Commit Graph

51582 Commits

Author SHA1 Message Date
Bianca Nenciu
76bdea5ce2
SECURITY: Hide user profiles from public
User profiles, including the summary, should be private to anonymous
users if hide_user_profiles_from_public is enabled.
2023-10-16 10:34:32 -04:00
Jan Cernik
6350ba2cb3
SECURITY: Add permissions to MessageBus in chat
Add spec

compact
2023-10-16 10:34:30 -04:00
chapoi
9d1726fe2b
UX: better align user count (#23941) 2023-10-16 13:28:35 +02:00
David Taylor
1884b57af3
FIX: Open invite modal correctly from topic share UI (#23940)
This regressed when the create-invite modal was converted to the new component-based API in 8a7b5b00ea
2023-10-16 12:26:18 +01:00
David Taylor
c8c38bea7e
DEV: Write execution file for test failures (#23879)
Followup to 3f8a85ed49
2023-10-16 11:12:13 +01:00
David Taylor
aa4a5add70
DEV: Add system specs for dismiss new on tag routes (#23936) 2023-10-16 10:51:59 +01:00
dependabot[bot]
20a765e3ca
Build(deps-dev): Bump rubocop from 1.57.0 to 1.57.1 (#23937)
Bumps [rubocop](https://github.com/rubocop/rubocop) from 1.57.0 to 1.57.1.
- [Release notes](https://github.com/rubocop/rubocop/releases)
- [Changelog](https://github.com/rubocop/rubocop/blob/master/CHANGELOG.md)
- [Commits](https://github.com/rubocop/rubocop/compare/v1.57.0...v1.57.1)

---
updated-dependencies:
- dependency-name: rubocop
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-16 11:24:12 +02:00
dependabot[bot]
b0f5e99026
Build(deps-dev): Bump bullet from 7.1.1 to 7.1.2 (#23938)
Bumps [bullet](https://github.com/flyerhzm/bullet) from 7.1.1 to 7.1.2.
- [Changelog](https://github.com/flyerhzm/bullet/blob/main/CHANGELOG.md)
- [Commits](https://github.com/flyerhzm/bullet/compare/7.1.1...7.1.2)

---
updated-dependencies:
- dependency-name: bullet
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-16 11:23:53 +02:00
dependabot[bot]
a21a6dbd4d
Build(deps-dev): Bump webpack in /app/assets/javascripts (#23939)
Bumps [webpack](https://github.com/webpack/webpack) from 5.88.2 to 5.89.0.
- [Release notes](https://github.com/webpack/webpack/releases)
- [Commits](https://github.com/webpack/webpack/compare/v5.88.2...v5.89.0)

---
updated-dependencies:
- dependency-name: webpack
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-16 11:23:00 +02:00
Renato Atilio
6c818b449a
FIX: add missing type to form template upload (#23935) 2023-10-15 11:17:11 -03:00
Penar Musaraj
1a70817962
DEV: Add UI for passkeys (3/3) (#23853)
Adds UI elements for registering a passkey and logging in with it. The feature is still in an early stage, interested parties that want to try it can use the `experimental_passkeys` site setting (via Rails console). 

See PR for more details. 
---------

Co-authored-by: Joffrey JAFFEUX <j.jaffeux@gmail.com>
2023-10-13 12:24:06 -04:00
Jarek Radosz
a5858e60e1
FIX: Transitioning to tag-intersection route (#23931)
…didn't correctly update location query params.

A followup to 1df3ccc903 (things broke after merging `main` to PR's branch)
2023-10-13 16:23:04 +01:00
David Taylor
b3df0a362b
DEV: Ensure current-post-changed is fired when switching between topics (#23930)
Previously this logic was only checking the post number. That meant that navigating between the first post of two topics would not trigger the event.

In the past, the event would be triggered anyway because the ScrollingPostStream would be destroyed/re-created when navigating between topics. But now that we use the 'loading slider' technique, the same component instance is re-used.

