Gerhard Schlager
5b91182985
DEV: Respond with error 400 to uploads requested via XHR
...
follow-up to 13f38055
2019-06-27 11:30:05 +02:00
Gerhard Schlager
9c8aa0a906
SECURITY: XSS in routes
...
Co-authored-by: Guo Xiang Tan <tgx_world@hotmail.com>
Co-authored-by: David Taylor <david@taylorhq.com>
2019-06-26 16:45:33 +02:00
Neil Lalonde
04be572a92
Merge diffs from master
2019-06-17 20:07:19 -04:00
Neil Lalonde
a4308fdd43
Merge master
2019-06-17 20:04:04 -04:00
David Taylor
40cbcc7720
SECURITY: Add confirmation screen when logging in via email link
2019-06-17 18:20:48 +01:00
David Taylor
e6e47f2fb2
SECURITY: Add confirmation screen when logging in via user-api OTP
2019-06-17 16:18:44 +01:00
David Taylor
52387be4a4
SECURITY: Add confirmation screen when logging in via email link
2019-06-17 16:18:37 +01:00
David Taylor
5f6f707080
Revert "Merge pull request from GHSA-hv9p-jfm4-gpr9"
...
This reverts commit b8340c6c8e
.
2019-06-17 16:17:10 +01:00
David Taylor
b8340c6c8e
Merge pull request from GHSA-hv9p-jfm4-gpr9
...
* SECURITY: Add confirmation screen when logging in via email link
* SECURITY: Add confirmation screen when logging in via user-api OTP
* FIX: Correct translation key in session controller specs
* FIX: Use .email-login class for page
2019-06-17 15:59:41 +01:00
Arpit Jalan
863d8014d0
FIX: respond with 400 error on invalid redirect param
2019-06-17 16:44:30 +05:30
Sam Saffron
704c579550
FIX: do not allow unbound membership lookups
...
Previously we would allow looking up membership limits in an unbound way
via the API, this introduces an upper limit of 1000 per page.
2019-06-17 15:32:06 +10:00
Arpit Jalan
36e53db300
Fix the build.
2019-06-12 16:44:17 +05:30
Arpit Jalan
7b66f8fb46
DEV: optimize bulk invite process
2019-06-12 16:33:19 +05:30
Arpit Jalan
e2636f0ec7
FIX: handle array in redirect param
2019-06-11 17:49:09 +05:30
Dan Ungureanu
a046f6ced5
FEATURE: Trigger Discourse events from authenticators. ( #7724 )
2019-06-11 11:28:42 +10:00
Gerhard Schlager
bae7b75e23
FIX: Updating a user profile as admin shouldn't change the user's locale
2019-06-07 17:53:46 +02:00
Sam Saffron
cbd4d06da0
PERF: only check for totp record on current user at when needed
...
Previously the check was done a bit too early causing one extra query
per page unconditionally for logged on users
2019-06-07 16:25:04 +10:00
Penar Musaraj
f00275ded3
FEATURE: Support private attachments when using S3 storage ( #7677 )
...
* Support private uploads in S3
* Use localStore for local avatars
* Add job to update private upload ACL on S3
* Test multisite paths
* update ACL for private uploads in migrate_to_s3 task
2019-06-06 13:27:24 +10:00
Bianca Nenciu
e0c821ebb0
FEATURE: Make staff action logs page support infinite loading
2019-06-06 13:02:53 +10:00
Saurabh Patel
b510006ca8
FEATURE: show tags in crawler view of tags page for static site
...
Previously tags page would have an empty page in crawler view
2019-06-06 12:55:37 +10:00
Roman Rizzi
c3a38d2304
DEV: Make groups/new extensible by plugins ( #7642 )
...
* Expose a new plugin outlet. Pass group model to the group-member-dropdown so it can be accessed by plugins
* Added controller tests for group custom fields. update custom fields when updating a group
2019-06-06 12:05:33 +10:00
Robin Ward
d902c4eb9f
FEATURE: Can sort reviewable queue
...
Choices are Priority / Created At (and desc versions.)
2019-06-05 13:21:05 -04:00
Joffrey JAFFEUX
ce79a71c5d
typo s/faivcon/favicon ( #7697 )
2019-06-05 09:46:07 +02:00
Sam Saffron
b9df7a2257
FIX: if favicon is missing due to bad url we would return a 500 on favicons
...
This ensures that the error logging does not corrupt the cache
2019-06-05 16:43:40 +10:00
Arpit Jalan
e7fe7010b8
FIX: use hijack for processing bulk invites ( #7679 )
...
