Commit Graph

409 Commits

Author SHA1 Message Date
Victor van Poppelen
9e60f9f093 JSON API parsing error on CSRF exception: single quotes in ['BAD CSRF'] is invalid JSON:
https://meta.discourse.org/t/json-api-parsing-error-single-quotes-used-for-errors-like-bad-csrf/58869
2017-03-16 16:47:18 -07:00
Régis Hanol
fdf749770b remove unecessary '.limit(1)' 2017-02-24 12:56:13 +01:00
Sam
f15f61da0a FEATURE: add immutable caching to rails site of things 2017-02-23 13:05:00 -05:00
Sam
1935f624b8 FEATURE: reset active record cache in sidekiq if needed
This can happen in multisite environments after restores
2017-02-17 12:09:53 -05:00
Sam
e0ff57ca75 SECURITY: prevent reuse of password reset 2016-12-19 18:00:22 +11:00
Sam
6ff309aa80 SECURITY: don't grant same privileges to user_api and api access
User API is no longer gets bypasses that standard API gets.
Only bypasses are CSRF and XHR requirements.
2016-12-16 12:05:43 +11:00
Guo Xiang Tan
81d333289e FIX: Return 503 when in readonly mode. 2016-12-07 14:04:42 +08:00
Sam
1db9d17756 Make removal of topic columns more resilient to deploys 2016-12-05 12:11:46 +11:00
Sam
c04d4171ff FIX: whisper no longer experimental
- Regular users are not notified of whispers
- Regular users no longer have "stuck" topics in unread
- Additional tracking for staff highest post number
- Remove a bunch of unused columns in topics table
2016-12-02 17:03:31 +11:00
Guo Xiang Tan
d95fbd89d0 Enable miniprofiler in development automatically. 2016-11-29 10:59:10 +08:00
Sam
63d9d4f301 FIX: properly specify default on no cache on all resources 2016-11-15 17:00:44 +11:00
Sam
6031e692f0 Merge pull request #4366 from xfalcox/print
Print Support
2016-10-11 11:47:20 +11:00
Neil Lalonde
600b23c0a4 FIX: permalink redirects should work on tag paths 2016-10-04 12:01:42 -04:00
Rafael dos Santos Silva
c12e533273 Feature: Adds a button to print a topic 2016-09-26 20:44:50 -03:00
Robin Ward
7f66cf618c FIX: You should be an admin to do the wizard 2016-09-22 11:12:51 -04:00
Robin Ward
29cf47cfb2 Track steps the user has completed, nag them to finish it. 2016-09-22 09:52:19 -04:00
Sam
75f3f7fcbd FEATURE: clean API method for reading a single notification 2016-09-16 16:14:15 +10:00
Sam
eaf87f0770 FIX: correctly handle api key so it uses current user provider 2016-08-26 10:39:13 +10:00
Sam
df535c6346 FEATURE: refresh session cookie at most once an hour
This feature ensures session cookie lifespan is extended
when user is online.

Also decreases session timeout from 90 to 60 days.
Ensures all users (including logged on ones) get expiring sessions.
2016-07-25 12:07:31 +10:00
Guo Xiang Tan
5fed886c8f FIX: Update post replies when we move posts. (#4324) 2016-07-13 17:34:21 +02:00
Guo Xiang Tan
e221414935
PERF: Remove N+1 queries on user messages page. 2016-06-29 09:30:54 +08:00
James Cook
c0e25b5a9a Replace certain uses of 'gsub' with 'tr' or 'chomp' for a speed
improvement
2016-06-10 22:08:37 -05:00
Robin Ward
4180e207c3 FIX: Crazy large ids should not raise exceptions 2016-03-23 12:13:47 -04:00
Sam
84d234a98a Merge pull request #4076 from scossar/locale-from-header-setting
FEATURE: add site setting for setting locale from header
2016-03-17 07:53:20 +11:00
Robin Ward
06591022fe FEATURE: Generous badge 2016-03-15 16:08:29 -04:00
scossar
0cbeda8414 add site setting for setting locale from header 2016-03-14 16:18:19 -07:00
Sam Saffron
7598037080 Only pull in gem if it is being used, remove middleware 2016-03-04 23:17:14 +11:00
Régis Hanol
1135d2094a Merge pull request #4006 from scossar/set-locale-from-header
Feature: (WIP) Set locale from Accept-Language header
2016-03-04 09:12:30 +01:00
Sam
610954ecce Merge pull request #4035 from tgxworld/dont_return_500_when_plugin_is_disabled
Return 404 instead 500 when plugin is disabled.
2016-02-27 16:55:50 +11:00
scossar
0a396583ed set locale for anonymous from header
set locale on signup

