Commit Graph

38296 Commits

Author SHA1 Message Date
Martin Brennan
31e31ef449
SECURITY: Add content-disposition: attachment for SVG uploads
* strip out the href and xlink:href attributes from use element that
  are _not_ anchors in svgs which can be used for XSS
* adding the content-disposition: attachment ensures that
  uploaded SVGs cannot be opened and executed using the XSS exploit.
  svgs embedded using an img tag do not suffer from the same exploit
2020-07-09 13:31:48 +10:00
Guo Xiang Tan
fd38c2fac3
FIX: Force ActiveRecord reading role if Redis is down take 2.
follow-up f03c7a1ba1
2020-07-09 11:14:19 +08:00
Guo Xiang Tan
f03c7a1ba1
FIX: Force ActiveRecord reading role if Redis is down. 2020-07-09 11:13:02 +08:00
Guo Xiang Tan
cbe1dd8ec7
Revert "FIX: Delete related search data when record has been deleted."
This reverts commit ecc799ab56.

This commit does not fix anything because we've always been deleting
records in `Searchable`.
2020-07-09 10:08:35 +08:00
Jordan Vidrine
9eedc83e00
UI: Markdown Code Wrapping (#10195) 2020-07-08 20:50:42 -04:00
Blake Erickson
abb01148fa
DEV: Rubocop fixes
Follow up to: 3314654ab3
2020-07-08 18:27:19 -06:00
Blake Erickson
3314654ab3
DEV: Add API Doc specs for topic endpoints
Added some more specs that will be used to auto generate the api docs.
2020-07-08 18:08:14 -06:00
romanrizzi
720a7f88e2
Revert "Add License"
This reverts commit ba1c4b3ee9.
2020-07-08 15:11:04 -03:00
Roman Rizzi
ba1c4b3ee9
Add License 2020-07-08 15:09:42 -03:00
Penar Musaraj
bd511c004c
UX: Fix missing icon when merging selected posts 2020-07-08 13:57:05 -04:00
Penar Musaraj
67582e7d27
FIX: Do not send system emails to suspended users (#10192) 2020-07-08 13:30:32 -04:00
Mark VanLandingham
90512d723c
UX: Use group-chooser in invite modal (#10186) 2020-07-08 12:02:26 -05:00
Robin Ward
f3ff9d5625
FIX: getURL deprecation 2020-07-08 11:40:53 -04:00
Arpit Jalan
78beb4368a
FIX: 'resend all invite' button was not working as expected 2020-07-08 15:52:44 +05:30
marielaSAG
e45307a105
DEV: Added before-create-topic-button plugin-outlet (#10109) 2020-07-08 18:21:30 +10:00
Mark VanLandingham
a9292086f4
DEV: Add classes to quick-access-profile items (#10185) 2020-07-08 17:30:12 +10:00
Martin Brennan
6be7a66ba7
FIX: Cap bookmark name at 100 chars and truncate existing names (#10189)
We have a couple of examples of enormous amounts of text being entered in the name column of bookmarks. This is not desirable; it is just meant to be a short note / reminder of why you bookmarked this.

This PR caps the column at 100 characters and truncates existing names in the database to 100 characters.
2020-07-08 17:19:01 +10:00
Sam Saffron
bac25e6dd7
DEV: upgrade rack to version 2.2.3
This is very minor, see: https://github.com/advisories/GHSA-j6w9-fv6q-3q52

An attacker can elevate own cookie usage to bypass server cookie restrictions

Technically this is a security commit, but the surface area is extremely
low; we do not expect any real-world impact.
2020-07-08 16:42:31 +10:00
Sam Saffron
8af5194e39
DEV: upgrade rails to version 6.0.3.2
This includes a fix for CVE-2020-8185. We are not vulnerable as we do not use
the impacted middleware. However, it still makes sense to stay upgraded; other
small fixes exist in this release.
2020-07-08 16:34:29 +10:00
Bianca Nenciu
bd842cd2b0
FEATURE: Parse images in email signatures (#10137)
* FEATURE: Parse images in email signatures

* DEV: Fix tests

* Code review
2020-07-08 15:50:30 +10:00
Martin Brennan
07ad243603
FIX: Stop updating bookmarked column from TopicUser.update_post_action_cache (#10188)
* This is causing issues where sometimes bookmarked is out of sync with what is in the Bookmark table. The BookmarkManager handles updating this column now.
* Add migration to fix bookmarked column that is incorrectly marked false when a Bookmark record exists.
2020-07-08 15:27:42 +10:00
Guo Xiang Tan
2e1eafae06
FIX: Incorrect search blurb when advanced search filters are used. 2020-07-08 11:59:49 +08:00
dependabot-preview[bot]
26dc981285
Build(deps): Bump rubocop from 0.86.0 to 0.87.1
Bumps [rubocop](https://github.com/rubocop-hq/rubocop) from 0.86.0 to 0.87.1.
- [Release notes](https://github.com/rubocop-hq/rubocop/releases)
- [Changelog](https://github.com/rubocop-hq/rubocop/blob/master/CHANGELOG.md)
- [Commits](https://github.com/rubocop-hq/rubocop/compare/v0.86.0...v0.87.1)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
2020-07-08 08:54:38 +08:00
dependabot-preview[bot]
b973ffe8e0
Build(deps): Bump onebox from 1.9.29 to 1.9.30
Bumps [onebox](https://github.com/discourse/onebox) from 1.9.29 to 1.9.30.
- [Release notes](https://github.com/discourse/onebox/releases)
- [Changelog](https://github.com/discourse/onebox/blob/master/CHANGELOG.md)
- [Commits](https://github.com/discourse/onebox/compare/v1.9.29...v1.9.30)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
2020-07-08 08:54:20 +08:00
Kane York
c86b1ee9d1
FIX: Disable security keys at same time as TOTP 2FA (#10144)
Previously, the "Remove 2FA" button could result in an error. This syncs button visibility with behavior.

