Commit Graph

40722 Commits

Author SHA1 Message Date
Neil Lalonde
f8562d8d2f
Version bump to v2.6.5 2021-04-14 11:01:26 -04:00
David Taylor
a19152f3be
SECURITY: Improve theme git import (#12695) 2021-04-14 15:32:33 +01:00
Sam
5b99cb9275
FIX: automatically timeout long running image magick commands (#12670)
Previously, certain images could cause convert / identify to run for unreasonable
amounts of time.

This adds a maximum amount of time these commands can run before they are
forced to stop.
2021-04-12 14:04:37 +03:00
Neil Lalonde
3aa9ae08c2
Version bump to v2.6.4 2021-04-07 12:22:59 -04:00
David Taylor
5dbac4e58e
FIX: Add platforms to stable Gemfile (#12479)
There are a few issues which require us to do this:
 - We install the latest version of bundler on every rebuild. Therefore we're running 2.2.15 everywhere, even for 'stable' clusters
 - Bundler has changed how gem platforms are managed. That meant that on the stable branch we were building libv8 from source via the 'ruby' package, rather than using the precompiled x86_64-linux binary
 - Building the libv8 from source is currently failing

 Together, these things mean that builds of `stable` are currently failing. Each of the above issues should likely be fixed, but this commit provides the quickest route to get things working again. Note that despite the Gemfile.lock update, no gem versions have changed.
2021-03-22 18:54:17 +00:00
Martin Brennan
3ef594b1f1
SECURITY: Fix is_private_ip for RateLimiter to cover all cases (#12464)
The regular expression to detect private IP addresses did not always detect them successfully.
Changed to use ruby's in-built IPAddr.new(ip_address).private? method instead
which does the same thing but covers all cases.
2021-03-22 14:04:55 +10:00
Neil Lalonde
7b283b5f21
Version bump to v2.6.3 2021-03-04 14:08:53 -05:00
jbrw
53f01874bd
FIX: NewPostManager should respect category_group_moderator settings (#12116)
NewPostManager's `post_needs_approval_in_its_category` method should allow category group moderators to create topics/reply to topics where they have appropriate permissions.

(i.e., if a user has permission to moderate a post, any posts made by them shouldn't be sent to moderation)
2021-02-24 13:54:54 -05:00
Neil Lalonde
eb9f15a94a
Version bump to v2.6.2 2021-02-18 12:53:47 -05:00
David Taylor
5489a1c4d9
SECURITY: Attach DiscourseConnect (SSO) nonce to current session (#12124) 2021-02-18 10:57:36 +00:00
Arpit Jalan
a4a37b671a
FIX: process new invites when existing users are already group members (#11971)
If a list of email addresses is pasted into a group’s Add Members form
that has one or more email addresses of users who already belong to the
group and all other email addresses are for users who do not yet exist
on the forum then no invites were being sent. This commit ensures that
we send invites to new users.
2021-02-05 10:04:35 +05:30
Martin Brennan
946f4b82fa
DEV: Move logic for rate limiting user second factor to one place (#11941)
This moves all the rate limiting for user second factor (based on `params[:second_factor_token]` existing) to the one place, which rate limits by IP and also by username if a user is found.
2021-02-04 09:06:11 +10:00
Robin Ward
98f775506d
SECURITY: Rate limit MFA by login if possible (#11938)
This ensures we rate limit on logins where possible, we also normalize logins for the rate limiters centrally.
2021-02-03 10:32:08 +11:00
Neil Lalonde
d8627cf43f
Version bump to v2.6.1 2021-01-21 14:13:35 -05:00
Arpit Jalan
5130f73bad
Bump onebox gem to 2.2.1
- do not show title only oneboxes
- allow oneboxes with title and image
2020-12-24 11:14:21 +05:30
Rafael dos Santos Silva
3a4bd80d8a
FIX: Autoplay videos must always be muted (#11533)
This automatically adds the muted attribute if it's missing in a video
tag.

Co-authored-by: David Taylor <david@taylorhq.com>
2020-12-21 18:09:41 -03:00
Neil Lalonde
d6121249d3
Version bump to v2.6.0 2020-11-30 16:48:47 -05:00
Neil Lalonde
a502a47197
Merge diffs from master 2020-11-30 16:42:54 -05:00
Neil Lalonde
fef0a0c429
Merge master 2020-11-30 16:41:58 -05:00
dependabot[bot]
c60084a8f1
Build(deps-dev): Bump simplecov from 0.19.1 to 0.20.0
Bumps [simplecov](https://github.com/simplecov-ruby/simplecov) from 0.19.1 to 0.20.0.
- [Release notes](https://github.com/simplecov-ruby/simplecov/releases)
- [Changelog](https://github.com/simplecov-ruby/simplecov/blob/main/CHANGELOG.md)
- [Commits](https://github.com/simplecov-ruby/simplecov/compare/v0.19.1...v0.20.0)

