Commit Graph

276 Commits

Author SHA1 Message Date
Penar Musaraj 273db57d6e
FEATURE: Allow admins to delete user SSO records in the UI (#10669)
Also displays the user's last payload in the admin UI to help with debugging SSO issues.
2020-09-15 10:00:10 -04:00
Guo Xiang Tan 0398271f87
FIX: Admin should always be able to view group messages.
Follow-up to b0f22f2523.

Before this fix, `SiteSetting.enable_personal_messages = false` will
prevent admin from viewing group messages.
2020-09-09 08:58:21 +08:00
Blake Erickson 4395e4d165 FIX: Sending a PM through a flag on a deleted post
Because we allow all the other flag types on a deleted post we should be
able to send a pm to the user letting them know why we deleted their
post.

Bug report:

https://meta.discourse.org/t/-/161156
2020-08-19 17:36:52 -06:00
jbrw aa1fc01307
FEATURE - Moderators can create and manage groups (#10432)
Enabling the moderators_manage_categories_and_groups site setting will allow moderator users to create/manage groups.

* show New Group form to moderators

* Allow moderators to update groups and read logs, where appropriate

* Rename site setting from create -> manage

* improved tests

* Migration should rename old log entries

* Log group changes, even if those changes mean you can no longer see the group

* Slight reshuffle

* RouteTo /g if they no longer have permissions to view group
2020-08-19 10:41:40 -04:00
jahan-ggn 65649eaef0
User card settings (#10302)
* settings implemented

* prettier

* settings updated

* rubocop

* prettier

* Revert "rubocop"

This reverts commit 7805145a7d.

* Revert "prettier"

This reverts commit 2c53f4fa12.

* settings updated and changed

* rubocop

* changes applied

* final changes done

* Server side feature added

* spec changed

* changed user_updater and profile file

* Fix user card specs

* web hook serializer solved

* site-setting changed

Co-authored-by: Mark VanLandingham <markvanlan@gmail.com>
2020-08-17 12:37:45 -04:00
jbrw d67f7a7984
Allows mod posts to be created for category group moderators on closed/archived topics (#10399) 2020-08-10 15:21:01 -04:00
jbrw 67e8bc5342
FEATURE - allow category group moderators to split/merge topics (#10351) 2020-08-05 10:33:25 -04:00
jbrw 74ab4f3bff
FEATURE - group modetators visual indicator (#10310) 2020-07-28 17:15:04 -04:00
Krzysztof Kotlarek e0d9232259
FIX: use allowlist and blocklist terminology (#10209)
This is a PR of the renaming whitelist to allowlist and blacklist to the blocklist.
2020-07-27 10:23:54 +10:00
jbrw 2aec92d0b4
FEATURE - allow Group Moderators to edit category description (#10292)
Co-authored-by: Alan Guo Xiang Tan <gxtan1990@gmail.com>
2020-07-23 09:50:00 -04:00
jbrw 7ab5658462
FEATURE: Allow group moderators to add/remove staff notes (#10252)
* FEATURE: Allow group moderators to add/remove staff notes
2020-07-20 15:53:47 -04:00
jbrw 06073fe8c6
FEATURE: Allow group moderators to close/archive topics
* FEATURE: Allow group moderators to close/archive topics
2020-07-14 12:36:19 -04:00
Kane York 8ddd45d524
PERF: topic_view participant post count: don't send back ID list (#10210)
On large topics, the cost of sending the entire post ID list back over to the database is signficant. Just have the DB recalculate the list of visible posts instead.
2020-07-13 18:42:09 -07:00
David Taylor 977766e7a8
FEATURE: sso_overrides_(email|username|name) for all auth methods
These settings previously applied only to discourse-sso. Now they work for all external authentication methods.
2020-07-06 10:18:45 +01:00
Daniel Waterworth 9cf77372a2 FIX: Guardian#can_remove_allowed_users? shouldn't break for ownerless topics
A topic can outlive its original author. TopicGuardian should still work
in this situation.
2020-06-19 10:35:52 +01:00
Bianca Nenciu db1bebddce
FIX: Hide the post history for TL4 (#10065) 2020-06-18 13:27:51 +03:00
Joffrey JAFFEUX 4b793a1072
FIX: allows PM owner to remove any user if >= TL2 (#10036) 2020-06-12 12:54:28 +02:00
Mark VanLandingham bec6bace53
DEV: Allow plugins to hide user stats by new guardian method (#9772) 2020-05-14 11:57:35 -05:00
Roman Rizzi 394babcae3
FIX: Only show the review page to users that can see it. Do not publish the reviewable count update message to everyone. (#9556) 2020-04-27 14:51:25 -03:00
Vinoth Kannan e5c44f6dcf UX: display 'merge' button in all non-staff user profiles. 2020-04-22 17:42:09 +05:30
Vinoth Kannan a511bea4cc
FEATURE: admin UI to merge two users. (#9509) 2020-04-22 14:07:51 +05:30
Martin Brennan 8f0544137a
FEATURE: Allow editing bookmark reminders (#9437)
Users can now edit the bookmark name and reminder time from their list of bookmarks.