update spec

add locale option
2016-02-26 13:45:00 -08:00
Guo Xiang Tan
a3fa80847e Return 404 instead 500 when plugin is disabled. 2016-02-24 17:09:30 +08:00
Arpit Jalan
d77511319e show monthly top topics on 404 page 2016-02-24 13:46:55 +05:30
Sam
4c0a40f2b0 FIX: publish notification state when notifications are read
(this clears green and blue bubbles)
2016-02-22 12:24:51 +11:00
Sam
dd6ebde824 FIX: Always ensure notifications are treated as read once clicked
UX: improve messaging so notifications list is far more stable
PERF: improve performance of notifcation lookup queries

- Add feature "SetTransientHeader" that allows shipping info to server
   in the next Ajax request
- remove local storage hack used for notifications
- amend lookupStale to return hydrated objects, move logic into store
- stop magically clearing various notifications (likes, invitee accepted, group_summary, granted badge)
2016-02-15 19:29:47 +11:00
Régis Hanol
825a01cec3 fix the build 2016-01-15 12:34:28 +01:00
Régis Hanol
c9c6b09f36 FIX: allow staff members to edit staged users preferences 2016-01-15 12:16:00 +01:00
Faisal Abbas
f2480aa81f FIX: When 410 is received, display proper error message instead of generic. 2015-12-30 17:18:32 +05:00
Robin Ward
d1ebb9d0b5 FIX: I18n Fallbacks were not applying correctly 2015-12-23 12:09:18 -05:00
Robin Ward
de88be2fbc Support for "Only show overridden" in site text customization 2015-11-30 15:25:08 -05:00
Régis Hanol
16b3d26d7b allow staff members to view staged accounts user card/profile 2015-11-27 20:02:24 +01:00
Robin Ward
1506eba28d Support for overriding client side translation keys 2015-11-20 17:14:01 -05:00
Robin Ward
3720783c1b Refactor to our own Discourse I18n backend
This removes some monkey patches and makes testing easier.
It will also support database backed I18n changes.
2015-11-13 16:35:02 -05:00
Arpit Jalan
106cb9874a FIX: show 404 page when user is logged out and navigates to private message 2015-10-30 17:41:55 +05:30
Robin Ward
db5379508e FIX: Don't show an anonymous cache if there is a flash 2015-10-28 15:12:05 -04:00
Sam
6f43b575a8 FEATURE: no need to cap new and unread together anymore
- leave unread alone
- cap new at 500 per site, with a site setting
2015-10-01 17:17:15 +10:00
Robin Ward
3620c8c85e Move descriptions for rate limiting errors into the exception 2015-09-24 13:52:46 -04:00
Sam
335be272ff FEATURE: implement capping of new/unread
We cap new and unread at 2/5th of SiteSetting.max_tracked_new_unread

This dynamic capping is applied under 2 conditions:

1. New capping is applied once every 15 minutes in the periodical job, this effectively ensures that usually even super active sites are capped at 200 new items

2. Unread capping is applied if a user hits max_tracked_new_unread,
  meaning if new + unread == 500, we defer a job that runs within 15 minutes that will cap user at 200 unread

