Commit Graph

460 Commits

Author SHA1 Message Date
Guo Xiang Tan
939180efa8 FIX: Missing 2FA guards when sso is enabled or when local login is disabled. 2018-03-02 10:39:10 +08:00
Guo Xiang Tan
964624f3ab FIX: No error displayed when 2FA token is invalid on admin login page. 2018-02-22 09:45:57 +08:00
Guo Xiang Tan
14f3594f9f Review Changes for f4f8a293e7. 2018-02-21 14:55:49 +08:00
Jeff Wong
f4f8a293e7 FEATURE: Implement 2factor login TOTP
implemented review items.

Blocking previous codes - valid 2-factor auth tokens can only be authenticated once/30 seconds.
I played with updating the “last used” any time the token was attempted but that seemed to be overkill, and frustrating as to why a token would fail.
Translatable texts.
Move second factor logic to a helper class.
Move second factor specific controller endpoints to its own controller.
Move serialization logic for 2-factor details in admin user views.
Add a login ember component for de-duplication
Fix up code formatting
Change verbiage of google authenticator

add controller tests:
second factor controller tests
change email tests
change password tests
admin login tests

add qunit tests - password reset, preferences

fix: check for 2factor on change email controller
fix: email controller - only show second factor errors on attempt
fix: check against 'true' to enable second factor.

Add modal for explaining what 2fa with links to Google Authenticator/FreeOTP

add two factor to email signin link

rate limit if second factor token present

add rate limiter test for second factor attempts
2018-02-21 09:04:07 +08:00
Robin Ward
02093ecbdd Extensibility: Allow plugins to munge user params 2018-02-16 19:12:02 -05:00
Guo Xiang Tan
96e5a7da46 Prefer success_Json over custom success JSON payload. 2018-02-15 07:47:35 +08:00
Erick Guan
03b3e57a44 FEATURE: login by a link from email
Co-authored-by: tgxworld <tgx@discourse.org>
2018-02-13 16:14:39 +08:00
Sam
b34b1b6fe3 FIX: invite to message was not allowing groups
Previously we were incorrectly checking mentionable instead of messageable

Also fix edge case where multiple groups sharing a name mean that exact match override is not working

Also cleans up params sent to user selector
2018-02-13 13:28:46 +11:00
Sam
41986cdb2f Refactor requires login logic, reduce duplicate code
This also corrects the positioning in the chain of the check
and removes misuse of prepend_before_action
2018-02-01 15:17:59 +11:00
Sam
f2e7b74d88 FIX: don't return 200s when login is required to paths
When running `ensure_login_required` it should always happen prior to
`check_xhr` cause check xhr will trigger a 200 response
2018-02-01 12:26:45 +11:00
Robin Ward
2d340d1122 FIX: Don't allow username update via update route
It's not using the UsernameChanger
2018-01-26 16:53:43 -05:00
Gerhard Schlager
dde0fcc658 FEATURE: Allow sending invites to staged users 2018-01-22 15:37:18 +01:00
Régis Hanol
f74ac826c5 slightly more meaningful error message 2018-01-22 12:20:53 +01:00
Arpit Jalan
672888f526 FIX: handle invalid password reset token 2018-01-09 23:48:17 +05:30
Joffrey JAFFEUX
642645ba9a
FIX: broken select badge as user title (#5474)
* FIX: broken select badge as user title

