Commit Graph

36025 Commits

Author SHA1 Message Date
Martin Brennan 7c32411881
FEATURE: Secure media allowing duplicated uploads with category-level privacy and post-based access rules (#8664)
### General Changes and Duplication

* We now consider a post `with_secure_media?` if it is in a read-restricted category.
* When uploading we now set an upload's secure status straight away.
* When uploading if `SiteSetting.secure_media` is enabled, we do not check to see if the upload already exists using the `sha1` digest of the upload. The `sha1` column of the upload is filled with a `SecureRandom.hex(20)` value which is the same length as `Upload::SHA1_LENGTH`. The `original_sha1` column is filled with the _real_ sha1 digest of the file. 
* Whether an upload `should_be_secure?` is now determined by whether the `access_control_post` is `with_secure_media?` (if there is no access control post then we leave the secure status as is).
* When serializing the upload, we now cook the URL if the upload is secure. This is so it shows up correctly in the composer preview, because we set secure status on upload.

### Viewing Secure Media

* The secure-media-upload URL will take the post that the upload is attached to into account via `Guardian.can_see?` for access permissions
* If there is no `access_control_post` then we just deliver the media. This should be a rare occurrance and shouldn't cause issues as the `access_control_post` is set when `link_post_uploads` is called via `CookedPostProcessor`

### Removed

We no longer do any of these because we do not reuse uploads by sha1 if secure media is enabled.

* We no longer have a way to prevent cross-posting of a secure upload from a private context to a public context.
* We no longer have to set `secure: false` for uploads when uploading for a theme component.
2020-01-16 13:50:27 +10:00
Gerhard Schlager 5e3fc31f2c DEV: Less hacky way of rolling back DB changes
Some specs use psql to test database restores and dropping the table after the test needs to happen outside of rspec because of transactions. The previous attempt lead to some changes to be stored in the test database.
2020-01-15 23:37:42 +01:00
Gerhard Schlager 68a7ae3091 REFACTOR: Simplify backup version check
Adds specs for inalid version number in metadata file.
Follow-up to c3cd2389fe
2020-01-15 23:37:40 +01:00
Mark VanLandingham 135d09d671
FIX: Styling for feature topic on profile modal (#8727) 2020-01-15 15:20:12 -06:00
Sam Saffron f8e92298f2 DEV: default Oj to compat mode
Out-of-the-box Oj uses :object mode, this shifts us to use :compat mode
by default which is safer.
It means any de-serialization going forward will default to this mode.