This logic ensures that at worst case a user gets "bad" numbers for 15 minutes and then the system goes ahead and fixes itself up
2015-09-07 12:03:17 +10:00
Dan Singerman
8055d065f2 Refactor ApplicationController#redirect_to_login_if_required to use session for SSO 2015-08-11 16:48:55 +01:00
Robin Ward
9911e92e24 Merge pull request #3609 from riking/patch-7
FEATURE: Localization fallbacks
2015-07-30 10:44:29 -04:00
Arpit Jalan
d6069e8c90 UX: fix container layout 2015-07-28 13:58:30 +05:30
Sam
4491813d22 Revert "Revert "PERF: optimise query that gathers topic tracking state""
This reverts commit 909be09f1a.
2015-07-21 21:48:07 +10:00
Sam
909be09f1a Revert "PERF: optimise query that gathers topic tracking state"
This reverts commit 343e417a55.
2015-07-21 17:35:50 +10:00
Sam
343e417a55 PERF: optimise query that gathers topic tracking state
(this query runs on the front page to figure out new and unread topics)
2015-07-21 17:14:30 +10:00
Kane York
ecfa17b5a7 FEATURE: Localization fallbacks (server-side)
The FallbackLocaleList object tells I18n::Backend::Fallbacks what order the
languages should be attempted in. Because of the translate_accelerator patch,
the SiteSetting.default_locale is *not* guaranteed to be fully loaded after the
server starts, so a call to ensure_loaded! is added after the locale is set for
the current user.

The declarations of config.i18n.fallbacks = true in the environment files were
actually garbage, because the I18n.default_locale was
SiteSetting.default_locale, so there was nothing to fall back to. *derp*
2015-07-15 10:17:36 -07:00
Sam
b052179ae6 Merge pull request #3163 from rcfox/fix-by-external
Allow periods in the external_id value used in the /users/by-external route.
2015-06-24 13:07:12 +10:00
Sam
f26eee8431 FEATURE: add username to NGINX logs 2015-06-16 17:43:53 +10:00
Sam
690f4a4c37 add X so it shows up at the end of chrome 2015-06-16 10:27:42 +10:00
Sam
9b8b1d0034 FEATURE: add special header that names the action for the request 2015-06-16 09:54:44 +10:00
Robin Ward
5da5269652 FIX: Bad page title for categories view by google crawler 2015-06-08 12:07:35 -04:00
Sam
fe46d1dd3b PERF: avoid cookies for all static, public, cached forever assets 2015-05-22 16:15:46 +10:00
Robin Ward
0ed1c8011c FIX: About page error when login_required 2015-05-21 14:37:49 -04:00
Sam
e5888cf090 PERF: avoid preloading json in cases where it is not needed
(uploads / avatars / non GET requests)
2015-05-20 17:12:16 +10:00
Ryan Fox
14d2b76354 Merge branch 'master' into fix-by-external
Conflicts:
	app/controllers/users_controller.rb
2015-05-15 19:54:11 -04:00
Sam
8277a586bb usage of raise corrected 2015-05-07 11:00:51 +10:00
Robin Ward
16408cee06 Allow Postgres to trigger readonly mode for the site. 2015-04-29 11:49:58 -04:00
Robin Ward
3cb4554bbb Can refresh queued posts via button 2015-04-27 13:52:54 -04:00
Robin Ward
3a6efa25f0 Allow ReadOnly to propogate up to the Ember app via Response Header 2015-04-24 14:37:16 -04:00
Robin Ward
0c233e4e25 Interface is wired up for Approving/Rejecting posts 2015-04-15 14:54:37 -04:00
Robin Ward
96d2c5069b Interface for reviewing queued posts 2015-04-15 14:54:37 -04:00
Robin Ward
19a9a8b408 NewPostManager determines whether to queue a post or not 2015-04-15 14:54:36 -04:00
Sam
bb20f64cb2 use standard error so its easier to catch 2015-03-23 12:20:50 +11:00
Régis Hanol
df3b1f6968 FIX: editing a post wasn't showing error messages from the server 2015-03-19 12:25:15 +01:00
Robin Ward
3ad12d44f3 Use a mixin for the path function to DRY it up 2015-03-09 15:24:16 -04:00
Sam
f5af4768eb FEATURE: add clean support for running Discourse in a subfolder
To setup set DISCOURSE_RELATIVE_URL_ROOT to the folder you wish
2015-03-09 13:14:29 +11:00
Sam
71d6266f98 REGRESSION: exceptions are handled natively by logster 2015-02-27 13:05:51 +11:00
Sigurður Guðbrandsson
96e6fd3449 Cleaned up the sso codefix, thanks @SamSaffron
@SamSaffron showed me a cleaner way to use the if statements in the sso redirect code.

Thanks sam ;)
2015-02-23 22:10:44 +00:00
Sigurður Guðbrandsson
334a357363 FIX: Forward to SSO login automatically
Forward to SSO login URL automatically if SSO is enabled and login is required.

