Commit Graph

35736 Commits

Author SHA1 Message Date
Martin Brennan 5b75b8c135 Still redirect to signed URL for secure uploads
if SiteSetting.secure_media is disabled we still want to
redirect to the signed url for uploads that are marked as
secure because their ACLs are probably still private
2020-01-07 14:02:17 +10:00
Martin Brennan abca91cc4d
FEATURE: Add rake task to disable secure media (#8669)
* Add a rake task to disable secure media. This sets all uploads to `secure: false`, changes the upload ACL to public, and rebakes all the posts using the uploads to make sure they point to the correct URLs. This is in a transaction for each upload with the upload being updated the last step, so if the task fails it can be resumed.
* Also allow viewing media via the secure url if secure media is disabled, redirecting to the normal CDN url, because otherwise media links will be broken while we go and rebake all the posts + update ACLs
2020-01-07 12:27:24 +10:00
Blake Erickson fc94b6cb9e
DEV: Remove buffered rendering from topic-list-item (#8589)
* DEV: Remove buffered rendering from topic-list-item

This is another refactoring in the multi-step process to remove all uses
of our custom Render Buffer.

Previous commit: 1c7305c0f1 in this
series.

This is just a refactor and should not change any functionality.

* apply prettier fix

* update syntax

* Use computed properties where possible

* switch to using didReceiveAttrs

* Simplify topic.pinned observer
2020-01-06 17:41:45 -07:00
dependabot-preview[bot] 5736b5808c Build(deps): Bump rspec-mocks from 3.9.0 to 3.9.1 (#8644)
Bumps [rspec-mocks](https://github.com/rspec/rspec-mocks) from 3.9.0 to 3.9.1.
- [Release notes](https://github.com/rspec/rspec-mocks/releases)
- [Changelog](https://github.com/rspec/rspec-mocks/blob/master/Changelog.md)
- [Commits](https://github.com/rspec/rspec-mocks/compare/v3.9.0...v3.9.1)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
2020-01-07 01:12:04 +01:00
dependabot-preview[bot] 4352bc2a78 Build(deps): Bump aws-partitions from 1.260.0 to 1.262.0 (#8666)
Bumps [aws-partitions](https://github.com/aws/aws-sdk-ruby) from 1.260.0 to 1.262.0.
- [Release notes](https://github.com/aws/aws-sdk-ruby/releases)
- [Changelog](https://github.com/aws/aws-sdk-ruby/blob/master/gems/aws-partitions/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-ruby/commits)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
2020-01-07 00:38:29 +01:00
dependabot-preview[bot] d6e08308e0 Build(deps): Bump aws-sdk-s3 from 1.59.1 to 1.60.1 (#8596)
Bumps [aws-sdk-s3](https://github.com/aws/aws-sdk-ruby) from 1.59.1 to 1.60.1.
- [Release notes](https://github.com/aws/aws-sdk-ruby/releases)
- [Changelog](https://github.com/aws/aws-sdk-ruby/blob/master/gems/aws-sdk-s3/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-ruby/compare/v1.59.1...v1.60.1)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
2020-01-07 00:30:14 +01:00
Blake Erickson b7b85f9ade
FEATURE: Turn csp on by default (#8665)
* turn csp on by default

* remove csp migration for new sites now that is is on by default

* Ensure CSP is off before starting qunit
2020-01-06 13:42:21 -07:00
David Taylor d1779346e8 FIX: topic_tracking_state when mute_all_categories_by_default is enabled 2020-01-06 18:22:42 +00:00
Robin Ward ba00d87a16 Update moment and spectrum
These were updated in yarn.lock but not run via rake
2020-01-06 12:56:47 -05:00
Penar Musaraj b1402d9f13 DEV: replace "warning" icons with "exclamation-triangle" 2020-01-06 12:51:44 -05:00
Penar Musaraj f755810906 DEV: replace "trash" icons with "trash-alt" 2020-01-06 12:35:00 -05:00
Penar Musaraj 93a556d9a2 DEV: replace "eye-slash" icons with "far-eye-slash" 2020-01-06 12:27:20 -05:00
Penar Musaraj e2e9420204 DEV: Update deprecated icon name 2020-01-06 11:43:32 -05:00
romanrizzi ca07a571c7 FIX: Only agree with the first post when using the 'Delete post + replies and agree' option 2020-01-06 13:38:23 -03:00
David Taylor 784da19e4c
FIX: Cached new topic data should not be deleted after dismiss new (#8660)
43ddf60cdf introduced a new method for dismissing new topics in topic-tracking-state, which works on a per-category basis.

