Commit Graph

44950 Commits

Author SHA1 Message Date
Alan Guo Xiang Tan
3ac1b3a5c9 SECURITY: Update Nokogiri to 1.13.4.
Nokogiri 1.13.4 updates zlib to 1.2.12 to address CVE-2018-25032.

https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5
https://nvd.nist.gov/vuln/detail/CVE-2018-25032
2022-04-12 15:19:46 +08:00
Jarek Radosz
6bbc822495 DEV: Don't check this.element in @afterRender (#16033)
This would allow to use the decorator in tag-less components and in controllers.
2022-04-11 13:03:54 +08:00
Alan Guo Xiang Tan
72c69a644f DEV: Add pretender endpoint for category visible groups.
This was causing our build to become flaky.
2022-04-11 13:03:54 +08:00
Alan Guo Xiang Tan
3d581ce159 SECURITY: Category group permissions leaked to normal users.
After this commit, category group permissions can only be seen by users
that are allowed to manage a category. In the past, we inadvertently
included a category's group permissions settings in `CategoriesController#show`
and `CategoriesController#find_by_slug` endpoints for normal users when
those settings are only a concern to users that can manage a category.
2022-04-08 11:04:59 +02:00
Bianca Nenciu
dcbd788412 FIX: Serialize permissions for everyone group
The permissions for the 'everyone' group were not serialized because
the list of groups a user can view did not include it. This bug was
introduced in commit dfaf9831f7.
2022-04-08 11:04:59 +02:00
Martin Brennan
f0574564c4 DEV: Fix failing share topic tests (#16309)
Since 3fd7b31a2a some tests
were failing with this error:

> Error: Unhandled request in test environment: /c/feature/find_by_slug.json
> (GET) at http://localhost:7357/assets/test-helpers.js

This commit fixes the issue by adding the missing pretender. Also
noticed while fixing this that the parameter for the translation
was incorrect -- it was `group` instead of `groupNames`, so that
is fixed here too, along with moving the onShow functions into
@afterRender decorated private functions. There is no need for the
appevent listeners.
2022-04-08 11:04:59 +02:00
Bianca Nenciu
1516dd75f5 FIX: Show restricted groups warning when necessary (#16236)
It was displayed for the "everyone" group too, but that was not
necessary.
2022-04-08 11:04:59 +02:00
Alan Guo Xiang Tan
7b5ef41a43 DEV: Restore order assertion in category serializer tests. (#16344)
Our group fabrication creates groups with name "my_group_#{n}" where n
is the sequence number of the group being created. However, this can
cause the test to be flaky if and when a group with name `my_group_10`
is created as it will be ordered before
`my_group_9`. This commits makes the group names determinstic to
eliminate any flakiness.

This reverts commit 558bc6b746.
2022-04-01 09:17:58 +08:00
David Taylor
62cde96c70 DEV: Fix flaky specs (#16340)
`group_permissions` are not serialized in a consistent order

