Commit Graph

6539 Commits

Author SHA1 Message Date
Neil Lalonde
3e73c0a34d Version bump to v2.3.4 2019-10-01 17:43:25 -04:00
Penar Musaraj
6e04120e71 SECURITY: XSS when oneboxing user profile location field
The XSS here is only possible if CSP is disabled. Low impact since CSP is enabled by default in SiteSettings.
2019-09-17 16:36:53 -04:00
Régis Hanol
39a427efce DEV: plugin API to register User custom field types 2019-09-06 12:16:59 +02:00
Neil Lalonde
046b6300d1 Version bump to v2.3.3 2019-09-04 10:44:22 -04:00
Roman Rizzi
52fdc1468d Feature/Fix: Flagged posts user notifications (#8041)
* FIX: User should get notified when a post is deleted

* FEATURE: Notify posters when restoring flagged posts

* Fix typo

Co-Authored-By: Régis Hanol <regis@hanol.fr>

* Improve tests
2019-09-02 15:22:03 -03:00
Sam Saffron
a3d42e2c52 FIX: add_to_serializer not correctly accounting for inheritance chains
This is a very long standing bug we had, if a plugin attempted to amend a
serializer core was not "correcting" the situation for all descendant classes
this often only showed up in production cause production eager loads serializers
prior to plugins amending them.

This is a critical fix for various plugins
2019-08-27 18:23:32 +10:00
Gerhard Schlager
ab3e18090f FIX: Disallow user self-delete when user posted in PMs
All posts created by the user are counted unless they are deleted,
belong to a PM sent between a non-human user and the user or belong
to a PM created by the user which doesn't have any other recipients.

It also makes the guardian prevent self-deletes when SSO is enabled.
2019-08-10 12:06:40 +02:00
David Taylor
e9c0fb0621 SECURITY: Sanitize email id for use as mutex key 2019-07-24 13:51:08 +01:00
David Taylor
9cfe3f9948 SECURITY: Add confirmation screen when connecting associated accounts 2019-07-24 13:29:59 +01:00
Neil Lalonde
af192ff9d5 Version bump to v2.3.2 2019-07-15 10:00:45 -04:00
Robin Ward
fe8bd92f71 SECURITY: SQL injection with default categories
This is a low severity security fix because it requires a logged in
admin user to update a site setting via the API directly to an invalid
value.

The fix adds validation for the affected site settings, as well as a
secondary fix to prevent injection in the event of bad data somehow
already exists.
2019-07-11 13:53:12 -04:00
Neil Lalonde
2c26998f86 Version bump to v2.3.1 2019-06-25 12:26:20 -04:00
Neil Lalonde
0bcb62fc2d Version bump to v2.3.0 2019-06-17 20:47:22 -04:00
Neil Lalonde
04be572a92 Merge diffs from master 2019-06-17 20:07:19 -04:00
Neil Lalonde
a4308fdd43 Merge master 2019-06-17 20:04:04 -04:00
Penar Musaraj
4bbb43cb2b DEV: pull plugin repos before linting them 2019-06-14 13:50:15 -04:00
Sam Saffron
ecb2fd8222 DEV: improve db:create to catch all cases
- No RAILS_ENV - create multisite / dev / test
- `test` RAILS_ENV - create multisite / test
2019-06-14 15:47:05 +10:00
Sam Saffron
a01488ae67 DEV: improve on rake db:create
Followup on 3af00a65 which broke build
2019-06-14 15:06:07 +10:00
Sam Saffron
3af00a65e6 FIX: site settings loading default values when no db
This fixes a condition where an intermittent db connection could cause
invalid site settings to be stored

It also removes a catch all we had.

Somewhere around Rails 5 `db:create` started wanting full environment
this is a problem for Discourse since it needs to boot up data from the
db.

This removes the catch all and surgically adds a db / redis bypass to
db:create task.
2019-06-14 14:21:07 +10:00
Guo Xiang Tan
eaa7527933 DEV: Switch posts:inline_uploads scope to be more generic. 2019-06-14 11:53:34 +08:00
Penar Musaraj
4182d8638c Remove duplicate entry for discourse-yearly-review 2019-06-13 13:56:38 -04:00
Vinoth Kannan
35d6fff69e PERF: use url instead of file key in temporary inventory table. 2019-06-13 22:03:58 +05:30
David Taylor
ed21128ee6 FIX: Do not change directory when decompressing S3 inventory
In sidekiq, jobs are run in multiple threads within the same process. `cd` affects the entire process, so can cause unexpected issues in other running jobs.
2019-06-13 17:13:50 +01:00
Penar Musaraj
66b15b9d87 DEV: support installing plugin gems in test images
- adds plugin:install_all_gems rake task

