Commit Graph

3465 Commits

Author SHA1 Message Date
Guo Xiang Tan
5cd680b0be SECURITY: Ensure oAuth authenticated email is the same as created user's email. 2017-02-24 15:40:31 +08:00
Guo Xiang Tan
465660bdfc Revert "SECURITY: Ensure that user has been authenticated."
This reverts commit d1091f7f57.
2017-02-24 15:39:56 +08:00
Guo Xiang Tan
d1091f7f57 SECURITY: Ensure that user has been authenticated. 2017-02-24 11:46:59 +08:00
Sam
7912966209 SECURITY: inactive/suspended accounts should be banned from api
Also fixes edge cases around users presenting multiple credentials
2017-02-17 11:09:08 -05:00
Sam
1d3f04d4bb SECURITY: correctly validate input when admin searches for screened ips 2017-02-06 16:11:48 -05:00
Régis Hanol
f49c9f6c43 FIX: log backups download/destroy staff action
FIX: clean up junk left by the specs
RENAME: 'backup_operation' to 'backup_create' to match other backup log types
2017-01-16 19:58:04 +01:00
Robin Ward
8f34c2332d Version bump to v1.7.1 2017-01-13 11:08:58 -05:00
Régis Hanol
9f3c38832e FIX: don't onebox to IP addresses 2017-01-12 22:36:59 +01:00
Guo Xiang Tan
38496985ef Fix syntax error. 2017-01-12 10:03:37 +08:00
Guo Xiang Tan
23d4435af1 Oops. 2017-01-12 09:56:20 +08:00
Guo Xiang Tan
515f50e42e FEATURE: Log admin action when readonly mode is changed. 2017-01-12 09:41:02 +08:00
Régis Hanol
887e9af84f FEATURE: new 'max_image_megapixels' site setting 2017-01-11 23:37:12 +01:00
Neil Lalonde
b177827841 more specs for staff action logging 2017-01-11 11:41:21 -05:00
Guo Xiang Tan
1758af9a1d FIX: Perform emoji unescape for topic titles in quotes. 2017-01-11 17:23:13 +08:00
Guo Xiang Tan
cdd550e947 Use a different Redis key when PG failover sets site to readonly mode. 2017-01-11 16:38:49 +08:00
Régis Hanol
185dcb2ca1 handle emails with localized headers 😠 2017-01-09 22:59:30 +01:00
Guo Xiang Tan
3d21ccd4a5 FIX: Add validation to disallow censored words in topic title. 2017-01-09 16:55:41 +08:00
Régis Hanol
98c62bccb5 FIX: mark forwarded email as read by the forwarder
FIX: 'Re:' prefix is mostly used for replies and not forwarded emails
2017-01-06 15:33:55 +01:00
Guo Xiang Tan
58f3a2e9a9 Fix randomly failing spec. 2017-01-06 15:25:49 +08:00
Guo Xiang Tan
68300f515c FIX: Return 404 if id is not valid. 2017-01-06 10:39:44 +08:00
Guo Xiang Tan
d10fe51b72 Fix broken specs since all urls will be oneboxed. 2017-01-06 10:05:51 +08:00
Guo Xiang Tan
f473a119ff Remove unnecessary stub. 2017-01-06 08:53:30 +08:00
Arpit Jalan
7a1ff59822 FIX: PM email to suspended member was broken 2017-01-05 13:58:14 +05:30
Guo Xiang Tan
a89f60b85b Merge pull request #4631 from tgxworld/prevent_users_from_changing_permissions_of_non_real_users
FIX: Do not allow admins to meddle with admin and moderation access o…
2017-01-04 09:10:27 +08:00
Robin Ward
cf7774bdd9 FEATURE: Block muted users from sending you PMs 2017-01-03 14:51:53 -05:00
Guo Xiang Tan
c68bcfeb72 Improve spec. 2017-01-03 15:36:36 +08:00
Guo Xiang Tan
ad4a96d387 FIX: Only send membership request to the last 5 active group owners. 2017-01-03 15:33:57 +08:00
Arpit Jalan
495a511862 simplify quote markup in emails 2017-01-02 21:37:01 +05:30
Guo Xiang Tan
f1beef43a8 Merge pull request #4618 from tgxworld/fix_invalid_emails
FIX: Don't allow invalid email to be saved.
2016-12-30 07:11:48 +08:00
Guo Xiang Tan
c7b151683d FIX: Do not allow admins to meddle with admin and moderation access of non real users. 2016-12-29 11:11:33 +08:00
Neil Lalonde
9c40657ba4 FIX: error during signup saying "Password is the same as your current password" due to automatic group membership granting a trust level 2016-12-28 17:36:04 -05:00
Sam
d28d8a1f85 FIX: order by op_likes leads to broken browsing 2016-12-27 19:08:54 +11:00
Arpit Jalan
d72cbcb2a4 FEATURE: new setting to validate user website 2016-12-26 21:29:27 +05:30
Guo Xiang Tan
5aee2673c7 FIX: Push null fields to last when sorting group members. 2016-12-22 14:55:24 +08:00
Guo Xiang Tan
8551d821a0 FEATURE: Add site setting to disable group directory. 2016-12-22 14:14:22 +08:00
Sam
c531f4ded5 remove rails-observers
Rails yanked out observers many many years ago, instead the functionality
was yanked out to a gem that is very lightly maintained.

