Commit Graph

36892 Commits

Author SHA1 Message Date
Blake Erickson
6b20d52338 FIX: Staged users getting user_linked and user_quoted emails
This fix ensures that if a staged user is linked to or quoted they won't
be emailed about it.

A staged user could email into a category, and another user could quote
them inside of a completely different category and we don't want a
staged user to receive an email for this.

Bug report:

https://meta.discourse.org/t/-/145202/9
2020-03-31 21:00:56 -06:00
Jeff Wong
45296a8fe9 FIX: backport reviewable topic claim not being shown correctly 2020-03-30 15:23:16 -07:00
Jeff Wong
385c3fe789 FIX: claiming topics for the review queue 2020-03-30 15:16:47 -07:00
Jeff Wong
7817d8b2ff FEATURE: Unassign the review queue topic when a flag is handled 2020-03-25 14:17:08 -07:00
Bianca Nenciu
fe15082d44 SECURITY: Ensure user can see group and group members 2020-03-24 12:23:11 +02:00
Jeff Wong
0e553f1fd1 FIX: correctly remove authentication_data cookie on oauth login flow (#9238)
Additionally correctly handle cookie path for authentication_data

There were two bugs that exposed an interesting case where two discourse
instances hosted across two subfolder installs in the same domain
with oauth may clash and cause strange redirection on first login:

Log in to example.com/forum1. authentication_data cookie is set with path /
On the first redirection, the current authentication_data cookie is not unset.
Log in to example.com/forum2. In this case, the authentication_data cookie
is already set from forum1 - the initial page load will incorrectly redirect
the user to the redirect URL from the already-stored cookie, to /forum1.

This removes this issue by:
* Setting the cookie for the correct path, and not having it on root
* Correctly removing the cookie on first login
2020-03-23 16:01:39 -07:00
Jeff Wong
e0f711960b FIX: consistency to show mute/ignore menu in user profile
Show the mute/ignore menu for another user even when the current user
cannot message them.
2020-03-23 16:01:39 -07:00
Jeff Wong
111fa7e277 FEATURE: prevent accidental canceling when drafting penalties (#9129)
Pop up a confirmation box when there is input. This prevents accidental closing
of the dialog boxes due to clicking outside.

This adds a development hook on modals in the form of a `beforeClose`
function. Modal windows can abort the close if the funtion returns false.

Additionally fixing a few issues with loop and state on the modal popups:

Escape key with bootbox is keyup.
Updating modal to close on keyup as well so escape key is working.
Fixes an issue where pressing esc will loop immediately back to the modal by:
keydown -> bootbox -> keyup -> acts as "cancel", restores modal

Needs a next call to reopenModal otherwise, keyup is handled again by the modal.
Fixes an issue where pressing esc will loop immediately back to the confirm:
esc keyup will be handled and bubble immediately back to the modal.

Additionally, only handle key events when the #discourse-modal is visible.
This resolves issues where escape or enter events were being handled by
a hidden modal window.
2020-03-23 16:01:39 -07:00
David Taylor
4e178d5c0d
SECURITY: Respect topic permissions when loading draft metadata
Co-authored-by: Sam Saffron <sam.saffron@gmail.com>
2020-03-23 11:54:36 +00:00
David Taylor
0e3dfd2925
DEV: Load plugin stylesheets before theme stylesheets (#9240)
This is a more logical order, since themes are more lightweight than plugins, and are often used to augment plugin styles
2020-03-19 19:24:06 +00:00
Martin Brennan
4eb4293e66 FIX: Ensure show_short URLs handle secure uploads using multisite (#9212)
Meta report: https://meta.discourse.org/t/short-url-secure-uploads-s3/144224
* if the show_short route is hit for an upload that is
  secure, we redirect to the secure presigned URL. however
  this was not taking into account multisite so the db name
  was left off the path which broke the presigned URL
* we now use the correct url_for method if we know the
  upload (like in the show_short case) which takes into
  account multisite
2020-03-17 11:41:51 +10:00
Joffrey JAFFEUX
c4cd864c26 FIX: throttles topic tracking shortcut and enforces topic id (#9159) 2020-03-13 12:03:55 +01:00
Joffrey JAFFEUX
b4b0443d63 FIX: ensures pinned-options header is showing correct state (#9156) 2020-03-12 07:41:17 +01:00
Robin Ward
f8c31eb1e0 Let's not log the username/password
This could easily be seen by someone who shouldn't.
2020-03-11 12:54:19 -04:00
Sam Saffron
c738d31809
FIX: last ip address could point at wrong ip
Due to unicorn env object recycling request.ip could point at the wrong
ip address by the time defer block is called. This usually would happen
under load.

