Commit Graph

51489 Commits

Author SHA1 Message Date
Penar Musaraj
1400d4a8fd
Bump version to v3.2.0.beta3-dev 2023-10-16 11:20:22 -04:00
Penar Musaraj
be04154838
Bump version to v3.2.0.beta2 2023-10-16 11:20:20 -04:00
Penar Musaraj
13afad70a5
DEV: Lint admin-email-preview-test.js 2023-10-16 10:46:02 -04:00
Alan Guo Xiang Tan
cbbe3a808b
SECURITY: Add a default limit as to when logs should be truncated
Why this change?

This ensures that malicious requests cannot end up causing the logs to
quickly fill up. The default chosen is sufficient for most legitimate
requests to the Discourse application.

When truncation happens, parsing of logs in supported format like
lograge may break down.
2023-10-16 10:34:38 -04:00
Kelvin Tan
ee084b754e
SECURITY: Prevent unauthorized access to grouped poll results
This adds access controls for the `/polls/grouped_poll_results`
endpoint, such that only users with appropriate permissions can read
the grouped results of a given poll.
2023-10-16 10:34:37 -04:00
Alan Guo Xiang Tan
4cb7472376
SECURITY: Prevent arbitrary topic custom fields from being set
Why this change?

The `PostsController#create` action allows arbitrary topic custom fields
to be set by any user that can create a topic. Without any restrictions,
this opens us up to potential security issues where plugins may be using
topic custom fields in security sensitive areas.

What does this change do?

1. This change introduces the `register_editable_topic_custom_field` plugin
API which allows plugins to register topic custom fields that are
editable either by staff users only or all users. The registered
editable topic custom fields are stored in `DiscoursePluginRegistry` and
is called by a new method `Topic#editable_custom_fields` which is then
used in the `PostsController#create` controller action. When an unpermitted custom fields is present in the `meta_data` params,
a 400 response code is returned.

2. Removes all reference to `meta_data` on a topic as it is confusing
   since we actually mean topic custom fields instead.
2023-10-16 10:34:35 -04:00
David Taylor
0ed20fe1cd
SECURITY: Correctly escape 'text' email preview 2023-10-16 10:34:34 -04:00
Bianca Nenciu
76bdea5ce2
SECURITY: Hide user profiles from public
User profiles, including the summary, should be private to anonymous
users if hide_user_profiles_from_public is enabled.
2023-10-16 10:34:32 -04:00
Jan Cernik
6350ba2cb3
SECURITY: Add permissions to MessageBus in chat
Add spec

compact
2023-10-16 10:34:30 -04:00
chapoi
9d1726fe2b
UX: better align user count (#23941) 2023-10-16 13:28:35 +02:00
David Taylor
1884b57af3
FIX: Open invite modal correctly from topic share UI (#23940)
This regressed when the create-invite modal was converted to the new component-based API in 8a7b5b00ea
2023-10-16 12:26:18 +01:00
David Taylor
c8c38bea7e
DEV: Write execution file for test failures (#23879)
Followup to 3f8a85ed49
2023-10-16 11:12:13 +01:00
David Taylor
aa4a5add70
DEV: Add system specs for dismiss new on tag routes (#23936) 2023-10-16 10:51:59 +01:00
dependabot[bot]
20a765e3ca
Build(deps-dev): Bump rubocop from 1.57.0 to 1.57.1 (#23937)
Bumps [rubocop](https://github.com/rubocop/rubocop) from 1.57.0 to 1.57.1.
- [Release notes](https://github.com/rubocop/rubocop/releases)
- [Changelog](https://github.com/rubocop/rubocop/blob/master/CHANGELOG.md)
- [Commits](https://github.com/rubocop/rubocop/compare/v1.57.0...v1.57.1)

---
updated-dependencies:
- dependency-name: rubocop
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-16 11:24:12 +02:00
dependabot[bot]
b0f5e99026
Build(deps-dev): Bump bullet from 7.1.1 to 7.1.2 (#23938)
Bumps [bullet](https://github.com/flyerhzm/bullet) from 7.1.1 to 7.1.2.
- [Changelog](https://github.com/flyerhzm/bullet/blob/main/CHANGELOG.md)
- [Commits](https://github.com/flyerhzm/bullet/compare/7.1.1...7.1.2)

---
updated-dependencies:
- dependency-name: bullet
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-16 11:23:53 +02:00
dependabot[bot]
a21a6dbd4d
Build(deps-dev): Bump webpack in /app/assets/javascripts (#23939)
Bumps [webpack](https://github.com/webpack/webpack) from 5.88.2 to 5.89.0.
- [Release notes](https://github.com/webpack/webpack/releases)
- [Commits](https://github.com/webpack/webpack/compare/v5.88.2...v5.89.0)

---
updated-dependencies:
- dependency-name: webpack
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-16 11:23:00 +02:00
Renato Atilio
6c818b449a
FIX: add missing type to form template upload (#23935) 2023-10-15 11:17:11 -03:00
Penar Musaraj
1a70817962
DEV: Add UI for passkeys (3/3) (#23853)
Adds UI elements for registering a passkey and logging in with it. The feature is still in an early stage, interested parties that want to try it can use the `experimental_passkeys` site setting (via Rails console). 

