Commit Graph

3686 Commits

Author SHA1 Message Date
Martin Brennan
45df579db0
DEV: Improving topic tracking state code (#12555)
The aim of this PR is to improve the topic tracking state JavaScript code and test coverage so further modifications can be made in plugins and in core. This is focused on making topic tracking state changes easier to respond to with callbacks, and changing it so all state modifications go through a single method instead of modifying `this.state` all over the place. I have also tried to improve documentation, make the code clearer and easier to follow, and make it clear what are public and private methods.

The changes I have made here should not break backwards compatibility, though there is no way to tell for sure if other plugin/theme authors are using tracking state methods that are essentially private methods. Any name changes made in the tracking-state.js code have been reflected in core.

----

We now have a `_trackedTopicLimit` in the tracking state. Previously, if a topic was neither new nor unread it was removed from the tracking state; now it is only removed if we are tracking more than `_trackedTopicLimit` topics (which is set to 4000). This is so plugins/themes adding topics with `TopicTrackingState.register_refine_method` can add topics to track that aren't necessarily new or unread, e.g. for totals counts.

Anywhere where we were doing `tracker.states["t" + data.topic_id] = newObject` has now been changed to flow through central `modifyState` and `modifyStateProp` methods. This is so state objects are not modified until they need to be (e.g. sometimes properties are set based on certain conditions) and also so we can run callback functions when the state is modified.

I added `onStateChange` and `onMessageIncrement` methods to register callbacks that are called when the state is changed and when the message count is incremented, respectively. This was done so we no longer need to do things like `@observes("trackingState.states")` in other Ember classes.

I split up giant functions like `sync` and `establishChannels` into smaller functions for readability and testability, and renamed many small functions to _functionName to designate them as private functions which not be called by consumers of `topicTrackingState`. Public functions are now all documented (well...at least ones that are not immediately obvious).

----

On the backend side, I have changed the MessageBus publish events for TopicTrackingState to send back tags and tag IDs for more channels, and done some extra code cleanup and refactoring. Plugins may override `TopicTrackingState.report` so I have made its footprint as small as possible and externalised the main parts of it into other methods.
2021-04-28 09:54:45 +10:00
Roman Rizzi
cdbdb04909
UX: The Site's logo is the selected option when changing the system's user avatar. (#12861)
If the "use_site_small_logo_as_system_avatar" setting is enabled, the site's small logo is displayed as the selected option by the avatar-selector. Choosing a different avatar disables the setting.
2021-04-27 17:28:15 -03:00
David Taylor
657dff3544
PERF: Remove N+1s from ThemeController#update and #show (#12842)
These endpoints only return one `Theme` row, but the one-many relations were not being preloaded efficiently. This commit moves the `includes` statement to a scope, and makes use of it in `#index`, `#show`, and `#update`.
2021-04-27 12:30:29 +01:00
Krzysztof Kotlarek
e29605b79f
FEATURE: the ability to search users by custom fields (#12762)
When the admin creates a new custom field they can specify if that field should be searchable or not.

That setting is taken into consideration for quick search results.
2021-04-27 15:52:45 +10:00
Rafael dos Santos Silva
a74783d157
FEATURE: Allow using 'top' view for topic list embed (#12825) 2021-04-26 18:10:04 -03:00
Osama Sayegh
a169dc6832
Revert "FEATURE: Allow theme tests to be run in production (#12815)" (#12840)
This reverts commit 7217dcb67a.

https://meta.discourse.org/t/failed-to-bootstrap-due-to-out-of-memory-killer/188141/18?u=osama

Precompiling test_helper.js is so expensive that it can make bootstrap
fail on servers with limited resources (2GB RAM). We will find another
way that doesn't require much resources.
2021-04-26 23:05:58 +03:00
Osama Sayegh
7217dcb67a
FEATURE: Allow theme tests to be run in production (#12815)
This commit allows site admins to run theme tests in production via a new `/theme-qunit` route. When you visit `/theme-qunit`, you'll see a list of the themes/components installed on your site that have tests, and from there you can select a theme or component that you run its tests.

We also have a new rake task `themes:install_and_test` that can be used to install a list of themes/components on a temporary database and run the tests of the themes/components that are installed. This rake task can be useful when upgrading/deploying a Discourse instance to make sure that the installed themes/components are compatible with the new Discourse version being deployed, and if the tests fail you can abort the build/deploy process so you don't end up with a broken site.
2021-04-26 12:56:45 +03:00
Dan Ungureanu
cfee2728ce
FEATURE: New share topic modal (#12804)
The old share modal used to host both share and invite functionality,
under two tabs. The new "Share Topic" modal can be used only for
sharing, but has a link to the invite modal.

Among the sharing methods, there is also "Notify" which points out
that existing users will simply be notified (this was not clear
before). Staff members can notify as many users as they want, but
regular users are restricted to one at a time, no more than
max_topic_invitations_per_day. The user will not receive another
notification if they have been notified of the same topic in past hour.

The "Create Invite" modal also suffered some changes: the two radio
boxes for selecting the type (invite or email) have been replaced by a
single checkbox (is email?) and then the two labels about emails have
been replaced by a single one, some fields were reordered and the
advanced options toggle was moved to the bottom right of the modal.
2021-04-23 19:18:23 +03:00
Robin Ward
e3b1d1a718
DEV: Improve Ember CLI's bootstrap logic (#12792)
* DEV: Give a nicer error when `--proxy` argument is missing

* DEV: Improve Ember CLI's bootstrap logic

Instead of having Ember CLI know which URLs to proxy or not, have it try
the URL with a special header `HTTP_X_DISCOURSE_EMBER_CLI`. If present,
and Discourse thinks we should bootstrap the application, it will
instead stop rendering and return a HTTP HEAD with a response header
telling Ember CLI to bootstrap.

In other words, any time Rails would otherwise serve up the HTML for the
Ember app, it stops and says "no, you do it."

* DEV: Support asset filters by path using a new options object

Without this, Ember CLI's bootstrap would not get the assets it wants
because the path it was requesting was different than the browser path.
This adds an optional request header to fix it.

So far this is only used by the styleguide.
2021-04-23 10:24:42 -04:00
Jarek Radosz
a172a6cd9c
FIX: Allow finding non-lowercase tag groups (#12787) 2021-04-21 19:15:53 +02:00
Osama Sayegh
45ccadeeeb
DEV: Upgrade Rails to 6.1.3.1 (#12688)
Rails 6.1.3.1 deprecates a few API and has some internal changes that break our tests suite, so this commit fixes all the deprecations and errors and now Discourse should be fully compatible with Rails 6.1.3.1. We also have a new release of the rails_failover gem that's compatible with Rails 6.1.3.1.
2021-04-21 12:36:32 +03:00
Sam
5c49009c6c
PERF: properly preload emails to speed up user exports (#12778)
scopes are incredibly annoying to preload, simply adding :user_emails is not
enough.

Instead of relying on scopes simply iterate through user_emails which is
properly preloaded.

