Commit Graph

50587 Commits

Author SHA1 Message Date
Penar Musaraj
dcc825bda5
SECURITY: Limit length of edit reason column 2023-07-28 12:53:49 +01:00
Blake Erickson
62a609ea2d
SECURITY: Handle concurrent invite accepts
Raise an error on concurrent invite accept attempts.
2023-07-28 12:53:48 +01:00
Alan Guo Xiang Tan
bfc3132bb2
SECURITY: Impose a upper bound on limit params in various controllers
What is the problem here?

In multiple controllers, we are accepting a `limit` params but do not
impose any upper bound on the values being accepted. Without an upper
bound, we may be allowing arbituary users from generating DB queries
which may end up exhausing the resources on the server.

What is the fix here?

A new `fetch_limit_from_params` helper method is introduced in
`ApplicationController` that can be used by controller actions to safely
get the limit from the params as a default limit and maximum limit has
to be set. When an invalid limit params is encountered, the server will
respond with the 400 response code.
2023-07-28 12:53:46 +01:00
OsamaSayegh
0976c8fad6
SECURITY: Don't reuse CSP nonce between anonymous requests 2023-07-28 12:53:44 +01:00
Alan Guo Xiang Tan
672f3e7e41
Revert "DEV: Skip flaky QUnit tests (#22847)" (#22850)
This reverts commit 26fc5d2d1f.

Flaky test has been fixed in e7208ab4c6
2023-07-28 17:37:31 +08:00
David Battersby
383f48c688
FIX: reset scrollbar position for mobile on lightbox images (#22822)
Using pinch-zoom on mobile devices with lightbox images can lead to scrolling of background content.

This change handles this by capturing the window.scrollY value when opening the lightbox, then when exiting we check if the scroll position has changed and reset it.
2023-07-28 15:03:04 +08:00
Alan Guo Xiang Tan
32d4810e2b
FIX: Can't dismiss new topics that belong to a sub-sub category (#22849)
What is the context for this change?

Prior to this change, there is a bug in `TopicsController#reset_new`
where it does not dismiss new topics in sub-subcategories when the
`category_id` and `include_subcategories=true` params are present. This
is because the controller did not account for sub-subcategories when
fetching the category ids of the new topics that should be dismissed.

This commit fixes the problem by relying on the `Category.subcategory_ids` class
method which accounts for sub-subcategories.
2023-07-28 12:06:42 +08:00
Alan Guo Xiang Tan
26fc5d2d1f
DEV: Skip flaky QUnit tests (#22847)
See
https://github.com/discourse/discourse/actions/runs/5683868303/job/15405355263
and https://github.com/discourse/discourse/actions/runs/5684998320/job/15408941916
2023-07-28 11:05:15 +08:00
Martin Brennan
3c8cc0c73e
DEV: Remove chat TODO (#22846)
This is unnecessary, I already fixed this problem
2023-07-28 09:10:14 +08:00
dependabot[bot]
3c236fb44d
Build(deps-dev): Bump patch-package in /app/assets/javascripts (#22844)
Bumps [patch-package](https://github.com/ds300/patch-package) from 7.0.2 to 8.0.0.
- [Release notes](https://github.com/ds300/patch-package/releases)
- [Changelog](https://github.com/ds300/patch-package/blob/master/CHANGELOG.md)
- [Commits](https://github.com/ds300/patch-package/commits)

---
updated-dependencies:
- dependency-name: patch-package
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-07-28 00:58:36 +02:00
dependabot[bot]
4cc895ed40
Build(deps-dev): Bump mocha from 2.0.4 to 2.1.0 (#22841)
Bumps [mocha](https://github.com/freerange/mocha) from 2.0.4 to 2.1.0.
- [Changelog](https://github.com/freerange/mocha/blob/main/RELEASE.md)
- [Commits](https://github.com/freerange/mocha/compare/v2.0.4...v2.1.0)

