Commit Graph

2210 Commits

Author SHA1 Message Date
Mark VanLandingham
a0f4c7fe88
FIX: remove racing requests for admin users (#15936) 2022-03-16 08:47:48 -05:00
Bianca Nenciu
4fe99e39c3
FEATURE: Add new site setting list type with name and values (#16045)
These changes include a bug fix because allow_any attribute of site
settings was completely ignored before.
2022-03-08 13:18:43 +02:00
Bianca Nenciu
953d36b788
FIX: Allow none category if default is none (#15995)
Even if the site setting's default value is none by default, it did not
allow admins to select it again after it was changed.
2022-02-21 18:15:55 +02:00
Osama Sayegh
dd6ec65061
FEATURE: Centralized 2FA page (#15377)
2FA support in Discourse was added and grown gradually over the years: we first
added support for TOTP for logins, then we implemented backup codes, and last
but not least, security keys. 2FA usage was initially limited to logging in,
but it has been expanded and we now require 2FA for risky actions such as
adding a new admin to the site.

As a result of this gradual growth of the 2FA system, technical debt has
accumulated to the point where it has become difficult to require 2FA for more
actions. We now have 5 different 2FA UI implementations and each one has to
support all 3 2FA methods (TOTP, backup codes, and security keys) which makes
it difficult to maintain a consistent UX for these different implementations.
Moreover, there is a lot of repeated logic in the server-side code behind these
5 UI implementations which hinders maintainability even more.

This commit is the first step towards repaying the technical debt: it builds a
system that centralizes as much as possible of the 2FA server-side logic and
UI. The 2 main components of this system are:

1. A dedicated page for 2FA with support for all 3 methods.
2. A reusable server-side class that centralizes the 2FA logic (the
`SecondFactor::AuthManager` class).

From a top-level view, the 2FA flow in this new system looks like this:

1. User initiates an action that requires 2FA;

2. Server is aware that 2FA is required for this action, so it redirects the
user to the 2FA page if the user has a 2FA method, otherwise the action is
performed.

3. User submits the 2FA form on the page;

4. Server validates the 2FA and if it's successful, the action is performed and
the user is redirected to the previous page.

A more technically-detailed explanation/documentation of the new system is
available as a comment at the top of the `lib/second_factor/auth_manager.rb`
file. Please note that the details are not set in stone and will likely change
in the future, so please don't use the system in your plugins yet.

Since this is a new system that needs to be tested, we've decided to migrate
only the 2FA for adding a new admin to the new system at this time (in this
commit). Our plan is to gradually migrate the remaining 2FA implementations to
the new system.

For screenshots of the 2FA page, see PR #15377 on GitHub.
2022-02-17 12:12:59 +03:00
David Taylor
a01b1dd648
PERF: Update ember-auto-import and webpack (#15919)
This makes a small improvement to 'cold cache' ember-cli build times, and a large improvement to 'warm cache' build times

The ember-auto-import update means that vendor is now split into multiple files for efficiency. These are named `chunk.*`, and should be included immediately after the `vendor.js` file. This commit also updates the rails app to render script tags for these chunks.

This change was previously merged, and caused memory-related errors on RAM-constrained machines. This was because Webpack 5 switches from multiple worker processes to a single multi-threaded process. This meant that it was hitting node's default heap size limit (~500mb on a 1GB RAM server). Discourse's standard install procedure recommends adding 2GB swap to 1GB-RAM machines, so we can afford to override's Node's default via the `--max-old-space-size` flag.
2022-02-14 11:21:39 +00:00
Vinoth Kannan
1f30bacb65
FIX: use prev_period data if prev30Days value is not available. (#15867)
Previously, reports of likes and flags doesn't include the 30 days trend icon and title.
2022-02-09 22:09:33 +05:30
Martin Brennan
c1ad9c3276
DEV: Make clipboardCopy util available for import (#15874)
We need this in other places, this commit moves clipboardCopy
to the utilities.js lib. Had to remove use of Promise as well because
lib/utilities cannot import it, otherwise it will cause a mini racer error.
2022-02-09 16:11:41 +10:00
David Taylor
4cceb55621
Revert "PERF: Update ember-auto-import (#15814)" (#15854)
This reverts commit f4c6a61855 and a8325c9016

