Commit Graph

191 Commits

Author SHA1 Message Date
Sam
b97d186cb5 automatic groups should not allow you to muck with the listed users in the group 2013-06-17 12:54:25 +10:00
Sam
e6e81efe85 correct information leak in page not found 2013-06-13 10:27:17 +10:00
Robin Ward
5217602ec3 FIX: RSS paths render a 404 for missing topics. 2013-06-07 12:52:12 -04:00
Neil Lalonde
62041da7e0 Handle /t/only-the-slug urls by trying to find the topic by slug (second try) 2013-06-06 14:41:37 -04:00
Ian Christian Myers
0d01c33482 Enabled strong_parameters across all models/controllers.
All models are now using ActiveModel::ForbiddenAttributesProtection, which shifts the responsibility for parameter whitelisting for mass-assignments from the model to the controller. attr_accessible has been disabled and removed as this functionality replaces that.

The require_parameters method in the ApplicationController has been removed in favor of strong_parameters' #require method.

It is important to note that there is still some refactoring required to get all parameters to pass through #require and #permit so that we can guarantee that parameter values are scalar. Currently strong_parameters, in most cases, is only being utilized to require parameters and to whitelist the few places that do mass-assignments.
2013-06-06 00:30:59 -07:00
Chris Hunt
92a4828f72 Redirect all controllers to login if required
We want to skip the filter for sessions controller so that we can login
and we want to skip the filter for static pages because those should be
visible to visitors.
2013-06-04 16:10:10 -07:00
Robin Ward
02b1f78410 FIX: Include preloaded data even if the request type isn't explicitly text/html 2013-06-04 12:56:12 -04:00
Neil Lalonde
42714b424f For 403 errors, show the same html page as 404 2013-05-30 16:39:39 -04:00
Sam
e93b7a3b20 more progress towards live unread and new counts, unread message implemented, still to implement delete messages 2013-05-30 16:49:57 +10:00
Robin Ward
830b93a16b Reduced complexity of admin flags controller, split up into methods, moved reports into model. 2013-05-29 16:49:34 -04:00
Robin Ward
0f296cd42b Refactor + Fix: Wasn't correctly loading activity streams. Code is a lot more Ember-y now. 2013-05-22 12:06:37 -04:00
Sam
fc57578c85 proper 404 for json request 404 2013-05-20 17:28:32 +10:00
Sam
80fb20816c get rid of nonsense 404.html
correct 404 handling for invalid pages
2013-05-20 10:29:49 +10:00
Sam
b6bf95e741 speed up startup (avoid loading some gems on startup)
correct group permission leaks
add Discourse.cache for richer caching support
2013-05-13 18:04:03 +10:00
Sam
cef9a74053 route for markdown /md/topic_id/post_number 2013-04-30 16:30:41 +10:00
Régis Hanol
017ee7c2da FIX: [security bug] XHR check bypass 2013-04-30 02:34:19 +02:00
Sam
f9e33ec6b8 store ip address and current user with incoming links
make links long an readable in share dialog
2013-04-26 16:18:55 +10:00
Sam
37867af1bb track incoming links, amend share link to include user
fix pm styling
2013-04-24 18:05:35 +10:00
Sam
6974ad487c fix not found error when spiders were hitting with .php 2013-04-18 09:55:47 +10:00
Sam
0f362c5474 this has been bugging me for ages, broken "fill your profile link" fixed AND bio updates when you save 2013-04-12 10:07:58 +10:00
Sam
850b042cab introduce rack:cache as a default, so users don't need to configure apache or nginx
under rack cache we are able to serve 620reqs a second per thin (on my machine) before it 12 (on my machine)

reorganised so mini profilers can be cleanly disabled from config file

added caching for categories index

move production.rb to production.sample.rb
2013-04-11 16:24:21 +10:00
Régis Hanol
41b7f741d0 extract hard-coded strings 2013-04-07 18:14:50 +02:00
Sam
c57ec611e1 basic api support 2013-03-25 18:04:46 -07:00
Sam
deb603f41c Merge pull request #547 from kid0m4n/convert-ruby-1-9-syntax
Convert a lot of :a => b to a: b and bring peace to the world
2013-03-24 16:43:17 -07:00
Karan Misra
5dfb04e4b3 Convert a lot of :a => b to a: b and bring peace to the world 2013-03-25 05:07:36 +05:30
Régis Hanol
0da8f35659 [fixes #391] exception when wrong resource type in URL 2013-03-24 22:25:24 +01:00
Régis Hanol
239cbd2d58 enforce coding convention
replaced every `and` by `&&` and every `or` by `||`
2013-03-05 01:42:44 +01:00
Robin Ward
d2596c3c4c Remove unusued site_settings, show checkbox in UI for boolean values, remove restrict_access
boolean to avoid locking yourself out by setting access_password to empty string. Minor
UI tweaks.
2013-03-01 14:27:41 -05:00
Robin Ward
628927a79f Added Site Setting to change locale. 2013-02-28 14:34:38 -05:00
Gosha Arinich
cafc75b238 remove trailing whitespaces ❤️ 2013-02-26 07:31:35 +03:00
Sam Saffron
b66db4153d refactor and organise current_user better 2013-02-24 21:42:04 +11:00
tms
3e6641c07e Unsign auth token cookies per discussion on #215 2013-02-23 13:40:21 -05:00
tms
5616fdc475 Sign the auth token cookie and make it httpOnly 2013-02-20 17:24:19 -05:00
xdite
cab4d95eaf use canonical-url plugin to make view more clean 2013-02-13 19:04:43 +08:00
Robin Ward
57049b55a2 Little things:
- Retries on deadlock when calculating average time
- Removes Warning: When specifying html format for errors
- Doesn't use manual SQL to update user's ip address
2013-02-11 15:47:28 -05:00
Robin Ward
6ce32b8bc4 Trivial: Was not finding files in public for errors due to missing extensions. 2013-02-11 14:39:26 -05:00
Sam Saffron
80929ead4b security hole fixed 2013-02-11 17:28:21 +11:00
Jakub Arnold
61654ab8f0 Fix all the trailing whitespace 2013-02-07 16:45:24 +01:00
Robin Ward
6043a370ad Oops, that should be 1.minute 2013-02-06 12:07:22 -05:00
Robin Ward
8d568b05c4 Don't enable Cache-Control if the site has restricted access. 2013-02-06 11:55:54 -05:00
Robin Ward
21b5628528 Initial release of Discourse 2013-02-05 14:16:51 -05:00