FIX: do not store bulk invite CSV file on server
2019-06-04 20:19:46 +05:30
Régis Hanol
33bc8c276d
FIX: default top timeframe was overriding best_periods_for
2019-06-04 10:57:50 +02:00
Régis Hanol
d7ff640778
fix the build
2019-06-03 20:42:46 +02:00
Maja Komel
42809f4d69
FIX: use crawler layout when saving url in Wayback Machine ( #7667 )
2019-06-03 12:13:32 +10:00
Sam Saffron
e302c0af8b
DEV: by default disable anon impersonation in dev environments
...
The impersonate any user by anonymous feature in dev should require a
deliberate opt-in. This way developers are better aware of the security
implications of this development only feature.
2019-06-03 10:02:27 +10:00
Robin Ward
2e0a40007b
FIX: Category topics should not be deletable via review queue
2019-05-30 16:43:23 -04:00
romanrizzi
e7ee556e87
Support multi-group user search
2019-05-30 08:45:20 +08:00
Guo Xiang Tan
a3938f98f8
Revert changes to FileStore::S3Store#path_for
in f0620e7118
.
...
There are some places in the code base that assumes the method should
return nil.
2019-05-29 18:39:07 +08:00
Guo Xiang Tan
f0620e7118
FEATURE: Support [description|attachment](upload://<short-sha>)
in MD take 2.
...
Previous attempt was missing `post_uploads` records.
2019-05-29 09:26:32 +08:00
Penar Musaraj
7c9fb95c15
Temporarily revert "FEATURE: Support [description|attachment](upload://<short-sha>)
in MD. ( #7603 )"
...
This reverts commit b1d3c678ca
.
We need to make sure post_upload records are correctly stored.
2019-05-28 16:37:01 -04:00
Guo Xiang Tan
b1d3c678ca
FEATURE: Support [description|attachment](upload://<short-sha>)
in MD. ( #7603 )
2019-05-28 11:18:21 -04:00
Bianca Nenciu
07b80d491b
FIX: Refresh automatic groups after inviting moderators.
2019-05-28 17:19:34 +08:00
Sam Saffron
7429700389
FIX: ensure we can download maxmind without redis or db config
...
This also corrects FileHelper.download so it supports "follow_redirect"
correctly (it used to always follow 1 redirect) and adds a `validate_url`
param that will bypass all uri validation if set to false (default is true)
2019-05-28 10:28:57 +10:00
Robin Ward
d26c4509ea
FIX: Adding a user to a group twice under concurrency
...
This prevents an error from being raised / logged.
2019-05-27 15:42:40 -04:00
Penar Musaraj
dfcc2e7ad8
Revert "FEATURE: Send notification when member was accepted to group. ( #7503 )"
...
This reverts commit 42c82d544e
.
2019-05-27 15:19:59 -04:00
Robin Ward
d95a68b837
FEATURE: When suspending a user, allow the Delete + Replies action
...
Previously you could only delete the post
2019-05-27 12:27:16 -04:00
Bianca Nenciu
42c82d544e
FEATURE: Send notification when member was accepted to group. ( #7503 )
2019-05-27 17:28:41 +03:00
Gerhard Schlager
f4a471f0eb
FIX: Correctly cache hash of extra translations
2019-05-24 11:38:26 +02:00
Gerhard Schlager
c1e9a70d59
FIX: Fallback locale was not available for extra translations
...
Translations from fallback locales were not sent to the client
for admin_js and wizard_js.
2019-05-24 11:38:26 +02:00
Robin Ward
e74cd54fc6
REFACTOR: Replace score bonuses with low/med/high priorities
...
We removed score from the UX so it makes more sense to have sites set
priorities instead of score bonuses.
2019-05-23 11:54:45 -04:00
Gerhard Schlager
b788948985
FEATURE: English locale with international date formats
...
Makes en_US the new default locale
2019-05-20 13:47:20 +02:00
Guo Xiang Tan
148bfc9be5
DEV: Simplify client and server side code to support removing tags.
...
Follow up to 834c86678f
.
2019-05-17 16:39:20 +08:00
Guo Xiang Tan
834c86678f
FIX: Missing post revision when editing the first post.
2019-05-17 12:54:27 +08:00
Guo Xiang Tan
e2444e0d31
DEV: Fix another frozen string error.
2019-05-17 10:07:37 +08:00
Guo Xiang Tan
227bedebf7
DEV: Fix modifying a frozen string.
2019-05-16 11:30:31 +08:00
David Taylor
1299c94a52
FIX: Make serverside and clientside omniauth origin redirects consistent
...
Previously external domains were allowed in the client-side redirects, but not the server-side redirects. Now the behavior is to only allow local origins.
2019-05-15 12:40:51 +01:00