Commit Graph

51397 Commits

Author SHA1 Message Date
Godfrey Chan
6036001667
DEV: stop relying on global jQuery, import "jquery" instead (#23924)
We'll probably have to keep the globals around for compatibility, but we should always import it ourselves. We'll followup with an updated eslint config to enforce this.
2023-10-17 13:56:59 +01:00
dependabot[bot]
070f4e318b
Build(deps): Bump @babel/traverse from 7.23.0 to 7.23.2 (#23949)
Bumps [@babel/traverse](https://github.com/babel/babel/tree/HEAD/packages/babel-traverse) from 7.23.0 to 7.23.2.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.23.2/packages/babel-traverse)

---
updated-dependencies:
- dependency-name: "@babel/traverse"
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-17 13:43:12 +02:00
Martin Brennan
3cde7f125d
DEV: Remove hashtag autocomplete experimental setting (#23954)
Everything relying on this was removed in
09223e5ae7
2023-10-17 15:05:58 +10:00
Martin Brennan
61c87fb59f
FIX: Properly attach secure images to email for non-secure uploads (#23865)
There are cases where a user can copy image markdown from a public
post (such as via the discourse-templates plugin) into a PM which
is then sent via an email. Since a PM is a secure context (via the
.with_secure_uploads? check on Post), the image will get a secure
URL in the PM post even though the backing upload is not secure.

This fixes the bug in that case where the image would be stripped
from the email (since it had a /secure-uploads/ URL) but not re-attached
further down the line using the secure_uploads_allow_embed_images_in_emails
setting because the upload itself was not secure.

The flow in Email::Sender for doing this is still not ideal, but
there are chicken and egg problems around when to strip the images,
how to fit in with other attachments and email size limits, and
when to apply the images inline via Email::Styles. It's convoluted,
but at least this fixes the Template use case for now.
2023-10-17 14:08:21 +10:00
Krzysztof Kotlarek
09eca87c76
FIX: synonym tags are not considered as unused (#23950)
Currently, `Tag.unused` scope is used to delete unused tags on `/tags` and by CleanUpTags job. Synonym tags, should not be included and treated as unused. Synonyms are only deleted when main tag is deleted:

https://github.com/discourse/discourse/blob/main/app/models/tag.rb#L57
2023-10-16 23:53:02 +00:00
dependabot[bot]
ee9aa02ab3
Build(deps): Bump terser in /app/assets/javascripts (#23948)
Bumps [terser](https://github.com/terser/terser) from 5.21.0 to 5.22.0.
- [Changelog](https://github.com/terser/terser/blob/master/CHANGELOG.md)
- [Commits](https://github.com/terser/terser/compare/v5.21.0...v5.22.0)

---
updated-dependencies:
- dependency-name: terser
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-16 23:45:02 +02:00
Jeff Wong
d208396c5c
UX: improve touch, swipe, panning performance on mobile menus (#23775)
PERF: improve touch, swipe, panning performance on mobile menus
---

* stop event propagation on swipe events: other touch events were stealing a huge amount of time here. Stop event
propagation when handling pan events.
* animate with [web animations api](https://developer.mozilla.org/en-US/docs/Web/API/Web_Animations_API/Using_the_Web_Animations_API)
* prefer translate3d to hint for gpu rendering.
* query document for elements only on start move event, not on subsequent move
events
* remove unused calculations for directioned velocity and distance: all swipe/pan elements function in x/y direction only.
* re-implement scroll locking behavior.

re-implemented scroll lock behavior
---

With stop event propagation, we need to re-implement scroll locking on menu swipes.
Previously, this was using onTouchMove which was costly.

We may now use styling with overflow-y:hidden to lock scroll behavior.

overflow:hidden on html/body elements is now supported by iOS as of 2022
https://bugs.webkit.org/show_bug.cgi?id=153852
https://bugs.webkit.org/show_bug.cgi?id=220908

UX: improve swipe
---

Some improvements to get gestures and swipes feeling a little more polished.

This focuses on end gesture, and how we transfer it to a css animation to
complete a menu open/close action.

Multitouch: events may pan, scroll, and zoom - especially on iOS safari.
Cancelling the swipe event allows for a more pleasant zooming experience.

* ease-out on menus opening, linear on close
* calculate animation duration for opening and closing,
attempt to better transfer user swipe velocity to css animation.
* more timely close/open and cleanup from calculated animation timing.
* add animation to closing menus on cloak tap
* correctly animate menus with ease-in and ease-out
* add swipe cancel event on multitouch event

DEV
---

* lean on promises

js animations api gives us promises to listen to. Update test waiters
to use waitForPromise from @ember/test-waiters instead of reigster/unregister.

