Commit Graph

54857 Commits

Author SHA1 Message Date
Alan Guo Xiang Tan
10afe5fcf1
SECURITY: Avoid the use of Object#send in Onebox::Engine::StandardEmbed
Use `Object#public_send` instead which is much safer
2024-07-03 20:49:25 +08:00
Jan Cernik
311b737c91
SECURITY: Fix Stored-dom XSS via Facebook Oneboxes 2024-07-03 20:49:22 +08:00
Blake Erickson
e2a7265dba
SECURITY: Update reviewable user serializer payload
Exclude email from reviewable user serializer based on user scope.
2024-07-03 20:49:19 +08:00
Ted Johansson
67e7808603
SECURITY: Add FastImage SSRF safe freedom patch 2024-07-03 20:49:15 +08:00
Jarek Radosz
89c0123b3a
FIX: Redo relative-time-picker (#27651)
Fixes various issues with the picker
2024-07-03 14:15:21 +02:00
Natalie Tay
751750c7f8
FIX: Do not schedule avatar download if image is '' (#27687) 2024-07-03 19:50:31 +08:00
锦心
f3130bc6d9
FIX: Inline footnotes doesn’t work in the table at fullscreen (#27686)
* FIX: Inline footnotes doesn’t work in the table at fullscreen

meta topic: https://meta.discourse.org/t/inline-footnotes-doesnt-work-in-the-table-at-fullscreen/313445
2024-07-03 18:52:36 +08:00
dependabot[bot]
395cbbfe67
Build(deps-dev): Bump esbuild from 0.22.0 to 0.23.0 (#27681)
Bumps [esbuild](https://github.com/evanw/esbuild) from 0.22.0 to 0.23.0.
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md)
- [Commits](https://github.com/evanw/esbuild/compare/v0.22.0...v0.23.0)

---
updated-dependencies:
- dependency-name: esbuild
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-07-03 11:03:10 +02:00
Krzysztof Kotlarek
4157161578
DEV: flaky reorder flags specs (#27684)
Before checking if flags were reordered on the topic page, we need to ensure that the reorder action was finished. To achieve it "saving" CSS is added and removed when AJAX call is completed.
2024-07-03 12:02:18 +10:00
dependabot[bot]
13c297e4ff
Build(deps): Bump sassc-embedded from 1.77.1 to 1.77.2 (#27682)
Bumps [sassc-embedded](https://github.com/sass-contrib/sassc-embedded-shim-ruby) from 1.77.1 to 1.77.2.
- [Commits](https://github.com/sass-contrib/sassc-embedded-shim-ruby/compare/v1.77.1...v1.77.2)

---
updated-dependencies:
- dependency-name: sassc-embedded
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-07-03 09:13:40 +08:00
Martin Brennan
527f02e99f
FEATURE: Only count topic views for explicit/deferred tracked views (#27533)
Followup 2f2da72747

This commit moves topic view tracking from happening
every time a Topic is requested, which is susceptible
to inflating numbers of views from web crawlers, to
our request tracker middleware.

In this new location, topic views are only tracked when
the following headers are sent:

* HTTP_DISCOURSE_TRACK_VIEW - This is sent on every page navigation when
  clicking around the ember app. We count these as browser page views
  because we know it comes from the AJAX call in our app. The topic ID
  is extracted from HTTP_DISCOURSE_TRACK_VIEW_TOPIC_ID
* HTTP_DISCOURSE_DEFERRED_TRACK_VIEW - Sent when MessageBus initializes
  after first loading the page to count the initial page load view. The
  topic ID is extracted from HTTP_DISCOURSE_DEFERRED_TRACK_VIEW.

This will bring topic views more in line with the change we
made to page views in the referenced commit and result in
more realistic topic view counts.
2024-07-03 10:38:49 +10:00
Krzysztof Kotlarek
57af5d6f0d
FIX: missing flag serializer (#27683)
FlagSerializer is using in this PR
https://github.com/discourse/discourse/pull/27484 but was not staged.
2024-07-03 09:46:53 +10:00
Krzysztof Kotlarek
c3fadc7330
FEATURE: created edit and delete flags (#27484)
Allow admins to create edit and delete flags.
2024-07-03 08:45:37 +10:00
Leonardo Mosquera
a86590ffd6
UX: Add a rake task to monitor progress for long rebakes (#27517)
* UX: Add a rake task to monitor progress for long rebakes

When doing mass rebaking, this task will print progress, speed and
expected time to completion (ETC) on a loop. It is meant for rebakes
that take several hours or days.

