Commit Graph

6973 Commits

Author SHA1 Message Date
Roman Rizzi
db5373a87c
UX: Invalid CSV error message now includes information about the malformed line (#8773)
* UX: Invalid CSV error message now includes information about the malformed line

* Update config/locales/server.en.ym and use line_number instead of lineno

Co-Authored-By: Robin Ward <robin.ward@gmail.com>

Co-authored-by: Robin Ward <robin.ward@gmail.com>
2020-01-23 14:04:06 -03:00
Régis Hanol
821e920711 DEV: fix deprecation warnings in specs
Also fixed a typo in a string key "max_pm_recepients" -> "max_pm_recipients"
2020-01-23 16:37:48 +01:00
Neil Lalonde
b63d146128 UX: add confirmation when adding tag synonyms
The new confirmation modal explains that adding a tag as a synonym to
another tag will change all topics to replace the synonyms with the
base tag.
2020-01-22 12:35:42 -05:00
Dan Ungureanu
89bd7ba45f
FIX: Use new tag routes (#8683)
Commit 1fb7a62 added unambiguous routes for tags. This commit ensures
that the new routes are used.
2020-01-21 19:23:08 +02:00
Leo McArdle
8883cca373 enqueue spam/dmarc failing emails instead of hiding (#8674)
* enqueue spam/dmarc failing emails instead of hiding

* add translations for dmarc/spam enqueued reasons

* unescape quote

* if email_in_authserv_id is blank return gray for all emails
2020-01-21 11:12:00 -05:00
Neil Lalonde
2dd1ff79b4 Update translations 2020-01-20 11:00:44 -05:00
Jeff Atwood
1fb81e9f56 omit needless words 2020-01-17 16:16:21 -08:00
romanrizzi
0d08eac1c7 UX: Users must confirm when leaving a private group 2020-01-17 17:58:47 -03:00
Sam Saffron
f8e92298f2 DEV: default Oj to compat mode
Out-of-the-box Oj uses :object mode, this shifts us to use :compat mode
by default which is safer.
It means any de-serialization going forward will default to this mode.

If we wish to serialize or deserialize arbitrary objects going forward with
no json interfaces we will have to opt in.
2020-01-16 07:52:28 +11:00
Arpit Jalan
0f8695958b FIX: better error message when topic deletion fails 2020-01-15 19:30:06 +05:30
Martin Brennan
66f2db4ea4 SECURITY: 2FA with U2F / TOTP 2020-01-15 11:27:12 +01:00
Gerhard Schlager
c351ffe580 FEATURE: Add hidden setting to disable configuration of inventory bucket 2020-01-14 17:23:12 +01:00
romanrizzi
d3091edcea UX: Return a friendlier error when the CSV is invalid. Added a cancel button to return to the /badges view 2020-01-13 15:53:41 -03:00
Robin Ward
e4a85e2a80 Minor tweaks to badge CSV upload 2020-01-13 12:44:22 -05:00
Roman Rizzi
d69c5eebcf
Feature: Mass award badge (#8694)
* UI: Mass grant a badge from the admin ui

* Send the uploaded CSV and badge ID to the backend

* Read the CSV and grant badge in batches

* UX: Communicate the result to the user

* Don't award if badge is disabled

* Create a 'send_notification' method to remove duplicated code, slightly shrink badge image. Replace router transition with href.

* Dynamically discover current route
2020-01-13 11:20:26 -03:00
Martin Brennan
9e399b42b9 DEV: Remove redundant admin_login route, share with email_login 2020-01-13 12:10:07 +10:00
Robin Ward
e616b92511 FIX: If the admin sso sync has no external ID, don't throw an error
Instead, return a HTTP error code and a message explaining the problem,
to avoid log pollution.
2020-01-08 11:47:37 -05:00
David Taylor
c8d438cc63
DEV: Allow CSP to be enabled during QUnit tests (#8668)
The QUnit rake task starts a server in test mode. We need a tweak to allow dynamic CSP hostnames in test mode. This tweak is already present in development mode.

To allow CSP to work, the browser host/port must match what the server sees. Therefore we need to disable the enforce_hostname middleware in test mode. To keep rspec and production as similar as possible, we skip enforce_hostname using an environment variable.

Also move the qunit rake task to use unicorn, for consistency with development and production.
2020-01-07 12:22:58 +00:00
Blake Erickson
b7b85f9ade
FEATURE: Turn csp on by default (#8665)
* turn csp on by default

* remove csp migration for new sites now that is is on by default

* Ensure CSP is off before starting qunit
2020-01-06 13:42:21 -07:00
Risto
e0da8d3ce6 UX: correct validation message for category search priority
The default value is 1.2 so it can surely be set greater than 1.
2020-01-06 17:15:28 +11:00
Sam Saffron
87a8003691 Revert "FEATURE: Turn CSP on by default"
This reverts commit 3193b0f6e6.

This is a temporary revert, we are seeing some CI failures due to this
change so I am reverting till we sort out all the problems.
2020-01-06 11:37:07 +11:00
Blake Erickson
3193b0f6e6 FEATURE: Turn CSP on by default
Turning on CSP by default is one of the 2.4 release features.

https://meta.discourse.org/t/discourse-version-2-4/108194
2020-01-03 13:40:11 -07:00
Sam Saffron
a8ffb6949c FEATURE: support MaxMind DB downloads using a license key
MaxMind now requires an account with a license key to download files.

Discourse admins can register for such an account at:

https://www.maxmind.com/en/geolite2/signup

License key generation is available in the profile section.

Once registered you can set the license key using `DISCOURSE_MAXMIND_LICENSE_KEY`

This amends it so we unconditionally skip MaxMind DB downloads if no license key exists.
2020-01-03 16:32:48 +11:00
Vinoth Kannan
cfd1549abe FIX: allow underscore in file extension while downloading the uploads. 2020-01-03 10:09:07 +05:30
Martin Brennan
2050238d0c
DEV: Log to STDOUT if RAILS_ENABLE_TEST_LOG (#8650)
The env var `RAILS_ENABLE_TEST_LOG` didn't seem to do anything if enabled. This now sets the logger to STDOUT if `RAILS_ENABLE_TEST_LOG` is enabled and also introduces `RAILS_TEST_LOG_LEVEL` so the level of the logging in the console can be provided (default info).