This update of ember-auto-import and webpack causes significantly higher memory use during rebuilds. This made ember-cli totally unusable on 1GB RAM / 2GB swap environments. We don't have a specific need for this upgrade right now, so reverting for now.
2022-02-07 22:41:07 +00:00
David Taylor
f4c6a61855
PERF: Update ember-auto-import (#15814)
This makes a small improvement to 'cold cache' ember-cli build times, and a large improvement to 'warm cache' build times

The ember-auto-import update means that vendor is now split into multiple files for efficiency. These are named `chunk.*`, and should be included immediately after the `vendor.js` file. This commit also updates the rails app to render script tags for these chunks
2022-02-04 11:00:51 +00:00
Keegan George
1485dab12e
FEATURE: Ability to re-order value lists (#15775)
Adds up and down buttons next to the inputs of value lists when there is more than 1 item present. This helps to re-order the items in the value lists if necessary.
2022-02-03 22:47:02 +01:00
David Taylor
c985f82174
Revert "PERF: Update ember-auto-import (#15695)" (#15805)
This reverts commit 76022132f7. This update introduced 'chunking' of vendored dependencies, which we don't support in the rails app.
2022-02-03 16:54:48 +00:00
David Taylor
76022132f7
PERF: Update ember-auto-import (#15695)
This makes a small improvement to 'cold cache' ember-cli build times, and a large improvement to 'warm cache' build times
2022-02-03 10:01:59 +00:00
Penar Musaraj
7d5d2bf13e
A11Y: Use autocomplete=off more widely (#15780) 2022-02-03 16:16:49 +11:00
Natalie Tay
23a8341b28
FEATURE: Validate domain settings for blocked_onebox_domain only (#15754)
We want to prevent the user from adding ? or * minimally
when setting domains in sitesettings
2022-02-03 11:26:53 +08:00
Jarek Radosz
7806857841
UX: Highlight "Users" link when on adminUser path (#15739) 2022-02-01 21:32:48 +01:00
Rafael dos Santos Silva
3f694e4ab5
FEATURE: Use native color-picker (#15748) 2022-02-01 11:18:13 -03:00
Martin Brennan
35343e7f91
FIX: Improve emoji upload UI (#15603)
This commit adds a hover effect for drag and drop in
the admin emoji uploader. It also changes the "Add New
Emoji" button to open the file selector; previously it
was useless because it was disabled unless a name was
entered (which is not even a requirement for the emoji)
and also it didn't actually do anything on click even
if it wasn't disabled.

Now we have a way of adding files without having to drag
and drop them, which is nice.

Also in this PR, there was no indication before that the upload was
complete apart from the button becoming enabled again.
This commit adds the highlight class to the emoji list
and removes it once the highlight fade animation is done,
like we do for new posts.
2022-01-17 11:48:49 +10:00
Bianca Nenciu
5d35c38db2
FEATURE: Search screened IP address in blocks (#15461)
An admin could search for all screened ip addresses in a block by
using wildcards. 192.168.* returned all IPs in range 192.168.0.0/16.
This feature allows admins to search for a single IP address in all
screened IP blocks. 192.168.0.1 returns all IP blocks that match it,
for example 192.168.0.0/16.

* FEATURE: Remove roll up button for screened IPs

* FIX: Match more specific screened IP address first
2022-01-11 09:16:51 +02:00
David Taylor
c1f74cd92a
DEV: Update default tagName and connectorTagName for plugin outlets (#13685)
This commit should be a no-op for all existing core outlets. Outlets which are introduced by themes/plugins may see a change in behavior, and should follow the steps below if they want to maintain their previous behavior.

