Commit Graph

53442 Commits

Author SHA1 Message Date
David Taylor
1672a24490
DEV: Memoize CSP nonce placeholder on response (#25724)
That way, the same value is used even if the helper is called in the context of different controllers

Followup to c8a1b49ddd
2024-02-16 12:15:55 +00:00
David Taylor
b1f74ab59e
FEATURE: Add experimental option for strict-dynamic CSP (#25664)
The strict-dynamic CSP directive is supported in all our target browsers, and makes for a much simpler configuration. Instead of allowlisting paths, we use a per-request nonce to authorize `<script>` tags, and then those scripts are allowed to load additional scripts (or add additional inline scripts) without restriction.

This becomes especially useful when admins want to add external scripts like Google Tag Manager, or advertising scripts, which then go on to load a ton of other scripts.

All script tags introduced via themes will automatically have the nonce attribute applied, so it should be zero-effort for theme developers. Plugins *may* need some changes if they are inserting their own script tags.

This commit introduces a strict-dynamic-based CSP behind an experimental `content_security_policy_strict_dynamic` site setting.
2024-02-16 11:16:54 +00:00
Osama Sayegh
9329a5395a
FEATURE: Groundwork for schema theme settings UI (#25673)
This commit is the first of a series of commits that will allow themes to define complex settings types by declaring a schema of the setting structure that Discourse core will use to build a UI for the setting automatically. We implement the navigation logic and support for multiple levels of nesting in this commit and we'll continue building this new system gradually in future commits.

Internal topic: t/116870.
2024-02-16 09:31:49 +03:00
Martin Brennan
5935148bd8
FIX: Respect homepage prefs on admin sidebar Back to Forum link (#25642) 2024-02-16 14:31:42 +10:00
Martin Brennan
3094f32ff5
FIX: is_my_own? check for users who are anonymously doing actions (#25716)
Followup to 978d52841a

It's complicated...we have multiple "anonymous" user concepts
in core, and even two classes called the exact same thing --
AnonymousUser.

The first case is Guardian::AnonymousUser, which is used for
people who are browsing the forum without being authenticated.

The second case is the model AnonymousUser, which is used when
a user is liking or posting anonymously via allow_anonymous_likes
or allow_anonymous_posting site settings.

We will untangle this naming nightmare later on...but for the
time being, only authenticated users who are pretending to be
anonymous should be able to like posts if allow_anonymous_likes
is on.
2024-02-16 14:28:12 +10:00
Alan Guo Xiang Tan
ad900ef9dd
Revert "DEV: Debug AR connection pool queue on CI (#25687)" (#25714)
This reverts commit 796af077c5.

We have not seen checkout timeout errors since c30aeafd9d
2024-02-16 10:11:46 +08:00
Alan Guo Xiang Tan
64b4e0d08d
DEV: First pass of ThemeSettingsObjectValidator (#25624)
Why this change?

This is a first pass at adding an objects validator which main's job is
to validate an object against a defined schema which we will support. In
this pass, we are simply validating that properties that has been marked
as required are present in the object.
2024-02-16 09:35:16 +08:00
Martin Brennan
ae24e04a5e
DEV: Add a plugin modifier for user_action_stream_builder (#25691)
Reactions needs this to be able to filter out likes received
actions, where there is also an associated reaction, since
now most reactions also count as a like.
2024-02-16 10:24:39 +10:00
Alan Guo Xiang Tan
cc9480b24a
PERF: Use -ping option to ImageMagick identify command (#25713)
Why this change?

This adds the `-ping` option to the spots we missed in
cfdb461e9a.
2024-02-16 07:39:49 +08:00
Alan Guo Xiang Tan
d119ec617e
DEV: Disable BlockRequestsMiddleware before every test (#25712)
Why this change?

This is a follow up to c30aeafd9d. The
commit was calling `BlockRequestsMiddleware.allow_requests!` only before
`type: :system` tests but non system type tests could be running as well
and needs the `BlockRequestsMiddleware.allow_requests!` middleware to be
disabled too.
2024-02-16 07:01:36 +08:00
Sam
9e5e5d4078
FEATURE: shift+j and shift+k will scroll entire posts (#25684)
* FEATURE: shift+j and shift+k will scroll entire posts

When scrolling through topics with very long posts we would like to use
`shift+j` and `shift+k` to quickly move between posts.