Note: I am not sure if the original behaviour is expected. I can add an additional env var to enable the STDOUT logging if required
2020-01-03 09:58:01 +10:00
Martin Brennan
c031434b86
FIX: Catch error when unknown COSE algorithm is supplied for Security Key (#8649)
Added a fix to gracefully error with a Webauthn::SecurityKeyError if somehow a user provides an unkown COSE algorithm when logging in with a security key.

If `COSE::Algorithm.find` returns nil we now fail gracefully and log the algorithm used along with the user ID and the security key params for debugging, as this will help us find other common algorithms to implement for webauthn
2020-01-02 10:14:22 +10:00
Sam Saffron
412e1ebbe2 DEV: correct parallel specs rake tasks
This used to work due to side effects.

`rake parallel:migrate` used to work very inconsistently and would only migrate
some of the databases.

This introduces the recommended change to db.yml so the correct database is
found based off TEST_ENV_NUMBER if for some reason we did not set it using
RAILS_DB

Also avoids a bunch of schema dumping which is not needed when migrating
parallel specs



DB number 1 is very odd cause for whatever reason parallel spec is not
setting it.
2019-12-31 14:07:55 +11:00
Rafael dos Santos Silva
d170812e99
FIX: Use cached MaxMind DB for longer
Don't try to update the IP database as it's gone.

This allows users to rebuild Discourse while we work on a proper
fix / alternative database.
2019-12-30 16:41:23 -03:00
David Taylor
bc4c40abd4
DEV: Remove unsafe-eval from development CSP (#8569)
- Refactor source_url to avoid using eval in development
- Precompile handlebars in development
- Include template compilers when running qunit
- Remove unsafe-eval in development CSP
- Include unsafe-eval only for qunit routes in development
2019-12-30 12:17:12 +00:00
Gerhard Schlager
7aea7f2cae FIX: Track correct site setting 2019-12-24 14:11:37 +01:00
Gerhard Schlager
52a59b5811 FIX: English and US date/time formats 2019-12-24 12:17:25 +01:00
Arpit Jalan
2c0574010a FIX: better error message when forum is in read-only mode 2019-12-24 15:49:27 +05:30
Krzysztof Kotlarek
9e4fcb1a0a
FIX: Correct description for out of love badge (#8615)
The bug mentioned here
https://meta.discourse.org/t/badge-not-triggering/135896/8

Basically, descriptions for 3 badges: "Out of Love", "Higher Love" and
"Crazy in Love" are granted based on on "max_likes_per_day" and the
description should reflect that.
2019-12-24 08:30:34 +11:00
Joffrey JAFFEUX
ff22f4cddd
UX: invites#show can't be requested with json and is not configured properly (#8570)
Currently at
tempting to access an invite via json will result in the following error:

```
HTTP_ACCEPT	application/json, text/javascript, */*; q=0.01
GET /invites/xxxxxxx

ActionView::MissingTemplate (Missing template invites/show, application/show with {:locale=>[:en_US, :en], :formats=>[:json], :variants=>[], :handlers=>[:raw, :erb, :html, :builder, :ruby]}. Searched in:
  * "/var/www/discourse/app/views"
)
```
2019-12-20 09:24:55 +01:00
Hector Bustillos
87c04ebe39 FEATURE: Keyboard shortcut for opening the topic admin menu (#8568)
* Keyboard shortcut for opening the topic admin menu

* Review changes

* Attrubute and target class renaming
2019-12-19 14:18:14 -05:00
Neil Lalonde
91b290c784 Update translations 2019-12-19 12:31:52 -05:00
Vinoth Kannan
3b7f5db5ba
FIX: parallel spec system needs a dedicated upload folder for each worker. (#8547) 2019-12-18 11:21:57 +05:30
Penar Musaraj
ea05a68df7
FIX: Use updated_at date to denote expired invites (#8521) 2019-12-17 10:13:49 -05:00
Robin Ward
ce78eff888 FIX: Migration paths were being forgotten
According to the [Rails
Source](https://github.com/rails/rails/blob/master/activerecord/lib/active_record/railties/databases.rake#L20)
the `ActiveRecord::Migrator.migrations_paths` are overwritten with the
value of `ActiveRecord::Tasks::DatabaseTasks.migrations_paths` every
time the config is loaded.

This caused a bug for Discourse development where if you ran:

`rake db:drop db:create db:migrate` in one line, you would not get our
post migrations, as those had a custom value for `migrations_paths`.

The fix is to use `ActiveRecord::Tasks::DatabaseTasks.migrations_paths`
to set up all our custom paths. Everything seems to work as expected.
2019-12-16 14:13:47 -05:00
Mark VanLandingham
8c4ffaea1b
FEATURE: Modal for profile featured topic & admin wrench refactor (#8545) 2019-12-16 08:41:34 -08:00
David Taylor
7b6bafc651 Revert "DEV: Bind to ipv6 loopback address in addition to ipv4 (#8544)"
This reverts commit 1002bf62e5.
2019-12-16 15:51:04 +00:00
David Taylor
1002bf62e5
DEV: Bind to ipv6 loopback address in addition to ipv4 (#8544) 2019-12-16 11:01:02 +00:00
Régis Hanol
1309262569 UX: pluralize "likes/read this"
When expending the number of likes/reads, the text wasn't handling
proper pluralization that might be useful in locales that requires it.
2019-12-13 22:18:28 +01:00
Gerhard Schlager
f62215046f FEATURE: Completely remove unsafe-eval from CSP
Plugins can add it via API if they need to use `eval`:
```
extend_content_security_policy(script_src: [:unsafe_eval])
```

See https://meta.discourse.org/t/104243
2019-12-13 12:38:32 +01:00
Daniel Waterworth
1fb7a6297c DEV: Add unambiguous routes for tags
The trouble with having:

/tags/:tag_id/...

and:

/tags/intersection/*tag_ids

for example, is: what happens if you want a tag called intersection?