This removes 2 * N+1 when generating user reports.
2021-04-21 10:42:07 +10:00
Joffrey JAFFEUX
69f8c3b305
UX: displays a descriptive error when theme is not allowed (#12763) 2021-04-20 13:28:59 +02:00
Arpit Jalan
af6d0342b6
FIX: user group message route should not be case-sensitive (#12753) 2021-04-20 10:25:31 +05:30
Roman Rizzi
fd8441d6d5
DEV: Pass a list of tag group names when using the search endpoint. (#12721)
Accepting a list of names instead of ids is more convenient when searching for tag groups using data from the `category.allowed_tag_groups` method.
2021-04-16 08:41:10 -03:00
Dan Ungureanu
bfa301bd7b
FIX: Show invite validation errors to users (#12717)
The server used to respond with a generic 'error, contact admin' message
which did not offer any hint what the error was. This happened even when
the error could be easily corrected by the user (for example, if they
chose a very common password).
2021-04-15 15:23:49 +03:00
Dan Ungureanu
85d4b60a45
FIX: Improve error messages for invites (#12714)
The error messages used to include an unnecessary 'Validation failed:
Email' prefix which was removed.
2021-04-15 14:46:32 +03:00
Dan Ungureanu
8c24a848e0
FEATURE: Reduce invite key length (#12692)
We used to generate invite keys that were 32-characters long which were
not very friendly and lead to very long links. This commit changes the
generation method to use almost all alphanumeric characters to produce
a 10-character long invite key.

This commit also introduces a rate limit for redeeming invites because
the probability of guessing an invite key has increased.
2021-04-14 19:22:16 +03:00
Dan Ungureanu
528cfea079
FEATURE: Auto-activate users invited by email (#12675)
When invited by email, users will receive an invite URL which contains
a token. If that token is present when the invite is redeemed, their
account will be automatically activated.
2021-04-14 12:15:56 +03:00
Martin Brennan
eeaecd4fd2
FEATURE: Category setting to allow unlimited first post edits by the owner of the topic (#12690)
This PR adds a new category setting which is a column in the `categories` table, `allow_unlimited_owner_edits_on_first_post`.

What this does is:

* Inside the `can_edit_post?` method of `PostGuardian`, if the current user editing a post is the owner of the post, it is the first post, and the topic's category has `allow_unlimited_owner_edits_on_first_post`, then we bypass the check for `LimitedEdit#edit_time_limit_expired?` on that post.
* Also, similar to wiki topics, in `PostActionNotifier#after_create_post_revision` we send a notification to all users watching a topic when the OP is edited in a topic with the category setting `allow_unlimited_owner_edits_on_first_post` enabled.

This is useful for forums where there is a Marketplace or similar category, where topics are created and then updated indefinitely by the OP rather than the OP making new topics or additional replies. In a way this acts similar to a wiki that only one person can edit.
2021-04-14 15:54:09 +10:00
Ryan Mulligan
d837ad8386
DEV: user suspension use .present? (#12676)
As suggested by eviltrout in

https://github.com/discourse/discourse/pull/12666
2021-04-12 12:53:40 -04:00
Ryan Mulligan
045adb76f2
FIX: only send user suspension emails if email message provided (#12666)
This makes behavior consistent with documentation:

API:

> Will send an email with this message when present

Web UI:

> Optionally, provide more information about the suspension and it will be emailed to the user
2021-04-12 11:03:10 -04:00
Osama Sayegh
cd24eff5d9
FEATURE: Introduce theme/component QUnit tests (take 2) (#12661)
This commit allows themes and theme components to have QUnit tests. To add tests to your theme/component, create a top-level directory in your theme and name it `test`, and Discourse will save all the files in that directory (and its sub-directories) as "tests files" in the database. While tests files/directories are not required to be organized in a specific way, we recommend that you follow Discourse core's tests [structure](https://github.com/discourse/discourse/tree/master/app/assets/javascripts/discourse/tests).

Writing theme tests should be identical to writing plugins or core tests; all the `import` statements and APIs that you see in core (or plugins) to define/setup tests should just work in themes.

You do need a working Discourse install to run theme tests, and you have 2 ways to run theme tests:

* In the browser at the `/qunit` route. `/qunit` will run tests of all active themes/components as well as core and plugins. The `/qunit` now accepts a `theme_name` or `theme_url` params that you can use to run tests of a specific theme/component like so: `/qunit?theme_name=<your_theme_name>`.

* In the command line using the `themes:qunit` rake task. This take is meant to run tests of a single theme/component so you need to provide it with a theme name or URL like so: `bundle exec rake themes:qunit[name=<theme_name>]` or `bundle exec rake themes:qunit[url=<theme_url>]`.

There are some refactors to how Discourse processes JavaScript that comes with themes/components, and these refactors may break your JS customizations; see https://meta.discourse.org/t/upcoming-core-changes-that-may-break-some-themes-components-april-12/186252?u=osama for details on how you can check if your themes/components are affected and what you need to do to fix them.

This commit also improves theme error handling in Discourse. We will now be able to catch errors that occur when theme initializers are run and prevent them from breaking the site and other themes/components.
2021-04-12 15:02:58 +03:00
Roman Rizzi
8339b8f412
FEATURE: Make the tag_groups#search endpoint public. (#12643)
The method uses the "TagGroup#visible" method to respect the tag group visibility settings.
2021-04-08 14:23:13 -03:00
Roman Rizzi
5e4c0e2caa
FEATURE: Treat site settings as plain text and add a new HTML type. (#12618)
To add an extra layer of security, we sanitize settings before shipping them to the client. We don't sanitize those that have the "html" type.

The CookedPostProcessor already uses Loofah for sanitization, so I chose to also use it for this. I added it to our gemfile since we installed it as a transitive dependency.
2021-04-07 12:51:19 -03:00
Osama Sayegh
2b9ab3a0d9
Revert "FEATURE: Introduce theme/component QUnit tests (#12517)" (#12632)
This reverts commit a53d8d3e61 and 105634435f.

Reverted because the change broke some components. Will be added back in a few days.
2021-04-07 17:45:49 +03:00
Osama Sayegh
a53d8d3e61
FEATURE: Introduce theme/component QUnit tests (#12517)
This commit allows themes and theme components to have QUnit tests. To add tests to your theme/component, create a top-level directory in your theme and name it `test`, and Discourse will save all the files in that directory (and its sub-directories) as "tests files" in the database. While tests files/directories are not required to be organized in a specific way, we recommend that you follow Discourse core's tests [structure](https://github.com/discourse/discourse/tree/master/app/assets/javascripts/discourse/tests).

Writing theme tests should be identical to writing plugins or core tests; all the `import` statements and APIs that you see in core (or plugins) to define/setup tests should just work in themes.

You do need a working Discourse install to run theme tests, and you have 2 ways to run theme tests:

* In the browser at the `/qunit` route. `/qunit` will run tests of all active themes/components as well as core and plugins. The `/qunit` now accepts a `theme_name` or `theme_url` params that you can use to run tests of a specific theme/component like so: `/qunit?theme_name=<your_theme_name>`.