`tagName="" connectorTagName=""` is almost always the correct choice for plugin outlets. 40eba8cd introduced a `noTags=true` shortcut which achieved this, and left a comment saying it should be the future default. This commit does exactly that. To avoid any breaking changes for plugins, all existing plugin outlets have been reviewed and adjusted by following this logic:

1) If `noTags=true`, remove the `noTags` parameter, and do not complete any further steps
2) If `tagName` is not specified, set `tagName="span"` (the previous default)
3) If `connectorTagName` is not specified, set `selectorTagName="div"` (the previous default)
4) If `tagName=""`, remove it
5) If `connectorTagName=""`, remove it

The updates were accomplished with the help of a ruby script:

```ruby
def removeAttr(tag, attribute)
  tag = tag.sub /\s#{attribute}="?\w*"? /, " "
  tag = tag.sub /\s#{attribute}="?\w*"?}}/, "}}"
  tag = tag.sub /^\s*#{attribute}="?\w*"?\n/, ""
  tag
end

files = Dir.glob("app/assets/javascripts/**/*.hbs")

puts "Checking #{files.count} files..."
files.each do |f|
  content = File.read(f)

  count = 0
  edits = 0
  content.gsub!(/{{\s*plugin-outlet.*?}}/m) do |match|
    count += 1

    result = match

    noTags = result.include?("noTags=true")
    tagName = result[/tagName="(\w*)"/, 1]
    connectorTagName = result[/connectorTagName="(\w*)"/, 1]

    if noTags
      result = removeAttr(result, "noTags")
    else
      if connectorTagName == ""
        result = removeAttr(result, "connectorTagName")
      elsif connectorTagName.nil?
        result = result.sub(/name="[\w-]+"/) { |m| "#{m} connectorTagName=\"div\"" }
      end

      if tagName == ""
        result = removeAttr(result, "tagName")
      elsif tagName.nil?
        result = result.sub(/name="[\w-]+"/) { |m| "#{m} tagName=\"span\"" }
      end
    end

    edits += 1 if match != result

    result
  end

  puts "#{count} outlets, #{edits} edited -> #{f}"

  File.write(f, content)
end
```
2022-01-06 20:38:17 +00:00
Martin Brennan
ed83d7573e
FIX: Tone down admin dashboard critical problem messaging (#15442)
Keep the title the same as it used to be and only
show the exclamation icon on the critical problems in
the list.
2022-01-04 13:00:58 +10:00
Martin Brennan
20fe5eceb8
FEATURE: Scheduled group email credential problem check (#15396)
This commit adds a check that runs regularly as per
2d68e5d942 which tests the
credentials of groups with SMTP or IMAP enabled. If any issues
are found with those credentials a high priority problem is added to the
admin dashboard.

This commit also formats the admin dashboard differently if
there are high priority problems, bringing them to the top of
the list and highlighting them.

The problem will be cleared if the issue is fixed before the next
problem check, or if the group's settings are updated with a valid
credential.
2022-01-04 10:14:33 +10:00
Penar Musaraj
108c8302fb
FEATURE: Automatic admin editor dark mode (#15419) 2021-12-29 11:02:37 -05:00
Martin Brennan
d330a5447d
DEV: Remove old backup uploader and resumable.js (#15365)
Now that d5e380e5c1 has been
committed there is nothing in the codebase that uses either
resumable.js or the old backup-uploader component.

R.I.P resumable.js
2021-12-21 15:02:10 +10:00
Martin Brennan
d5e380e5c1
DEV: Promote uppy backup uploader to primary uploader (#15363)
This commit removes the enable_experimental_backup_uploader site
setting and the flags in backups-index.hbs to make the uppy
backup uploader the main one from now on.

