Commit Graph

43615 Commits

Author SHA1 Message Date
David Taylor
1fa7a87f86
SECURITY: Remove ember-cli specific response from application routes (#15155)
Under some conditions, these varied responses could lead to cache poisoning, hence the 'security' label.

Previously the Rails application would serve JSON data in place of HTML whenever Ember CLI requested an `application.html.erb`-rendered page. This commit removes that logic, and instead parses the HTML out of the standard response. This means that Rails doesn't need to customize its response for Ember CLI.
2021-12-01 16:10:40 +00:00
Andrei Prigorshnev
f37375f582
DEV: avoid sending events to a destroying object and enable few skipped tests (#15030) 2021-12-01 18:21:44 +04:00
Martin Brennan
4bdb956a0d
Revert "UX: Fix alignment in group navigation bar (#15145)" (#15150)
This reverts commit 01830f9d28.

This broke sidebar and could have affected customer themes
on a full enterprise deploy.
2021-12-01 16:13:03 +11:00
Natalie Tay
0f598ca51e
SECURITY: Only show tags to users with permission (#15148) 2021-12-01 10:26:56 +08:00
Penar Musaraj
01830f9d28
UX: Fix alignment in group navigation bar (#15145) 2021-12-01 11:49:34 +11:00
Martin Brennan
d64323b4e6
DEV: Change create-invite-uploader to use uppy (#15088)
Part of overall strategy to remove jQuery file uploader
from the codebase. Also added some helper functionality to
the uppy mixin to allow for non-autostart uploads (all
previous upload changes have been for auto start components.)
2021-12-01 09:45:05 +10:00
Martin Brennan
dce6c6fb50
FIX: Native File object was not passed to uploadHandler (#15146)
The commit 20b2a42f49 broke
upload handlers, because previously we passed through the
native File object to the handler, not the uppy-wrapped
File object.
2021-12-01 09:01:53 +10:00
Krzysztof Kotlarek
9cabd3721b
FEATURE: ability to add description to tags (#15125)
Ability to add description to tags, which will be displayed on hover.
2021-12-01 09:18:56 +11:00
Jarek Radosz
78723345c0
DEV: Fix a flaky bookmarks test (#15129)
* DEV: Specify bookmarks order

It's better to order by id than to have a semi-random order. Fixes a flaky test:

```
 1) TopicView with a few sample posts #bookmarks gets the first post bookmark reminder at for the user
59
     Failure/Error: expect(first[:post_id]).to eq(bookmark1.post_id)
60

61
       expected: 1901
62
            got: 1902
63

64
       (compared using ==)
65
     # ./spec/components/topic_view_spec.rb:420:in `block (4 levels) in <main>'
66
     # ./spec/rails_helper.rb:284:in `block (2 levels) in <top (required)>'
67
     # ./vendor/bundle/ruby/2.7.0/gems/webmock-3.14.0/lib/webmock/rspec.rb:37:in `block (2 levels) in <top (required)>'
68
```

* Change test

* Revert "DEV: Specify bookmarks order"

This reverts commit 1f50026231.
2021-12-01 08:56:00 +11:00
Discourse Translator Bot
b12f89e351
Update translations (#15140) 2021-11-30 21:06:39 +01:00
Rafael dos Santos Silva
4ef11e786b
DEV: Add aarch64 platform (#15143) 2021-11-30 16:31:11 -03:00
Jarek Radosz
0bf30196c9
FIX: Broken css in #15141 (#15144) 2021-11-30 20:02:22 +01:00
David Taylor
2eb162e25b
FEATURE: Show user cards for 'replying...' users (#15142)
Also removes some unneeded parameters from the `avatar` helper.
2021-11-30 18:57:57 +00:00
Jarek Radosz
feb9a3675d
UX: Tweak mobile composer styling (#15141)
A followup to #15117
2021-11-30 19:50:28 +01:00
Jarek Radosz
ac79c5efc6
UX: Tweak composer styling (#15117)
* Even margins
* Slightly more muted and unified borders, separators, and icons
* Editor and preview area have same height
2021-11-30 17:41:22 +01:00
Jarek Radosz
7ce6971539
DEV: Add drop-date to drop-dateless deprecations (#15133) 2021-11-30 17:41:04 +01:00
Jarek Radosz
c0781d7d23
DEV: Replace bent with node-fetch in bootstrap (#15139)
Drops the `acceptedStatusCodes` array.
2021-11-30 17:40:32 +01:00
Roman Rizzi
1fc06520bd
REFACTOR: Improve support for consolidating notifications. (#14904)
* REFACTOR: Improve support for consolidating notifications.

