Commit Graph

18001 Commits

Author SHA1 Message Date
Martin Brennan
27d93b4658
FIX: Backport invite fixes from main (#19218)
Backports the following:

* 40e8912395
* bbcb69461f

Which were showing an error when users were
trying to claim invites multiple times and
a subsequent follow-up fix.
2022-11-28 15:15:00 +10:00
Bianca Nenciu
3a985c82c7
SECURITY: Correctly render link title in draft preview (#18958)
The additional unescaping could cause link titles to be rendered
incorrectly.
2022-11-09 15:54:47 +02:00
David Taylor
7e4e8c8ad2
SECURITY: Fix invite link validation (stable) (#18818)
See https://github.com/discourse/discourse/security/advisories/GHSA-x8w7-rwmr-w278

Co-authored-by: Martin Brennan <martin@discourse.org>
2022-11-01 16:50:14 +00:00
David Taylor
ec9734bc42
SECURITY: Expand and improve SSRF Protections (stable) (#18816)
See https://github.com/discourse/discourse/security/advisories/GHSA-rcc5-28r3-23rr

Co-authored-by: OsamaSayegh <asooomaasoooma90@gmail.com>
Co-authored-by: Daniel Waterworth <me@danielwaterworth.com>
2022-11-01 16:34:12 +00:00
Alan Guo Xiang Tan
576354072e
DEV: Fix auto start for wizard qunit tests (#16988)
`run-qunit.js` does not expect QUnit tests to start automatically but
our wizard QUnit setup did not respect the `qunit_disable_auto_start`
URL param. Hence, tests would start running automatically and when a
subsequent `QUnit.start()` function call is made, we ended up getting a
`QUnit.start cannot be called inside a test context.` error.

This error can be consistently reproduced in the `discourse:discourse_test` container but not in
the local development environment. I do not know why and did not feel
like it is important at this point in time to know why.
2022-06-03 12:44:42 +08:00
David Taylor
d8b68e00c9
FIX: Ensure values are escaped in select-kit dropdowns (#16586)
The values in Discourse dropdown menus only come from admin-defined strings, not unsanitised end-user input, so this lack of escaping was not exploitable.
2022-04-28 16:31:41 +01:00
Penar Musaraj
bb57be95f0 DEV: Cleanup body.scrollTop usage (#16445)
All current browser treat the HTML document (not the body element) as
the scrollable document element. Hence in all current browsers,
`document.body.scrollTop` returns 0. This commit removes all usage of
this property, because it is effectively 0.

Co-authored-by: David Taylor <david@taylorhq.com>
2022-04-14 12:45:34 -04:00
Penar Musaraj
9a9a29b24b FIX: Buggy topic scrolling on iOS 12 (#16422) 2022-04-14 12:45:34 -04:00
Jarek Radosz
6bbc822495 DEV: Don't check this.element in @afterRender (#16033)
This would allow to use the decorator in tag-less components and in controllers.
2022-04-11 13:03:54 +08:00
Alan Guo Xiang Tan
72c69a644f DEV: Add pretender endpoint for category visible groups.
This was causing our build to become flaky.
2022-04-11 13:03:54 +08:00
Alan Guo Xiang Tan
3d581ce159 SECURITY: Category group permissions leaked to normal users.
After this commit, category group permissions can only be seen by users
that are allowed to manage a category. In the past, we inadvertently
included a category's group permissions settings in `CategoriesController#show`
and `CategoriesController#find_by_slug` endpoints for normal users when
those settings are only a concern to users that can manage a category.
2022-04-08 11:04:59 +02:00
Martin Brennan
f0574564c4 DEV: Fix failing share topic tests (#16309)
Since 3fd7b31a2a some tests
were failing with this error:

> Error: Unhandled request in test environment: /c/feature/find_by_slug.json
> (GET) at http://localhost:7357/assets/test-helpers.js

This commit fixes the issue by adding the missing pretender. Also
noticed while fixing this that the parameter for the translation
was incorrect -- it was `group` instead of `groupNames`, so that
is fixed here too, along with moving the onShow functions into
@afterRender decorated private functions. There is no need for the
appevent listeners.
2022-04-08 11:04:59 +02:00
Bianca Nenciu
1516dd75f5 FIX: Show restricted groups warning when necessary (#16236)
It was displayed for the "everyone" group too, but that was not
necessary.
2022-04-08 11:04:59 +02:00
Andrei Prigorshnev
2c8f62e271
FIX: backport caret moves to a wrong position when uploading an image via toolbar (#15865)
* FIX: Caret moves to a wrong position when uploading an image via toolbar