* convert swipe mixin to its own class.

Convert swipe callbacks to custom events on the element.
Move shared functions for max animation time and close logic to
new shared class.

swipe-events lib uses custom events to trigger callbacks, rather than assuming
implemented hard coded function from the mixin's base class. Custom events are
triggered from the bound element as swipestart, swipeend, swipe

Add shared convenience functions for swipe events so they can be more easily
shared.

A client receives an initial swipe event and can check some state to see if it
wants to handle the swipe event and if it doesn't, calling
`event.preventDefault();` will prevent `swipe` and `swipeend` events from firing
until another distinct swipestart event is fired. Swipe events will auto-cancel on multitouch.

The scroll lock has also exposed as its own utility class.
2023-10-16 11:27:00 -07:00
Joffrey JAFFEUX
d1ef6ab99f
FIX: do not serialize status when profile is hidden (#23946)
Users can decide to hide their profile and presence. It seems more correct to also not return the status in this case.

Co-authored-by: Penar Musaraj <pmusaraj@gmail.com>
2023-10-16 17:43:39 +02:00
Penar Musaraj
1400d4a8fd
Bump version to v3.2.0.beta3-dev 2023-10-16 11:20:22 -04:00
Penar Musaraj
be04154838
Bump version to v3.2.0.beta2 2023-10-16 11:20:20 -04:00
Penar Musaraj
13afad70a5
DEV: Lint admin-email-preview-test.js 2023-10-16 10:46:02 -04:00
Alan Guo Xiang Tan
cbbe3a808b
SECURITY: Add a default limit as to when logs should be truncated
Why this change?

This ensures that malicious requests cannot end up causing the logs to
quickly fill up. The default chosen is sufficient for most legitimate
requests to the Discourse application.

When truncation happens, parsing of logs in supported format like
lograge may break down.
2023-10-16 10:34:38 -04:00
Kelvin Tan
ee084b754e
SECURITY: Prevent unauthorized access to grouped poll results
This adds access controls for the `/polls/grouped_poll_results`
endpoint, such that only users with appropriate permissions can read
the grouped results of a given poll.
2023-10-16 10:34:37 -04:00
Alan Guo Xiang Tan
4cb7472376
SECURITY: Prevent arbitrary topic custom fields from being set
Why this change?

The `PostsController#create` action allows arbitrary topic custom fields
to be set by any user that can create a topic. Without any restrictions,
this opens us up to potential security issues where plugins may be using
topic custom fields in security sensitive areas.

What does this change do?

1. This change introduces the `register_editable_topic_custom_field` plugin
API which allows plugins to register topic custom fields that are
editable either by staff users only or all users. The registered
editable topic custom fields are stored in `DiscoursePluginRegistry` and
is called by a new method `Topic#editable_custom_fields` which is then
used in the `PostsController#create` controller action. When an unpermitted custom fields is present in the `meta_data` params,
a 400 response code is returned.

2. Removes all reference to `meta_data` on a topic as it is confusing
   since we actually mean topic custom fields instead.
2023-10-16 10:34:35 -04:00
David Taylor
0ed20fe1cd
SECURITY: Correctly escape 'text' email preview 2023-10-16 10:34:34 -04:00
Bianca Nenciu
76bdea5ce2
SECURITY: Hide user profiles from public
User profiles, including the summary, should be private to anonymous
users if hide_user_profiles_from_public is enabled.
2023-10-16 10:34:32 -04:00
Jan Cernik
6350ba2cb3
SECURITY: Add permissions to MessageBus in chat
Add spec

compact
2023-10-16 10:34:30 -04:00
chapoi
9d1726fe2b
UX: better align user count (#23941) 2023-10-16 13:28:35 +02:00
David Taylor
1884b57af3
FIX: Open invite modal correctly from topic share UI (#23940)
This regressed when the create-invite modal was converted to the new component-based API in 8a7b5b00ea
2023-10-16 12:26:18 +01:00
David Taylor
c8c38bea7e
DEV: Write execution file for test failures (#23879)
Followup to 3f8a85ed49
2023-10-16 11:12:13 +01:00
David Taylor
aa4a5add70
DEV: Add system specs for dismiss new on tag routes (#23936) 2023-10-16 10:51:59 +01:00
dependabot[bot]
20a765e3ca
Build(deps-dev): Bump rubocop from 1.57.0 to 1.57.1 (#23937)
Bumps [rubocop](https://github.com/rubocop/rubocop) from 1.57.0 to 1.57.1.
- [Release notes](https://github.com/rubocop/rubocop/releases)
- [Changelog](https://github.com/rubocop/rubocop/blob/master/CHANGELOG.md)
- [Commits](https://github.com/rubocop/rubocop/compare/v1.57.0...v1.57.1)