* selected id wasn’t pass to underlying component
* <none> was rendered as an html tag <none></none>
* overriding a badge name wouldn’t work as it was using badge.name and not badge.display_name
* adds a spec to ensure this behavior is correct
2018-01-05 16:58:15 +01:00
Sam
62a27f9d57 FEATURE: warn if attempting to mention a group with too many members 2017-12-21 16:13:57 +11:00
Philipp Daniels
6a2bce1931 FIX: Data loss on update of single user_field.
https://meta.discourse.org/t/api-data-loss-caused-by-changed-behaviour-of-custom-user-field-update/74990
2017-12-20 16:33:23 +08:00
Sam
96584403cd SECURITY: prevent staged accounts from changing email 2017-12-14 17:16:49 +11:00
Sam
a393d3bcbb FIX: ensure staged accounts are always inactive
If for any reason active is stored in the user model, clear it out
prior to creating an account
2017-12-13 14:22:16 +11:00
Guo Xiang Tan
e2b64257b3 Fix undefined method for NilClass error. 2017-12-12 18:54:29 +08:00
Arpit Jalan
5003f07b2c FEATURE: new site setting show_inactive_accounts 2017-12-07 19:22:41 +05:30
Robin Ward
628275fc31 FIX: Some badge routes were still working even with badges disabled 2017-11-21 12:22:44 -05:00
Guo Xiang Tan
ed16cba77f REFACTOR: Raise error if email token fails to create. 2017-11-08 12:02:33 +08:00
Neil Lalonde
d7880af0bb FIX: change password form validation should instruct admins to use min password length for admin accounts 2017-11-07 16:14:56 -05:00
Guo Xiang Tan
d320f4840d FIX: Unable to invite groups that are not public visible into pms.
https://meta.discourse.org/t/inviting-groups-broken-in-head/73346/6
2017-11-03 21:40:33 +08:00
Guo Xiang Tan
edf4af608e FIX: Better match when searching for groups. 2017-11-02 10:20:14 +08:00
Guo Xiang Tan
defea6245c REFACTOR: Always validate email by default. 2017-10-25 13:48:34 +08:00
Neil Lalonde
2db66072d7 SECURITY: signup without verified email using Google auth 2017-10-16 13:51:41 -04:00
Neil Lalonde
1faae3c765 rename forgot_password_strict to hide_email_address_taken 2017-10-03 15:28:31 -04:00
Neil Lalonde
e47f5cedd2 FEATURE: forgot_password_strict setting also prevents reporting that an email address is taken during signup 2017-10-03 15:28:30 -04:00
Régis Hanol
daf1dda700 FIX: username autocomplete in assign modal wasn't working 2017-10-03 12:49:45 +02:00
Guo Xiang Tan
8140e54675 FIX: More fixes for Group#mentionable and Group#messageable feature. 2017-10-02 17:45:58 +08:00
Régis Hanol
f6c484881b FIX: wasn't able to save watched/tracked/muted categories/tags 2017-09-29 13:09:48 +02:00
Régis Hanol
cd6dff58dd FIX: add user option/profile fields that were not permitted 2017-09-28 14:59:53 +02:00
Régis Hanol
af01e62b14 FIX: wasn't allowed to set a user's title anymore 2017-09-26 20:13:24 +02:00
Régis Hanol
28c54b42c5 FIX: wasn't able to update user options anymore 2017-09-26 20:00:10 +02:00
Guo Xiang Tan
77d4c4d8dc Fix all the errors to get our tests green on Rails 5.1. 2017-09-25 13:48:58 +08:00
Régis Hanol
797936d2c5 FIX: don't leak whisper count in user card 2017-09-14 20:08:16 +02:00
Robin Ward
171d9e5aed SECURITY: Prevent users from updating to blacklisted email domains 2017-09-12 10:11:08 -04:00
Neil Lalonde
d7d9923b8e FIX: display email validation error messages 2017-09-11 13:22:14 -04:00
Sam
9f0f086b3e FEATURE: allow API to mark accounts as approved on creation 2017-08-28 15:36:46 -04:00
Arpit Jalan
6c997b65d9 optimize enqueuing activation email code 2017-07-31 22:57:39 +05:30
Arpit Jalan
