github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2024-12-16 07:04:20 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
21,871 Commits 214 Branches 500 Tags 960 MiB
db41af1c3c
Commit Graph

889 Commits

Author SHA1 Message Date
Guo Xiang Tan
db41af1c3c SECURITY: CSRF vulnerabilities in Admin::BackupsController. 2017-03-23 10:42:21 +08:00
Sam
0f6a2b912a SECURITY: always allow staff to resend activation mails 2017-03-13 10:33:21 -04:00
Guo Xiang Tan
1c44c87945 FIX: Store user's id instead for sending activation email. 
* Email and username are both allowed to be used for logging in.
  Therefore, it is easier to just store the user's id rather than
  to store the username and email in the session.
 2017-03-13 20:57:21 +08:00
Guo Xiang Tan
8c5e13afd6 SECURITY: Only allow users to resend activation email with a valid session. 
* Improve error when an active user tries to request for an activation email.
 2017-03-13 20:57:17 +08:00
Robin Ward
2c9a43e4fd Revert "SECURITY: Ensure oAuth authenticated email is the same as created user's email." 
This reverts commit 1060239e2d.
 2017-02-27 13:37:08 -05:00
Guo Xiang Tan
5cd680b0be SECURITY: Ensure oAuth authenticated email is the same as created user's email. 2017-02-24 15:40:31 +08:00
Guo Xiang Tan
465660bdfc Revert "SECURITY: Ensure that user has been authenticated." 
This reverts commit d1091f7f57.
 2017-02-24 15:39:56 +08:00
Guo Xiang Tan
d1091f7f57 SECURITY: Ensure that user has been authenticated. 2017-02-24 11:46:59 +08:00
Sam
1d3f04d4bb SECURITY: correctly validate input when admin searches for screened ips 2017-02-06 16:11:48 -05:00
Régis Hanol
f49c9f6c43 FIX: log backups download/destroy staff action 
FIX: clean up junk left by the specs
RENAME: 'backup_operation' to 'backup_create' to match other backup log types
 2017-01-16 19:58:04 +01:00
Guo Xiang Tan
515f50e42e FEATURE: Log admin action when readonly mode is changed. 2017-01-12 09:41:02 +08:00
Guo Xiang Tan
68300f515c FIX: Return 404 if id is not valid. 2017-01-06 10:39:44 +08:00
Sam
c531f4ded5 remove rails-observers 
Rails yanked out observers many many years ago, instead the functionality
was yanked out to a gem that is very lightly maintained.

For example: if we want to upgrade to rails 5 there is no published gem

Internally the usage of observers had quite a few problem.

The series of refactors renamed a bunch of classes to give us more clarity
and removed some magic.
 2016-12-22 16:46:53 +11:00
Sam
2f6a4cc6de remove UserActionObserver, replace with after_save and service 
interestingly there was some left over dead code from when stars
existed in the topic_users table
 2016-12-22 16:46:53 +11:00
Sam
0a78ae739d Remove SearchObserver, aim is to remove all observers 
rails-observers gem is mostly unmaintained and is a pain to carry forward
new implementation contains significantly less magic as a bonus
 2016-12-22 13:13:14 +11:00
Guo Xiang Tan
5d7f3223f0 SECURITY: Users can only bookmark posts which they can see. 2016-12-21 12:01:26 +08:00
Guo Xiang Tan
7c7c233c1c FIX: Can't update Groups#allow_membership_requests in admin. 2016-12-20 15:14:35 +08:00
Régis Hanol
52cd9972bb FIX: prevent DDoS with lots of _oneboxable_ links 
FIX: ensure the onebox route is only allowed to logged in users
FIX: only allow 1 outgoing onebox preview per user
FIX: client should only do 1 preview at a time
 2016-12-20 00:31:10 +01:00
Arpit Jalan
a2096a01fb add test case for handling uploads without extension 2016-12-20 00:46:47 +05:30
Sam
eb2db23b40 FEATURE: remove email_token_grace_period_hours 
The site setting email_token_grace_period_hours just causes confusion and
should not be used anyway.