---
updated-dependencies:
- dependency-name: rubocop
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-16 11:24:12 +02:00
dependabot[bot]
b0f5e99026
Build(deps-dev): Bump bullet from 7.1.1 to 7.1.2 (#23938)
Bumps [bullet](https://github.com/flyerhzm/bullet) from 7.1.1 to 7.1.2.
- [Changelog](https://github.com/flyerhzm/bullet/blob/main/CHANGELOG.md)
- [Commits](https://github.com/flyerhzm/bullet/compare/7.1.1...7.1.2)

---
updated-dependencies:
- dependency-name: bullet
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-16 11:23:53 +02:00
dependabot[bot]
a21a6dbd4d
Build(deps-dev): Bump webpack in /app/assets/javascripts (#23939)
Bumps [webpack](https://github.com/webpack/webpack) from 5.88.2 to 5.89.0.
- [Release notes](https://github.com/webpack/webpack/releases)
- [Commits](https://github.com/webpack/webpack/compare/v5.88.2...v5.89.0)

---
updated-dependencies:
- dependency-name: webpack
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-16 11:23:00 +02:00
Renato Atilio
6c818b449a
FIX: add missing type to form template upload (#23935) 2023-10-15 11:17:11 -03:00
Penar Musaraj
1a70817962
DEV: Add UI for passkeys (3/3) (#23853)
Adds UI elements for registering a passkey and logging in with it. The feature is still in an early stage, interested parties that want to try it can use the `experimental_passkeys` site setting (via Rails console). 

See PR for more details. 
---------

Co-authored-by: Joffrey JAFFEUX <j.jaffeux@gmail.com>
2023-10-13 12:24:06 -04:00
Jarek Radosz
a5858e60e1
FIX: Transitioning to tag-intersection route (#23931)
…didn't correctly update location query params.

A followup to 1df3ccc903 (things broke after merging `main` to PR's branch)
2023-10-13 16:23:04 +01:00
David Taylor
b3df0a362b
DEV: Ensure current-post-changed is fired when switching between topics (#23930)
Previously this logic was only checking the post number. That meant that navigating between the first post of two topics would not trigger the event.

In the past, the event would be triggered anyway because the ScrollingPostStream would be destroyed/re-created when navigating between topics. But now that we use the 'loading slider' technique, the same component instance is re-used.

The motivation for this commit is to fix the 'DiscoToc' theme component, which relies on the event firing when navigating between topics.
2023-10-13 15:45:32 +01:00
Gerhard Schlager
ec8ae3fc65 DEV: Add GitHub Actions workflow for testing migrations
This workflow runs only for code underneath the `migrations/` directory. The usual test workflow is skipped for migrations because running frontend and backend tests is a waste of time and resources when only migrations are changed.
2023-10-13 16:03:55 +02:00
Gerhard Schlager
7644419976 DEV: Add codeowner for migrations related code
This allows automatic assignment of reviewers for migrations related code.
2023-10-13 16:03:55 +02:00
Gerhard Schlager
0907c0deb7 DEV: Update labeler for migration related code
This activates the `sync-labels` flag which causes the removal of labels when matching files are reverted or no longer changed by the PR.
2023-10-13 16:03:55 +02:00
Gerhard Schlager
e16537fa9f DEV: Add initial structure for migrations-tooling 2023-10-13 16:03:55 +02:00
chapoi
29beaff25b
FIX: revert (edited) layout in chat message (#23927)
* Revert "UX: place (edited) on same line (#23866)"

This reverts commit c1017a479b.

* Revert "UX: prevent (edited) and following from being copied (#23882)"

This reverts commit 563bff509a.
2023-10-13 13:01:56 +02:00
Joffrey JAFFEUX
b6d9aa5a4c
DEV: simplify reply to message smoke spec (#23928)
We now create threads on reply so the refresh check is not really necessary as there's nothing special about it anymore. We don't refresh every pages in other tests to check they still work.

Hopefully these changes will prevent few flakeys too.
2023-10-13 11:16:26 +02:00
Joffrey JAFFEUX
c1abf8b35c
UX: improves reminder setting text (#23918)
The setting will change from "%{count} days" to "Chat settings have been set to retain channel messages for %{count} day."