* In the command line using the `themes:qunit` rake task. This take is meant to run tests of a single theme/component so you need to provide it with a theme name or URL like so: `bundle exec rake themes:qunit[name=<theme_name>]` or `bundle exec rake themes:qunit[url=<theme_url>]`.

There are some refactors to internal code that's responsible for processing themes/components in Discourse, most notably:

* `<script type="text/discourse-plugin">` tags are automatically converted to modules.

* The `theme-settings` service is removed in favor of a simple `lib` file responsible for managing theme settings. This was done to allow us to register/lookup theme settings very early in our Ember app lifecycle and because there was no reason for it to be an Ember service.

These refactors should 100% backward compatible and invisible to theme developers.
2021-04-07 10:39:57 +03:00
Neil Lalonde
e8a9917db1
FEATURE: Allow setting avatar flair for automatic groups (#12586) 2021-04-06 11:13:06 -04:00
Jessica Hamilton
0052fcf7c4
FEATURE: Retrieve an existing link only invite (#12575)
In Improve invite system, a newly created link only invite cannot
be retrieved via API with the invitee's email once created. A new
route, /invites/retrieve, is introduced to fetch an already
created invite by email address.
2021-04-06 11:01:07 -04:00
Dan Ungureanu
81e5352e01
FIX: Better error message for redeemed invite (#12580)
This commit improves the error message when a user tries to redeem a
completely redeemed invite link.
2021-04-02 11:11:07 +03:00
Arpit Jalan
c478ffc662
FIX: post merging was failing silently (#12566)
https://meta.discourse.org/t/merging-very-long-posts-removes-them/183597
2021-04-01 06:46:18 +05:30
David Taylor
198c960b52
FIX: Handle staged users as unregistered users for external auth (#12567)
For 'local logins', the UX for staged users is designed to be identical to unregistered users. However, staged users logging in via external auth were being automatically unstaged, and skipping the registration/invite flow. In the past this made sense because the registration/invite flows didn't work perfectly with external auth. Now, both registration and invites work well with external auth, so it's best to leave the 'unstage' logic to those endpoints.

This problem was particularly noticeable when using the 'bulk invite' feature to invite users with pre-configured User Fields. In that situation, staged user accounts are used to preserve the user field data.
2021-03-31 13:40:58 +01:00
Dan Ungureanu
dce48d8aa7
FIX: Redirect to provided origin after auth (#12558)
It used to redirect to the destination_url cookie which sometimes is set
incorrectly.
2021-03-31 10:23:12 +01:00
Penar Musaraj
65ad8750c7
DEV: Remove draft attributes from topic lists (#12525) 2021-03-30 11:42:26 -04:00
Dan Ungureanu
8335c8dc1a
FEATURE: Allow admins to pre-populate user fields (#12361)
Admins can use bulk invites to pre-populate user fields. The imported
CSV file must have a header with "email" column (first position) and
names of the user fields (exact match).

Under the hood, the bulk invite will create staged users and populate
the user fields of those.
2021-03-29 14:03:19 +03:00
Dan Ungureanu
dffc3a2f8e
DEV: Add tests for invite system (#12524) 2021-03-25 18:26:22 +02:00
Mark VanLandingham
371afc45e0
DEV: API for plugins to add post update params and handlers (#12505) 2021-03-24 10:22:16 -05:00
Bianca Nenciu
f3eab6a86a
FIX: Perform better email validation (#12497)
Using UserEmail for validation is not sufficient because it checks the
emails of staged users too.
2021-03-24 08:44:51 +11:00
Jarek Radosz
6ff888bd2c
DEV: Retry-after header values should be strings (#12475)
Fixes `Rack::Lint::LintError: a header value must be a String, but the value of 'Retry-After' is a Integer`. (see: 14a236b4f0/lib/rack/lint.rb (L676))

I found it when I got flooded by those warning a while back in a test-related accident 😉 (ember CLI tests were hitting a local rails server at a fast rate)
2021-03-23 20:32:36 +01:00
Bianca Nenciu
437c9a554b
FEATURE: Import and export watched word (#12444)
Find & Replace and Autotag watched words were not completely exported
and import did not work with these either. This commit changes the
input and output format to CSV, which allows for a secondary column.

This change is backwards compatible because a CSV file with only one
column has one value per line.
2021-03-22 22:32:18 +02:00
Rafael dos Santos Silva
fb4486d5f1
FEATURE: Add CSP frame-ancestors support (#12404) 2021-03-22 16:00:25 -03:00
Dan Ungureanu
4e46732346
FEATURE: Implement browser update in crawler view (#12448)
browser-update script does not work correctly in some very old browsers
because the contents of <noscript> is not accessible in JavaScript.
For these browsers, the server can display the crawler page and add the
browser update notice.

Simply loading the browser-update script in the crawler view is not a
solution because that means all crawlers will also see it.
2021-03-22 19:41:42 +02:00
Bianca Nenciu
ec7415ff49
FEATURE: Check email availability in signup form (#12328)
* FEATURE: Check email availability on focus out

* FIX: Properly debounce username availability
2021-03-22 17:46:03 +02:00
Martin Brennan
49f4c548ef
FEATURE: Bookmark pinning (#12431)
Users can now pin bookmarks from their bookmark list. This will anchor the bookmark to the top of the list, and show a pin icon next to it. This also applies in the nav bookmarks panel. If there are multiple pinned bookmarks they sort by last updated order.
2021-03-22 09:50:22 +10:00
Dan Ungureanu
534008ba24
FIX: Improve handling when email is obfuscated (#12450)
This commit ensures that email validation is skipped when the email is
obfuscated, that the email is no longer send when it is not an invite
link and no username is suggested if the email is hidden as it may
reveal the first part of the email.

Follow up to commit 033d6b6437.
2021-03-19 17:15:46 +02:00
Martin Brennan
355d51afde
FEATURE: Allow using invites when DiscourseConnect SSO is enabled (#12419)
This PR allows invitations to be used when the DiscourseConnect SSO is enabled for a site (`enable_discourse_connect`) and local logins are disabled. Previously invites could not be accepted with SSO enabled simply because we did not have the code paths to handle that logic.

The invitation methods that are supported include:

* Inviting people to groups via email address
* Inviting people to topics via email address
* Using invitation links generated by the Invite Users UI in the /my/invited/pending route

The flow works like this:

1. User visits an invite URL
2. The normal invitation validations (redemptions/expiry) happen at that point
3. We store the invite key in a secure session
4. The user clicks "Accept Invitation and Continue" (see below)
5. The user is redirected to /session/sso then to the SSO provider URL then back to /session/sso_login
6. We retrieve the invite based on the invite key in secure session. We revalidate the invitation. We show an error to the user if it is not valid. An additional check here for invites with an email specified is to check the SSO email matches the invite email
7. If the invite is OK we create the user via the normal SSO methods
8. We redeem the invite and activate the user. We clear the invite key in secure session.
9. If the invite had a topic we redirect the user there, otherwise we redirect to /

Note that we decided for SSO-based invites the `must_approve_users` site setting is ignored, because the invite is a form of pre-approval, and because regular non-staff users cannot send out email invites or generally invite to the forum in this case.

