Commit Graph

38783 Commits

Author SHA1 Message Date
Roman Rizzi
b9cd5ed62a
SECURITY: Ensure users can see the topic before setting a topic timer. (#10841) 2020-10-06 17:05:45 -03:00
Robin Ward
db8b8742c4 DEV: Add support for api-initializers to reduce boilerplate.
You can now create a file in your plugin/theme in the `api-initializers`
directory which has a simpler template than previous initializers.
Example:

```
// api-initializers/my-plugin.js
import { apiInitializer } from "discourse/lib/api";

export default apiInitializer("0.8", api => {
  console.log("hello world from api initializer!");
});
```
2020-09-30 16:07:28 -04:00
jbrw
c8ed4e9868
DEV: deepMerge and deepEqual functions (#10764) 2020-09-28 13:46:48 -04:00
Neil Lalonde
3e564ff466
Version bump to v2.5.2 2020-09-24 14:30:57 -04:00
Krzysztof Kotlarek
875467c1c5 SECURITY: return error on oversized images 2020-09-14 11:31:48 +10:00
Rafael dos Santos Silva
48d161e3b1 PERF: Add partial index on reviewables for topic view (#10492)
On the topic view route we query for reviewables of each post in the stream,
using a query that filters on two unindexed columns. This results in a Parallel Seq Scan
over all rows, which can take quite some time (~20ms was seen) on forums with lots of flags

After index is added PostgreSQL planner opts for a simple Index Scan and runs in sub 1ms.

Before:

```
                                     QUERY PLAN
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Finalize GroupAggregate  (cost=11401.08..11404.87 rows=20 width=28) (actual time=19.209..19.209 rows=1 loops=1)
   Group Key: r.target_id
   ->  Gather Merge  (cost=11401.08..11404.41 rows=26 width=28) (actual time=19.202..20.419 rows=1 loops=1)
         Workers Planned: 2
         Workers Launched: 2
         ->  Partial GroupAggregate  (cost=10401.06..10401.38 rows=13 width=28) (actual time=16.958..16.958 rows=0 loops=3)
               Group Key: r.target_id
               ->  Sort  (cost=10401.06..10401.09 rows=13 width=16) (actual time=16.956..16.956 rows=0 loops=3)
                     Sort Key: r.target_id
                     Sort Method: quicksort  Memory: 25kB
                     Worker 0:  Sort Method: quicksort  Memory: 25kB
                     Worker 1:  Sort Method: quicksort  Memory: 25kB
                     ->  Nested Loop  (cost=0.42..10400.82 rows=13 width=16) (actual time=15.894..16.938 rows=0 loops=3)
                           ->  Parallel Seq Scan on reviewables r  (cost=0.00..10302.47 rows=8 width=12) (actual time=15.882..16.927 rows=0 loops=3)
                                 Filter: (((target_type)::text = 'Post'::text) AND (target_id = ANY ('{7565483,7565563,7565566,7565567,7565568,7565569,7565579,7565580,7565583,7565586,7565588,7565589,7565601,7565602,7565603,7565613,7565620,7565623,7565624,7565626}'::integer[])))
                                 Rows Removed by Filter: 49183
                           ->  Index Scan using index_reviewable_scores_on_reviewable_id on reviewable_scores s  (cost=0.42..12.27 rows=2 width=8) (actual time=0.029..0.030 rows=1 loops=1)
                                 Index Cond: (reviewable_id = r.id)
 Planning Time: 0.318 ms
 Execution Time: 20.470 ms
```

