Krzysztof Kotlarek
99086edf85
FIX: Allow themes to upload and serve js files (#8188)
If you set `config.public_file_server.enabled = false` when you try to get uploaded js file you will get an error:
`Security warning: an embedded <script> tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on this action to permit cross-origin JavaScript embedding.`
The reason is that the content type is `application/javascript` and in Rails 5 the guard looked like this:
https://github.com/rails/rails/blob/5-2-stable/actionpack/lib/action_controller/metal/request_forgery_protection.rb#L278-L280
However, in Rails 6 `application` was added to the regex:
https://github.com/rails/rails/blob/master/actionpack/lib/action_controller/metal/request_forgery_protection.rb#L282-L284
This pull request is related to https://meta.discourse.org/t/uploaded-js-file-for-theme-causes-a-rejection/129753/8
2019-10-14 15:40:33 +11:00
Krzysztof Kotlarek
427d54b2b0
DEV: Upgrading Discourse to Zeitwerk (#8098)
Zeitwerk simplifies working with dependencies in dev and makes it easier to reload class chains.
We no longer need to use Rails "require_dependency" anywhere and instead can just use standard
Ruby patterns to require files.
This is a far reaching change and we expect some followups here.
2019-10-02 14:01:53 +10:00
Penar Musaraj
03805e5a76
FIX: Ensure lightbox image download has correct content disposition in S3 (#7845)
2019-07-04 11:32:51 -04:00
Gerhard Schlager
fe870a1e54
DEV: Respond with error 400 to uploads requested via XHR
follow-up to 13f38055
2019-06-27 11:15:35 +02:00
Gerhard Schlager
13f38055ac
SECURITY: XSS in routes
Co-authored-by: Guo Xiang Tan <tgx_world@hotmail.com>
Co-authored-by: David Taylor <david@taylorhq.com>
2019-06-26 16:34:15 +02:00
Penar Musaraj
f00275ded3
FEATURE: Support private attachments when using S3 storage (#7677)
* Support private uploads in S3
* Use localStore for local avatars
* Add job to update private upload ACL on S3
* Test multisite paths
* update ACL for private uploads in migrate_to_s3 task
2019-06-06 13:27:24 +10:00
Guo Xiang Tan
a3938f98f8
Revert changes to FileStore::S3Store#path_for in f0620e7118.
There are some places in the code base that assume the method should
return nil.
2019-05-29 18:39:07 +08:00
Guo Xiang Tan
f0620e7118
FEATURE: Support [description|attachment](upload://<short-sha>) in MD take 2.
Previous attempt was missing `post_uploads` records.
2019-05-29 09:26:32 +08:00
Penar Musaraj
7c9fb95c15
Temporarily revert "FEATURE: Support [description|attachment](upload://<short-sha>) in MD. (#7603)"
This reverts commit b1d3c678ca.
We need to make sure post_upload records are correctly stored.
2019-05-28 16:37:01 -04:00
Guo Xiang Tan
b1d3c678ca
FEATURE: Support [description|attachment](upload://<short-sha>) in MD. (#7603)
2019-05-28 11:18:21 -04:00
Sam Saffron
7429700389
FIX: ensure we can download maxmind without redis or db config
This also corrects FileHelper.download so it supports "follow_redirect"
correctly (it used to always follow 1 redirect) and adds a `validate_url`
param that will bypass all uri validation if set to false (default is true)
2019-05-28 10:28:57 +10:00
Vinoth Kannan
42b10a646d
FIX: return 404 only if upload url also not internal.
2019-05-15 02:06:54 +05:30
Sam Saffron
30990006a9
DEV: enable frozen string literal on all files
This reduces chances of errors where consumers of strings mutate inputs
and reduces memory usage of the app.
Test suite passes now, but there may be some stuff left, so we will run
a few sites on a branch prior to merging
2019-05-13 09:31:32 +08:00
Sam Saffron
1be01f8dd4
DEV: Add support for Rails 6
Minor fixes to add Rails 6 support to Discourse, we now will boot
with RAILS_MASTER=1, all specs pass.
Only one tiny deprecation left.
Largest change was the way ActiveModel::Errors changed interface a
bit but there is a simple backwards compat way of working it.
2019-05-02 16:23:25 +10:00
Guo Xiang Tan
58b0e945bd
UX: Lightbox support for image uploader. (#7034)
2019-02-21 10:13:37 +08:00
Robin Ward
6f656f6e7d
FIX: Better error handling if a file cannot be sent
If for some reason `Discourse.store.path_for` returns `nil`, the
forum would throw an error rather than returning 404.
Why would it be `nil`? One cause could be changing the type of
file store and having the `url` field no longer be relative.
2019-01-29 16:47:25 -05:00
Bianca Nenciu
1a4f592749
FIX: Always allow admins upload selectable avatars.
2018-12-05 21:55:23 +01:00
Guo Xiang Tan
44391ee8ab
FEATURE: Upload Site Settings. (#6573)
2018-11-14 15:03:02 +08:00
Guo Xiang Tan
e1b16e445e
Rename FileHelper.is_image? -> FileHelper.is_supported_image?.