Before this commit, we didn't have a single way of consolidating notifications. For notifications like group summaries, we manually removed old ones before creating a new one. On the other hand, we used an after_create callback for likes and group membership requests, which caused unnecessary work, as we need to delete the record we created to replace it with a consolidated one.

We now have all the consolidation rules centralized in a single place: the consolidation planner class. Other parts of the app looking to create a consolidable notification can do so by calling Notification#consolidate_or_save!, instead of the default Notification#create! method.

Finally, we added two more rules: one for re-using existing group summaries and another for deleting duplicated dashboard problems PMs notifications when the user is tracking the moderator's inbox. Setting the threshold to one forces the planner to apply this rule every time.

I plan to add plugin support for adding custom rules in another PR to keep this one relatively small.

* DEV: Introduces a plugin API for consolidating notifications.

This commit removes the `Notification#filter_by_consolidation_data` scope since plugins could have to define their criteria. The Plan class now receives two blocks, one to query for an already consolidated notification, which we'll try to update, and another to query for existing ones to consolidate.

It also receives a consolidation window, which accepts an ActiveSupport::Duration object, and filter notifications created since that value.
2021-11-30 13:36:14 -03:00
Andrei Prigorshnev
284ab8cdf7
DEV: migrate (almost all) routes from actions: to @action syntax (#14722)
This should be safe, all these places are pretty straightforward. I've run into one problem when changing this, though. That problem was fixed in https://github.com/discourse/discourse/pull/14624
2021-11-30 17:01:06 +04:00
Andrei Prigorshnev
88f9bb3dc9
FIX: do not suggest "user1" as a username to invited users (#15031)
Recently, the wrong new behavior appeared – we started to suggest to invited users usernames like "user1".

To reproduce:
1. Create an invitation with default settings, do not restrict it to email
2. Copy an invitation link and follow it in incognito mode
See username already filled, with eg “user1”. See screenshot. Should be empty.

This bug was very likely introduced by my recent changes to UserNameSuggester.
2021-11-30 16:59:37 +04:00
Jarek Radosz
24356e339b
DEV: Fix pending posts page, make tests work in legacy env (#15132)
* Running the tests only in the ember cli env hid the fact that the pending posts feature wasn't working in the legacy environment
* Tests were using ember-cli-only APIs while there are widely used testing APIs in Discourse that support both ember envs
* `ember-test-selectors` was in both dependencies and devDependencies in discourse/package.json
* `qunit-dom` in package.json was not only unused but also defunct, as it wasn't pulled into the legacy env app

A followup to #14501, and #15128.
2021-11-30 13:01:39 +01:00
Osama Sayegh
fced35de15
UX: Add title attribute to reports cells (#15137)
Some reports, like the Web Crawler User Agents report, have very long strings that need to be truncated when displayed. However, there is no way to see the full value without exporting the report or inspecting the elements using dev tools. This PR set a `title` attribute with the full value to the reports `<td>` elements so that the full value is shown on hover.
2021-11-30 14:58:42 +03:00
Joffrey JAFFEUX
77a1d8675c
FIX: adds 422 status code to bootstrap json (#15138)
A post error validation would return a 422 status code. This status code was not accepted with the recent changes to bootstrap-json/index.js and would return a "Discourse Build Error" string, preventing any kind of bootbox popup error in the composer.
2021-11-30 11:54:38 +01:00
Osama Sayegh
7bd3986b21
FEATURE: Replace Crawl-delay directive with proper rate limiting (#15131)
We have a couple of site setting, `slow_down_crawler_user_agents` and `slow_down_crawler_rate`, that are meant to allow site owners to signal to specific crawlers that they're crawling the site too aggressively and that they should slow down.

When a crawler is added to the `slow_down_crawler_user_agents` setting, Discourse currently adds a `Crawl-delay` directive for that crawler in `/robots.txt`. Unfortunately, many crawlers don't support the `Crawl-delay` directive in `/robots.txt` which leaves the site owners no options if a crawler is crawling the site too aggressively.