Under this new scheme. Routes referring to a single tag are unambiguous
because they are prefixed with:

/tag/:tag_id

Routes referring to the collection of tags still start with:

/tags/

This commit just adds the new routes. It doesn't remove the old ones or
cause the new ones to be used.
2019-12-13 11:24:59 +00:00
Rishabh
387daaf7b8 UX: Improve copy on Move to Topic and Move to Message modals
Also clarify that messages can be searched for by url, id and not just title.
2019-12-13 14:13:13 +05:30
David Taylor
4c9ca24ccf
FEATURE: Hash API keys in the database (#8438)
API keys are now only visible when first created. After that, only the first four characters are stored in the database for identification, along with an sha256 hash of the full key. This makes key usage easier to audit, and ensures attackers would not have access to the live site in the event of a database leak.

This makes the merge lower risk, because we have some time to revert if needed. Once the change is confirmed to be working, we will add a second commit to drop the `key` column.
2019-12-12 11:45:00 +00:00
Martin Brennan
6261339da9
Improving bookmarks part 1 (#8466)
Note: All of this functionality is hidden behind a hidden, default false, site setting called `enable_bookmarks_with_reminders`. Also, any feedback on Ember code would be greatly appreciated!

This is part 1 of the bookmark improvements. The next PR will address the backend logic to send reminder notifications for bookmarked posts to users. This PR adds the following functionality:

* We are adding a new `bookmarks` table and `Bookmark` model to make the bookmarks a first-class citizen and to allow attaching reminders to them.
* Posts now have a new button in their actions menu that has the icon of an actual book
* Clicking the button opens the new bookmark modal.
* Both name and the reminder type are optional.
* If you close the modal without doing anything, the bookmark is saved with no reminder.
* If you click the Cancel button, no bookmark is saved at all.
* All of the reminder type tiles are dynamic and the times they show will be based on your user timezone set in your profile (this should already be set for you).
* If for some reason a user does not have their timezone set they will not be able to set a reminder, but they will still be able to create a bookmark.
* A bookmark can be deleted by clicking on the book icon again which will be red if the post is bookmarked.

This PR does NOT do anything to migrate or change existing bookmarks in the form of `PostActions`, the two features live side-by-side here. Also this does nothing to the topic bookmarking.
2019-12-11 14:04:02 +10:00
Gerhard Schlager
dfb9fa3b98 Update translations 2019-12-10 13:10:55 +01:00
Krzysztof Kotlarek
5e29ae3ef5
FEATURE: Warning when component is added and not assigned (#8482)
When a component is installed and not assigned to any theme and the user is changing page, we should display a warning.

If the user decides to skip warning or come back later, a warning should not be shown anymore.

Also, when the user clicks "delete" button right after installation, warning about forgotten themes should not be shown.
2019-12-10 08:43:26 +11:00
Mark VanLandingham
14cb386f1e
FEATURE: Featured topic for user profile & card (#8461) 2019-12-09 11:15:47 -08:00
Dan Ungureanu
192ada0067
UX: Remove 'show more' from upload modals (#8470) 2019-12-09 12:57:43 +02:00
Penar Musaraj
78969d7719 DEV: Support custom log level in dev
See https://guides.rubyonrails.org/debugging_rails_applications.html#log-levels
Can be used to reduce noise when running "bundle exec rails server" in dev.

Setting DISCOURSE_DEV_LOG_LEVEL="warn" will make for easier puts debugging with unicorn.
2019-12-06 10:57:10 -05:00
Vinoth Kannan
e51091f199 REFACTOR: do X-Frame-Options header removal in application controller.
Co-authored-by: Sam <sam.saffron@gmail.com>
Previous commit: f7084a4339
2019-12-06 18:25:32 +05:30
Vinoth Kannan
f7084a4339 FEATURE: add site setting to remove X-Frame-Options header. 2019-12-06 03:15:09 +05:30
Neil Lalonde
50b98a47ac Update translations 2019-12-05 11:20:52 -05:00
Vinoth Kannan
e6dfcda0bc DEV: handle all notification consolidations in new 'NotificationConsolidator' class.
481c8314f0
2019-12-05 14:36:06 +05:30
Neil Lalonde
875f0d8fd8
FEATURE: Tag synonyms
This feature adds the ability to define synonyms for tags, and the ability to merge one tag into another while keeping it as a synonym. For example, tags named "js" and "java-script" can be synonyms of "javascript". When searching and creating topics using synonyms, they will be mapped to the base tag.

Along with this change is a new UI found on each tag's page (for example, `/tags/javascript`) where more information about the tag can be shown. It will list the synonyms, which categories it's restricted to (if any), and which tag groups it belongs to (if tag group names are public on the `/tags` page by enabling the "tags listed by group" setting). Staff users will be able to manage tags in this UI, merge tags, and add/remove synonyms.
2019-12-04 13:33:51 -05:00
Daniel Waterworth
2f5adbe1f4 DEV: Allow the creation of sub-sub-categories
This commits adds a new site setting (max_category_nesting), that
determines whether sub-sub-categories are allowable.
2019-12-04 12:07:05 +00:00
Krzysztof Kotlarek
bb69e8942e
FEATURE: ability to add all active components to theme (#8447)
* FEATURE: ability to add all active components to theme

* FIX: add a component to all themes takes only active ones

* FIX: move select components/themes to top

* FIX: improve defaultIsAvailable

* FIX: Add filter(Boolean) and remove btn class
2019-12-04 17:13:41 +11:00
Gerhard Schlager
2cca14d510 FEATURE: Add hidden setting to allow unsafe-eval in CSP
This new setting defaults to `true` for now, until we make sure that all official plugins and theme components work without `unsafe-eval` in the CSP.
2019-12-03 21:09:08 +01:00
Joffrey JAFFEUX
0d3d2c43a0
DEV: s/\$redis/Discourse\.redis (#8431)
This commit also adds a rubocop rule to prevent global variables.
2019-12-03 10:05:53 +01:00
Krzysztof Kotlarek
b120728999
FEATURE: Ability to add components to all themes (#8404)
* FEATURE: Ability to add components to all themes

This is the first and functional step from that topic https://dev.discourse.org/t/adding-a-theme-component-is-too-much-work/15398/16

The idea here is that when a new component is added, the user can easily assign it to all themes (parents).

