There is a bug that when Safari starts up, and reloads the tabs from
the previous session **and** there is a service worker registered for
the scope of the document, all cookies marked as `SameSite=Lax` won't be
sent in the request.
This puts Discourse in a **very** broken state, where:
- You appear as a anon user
- Subsequent xhr requests will come with logged in data
- Refreshing doesn't log you in (cookies are still not sent)
- Clicking on the address bar and hitting enter, will log you in (as it
will finally send those damn `SameSite=Lax` cookies.
Looks a lot like a corner case missed by the fix at
https://trac.webkit.org/changeset/241918/webkit
- adds a migration renaming FA4 icon names in badges
- allows all icons to be used in badges (previously was limited to icons prefixed with fa-)
- renames remaining FA 4.7 icons equivalents
This fixes the problem where if a route ends with a dynamic segment and the segment contains a period e.g. `my.name`, `name` is interpreted as the format. This applies a default format constraints `/(json|html)/` on all routes. If you'd like a route to have a different format constraints, you can do something like this:
```ruby
get "your-route" => "your_controlller#method", constraints: { format: /(rss|xml)/ }
#or
get "your-route" => "your_controlller#method", constraints: { format: :xml }
```
* FEATURE: Allow customization of robots.txt
This allows admins to customize/override the content of the robots.txt
file at /admin/customize/robots. That page is not linked to anywhere in
the UI -- admins have to manually type the URL to access that page.
* use Ember.computed.not
* Jeff feedback
* Feedback
* Remove unused import
And don't load javascript assets if plugin is disabled.
* precompile auto generated plugin js assets
* SPEC: remove spec test functions
* remove plugin js from test_helper
Co-Authored-By: Régis Hanol <regis@hanol.fr>
* DEV: using equality is slightly easier to read than inequality
Co-Authored-By: Régis Hanol <regis@hanol.fr>
* DEV: use `select` method instead of `find_all` for readability
Co-Authored-By: Régis Hanol <regis@hanol.fr>
When we delete a post that has replies, we show a modal asking if the user wants to delete the post, the post and its direct replies or the post and all its replies.
If replies are deleted before a post, that modal would ask the user if they want to delete the post and 0 replies.
That commit ensure we skip the modal and directly delete the post in this case.
This is a low severity security fix because it requires a logged in
admin user to update a site setting via the API directly to an invalid
value.
The fix adds validation for the affected site settings, as well as a
secondary fix to prevent injection in the event of bad data somehow
already exists.
* FIX: ensures routin with hash doesnt stuck history
Original issue: https://meta.discourse.org/t/hash-anchor-in-url-prevents-further-url-updates/122068/4
Basically when the path has a hash, state would be null, and nothing would happen.
* Update app/assets/javascripts/discourse/lib/discourse-location.js.es6
Co-Authored-By: Régis Hanol <regis@hanol.fr>
* FEATURE: admin/user exports are compressed using the zip format
* Update translations. Theme exporter now exports .zip file. Theme importer supports .zip and .gz files
* Fix controller test, updated locale and skip saving the csv export to disk
Note this is very low severity as the group needs to be created with a
default title that contains HTML, and group creation is restricted to
staff members right now.
In order for this to work the Backuper stores a couple of site settings
in the new backup_metadata table, because the old setting values might
not be available on restore anymore.
Context: https://meta.discourse.org/t/121589
This new setting option lets group owners message/mention large groups
without granting that privilege to all members.
Groups can now be marked as visible to "logged on users". All automatic groups (except `everyone`) are now visible to "logged on users", previously they were marked as public but suppressed in the group page for non-staff.