---
updated-dependencies:
- dependency-name: mocha
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-07-28 00:42:39 +02:00
dependabot[bot]
028cd2a79e
Build(deps): Bump lograge from 0.12.0 to 0.13.0 (#22842)
Bumps [lograge](https://github.com/roidrage/lograge) from 0.12.0 to 0.13.0.
- [Release notes](https://github.com/roidrage/lograge/releases)
- [Changelog](https://github.com/roidrage/lograge/blob/master/CHANGELOG.md)
- [Commits](https://github.com/roidrage/lograge/compare/v0.12.0...v0.13.0)

---
updated-dependencies:
- dependency-name: lograge
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-07-28 00:42:18 +02:00
marstall
e7208ab4c6
FIX: fix flaky test from settings editor PR (discouse:main:80f5018) (#22834) 2023-07-27 17:46:58 -04:00
Isaac Janzen
de6070fac4
DEV: Convert delete-topic-disallowed modal to component-based API (#22830) 2023-07-27 15:08:37 -05:00
Natalie Tay
173de8afe6
DEV: Add logging and rescue when user already exists and connecting via DiscourseConnect (#22833)
This is happening because despite the user already existing in the forum, the `SingleSignOnRecord` doesn't exist and "require_activation" is set on the provider, causing us to skip looking for the email, and resulting in us creating a new User then seeing Validation failed: Primary email has already been taken when DiscourseConnect is attempting to make a new account.
2023-07-28 02:53:33 +08:00
Andrei Prigorshnev
ad05924bdf
DEV: Do one query per month when exporting chat messages (#22746)
We did some testing and saw that making one query per month is 
cheaper than querying all chat messages at ones. Note that even 
though the export job will be performing one query per month, 
the exported messages will be streamed into a single CSV file, so 
nothing changes from the user's point of view.
2023-07-27 21:56:32 +04:00
marstall
80f5018924
FEATURE: JSON editor for theme settings (#21647)
provide the ability to edit theme settings in the json editor, and also copy them as a text file so they can be pasted into another instance.

Reference: /t/65023
2023-07-27 13:48:59 -04:00
Jarek Radosz
a44378a1b6
FIX: Toggling overridden settings broke in #21572 (#22831) 2023-07-27 19:41:42 +02:00
Isaac Janzen
291629834d
DEV: Convert delete-topic-confirm modal to component-based API (#22813)
<img width="677" alt="Screenshot 2023-07-26 at 4 19 52 PM" src="https://github.com/discourse/discourse/assets/50783505/5b969d38-0283-4217-9f70-de3561f82dd5">
2023-07-27 11:52:12 -05:00
Tobias Eigen
84ffea4916
Update ADMIN-QUICK-START-GUIDE.md (#22788)
This is a fairly extensive update to add checklists and to reorganize the presented information so it is more accessible. Some info is relegated to links to docs on meta. For convenience and regular reference, this topic is now linked to from a GETTING STARTED button next to the site title as long as the site is in bootstrap mode.
2023-07-27 08:44:38 -07:00
Joffrey JAFFEUX
db0aef1192
DEV: removes unused group_manager model (#22827)
The associated table has been removed in 2015: 6dd4bc7d57 (diff-53b8234c51c429b92eb91d0212e15bbab16fcd5d1cbd3db64509977c9e1a060d)
2023-07-27 17:10:58 +02:00
David Taylor
507433f45c
FIX: Share topic shortcut (shift+s) (#22826)
This has been broken for a long time (since 04a63cfaaa)
2023-07-27 15:39:42 +01:00
chapoi
7b3f9dc86b
UX: different way of centering chat notice to accommodate longer texts (#22779)
* UX: different way of centering chat notice to accommodate longer

