Commit Graph

34458 Commits

Author SHA1 Message Date
Sam Saffron
5aa9a567f8 FEATURE: allow themes to upload js files as assets
This helps unlock the ability for themes to defer load larger js payloads.

The change is safe as themes are allowed to include inline js anyway.
2019-08-26 09:16:00 +10:00
Sam Saffron
8cea78c833 Revert "FEATURE: Protect against replay attacks when using TLS 1.3 0-RTT (#8020)"
This reverts commit 39c31a3d76.

Sorry about this, we have decided against supporting 0-RTT directly in
core; this can be supported with similar hacks to this commit in a
plugin.

That said, we recommend against using a 0-RTT proxy for the Discourse
app due to the inherent risk of replay attacks.
2019-08-26 08:56:49 +10:00
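The revert above recommends against putting a 0-RTT proxy in front of Discourse because early data can be replayed. For anyone who runs one anyway, the standard mitigation is RFC 8470: the TLS terminator marks requests that arrived as early data with an `Early-Data: 1` header, and the application answers non-idempotent ones with 425 Too Early. The Rack middleware below is an added example, not Discourse's own code and not the approach of the reverted commit. It assumes the proxy sets that header (nginx's `$ssl_early_data` variable can supply it) and overwrites any client-supplied copy; the `env_for`/`status_for` helpers and the sample requests are constructed for the example.

```ruby
# Added example for RFC 8470 handling; not Discourse's own code.
# Assumes the TLS-terminating proxy adds "Early-Data: 1" to requests that were
# received as TLS 1.3 0-RTT early data (nginx: `ssl_early_data on;` plus
# `proxy_set_header Early-Data $ssl_early_data;`), replacing any value a
# client sent, so the header cannot be forged from outside.
class RejectEarlyData
  # Safe methods (RFC 7231 section 4.2.1) change no server state, so a replay
  # of one is harmless. Everything else is refused while in early data.
  SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    if early_data?(env) && !SAFE_METHODS.include?(env['REQUEST_METHOD'])
      # 425 Too Early (RFC 8470 section 5.2): a conforming client retries the
      # same request once the handshake has completed; a replayed copy of the
      # early-data request gets the same 425 and never reaches the app.
      return [425, { 'Content-Type' => 'text/plain' }, ["Too Early\n"]]
    end
    @app.call(env)
  end

  private

  # Rack exposes the request header as HTTP_EARLY_DATA. Only the literal "1"
  # counts; absent, "0" or anything else is a normal post-handshake request.
  def early_data?(env)
    env['HTTP_EARLY_DATA'] == '1'
  end
end

# Stand-in for the application behind the middleware.
INNER_APP = lambda { |_env| [200, { 'Content-Type' => 'text/plain' }, ["ok\n"]] }
PROTECTED_APP = RejectEarlyData.new(INNER_APP)

# Build a minimal Rack env (a plain Hash) for a constructed request; the
# early_data argument stands in for what the proxy would have forwarded.
def env_for(method, path: '/posts', early_data: nil)
  env = { 'REQUEST_METHOD' => method, 'PATH_INFO' => path }
  env['HTTP_EARLY_DATA'] = early_data unless early_data.nil?
  env
end

# Status code the stack returns for a request: what a test, or a curl against
# the running server, would observe.
def status_for(method, early_data: nil)
  PROTECTED_APP.call(env_for(method, early_data: early_data)).first
end

if __FILE__ == $PROGRAM_NAME
  puts "POST in early data   -> #{status_for('POST', early_data: '1')}"
  puts "GET in early data    -> #{status_for('GET', early_data: '1')}"
  puts "POST after handshake -> #{status_for('POST')}"
end
```

The check only holds if the proxy is the sole source of the header: if a client can reach the Rack process directly, or the proxy merely passes the header through, an attacker strips it from the replayed copy and the middleware sees a normal request. That, and the fact that a GET in Discourse is not always free of side effects, is why the commit's advice to not enable 0-RTT at all remains the simpler position.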
Joffrey JAFFEUX
bf05a8da96 FEATURE: adds countdown attribute to [date] (#8037)
When used, dates will be displayed as a countdown in a human friendly way.
2019-08-24 11:39:20 -05:00
Rafael dos Santos Silva
39c31a3d76 FEATURE: Protect against replay attacks when using TLS 1.3 0-RTT (#8020) 2019-08-23 11:52:47 -03:00
Joffrey JAFFEUX
171618e7d6 FIX: allows mini-tag-chooser to fetch tags in background (#8033)
This is useful when changing the category in the composer for example. When opening mini-tag-chooser after, tags will be correctly updated for the selected category.
2019-08-23 06:45:29 -06:00
Régis Hanol
2ff5592941 FIX: Filter out hidden posts for wordpress 2019-08-23 11:50:03 +02:00
Osama Sayegh
68708db721 DEV: S3Inventory#unsorted_files should always return an array (#8034) 2019-08-23 17:59:31 +10:00
Gerhard Schlager
1f118b1309 FEATURE: Allow plugins to manipulate site settings during backup restore 2019-08-22 22:41:26 +02:00
Dan Ungureanu
34a76bf106 FIX: Do not set destination_url cookie after deleting own account. (#8028)
The destination_url cookie is used to redirect the user to a private
page after they have logged in. After deleting their own account, a user's
pages would be refreshed, which would set the destination_url cookie;
that can cause a redirect to an invalid page after logging in again.

Reproduction steps:

1. User is at `/u/:username/preferences/account` and deletes account by
requesting DELETE `/u/:username.json`.

2. User is being destroyed and a MessageBus message (`file-change`,
`['refresh']`) is published.

3. User receives the response to the DELETE request, but the page may or may not be
refreshed. Anyway, since they can no longer see the preferences page,
they are redirected to `/login` and the `destination_url` cookie is set,
which will redirect on next login (but to the previous preferences page).
2019-08-22 17:42:45 +02:00
Joffrey JAFFEUX
e94f67e2da prettier (#8031) 2019-08-22 15:27:45 +02:00
Régis Hanol
1e4f0ac216 FIX: infinite loop when mentioning in IE11 2019-08-22 14:47:25 +02:00
Joffrey JAFFEUX
74931eedfd DEV: prevents deprecation of overriding computed property (#8030)
https://deprecations.emberjs.com/v3.x/#toc_computed-property-override
2019-08-22 12:31:18 +02:00
Joffrey JAFFEUX
78eb05e4ea DEV: bumping for customHref nav item API (#8029) 2019-08-22 12:25:02 +02:00
Sam Saffron
7fe6d295b8 DEV: correct regression in registry test suite
Previously we started with a non-blank registry; new code blanks it out,
so we need to check for nils.
2019-08-22 16:22:52 +10:00
Arpit Jalan
6b621ceb06 DEV: consistent plugin nomenclature. 2019-08-22 11:08:06 +05:30
Vinoth Kannan
1c79a6cc3a SPEC: fix the discourse_plugin_registry spec.
41f22946c3
2019-08-22 11:02:18 +05:30
Vinoth Kannan
41f22946c3 FIX: properly load desktop and mobile only plugin css assets.
5bd6b70d98
2019-08-22 08:39:10 +05:30
Sam Saffron
741d5bf541 DEV: improvement to stripping quote logic
Follow-up on afc7830b: we needed handling for nested quotes.
2019-08-22 12:09:32 +10:00
Sam Saffron
afc7830be5 PERF: faster length calculation of composer body
Every time we type a letter the composer issues a reply length check.

This is due to the interconnected components: the title one depends on the
body, which means that this decision making is passed along each time, even
if the title does not strictly need it.

Anyway...

This optimisation has 3 parts:

1. If the composer string is super long (10000 chars) we will bypass quote
stripping and space squashing.

2. Quote stripping is now done much more efficiently, we strip them all in
one go

3. Space squashing, eg: `hello    world` to `hello world`, is done in an
efficient loop to avoid needing to generate superfluous strings that need
GC.
2019-08-22 11:56:38 +10:00
Kris
2d5b928da9 UX: Layout fix for category boxes w/ long subcategory names 2019-08-21 20:03:34 -04:00
Penar Musaraj
14cdb01254 FIX: Allow topic edits when using a hidden tag
Previously, a regular user could not edit the title or category
of a topic if a hidden tag had already been applied.

This also stops hidden tag names from leaking in the error message.
2019-08-21 16:33:01 -04:00
Daniel Waterworth
6924f1ab15 FIX: Race-condition in fallback handlers (#8005)
Calling `verify_master` in multiple threads simultaneously would cause
multiple threads to be spawned.
2019-08-21 15:47:44 +02:00
Gerhard Schlager
00b75b4f4e FIX: Don't try to delete staged, unused admins and mods 2019-08-21 15:29:51 +02:00
Daniel Waterworth
d59746cdc1 SECURITY: Don't send CSRF token in query string
The token is already present in the headers thanks to the csrf-token
initializer.
2019-08-21 13:16:38 +01:00
Arpit Jalan
75f37ac16a Rename lazyYT plugin directory name to lazy-yt 2019-08-21 14:35:14 +05:30
Gerhard Schlager
cc7b24b88b FIX: Regularly reset unknown extension of uploads
Discourse will try to detect the extension the next time the upload is needed. Maybe there was just a transient error the last time.
2019-08-21 10:23:20 +02:00
Sam Saffron
719a93c312 FEATURE: treat theme_uploads as settings in JavaScript
This change allows themes and components access to theme assets.

This means that inside theme js you can now get the URL for an asset with:

```
settings.theme_uploads.name
```
2019-08-21 16:51:10 +10:00
Arpit Jalan
038bf02e33 Bump onebox version.
- strip whitespace from Twitter onebox
2019-08-21 10:19:54 +05:30
Jeff Atwood
8c9a3ccb87 Update INSTALL-cloud.md 2019-08-20 16:24:25 -07:00
Rafael dos Santos Silva
72c2818655 FIX: Limit PWA install banner to Android for now 2019-08-20 14:47:17 -03:00
Vinoth Kannan
5bd6b70d98 DEV: debundle plugin css assets and don't load if disabled (#7646) 2019-08-20 22:09:52 +05:30
romanrizzi
36425eb9f0 Revert "FEATURE: Publish read state on group messages. (#7989) [Undo revert] (#8024)"
This reverts commit 5dda5c2f7c.
2019-08-20 13:29:22 -03:00
Roman Rizzi
5dda5c2f7c FEATURE: Publish read state on group messages. (#7989) [Undo revert] (#8024)
* Reenable: "FEATURE: Publish read state on group messages. (#7989)"

This reverts commit 67f5cc1ce8.

* FIX: Read indicator only appears when the group setting is enabled
2019-08-20 11:57:25 -03:00
romanrizzi
67f5cc1ce8 Revert "FEATURE: Publish read state on group messages. (#7989)"
This reverts commit 1630dae2db.
2019-08-20 10:24:34 -03:00
Roman Rizzi
1630dae2db FEATURE: Publish read state on group messages. (#7989)
* Enable or disable read state based on group attribute

* When read state needs to be published, the minimum unread count is calculated in the topic query. This way, we can know if someone reads the last post

* The option can be enabled/disabled from the UI

* The read indicator will live-updated using message bus

* Show read indicator on every post

* The read indicator now shows read count and can be expanded to see user avatars

* Read count gets updated every time someone reads a message

* Simplify topic-list read indicator logic

* Unsubscribe from message bus on willDestroyElement, removed unnecessary values from post-menu, and added a comment to explain where minimum_unread_count comes from
2019-08-20 09:46:57 -03:00
Joe
15e70cc4b4 UX: prevents non-lightboxed images in quotes from stretching/squeezing (#8021) 2019-08-20 18:59:02 +08:00
Rishabh
f1f1fd4690 DEV: Remove unused "Email Reject No Account" template (#8022) 2019-08-20 12:43:51 +02:00
Régis Hanol
53667a01c2 FIX: ensure extra locales are only available to staff 2019-08-20 12:38:46 +02:00
Régis Hanol
d18c9b2d4d FIX: ensure offset is always positive 2019-08-20 12:03:16 +02:00
Régis Hanol
727430aacf SECURITY: bump nokogiri
We're not using the vulnerable method but there's no harm in upgrading.
2019-08-20 10:58:18 +02:00
Sam Saffron
8db38de9d7 SECURITY: add rate limiting to anon JS error reporting
This adds a 1 minute rate limit to all JS error reporting per IP. Previously
we would only use the global rate limit.

This also introduces DISCOURSE_ENABLE_JS_ERROR_REPORTING, if it is set to
false then no JS error reporting will be allowed on the site.
2019-08-20 11:29:11 +10:00
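The commit above describes the shape of the control: a per-IP limit of one report per minute in front of the existing global limit, plus an environment switch that turns the endpoint off entirely. The Ruby below is an added example, not Discourse's RateLimiter or its error-reporting controller, showing that layering with an injectable clock so the window behaviour can be exercised without sleeping. The 100-per-minute global figure and the 10,000-entry prune threshold are assumptions for illustration; only the 1-per-minute-per-IP figure and the DISCOURSE_ENABLE_JS_ERROR_REPORTING=false semantics come from the commit.

```ruby
# Added example, not Discourse's own code: a fixed-window throttle for an
# anonymous JS error-reporting endpoint. Each client IP gets one report per
# 60 s (the figure in the commit); all clients together share a global budget
# (100/min is an assumed figure); and DISCOURSE_ENABLE_JS_ERROR_REPORTING=false
# refuses every report. The clock is injectable for deterministic tests.
class JsErrorReportThrottle
  Decision = Struct.new(:allowed, :reason)

  def initialize(per_ip_limit: 1, per_ip_window: 60,
                 global_limit: 100, global_window: 60,
                 enabled: ENV.fetch('DISCOURSE_ENABLE_JS_ERROR_REPORTING', 'true') != 'false',
                 clock: -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) })
    @per_ip_limit = per_ip_limit
    @per_ip_window = per_ip_window
    @global_limit = global_limit
    @global_window = global_window
    @enabled = enabled
    @clock = clock
    @ip_windows = {}   # ip => [window_start, count]
    @global_state = nil # [window_start, count]
  end

  # Returns a Decision. Callers map :disabled and :*_limited to HTTP 429 or a
  # silent drop; browser error reports are fire-and-forget, so either works.
  def check(ip)
    return Decision.new(false, :disabled) unless @enabled

    now = @clock.call
    prune(now) if @ip_windows.size > 10_000 # assumed bound on table size

    # Per-IP first, so a single noisy client is cut off before it can drain
    # the budget shared by everyone else.
    @ip_windows[ip] ||= [now, 0]
    unless take(@ip_windows[ip], @per_ip_limit, @per_ip_window, now)
      return Decision.new(false, :ip_limited)
    end

    @global_state ||= [now, 0]
    unless take(@global_state, @global_limit, @global_window, now)
      return Decision.new(false, :global_limited)
    end

    Decision.new(true, :ok)
  end

  private

  # Fixed-window counter: when the window has elapsed the counter restarts,
  # then one slot is consumed if any remain. Mutates state ([start, count]).
  def take(state, limit, window, now)
    if now - state[0] >= window
      state[0] = now
      state[1] = 0
    end
    return false if state[1] >= limit

    state[1] += 1
    true
  end

  # Drop per-IP entries whose window has expired, so memory is bounded by the
  # number of IPs active in the last window rather than every IP ever seen.
  def prune(now)
    @ip_windows.delete_if { |_ip, (start, _count)| now - start >= @per_ip_window }
  end
end
```

The per-IP check is deliberately consumed before the global one: a request refused as :global_limited still burns that IP's slot for the minute, which is the behaviour you want when the global budget is under pressure. In a multi-process deployment the counters would live in Redis rather than in an instance hash; the window logic is unchanged.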
Rafael dos Santos Silva
0a5b332b8c FEATURE: Incorporate PWA install prompt into Discourse UI (#8013)
* FEATURE: Incorporate PWA install prompt into Discourse UI

This is mainly done so Discourse forums stop nagging people to install
on the very first visits to a website.

We will prevent the native install "mini-info" bar from ever appearing,
capture the event that pops with it, and delay it until the user meets
our criteria, which currently is trust_level 1.

If the event happens and the user meets our criteria we show a Discourse
alert banner proposing the install to the user. Dismissal of the banner
is recorded so the user isn't bothered anymore on the same device.

Co-Authored-By: Gerhard Schlager <mail@gerhard-schlager.at>
Co-Authored-By: Joffrey JAFFEUX <j.jaffeux@gmail.com>
2019-08-19 14:09:21 -03:00
Joffrey JAFFEUX
6f70138f4a DEV: injects router in customHref/customFilter of addNavigationBarItem (#8018) 2019-08-19 18:33:12 +02:00
Arpit Jalan
f27564a0a0 Bump onebox version.
- normalize and decode html entities for image URL
2019-08-19 19:01:23 +05:30
Joffrey JAFFEUX
08e7211d7d DEV: attempts to fix a heisentest in date-time-input-range (#8017) 2019-08-19 12:39:30 +02:00
Dan Ungureanu
0b1146add4 UX: Hide "Create Tag" option if user cannot create tag. (#7723) 2019-08-19 11:40:56 +03:00
Joffrey JAFFEUX
1a731dcff1 FIX: prevents mobile nav from creating an error when unregistering click events (#8016)
This was happening when clicking on "All groups", as it was trying to get an element of a destroying component.
2019-08-19 09:33:54 +02:00
Sam Saffron
47638ffea4 Merge branch 'master' of github.com:discourse/discourse 2019-08-19 17:21:17 +10:00
Sam Saffron
accbbded15 PERF: avoid N+1 on topic view
The serializer is injecting information into cooked and reaching directly into
custom fields that were not preloaded.

This amends it so the basic post serializer can use the proper interface.

That said we should probably follow this up so we don't reach for this
info on every post.
2019-08-19 17:20:56 +10:00
Arpit Jalan
24f94c40a6 SECURITY: don't reveal category details to users that do not have access 2019-08-19 12:38:28 +05:30