discourse

mirror of https://github.com/discourse/discourse.git synced 2024-11-24 15:49:55 +08:00

Author	SHA1	Message	Date
Sam	df45e82377	SECURITY: only allow picking of avatars created by self (#6417 ) * SECURITY: only allow picking of avatars created by self Also adds origin tracking to all uploads including de-duplicated uploads	2018-09-19 22:33:10 -07:00
Vinoth Kannan	9281b72308	FEATURE: Log entity export in staff logs	2018-09-19 03:16:45 +05:30
Sam	0e9841b995	SECURITY: remove admin memory diagnostics routes	2018-09-18 08:35:09 +10:00
Neil Lalonde	6f1b8ad16d	FIX: tag groups page should only be visible to staff No security concern here because nothing private was visible, and no actions could be taken by non-staff users.	2018-09-17 11:41:18 -04:00
Kyle Zhao	7b19ed06c1	reworked specs of existing group behavior	2018-09-17 17:46:43 +10:00
pmusaraj	5bdf476de7	raise error early in drafts controller	2018-09-13 08:40:57 -04:00
pmusaraj	aa614e393c	return 403 when trying drafts of another user	2018-09-12 13:08:02 -04:00
Sam	d1984a0b4d	FIX: display a correct error when attempting to agree on a deferred flag Previously we would raise a 500 error if a moderator tried to agree on a flag another moderator deferred. This can happen cause the UX for flags does not live refresh as flags are handled	2018-09-12 13:16:59 +10:00
Guo Xiang Tan	71185c13b5	Merge pull request #6377 from tgxworld/remove_tif_tiff Drop `tif`, `tiff`, `webp` and `bmp` from supported images.	2018-09-12 09:32:32 +08:00
Guo Xiang Tan	e1b16e445e	Rename `FileHelper.is_image?` -> `FileHelper.is_supported_image?`.	2018-09-12 09:22:28 +08:00
Osama Sayegh	16bd3f2cf2	FIX: use current user color scheme when filling `theme-color` attribute (#6384 ) * FIX: use current user color scheme when filling `meta` attribute `theme-color` * update manifest.webmanifest colors	2018-09-12 11:04:58 +10:00
Neil Lalonde	9e77fd8fc3	FIX: wrong category links on subfolder install in rss feed for a category topic list	2018-09-07 10:03:30 -04:00
Sam	879067d000	FIX: check admin theme cookie against user selectable previously admin got a free pass and could set theme via cookie to anything including themes that are not selectable this refactor ensures that only "preview" gets a free pass, all the rest goes through the same pipeline	2018-09-07 10:47:28 +10:00
Gerhard Schlager	797cbf8653	FIX: Remove user fields when anonymizing user	2018-09-07 00:02:56 +02:00
Vinoth Kannan	d8b543bb67	FIX: redirect to original URL after social signup	2018-09-05 01:44:23 +05:30
David Taylor	4382fb5fac	DEV: Allow plugins to whitelist specific user custom_fields for editing (#6358 )	2018-09-04 20:45:36 +10:00
Sam	2f5c21e28c	FIX: return a 400 error instead of 500 for null injections Many security scanners like to inject NULL in inputs causing application to exception out and return a 500 We now handle this exception and render a 400 status back	2018-09-04 12:11:52 +10:00
Gerhard Schlager	f33433bf9e	Validation of params should restrict to max int (#6331 ) * FIX: Validation of params should restrict to max int * FIX: Send status 400 when "page" param isn't between 1 and max int	2018-09-03 14:45:32 +10:00
Guo Xiang Tan	59c9051a2e	REFACTOR: Rescue error at the specific spot that is raising the error.	2018-09-03 11:04:58 +08:00
Bianca Nenciu	f5e0356fb2	correct miscellaneous issues with user login history	2018-09-02 17:24:54 +10:00
Bianca Nenciu	931cffcebe	FEATURE: Let users see their user auth tokens. (#6313 )	2018-08-31 10:18:06 +02:00
Sam	b3aab1770f	FIX: set old last modified date for invalid avatars In some cases Akami was holding tight to these invalid avatars, to avoid this happening we explain the avatar image is ancient then when a new upload is added it automatically is older than this.	2018-08-31 17:07:31 +10:00
Blake Erickson	ae532f8548	FIX: return 422 for an invalid group name on category create	2018-08-30 14:28:55 -06:00
David Taylor	103509b9dd	SECURITY: Prevent users from modifying custom fields	2018-08-30 12:59:36 +01:00
Bianca Nenciu	72ffabf619	UX: Improve email testing admin tool. (#6308 )	2018-08-29 23:14:16 +02:00
