Commit Graph

13106 Commits

Author SHA1 Message Date
Sam Saffron
f09ca88c47 SECURITY: prefer render plain/html to render text where possible 2017-04-10 08:09:55 -04:00
Sam Saffron
e5c6d0ea65 SECURITY: do not send push notifications to suspended users 2017-04-05 08:29:43 -04:00
Guo Xiang Tan
db41af1c3c SECURITY: CSRF vulnerabilities in Admin::BackupsController. 2017-03-23 10:42:21 +08:00
Robin Ward
c14d98354b SECURITY: Don't use backticks for exporting your archive 2017-03-16 16:27:52 -04:00
Sam
0f6a2b912a SECURITY: always allow staff to resend activation mails 2017-03-13 10:33:21 -04:00
Guo Xiang Tan
1c44c87945 FIX: Store user's id instead for sending activation email.
* Email and username are both allowed to be used for logging in.
  Therefore, it is easier to just store the user's id rather than
  to store the username and email in the session.
2017-03-13 20:57:21 +08:00
Guo Xiang Tan
8c5e13afd6 SECURITY: Only allow users to resend activation email with a valid session.
* Improve error when an active user tries to request an activation email.
2017-03-13 20:57:17 +08:00
Guo Xiang Tan
395f43d92f FIX: Don't mark user as active if verified email is different. 2017-03-13 20:57:02 +08:00
Robin Ward
2c9a43e4fd Revert "SECURITY: Ensure oAuth authenticated email is the same as created user's email."
This reverts commit 1060239e2d.
2017-02-27 13:37:08 -05:00
Guo Xiang Tan
415bad645e FIX: Mobile topic timeline broken on Chrome 56.
* See https://developers.google.com/web/updates/2017/01/scrolling-intervention.
  From Chrome 56 onwards, `touchstart` event listeners are treated as passive
  by default which does not call `preventDefault` resulting in the page
  scrolling when topic timeline handle is being dragged.
2017-02-27 13:21:41 +08:00
Guo Xiang Tan
5cd680b0be SECURITY: Ensure oAuth authenticated email is the same as created user's email. 2017-02-24 15:40:31 +08:00
Guo Xiang Tan
465660bdfc Revert "SECURITY: Ensure that user has been authenticated."
This reverts commit d1091f7f57.
2017-02-24 15:39:56 +08:00
Guo Xiang Tan
d1091f7f57 SECURITY: Ensure that user has been authenticated. 2017-02-24 11:46:59 +08:00
Sam
47b9eb6dbb new: server plugin outlet for indexable robots.txt 2017-02-13 14:05:08 -05:00
Sam
1d3f04d4bb SECURITY: correctly validate input when admin searches for screened ips 2017-02-06 16:11:48 -05:00
Sam
5fc70471be UX: less restrictive selector to allow for plugin outlets
Currently plugin outlets in LIs will generate a wrapping SPAN,
this makes an allowance in core for nav extensions (like solved does)
2017-02-02 12:18:22 -05:00
Régis Hanol
f49c9f6c43 FIX: log backups download/destroy staff action
FIX: clean up junk left by the specs
RENAME: 'backup_operation' to 'backup_create' to match other backup log types
2017-01-16 19:58:04 +01:00
Robin Ward
8f34c2332d Version bump to v1.7.1 2017-01-13 11:08:58 -05:00
Guo Xiang Tan
0f574f641e UX: Truncate topic link title/URL on desktop to prevent overflow. 2017-01-12 12:24:39 +08:00
Guo Xiang Tan
515f50e42e FEATURE: Log admin action when readonly mode is changed. 2017-01-12 09:41:02 +08:00
Jeff Atwood
240c4870cf FIX: add noopener to website field in user profile 2017-01-11 15:38:37 -08:00