If we wish to serialize or deserialize arbitrary objects going forward with
no json interfaces we will have to opt in.
2020-01-16 07:52:28 +11:00
Arpit Jalan 0bc65fa60e
FIX: show error message if the topic deletion fails (#8723) 2020-01-16 00:58:03 +05:30
Roman Rizzi 2db7b3d9c7
FIX: Correctly wrap image and resize controls inside paragraph (#8718) 2020-01-15 14:01:14 -03:00
Arpit Jalan 0f8695958b FIX: better error message when topic deletion fails 2020-01-15 19:30:06 +05:30
Dan Ungureanu ff93c4b2f4
DEV: Fix tests 2020-01-15 15:57:37 +02:00
Dan Ungureanu 31701b7549
DEV: Fix failing 2FA tests 2020-01-15 15:27:21 +02:00
Dan Ungureanu c2d051315d FIX: Create post notices only for public posts (#8708)
This also ensures only public posts are considered when creating post
notices for new and returning users.
2020-01-15 11:40:19 +01:00
Régis Hanol c4817e9ee9 DEV: lint 💅 2020-01-15 11:36:33 +01:00
Martin Brennan 66f2db4ea4 SECURITY: 2FA with U2F / TOTP 2020-01-15 11:27:12 +01:00
Martin Brennan c3cd2389fe SECURITY: use strict JSON parsing when parsing backup metadata 2020-01-15 11:24:41 +01:00
Régis Hanol 5d75f90b27 FIX: group membership leak
FIX: raised a proper NotFound exception when filtering groups by username with invalid username.
FIX: properly filter the groups based on current user visibility when viewing another user's groups.
DEV: Guardian.can_see_group?(group) is now using Guardian.can_see_groups(groups) instead of duplicating the same code.
FIX: spec for groups_controller#index when group directory is disabled for logged in user.
FIX: groups_controller.sortable specs to actually test all sorting combinations.
DEV: s/response_body/body/g for slightly shorter spec code.
FIX: rewrote the "view another user's groups" specs to test all group_visibility and members_group_visibility combinations.
DEV: Various refactoring for cleaner and more consistent code.
2020-01-15 11:21:58 +01:00
Joffrey JAFFEUX ac865112a3
FIX: ensures group-navigation states changes when route changes (#8724) 2020-01-15 10:13:07 +01:00
Joffrey JAFFEUX f4744193bd
FEATURE: allows to define a dissmiss duration on global notices (#8715)
This commit also adds more documentation to various options and defines a 1 week duration for IE global notice dismiss duration.
2020-01-15 09:02:28 +01:00
Joffrey JAFFEUX ec1aeb8a55
FIX: ensures secondary menu of user notifications mobile nav reloads (#8716) 2020-01-15 09:01:44 +01:00
Kris b1508a6f44 UX: Improve appearance of lists and user fields in mobile bios 2020-01-14 16:33:50 -05:00
Mark VanLandingham 5df0ef1e98
FIX: Update user-selector excluded usernames after insert (#8711) 2020-01-14 10:28:35 -06:00
Gerhard Schlager c351ffe580 FEATURE: Add hidden setting to disable configuration of inventory bucket 2020-01-14 17:23:12 +01:00
David Taylor 12d2fe7ff6 UX: Ensure all generated backup codes are displayed on the screen 2020-01-14 15:33:27 +00:00
David Taylor 4fdfc2665d FIX: Update featured badge ranking when mass-awarding badges
Follow-up to cff6e941de
2020-01-14 14:39:20 +00:00
David Taylor cff6e941de
PERF: Cache ranks for featured badges, to simplify user serialization (#8698) 2020-01-14 14:26:49 +00:00
Gerhard Schlager e474cda321 REFACTOR: Restoring of backups and migration of uploads to S3 2020-01-14 11:41:35 +01:00
Joffrey JAFFEUX f10078eab4
FIX: moves back padStart/padEnd to core polyfills (#8714)
Multiple users are on chrome 56 when this is only supported on chrome 57. Given it's only few lines of code, it makes sense to keep supporting this.
2020-01-14 10:54:39 +01:00
Rimian Perkins 609625fa18 Make version the same as install docs (#8713)
https://github.com/techAPJ/install-rails/blob/master/mac
2020-01-14 12:33:37 +11:00
romanrizzi d3091edcea UX: Return a friendlier error when the CSV is invalid. Added a cancel button to return to the /badges view 2020-01-13 15:53:41 -03:00
Robin Ward e4a85e2a80 Minor tweaks to badge CSV upload 2020-01-13 12:44:22 -05:00
David Taylor 4e8aaacce8 UX: Update IE11 deprecation warning, and enable by default 2020-01-13 17:01:28 +00:00
dependabot-preview[bot] 4773cf2933 Build(deps): Bump onebox from 1.9.24 to 1.9.25 (#8707)
Bumps [onebox](https://github.com/discourse/onebox) from 1.9.24 to 1.9.25.
- [Release notes](https://github.com/discourse/onebox/releases)
- [Changelog](https://github.com/discourse/onebox/blob/master/CHANGELOG.md)
- [Commits](https://github.com/discourse/onebox/commits)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
2020-01-13 19:57:16 +05:30
Roman Rizzi d69c5eebcf
Feature: Mass award badge (#8694)
* UI: Mass grant a badge from the admin ui

* Send the uploaded CSV and badge ID to the backend

* Read the CSV and grant badge in batches

* UX: Communicate the result to the user

* Don't award if badge is disabled

* Create a 'send_notification' method to remove duplicated code, slightly shrink badge image. Replace router transition with href.

* Dynamically discover current route
2020-01-13 11:20:26 -03:00
Sam Saffron eb105ba79d DEV: revert upgrade of rack to version 2.0.8
We can not upgrade rack cause it breaks Sidekiq web.

I can not find a trivial fix short of disabling sessions in Sidekiq which
is a security concern.

We need to figure out how to reuse sessions with our Rails application in
Sidekiq.

This gets extra complex cause we use a special cookie store for sessions.

9e399b42b9/lib/discourse_cookie_store.rb (L3-L21)
2020-01-13 18:07:16 +11:00
Martin Brennan 9e399b42b9 DEV: Remove redundant admin_login route, share with email_login 2020-01-13 12:10:07 +10:00
dependabot-preview[bot] d50eb82d51 DEV: Bump rack from 2.0.8 to 2.1.1 (#8702)
Bumps [rack](https://github.com/rack/rack) from 2.0.8 to 2.1.1.
- [Release notes](https://github.com/rack/rack/releases)
- [Changelog](https://github.com/rack/rack/blob/master/CHANGELOG.md)
- [Commits](https://github.com/rack/rack/compare/2.0.8...2.1.1)

On a cursory look none of the changes should impact Discourse, we want to be on latest rack so we can benefit from all the latest bug fixes.
2020-01-13 12:09:50 +11:00
dependabot-preview[bot] 33a9d60569 DEV: Bump shoulda-matchers from 4.1.2 to 4.2.0 (#8689)
Bumps [shoulda-matchers](https://github.com/thoughtbot/shoulda-matchers) from 4.1.2 to 4.2.0.
- [Release notes](https://github.com/thoughtbot/shoulda-matchers/releases)
- [Changelog](https://github.com/thoughtbot/shoulda-matchers/blob/master/NEWS.md)
- [Commits](https://github.com/thoughtbot/shoulda-matchers/compare/v4.1.2...v4.2.0)