Follow-up to dfaf9831f7
2022-04-01 09:17:58 +08:00
Alan Guo Xiang Tan
09e7dd00b8
SECURITY: Avoid leaking private group name when viewing category. (#16339)
In certain instances when viewing a category, the name of a group with
restricted visilbity may be revealed to users which do not have the
required permission.
2022-03-31 15:07:48 +08:00
Martin Brennan
bd0f10a50b
SECURITY: Hide private categories in user activity export (#16276)
In some of the user's own activity export data,
we sometimes showed a secure category's name or
exposed the existence of a secure category.
2022-03-24 15:56:50 +10:00
Neil Lalonde
74ce2fe2e7
Version bump to v2.8.2 2022-03-22 14:51:41 -04:00
Alan Guo Xiang Tan
79da89fd06
DEV: Don't load bundler when installing plugin gem. (#16176)
when bundler is loaded, it sets the `RUBYOPT` environment variable to setup bundler. However, it was causing weird errors like the following when we try to install
custom plugin gems into a specific directory.

```
/home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/source/git.rb:214:in `rescue in load_spec_files': https://github.com/discourse/mail.git is not yet checked out. Run `bundle install` first. (Bundler::GitError)
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/source/git.rb:210:in `load_spec_files'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/source/path.rb:107:in `local_specs'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/source/git.rb:178:in `specs'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/lazy_specification.rb:88:in `__materialize__'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/spec_set.rb:75:in `block in materialize'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/spec_set.rb:72:in `map!'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/spec_set.rb:72:in `materialize'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/definition.rb:468:in `materialize'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/definition.rb:190:in `specs'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/definition.rb:238:in `specs_for'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/runtime.rb:18:in `setup'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler.rb:151:in `setup'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/setup.rb:20:in `block in <top (required)>'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/ui/shell.rb:136:in `with_level'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/ui/shell.rb:88:in `silence'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/setup.rb:20:in `<top (required)>'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/site_ruby/2.7.0/rubygems/core_ext/kernel_require.rb:85:in `require'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/site_ruby/2.7.0/rubygems/core_ext/kernel_require.rb:85:in `require'
```
2022-03-18 11:27:20 +08:00
Alan Guo Xiang Tan
43c744cdc8
DEV: Pull compatible version for plugins in Github test workflow. (#16212)
We have 3 branches which we care about, main, beta and stable.
However, each of this branch has different compatibilties with plugins
and we want to respect that.
2022-03-18 10:30:43 +08:00
Alan Guo Xiang Tan
1d2654f91f
DEV: Backport Github test workflow to stable. (#16210) 2022-03-17 14:02:45 +08:00
David Taylor
d7b48d0229
FIX: Handle nil values in DistributedCache#defer_get_set (stable) (#15980)
Themes often cache `nil` values in a DistributedCache. This bug meant that we were re-calculating some values on every request, AND triggering message-bus publishing on every request.

This fix should provide a significant performance improvement for busy sites.
2022-02-18 08:51:14 +00:00
Andrei Prigorshnev
2c8f62e271
FIX: backport caret moves to a wrong position when uploading an image via toolbar (#15865)
* FIX: Caret moves to a wrong position when uploading an image via toolbar

* Skip the test
2022-02-17 13:44:21 +11:00
Bianca Nenciu
0674d07cdf
FIX: Defer upload extension check for iOS (#15890)
accept HTML attribute is not fully supported on iOS yet and can contain
only MIME types. This changes the input to allow all files and the
extension check is performed later in JavaScript.
2022-02-15 19:57:58 +02:00
communiteq
247f70f79c
Fix bug regarding Chat on stable (#15954) 2022-02-15 12:40:48 -05:00
Krzysztof Kotlarek
cb9678ed34 Version bump to v2.8.1 2022-02-14 17:17:31 +11:00
Krzysztof Kotlarek
76195216ff SECURITY: Onebox response timeout and size limit (#15927)
Validation to ensure that Onebox request is no longer than 10 seconds and response size is not bigger than 1 MB
2022-02-14 12:13:22 +11:00
Dan Ungureanu
0b4e16aa2d
FEATURE: RS512, RS384 and RS256 COSE algorithms (#15868)
* FEATURE: RS512, RS384 and RS256 COSE algorithms

These algorithms are not implemented by cose-ruby, but used in the web
authentication API and were marked as supported.

* FEATURE: Use all algorithms supported by cose-ruby

Previously only a subset of the algorithms were allowed.
2022-02-09 13:56:45 +02:00
David Taylor
1cfe5b5c26
Update translations (stable) (#15819)
Combination of 0dfaaf49a5 and 022480b461

Co-authored-by: Discourse Translator Bot <discourse.translator.bot@gmail.com>
2022-02-04 17:00:25 +00:00
Martin Brennan
7dd9dd848a
FIX: Table pasting issues with uppy (#15787) (#15812)
When changing to uppy for file uploads we forgot to add
these conditions to the paste event from 9c96511ec4

Basically, if you are pasting more than just a file (e.g. text,
html, rtf), then we should not handle the file and upload it, and
instead just paste in the text. This causes issues with spreadsheet
tools, that will copy the text representation and also an image
representation of cells to the user's clipboard.

