github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-01-20 02:52:44 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
22,054 Commits 214 Branches 500 Tags 960 MiB
e27b1b98d1
Commit Graph

905 Commits

Author SHA1 Message Date
Guo Xiang Tan
107d6783a9 Remove use of stubs in tests. 2017-03-01 10:53:03 +08:00
Guo Xiang Tan
76dd6933d2 Revert "Revert "Revert "SECURITY: Ensure oAuth authenticated email is the same as created user's email.""" 
This reverts commit e6d75f6844.

This is why we should not be pushing directly to master.
 2017-03-01 10:16:59 +08:00
Guo Xiang Tan
e6d75f6844 Revert "Revert "SECURITY: Ensure oAuth authenticated email is the same as created user's email."" 
This reverts commit 0e3def7d2b.
 2017-02-28 11:27:14 +08:00
Robin Ward
0e3def7d2b Revert "SECURITY: Ensure oAuth authenticated email is the same as created user's email." 
This reverts commit 1060239e2d.
 2017-02-27 13:19:26 -05:00
Arpit Jalan
877957ae88 Merge pull request #4715 from techAPJ/login-per-ip 
FEATURE: new site setting for max logins per ip per hour/minute
 2017-02-27 18:24:53 +05:30
Arpit Jalan
cba51e1c38 FEATURE: new site setting for max logins per ip per hour/minute 2017-02-27 16:58:03 +05:30
Régis Hanol
a2c04be718 FIX: eradicate I18n fallback issues 💣 
FIX: client's translation overrides were not working when the current locale was missing a key
FIX: ExtraLocalesController.show was not properly handling multiple translations
FIX: JsLocaleHelper#output_locale was not properly handling multiple translations

FIX: ExtraLocalesController.show's spec which was randomly failing
FIX: JsLocaleHelper#output_locale was muting cached translations hashes

REFACTOR: move 'enableVerboseLocalization' to the 'localization' initializer
REFACTOR: remove unused I18n.js methods (getFallbacks, localize, parseDate, toTime, strftime, toCurrency, toPercentage)
REFACTOR: remove all I18n.pluralizationRules and instead use MessageFormat's pluralization rules

TEST: add tests for localization initializer
TEST: add tests for I18n.js
 2017-02-24 11:31:21 +01:00
Guo Xiang Tan
1060239e2d SECURITY: Ensure oAuth authenticated email is the same as created user's email. 2017-02-24 13:13:10 +08:00
Guo Xiang Tan
0847b4258a Revert "SECURITY: Ensure that user has been authenticated." 
This reverts commit fbe51d68a7.

Changing the commit message to correctly reflect what we're actually
fixing.
 2017-02-24 13:12:29 +08:00
Guo Xiang Tan
fbe51d68a7 SECURITY: Ensure that user has been authenticated. 2017-02-24 10:47:48 +08:00
Sam
f15f61da0a FEATURE: add immutable caching to rails site of things 2017-02-23 13:05:00 -05:00
Régis Hanol
f51e3b2131 FIX: should not be able to rename a system badge 2017-02-20 14:35:05 +01:00
Régis Hanol
cb99f59ec3 reset bounce score when email is successfully changed 2017-02-20 10:37:01 +01:00
Neil Lalonde
d0fbb27f3e FEATURE: new invite acceptance page, where username can be chosen and password can be set 2017-02-15 16:51:57 -05:00
Sam
8feb94e13f FIX: password validator was being too strict 2017-02-14 09:18:04 -05:00
Sam
7652901b75 reduce mocking and stubbing in controller spec 2017-02-13 14:31:15 -05:00
Neil Lalonde
94e1105af7 fix unique char counting in password validator 2017-02-10 10:38:17 -05:00
Neil Lalonde
1bcb835446 FEATURE: passwords must have a minimum number of unique characters, configurable with a new setting 2017-02-09 15:00:22 -05:00
Sam
ff49f72ad9 FEATURE: per client user tokens 
Revamped system for managing authentication tokens.

- Every user has 1 token per client (web browser)
- Tokens are rotated every 10 minutes

New system migrates the old tokens to "legacy" tokens,
so users still remain logged on.