To achieve that, I needed to change a site-setting component to accept `setDefaultValues` action and `setDefaultValuesLabel` translated label.
Also, I needed to add `allowAny` option to disable that for theme selector.

I also refactored backend to accept both parent and child ids with one method to avoid duplication (Renamed `add_child_theme!` to more general `add_relative_theme!`)

* FIX: Improvement after code review

* FIX: Improvement after code review2

* FIX: use mapBy and filterBy directly
2019-11-28 16:19:01 +11:00
Vinoth Kannan
481c8314f0 FEATURE: consolidate group membership request notifications. 2019-11-28 04:02:35 +05:30
Martin Brennan
e7c7a05097
FIX: Mark secure media upload insecure automatically if used for theme component (#8413)
When uploading a file to a theme component, and that file is existing and has already been marked as secure, we now automatically mark the file as secure: false, change the ACL, and log the action as the user (also rebake the posts for the upload)
2019-11-28 07:32:17 +10:00
Gerhard Schlager
d12f2580de FIX: Serve crawler view to Google PageSpeed 2019-11-27 22:15:34 +01:00
Leo McArdle
2714149fd2 FEATURE: hide posts from incoming email based on dmarc verdict (#8333) 2019-11-26 15:55:22 +01:00
Martin Brennan
afb5533581
FEATURE: Add timezone to core user_options (#8380)
* Add timezone to user_options table

* Also migrate existing timezone values from UserCustomField,
  which is where the discourse-calendar plugin is storing them

* Allow user to change their core timezone from Profile

* Auto guess & set timezone on login & invite accept & signup

* Serialize user_options.timezone for group members. this is so discourse-group-timezones can access the core user timezone, as it is being removed in discourse-calendar.

* Annotate user_option with timezone

* Validate timezone values
2019-11-25 10:49:27 +10:00
Sam Saffron
b57e108e84 FEATURE: improve email change workflow
- Show old and new email address during the process
- Ensure correct user is logged on when attempting to make email changes
- Support reloading a page during the email reset process without resubmit
of form
- Improve tests
- Fixed issue where redirect back to site was not linking correctly in
subfolder setups

Internal refactor of single action into 4 distinct actions that are simpler
to reason about.

This also removes the step that logs on an account after you confirm an
email change, since it is no longer needed which leaves us with safer
internals.

This left me no choice but to amend translations cause the old route was
removed.
2019-11-21 16:28:35 +11:00
Kris
09579bffbe UX: More obvious alt auth link 2019-11-20 23:44:10 -05:00
Jeff Wong
c6d8dbd4a9 Revert "FEATURE: Normalize the service worker route (#8359)"
This reverts commit 9799a651b6.
2019-11-20 14:10:17 -08:00
Jeff Wong
9799a651b6
FEATURE: Normalize the service worker route (#8359)
* FEATURE: Normalize the service worker route

Update cache headers so they are not immutable outside of the rails app

Add the ability to purge the service worker cache from localhost

Rails -> nginx will pass immutable flags so the file is cached until reloaded.
In most cases, nginx will have its cache flushed on rebuild (new image)

For those needing dynamic re-caching (such as upgrading via the UI),
a rake task for flushing the service worker script is provided
through `assets:flush_sw`
2019-11-20 11:33:41 -08:00
David Taylor
e1fcbf4aef DEV: Remove new_version_emails global setting reference
All site settings are now shadowed by global settings, so there is no need to lookup the global setting explicitly
2019-11-20 15:54:09 +00:00
Martin Brennan
02cb01406e
FIX: Allow secure uploads if global s3 setting active and enable_s3_uploads validations (#8373)
The secure media functionality relied on `SiteSetting.enable_s3_uploads?` which, as we found in dev, did not take into account global S3 settings via `GlobalSetting.use_s3?`. We now use `SiteSetting.Upload.enable_s3_uploads` instead to be more consistent.

Also, we now validate `enable_s3_uploads` changes, because if `GlobalSetting.use_s3?` is true users should NOT be enabling S3 uploads manually.
2019-11-20 07:46:44 +10:00
Vinoth Kannan
3bb7ad4be1
FEATURE: remove support for 'suppress_from_latest' category setting. (#8308) 2019-11-18 12:28:35 +05:30
Sam Saffron
d28de23ac8 FEATURE: block screaming frog SEO spider by default
This crawler is not respectful and often can make 1000s of reqs a minute.

Block by default, site operators can amend this default if they want to.
2019-11-18 16:48:07 +11:00
Sam Saffron
b4bfc27b19 FEATURE: introduce default application level rate limiting by IP
We have tested rate limiting with admin accounts with block rate limiting for
close to 12 months now on meta.discourse.org.

This has resulted in no degradation of services even to admin accounts that
request a lot of info from the site.

The default of 200 requests a minute and 50 per 10 seconds is very generous.
It simply protects against very aggressive clients.

This setting can be disabled or tweaked using:

DISCOURSE_MAX_REQS_PER_IP_MODE and family.

The only big downside here is in cases when a very large number of users tend
to all come from a single IP.

This can be the case on sites accessing Discourse from an internal network
all sharing the same IP via NAT. Or a misconfigured Discourse that is unable
to resolve IP addresses of users due to proxy mis-configuration.
2019-11-18 15:54:50 +11:00
Penar Musaraj
102909edb3 FEATURE: Add support for secure media (#7888)
This PR introduces a new secure media setting. When enabled, it prevent unathorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required`is disabled, only media in private messages will be protected from unauthorized access. 