It will calculate a 10m moving average over the past 6 hours, and print
ETC accordingly.

It also shows Sidekiq stats in case Sidekiq jobs for rebaking were
enqueued separately, instead of using the rebake_posts tasks in this
file (which are 100% synchronous and do not touch Sidekiq at all).

NOTE: only the currently unbaked count at task start time is considered;
this is useful in live communities with lots of traffic, where new posts
might otherwise change the goal posts continuously.

* Satisfy stree
2024-07-03 07:52:47 +10:00
Keegan George
ea58140032
DEV: Remove summarization code (#27373) 2024-07-02 08:51:47 -07:00
Discourse Translator Bot
052550c6e0
Update translations (#27680) 2024-07-02 16:42:56 +02:00
David Taylor
0a72b21e8f
DEV: Add admin warnings for plugin-outlet deprecations (#27679)
Adds warnings for:
- `discourse.plugin-outlet-tag-name`
- `discourse.plugin-outlet-parent-view`

Also updates the ID list to be strings rather than regex (so that `.` is not treated as a wildcard).
2024-07-02 15:01:41 +01:00
dependabot[bot]
53e150716e
Build(deps-dev): Bump esbuild from 0.21.5 to 0.22.0 (#27652)
Bumps [esbuild](https://github.com/evanw/esbuild) from 0.21.5 to 0.22.0.
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md)
- [Commits](https://github.com/evanw/esbuild/compare/v0.21.5...v0.22.0)

---
updated-dependencies:
- dependency-name: esbuild
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-07-02 12:03:17 +02:00
Sam
61610a61fa
FIX: disallow concurrent downloads of hotlinked images (#27676) 2024-07-02 10:06:46 +01:00
Gerhard Schlager
7c26d5d084
FIX: Import script was broken after upgrade of sqlite3 gem (#27648) 2024-07-02 17:38:15 +10:00
Martin Brennan
2ab4913d13
DEV: Disable smart lists for now on Firefox (#27677)
Firefox is having a lot of inconsistent issues with this
feature introduced in 30fdd7738e,
disabling it there for now until further investigation can
be done.
2024-07-02 13:36:24 +10:00
Krzysztof Kotlarek
a1d2c46d28
FIX: increase secure session for OAuth expiration time (#27674)
By default, secure sessions expire after 1 hour.
For OAuth authentication it should expire at the same time when the authentication cookie expires - `SiteSetting.maximum_session_age.hours`.

It is possible that the forum will not have persistent sessions, based on `persistent_sessions` site setting. In that case, with next username and password authentication we need to reset information about OAuth.

Bug introduced in this PR - https://github.com/discourse/discourse/pull/27547
2024-07-02 11:43:59 +10:00
dependabot[bot]
592b5ceed1
Build(deps-dev): Bump typescript from 5.5.2 to 5.5.3 (#27673)
Bumps [typescript](https://github.com/Microsoft/TypeScript) from 5.5.2 to 5.5.3.
- [Release notes](https://github.com/Microsoft/TypeScript/releases)
- [Changelog](https://github.com/microsoft/TypeScript/blob/main/azure-pipelines.release.yml)
- [Commits](https://github.com/Microsoft/TypeScript/compare/v5.5.2...v5.5.3)

---
updated-dependencies:
- dependency-name: typescript
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-07-02 09:36:46 +08:00
Jan Cernik
7b94cfcb1e
FIX: Hide message button for current user if can't message (#27672)
Hide message button for current user if can't message
2024-07-02 10:01:58 +10:00
Amanda Alves Branquinho
0acd6bea4c
PERF: Eager load field causing N+1 issue (#27626)
* PERF: Fix N+1 issue for javascript_cache

* FIX: missing upload fields should still appear in stylesheets

Sass is still expected to compile successfully even without uploads.
Revert a blank upload to have a blank URL

* DEV: remove unneeded test comment

---------

Co-authored-by: Jeff Wong <awole20@gmail.com>
2024-07-01 20:55:06 -03:00
Martin Brennan
947990b7f6
FIX: Small delay when auto-adding list item in composer (#27661)
Followup 30fdd7738e,

The issue with keyup is that it happens too late. maybeContinueList
itself runs in about 1 or 2 ms. But we show the linebreak in the
textarea on keydown and we handle it in keyup, which causes the “lag”.

