:00
Martin Brennan
ce03092e61 Fix DiscourseCops/NoURIEscapeEncode errors and re-enable 2019-12-12 14:54:26 +10:00
Martin Brennan
44e0c9e0b4 Temporarily disable DiscourseCops/NoURIEscapeEncode for plugins 2019-12-12 14:40:13 +10:00
Martin Brennan
e8ee847dd2 Merge branch 'master' of github.com:discourse/discourse 2019-12-12 14:33:09 +10:00
Martin Brennan
9c1e0b8bd2 bump rubocop-discourse to 1.0.2 for NoURIEscapeEncode cop 2019-12-12 14:30:27 +10:00
Martin Brennan
edbc356593
FIX: Replace deprecated URI.encode, URI.escape, URI.unescape and URI.unencode (#8528)
The following methods have long been deprecated in ruby due to flaws in their implementation per http://blade.nagaokaut.ac.jp/cgi-bin/vframe.rb/ruby/ruby-core/29293?29179-31097:

URI.escape
URI.unescape
URI.encode
URI.unencode
escape/encode are just aliases for one another. This PR uses the Addressable gem to replace these methods with its own encode, unencode, and encode_component methods where appropriate.

I have put all references to Addressable::URI here into the UrlHelper to keep them corralled in one place to make changes to this implementation easier.

Addressable is now also an explicit gem dependency.
2019-12-12 12:49:21 +10:00
Sam Saffron
b6acfb7847 DEV: upgrade redis-namespace gem
New release has a few extra commands namespaced, nothing we use.

Also added a comment about why this is explicitly required.
2019-12-12 13:36:08 +11:00
dependabot-preview[bot]
61ac0d47ee DEV: Bump stackprof from 0.2.13 to 0.2.14 (#8531)
Bumps [stackprof](https://github.com/tmm1/stackprof) from 0.2.13 to 0.2.14.
- [Release notes](https://github.com/tmm1/stackprof/releases)
- [Changelog](https://github.com/tmm1/stackprof/blob/master/CHANGELOG.md)
- [Commits](https://github.com/tmm1/stackprof/compare/v0.2.13...v0.2.14)

Minor upgrade to stackprof which is only used for diagnostics and not default required. Changes all look safe.
2019-12-12 13:29:00 +11:00
David Taylor
1e59371a4f DEV: Remove unused omit_stats variable from user serializer (#8513)
* DEV: Remove unused omit_stats variable from user serializer

This was hard-coded to true in a8b5192efd, and is no longer used anywhere

* Remove attribute declarations
2019-12-12 13:27:23 +11:00
Krzysztof Kotlarek
e1e571d32c SECURITY: upgrade rack-mini-profiler to avoid possible XSS (#8537) 2019-12-12 13:23:09 +11:00
Krzysztof Kotlarek
746ba0d8fd SECURITY: upgrade rack-mini-profiler to avoid possible XSS (#8537) 2019-12-12 13:15:40 +11:00
Kris
91a5731e7b UX: Small fixes for iOS signup modal 2019-12-11 15:47:25 -05:00
Kris
9c41b66996 UX: Tag combo box styles should match tags on topics 2019-12-11 14:49:39 -05:00
Mark VanLandingham
09d9baa6d7
FIX: Update S3 stubs for more aws-sdk API changes (#8534) 2019-12-11 11:26:52 -08:00
Régis Hanol
278d70f3eb FIX: Add new content type for theme/component
When uploading a theme/component, depending on the extension of the
file and the OS/Browser being used, the content type might differ.

This adds the "application/x-zip-compressed" content type that is being
sent by most Browsers on latest Windows when uploading a .zip file.
2019-12-11 19:50:23 +01:00
Kris
2f8a25b2d5 UX: Minor style updates for tag info 2019-12-11 13:34:01 -05:00
dependabot-preview[bot]
863d3f89de Build(deps): Bump aws-sdk-s3 from 1.36.1 to 1.59.0 (#8502)
* Build(deps): Bump aws-sdk-s3 from 1.36.1 to 1.59.0

Bumps [aws-sdk-s3](https://github.com/aws/aws-sdk-ruby) from 1.36.1 to 1.59.0.
- [Release notes](https://github.com/aws/aws-sdk-ruby/releases)
- [Changelog](https://github.com/aws/aws-sdk-ruby/blob/master/gems/aws-sdk-s3/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-ruby/compare/v1.36.1...v1.59.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Dependabot/bundler/aws sdk s3 1.59.0 (#8532)
2019-12-11 10:18:11 -08:00
David Taylor
584021ca38 DEV: Correct error handling in run-qunit
runAllTests is an async function, so the try/catch block does not help. The function always returns a promise, so we need to use `.catch` to handle errors. Previously, raised errors were ignored, and the process continued running until it timed out.
2019-12-11 16:50:31 +00:00
Dan Ungureanu
554b0f366d
SECURITY: Ensure only image uploads can be inlined
This prevents malicious files (for example special crafted XMLs) to be
used in XSS attacks.
2019-12-11 17:08:58 +02:00
Dan Ungureanu
43ddb6b36d
SECURITY: Remove event handlers from SVG files 2019-12-11 17:08:57 +02:00
Dan Ungureanu
4e130f1e03
SECURITY: Remove event handlers from SVG files 2019-12-11 17:04:50 +02:00
Dan Ungureanu
adfa793731
SECURITY: Ensure only image uploads can be inlined
This prevents malicious files (for example special crafted XMLs) to be
used in XSS attacks.
2019-12-11 17:04:49 +02:00