Commit Graph

190 Commits

Author SHA1 Message Date
Sam
f8ba5346c4 SECURITY: Remove email validation check bypass
- Increase size of email column to varchar(513)
 - Give error message on signup when email is too large

Overall impact: Low, allows signups from blocked domains. Main risk is increased spam.
2015-07-14 09:46:00 +10:00
Sam Saffron
32b17c628a SECURITY: Query @usernames in bulk
Otherwise you could add many requests at once while composing.
2015-06-11 13:12:01 -04:00
Sam Saffron
2c883833eb FEATURE: we need admin login always 2015-06-10 16:38:42 -04:00
Neil Lalonde
3e317b40da Merge master 2015-06-01 15:27:35 -04:00
Régis Hanol
cb025a65e0 FIX: make sure we also save the user_avatar.custom_upload_id 2015-05-29 10:21:41 +02:00
Régis Hanol
b7f8680618 fix build (:fired:) 2015-05-20 17:51:33 +02:00
Régis Hanol
8d967d9065 FEATURE: move all uploads to a single endpoint + defer upload creation in a background thread 2015-05-20 16:45:48 +02:00
Sam
8277a586bb usage of raise corrected 2015-05-07 11:00:51 +10:00
Sam
77cc087b13 FIX: proper error message when account created is hit with no session 2015-05-07 11:00:22 +10:00
Arpit Jalan
2932284293 FEATURE: magic login route for admin when SSO is enabled 2015-04-27 22:54:48 +05:30
Robin Ward
2459f52c71 Merge pull request #3375 from techAPJ/patch-2
FEATURE: invite existing users to private topic
2015-04-16 11:13:42 -04:00
Arpit Jalan
d491d4f997 FEATURE: invite existing users to private topic 2015-04-16 00:52:54 +05:30
Sam
34c3b2966c SECURITY: log off all existing sessions when resetting password 2015-04-15 09:05:18 +10:00
Sam
2a3f71a9a1 SECURITY: log off all existing sessions when resetting password 2015-04-15 08:57:43 +10:00
Sam
f5d89169e2 FEATURE: initial implemenation of anonymous posting mode 2015-04-07 18:05:31 +10:00
Régis Hanol
1ec73b5ba0 FIX: use 'request.remote_ip' instead of 'request.ip' for better consistency 2015-04-02 16:24:27 +02:00
Robin Ward
e3eaa7fa75 FIX: In long topics, filtering button was not always showing in card 2015-03-24 12:33:50 -04:00
Robin Ward
6d38005a22 Allow staff to change uneditable user fields 2015-03-20 15:18:43 -04:00
Robin Ward
7ef306cd3b A bunch of tweaks to the Users directory
- Move user directory from `/directory` to `/users/`
- Defaults to 'weekly' time period
- Don't include deleted topics/posts in the results
- Move heart icon to header instead of on each row
- "Users" instead of "Users found"
2015-03-19 12:29:38 -04:00
Neil Lalonde
608647d02f FEATURE: Anonymize User. A way to remove a user but keep their topics and posts. 2015-03-10 11:59:08 -04:00
Sam
f5af4768eb FEATURE: add clean support for running Discourse in a subfolder
To setup set DISCOURSE_RELATIVE_URL_ROOT to the folder you wish
2015-03-09 13:14:29 +11:00
Sam
130dbf7358 PERF: don't run stats query in user card 2015-02-24 13:31:23 +11:00
Robin Ward
8186d86f38 FIX: Enforce max length for custom user fields 2015-02-23 13:02:30 -05:00
Sam
17927b2e8b FIX: don't use flash cause we are not redirecting
(we should probably change that though)
2015-02-20 10:28:58 +11:00
Neil Lalonde
16bea87fd3 Merge master 2015-02-19 16:17:51 -05:00
Sam
3a0cd0b760 make custom fields a bit more permissive input wise 2015-02-06 09:03:23 +11:00
Sam
ea7af7a83b Merge pull request #3135 from longhotsummer/fix-no-user-params
FIX: creating a user shouldn't error when optional fields aren't given
2015-01-30 10:12:57 +11:00
Régis Hanol
cd2c9edb46 FIX: 🐛 upload on IE9 wasn't working :'(
- FIX: make sure we set a default name to a pasted image only on Chrome (the only browser that supports it)
- FIX: use ".json" extension to uploads endpoints since IE9 doesn't pass the correct header
- FIX: pass the CSRF token in a query parameter since IE9 doesn't pass it in the headers
- FIX: display error messages comming from the server when there is one over the default error message
- FIX: HACK around IE9 security issue when clicking a file input via JavaScript (use a label and set `visibility:hidden` on the input)
- FIX: hide the "cancel" upload on IE9 since it's not supported
- FIX: return "text/plain" content-type when uploading a file for IE9 in order to prevent it from displaying the save dialog
- FIX: check the maximum file size on the server 💥
- update jQuery File Upload Plugin to v. 5.42.2
- update JQuery IFram Transport Plugin to v. 1.8.5
- update jQuery UI Widget to v. 1.11.1
2015-01-28 19:43:20 +01:00
Greg Kempe
d99ccf6d27 FIX: creating a user shouldn't error when optional fields aren't provided
This fixes a bug where the server would 500 if the only user fields
where optional ones, and the create_user call didn't provide any
values so that params[:user_fields] was nil.