The motivation for this commit is to fix the 'DiscoToc' theme component, which relies on the event firing when navigating between topics.
2023-10-13 15:45:32 +01:00
Gerhard Schlager
ec8ae3fc65 DEV: Add GitHub Actions workflow for testing migrations
This workflow runs only for code underneath the `migrations/` directory. The usual test workflow is skipped for migrations because running frontend and backend tests is a waste of time and resources when only migrations are changed.
2023-10-13 16:03:55 +02:00
Gerhard Schlager
7644419976 DEV: Add codeowner for migrations related code
This allows automatic assignment of reviewers for migrations related code.
2023-10-13 16:03:55 +02:00
Gerhard Schlager
0907c0deb7 DEV: Update labeler for migration related code
This activates the `sync-labels` flag which causes the removal of labels when matching files are reverted or no longer changed by the PR.
2023-10-13 16:03:55 +02:00
Gerhard Schlager
e16537fa9f DEV: Add initial structure for migrations-tooling 2023-10-13 16:03:55 +02:00
chapoi
29beaff25b
FIX: revert (edited) layout in chat message (#23927)
* Revert "UX: place (edited) on same line (#23866)"

This reverts commit c1017a479b.

* Revert "UX: prevent (edited) and following from being copied (#23882)"

This reverts commit 563bff509a.
2023-10-13 13:01:56 +02:00
Joffrey JAFFEUX
b6d9aa5a4c
DEV: simplify reply to message smoke spec (#23928)
We now create threads on reply so the refresh check is not really necessary as there's nothing special about it anymore. We don't refresh every pages in other tests to check they still work.

Hopefully these changes will prevent few flakeys too.
2023-10-13 11:16:26 +02:00
Joffrey JAFFEUX
c1abf8b35c
UX: improves reminder setting text (#23918)
The setting will change from "%{count} days" to "Chat settings have been set to retain channel messages for %{count} day."

This commit also:
- migrates `chat-retention-reminder` to gjs
- adds a "type" property to `chat-retention-reminder-text` to allow use a long or short text depending on where it's used.
2023-10-13 07:55:47 +02:00
Blake Erickson
b607d81d50
DEV: Change video placeholder click target (#23925)
Have the click target be the entire placeholder instead of just the play
button.
2023-10-13 13:26:10 +10:00
Martin Brennan
9762e65758
FEATURE: Add Revise... option for queued post reviewable (#23454)
This commit adds a new Revise... action that can be taken
for queued post reviewables. This will open a modal where
the user can select a Reason from a preconfigured list
(or by choosing Other..., a custom reason) and provide feedback
to the user about their post.

The post will be rejected still, but a PM will also be sent to
the user so they have an opportunity to improve their post when
they resubmit it.
2023-10-13 11:28:31 +10:00
dependabot[bot]
5fe4e0ed48
Build(deps-dev): Bump sass in /app/assets/javascripts (#23921)
Bumps [sass](https://github.com/sass/dart-sass) from 1.69.2 to 1.69.3.
- [Release notes](https://github.com/sass/dart-sass/releases)
- [Changelog](https://github.com/sass/dart-sass/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sass/dart-sass/compare/1.69.2...1.69.3)

---
updated-dependencies:
- dependency-name: sass
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-13 03:22:53 +02:00
dependabot[bot]
2fa9620f77
Build(deps-dev): Bump qunit-dom in /app/assets/javascripts (#23920)
Bumps [qunit-dom](https://github.com/mainmatter/qunit-dom) from 2.0.0 to 3.0.0.
- [Release notes](https://github.com/mainmatter/qunit-dom/releases)
- [Commits](https://github.com/mainmatter/qunit-dom/compare/v2.0.0...v3.0.0)

---
updated-dependencies:
- dependency-name: qunit-dom
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-13 03:00:58 +02:00
Jarek Radosz
1df3ccc903
FIX: Pass category param on /tags/intersection (#23352) 2023-10-13 02:42:41 +02:00
dependabot[bot]
f33b60ba17
Build(deps-dev): Bump shoulda-matchers from 68f76ce to c17bac4 (#23923)
Bumps [shoulda-matchers](https://github.com/thoughtbot/shoulda-matchers) from `68f76ce` to `c17bac4`.
- [Release notes](https://github.com/thoughtbot/shoulda-matchers/releases)
- [Commits](68f76ce13e...c17bac468c)

---
updated-dependencies:
- dependency-name: shoulda-matchers
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-13 00:11:52 +02:00
dependabot[bot]
1fac13b405
Build(deps-dev): Bump the babel group (#23919)
Bumps the babel group in /app/assets/javascripts with 1 update: [@babel/core](https://github.com/babel/babel/tree/HEAD/packages/babel-core).

- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/@babel/core@7.23.2/packages/babel-core)

---
updated-dependencies:
- dependency-name: "@babel/core"
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: babel
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-13 00:08:07 +02:00
dependabot[bot]
67d98364a5
Build(deps): Bump sass-embedded from 1.69.2 to 1.69.3 (#23922)
Bumps [sass-embedded](https://github.com/ntkme/sass-embedded-host-ruby) from 1.69.2 to 1.69.3.
- [Commits](https://github.com/ntkme/sass-embedded-host-ruby/compare/v1.69.2...v1.69.3)

---
updated-dependencies:
- dependency-name: sass-embedded
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-13 00:07:20 +02:00
Joffrey JAFFEUX
b122e69ed3
DEV: flakey members list spec (#23917)
No repro but, it's possible that we were at the limit of triggering the scroll, this should ensure we correctly trigger the scroll more.
2023-10-12 22:32:03 +02:00
Sérgio Saquetim
526d2dc582
FEATURE: Allow searching users using a list of usernames (#23902) 2023-10-12 20:00:33 +00:00
Blake Erickson
2443446e62
DEV: Prevent videos from preloading metadata (#23807)
Preloading just metadata is not always respected by browsers, and
sometimes the whole video will be downloaded. This switches to using a
placeholder image for the video and only loads the video when the play
button is clicked.
2023-10-12 13:47:48 -06:00
Tobias Eigen
460e702887
improve desc of review every post admin setting (#23899)
Adds more information about what the "review every post" admin setting does. All new posts are sent to the review queue so they can be reviewed by moderators, but are still published.
2023-10-12 09:43:14 -07:00
Mark VanLandingham
55e4fd63be
DEV: add class to bookmark-list TD (#23914) 2023-10-12 11:27:00 -05:00
Jarek Radosz
90743f162a
DEV: Add a plugin outlet for conditional-loading-spinner (#23911) 2023-10-12 17:53:53 +02:00
Kris
76cbfcd60c
A11Y: move new account disclaimer above buttons (#23884) 2023-10-12 11:30:03 -04:00
Godfrey Chan
2e00482ac4
DEV: convert I18n pseudo package into real package (discourse-i18n) (#23867)
Currently, `window.I18n` is defined in an old school hand written
script, inlined into locale/*.js by the Rails asset pipeline, and
then the global variable is shimmed into a pseudo AMD module later
in `module-shims.js`.

This approach has some problems – for one thing, when we add a new
V2 addon (e.g. in #23859), Embroider/Webpack is stricter about its
dependencies and won't let you `import from "I18n";` when `"I18n"`
isn't listed as one of its `dependencies` or `peerDependencies`.

This moves `I18n` into a real package – `discourse-i18n`. (I was
originally planning to keep the `I18n` name since it's a private
package anyway, but NPM packages are supposed to have lower case
names and that may cause problems with other tools.)

This package defines and exports a regular class, but also defines
the default global instance for backwards compatibility. We should
use the exported class in tests to make one-off instances without
mutating the global instance and having to clean it up after the
test run. However, I did not attempt that refactor in this PR.

Since `discourse-i18n` is now included by the app, the locale
scripts needs to be loaded after the app chunks. Since no "real"
work happens until later on when we kick things off in the boot
script, the order in which the script tags appear shouldn't be a
problem. Alternatively, we can rework the locale bundles to be more
lazy like everything else, and require/import them into the app.

I avoided renaming the imports in this commit since that would be
quite noisy and drowns out the actual changes here. Instead, I used
a Webpack alias to redirect the current `"I18n"` import to the new
package for the time being. In a separate commit later on, I'll
rename all the imports in oneshot and remove the alias. As always,
plugins and the legacy bundles (admin/wizard) still relies on the
runtime AMD shims regardless.

For the most part, I avoided refactoring the actual I18n code too
much other than making it a class, and some light stuff like `var`
into `let`.

However, now that it is in a reasonable format to work with (no
longer inside the global script context!) it may also be a good
opportunity to refactor and make clear what is intended to be
public API vs internal implementation details.

Speaking of, I took the librety to make `PLACEHOLDER`, `SEPARATOR`
and `I18nMissingInterpolationArgument` actual constants since it
seemed pretty clear to me those were just previously stashed on to
the `I18n` global to avoid polluting the global namespace, rather
than something we expect the consumers to set/replace.
2023-10-12 14:44:01 +01:00
Jan Cernik
5d632fd30a
FIX: Chat layout shift with GitHub onebox (#23909) 2023-10-12 07:54:11 -03:00
David Taylor
525cfcbe0e
FIX: Ensure nested ember components can be used with mustache syntax (#23912)
We run the ember-this-fallback transformation on plugin and theme code so that they can continue omitting `this.` in `.hbs` templates. A bug in the implementation meant that it was incorrectly transforming things like `{{dir/some-component}}` into `<DirSomeComponent />` (rather than `<Dir::SomeComponent />`).

