Jeff Wong
b72dbb0be0
FEATURE: add before-topic-progress plugin outlet
2019-09-04 11:29:05 -07:00
Sam Saffron
6477531098
SECURITY: add rate limiting to anon JS error reporting
This adds a 1 minute rate limit to all JS error reporting per IP. Previously
we would only use the global rate limit.
This also introduces DISCOURSE_ENABLE_JS_ERROR_REPORTING, if it is set to
false then no JS error reporting will be allowed on the site.
2019-08-20 11:31:58 +10:00
David Taylor
d237da16c5
SECURITY: Restrict message-bus access on login_required sites
2019-08-14 10:11:28 +01:00
Gerhard Schlager
ab3e18090f
FIX: Disallow user self-delete when user posted in PMs
All posts created by the user are counted unless they are deleted,
belong to a PM sent between a non-human user and the user or belong
to a PM created by the user which doesn't have any other recipients.
It also makes the guardian prevent self-deletes when SSO is enabled.
2019-08-10 12:06:40 +02:00
Roman Rizzi
0be47023d4
FIX: Use unescaped title as combo-box id (#7979)
2019-08-08 12:52:34 -03:00
David Taylor
b1d2e4daf3
FIX: Composer preview on IE11 (#7970)
Add the Array.from polyfill for IE11. This is required to support the transpiled ES6 spread syntax generated by babel: https://babeljs.io/docs/en/caveats/
2019-08-05 14:44:13 +01:00
David Taylor
85cdf213e1
FIX: Hide live-loaded posts from ignored users
2019-07-27 14:00:34 +01:00
David Taylor
c4ff66e1a5
DEV: Correct merge conflicts for 9cfe3f99
2019-07-24 13:31:16 +01:00
David Taylor
9cfe3f9948
SECURITY: Add confirmation screen when connecting associated accounts
2019-07-24 13:29:59 +01:00
Guo Xiang Tan
477bacb3ae
SECURITY: XSS when displaying watched words in admin panel.
The XSS here is only possible if CSP is disabled. Low impact since CSP
is enabled by default in SiteSettings.
2019-07-15 10:58:52 +08:00
Robin Ward
d1c12539dd
SECURITY: XSS with title selector on preferences page
Note this is very low severity as the group needs to be created with a
default title that contains HTML, and group creation is restricted to
staff members right now.
2019-07-09 17:35:26 -04:00
romanrizzi
2a7d270fd6
Revert "FIX: remove misplaced save button"
This reverts commit f1381a274b.
2019-07-03 10:58:33 -03:00
romanrizzi
f1381a274b
FIX: remove misplaced save button
2019-07-03 10:47:54 -03:00
romanrizzi
34d548dbd3
FIX: Remove misplaced outlet
2019-07-03 10:47:43 -03:00
Arpit Jalan
867eebb55e
FIX: creating new badge is failing on empty SQL query (#7837)
2019-07-02 15:17:32 +05:30
Sam Saffron
467e03a2ec
DEV: lint file
We no longer need that isAppleDevice require
2019-06-27 11:29:51 +02:00
Joffrey JAFFEUX
a91881280d
FIX: closes search-menu on escape (#7804)
2019-06-27 09:34:34 +02:00
Joffrey JAFFEUX
690fb5c4fb
FIX: prevents failure when TL was mutated on internal object (#7808)
2019-06-27 09:34:31 +02:00
Gerhard Schlager
9c8aa0a906
SECURITY: XSS in routes
Co-authored-by: Guo Xiang Tan <tgx_world@hotmail.com>
Co-authored-by: David Taylor <david@taylorhq.com>
2019-06-26 16:45:33 +02:00
Penar Musaraj
8b963bce37
FIX: Do not refresh all settings on save for all settings, limit to only a few
- Followup to 0e303c7f5d
- Automatically reloads site settings after saving only for the logo, logo_small and large_icon settings.
2019-06-25 11:49:09 -04:00
Penar Musaraj
e1822034dc
FIX: use correct name for selectable_avatars_enabled site setting
2019-06-25 11:48:56 -04:00
Maja Komel
faf059e018
FIX: remove temporary hack for fixed iOS bug (#7773)
A bug where input focus is displaced on modals was fixed in iOS 11.3 update. This hack was causing problems on topic page since hiding main-outlet results in lost read position after opening and closing a modal.
2019-06-25 11:48:42 -04:00
Joffrey JAFFEUX
f2d5cde24c
FIX: category-chooser search should be scoped to category (#7794)
2019-06-24 11:31:41 +02:00
David Taylor
52387be4a4
SECURITY: Add confirmation screen when logging in via email link
2019-06-17 16:18:37 +01:00
David Taylor
5f6f707080
Revert "Merge pull request from GHSA-hv9p-jfm4-gpr9"
This reverts commit b8340c6c8e.