Additionally, don't bother double-checked for required fields, since we
iterate over all fields and will catch any that are required and blank.
2015-01-27 11:48:27 +02:00
riking
1ab0d6bd82 FEATURE: Log username changes by staff
Also fix the tests for changing username
2015-01-17 02:26:12 -08:00
Robin Ward
987504c6ab Rename no_js layout to no_ember
While *sometimes* `no_js` was used for visitors without js (for example
disabling it on your browser) it was also used for some pages that were
disabled to JS capable browsers, including the 404 page.

Even worse, sometimes it was used on pages that *had* Javascript, such
as our `/activate-account` route. It has been renamed to `no_ember` to
indicate what it really is, a layout for the site that doesn't load our
Ember.js application.
2015-01-15 15:56:53 -05:00
Régis Hanol
e20078a9dc PERF: fix performance issue when displaying the user card for admins 2015-01-05 19:49:32 +01:00
Blake Erickson
02ade72ceb Update username should return a json response
- Have update username return json response that contains the updated
  username and id. I figured this would be better than just return "OK".
- Add test to verify that the new username is returned.
2014-12-10 09:43:16 -07:00
Blake Erickson
e9e88c9b82 Remove legacy avatar code
- Remove method that was only left around because the
  [api](https://github.com/discourse/discourse_api/pull/53) called it
- Modify test to use new route instead of legacy route

https://meta.discourse.org/t/legacy-route-for-avatars/22838/2
2014-12-07 06:13:14 -07:00
Blake Erickson
a61519eebf Have pick_avatar return json.
I'm working on writing a test in the discourse_api gem for uploading
avatars and the pick method needs to return a json response.

I also added a test to make sure json is returned.
2014-12-06 09:26:32 -07:00
Régis Hanol
07211489f0 FIX: hide restricted profile info from TL0 users to anonymous in 'JS-off' page 2014-11-27 19:51:13 +01:00
Neil Lalonde
6e0152ab94 Version bump to v1.1.1 2014-11-18 15:57:50 -05:00
Régis Hanol
7641d88224 FEATURE: new 'maximum new user accounts per registration IP' site setting 2014-11-17 12:04:29 +01:00
Neil Lalonde
361aca1156 merge master 2014-11-06 15:26:38 -05:00
Robin Ward
c9eb809dad FIX: The text to users who signed up when approval was required was
misleading.
2014-11-04 15:48:03 -05:00
Régis Hanol
865194f409 FIX: cannot show email for pending/inactive users 2014-10-29 01:07:27 +01:00
Robin Ward
71f211f0b3 FEATURE: Allow users to select a badge with an image to appear on their
user card
2014-10-20 16:35:38 -04:00
Robin Ward
1cf4a0d604 Rename "User Expansion" to the much clearer "User Card" 2014-10-20 12:11:59 -04:00
Régis Hanol
10094a0bcd FIX: resolve flags as good when deleting a spam user 2014-10-20 16:59:06 +02:00
Robin Ward
4d465362b5 FEATURE: Allow a user to upload an image for their expansion background. 2014-10-16 15:05:36 -04:00
Robin Ward
f9a8f6d6ce FEATURE: Support for a required setting on user fields. 2014-10-08 15:10:19 -04:00
Sam
0e7be81e60 FIX: badge granted titles were not being revoked when badge was revoked 2014-10-08 10:26:18 +11:00
Robin Ward
381814fd5d Adds support for a description to user fields. 2014-10-02 15:56:52 -04:00
Arpit Jalan
41af2d79b5 add user email on account created page 2014-10-02 12:43:44 +05:30
Robin Ward
be93f224a6 Revert "add user email on account created page"
This reverts commit 164fc1108a.
2014-10-01 10:30:26 -04:00