We use "Custom" for the date and time in the modal because if the user set a reminder for "tomorrow" then edit the reminder "tomorrow", the definition of what "tomorrow" is has changed.
2020-04-17 11:08:07 +10:00
Kane York cdaa60b56b FEATURE: Allow admins to disable self-service account deletion
https://meta.discourse.org/t/-/146276
2020-04-01 15:16:07 -07:00
David Taylor 5db41cd578
SECURITY: Respect topic permissions when loading bookmark metadata
Co-authored-by: Martin Brennan <martin@discourse.org>
Co-authored-by: Sam Saffron <sam.saffron@gmail.com>
2020-03-23 11:30:48 +00:00
Dan Ungureanu 0754c7c404
FIX: Various fixes to support posts with no user (#8877)
* Do not grant badges for posts with no user
* Ensure instructions are correct in Change Owner modal
* Hide user-dependent actions from posts with no user
* Make PostRevisor work with posts with no user
* Ensure posts with no user can be deleted
* discourse-narrative-bot should ignore posts with no user
* Skip TopicLink creation for posts with no user
2020-03-11 14:03:20 +02:00
Mark VanLandingham 3ad5cb0cbc
FIX: Error message for 403 when featuring topic on profile (#9149) 2020-03-09 11:41:07 -05:00
David Taylor b37d2f09ba
PERF: Memoize allowed user fields more efficiently (#8968)
Previously we were caching by user_id, but the there are only two possible outcomes. Therefore we only need to cache two values.

This removes another N+1 query when serializing multiple user cards.
2020-02-14 14:47:16 +00:00
Martin Brennan e1e74abd4f
FEATURE: Improving bookmarks part 2 -- Topic Bookmarking (#8954)
### UI Changes

If `SiteSetting.enable_bookmarks_with_reminders` is enabled:

* Clicking "Bookmark" on a topic will create a new Bookmark record instead of a post + user action
* Clicking "Clear Bookmarks" on a topic will delete all the new Bookmark records on a topic
* The topic bookmark buttons control the post bookmark flags correctly and vice-versa
Disabled selecting the "reminder type" for bookmarks in the UI because the backend functionality is not done yet (of sending users notifications etc.)