Makes it simpler for users to log in automatically.
2015-02-23 21:20:36 +00:00
Sam
5266ad4539 Merge pull request #3183 from riking/json-errors-2
Consolidate custom exception handling
2015-02-23 16:58:05 +11:00
riking
ecb911285d Fix the render_json_error api 2015-02-22 21:28:50 -08:00
riking
68ccd2d664 FEATURE: All 500 errors now show up in Logster
Added Discourse.handle_request_exception()
2015-02-09 12:48:33 -08:00
riking
8d39480831 use symbols for error types (squash me) 2015-02-09 10:20:00 -08:00
Lincoln Lee
02f3f8c1b3 Fix customize HTML/CSS only show desktop code
custom_top and custom_footer method in SiteCustomization is setting
:desktop as default argument for `target`

It output the desktop version of the custom_top, custom_footer even
user in mobile_view.

This fix is adding the missing target into method argument.
2015-02-10 00:48:42 +08:00
riking
a16aa9fde8 HACK: Keep old behavior for topics#show 2015-02-08 13:56:56 -08:00
riking
8cf21f2363 FEATURE: Refactor error returns in application_controller 2015-02-08 13:40:38 -08:00
riking
06f02ce9fc FIX: 🈂️ Allow closing polls in multi-locale sites 2015-02-05 19:55:03 -08:00
Robin Ward
25daca8f23 Helpers for plugins to support enabling/disabling 2015-02-04 16:23:56 -05:00
Arpit Jalan
68377ba4ab add class for container div on 404 page 2015-02-04 00:40:21 +05:30
Ryan Fox
c3f21dcdfc Remove the .json part from the external_id value when using it to lookup a user. 2015-02-02 12:58:02 -05:00
riking
fb72e2665f PERF 🐎 Don't calculate preload data for non-xhr json requests
This will help out anyone querying as API instead of through a
browser.
2015-01-23 21:14:58 -08:00
Robin Ward
987504c6ab Rename no_js layout to no_ember
While *sometimes* `no_js` was used for visitors without js (for example
disabling it on your browser) it was also used for some pages that were
disabled to JS capable browsers, including the 404 page.