Also introduces weekly job to expire old auth tokens.
 2017-02-07 09:22:16 -05:00
Sam
2dec731da3 SECURITY: correctly validate input when admin searches for screened ips 2017-02-06 16:11:16 -05:00
Régis Hanol
27fb9c8804 FIX: bounce webhooks should also use recipient address 2017-02-05 19:06:35 +01:00
Neil Lalonde
c4e10f2a9d FEATURE: redesign the change password page to use javascript and validations 2017-02-03 16:09:24 -05:00
Arpit Jalan
9dd09e453b FEATURE: add explicit confirmation button to accept the invite 2017-01-25 15:50:30 +05:30
Guo Xiang Tan
781d83a46f FIX: Toggling a post's wiki status should not skip revision. 2017-01-25 13:34:55 +08:00
Guo Xiang Tan
32846aad2a FIX: Toggling post's wiki status should not create a new version. 2017-01-20 15:42:33 +08:00
Régis Hanol
fbf9172db8 FIX: log backups download/destroy staff action 
FIX: clean up junk left by the specs
RENAME: 'backup_operation' to 'backup_create' to match other backup log types
 2017-01-16 19:53:31 +01:00
Guo Xiang Tan
515f50e42e FEATURE: Log admin action when readonly mode is changed. 2017-01-12 09:41:02 +08:00
Guo Xiang Tan
68300f515c FIX: Return 404 if id is not valid. 2017-01-06 10:39:44 +08:00
Sam
c531f4ded5 remove rails-observers 
Rails yanked out observers many many years ago, instead the functionality
was yanked out to a gem that is very lightly maintained.

For example: if we want to upgrade to rails 5 there is no published gem

Internally the usage of observers had quite a few problem.

The series of refactors renamed a bunch of classes to give us more clarity
and removed some magic.
 2016-12-22 16:46:53 +11:00
Sam
2f6a4cc6de remove UserActionObserver, replace with after_save and service 
interestingly there was some left over dead code from when stars
existed in the topic_users table
 2016-12-22 16:46:53 +11:00
Sam
0a78ae739d Remove SearchObserver, aim is to remove all observers 
rails-observers gem is mostly unmaintained and is a pain to carry forward
new implementation contains significantly less magic as a bonus
 2016-12-22 13:13:14 +11:00
Guo Xiang Tan
5d7f3223f0 SECURITY: Users can only bookmark posts which they can see. 2016-12-21 12:01:26 +08:00
Guo Xiang Tan
7c7c233c1c FIX: Can't update Groups#allow_membership_requests in admin. 2016-12-20 15:14:35 +08:00
Régis Hanol
52cd9972bb FIX: prevent DDoS with lots of _oneboxable_ links 
FIX: ensure the onebox route is only allowed to logged in users
FIX: only allow 1 outgoing onebox preview per user
FIX: client should only do 1 preview at a time
 2016-12-20 00:31:10 +01:00
Arpit Jalan
a2096a01fb add test case for handling uploads without extension 2016-12-20 00:46:47 +05:30
Sam
eb2db23b40 FEATURE: remove email_token_grace_period_hours 
The site setting email_token_grace_period_hours just causes confusion and
should not be used anyway.

Out of the box, tokens stop working once confirmed, no need to add complexity here
 2016-12-19 17:15:20 +11:00
Sam
0599bd0154 FEATURE: add referrer never tag to password reset page 2016-12-19 11:01:58 +11:00
Sam
15b5fddd49 SECURITY: protect upload params, only allow very strict filenames 2016-12-19 10:16:18 +11:00
Sam
61eb134181 FEATURE: setting to allow arbitrary redirects from sso origin 
if sso_allows_all_return_paths is set to true you can redirect off-site from sso success
 2016-12-16 13:37:44 +11:00
Sam
98f4a2adcb FIX: on 404 from brotli asset path return a correctly encoded doc 
old implementation would cache the 404 for 1 year with incorrect encoding

hilarity would ensue
 2016-12-15 16:05:20 +11:00
Neil Lalonde
2d61d7d644 update embed_controller_spec 2016-12-13 16:29:51 -05:00
Guo Xiang Tan
43ee9f884e FEATURE: Add Group#full_name. 2016-12-13 16:16:26 +08:00
Guo Xiang Tan
da7009a968 FEATURE: Add request membership button for allowed groups. 2016-12-12 22:48:08 +08:00
Guo Xiang Tan
05f55dbc10 FEATURE: Group logs. 2016-12-12 17:29:54 +08:00
Guo Xiang Tan
be5b5f6bea FEATURE: Public groups. 2016-12-12 17:00:30 +08:00
Guo Xiang Tan
a2da2971af FEATURE: Allow columns on group members page to be sortable. 2016-12-08 10:49:12 +08:00
Sam
1135e00c83 FIX: regression unable to dismiss unread 2016-12-06 08:49:40 +11:00
Erick Guan
52763f5115
FEATURE: Allow posting a link with topics 2016-12-05 17:20:54 +01:00
Guo Xiang Tan
37b256e7f2 Fix specs. 2016-12-05 17:13:58 +08:00
Arpit Jalan
431aa79bb3 Merge pull request #4587 from techAPJ/invite-upload 
FIX: simplify CSV file upload
 2016-12-05 14:30:13 +05:30