* linting

* UX: keep close button in top right corner
2023-07-27 15:53:43 +02:00
Jan Cernik
807390bb93
DEV: Remove experimental setting row for chat threads (#22730) 2023-07-27 15:29:28 +02:00
Joffrey JAFFEUX
0aa524821e
DEV: skip flaky spec (#22825)
An attempt to make this spec more stable has been made in f76a9aab22 which doesn’t seem to workout: https://github.com/discourse/discourse/actions/runs/5679336462/job/15391318065#step:31:1128
2023-07-27 15:12:22 +02:00
chapoi
d10fd697b4
UX: responsive oneboxing with images in chat (#22824)
* UX: fix narrow oneboxing with images in chat

* UX: more responsive oneboxing

* UX: onebox-avatar limits

* ony flex non onebox-avatars
2023-07-27 13:57:30 +02:00
Jarek Radosz
3a11c82547
DEV: Update minitest to 5.19.0 (#22821) 2023-07-27 12:18:40 +02:00
Loïc Guitaut
1377186d38 DEV: Refactor chat channel fetching
This is extracted from #22390.

This patch introduces a scope to avoid duplication and a new method,
`Chat::Channel.find_by_id_or_slug` to allow finding a channel either by
its id or by its slug (or its category slug).
2023-07-27 11:55:17 +02:00
Joffrey JAFFEUX
05aa55e172
DEV: moves logic from job to a service (#22691)
`Jobs::AutoJoinChannelBatch` was holding a lot of logic which should be in a service. Moreover, this refactoring is the opportunity to address a bug which could cause a duplicate key error.

From now when trying to insert a new membership it won't fail if a membership is already present.

Example error:

```
Job exception: ERROR:  duplicate key value violates unique constraint "user_chat_channel_unique_memberships"
DETAIL:  Key (user_id, chat_channel_id)=(1, 2) already exists.

Backtrace
rack-mini-profiler-3.1.0/lib/patches/db/pg.rb:110:in `exec'
rack-mini-profiler-3.1.0/lib/patches/db/pg.rb:110:in `async_exec'
(eval):29:in `async_exec'
mini_sql-1.4.0/lib/mini_sql/postgres/connection.rb:209:in `run'
mini_sql-1.4.0/lib/mini_sql/active_record_postgres/connection.rb:38:in `block in run'
mini_sql-1.4.0/lib/mini_sql/active_record_postgres/connection.rb:34:in `block in with_lock'
activesupport-7.0.5.1/lib/active_support/concurrency/load_interlock_aware_monitor.rb:25:in `handle_interrupt'
activesupport-7.0.5.1/lib/active_support/concurrency/load_interlock_aware_monitor.rb:25:in `block in synchronize'
activesupport-7.0.5.1/lib/active_support/concurrency/load_interlock_aware_monitor.rb:21:in `handle_interrupt'
activesupport-7.0.5.1/lib/active_support/concurrency/load_interlock_aware_monitor.rb:21:in `synchronize'
mini_sql-1.4.0/lib/mini_sql/active_record_postgres/connection.rb:34:in `with_lock'
mini_sql-1.4.0/lib/mini_sql/active_record_postgres/connection.rb:38:in `run'
mini_sql-1.4.0/lib/mini_sql/postgres/connection.rb:64:in `query_single'
/var/www/discourse/plugins/chat/app/jobs/regular/chat/auto_join_channel_batch.rb:38:in `execute'
```

Note this commit is also using main branch of `shoulda-matchers` as the gem has not been released yet.

Co-authored-by: Loïc Guitaut <5648+Flink@users.noreply.github.com>
2023-07-27 10:25:41 +02:00
Joffrey JAFFEUX
2d567cee26
FEATURE: thread pagination (#22624)
Prior to this commit we were loading a large number of thread messages without any pagination. This commit attempts to fix this and also improves the following points:

- code sharing between channels and threads:
Attempts to reuse/share the code use in channels for threads. To make it possible part of this code has been extracted in dedicated helpers or has been improved to reduce the duplication needed.