This also moves the paste event for composer-upload-uppy to the
element found by the `editorClass` property, so it shares the paste
event with d-editor (via TextareaTextManipulation), which makes testing
this possible as the ember paste bindings are not picked up unless both
paste events are on the same element.
2022-02-04 11:44:30 +11:00
Penar Musaraj
be72ae8c49
A11Y: Switch to using autocomplete="off" (#15802) 2022-02-03 17:45:25 +01:00
Natalie Tay
2d7e2b3810
FIX: Only block domains at the final destination (#15689) (#15783)
In an earlier PR, we decided that we only want to block a domain if 
the blocked domain in the SiteSetting is the final destination (/t/59305). That 
PR used `FinalDestination#get`. `resolve` however is used several places
 but blocks domains along the redirect chain when certain options are provided.

This commit changes the default options for `resolve` to not do that. Existing
users of `FinalDestination#resolve` are
- `Oneboxer#external_onebox`
- our onebox helper `fetch_html_doc`, which is used in amazon, standard embed 
and youtube
  - these folks already go through `Oneboxer#external_onebox` which already
  blocks correctly
2022-02-03 09:42:06 +08:00
Martin Brennan
7979708f17
DEV: Remove jQuery UI vendor dependencies (#15782)
Combines 68fe6903f7 and
7b7e707fa2.

We no longer use jQuery UI for anything since getting
rid of jQuery file uploader in 667a8a6,
so we can safely remove these now.

Also removes the blueimp-file-upload and jquery.iframe-transport
dependencies that were formerly used by jQuery file uploader
2022-02-03 11:19:50 +10:00
Neil Lalonde
3a5b75435e
Version bump to v2.8.0 2022-01-27 10:22:23 -05:00
Neil Lalonde
9830b192f3
Merge diffs from main 2022-01-27 10:12:37 -05:00
Neil Lalonde
42caef4719
Merge main 2022-01-27 10:10:35 -05:00
Discourse Translator Bot
332266cbee
Update translations (#15731) 2022-01-27 15:18:29 +01:00
Alan Guo Xiang Tan
09ec0ce744 DEV: Fix typo in comment. 2022-01-27 14:58:11 +08:00
Gerhard Schlager
1fef96a2e7
FIX: Prevent "integer out of range" when merging post timings (#15723) 2022-01-26 23:34:28 +01:00
Robin Ward
a560f9d44b FIX: This was causing a flaky test in Ember CLI
The path should be `/topics/bulk` not `topics/bulk` (leading slash.)
2022-01-26 14:53:25 -05:00
David Taylor
2464839cbf
Revert "DEV: Run Ember CLI tests in random order" (#15717)
This reverts commit f43bba8d59.

Adding randomness has introduced a lot of flakiness in our ember-cli tests. We should fix those issues at the source. However, given the upcoming stable release, this randomness has been reverted so that the stable release includes a stable test suite. Having a stable test suite on stable will make backporting future commits much easier.
2022-01-26 15:30:03 +00:00
Dan Ungureanu
f5b94f152f
FIX: Allow staff to reset passwords by username (#15709)
When staff visits the user profile of another user, the `email` field
in the model is empty. In this case, staff cannot send the reset email
password because nothing is passed in the `login` field.

