Commit Graph

8975 Commits

Author SHA1 Message Date
Martin Brennan
9762e65758
FEATURE: Add Revise... option for queued post reviewable (#23454)
This commit adds a new Revise... action that can be taken
for queued post reviewables. This will open a modal where
the user can select a Reason from a preconfigured list
(or by choosing Other..., a custom reason) and provide feedback
to the user about their post.

The post will be rejected still, but a PM will also be sent to
the user so they have an opportunity to improve their post when
they resubmit it.
2023-10-13 11:28:31 +10:00
Tobias Eigen
460e702887
improve desc of review every post admin setting (#23899)
Adds more information about what the "review every post" admin setting does. All new posts are sent to the review queue so they can be reviewed by moderators, but are still published.
2023-10-12 09:43:14 -07:00
Krzysztof Kotlarek
cb8190d32f
FEATURE: option to automatically delete unused tags (#23864)
Introduced a new site setting that enables the automatic and daily removal of unused tags.
2023-10-11 23:58:56 +00:00
Penar Musaraj
e3e73a3091
DEV: Add routes and controller actions for passkeys (2/3) (#23587)
This is part 2 (of 3) for passkeys support.

This adds a hidden site setting plus routes and controller actions.

1. registering passkeys

Passkeys are registered in a two-step process. First, `create_passkey`
returns details for the browser to create a passkey. This includes
- a challenge
- the relying party ID and Origin
- the user's secure identifier
- the supported algorithms
- the user's existing passkeys (if any)

Then the browser creates a key with this information, and submits it to
the server via `register_passkey`.

2. authenticating passkeys

A similar process happens here as well. First, a challenge is created
and sent to the browser. Then the browser makes a public key credential
and submits it to the server via `passkey_auth_perform`.

3. renaming/deleting passkeys

These routes allow changing the name of a key and deleting it.

4. checking if session is trusted for sensitive actions

Since a passkey is a password replacement, we want to make sure to confirm the user's identity before allowing adding/deleting passkeys. The u/trusted-session GET route returns success if user has confirmed their session (and failed if user hasn't). In the frontend (in the next PR), we're using these routes to show the password confirmation screen. 

The `/u/confirm-session` route allows the user to confirm their session with a password. The latter route's functionality already existed in core, under the 2FA flow, but it has been abstracted into its own here so it can be used independently.


Co-authored-by: Alan Guo Xiang Tan <gxtan1990@gmail.com>
2023-10-11 14:36:54 -04:00
Discourse Translator Bot
88f851432b
Update translations (#23873) 2023-10-11 11:18:02 +02:00
David Taylor
f4aeebeb64
UX: Correct description on 'create topic' composer dropdown (#23871)
The 'create topic' entry in the dropdown was incorrectly using the 'reply as new topic' description. This fixes the logic to use a separate locale key for the description.
2023-10-10 13:23:00 +01:00
Tobias Eigen
00b1b88a86
updated description of company_name field (#23818)
If company name field is left blank, no boilerplate TOS or Privacy Notice is provided. Updated the description to make this explicit. For more info, see: https://meta.discourse.org/t/updates-to-new-site-experience-and-the-getting-started-guide/273189#login-page-is-more-welcoming-on-private-sites-3
2023-10-09 15:52:48 -07:00
Krzysztof Kotlarek
c468110929
FEATURE: granular webhooks (#23070)
Before this change, webhooks could be only configured for specific groups like for example, all topic events.

We would like to have more granular control like for example topic_created or topic_destroyed.

Test are failing because plugins changed has to be merged as well:
discourse/discourse-assign#498
discourse/discourse-solved#248
discourse/discourse-topic-voting#159
2023-10-09 03:35:31 +00:00
Alan Guo Xiang Tan
832b3b9e60
FEATURE: Remove support for legacy navigation menu (#23752)
Why this change?

Back in May 17 2023 along with the release of Discourse 3.1, we announced
on meta that the legacy hamburger dropdown navigation menu is
deprecated and will be dropped in Discourse 3.2. This is the link to the announcement
on meta: https://meta.discourse.org/t/removing-the-legacy-hamburger-navigation-menu-option/265274

## What does this change do?

This change removes the `legacy` option from the `navigation_menu` site
setting and migrates existing sites on the `legacy` option to the
`header dropdown` option.

All references to the `legacy` option in code and tests have been
removed as well.
2023-10-09 07:24:10 +08:00
Krzysztof Kotlarek
e94b553e9a
FEATURE: delete multiple inactive themes/components (#23788)
Ability to select multiple inactive themes or components and delete them all together
2023-10-08 21:35:53 +00:00
Penar Musaraj
921f1279b9
DEV: Update webauthn authentication documentation (#23787)
Also adds a `userHandle` check for first factor verification, though this is not yet implemented in Rails controllers and UI.
2023-10-05 15:22:43 -04:00
Renato Atilio
1d70cf455e
FEATURE: support a description attribute on form template fields (#23744)
* FEATURE: support a description attribute on form template fields
2023-10-04 17:51:53 -03:00
Discourse Translator Bot
24feb20abc
Update translations (#23757) 2023-10-04 09:54:20 +02:00
Mark Doerr
54d43c688f
UX: Update 'gtm_container_id' site setting description (#23763)
It should point to GTM nonce documentation, which is our preferred implementation when the CSP is enabled.
2023-10-03 15:19:23 -04:00
Penar Musaraj
0af6c5efdc
DEV: Refactor webauthn to support passkeys (1/3) (#23586)
This is part 1 of 3, split up of PR #23529. This PR refactors the
webauthn code to support passkey authentication/registration.