2e2b5e28aa FIX: add slight delay when enqueuing activation email 2017-07-31 16:52:07 +05:30
Guo Xiang Tan
5012d46cbd Add rubocop to our build. (#5004) 2017-07-28 10:20:09 +09:00
Leo McArdle
d0b027d88d FEATURE: phase 1 of supporting multiple email addresses 2017-07-20 11:22:27 +09:00
Guo Xiang Tan
5994c85ea9 FIX: Raise the right error when email params is missing. 2017-06-12 17:48:32 +09:00
Robin Ward
54bb2a6bc2 FIX: Don't redirect to wizard when resetting password 2017-06-07 12:36:52 -04:00
Guo Xiang Tan
2cad739262 FIX: Better error message when username change fails.
https://meta.discourse.org/t/500-error-on-username-edit/64064
2017-06-07 10:45:53 +09:00
Robin Ward
b584264d82 FIX: Don't show "resend email" option when user approval is on 2017-05-25 15:29:05 -04:00
Robin Ward
57a2042ef6 FIX: Quiet server side errors for requesting json for account-created 2017-05-04 12:30:13 -04:00
Robin Ward
81190f5d66 FIX: Redirect away from account-created if you're logged in 2017-05-03 11:18:01 -04:00
Robin Ward
12fb20fe1b FEATURE: Allow users to resend/update email from confirmation page 2017-05-03 11:18:01 -04:00
Robin Ward
b381372184 Use Ember.js for the /u/account-created path so we can add controls 2017-05-03 11:18:01 -04:00
Neil Lalonde
0722ffadf1 Remove site settings enforce_global_nicknames and discourse_org_access_key 2017-05-01 14:53:16 -04:00
Arpit Jalan
ea26c56631 FIX: redirect to login page for anonymous user when profiles are hidden 2017-04-20 13:00:45 +05:30
Guo Xiang Tan
04016f0dec Support Ruby 2.4. 2017-04-15 12:29:00 +08:00
Guo Xiang Tan
57788200ec REFACTOR: Add User.reserved_username?. 2017-04-13 10:44:26 +08:00
Guo Xiang Tan
5943543ec3 FIX: Improve checks for non-human users. 2017-04-06 11:29:34 +08:00
Robin Ward
40ab2e5667 FEATURE: Let users update their emails before confirming
This allows users who entered a typo or invalid email address when
signing up an opportunity to fix it and resending the confirmation
email to that address.
2017-04-05 16:44:49 -04:00
Robin Ward
17f2974d0a SECURITY: Confirm new administrator accounts via email 2017-04-04 15:59:01 -04:00
Guo Xiang Tan
406d721f11 Fix NilClass error in UsersController. 2017-04-04 14:17:45 +08:00
Robin Ward
14410b71fb Convert server side paths to use /u/ 2017-03-30 10:23:24 -04:00
Arpit Jalan
7c3ae50dcd FIX: send activation email if user have unconfirmed email 2017-03-21 09:41:50 +05:30
Guo Xiang Tan
ca965bb455 FEATURE: Redirect to groups page after login/registration flow. 2017-03-16 09:48:51 +08:00
Sam
a690121805 SECURITY: always allow staff to resend activation mails 2017-03-13 10:32:24 -04:00
Sam
1a745ca16a else @user makes no sense :) 2017-03-13 10:22:23 -04:00
Guo Xiang Tan
9364d8ce71 FIX: Store user's id instead for sending activation email.
* Email and username are both allowed to be used for logging in.
  Therefore, it is easier to just store the user's id rather than
  to store the username and email in the session.
2017-03-13 20:24:55 +08:00
Guo Xiang Tan
7ebfa3c901 SECURITY: Only allow users to resend activation email with a valid session.
* Improve error when an active user tries to request for an activation email.
2017-03-13 19:35:29 +08:00
Neil Lalonde
d0fbb27f3e FEATURE: new invite acceptance page, where username can be chosen and password can be set 2017-02-15 16:51:57 -05:00
Sam Saffron
4332f0dde1 FEATURE: allow user search API to restrict to group 2017-02-09 18:45:39 -05:00
Sam
ff49f72ad9 FEATURE: per client user tokens
Revamped system for managing authentication tokens.

