David Taylor
ff4a6a37de
SECURITY: Correct permission check when revoking user API keys
2019-12-17 11:07:36 +00:00
Dan Ungureanu
554b0f366d
SECURITY: Ensure only image uploads can be inlined
This prevents malicious files (for example specially crafted XMLs) from being
used in XSS attacks.
2019-12-11 17:08:58 +02:00
Joffrey JAFFEUX
5cb00d5528
DEV: s/$redis/Discourse.redis
With manual merge conflicts
2019-12-03 14:26:57 +01:00
Sam Saffron
14db879a31
DEV: Implement a faster Discourse.cache
This is a bottom-up rewrite of the Discourse cache to support faster performance
and a limited surface area.
ActiveSupport::Cache::Store accepts many options we do not use; this partial
implementation only picks out the bits that we do use and want to support.
Additionally, params are named, which avoids typos such as "expires_at" vs "expires_in".
This also moves a few spots in Discourse to use Discourse.cache over setex.
Performance of setex and Discourse.cache.write is similar.
2019-12-03 14:03:30 +01:00
Sam Saffron
ef791a5b1f
DEV: use Discourse.cache over Rails.cache
With manual merge
2019-12-03 14:03:21 +01:00
David Taylor
914e50db49
DEV: Update users controller spec following user_search update
2019-11-06 17:32:10 +00:00
Roman Rizzi
fd1a2a4c07
FIX: Improve protection against problematic usernames (#8097)
2019-09-13 15:52:05 -03:00
David Taylor
f80f8a34c0
SECURITY: Reset password when activating an account via auth provider
Followup to d693b4e35fe0e58c5578eae4a56c06dff4756ba2
2019-08-28 14:08:55 +01:00
Arpit Jalan
aea541d037
SECURITY: don't reveal category details to users that do not have access
2019-08-19 12:51:15 +05:30
Sam Saffron
c587df7e2a
Revert "FEATURE: add Noindex to robots.txt for disallowed routes"
This reverts commit d84256a876.
This is not supported by Google and causes robots.txt to be flagged as
invalid.
Removing Noindex.
2019-07-30 11:37:00 +10:00
David Taylor
c4ff66e1a5
DEV: Correct merge conflicts for 9cfe3f99
2019-07-24 13:31:16 +01:00
David Taylor
9cfe3f9948
SECURITY: Add confirmation screen when connecting associated accounts
2019-07-24 13:29:59 +01:00
Gerhard Schlager
90a1aa5536
SECURITY: Validate backup chunk identifier
2019-07-22 08:44:38 +02:00
David Taylor
e6e47f2fb2
SECURITY: Add confirmation screen when logging in via user-api OTP
2019-06-17 16:18:44 +01:00
David Taylor
52387be4a4
SECURITY: Add confirmation screen when logging in via email link
2019-06-17 16:18:37 +01:00
David Taylor
5f6f707080
Revert "Merge pull request from GHSA-hv9p-jfm4-gpr9"
This reverts commit b8340c6c8e.
2019-06-17 16:17:10 +01:00
David Taylor
b8340c6c8e
Merge pull request from GHSA-hv9p-jfm4-gpr9
* SECURITY: Add confirmation screen when logging in via email link
* SECURITY: Add confirmation screen when logging in via user-api OTP
* FIX: Correct translation key in session controller specs
* FIX: Use .email-login class for page
2019-06-17 15:59:41 +01:00
Arpit Jalan
863d8014d0
FIX: respond with 400 error on invalid redirect param
2019-06-17 16:44:30 +05:30
Sam Saffron
704c579550
FIX: do not allow unbound membership lookups
Previously we would allow looking up membership limits in an unbound way
via the API; this introduces an upper limit of 1000 per page.
2019-06-17 15:32:06 +10:00
Arpit Jalan
7b66f8fb46
DEV: optimize bulk invite process
2019-06-12 16:33:19 +05:30
Sam Saffron
89c4332ac1
DEV: correct spec making bad assumptions
bio_cooked is not meant to be touched directly; on save we "cook" the raw
bio.
2019-06-12 16:31:50 +10:00
Arpit Jalan
e2636f0ec7
FIX: handle array in redirect param
2019-06-11 17:49:09 +05:30
Sam Saffron
7b17eb06da
FEATURE: ban any SSO attempts with invalid external id
We now treat any external_id of blank string (" " or " " or "", etc.) or an
invalid word (none, nil, blank, null) - case insensitive - as invalid.
In this case the client will see "please contact admin"; the logs will explain
the reason clearly.
