Commit Graph

53424 Commits

Author SHA1 Message Date
Bianca Nenciu
b425fbc2a2
SECURITY: Generate more category CSS on client
This commit moves the generation of category background CSS from the
server side to the client side. This simplifies the server side code
because it does not need to check which categories are visible to the
current user.
2024-03-15 14:24:11 +08:00
Penar Musaraj
62ea382247
SECURITY: Limit invites params length 2024-03-15 14:24:07 +08:00
Daniel Waterworth
8cade1e825
SECURITY: Prevent large staff actions causing DoS
This commit operates at three levels of abstraction:

 1. We want to prevent user history rows from being unbounded in size.
    This commit adds rails validations to limit the sizes of columns on
    user_histories,

 2. However, we don't want to prevent certain actions from being
    completed if these columns are too long. In those cases, we truncate
    the values that are given and store the truncated versions,

 3. For endpoints that perform staff actions, we can further control
    what is permitted by explicitly validating the params that are given
    before attempting the action,
2024-03-15 14:24:04 +08:00
Alan Guo Xiang Tan
003b80e62f
SECURITY: Add rate limits for uploads 2024-03-15 14:24:00 +08:00
Daniel Waterworth
819361ba28
SECURITY: Don't disclose the existence of secret subcategories 2024-03-15 14:23:55 +08:00
dependabot[bot]
085edb170d
Build(deps): Bump sassc-embedded from 1.70.0 to 1.70.1 (#26184)
Bumps sassc-embedded from 1.70.0 to 1.70.1.

---
updated-dependencies:
- dependency-name: sassc-embedded
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-03-15 07:48:54 +08:00
dependabot[bot]
f2914bafd3
Build(deps): Bump follow-redirects from 1.15.4 to 1.15.6 (#26191)
Bumps [follow-redirects](https://github.com/follow-redirects/follow-redirects) from 1.15.4 to 1.15.6.
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](https://github.com/follow-redirects/follow-redirects/compare/v1.15.4...v1.15.6)

---
updated-dependencies:
- dependency-name: follow-redirects
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-03-15 07:48:39 +08:00
Alan Guo Xiang Tan
cdba864598
DEV: Support description for properties in objects schema (#26172)
Why this change?

When editing a objects typed theme setting, the input fields which are
rendered should include a description so that the user knows the purpose
of the field which they are changing.

What does this change do?

This change adds support for adding description to each property in the
schema for an object by following a given convention in the locale file.

For a schema like this:

```
objects_setting:
  type: objects
  schema:
    name: section
    properties:
      name:
        type: string
        required: true
      links:
        type: objects
        schema:
          name: link
          properties:
            name:
              type: string
              required: true
              validations:
                max_length: 20
            url:
              type: string
```

Description for each property in the object can be added like so:

```
en:
  theme_metadata:
    settings:
      objects_setting:
        description: <description> for the setting
        schema:
          properties:
            name: <description for the name property>
            links:
              name: <description for the name property in link>
              url: <description for the url property in link>
```

If the a description is not present, the input field will simply not
have an description.

Also note that a description for a theme setting can now be added like
so:

```
en:
  theme_metadata:
    settings:
      some_other_setting: <This will be used as the description>
      objects_setting:
        description: <This will also be used as the description>
```
2024-03-15 07:47:42 +08:00
dependabot[bot]
ede6118f69
Build(deps): Bump terser from 5.29.1 to 5.29.2 (#26186)
Bumps [terser](https://github.com/terser/terser) from 5.29.1 to 5.29.2.
- [Changelog](https://github.com/terser/terser/blob/master/CHANGELOG.md)
- [Commits](https://github.com/terser/terser/compare/v5.29.1...v5.29.2)

---
updated-dependencies:
- dependency-name: terser
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-03-15 06:36:08 +08:00
dependabot[bot]
70d27de7fe
Build(deps-dev): Bump esbuild from 0.20.1 to 0.20.2 (#26187)
Bumps [esbuild](https://github.com/evanw/esbuild) from 0.20.1 to 0.20.2.
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md)
- [Commits](https://github.com/evanw/esbuild/compare/v0.20.1...v0.20.2)

---
updated-dependencies:
- dependency-name: esbuild
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-03-15 06:35:52 +08:00
dependabot[bot]
1a7ea82198
Build(deps-dev): Bump lefthook from 1.6.5 to 1.6.6 (#26188)
Bumps [lefthook](https://github.com/evilmartians/lefthook) from 1.6.5 to 1.6.6.
- [Release notes](https://github.com/evilmartians/lefthook/releases)
- [Changelog](https://github.com/evilmartians/lefthook/blob/master/CHANGELOG.md)
- [Commits](https://github.com/evilmartians/lefthook/compare/v1.6.5...v1.6.6)

---
updated-dependencies:
- dependency-name: lefthook
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-03-15 06:35:37 +08:00
dependabot[bot]
31c41dd013
Build(deps): Bump sass-embedded from 1.71.1 to 1.72.0 (#26189)
Bumps sass-embedded from 1.71.1 to 1.72.0.

