Commit Graph

48655 Commits

Author SHA1 Message Date
Keegan George
80164322e0
DEV: Remove unused locale (#19764) 2023-01-05 13:35:10 -08:00
Vinoth Kannan
7ecf4d12a9
FIX: use reviewer's guardian permissions to create post/topic while approve. (#19710)
We previously used post creator's guardian permissions which will raise an error if the reviewer added a staff-only (restricted) tag.

Co-authored-by: Natalie Tay <natalie.tay@discourse.org>
2023-01-05 19:31:37 +05:30
David Taylor
d5491b13f5
DEV: Fix syntax/formatting in xenforo import script (#19761)
Followup to 7dfe85fc
2023-01-05 12:47:05 +00:00
Martin Brennan
41acabad19
DEV: Change system spec JS log level to SEVERE by default (#19757)
Having this set to ALL pollutes the JS system spec
logs with a bunch of unnecessary noise like this:

> "PresenceChannel '/chat-user/core/1' dropped message (received 315, expecting 246), resyncing..."

Or:

> "DEPRECATION: The \u003Cdiscourse@component:plugin-connector::ember1112>#save computed property was just overridden. This removes the computed property and replaces it with a plain value, and has been deprecated.

Now, we will only log errors. To configure this set
the `SELENIUM_BROWSER_LOG_LEVEL` env var.
2023-01-05 16:41:22 +10:00
Alan Guo Xiang Tan
df6d323bd1 Version bump to v2.8.14 (#19755) 2023-01-05 10:54:47 +08:00
Alan Guo Xiang Tan
ffc59a3b28 SECURITY: BCC active user emails from group SMTP (#19724)
When sending emails out via group SMTP, if we
are sending them to non-staged users we want
to mask those emails with BCC, just so we don't
expose them to anyone we shouldn't. Staged users
are ones that have likely only interacted with
support via email, and will likely include other
people who were CC'd on the original email to the
group.

Co-authored-by: Martin Brennan <martin@discourse.org>
2023-01-05 10:54:47 +08:00
Alan Guo Xiang Tan
7a47c7b3f1 Revert "SECURITY: BCC active user emails from group SMTP (#19724)"
This reverts commit a09dc2d5c2.
2023-01-05 10:54:47 +08:00
Alan Guo Xiang Tan
2bb31f1ce6 Revert "Version bump to v2.8.14 (#19755)"
This reverts commit 8665f06f63.
2023-01-05 10:54:47 +08:00
Alan Guo Xiang Tan
8665f06f63
Version bump to v2.8.14 (#19755) 2023-01-05 09:56:13 +08:00
Alan Guo Xiang Tan
6543dec7cb
Version bump to v3.0.0.beta16 (#19751) 2023-01-05 09:45:40 +08:00
Alan Guo Xiang Tan
a09dc2d5c2 SECURITY: BCC active user emails from group SMTP (#19724)
When sending emails out via group SMTP, if we
are sending them to non-staged users we want
to mask those emails with BCC, just so we don't
expose them to anyone we shouldn't. Staged users
are ones that have likely only interacted with
support via email, and will likely include other
people who were CC'd on the original email to the
group.

Co-authored-by: Martin Brennan <martin@discourse.org>
2023-01-05 09:45:30 +08:00
Alan Guo Xiang Tan
1cb5200450 Revert "SECURITY: BCC active user emails from group SMTP (#19724)"
This reverts commit 7bd83ef6b5.
2023-01-05 09:45:30 +08:00
Alan Guo Xiang Tan
c83a7c91d1
SECURITY: Convert send_digest to a post request (#19748)
Co-authored-by: Isaac Janzen <isaac.janzen@discourse.org>
2023-01-05 08:51:39 +08:00
Alan Guo Xiang Tan
fae0cd9f54
SECURITY: use rstrip instead of regex gsub to prevent ReDOS (#19738)
`rstrip` implementation is much more performant than regex