This allows users to bypass the scroll within post behavior when zooming
through topics with keyboard shortcuts

This overloads the behavior of shift+k and j which can be used to scroll
through sections (new/latest/etc...)

* remove useless tests

These tests are testing nothing, no point carrying them around
2024-02-16 08:50:29 +11:00
dependabot[bot]
ef59fcea68
Build(deps): Bump terser from 5.27.0 to 5.27.1 in /app/assets/javascripts (#25711)
* Build(deps): Bump terser in /app/assets/javascripts

Bumps [terser](https://github.com/terser/terser) from 5.27.0 to 5.27.1.
- [Changelog](https://github.com/terser/terser/blob/master/CHANGELOG.md)
- [Commits](https://github.com/terser/terser/compare/v5.27.0...v5.27.1)

---
updated-dependencies:
- dependency-name: terser
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* Update lockfiles for ember version flag

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: discoursebuild <build@discourse.org>
2024-02-15 22:34:05 +01:00
dependabot[bot]
fe0a36eee0
Build(deps-dev): Bump webpack from 5.90.1 to 5.90.2 in /app/assets/javascripts (#25710)
* Build(deps-dev): Bump webpack in /app/assets/javascripts

Bumps [webpack](https://github.com/webpack/webpack) from 5.90.1 to 5.90.2.
- [Release notes](https://github.com/webpack/webpack/releases)
- [Commits](https://github.com/webpack/webpack/compare/v5.90.1...v5.90.2)

---
updated-dependencies:
- dependency-name: webpack
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* Update lockfiles for ember version flag

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: discoursebuild <build@discourse.org>
2024-02-15 22:33:45 +01:00
dependabot[bot]
8ce9842352
Build(deps): Bump google-protobuf from 3.25.2 to 3.25.3 (#25709)
Bumps [google-protobuf](https://github.com/protocolbuffers/protobuf) from 3.25.2 to 3.25.3.
- [Release notes](https://github.com/protocolbuffers/protobuf/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf/blob/main/protobuf_release.bzl)
- [Commits](https://github.com/protocolbuffers/protobuf/commits)

---
updated-dependencies:
- dependency-name: google-protobuf
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-02-15 22:18:48 +01:00
Kris
5e59f1f22f
DEV: add matching plugin outlet to mobile template (#25706) 2024-02-15 16:01:56 -05:00
Isaac Janzen
5a67c8f0ca
UX: Show search history for more contexts (#25705)
Add search history to 👇 contexts:

  - "topic",
  - "category",
  - "tag",
  - "tagIntersection",
  - "user",
  
  We display the search history when no search term is present.
  
  # Demo

https://github.com/discourse/discourse/assets/50783505/c720f70e-0c4c-4dbd-9f28-8b046deef674
  
  ## Topic
<img width="1003" alt="Screenshot 2024-02-15 at 12 36 37 PM" src="https://github.com/discourse/discourse/assets/50783505/5a254d94-2489-4c0f-976d-0eb1e2d6d775">


  ## Category
<img width="1003" alt="Screenshot 2024-02-15 at 12 36 23 PM" src="https://github.com/discourse/discourse/assets/50783505/247ec625-0bc2-431b-ae4f-b4e664647cfe">


  ## Tag  
<img width="1020" alt="Screenshot 2024-02-15 at 12 35 50 PM" src="https://github.com/discourse/discourse/assets/50783505/e416a935-00c2-4e8a-aef4-8de6903864bf">


  ## Tag Intersection
<img width="1004" alt="Screenshot 2024-02-15 at 12 35 28 PM" src="https://github.com/discourse/discourse/assets/50783505/d06cb287-52dd-4df4-ade8-75f30f67f07e">