For example: if we want to upgrade to rails 5 there is no published gem

Internally the usage of observers had quite a few problem.

The series of refactors renamed a bunch of classes to give us more clarity
and removed some magic.
2016-12-22 16:46:53 +11:00
Sam
019f1a1d06 UserEmailObserver is now removed
no big surprises here was pretty straightforward

after_commit semantics sure are weird though
2016-12-22 16:46:53 +11:00
Sam
2f6a4cc6de remove UserActionObserver, replace with after_save and service
interestingly there was some left over dead code from when stars
existed in the topic_users table
2016-12-22 16:46:53 +11:00
Sam
0a78ae739d Remove SearchObserver, aim is to remove all observers
rails-observers gem is mostly unmaintained and is a pain to carry forward
new implementation contains significantly less magic as a bonus
2016-12-22 13:13:14 +11:00
Guo Xiang Tan
28befcb5d4 Fix specs. 2016-12-21 21:21:39 +08:00
Guo Xiang Tan
076a08d8e1 FIX: Unactivated users should not be automatically added into groups as well. 2016-12-21 18:15:01 +08:00
Guo Xiang Tan
7228081820 FIX: Automatic group membership should not add staged or unactivated users. 2016-12-21 18:04:26 +08:00
Guo Xiang Tan
13c6191e89 FIX: Don't allow invalid email to be saved. 2016-12-21 17:47:11 +08:00
Guo Xiang Tan
5d7f3223f0 SECURITY: Users can only bookmark posts which they can see. 2016-12-21 12:01:26 +08:00
Neil Lalonde
c75bebdea2 FIX: uncategorized setting to control whether topic featured links are allowed 2016-12-20 15:55:30 -05:00
Guo Xiang Tan
9db5d5b6a7 FIX: Incorrect serializer for groups page. 2016-12-20 15:44:22 +08:00
Guo Xiang Tan
7c7c233c1c FIX: Can't update Groups#allow_membership_requests in admin. 2016-12-20 15:14:35 +08:00
Guo Xiang Tan
502e114c60 FIX: Incorrect count when loading more groups. 2016-12-20 14:39:44 +08:00
Guo Xiang Tan
193f8301a4 FIX: Do not show automatic groups to normal users. 2016-12-20 14:26:49 +08:00
Régis Hanol
52cd9972bb FIX: prevent DDoS with lots of _oneboxable_ links
FIX: ensure the onebox route is only allowed to logged in users
FIX: only allow 1 outgoing onebox preview per user
FIX: client should only do 1 preview at a time
2016-12-20 00:31:10 +01:00