* FIX: Only offer disabling 2FA to admins
2020-07-07 12:19:30 -07:00
Mark VanLandingham
81fe8a50d4
DEV: Plugin API function to add items to quick access profile (#10182) 2020-07-07 13:53:40 -05:00
Kris
d09a953f53
UX: Fix layout for long bookmark notes 2020-07-07 13:42:51 -04:00
Kris
66257ca8b6
FEATURE: Add "smallest" option to user text size preferences 2020-07-07 13:08:19 -04:00
Régis Hanol
44aaf4415d
DEV: ensure discobot has a user_option & user_profile
When doing a migration, there might be some cases where the discobot user
doesn't have a user_option / user_profile record(s).

This ensures we always create one during the seed phase.
2020-07-07 18:24:31 +02:00
Mark VanLandingham
d2e320d4f7
FIX: Bookmarks shortcut goes to new bookmarks with reminders (#10181) 2020-07-07 11:12:41 -05:00
Bianca Nenciu
4a90464619
FIX: Do not highlight large code blocks (#10125) 2020-07-07 18:51:19 +03:00
Bianca Nenciu
6705c45156
FEATURE: Add reply_as_new_group_message composer action (#10168) 2020-07-07 18:30:48 +03:00
Gerhard Schlager
ab4c0a4970
FEATURE: Create SQL-only backup if there are no uploads
It doesn't make sense to compress the database dump twice if the backup doesn't contain any uploaded files.
2020-07-07 16:23:47 +02:00
Bianca Nenciu
10e2578751
FIX: Set default value for poll result field (#10178) 2020-07-07 17:23:21 +03:00
Dan Ungureanu
57d46694c5
DEV: Fix flaky test 2020-07-07 17:10:24 +03:00
Dan Ungureanu
333d4f9a98
FIX: Redirect user to the URL with the correct category slug (#10167)
This commit implements a category redirect similar to the one for topic
URLs with wrong slug.
2020-07-07 15:25:36 +03:00
jjaffeux
f92116d695
Revert "DEV: flexify post actions (#9926)"
This reverts commit 6ef0e98f4e.
2020-07-07 12:42:49 +02:00
Joffrey JAFFEUX
56475f57c5
UX: simplifies editing email templates by always having a default (#10179) 2020-07-07 11:44:13 +02:00
Joffrey JAFFEUX
9b7000dbf1
FIX: ensures category order keeps consistent (#10165)
Before this change:
- first full page load would get category defaults defined in category settings
- a navigation to a topic and then back to the categories list would reset defaults to the ones defined in discovery/topics
2020-07-07 09:56:38 +02:00
Guo Xiang Tan
0c742dd022
DEV: Simple formatting fix. 2020-07-07 15:46:14 +08:00
Vinoth Kannan
f3f30edf3f
SPEC: use post number to create canonical path in mega topics.
6d17765924
2020-07-07 12:20:31 +05:30
Krzysztof Kotlarek
72861f4e1c
FIX: add table CSS rules to normalize (#10176)
* FIX: add table CSS rules to normalize

In the new version of normalize (8.0.1), `table` and `td` CSS rules are missing
https://github.com/necolas/normalize.css/blob/master/normalize.css

They existed in version `3.0.1` https://github.com/necolas/normalize.css/blob/3.0.1/normalize.css#L417

Also, extracted custom rules to new file
2020-07-07 16:47:03 +10:00
Martin Brennan
280cd99c62
DEV: Add extra appEvents to composer workflow
* add composer:saved, composer:created-post, and composer:edited-post
  appEvents inside the composer controller, to make it easier to detect
  these events in plugins
2020-07-07 14:13:45 +10:00
Sam Saffron
9075d5a9f5
Revert "FIX: Set default value for poll result field (#10044)"
This reverts commit 40de535224.

Sadly this appears to break the JS test suite
2020-07-07 10:24:37 +10:00
Dan Ungureanu
556f7dc9c0
FIX: Fix race condition when resolving tag and category hashtags (#10153)
* FIX: Fix race condition when resolving tag and category hashtags

If the category hashtags were resolved first and then tag hashtags, then
the tags would overwrite the categories. Similarly, if the category
hashtags were resolved last it would overwrite even hashtags which ended
with '::tag'.

* DEV: Add test

* DEV: Fix test
2020-07-07 10:20:51 +10:00
Bianca Nenciu
b9e3db6387
UX: Add link to user email preferences in admin view (#10169) 2020-07-07 10:20:14 +10:00
Dan Ungureanu
e08b860e88
FIX: Improve category hashtag lookup (#10133)
* FIX: Improve category hashtag lookup

This commit improves support for sub-sub-categories and does not include
the ID of the category in the slug, which fixes the composer preview.

* FIX: Sub-sub-categories can be mentioned using only two levels

* FIX: Remove support for three-level hashtags

* DEV: Simplify code
2020-07-07 10:19:01 +10:00
Joffrey JAFFEUX
6ef0e98f4e
DEV: flexify post actions (#9926)
* DEV: flexify post actions

* more tweaks
2020-07-07 10:18:01 +10:00
Bianca Nenciu
40de535224
FIX: Set default value for poll result field (#10044) 2020-07-07 10:16:21 +10:00
Kris
1f5cecaf28
Minor follow up fix to 4f12768 for mobile 2020-07-06 19:17:30 -04:00