### Other Changes

* Added delete bookmark route (but no UI yet)
* Added a rake task to sync the old PostAction bookmarks to the new Bookmark table, which can be run as many times as we want for a site (it will not create duplicates).
2020-02-13 16:26:02 +10:00
Dan Ungureanu c5e3faac00
FIX: Recovered posts with no user will be taken over by system user (#8834) 2020-02-06 10:19:04 +02:00
Mark VanLandingham 089d38e9d3
FIX: Disallow featuring hidden topics (#8814) 2020-01-30 10:00:49 -06:00
Mark VanLandingham e29fef9e99
FEATURE: Users can feature any public topic on his/her profile (#8809) 2020-01-29 10:10:23 -06:00
mintsaxon 4b54791bcc FIX: Notify staged users about private categories (#8765)
group membership and `CategoryUser` notification level should be
respected to determine whether to notify staged users about activity in
private categories, instead of only ever generating notifications for staged
users' own topics (which has been the behaviour since
0c4ac2a7bc)
2020-01-22 16:33:25 -03:00
Roman Rizzi 0c4ac2a7bc
Merge pull request from GHSA-569c-22ff-pj3x 2020-01-16 15:17:16 -03:00
Mark VanLandingham 14cb386f1e
FEATURE: Featured topic for user profile & card (#8461) 2019-12-09 11:15:47 -08:00
Vinoth Kannan 31577b2131 FEATURE: wiki editors are allowed edit tags for wiki topics.
If a wiki editor's TL is greater than 'min trust level to tag topics' site setting then they can edit the tags for any wiki topic.
2019-10-23 23:35:38 +05:30
Dan Ungureanu fdb1d3404c
FEATURE: Add site setting to show more detailed 404 errors. (#8014)
If the setting is turned on, then the user will receive information
about the subject: if it was deleted or requires some special access to
a group (only if the group is public). Otherwise, the user will receive
a generic #404 error message. For now, this change affects only the
topics and categories controller.

This commit also tries to refactor some of the code related to error
handling. To make error pages more consistent (design-wise), the actual
error page will be rendered server-side.
2019-10-08 14:15:08 +03:00
Rimian Perkins 6bbd83067d FEATURE: New post editing period for >= tl2 users (#8070)
* FEATURE: Add tl2 threshold for editing new posts

* Adds a new setting and for tl2 editing posts (30 days same as old value)
* Sets the tl0/tl1 editing period as 1 day

* FIX: Spec uses wrong setting

* Fix site setting on guardian spec

* FIX: post editing period specs

* Avoid shared examples
* Use update_columns to avoid callbacks on user during tests
2019-09-06 07:44:12 -04:00
Gerhard Schlager e4f14ca3d7 FIX: Disallow user self-delete when user posted in PMs
All posts created by the user are counted unless they are deleted,
belong to a PM sent between a non-human user and the user or belong
to a PM created by the user which doesn't have any other recipients.

It also makes the guardian prevent self-deletes when SSO is enabled.
2019-08-10 12:30:16 +02:00
Joffrey JAFFEUX 71bf9ec1b2
FEATURE: opt-in guidance on topics for users without access (#7852)
Co-Authored-By: majakomel <maja.komel@gmail.com>
Co-Authored-By: Robin Ward <robin.ward@gmail.com>
2019-07-04 10:12:39 +02:00
Arpit Jalan 3c64dc3e7d
FIX: do not allow creation of topic if there is no category available for posting (#7786) 2019-06-26 16:32:53 +05:30
Sam Saffron 39b856dce7 DEV: correct edge case introduced in 333b5a19
We need to allow users to edit uncategorized topics out of uncategorized
when for some reason admin just turns it off.
2019-06-26 17:53:29 +10:00
Bianca Nenciu 557805249d
FIX: Ensure topic exists before making a banner. (#7781) 2019-06-25 13:49:29 +03:00
Robin Ward e8b9f38374 FIX: Don't allow users to edit topic information when the OP is locked
see:
https://meta.discourse.org/t/user-able-to-edit-title-of-locked-post/104826
2019-06-18 14:22:38 -04:00
Robin Ward 2e0a40007b FIX: Category topics should not be deletable via review queue 2019-05-30 16:43:23 -04:00
Sam Saffron 30990006a9 DEV: enable frozen string literal on all files
This reduces chances of errors where consumers of strings mutate inputs
and reduces memory usage of the app.

Test suite passes now, but there may be some stuff left, so we will run
a few sites on a branch prior to merging
2019-05-13 09:31:32 +08:00
Robin Ward b380ed5282 FEATURE: Claim Reviewables by Topic
This is a feature that used to be present in discourse-assign but is
much easier to implement in core. It also allows a topic to be assigned
without it claiming for review and vice versa and allows it to work with
category group reviewers.
2019-05-09 13:40:36 -04:00
Blake Erickson 5b5b5a5931 FIX: return an error if a user tries to whisper
This commit fixes a bug where a user creates a whisper post via the api
but is posted as a regular message because they don't have access to
whisper. Now a 403 unauthorized will be returned instead of the whisper
param just being ignored for regular users. Staff users should not be
affected by this change.

https://meta.discourse.org/t/a-whisper-is-posted-as-a-message-if-the-user-is-not-staff-moderator-admin-when-using-the-api/116601
2019-05-07 11:42:26 -06:00
Robin Ward 31e100530f FEATURE: Flag count in post menu
This change shows a notification number besides the flag icon in the
post menu if there is reviewable content associated with the post.
Additionally, if there is pending stuff to review, the icon has a red
background.