Neil Lalonde	9bf4333491	FIX: redirect to wrong URL after account creation on subfolder install	2018-08-24 10:34:44 -04:00
Joffrey JAFFEUX	82dcc5cbfa	FEATURE: makes reports loadable in bulk (#6309 )	2018-08-24 15:28:01 +02:00
Osama Sayegh	e0cc29d658	FEATURE: themes and components split * FEATURE: themes and components split * two seperate methods to switch theme type * use strict equality operator	2018-08-24 11:30:00 +10:00
Sam	29315b73c2	FIX: improve last_modified date returned for avatars instead of hard coding a date: 1. For optimized images use the upload date when on s3 2. For not-found use 10 minutes ago to match the expiry	2018-08-24 09:36:11 +10:00
Osama Sayegh	2711f173dc	FIX: don't allow inviting more than `max_allowed_message_recipients` * FIX: don't allow inviting more than `max_allowed_message_recipients` setting allows * add specs for guardian * user preferences for auto track shouldn't be applicable to PMs (it auto watches on visit) Execlude PMs from "Automatically track topics I enter..." and "When I post in a topic, set that topic to..." user preferences * groups take only 1 slot in PM * just return if topic is a PM	2018-08-23 14:36:49 +10:00
James Kiesel	cdea969c6a	FEATURE: Make initial admins TL1 * Match register controller TL to rake admin:create * Don't promote if trust_level > 1	2018-08-22 15:45:24 +10:00
Sam	5a6d1ee257	FIX: defer actions in a static method This avoids capturing a huge closure and passing to defer	2018-08-22 14:36:56 +10:00
Gerhard Schlager	17dc8f2490	UX: Wizard resends activation email when user exists	2018-08-21 19:13:41 +02:00
Sam	2d96160192	FEATURE: improve API error reporting for invalid records	2018-08-21 11:54:34 +10:00
Bianca Nenciu	dc5fddbfe6	FIX: Do not show an empty modal when an IP address is allowed or blocked. (#6265 )	2018-08-20 17:37:30 +02:00
Guo Xiang Tan	b4f92a05b3	FIX: Load more on groups page does not account for params. https://meta.discourse.org/t/cant-scroll-through-list-of-users-groups-if-more-than-one-page/92259	2018-08-20 17:08:50 +08:00
Sam	ce4b12ae59	FIX: if we have not target available do not redirect	2018-08-20 13:10:59 +10:00
Joffrey JAFFEUX	37d4f27c44	FIX: quality/bugfix dashboard/reports pass (#6283 )	2018-08-17 16:19:25 +02:00
Sam	9628c3cf97	FEATURE: automatically correct extension for bad uploads This fixes with post thumbnails on the fly	2018-08-17 14:00:27 +10:00
Sam	baa72d18f8	FIX: simplify so we ban all auth paths previously plugins that have auth paths were not disallowed and robots tend to call them	2018-08-16 19:16:47 +10:00
Sam	796164b58c	FIX: automatically correct bad avatars on access Also start relying on upload extension for optimized images	2018-08-16 16:32:56 +10:00
Rafael dos Santos Silva	c8b5e6baae	FEATURE: Use `display: browser` in webmanifest for iOS devices Since iOS doesn't have a back button and can have issues on log in. See https://twitter.com/firt/status/1021477243909033984	2018-08-15 23:36:08 -03:00
Misaka 0x4e21	d4fd19d49a	UX: Replace Google search with Discourse search on not found page * UX: Replace Google search with Discourse search on not found page. * FIX: Update application_controller_spec.rb.	2018-08-15 11:53:04 +10:00
Régis Hanol	12bab65167	FIX: going from /categories to /latest on mobile might break infinite scrolling	2018-08-15 01:22:03 +02:00
Régis Hanol	de92913bf4	FIX: store the topic links using the cooked upload url	2018-08-14 12:23:32 +02:00
Sam	ad5f502332	FIX: add a basic validator for topic params This cuts down on log noise when people try out sql injection	2018-08-14 17:01:04 +10:00
Sam	6f6b4ff988	regression: don't return from a block also clean up some warnings (shadowed var, unused var)	2018-08-10 14:53:55 +10:00
Gerhard Schlager	b9072e8292	FEATURE: Add "Reset Bump Date" action to topic admin wrench (#6246 )	2018-08-10 10:51:03 +10:00
Gerhard Schlager	ef4b9f98c1	FEATURE: Allow admins to reply without topic bump	2018-08-10 10:48:30 +10:00
Neil Lalonde	2c4d7225d8	FIX: permalink redirects with subfolder	2018-08-09 11:05:27 -04:00

1 2 3 4 5 ...

2583 Commits