Commit Graph

47 Commits

Author SHA1 Message Date
Martin Brennan
e69f7d2fd9
SECURITY: Limit user profile field length (#18302)
Adds limits to location and website fields at model and DB level
to match the bio_raw field limits. A limit cannot be added at the
DB level for bio_raw because it is a postgres text field.

Co-authored-by: Alan Guo Xiang Tan <gxtan1990@gmail.com>
2022-09-21 12:07:06 +10:00
Loïc Guitaut
3eaac56797 DEV: Use proper wording for contexts in specs 2022-08-04 11:05:02 +02:00
Loïc Guitaut
296aad430a DEV: Use describe for methods in specs 2022-07-27 16:35:27 +02:00
Bianca Nenciu
5f13ca5e54
FIX: Don't cook user fields to apply watched words (#17590)
The previous method for reused the PrettyText logic which applied the
watched word logic, but had the unwanted effect of cooking the text too.
This meant that regular text values were converted to HTML.

Follow up to commit 5a4c35f627.
2022-07-26 18:15:42 +03:00
Loïc Guitaut
5a4c35f627 FIX: Apply all watched words rules to user fields
Currently we only apply watched words of the `Block` type to custom user
fields and user profile fields.

This patch enables all rules to be applied such as `Censor` or
`Replace`.
2022-07-11 11:51:57 +02:00
Loïc Guitaut
ba148e082d FIX: Apply watched words to user fields
Currently we don’t apply watched words to custom user fields nor user
profile fields.
This led to users being able to use blocked words in their bio, location
or some custom user fields.

This patch addresses this issue by adding some validations so it’s not
possible anymore to save the User model or the UserProfile model if they
contain blocked words.
2022-05-10 11:37:52 +02:00
David Taylor
c9dab6fd08
DEV: Automatically require 'rails_helper' in all specs (#16077)
It's very easy to forget to add `require 'rails_helper'` at the top of every core/plugin spec file, and omissions can cause some very confusing/sporadic errors.

By setting this flag in `.rspec`, we can remove the need for `require 'rails_helper'` entirely.
2022-03-01 17:50:50 +00:00
Ayke Halder
5ff3a9c4bb
DEV: add native lazy loading for emojis (#15830) 2022-02-09 12:18:59 +01:00
Roman Rizzi
efb9fd6ac0
FIX: Make sure rel attributes are correctly set. (#10645)
We must guarantee that "rel=noopener" was set if "target=_blank" is present, which is not always the case for trusted users. Also, if the link contains the "nofollow" attribute, it has to have the "ugc" attribute as well.
2020-09-10 12:59:51 -03:00
Krzysztof Kotlarek
e0d9232259
FIX: use allowlist and blocklist terminology (#10209)
This is a PR of the renaming whitelist to allowlist and blacklist to the blocklist.
2020-07-27 10:23:54 +10:00
Guo Xiang Tan
fd0eff6ce3 Revert "FIX: Add missing unique index on user_id for user_profiles."
Oops `user_id` is the primary key.

This reverts commit 5478aa63ab.
2019-05-24 12:58:36 +08:00
Guo Xiang Tan
5478aa63ab FIX: Add missing unique index on user_id for user_profiles. 2019-05-24 12:11:49 +08:00
Daniel Waterworth
e219588142 DEV: Prefabrication (test optimization) (#7414)
* Introduced fab!, a helper that creates database state for a group

It's almost identical to let_it_be, except:

 1. It creates a new object for each test by default,
 2. You can disable it using PREFABRICATION=0
2019-05-07 13:12:20 +10:00
Guo Xiang Tan
24347ace10 FIX: Properly associate user_profiles background urls via upload id.
`Upload#url` is more likely and can change from time to time. When it
does changes, we don't want to have to look through multiple tables to
ensure that the URLs are all up to date. Instead, we simply associate
uploads properly to `UserProfile` so that it does not have to replicate
the URLs in the table.
2019-05-02 14:58:24 +08:00
Sam Saffron
4ea21fa2d0 DEV: use #frozen_string_literal: true on all spec
This change both speeds up specs (less strings to allocate) and helps catch
cases where methods in Discourse are mutating inputs.

Overall we will be migrating everything to use #frozen_string_literal: true
it will take a while, but this is the first and safest move in this direction
2019-04-30 10:27:42 +10:00
Guo Xiang Tan
62579d79d4 DEV: Fix failing tests. 2019-03-11 11:12:11 +08:00
Joffrey JAFFEUX
10a3499d68
uses emoji versions for specs (#6276) 2018-08-16 13:45:30 +02:00
Guo Xiang Tan
d57a5d3e8c Fix brittle spec. 2018-06-01 11:56:56 +08:00
Arpit Jalan
33899664ce FIX: handle bad user profile website 2018-05-17 13:21:24 +05:30
Misaka 0x4e21
ff6be3c2e3 FEATURE: add profile_background fields into SSO (#5701)
Add profile_background and card_background fields into Discourse SSO.
2018-05-07 10:03:26 +02:00
Neil Lalonde
06022d042c fix failing spec user_profile_spec 2018-04-13 10:32:28 -04:00
Guo Xiang Tan
6ecf37c482 Improve URL validation to check for a valid host.
Parsing a URL with `URI` is not sufficient as the following cases
are considered valid:

URI.parse("http://https://google.com")
=> #<URI::HTTP http://https//google.com>
2017-12-21 13:50:15 +08:00
Joffrey JAFFEUX
506572bf04 FIX: display emojis (set, custom and native) in bio excerpt 2017-08-15 10:05:09 +02:00
Régis Hanol
e43799134c fix the regexp used to valide user's website 2017-08-02 10:19:24 +02:00
Guo Xiang Tan
13f3de4bf6 Nuke all SiteSetting.stubs from our codebase. 2017-07-07 15:09:14 +09:00
Arpit Jalan
8dea70d354 Revert "FIX: User website allows new TLDs" 2017-04-18 13:18:51 +05:30
Rafael dos Santos Silva
4289dbe3e5 FIX: User website allows new TLDs 2017-04-18 00:30:37 -03:00
Arpit Jalan
d72cbcb2a4 FEATURE: new setting to validate user website 2016-12-26 21:29:27 +05:30
Arpit Jalan
2d0c99636a do not add rel noreferrer 2016-11-20 18:19:14 +05:30
Arpit Jalan
7cb76f7333 FIX: add rel noopener and noreferrer in addition to nofollow 2016-11-20 17:07:27 +05:30
Robin Ward
2891f230d1 SECURITY: Make sure uploaded_urls have corresponding upload records 2016-07-28 13:54:17 -04:00
Arpit Jalan
8a7868be07 FIX: validate user website 2016-02-06 02:19:48 +05:30
Andy Waite
3e50313fdc Prepare for separation of RSpec helper files
Since rspec-rails 3, the default installation creates two helper files:
* `spec_helper.rb`
* `rails_helper.rb`

`spec_helper.rb` is intended as a way of running specs that do not
require Rails, whereas `rails_helper.rb` loads Rails (as Discourse's
current `spec_helper.rb` does).

For more information:

https://www.relishapp.com/rspec/rspec-rails/docs/upgrade#default-helper-files

In this commit, I've simply replaced all instances of `spec_helper` with
`rails_helper`, and renamed the original `spec_helper.rb`.

This brings the Discourse project closer to the standard usage of RSpec
in a Rails app.

At present, every spec relies on loading Rails, but there are likely
many that don't need to. In a future pull request, I hope to introduce a
separate, minimal `spec_helper.rb` which can be used in tests which
don't rely on Rails.
2015-12-01 20:39:42 +00:00
Luciano Sousa
b3d769ff4f Update rspec syntax to v3
update rspec syntax to v3

change syntax to rspec v3

oops. fix typo

mailers classes with rspec3 syntax

helpers with rspec3 syntax

jobs with rspec3 syntax

serializers with rspec3 syntax

views with rspec3 syntax

support to rspec3 syntax

category spec with rspec3 syntax
2015-01-05 11:59:30 -03:00
Régis Hanol
d7ef4f1edd remove useless 'puts' 2014-11-26 16:40:03 +01:00
Robin Ward
4c9f55d1e1 FIX: Suspended users should have links stripped from their profiles. 2014-11-25 16:14:39 -05:00
Jason W. May
bdc7947cd6 rspec expect...to deprecations 2014-10-31 10:44:26 -07:00
riking
e665bfd72a Fix test failure 2014-09-30 13:16:34 +10:00
Régis Hanol
de76b512c1 fix most deprecations in the specs (still some left) 2014-09-25 17:44:48 +02:00
Robin Ward
56eda5abf9 FIX: Don't allow profile bios longer than 3k chars 2014-09-08 15:23:21 -04:00
Sam
59d04c0695 Internal renaming of elder,leader,regular,basic to numbers
Changed internals so trust levels are referred to with

TrustLevel[1], TrustLevel[2] etc.

This gives us much better flexibility naming trust levels, these names
are meant to be controlled by various communities.
2014-09-05 15:20:52 +10:00
Jeff Atwood
fcca64c0cf rename site settings for trust levels as numbers 2014-09-04 13:16:51 -07:00
Sam
b11b5cb61b SECURITY: rebake old user profiles 2014-08-05 16:37:56 +10:00
Sam
6e9f5f5584 SECURITY: fix XSS in excerpt parser 2014-07-25 12:16:00 +10:00
Neil Lalonde
42dcb77d93 FEATURE: add site setting leader_links_no_follow to control whether users with trust level 3 or higher have nofollow on their links 2014-07-14 13:34:29 -04:00
Andrew Bezzub
9ffd173873 move bio to UserProfile from User 2014-06-13 14:55:32 -04:00
Robin Ward
7c22d738b6 FEATURE: Add a location field to a user's profile 2014-05-27 13:54:04 -04:00