A few notes: 

- the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads
- the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured
- upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status
- when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error
- when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3
2019-11-18 11:25:42 +10:00
Vinoth Kannan
56b19ba740 UX: instead of total user count display only the count of users going to be affected.
edec922803
2019-11-18 00:09:38 +05:30
Blake Erickson
eb4d8a43e3 DEV: Improve mail-receiver update instructions 2019-11-15 13:57:43 -07:00
Martin Brennan
5c59247c3a Block enabling force 2FA if local logins disabled & vice-versa (#8355) 2019-11-15 17:05:10 +11:00
Gerhard Schlager
f72730703a Update translations 2019-11-14 15:41:42 +01:00
Martin Brennan
e7226a8c84
FEATURE: Allow scoping search to tag (#8345)
* When viewing a tag, the search widget will now show a checkbox to scope the search by tag, which will limit search results to that tag on desktop and mobile
2019-11-14 10:40:26 +10:00
tshenry
9caec39aef
UX: Add CSP documentation link to content_security_policy_script_src setting 2019-11-12 14:57:47 -08:00
Mark VanLandingham
3dd2f2f701
DEV: Remove RSS feed polling in favor of plugin (#8233) 2019-11-12 09:49:02 -06:00
David Taylor
5f927ceeb3
DEV: Display a warning when themes hard-code optimized image links (#8304) 2019-11-12 14:30:19 +00:00
Blake Erickson
15f6f57cdc DEV: Add update message for an outdated mail-receiver
Previous versions of the mail-receiver used query based api credentials,
if we detect this we will show a message in the admin panel to update
the mail receiver.
2019-11-08 17:32:22 -07:00
Martin Brennan
56d3e29a69
FIX: Badge and user title interaction fixes (#8282)
* Fix user title logic when badge name customized
* Fix an issue where a user's title was not considered a badge granted title when the user used a badge for their title and the badge name was customized. this affected the effectiveness of revoke_ungranted_titles! which only operates on badge_granted_titles.
* When a user's title is set now it is considered a badge_granted_title if the badge name OR the badge custom name from TranslationOverride is the same as the title
* When a user's badge is revoked we now also revoke their title if the user's title matches the badge name OR the badge custom name from TranslationOverride
* Add a user history log when the title is revoked to remove confusion about why titles are revoked
* Add granted_title_badge_id to user_profile, now when we set badge_granted_title on a user profile when updating a user's title based on a badge, we also remember which badge matched the title
* When badge name (or custom text) changes update titles of users in a background job
* When the name of a badge changes, or in the case of system badges when their custom translation text changes, then we need to update the title of all corresponding users who have a badge_granted_title and matching granted_title_badge_id. In the case of system badges we need to first get the proper badge ID based on the translation key e.g. badges.regular.name
* Add migration to backfill all granted_title_badge_ids for both normal badge name titles and titles using custom badge text.
2019-11-08 15:34:24 +10:00
Vinoth Kannan
ba5b78a348
FEATURE: support to mute all categories by default. (#8295)
Instead of enabling `suppress_from_latest` setting on many categories now we can enable `mute_all_categories_by_default` site setting. Then users should opt-in to categories for them to appear in the latest and categories pages.
2019-11-08 08:28:11 +05:30
Blake Erickson
2db2003187 DEV: Add deprecation warning of non-header based API auth
This change adds a message to the admin panel if it detects an api
requests that doesn't use the new header based authentication method.

The message is to warn people to switch to header based auth and links
to the api documention topic on meta for more info.
2019-11-07 17:06:13 -07:00
Arpit Jalan
6a417c308f FIX: include onebox default options in development environment 2019-11-07 15:42:53 +05:30
Vinoth Kannan
5d42f052bc Minor copy edit
671f303b53
2019-11-07 11:39:17 +05:30
Sam Saffron
1d1dd2a4d4 PERF: cache static assets in NGINX for longer
Previously our cache would expire any asset that was not accessed for 10
minutes. This is way too short and was never intended. All the assets we
are serving are usually very long living assets like avatars and css files

1 day is a reasonable setting here cause it offers far better protection.
I would consider upping this to a week though longer term.

Maximum disk space of cache was increased as well to 600m. Very unlikely to
ever hit this except on very large sites.

Additionally, this places all the cached assets in nested directories, we
never want cached files to be in one giant directory cause it is inefficient
2019-11-07 12:12:24 +11:00
Gerhard Schlager
ee5b56914c FIX: Use long version of month names in date formats
Otherwise we'd need to add `date.abbr_month_names` to `server.en.yml`
2019-11-06 22:30:51 +01:00
Neil Lalonde
b151963f18 Update translations 2019-11-06 10:43:13 -05:00
Gerhard Schlager
61b1f9c36b FEATURE: Load translation overrides without JS eval 2019-11-05 19:16:38 +01:00
Gerhard Schlager
94a34af702 Update translations 2019-11-05 16:52:48 +01:00
David Taylor
52c5cf33f8
FEATURE: Overhaul of admin API key system (#8284)
- Allow revoking keys without deleting them
- Auto-revoke keys after a period of no use (default 6 months)
- Allow multiple keys per user
- Allow attaching a description to each key, for easier auditing
- Log changes to keys in the staff action log
- Move all key management to one place, and improve the UI
2019-11-05 14:10:23 +00:00
Daniel Waterworth
fa2c06da93 DEV: Change tag routing for categories on the server-side
These are the changes to tags routing that correspond to the category
routing changes of d84c34ad. The new scheme is:

/tags/c/*slug_path/:id/none/:tag_id/ENDPOINT
/tags/c/*slug_path/:id/none/:tag_id
/tags/c/*slug_path/:id/:tag_id/ENDPOINT
/tags/c/*slug_path/:id/:tag_id
2019-11-05 13:24:36 +00:00
Vinoth Kannan
671f303b53
FEATURE: Add welcome message for admins. (#8293) 2019-11-05 18:15:55 +05:30
Daniel Waterworth
f3f04f1643 REFACTOR: Handle no_subcategories option during routing 2019-11-04 10:58:06 +00:00
Arpit Jalan
b7327d2c34 UX: show user email address on "grant admin access" email and UI 2019-11-04 14:47:00 +05:30
Mark VanLandingham
66e0bdc053
FEATURE: Create New Topic button on embed with params (#8280)
* FEATURE: Create New Topic button on embed with params
2019-11-01 14:19:10 -05:00
Vinoth Kannan
72aa26c8c5
FEATURE: New site settings for default tags in user preferences. (#8283) 2019-11-01 12:40:13 +05:30
Neil Lalonde
d777844ed6 FEATURE: categories can require topics have a tag from a tag group
In a category's settings, the Tags tab has two new fields to
specify the number of tags that must be added to a topic
from a tag group. When creating a new topic, an error will be
shown to the user if the requirement isn't met.
2019-10-31 16:10:19 -04:00
Neil Lalonde
091d058ff2 UX: widen tag group name input field and add placeholder text 2019-10-31 16:10:19 -04:00
Daniel Waterworth
d84c34ad75 DEV: Server-side category routing changes
The routes for categories are changing. The scheme that I intend to move
us to is:

/c/*slug_path/(:id)/ENDPOINT
/c/*slug_path/(:id)

This commit adds support for the new scheme to the server side without
dropping support for existing URLs. It is necessary to support existing
URLs for two reasons:

 * This commit does not change any client side routing code,
 * Posts that contain category hashtags that refer to a root category
   are baked into URLs that do not fit this new scheme, (/c/[id]-[slug])
2019-10-31 18:06:22 +00:00
Kris
4434f419c6 Copy edit: rename profile header to profile background 2019-10-31 13:06:59 -04:00
Sam Saffron
c5e67726fd FIX: under some conditions draft would say it was saving when not
This is a major change to draft internals. Previously there were quite a
few cases where the draft system would say "draft saved", when in fact
we just skipped saving.

This commit ensures the draft system deals with draft ownership handover in
a predictable way.

For example:

- Window 1 editing draft
- Window 2 editing same draft at the same time

Previously we would allow window 1 and 2 to just fight on the same draft
each window overwriting the same draft over an over.

This commit introduces an ownership concept where either window 1 or 2 win
and user is prompted on the loser window to reload screen to correct the issue

This also corrects edge cases where a user could have multiple browser windows
open and posts in 1 window, later to post in the second window. Previously
drafts would break in the second window, this corrects it.
2019-10-31 17:15:58 +11:00
Penar Musaraj
580a4a827b Exclude audio/video URLs from search result blurbs
Displays translatable "[audio]" or "[video]" placeholders instead of ugly (and often long) URLs.
2019-10-30 13:07:16 -04:00
Penar Musaraj
965662d215 Prettify server.en.yml 2019-10-30 12:56:25 -04:00
Jarek Radosz
080e899b8c
DEV: Tag group improvements (#8252)
* DEV: Add the actual "tag_groups/new" route

Allows refreshing the "new" page without an error.

* DEV: Prevent attempts to create group tags if tagging is disabled

* DEV: Refactor the tag-groups controller

Gets rid of `selectedItem`, `selected`, and `selectTagGroup` action.

* DEV: Rename tag-groups-show to tag-groups-edit

* DEV: Refactor tag-groups form

* Extracted the tag-groups-form that's used by tag-groups-new and tag-groups-edit
* The model is now a buffered property
* Serialization relies more heavily on RestAdapter now
* Data is sent as JSON
* Payload is now namespaced ("tag_group")

* Update app/assets/javascripts/discourse/controllers/tag-groups-new.js.es6

Co-Authored-By: Joffrey JAFFEUX <j.jaffeux@gmail.com>

* Update app/assets/javascripts/discourse/components/tag-groups-form.js.es6

Co-Authored-By: Joffrey JAFFEUX <j.jaffeux@gmail.com>

* Update app/assets/javascripts/discourse/controllers/tag-groups-edit.js.es6

Co-Authored-By: Joffrey JAFFEUX <j.jaffeux@gmail.com>
2019-10-30 16:57:13 +01:00
Krzysztof Kotlarek
c32bd8ae48 FEATURE: Remove attachments and truncate raw field for incoming emails (#8253)
Adds the settings: 

raw_email_max_length, raw_rejected_email_max_length, delete_rejected_email_after_days. 

These settings control retention of the "raw" emails logs.

raw_email_max_length ensures that if we get incoming email that is huge we will truncate it removing uploads from the raw log.

raw_rejected_email_max_length introduces an even more aggressive truncation for rejected incoming mail. 

delete_rejected_email_after_days controls how many days we will keep rejected emails for (default 90)
2019-10-30 16:54:35 +11:00
Jeff Atwood
6d381b33a4 copyedits on moderator welcome PM 2019-10-28 17:19:42 -07:00
Jeff Wong
64d51ab45e DEV: add UNICORN_BIND_ALL
listen on local interface by default.
2019-10-28 14:11:19 -07:00
Mark VanLandingham
4eb54f08b2
FEATURE: Site setting/UI to allow users to set their primary group (#8244)
* FEATURE: Site setting/ui to allow users to set their primary group

* prettier and remove logic from account template

* added 1 to 43 to make web_hook_user_serializer_spec pass
2019-10-28 12:46:27 -05:00
Leo McArdle
e7ff6809a3 FEATURE: add SES spam header to recognised spam headers (#8254) 2019-10-28 12:46:53 -04:00
Jarek Radosz
5776251cdd
DEV: Remove an obsolete "preferences/about-me" route (#8251)
User's title and bio can be changed on the "preferences/account" page.
2019-10-28 17:29:14 +01:00
Mark VanLandingham
437edfc415
FEATURE: Welcome moderator message - add copy! (#8246) 2019-10-28 08:58:45 -05:00
tshenry
5d1b34e1b9
Minor Copy Change
Context: https://meta.discourse.org/t/email-with-correct-incoming-email-address-in-bcc-is-being-rejected/131003/2
2019-10-24 11:16:31 -07:00
Neil Lalonde
f061aee818 FEATURE: support SCSS in custom email style
In the CSS tab of Admin > Customize > Email Style, SCSS can now be used.
2019-10-23 15:42:37 -04:00
Vinoth Kannan
31577b2131 FEATURE: wiki editors are allowed edit tags for wiki topics.
If a wiki editor's TL is greater than 'min trust level to tag topics' site setting then they can edit the tags for any wiki topic.
2019-10-23 23:35:38 +05:30
Sam Saffron
98d6cee7c7 FIX: various fixes to draft system
- destroyDraft which is called when we cancel a draft is now async,
  removing race conditions when you click "reply" to a post and are
  already editing. We used to trigger double dialogs for cancelling
  drafts which was confusing.