This PR replaces the `Crawl-delay` directive with proper rate limiting for crawlers added to the `slow_down_crawler_user_agents` list. On every request made by a non-logged in user, Discourse will check the User Agent string and if it contains one of the values of the `slow_down_crawler_user_agents` list, Discourse will only allow 1 request every N seconds for that User Agent (N is the value of the `slow_down_crawler_rate` setting) and the rest of requests made within the same interval will get a 429 response. 

The `slow_down_crawler_user_agents` setting becomes quite dangerous with this PR since it could rate limit lots if not all of anonymous traffic if the setting is not used appropriately. So to protect against this scenario, we've added a couple of new validations to the setting when it's changed:

1) each value added to setting must 3 characters or longer
2) each value cannot be a substring of tokens found in popular browser User Agent. The current list of prohibited values is: apple, windows, linux, ubuntu, gecko, firefox, chrome, safari, applewebkit, webkit, mozilla, macintosh, khtml, intel, osx, os x, iphone, ipad and mac.
2021-11-30 12:55:25 +03:00
Jeff Wong
9896fc7d33
FIX: allow staff to upload when they should and authorized_extensions is blank (#15136)
Allow staff to upload when authorized_extensions is blank, but
authorized_extensions_for_staff is not
2021-11-29 21:40:54 -08:00
Alan Guo Xiang Tan
0edacbd8f7
DEV: Load fabricators for plugins automatically. (#15106) 2021-11-30 15:55:45 +11:00
David Taylor
af4b8d0e21
DEV: Automatically leave PresenceChannels when in the background (#15047)
* DEV: Improve PresenceChannel state storage

Replaces some objects with Maps, and removes the redundant _presentChannels Set.

* DEV: Automatically leave PresenceChannels when in the background

If a tab has been in the background for 10s, or there has been no user activity for 60s, then the user will be removed from all PresenceChannels until activity resumes. Developers can opt-out of this by passing `{onlyWhileActive: false}` to the `enter` method.
2021-11-30 15:38:19 +11:00
Jarek Radosz
6662101208
DEV: Fix a test leak (#15135)
The leak was introduced in #11722 and a test was added that relied on it in #14563

This PR fixes the leak (bookmarks-test), fixes the test that relied on it (fast-edit-test), and repleces some ad-hoc code with cloneJSON helper (other files)
2021-11-30 13:45:26 +11:00
Martin Brennan
7e5f52a163
DEV: Use pushObject for inProgressUploads in uppy (#15134)
The inProgressUploads is meant to be used to display these uploads
in a UI, and Ember will only update the array in the UI if pushObject
is used to notify it.
2021-11-30 10:42:45 +10:00
Martin Brennan
f70e6c302f
DEV: Switch to using uppy uploads in composer by default (#15058)
This is a big change to change over to using the uppy
upload mixin in the composer by default. This gets rid
of the temporary composer-editor-uppy component, as well
as removing the old ComposerUpload mixin and copying over
any missing functions that were not yet implemented by
ComposerUploadUppy. This has been working well on our
hosting for some time now and has led us to several
bug fixes.

This commit also deletes the old plugin API for adding
preprocessors for the uploads. The accepted method of doing
this now is via an uppy preprocessor plugin, which we have
several examples of in the core codebase.

Leaving the `enable_experimental_composer_uploader` site setting
intact for now because some plugins still rely on it, this
will be removed at a later date.

One step closer to ending the jQuery file uploader saga...
2021-11-30 08:33:06 +10:00
dependabot[bot]
433f9a4dc9
Build(deps): Bump parser from 3.0.3.0 to 3.0.3.1 (#15130)
Bumps [parser](https://github.com/whitequark/parser) from 3.0.3.0 to 3.0.3.1.
- [Release notes](https://github.com/whitequark/parser/releases)
- [Changelog](https://github.com/whitequark/parser/blob/master/CHANGELOG.md)
- [Commits](https://github.com/whitequark/parser/compare/v3.0.3.0...v3.0.3.1)