Also deletes some group invite checks as per https://github.com/discourse/discourse/pull/12353
2021-03-19 10:20:10 +10:00
Dan Ungureanu
033d6b6437
FEATURE: Obfuscate emails on invite show page (#12433)
The email should not be ever displayed in clear text, except the case
when the user authenticates using another service.
2021-03-18 19:09:23 +02:00
Robin Ward
52859bdeab
FIX: Viewing some tag routes wasn't rendering the list without JS (#12344) 2021-03-17 13:02:32 -04:00
Osama Sayegh
a23d0f9961
UX: Add image uploader widget for uploading badge images (#12377)
Currently the process of adding a custom image to badge is quite clunky; you have to upload your image to a topic, and then copy the image URL and pasting it in a text field. Besides being clucky, if the topic or post that contains the image is deleted, the image will be garbage-collected in a few days and the badge will lose the image because the application is not that the image is referenced by a badge.

This commit improves that by adding a proper image uploader widget for badge images.
2021-03-17 08:55:23 +03:00
David Taylor
7970d1d99f
FEATURE: Allow a cluster_name to be configured and used for /srv/status (#12365)
The cluster name can be configured by setting the `DISCOURSE_CLUSTER_NAME` environment variable. If set, you can then call /srv/status with a `?cluster=` parameter. If the cluster does not match, an error will be returned. This is useful if you need a load balancer to be able to verify the identity, as well as the presence, of an application container.
2021-03-15 15:41:59 +11:00
Rafael dos Santos Silva
7fecf1b885
FIX: Move PWA App shortcut for bookmarks to new path (#12388) 2021-03-15 15:36:50 +11:00
Roman Rizzi
9a779ca99a
FIX: Show a proper error message when trying to bulk award a disabled badge. (#12384) 2021-03-12 14:28:27 -03:00
Dan Ungureanu
9c93a62b97
DEV: Update API documentation for invites (#12360) 2021-03-11 18:19:32 +02:00
ByteHamster
36ec09a07b
FIX: Do not block uploads path in robots.txt (#12349)
The `/u` rule also matches the `/uploads` path, which prevents Twitter from showing the site logo in its link previews.
2021-03-11 09:36:49 -05:00
Roman Rizzi
8fcad73b36
FEATURE: Admins can flag posts so they can review them later. (#12311)
Staff can send a post to the review queue by clicking the "Flag Post" button next to "Take Action...". Clicking it flags the post using the "Notify moderators" score type and hides it. A custom message will be sent to the user.
2021-03-11 08:21:24 -03:00
Bianca Nenciu
9bd436c20b
FIX: Do not add same email multiple times (#12322)
The user and an admin could create multiple email change requests for
the same user. If any of the requests was validated and it became
primary, the other request could not be deleted anymore.
2021-03-10 14:49:26 +02:00
jbrw
ac7773a30d
FEATURE: allow category group moderators to pin/unpin topics (#12325)
* FEATURE: allow category group moderators to pin/unpin topics

Category group moderators should be able to pin/unpin any topics within a category where they have appropraite category group moderator permissions.
2021-03-09 16:05:11 -05:00
Vinoth Kannan
e3d8e828b8
FEATURE: allow search engines to index tag pages. (#12248)
Previously, we blocked search engines in tag pages since they may get marked as a duplicate content.

* DEV: block tag inner pages from search engines crawling.
2021-03-09 23:55:57 +05:30
Robin Ward
7435d55ea6
DEV: Use Ember CLI middleware to decorate the index template (#12292)
* DEV: Use Ember CLI middleware to decorate the index template

Previously we'd do this on the client side which did not support our
full plugin API. Now requests for the index template will contact the
dev server for a bootstrap.json and apply it to the current template.

* FIX: Allows logins in development mode for Ember CLI
2021-03-09 10:09:35 -05:00
Alan Guo Xiang Tan
ce04db8610 FEATURE: Allow invites redemption with Omniauth providers. 2021-03-09 09:27:18 +08:00
Dan Ungureanu
7f3240ea31
FEATURE: Various improvements to invite system (#12298)
* FIX: Do not show expired invites under Pending tab

* DEV: Controller action was renamed in previous commit

* FEATURE: Add 'Expired' tab to invites

* FEATURE: Refresh model after removing expired invites

* FEATURE: Do not immediately add invite to the list

Opening the 'create-invite' modal used to automatically generate an
invite to reserve an invite link. If the user did not save it and
closed the modal, the invite would be destroyed. This operations caused
the invite list to change in the background and confuse users.

* FEATURE: Sort redeemed users by creation time

* UX: Improve show / hide advanced options link

* FIX: Show redeemed users even if invites were trashed

* UX: Change modal title when editing invite

* UX: Remove Get Link button

Users can get it from the edit modal

* FEATURE: Add limit for invite links generated by regular users

* FEATURE: Add option to skip email

* UX: Show better error messages

* FIX: Show "Invited by" even if invite was trashed

Follow up to 1fdfa13a099d8e46edd0c481b3aaaafe40455ced.

* FEATURE: Add button to save without sending email

Follow up to c86379a465f28a3cc64a4a8c939cf32cf2931659.

* DEV: Use a buffer to hold all changed data

* FEATURE: Close modal after save

* FEATURE: Rate limit resend invite email

* FEATURE: Make the save buttons smarter

* FEATURE: Do not always send email even for new invites
2021-03-06 13:29:35 +02:00
Rafael dos Santos Silva
4af3c42904
FEATURE: Add opt-in screenshots to the web app manifest (#12288)
This will be used by Chrome on Android on the install prompt,
as show in https://twitter.com/alexey_rodionov/status/1349612958754762753

Follows the spec at https://www.w3.org/TR/manifest-app-info/
2021-03-04 18:39:58 -03:00
Alan Guo Xiang Tan
51483e1aef FIX: Make email a required param when accepting invite links.
A missing email when accepting an invite link does not make sense so we
should make it a required param which helps to catch bugs in our test
suite and also prevent potential bugs in our code base when the code
trips on a `nil` email.
2021-03-04 09:27:04 +08:00
Dan Ungureanu
c047640ad4
FEATURE: Various improvements to invite system (#12023)
The user interface has been reorganized to show email and link invites
in the same screen. Staff has more control over creating and updating
invites. Bulk invite has also been improved with better explanations.

On the server side, many code paths for email and link invites have
been merged to avoid duplicated logic. The API returns better responses
with more appropriate HTTP status codes.
2021-03-03 11:45:29 +02:00
Mark VanLandingham
4adce0d844
DEV: APIs for plugin to add custom reviewable confirm modal (#12246) 2021-03-02 10:28:27 -06:00
Martin Brennan
6b4d066834
FIX: Skip sending PM email for user silence (#12240)
We were sending 2 emails for user silencing if a message was provided in the UI. Also always send email for user silence and user suspend with reason regardless of whether message provided.
2021-03-02 09:18:09 +10:00
Robin Ward
c0624d45db
FIX: Add appropriate classes to html element including lang (#12245)
This was not working in the Ember CLI version of the application.
2021-03-01 14:04:02 -05:00
Robin Ward
1bbf324415
FIX: When using Ember CLI theme Javascript/HTML was not being inserted (#12227)
This also supports plugins with custom HTML.
2021-02-26 13:00:31 -05:00
Roman Rizzi
bb3d5e9758
FEATURE: Filter reviewables by id. (#12213)
The API now accepts an array called "ids" to select specific items. This parameter is not present on the UI.