- Every user has 1 token per client (web browser)
- Tokens are rotated every 10 minutes

New system migrates the old tokens to "legacy" tokens,
so users still remain logged on.

Also introduces weekly job to expire old auth tokens.
2017-02-07 09:22:16 -05:00
Neil Lalonde
c4e10f2a9d FEATURE: redesign the change password page to use javascript and validations 2017-02-03 16:09:24 -05:00
Guo Xiang Tan
43671b1fda UX: Display group fullname in mention autocomplete. 2017-01-04 11:40:14 +08:00
Sam
e0ff57ca75 SECURITY: prevent reuse of password reset 2016-12-19 18:00:22 +11:00
Sam
c04d4171ff FIX: whisper no longer experimental
- Regular users are not notified of whispers
- Regular users no longer have "stuck" topics in unread
- Additional tracking for staff highest post number
- Remove a bunch of unused columns in topics table
2016-12-02 17:03:31 +11:00
Guo Xiang Tan
f824afb4d3 FEATURE: Allow date_of_field column to be updated. 2016-11-17 15:16:58 +08:00
cpradio
c3d4c949f1 Add comments to relevant sections denoting "create new topic" scenario is not supported for cannot-see-mention (per @coding-horror instruction) 2016-11-16 06:26:36 -05:00
cpradio
824c235760 FEATURE: Notify user when mention can't see the reply they were mentioned in
FIX: Group Mention Notifications
2016-11-14 22:03:16 -05:00
Robin Ward
c03d25f170 FEATURE: Configure Admin Account
Adds a "Step 0" to the wizard if the site has no admin accounts where
the user is prompted to finish setting up their admin account from the
list of acceptable email addresses.

Once confirmed, the wizard begins.
2016-10-19 11:27:56 -04:00
Robin Ward
f62d01ff1b FIX: Clear the session after a reset token was used 2016-09-30 12:20:23 -04:00
Guo Xiang Tan
4e663998af PERF: N+1 query on user summary page. 2016-09-23 12:44:08 +08:00
Sam
afaba56de3 FEATURE: missing API endpoint for topic tracking states 2016-08-12 17:10:35 +10:00
Robin Ward
429f27ec96 SECURITY: Avoid mass assignment on user create 2016-08-05 11:57:13 -04:00
Sam
4161ee210a FEATURE: improved tag and category watching and tracking
- present tags watched on the user prefs page
- automatically watch or unwatch old topics based on watch status

New watching and tracking logic takes care of handling old topics
(either with or without read state)

When you watch a topic you now watch historically

Also removes confusing warnings from user.
2016-07-08 12:58:30 +10:00
Sam
1411eedad3 FEATURE: offer to unwatch categories when unwatching category 2016-06-28 18:34:20 +10:00
Régis Hanol
5bfc9cf69e Allow API to create staged users 2016-06-23 12:27:05 +02:00
Arpit Jalan
f387dfe226 FIX: mixed case group mentions were not getting highligted in composer 2016-05-22 18:32:49 +05:30
Robin Ward
89e506551a
Add body class to account-created route 2016-05-05 14:37:09 -04:00
Sam
a130cb8305 FEATURE: move more urgent emails notifications to critical queue
Move signup, admin login and password change email notifications
to critical queue
2016-04-07 14:39:01 +10:00
Aryan Raj
c3507a3242 Fix: Added underscore to my_redirect regex 2016-03-20 13:00:56 +05:30
Robin Ward
5771d2aee2 SECURITY: Support for confirm old as well as new email accounts 2016-03-08 14:52:22 -05:00
Robin Ward
d62689fa76 Move updating a user's email to its own controller 2016-03-08 14:52:22 -05:00
Régis Hanol
1135d2094a Merge pull request #4006 from scossar/set-locale-from-header
Feature: (WIP) Set locale from Accept-Language header
2016-03-04 09:12:30 +01:00
Arpit Jalan
36f82aa68c FEATURE: enforce admin password validation when signing up via developer email 2016-03-04 00:28:47 +05:30
scossar
0a396583ed set locale for anonymous from header
set locale on signup

update spec

add locale option
2016-02-26 13:45:00 -08:00
Arpit Jalan
0064927077 FIX: do not allow new email to be duplicate
FIX: return proper error message when email already exists
2016-01-23 13:42:53 +05:30
Sam Saffron
7303f8f309 FEATURE: first pass at user summary page 2016-01-20 15:14:25 +11:00
Arpit Jalan
380764dc92 FIX: validate email when changing via user preferences page 2016-01-16 10:50:49 +05:30
Neil Lalonde
c7df6783a9 FIX: only invalidate password reset links using javascript 2016-01-04 11:48:54 -05:00
Sam
a8b5192efd FEATURE: User page refactor
Re-organise user page so it is easier to find interesting info
split it into tabs