We have also removed the list of links below a post with the flag
status. A reviewer is meant to click the number beside the flag icon to
view the flags. As a consequence of losing those links, we've removed
the ability to undo or ignore flags below a post.
2019-05-06 16:13:31 -04:00
Maja Komel 5c795bc480 FIX: prevent anonymous users from changing their email/username/name (#7311) 2019-04-17 18:05:02 +10:00
Guo Xiang Tan ce4c8e957b PERF: Avoid looking up the same group multiple times during bulk invite.
Also cache the guardian check because it does a query to check if the
user is an owner of the group.
2019-04-16 09:42:25 +08:00
Arpit Jalan d68d29f37a FIX: only staff can banner topics 2019-04-02 12:46:55 +05:30
Bianca Nenciu 034b8a7ecc FIX: Let users delete topics.
Follow-up to 31053f30de.
2019-03-29 22:00:36 +02:00
Bianca Nenciu 31053f30de FEATURE: Let users delete their own topics. (#7267) 2019-03-29 17:10:05 +01:00
Robin Ward b58867b6e9 FEATURE: New 'Reviewable' model to make reviewable items generic
Includes support for flags, reviewable users and queued posts, with REST API
backwards compatibility.

Co-Authored-By: romanrizzi <romanalejandro@gmail.com>
Co-Authored-By: jjaffeux <j.jaffeux@gmail.com>
2019-03-28 12:45:10 -04:00
Gerhard Schlager c34a6ba674 REFACTOR: Rename site settings to make them less confusing 2019-03-14 13:40:14 +01:00
Vinoth Kannan d1bad881ea
FEATURE: Allow moderators to change topic timestamps (#7053) 2019-02-22 14:33:52 +05:30
Robin Ward bc3efab816 FIX: When disagreeing with a flag that silenced a user, unsilence them
Previously it would unhide their post but leave them silenced.

This fix also cleans up some of the helper classes to make it easier
to pass extra data to the silencing code (for example, a link to the
post that caused the user to be silenced.)

This patch also refactors the auto_silence specs to avoid using
stubs.
2019-02-08 08:50:50 -05:00
Arpit Jalan fabeba788d
FIX: allow sending PMs to staff via flag even when PMs are disabled (#6938)
* FIX: allow sending PMs to staff via flag even when PMs are disabled
FIX: allow sending PMs to staff via flag even if the user trust level is insufficient

* Update lib/topic_creator.rb

Co-Authored-By: techAPJ <arpit@techapj.com>
2019-01-24 16:56:59 +05:30
Gerhard Schlager b089ac1537 FIX: Posting without bump raised an error for TL4 2019-01-03 14:14:02 +01:00
Gerhard Schlager c30996129f FEATURE: Allow TL4 users to reset bump date 2019-01-02 16:57:05 +01:00
Guo Xiang Tan 5c2e194d01 SECURITY: Users can pick non-avatar uploads.
https://meta.discourse.org/t/bug-report-idor-on-avatar-pick-function-discussions-udacity-com/103564
2018-12-18 13:38:25 +08:00
Guo Xiang Tan 899caf35ba Revert "SECURITY: User could non-avatar uploads."
This reverts commit 89581fa301.
2018-12-18 13:37:31 +08:00
Guo Xiang Tan 89581fa301 SECURITY: User could non-avatar uploads.
https://meta.discourse.org/t/bug-report-idor-on-avatar-pick-function-discussions-udacity-com/103564
2018-12-18 13:35:33 +08:00
David Taylor 5e09398c5b
FIX: Do not serialize user fields unless they are specified for display (#6736) 2018-12-07 10:57:28 +00:00
Guo Xiang Tan fe131c5ea2 Fix missing avatars on topic list page.
Introduced in b50fab2d72
2018-11-19 14:55:41 +08:00
Penar Musaraj 7b3432f711 Enforce disabling flagging hidden posts server-side 2018-11-05 10:00:59 -05:00
Robin Ward a566ed42ae FEATURE: Option to disable user presence and profile
This allows users who are privacy conscious to disable the presence
features of the forum as well as their public profile.
2018-10-10 17:34:33 -04:00
Jeff Wong 632ca42db9 FIX: edit checks for editing posts with no topic 2018-10-03 18:34:47 -07:00
Sam df45e82377 SECURITY: only allow picking of avatars created by self (#6417)
* SECURITY: only allow picking of avatars created by self

