Commit Graph

36884 Commits

Author SHA1 Message Date
David Taylor
4e178d5c0d
SECURITY: Respect topic permissions when loading draft metadata
Co-authored-by: Sam Saffron <sam.saffron@gmail.com>
2020-03-23 11:54:36 +00:00
David Taylor
0e3dfd2925
DEV: Load plugin stylesheets before theme stylesheets (#9240)
This is a more logical order, since themes are more lightweight than plugins, and are often used to augment plugin styles
2020-03-19 19:24:06 +00:00
Martin Brennan
4eb4293e66 FIX: Ensure show_short URLs handle secure uploads using multisite (#9212)
Meta report: https://meta.discourse.org/t/short-url-secure-uploads-s3/144224
* if the show_short route is hit for an upload that is
  secure, we redirect to the secure presigned URL. however
  this was not taking into account multisite so the db name
  was left off the path which broke the presigned URL
* we now use the correct url_for method if we know the
  upload (like in the show_short case) which takes into
  account multisite
2020-03-17 11:41:51 +10:00
Joffrey JAFFEUX
c4cd864c26 FIX: throttles topic tracking shortcut and enforces topic id (#9159) 2020-03-13 12:03:55 +01:00
Joffrey JAFFEUX
b4b0443d63 FIX: ensures pinned-options header is showing correct state (#9156) 2020-03-12 07:41:17 +01:00
Robin Ward
f8c31eb1e0 Let's not log the username/password
This could easily be seen by someone who shouldn't.
2020-03-11 12:54:19 -04:00
Sam Saffron
c738d31809
FIX: last ip address could point at wrong ip
Due to unicorn env object recycling request.ip could point at the wrong
ip address by the time defer block is called. This usually would happen
under load.

This also avoids keeping the entire request object as referenced by the
closure.
2020-03-11 17:43:44 +11:00
Neil Lalonde
ea73880146
Version bump to v2.4.1 2020-03-05 12:28:17 -05:00
Gerhard Schlager
766665a287
FIX: Restoring with disable_emails: false didn't work anymore 2020-03-05 11:47:35 -05:00
Martin Brennan
f0072dd897
FIX: Stop infinite lookup-urls issue for video/audio on page (#9096)
Meta report: https://meta.discourse.org/t/excessive-requests-to-uploads-lookup-urls-leading-to-429-response/143119

* The data-orig-src attribute was not being removed from cooked
video and audio so the composer was infinitely trying to get the
URLs for them, which would never resolve to anything
* Also the code that retrieved the short URL was unscoped, and was
getting everything on the page. if running from the composer we
now scope to the preview window
* Also fixed a minor issue where the element href for the video
and audio tags was not being set when the short URL was found
2020-03-05 11:47:14 -05:00
Joffrey JAFFEUX
d5ab4776cd
FIX: prevents click on sk header to bubble (#9084) 2020-03-05 11:46:55 -05:00
Gerhard Schlager
55a49d8494
FIX: Google Groups scraper failed to login 2020-03-05 11:46:36 -05:00
Sam Saffron
980d2ed052
PERF: improve performance of category topic list
In some cases CTE caused pathologically bad query plans.
This optimises it so query runs by itself and caches for lifetime
of the topic query object.

This lightweight caching is done cause topic query will often
execute two queries (one for pinned and one for non pinned)
2020-03-05 11:46:20 -05:00
Dan Ungureanu
5f88b86ac9
FIX: Sync preload key format for category topic lists
The server and client used two different formats for preload keys. The
server was using 'topic_list_c/SLUG/l/latest', but the client was using
'topic_list_c/SLUG/ID/l/latest'.

