Commit Graph

51789 Commits

Author SHA1 Message Date
Penar Musaraj
a814348176
DEV: Rename experimental_passkeys to enable_passkeys (#24349)
Also includes a migration.
2023-11-13 15:04:15 -05:00
David Taylor
e2e454c480
DEV: Update specs to avoid dependence on ember-cli build (#24347)
The `src` of js files is now dependent on the ember-cli/webpack build, so it's not a good thing to check in specs. In CI it passes because the ember-cli build is not run. But locally it would fail if you had a build in `app/assets/javascripts/discourse/dist`.

This commit updates the specs to check for the presence of a stable data attribute instead.
2023-11-13 14:26:43 -05:00
Joffrey JAFFEUX
1dad379412
DEV: allows to wrap wizard checkbox with outlet (#24334) 2023-11-13 14:02:14 -05:00
David Taylor
f395130429
FEATURE: Configure poll 'public' default via site setting (#24348)
Followup to 7e37e3e824
2023-11-13 18:54:21 +00:00
Kris
797da5870b
FEATURE: remove category badge style options, set bullet style as default (#24198) 2023-11-13 10:46:15 -05:00
Jordan Vidrine
70b72ee893
FIX: Hide chat message header with new argument (#24346) 2023-11-13 09:05:18 -06:00
Joffrey JAFFEUX
7f3f682f67
DEV: removes dead code (#24345) 2023-11-13 15:18:15 +01:00
Joffrey JAFFEUX
208491fa00
DEV: uses alphanumeric to avoid flakey specs (#24344)
Faker text with quotes or thread dots for example would cause issues in tests due to cooking.
2023-11-13 14:54:26 +01:00
Godfrey Chan
8444c865e9
DEV: remove slightly less trivial {{action}} usages (#24289)
Follow-up to #24278 that is slightly less trivial.

* Some were "trivial" usages that were missed in the previous PR because the same file that had at least one other non-trivial usage.
* These involve extra arguments or inheritance but I have checked that they seem correct.
2023-11-13 13:29:20 +01:00
dependabot[bot]
fcafc8872f
Build(deps): Bump ember-route-template in /app/assets/javascripts (#24338)
Bumps [ember-route-template](https://github.com/discourse/ember-route-template) from 1.0.1 to 1.0.2.
- [Commits](https://github.com/discourse/ember-route-template/commits)

---
updated-dependencies:
- dependency-name: ember-route-template
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-11-13 11:13:19 +00:00
David Taylor
4982f95472
FIX: EmberCli cache clearance issue in production (#24343) 2023-11-13 10:34:06 +00:00
David Battersby
4b78254065
FIX: Post moved small action links should respect subfolder installs (#24336)
This change fixes an issue with small action links (when post is moved) to add the subfolder path to the url.
2023-11-13 11:06:25 +08:00
Jarek Radosz
1e1bb45b96
FIX: Add a missing service injection (#24341)
Fixes the reorder-categories modal.
2023-11-13 01:31:04 +01:00
Martin Brennan
ea0b37c1cf
FIX: Hide old min_trust_level_for_here_mention setting (#24342)
Followup to 67ac4c5616
2023-11-13 09:23:56 +10:00
David Taylor
7e37e3e824
UX: Create polls with public=true by default (#24332)
In the vast majority of cases, people want poll voters to be public. Previously, the checkbox for this was hidden behind the 'show advanced' settings in the poll builder UI.

This commit makes three changes to improve the experience:

1. Add `public=true|false` to poll markup (previously it would only be added when true

2. Bring the 'public' switch outside the 'show advanced' section for improved visibility

3. Change the default to 'true'
2023-11-13 09:07:51 +11:00
David Taylor
cdbe0f74e8
FIX: Load highlightjs bundle via CDN (#24335) 2023-11-10 22:19:06 +00:00
David Taylor
0878dde213
DEV: Modernise highlightjs loading (#24197)
- Remove vendored copy
- Update Rails implementation to look for language definitions in node_modules
- Use webpack-based dynamic import for hljs core
- Use browser-native dynamic import for site-specific language bundle (and fallback to webpack-based dynamic import in tests)
- Simplify markdown implementation to allow all languages into the `lang-{blah}` className
- Now that all languages are passed through, resolve aliases at runtime to avoid the need for the pre-built `highlightjs-aliases` index
2023-11-10 20:39:48 +00:00
Daniel Waterworth
e845138bc1
FIX: Updating presence status in readonly mode should fail gracefully (#24333) 2023-11-10 14:27:43 -06:00
Blake Erickson
bed4b3ee91
DEV: Remove .github/workflows/check-branches.yml (#24331)
We no longer need this workflow.
2023-11-10 08:49:38 -07:00
David Taylor
ac896755bb
DEV: Simplify ember-cli proxy strategy (#24242)
Previously, the app HTML served by the Ember-CLI proxy was generated based on a 'bootstrap json' payload generated by Rails. This inevitably leads to differences between the Rails HTML and the Ember-CLI HTML.

