github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2024-12-16 00:26:29 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
34,237 Commits 214 Branches 500 Tags 960 MiB
1c49875048
Commit Graph

2915 Commits

Author SHA1 Message Date
Dan Ungureanu
554b0f366d
SECURITY: Ensure only image uploads can be inlined 
This prevents malicious files (for example special crafted XMLs) to be
used in XSS attacks.
 2019-12-11 17:08:58 +02:00
Joffrey JAFFEUX
5cb00d5528 DEV: s/\$redis/Discourse\.redis 
With manual merge conflicts
 2019-12-03 14:26:57 +01:00
Sam Saffron
14db879a31 DEV: Implement a faster Discourse.cache 
This is a bottom up rewrite of Discourse cache to support faster performance
and a limited surface area.

ActiveSupport::Cache::Store accepts many options we do not use, this partial
implementation only picks the bits out that we do use and want to support.

Additionally params are named which avoids typos such as "expires_at" vs "expires_in"

This also moves a few spots in Discourse to use Discourse.cache over setex
Performance of setex and Discourse.cache.write is similar.
 2019-12-03 14:03:30 +01:00
Roman Rizzi
fd1a2a4c07 FIX: Improve protection against problematic usernames (#8097) 2019-09-13 15:52:05 -03:00
David Taylor
51b7f4d900 FIX: When activating via omniauth, create tokens after password reset 
Resetting a password invalidates all email tokens, so we need to create the tokens after the password reset.
 2019-08-28 14:50:07 +01:00
David Taylor
f80f8a34c0 SECURITY: Reset password when activating an account via auth provider 
Followup to d693b4e35fe0e58c5578eae4a56c06dff4756ba2
 2019-08-28 14:08:55 +01:00
Arpit Jalan
aea541d037 SECURITY: don't reveal category details to users that do not have access 2019-08-19 12:51:15 +05:30
David Taylor
9cfe3f9948 SECURITY: Add confirmation screen when connecting associated accounts 2019-07-24 13:29:59 +01:00
Gerhard Schlager
90a1aa5536 SECURITY: Validate backup chunk identifier 2019-07-22 08:44:38 +02:00
Gerhard Schlager
5b91182985 DEV: Respond with error 400 to uploads requested via XHR 
follow-up to 13f38055
 2019-06-27 11:30:05 +02:00
Gerhard Schlager
9c8aa0a906 SECURITY: XSS in routes 
Co-authored-by: Guo Xiang Tan <tgx_world@hotmail.com>
Co-authored-by: David Taylor <david@taylorhq.com>
 2019-06-26 16:45:33 +02:00
Neil Lalonde
04be572a92 Merge diffs from master 2019-06-17 20:07:19 -04:00
Neil Lalonde
a4308fdd43 Merge master 2019-06-17 20:04:04 -04:00
David Taylor
40cbcc7720 SECURITY: Add confirmation screen when logging in via email link 2019-06-17 18:20:48 +01:00
David Taylor
e6e47f2fb2 SECURITY: Add confirmation screen when logging in via user-api OTP 2019-06-17 16:18:44 +01:00
David Taylor
52387be4a4 SECURITY: Add confirmation screen when logging in via email link 2019-06-17 16:18:37 +01:00
David Taylor
5f6f707080 Revert "Merge pull request from GHSA-hv9p-jfm4-gpr9" 
This reverts commit b8340c6c8e.
 2019-06-17 16:17:10 +01:00
David Taylor
b8340c6c8e
Merge pull request from GHSA-hv9p-jfm4-gpr9 
* SECURITY: Add confirmation screen when logging in via email link

* SECURITY: Add confirmation screen when logging in via user-api OTP

* FIX: Correct translation key in session controller specs

* FIX: Use .email-login class for page
 2019-06-17 15:59:41 +01:00
Arpit Jalan
863d8014d0 FIX: respond with 400 error on invalid redirect param 2019-06-17 16:44:30 +05:30
Sam Saffron
704c579550 FIX: do not allow unbound membership lookups 
Previously we would allow looking up membership limits in an unbound way
via the API, this introduces an upper limit of 1000 per page.
 2019-06-17 15:32:06 +10:00
Arpit Jalan
36e53db300 Fix the build. 2019-06-12 16:44:17 +05:30
Arpit Jalan
7b66f8fb46 DEV: optimize bulk invite process 2019-06-12 16:33:19 +05:30
Arpit Jalan
e2636f0ec7 FIX: handle array in redirect param 2019-06-11 17:49:09 +05:30
Dan Ungureanu
a046f6ced5 FEATURE: Trigger Discourse events from authenticators. (#7724) 2019-06-11 11:28:42 +10:00
Gerhard Schlager
bae7b75e23 FIX: Updating a user profile as admin shouldn't change the user's locale 2019-06-07 17:53:46 +02:00
Sam Saffron
cbd4d06da0 PERF: only check for totp record on current user at when needed 
Previously the check was done a bit too early causing one extra query
per page unconditionally for logged on users
 2019-06-07 16:25:04 +10:00
Penar Musaraj
f00275ded3 FEATURE: Support private attachments when using S3 storage (#7677) 
* Support private uploads in S3
* Use localStore for local avatars
* Add job to update private upload ACL on S3
* Test multisite paths
* update ACL for private uploads in migrate_to_s3 task
 2019-06-06 13:27:24 +10:00
Bianca Nenciu
e0c821ebb0 FEATURE: Make staff action logs page support infinite loading 2019-06-06 13:02:53 +10:00
Saurabh Patel
b510006ca8 FEATURE: show tags in crawler view of tags page for static site 
Previously tags page would have an empty page in crawler view
 2019-06-06 12:55:37 +10:00
Roman Rizzi
c3a38d2304 DEV: Make groups/new extensible by plugins (#7642) 
* Expose a new plugin outlet. Pass group model to the group-member-dropdown so it can be accessed by plugins