Also adds origin tracking to all uploads including de-duplicated uploads
2018-09-19 22:33:10 -07:00
Robin Ward a83f662492 FIX: Allow silenced users to like / bookmark, just not flag. 2018-08-17 11:06:18 -04:00
Guo Xiang Tan fae8757cd4 FIX: `Guardian#post_can_act?` shouldn't raise an error if user of post has been deleted. 2018-08-17 15:11:30 +08:00
Sam 91e0a77a60 FEATURE: silenced users should not be allowed to edit posts 2018-08-15 14:29:36 +10:00
Robin Ward 87fa26b6c8 FIX: Silenced users shouldn't be able to act on posts 2018-08-14 11:43:39 -04:00
Gerhard Schlager b9072e8292 FEATURE: Add "Reset Bump Date" action to topic admin wrench (#6246) 2018-08-10 10:51:03 +10:00
Gerhard Schlager ef4b9f98c1 FEATURE: Allow admins to reply without topic bump 2018-08-10 10:48:30 +10:00
Penar Musaraj 4a872823e7 Improvements to user drafts (#6226)
* drafts in user profile: only show to user herself (not to admins), use avatar replying to (instead of topic OP), add keyboard shortcut for drafts, simplify display labels

* use JSON when testing Draft.stream
2018-08-02 07:41:27 +10:00
Penar Musaraj 1f45215537 FEATURE: Drafts view in user profile
* add drafts.json endpoint, user profile tab with drafts stream

* improve drafts stream display in user profile

* truncate excerpts in drafts list, better handling for resume draft action

* improve draft stream SQL query, add rspec tests

* if composer is open, quietly close it when user opens another draft from drafts stream; load PM draft only when user is in /u/username/messages (instead of /u/username)

* cleanup

* linting fixes

* apply prettier styling to modified files

* add client tests for drafts, includes a fixture for drafts.json

* improvements to code following review

* refresh drafts route when user deletes a draft open in the composer while being in the drafts route; minor prettier scss fix

* added more spec tests, deleted an acceptance test for removing drafts that was too finicky, formatting and code style fixes, added appEvent for draft:destroyed

* prettier, eslint fixes

* use "username_lower" from users table, added error handling for rejected promises

* adds guardian spec for can_see_drafts, adds improvements following code review

* move DraftsController spec to its own file

* fix failing drafts qunit test, use getOwner instead of deprecated this.container

* limit test fixture for draft.json testing to new_topic request only
2018-08-01 16:34:54 +10:00
Kyle Zhao 2901691e87 FEATURE: per-category approval settings (#5778)
- disallow moving topics to a category that requires topic approval
2018-07-13 12:51:08 +10:00
misaka4e21 47cb46671a FEATURE: Support disabling tag creation for non-staff users. 2018-06-27 07:15:02 +08:00
Arpit Jalan 6bcdc3ba4b FEATURE: allow author to delete posts irrespective of post_edit_time_limit 2018-06-26 21:43:06 +05:30
Robin Ward fd54c92a52 FEATURE: New site setting, whitelisted_link_domains
If provided, users who normally couldn't post links (say, due to a
low trust level), can post links to those specific hosts.
2018-06-13 16:11:22 -04:00
Guo Xiang Tan 3bfd9698c7 PERF: Avoid running the same query twice in `TopicViewSerializer#details`. 2018-05-24 16:46:13 +08:00
Arpit Jalan c74c933996 SECURITY: escape HTML entities from topic title 2018-04-15 18:44:28 +05:30
Robin Ward b9abd7dc9e FEATURE: Shared Drafts
This feature can be enabled by choosing a destination for the
`shared drafts category` site setting.