This commit is an addition to 374534f00e.
2020-03-05 11:46:02 -05:00
Dan Ungureanu
4bb966aae6
DEV: Fix build
Follow up to 60184a290c.
2020-03-05 11:45:45 -05:00
Joffrey JAFFEUX
2cc533e26e
FIX: prevents loading to show during debouncing (#9060)
This will also fix a bug in IE11 where click event would not be triggered on row
2020-03-05 11:45:19 -05:00
Joffrey JAFFEUX
751708ba0c
FIX: prevents row click event to be caught by filter input event (#9059)
This was causing some dropdowns to not work under IE11
2020-03-05 11:44:54 -05:00
David Taylor
b8e4b5f884
FIX: Polyfill Promise for IE11 (#9057)
Co-authored-by: Joffrey JAFFEUX <j.jaffeux@gmail.com>
2020-03-05 11:44:33 -05:00
Robin Ward
c7634d56f6 SECURITY: Add more restrictions on invite emails
They could be filtered and returned in some circumstances where they
shouldn't have been.
2020-03-05 09:55:54 -05:00
Robin Ward
20a8a2f396 SECURITY: Ensure the invite JSON API matches the UX
Anonymous users could query the invite json and see counts and
summaries which is not allowed in the UX of Discourse.

This commit has those endpoints return a 403 unless the user is
allowed to invite.
2020-03-05 09:55:45 -05:00
Joffrey JAFFEUX
2246fe8015 FIX: allows to select the action when agreeing with penalty (#9099)
Note this commit also fixes an issue where the edit post actions was trying to focus the edit textarea, but was using jquery functions on a DOM node.

scrollTo is not available on IE11 but that shouldn't cause much trouble.
2020-03-04 10:32:20 -05:00
Mark VanLandingham
737e8bdb2c FIX: Prettier on iframed-html component (#9062) 2020-02-27 11:57:18 -06:00
Mark VanLandingham
df70b9118e Merge pull request from GHSA-vw39-6w7q-gfx5
Co-authored-by: Robin Ward <robin.ward@gmail.com>
2020-02-27 11:57:10 -06:00
Neil Lalonde
76b9be3f19 Version bump to v2.4.0 2020-02-26 16:46:06 -05:00
Neil Lalonde
254d410d4e Merge branch 'master' into stable 2020-02-25 17:32:08 -05:00
Robin Ward
603c56f71c FIX: Lefthook was not excluding enough JS 2020-02-25 17:28:53 -05:00
Neil Lalonde
4d611dcaed Merge diffs from master 2020-02-25 17:23:37 -05:00
Neil Lalonde
52c10848bc Merge master 2020-02-25 17:21:37 -05:00
Joffrey JAFFEUX
baba1cc02e
FIX: ensures destroying a user with security keys doesn't fail (#9042) 2020-02-25 14:07:57 -05:00
David Taylor
96ac4fc072
FIX: Include .json suffix for email login route (#9041)
In IE11, the browser returns the cached HTML response, rather than the JSON formatted response. Adding the `.json` suffix ensures that the cache is not shared. Same root cause as b0211772
2020-02-25 18:01:33 +00:00
Neil Lalonde
b0675075f7 Update translations 2020-02-25 10:29:14 -05:00
Dan Ungureanu
514c22e64b
FIX: Make reviewable claiming work with deleted topics (#9040)
This fixes the case when the reviewed topic is deleted (for example, in
discourse-akismet).
2020-02-25 15:49:23 +02:00
Dan Ungureanu
5905930c32
FIX: Sync Ember and non-Ember layouts (#9028) 2020-02-25 15:31:04 +02:00
spirobel
41ee7cad0e
FIX plugin generator: mobile, desktop stylesheets registering (#9039)
After adding styles in the mobile scss they will also be applied to desktop without this change.

https://meta.discourse.org/t/registering-assets-for-mobile-and-desktop-making-site-responsive/65041/2
2020-02-25 11:43:17 +01:00
Joffrey JAFFEUX
a5c7f0c98d
UX: hides emoji picker from edit category tab topic template (#9036) 2020-02-25 00:49:41 +01:00
Joffrey JAFFEUX
e303b4d181
UX: hides local-date picker when used outside of main composer 2020-02-25 00:17:43 +01:00
Joffrey JAFFEUX
bd49368942
FIX: ensures topic count is correctly showing in box category badges (#9034) 2020-02-24 23:41:36 +01:00
Penar Musaraj
d6a603cc50
FIX: Translate none-tag and all-tags labels in tag filter (#9030)
* FIX: Translate none-tag and all-tags labels in tag filter
* Add test
2020-02-25 07:57:24 +11:00
dependabot-preview[bot]
709772ea52
Build(deps): Bump bootsnap from 1.4.5 to 1.4.6 (#9032)
Bumps [bootsnap](https://github.com/Shopify/bootsnap) from 1.4.5 to 1.4.6.
- [Release notes](https://github.com/Shopify/bootsnap/releases)
- [Changelog](https://github.com/Shopify/bootsnap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/Shopify/bootsnap/compare/v1.4.5...v1.4.6)