This commit uses patch-package to apply the fix from https://github.com/tildeio/ember-this-fallback/pull/56
2023-10-12 11:08:57 +01:00
dependabot[bot]
7c6a8fa09a
Build(deps-dev): Bump rswag-specs from 2.10.1 to 2.11.0 (#23905)
Bumps [rswag-specs](https://github.com/rswag/rswag) from 2.10.1 to 2.11.0.
- [Release notes](https://github.com/rswag/rswag/releases)
- [Changelog](https://github.com/rswag/rswag/blob/master/CHANGELOG.md)
- [Commits](https://github.com/rswag/rswag/compare/2.10.1...2.11.0)

---
updated-dependencies:
- dependency-name: rswag-specs
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-12 12:05:24 +02:00
dependabot[bot]
7ec167892d
Build(deps-dev): Bump rubocop from 1.56.4 to 1.57.0 (#23906)
Bumps [rubocop](https://github.com/rubocop/rubocop) from 1.56.4 to 1.57.0.
- [Release notes](https://github.com/rubocop/rubocop/releases)
- [Changelog](https://github.com/rubocop/rubocop/blob/master/CHANGELOG.md)
- [Commits](https://github.com/rubocop/rubocop/compare/v1.56.4...v1.57.0)

---
updated-dependencies:
- dependency-name: rubocop
  dependency-type: indirect
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-12 12:05:00 +02:00
David Taylor
6e004b04e1
FIX: Support PluginOutlet invocations with deprecated tagName (#23913)
This regressed in af305366
2023-10-12 11:03:44 +01:00
dependabot[bot]
88951e03bf
Build(deps): Bump the babel group (#23907)
Bumps the babel group in /app/assets/javascripts with 1 update: [@babel/standalone](https://github.com/babel/babel/tree/HEAD/packages/babel-standalone).

- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.23.2/packages/babel-standalone)

---
updated-dependencies:
- dependency-name: "@babel/standalone"
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: babel
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-12 12:02:35 +02:00
dependabot[bot]
bf74d06a86
Build(deps-dev): Bump @ember/legacy-built-in-components (#23908)
Bumps [@ember/legacy-built-in-components](https://github.com/emberjs/ember-legacy-built-in-components) from 0.5.0-alpha.0 to 0.5.0.
- [Release notes](https://github.com/emberjs/ember-legacy-built-in-components/releases)
- [Commits](https://github.com/emberjs/ember-legacy-built-in-components/commits)

---
updated-dependencies:
- dependency-name: "@ember/legacy-built-in-components"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-12 12:02:08 +02:00
Krzysztof Kotlarek
cb8190d32f
FEATURE: option to automatically delete unused tags (#23864)
Introduced a new site setting that enables the automatic and daily removal of unused tags.
2023-10-11 23:58:56 +00:00
David Taylor
e2e30788b9
DEV: Add note about wrapper element to renderInOutlet API (#23903) 2023-10-11 23:11:08 +01:00
Godfrey Chan
2ae913f45e
Consistently import escape from discourse-common (#23790)
`escape` from `pretty-text/sanitizer` is a re-export of the same
function defined in `discourse-common`. Updating the import paths
across the codebase to use the `discourse-common` import path.

`escape` is a rather simple function that can be accomplished with
a regular expression in `discourse-common`.

On the other hand, the remaining parts in `pretty-text/sanitizer`
has a lot of code, PLUS it depend on the rather heavy "xss" NPM
library.

Currently, most of the consumers of `pretty-text/sanitizer` are of
the `{ escape }` varient. This is resolved by this PR.

The remaining usages are either:

1. via/through `PrettyText` which is essentially gated behind
   loading the markdown-it bundle, OR

2. via `sanitize` from `discourse/lib/text`

I believe we may ultimately be able to move all the usages to behind
the markdown-it bundle (or, equivilantly, set up another lazy bundle
for `sanitize`) and be able to shed the sanitization code and the
"xss" library from the initial page load.

`discourse/lib/text` also defines a `sanitizeAsync` which is gated
behind loading the markdown-it bundle.