---
updated-dependencies:
- dependency-name: parser
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-11-29 22:52:04 +01:00
Jarek Radosz
c9e0ad5ec4
DEV: Remove build:stamp task and related code (#15069)
I don't think we use `build:stamp` task anymore, nor we rely on config/version.rb
2021-11-29 19:09:05 +01:00
Joffrey JAFFEUX
3dc0b9e077
UX: closes multi-select on selection when maximum=1 (#15092) 2021-11-29 14:29:11 +01:00
Loïc Guitaut
354f88358c DEV: Add ember-test-selectors to production env 2021-11-29 11:31:31 +01:00
David Taylor
0ab57975a4
FIX: Ensure widget hooks always call the correct instance (#15127)
Widgets instances are ephemeral - they change on every re-render. We always want to notify the 'most recent' widget instance of events. This regressed in 1b9cf1b1 because the touchStart and drag hooks would persist the widget instance from the initial render. This commit switches TouchStart and Drag back to the pattern other events use, so that the most recent instance is always called. The performance benefits of per-element event listeners are retained.
2021-11-29 09:33:40 +00:00
Loïc Guitaut
a5fbb90df4 FEATURE: Display pending posts on user’s page
Currently when a user creates posts that are moderated (for whatever
reason), a popup is displayed saying the post needs approval and the
total number of the user’s pending posts. But then this piece of
information is kind of lost and there is nowhere for the user to know
what are their pending posts or how many there are.

This patch solves this issue by adding a new “Pending” section to the
user’s activity page when there are some pending posts to display. When
there are none, then the “Pending” section isn’t displayed at all.
2021-11-29 10:26:33 +01:00
Joffrey JAFFEUX
6e603799eb
FIX: treats ipad as mobileView for popper positioning (#15091)
* FIX: treats ipad as mobileView for popper positioning

* ensures it doesn’t break wizard
2021-11-29 17:40:01 +11:00
Jarek Radosz
530eb0c9bd
DEV: Throw on non-xhr errors (#15123)
Makes it easier to debug post-stream problems when the issue isn't with the server response.
2021-11-29 17:36:48 +11:00
Jarek Radosz
5d643a498e
FIX: Global log notice regressed in #15000 (#15119)
Notice models didn't have the same injections as GlobalNotice components.
2021-11-29 17:13:35 +11:00
Martin Brennan
20b2a42f49
DEV: Send multiple files in batches to composer upload handlers when using uppy (#15124)
In jQuery file upload land, we were sending a single file through
at a time to matching upload handlers. This in turn required plugin
authors to marshal the files as they came through one by one if they
wanted to group them together to do something with them. Now that
we are using uppy, files come through in the groups they are added
in (for example dropping multiple, selecting multiple from the system
file dialogue).

This commit changes the matching upload handlers to send through
all matching files at once instead of piecemeal.
2021-11-29 11:19:02 +10:00
Jarek Radosz
13aed6fe3b
FIX: Setting bookmarks in some cases was broken (#15120)
Error introduced in #14781

```
Error: Assertion Failed: You attempted to update <(unknown):ember3217>.bookmarks to "<(unknown):ember3846>", but it is being tracked by a tracking context, such as a template, computed property, or observer. In order to make sure the context updates properly, you must invalidate the property when updating it. You can mark the property as `@tracked`, or use `@ember/object#set` to do this.
```
2021-11-28 23:34:51 +01:00
Martin Brennan
e464958333
DEV: Fix uploadHandler impl. in composer-upload-uppy mixin (#15105)
In f6528afa01 I added parity support
for composer upload handlers to the uppy-ized composer. However the
way I assumed that it was only possible to handle a single file
upload at a time was false; it only appeared this way in the old
jQuery file upload composer because jQuery file upload sent through
files one at a time even if multiple were added at once. This caused
issues in certain plugins and themes by third parties.