Example usage: "yoursite.com/review.json?ids[]=1&ids[]=2"
2021-02-26 07:56:14 -03:00
Rafael dos Santos Silva
6569449ea4
FEATURE: Add site description for the webmanifest (#12217) 2021-02-25 18:23:19 -03:00
Bianca Nenciu
533800a87b
Add watched words of type "replace" (#12020)
This commit includes other various improvements to watched words.

auto_silence_first_post_regex site setting was removed because it overlapped
with 'require approval' watched words.
2021-02-25 14:00:58 +02:00
David Taylor
8cd7c9b259
DEV: Support setting deprecated site settings via the API (#12172) 2021-02-22 18:10:54 +00:00
David Taylor
13d2a1f82c
SECURITY: Attach DiscourseConnect (SSO) nonce to current session (#12124) 2021-02-18 10:35:10 +00:00
Roman Rizzi
07cf0f9460
FIX: Allow plugins to correctly extend API key scopes. (#12113)
Adding a scope from a plugin was broken. This commit fixes it and adds a test.

It also documents the instance method and renames the serialized "id" attribute to "scope_id" to avoid a conflict when the scope also has a parameter with the same name.
2021-02-17 14:42:44 -03:00
Arpit Jalan
a174c8b8d4
FIX: hide sso payload behind a button click and log views (#12110) 2021-02-17 21:27:51 +05:30
David Taylor
9d7dc89d79
DEV: Replace deprecated sso site settings with discourse_connect (#12099) 2021-02-17 09:31:20 +00:00
Simon Cossar
71904277e2
Add bad_destination_address template to email_templates_controller (#12102)
Add bad_destination_address template to email_templates_controller;
Update bad_destination_address email copy
2021-02-17 09:57:38 +01:00
Bianca Nenciu
fa3eb1f7fc
FIX: Category redirect to correct slug should not loop (#11772)
The server responds with a redirect to URLs with wrong slugs, even when
the slug was the correct but in the encoded form (if it contained
special characters).
2021-02-16 17:54:50 +02:00
Bianca Nenciu
d89c5aedbe
FIX: Fix subcategory, tag drops and none values (#11934)
* FIX: Generate correct URLs for category and tag drops

* DEV: Remove unused properties

* FIX: No subcategory and tag filter did not work
2021-02-16 17:54:24 +02:00
Krzysztof Kotlarek
ad3ec5809f
FIX: Dismiss new with better migration (#12062)
Original PR was reverted because of broken migration https://github.com/discourse/discourse/pull/12058

I fixed it by adding this line
```
          AND topics.id IN(SELECT id FROM topics ORDER BY created_at DESC LIMIT :max_new_topics)
```

This time it is left joining a limited amount of topics. I tested it on few databases and it worked quite smooth
2021-02-15 08:50:33 +11:00
Martin Brennan
ff1ac57feb
FIX: Validate duration minutes values for topic timer (#12040)
Add server and client side validations to ensure topic timer durations cannot exceed 2 years and cannot be less than or equal to 0.
2021-02-12 09:05:14 +10:00
Krzysztof Kotlarek
a696cc07d2
Revert "FEATURE: Ability to dismiss all new topics (#12018)" (#12058)
This reverts commits 7426764af4 and f5b18e2a31
2021-02-12 08:50:25 +11:00
Krzysztof Kotlarek
f5b18e2a31
FEATURE: Ability to dismiss all new topics (#12018)
Follow up https://github.com/discourse/discourse/pull/11968

Dismiss all new topics using the same DismissTopicService. In addition, MessageBus receives exact topic ids which should be marked as `seen`.
2021-02-11 13:35:09 +11:00
Penar Musaraj
544a4e4b48
UX: Changes to new features section in admin dashboard (#12029) 2021-02-10 13:12:04 -05:00
Vinoth Kannan
7354636502
FIX: return 404 not found error if a topic is deleted. (#11987)
Currently, it's returning 403 invalid access error which causes issue in Google webmaster tools.
2021-02-09 16:47:06 +11:00
Krzysztof Kotlarek
354ec6694a
FEATURE: Ability to dismiss new topics in a specific tag (#11968)
* FEATURE: Ability to dismiss new topics in a specific tag

Follow up of https://github.com/discourse/discourse/pull/11927

Using the same mechanism to disable new topics in a tag.

* FIX: respect when category and tag is selected
2021-02-09 10:39:30 +11:00
Gerhard Schlager
9ce7ec24e2
FIX: Some error messages used wrong translation key (#12012) 2021-02-08 17:57:59 +01:00
David Taylor
7e6cb1ff2e
FIX: Correct server error for starting SSO login, and add spec (#12010)
Followup to 821bb1e8cb
2021-02-08 10:59:43 +00:00
David Taylor
821bb1e8cb
FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978)
The 'Discourse SSO' protocol is being rebranded to DiscourseConnect. This should help to reduce confusion when 'SSO' is used in the generic sense.

This commit aims to:
- Rename `sso_` site settings. DiscourseConnect specific ones are prefixed `discourse_connect_`. Generic settings are prefixed `auth_`
- Add (server-side-only) backwards compatibility for the old setting names, with deprecation notices
- Copy `site_settings` database records to the new names
- Rename relevant translation keys
- Update relevant translations

This commit does **not** aim to:
- Rename any Ruby classes or methods. This might be done in a future commit
- Change any URLs. This would break existing integrations
- Make any changes to the protocol. This would break existing integrations
- Change any functionality. Further normalization across DiscourseConnect and other auth methods will be done separately

The risks are:
- There is no backwards compatibility for site settings on the client-side. Accessing auth-related site settings in Javascript is fairly rare, and an error on the client side would not be security-critical.
- If a plugin is monkey-patching parts of the auth process, changes to locale keys could cause broken error messages. This should also be unlikely. The old site setting names remain functional, so security-related overrides will remain working.

A follow-up commit will be made with a post-deploy migration to delete the old `site_settings` rows.
2021-02-08 10:04:33 +00:00
Osama Sayegh
f700e318a4
DEV: Add CSRF meta tags to pages served by Ember CLI server (#11993)
Signed-off-by: OsamaSayegh <asooomaasoooma90@gmail.com>
2021-02-06 01:18:29 +03:00
Martin Brennan
4af77f1e38
FEATURE: Allow durations < 1 hour and < 1 day for topic timers where duration is specified (auto delete replies, close based on last post) (#11961)
This PR allows entering a float value for topic timers e.g. 0.5 for 30 minutes when entering hours, 0.5 for 12 hours when entering days. This is achieved by adding a new column to store the duration of a topic timer in minutes instead of the ambiguous both hours and days that it could be before.

