879067d000
FIX: check admin theme cookie against user selectable
...
previously admin got a free pass and could set theme via cookie to anything
including themes that are not selectable
this refactor ensures that only "preview" gets a free pass, all the rest
goes through the same pipeline
2018-09-07 10:47:28 +10:00
2f5c21e28c
FIX: return a 400 error instead of 500 for null injections
...
Many security scanners like to inject NULL in inputs causing application
to exception out and return a 500
We now handle this exception and render a 400 status back
2018-09-04 12:11:52 +10:00
2d96160192
FEATURE: improve API error reporting for invalid records
2018-08-21 11:54:34 +10:00
ce4b12ae59
FIX: if we have not target available do not redirect
2018-08-20 13:10:59 +10:00
d4fd19d49a
UX: Replace Google search with Discourse search on not found page
...
* UX: Replace Google search with Discourse search on not found page.
* FIX: Update application_controller_spec.rb.
2018-08-15 11:53:04 +10:00
2c4d7225d8
FIX: permalink redirects with subfolder
2018-08-09 11:05:27 -04:00
ed4c0f256e
FIX: check permalinks for deleted topics
...
- allow to specify 410 vs 404 in Discourse::NotFound exception
- remove unused `permalink_redirect_or_not_found` which
- handle JS side links to topics via Discourse-Xhr-Redirect mechanism
2018-08-09 15:05:12 +10:00
0b7ed8ffaf
FEATURE: backend support for user-selectable components
...
* FEATURE: backend support for user-selectable components
* fix problems with previewing default theme
* rename preview_key => preview_theme_id
* omit default theme from child themes dropdown and try a different fix
* cache & freeze stylesheets arrays
2018-08-08 14:46:34 +10:00
decf1f27cf
FEATURE: Groundwork for user-selectable theme components
...
* Phase 0 for user-selectable theme components
- Drops `key` column from the `themes` table
- Drops `theme_key` column from the `user_options` table
- Adds `theme_ids` (array of ints default []) column to the `user_options` table and migrates data from `theme_key` to the new column.
- Removes the `default_theme_key` site setting and adds `default_theme_id` instead.
- Replaces `theme_key` cookie with a new one called `theme_ids`
- no longer need Theme.settings_for_client
2018-07-12 14:18:21 +10:00
e72fd7ae4e
FIX: move crawler blocking into anon cache
...
This refinement of previous fix moves the crawler blocking into
anonymous cache
This ensures we never poison the cache incorrectly when blocking crawlers
2018-07-04 11:14:43 +10:00
7f98ed69cd
FIX: move crawler blocking to app controller
...
We need access to site settings in multisite, we do not have access
yet if we attempt to get them in request tracker middleware
2018-07-04 10:30:50 +10:00
fd7bb8e656
FIX: Scope the `cn` to the subfolder
2018-06-28 11:03:36 -04:00
ad5082d969
Make rubocop happy again.
2018-06-07 13:28:18 +08:00
89ad2b5900
DEV: Rails 5.2 upgrade and global gem upgrade
...
This updates tests to use latest rails 5 practice
and updates ALL dependencies that could be updated
Performance testing shows that performance has not regressed
if anything it is marginally faster now.
2018-06-07 14:21:33 +10:00
5b2e7c8d10
fix the build
2018-05-26 03:11:10 +02:00
3db1032bfd
FIX: not found page shouldn't include the Google search form for sites with login_required enabled
2018-05-23 16:59:02 -04:00
ff90881238
DEV: fix live refresh if you have a custom theme selected in dev
2018-05-16 17:25:49 +10:00
a5172a37e0
Allow staff members to enable safe mode, even if disabled
2018-04-25 11:49:57 -04:00
fd14ee4797
FEATURE: Allow safe mode to be disabled
2018-04-24 11:03:33 -04:00
ff9d7a9bfb
FIX: authComplete query param should carry-forward to login page
2018-03-27 17:22:07 +05:30
ba15273d3f
FEATURE: maintain preview theme, while previewing
...
This means you can browse around in preview mode without losing the theme.
At any point you can refresh page and maintain the preview theme.
2018-03-15 16:17:22 +11:00
2097f5330c
FIX: Login redirect path was broken in subfolder installs
2018-03-15 11:49:35 +08:00
f7bd05e534
FEATURE: set 'Retry-After' header for 429 responses ( #5659 )
2018-03-13 23:12:41 +08:00
f0d5f83424
FEATURE: limit assets less that non asset paths
...