---
updated-dependencies:
- dependency-name: sass-embedded
  dependency-type: indirect
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-03-15 06:35:22 +08:00
dependabot[bot]
6901fcd254
Build(deps): Bump json_schemer from 2.2.0 to 2.2.1 (#26190)
Bumps json_schemer from 2.2.0 to 2.2.1.

---
updated-dependencies:
- dependency-name: json_schemer
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-03-15 06:35:08 +08:00
Blake Erickson
70c23f11a9
DEV: Add API scopes for post revisions (#26183)
This commit adds API scopes for reading, modifying, and deleting post
revisions.
2024-03-14 15:24:54 -06:00
Joffrey JAFFEUX
c986f9a947
DEV: adds details/location options to downloadCalendar (#26177)
This will now only be used for google to pre-fill the associated fields in: https://calendar.google.com/calendar/u/0/r/eventedit
2024-03-14 21:32:15 +01:00
Penar Musaraj
a71f68afdd
DEV: Improve localizability for a few labels (#26178)
Using separate prefix + date elements makes it harder to translate in
some languages. This moves a few dates inside i18n strings.
2024-03-14 15:01:43 -04:00
David Taylor
2546817d07
FIX: correctly strip unneeded csp directives under strict-dynamic (#26180) 2024-03-14 18:50:09 +00:00
David Taylor
b16f212c47
DEV: Add discourse prefix to d-popover deprecations (#26181) 2024-03-14 18:50:00 +00:00
Régis Hanol
5213bba672
FIX: support [code] in blockquotes (#26182)
> [code]
> line1
> line2
> [/code]

would render as

| line1
| > line2

instead of the correct

| line1
| line2

That was due to the `bbcode-block` code using a `slice` to get the content of a block and not taking into account it being nested in a quote block for example.

The fix was to get the content using the `getLines` utils method.

Context: https://meta.discourse.org/t/markdown-bbcode-code-quote-bug/299047
2024-03-14 19:31:22 +01:00
Rafael dos Santos Silva
679a773411
FIX: Handle nil post_search_data for search result (#26179)
Since we are introducing new ways to search in Discourse, like the AI
semantic search using embeddings, posts can be part of a search result
list without having any search data.

Since the code path already handles this, we only need to add a safety
check when accessing the post_search_data.
2024-03-14 14:40:46 -03:00
Régis Hanol
c662a99db3
FIX: clicking "more..." in emoji autocomplete (#26176)
This reverts the "fix" made in 44f6b24e34 since it wasn't the correct fix and the emoji picker wasn't showing in chat 🤦‍♂️

The proper fix is to `stopPropagation()` on the `click` event since the click handler has been made `async`. `preventDefault()` isn't enough.
2024-03-14 18:15:02 +01:00
Andrei Prigorshnev
dedf1a5e03
Correct versions (#26175)
This is a follow-up to https://github.com/discourse/discourse/pull/25883. 
Somehow I forgot to address this comment –https://github.com/discourse/discourse/pull/25883#discussion_r1503234622
2024-03-14 20:36:56 +04:00
Kris
9376a2e755
FEATURE: optionally show "Powered by Discourse" link to discourse.org (#26162) 2024-03-14 10:30:12 -04:00
Jan Cernik
83495f656d
DEV: Convert time-gap widget to a component (#26165)
* DEV: Convert time-gap widget to a component

* inline timegap component

* Remove top level wrapper

---------

Co-authored-by: Joffrey JAFFEUX <j.jaffeux@gmail.com>
2024-03-14 10:01:38 -03:00
David Taylor
6da176580b
DEV: Unsilence header-related deprecations (#26173)
https://meta.discourse.org/t/296544
2024-03-14 11:03:03 +00:00
Régis Hanol
44f6b24e34
FIX: clicking "more..." in emoji autocomplete (#26160)
Should open the emoji picker. But it wasn't 😅

The `handleOutsideClick` event was listening too early and would catch the click on the "more..." option in the autocomplete as a click outside the emoji picker and would immediately close it 🤦