This PR has ommitted the post migration to delete the duration column in topic timers; it will be done in a subsequent PR to ensure that no data is lost if the UPDATE query to set duration_mintues fails.

I have to keep the old keyword of duration in set_or_create_topic_timer for backwards compat, will remove at a later date after plugins are updated.
2021-02-05 10:12:56 +10:00
Arpit Jalan
06225abe93
FIX: process new invites when existing users are already group members (#11971)
If a list of email addresses is pasted into a group’s Add Members form
that has one or more email addresses of users who already belong to the
group and all other email addresses are for users who do not yet exist
on the forum then no invites were being sent. This commit ensures that
we send invites to new users.
2021-02-04 15:36:08 +05:30
Krzysztof Kotlarek
f39e7fe81d
FEATURE: New way to dismiss new topics (#11927)
This is a try to simplify logic around dismiss new topics to have one solution to work in all places - dismiss all-new, dismiss new in a specific category or even in a specific tag.
2021-02-04 11:27:34 +11:00
Martin Brennan
e58f9f7a55
DEV: Move logic for rate limiting user second factor to one place (#11941)
This moves all the rate limiting for user second factor (based on `params[:second_factor_token]` existing) to the one place, which rate limits by IP and also by username if a user is found.
2021-02-04 09:03:30 +10:00
Jarek Radosz
704778f448
FIX: Don't invite new users via group with SSO on or local logins off (#11950)
Issue originally reported in https://meta.discourse.org/t/bypass-sso-by-adding-unkown-email-to-group/177339

Inviting people via email address to a group when SSO is enabled (or local logins are disabled) led to a situation where user records were being created bypassing single sign-on.

We already prevent that in most places. This adds required checks to `GroupsController`.
2021-02-03 18:13:00 +01:00
Jarek Radosz
45931f86be
DEV: Remove bulk group admin endpoints (#11949)
Originally added in 47e25648df. Looks like all related code was removed in c82b2dcc24 and b76731d722.
2021-02-03 18:12:22 +01:00
Bianca Nenciu
901cee55cd
FEATURE: Improve group settings and members management (#11878)
This pull requests contains a series of improvements to groups
settings and member management such as:

- Showing which users have set a group as primary
- Moving similar settings together under Effects
- Adding bulk select and actions to members page
2021-02-03 16:11:08 +02:00
Robin Ward
f39ae8a903
SECURITY: Rate limit MFA by login if possible (#11938)
This ensures we rate limit on logins where possible, we also normalize logins for the rate limiters centrally.
2021-02-03 10:26:28 +11:00
Gerhard Schlager
d055552994
Fix i18n issues reported on Crowdin (#11747)
* Pluralize `groups.errors.adding_too_many_users`
  This fixes https://discourse.crowdin.com/translate/f3230e7607a36bb0a2f97fd90605a44e/248/en-ar#53882

* Pluralize `js.composer.error.title_too_short`
  This fixes https://discourse.crowdin.com/translate/f3230e7607a36bb0a2f97fd90605a44e/246/en-ar#41172

* Pluralize `js.composer.error.title_too_long`
  This fixes https://discourse.crowdin.com/translate/f3230e7607a36bb0a2f97fd90605a44e/246/en-ar#41174

* Pluralize `js.composer.error.post_length`
  This fixes https://discourse.crowdin.com/translate/f3230e7607a36bb0a2f97fd90605a44e/246/en-ar#41178

* Pluralize `js.topic.progress.jump_prompt_of`
  This fixes https://discourse.crowdin.com/translate/f3230e7607a36bb0a2f97fd90605a44e/246/en-ar#41958

* Use translations to join strings about posters
  This fixes https://discourse.crowdin.com/translate/f3230e7607a36bb0a2f97fd90605a44e/248/en-ar#49334
  It also makes some changes to the crawler view:
    * Removes `poster.moreCount` which is only available on the client for PMs
    * CSS class names are actually stored in `poster.extras` instead of `poster.extraClasses`

* Stop concatenating category stats
  This fixes https://discourse.crowdin.com/translate/f3230e7607a36bb0a2f97fd90605a44e/246/en-ar#40740

* Pluralize `js.summary.description`
  This fixes https://discourse.crowdin.com/translate/f3230e7607a36bb0a2f97fd90605a44e/246/en-ar#40782

* Pluralize `js.summary.description_time_MF`
  This fixes https://discourse.crowdin.com/translate/f3230e7607a36bb0a2f97fd90605a44e/246/en-ar#40784

* Use translation to join list of tags
  This fixes https://discourse.crowdin.com/translate/f3230e7607a36bb0a2f97fd90605a44e/246/en-ar#43372

* Pluralize `admin_js.admin.groups.manage.membership.automatic_membership_user_count`
  This fixes https://discourse.crowdin.com/translate/f3230e7607a36bb0a2f97fd90605a44e/246/en-ar#43720

* Pluralize `js.post.controls.delete_topic_confirm_modal`
  This fixes https://discourse.crowdin.com/translate/f3230e7607a36bb0a2f97fd90605a44e/246/en-ar#54804

* Stop concatenating `js.post.last_edited_on`
  This fixes https://discourse.crowdin.com/translate/f3230e7607a36bb0a2f97fd90605a44e/246/en-ar#42358

* Stop concatenating `js.post.wiki_last_edited_on`
  This fixes https://discourse.crowdin.com/translate/f3230e7607a36bb0a2f97fd90605a44e/246/en-ar#42356
  It also fixes a regression because `js.post.wiki_last_edited_on` wasn't used anymore since 2017.
2021-02-02 10:50:04 +01:00
Dan Ungureanu
4b3d34d3d4
FIX: Skip shared drafts logic if disabled (#11918)
It always showed shared drafts if no category was set.

Follow-up to dd175537f3.
2021-02-01 20:29:04 +02:00
Dan Ungureanu
dd175537f3
FIX: Existing shared drafts should be accessible (#11915)
Disabling shared drafts used to leave topics in an inconsistent state
where they were not displayed as shared drafts and thus there was no
way of publishing them. Moreover, they were accessible just to users
who have permissions to create shared drafts.