2018-09-12 09:22:28 +08:00
Guo Xiang Tan
2b57239389
FIX: Upload's content is the only source of truth for the file type.
2018-08-07 13:15:00 +08:00
Guo Xiang Tan
142571bba0
Remove use of rescue nil.
* `rescue nil` is a really bad pattern to use in our code base.
We should rescue errors that we expect the code to throw and
not rescue everything because we're unsure of what errors the
code would throw. This would reduce the amount of pain we face
when debugging why something isn't working as expected. I've
been bitten countless times by errors being swallowed as a
result during debugging sessions.
2018-04-02 13:52:51 +08:00
Sam
41986cdb2f
Refactor requires login logic, reduce duplicate code
This also corrects the positioning in the chain of the check
and removes misuse of prepend_before_action
2018-02-01 15:17:59 +11:00
Sam
f2e7b74d88
FIX: don't return 200s when login is required to paths
When running `ensure_login_required` it should always happen prior to
`check_xhr` because `check_xhr` will trigger a 200 response.
2018-02-01 12:26:45 +11:00
Régis Hanol
f5e170c6b5
FIX: catch all server-side error when uploading a file
UX: always show a message to the user whenever an error happens on the server when uploading a file
2017-12-27 16:33:25 +01:00
Sam
eb428ef54d
FEATURE: uploads are processed faster
Also cleans up API to always return 422 on upload error. (previously returned 200)
Uploads are processed using new hijack pattern
2017-11-27 12:43:35 +11:00
Sam
49f97d75b7
FIX: make uploads safe for block that can run later
2017-11-23 17:28:18 +11:00
Sam
a92f61e926
FIX: allow login required sites access to attachments
2017-11-22 10:50:55 +11:00
Guo Xiang Tan
77d4c4d8dc
Fix all the errors to get our tests green on Rails 5.1.
2017-09-25 13:48:58 +08:00
Sam
d7a2584c6e
FEATURE: image uploads now have short urls
Shorten all image uploads to use short urls, this is the client
side implementation.
2017-08-22 16:40:08 -04:00
Régis Hanol
a9c0df0b58
FIX: always try to convert PNG to JPG when pasting an image
2017-06-23 12:13:48 +02:00
Régis Hanol
5d63a7f4a6
FIX: pull hotlinked images even when they have no extension
2017-06-13 13:27:05 +02:00
Régis Hanol
54e8fb0d89
FEATURE: new 'allow_staff_to_upload_any_file_in_pm' site setting
2017-06-12 22:41:29 +02:00
Robin Ward
cdbe027c1c
Refactor FileHelper to use keyword arguments.
2017-05-24 13:54:26 -04:00
Arpit Jalan
1fd8e426f2
FIX: better uploads error page
2017-05-18 23:29:37 +05:30
Régis Hanol
13e489b4ca
replace the upload type whitelist with a sanitizer
2017-05-18 12:13:13 +02:00
Régis Hanol
9641d2413d
REFACTOR: upload workflow creation into UploadCreator
- Automatically convert large-ish PNG/BMP to JPEG
- Updated fast_image to latest version
2017-05-11 00:16:57 +02:00
Guo Xiang Tan
e7c972ac89
FIX: Don't use backticks that take in inputs.
2017-03-17 15:33:51 +08:00
Régis Hanol
3ce3abef8f
FIX: add Content-Disposition and Content-Type headers when downloading attachments
2017-02-20 15:59:01 +01:00
Guo Xiang Tan
18007ed34b
FIX: Can't use an internal name here if SiteSetting.convert_pasted_images_to_hq_jpg is false.
2017-02-01 14:51:56 +08:00
Guo Xiang Tan
f6d9745c5f
Bye bye byebug.
2017-02-01 14:50:14 +08:00
Guo Xiang Tan
6c8c91dca4
UX: Change default filename for images that have been pasted.
2017-02-01 14:44:41 +08:00
Sam
15b5fddd49
SECURITY: protect upload params, only allow very strict filenames
2016-12-19 10:16:18 +11:00
Robin Ward
af83c8dc14
Upload Logos Step
2016-09-22 09:52:19 -04:00
Régis Hanol
6dac9075dc
new 'convert_pasted_images_quality' site setting
2016-07-27 19:59:44 +02:00
Régis Hanol
be099bb637
only convert pasted images to HQ jpg when it's at least 5% smaller
2016-07-27 19:55:13 +02:00
Régis Hanol
749b981759
FEATURE: new 'convert_pasted_images_to_hq_jpg' site setting
2016-07-25 23:01:28 +02:00
Régis Hanol
7fca6f502f
fix and improve image downsizing algorithm
2016-06-20 12:35:07 +02:00
Régis Hanol
a5d8dfb07e
FIX: don't hardcode maximum file size
2016-04-06 22:51:28 +02:00
Régis Hanol
4d981cec53
FIX: don't try to optimize large PNGs (takes too much time)
2016-02-22 12:57:24 +01:00
Jeff Atwood
e1f90d12f1
formally remove IE9 support
2016-01-02 23:49:52 -08:00