Passkeys aren't used yet, that is coming in PRs 2 and 3.

Co-authored-by: Alan Guo Xiang Tan <gxtan1990@gmail.com>
2023-10-03 14:59:28 -04:00
Kris
c9db9e9319
A11Y: composer tip close link should be a button (#23731) 2023-10-03 09:09:54 -04:00
KThompson-Lane-Unity
607f700c8c
FEATURE: Add API key scopes for tag_groups (#23634) 2023-10-03 16:20:17 +08:00
Kris
0bb7e9e0b8
A11Y: improve about page profile link markup (#23695) 2023-10-02 13:55:28 -04:00
Kris
5884176174
A11Y: correctly markup /about stat table headers, tweak style (#23733) 2023-10-02 13:55:11 -04:00
Kris
f5d4ddbff5
A11Y: add page title to account activation step (#23736) 2023-10-02 13:54:52 -04:00
Ted Johansson
7019dbcfe1
DEV: Change share quote visibility setting default to 'all' (#23720)
As pointed out on Meta, having this default to all (anonymous- and logged in users) is probably more sensible than just anonymous.
2023-09-30 11:41:50 +02:00
Ted Johansson
fd2912f944
FIX: Remove reference to removed site setting from num_users_to_silence_new_user setting (#23718)
The num_users_to_silence_new_user setting is referencing num_spam_flags_to_silence_new_user, which has been superceded twice.

This change updates the description to reflect that it now operates on the new "sensitivity score" system.
2023-09-30 11:28:04 +02:00
Arpit Jalan
b39f823fd3
FEATURE: add custom date range filter for admin dashboard reports (#23702)
* FEATURE: add custom date range filter for admin dashboard reports

* Improvements per David's review
2023-09-29 14:44:17 +05:30
Kris
34cc87db40
A11Y: UI emoji are decorative, use alt="" (#23690) 2023-09-28 13:30:19 -04:00
Kris
a523f17ed7
A11Y: aria-label for mobile topic list avatar (#23693) 2023-09-28 13:29:56 -04:00
Matt Marjanović
619d43ea47
FEATURE: Add prompt=none functionality to SSO Provider protocol (#22393)
This commit adds support for an optional `prompt` parameter in the
payload of the /session/sso_provider endpoint.  If an SSO Consumer
adds a `prompt=none` parameter to the encoded/signed `sso` payload,
then Discourse will avoid trying to login a not-logged-in user:

 * If the user is already logged in, Discourse will immediately
   redirect back to the Consumer with the user's credentials in a
   signed payload, as usual.

 * If the user is not logged in, Discourse will immediately redirect
   back to the Consumer with a signed payload bearing the parameter
   `failed=true`.

This allows the SSO Consumer to simply test whether or not a user is
logged in, without forcing the user to try to log in.  This is useful
when the SSO Consumer allows both anonymous and authenticated access.
(E.g., users that are already logged-in to Discourse can be seamlessly
logged-in to the Consumer site, and anonymous users can remain
anonymous until they explicitly ask to log in.)

This feature is similar to the `prompt=none` functionality in an
OpenID Connect Authentication Request; see
https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
2023-09-28 12:53:28 +01:00
Gerhard Schlager
da313ba49b
FEATURE: Add webhooks for user suspend and unsuspend (#23684) 2023-09-28 10:51:05 +02:00
Sam
a2da2e02e7
FEATURE: improve error message when double liking (#23698)
If a user somehow is looking at an old version of the page and attempts
to like a post they already like. Display a more reasonable error message.

Previously we would display:

> You are not permitted to view the requested resource.

New error message is:

> Oops! You already performed this action. Can you try refreshing the page?

Triggering this error condition is very tricky, you need to stop the
message bus. A possible reason for it could be bad network connectivity.
2023-09-28 16:53:48 +10:00
Kris
1ad60b791c
FIX: copy codeblocks needs client: true (#23686) 2023-09-27 11:03:20 -04:00
Discourse Translator Bot
287d0ec842
Update translations (#23627) 2023-09-27 11:03:00 +02:00
Krzysztof Kotlarek
81f3f56deb
FIX: enable copy code block by default (#23662)
Copy button on code blocks should be enabled by default and this setting should be hidden.
2023-09-27 10:24:19 +10:00
Kris
bbb4e19612
UX: improve history modal layout (#23675) 2023-09-26 17:50:09 -04:00
David Taylor
110fdf0189
DEV: Remove dependence on dartsass-sprockets (#23665)
Discourse has a custom stylesheet pipeline which compiles things 'just in time'. The only place we were still running sass files through sprockets was for the `/tests` route in development mode. This use can be removed by compiling the relevant stylesheets through ember-cli instead (which we were already doing for testem runs)