Mostly about updating gem dependencies, only used in dev, very safe upgrade.
2020-01-13 12:04:31 +11:00
dependabot-preview[bot] 69779f79d9 DEV: Bump pg from 1.2.1 to 1.2.2 (#8685)
Bumps [pg](https://github.com/ged/ruby-pg) from 1.2.1 to 1.2.2.
- [Release notes](https://github.com/ged/ruby-pg/releases)
- [Changelog](https://github.com/ged/ruby-pg/blob/master/History.rdoc)
- [Commits](https://github.com/ged/ruby-pg/compare/v1.2.1...v1.2.2)

Very safe upgrade, Discourse is not impacted by any of the changes.
2020-01-13 12:02:44 +11:00
dependabot-preview[bot] c9327fce12 Build(deps-dev): Bump minitest from 5.13.0 to 5.14.0 (#8703)
Bumps [minitest](https://github.com/seattlerb/minitest) from 5.13.0 to 5.14.0.
- [Release notes](https://github.com/seattlerb/minitest/releases)
- [Changelog](https://github.com/seattlerb/minitest/blob/master/History.rdoc)
- [Commits](https://github.com/seattlerb/minitest/compare/v5.13.0...v5.14.0)

Very safe change only impacts our test framework.
2020-01-13 12:01:40 +11:00
Sam Saffron d8412f409a DEV: resolve symlinks in docker dev
symlinks where not fully resolved leading to docker not booting when you
had symlinks in the plugins directory pointing at relative paths.
2020-01-13 10:33:34 +11:00
Blake Erickson 1a31a403ce DEV: Remove buffered-render file
This is the last and final commit in a multi-commit refactor to remove
all uses of buffered-render.

Previous commit: fc94b6cb9e in this
series.
2020-01-10 18:19:23 -07:00
Robin Ward 648a1124eb FIX: Specs with old filename 2020-01-10 15:29:35 -05:00
Robin Ward 72c3f36e58 Add optional file to precompile list 2020-01-10 15:14:32 -05:00
Robin Ward 556d66a97c FIX: Use CDN for the `discourse-internet-explorer`
Previously the CDN was skipped because the assets were not in the proper
place to be uploaded.
2020-01-10 15:06:55 -05:00
Penar Musaraj 687c79ca1c FIX: Remove padding while composer is saving
Padding on `#main-outlet` while compooser was in "saving" state was causing posts to bounce after replying.
2020-01-10 12:57:16 -05:00
Mark VanLandingham 7ee09aa0d2
FIX: Ran prettier on user-selector-test (#8700) 2020-01-10 09:27:41 -08:00
Mark VanLandingham 5898afaa73
FEATURE: pass in excluded usernames to user-selector (#8695) 2020-01-10 09:02:43 -08:00
Rafael dos Santos Silva 5a70f50032
FEATURE: Use new Badging API
Now that the spec is finished use the unprefixed API, which was also moved
from window to navigator.

Still uses feature detection so it fail gracefully when not available in
the user agent.
2020-01-10 13:41:35 -03:00
dependabot-preview[bot] 3ddebc61a9 Build(deps): Bump public_suffix from 4.0.2 to 4.0.3 (#8663)
Bumps [public_suffix](https://github.com/weppos/publicsuffix-ruby) from 4.0.2 to 4.0.3.
- [Release notes](https://github.com/weppos/publicsuffix-ruby/releases)
- [Changelog](https://github.com/weppos/publicsuffix-ruby/blob/master/CHANGELOG.md)
- [Commits](https://github.com/weppos/publicsuffix-ruby/compare/4.0.2...4.0.3)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
2020-01-10 10:04:54 -05:00
dependabot-preview[bot] aa9450646b Build(deps-dev): Bump test-prof from 0.10.1 to 0.10.2 (#8676)
Bumps [test-prof](https://github.com/palkan/test-prof) from 0.10.1 to 0.10.2.
- [Release notes](https://github.com/palkan/test-prof/releases)
- [Changelog](https://github.com/palkan/test-prof/blob/master/CHANGELOG.md)
- [Commits](https://github.com/palkan/test-prof/compare/v0.10.1...v0.10.2)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
2020-01-10 10:03:56 -05:00
dependabot-preview[bot] d0cd08a67c Build(deps): Bump parser from 2.7.0.1 to 2.7.0.2 (#8686)
Bumps [parser](https://github.com/whitequark/parser) from 2.7.0.1 to 2.7.0.2.
- [Release notes](https://github.com/whitequark/parser/releases)
- [Changelog](https://github.com/whitequark/parser/blob/master/CHANGELOG.md)
- [Commits](https://github.com/whitequark/parser/compare/v2.7.0.1...v2.7.0.2)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
2020-01-10 10:03:11 -05:00