Simple low risk dependency, only used in dev
2020-02-25 07:54:24 +11:00
Justin DiRose
f35ee5e887
DEV: Improvements to SMF2 script (#9006) 2020-02-24 12:51:45 -06:00
dependabot-preview[bot]
fee7a4be8a
Build(deps-dev): Bump simplecov from 0.18.2 to 0.18.3 (#9025)
Bumps [simplecov](https://github.com/colszowka/simplecov) from 0.18.2 to 0.18.3.
- [Release notes](https://github.com/colszowka/simplecov/releases)
- [Changelog](https://github.com/colszowka/simplecov/blob/master/CHANGELOG.md)
- [Commits](https://github.com/colszowka/simplecov/compare/v0.18.2...v0.18.3)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
2020-02-24 13:32:38 -05:00
dependabot-preview[bot]
dedd37503e
Build(deps): Bump simplecov-html from 0.12.0 to 0.12.1 (#9024)
Bumps [simplecov-html](https://github.com/colszowka/simplecov-html) from 0.12.0 to 0.12.1.
- [Release notes](https://github.com/colszowka/simplecov-html/releases)
- [Changelog](https://github.com/colszowka/simplecov-html/blob/master/CHANGELOG.md)
- [Commits](https://github.com/colszowka/simplecov-html/compare/v0.12.0...v0.12.1)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
2020-02-24 13:31:52 -05:00
Joffrey JAFFEUX
f336aeee6f
FIX: ensures scoped search category is searching in all categories (#9031) 2020-02-24 19:19:53 +01:00
Kris
832a0e410a UX: Restrict icon height in btn-small to prevent height inconsistency 2020-02-24 13:18:46 -05:00
Joffrey JAFFEUX
0ea11a9d49
FIX: ensures we don't attempt to create a new PM on an existing topic (#9029)
This fix attempts to both fix it at UI level and server side. A previous attempt related to this behavior has been made in commit: 49c750ca78
2020-02-24 08:55:12 -06:00
dependabot-preview[bot]
31f3ed8d36
Build(deps-dev): Bump ruby-prof from 1.2.0 to 1.3.0 (#9023)
Bumps [ruby-prof](https://github.com/ruby-prof/ruby-prof) from 1.2.0 to 1.3.0.
- [Release notes](https://github.com/ruby-prof/ruby-prof/releases)
- [Changelog](https://github.com/ruby-prof/ruby-prof/blob/master/CHANGES)
- [Commits](https://github.com/ruby-prof/ruby-prof/compare/1.2.0...1.3.0)

Minor change only impacts development
2020-02-24 13:13:09 +11:00
Sam Saffron
372f6f4f22
FEATURE: limit number of notifications per user to 10,000
Introduces a new site setting `max_notifications_per_user`.

Out-of-the-box this is set to 10,000. If a user exceeds this number of
notifications, we will delete the oldest notifications keeping only 10,000.

To disable this safeguard set the setting to 0.

Enforcement happens weekly.

This is in place to protect the system from pathological states where a
single user has enormous amounts of notifications causing various queries
to time out. In practice nobody looks back more than a few hundred notifications.
2020-02-24 11:42:50 +11:00
Sam Saffron
f93de763b7
DOC: improve documentation of image limit site settings
max_image_megapixels is a hard limit

max_image_size_kb is a soft limit and images are resized to fit
2020-02-24 09:32:07 +11:00
Kris
e5bc649057 modal footer button height fix 2020-02-21 20:13:23 -05:00
Neil Lalonde
f73ed45de9 FIX: blank popular posts in summary emails due to lightbox images
When looking for the first paragraph with content in a post,
it was matching the lightboxed image paragraph as "<p></p>".
Fix that and other potential empty paragraphs with the
p:not(:empty) selector.
Add a new selector to find the image links in lightboxed
images as valid content for emails.
2020-02-21 16:18:38 -05:00