This commit overhauls our proxying strategy. Now, we totally ignore the ember-cli `index.html` file. Instead, we take the full HTML from Rails and surgically replace script URLs based on a `data-discourse-entrypoint` attribute. This should be faster (only one request to Rails), more robust, and less confusing for developers.
2023-11-10 11:16:06 +00:00
David Taylor
80208d0ab6
DEV: Support legacy precompiler paths in theme compiler (#24329)
This updates the behaviour to match ember-cli-htmlbars, and should take care of the handful of themes which were relying on runtime compilation in tests (see 4425e99bf9)
2023-11-10 10:37:50 +00:00
Joffrey JAFFEUX
ab832cc865
FEATURE: introduces group channels (#24288)
Group channels will allow users to create channels with a name and invite people. It's possible to add people even after creation of the channel. Removing users is not yet possible but will be added in the near future.

Technically a group channel is `direct_message_channel` with a group attribute set to true on its direct message (chatable). This model might evolve in the future but offers much flexibility for now without having to rely on a complex migration.

The commit essentially consists of:
- a migration to set existing direct message channels with more than 2 users to a group
- a new message creator which allows to search, add members, and create groups
- a new `AddUsersToChannel` service
- a modified `SearchChatable` service
2023-11-10 11:29:28 +01:00
Martin Brennan
a8d6dc4d3a
DEV: Fix bookmark flaky (#24327)
Fixes this problem that happens sometimes in specs:

> Mocha::StubbingError:
> #<Mock:0x135150> was instantiated in one test but it is receiving
invocations within another test. This can lead to unintended
interactions between tests and hence unexpected test failures. Ensure
that every test correctly cleans up any state that it introduces.
2023-11-10 11:16:22 +01:00
David Taylor
de8c8f1d28
DEV: Limit re-use of bundler/yarn caches in CI (#24256)
Using restore-keys means we will always use an old cache, and then add more dependencies to it. This leads to the cache growing over time and becoming increasingly slow. Instead, we should rebuild the cache from scratch each time our dependencies change.
2023-11-10 10:03:15 +00:00
Krzysztof Kotlarek
c0c525056f
UX: number site setting validation message (#24303)
Format big numbers validation to easy to read format like 1,000,000
2023-11-10 14:27:35 +11:00
Martin Brennan
fb2756537d
DEV: Remove flaky setting deprecation logging specs (#24322)
Followup to baeac8f105,
I tried to fix this in 6bf66ccd1a
but it is still not reliable, just removing since they are
too unreliable for value provided
2023-11-10 10:46:28 +10:00
Martin Brennan
620485ada2
DEV: Skip flaky sidebar mobile spec (#24321) 2023-11-10 10:46:19 +10:00
Martin Brennan
731dffdf92
DEV: Align S3 transfer acceleration global settings (#24302)
Followup to fe05fdae24

For consistency with other S3 settings, make the global setting
the same name as the site setting and use SiteSetting.Upload
too so it reads from the correct place.
2023-11-10 09:50:23 +10:00
Kris
36ab7ff2a9
FIX: update tag-chooser & category-selector action (#24318) 2023-11-10 00:05:02 +01:00
dependabot[bot]
10167ad8ee
Build(deps): Bump the babel group (#24310)
Bumps the babel group in /app/assets/javascripts with 2 updates: [@babel/core](https://github.com/babel/babel/tree/HEAD/packages/babel-core) and [@babel/standalone](https://github.com/babel/babel/tree/HEAD/packages/babel-standalone).


Updates `@babel/core` from 7.23.2 to 7.23.3
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.23.3/packages/babel-core)

Updates `@babel/standalone` from 7.23.2 to 7.23.3
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.23.3/packages/babel-standalone)

---
updated-dependencies:
- dependency-name: "@babel/core"
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: babel
- dependency-name: "@babel/standalone"
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: babel
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-11-10 00:00:05 +01:00
Daniel Waterworth
6e161d3e75
DEV: Allow fab! without block (#24314)
The most common thing that we do with fab! is:

    fab!(:thing) { Fabricate(:thing) }

This commit adds a shorthand for this which is just simply:

    fab!(:thing)

i.e. If you omit the block, then, by default, you'll get a `Fabricate`d object using the fabricator of the same name.
2023-11-09 16:47:59 -06:00
Andrei Prigorshnev
d91456fd53
DEV: Ability to collect stats without exposing them via API (#23933)
This adds the ability to collect stats without exposing them 
among other stats via API.

The most important thing I wanted to achieve is to provide 
an API where stats are not exposed by default, and a developer 
has to explicitly specify that they should be 
exposed (`expose_via_api: true`). Implementing an opposite 
solution would be simpler, but that's less safe in terms of 
potential security issues. 

When working on this, I had to refactor the current solution. 
I would go even further with the refactoring, but the next steps 
seem to be going too far in changing the solution we have, 
and that would also take more time. Two things that can be 
improved in the future:
1. Data structures for holding stats can be further improved
2. Core stats are hard-coded in the About template (it's hard 
to fix it without correcting data structures first, see point 1):
    63a0700d45/app/views/about/index.html.erb (L61-L101)

The most significant refactorings are:
1. Introducing the `Stat` model
2. Aligning the way the core and the plugin stats' are registered
2023-11-10 00:44:05 +04:00
Bianca Nenciu
bdb81b5346
DEV: Use a single registry for preloaded category custom fields (#24272)
There was a registry for preloaded site categories and a new one has
been introduced recently for categories serialized through a
CategoryList.