- Remove reply as new topic / reply as pm keys, they are no longer
  used and only caused confustion. For example we used to pop up a
  warning when you are composing a reply and flick to reply as
  new topic

- Remove createTopic key, this was a bug that proliferated. Whenever
  creating a topic via the C shortcut or clicking on new topic on full
  screen search the correct new topic draft key will be used
  consistently

- When abandoning an edit we now say "Are you sure you want to discard
  your changes" (instead of abandon your post which is confusing)
2019-10-21 17:24:06 +11:00
Krzysztof Kotlarek
858cf5836c
FIX: update Redis gem to version 4.1.3
I run our benchmark on commit with hiredis and redis-4.1.3

Results:
type | hidredis | redis 4.1.3 | percent
--- | --- | --- | ---
Categories-50 | 49 | 50 | 102.04%
Categories-75 | 51 | 51 | 100.00%
Categories-90 | 63 | 64 | 101.59%
Categories-99 | 86 | 85 | 98.84%
Home-50 | 55 | 55 | 100.00%
Home-75 | 56 | 57 | 101.79%
Home-90 | 68 | 69 | 101.47%
Home-99 | 102 | 104 | 101.96%
Topic-50 | 36 | 37 | 102.78%
Topic-75 | 37 | 37 | 100.00%
Topic-90 | 47 | 48 | 102.13%
Topic-99 | 60 | 61 | 101.67%
Categories-admin-50 | 124 | 117 | 94.35%
Categories-admin-75 | 130 | 129 | 99.23%
Categories-admin-90 | 147 | 143 | 97.28%
Categories-admin-99 | 204 | 199 | 97.55%
Home-admin-50 | 146 | 148 | 101.37%
Home-admin-75 | 150 | 152 | 101.33%
Home-admin-90 | 169 | 168 | 99.41%
Home-admin-99 | 232 | 223 | 96.12%
Topic-admin-50 | 60 | 61 | 101.67%
Topic-admin-75 | 64 | 63 | 98.44%
Topic-admin-90 | 76 | 73 | 96.05%
Topic-admin-99 | 124 | 94 | 75.81%
Load rails | 2412 | 2360 | 97.84%
rss | 290204 | 295828 | 101.94%
pss | 277948 | 283624 | 102.04%

Redis gem is manipulating Redis config https://github.com/redis/redis-rb/blob/master/lib/redis/client.rb#L95
therefore we cannot pass the frozen config object.

Pass of the copy of the object is protecting original config
2019-10-21 09:59:24 +11:00
tshenry
95114f87ae
Improve spam_hosts copy (#8203)
- Increase size of the reviewable's conversation excerpt to prevent truncation of the new copy
- Remove the `domain` parameter from the `flag_linked_posts_as_spam` method in the user model since it is no longer needed
- Remove the `domain` interpolation variable from all translation files
- Add "All posts from this user that include links should be reviewed." to server.en.yml for added clarity on why the posts entered the queue
2019-10-18 09:31:15 -07:00
Blake Erickson
80d8830c17 DEV: Make max_tags_in_filter_list available clientside
This will allow plugins that use this setting to read the value using
javascript.
2019-10-17 15:22:27 -06:00
David Taylor
d1b86352d4
UX: Make group membership UI clearer (#8210)
The 'automatically set primary group' checkbox looked like it was associated with the email membership. In fact, it applies to all members who join the group. This commit moves it next to the 'automatic trust level' setting, and puts them both under an 'Effects' heading
2019-10-17 18:05:42 +01:00
Sam Saffron
f5d1aff8dd FEATURE: experimental hidden setting for draft backups
Under exceptional situations the automatic draft feature can fail.

This new **hidden, default off** site setting
`backup_drafts_to_pm_length` will automatically backup any draft that is
saved by the system to a dedicated PM (originating from self)

The body of that PM will contain the text of the reply.

We can enable this feature strategically on sites exhibiting issues to
diagnose issues with the draft system and offer a recourse to users who
appear to lose drafts. We automatically checkpoint these drafts every 5
minutes forcing a new revision each 5 minutes so you can revert to old
content.

Longer term we are considering automatically enabling this kind of feature
for extremely long drafts where the risk is really high one could lose
days of writing.
2019-10-17 16:58:21 +11:00
Sam Saffron
ae2a56999e Revert "FIX: update Redis gem to version 4.1.3 (#8197)"
This reverts commit ab74a50d85.

We really want to upgrade redis, but discovered some edge cases
around failover we need to test.

Holding off on the upgrade till a bit more testing happens
2019-10-17 11:41:46 +11:00
Krzysztof Kotlarek
ab74a50d85 FIX: update Redis gem to version 4.1.3 (#8197)
* FIX: update Redis gem to version 4.1.3

I run our benchmark on commit with hiredis and redis-4.1.3

Results:
type | hidredis | redis 4.1.3 | percent
--- | --- | --- | ---
Categories-50 | 49 | 50 | 102.04%
Categories-75 | 51 | 51 | 100.00%
Categories-90 | 63 | 64 | 101.59%
Categories-99 | 86 | 85 | 98.84%
Home-50 | 55 | 55 | 100.00%
Home-75 | 56 | 57 | 101.79%
Home-90 | 68 | 69 | 101.47%
Home-99 | 102 | 104 | 101.96%
Topic-50 | 36 | 37 | 102.78%
Topic-75 | 37 | 37 | 100.00%
Topic-90 | 47 | 48 | 102.13%
Topic-99 | 60 | 61 | 101.67%
Categories-admin-50 | 124 | 117 | 94.35%
Categories-admin-75 | 130 | 129 | 99.23%
Categories-admin-90 | 147 | 143 | 97.28%
Categories-admin-99 | 204 | 199 | 97.55%
Home-admin-50 | 146 | 148 | 101.37%
Home-admin-75 | 150 | 152 | 101.33%
Home-admin-90 | 169 | 168 | 99.41%
Home-admin-99 | 232 | 223 | 96.12%
Topic-admin-50 | 60 | 61 | 101.67%
Topic-admin-75 | 64 | 63 | 98.44%
Topic-admin-90 | 76 | 73 | 96.05%
Topic-admin-99 | 124 | 94 | 75.81%
Load rails | 2412 | 2360 | 97.84%
rss | 290204 | 295828 | 101.94%
pss | 277948 | 283624 | 102.04%

* FIX: get rid of redis freedom patch
2019-10-17 08:49:23 +11:00
Rafael dos Santos Silva
6e9c8fe854
FIX: More encoded slug fixes (#8191)
* FIX: Do not encode the URL twice

Now that we encode slugs in the server we don't need this anymore.