2019-06-11 10:04:26 +10:00
Gerhard Schlager
bae7b75e23
FIX: Updating a user profile as admin shouldn't change the user's locale
2019-06-07 17:53:46 +02:00
Penar Musaraj
f00275ded3
FEATURE: Support private attachments when using S3 storage (#7677)
* Support private uploads in S3
* Use localStore for local avatars
* Add job to update private upload ACL on S3
* Test multisite paths
* update ACL for private uploads in migrate_to_s3 task
2019-06-06 13:27:24 +10:00
Bianca Nenciu
e0c821ebb0
FEATURE: Make staff action logs page support infinite loading
2019-06-06 13:02:53 +10:00
Roman Rizzi
c3a38d2304
DEV: Make groups/new extensible by plugins (#7642)
* Expose a new plugin outlet. Pass group model to the group-member-dropdown so it can be accessed by plugins
* Added controller tests for group custom fields. update custom fields when updating a group
2019-06-06 12:05:33 +10:00
Robin Ward
f1d547c301
FEATURE: Show "in reply to" on the review queue
We now show if a queued or flagged post is a reply to another when in
the review queue. It's especially helpful for queued posts, where
normally they are linked to the topic where they are created and you
have no context about the reply.
Note that this will only apply to new queued posts going forward.
Previously queued posts will not show the "in reply to".
2019-06-05 12:34:41 -04:00
Sam Saffron
78509eacb7
DEV: lint file
followup to 9779307e
2019-06-05 11:32:47 +10:00
Maja Komel
9779307efc
DEV: simpler spec for wayback machine crawler layout (#7696)
follow-up on 42809f4d
2019-06-05 11:24:52 +10:00
Régis Hanol
33bc8c276d
FIX: default top timeframe was overriding best_periods_for
2019-06-04 10:57:50 +02:00
Maja Komel
7da875f52a
FIX: trigger user_updated webhook when avatar changes
2019-06-04 16:46:46 +08:00
Maja Komel
42809f4d69
FIX: use crawler layout when saving url in Wayback Machine (#7667)
2019-06-03 12:13:32 +10:00
Sam Saffron
f415712269
DEV: avoid double sign-in which can lead to flaky tests
We should not be signing in twice in tests; it is both wasteful and risky.
2019-06-03 10:15:49 +10:00
Robin Ward
2e0a40007b
FIX: Category topics should not be deletable via review queue
2019-05-30 16:43:23 -04:00
romanrizzi
e7ee556e87
Support multi-group user search
2019-05-30 08:45:20 +08:00
Sam Saffron
b114bcd294
DEV: switch message bus backend to memory for tests
This backend is a bit faster and well tested; this is part of a longer-term
plan to have a `backend: :memory, threaded: false` type config for
message bus which we can use in test.
The threading in message bus causes all sorts of surprises in test; it will
be nice not to be beholden to them.
2019-05-29 16:34:55 +10:00
Guo Xiang Tan
f0620e7118
FEATURE: Support [description|attachment](upload://<short-sha>) in MD take 2.
Previous attempt was missing `post_uploads` records.
2019-05-29 09:26:32 +08:00
Penar Musaraj
7c9fb95c15
Temporarily revert "FEATURE: Support [description|attachment](upload://<short-sha>) in MD. (#7603)"
This reverts commit b1d3c678ca.
We need to make sure post_upload records are correctly stored.
2019-05-28 16:37:01 -04:00
Guo Xiang Tan
b1d3c678ca
FEATURE: Support [description|attachment](upload://<short-sha>) in MD. (#7603)
2019-05-28 11:18:21 -04:00
Bianca Nenciu
07b80d491b
FIX: Refresh automatic groups after inviting moderators.
2019-05-28 17:19:34 +08:00
Robin Ward
d95a68b837
FEATURE: When suspending a user, allow the Delete + Replies action
Previously you could only delete the post
2019-05-27 12:27:16 -04:00
Robin Ward
89b84651c3
Migrate score settings to use sensitivities
We hide scores so these settings no longer made sense.
2019-05-24 15:44:24 -04:00
Gerhard Schlager
f4a471f0eb
FIX: Correctly cache hash of extra translations
2019-05-24 11:38:26 +02:00
Gerhard Schlager
c1e9a70d59
FIX: Fallback locale was not available for extra translations
Translations from fallback locales were not sent to the client
for admin_js and wizard_js.
2019-05-24 11:38:26 +02:00
Robin Ward
e74cd54fc6
REFACTOR: Replace score bonuses with low/med/high priorities
We removed score from the UX so it makes more sense to have sites set
priorities instead of score bonuses.
2019-05-23 11:54:45 -04:00
Gerhard Schlager
58f72cd439
Remove duplicate translations
2019-05-22 16:15:22 +02:00
Sam Saffron
307c526840
DEV: correct test that assumed group 123 did not exist
This is an incorrect assumption leading to a flaky test, cause for all we
know, since sequences do not reset every test, group 123 could exist.
2019-05-21 12:57:14 +10:00
Gerhard Schlager
b788948985
FEATURE: English locale with international date formats
Makes en_US the new default locale
2019-05-20 13:47:20 +02:00
Guo Xiang Tan
148bfc9be5
DEV: Simplify client and server side code to support removing tags.
Follow up to 834c86678f.
2019-05-17 16:39:20 +08:00