The fix was to defer registering to this event.
2024-03-14 09:31:49 +01:00
David Battersby
139e21e37d
UX: fix chat title margin on drawer and side panel (#26171)
Fixes alignment issues within the drawer mode and chat sidebar panel on desktop.
2024-03-14 13:41:42 +08:00
Sam
e05628c079
PERF: omit HTML view from sessions by logged on users. (#26170)
You need JS to log on to Discourse anyway, HTML only serves for debugging
purpose, no need to send it
2024-03-14 15:48:29 +11:00
chapoi
1f786f4972
UX: fix chat navbar header alignment (#26161) 2024-03-14 12:11:08 +08:00
Krzysztof Kotlarek
e12d32a876
FIX: improvements for the admin sidebar (#26168)
- add all settings link
- hide the customize header menu when the admin sidebar
2024-03-14 15:01:47 +11:00
Ted Johansson
ea5c3a3bdc
DEV: Move non scheduled problem checks to classes (#26122)
In AdminDashboardData we have a bunch of problem checks implemented as methods on that class. This PR absolves it of the responsibility by promoting each of those checks to a first class ProblemCheck. This way each of them can have their own priority and arbitrary functionality can be isolated in its own class.

Think "extract class" refactoring over and over. Since they were all moved we can also get rid of the @@problem_syms class variable which was basically the old version of the registry now replaced by ProblemCheck.realtime.

In addition AdminDashboardData::Problem value object has been entirely replaced with the new ProblemCheck::Problem (with compatible API).

Lastly, I added some RSpec matchers to simplify testing of problem checks and provide helpful error messages when assertions fail.
2024-03-14 10:55:01 +08:00
Krzysztof Kotlarek
9afb0b29f8
FEATURE: filter additional keywords for the sidebar (#26148)
With the new admin sidebar restructure, we have a link to "Installed plugins". We would like to ensure that when the admin is searching for a plugin name like "akismet" or "automation" this link will be visible. Also when entering the plugins page, related plugins should be highlighted.
2024-03-14 12:28:08 +11:00
David Taylor
bbb18fa2ce
UX: Update glimmer header with new dnd icon (#26166)
Followup to f2ac9e4c12
2024-03-13 23:02:44 +00:00
dependabot[bot]
e9ef48e3cf
Build(deps): Bump minitest from 5.22.2 to 5.22.3 (#26163)
Bumps [minitest](https://github.com/minitest/minitest) from 5.22.2 to 5.22.3.
- [Changelog](https://github.com/minitest/minitest/blob/master/History.rdoc)
- [Commits](https://github.com/minitest/minitest/commits)

---
updated-dependencies:
- dependency-name: minitest
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-03-13 22:53:19 +01:00
dependabot[bot]
23d9724671
Build(deps-dev): Bump sass from 1.71.1 to 1.72.0 (#26164)
Bumps [sass](https://github.com/sass/dart-sass) from 1.71.1 to 1.72.0.
- [Release notes](https://github.com/sass/dart-sass/releases)
- [Changelog](https://github.com/sass/dart-sass/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sass/dart-sass/compare/1.71.1...1.72.0)

---
updated-dependencies:
- dependency-name: sass
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-03-13 22:52:49 +01:00
Jan Cernik
2d074ad4a5
FIX: Hide suggestion to send PMs when PMs are disabled for user (#26157) 2024-03-13 16:29:22 -03:00
David Taylor
551c6022dc
DEV: Introduce rake task to validate discourse-compatibility file (#26158) 2024-03-13 13:57:41 +00:00
Joffrey JAFFEUX
ce3f592275
DEV: remove do-not-disturb widget (#26156)
It seems like this is a legacy widget which was used here f899652422/app/assets/javascripts/discourse/app/widgets/quick-access-panel.js (L106) but usage got removed in https://github.com/discourse/discourse/pull/21308/files#diff-9f7a1e3cde1ef93d38ba40ebf295749fb217eee81b95e95c34f98721274cdca9 and the widget didn't get removed.
2024-03-13 11:37:25 +01:00
Alan Guo Xiang Tan
1f71db426e
DEV: Remove cache PG connection type map freedom patch (#26153)
Why this change?

Previously, we identified that ActiveRecord's PostgreSQL adapter
executes 3 db queries each time a new connection is created. The 3 db
queries was identified when we looked at the `pg_stats_statement` table
on one of our multisite production cluster. At that time, the hypothesis
is that because we were agressively reaping and creating connections,
the db queries executed each time a connection is created is wasting
resources on our database servers. However, we didn't see any the needle
move much on our servers after deploying the patch so we have decided to
drop this patch as it makes it harder for us to upgrade ActiveRecord in
the future.
2024-03-13 13:28:06 +08:00
Alan Guo Xiang Tan
e7f539df10
UX: Display setting description for objects typed theme setting (#26152)
Why this change?