The fix here is “hacking” itsatrap and textarea behavior to allow us to handle
it right away after the linebreak is inserted.

Full credit to Joffrey Jaffeux for this fix, I am making him
"co-author" below.

Co-authored-by: Joffrey JAFFEUX <j.jaffeux@gmail.com>
2024-07-02 09:37:10 +10:00
Kris
9e8d8d37fa
UX: fix height of lazy youtube embeds (#27671) 2024-07-01 17:27:11 -04:00
Kris
1c67aab135
UX: prevent the tag bullet from shrinking (#27669) 2024-07-01 16:49:49 -04:00
Kris
4311e9df45
UX: truncate too-long names in usercard (#27650) 2024-07-01 16:29:18 -04:00
Jan Cernik
6599b85a75
DEV: Block accidental serialization of entire AR models (#27668) 2024-07-01 17:08:48 -03:00
Gabriel Grubba
1ae902fa60
FIX: Division by zero error on WebHookEventsDailyAggregate (#27667)
* FIX: Division by zero error on WebHookEventsDailyAggregate

* DEV: Update implementation of WebHookEventsDailyAggregate to handle division by zero error
2024-07-01 15:40:52 -03:00
dependabot[bot]
88d259b73a
Build(deps-dev): Bump @floating-ui/dom from 1.6.6 to 1.6.7 (#27653)
Bumps [@floating-ui/dom](https://github.com/floating-ui/floating-ui/tree/HEAD/packages/dom) from 1.6.6 to 1.6.7.
- [Release notes](https://github.com/floating-ui/floating-ui/releases)
- [Changelog](https://github.com/floating-ui/floating-ui/blob/master/packages/dom/CHANGELOG.md)
- [Commits](https://github.com/floating-ui/floating-ui/commits/@floating-ui/dom@1.6.7/packages/dom)

---
updated-dependencies:
- dependency-name: "@floating-ui/dom"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-07-01 19:28:49 +08:00
dependabot[bot]
7e27ca386d
Build(deps-dev): Bump test-prof from 1.3.3 to 1.3.3.1 (#27654)
Bumps [test-prof](https://github.com/test-prof/test-prof) from 1.3.3 to 1.3.3.1.
- [Release notes](https://github.com/test-prof/test-prof/releases)
- [Changelog](https://github.com/test-prof/test-prof/blob/master/CHANGELOG.md)
- [Commits](https://github.com/test-prof/test-prof/compare/v1.3.3...v1.3.3.1)

---
updated-dependencies:
- dependency-name: test-prof
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-07-01 19:28:39 +08:00
dependabot[bot]
2586215fa1
Build(deps): Bump minitest from 5.24.0 to 5.24.1 (#27655)
Bumps [minitest](https://github.com/minitest/minitest) from 5.24.0 to 5.24.1.
- [Changelog](https://github.com/minitest/minitest/blob/master/History.rdoc)
- [Commits](https://github.com/minitest/minitest/compare/v5.24.0...v5.24.1)

---
updated-dependencies:
- dependency-name: minitest
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-07-01 19:28:23 +08:00
dependabot[bot]
909901494a
Build(deps-dev): Bump rubocop-rails from 2.25.0 to 2.25.1 (#27656)
Bumps [rubocop-rails](https://github.com/rubocop/rubocop-rails) from 2.25.0 to 2.25.1.
- [Release notes](https://github.com/rubocop/rubocop-rails/releases)
- [Changelog](https://github.com/rubocop/rubocop-rails/blob/master/CHANGELOG.md)
- [Commits](https://github.com/rubocop/rubocop-rails/compare/v2.25.0...v2.25.1)