  
  ## User
  <img width="1001" alt="Screenshot 2024-02-15 at 12 34 51 PM" src="https://github.com/discourse/discourse/assets/50783505/85a7a682-46f5-404c-a441-affb6bad05b6">
2024-02-15 13:25:50 -07:00
Isaac Janzen
45a130e696
FIX: Make recent search items populate input with value (#25704)
- Make clicking a recent search item populate the search input with said value
- Don't add empty search strings to recent search history.
2024-02-15 12:18:35 -07:00
Penar Musaraj
974b3a2a6f
DEV: Do not require session confirmation for new users (#24799)
When making sensitive changes to an account (adding 2FA or passkeys), we
require users to confirm their password. This is to prevent an attacker
from adding 2FA to an account they have access to.

However, on newly created accounts, we should not require this, it's an
extra step and it doesn't provide extra security (since the account was
just created). This commit makes it so that we don't require session
confirmation for accounts created less than 5 minutes ago.
2024-02-15 12:29:16 -05:00
chapoi
292685d3de
UX: Chat browse redesign (#25698)
* UX: fix search input placeholder cutoff

* UX: use transparent button for new-channel

* UX: remove settings link

* UX: removed joined tag

* UX: increase lock icon size

* UX: use grid for channel card

* UX: chat-channel-card styling + cleanup

* UX: dont space about tabs on mobile

* specs

* PR feedback

Co-authored-by: Joffrey JAFFEUX <j.jaffeux@gmail.com>

* PR feedback > translation

* Remove import

* UX: update copy

---------

Co-authored-by: Joffrey JAFFEUX <j.jaffeux@gmail.com>
2024-02-15 18:00:22 +01:00
dependabot[bot]
95bf1e1e9a
Build(deps): Bump logster from 2.17.1 to 2.18.0 (#25702)
Bumps [logster](https://github.com/discourse/logster) from 2.17.1 to 2.18.0.
- [Changelog](https://github.com/discourse/logster/blob/main/CHANGELOG.md)
- [Commits](https://github.com/discourse/logster/compare/v2.17.1...v2.18.0)

---
updated-dependencies:
- dependency-name: logster
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-02-15 16:44:36 +00:00
Kris
9374baab93
UX: clean up some label and form inconsistencies, reduce excess bolding (#25701) 2024-02-15 11:27:51 -05:00
Osama Sayegh
cfdb461e9a
PERF: Pass the -ping option to the identify ImageMagick command to speed it up (#25697)
The `-ping` option significantly speeds up the ImageMagick `identify` command per our testing and the [documentation](https://imagemagick.org/script/command-line-options.php#ping):

> -ping
Efficiently determine these image characteristics: image number, the file name, the width and height of the image, whether the image is colormapped or not, the number of colors in the image, the number of bytes in the image, the format of the image (JPEG, PNM, etc.). Use +ping to ensure accurate image properties.

We already pass the `-ping` option in other places where the `identify` command is used, so it makes sense to use the option everywhere.

Internal topic: t/121431.
2024-02-15 18:55:39 +03:00
chapoi
4deacc4aa8
UX: prevent groupname from wrapping (#25696) 2024-02-15 14:13:21 +01:00
Jarek Radosz
368551da2f
FIX: A regression in b797434 (#25694)
This resulted in showing the unread count on the "Latest" nav item on desktop.
2024-02-15 11:45:36 +01:00
dependabot[bot]
cb8958f204
Build(deps): Bump rack-mini-profiler from 3.3.0 to 3.3.1 (#25693)
Bumps [rack-mini-profiler](https://github.com/MiniProfiler/rack-mini-profiler) from 3.3.0 to 3.3.1.
- [Release notes](https://github.com/MiniProfiler/rack-mini-profiler/releases)
- [Changelog](https://github.com/MiniProfiler/rack-mini-profiler/blob/master/CHANGELOG.md)
- [Commits](https://github.com/MiniProfiler/rack-mini-profiler/compare/v3.3.0...v3.3.1)

---
updated-dependencies:
- dependency-name: rack-mini-profiler
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-02-15 11:29:17 +01:00
Alan Guo Xiang Tan
c30aeafd9d
DEV: Block all incoming requests before resetting Capybara session (#25692)
Why this change?