This commit adds another permission check that is used for most
operations and the old can_create_shared_draft? remains used just when
creating a new shared draft.
2021-02-01 16:16:34 +02:00
Vinoth Kannan
a5923ad603
DEV: apply allow origin response header for CDN requests. (#11893)
Currently, it creates a CORS error while accessing those static files.
2021-01-29 07:44:49 +05:30
Martin Brennan
4af4d36175
FIX: IMAP allow unknown senders to reply to group topics via email (#11877)
Adds a new column/setting to groups, allow_unknown_sender_topic_replies, which is default false. When enabled, this scenario is allowed via IMAP:

* OP sends an email to the support email address which is synced to a group inbox via IMAP, creating a group topic
* Group user replies to the group topic
* An email notification is sent to the OP of the topic via GroupSMTPMailer
* The OP has several email accounts and the reply is sent to all of them, or they forward their reply to another email account
* The OP replies from a different email address than the OP (gloria@gmail.com instead of gloria@hey.com for example)
* The a new staged user is created, the new reply is accepted and added to the topic, and the staged user is added to the topic allowed users

Without allow_unknown_sender_topic_replies enabled the new reply creates an entirely new topic (because the email address it is sent from is not previously part of the topic email chain).
2021-01-29 09:59:10 +10:00
Robin Ward
a20bcd34da
FIX: Approving a user was not sending an email (#11883)
When we made rejection emails optional we accidentally changed the
default for approval emails from true to false.
2021-01-28 12:41:30 -05:00
Bianca Nenciu
80f85167be
FIX: Allow a single invite per email address (#11855) 2021-01-28 13:38:36 +02:00
Mark VanLandingham
809274fe0d
DEV: Replace 'processed' column on notifications with new table (#11864) 2021-01-27 10:29:24 -06:00
Dan Ungureanu
7be556fc19
FIX: Ensure 'tr' is called on a string. (#11853)
It depends on the route, but sometimes 'id' parameter can contain a
slug-like value and sometimes it is just an ID. This should work in
both cases.
2021-01-27 10:43:33 +02:00
Régis Hanol
aa1138ff71
FIX: reindex_search job should work on model with no search data (#11819)
Lots of changes but it's mostly a refactoring.

The interesting part that was fix are the 'load_problem_<model>_ids' methods.
They will now return records with no search data associated so they can be properly indexed for the search.
This "bad" state usually happens after a migration.
2021-01-25 11:23:36 +01:00
Penar Musaraj
4f01ca87e3
FEATURE: Add new features section in admin dashboard (#11731) 2021-01-22 10:09:02 -05:00
Robin Ward
53ab3dda5d
FIX: Embedded comments should only return regular posts (#11773)
There shoudln't be a situation where you'd want to see moderator actions
or small posts.
2021-01-21 12:47:03 -05:00
Roman Rizzi
82d2284ce6
FIX: I18n couldn't find translations. (#11774)
"I18n.t(key, locale: locale)" fails to find the correct translation in some cases. We should always wrap it with the "I18n.with_locale(locale)" method.

Also, reverting an override wasn't always possible because the serializer always used "I18n.locale" as the locale.
2021-01-20 17:43:00 -03:00
Mark VanLandingham
1a7922bea2
FEATURE: Create notification schedule to automatically set do not disturb time (#11665)
This adds a new table UserNotificationSchedules which stores monday-friday start and ends times that each user would like to receive notifications (with a Boolean enabled to remove the use of the schedule). There is then a background job that runs every day and creates do_not_disturb_timings for each user with an enabled notification schedule. The job schedules timings 2 days in advance. The job is designed so that it can be run at any point in time, and it will not create duplicate records.

When a users saves their notification schedule, the schedule processing service will run and schedule do_not_disturb_timings. If the user should be in DND due to their schedule, the user will immediately be put in DND (message bus publishes this state).

The UI for a user's notification schedule is in user -> preferences -> notifications. By default every day is 8am - 5pm when first enabled.
2021-01-20 10:31:52 -06:00
Martin Brennan
fb184fed06
DEV: Add created_via column to IncomingEmail (#11751)
This should make it easier to track down how the incoming email was created, which is one of four locations:

The POP3 poller (which picks up reply via email replies)
The admin email controller #handle_mail (which is where hosted mail is sent)
The IMAP sync tool
The group SMTP mailer, which sends emails when replying to IMAP topics, pre-emptively creating IncomingEmail records to avoid double syncing
2021-01-20 13:22:41 +10:00
Martin Brennan
8d3f803b3f
FIX: Make sure login required skipped for confirm new email routes (#11748)
As per @davidtaylorhq 's comment at 6e2be3e#r46069906, this fixes an oversight where if login_required is enabled and an anon user follows a confirm new email link they are forced to login, which is not what the intent of #10830 was.
2021-01-20 10:52:25 +10:00
Martin Brennan
be145ccf2f
FIX: Add bookmark limits (#11725)
Adds a bookmark search per page limit, a total bookmark creation limit, and a rate limit per day for bookmark creation.
2021-01-19 08:53:49 +10:00
Roman Rizzi
ea8b5c18db
UX: Text customization for different languages. (#11729)
Admins can now edit translations in different languages without having to change their locale. We display a warning when there's a fallback language set.
2021-01-18 14:53:45 -03:00
Kane York
e96c373f3a FIX: Prevent users from converting the default theme to a component
This results in some fun disasters if allowed to happen. For now, just issue an oblique error message; a localized message will be added on the client.
2021-01-14 17:20:20 -08:00
Krzysztof Kotlarek
06b7c44593
FEATURE: reason to reject user signup (#11700)
Feature for `Must Approve Users` setup. When a user is rejected, a staff member can optionally set a reason for audit purposes. In addition, feedback email can be sent to the user.

Meta: https://meta.discourse.org/t/account-rejection-email/103112/8
2021-01-15 09:43:26 +11:00
Dan Ungureanu
c3bab3ef38
FIX: Make category change work with shared drafts (#11705)
It used to change the category of the topic, instead of the destination
category (topic.category_id instead of topic.shared_draft.category_id).

The shared drafts controls were displayed only if the current category
matched the 'shared drafts category', which was not true for shared
drafts that had their categories changed (affected by the previous bug).
2021-01-14 19:20:34 +02:00
Roman Rizzi
1ad378f5c5
FEATURE: Log when a group is deleted. (#11706)
We include the group "name" and "granted_trust_level" attributes.
2021-01-13 15:53:18 -03:00
Neil Lalonde
19cbda15e9 FIX: hidden tags returned in extras of tags index json 2021-01-11 10:21:54 -05:00
Arpit Jalan
25b4e82601
FEATURE: allow disabling self-deletions of posts (#11668)
https://meta.discourse.org/t/restoring-deleted-messages/173647/6?u=techapj
2021-01-08 20:35:13 +05:30
Krzysztof Kotlarek
4928f9cceb
FIX: don't error topic RSS when posts are deleted (#11641) 2021-01-08 11:16:15 +11:00
Mark VanLandingham
4601f3be7e
FEATURE: Send notification emails when users leave do not disturb mode (#11643) 2021-01-07 10:49:49 -06:00
Roman Rizzi
afebaf439f
FIX: Validate type when picking an avatar. (#11602)
This change improves the "UsersController#pick_avatar" validations to raise an error when "allow_uploaded_avatars" is disabled.
2021-01-05 10:29:10 -03:00
Sam
758e160862
FEATURE: explicitly ban outlier traffic sources in robots.txt (#11553)
Googlebot handles no-index headers very elegantly. It advises to leave as many routes as possible open and uses headers for high fidelity rules regarding indexes.

Discourse adds special `x-robot-tags` noindex headers to users, badges, groups, search and tag routes.

Following up on b52143feff we now have it so Googlebot gets special handling.