This also avoids keeping the entire request object as referenced by the
closure.
2020-03-11 17:43:44 +11:00
Neil Lalonde
ea73880146
Version bump to v2.4.1 2020-03-05 12:28:17 -05:00
Gerhard Schlager
766665a287
FIX: Restoring with disable_emails: false didn't work anymore 2020-03-05 11:47:35 -05:00
Martin Brennan
f0072dd897
FIX: Stop infinite lookup-urls issue for video/audio on page (#9096)
Meta report: https://meta.discourse.org/t/excessive-requests-to-uploads-lookup-urls-leading-to-429-response/143119

* The data-orig-src attribute was not being removed from cooked
video and audio so the composer was infinitely trying to get the
URLs for them, which would never resolve to anything
* Also the code that retrieved the short URL was unscoped, and was
getting everything on the page. if running from the composer we
now scope to the preview window
* Also fixed a minor issue where the element href for the video
and audio tags was not being set when the short URL was found
2020-03-05 11:47:14 -05:00
Joffrey JAFFEUX
d5ab4776cd
FIX: prevents click on sk header to bubble (#9084) 2020-03-05 11:46:55 -05:00
Gerhard Schlager
55a49d8494
FIX: Google Groups scraper failed to login 2020-03-05 11:46:36 -05:00
Sam Saffron
980d2ed052
PERF: improve performance of category topic list
In some cases CTE caused pathologically bad query plans.
This optimises it so query runs by itself and caches for lifetime
of the topic query object.

This lightweight caching is done cause topic query will often
execute two queries (one for pinned and one for non pinned)
2020-03-05 11:46:20 -05:00
Dan Ungureanu
5f88b86ac9
FIX: Sync preload key format for category topic lists
The server and client used two different formats for preload keys. The
server was using 'topic_list_c/SLUG/l/latest', but the client was using
'topic_list_c/SLUG/ID/l/latest'.

This commit is an addition to 374534f00e.
2020-03-05 11:46:02 -05:00
Dan Ungureanu
4bb966aae6
DEV: Fix build
Follow up to 60184a290c.
2020-03-05 11:45:45 -05:00
Joffrey JAFFEUX
2cc533e26e
FIX: prevents loading to show during debouncing (#9060)
This will also fix a bug in IE11 where click event would not be triggered on row
2020-03-05 11:45:19 -05:00
Joffrey JAFFEUX
751708ba0c
FIX: prevents row click event to be caught by filter input event (#9059)
This was causing some dropdowns to not work under IE11
2020-03-05 11:44:54 -05:00
David Taylor
b8e4b5f884
FIX: Polyfill Promise for IE11 (#9057)
Co-authored-by: Joffrey JAFFEUX <j.jaffeux@gmail.com>
2020-03-05 11:44:33 -05:00
Robin Ward
c7634d56f6 SECURITY: Add more restrictions on invite emails
They could be filtered and returned in some circumstances where they
shouldn't have been.
2020-03-05 09:55:54 -05:00
Robin Ward
20a8a2f396 SECURITY: Ensure the invite JSON API matches the UX
Anonymous users could query the invite json and see counts and
summaries which is not allowed in the UX of Discourse.

This commit has those endpoints return a 403 unless the user is
allowed to invite.
2020-03-05 09:55:45 -05:00
Joffrey JAFFEUX
2246fe8015 FIX: allows to select the action when agreeing with penalty (#9099)
Note this commit also fixes an issue where the edit post actions was trying to focus the edit textarea, but was using jquery functions on a DOM node.