2019-06-17 16:17:10 +01:00
David Taylor
b8340c6c8e
Merge pull request from GHSA-hv9p-jfm4-gpr9
* SECURITY: Add confirmation screen when logging in via email link
* SECURITY: Add confirmation screen when logging in via user-api OTP
* FIX: Correct translation key in session controller specs
* FIX: Use .email-login class for page
2019-06-17 15:59:41 +01:00
Arpit Jalan
102be5a9e3
DEV: optimize fix for sub-categories not getting pre-filled.
2019-06-17 13:28:08 +05:30
tshenry
c909033f2b
Add plugin outlets to login/create-account modals (#7770)
2019-06-17 16:22:00 +10:00
Arpit Jalan
48b9e0d749
FIX: sub-categories was not getting selected for pre-filled topics
2019-06-15 13:46:15 +05:30
Kris
9cb656250d
FIX: Allow tall tables to scroll vertically on iOS
2019-06-14 14:26:59 -04:00
Arpit Jalan
efc05e7224
FIX: remove topic timer info on completion
2019-06-13 17:01:43 +05:30
Joffrey JAFFEUX
fbbce235ce
UX: improves change-timestamp modal (#7766)
2019-06-13 13:30:33 +02:00
Joffrey JAFFEUX
19ca2d4772
DEV: reset widget clean callback between tests (#7761)
2019-06-12 17:49:02 +02:00
Robin Ward
13b979cb71
FIX: Performing actions on a particular reviewable was displaying an error
It was expecting a method to remove the reviewable from the current
list, only we were not displaying a list.
Instead, we refresh the reviewable model with the latest result.
2019-06-12 10:56:30 -04:00
David Taylor
0ebe5ec1f8
FIX: Check postStream.gaps exists before trying postStream.gaps.after
2019-06-11 23:48:21 +01:00
Robin Ward
f6e0c79742
FIX: Trigger change event when inserting text
This would normally not fire and result in odd behavior in the review
queue when inserting links.
2019-06-11 17:27:34 -04:00
Robin Ward
3d7c26c15e
FIX: Memory Leaks w/ Container (#7750)
Gives instance initializers the ability to add a `teardown` method that
will be called between tests to clean up after themselves.
2019-06-11 18:41:27 +02:00
Robin Ward
47095a7fa1
FIX: Memory leak when adding ajax prefilter repeatedly.
2019-06-11 11:50:35 -04:00
Robin Ward
c322cccd53
FIX: Memory Leaks when decorating posts (#7749)
* Remove long-deprecated method
* FIX: Memory Leaks when decorating posts
Previously we'd keep creating mixins dynamically when decorating the
same class.
This code changes the API to recommend an `id` parameter for each
decorator which will avoid leaks. All plugins should be updated to
include this parameter, although if they don't in the meantime it'll
just mean a warning in the console (and a continued leak.)
2019-06-11 17:21:23 +02:00
David Taylor
f4fd75aea4
DEV: Rename variable to avoid conflict
2019-06-11 13:02:40 +01:00
David Taylor
f1d5b992bf
DEV: Correct linting error
2019-06-11 12:51:18 +01:00
Joffrey JAFFEUX
dc15486f0a
Revert "DEV: resets csrf ajax prefilter only if present (#7747)"
This reverts commit 6612218a4e.
2019-06-11 13:34:25 +02:00
David Taylor
61b587f66e
FIX: Mark ignored posts as 'read', if last visible post is read (#7739)
2019-06-11 12:16:28 +01:00
David Taylor
000a35b219
FIX: Do not live-load posts from ignored users
2019-06-11 12:07:14 +01:00
Joffrey JAFFEUX
6612218a4e
DEV: resets csrf ajax prefilter only if present (#7747)
2019-06-11 12:50:20 +02:00
Joffrey JAFFEUX
ebf77f74b7
Revert "DEV: prevents csrf token to leak state between tests (#7746)"
This reverts commit b29d63a52d.
2019-06-11 12:19:49 +02:00
Joffrey JAFFEUX
b29d63a52d
DEV: prevents csrf token to leak state between tests (#7746)
2019-06-11 11:54:23 +02:00
Joffrey JAFFEUX
e6714d3531
Revert "DEV: attempts to prevent session object to be retain in csrf init (#7743)"
This reverts commit 62c56b6e59.
2019-06-11 10:58:32 +02:00
Joffrey JAFFEUX
4deb0f6d59
DEV: prevents post-cooked decorators to leak between tests (#7744)
2019-06-11 10:02:10 +02:00
Joffrey JAFFEUX
62c56b6e59
DEV: attempts to prevent session object to be retain in csrf init (#7743)
2019-06-11 09:59:14 +02:00