---
updated-dependencies:
- dependency-name: rubocop-rails
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-07-01 19:28:11 +08:00
dependabot[bot]
703aeb9429
Build(deps): Bump sassc-embedded from 1.76.0 to 1.77.1 (#27657)
Bumps [sassc-embedded](https://github.com/sass-contrib/sassc-embedded-shim-ruby) from 1.76.0 to 1.77.1.
- [Commits](https://github.com/sass-contrib/sassc-embedded-shim-ruby/compare/v1.76.0...v1.77.1)

---
updated-dependencies:
- dependency-name: sassc-embedded
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-07-01 19:28:00 +08:00
David Battersby
bee7312f46
FIX: show group based notifications in chat summary email (#27641)
Follow up to #27631 to account for group mentions in channels.

We only want to show mentions for groups that are currently mentionable and those that the current user belongs to.
2024-07-01 12:47:38 +04:00
Martin Brennan
ffc99253fa
DEV: Resolve TODO comments for martin-brennan
I am changing many of these to notes or resolving them as is,
most of these I have not actively worked on in years so someone
else can work on them when we get to these areas again.
2024-07-01 15:32:30 +10:00
Martin Brennan
56f34e2d2b
DEV: Unhide enable_direct_s3_uploads setting (#27659)
This has been around for a long time now and was mentioned
in https://meta.discourse.org/t/a-new-era-for-file-uploads-in-discourse/210469,
there is no need to hide it, self-hosters are free to enable
this.
2024-07-01 13:56:00 +10:00
Osama Sayegh
4c1c25027d
DEV: Wiring for the admin about config page (#27492)
This commit continues work laid out by ffec8163b0 for the admin config page for the /about page. The last commit set up the user interface, and this one sets up all the wiring needed to make the input fields and save buttons actually work.

Internal topic: t/128544.
2024-07-01 05:40:37 +03:00
Vinoth Kannan
e8a41011eb
FIX: should not raise error when minimum_required_tags value not defined for category. (#27658)
While creating a new category if the user didn't specify a value for `minimum_required_tags` input but clicked it then it returned the "PG::NotNullViolation: null value in column 'minimum_required_tags'" error.
2024-07-01 07:14:34 +05:30
Jan Cernik
0b3b101c97
FIX: CalendarDateTimeInput renders the wrong day (#27639) 2024-06-28 19:18:01 -03:00
Jan Cernik
e161086630
FIX: User controls buttons order for admins (#27646) 2024-06-28 18:32:25 -03:00
Régis Hanol
8dc358e4d5 FIX: better iframe sanitization
This improves the way we sanitize `iframe` and correctly strips them from the "raw" before cooking it.

Otherwise, we would show an empty iframe box.

Internal ref - t/131430
2024-06-28 22:53:20 +02:00
Kris
307b207e91
UX: remove redundant nav-pill active border (#27649) 2024-06-28 16:29:50 -04:00
Keegan George
05a5f3c816
DEV: Extract top replies summary out of summary-box (#27647) 2024-06-28 10:43:47 -07:00
Keegan George
f6dfb9d63f
DEV: Add topic-map-expanded-after plugin outlet (#27645) 2024-06-28 07:53:05 -07:00
Discourse Translator Bot
423f92490c Update translations 2024-06-28 16:10:06 +02:00
Loïc Guitaut
232503b3df FIX: Render a 404 error on a bad redirect in list controller
When bad data is provided in the URI for redirecting to a category,
Rails raises an `ActionController::Redirecting::UnsafeRedirectError`
error, leading to a 500 error.

This patch catches the exception to render a 404 instead.
2024-06-28 10:42:10 +02:00
Loïc Guitaut
a442eeb0f4 FIX: Don’t raise an error on permalinks with external URL
Currently redirecting to an external URL through a permalink doesn’t
work because Rails raises a
`ActionController::Redirecting::UnsafeRedirectError` error.

This wasn’t the case before we upgraded to Rails 7.0.

This patch fixes the issue by using `allow_other_host: true` on the
redirect.
2024-06-28 10:09:37 +02:00