Commit Graph

8662 Commits

Author SHA1 Message Date
Martin Brennan
6eb0d0c38d
SECURITY: Fix is_private_ip for RateLimiter to cover all cases (#12464)
The regular expression to detect private IP addresses did not always detect them successfully.
Changed to use ruby's in-built IPAddr.new(ip_address).private? method instead
which does the same thing but covers all cases.
2021-03-22 13:56:32 +10:00
Martin Brennan
49f4c548ef
FEATURE: Bookmark pinning (#12431)
Users can now pin bookmarks from their bookmark list. This will anchor the bookmark to the top of the list, and show a pin icon next to it. This also applies in the nav bookmarks panel. If there are multiple pinned bookmarks they sort by last updated order.
2021-03-22 09:50:22 +10:00
Roman Rizzi
e3d86c4e35
FIX: Only refresh the review count when the user can see the review queue. (#12453)
We currently make an AJAX request every time someone opens the hamburger menu, resulting in a forbidden response when a user can't see the review queue.
2021-03-19 16:20:41 -03:00
Gerhard Schlager
2d1b087efc
FIX: Delete invalid web push subscriptions (#12447)
The endpoint as well as the public and private ECDH keys are required to successfully send a push notification.
2021-03-19 14:24:03 +01:00
Penar Musaraj
d470e4fade
FEATURE: Allow users to save draft and close composer (#12439)
We previously included this option conditionally when users were replying
or creating a new topic while they had content already in the composer.

This makes the dialog always include three buttons:
  - Close and discard
  - Close and save draft for later
  - Keed editing

This also changes how the backend notifies the frontend when there is
a current draft topic. This is now sent via the `has_topic_draft`
property in the current user serializer.
2021-03-19 09:19:15 -04:00
Martin Brennan
355d51afde
FEATURE: Allow using invites when DiscourseConnect SSO is enabled (#12419)
This PR allows invitations to be used when the DiscourseConnect SSO is enabled for a site (`enable_discourse_connect`) and local logins are disabled. Previously invites could not be accepted with SSO enabled simply because we did not have the code paths to handle that logic.

The invitation methods that are supported include:

* Inviting people to groups via email address
* Inviting people to topics via email address
* Using invitation links generated by the Invite Users UI in the /my/invited/pending route

The flow works like this:

1. User visits an invite URL
2. The normal invitation validations (redemptions/expiry) happen at that point
3. We store the invite key in a secure session
4. The user clicks "Accept Invitation and Continue" (see below)
5. The user is redirected to /session/sso then to the SSO provider URL then back to /session/sso_login
6. We retrieve the invite based on the invite key in secure session. We revalidate the invitation. We show an error to the user if it is not valid. An additional check here for invites with an email specified is to check the SSO email matches the invite email
7. If the invite is OK we create the user via the normal SSO methods
8. We redeem the invite and activate the user. We clear the invite key in secure session.
9. If the invite had a topic we redirect the user there, otherwise we redirect to /

Note that we decided for SSO-based invites the `must_approve_users` site setting is ignored, because the invite is a form of pre-approval, and because regular non-staff users cannot send out email invites or generally invite to the forum in this case.

Also deletes some group invite checks as per https://github.com/discourse/discourse/pull/12353
2021-03-19 10:20:10 +10:00
Dan Ungureanu
033d6b6437
FEATURE: Obfuscate emails on invite show page (#12433)
The email should not be ever displayed in clear text, except the case
when the user authenticates using another service.
2021-03-18 19:09:23 +02:00
Roman Rizzi
da210b6d77
FEATURE: Replace markdown-it replacements rule. (#12417)
We override the default replacements rule to no longer replace "(c)", "(p)", and "(p)". Additionally, we merged the custom arrows rule into the replacement function.
2021-03-18 10:55:41 -03:00
Blake Erickson
44153cde18
FIX: Be able to handle long file extensions (#12375)
* FIX: Be able to handle long file extensions

Some applications have really long file extensions, but if we truncate
them weird behavior ensues.

This commit changes the file extension size from 10 characters to 255
characters instead.

See:

https://meta.discourse.org/t/182824

* Keep truncation at 10, but allow uppercase and dashes
2021-03-17 12:01:29 -06:00
Penar Musaraj
eb7f0ec766
FIX: In components, fall back to default theme color variables (#12423)
Component SCSS compilation should use the current theme's SCSS color
variables as a fallback before using the default core colors.