After:
```
                                                                                                          QUERY PLAN
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 GroupAggregate  (cost=0.84..342.54 rows=20 width=28) (actual time=0.038..0.038 rows=1 loops=1)
   Group Key: r.target_id
   ->  Nested Loop  (cost=0.84..341.95 rows=31 width=16) (actual time=0.020..0.033 rows=1 loops=1)
         ->  Index Scan using index_reviewables_on_target_id on reviewables r  (cost=0.42..96.07 rows=20 width=12) (actual time=0.013..0.026 rows=1 loops=1)
               Index Cond: (target_id = ANY ('{7565483,7565563,7565566,7565567,7565568,7565569,7565579,7565580,7565583,7565586,7565588,7565589,7565601,7565602,7565603,7565613,7565620,7565623,7565624,7565626}'::integer[]))
         ->  Index Scan using index_reviewable_scores_on_reviewable_id on reviewable_scores s  (cost=0.42..12.27 rows=2 width=8) (actual time=0.005..0.005 rows=1 loops=1)
               Index Cond: (reviewable_id = r.id)
 Planning Time: 0.253 ms
 Execution Time: 0.067 ms
```
2020-09-08 10:49:08 -07:00
Daniel Waterworth
356491aea8 PERF: Don't load all poll_votes for a poll 2020-09-08 10:48:27 -07:00
Guo Xiang Tan
996765562e DEV: Correct use of sanitize_sql_array in TopicQuery. 2020-09-08 10:44:35 +02:00
Guo Xiang Tan
05691b732d DEV: Address review comments for 5ed84d9885. 2020-09-08 10:44:27 +02:00
Guo Xiang Tan
aa1fb1b1b5 SECURITY: Remove indication that a group exists if user can't see it.
Minor security fix but we should not leak any hints that a group exists
even if a user does not have access to the group.
2020-09-08 10:44:09 +02:00
Guo Xiang Tan
1f6e8b642d SECURITY: Don't allow moderators to list PMs of all groups.
* Also return 404 when a user is trying to list PMs of a group that
cannot be accessed by the user.
2020-09-08 10:43:13 +02:00
Neil Lalonde
265eb1c7f9
Version bump to v2.5.1 2020-08-20 14:28:36 -04:00
Jeff Wong
3510534261 FIX: allow plugin pinning to fetch missing commits
Add update for fetching git commits if they do not exist, eg with
clone --depth 1 - only can fetch via git fetch --depth 1 {remote} {ref}
the ref needs to be a full, non-ambiguous reference.
2020-08-13 11:15:19 -07:00
Matt Palmer
e3b1c3a37b FEATURE: Allow the specification of an arbitrary unicorn listen address
Useful if you want to, say, have your unicorn listen on a Unix domain
socket, rather than a TCP port, or you want to be able to bind to a
single address other than 127.0.0.1.
2020-08-05 13:16:31 +05:30
Vinoth Kannan
c661934d41 FIX: rewrite of /my/URL should work on sub directory site too. 2020-08-05 00:56:49 +05:30
Guo Xiang Tan
d4d210eb60
Update rails_failover to 0.5.5. 2020-08-04 11:14:29 +08:00
Guo Xiang Tan
2a0af17a39
FIX: Exclude DELETE methods from invalid request with payload.
Follow-up 105d560177

Our client side code is sending params as part of the request payload so
that is going to be tricky to fix.
2020-08-03 17:05:50 +08:00
Guo Xiang Tan
4342d08edd
SECURITY: 413 for GET, HEAD or DELETE requests with payload. 2020-08-03 15:01:28 +08:00
Guo Xiang Tan
3260865697
DEV: Refactor anonymouse cache spec.
Mainly to properly categorize `Middleware::AnonymousCache` vs `Middleware::AnonymousCache::Helper` specs.
2020-08-03 15:01:19 +08:00
Sam Saffron
a0d4bc47d7 DEV: upgrade mini_racer and libv8
This pushes v8 from Chrome 73 (March 2019) -> 84 (July 14 2020)