- Introduce notifications and messages tabs
- Stop couting stuff for the user page to speed up rendering
- Suppress more information when viewing your own profile
2015-12-20 16:45:49 +11:00
Sam
7917316f6f FEATURE: display warning on top of composer for group mentions
If users attempt to mention a group that is "mentionable" display a warning
informing them that people will be notified.
2015-12-04 13:41:07 +11:00
Sam
9899e8d4a5 FEATURE: First class messages to groups, you can select a group as a target of a message 2015-12-02 15:49:43 +11:00
Sam
f6390c8ad6 correct bad merge 2015-11-30 17:12:51 +11:00
Sam
ad3dd161e7 FEATURE: first class group mentions built in
If you allow a group to be mentioned it can be mentioned with the @ symbol.

Keep in mind as a safety mechanism max_users_notified_per_group_mention is set to 100
2015-11-30 17:08:43 +11:00
Régis Hanol
16b3d26d7b allow staff members to view staged accounts user card/profile 2015-11-27 20:02:24 +01:00
Régis Hanol
76692235ae FIX: don't ever fetch staged accounts in unseen mentions 2015-11-27 18:16:50 +01:00
Régis Hanol
43614439e6 FEATURE: can take over a staged account 2015-11-13 19:07:28 +01:00
Régis Hanol
16f509afb9 FIX: enforce 'allow_uploaded_avatars' & 'sso_overrides_avatar' server-side 2015-11-12 10:26:45 +01:00
Régis Hanol
bb79e6aff7 FEATURE: new hide_user_profiles_from_public site setting 2015-10-28 19:56:08 +01:00
Robin Ward
46ca66771b FIX: Better error message for resending activation. Don't limit staff. 2015-10-27 16:25:30 -04:00
Robin Ward
a527c58c7d UX: Show a nicer "Log In" screen if the user follows /my/preferences 2015-10-14 13:39:31 -04:00
Robin Ward
d66a545dd2 FIX: /my/preferences should prompt users to log in 2015-10-14 12:40:13 -04:00
Régis Hanol
36309e50cc Merge pull request #3767 from tgxworld/track_user_profile_views
Track user profile views
2015-09-23 11:38:18 +02:00
Régis Hanol
07e7b07b63 FIX: refreshing gravatar wasn't working 2015-09-17 19:42:44 +02:00
Guo Xiang Tan
7acc93b2a0 FEATURE: Track user profile views. 2015-09-16 14:48:31 +08:00
Régis Hanol
18d7c1c75d fix the build - take 2 2015-09-11 15:47:48 +02:00
Régis Hanol
93f9dcfcec FIX: don't overwrite custom uploaded avatar when selecting gravatar
FIX: remove unecessary serialized fields
2015-09-11 15:10:56 +02:00
Sam
6437cd0341 FEATURE: add support for generic external avatar services
This changes it so we only ship an avatar template down to the client
it has no magic, all it knows is how to plug in size
2015-09-11 15:10:56 +02:00
Régis Hanol
2742602254 FEATURE: support for external letter avatars service 2015-09-11 02:12:40 +02:00
Robin Ward
32e2d7963a FEATURE: Show FAQ at top of the hamburger until the user reads it 2015-09-04 16:56:02 -04:00
Arpit Jalan
99edcddafb FEATURE: show pending/redeemed invite count in tabs 2015-08-25 01:12:46 +05:30
Arpit Jalan
91519fdfe7 FIX: do not persist error message 2015-08-24 00:29:58 +05:30
Kane York
2a897a8a6b SECURITY: Remove email validation check bypass
- Increase size of email column to varchar(513)
 - Give error message on signup when email is too large