This work was prompted by the incompatibility of dartsass-sprockets with the latest sass-embedded release (https://github.com/tablecheck/dartsass-sprockets/issues/13)
2023-09-26 16:25:07 +01:00
Kris
cbf8d85e6b
UX: improve activity column title data (#23614) 2023-09-25 15:53:16 -04:00
Renato Atilio
1cc2c8fcb6
UX: unhide experimental_form_templates (#23615)
* UX: unhide experimental_form_templates

* UX: add description to experimental_form_templates setting
2023-09-25 13:38:06 -03:00
Renato Atilio
d93c2cb3d2
FEATURE: site settings to revoke api keys older than a number of days (#23595)
* FEATURE: site settings to revoke api keys older than a number of days
2023-09-15 16:31:29 -03:00
David Taylor
a60d7a2bc7
DEV: Modernize admin-site-text route/controller (#23581)
- Switch to `@tracked` and native getters
- Remove queryParam defaults which are awkward to work with. Instead, add `resolvedBlah` getters
- Add 'no results found' text
- Use standard 'model' key instead of a custom `setupController` method
- Remove use of `route-action`
- Remove `{{action` helper

Default queryParams in ember controllers are tricky to work with, especially when combined with the new router service. Instead, we can handle defaults ourselves
2023-09-14 11:27:09 +01:00
Sam
267e8ebaa6
FIX: min_personal_message_post_length not applying to first post (#23531)
* FIX: min_personal_message_post_length not applying to first post

Due to the way PostCreator is wired, we were not applying min_personal_message_post_length
to the first post.

This meant that admins could not configure it so PMs have different
limits.

The code was already pretending that this works, but had no reliable way
of figuring out if we were dealing with a private message
2023-09-13 15:43:54 +10:00
Bianca Nenciu
6f782d8e45
SECURITY: Add limits for themes and theme assets
This commit adds limits to themes and theme components on the:

- file size of about.json and .discourse-compatibility
- file size of theme assets
- number of files in a theme
2023-09-12 15:31:31 -03:00
Gerhard Schlager
e3a2446874
SECURITY: Limit number of drafts per user and length of draft_key
The hidden site setting max_drafts_per_user defaults to 10_000 drafts per user.
The longest key should be "topic_<MAX_BIG_INT>" which is 25 characters.
2023-09-12 15:31:26 -03:00
OsamaSayegh
c1b5faa5fd
SECURITY: Limit name field length of TOTP authenticators and security keys 2023-09-12 15:31:17 -03:00
Blake Erickson
9ac5e09179
DEV: Show separate error message for backup uploads (#23480)
Due to server upload limits backups may receive a 413 error so we need
to display a different error message than the default one we have set
for attachments.
2023-09-12 09:58:29 -06:00
Discourse Translator Bot
93de8c8daa
Update translations (#23538) 2023-09-12 15:27:48 +02:00
Renato Atilio
abae6ecadc
UX: remove unsupported features from form template help text (#23482) 2023-09-08 15:39:27 -03:00
Michael Brown
30528eac5c FIX: add missing translation key
This is used when browsing/filtering on all categories and new results appear.
2023-09-06 13:40:45 -04:00
Discourse Translator Bot
9ef5cefe26
Update translations (#23433) 2023-09-06 12:23:34 +02:00
Meghna
48951bb35e
UX: show only one username on multiple likes notification (#23385)
To adjust for small width screen and multiple locales only show one
username on multiple likes notification.
2023-09-06 15:30:56 +05:30
Ted Johansson
ede73f923f
DEV: Change fast typer trust level setting to enum type (#23429)
We have one site setting, `auto_silence_fast_typers_max_trust_level`, which expects a trust level. However, the type is set to integer, which makes it very hard for a layman to enter the correct thing.

This PR changes the type of the site setting to the `TrustLevelSetting` enum.

The use of these are interchangeable in the back-end, since `SiteSetting.auto_silence_fast_typers_max_trust_level` still returns the integer value with the enum.
2023-09-06 17:35:11 +08:00
Martin Brennan
c532f6eb3d
FEATURE: Secure uploads in PMs only (#23398)
This adds a new secure_uploads_pm_only site setting. When secure_uploads
is true with this setting, only uploads created in PMs will be marked
secure; no uploads in secure categories will be marked as secure, and
the login_required site setting has no bearing on upload security
either.

This is meant to be a stopgap solution to prevent secure uploads
in a single place (private messages) for sensitive admin data exports.
Ideally we would want a more comprehensive way of saying that certain
upload types get secured which is a hybrid/mixed mode secure uploads,
but for now this will do the trick.
2023-09-06 09:39:09 +10:00
Discourse Translator Bot
2768f3a968
Update translations (#23408) 2023-09-05 15:42:34 +02:00