See PR for more details. 
---------

Co-authored-by: Joffrey JAFFEUX <j.jaffeux@gmail.com>
2023-10-13 12:24:06 -04:00
Jarek Radosz
a5858e60e1
FIX: Transitioning to tag-intersection route (#23931)
…didn't correctly update location query params.

A followup to 1df3ccc903 (things broke after merging `main` to PR's branch)
2023-10-13 16:23:04 +01:00
David Taylor
b3df0a362b
DEV: Ensure current-post-changed is fired when switching between topics (#23930)
Previously this logic was only checking the post number. That meant that navigating between the first post of two topics would not trigger the event.

In the past, the event would be triggered anyway because the ScrollingPostStream would be destroyed/re-created when navigating between topics. But now that we use the 'loading slider' technique, the same component instance is re-used.

The motivation for this commit is to fix the 'DiscoToc' theme component, which relies on the event firing when navigating between topics.
2023-10-13 15:45:32 +01:00
Gerhard Schlager
ec8ae3fc65 DEV: Add GitHub Actions workflow for testing migrations
This workflow runs only for code underneath the `migrations/` directory. The usual test workflow is skipped for migrations because running frontend and backend tests is a waste of time and resources when only migrations are changed.
2023-10-13 16:03:55 +02:00
Gerhard Schlager
7644419976 DEV: Add codeowner for migrations related code
This allows automatic assignment of reviewers for migrations related code.
2023-10-13 16:03:55 +02:00
Gerhard Schlager
0907c0deb7 DEV: Update labeler for migration related code
This activates the `sync-labels` flag which causes the removal of labels when matching files are reverted or no longer changed by the PR.
2023-10-13 16:03:55 +02:00
Gerhard Schlager
e16537fa9f DEV: Add initial structure for migrations-tooling 2023-10-13 16:03:55 +02:00
chapoi
29beaff25b
FIX: revert (edited) layout in chat message (#23927)
* Revert "UX: place (edited) on same line (#23866)"

This reverts commit c1017a479b.

* Revert "UX: prevent (edited) and following from being copied (#23882)"

This reverts commit 563bff509a.
2023-10-13 13:01:56 +02:00
Joffrey JAFFEUX
b6d9aa5a4c
DEV: simplify reply to message smoke spec (#23928)
We now create threads on reply so the refresh check is not really necessary as there's nothing special about it anymore. We don't refresh every pages in other tests to check they still work.

Hopefully these changes will prevent few flakeys too.
2023-10-13 11:16:26 +02:00
Joffrey JAFFEUX
c1abf8b35c
UX: improves reminder setting text (#23918)
The setting will change from "%{count} days" to "Chat settings have been set to retain channel messages for %{count} day."

This commit also:
- migrates `chat-retention-reminder` to gjs
- adds a "type" property to `chat-retention-reminder-text` to allow use a long or short text depending on where it's used.
2023-10-13 07:55:47 +02:00
Blake Erickson
b607d81d50
DEV: Change video placeholder click target (#23925)
Have the click target be the entire placeholder instead of just the play
button.
2023-10-13 13:26:10 +10:00
Martin Brennan
9762e65758
FEATURE: Add Revise... option for queued post reviewable (#23454)
This commit adds a new Revise... action that can be taken
for queued post reviewables. This will open a modal where
the user can select a Reason from a preconfigured list
(or by choosing Other..., a custom reason) and provide feedback
to the user about their post.