* Staff members can create shared drafts, choosing a destination
category for the topic when it is published.

* Shared Drafts can be viewed in their category, or above the
topic list for the destination category where it will end up.

* When the shared draft is ready, it can be published to the
appropriate category by clicking a button on the topic view.

* When published, Drafts change their timestamps to the current
time, and any edits to the original post are removed.
2018-03-20 17:15:26 -04:00
Guo Xiang Tan 2ad2ed2eb2 FIX: Couldn't move a topic into the uncategorized category. 2018-03-13 10:20:47 +08:00
Arpit Jalan 003b03d939 allow staff to delete user if posts are 5 or less irrespective of delete_user_max_post_age 2018-03-05 23:31:29 +05:30
Robin Ward cd6c5fc5fb FIX: Disable "Make Personal Message" if they are disabled 2018-03-02 20:28:39 -05:00
Sam 75172024ca SECURITY: ensure users have permission when moving categories 2018-03-02 12:13:27 +11:00
Guo Xiang Tan e7a7356986 Remove ancient votes code that is no longer used. 2018-02-28 14:37:22 +08:00
Guo Xiang Tan 902c5d11cf FIX: Don't allow other flag actions after `notify_moderator` has happened.
https://meta.discourse.org/t/receiving-sorry-an-error-has-occurred-during-flagging-step-of-discobot-tutorial/77233/5
2018-02-28 11:27:56 +08:00
Robin Ward 69af881f7f New site setting `trusted_users_can_edit_others`
The default is true to keep with previous discourse behavior. If
disabled, high trust level users cannot edit the topics or posts of
other users.
2018-02-22 20:39:24 -05:00
Vinoth Kannan 84867c1c07 Rename site setting to allow_staff_to_tag_pms from allow_staff_to_tag_in_pm 2018-02-22 06:48:34 +05:30
Vinoth Kannan 2b509eaa91
Merge branch 'master' into pm-tags 2018-02-21 23:55:59 +05:30
Vinoth Kannan 84ce1acfef FEATURE: Allow staffs to tag PMs 2018-02-21 20:11:46 +05:30
Jeff Wong f4f8a293e7 FEATURE: Implement 2factor login TOTP
implemented review items.

Blocking previous codes - valid 2-factor auth tokens can only be authenticated once/30 seconds.
I played with updating the “last used” any time the token was attempted but that seemed to be overkill, and frustrating as to why a token would fail.
Translatable texts.
Move second factor logic to a helper class.
Move second factor specific controller endpoints to its own controller.
Move serialization logic for 2-factor details in admin user views.
Add a login ember component for de-duplication
Fix up code formatting
Change verbiage of google authenticator

add controller tests:
second factor controller tests
change email tests
change password tests
admin login tests

add qunit tests - password reset, preferences

fix: check for 2factor on change email controller
fix: email controller - only show second factor errors on attempt
fix: check against 'true' to enable second factor.

Add modal for explaining what 2fa with links to Google Authenticator/FreeOTP

add two factor to email signin link

rate limit if second factor token present

add rate limiter test for second factor attempts
2018-02-21 09:04:07 +08:00
Robin Ward b4aa0b096e FIX: Couldn't like staff when `allow_flagging_staff` was set 2018-02-14 15:46:04 -05:00
Robin Ward 4dfe659189 Rename `allow staff flags` to `allow flagging staff` 2018-02-12 15:27:26 -05:00
Robin Ward 6287631745 FEATURE: New site setting, `allow staff flags`, false by default
For some large communities, it makes sense to disable flagging of
staff posts.
2018-02-12 14:56:21 -05:00
Guo Xiang Tan 932a1a1187 Remove use of deprecated site setting. 2018-02-12 14:26:22 +08:00
Robin Ward dedeb2deb8 FIX: Don't show the link button in the composer if linking is disabled 2018-02-08 12:56:10 -05:00