This is mostly a backwards-compatibility fix, new themes and components
should use CSS custom properties, which offer better support for on-the-fly
color scheme changes (dark mode support, etc.).
2021-03-17 13:34:15 -04:00
Bianca Nenciu
97623f5351
FIX: Do not raise if post no longer exists (#12428) 2021-03-17 19:22:05 +02:00
Robin Ward
52859bdeab
FIX: Viewing some tag routes wasn't rendering the list without JS (#12344) 2021-03-17 13:02:32 -04:00
Bianca Nenciu
16b5fa030b
DEV: Set disable_mailing_list_mode automatically (#12402)
The user mailing list mode continued to be silently enabled and
UserEmail job checked just that ignoring site setting
disable_mailing_list_mode.

An additional migrate was added to set disable_mailing_list_mode
to false if any users enabled the mailing list mode already.
2021-03-17 17:39:10 +02:00
Daniel Waterworth
9c3d5f861d
DEV: Speed up topics_controller_spec.rb (#12395) 2021-03-17 10:25:43 -05:00
Osama Sayegh
a23d0f9961
UX: Add image uploader widget for uploading badge images (#12377)
Currently the process of adding a custom image to badge is quite clunky; you have to upload your image to a topic, and then copy the image URL and pasting it in a text field. Besides being clucky, if the topic or post that contains the image is deleted, the image will be garbage-collected in a few days and the badge will lose the image because the application is not that the image is referenced by a badge.

This commit improves that by adding a proper image uploader widget for badge images.
2021-03-17 08:55:23 +03:00
Krzysztof Kotlarek
146775072a
FIX: mention notification takes precedence over group (#12407)
When a specific user is mentioned and group to which this user belongs, a direct mention notification should take precedence.
2021-03-17 08:20:41 +11:00
Dan Ungureanu
fb19ee9eee
FIX: Correctly use invite to topic email templates (#12411)
It was used both when inviting from a topic page and when creating
invites with "Send to topic on first login", while it should be used
only in the former case.
2021-03-16 17:08:54 +02:00
Arpit Jalan
64d2f260a9
FIX: do not convert format for site setting uploads (#12410) 2021-03-16 20:14:41 +05:30
Sam
6c57f6f49d
DEV: ensure state is clean prior to spec (#12399)
Corrects flaky spec

Previously we were only clearing state after our spec ran, leaving possible
edge cases where `Discourse.plugins` had data.

Clean-up source of the plugin leak

1 pop was not enough to clear the plugin, plus make specs a bit more
deliberate
2021-03-15 09:11:23 +01:00
David Taylor
7970d1d99f
FEATURE: Allow a cluster_name to be configured and used for /srv/status (#12365)
The cluster name can be configured by setting the `DISCOURSE_CLUSTER_NAME` environment variable. If set, you can then call /srv/status with a `?cluster=` parameter. If the cluster does not match, an error will be returned. This is useful if you need a load balancer to be able to verify the identity, as well as the presence, of an application container.
2021-03-15 15:41:59 +11:00
Jarek Radosz
303d2227cc
DEV: Fix FakeLogger spec issues (#12397)
* DEV: Add `#level` and `#level=` to `FakeLogger`

* DEV: Fix a leaky test
2021-03-15 15:36:10 +11:00
Blake Erickson
5c84f702b0
DEV: Update api docs to deprecate target_usernames field (#12394)
When creating a PM target_usernames has been deprecated for some time
now but the api docs have yet to reflect this.

The api docs now specify to use target_recipients.

See: eef21625c6
2021-03-12 16:48:39 -07:00
Daniel Waterworth
2a18b0b07e
DEV: Remove debug print statement (#12390) 2021-03-12 15:12:50 -06:00
Daniel Waterworth
ca436e429b
DEV: Remove stray debug logging (#12389) 2021-03-12 12:52:07 -06:00
Roman Rizzi
9a779ca99a
FIX: Show a proper error message when trying to bulk award a disabled badge. (#12384) 2021-03-12 14:28:27 -03:00
Penar Musaraj
52d833472c
DEV: Refactor plugin SCSS compilation (#12359) 2021-03-12 11:17:42 -05:00
Martin Brennan
cf1a80dea6
FIX: Make sure tag-based topic list uses its own preload key (#12354)
When transitioning from a tag topic list e.g. /tag/alerts
to the / route the topic list was not reloaded because the
same preload key was used for both lists (topic_list_latest).
The topic list was only reloaded when clicking on the / route
a second time because then it is forced to reload.