Prior to this change, there is no description being displayed for
objects typed theme setting because we were rendering a button instead
of the components for the various setting types which will render the
setting's description.

What does this change do?

1. Introduce `SiteSettings::Description` compoment to centralise the HTML
being rendered across all settings component.

2. Renders the `SiteSettings::Description` component after the edit
   button in `site_setting.hbs`.
2024-03-13 12:38:21 +08:00
Martin Brennan
4e7a75a7ec
DEV: Single admin plugin page for consistent admin plugin UX (#26024)
This commit adds new plugin show routes (`/admin/plugins/:plugin_id`) as we move
towards every plugin having a consistent UI/landing page.

As part of this, we are introducing a consistent way for plugins
to show an inner sidebar in their config page, via a new plugin
API `register_admin_config_nav_routes`

This accepts an array of links with a label/text, and an
ember route. Once this commit is merged we can start the process
of conforming other plugins to follow this pattern, as well
as supporting a single-page version of this for simpler plugins
that don't require an inner sidebar.

Part of /t/122841 internally
2024-03-13 13:15:12 +10:00
Natalie Tay
0b41b236d7
FIX: Avoid sending user emails if @ mentioning a staged user in a topic (#26102)
Avoid sending user emails if @ mentioning a staged user

Some cases, unknowingly mentioning a staged user would invite
them into topics, sending them an email about it.
2024-03-13 11:05:34 +08:00
Alan Guo Xiang Tan
63dd08ad59
DEV: Fix build due to 3a4f4abdc9 (#26151) 2024-03-13 10:32:45 +08:00
David Taylor
e5020617c1
FEATURE: Use browser dir="auto" for support_mixed_text_direction (#26129)
* FEATURE: Use browser `dir="auto"` for support_mixed_text_direction

Previously we were using regex to parse all sorts of user input and guess the direction. All out target browsers now support this behavior out-the-box using `dir=auto`, which should be significantly faster.

https://meta.discourse.org/t/dir-auto-for-composer-and-elsewhere/276330

* test

* Update app/assets/javascripts/discourse/tests/integration/components/text-field-test.js

Co-authored-by: Jarek Radosz <jradosz@gmail.com>

---------

Co-authored-by: Jarek Radosz <jradosz@gmail.com>
2024-03-13 12:47:39 +11:00
dependabot[bot]
111042e575
Build(deps): Bump rails_multisite from 5.0.0 to 5.0.1 (#26145)
Bumps [rails_multisite]() from 5.0.0 to 5.0.1.

---
updated-dependencies:
- dependency-name: rails_multisite
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-03-13 09:47:08 +08:00
Kelv
0353d9fb0d
DEV: refactor topic map to glimmer component (#26119)
* DEV: add toggle to switch to glimmer TopicMap and rename imported hbs-compiler

* DEV: refactor topic-map tests to use assert.dom

* DEV: add topic-map glimmer component

* DEV: remove topic-map widget and switch summary-box to use explicitly passed-in actions

---------

Co-authored-by: David Taylor <david@taylorhq.com>
2024-03-13 09:26:34 +08:00
Osama Sayegh
3a4f4abdc9
DEV: Support category, float, group and tag inputs for objects theme setting (#26113)
Continue from https://github.com/discourse/discourse/pull/25673 and https://github.com/discourse/discourse/pull/25811.

This PR adds support for category, float, group and tag types for schema theme settings.
2024-03-13 09:08:50 +08:00
Krzysztof Kotlarek
de00c9a3d3
EXPERIMENTAL: restructure admin sidebar menu (#26047)
New admin sidebar menu
2024-03-13 10:18:08 +11:00
dependabot[bot]
50eca4d6e4
Build(deps): Bump logster from 2.19.0 to 2.19.1 (#26146)
Bumps [logster](https://github.com/discourse/logster) from 2.19.0 to 2.19.1.
- [Changelog](https://github.com/discourse/logster/blob/main/CHANGELOG.md)
- [Commits](https://github.com/discourse/logster/compare/v2.19.0...v2.19.1)

---
updated-dependencies:
- dependency-name: logster
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-03-13 06:55:33 +08:00
dependabot[bot]
bb73dbe221
Build(deps): Bump excon from 0.109.0 to 0.110.0 (#26144)
Bumps [excon](https://github.com/excon/excon) from 0.109.0 to 0.110.0.
- [Changelog](https://github.com/excon/excon/blob/master/changelog.txt)
- [Commits](https://github.com/excon/excon/compare/v0.109.0...v0.110.0)

---
updated-dependencies:
- dependency-name: excon
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-03-13 06:55:17 +08:00