This commit changes the behavior for staff users to allow resetting
password by username instead.
2022-01-26 10:39:58 +02:00
Robin Ward
f43bba8d59 DEV: Run Ember CLI tests in random order
In browser this uses the `seed` config, in ember exam it adds `--random`
as a parameter.
2022-01-25 14:49:40 -05:00
Discourse Translator Bot
5fd13380d8
Update translations (#15705) 2022-01-25 14:27:05 +01:00
David Taylor
c6f8729b5c
DEV: Move OAuth2UserInfo deprecation to after_save (#15704)
We initialize models as part of the warmup process in production, so this was being logged on every boot. We only want to log if a plugin is actually using the model, so after_save is a safer bet.
2022-01-25 10:29:31 +00:00
Osama Sayegh
5dd8b827e8
DEV: Update fixture to fix tests (#15699)
Follow-up to a742952c8d.
2022-01-25 00:44:14 +03:00
Osama Sayegh
a742952c8d
FIX: Client should be able to route ID-less topic URLs (#15697)
The topic ID portion of the topic URL is optional in Discourse as long as the topic slug is unique across the site. If you navigate to a topic without the ID in the URL, Discourse will redirect you to the canonical version of the URL that includes the ID.

However, we have a now regression where the client app doesn't correctly handle ID-less topic URLs displays an error message when the user clicks on such URL. The regression was introduced b537d591b3 when we switched from `DiscourseURL.routeTo` to using Ember's router to perform the redirecting to the canonical version of the URL, but the problem is that the canonical version comes from the server and it contains the hostname which the Ember router doesn't understand because it expects a relative URL.

This PR fixes the problem by constructing a relative URL that contains the topic slug and ID and passing that to the Ember route.
2022-01-24 23:19:35 +03:00
Discourse Translator Bot
a5cb6ab8a0
Update translations (#15696) 2022-01-24 20:13:10 +01:00
Alan Guo Xiang Tan
77137c5d29 FIX: Single line emojis has emoji metadata indexed twice.
This commit fixes a bug where we our `HTMLScrubber` was only searching
for emoji img tags which contains only the "emoji" class. However, our emoji image tags
may contain more than just the "emoji" class like "only-emoji" when an
emoji exists by itself on a single line.
2022-01-24 14:03:17 +08:00
Bianca Nenciu
48e5d1af03
FIX: Improve top links section from user summary (#15675)
* Do not extract links for hotlinked images
* Include only links that have been clicked at least once in user
summary
2022-01-24 11:33:23 +11:00
Andrei Prigorshnev
cd68279f5c
DEV: use query() instead of queryAll() in tests (#15681) 2022-01-24 11:27:58 +11:00
Penar Musaraj
1f2226270e
FIX: Restore outlet in mobile views (#15683) 2022-01-23 18:41:01 +01:00
Discourse Translator Bot
f0435ca1a7
Update translations (#15673) 2022-01-23 11:14:20 +01:00
Blake Erickson
4bf6789bd7
DEV: Do not use hard-coded everyone group id (#15679)
Follow up to: 12f041de5d

Probably best to lookup the "everyone" group_id instead of hard-coding
it to `0`. Also now its more clear what this `0` means.
2022-01-21 15:56:45 -07:00
Robin Ward
78852e9754 FIX: Tests should never cloak posts
Depending on the load order of modules, the post cloaking code might
not be disabled properly in test mode, which results in flakey failures.
2022-01-21 14:32:26 -05:00
David Taylor
6c3df84a93
DEV: In themes:update, only update themes which are out-of-date (#15676)
Running `update_from_remote` and `save!` cause a number of side-effects, including instructing all clients to reload CSS files. If there are no changes, then this is wasteful, and can even cause a 'flicker' effect on clients as they reload CSS.

This commit checks if any updates are available before triggering `update_from_remote` / `save!`. This should be much faster, and stop the 'flickering' UX from happening on every themes:update run.

It also improves the output of the command to include the from/to commit hashes, which may be useful for debugging issues. For example:

```
Checking 'Alien Night | A Dark Discourse Theme' for 'default'... already up to date
Checking 'Star Wars' for 'default'... updating from d8a170dd to 66b9756f
Checking 'Media Overlay' for 'default'... already up to date
```
2022-01-21 18:23:26 +00:00