This commit removes the old mechanism, which was to delete all 'new' topics from the local tracking state, regardless of category.
2020-01-06 16:22:40 +00:00
David Taylor 5df815c2ee
FIX: New/unread count after dismissing new topics in a regular category (#8659)
6e1fe22 introduced the possiblity for category_users to have a NULL notification_level, so that we can store `last_seen_at` dates without locking the notification level. At the time, this did not affect the topic-tracking-state query. However, the query changes in f434de2 introduced a slight change in behavior.

Previously, a subquery would look for a category_user with notification_level=mute. f434de2 refactored this to remove the subquery, and inverted some of the logic to suit.

The new query checked for `notification_level <> :muted`. If `notification_level` is NULL, this comparison will return NULL. In this scenario, notification_level=NULL means that we should fall back to the default tracking level (regular), and so we want the expression to resolve as true, not false. There was already a check for the existence of the category_users row, but it did not check for the existence of a NOT NULL notification_level.

This commit amends the expression so that the notification_level will only be compared if it is non-null.
2020-01-06 16:15:24 +00:00
Joffrey JAFFEUX ff151cb580
FIX: allows scroll on load for discovery topic list (#8661) 2020-01-06 15:43:36 +01:00
Krzysztof Kotlarek afff96ce54 DEV: Improved performance of report spec (#8642)
* FIX: bulk insert to create application requests
* FIX: bulk insert to create topics
* FIX: no need to create separate user for each topic, post etc.
* FIX: Another bulk_insert of ApplicationRequests
* FIX: dont create user and topic instances when not neccessary
* FIX: merge examples with expensive setup into one example
2020-01-06 17:17:07 +11:00
Risto e0da8d3ce6 UX: correct validation message for category search priority
The default value is 1.2 so it can surely be set greater than 1.
2020-01-06 17:15:28 +11:00
dependabot-preview[bot] c2b83f4dfa DEV: Bump rake-compiler from 1.0.8 to 1.1.0 (#8636)
Bumps [rake-compiler](https://github.com/luislavena/rake-compiler) from 1.0.8 to 1.1.0.
- [Release notes](https://github.com/luislavena/rake-compiler/releases)
- [Changelog](https://github.com/rake-compiler/rake-compiler/blob/master/History.txt)
- [Commits](https://github.com/luislavena/rake-compiler/compare/v1.0.8...v1.1.0)

Ruby 2.7 support.
2020-01-06 17:12:28 +11:00
dependabot-preview[bot] b789fa9a50 DEV: Bump rack-protection from 2.0.7 to 2.0.8.1 (#8648)
Bumps [rack-protection](https://github.com/sinatra/sinatra) from 2.0.7 to 2.0.8.1.
- [Release notes](https://github.com/sinatra/sinatra/releases)
- [Changelog](https://github.com/sinatra/sinatra/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sinatra/sinatra/compare/v2.0.7...v2.0.8.1)

Minor performance update and Ruby 2.7 deprecation removal.
2020-01-06 17:11:37 +11:00
dependabot-preview[bot] 01358e2b42 DEV: Bump pg from 1.2.0 to 1.2.1 (#8657)
Bumps [pg](https://github.com/ged/ruby-pg) from 1.2.0 to 1.2.1.
- [Release notes](https://github.com/ged/ruby-pg/releases)
- [Changelog](https://github.com/ged/ruby-pg/blob/master/History.rdoc)
- [Commits](https://github.com/ged/ruby-pg/compare/v1.2.0...v1.2.1)

Very minor update, adds some functionality we do not use, specifically better support for the sequel orm.
2020-01-06 17:10:24 +11:00
Sam Saffron 87a8003691 Revert "FEATURE: Turn CSP on by default"
This reverts commit 3193b0f6e6.