Overall impact: Low, allows signups from blocked domains. Main risk is increased spam.
2015-07-13 15:36:17 -07:00
Arpit Jalan
e0c9054748 FEATURE: invite page tabs 2015-07-13 09:42:51 +05:30
Doug
5e615ef26e Fixed bug that caused substrings of reserved usernames to be treated as reserved. 2015-07-06 23:54:25 -07:00
Kane York
df988a20eb FEATURE: Reserved usernames
A list of usernames that will be blocked from being used to sign up.
2015-07-01 13:50:55 -07:00
Sam
b052179ae6 Merge pull request #3163 from rcfox/fix-by-external
Allow periods in the external_id value used in the /users/by-external route.
2015-06-24 13:07:12 +10:00
Sam Saffron
c58b495e15 SECURITY: Query @usernames in bulk
Otherwise you could add many requests at once while composing.
2015-06-11 13:03:49 -04:00
Sam Saffron
4409a3072d FEATURE: we need admin login always 2015-06-05 18:43:59 +10:00
Régis Hanol
cb025a65e0 FIX: make sure we also save the user_avatar.custom_upload_id 2015-05-29 10:21:41 +02:00
Régis Hanol
b7f8680618 fix build (:fired:) 2015-05-20 17:51:33 +02:00
Régis Hanol
8d967d9065 FEATURE: move all uploads to a single endpoint + defer upload creation in a background thread 2015-05-20 16:45:48 +02:00
Ryan Fox
14d2b76354 Merge branch 'master' into fix-by-external
Conflicts:
	app/controllers/users_controller.rb
2015-05-15 19:54:11 -04:00
Sam
8277a586bb usage of raise corrected 2015-05-07 11:00:51 +10:00
Sam
77cc087b13 FIX: proper error message when account created is hit with no session 2015-05-07 11:00:22 +10:00
Arpit Jalan
2932284293 FEATURE: magic login route for admin when SSO is enabled 2015-04-27 22:54:48 +05:30
Robin Ward
2459f52c71 Merge pull request #3375 from techAPJ/patch-2
FEATURE: invite existing users to private topic
2015-04-16 11:13:42 -04:00
Arpit Jalan
d491d4f997 FEATURE: invite existing users to private topic 2015-04-16 00:52:54 +05:30
Sam
2a3f71a9a1 SECURITY: log off all existing sessions when resetting password 2015-04-15 08:57:43 +10:00
Sam
f5d89169e2 FEATURE: initial implemenation of anonymous posting mode 2015-04-07 18:05:31 +10:00
Régis Hanol
1ec73b5ba0 FIX: use 'request.remote_ip' instead of 'request.ip' for better consistency 2015-04-02 16:24:27 +02:00
Robin Ward
e3eaa7fa75 FIX: In long topics, filtering button was not always showing in card 2015-03-24 12:33:50 -04:00
Robin Ward
6d38005a22 Allow staff to change uneditable user fields 2015-03-20 15:18:43 -04:00
Robin Ward
7ef306cd3b A bunch of tweaks to the Users directory
- Move user directory from `/directory` to `/users/`
- Defaults to 'weekly' time period
- Don't include deleted topics/posts in the results
- Move heart icon to header instead of on each row
- "Users" instead of "Users found"
2015-03-19 12:29:38 -04:00
Neil Lalonde
608647d02f FEATURE: Anonymize User. A way to remove a user but keep their topics and posts. 2015-03-10 11:59:08 -04:00
Sam
f5af4768eb FEATURE: add clean support for running Discourse in a subfolder
To setup set DISCOURSE_RELATIVE_URL_ROOT to the folder you wish
2015-03-09 13:14:29 +11:00
Sam
130dbf7358 PERF: don't run stats query in user card 2015-02-24 13:31:23 +11:00
Robin Ward
8186d86f38 FIX: Enforce max length for custom user fields 2015-02-23 13:02:30 -05:00
Sam
17927b2e8b FIX: don't use flash cause we are not redirecting
(we should probably change that though)
2015-02-20 10:28:58 +11:00
Sam
3a0cd0b760 make custom fields a bit more permissive input wise 2015-02-06 09:03:23 +11:00
Ryan Fox
1f0915bf83 Allow periods in the external_id value used in the /users/by-external route. 2015-02-02 12:55:32 -05:00
Sam
ea7af7a83b Merge pull request #3135 from longhotsummer/fix-no-user-params
FIX: creating a user shouldn't error when optional fields aren't given
2015-01-30 10:12:57 +11:00
Régis Hanol
cd2c9edb46 FIX: 🐛 upload on IE9 wasn't working :'(
- FIX: make sure we set a default name to a pasted image only on Chrome (the only browser that supports it)
- FIX: use ".json" extension to uploads endpoints since IE9 doesn't pass the correct header
- FIX: pass the CSRF token in a query parameter since IE9 doesn't pass it in the headers
- FIX: display error messages comming from the server when there is one over the default error message
- FIX: HACK around IE9 security issue when clicking a file input via JavaScript (use a label and set `visibility:hidden` on the input)
- FIX: hide the "cancel" upload on IE9 since it's not supported
- FIX: return "text/plain" content-type when uploading a file for IE9 in order to prevent it from displaying the save dialog
- FIX: check the maximum file size on the server 💥
- update jQuery File Upload Plugin to v. 5.42.2
- update JQuery IFram Transport Plugin to v. 1.8.5
- update jQuery UI Widget to v. 1.11.1
2015-01-28 19:43:20 +01:00
Greg Kempe
d99ccf6d27 FIX: creating a user shouldn't error when optional fields aren't provided
This fixes a bug where the server would 500 if the only user fields
where optional ones, and the create_user call didn't provide any
values so that params[:user_fields] was nil.

