Commit Graph

53939 Commits

Author SHA1 Message Date
OsamaSayegh
8470546f59
SECURITY: Don't allow suspending staff users via other_user_ids param 2024-07-03 20:12:25 +08:00
Alan Guo Xiang Tan
6ce5673d2c
SECURITY: Avoid the use of Object#send in Onebox::Engine::StandardEmbed
Use `Object#public_send` instead which is much safer
2024-07-03 20:12:21 +08:00
Jan Cernik
26aef0c288
SECURITY: Fix Stored-dom XSS via Facebook Oneboxes 2024-07-03 20:12:18 +08:00
Blake Erickson
8d5b21170e
SECURITY: Update reviewable user serializer payload
Exclude email from reviewable user serializer based on user scope.
2024-07-03 20:12:14 +08:00
Ted Johansson
5b8cf11b69
SECURITY: Add FastImage SSRF safe freedom patch 2024-07-03 20:12:09 +08:00
Amanda Alves Branquinho
63c90e8c59
PERF: eager load field changes (#27675)
Fix N+1 issue for javascript_cache
stable backport for #27626
2024-07-02 12:43:08 -07:00
Discourse Translator Bot
ee53f42c2c
Update translations (#27644) 2024-07-02 16:42:48 +02:00
Discourse Translator Bot
30c877f397
Update translations (#27605) 2024-06-25 15:40:13 +02:00
Discourse Translator Bot
d0c2a91640
Update translations (#27512) 2024-06-18 15:39:36 +02:00
Jarek Radosz
1ba06b5444
DEV: Run flake check only on discourse/discourse (#27350) (#27415)
script/get_github_workflow_run_job_id.rb would fail on forks anyway
2024-06-11 17:30:34 +02:00
Discourse Translator Bot
3086f97971
Update translations (#27418) 2024-06-11 17:20:44 +02:00
Natalie Tay
a721e8fa48
DEV: Also fetch user when granting admin (#27384) 2024-06-07 16:45:35 +08:00
Discourse Translator Bot
db6eb2dd3e
Update translations (#27322) 2024-06-04 21:44:09 +02:00
Jarek Radosz
5e5234bb69
DEV: Fix the order of operations in themes-frontend (#27319)
Previously "themes frontend" CI job would:

1. pull compatible versions of themes that happened to be in the base image
2. clone all official themes (overriding the compatible versions from 1.)
3. run tests
2024-06-04 15:16:56 +02:00
Discourse Translator Bot
5558028f8c
Update translations (#27275) 2024-05-31 12:27:30 +02:00
Discourse Translator Bot
0b1b451a48
Update translations (#27105) 2024-05-21 17:40:55 +02:00
Martin Brennan
175b656689 FIX: is_my_own? check for users who are anonymously doing actions (#25716)
Followup to 978d52841a

It's complicated...we have multiple "anonymous" user concepts
in core, and even two classes called the exact same thing --
AnonymousUser.

The first case is Guardian::AnonymousUser, which is used for
people who are browsing the forum without being authenticated.

The second case is the model AnonymousUser, which is used when
a user is liking or posting anonymously via allow_anonymous_likes
or allow_anonymous_posting site settings.

We will untangle this naming nightmare later on...but for the
time being, only authenticated users who are pretending to be
anonymous should be able to like posts if allow_anonymous_likes
is on.
2024-05-21 13:50:26 +08:00
Martin Brennan
05d144273a DEV: Add post_action_users_list modifier for PostActionUsersController (#25740)
This commit adds another plugin modifier related to post
actions, similar to ae24e04a5e.

This will be used to exclude users who liked _and_ reacted to
the post, since now in discourse-reactions we make a Like when
a user reacts too. This will affect the display of the post footer.
2024-05-21 13:50:26 +08:00
Martin Brennan
26ba5cda43 DEV: Add a plugin modifier for user_action_stream_builder (#25691)
Reactions needs this to be able to filter out likes received
actions, where there is also an associated reaction, since
now most reactions also count as a like.
2024-05-21 13:50:26 +08:00
Alan Guo Xiang Tan
c4cc9eaf2b
DEV: Don't run discourse-ai plugin specs when running against stable (#27096)
`discourse-ai` has custom gems which need to be bumped in order to be
compatible with Ruby 3.3. However, its version is pinned so we can't
pull in the commits in which upgrades the gems to be compatible with
Ruby 3.3. Just avoid running the specs on `stable` branch for now until
we release a new stable.
2024-05-21 12:11:58 +08:00
Alan Guo Xiang Tan
d42cc7171e
DEV: Pull compatible themes in tests workflow (#27094)
This commit adds a step in our tests workflow on Github actions to update the themes to
use the compatible version when not running aginast the `main` branch.
This is to ensure that we are not running
the tests for themes against an incompatible version of Discourse.
2024-05-21 10:38:50 +08:00
Alan Guo Xiang Tan
56b3dfe6e5
Backport dependencies upgrade to make stable compatible with Ruby 3.3 (#27091)
* DEV: Drop fast_xs gem (#26442)

Why this gem?