Co-authored-by: Krzysztof Kotlarek <kotlarek.krzysztof@gmail.com>
2023-01-05 08:51:33 +08:00
Alan Guo Xiang Tan
4bf306f0e3
SECURITY: Delete email tokens when a user's email is changed or deleted (#19736)
Co-authored-by: OsamaSayegh <asooomaasoooma90@gmail.com>
2023-01-05 08:51:27 +08:00
Alan Guo Xiang Tan
b9e2e997f4
SECURITY: Check the length of raw post body (#19734)
Co-authored-by: Jarek Radosz <jradosz@gmail.com>
2023-01-05 08:51:21 +08:00
Alan Guo Xiang Tan
66ab2d71ff
SECURITY: escape quotes in tag description when rendering (#19731)
Co-authored-by: Daniel Waterworth <me@danielwaterworth.com>
2023-01-05 08:51:16 +08:00
Alan Guo Xiang Tan
9470ae7190
SECURITY: Don't expose user post counts to users who can't see the topic (#19729)
Co-authored-by: Daniel Waterworth <me@danielwaterworth.com>
Co-authored-by: Penar Musaraj <pmusaraj@gmail.com>
2023-01-05 08:51:10 +08:00
Alan Guo Xiang Tan
06a70d249b
SECURITY: Sanitize PendingPost titles before rendering to prevent XSS (#19727)
Co-authored-by: Daniel Waterworth <me@danielwaterworth.com>
2023-01-05 08:51:00 +08:00
Alan Guo Xiang Tan
7bd83ef6b5
SECURITY: BCC active user emails from group SMTP (#19724)
When sending emails out via group SMTP, if we
are sending them to non-staged users we want
to mask those emails with BCC, just so we don't
expose them to anyone we shouldn't. Staged users
are ones that have likely only interacted with
support via email, and will likely include other
people who were CC'd on the original email to the
group.

Co-authored-by: Martin Brennan <martin@discourse.org>
2023-01-05 08:50:54 +08:00
Alan Guo Xiang Tan
e58277adf3
DEV: Increase Capybara.default_max_wait_time on github actions (#19750)
Our working theory is that system tests on Github run on much less
powerful hardware as compared to running the tests on our work machines.
Hopefully, increasing the wait time now will help reduce some flakes
that we're seeing on Github.
2023-01-05 08:50:35 +08:00
David Taylor
c77a9f18be
DEV: Use ruby-2.7 for stable branch CI (#19749) 2023-01-05 08:50:22 +08:00
Alan Guo Xiang Tan
cf862e7365
SECURITY: Convert send_digest to a post request (#19746)
Co-authored-by: Isaac Janzen <isaac.janzen@discourse.org>
2023-01-05 06:57:12 +08:00
Martin Brennan
c2013865d7
FEATURE: Make experimental hashtag autocomplete default for new sites (#19681)
This feature is stable enough now to make it the default going forward
for new sites. Existing sites that have not yet set enable_experimental_hashtag_autocomplete
to `true` will have it set to `false` for their site settings, which was the old default.

c.f https://meta.discourse.org/t/hashtags-are-getting-a-makeover/248866
2023-01-05 08:44:58 +10:00
Martin Brennan
16b9165630
FIX: Bookmark auto delete preference usage and default value (#19707)
This commit fixes an issue where the chat message bookmarks
did not respect the user's `bookmark_auto_delete_preference`
which they select in their user preference page.

Also, it changes the default for that value to "keep bookmark and clear reminder"
rather than "never", which ends up leaving a lot of expired bookmark
reminders around which are a pain to clean up.
2023-01-05 08:43:58 +10:00
Jarek Radosz
1174a94867
DEV: Update json5, remove an unused lockfile (#19732) 2023-01-04 23:15:49 +01:00
Alan Guo Xiang Tan
918dd4d635
SECURITY: use rstrip instead of regex gsub to prevent ReDOS (#19737)
`rstrip` implementation is much more performant than regex

Co-authored-by: Krzysztof Kotlarek <kotlarek.krzysztof@gmail.com>
2023-01-05 06:09:17 +08:00
Alan Guo Xiang Tan
83944213b2
SECURITY: Delete email tokens when a user's email is changed or deleted (#19735)
Co-authored-by: OsamaSayegh <asooomaasoooma90@gmail.com>
2023-01-05 06:08:55 +08:00
Alan Guo Xiang Tan
bf6b08670a
SECURITY: Check the length of raw post body (#19733)
Co-authored-by: Jarek Radosz <jradosz@gmail.com>
2023-01-05 06:08:43 +08:00
Alan Guo Xiang Tan
692329896a
SECURITY: escape quotes in tag description when rendering (#19730)
Co-authored-by: Daniel Waterworth <me@danielwaterworth.com>
2023-01-05 06:08:32 +08:00
Alan Guo Xiang Tan
cbcf8a064b
SECURITY: Don't expose user post counts to users who can't see the topic (#19728)
Co-authored-by: Penar Musaraj <pmusaraj@gmail.com>

Co-authored-by: Daniel Waterworth <me@danielwaterworth.com>
Co-authored-by: Penar Musaraj <pmusaraj@gmail.com>
2023-01-05 06:08:19 +08:00
Alan Guo Xiang Tan
c0e2d7bada
SECURITY: Sanitize PendingPost titles before rendering to prevent XSS (#19726)
Co-authored-by: Daniel Waterworth <me@danielwaterworth.com>
2023-01-05 06:08:05 +08:00
Alan Guo Xiang Tan
ab3a032b4b
SECURITY: BCC active user emails from group SMTP (#19725)
When sending emails out via group SMTP, if we
are sending them to non-staged users we want
to mask those emails with BCC, just so we don't
expose them to anyone we shouldn't. Staged users
are ones that have likely only interacted with
support via email, and will likely include other
people who were CC'd on the original email to the
group.