- adds UPDATE_ALL_PLUGINS env variable in docker:test
2019-06-13 09:58:57 -04:00
Guo Xiang Tan
9bce3d5e65 DEV: Multisite support for rake posts:inline_uploads. 2019-06-13 16:13:45 +08:00
Sam Saffron
215216df48 FIX: stop re-downloading backup maxmind
We omitted updating the mmdb_time which changed causing a constant
re-download of the maxmind db
2019-06-13 17:42:26 +10:00
Sam
fa2a5f6f56
FEATURE: SKIP_DB_AND_REDIS env var (#7756)
Sometimes we would like to create a base image without any DB access, this
assists in creating custom base images with custom plugins that already
includes `public/assets`

Following this change set you can run:

```
SPROCKETS_CONCURRENT=1 DONT_PRECOMPILE_CSS=1 SKIP_DB_AND_REDIS=1 RAILS_ENV=production bin/rake assets:precompile
```

Then it is straight forward to create a base image without needing a DB or
Redis.
2019-06-13 12:58:27 +10:00
Penar Musaraj
e47ca6633b DEV: Fix plugin:update_all task
Reenable subtask so it loops through all plugins.

Only run for plugins that are git repositories.
2019-06-12 17:21:56 -04:00
Guo Xiang Tan
d49c193289 FIX: posts:inline_uploads rake task needs to bypass bump. 2019-06-12 09:13:31 +08:00
Bianca Nenciu
934adb14d2
FIX: On tag change notify only users watching the tag. (#7707) 2019-06-11 18:06:54 +03:00
Guo Xiang Tan
864222372f Remove incorrectly committed byebug.
Follow up to 49b921147a.
2019-06-11 16:33:49 +08:00
Guo Xiang Tan
49b921147a FIX: Undefined method in posts:inline_uploads. 2019-06-11 16:28:41 +08:00
Guo Xiang Tan
40e67971f9 DEV: Add spec for Email::Sender for upload links in plain text emails. 2019-06-11 16:02:24 +08:00
Guo Xiang Tan
42ab016856 FIX: Use markdown for images and attachments in Email::Receiver. 2019-06-11 14:49:46 +08:00
Dan Ungureanu
a046f6ced5 FEATURE: Trigger Discourse events from authenticators. (#7724) 2019-06-11 11:28:42 +10:00
Guo Xiang Tan
06d974d55c FEATURE: Add base62 sha1 to cooked data attribute
* FEATURE: Add base62 sha1 to data attribute in `Post#cooked`.

* FIX: Use `Upload#short_url` when quoting an image.
2019-06-11 11:15:45 +10:00
Neil Lalonde
62345a7f8d Version bump to v2.3.0.beta11 2019-06-10 13:09:47 -04:00
Neil Lalonde
809a544786 Version bump to v2.2.6 2019-06-10 11:47:21 -04:00
Guo Xiang Tan
1cf3bf016c Make rubocop happy. 2019-06-10 09:49:02 +08:00
Guo Xiang Tan
29259b46ae DEV: Verbose mode for posts:inline_uploads rake task. 2019-06-10 08:59:11 +08:00
Vinoth Kannan
d74ee9dbce DEV: skip S3 inventory records without correct multisite prefix. 2019-06-08 18:36:06 +05:30
Sam Saffron
1d76b7b7b5 PERF: fix N+A+lot query
reviewable_counts could be `{}` which is technically blank.

We wanted to check for nil here
2019-06-08 12:30:21 +10:00
Gerhard Schlager
19edc4abb8 FIX: English locale must not fall back to any other locale 2019-06-07 21:53:01 +02:00
Neil Lalonde
a08b2589d4 FIX: removing hidden tag bumps topic when all tags are removed
JS sends empty string to remove all tags.
2019-06-07 14:25:46 -04:00
Joffrey JAFFEUX
8cd13b22a1
DEV: allows smoke test to run on macOS (#7735) 2019-06-07 18:20:48 +02:00
David Taylor
e3a9a2d2dd FIX: Avoid infinite loop if disk space is low
We now continue to enqueue the pull_hotlinked_images job for optimized images, even if disk space is low
2019-06-07 14:24:22 +01:00
David Taylor
65b0cafc03 FIX: Always schedule pull_hotlinked_images in cooked_post_processor
The job is now used to pull optimized images, and images from other sites on the same CDN. This needs to run even if download_remote_images is false
2019-06-07 13:08:23 +01:00
Sam Saffron
f88dced0b7 PERF: optimize lookup of reviewable info in post stream
This previously was a hot path in topic view. Avoids an expensive active
record operation and instead perform SQL directly which is far more
targeted and efficient
2019-06-07 18:12:30 +10:00
Dan Ungureanu
8bd815dab2 FIX: Permit new tags when allow_global_tags true. (#7722) 2019-06-07 15:45:16 +10:00
Régis Hanol
b1c5ea4289 FIX: use URI.regexp to find URLs in plain text 2019-06-07 01:26:06 +02:00