By default assets can be requested up to 200 times per 10 seconds
from the app, this includes CSS and avatars
2018-03-06 15:20:39 +11:00
282f53f0cd
FEATURE: Theme settings (2) ( #5611 )
...
Allows theme authors to specify custom theme settings for the theme.
Centralizes the theme/site settings into a single construct
2018-03-04 19:04:23 -05:00
a94dc0c731
Revert "FIX: preview theme not working consistently"
...
This reverts commit 845cec3ba0
2018-02-23 17:59:00 +11:00
845cec3ba0
FIX: preview theme not working consistently
...
Avoid flash, this makes debugging much simpler as well.
Additionally URL now clearly shows you are previewing a theme.
2018-02-23 15:25:35 +11:00
a3e5a31674
FIX: Allow 404 pages to use the current theme
2018-02-14 15:29:01 -05:00
38f4acd55a
FIX: rate limiter text is confusing, should not say daily
...
Also, adds easily parseable JSON so users can figure out
how long to wait when the API is limited. ("extras" "wait_seconds")
2018-02-14 15:29:50 +11:00
569e57f0a9
FIX: Delete the invalid auth cookie even if you hit the rate limit
2018-02-09 19:09:54 -05:00
41986cdb2f
Refactor requires login logic, reduce duplicate code
...
This also corrects the positioning in the chain of the check
and removes misuse of prepend_before_action
2018-02-01 15:17:59 +11:00
683be5e555
FIX: Application should not crash when selected locale is missing
2018-01-25 14:57:41 +01:00
2437b0d531
FIX: regression, missing 404 page
2018-01-23 09:00:28 +11:00
5c1eaeca9e
FIX: prevent users from moving whispers to new topic
2018-01-22 17:23:19 +01:00
72b592c395
PERF: add frozen string literals to app controller
2018-01-17 16:32:52 +11:00
d7657d8e47
correct specs, ensure crawler layout only applies to html
2018-01-16 16:28:11 +11:00
49ed382c2a
FIX: return 429 when admin api key is limited on admin route
...
This also handles a general case where exceptions leak out prior to being handled by the application controller
2018-01-12 14:15:26 +11:00
e0e99d4bbd
PERF: hijack onebox requests so they do not use up a unicorn worker
2017-11-24 15:31:40 +11:00
8d98752b57
Allow sites to bootstrap the error page.
...
This will display working dropdowns and such even if the page is a 404.
2017-11-21 16:13:09 -05:00
38b8d68c68
FEATURE: Allow the user to select a custom home page ( #5268 )
...
* Add user_home configuration option
* Use the new user_home preference to actually show the right home page
* Fix trailing whitespace
* Update user_option_serializer.rb
* Fix JavaScript default homepage tests
* Use an object instead of a giant switch
* Remove trailing whitespace
* Make the default `user_home` set to `null` instead of `0`
* Rename user_home to homepage_id
2017-11-10 06:45:19 +11:00
2f0c9793f1
FEATURE: Allow multiple html builders to be registered via plugins
2017-11-03 11:32:32 -04:00
804b4f32f8
better error message when API authentication fails
2017-10-20 20:05:34 +05:30
989280a222
FIX: Don't rotate session in reaodnly mode.
2017-10-20 17:15:28 +08:00
6baea9948b
Revert "fix the build"
...
This reverts commit 8b74c7d325
2017-09-29 08:57:06 +08:00
8b74c7d325
fix the build
2017-09-28 15:50:01 +02:00
5d53eefcab
Fix broken test.
2017-09-28 16:09:58 +08:00
5f1c29e424
FIX: Display json response when `Discourse::InvalidAccess` is raised for
...
non json requests.
2017-09-28 15:31:16 +08:00
373fd8990e
PERF: N+1 when generating not found page.
2017-09-28 15:31:16 +08:00
4319d8a142
FIX: Missing template error when rendering `topics#show` error message.
2017-09-28 11:06:44 +08:00
2568312475
FIX: Use exact patht to ensure we always redirect with the right format.
2017-09-27 11:55:06 +08:00
Sam
Misaka 0x4e21
Neil Lalonde
Osama Sayegh
Robin Ward
Guo Xiang Tan
Régis Hanol
Vinoth Kannan
Rafael dos Santos Silva
Kyle Zhao
OsamaSayegh
Gerhard Schlager
Michael Howell
Arpit Jalan