This gem was added close to 10 years ago to speed up the generation of
RSS feeds. However, RSS feeds generation do not even call `String#to_xs`
anymore and the `fast_xs` gem does not install on macOS without using
the following workaround:

`bundle config build.fast_xs
--with-cflags=\"-Wno-incompatible-pointer-types\"`

Therefore, we have decided to drop the gem.

* DEV: Drop gc_tracer gem (#26441)

Why this change?

This gem is failing to install cleanly on macOS and the following
workaround is required:

`bundle config build.gc_tracer
--with-cflags=\"-Wno-incompatible-pointer-types\"`

Instead of requiring this workaround, we have decided to drop `gc_tracer`
because it isn't a gem that is used anymore.

* DEV: Add `csv` to Gemfile to resolve Ruby 3.3 deprecation warning (#26995)

The following warning is being printed when running Discourse with Ruby
3.3

`warning: /usr/local/lib/ruby/3.3.0/csv.rb was loaded from the standard
library, but will no longer be part of the default gems since Ruby
3.4.0. Add csv to your Gemfile or gemspec.`

* DEV: Add `mutex_m` and `drb` to Gemfile to remove deprecation warning (#27012)

Resolves the following deprecation warnings when running Discourse on
Ruby 3.3

```
warning: /Users/tgxworld/.asdf/installs/ruby/3.3.1/lib/ruby/3.3.0/mutex_m.rb was loaded from the standard library, but will no longer be part of the default gems since Ruby 3.4.0. Add mutex_m to your Gemfile or gemspec. Also contact author of activesupport-7.0.8.1 to add mutex_m into its gemspec.

warning: /Users/tgxworld/.asdf/installs/ruby/3.3.1/lib/ruby/3.3.0/drb.rb was loaded from the standard library, but will no longer be part of the default gems since Ruby 3.4.0. Add drb to your Gemfile or gemspec. Also contact author of activesupport-7.0.8.1 to add drb into its gemspec.
```

* Build(deps): Bump google-protobuf from 3.25.2 to 3.25.3 (#25709)

Bumps [google-protobuf](https://github.com/protocolbuffers/protobuf) from 3.25.2 to 3.25.3.
- [Release notes](https://github.com/protocolbuffers/protobuf/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf/blob/main/protobuf_release.bzl)
- [Commits](https://github.com/protocolbuffers/protobuf/commits)

---
updated-dependencies:
- dependency-name: google-protobuf
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Build(deps): Bump actionview_precompiler from 0.3.0 to 0.4.0 (#25977)

Bumps [actionview_precompiler](https://github.com/jhawthorn/actionview_precompiler) from 0.3.0 to 0.4.0.
- [Commits](https://github.com/jhawthorn/actionview_precompiler/compare/v0.3.0...v0.4.0)

---
updated-dependencies:
- dependency-name: actionview_precompiler
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-21 09:20:01 +08:00
Grant
e70fa2df6f
FIX: Allow redirect when downloading maxmind database (#26333) (#27040)
Per https://dev.maxmind.com/geoip/release-notes/2024#presigned-urls-for-database-downloads 

MaxMind users who download databases should make sure that their HTTP client follows redirects and there are no proxy or firewall settings that would block requests to the host we are redirecting to.

Co-authored-by: Jay Pfaffman <jay@literatecomputing.com>
2024-05-16 10:12:34 +08:00
Jan Cernik
747ecc1f8c
Bump version to v3.2.2 2024-05-15 12:28:24 -03:00
Discourse Translator Bot
7270bc4816
Update translations (#27018) 2024-05-14 16:19:49 +02:00
David Taylor
39edf2a564
FIX: Don't unnecessarily scrub query params from homepage (stable) (#26960) 2024-05-09 23:12:43 +01:00
Discourse Translator Bot
94a9c6bc11
Update translations (#26904) 2024-05-07 09:31:05 -04:00
Discourse Translator Bot
662e1cdfe1
Update translations (#26822) 2024-04-30 21:57:33 +02:00
David Taylor
6f688be5c1
FIX: Improve handling of 'PublicExceptions' when bootstrap_error_pages enabled (#26737)
- Fix the readonly mode checking to avoid empty strings being passed (the `check_readonly_mode` before_action will not execute in the case of these re-dispatched exceptions)

