Commit Graph

42041 Commits

Author SHA1 Message Date
Régis Hanol
3477c8a2a9
SECURITY: XSS in bookmarks list (#13311)
We should use `fancy_title` instead of `title` when displaying a topic title to ensure only the allowed html is not escaped.
2021-06-07 16:49:57 +02:00
Penar Musaraj
6759e5e396
DEV: Do not always include software update HTML in DOM (#13291) 2021-06-07 09:40:03 -04:00
Arpit Jalan
2e4f07678e
FIX: IMDb links were being oneboxed as posters (#13310)
IMDb movie links were being rendered as posters. This was because
IMDb was sending `og:type` as `image` randomly in some cases. To
fix this we'll now default all IMDb links as article type. This will
ensure that the IMDb onebox link includes all the information instead
of showing just a poster without any context.
2021-06-07 18:45:59 +05:30
awesomerobot
2110fd2638 UX: Improve tag truncation in scrolled header 2021-06-07 16:44:03 +08:00
Alan Guo Xiang Tan
064bca430c PERF: Preload Post#image_upload in TopicView.
This fixes an N+1 queires problem when generating `Post#image_url` which
requires the upload to be loaded.

Follow-up to 141f16eb6b
2021-06-07 14:43:49 +08:00
Martin Brennan
b463a80cbf
FIX: Do not enqueue :group_smtp_email job if IMAP disabled for the group (#13307)
When a group only has SMTP enabled and not IMAP, we do not
want to enqueue the :group_smtp_email job because using the group's
SMTP credentials for sending user_private_message emails is
handled by the UserNotifications class.

We do not want the :group_smtp_email job to be enqueued because
that uses a reply key instead of the group.email_username
for the reply-to address which is not what we want for SMTP
only, and also creates an IncomingEmail record to prevent IMAP
double syncing which we do not need either.

There is an open question about what happens when IMAP is
enabled after SMTP has been enabled for a while, and also questions
around whether we could do away with :group_smtp_email altogether
and handle everything via EmailLog and UserNotifications, adding
additional columns to the former and modifying the Imap::Sync
class to take this into account...a lot more further testing
for IMAP needs to be done to answer those questions.

For now, this fix should be sufficient to get the correct
reply-to address for user_private_response messages sent in
response to emails sent directly to the group's
email_username SMTP address.

Co-authored-by: Alan Guo Xiang Tan <gxtan1990@gmail.com>
2021-06-07 14:17:35 +10:00
Jarek Radosz
0a259b94f0 DEV: Fix an ActiveModel::Errors deprecation
The warning was:

DEPRECATION WARNING: Calling `<<` to an ActiveModel::Errors message array in order to add an error is deprecated. Please call `ActiveModel::Errors#add` instead. (called from block (3 levels) in activate! at discourse/plugins/poll/plugin.rb:519)
2021-06-07 11:34:38 +08:00
Alan Guo Xiang Tan
9f650b45a0 DEV: Bump rubocop-discourse to 2.4.2. 2021-06-07 11:34:08 +08:00
dependabot[bot]
b1fc8c8537 Build(deps): Bump concurrent-ruby from 1.1.8 to 1.1.9
Bumps [concurrent-ruby](https://github.com/ruby-concurrency/concurrent-ruby) from 1.1.8 to 1.1.9.
- [Release notes](https://github.com/ruby-concurrency/concurrent-ruby/releases)
- [Changelog](https://github.com/ruby-concurrency/concurrent-ruby/blob/master/CHANGELOG.md)
- [Commits](https://github.com/ruby-concurrency/concurrent-ruby/compare/v1.1.8...v1.1.9)