Even worse, sometimes it was used on pages that *had* Javascript, such
as our `/activate-account` route. It has been renamed to `no_ember` to
indicate what it really is, a layout for the site that doesn't load our
Ember.js application.
2015-01-15 15:56:53 -05:00
Régis Hanol
6734a51b6a move SiteText.{head,top,bottom} to SiteCustomization 2015-01-14 12:15:53 +01:00
Robin Ward
f3b72f5d96 Revert "move SiteText.{head,bottom} to SiteCustomization and remove redundant SiteText.top"
This reverts commit 6ee2849df6.
2015-01-12 20:21:22 -05:00
Régis Hanol
6ee2849df6 move SiteText.{head,bottom} to SiteCustomization and remove redundant SiteText.top 2015-01-12 19:59:43 +01:00
Sam
a99c3c3df9 FEATURE: allow users to persist customization with &sticky=true 2015-01-06 17:39:08 +11:00
Régis Hanol
45dbdb6896 FEATURE: custom emojis 2014-12-23 01:12:26 +01:00
Régis Hanol
cdbee4f5d9 Merge pull request #3045 from techAPJ/patch-2
FIX: redirect client to the original url after logging in for private in...
2014-12-17 11:21:56 +01:00
Arpit Jalan
9f8e73303a FIX: redirect client to the original url after logging in for private instances 2014-12-16 13:19:26 +05:30
Robin Ward
b1bc4741b1 FEATURE: Load fewer topics in the topic list on slow platforms (Android) 2014-12-15 11:54:26 -05:00
Sam
c7bc692f40 PERF: stop querying banner topic on every page hit 2014-11-14 15:39:17 +11:00
Régis Hanol
ec76be964e UX: better footer handling 2014-11-10 21:51:55 +01:00
Robin Ward
572842721d FIX: Better page titles for SEO 2014-10-30 14:26:56 -04:00
Régis Hanol
5754e8dd0f FEATURE: auto-close topics based on last post 2014-10-10 18:21:44 +02:00
Robin Ward
8b5a1cd20f Migrate tosAccepted to new user fields 2014-09-30 10:45:18 -04:00
Sam
e14e8f64bc FIX: don't stop youtube when liking a post
Also fixes post action create/destroy api not to include post raw.
2014-09-25 12:02:41 +10:00
Robin Ward
bc53d48bd7 Renaming site contents to site text 2014-09-24 16:08:14 -04:00
Robin Ward
56eda5abf9 FIX: Don't allow profile bios longer than 3k chars 2014-09-08 15:23:21 -04:00
Robin Ward
b04a52676e FIX: Don't show wrong flag choices after undo 2014-09-02 17:37:54 -04:00
Robin Ward
c9262a8390 FIX: Resend activation email was busted 2014-08-28 12:07:13 -04:00
Robin Ward
9a1580244a FIX: Don't show profile pages for inactive users and don't show them in
search results.
2014-08-13 13:30:25 -04:00
Sam
0920c4bea6 PERF: reduce storage requirements for incoming links
Only store incoming links for topics.
2014-08-04 11:06:48 +10:00
Sam
9468ebeb2e CHANGE: Mini Profiler only enabled for developers in prd 2014-07-17 08:34:41 +10:00
riking
783454ebe1 Fix /p/post/user route not saving referrals
Make user id optional for /p/id/uid
Add /posts/id/raw route for debugging failed post processing
2014-07-11 14:44:07 -07:00
Neil Lalonde
5bcfb6ee38 FIX: don't show 'About category' topics on the 404 page 2014-07-04 16:18:17 -04:00
riking
2d5f667160 Make ?preview-style make sense
New behavior:
?preview-style=(sha) -- see that stylesheet
?preview-style= -- see the currently selected stylesheet
?preview-style=default -- see the default stylesheet ("rescue mode")
2014-06-20 09:06:36 -07:00
Neil Lalonde
ad2bd11d6e Add a way to get user based on sso external id 2014-06-18 14:40:25 -04:00
Régis Hanol
00117c18c3 FEATURE: dismissable banner topic 2014-06-18 20:05:19 +02:00
Sam
f1a28d62a3 FEATURE: support registration of custom html by plugins 2014-06-05 11:39:33 +10:00
Sam
fa6f22dd39 Move letter avatars out of upload system
FIX: S3 issues around system avatars
FIX: reduced backup file size
2014-05-30 14:45:55 +10:00
Sam
f8b7f0d73f FEATURE: logster env tab, log current user 2014-05-12 15:28:23 +10:00
Louis Rose
1574485443 Perform the where(...).first to find_by(...) refactoring.
This refactoring was automated using the command: bundle exec "ruby refactorings/where_dot_first_to_find_by/app.rb"
2014-05-06 14:41:59 +01:00
Vikhyat Korrapati
8f53b7a65b Detect arrays for serialization using respond_to?(:to_ary).
This is the way AMS detects arrays, and is more robust than checking
is_a? for whitelisted classes. For example, this works for
ActiveRecord::AssociationRelation which the current logic does not
handle.
2014-04-16 20:48:09 +05:30
Robin Ward
558a06a117 Adds better reusable error message support. Added to fetching remote
posts. /cc @riking
2014-04-02 13:22:10 -04:00
Robin Ward
b0f3061113 It doesn't make sense to redirect when not logged in on a non-GET
request. We should report a failure then. They likely logged out or
in another tab or timed out.
2014-03-05 12:12:53 -05:00
Neil Lalonde
7322345039 FIX: when shown 403 error page and logging in, it will take you to the same page 2014-02-26 17:53:53 -05:00
Robin Ward
3151f59bc9 REFACTOR: We don't cache the json for the Site model anymore, so let's
rename and remove the methods leftover from that.
2014-02-24 14:25:37 -05:00
Neil Lalonde
9545e2e46e FIX: broken 404 page. don't bother showing current_usre stuff 2014-02-21 12:24:45 -05:00
Robin Ward
d95887c57d CHANGE: We now include the _escaped_fragment_ support by default, but
only if the crawler check fails. It is a fallback for non-google search
engines that support the Ajax crawling API.
2014-02-20 17:02:26 -05:00
Robin Ward
c4b5455c21 REFACTOR: Rename GooglebotDetection to CrawlerDetection because we
will likely whitelist more crawlers in the future.
2014-02-20 16:07:02 -05:00
Régis Hanol
d443ddd43d Merge pull request #1922 from joallard/language-toggle
Allow users to toggle interface language in their preferences
2014-02-19 18:28:00 +01:00
Neil Lalonde
7f6b2e5563 Show login button on 404 page. Add routes to show login and signup modals when page/route loads. If logged in and showing 404 page, load ember app. 2014-02-18 17:18:53 -05:00
Jonathan Allard
0592420e52 Add a site setting to allow users to toggle I18n.locale
It is false by default.