This commit also:
- migrates `chat-retention-reminder` to gjs
- adds a "type" property to `chat-retention-reminder-text` to allow use a long or short text depending on where it's used.
2023-10-13 07:55:47 +02:00
Blake Erickson
b607d81d50
DEV: Change video placeholder click target (#23925)
Have the click target be the entire placeholder instead of just the play
button.
2023-10-13 13:26:10 +10:00
Martin Brennan
9762e65758
FEATURE: Add Revise... option for queued post reviewable (#23454)
This commit adds a new Revise... action that can be taken
for queued post reviewables. This will open a modal where
the user can select a Reason from a preconfigured list
(or by choosing Other..., a custom reason) and provide feedback
to the user about their post.

The post will be rejected still, but a PM will also be sent to
the user so they have an opportunity to improve their post when
they resubmit it.
2023-10-13 11:28:31 +10:00
dependabot[bot]
5fe4e0ed48
Build(deps-dev): Bump sass in /app/assets/javascripts (#23921)
Bumps [sass](https://github.com/sass/dart-sass) from 1.69.2 to 1.69.3.
- [Release notes](https://github.com/sass/dart-sass/releases)
- [Changelog](https://github.com/sass/dart-sass/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sass/dart-sass/compare/1.69.2...1.69.3)

---
updated-dependencies:
- dependency-name: sass
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-13 03:22:53 +02:00
dependabot[bot]
2fa9620f77
Build(deps-dev): Bump qunit-dom in /app/assets/javascripts (#23920)
Bumps [qunit-dom](https://github.com/mainmatter/qunit-dom) from 2.0.0 to 3.0.0.
- [Release notes](https://github.com/mainmatter/qunit-dom/releases)
- [Commits](https://github.com/mainmatter/qunit-dom/compare/v2.0.0...v3.0.0)

---
updated-dependencies:
- dependency-name: qunit-dom
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-13 03:00:58 +02:00
Jarek Radosz
1df3ccc903
FIX: Pass category param on /tags/intersection (#23352) 2023-10-13 02:42:41 +02:00
dependabot[bot]
f33b60ba17
Build(deps-dev): Bump shoulda-matchers from 68f76ce to c17bac4 (#23923)
Bumps [shoulda-matchers](https://github.com/thoughtbot/shoulda-matchers) from `68f76ce` to `c17bac4`.
- [Release notes](https://github.com/thoughtbot/shoulda-matchers/releases)
- [Commits](68f76ce13e...c17bac468c)

---
updated-dependencies:
- dependency-name: shoulda-matchers
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-13 00:11:52 +02:00
dependabot[bot]
1fac13b405
Build(deps-dev): Bump the babel group (#23919)
Bumps the babel group in /app/assets/javascripts with 1 update: [@babel/core](https://github.com/babel/babel/tree/HEAD/packages/babel-core).

- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/@babel/core@7.23.2/packages/babel-core)

---
updated-dependencies:
- dependency-name: "@babel/core"
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: babel
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-13 00:08:07 +02:00
dependabot[bot]
67d98364a5
Build(deps): Bump sass-embedded from 1.69.2 to 1.69.3 (#23922)
Bumps [sass-embedded](https://github.com/ntkme/sass-embedded-host-ruby) from 1.69.2 to 1.69.3.
- [Commits](https://github.com/ntkme/sass-embedded-host-ruby/compare/v1.69.2...v1.69.3)

---
updated-dependencies:
- dependency-name: sass-embedded
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-13 00:07:20 +02:00
Joffrey JAFFEUX
b122e69ed3
DEV: flakey members list spec (#23917)
No repro but, it's possible that we were at the limit of triggering the scroll, this should ensure we correctly trigger the scroll more.
2023-10-12 22:32:03 +02:00
Sérgio Saquetim
526d2dc582
FEATURE: Allow searching users using a list of usernames (#23902) 2023-10-12 20:00:33 +00:00
Blake Erickson
2443446e62
DEV: Prevent videos from preloading metadata (#23807)
Preloading just metadata is not always respected by browsers, and
sometimes the whole video will be downloaded. This switches to using a
placeholder image for the video and only loads the video when the play
button is clicked.
2023-10-12 13:47:48 -06:00
Tobias Eigen
460e702887
improve desc of review every post admin setting (#23899)
Adds more information about what the "review every post" admin setting does. All new posts are sent to the review queue so they can be reviewed by moderators, but are still published.
2023-10-12 09:43:14 -07:00
Mark VanLandingham
55e4fd63be
DEV: add class to bookmark-list TD (#23914) 2023-10-12 11:27:00 -05:00
Jarek Radosz
90743f162a
DEV: Add a plugin outlet for conditional-loading-spinner (#23911) 2023-10-12 17:53:53 +02:00
Kris
76cbfcd60c
A11Y: move new account disclaimer above buttons (#23884) 2023-10-12 11:30:03 -04:00