The post will be rejected still, but a PM will also be sent to
the user so they have an opportunity to improve their post when
they resubmit it.
2023-10-13 11:28:31 +10:00
dependabot[bot]
5fe4e0ed48
Build(deps-dev): Bump sass in /app/assets/javascripts (#23921)
Bumps [sass](https://github.com/sass/dart-sass) from 1.69.2 to 1.69.3.
- [Release notes](https://github.com/sass/dart-sass/releases)
- [Changelog](https://github.com/sass/dart-sass/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sass/dart-sass/compare/1.69.2...1.69.3)

---
updated-dependencies:
- dependency-name: sass
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-13 03:22:53 +02:00
dependabot[bot]
2fa9620f77
Build(deps-dev): Bump qunit-dom in /app/assets/javascripts (#23920)
Bumps [qunit-dom](https://github.com/mainmatter/qunit-dom) from 2.0.0 to 3.0.0.
- [Release notes](https://github.com/mainmatter/qunit-dom/releases)
- [Commits](https://github.com/mainmatter/qunit-dom/compare/v2.0.0...v3.0.0)

---
updated-dependencies:
- dependency-name: qunit-dom
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-13 03:00:58 +02:00
Jarek Radosz
1df3ccc903
FIX: Pass category param on /tags/intersection (#23352) 2023-10-13 02:42:41 +02:00
dependabot[bot]
f33b60ba17
Build(deps-dev): Bump shoulda-matchers from 68f76ce to c17bac4 (#23923)
Bumps [shoulda-matchers](https://github.com/thoughtbot/shoulda-matchers) from `68f76ce` to `c17bac4`.
- [Release notes](https://github.com/thoughtbot/shoulda-matchers/releases)
- [Commits](68f76ce13e...c17bac468c)

---
updated-dependencies:
- dependency-name: shoulda-matchers
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-13 00:11:52 +02:00
dependabot[bot]
1fac13b405
Build(deps-dev): Bump the babel group (#23919)
Bumps the babel group in /app/assets/javascripts with 1 update: [@babel/core](https://github.com/babel/babel/tree/HEAD/packages/babel-core).

- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/@babel/core@7.23.2/packages/babel-core)

---
updated-dependencies:
- dependency-name: "@babel/core"
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: babel
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-13 00:08:07 +02:00
dependabot[bot]
67d98364a5
Build(deps): Bump sass-embedded from 1.69.2 to 1.69.3 (#23922)
Bumps [sass-embedded](https://github.com/ntkme/sass-embedded-host-ruby) from 1.69.2 to 1.69.3.
- [Commits](https://github.com/ntkme/sass-embedded-host-ruby/compare/v1.69.2...v1.69.3)

---
updated-dependencies:
- dependency-name: sass-embedded
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-13 00:07:20 +02:00
Joffrey JAFFEUX
b122e69ed3
DEV: flakey members list spec (#23917)
No repro but, it's possible that we were at the limit of triggering the scroll, this should ensure we correctly trigger the scroll more.
2023-10-12 22:32:03 +02:00
Sérgio Saquetim
526d2dc582
FEATURE: Allow searching users using a list of usernames (#23902) 2023-10-12 20:00:33 +00:00
Blake Erickson
2443446e62
DEV: Prevent videos from preloading metadata (#23807)
Preloading just metadata is not always respected by browsers, and
sometimes the whole video will be downloaded. This switches to using a
placeholder image for the video and only loads the video when the play
button is clicked.
2023-10-12 13:47:48 -06:00
Tobias Eigen
460e702887
improve desc of review every post admin setting (#23899)
Adds more information about what the "review every post" admin setting does. All new posts are sent to the review queue so they can be reviewed by moderators, but are still published.
2023-10-12 09:43:14 -07:00
Mark VanLandingham
55e4fd63be
DEV: add class to bookmark-list TD (#23914) 2023-10-12 11:27:00 -05:00
Jarek Radosz
90743f162a
DEV: Add a plugin outlet for conditional-loading-spinner (#23911) 2023-10-12 17:53:53 +02:00
Kris
76cbfcd60c
A11Y: move new account disclaimer above buttons (#23884) 2023-10-12 11:30:03 -04:00
Godfrey Chan
2e00482ac4
DEV: convert I18n pseudo package into real package (discourse-i18n) (#23867)
Currently, `window.I18n` is defined in an old school hand written
script, inlined into locale/*.js by the Rails asset pipeline, and
then the global variable is shimmed into a pseudo AMD module later
in `module-shims.js`.

This approach has some problems – for one thing, when we add a new
V2 addon (e.g. in #23859), Embroider/Webpack is stricter about its
dependencies and won't let you `import from "I18n";` when `"I18n"`
isn't listed as one of its `dependencies` or `peerDependencies`.

This moves `I18n` into a real package – `discourse-i18n`. (I was
originally planning to keep the `I18n` name since it's a private
package anyway, but NPM packages are supposed to have lower case
names and that may cause problems with other tools.)