We have been debugging flaky system tests and noticed in https://github.com/discourse/discourse/actions/runs/7911902047/job/21596791343?pr=25690
that ActiveRecord connection checkout timeouts are encountered because
the Capybara server thread is processing requests even after
`Capybara.reset_session!` and ActiveRecord's `teardown_fixtures` have already been call.
The theory here is that an inflight request can still hit the Capybara
server even after `Capybara.reset_session!` has been called and end up
eating up an ActiveRecord connection for too long and also messing with
the database outside of a transaction.

What does this change do?

This change adds a `BlockRequestsMiddleware` middleware in the test
environment which is enabled to reject all incoming requests at the end
of each system test and before `Capybara.reset_session!` is called. At
the start of each RSpec test, the middleware is disabled again.
2024-02-15 16:36:12 +08:00
Sam
4346abe260
FEATURE: apply pinning to hot topic lists (#25690)
pinned topics should be pinned even on hot lists so it can be used as a
home page
2024-02-15 18:27:54 +11:00
Alan Guo Xiang Tan
55df52b56d
DEV: Skip consitently flaky tests on CI (#25689)
Why this change?

The tests are consistently flaky and failing with the following error:

```
CapybaraTimeoutExtension::CapybaraTimedOut:
  This spec passed, but capybara waited for the full wait duration (10s) at least once. This will slow down the test suite. Beware of negating the result of selenium's RSpec matchers.
```
2024-02-15 14:14:53 +08:00
Alan Guo Xiang Tan
796af077c5
DEV: Debug AR connection pool queue on CI (#25687)
Why this change?

On CI, we have been seeing flaky system tests because ActiveRecord is
unable to checkout a connection. This patch is meant to help us debug
which thread is not returning the connection to the queue.
2024-02-15 14:00:30 +08:00
Penar Musaraj
c1577019c8
DEV: Add post_id parameter to reset_bump_date route (#25372)
This would allow a theme component (or an API call) to reset the bump
date of a topic to a given post's created_at date.

I picked `post_id` as the parameter here because it provides a bit of
extra protection against accidentally resetting the bump date to a date
that doesn't make sense.
2024-02-15 16:42:42 +11:00
Krzysztof Kotlarek
2b30cca0e4
DEV: bump Logster version to 2.17.1 (#25688) 2024-02-15 16:36:20 +11:00
Krzysztof Kotlarek
52777e2de4
FIX: Logster backlink config in production (#25685)
Bug introduced in this PR https://github.com/discourse/discourse/pull/25669

Config should apply to development and production modes, not just the development environment.
2024-02-15 13:48:36 +11:00
Krzysztof Kotlarek
e61a2fc355
FEATURE: backlink to the site from Logster (#25669)
Configure the backlink to the site from Logster.
Related PR https://github.com/discourse/logster/pull/220
2024-02-15 10:26:30 +11:00
Isaac Janzen
e54c07cf49
FIX: Make similar topics selectable (#25682)
I attempted to add a test for related topics, as they are untested. This was a massive challenge as related topics are only rendered after 
- a user has stopped typing
- there is a timeout after typing

Between system tests, acceptance tests, and stubbing requests, this was difficult. So here is the pr san test.
2024-02-14 16:01:30 -07:00
Kris
41cd01c83a
UX: fix group search result alignment and styles (#25681) 2024-02-14 17:51:44 -05:00
Alan Guo Xiang Tan
a8b4d2e82c
DEV: Drop distributed mutex fromSidebarSiteSettingsBackfiller#backfill! (#25674)
Why this change?

Backfilling can take a long time on a site with many users. As a
result, the `DistriburedMutex` will warn in the logs when the block takes
more than 60 seconds to complete. We can increase the lock validity but
the method is currently only called from a job which has a
`cluster_concurrency` set to `1`. Therefore, it is actually not
necessary for us to hold a `DistributedMutex` here.

What does this change do?