Out of the box, tokens stop working once confirmed, no need to add complexity here
 2016-12-19 17:15:20 +11:00
Sam
0599bd0154 FEATURE: add referrer never tag to password reset page 2016-12-19 11:01:58 +11:00
Sam
15b5fddd49 SECURITY: protect upload params, only allow very strict filenames 2016-12-19 10:16:18 +11:00
Sam
61eb134181 FEATURE: setting to allow arbitrary redirects from sso origin 
if sso_allows_all_return_paths is set to true you can redirect off-site from sso success
 2016-12-16 13:37:44 +11:00
Sam
98f4a2adcb FIX: on 404 from brotli asset path return a correctly encoded doc 
old implementation would cache the 404 for 1 year with incorrect encoding

hilarity would ensue
 2016-12-15 16:05:20 +11:00
Neil Lalonde
2d61d7d644 update embed_controller_spec 2016-12-13 16:29:51 -05:00
Guo Xiang Tan
43ee9f884e FEATURE: Add Group#full_name. 2016-12-13 16:16:26 +08:00
Guo Xiang Tan
da7009a968 FEATURE: Add request membership button for allowed groups. 2016-12-12 22:48:08 +08:00
Guo Xiang Tan
05f55dbc10 FEATURE: Group logs. 2016-12-12 17:29:54 +08:00
Guo Xiang Tan
be5b5f6bea FEATURE: Public groups. 2016-12-12 17:00:30 +08:00
Guo Xiang Tan
a2da2971af FEATURE: Allow columns on group members page to be sortable. 2016-12-08 10:49:12 +08:00
Sam
1135e00c83 FIX: regression unable to dismiss unread 2016-12-06 08:49:40 +11:00
Erick Guan
52763f5115
FEATURE: Allow posting a link with topics 2016-12-05 17:20:54 +01:00
Guo Xiang Tan
37b256e7f2 Fix specs. 2016-12-05 17:13:58 +08:00
Arpit Jalan
431aa79bb3 Merge pull request #4587 from techAPJ/invite-upload 
FIX: simplify CSV file upload
 2016-12-05 14:30:13 +05:30
Arpit Jalan
ce974da9e5 FIX: simplify CSV file upload 2016-12-05 14:09:08 +05:30
Guo Xiang Tan
31acd311e5 FEATURE: Allow group owners to edit group name and avatar flair. 2016-12-05 14:27:46 +08:00
Guo Xiang Tan
b45fd21ed9 FIX: Clean up specs. 2016-12-05 13:37:33 +08:00
Sam
dc66f6681a add spec for brotli controller, ensure cached correctly 2016-12-05 16:08:36 +11:00
Neil Lalonde
dafd1453d6 FIX: topic list filters for bookmarked, posted, and read now work with tag filter 2016-12-02 15:58:14 -05:00
Guo Xiang Tan
bc0a8142fe PERF: Only show members count on group page. 2016-12-02 16:28:54 +08:00
Sam
b8dc58be90 got to be careful with integrity specs 2016-11-29 18:01:09 +11:00
Sam
266322ce2e FEATURE: add help text for no bookmarks in user page 2016-11-29 17:56:00 +11:00
Guo Xiang Tan
5794f1619d PERF: Fix N+1 queries when loading groups. 2016-11-26 02:20:26 +08:00
Sam
88a46be051 FEATURE: display text excerpts when scrolling on mobile 2016-11-25 11:35:29 +11:00
Sam
bfd0418f07 added a test for safe mode 2016-11-23 13:31:05 +11:00
Robin Ward
32a8d5ed1f Merge pull request #4550 from cpradio/cannot-see-mention 
FEATURE: Notify user when mention can't see the reply they were mentioned in
 2016-11-15 16:40:47 -05:00
Sam
63d9d4f301 FIX: properly specify default on no cache on all resources 2016-11-15 17:00:44 +11:00
cpradio
824c235760 FEATURE: Notify user when mention can't see the reply they were mentioned in 
FIX: Group Mention Notifications
 2016-11-14 22:03:16 -05:00
Neil Lalonde
764a572070 FIX: when subcategories with the same name exist, filtering by tags might use the wrong subcategory 2016-11-02 15:29:33 -04:00
Régis Hanol
71f940d478 FIX: use metadata to hold the message_id with sparkpost 2016-10-27 19:35:50 +02:00