2014-02-18 14:54:00 -05:00
Jonathan Allard
c513725f26 Allow users to toggle interface language in their preferences 2014-02-18 14:53:59 -05:00
Neil Lalonde
d298e2e065 Detect Googlebot from user agent and use a different layout that doesn't load javascript 2014-02-15 17:54:34 -05:00
Régis Hanol
5725f02d9e allow full access to /admin/backups while in read-only mode 2014-02-13 13:31:14 -08:00
Régis Hanol
e7472dc374 readonly mode 2014-02-13 13:31:13 -08:00
Neil Lalonde
e0df404d7e Add site setting tos_accept_required. If enabled, users must check a box saying that they've read and accept the terms of service. 2014-02-07 16:04:13 -05:00
slainer68
748e1e0748 Allow using the API when Login required site setting is on. 2014-01-24 14:02:49 +01:00
Neil Lalonde
259295d865 Add post_edit_time_limit site setting to limit the how long a post can be edited and deleted by the author. Default is 1 year. 2014-01-09 11:55:04 -05:00
christophe
dfb9b8fa58 Fix unused parameter 2014-01-04 08:53:27 +01:00
Neil Lalonde
1f0a59584b Revert "Re-apply with fixes: Stop using user agent to detect mobile devices. Use a media query and yepnope to load the appropriate css and customizations." 2013-12-18 14:47:22 -05:00
Régis Hanol
94fda12795 use a helper instead of a view for custom HTML content 2013-12-17 18:56:59 +01:00
Régis Hanol
4c6b535cc0 move arbitrary html content out of noscript and into the preloadstore 2013-12-17 18:25:27 +01:00
Neil Lalonde
5171a23a9c Re-apply with fixes: Stop using user agent to detect mobile devices. Use a media query and yepnope to load the appropriate css and customizations. 2013-12-11 11:19:22 -05:00
Neil Lalonde
2596f7dec2 Revert "Stop using user agent to detect mobile devices. Use a media query and yepnope to load the appropriate css and customizations." 2013-12-09 16:28:11 -05:00
Neil Lalonde
ca5d4d5e54 Stop using user agent to detect mobile devices. Use a media query and yepnope to load the appropriate css and customizations. 2013-12-09 13:28:42 -05:00
Harry Seo
2d9876a6ac FIX: set_locale filter must be executed before check_xhr filter because check_xhr filter renders html in some cases 2013-12-04 20:49:54 +09:00
Robin Ward
7207cef7aa TopicQuery cleanup in advance of custom sorting:
- Move SQL method constants into a module
- Removed unused count methods
- Moved methods that don't return a TopicList into Topic
- Replaced some confusing method signatures
2013-11-13 12:26:32 -05:00
Régis Hanol
e9f9d22482 add query parameter to temporarily disable customization 2013-11-12 18:14:22 +01:00
Robin Ward
de30af9302 Support for inviting to a forum from a user's invite page. 2013-11-06 12:56:50 -05:00
Vikhyat Korrapati
855ee3b43d Fix ActiveRecord::Associations::CollectionProxy serialization in Rails 4. 2013-11-03 10:41:38 +05:30
Robin Ward
348e2e3ef2 Support for per-user API keys 2013-10-22 17:34:39 -04:00
Sam
3d647a4b41 remove rack cache, it has been causing trouble
instead implement an aggressive anonymous cache that is stored in redis
this cache is sitting in the front of the middleware stack enabled only in production
TODO: expire it more intelligently when stuff is created
2013-10-16 16:39:18 +11:00
Sam
939a452293 require dependency was leading to errors in dev 2013-10-09 17:22:41 +11:00
Sam
7993845bfa add current_user_provider so people can override current_user bevior cleanly, see
http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278
2013-10-09 15:11:54 +11:00
Neil Lalonde
45d7765936 Merge branch 'master' into mobile 2013-09-05 15:54:22 -04:00
Robin Ward
f157ec1f91 Select +Replies for bulk operations 2013-09-05 11:03:29 -04:00
Neil Lalonde
9efa29e688 Detect whether to use mobile view. Session var mobile_view can override automatic detection. 2013-08-27 14:57:42 -04:00
Sam
c4a0152dc6 recover from bad CSRF tokens without requiring a hard refresh of the browser 2013-08-27 15:56:12 +10:00
Sam
11dca1fd92 make code climate a bit happier 2013-08-06 06:25:44 +10:00
Sam
aa6c92922d SECURITY: correct our CSRF implementation to be much more aggressive 2013-07-29 15:13:13 +10:00
Sam
ecf17cfebb work in progress, add fidelity to category group permissions (full, create posts, readonly) 2013-07-16 15:46:11 +10:00
Robin Ward
19c169540c Staff can enter and view deleted topics 2013-07-11 16:39:35 -04:00
Stephan Kaag
e39cc464b1 Refactor routes in order to be compatible with Rails 4 2013-07-01 20:00:06 +02:00
Sam
92562c2090 Merge pull request #1057 from house9/list-controller-1
refactor list_controller
2013-06-25 17:36:56 -07:00
Neil Lalonde
a86b35c873 Remove the access_password site setting 2013-06-25 15:05:25 -04:00
Jesse House
2e12eb2b62 refactor list_controller
- minor refactoring of actions 'category' and 'category_feed'
- fix defect in 'category' where check was for literal
  string 'uncategorized' instead of SiteSetting.uncategorized_name
- major refactoring on defined topic actions
2013-06-25 08:29:00 -07:00
Vipul A M
4ddc0825f5 Remove code duplication in ApplicationController 2013-06-20 21:17:33 +05:30
Sam
7ca5ab3da3 allow api for restricted by global password sites 2013-06-17 16:09:59 +10:00
Sam
b97d186cb5 automatic groups should not allow you to muck with the listed users in the group 2013-06-17 12:54:25 +10:00
Sam
e6e81efe85 correct information leak in page not found 2013-06-13 10:27:17 +10:00
Robin Ward
5217602ec3 FIX: RSS paths render a 404 for missing topics. 2013-06-07 12:52:12 -04:00
Neil Lalonde
62041da7e0 Handle /t/only-the-slug urls by trying to find the topic by slug (second try) 2013-06-06 14:41:37 -04:00
Ian Christian Myers
0d01c33482 Enabled strong_parameters across all models/controllers.
All models are now using ActiveModel::ForbiddenAttributesProtection, which shifts the responsibility for parameter whitelisting for mass-assignments from the model to the controller. attr_accessible has been disabled and removed as this functionality replaces that.