Co-authored-by: Martin Brennan <martin@discourse.org>
2023-01-05 06:07:50 +08:00
dependabot[bot]
f4ab3f4543
Build(deps): Bump @babel/core in /app/assets/javascripts (#19723)
Bumps [@babel/core](https://github.com/babel/babel/tree/HEAD/packages/babel-core) from 7.20.7 to 7.20.12.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.20.12/packages/babel-core)

---
updated-dependencies:
- dependency-name: "@babel/core"
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-01-04 22:50:20 +01:00
dependabot[bot]
ec1c8d3353
Build(deps): Bump @babel/standalone in /app/assets/javascripts (#19722)
Bumps [@babel/standalone](https://github.com/babel/babel/tree/HEAD/packages/babel-standalone) from 7.20.11 to 7.20.12.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.20.12/packages/babel-standalone)

---
updated-dependencies:
- dependency-name: "@babel/standalone"
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-01-04 22:42:24 +01:00
dependabot[bot]
fb2c0ed548
Build(deps): Bump excon from 0.95.0 to 0.96.0 (#19721)
Bumps [excon](https://github.com/excon/excon) from 0.95.0 to 0.96.0.
- [Release notes](https://github.com/excon/excon/releases)
- [Changelog](https://github.com/excon/excon/blob/master/changelog.txt)
- [Commits](https://github.com/excon/excon/compare/v0.95.0...v0.96.0)

---
updated-dependencies:
- dependency-name: excon
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-01-04 22:38:22 +01:00
dependabot[bot]
f6c683e58c
Build(deps): Bump unicode-display_width from 2.4.0 to 2.4.2 (#19720)
Bumps [unicode-display_width](https://github.com/janlelis/unicode-display_width) from 2.4.0 to 2.4.2.
- [Release notes](https://github.com/janlelis/unicode-display_width/releases)
- [Changelog](https://github.com/janlelis/unicode-display_width/blob/main/CHANGELOG.md)
- [Commits](https://github.com/janlelis/unicode-display_width/compare/v2.4.0...v2.4.2)

---
updated-dependencies:
- dependency-name: unicode-display_width
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-01-04 22:37:48 +01:00
David Taylor
45435cbbd5
PERF: Use user-specific channel for message-bus logout (#19719)
Using a shared channel means that every user receives an update to the 'last_id' when *any* other user is logged out. If many users are being programmatically logged out at the same time, this can cause a very large number of message-bus polls.

This commit switches to use a user-specific channel, which means that each user has its own 'last id' which will only increment when they are logged out
2023-01-04 19:55:52 +00:00
dependabot[bot]
5c39e4b1c0
Build(deps-dev): Bump simplecov from 0.21.2 to 0.22.0 (#19626)
Bumps [simplecov](https://github.com/simplecov-ruby/simplecov) from 0.21.2 to 0.22.0.
- [Release notes](https://github.com/simplecov-ruby/simplecov/releases)
- [Changelog](https://github.com/simplecov-ruby/simplecov/blob/main/CHANGELOG.md)
- [Commits](https://github.com/simplecov-ruby/simplecov/compare/v0.21.2...v0.22.0)

---
updated-dependencies:
- dependency-name: simplecov
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-01-04 19:47:12 +01:00
Kris
dedf19803b
UX: more descriptive sidebar titles, casing (#19717) 2023-01-04 13:40:35 -05:00
Meghna
a9f2b62ac0
UX: fix the positioning of topic admin popup menu (#19713) 2023-01-04 17:45:24 +01:00
dependabot[bot]
696ec39327
Build(deps): Bump racc from 1.6.1 to 1.6.2 (#19625)
Bumps [racc](https://github.com/tenderlove/racc) from 1.6.1 to 1.6.2.
- [Release notes](https://github.com/tenderlove/racc/releases)
- [Changelog](https://github.com/ruby/racc/blob/master/ChangeLog)
- [Commits](https://github.com/tenderlove/racc/compare/v1.6.1...v1.6.2)

---
updated-dependencies:
- dependency-name: racc
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-01-04 17:16:39 +01:00
Martin Brennan
9e175a3613
DEV: Add chat system spec for multi-file upload (#19709)
Followup to 29638f0639
2023-01-04 15:26:52 +01:00
Joffrey JAFFEUX
ab7f3ee599
DEV: adds basic sorting to avoid flakey test (#19711)
`last_message_sent_at` has a `NOT_NULL` constraint in the DB so it should be safe to use for sorting.