This is a temporary revert, we are seeing some CI failures due to this
change so I am reverting till we sort out all the problems.
2020-01-06 11:37:07 +11:00
Sam Saffron e89935127c DEV: correct flaky spec
This ensures that the user object is created fresh for each example.

This is required for this particular spec as we can not risk having a stale
object, which can lead to a flaky spec.
2020-01-06 10:54:18 +11:00
Sam Saffron d0630ea6ee FIX: MaxMind DB file not downloading correctly
Previously we had the ability to download a simple .gz file
new changes mean we have a a tar.gz file that needs some levels
of fiddling to get extracted correctly
2020-01-05 22:08:13 +11:00
Vinoth Kannan 9a6606dd30 DEV: Add option to keep quoted content in post excerpt. 2020-01-04 18:56:52 +05:30
Vinoth Kannan 7dbde18f02 FIX: keep 'rb' & 'rp' tags in html to markdown conversion. 2020-01-04 17:16:23 +05:30
Blake Erickson fc6b093dce FIX: Ensure CSP is off for qunit
If CSP is turned on qunit won't run at all, not even via the CLI, this
is causing the js tests to fail.

Follow up to: 3193b0f6e6
2020-01-03 18:43:19 -07:00
Blake Erickson 3193b0f6e6 FEATURE: Turn CSP on by default
Turning on CSP by default is one of the 2.4 release features.

https://meta.discourse.org/t/discourse-version-2-4/108194
2020-01-03 13:40:11 -07:00
Robin Ward f7a7263164 FIX: Show uncategorized description on categories page 2020-01-03 11:46:18 -05:00
Robin Ward fe7bb62387 FIX: Descriptions were blank for uncategorized in hamburger menu 2020-01-03 11:10:06 -05:00
Jarek Radosz 9e3fc1111d
FIX: Add a blank poll options validation (#8652)
Before, saving a post with a blank poll option resulted in error 500.
2020-01-03 15:09:36 +01:00
Osama Sayegh fac71da605
FIX: Don't give error 500 when invalid date param is given to admin reports (#8658)
Providing invalid dates as the end_date or start_date param causes a 500 error and creates noise in the logs. This will handle the error and returns a proper 400 response to the client with a message that explains what the problem is.
2020-01-03 17:01:38 +03:00
Sam Saffron a8ffb6949c FEATURE: support MaxMind DB downloads using a license key
MaxMind now requires an account with a license key to download files.

Discourse admins can register for such an account at:

https://www.maxmind.com/en/geolite2/signup

License key generation is available in the profile section.

Once registered you can set the license key using `DISCOURSE_MAXMIND_LICENSE_KEY`

This amends it so we unconditionally skip MaxMind DB downloads if no license key exists.
2020-01-03 16:32:48 +11:00
Vinoth Kannan cfd1549abe FIX: allow underscore in file extension while downloading the uploads. 2020-01-03 10:09:07 +05:30
Sam Saffron 0d757814e5 FIX: correctly account for onebox height when lazy loading images
Page used to jitter when oneboxes loaded images lazily.

Previously we inserted the the "shadow" loading image before the "real" image.

This meant that certain styling with `firstChild` CSS selectors would apply
incorrectly to the shadow image.

Additionally we had special case code for onebox and quoted images that was
not really needed due to this fix.

We had an old fix that used computed style for image height and width in
specific scenarios, we now run it all the time.

On slow devices there was a possibility that the cache fetch after amending
src at the end of the process would cause a flash, this is avoided using a
new onload handler.
2020-01-03 15:15:42 +11:00
Martin Brennan 2050238d0c
DEV: Log to STDOUT if RAILS_ENABLE_TEST_LOG (#8650)
The env var `RAILS_ENABLE_TEST_LOG` didn't seem to do anything if enabled. This now sets the logger to STDOUT if `RAILS_ENABLE_TEST_LOG` is enabled and also introduces `RAILS_TEST_LOG_LEVEL` so the level of the logging in the console can be provided (default info).