Rest of the crawlers get a far more aggressive disallow list to protect against excessive crawling.
2020-12-23 08:51:14 +11:00
Mark VanLandingham
649ed24bb4
FEATURE: Do not disturb (#11484) 2020-12-18 09:03:51 -06:00
Robin Ward
745a5d84d2
FEATURE: Allow IP anonymization via admin user controller API (#11497)
* FEATURE: Allow IP anonymization via admin user controller API

Co-authored-by: Penar Musaraj <pmusaraj@gmail.com>
2020-12-15 15:48:16 -05:00
Roman Rizzi
b45a30c40f
FIX: Users without shared drafts access can still have access to the category. (#11476)
This is an edge-case of 9fb3629. An admin could set the shared draft category to one where both TL2 and TL3 users have access but only give shared draft access to TL3 users. If something like this happens, we need to make sure that TL2 users won't be able to see them, and they won't be listed on latest.

Before this change, `SharedDrafts` were lazily created when a destination category was selected. We now create it alongside the topic and set the destination to the same shared draft category.
2020-12-14 16:08:20 -03:00
Roman Rizzi
c7b9f044a4
FEATURE: Automatically disable slow mode. (#11461)
Staff and TL4 users can decide the slow mode duration. We'll internally set a topic timer to disable it.
2020-12-14 14:06:50 -03:00
jbrw
773c51a633
FEATURE: Allow category group moderators to list/unlist topics (#11470)
* FEATURE: Allow categroy group moderators to list/unlist topics

If enabled via SiteSettings, a user belonging to a group which has been granted category group moderator privileges should be able to list/unlist topics belonging to the appropraite category.
2020-12-14 11:01:22 -05:00
David Taylor
36b4712349
FIX: Logout redirect should only be /login for login_required sites (#11466)
25563357 moved the logout redirect logic from the client-side to the server-side. Unfortunately the login_required check was lost during the refactoring which meant that non-login-required sites would redirect to `/login` after redirect, and immediately restart the login process. Depending on the SSO implementation, that can make it impossible for users to log out cleanly.

This commit restores the login_required check, and prevents the potential redirect loop.
2020-12-11 09:44:16 +00:00
Penar Musaraj
adda53c462
FEATURE: Optional filtered replies view (#11387)
See PR for details
2020-12-10 12:02:07 -05:00
Vinoth Kannan
eb60fc86dc
PERF: run user merging task in a background job. (#10961)
* PERF: run user merging task in a background job.

Currently, admin page is timing out while merging the users with lots of posts.
2020-12-10 15:52:08 +11:00
David Taylor
d1d37473d4
FIX: Only block local edits for git-sourced themes (#11450)
Themes uploaded as zip files are given a row in the `remote_themes` table to store metadata, even though they are not truly remote.
2020-12-09 19:41:42 +00:00
Mark VanLandingham
521934f163
FIX: Only cache reports with exceptions for 1 minute (#11447) 2020-12-09 10:54:41 -06:00
jbrw
4c118e4d7a
FIX: Allow for cateogry edit routes of unknown depth (#11426)
* FIX: Allow for cateogry edit routes of unknown depth

* DEV: remove unused files
2020-12-08 16:50:26 -05:00
Bianca Nenciu
9df2bce538
FIX: Generate correct prev and next topics page URL (#11431)
It did not work well for category + tags pages.
2020-12-08 17:34:28 +02:00
Krzysztof Kotlarek
d5ba854c91
FIX: hide user id when hide_email_address_taken (#11417)
We should always hide user_id in response when `hide_email_address_taken` setting is enabled. Currently, it can be used to determine if the email was used or not.
2020-12-08 08:25:35 +11:00
David Taylor
8b33e2f73d
FIX: Include locale in cache key for not_found_topics (#11406)
This ensures that users are only served cached content in their own language. This commit also refactors to make use of the `Discourse.cache` framework rather than direct redis access
2020-12-07 12:24:18 +00:00
Roman Rizzi
4d9686c494
FEATURE: Reviewed by filter. (#11405)
New reviewable filter to only display reviewables handled by a specific user.
2020-12-04 14:09:05 -03:00
Gerhard Schlager
bcbe2de646
DEV: Make it easier to customize omniauth login complete handler in plugins (#11403)
It also removes the unused `provider` variable and stops Discourse from redirecting to /login after a login.
2020-12-03 22:27:55 +01:00
David Taylor
e7bad9f05d
FIX: Ensure directory items appear in a consistent order (#11370)
User directory items are sorted by some activity metric. If those metrics have the same value, postgres does not guarantee the order in which they will be returned. This can cause issues in pagination - some users may appear twice, and some may be missed. To illustrate

```
pry(main)> query = DirectoryItem.where(period_type: DirectoryItem.period_types[:weekly]).order(:likes_received).limit(50);
pry(main)> page1 = query.offset(0).pluck(:id);
pry(main)> page2 = query.offset(50).pluck(:id);
pry(main)> (page1 & page2).count # users on both pages
=> 29
```

If we use the primary key to tie-break matching metrics, things are much more reliable

```
pry(main)> query = DirectoryItem.where(period_type: DirectoryItem.period_types[:weekly]).order(:likes_received, :id).limit(50);
pry(main)> page1 = query.offset(0).pluck(:id);
pry(main)> page2 = query.offset(50).pluck(:id);
pry(main)> (page1 & page2).count # users on both pages
=> 0
```

This most commonly effects new sites where all the directory metrics are zero.

The fact that the ordering is indeterminate makes it difficult to write a reliable test case for this.
2020-11-27 18:12:49 +00:00
Robin Ward
65eec147fc FEATURE: Add plugin js / plugin test js to bootstrap.json
This allows 3rd party clients (such as Ember CLI) to run plugins and
their tests.
2020-11-27 12:31:17 -05:00
Dan Ungureanu
123107c28f
UX: Add group name to error message (#11333)
The group name used to be part of the error message, but was removed
in a past commit.
2020-11-24 13:06:52 +02:00
David Taylor
20c0da8516
FIX: Improve email validation error handling for external logins (#11307)
- Display reason for validation error when logging in via an authenticator
- Fix email validation handling for 'Discourse SSO', and add a spec

Previously, validation errors (e.g. blocked or already-taken emails) would raise a generic error with no useful information.
2020-11-23 11:06:08 +00:00
David Taylor
a9eb1163e1
UX: Do not include current user in group-filtered directory results (#11310)
At the moment, when filtering by group, the directory will unconditionally return the current user at the top of the list. This is quite unexpected, given that the user is deliberately trying to filter the list. This commit makes sure the 'include current user' logic only triggers for unfiltered directories
2020-11-23 10:22:14 +11:00
Martin Brennan
a6f700d4ef
FIX: Show better error if no bookmarks found from search (#11284)
See https://meta.discourse.org/t/no-results-for-bookmarks-search-confusing-message/169763
2020-11-19 09:10:28 +10:00
David Taylor
475b4892e3
DEV: Remove 'diff local changes' when updating remote themes (#11247)
Since 65e123498b, it is now impossible to make local changes to remote themes, so this warning is not needed.
2020-11-16 19:28:12 +00:00
Dan Ungureanu
bc8423a1bf
FEATURE: Add auto update field to themes (#11102)
Themes marked for auto update will be automatically updated when
Discourse is updated. This is triggered by discourse_docker or
docker_manager running Rake task 'themes:update'.
2020-11-16 14:44:09 +02:00