Partial backport of bca855f239
2024-04-24 10:32:51 +01:00
Discourse Translator Bot
1b44077715
Update translations (#26714) 2024-04-23 16:22:32 +02:00
Discourse Translator Bot
500da3d311
Update translations (#26652) 2024-04-16 17:37:54 +02:00
Discourse Translator Bot
0d761a0c4b
Update translations (#26576) 2024-04-09 18:48:49 +02:00
Discourse Translator Bot
0060fbfc0b
Update translations (#26464) 2024-04-02 18:19:51 +02:00
Discourse Translator Bot
5abd8e9bb0
Update translations (#26369) 2024-03-26 16:30:06 +01:00
Loïc Guitaut
6168e041b3 DEV: Switch to Chromium in CI 2024-03-25 21:27:14 +01:00
Jeff Wong
7e7b2cf7b5
PERF: only allow one reviewable notification at a time (#26331)
This job may notify hundreds of mods and take quite a while to run.

Co-authored-by: Sam <sam.saffron@gmail.com>
2024-03-22 15:00:33 -07:00
Discourse Translator Bot
7d9c8993cd
Update translations (#26243) 2024-03-19 16:00:12 +01:00
Jarek Radosz
6a0aa03aa2
UX: Fix the video spinner css (#25770)
A followup to 62e36145c5
2024-03-15 16:06:05 +08:00
Jarek Radosz
b1111e64d1
UX: Tweak play button css (#25754)
* Remove unnecessary properties
* Use rem unit
* Add a drop shadow
* Make the "box shadow" slightly more subtle
* Use --d-border-radius
* Don't scale the "box shadow" on hover
* Scale down the on-hover size
* Make the button slightly larger
* Respect prefers-reduced-motion
* Use white rather than --secondary-or-primary
* Don't animate on-hover on mobile
2024-03-15 16:05:45 +08:00
Blake Erickson
c90488b917
FIX: Add a boarder around the video placeholder play button (#25727)
The video placeholder play button is white, so on a video placeholder
that is also white it is very hard to see where the play button is, so
this change adds a dark grey transparent background to the play button
so that it stands out. This is similar to how we have done the
play/pause button on animated gifs.
2024-03-15 16:01:43 +08:00
Penar Musaraj
457c2bf5bb
FIX: Handle old Firefox versions that do not support isConditionalMediationAvailable (#25549)
Some versions of Firefox will throw a TypeError when calling
PublicKeyCredential.isConditionalMediationAvailable() because the
method does not exist. That would previously lead to a "Sorry, an error
has occurred." modal when trying to login.

This commit fixes the issue by properly checking if the method exists.
Since it only affects older Firefox versions, no tests are added.
2024-03-15 16:01:27 +08:00
Neil Lalonde
798068b2a3
FIX: missing translation of guidelines_topic.body (#25505)
Broken in https://github.com/discourse/discourse/pull/25253
2024-03-15 15:59:17 +08:00
Nat
d41529c811
Bump version to v3.2.1 2024-03-15 15:27:07 +08:00
Penar Musaraj
bcc556b956
SECURITY: Limit invites params length 2024-03-15 14:37:28 +08:00
Alan Guo Xiang Tan
c41755bd69
SECURITY: Add rate limits for uploads 2024-03-15 14:37:23 +08:00
Bianca Nenciu
5a0851d8ac
SECURITY: Generate more category CSS on client
This commit moves the generation of category background CSS from the
server side to the client side. This simplifies the server side code
because it does not need to check which categories are visible to the
current user.
2024-03-15 14:37:19 +08:00
Daniel Waterworth
e9a8c059ec
SECURITY: Prevent large staff actions causing DoS
This commit operates at three levels of abstraction:

 1. We want to prevent user history rows from being unbounded in size.
    This commit adds rails validations to limit the sizes of columns on
    user_histories,

 2. However, we don't want to prevent certain actions from being
    completed if these columns are too long. In those cases, we truncate
    the values that are given and store the truncated versions,

 3. For endpoints that perform staff actions, we can further control
    what is permitted by explicitly validating the params that are given
    before attempting the action,
2024-03-15 14:37:15 +08:00
Daniel Waterworth
1f2ded8e8d
SECURITY: Don't disclose the existence of secret subcategories 2024-03-15 14:37:11 +08:00
Discourse Translator Bot
9f85bf559a
Update translations (#26137) 2024-03-12 15:40:16 +01:00
Jarek Radosz
99fe9ddd40 UX: Fix the video spinner css (#25770)
A followup to 62e36145c5
2024-03-06 14:36:50 -07:00