Régis Hanol
887e9af84f FEATURE: new 'max_image_megapixels' site setting 2017-01-11 23:37:12 +01:00
Robin Ward
6c3426d266 Let's not notify for trust levels on Staff, either 2017-01-11 11:25:04 -05:00
Arpit Jalan
e793caf3e3 FIX: only allow CSV file to be uploaded for bulk invite 2017-01-11 16:26:01 +05:30
Guo Xiang Tan
d6bf5b0e78 Use any orientation for web app manifest. 2017-01-11 17:32:24 +08:00
Guo Xiang Tan
1758af9a1d FIX: Perform emoji unescape for topic titles in quotes. 2017-01-11 17:23:13 +08:00
Guo Xiang Tan
cdd550e947 Use a different Redis key when PG failover sets site to readonly mode. 2017-01-11 16:38:49 +08:00
Guo Xiang Tan
77045eb1f1 Merge pull request #4644 from olach/tab-size
Display tabs with smaller widths for code blocks
2017-01-11 14:49:16 +08:00
Neil Lalonde
98bd58df61 Don't show email of deleted users in staff action logs 2017-01-10 17:25:36 -05:00
Neil Lalonde
fc0a0a76a4 Add more info in staff action logs for blocking a user, and add logging for lock trust level, activate, and deactivate user 2017-01-10 17:25:36 -05:00
Robin Ward
7341b0d03c Don't give notifications to admins for trust level notifications 2017-01-10 12:18:48 -05:00
Ola Christensson
82fab2343f Display tabs with smaller widths for code blocks
The default browser behavior is a tab width of 8 characters. This changes the width to 4 characters.
2017-01-10 10:06:53 +01:00
Robin Ward
b60bc47a4c Plugins can register providers for global settings 2017-01-09 17:18:58 -05:00
Neil Lalonde
d9146de080 FIX: an image can be shown twice in summary emails 2017-01-09 13:27:43 -05:00
Guo Xiang Tan
3d21ccd4a5 FIX: Add validation to disallow censored words in topic title. 2017-01-09 16:55:41 +08:00
Guo Xiang Tan
cbc6aee137 UX: Display large numbers with delimiters. 2017-01-09 15:56:02 +08:00
Guo Xiang Tan
aa9ac0d8b2 Make eslint happy. 2017-01-09 13:59:00 +08:00
Guo Xiang Tan
fed7218deb UX: Observe changes to plugin to hide/show plugin admin link without refresh. 2017-01-09 13:56:15 +08:00
Guo Xiang Tan
e721e31699 FIX: Login modal on mobile does not submit on enter. 2017-01-09 13:20:53 +08:00
Guo Xiang Tan
98df6db0eb FIX: Respect site setting to hide username in mailing list summary. 2017-01-09 12:18:30 +08:00
Guo Xiang Tan
4a7d6ea751 Make eslint happy. 2017-01-09 11:24:55 +08:00
Guo Xiang Tan
c260a4e34d FIX: Can't add categories when creating a new web hook. 2017-01-09 11:22:35 +08:00
Neil Lalonde
be2fa971df Merge master 2017-01-06 15:56:48 -05:00
Arpit Jalan
c834d591a3 use Ember.set() to set the dasherized_name property 2017-01-06 23:13:31 +05:30
Robin Ward
1b92d44fb2 FIX: A component referenced the controller 2017-01-06 10:45:48 -05:00
Guo Xiang Tan
389e1d0bd5 Add acceptance JS tests for group membership button. 2017-01-06 11:56:10 +08:00
Guo Xiang Tan
a4e7657bbf FIX: Missing action to show login modal on group page. 2017-01-06 11:40:32 +08:00
Guo Xiang Tan
68300f515c FIX: Return 404 if id is not valid. 2017-01-06 10:39:44 +08:00
Guo Xiang Tan
d10fe51b72 Fix broken specs since all urls will be oneboxed. 2017-01-06 10:05:51 +08:00
Neil Lalonde
685e6bdbab FIX: tags canonical url can raise error or be wrong 2017-01-05 15:17:23 -05:00