Signed-off-by: dependabot[bot] <support@github.com>
2020-11-30 13:07:19 -05:00
David Taylor
e7bad9f05d
FIX: Ensure directory items appear in a consistent order (#11370)
User directory items are sorted by some activity metric. If those metrics have the same value, postgres does not guarantee the order in which they will be returned. This can cause issues in pagination - some users may appear twice, and some may be missed. To illustrate:

```ruby
pry(main)> query = DirectoryItem.where(period_type: DirectoryItem.period_types[:weekly]).order(:likes_received).limit(50);
pry(main)> page1 = query.offset(0).pluck(:id);
pry(main)> page2 = query.offset(50).pluck(:id);
pry(main)> (page1 & page2).count # users on both pages
=> 29
```

If we use the primary key to tie-break matching metrics, things are much more reliable:

```ruby
pry(main)> query = DirectoryItem.where(period_type: DirectoryItem.period_types[:weekly]).order(:likes_received, :id).limit(50);
pry(main)> page1 = query.offset(0).pluck(:id);
pry(main)> page2 = query.offset(50).pluck(:id);
pry(main)> (page1 & page2).count # users on both pages
=> 0
```

This most commonly affects new sites where all the directory metrics are zero.

The fact that the ordering is indeterminate makes it difficult to write a reliable test case for this.
2020-11-27 18:12:49 +00:00
Robin Ward
65eec147fc
FEATURE: Add plugin js / plugin test js to bootstrap.json
This allows 3rd party clients (such as Ember CLI) to run plugins and
their tests.
2020-11-27 12:31:17 -05:00
dependabot[bot]
7af663ca63
Build(deps): Bump loofah from 2.7.0 to 2.8.0
Bumps [loofah](https://github.com/flavorjones/loofah) from 2.7.0 to 2.8.0.
- [Release notes](https://github.com/flavorjones/loofah/releases)
- [Changelog](https://github.com/flavorjones/loofah/blob/master/CHANGELOG.md)
- [Commits](https://github.com/flavorjones/loofah/compare/v2.7.0...v2.8.0)

Signed-off-by: dependabot[bot] <support@github.com>
2020-11-27 10:50:19 -05:00
Roman Rizzi
5448f3ed9e
Hide imports commit from blame (#11367) 2020-11-27 11:46:27 -03:00
Roman Rizzi
1c2358ba16
DEV: Tidy up imports. (#11364)
Only allow one import definition per file and add a new eslint rule to enforce it.
2020-11-27 11:30:16 -03:00
Gerhard Schlager
2e5e4dbf19
DEV: Make it easier to customize link attributes in quick access menu (#11365)
This allows themes to customize link attributes:

```javascript
api.reopenWidget("quick-access-item", {
  _linkAttributes(href) {
    // start from the attributes the default implementation produces
    const attributes = this._super(...arguments);
    // do stuff
    return attributes;
  }
});
```
2020-11-27 12:26:47 +01:00
Bianca Nenciu
eeae657ca5
FIX: No tags should be set if tag chooser is hidden (#11362)
If a user could not set tags because they had a trust level lower than
min_trust_level_to_tag_topics site setting, the "Create Topic" button
from a tag page would still show up and be enabled. Clicking it caused
the composer model to silently have the tags set.
2020-11-27 13:03:37 +02:00
Krzysztof Kotlarek
a0c457120a
Revert "FIX: bump nokogumbo to 2.0.3 with patch (#11357)" (#11366)
This reverts commit 2fee4ee7f3.
2020-11-27 17:14:12 +11:00
Krzysztof Kotlarek
2fee4ee7f3
FIX: bump nokogumbo to 2.0.3 with patch (#11357)
PR lodged to nokogumbo so later we should be able to drop freedom patch - https://github.com/rubys/nokogumbo/pull/158
2020-11-27 08:32:18 +11:00
Robin Ward
dab2f2fdf4
REFACTOR: We can't use Ember.HTMLBars.compile in Ember CLI
Instead we use the inline `hbs` helper. Note in the non-Ember CLI
version this will not actually inline compile, but it will still work
for all our tests.
2020-11-26 09:27:20 -05:00
dependabot[bot]
6ac270aa94
Build(deps): Bump regexp_parser from 1.8.2 to 2.0.0
Bumps [regexp_parser](https://github.com/ammar/regexp_parser) from 1.8.2 to 2.0.0.
- [Release notes](https://github.com/ammar/regexp_parser/releases)
- [Changelog](https://github.com/ammar/regexp_parser/blob/master/CHANGELOG.md)
- [Commits](https://github.com/ammar/regexp_parser/compare/v1.8.2...v2.0.0)

Signed-off-by: dependabot[bot] <support@github.com>
2020-11-26 09:26:57 -05:00
Joe
eecff3d15b
DEV: Ensures mobile RTL stylesheets are loaded (#11360)
This PR only makes CSS changes that have no visual impact, but they fix an issue in the compiler that causes some stylesheets not to load on mobile RTL.