---
updated-dependencies:
- dependency-name: concurrent-ruby
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-06-07 11:30:20 +08:00
dependabot[bot]
36efc740d1
Build(deps): Bump loofah from 2.9.1 to 2.10.0 (#13305)
Bumps [loofah](https://github.com/flavorjones/loofah) from 2.9.1 to 2.10.0.
- [Release notes](https://github.com/flavorjones/loofah/releases)
- [Changelog](https://github.com/flavorjones/loofah/blob/main/CHANGELOG.md)
- [Commits](https://github.com/flavorjones/loofah/compare/v2.9.1...v2.10.0)

---
updated-dependencies:
- dependency-name: loofah
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-06-07 00:24:35 +02:00
Penar Musaraj
9ebc9541b9
FIX: Size of emoji in poll options (#13294)
Fixes a regression in 33cb1b
2021-06-04 18:27:25 -04:00
Rafael dos Santos Silva
ee6ff9f1d7
FIX: Use newly created PushSubscription object for push test message (#13293) 2021-06-04 16:05:46 -03:00
Bianca Nenciu
46cd355046
FIX: Allow any other tag to be a synonym (#13290)
Tag-chooser component expects an array of blocked tags, but was passed
a string instead. That made tag-chooser to not allow any tags that were
a substring of the current one.
2021-06-04 21:51:53 +03:00
Penar Musaraj
c4e801852f
A11Y: Improve topic details toggle button label (#13287) 2021-06-04 13:28:18 -04:00
Penar Musaraj
2c6ceec9ea
A11Y: Add aria-label to modal close button (#13288) 2021-06-04 13:28:04 -04:00
Penar Musaraj
78029fd913
A11Y: Include aria-label for avatar images in widgets (#13286) 2021-06-04 13:26:08 -04:00
Robin Ward
5d2b836ae5
DEV: Move pretty-text into vendor and use that (#13273)
In Ember CLI addons get put into the vendor bundle, as opposed to their
own bundle like we're doing in the Rails app. We never use pretty-text
without our vendor bundle so this should have no difference on
performance.

We need to keep the pretty-text bundle for server side cooking.
2021-06-04 11:01:59 -04:00
Dan Ungureanu
70eddbece1
UX: Copy edit (#13285) 2021-06-04 15:16:52 +03:00
Andrei Prigorshnev
476dfaed2f
FIX: Composer doesn't show an error message in case of a network issue and stops updating draft after (#13268) 2021-06-04 16:15:47 +04:00
Dan Ungureanu
da2889a7a8
DEV: Add more verbose logging for image uploads (#13270)
Image optimization fails randomly (very rare) without a trace and it is
near impossible to find culprit image, reproduce the issue and attempt
to fix.
2021-06-04 15:13:58 +03:00
Ikko Ashimine
9431051ac1 FIX: misspelling in associate_accounts_controller_spec.rb
non-existant -> non-existent
2021-06-04 13:55:35 +08:00
Martin Brennan
b01e4738ab
DEV: Add more keyboard shortcut acceptance tests (#13280)
This adds acceptance tests for keyboard shortcuts to
dismiss new and unread topics.

Also, I cleaned out a few old specs for the unit test for
keyboard-shortcuts. Some were introduced way back in
5100c2bbd2
but then supplanted by
9548876c2d
and never cleaned up, so they were doing nothing.

Follow up to https://review.discourse.org/t/fix-dismiss-topics-keyboard-shortcut-not-working-pr-13260/22157/4?u=martin
2021-06-04 14:04:20 +10:00
dependabot[bot]
27763da412
Build(deps): Bump nokogiri from 1.11.6 to 1.11.7 (#13275)
Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.11.6 to 1.11.7.
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sparklemotion/nokogiri/compare/v1.11.6...v1.11.7)

---
updated-dependencies:
- dependency-name: nokogiri
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-06-04 13:05:36 +10:00
Kris
e3b0abc575
UX: Revert some search dropdown styles (#13274) 2021-06-03 22:54:22 -04:00
Alan Guo Xiang Tan
982eaab9b0 PERF: Defer setting of distributed cache in category.
See follow up commit for rational.