Having two registries created a lot of friction for developers and this
commit merges them into a single one, providing a unified API.
2023-11-09 18:23:24 +02:00
Martin Brennan
e772bb9fce
DEV: Allow new_features URL to be configurable (#24306)
This is so the new features plugin can be tested
easier locally.
2023-11-09 13:50:21 +10:00
Krzysztof Kotlarek
e5e7dd78c2 Bump version to v3.2.0.beta4-dev 2023-11-09 14:25:44 +11:00
Krzysztof Kotlarek
95b7cbd8a1 Bump version to v3.2.0.beta3 2023-11-09 14:25:44 +11:00
Ted Johansson
95a82d608d SECURITY: Prevent Onebox cache overflow by limiting downloads and URL lengths 2023-11-09 13:39:18 +11:00
Martin Brennan
3c5fb871c0 SECURITY: Filter unread bookmark reminders the user cannot see
There is an edge case where the following occurs:

1. The user sets a bookmark reminder on a post/topic
2. The post/topic is changed to a PM before or after the reminder
   fires, and the notification remains unread by the user
3. The user opens their bookmark reminder notification list
   and they can still see the notification even though they cannot
   access the topic anymore

There is a very low chance for information leaking here, since
the only thing that could be exposed is the topic title if it
changes to something sensitive.

This commit filters the bookmark unread notifications by using
the bookmarkable can_see? methods and also prevents sending
reminder notifications for bookmarks the user can no longer see.
2023-11-09 13:39:16 +11:00
Penar Musaraj
6183d9633d SECURITY: Limit height of pre/svg elements
Ensures posts cannot have SVG or PRE elements that are too tall.
2023-11-09 13:39:13 +11:00
Roman Rizzi
d78357917c SECURITY: Onebox templates' HTML injections.
The use of triple-curlies on Mustache templates opens the possibility for HTML injections.
2023-11-09 13:39:11 +11:00
Krzysztof Kotlarek
5f20748e40 SECURITY: SSRF vulnerability in TopicEmbed
Block redirects when making the final request in TopicEmbed to prevent Server Side Request Forgery (SSRF)
2023-11-09 13:39:08 +11:00
Régis Hanol
7d484864fe SECURITY: escape display names
Ensure we escape the display names before passing it to the regexp used to update
quotes whenever a user change their display name.
2023-11-09 13:39:06 +11:00
Martin Brennan
67ac4c5616
DEV: Move min_trust_level_for_here_mention to group setting (#24263)
c.f. https://meta.discourse.org/t/-/283408
2023-11-09 12:07:01 +10:00
Jordan Vidrine
37fda6d479
FIX: Adjust border radius (#24301) 2023-11-08 18:36:30 -06:00
Martin Brennan
fe5383dbff
FIX: Prevent invalid tos and privacy URLs in cache (#24291)
Followup to 5fc1586abf

There are certain cases where the tos_url and privacy_policy_url
can end up with a "nil" value in the Discourse.urls_cache.

The cause of this is unclear, but it seems to behave differently
between doing this caching in the rails console and the running
server.

To avoid this we can just not store anything that looks like nil
in the cache; we can delete the cache keys entirely if we don't
need them anymore.
2023-11-09 10:33:38 +10:00
Andrei Prigorshnev
be2eb3df44
FIX: user got notified about a mention inside a chat message quote (#24229)
When quoting a chat message in a post, if that message contains a mention, 
that mention should be ignored. But we've been detecting them and sending 
notifications to users. This PR fixes the problem. Since this fix is for 
the chat plugin, I had to introduce a new API for plugins:

    # We strip posts before detecting mentions, oneboxes, attachments etc. 
    # We strip those elements that shouldn't be detected. For example, 
    # a mention inside a quote should be ignored, so we strip it off. 
    # Using this API plugins can register their own post strippers. 
    def register_post_stripper(&block) 
    end
2023-11-08 23:13:25 +04:00
Blake Erickson
179abfca1a
DEV: Update gh workflow check-branches.yml (#24298)
Without this change the resulting comparison looks like

```
if [ tests-passed == "tests-passed" ]; then
```

and so it was always failing. This way the resulting base branch name will also be in quotes for the comparison.

Follow up to: #24273
2023-11-08 11:56:49 -07:00
Kris
6b6552fe45
DEV: remove wrapping span from discovery-above (#24297) 2023-11-08 13:53:08 -05:00
Jordan Vidrine
9d1e8265da
FEATURE: Add ability to hide modal header (#24290) 2023-11-08 12:15:35 -06:00
Blake Erickson
670692cfa9
DEV: Adds a GitHub workflow to check target branch (#24273)
* DEV: Adds a GitHub workflow to check target branch

Adds a GitHub workflow to check that the target branch for PRs in the
discourse-private-mirror repo aren't set to the tests-passed branch.

* Rename workflow
2023-11-08 10:34:20 -07:00