The require_parameters method in the ApplicationController has been removed in favor of strong_parameters' #require method.

It is important to note that there is still some refactoring required to get all parameters to pass through #require and #permit so that we can guarantee that parameter values are scalar. Currently strong_parameters, in most cases, is only being utilized to require parameters and to whitelist the few places that do mass-assignments.
2013-06-06 00:30:59 -07:00
Chris Hunt
92a4828f72 Redirect all controllers to login if required
We want to skip the filter for sessions controller so that we can login
and we want to skip the filter for static pages because those should be
visible to visitors.
2013-06-04 16:10:10 -07:00
Robin Ward
02b1f78410 FIX: Include preloaded data even if the request type isn't explicitly text/html 2013-06-04 12:56:12 -04:00
Neil Lalonde
42714b424f For 403 errors, show the same html page as 404 2013-05-30 16:39:39 -04:00
Sam
e93b7a3b20 more progress towards live unread and new counts, unread message implemented, still to implement delete messages 2013-05-30 16:49:57 +10:00
Robin Ward
830b93a16b Reduced complexity of admin flags controller, split up into methods, moved reports into model. 2013-05-29 16:49:34 -04:00
Robin Ward
0f296cd42b Refactor + Fix: Wasn't correctly loading activity streams. Code is a lot more Ember-y now. 2013-05-22 12:06:37 -04:00
Sam
fc57578c85 proper 404 for json request 404 2013-05-20 17:28:32 +10:00
Sam
80fb20816c get rid of nonsense 404.html
correct 404 handling for invalid pages
2013-05-20 10:29:49 +10:00
Sam
b6bf95e741 speed up startup (avoid loading some gems on startup)
correct group permission leaks
add Discourse.cache for richer caching support
2013-05-13 18:04:03 +10:00
Sam
cef9a74053 route for markdown /md/topic_id/post_number 2013-04-30 16:30:41 +10:00
Régis Hanol
017ee7c2da FIX: [security bug] XHR check bypass 2013-04-30 02:34:19 +02:00
Sam
f9e33ec6b8 store ip address and current user with incoming links
make links long an readable in share dialog
2013-04-26 16:18:55 +10:00
Sam
37867af1bb track incoming links, amend share link to include user
fix pm styling
2013-04-24 18:05:35 +10:00
Sam
6974ad487c fix not found error when spiders were hitting with .php 2013-04-18 09:55:47 +10:00
Sam
0f362c5474 this has been bugging me for ages, broken "fill your profile link" fixed AND bio updates when you save 2013-04-12 10:07:58 +10:00
Sam
850b042cab introduce rack:cache as a default, so users don't need to configure apache or nginx
under rack cache we are able to serve 620reqs a second per thin (on my machine) before it 12 (on my machine)