In the topic list adapter, we call `PreloadStore.getAndRemove` to
get the topic lists:

534777f5fd/app/assets/javascripts/discourse/app/adapters/topic-list.js (L34-L41)

Now instead of both / and /tag/alerts sharing the same preload
key of `topic_list_latest`, the tag has a key of `topic_list_tag/alerts/l/latest`
2021-03-12 09:06:21 +10:00
Dan Ungureanu
9c93a62b97
DEV: Update API documentation for invites (#12360) 2021-03-11 18:19:32 +02:00
Roman Rizzi
56262349a9
FIX: When destroying a topic, destroy its associated published page. (#12358)
Destroying a topic should remove the associated published page so another topic could re-use the slug.
2021-03-11 11:34:54 -03:00
Roman Rizzi
8fcad73b36
FEATURE: Admins can flag posts so they can review them later. (#12311)
Staff can send a post to the review queue by clicking the "Flag Post" button next to "Take Action...". Clicking it flags the post using the "Notify moderators" score type and hides it. A custom message will be sent to the user.
2021-03-11 08:21:24 -03:00
David Taylor
0902e56162
FEATURE: Flag to disable DiscourseConnect CSRF protection (#12356)
This is not recommended. But if you have other protections in place for CSRF mitigation, you may wish to disable Discourse's implementation. This site setting is not visible in the UI, and must be changed via the console.
2021-03-11 10:38:34 +00:00
Kris
83519e7f3a
FEATURE: Always show tag dropdown when tagging is enabled (#12209) 2021-03-10 21:13:15 -05:00
Penar Musaraj
10780d2448
DEV: support json_schema in theme settings (#12294) 2021-03-10 20:15:04 -05:00
Sam
9fb9a2c098
DEV: freeze time when running rate limiter tests (#12315)
This avoids issues around clock skew making retry-after return 9 instead of
10
2021-03-11 10:47:23 +11:00
jbrw
aed97c7bab
FIX: Add amazon sites to force_get_hosts (#12341)
It has been observed that doing a HEAD against an Amazon store URL may result in a 405 error being returned.

Skipping the HEAD request may result in an improved oneboxing experience when requesting these URLs.
2021-03-10 14:42:17 -05:00
David Taylor
bce837db0c
FIX: Update excerpt after process_post (#12340)
Onebox content may only be resolved during the process_post job. Onebox content could change the content of the excerpt, so we need to make sure the excerpt is updated accordingly.
2021-03-10 17:07:13 +00:00
Penar Musaraj
4071af1d09
DEV: Refactor font and category background importers (#12312) 2021-03-10 11:05:56 -05:00
Bianca Nenciu
9bd436c20b
FIX: Do not add same email multiple times (#12322)
The user and an admin could create multiple email change requests for
the same user. If any of the requests was validated and it became
primary, the other request could not be deleted anymore.
2021-03-10 14:49:26 +02:00
Bianca Nenciu
92ad2182f5
FIX: Validate user email only once (#12327)
It was validated twice: once by validates_associated and once
by has_many.
2021-03-10 14:49:13 +02:00
jbrw
ac7773a30d
FEATURE: allow category group moderators to pin/unpin topics (#12325)
* FEATURE: allow category group moderators to pin/unpin topics

Category group moderators should be able to pin/unpin any topics within a category where they have appropraite category group moderator permissions.
2021-03-09 16:05:11 -05:00
David Taylor
4430bc153d
FIX: Do not clean up uploads when they're used by theme settings (#12326)
We intend to move ThemeSetting to use an upload_id column, rather than storing the URL. So this is a short-term solution.
2021-03-09 19:16:45 +00:00
Vinoth Kannan
e3d8e828b8
FEATURE: allow search engines to index tag pages. (#12248)
Previously, we blocked search engines in tag pages since they may get marked as a duplicate content.