Note: I am not sure if the original behaviour is expected. I can add an additional env var to enable the STDOUT logging if required
2020-01-03 09:58:01 +10:00
Joffrey JAFFEUX ec5418fbb4
FIX: any global notice text can contain HTML (#8655) 2020-01-02 19:58:27 +01:00
Roman Rizzi 98853b217f
FIX: Bots accuracy should be zero (#8654) 2020-01-02 13:24:24 -03:00
David Taylor b60b57cddd
FIX: Allow any protocol in wildcard url checker (#8651)
This is required for people using apps with custom protocols. We still verify the entire URL (including protocol) against the site setting value.

Refactored wildcard_url_checker so that it always returns a boolean, rather than sometimes returning a regex match.
2020-01-02 16:03:13 +00:00
David Taylor 45c5f56ffc
PERF: Reduce DB queries when serializing ignore/mute information (#8629)
* PERF: Cache ignored and muted user ids in the current_user object
* PERF: Avoid DB queries when checking ignore/mute permission in guardian
2020-01-02 13:04:08 +00:00
Sam Saffron a9f90cdec3 FIX: avoid superflous logging when mime type is bad
Many security scanners ship invalid mime types, this ensures we return
a very cheap response to the clients and do not log anything.

Previous attempt still re-dispatched the request to get proper error page
but in this specific case we want no error page.
2020-01-02 12:34:38 +11:00
Sam Saffron 34ede90927 FIX: under rare conditions saving a new draft could error temporarily
Under rare conditions due to bad HTTP timing and so on a draft could be
set at the exact same time from 2 unicorn workers.

When this happened and all the stars aligned, one of the sets would win
and the other would raise an error.

This transparently handles the situation without adding any cost to the
draft system.

The alternative is to add a distributed mutex, tricky DB transaction or handle
the error in the controller. However this seems like a reasonable way to
work around a pretty big edge case.
2020-01-02 11:38:14 +11:00
Martin Brennan c031434b86
FIX: Catch error when unknown COSE algorithm is supplied for Security Key (#8649)
Added a fix to gracefully error with a Webauthn::SecurityKeyError if somehow a user provides an unkown COSE algorithm when logging in with a security key.

If `COSE::Algorithm.find` returns nil we now fail gracefully and log the algorithm used along with the user ID and the security key params for debugging, as this will help us find other common algorithms to implement for webauthn
2020-01-02 10:14:22 +10:00
Arpit Jalan 57081acc08 FIX: trigger commands are different for each locale, account for that. 2020-01-01 16:53:36 +05:30
Régis Hanol ce512452b5 Revert "Revert "DEV: Bump public_suffix from 4.0.1 to 4.0.2 (#8631)""
This reverts commit f04f6cbf01.
2019-12-31 17:12:06 +01:00
David Taylor c7a74e574f FIX: Only show admin wrench when there are actions on mobile
Corrects typo in logic from b725252cd0
2019-12-31 12:35:44 +00:00
David Taylor a4a0d12b39 DEV: Update deprecated FA4 icon name 2019-12-31 11:21:31 +00:00
Krzysztof Kotlarek fd8b98a55e
FIX: don't display cloak on admin tool when the right wrench is clicked (#8641) 2019-12-31 15:16:24 +11:00
Sam Saffron 412e1ebbe2 DEV: correct parallel specs rake tasks
This used to work due to side effects.

`rake parallel:migrate` used to work very inconsistently and would only migrate
some of the databases.

This introduces the recommended change to db.yml so the correct database is
found based off TEST_ENV_NUMBER if for some reason we did not set it using
RAILS_DB

Also avoids a bunch of schema dumping which is not needed when migrating
parallel specs



DB number 1 is very odd cause for whatever reason parallel spec is not
setting it.
2019-12-31 14:07:55 +11:00