* Added controller tests for group custom fields. update custom fields when updating a group
 2019-06-06 12:05:33 +10:00
Robin Ward
d902c4eb9f FEATURE: Can sort reviewable queue 
Choices are Priority / Created At (and desc versions.)
 2019-06-05 13:21:05 -04:00
Joffrey JAFFEUX
ce79a71c5d
typo s/faivcon/favicon (#7697) 2019-06-05 09:46:07 +02:00
Sam Saffron
b9df7a2257 FIX: if favicon is missing due to bad url we would return a 500 on favicons 
This ensures that the error logging does not corrupt the cache
 2019-06-05 16:43:40 +10:00
Arpit Jalan
e7fe7010b8
FIX: use hijack for processing bulk invites (#7679) 
FIX: do not store bulk invite CSV file on server
 2019-06-04 20:19:46 +05:30
Régis Hanol
33bc8c276d FIX: default top timeframe was overriding best_periods_for 2019-06-04 10:57:50 +02:00
Régis Hanol
d7ff640778 fix the build 2019-06-03 20:42:46 +02:00
Maja Komel
42809f4d69 FIX: use crawler layout when saving url in Wayback Machine (#7667) 2019-06-03 12:13:32 +10:00
Sam Saffron
e302c0af8b DEV: by default disable anon impersonation in dev environments 
The impersonate any user by anonymous feature in dev should require a
deliberate opt-in. This way developers are better aware of the security
implications of this development only feature.
 2019-06-03 10:02:27 +10:00
Robin Ward
2e0a40007b FIX: Category topics should not be deletable via review queue 2019-05-30 16:43:23 -04:00
romanrizzi
e7ee556e87 Support multi-group user search 2019-05-30 08:45:20 +08:00
Guo Xiang Tan
a3938f98f8 Revert changes to FileStore::S3Store#path_for in f0620e7118. 
There are some places in the code base that assumes the method should
return nil.
 2019-05-29 18:39:07 +08:00
Guo Xiang Tan
f0620e7118 FEATURE: Support [description|attachment](upload://<short-sha>) in MD take 2. 
Previous attempt was missing `post_uploads` records.
 2019-05-29 09:26:32 +08:00
Penar Musaraj
7c9fb95c15 Temporarily revert "FEATURE: Support [description|attachment](upload://<short-sha>) in MD. (#7603)" 
This reverts commit b1d3c678ca.

We need to make sure post_upload records are correctly stored.
 2019-05-28 16:37:01 -04:00
Guo Xiang Tan
b1d3c678ca FEATURE: Support [description|attachment](upload://<short-sha>) in MD. (#7603) 2019-05-28 11:18:21 -04:00
Bianca Nenciu
07b80d491b FIX: Refresh automatic groups after inviting moderators. 2019-05-28 17:19:34 +08:00
Sam Saffron
7429700389 FIX: ensure we can download maxmind without redis or db config 
This also corrects FileHelper.download so it supports "follow_redirect"
correctly (it used to always follow 1 redirect) and adds a `validate_url`
param that will bypass all uri validation if set to false (default is true)
 2019-05-28 10:28:57 +10:00
Robin Ward
d26c4509ea FIX: Adding a user to a group twice under concurrency 
This prevents an error from being raised / logged.
 2019-05-27 15:42:40 -04:00
Penar Musaraj
dfcc2e7ad8 Revert "FEATURE: Send notification when member was accepted to group. (#7503)" 
This reverts commit 42c82d544e.
 2019-05-27 15:19:59 -04:00
Robin Ward
d95a68b837 FEATURE: When suspending a user, allow the Delete + Replies action 
Previously you could only delete the post
 2019-05-27 12:27:16 -04:00
Bianca Nenciu
42c82d544e
FEATURE: Send notification when member was accepted to group. (#7503) 2019-05-27 17:28:41 +03:00