A follow-up commit will delete the old backup uploader code and
also remove resumable.js from the project.
2021-12-20 13:39:35 +10:00
Martin Brennan
2d68e5d942
FEATURE: Scheduled problem checks for admin dashboard (#15327)
This commit introduces scheduled problem checks for the admin dashboard, which are long running or otherwise cumbersome problem checks that will be run every 10 minutes rather than every time the dashboard is loaded. If these scheduled checks add a problem, the problem will remain until it is cleared or until the scheduled job runs again.

An example of a check that should be scheduled is validating credentials against an external provider.

This commit also introduces the concept of a `priority` to the problems generated by `AdminDashboardData` and the scheduled checks. This is `low` by default, and can be set to `high`, but this commit does not change any part of the UI with this information, only adds a CSS class.

I will be making a follow up PR to check group SMTP credentials.
2021-12-20 09:59:11 +10:00
Penar Musaraj
4ee5d52ac9
DEV: Remove jQuery autoellipsis dependency (#15336) 2021-12-17 11:45:12 -05:00
Bianca Nenciu
ce7c821aa9
UX: Extend user hyperlink in staff action logs (#15293)
The avatar hyperlink redirected to admin user page and the username
hyperlink applied a filter. Now both hyperlinks redirect to admin user
page.
2021-12-14 17:14:18 +02:00
Martin Brennan
40d13ce662
DEV: Only support multipart for backup S3 uploads with Uppy (#15270)
In the composer, we already only allow for S3 multipart uploads
if enable_direct_s3_uploads is true, so in the backups uploader
that is based on Uppy we want to do the same thing. In future
if self-hosters need some way to not use S3 multipart in these
scenarios for whatever reason we can revisit this then (which
should be as simple as adding a enable_multipart_s3_uploads site
setting).
2021-12-13 15:24:00 +10:00
Joffrey JAFFEUX
e0ea16f05d
DEV: removes jquery usage from admin-watched-words (#15246) 2021-12-09 17:06:54 +01:00
Joffrey JAFFEUX
f889ec2fcd
DEV: refactors admin-plugins/admin-site-settings (#15244)
- drops jQuery usage
- removes apparently useless clearfix
- uses @action
- drops unused clearFilter function in admin-plugins
2021-12-09 13:47:56 +01:00
Osama Sayegh
fced35de15
UX: Add title attribute to reports cells (#15137)
Some reports, like the Web Crawler User Agents report, have very long strings that need to be truncated when displayed. However, there is no way to see the full value without exporting the report or inspecting the elements using dev tools. This PR set a `title` attribute with the full value to the reports `<td>` elements so that the full value is shown on hover.
2021-11-30 14:58:42 +03:00
Jarek Radosz
de3680eb5c
DEV: Re-allow node 17, with a warning (#15083) 2021-11-24 21:16:33 +01:00
Jarek Radosz
e41f98bf96
DEV: Fix set-after-destroy issues (#15078)
Fixes broken tests on the legacy ember env.
2021-11-24 20:13:52 +01:00
Jarek Radosz
c75224e3d9
DEV: Update supported node versions (#15073)
13 and 15 are no longer supported by node, and issues with discourse dependencies prevent us from using 17. (for now)
2021-11-24 18:18:35 +01:00
Martin Brennan
49c49e8ae0
FEATURE: Local chunked uppy backup uploads with a new uploader plugin (#14894)
This takes the uppy chunking algorithm and combines it with some
form submission from resumable.js for parity with the current
backup controller to make local backup uploads work with uppy.
We can then use this to replace the resumable-upload component
and the resumable.js library from our codebase, once stable.