Follow-up to 8cfe203
2021-06-04 10:49:54 +08:00
Alan Guo Xiang Tan
9625208f40 DEV: Clean up state leak in BootstrapController spec.
The state leak was causing `ExtraLocalesController.client_overrides_exist?` specs to fail randomly.

Follow-up to 1976306539
2021-06-04 10:10:11 +08:00
Penar Musaraj
33cb1b7cf1
FIX: Ensure images in polls don't cause abrupt scrolling (#13272)
In some very rare cases, poll options can end up with images that have
no dimensions, in which case, navigating to replies in that post stream
might result in unexpected scrolling (as the browser loads the images
and adjusts its layout).

This ensures that if width/height attributes are missing from an image,
the image is forced to display within a 200 by 200 pixels space.

Co-authored-by: David Taylor <david@taylorhq.com>
2021-06-03 22:09:59 -04:00
Alan Guo Xiang Tan
3c1f4d5771 FIX: Clear post action types application serializer fragment cache.
The bug was introduced in dc10bdee3d
2021-06-04 09:14:49 +08:00
Alan Guo Xiang Tan
cadf5eafe6 DEV: Move Discourse app specific concern out of unicorn conf. 2021-06-04 09:13:34 +08:00
Alan Guo Xiang Tan
a8667b5454 PERF: Defer setting of distributed cache in more spots.
See follow up commit for rational.

Follow-up to 8cfe203383
2021-06-04 09:13:18 +08:00
Kris
cd9941e0ca
UX: more consistent setting/edit buttons (#13276) 2021-06-03 18:33:36 -04:00
jbrw
9d8bc6a405
FIX: Return naturalWidth and naturalHeight for Composer image sizes (#13271)
Rather than returning the size of the currently rendered image in the composer window (which is dependent on browser settings such as window size and zoom level), return the actual dimensions of the image file itself.

(Also see commit abac614492 which was an earlier attempt to fix this by excluding Oneboxed images entirely. That was reverted as the CSS selector didn’t work on all browsers.)
2021-06-03 16:21:56 -04:00
Penar Musaraj
9a449ac534
UX: Adjustments to tag groups layout (#13269) 2021-06-03 13:58:28 -04:00
Arpit Jalan
b27674597c
FIX: redirect non-staff user to homepage when deleting own topic (#13267) 2021-06-03 20:27:29 +05:30
David Taylor
4134173bbf
FEATURE: Add global admin api key rate limiter (#12527) 2021-06-03 10:52:43 +01:00
Alan Guo Xiang Tan
58b30fb510 PERF: Preload settings, groups and badge icons in SvgSprite.
Identified as a hot path in production. Preload it early instead of
executing the queries in a live request.
2021-06-03 16:45:56 +08:00
Martin Brennan
eb2c399445
FEATURE: Use group SMTP settings for sending user notification emails (initial) (#13220)
This PR changes the `UserNotification` class to send outbound `user_private_message` using the group's SMTP settings, but only if:

* The first allowed_group on the topic has SMTP configured and enabled
* SiteSetting.enable_smtp is true
* The group does not have IMAP enabled, if this is enabled the `GroupSMTPMailer` handles things

The email is sent using the group's `email_username` as both the `from` and `reply-to` address, so when the user replies from their email it will go through the group's SMTP inbox, which needs to have email forwarding set up to send the message on to a location (such as a hosted site email address like meta@discoursemail.com) where it can be POSTed into discourse's handle_mail route.

Also includes a fix to `EmailReceiver#group_incoming_emails_regex` to include the `group.email_username` so the group does not get a staged user created and invited to the topic (which was a problem for IMAP), as well as updating `Group.find_by_email` to find using the `email_username` as well for inbound emails with that as the TO address.

#### Note

This is safe to merge without impacting anyone seriously. If people had SMTP enabled for a group they would have IMAP enabled too currently, and that is a very small amount of users because IMAP is an alpha product, and also because the UserNotification change has a guard to make sure it is not used if IMAP is enabled for the group. The existing IMAP tests work, and I tested this functionality by manually POSTing replies to the SMTP address into my local discourse.