Not expecting any user facing changes, but it is super nice to be on latest
v8 :confetti:
2020-07-23 14:31:34 +05:30
Rafael dos Santos Silva
7d30cf707d DEV: Fix search rate limit tests 2020-07-13 10:26:48 -07:00
Rafael dos Santos Silva
6aad9cd0c8 FEATURE: Add global rate limit for anon searches (#10208) 2020-07-13 10:26:42 -07:00
Martin Brennan
3f7658cc6e
SECURITY: Add content-disposition: attachment for SVG uploads
* strip out the href and xlink:href attributes from use element that
  are _not_ anchors in svgs which can be used for XSS
* adding the content-disposition: attachment ensures that
  uploaded SVGs cannot be opened and executed using the XSS exploit.
  svgs embedded using an img tag do not suffer from the same exploit
2020-07-09 13:54:45 +10:00
Jeff Wong
271d6319ce Support plugin and Theme compatibility version manifests (#9995)
Adds a new rake task `plugin:checkout_compatible_all` and
`plugin:checkout_compatible[plugin-name]` that check out compatible plugin
versions.

Supports a .discourse-compatibility file in the root of plugins and themes that
list out a plugin's compatibility with certain discourse versions:

eg: .discourse-compatibility
```
2.5.0.beta6: some-git-hash
2.4.4.beta4: some-git-tag
2.2.0: git-reference
```

This ensures older Discourse installs are able to find and install older
versions of plugins without intervention, through the manifest only.

It iterates through the versions in descending order. If the current Discourse
version matches an item in the manifest, it checks out the listed plugin target.
If the Discourse version is greater than an item in the manifest, it checks out
the next highest version listed in the manifest.

If no versions match, it makes no change.
2020-07-08 15:45:47 -07:00
Régis Hanol
c33847b30d FIX: uploading an existing image as a site setting
The previous fix (f43c0a5d85) wasn't working for images that were already uploaded.
The "metadata" (eg. 'for_*' and 'secure' attributes) were not added to existing uploads.

Also used 'Upload.get_from_url' is the admin/site_setting controller to properly retrieve
an upload from its URL.

Fixed the Upload::URL_REGEX to use the \h (hexadecimal) for the SHA

Follow-up-to: f43c0a5d85
2020-07-03 19:19:14 +02:00
Régis Hanol
08407905ba FIX: uploading an image as a site setting
When uploading an image as a site setting, we need to return the "raw" URL, otherwise
when saving the site setting, the upload won't be looked up properly.

Follow-up-to: f11363d446
2020-07-03 14:59:15 +02:00
Osama Sayegh
4a10350496 FIX: Negative limit values shouldn't cause error 500 (#10162) 2020-07-02 15:15:25 -04:00
Guo Xiang Tan
e94907eea4 FIX: Delete related search data when record has been deleted. 2020-07-02 15:14:17 -04:00
Vinoth Kannan
260bb6f073 FIX: return cdn url for uploads if available.
Currently it is displaying non-cdn urls in the composer preview.
2020-07-02 15:14:01 -04:00
Robin Ward
3a14bd6b14 FIX: Support root paths that omit the trailing slash and have QPs 2020-07-02 15:13:44 -04:00
Robin Ward
81ce3c8e50 FIX: Search was not multisite aware 2020-07-02 15:13:32 -04:00
Sam Saffron
7bfbecad7e PERF: cache all metadata for 60 seconds
Clients tend to request webmanifests and such very often.

Keep the data cached for 60 seconds so it is not requested aggresively.
2020-07-02 15:12:59 -04:00
Gerhard Schlager
f69e5a4d7e FIX: Sometimes not all output of psql was logged during restores
There was a race condition which could prevent Discourse from logging the last couple of lines of output from psql.
2020-07-02 15:12:44 -04:00
Sam Saffron
43a41f3928 FIX: emoji_autocomplete_min_chars failing when not 0
autocomplete resolving to [] was causing it to stop working.
Instead we have a special const (SKIP) which ensures it will
continue to be evaluated and only this instance is skipped.
2020-07-02 15:12:30 -04:00
Mark VanLandingham
67cc6731c6 FIX: update theme fields when updating from ThemesInstallTask (#10143) 2020-07-02 15:12:15 -04:00
Régis Hanol
3de1cf128c FIX: identify slug-less topic urls everywhere
In 91c89df6, I fixed the onebox to support local topics with a slug-less URL.
This commit fixes all the other spots (search, topic links and user badges) where we look up for a local topic.