* Skip the test
2022-02-17 13:44:21 +11:00
Bianca Nenciu
0674d07cdf
FIX: Defer upload extension check for iOS (#15890)
accept HTML attribute is not fully supported on iOS yet and can contain
only MIME types. This changes the input to allow all files and the
extension check is performed later in JavaScript.
2022-02-15 19:57:58 +02:00
communiteq
247f70f79c
Fix bug regarding Chat on stable (#15954) 2022-02-15 12:40:48 -05:00
Martin Brennan
7dd9dd848a
FIX: Table pasting issues with uppy (#15787) (#15812)
When changing to uppy for file uploads we forgot to add
these conditions to the paste event from 9c96511ec4

Basically, if you are pasting more than just a file (e.g. text,
html, rtf), then we should not handle the file and upload it, and
instead just paste in the text. This causes issues with spreadsheet
tools, that will copy the text representation and also an image
representation of cells to the user's clipboard.

This also moves the paste event for composer-upload-uppy to the
element found by the `editorClass` property, so it shares the paste
event with d-editor (via TextareaTextManipulation), which makes testing
this possible as the ember paste bindings are not picked up unless both
paste events are on the same element.
2022-02-04 11:44:30 +11:00
Penar Musaraj
be72ae8c49
A11Y: Switch to using autocomplete="off" (#15802) 2022-02-03 17:45:25 +01:00
Martin Brennan
7979708f17
DEV: Remove jQuery UI vendor dependencies (#15782)
Combines 68fe6903f7 and
7b7e707fa2.

We no longer use jQuery UI for anything since getting
rid of jQuery file uploader in 667a8a6,
so we can safely remove these now.

Also removes the blueimp-file-upload and jquery.iframe-transport
dependencies that were formerly used by jQuery file uploader
2022-02-03 11:19:50 +10:00
Neil Lalonde
9830b192f3
Merge diffs from main 2022-01-27 10:12:37 -05:00
Neil Lalonde
42caef4719
Merge main 2022-01-27 10:10:35 -05:00
Alan Guo Xiang Tan
09ec0ce744 DEV: Fix typo in comment. 2022-01-27 14:58:11 +08:00
Robin Ward
a560f9d44b FIX: This was causing a flaky test in Ember CLI
The path should be `/topics/bulk` not `topics/bulk` (leading slash.)
2022-01-26 14:53:25 -05:00
David Taylor
2464839cbf
Revert "DEV: Run Ember CLI tests in random order" (#15717)
This reverts commit f43bba8d59.

Adding randomness has introduced a lot of flakiness in our ember-cli tests. We should fix those issues at the source. However, given the upcoming stable release, this randomness has been reverted so that the stable release includes a stable test suite. Having a stable test suite on stable will make backporting future commits much easier.
2022-01-26 15:30:03 +00:00
Dan Ungureanu
f5b94f152f
FIX: Allow staff to reset passwords by username (#15709)
When staff visits the user profile of another user, the `email` field
in the model is empty. In this case, staff cannot send the reset email
password because nothing is passed in the `login` field.

This commit changes the behavior for staff users to allow resetting
password by username instead.
2022-01-26 10:39:58 +02:00
Robin Ward
f43bba8d59 DEV: Run Ember CLI tests in random order
In browser this uses the `seed` config, in ember exam it adds `--random`
as a parameter.
2022-01-25 14:49:40 -05:00
Osama Sayegh
5dd8b827e8
DEV: Update fixture to fix tests (#15699)
Follow-up to a742952c8d.
2022-01-25 00:44:14 +03:00
Osama Sayegh
a742952c8d
FIX: Client should be able to route ID-less topic URLs (#15697)
The topic ID portion of the topic URL is optional in Discourse as long as the topic slug is unique across the site. If you navigate to a topic without the ID in the URL, Discourse will redirect you to the canonical version of the URL that includes the ID.

However, we have a now regression where the client app doesn't correctly handle ID-less topic URLs displays an error message when the user clicks on such URL. The regression was introduced b537d591b3 when we switched from `DiscourseURL.routeTo` to using Ember's router to perform the redirecting to the canonical version of the URL, but the problem is that the canonical version comes from the server and it contains the hostname which the Ember router doesn't understand because it expects a relative URL.