1. Removes the distributed mutex and adds a comment about the risk of
   calling the `SidebarSiteSettingsBackfiller#backfill!` method.a

2. Delete old sidebar category section links in batches for all users
   to avoid a single long running query.
2024-02-15 06:21:03 +08:00
Kris
52fb523bbb
UX: show the full mobile read-state indicator (#25678) 2024-02-14 15:52:02 -05:00
Blake Erickson
bb261094cf
FEATURE: Auto generate and display video preview image (#25633)
This change will allow auto generated video thumbnails to be used
instead of the black video thumbnail that overlays videos.

Follow up to: 2443446e62
2024-02-14 13:43:53 -07:00
Andrei Prigorshnev
e83d8fb3e2
FIX: Allow several chat channels to have an empty slug (#25680)
In certain cases, chat channels may have empty slugs, it happens when:

1. The `slug_generation_method` setting is set to `None`
2. `slug_generation_method` is set to `ASCII` and a channel with 
a Unicode name and an empty slug is created (in this case, the code 
that creates channels tries to generate a slug and fallbacks to an empty slug)

At the moment, we have a unique index on the `chat_channels.slug` column 
which leads to errors when creating several channels with empty slugs 
(Discourse is able to create one such channel, but when trying to create 
the second one fails because of the unique constraint). This PR fixes that 
by adding a `where` condition to the index. Slugs still have to be unique, 
but now many channels may have empty slugs.

This fix is similar to the one we made to the category slugs – 7ba914f1e1.
2024-02-15 00:39:39 +04:00
Keegan George
10b33bc601
DEV: API extra markup to image wrapper (#25575) 2024-02-14 12:20:53 -08:00
Shane Scanlon
53a198ad55
FIX: Hide timer info on topic status toggle (#25596)
Use topic.topic_status_update value to hide timer info after status
change.
2024-02-14 11:40:40 -05:00
Kris
2323f09eb0
A11Y: change composer role to dialog, improve aria-labels (#25666) 2024-02-14 11:09:54 -05:00
Ella E
acca39036b
Update INSTALL-cloud.md screenshots and copy when landed on the forum homepage (#25671) 2024-02-14 07:31:44 -07:00
Ted Johansson
7522957aaa
FIX: Touch up illegal flag type translations (#25670)
When we launched the new illegal flag type, there were a few problems with the translations:

The translation for the message in the e-mail was missing and in the review queue, the message read: "Is this it's illegal?"

In this PR the missing translation key has been added. For the review queue there was a coupling of the name rendering to whether the flag is of "custom" type, but this is also used for deciding whether we render the textbox for additional details. I think these two things should not be coupled together. For now I have instead hard-coded the existing "custom" types when formatting the name. We can potentially improve this later.
2024-02-14 18:44:32 +08:00
David Taylor
915f7cdb27
FIX: Do not add "tag-" class to pages with no tag filter (#25677) 2024-02-14 10:24:02 +00:00
David Taylor
02177bb46d
UX: Add loading indicator to 'new or updated' PM banner (#25676)
Same as 9883e6a0c8, but for lists of PMs
2024-02-14 10:08:31 +00:00
Krzysztof Kotlarek
c03d22f633
FIX: serialize can_ignore_users (#25672)
Bug introduced in this PR https://github.com/discourse/discourse/pull/25585/files#diff-55dea7dea5b8655da575a2f23156240686c956d081d36ea9976d38b29b72b5d2R130

`can_ignore_users` method was created but not added to attributes and therefore it was not serialized.
2024-02-14 15:17:19 +11:00
Tobias Eigen
709bed5d1c
removed broken link and comments from no_index.erb (#25648)
We intend to move guidance about how to configure robots.txt to the admin interface and a documentation topic on meta.
2024-02-14 12:09:24 +08:00
Jeff Wong
cd99e20fd1
DEV: Add conflict resolution to migration min trust level for here mention to group (#25667) 2024-02-13 17:19:17 -08:00
Kris
037def8624
UX: clarify old dates with YYYY instead of 'YY (#25661)
* UX: clarify old dates with YYYY instead of 'YY

* update formatter test
2024-02-14 10:32:50 +11:00