Follow-up-to: 91c89df6
2020-07-02 15:11:36 -04:00
Dan Ungureanu
1f6f1604c9 FIX: Serialize an empty array if no suggested topics exist (#10134)
It used to return nil, which was ambiguous (empty vs absent
result).
2020-07-02 15:10:52 -04:00
Joshua Rosenfeld
8fbc41d993 FIX: Broken specs
`/u/` is no longer in robots.txt, so don't test for it
2020-07-02 15:09:50 -04:00
Joshua Rosenfeld
417bdcb53a FIX: Remove paths from robots.txt in favor of noindex header
Google no longer supports the use of robots.txt to block indexing.
See https://support.google.com/webmasters/answer/6062608 and
https://support.google.com/webmasters/answer/93710

Previous commits have added the `noindex` header to appropriate pages,
now we need to remove the paths from robots.txt so the pages can be
crawled.

Follow up to:
13f229808a
b6765aac4b
676be3a853
07b728c5e5
c94e6a9a66
2020-07-02 15:09:40 -04:00
Régis Hanol
d156b7749d FIX: match discobot triggers on cooked version
In French, the help trigger has a raw content of "afficher l'aider" which is then cooked into "afficher l’aide" (note the different quote character).
Since we were checking the raw content of the trigger against the cooked version of the post, this trigger never worked in French.

This changes so that we cook the trigger before checking in against the cooked version of the post.

DEV: new 'discobot_username' method that is used everywhere instead of 'discobot_user.username' / 'discobot_user.username_lower'
2020-07-02 15:09:22 -04:00
Sam Saffron
17182edab2 FIX: invalid urls should not break store.has_been_uploaded?
Breaking this method has wide ramification including breaking
search indexing.
2020-07-02 15:09:10 -04:00
Sam Saffron
ae520b62e4 FEATURE: allow disabling of extra term injection in search
There is a feature in search where we take over from the tokenizer
in postgres and attempt to inject more words into search.

So for example: sam.i.am will inject the words i and am.

This is not ideal cause there are many edge cases and this can
cause extreme index bloat.

This is an opening move commit to make it configurable, over the
next few weeks we will evaluate and decide if we disable this by
default or simply remove.
2020-07-02 15:08:53 -04:00
Sam Saffron
5f5dd9ea67 PERF: stop adding more topics to search when not needed
The logic of adding additional search results does not seem to be
needed anymore.

It appears to be a relic of an old implementation.

This saves an entire search query for every search made.
2020-07-02 15:08:33 -04:00
Guo Xiang Tan
f10f87cc68 FIX: Avoid marking notifications as seen in readonly mode. 2020-07-02 15:08:13 -04:00
Roman Rizzi
1b17482eab FIX: Uploads cannot be mapped due to the cook-text's element attr being null (#10136) 2020-06-30 12:07:50 -03:00
David Taylor
19db1a7d2a
FIX: Correct version comparison logic when comparing stable to beta (#10135)
* FIX: Correct version comparison logic when comparing stable to beta

For example, version 1.3.0 should be considered higher than 1.3.0.beta3. So `Discourse.has_needed_version?('1.3.0', '1.3.0.beta3')` should return true

* Switch to use Gem::Version to compare versions
2020-06-30 09:37:01 +01:00
tshenry
c271b0c394
FIX: published-page-header should be a sibling to published-page-body not a parent (#10126) 2020-06-25 14:59:33 -07:00
Neil Lalonde
6a42acbfb7
Version bump to v2.5.0 2020-06-24 13:56:53 -04:00
Neil Lalonde
eb10109c99
Merge diffs from master 2020-06-24 13:48:37 -04:00
Neil Lalonde
607d00f780
Merge master 2020-06-24 13:47:36 -04:00