This is disabled by default, so people using local backups will not
be affected. The enable_experimental_backup_uploader site setting
must be enabled for this to work.
2021-11-23 08:45:42 +10:00
Jarek Radosz
a102673522
DEV: Avoid unnecessary site-settings:main lookups (#15006) 2021-11-18 17:11:59 +01:00
Joffrey JAFFEUX
ef881fdedc
DEV: drops jquery/simplify code/removes leaked event (#14947) 2021-11-16 10:26:39 +01:00
Joffrey JAFFEUX
c768c2ab3a
DEV: drops jquery usage in stacked chart (#14946) 2021-11-16 10:26:26 +01:00
Joffrey JAFFEUX
43659a6de2
DEV: jquery removal/listeners/cleanup of permalink form (#14944)
- Removes jquery
- Removes a not unregistered listener and uses component event
- Removes external-url class as it was only valid in one case of the dropdown
- Uses @action
- Tagless
- Other minor changes
2021-11-16 10:25:54 +01:00
Jarek Radosz
f414d5eace
DEV: Use method definition syntax consistently (#14915) 2021-11-13 14:01:55 +01:00
Jarek Radosz
bdd2c888b0
DEV: Avoid using globals (#14909) 2021-11-13 13:10:13 +01:00
Martin Brennan
729043633e
DEV: Add missing IDs to uppy upload components (#14880) 2021-11-11 15:38:39 +10:00
Martin Brennan
e4350bb966
FEATURE: Direct S3 multipart uploads for backups (#14736)
This PR introduces a new `enable_experimental_backup_uploads` site setting (default false and hidden), which when enabled alongside `enable_direct_s3_uploads` will allow for direct S3 multipart uploads of backup .tar.gz files.

To make multipart external uploads work with both the S3BackupStore and the S3Store, I've had to move several methods out of S3Store and into S3Helper, including:

* presigned_url
* create_multipart
* abort_multipart
* complete_multipart
* presign_multipart_part
* list_multipart_parts

Then, S3Store and S3BackupStore either delegate directly to S3Helper or have their own special methods to call S3Helper for these methods. FileStore.temporary_upload_path has also removed its dependence on upload_path, and can now be used interchangeably between the stores. A similar change was made in the frontend as well, moving the multipart related JS code out of ComposerUppyUpload and into a mixin of its own, so it can also be used by UppyUploadMixin.

Some changes to ExternalUploadManager had to be made here as well. The backup direct uploads do not need an Upload record made for them in the database, so they can be moved to their final S3 resting place when completing the multipart upload.

This changeset is not perfect; it introduces some special cases in UploadController to handle backups that was previously in BackupController, because UploadController is where the multipart routes are located. A subsequent pull request will pull these routes into a module or some other sharing pattern, along with hooks, so the backup controller and the upload controller (and any future controllers that may need them) can include these routes in a nicer way.
2021-11-11 08:25:31 +10:00
Bianca Nenciu
3791fbd919
FEATURE: Add read-only scope to API keys (#14856)
This commit adds a global read-only scope that can be used to create
new API keys.
2021-11-10 17:48:00 +02:00
Martin Brennan
23b7b42acd
DEV: Bump eslint-config-discourse (#14868)
Changes for 4f7aba06c0

Also fixes all of the object-shorthand violations in our JS code.
2021-11-10 09:31:41 +10:00
Bianca Nenciu
b203e316ac
FEATURE: Add pagination to API keys page (#14777) 2021-11-09 12:18:23 +02:00
Martin Brennan
18dc2c5040
FEATURE: Use uppy for tags uploader (#14821)
No other caveats or fixes.
2021-11-08 08:18:09 +10:00
Martin Brennan
1dddbf3d47
FEATURE: Use uppy for watched word uploader (#14817)
This commit, while changing the watched word uploader to use
uppy, also fixes a minor bug with the UppyUploadMixin where
the file input's value was not cleared after reset, which
prevented subsequent file uploads. The composer mixin already
has this fix.
2021-11-05 09:23:28 +10:00
Penar Musaraj
9b30103628
UX: Layout fixes for admin permalinks page (#14819) 2021-11-04 14:15:55 -04:00
Penar Musaraj
d2ddb82022
UX: Remove animation in admin theme list (#14743) 2021-10-27 13:09:34 -04:00