Additionally, don't bother double-checked for required fields, since we
iterate over all fields and will catch any that are required and blank.
2015-01-27 11:48:27 +02:00
riking
1ab0d6bd82 FEATURE: Log username changes by staff
Also fix the tests for changing username
2015-01-17 02:26:12 -08:00
Robin Ward
987504c6ab Rename no_js layout to no_ember
While *sometimes* `no_js` was used for visitors without js (for example
disabling it on your browser) it was also used for some pages that were
disabled to JS capable browsers, including the 404 page.

Even worse, sometimes it was used on pages that *had* Javascript, such
as our `/activate-account` route. It has been renamed to `no_ember` to
indicate what it really is, a layout for the site that doesn't load our
Ember.js application.
2015-01-15 15:56:53 -05:00
Régis Hanol
e20078a9dc PERF: fix performance issue when displaying the user card for admins 2015-01-05 19:49:32 +01:00
Blake Erickson
02ade72ceb Update username should return a json response
- Have update username return json response that contains the updated
  username and id. I figured this would be better than just return "OK".
- Add test to verify that the new username is returned.
2014-12-10 09:43:16 -07:00
Blake Erickson
e9e88c9b82 Remove legacy avatar code
- Remove method that was only left around because the
  [api](https://github.com/discourse/discourse_api/pull/53) called it
- Modify test to use new route instead of legacy route

https://meta.discourse.org/t/legacy-route-for-avatars/22838/2
2014-12-07 06:13:14 -07:00
Blake Erickson
a61519eebf Have pick_avatar return json.
I'm working on writing a test in the discourse_api gem for uploading
avatars and the pick method needs to return a json response.