scrollTo is not available on IE11 but that shouldn't cause much trouble.
2020-03-04 10:32:20 -05:00
Mark VanLandingham
737e8bdb2c FIX: Prettier on iframed-html component (#9062) 2020-02-27 11:57:18 -06:00
Mark VanLandingham
df70b9118e Merge pull request from GHSA-vw39-6w7q-gfx5
Co-authored-by: Robin Ward <robin.ward@gmail.com>
2020-02-27 11:57:10 -06:00
Neil Lalonde
76b9be3f19 Version bump to v2.4.0 2020-02-26 16:46:06 -05:00
Neil Lalonde
254d410d4e Merge branch 'master' into stable 2020-02-25 17:32:08 -05:00
Robin Ward
603c56f71c FIX: Lefthook was not excluding enough JS 2020-02-25 17:28:53 -05:00
Neil Lalonde
4d611dcaed Merge diffs from master 2020-02-25 17:23:37 -05:00
Neil Lalonde
52c10848bc Merge master 2020-02-25 17:21:37 -05:00
Joffrey JAFFEUX
baba1cc02e
FIX: ensures destroying a user with security keys doesn't fail (#9042) 2020-02-25 14:07:57 -05:00
David Taylor
96ac4fc072
FIX: Include .json suffix for email login route (#9041)
In IE11, the browser returns the cached HTML response, rather than the JSON formatted response. Adding the `.json` suffix ensures that the cache is not shared. Same root cause as b0211772
2020-02-25 18:01:33 +00:00
Neil Lalonde
b0675075f7 Update translations 2020-02-25 10:29:14 -05:00
Dan Ungureanu
514c22e64b
FIX: Make reviewable claiming work with deleted topics (#9040)
This fixes the case when the reviewed topic is deleted (for example, in
discourse-akismet).
2020-02-25 15:49:23 +02:00
Dan Ungureanu
5905930c32
FIX: Sync Ember and non-Ember layouts (#9028) 2020-02-25 15:31:04 +02:00
spirobel
41ee7cad0e
FIX plugin generator: mobile, desktop stylesheets registering (#9039)
After adding styles in the mobile scss they will also be applied to desktop without this change.

https://meta.discourse.org/t/registering-assets-for-mobile-and-desktop-making-site-responsive/65041/2
2020-02-25 11:43:17 +01:00
Joffrey JAFFEUX
a5c7f0c98d
UX: hides emoji picker from edit category tab topic template (#9036) 2020-02-25 00:49:41 +01:00
Joffrey JAFFEUX
e303b4d181
UX: hides local-date picker when used outside of main composer 2020-02-25 00:17:43 +01:00
Joffrey JAFFEUX
bd49368942
FIX: ensures topic count is correctly showing in box category badges (#9034) 2020-02-24 23:41:36 +01:00
Penar Musaraj
d6a603cc50
FIX: Translate none-tag and all-tags labels in tag filter (#9030)
* FIX: Translate none-tag and all-tags labels in tag filter
* Add test
2020-02-25 07:57:24 +11:00
dependabot-preview[bot]
709772ea52
Build(deps): Bump bootsnap from 1.4.5 to 1.4.6 (#9032)
Bumps [bootsnap](https://github.com/Shopify/bootsnap) from 1.4.5 to 1.4.6.
- [Release notes](https://github.com/Shopify/bootsnap/releases)
- [Changelog](https://github.com/Shopify/bootsnap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/Shopify/bootsnap/compare/v1.4.5...v1.4.6)

Simple low risk dependency, only used in dev
2020-02-25 07:54:24 +11:00
Justin DiRose
f35ee5e887
DEV: Improvements to SMF2 script (#9006) 2020-02-24 12:51:45 -06:00
dependabot-preview[bot]
fee7a4be8a
Build(deps-dev): Bump simplecov from 0.18.2 to 0.18.3 (#9025)
Bumps [simplecov](https://github.com/colszowka/simplecov) from 0.18.2 to 0.18.3.
- [Release notes](https://github.com/colszowka/simplecov/releases)
- [Changelog](https://github.com/colszowka/simplecov/blob/master/CHANGELOG.md)
- [Commits](https://github.com/colszowka/simplecov/compare/v0.18.2...v0.18.3)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
2020-02-24 13:32:38 -05:00
dependabot-preview[bot]
dedd37503e
Build(deps): Bump simplecov-html from 0.12.0 to 0.12.1 (#9024)
Bumps [simplecov-html](https://github.com/colszowka/simplecov-html) from 0.12.0 to 0.12.1.
- [Release notes](https://github.com/colszowka/simplecov-html/releases)
- [Changelog](https://github.com/colszowka/simplecov-html/blob/master/CHANGELOG.md)
- [Commits](https://github.com/colszowka/simplecov-html/compare/v0.12.0...v0.12.1)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
2020-02-24 13:31:52 -05:00