Examples of extracted helpers:
- `stackingContextFix`: the ios hack for rendering bug when momentum scrolling is interrupted
- `scrollListToMessage`, `scrollListToTop`, `scrollListToBottom`:  a series of helper to correctly scroll to a specific position in the list of messages

- better general performance of listing messages:
One of the main changes which has been made is to remove the computation of visible message during scroll, it will only happen when needed (update last read for example). This constant recomputation of `message.visible` on intersection observer event while scrolling was consuming a lot of CPU time.
2023-07-27 09:57:03 +02:00
Krzysztof Kotlarek
7fb4bd3f43
FIX: move main sidebar panel name to constant (#22819)
Small improvement of moving panel name to constant.
2023-07-27 13:17:13 +08:00
Jarek Radosz
83043bd453
DEV: Enable some of the skipped Firefox tests (#22800) 2023-07-27 10:56:50 +08:00
dependabot[bot]
0369839bd3
Build(deps-dev): Bump ember-cached-decorator-polyfill from 1.0.1 to 1.0.2 in /app/assets/javascripts (#22816)
Bumps [ember-cached-decorator-polyfill](https://github.com/ember-polyfills/ember-cached-decorator-polyfill) from 1.0.1 to 1.0.2.
- [Release notes](https://github.com/ember-polyfills/ember-cached-decorator-polyfill/releases)
- [Changelog](https://github.com/ember-polyfills/ember-cached-decorator-polyfill/blob/main/CHANGELOG.md)
- [Commits](https://github.com/ember-polyfills/ember-cached-decorator-polyfill/compare/v1.0.1...v1.0.2)

---
updated-dependencies:
- dependency-name: ember-cached-decorator-polyfill
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-07-27 10:56:03 +08:00
dependabot[bot]
aac0743bfa
Build(deps): Bump net-imap from 0.3.6 to 0.3.7 (#22814)
Bumps [net-imap](https://github.com/ruby/net-imap) from 0.3.6 to 0.3.7.
- [Release notes](https://github.com/ruby/net-imap/releases)
- [Commits](https://github.com/ruby/net-imap/compare/v0.3.6...v0.3.7)

---
updated-dependencies:
- dependency-name: net-imap
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-07-27 10:55:49 +08:00
Alan Guo Xiang Tan
fe5cd479eb
PERF: Add index on topic_id and created_at to posts table (#22818)
Why this change?

In `PostDestroyer#make_previous_post_the_last_one` and
`Topic.reset_highest`, we have a query that looks something like this:

```
SELECT user_id FROM posts
WHERE topic_id = :topic_id AND
      deleted_at IS NULL AND
      post_type <> 4
      #{post_type}
ORDER BY created_at desc
LIMIT 1
```

However, we currently don't have an index that caters directly to this
query. As a result, we have seen this query performing poorly on large
sites if the PG planner ends up using an index that is suboptimal for
the query.

This commit adds an index to the `posts` table on `topic_id` and then
`created_at`. For the query above, PG will be able to do a backwards
index scan efficiently.
2023-07-27 10:55:10 +08:00
Alan Guo Xiang Tan
0a56274596
FIX: Seed all categories and tags configured as defaults for nav menu (#22793)
Context of this change:

There are two site settings which an admin can configured to set the
default categories and tags that are shown for a new user. `default_navigation_menu_categories`
is used to determine the default categories while
`default_navigation_menu_tags` is used to determine the default tags.

Prior to this change when seeding the defaults, we will filter out the
categories/tags that the user do not have permission to see. However,
this means that when the user does eventually gain permission down the
line, the default categories and tags do not appear.

What does this change do?