Looking through the usages of `sanitize`, I believe most of these
can be safely switched to use `sanitizeAsync`, in that they are
already in an asynchrnous path that handles a server response. Most
of them are actually rendering a piece of server-generated HTML
message as flash message, so I am not sure there really is value in
sanitizing (we should be able to trust our own server?), but in any
case, code-wise, they should already be able to absorb the async
just fine.

I am not sure if `sanitize` and `sanitizeAsync` are actually API
compatible – they both take `options` but I think those `options` do
pretty different things. This is somethign for another person to
investigate down the road in another PR.

According to `all-the-plugins`, `discourse-graphviz` also import
from this location, so perhaps we should PR to update. That being
said, it doesn't really hurt anything to keep the alias around for
a while.
2023-10-11 22:21:01 +01:00
Godfrey Chan
210d13e3cb
DEV: fix setting isTesting (#23901)
This started out as a seemingly benign refactor to replace the
`require` for `withPluginApi` to an actual import. However, it
broke the test in seemingly random places.

It turns out that in serveral places, we are calling `isTesting()`
in module scope and assigning the result to a constant. For example
we do that in the composer service to disable checking drafts when
testing.

This is problematic because `isTesting` doesn't really set until
the `discourse-bootstrap` initializer is run, and so any modules
that are evaluated before then will have locked in the wrong value
for `isTesting()`.

If we are going to use and treat `isTesting()` like a constant then
we will have to make sure we set it sufficiently early before any
code-loading happens.
2023-10-11 22:20:02 +01:00
Penar Musaraj
e3e73a3091
DEV: Add routes and controller actions for passkeys (2/3) (#23587)
This is part 2 (of 3) for passkeys support.

This adds a hidden site setting plus routes and controller actions.

1. registering passkeys

Passkeys are registered in a two-step process. First, `create_passkey`
returns details for the browser to create a passkey. This includes
- a challenge
- the relying party ID and Origin
- the user's secure identifier
- the supported algorithms
- the user's existing passkeys (if any)

Then the browser creates a key with this information, and submits it to
the server via `register_passkey`.

2. authenticating passkeys

A similar process happens here as well. First, a challenge is created
and sent to the browser. Then the browser makes a public key credential
and submits it to the server via `passkey_auth_perform`.

3. renaming/deleting passkeys

These routes allow changing the name of a key and deleting it.

4. checking if session is trusted for sensitive actions

Since a passkey is a password replacement, we want to make sure to confirm the user's identity before allowing adding/deleting passkeys. The u/trusted-session GET route returns success if user has confirmed their session (and failed if user hasn't). In the frontend (in the next PR), we're using these routes to show the password confirmation screen. 

The `/u/confirm-session` route allows the user to confirm their session with a password. The latter route's functionality already existed in core, under the 2FA flow, but it has been abstracted into its own here so it can be used independently.


Co-authored-by: Alan Guo Xiang Tan <gxtan1990@gmail.com>
2023-10-11 14:36:54 -04:00
Meghna
90be6f304f
UX: fix likes notification for multiple users on mobile (#23896) 2023-10-11 20:41:19 +05:30
David Taylor
597ef11195
DEV: Improve reactivity of user-tips and remove runloop workarounds (#23897)
Previously, the `user-tips` service included a couple of calls to `next()`. These were introduced to work around errors like

```
You attempted to update `availableTips` on `<UserTips:ember659>`, but it had already been used previously in the same computation
```

These errors come from the fact that various `<UserTip>` components are rendering at slightly different times in the runloop and stepping on each other. Normally this doesn't happen in Ember, but the implementation details of our 'Widget' system and its 'RenderGlimmer' helper mean that RenderGlimmer components are rendered later than normal Ember components. Using `next()` avoids the problem because it means that all the updates are scheduled together in the following runloop interation.

However, the use of `next()` can create some subtle timing issues, which have been evident in the recent flakiness of some qunit tests. This commit makes a few changes to improve the situation:

1. Use a TrackedMap to provide fine-grained `shouldRender()` reactivity for each user-tip id. That means that different user tips will not be trying to update the same piece of tracked state (previously the entire `availableTips` array was `@tracked`, and was completely re-assigned every time a new `<UserTip>` was rendered

2. Avoid reassigning any tracked state unless the value has actually changed

3. Remove the `next()` workarounds
2023-10-11 14:03:31 +01:00