This PR fixes the problem by constructing a relative URL that contains the topic slug and ID and passing that to the Ember route.
2022-01-24 23:19:35 +03:00
Andrei Prigorshnev
cd68279f5c
DEV: use query() instead of queryAll() in tests (#15681) 2022-01-24 11:27:58 +11:00
Penar Musaraj
1f2226270e
FIX: Restore outlet in mobile views (#15683) 2022-01-23 18:41:01 +01:00
Robin Ward
78852e9754 FIX: Tests should never cloak posts
Depending on the load order of modules, the post cloaking code might
not be disabled properly in test mode, which results in flakey failures.
2022-01-21 14:32:26 -05:00
Bianca Nenciu
3bb1cd5c4d
FIX: Select topics instead of posts (#15674)
A code error caused post objects to be added to the selected array.
2022-01-21 19:52:09 +02:00
Dan Ungureanu
984089c94a
DEV: Add test for avatar-uploader (#15633)
Follow up to 64b089072a.
2022-01-21 19:51:24 +02:00
Dan Ungureanu
d0f4f408af
DEV: Simplify emoji-uploader tests (#15672)
Removes one layer of indirection in the tests. `emoji-uploader`'s
`uploadDone` can call the test handler directly without going through
an additional action method.
2022-01-21 19:51:04 +02:00
Robin Ward
d28808e866 FIX: The service observer was using this incorrectly
It was pointing at nothing due to context.
2022-01-20 16:51:36 -05:00
Régis Hanol
a582c49601
FIX: possible ReDOS in markdown newline rule (#15646)
Backport ffc49ab46b
2022-01-20 22:32:01 +01:00
Robin Ward
224f0a2655 DEV: This ensures that teardowns are executed if initializers are run
It does this by creating a new initializer that runs every time the app
is booted to track the current test. Then after each test, we see if the
app needs to be torn down.
2022-01-20 16:23:54 -05:00
Robin Ward
2dc0f36e07 DEV: A bunch of tests (like controller) weren't cleaning up
This creates a helper function with all the cleanup tasks we need to do
after tests, then makes sure to call it after tests that previously
weren't.

This fixes a lot of flakey tests.
2022-01-20 11:58:58 -05:00
Jarek Radosz
23aceedbd5
FIX: Display composer popovers over dropdowns (#15659) 2022-01-20 17:55:55 +01:00
Joffrey JAFFEUX
2426e3510d
FIX: correctly access last poster username (#15661)
Testing this is kinda complicated ATM (especially mobile template with hbr) , this is a component we should definitely aim to test very extensively when we move away from hbr templates.
2022-01-20 17:27:14 +01:00
Kris
1d02b9728d
A11Y: tag should be "role" not "aria-role" (#15653) 2022-01-20 09:58:32 -05:00
Kris
6a48106ed4
A11Y: do not use duplicate IDs (#15654) 2022-01-20 08:58:08 -05:00
Jarek Radosz
b9f650e55e
UX: Fix composer popup placement (#15660) 2022-01-20 14:21:13 +01:00
Dan Ungureanu
5b7bddf966
FIX: Prefer email when resetting password (#15650)
The UI used to request a password reset by username when the user was
logged in. This did not work when hide_email_already_taken site setting
was enabled, which disables the lookup-by-username functionality.

This commit also introduces a check to ensure that the parameter is an
email when hide_email_already_taken is enabled as the single allowed
type is email (no usernames are allowed).
2022-01-20 10:04:45 +02:00
Bianca Nenciu
4951900bbc
FEATURE: Store dismissed state of topic nav popups (#15570)
The dismissed state will be stored between sessions if popupId
attribute is present.
2022-01-19 16:20:05 +02:00
Natalie Tay
3050fe893b
DEV: Quick fix to flaky test (#15644)
We know that the real problem has got to do with cloaking (/t/10298), but while we find out precisely why, here's a quick fix.

Similar to #15627
2022-01-19 11:23:35 +08:00
David Taylor
2d67315c32
FIX: Disable service worker proxying in chrome 97-97.0.4692 (#15638)
https://bugs.chromium.org/p/chromium/issues/detail?id=1286367
2022-01-18 19:41:25 +00:00
Mark VanLandingham
fcc80137ce
DEV: Add chat_group_mention notification type (#15616) 2022-01-18 08:26:27 -06:00
Roman Rizzi
5ee31cbf7d
FIX: Mark invites flash messages as HTML safe. (#15539)
* FIX: Mark invites flash messages as HTML safe.
This change should be safe as all user inputs included in the errors are sanitized before sending it back to the client.

Context: https://meta.discourse.org/t/html-tags-are-explicit-after-latest-update/214220

* If somebody adds a new error message that includes user input and doesn't sanitize it, using html-safe suddenly becomes unsafe again. As an extra layer of protection, we make the client sanitize the error message received from the backend.

* Escape user input instead of sanitizing
2022-01-18 09:38:31 -03:00
David Taylor
7329b766cb
FIX: Ensure floating quote button is not positioned under sidebar (#15634)
If themes/plugins introduce a sidebar on the left of the screen, the quote button would sometimes be positioned underneath. This commit ensures that the positioning logic keeps the floating buttons within the width of `.topic-area`
2022-01-18 12:05:36 +00:00