With this commit, we have changed it such that all the categories and tags
configured in the `default_navigation_menu_categories` and
`default_navigation_menu_tags` site settings are seeded regardless of
whether the user's visibility of the categories or tags. During
serialization, we will then filter out the categories and tags which the
user does not have visibility of.
2023-07-27 10:52:33 +08:00
Penar Musaraj
f3db8579d6
UX: Minor alignment fix for compact tag selector (#22810) 2023-07-26 14:13:39 -04:00
Jarek Radosz
92d2ea008e
DEV: Fix no-negated-condition linting issues (#22808) 2023-07-26 19:53:37 +02:00
Isaac Janzen
f3b7351ff6
DEV: Convert theme-upload modal to component-based API (#22699) 2023-07-26 12:46:02 -05:00
Isaac Janzen
a5b810fe18
FIX: Flashing history modal when changing versions (#22785)
## Problem
History modal is flashing when changing revision versions

## Context
This was introduced in https://github.com/discourse/discourse/pull/22666

We need to have a conditional loading spinner for the initial paint of the history modal as we don't have the revision yet loaded, so this can cause some odd rendering issues. At the same time we don't want to display the loading spinner each time we toggle between the revision versions, because the loading spinner replaces the revision body causing the modal sizes to be drastically different resulting in _jumping_ or _flashing_.

## Fix
Render the loading spinner only on the first paint of the modal.

https://github.com/discourse/discourse/assets/50783505/8d19275e-86a5-4132-8a1f-af4b4f5301a6
2023-07-26 11:08:59 -05:00
Penar Musaraj
f2048eeb4c
UX: Minor change to compact tag chooser (#22796)
Followup to f5e8e73.

This switches the placeholder label to the existing string "optional
tags" and only shows it if there are no items picked.

Co-authored-by: Jarek Radosz <jradosz@gmail.com>
2023-07-26 11:43:46 -04:00
David Taylor
6222a60335
DEV: Refactor Discourse::VERSION and add -dev support (#22807)
For the Discourse 3.2 beta series, we intend to use a `-dev` suffix while beta versions are being developed in `main`/`tests-passed`. When a beta version is ready, it will be 'released' without the `-dev` suffix.

This commit adds support for the `-dev` suffix, and also refactors `Discourse::VERSION` so that the canonical representation is a simple human-readable string. Constants for each segment are derived  from that, so the interface remains unchanged.
2023-07-26 14:48:08 +01:00
Jordan Vidrine
3f29a2ab90
FIX: Remove unnecessary ellipsis (#22806) 2023-07-26 07:54:07 -05:00
Jarek Radosz
c6a23b90f6
DEV: Don't stub an imported module (#22805)
Stub a service's getter instead (embroider compat issue)
2023-07-26 13:01:29 +02:00
Jarek Radosz
1de0fa020e
DEV: Use waitFor instead of waitUntil (#22803)
Short and to the point 😉
2023-07-26 12:59:17 +02:00
Jan Cernik
a2eb2b0490
DEV: Remove experimental site setting for chat threads (#22720)
We are removing the experimental site setting. Admins can now decide on a per channel basis to enable/disable threading. It's disabled by default.
2023-07-26 12:46:23 +02:00
Jarek Radosz
d06431ba9b
DEV: Fix random typos (#22804)
A fresh batch of stashed changes :P
2023-07-26 12:45:35 +02:00
Jan Cernik
c43271eb9b
FIX: Chat emoji picker focus offset (#22795) 2023-07-26 12:18:10 +02:00
Joffrey JAFFEUX
5346e7f693
FIX: attempt to fix multi sessions reaction spec (#22797)
I was only able to get one failure out of 100 tries, this failure didn't get me more info. My best guess  ATM is  that sometimes, the first session was still loading while receiving the reaction and created some unexpected situation.

The commit attempts to start the "check" session before the session making the reaction hoping that will be enough to prevent this case, if this is the issue.
2023-07-26 11:58:35 +02:00
Jarek Radosz
62d3979870
DEV: Convert quote-button to a glimmer component (#22787)
Native class, glimmer, no jQ, async/await

Co-authored-by: Isaac Janzen <50783505+janzenisaac@users.noreply.github.com>
2023-07-26 11:50:55 +02:00