* DEV: block tag inner pages from search engines crawling.
2021-03-09 23:55:57 +05:30
Alan Guo Xiang Tan
ce04db8610 FEATURE: Allow invites redemption with Omniauth providers. 2021-03-09 09:27:18 +08:00
Alan Guo Xiang Tan
ebe4896e48 FEATURE: Change very high/low search priority to rank at absolute ends.
Prior to this change, we had weights for very_high, high, low and
very_low. This means there were 4 weights to tweak and what weights to
use for `very_high/high` and `very_low/low` pair was hard to explain.
This change makes it such that `very_high` search priority will always
ensure that the posts are ranked at the top while `very_low` search
priority will ensure that the posts are ranked at the very bottom.
2021-03-09 09:20:37 +08:00
Dan Ungureanu
7f3240ea31
FEATURE: Various improvements to invite system (#12298)
* FIX: Do not show expired invites under Pending tab

* DEV: Controller action was renamed in previous commit

* FEATURE: Add 'Expired' tab to invites

* FEATURE: Refresh model after removing expired invites

* FEATURE: Do not immediately add invite to the list

Opening the 'create-invite' modal used to automatically generate an
invite to reserve an invite link. If the user did not save it and
closed the modal, the invite would be destroyed. This operations caused
the invite list to change in the background and confuse users.

* FEATURE: Sort redeemed users by creation time

* UX: Improve show / hide advanced options link

* FIX: Show redeemed users even if invites were trashed

* UX: Change modal title when editing invite

* UX: Remove Get Link button

Users can get it from the edit modal

* FEATURE: Add limit for invite links generated by regular users

* FEATURE: Add option to skip email

* UX: Show better error messages

* FIX: Show "Invited by" even if invite was trashed

Follow up to 1fdfa13a099d8e46edd0c481b3aaaafe40455ced.

* FEATURE: Add button to save without sending email

Follow up to c86379a465f28a3cc64a4a8c939cf32cf2931659.

* DEV: Use a buffer to hold all changed data

* FEATURE: Close modal after save

* FEATURE: Rate limit resend invite email

* FEATURE: Make the save buttons smarter

* FEATURE: Do not always send email even for new invites
2021-03-06 13:29:35 +02:00
Krzysztof Kotlarek
e076506135
FIX: new topic indicator on the mobile categories page (#12271)
Regression with new dismiss button. We need the same solution to indicate if the topic was seen for category_list as done for topic_list:
https://github.com/discourse/discourse/blob/master/app/models/topic_list.rb#L123

Meta: https://meta.discourse.org/t/dismissed-new-topics-still-show-blue-dots-in-categories-view/181596
2021-03-05 09:04:19 +11:00
David Taylor
5a4d3e7576
FIX: Ensure UserField changes are reflected instantly in webhooks (#12291)
The Guardian object memoizes a list of allowed user fields. Normally this is fine because Guardian objects only persist for a single request. However, the WebHook class was memoizing a guardian at the class level. This meant that an app restart was required for changes to be reflected. Plus, the Guardian was being shared across all sites in a multisite instance.

Initializing a guardian is cheap, so we can manage without memoization here.
2021-03-04 21:41:57 +00:00
Joshua Rosenfeld
75dc01627d
FEATURE: Mailing list mode default disabled (#11091)
Mailing list mode can generate significant email volume, especially on sites with a large user base. Disable mailing list mode via site settings by default so sites don't experience an unexpectedly large cost from outgoing email.
2021-03-04 15:24:37 -05:00
Blake Erickson
2123561125
FIX: Mobile app notification urls w/ subfolder (#12282)
The urls that we generate for mobile post notifications don't take into
account the subfolder url if a site happens to have one configured. When
this happens when you tap on a new mobile notification it takes you to
a url that doesn't work because it is missing the subfolder portion.

I honestly think this should be handled in the Post model like we do
with the Topic model. `Post.url` should know how to handle subfolder
installs, but that seemed like a very risky change because there are
lots of other places in the codebase where we tack on the base_path and
I didn't want to risk duplicating it.

I also found a small typo in the topics controller spec.
2021-03-04 07:07:37 -07:00
Alan Guo Xiang Tan
51483e1aef FIX: Make email a required param when accepting invite links.
A missing email when accepting an invite link does not make sense so we
should make it a required param which helps to catch bugs in our test
suite and also prevent potential bugs in our code base when the code
trips on a `nil` email.
2021-03-04 09:27:04 +08:00