There will probably be more work needed on this, but it needs to be tested further in a real hosted environment to continue.
2021-06-03 14:47:32 +10:00
Osama Sayegh
3249312c81
FIX: Escape periods in current user's username before generating RegExp (#13247)
If we don't escape periods, they are interpreted as wildcards and it
becomes impossible to visit profiles of other users whose usernames
match. E.g., if your username was `a.c` and attempted to visit `abc`'s
profile, you would be incorrectly redirected to your own profile.
2021-06-03 14:15:38 +10:00
Kris
f3e021ad45
UX: Update search panel styles, consistency (#13262) 2021-06-03 14:14:24 +10:00
Bianca Nenciu
d184fe59ca
FEATURE: Censor Oneboxes (#12902)
Previously onebox content was not passed by the censor regex, meaning you could sneak in censored words via onebox.
2021-06-03 11:39:12 +10:00
Alan Guo Xiang Tan
58cb120aa2
DEV: Minor code clean up in assets.rake. (#13245) 2021-06-03 11:37:06 +10:00
jbrw
b57dca90fc
Revert "FIX: Ignore allowlistgeneric Onebox image sizes (#13240)" (#13261)
This reverts commit abac614492.

The CSS selector I was trying to use does not appear to be widely supported.
2021-06-02 21:36:46 -04:00
Bianca Nenciu
648d2fd793
DEV: Add test for link watched words (#13251) 2021-06-03 11:36:07 +10:00
Alan Guo Xiang Tan
8cfe203383 PERF: Defer setting of distributed cache in performance critical paths.
Setting a key/value pair in DistributedCache involves waiting on the
write to Redis to finish. In most cases, we don't need to wait on the
setting of the cache to finish. We just need to take our return value
and move on.
2021-06-03 09:30:52 +08:00
Martin Brennan
83211cff25
FIX: Change order of topic_tracking_state SELECT SQL (#13259)
This allows us to do DISTINCT on the topic_id to remove
duplicates (e.g. in extensions to the report SQL), and
also introduces an additional_join_sql string to allow
extensions to JOIN additional tables.
2021-06-03 11:21:33 +10:00
Martin Brennan
006d52f32b
FIX: Dismiss topics keyboard shortcut not working (#13260)
This issue is a result of
7a79bd7da3,
where the ID for the bottom Dismiss Topic buttons changed to
dismiss-topic-bottom.
2021-06-03 11:20:20 +10:00
jbrw
abac614492
FIX: Ignore allowlistgeneric Onebox image sizes (#13240)
* FIX: Ignore `allowlistgeneric` Onebox image sizes

The size of an image contained within the preview pane of a Composer window may vary depending on the configuration of the browser displaying the Composer (e.g., dimension of browser window, zoom level, etc.).

Presently, the dimensions of the images from the browser creating the post containing the Onebox will be used to render the Onebox to anyone who views the post. It is safer to let the backend figure out the dimensions of the images. Therefore, exclude `.onebox.allowlistedgeneric` images from the list of `image_sizes` sent to the backend.

* DEV: Replace jQuery selector with pure JS

* DEV: remove more jQuery
2021-06-02 20:02:13 -04:00
Jordan Vidrine
188ac1c51f
FIX: Add check for if element doesnt exist on ensureDropClosed (#13256) 2021-06-02 13:44:21 -05:00
Jarek Radosz
3bb765ac92
DEV: Remove the remaining Travis code (#13255)
The second attempt at #10041 now that all our plugins use GitHub Actions CI instead.
2021-06-02 20:29:47 +02:00
jbrw
4a7c043382
DEV: bundle update fastimage (#13253)
FastImage 2.2.4 - includes a fix for BOM characters in SVG files, and HEIC support
2021-06-02 14:06:20 -04:00