reorganised so mini profilers can be cleanly disabled from config file

added caching for categories index

move production.rb to production.sample.rb
2013-04-11 16:24:21 +10:00
Régis Hanol
41b7f741d0 extract hard-coded strings 2013-04-07 18:14:50 +02:00
Sam
c57ec611e1 basic api support 2013-03-25 18:04:46 -07:00
Sam
deb603f41c Merge pull request #547 from kid0m4n/convert-ruby-1-9-syntax
Convert a lot of :a => b to a: b and bring peace to the world
2013-03-24 16:43:17 -07:00
Karan Misra
5dfb04e4b3 Convert a lot of :a => b to a: b and bring peace to the world 2013-03-25 05:07:36 +05:30
Régis Hanol
0da8f35659 [fixes #391] exception when wrong resource type in URL 2013-03-24 22:25:24 +01:00
Régis Hanol
239cbd2d58 enforce coding convention
replaced every `and` by `&&` and every `or` by `||`
2013-03-05 01:42:44 +01:00
Robin Ward
d2596c3c4c Remove unusued site_settings, show checkbox in UI for boolean values, remove restrict_access
boolean to avoid locking yourself out by setting access_password to empty string. Minor
UI tweaks.
2013-03-01 14:27:41 -05:00
Robin Ward
628927a79f Added Site Setting to change locale. 2013-02-28 14:34:38 -05:00
Gosha Arinich
cafc75b238 remove trailing whitespaces ❤️ 2013-02-26 07:31:35 +03:00
Sam Saffron
b66db4153d refactor and organise current_user better 2013-02-24 21:42:04 +11:00
tms
3e6641c07e Unsign auth token cookies per discussion on #215 2013-02-23 13:40:21 -05:00
tms
5616fdc475 Sign the auth token cookie and make it httpOnly 2013-02-20 17:24:19 -05:00
xdite
cab4d95eaf use canonical-url plugin to make view more clean 2013-02-13 19:04:43 +08:00
Robin Ward
57049b55a2 Little things:
- Retries on deadlock when calculating average time
- Removes Warning: When specifying html format for errors
- Doesn't use manual SQL to update user's ip address
2013-02-11 15:47:28 -05:00
Robin Ward
6ce32b8bc4 Trivial: Was not finding files in public for errors due to missing extensions. 2013-02-11 14:39:26 -05:00
Sam Saffron
80929ead4b security hole fixed 2013-02-11 17:28:21 +11:00
Jakub Arnold
61654ab8f0 Fix all the trailing whitespace 2013-02-07 16:45:24 +01:00
Robin Ward
6043a370ad Oops, that should be 1.minute 2013-02-06 12:07:22 -05:00
Robin Ward
8d568b05c4 Don't enable Cache-Control if the site has restricted access. 2013-02-06 11:55:54 -05:00
Robin Ward
21b5628528 Initial release of Discourse 2013-02-05 14:16:51 -05:00