This package defines and exports a regular class, but also defines
the default global instance for backwards compatibility. We should
use the exported class in tests to make one-off instances without
mutating the global instance and having to clean it up after the
test run. However, I did not attempt that refactor in this PR.

Since `discourse-i18n` is now included by the app, the locale
scripts needs to be loaded after the app chunks. Since no "real"
work happens until later on when we kick things off in the boot
script, the order in which the script tags appear shouldn't be a
problem. Alternatively, we can rework the locale bundles to be more
lazy like everything else, and require/import them into the app.

I avoided renaming the imports in this commit since that would be
quite noisy and drowns out the actual changes here. Instead, I used
a Webpack alias to redirect the current `"I18n"` import to the new
package for the time being. In a separate commit later on, I'll
rename all the imports in oneshot and remove the alias. As always,
plugins and the legacy bundles (admin/wizard) still relies on the
runtime AMD shims regardless.

For the most part, I avoided refactoring the actual I18n code too
much other than making it a class, and some light stuff like `var`
into `let`.

However, now that it is in a reasonable format to work with (no
longer inside the global script context!) it may also be a good
opportunity to refactor and make clear what is intended to be
public API vs internal implementation details.

Speaking of, I took the librety to make `PLACEHOLDER`, `SEPARATOR`
and `I18nMissingInterpolationArgument` actual constants since it
seemed pretty clear to me those were just previously stashed on to
the `I18n` global to avoid polluting the global namespace, rather
than something we expect the consumers to set/replace.
2023-10-12 14:44:01 +01:00
Jan Cernik
5d632fd30a
FIX: Chat layout shift with GitHub onebox (#23909) 2023-10-12 07:54:11 -03:00
David Taylor
525cfcbe0e
FIX: Ensure nested ember components can be used with mustache syntax (#23912)
We run the ember-this-fallback transformation on plugin and theme code so that they can continue omitting `this.` in `.hbs` templates. A bug in the implementation meant that it was incorrectly transforming things like `{{dir/some-component}}` into `<DirSomeComponent />` (rather than `<Dir::SomeComponent />`).

This commit uses patch-package to apply the fix from https://github.com/tildeio/ember-this-fallback/pull/56
2023-10-12 11:08:57 +01:00
dependabot[bot]
7c6a8fa09a
Build(deps-dev): Bump rswag-specs from 2.10.1 to 2.11.0 (#23905)
Bumps [rswag-specs](https://github.com/rswag/rswag) from 2.10.1 to 2.11.0.
- [Release notes](https://github.com/rswag/rswag/releases)
- [Changelog](https://github.com/rswag/rswag/blob/master/CHANGELOG.md)
- [Commits](https://github.com/rswag/rswag/compare/2.10.1...2.11.0)

---
updated-dependencies:
- dependency-name: rswag-specs
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-12 12:05:24 +02:00
dependabot[bot]
7ec167892d
Build(deps-dev): Bump rubocop from 1.56.4 to 1.57.0 (#23906)
Bumps [rubocop](https://github.com/rubocop/rubocop) from 1.56.4 to 1.57.0.
- [Release notes](https://github.com/rubocop/rubocop/releases)
- [Changelog](https://github.com/rubocop/rubocop/blob/master/CHANGELOG.md)
- [Commits](https://github.com/rubocop/rubocop/compare/v1.56.4...v1.57.0)

---
updated-dependencies:
- dependency-name: rubocop
  dependency-type: indirect
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-12 12:05:00 +02:00
David Taylor
6e004b04e1
FIX: Support PluginOutlet invocations with deprecated tagName (#23913)
This regressed in af305366
2023-10-12 11:03:44 +01:00
dependabot[bot]
88951e03bf
Build(deps): Bump the babel group (#23907)
Bumps the babel group in /app/assets/javascripts with 1 update: [@babel/standalone](https://github.com/babel/babel/tree/HEAD/packages/babel-standalone).

- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.23.2/packages/babel-standalone)

---
updated-dependencies:
- dependency-name: "@babel/standalone"
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: babel
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-12 12:02:35 +02:00
dependabot[bot]
bf74d06a86
Build(deps-dev): Bump @ember/legacy-built-in-components (#23908)
Bumps [@ember/legacy-built-in-components](https://github.com/emberjs/ember-legacy-built-in-components) from 0.5.0-alpha.0 to 0.5.0.
- [Release notes](https://github.com/emberjs/ember-legacy-built-in-components/releases)
- [Commits](https://github.com/emberjs/ember-legacy-built-in-components/commits)

---
updated-dependencies:
- dependency-name: "@ember/legacy-built-in-components"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-12 12:02:08 +02:00