I also added a test to make sure json is returned.
2014-12-06 09:26:32 -07:00
Régis Hanol
07211489f0 FIX: hide restricted profile info from TL0 users to anonymous in 'JS-off' page 2014-11-27 19:51:13 +01:00
Régis Hanol
7641d88224 FEATURE: new 'maximum new user accounts per registration IP' site setting 2014-11-17 12:04:29 +01:00
Robin Ward
c9eb809dad FIX: The text to users who signed up when approval was required was
misleading.
2014-11-04 15:48:03 -05:00
Régis Hanol
865194f409 FIX: cannot show email for pending/inactive users 2014-10-29 01:07:27 +01:00
Robin Ward
71f211f0b3 FEATURE: Allow users to select a badge with an image to appear on their
user card
2014-10-20 16:35:38 -04:00
Robin Ward
1cf4a0d604 Rename "User Expansion" to the much clearer "User Card" 2014-10-20 12:11:59 -04:00
Régis Hanol
10094a0bcd FIX: resolve flags as good when deleting a spam user 2014-10-20 16:59:06 +02:00
Robin Ward
4d465362b5 FEATURE: Allow a user to upload an image for their expansion background. 2014-10-16 15:05:36 -04:00
Robin Ward
f9a8f6d6ce FEATURE: Support for a required setting on user fields. 2014-10-08 15:10:19 -04:00
Sam
0e7be81e60 FIX: badge granted titles were not being revoked when badge was revoked 2014-10-08 10:26:18 +11:00
Robin Ward
381814fd5d Adds support for a description to user fields. 2014-10-02 15:56:52 -04:00
Arpit Jalan
41af2d79b5 add user email on account created page 2014-10-02 12:43:44 +05:30
Robin Ward
be93f224a6 Revert "add user email on account created page"
This reverts commit 164fc1108a.
2014-10-01 10:30:26 -04:00
Arpit Jalan
164fc1108a add user email on account created page 2014-10-01 13:53:50 +05:30
Robin Ward
edb34c178a FEATURE: Show user fields when the user is signing up 2014-09-30 10:45:18 -04:00
Régis Hanol
7e309a21cf FEATURE: hide emails behind a button for staff members 2014-09-29 22:31:05 +02:00
Sam
a901d682fe raise not found if user is not found 2014-09-25 17:45:45 +10:00
Sam
8f8ea735ee FIX: allow retry activation of account by username or password 2014-09-25 17:42:48 +10:00
Arpit Jalan
b3838c2c1c Trigger browser password manager after sigining up 2014-09-24 01:04:36 +05:30
Sam
7a4082cbad FIX: allow API to create users when invite_only is true 2014-09-23 09:06:19 +10:00
Neil Lalonde
c4e285f3ec SECURITY: rate limit change email requests 2014-09-18 10:48:56 -04:00
riking
2c6d03f87f SECURITY: Limit passwords to 200 characters
Prevents layer 8 attack.
2014-09-12 12:07:11 -04:00
Robin Ward
56eda5abf9 FIX: Don't allow profile bios longer than 3k chars 2014-09-08 15:23:21 -04:00
Robin Ward
c9262a8390 FIX: Resend activation email was busted 2014-08-28 12:07:13 -04:00
Robin Ward
ed125975a1 SECURITY: Prefix session key and validate token format. 2014-08-25 15:31:49 -04:00
Arpit Jalan
4cd8abc905 FEATURE: dynamically load invites 2014-08-05 22:20:23 +05:30
Neil Lalonde
939e8505a9 Remove hub username integration 2014-07-16 12:25:24 -04:00
Neil Lalonde
01a68f8cc7 Emails are case insensitive 2014-07-16 10:22:01 -04:00
Robin Ward
4f416bf6ce Check honeypot/challenge value on activation too 2014-07-15 14:07:35 -04:00
riking
915f60b0fc Don't redirect to login when activating account... 2014-07-15 10:50:28 -07:00
Neil Lalonde
766196af87 FEATURE: add site setting allow_new_registrations which can be used to block all new account registrations 2014-07-14 15:42:22 -04:00
Robin Ward
cce7cf8c85 FEATURE: Require Javascript to activate an account via email link 2014-07-14 12:26:10 -04:00
Sam
4a2cc269ab FIX: allow selection of no title 2014-07-14 18:07:07 +10:00
Sam
833c50c460 FEATURE: Read Faq badge 2014-07-11 17:32:29 +10:00
Sam
9a9ad9bda8 FEATURE: Badge progress
- Refactor model so it stores backfill query
- Implement autobiographer
- Remove sample badge
- Correct featured badges to only include a badge once
2014-07-03 17:29:44 +10:00
Sam
5a0aed2bfa FIX: regression, forgot password broken
also... mocks were invented by the devil
2014-07-02 13:06:55 +10:00
Robin Ward
9000c358d1 REFACTOR: Use common path for RESTful DELETE action from upload image
component
2014-06-30 14:13:59 -04:00
Robin Ward
4088fba4f2 REFACTOR: Convert profile background uploader to be an ember component 2014-06-30 14:13:59 -04:00
Andrew Bezzub
386d1e231a move profile_background from User to UserProfile 2014-06-26 12:30:07 -04:00
riking
6e698315d6 Allow all /my URLs
Previously, URLs like /my/activity/posts were denied. This change allows those URLs.
2014-06-14 10:58:20 -07:00