This commit fixes the issue by making the uppy upload handler work
the same as the old one, by capturing all of the added files that
have matching handlers then going through them one by one and passing
them to the handler function.
2021-11-29 08:32:06 +10:00
dependabot[bot]
7c572d0472
Build(deps): Bump logster from 2.9.8 to 2.10.0 (#15121)
Bumps [logster](https://github.com/discourse/logster) from 2.9.8 to 2.10.0.
- [Release notes](https://github.com/discourse/logster/releases)
- [Changelog](https://github.com/discourse/logster/blob/main/CHANGELOG.md)
- [Commits](https://github.com/discourse/logster/compare/v2.9.8...v2.10.0)

---
updated-dependencies:
- dependency-name: logster
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-11-28 22:29:40 +01:00
dependabot[bot]
f1b926ed3b
Build(deps): Bump globalid from 0.6.0 to 1.0.0 (#15122)
Bumps [globalid](https://github.com/rails/globalid) from 0.6.0 to 1.0.0.
- [Release notes](https://github.com/rails/globalid/releases)
- [Commits](https://github.com/rails/globalid/compare/v0.6.0...v1.0.0)

---
updated-dependencies:
- dependency-name: globalid
  dependency-type: indirect
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-11-28 22:23:39 +01:00
Jarek Radosz
fb5e871dff
DEV: Remove unnecessary functions (#15113) 2021-11-28 12:45:32 +01:00
David Taylor
1b9cf1b1c7
PERF: Update widget hooks to avoid global scroll-blocking events (#15116)
For widget event handlers, we register a single listener on the `<body>`, and then notify the relavent widget (if any) when the event fires.

`touchstart` and `touchmove` events are particularly performance sensitive because they block scrolling on mobile. Therefore we want to avoid registering global non-passive listeners for these events.

This commit updates the WidgetTouchStartHook and WidgetDragHook implementations to automatically register listeners on the specific widget DOM elements when required.

This commit removes the last global scroll-blocking event handler from Discourse core. That means that mobile scrolling is now completely decoupled from our JS app. Even if the JS app is completely blocked (e.g. during rendering), scrolling will now continue to work. This should make things feel a lot smoother, especially on lower performance devices.
2021-11-28 10:47:44 +00:00
David Taylor
bca5c58c90
DEV: Disable 'passive' handlers for pan-events mixin (#15118)
These were set to `passive: true` in ff72522f.

However, two consumers of this mixin (topic-navigation and site-header) do need to call `e.preventDefault()`, so we can't use passive listeners here.

That's ok, because this mixin only applies to a specific component's element, not the entire page. So having these non-passive listeners doesn't affect the vast majority of scrolling
2021-11-28 10:42:59 +00:00
David Taylor
136189508b
DEV: Ensure scrolling-post-stream event listeners are removed correctly (#15115)
The method was switched from _debouncedScrollCallback to _debouncedScroll in ff72522f, but the cleanup was not updated to match.
2021-11-27 17:04:31 +00:00
David Taylor
1b184cefd0
PERF: Update scrolling mixin implementation (#15109)
This mixin calls the "scrolled" method of some object with no parameters, so there is no way that consumers would ever call `event.preventDefault()`. Therefore we can make the listeners passive, and improve scrolling performance on mobile.

This commit also updates the mixin to remove JQuery usage. The API is slightly modified to remove the need for an event 'name' for binding/unbinding.

The calls to `.bindScrolling` and `.unbindScrolling` in user-stream.js are removed because they are already called by the LoadMore mixin which is applied to the component.

The `bindScrolling` method claimed to offer debouncing-by-default. However, a bug in the `opts` parsing meant that debouncing was skipped if a 'name' was passed in. Therefore the only consumer actually being debounced was the LoadMore mixin. This commit fixes the opts parsing, so all consumers get the same behavior.

However, when scrolling, debounce is rarely what we want. The documentation of `bindScrolling` says "called every 100ms". In fact, debounce means that the functions were only called 'after the user **stops scrolling** for 100ms'. If you're scrolling very slowly (e.g. when using momentum-based scrolling on mobile), then this can be quite frustrating. This is why "Load more" is only triggered on topics/topic-lists when you completely stop scrolling.

Therefore, this commit also replaces the default 'debounce' with a 'throttle'. The 'throttle' is configured with `immediate = false`, so that it fires on the trailing edge, and therefore the final call will always be **after** we finish scrolling. (the default `immediate: true` would fire on the leading edge, and so the last call could be up to 100ms **before** we finish scrolling).
2021-11-26 20:22:50 +00:00
David Taylor
5d59b7e733
DEV: Make plugin api errors more descriptive (#15111)
With more descriptive errors, developers will know **why** a change is required, and may be more likely to take action.
2021-11-26 20:22:29 +00:00