Full context here

https://meta.discourse.org/t/user-card-will-not-open-on-the-mobile/171268/6?u=johani
2020-11-26 21:03:25 +08:00
David Taylor
f56c4b78da
FEATURE: Add users:log_out API key scope (#11359) 2020-11-26 10:39:38 +00:00
Sam
97eae4e3ad
PERF: avoid using destroy_all when removing stats (#11358)
destroy_all will load the whole ActiveRecord relation and iterate over it; this
can get extremely expensive.
2020-11-26 15:29:39 +10:00
Roman Rizzi
c9df679ba1
FIX: Only use full slugs when compiling category backgrounds. (#11353)
If a category and a sub-category have the same slug, adding a background to one of them will also show it on the other one. This was introduced in 8e3f667 to fix a discrepancy, which was later fixed in 214b4c3.
2020-11-25 15:40:16 -03:00
Robin Ward
059e9cb1d2
REFACTOR: Remove .erb from emoji-picker
We can't use erb in ember-cli, and it seems the emoji groups rarely
change anyway. This commit migrates the ERB to pre-rendered javascript
that is updated via the `rake javascript:update_constants` task.
2020-11-25 11:23:02 -05:00
dependabot[bot]
9ec0359022
Build(deps): Bump rubocop from 1.4.1 to 1.4.2 (#11349)
Bumps [rubocop](https://github.com/rubocop-hq/rubocop) from 1.4.1 to 1.4.2.
- [Release notes](https://github.com/rubocop-hq/rubocop/releases)
- [Changelog](https://github.com/rubocop-hq/rubocop/blob/master/CHANGELOG.md)
- [Commits](https://github.com/rubocop-hq/rubocop/compare/v1.4.1...v1.4.2)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2020-11-25 12:42:36 +01:00
dependabot[bot]
834d71d1f7
Build(deps): Bump rails_failover from 0.6.1 to 0.6.2 (#11350)
Bumps rails_failover from 0.6.1 to 0.6.2.

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2020-11-25 11:21:50 +00:00
Sam
f5945efae7
DEV: watch more test directories (#11346)
Much has moved and autospec stopped picking up certain tests.
2020-11-25 11:12:23 +00:00
Joffrey JAFFEUX
abb89475a3
FIX: issues with frowning/grinning (#11235)
- frowning was using slighty_frowning
- slightly_frowning was using frowning
- grinning_face_with_smiling_eyes was not defined
- fronwing_face_with_open_mouth was not defined
2020-11-25 09:09:35 +01:00
Martin Brennan
5028aaf446
FIX: Add secure media url to SERVER_SIDE_ONLY list (#11348) 2020-11-25 15:31:31 +11:00
Martin Brennan
2348a7972e
FIX: When quoting an attachment, keep the |attachment in markdown (#11347) 2020-11-25 15:31:14 +11:00
Sam
3e1b94c227
PERF: avoid checking card background and user background when not supplied (#11299)
Previously we were performing a bunch of needless work when SSO failed
to supply profile and card backgrounds.
2020-11-25 10:53:44 +11:00
jbrw
51f9a56137
FEATURE: Onebox local categories (#11311)
* FEATURE: onebox for local categories

This commit adjusts the category onebox to look more like the category boxes do on the category page.

Co-authored-by: Jordan Vidrine <jordan@jordanvidrine.com>
2020-11-25 10:53:05 +11:00
jbrw
416f984c5e
FEATURE: Update onebox and add styling for githubfolder onebox (#11313) 2020-11-25 10:51:29 +11:00
Robin Ward
436d68d54f
UX: Don't show selected posts interface twice on mobile (#11328)
Note to reproduce you need a topic with over 3 posts.
2020-11-25 10:50:05 +11:00
Bianca Nenciu
f9ff51870b
FIX: Rebake theme fields if upload changes (#11341)
Updating SVG sprites of a theme did not take effect immediately because
the cache was not cleared.
2020-11-25 10:49:12 +11:00
dependabot[bot]
e527741577
Build(deps): Bump rubocop-ast from 1.1.1 to 1.2.0 (#11343)
Bumps [rubocop-ast](https://github.com/rubocop-hq/rubocop-ast) from 1.1.1 to 1.2.0.
- [Release notes](https://github.com/rubocop-hq/rubocop-ast/releases)
- [Changelog](https://github.com/rubocop-hq/rubocop-ast/blob/master/CHANGELOG.md)
- [Commits](https://github.com/rubocop-hq/rubocop-ast/compare/v1.1.1...v1.2.0)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2020-11-25 09:17:55 +11:00
Joffrey JAFFEUX
ad1a10e6e9
FIX: hides votes from regular users when poll is staff only (#11342) 2020-11-24 22:19:06 +01:00
Rafael dos Santos Silva
a6613d15f4
Adds discourse-gifs to suggested components (#11339) 2020-11-24 14:58:45 -03:00