This was causing two flakeys:

```
  1) UserNotifications.chat_summary with public channel email subject with regular mentions includes both channel titles when there are exactly two with unread mentions
     Failure/Error: example.run

       expected: "[Discourse] New message in Random 62 and Test channel"
            got: "[Discourse] New message in Test channel and Random 62"

       (compared using ==)
     # ./plugins/chat/spec/mailers/user_notifications_spec.rb:203:in `block (6 levels) in <main>'
     # ./spec/rails_helper.rb:356:in `block (2 levels) in <top (required)>'
     # ./vendor/bundle/ruby/3.1.0/gems/webmock-3.18.1/lib/webmock/rspec.rb:37:in `block (2 levels) in <top (required)>'

  2) UserNotifications.chat_summary with public channel email subject with regular mentions displays a count when there are more than two channels with unread mentions
     Failure/Error: example.run

       expected: "[Discourse] New message in Random 62 and 2 others"
            got: "[Discourse] New message in Test channel 0 and 2 others"

       (compared using ==)
     # ./plugins/chat/spec/mailers/user_notifications_spec.rb:236:in `block (6 levels) in <main>'
     # ./spec/rails_helper.rb:356:in `block (2 levels) in <top (required)>'
     # ./vendor/bundle/ruby/3.1.0/gems/webmock-3.18.1/lib/webmock/rspec.rb:37:in `block (2 levels) in <top (required)>'
```
2023-01-04 11:00:07 +01:00
Gerhard Schlager
8dfe7a68e6
UX: Remove unused strings (#19701)
* Remove unused strings
* Remove trailing quote from string
* Remove even more unused strings (they were removed in c4e10f2a9d)
* Don't use translations in tests which are only available on server
* Use more specific translation (and fix missing translation)
2023-01-04 10:32:53 +01:00
Osama Sayegh
bbcdf74c58
DEV: Flip primary_email_verified? default to false (#19703)
This commit changes the default return value of `Auth::ManagedAuthenticator#primary_email_verified?` to false. We're changing the default to force developers to think about email verification when building a new authentication method. All existing authenticators (in core and official plugins) have been updated to explicitly define the `primary_email_verified?` method in their subclass of `Auth::ManagedAuthenticator` (example commit 65f57a4d05).

Internal topic: t/82084.
2023-01-04 10:51:10 +03:00
Martin Brennan
42cf32169d
DEV: Refactor autocomplete scrolling element detection (#19706)
Rather than hardcoding `.hashtag-autocomplete__fadeout` as the
div element to scroll in autocomplete, instead pass it in as
an option via `scrollElementSelector`, then we don't have hashtag
template specific things in the autocomplete lib.
2023-01-04 14:11:52 +10:00
Alan Guo Xiang Tan
81c3c746d3
DEV: Fix a flaky test (#19705)
We don't really care about the order here so there is no need for us to
assert against a fixed order.
2023-01-04 09:21:21 +08:00
dependabot[bot]
6e0d4b2c1c
Build(deps): Bump unicode-display_width from 2.3.0 to 2.4.0 (#19700)
Bumps [unicode-display_width](https://github.com/janlelis/unicode-display_width) from 2.3.0 to 2.4.0.
- [Release notes](https://github.com/janlelis/unicode-display_width/releases)
- [Changelog](https://github.com/janlelis/unicode-display_width/blob/main/CHANGELOG.md)
- [Commits](https://github.com/janlelis/unicode-display_width/compare/v2.3.0...v2.4.0)

---
updated-dependencies:
- dependency-name: unicode-display_width
  dependency-type: indirect
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-01-04 09:07:41 +08:00
dependabot[bot]
fdc64c4555
Build(deps): Bump parser from 3.1.3.0 to 3.2.0.0 (#19699)
Bumps [parser](https://github.com/whitequark/parser) from 3.1.3.0 to 3.2.0.0.
- [Release notes](https://github.com/whitequark/parser/releases)
- [Changelog](https://github.com/whitequark/parser/blob/master/CHANGELOG.md)
- [Commits](https://github.com/whitequark/parser/compare/v3.1.3.0...v3.2.0.0)

---
updated-dependencies:
- dependency-name: parser
  dependency-type: indirect
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-01-04 09:07:13 +08:00