Reverts fe5na33

* FIX: More places do deal with encoded slugs

* the param is a string now, not a hash

* FIX: Handle the nil slug on /categories

* DEV: Add seeded? method to identity default categories

* DEV: Use SiteSetting to keep track of seeded categories
2019-10-16 17:08:43 -03:00
David Taylor
1b8be069e5
DEV: Disable better_errors when developing with more than one worker (#8201)
From the better_errors README:

> Better Errors works by leaving a lot of context in server process memory. If you're using a web server that runs multiple "workers" it's likely that a second request (as happens when you click on a stack frame) will hit a different worker. That worker won't have the necessary context in memory, and you'll see a Session Expired message.
2019-10-16 14:44:48 +01:00
Arpit Jalan
600233482f FIX: include topic link when inviting existing users to a topic/PM
FEATURE: allow staff to use topic_url for customizing email template
2019-10-16 12:36:16 +05:30
Krzysztof Kotlarek
0bf55fe2ff
Revert "FIX: public_file_server.enabled is false in test (#8192)" (#8196)
This reverts commit 5a8fdd02fe.
2019-10-16 10:39:31 +11:00
Krzysztof Kotlarek
5a8fdd02fe FIX: public_file_server.enabled is false in test (#8192)
After a small conversation, we decided that we can set `public_file_server.enabled` to false in the `test` environment to have the same value as `production`.
2019-10-16 09:18:48 +11:00
Vinoth Kannan
b2f682f35e
FEATURE: Option to update category preferences of all users when site setting changed (#8180) 2019-10-15 18:41:27 +05:30
Dan Ungureanu
5b84307774
FIX: Ensure that scheduled jobs are loaded. (#8183)
In development, the scheduled jobs are loaded lazily and MiniScheduler
cannot discover them (/sidekiq/scheduler does not show any jobs).
2019-10-14 12:14:16 +03:00
Jeff Atwood
16d8e3f872 minor copyedit 2019-10-12 20:05:34 -07:00
Roman Rizzi
01bc465db8
DEV: Split max decompressed setting for themes and backups (#8179) 2019-10-11 14:38:10 -03:00
Penar Musaraj
3a469a79cf
FEATURE: search topics when adding a link in composer (#8178) 2019-10-11 11:37:44 -04:00
Neil Lalonde
3007c93205 Update translations 2019-10-10 11:15:24 -04:00
David Taylor
445a3851d6 FEATURE: Display created and last_used dates for API keys 2019-10-09 14:24:41 +01:00
Régis Hanol
349c1cd085 FIX: remove site setting 'shadowed-by-global' option (#8061) 2019-10-08 12:43:26 -04:00
Daniel Waterworth
4c9ed7bd85 FIX: Fix rake db:create after zeitwerk changes
Post-zeitwerk, rails has deprecated autoloading modules during
initialization and forces all autoloaded modules to be reloaded after
initialization.

Requiring the file explicitly prevents autoloading and therefore
prevents the state on SiteSetting being trashed which was causing the
problem here.
2019-10-08 12:22:34 +01:00
Dan Ungureanu
fdb1d3404c
FEATURE: Add site setting to show more detailed 404 errors. (#8014)
If the setting is turned on, then the user will receive information
about the subject: if it was deleted or requires some special access to
a group (only if the group is public). Otherwise, the user will receive
a generic #404 error message. For now, this change affects only the
topics and categories controller.

This commit also tries to refactor some of the code related to error
handling. To make error pages more consistent (design-wise), the actual
error page will be rendered server-side.
2019-10-08 14:15:08 +03:00
David Taylor
d2bceff133
FEATURE: Use full page redirection for all external auth methods (#8092)
Using popups is becoming increasingly rare. Full page redirects are already used on mobile, and for some providers. This commit removes all logic related to popup authentication, leaving only the full page redirect method.

For more info, see https://meta.discourse.org/t/do-we-need-popups-for-login/127988
2019-10-08 12:10:43 +01:00
Gerhard Schlager
3dfe9f3b8d Update translations 2019-10-08 12:25:24 +02:00
Sam Saffron
8d5f47dded PREF: optimise preloading application
We preload to ensure as much memory as possible is reused from unicorn master
to various workers using copy-on-write (sidekiq, unicorn)

This migrates the preloading code into the Discourse module for easier
reuse and adds 3 notable preloading changes

1. We attempt to localize a string on each site, ensuring we warmup
the i18n

2. We preload all our templates (compiling .erb to class)

3. We warm-up our search tokenizer which uses cppjieba which is a large
memory consumer, this will only cause a warmup on CJK sites or sites with
the special site setting enabled.
2019-10-07 00:33:37 -04:00
Jarek Radosz
87be6fe98c
DEV: Add a plugin incompatibility message (#8151)
* DEV: Add a plugin incompatibility message

* Extract the plugin_initialization_guard
2019-10-06 20:47:33 +02:00
Mark VanLandingham
30087beb72
UX: Input for name when creating a new authenticator (#8153)
* FEATURE: Added input for name when creating a new authenticator in user preferences

* FEATURE: Added placeholders to authenticator inputs

* Ran prettier on second-factor-add-totp.js.es6
2019-10-04 13:46:48 -05:00