Commit Graph

8737 Commits

Author SHA1 Message Date
David Taylor 22a7905f2d
DEV: Allow Ember CLI assets to be used by development Rails app (#16511)
Previously, accessing the Rails app directly in development mode would give you assets from our 'legacy' Ember asset pipeline. The only way to run with Ember CLI assets was to run ember-cli as a proxy. This was quite limiting when working on things which are bypassed when using the ember-cli proxy (e.g. changes to `application.html.erb`). Also, since `ember-auto-import` introduced chunking, visiting `/theme-qunit` under Ember CLI was failing to include all necessary chunks.

This commit teaches Sprockets about our Ember CLI assets so that they can be used in development mode, and are automatically collected up under `/public/assets` during `assets:precompile`. As a bonus, this allows us to remove all the custom manifest modification from `assets:precompile`.

The key changes are:
- Introduce a shared `EmberCli.enabled?` helper
- When ember-cli is enabled, add ember-cli `/dist/assets` as the top-priority Rails asset directory
- Have ember-cli output a `chunks.json` manifest, and teach `preload_script` to read it and append the correct chunks to their associated `afterFile`
- Remove most custom ember-cli logic from the `assets:precompile` step. Instead, rely on Rails to take care of pulling the 'precompiled' assets into the `public/assets` directory. Move the 'renaming' logic to runtime, so it can be used in development mode as well.
- Remove fingerprinting from `ember-cli-build`, and allow Rails to take care of things

Long-term, we may want to replace Sprockets with the lighter-weight Propshaft. The changes made in this commit have been made with that long-term goal in mind.

tldr: when you visit the rails app directly, you'll now be served the current ember-cli assets. To keep these up-to-date make sure either `ember serve`, or `ember build --watch` is running. If you really want to load the old non-ember-cli assets, then you should start the server with `EMBER_CLI_PROD_ASSETS=0`. (the legacy asset pipeline will be removed very soon)
2022-04-21 16:26:34 +01:00
David Taylor e5fb884695
FEATURE: Show prompt for required tag groups (#16458) 2022-04-21 13:13:52 +01:00
David Taylor c88ca23e8f
Revert "DEV: Update to Sprockets 4.0 (#16467)" (#16524)
This reverts commit 01107e418e.

We have seen some random occurrences of corrupted assets, and think it may be related to the sprockets 4 update. Reverting for investigation
2022-04-20 22:17:29 +01:00
David Taylor 1551eaab01
FIX: Do not error when json-serialized cookies are used (#16522)
We intend to switch to the `:json` serializer, which will stringify all keys. However, we need a clean revert path. This commit ensures that our `_t` cookie handling works with both marshal (the current default) and json (the new default) serialization.
2022-04-20 19:15:40 +01:00
Isaac Janzen 692e0140e2
FEATURE: Enables support for dark mode emails (#16520)
This PR enables custom email dark mode styles by default that were added here.

There is currently poor support for dark mode queries in mail clients. The main beneficiary of these changes will be Apple Mail and Outlook.

Enjoy the darkness 🕶️
2022-04-20 13:00:04 -05:00
Martin Brennan 154afa60eb
FIX: Skip upload extension validation when changing security (#16498)
When changing upload security using `Upload#update_secure_status`,
we may not have the context of how an upload is being created, because
this code path can be run through scheduled jobs. When calling
update_secure_status, the normal ActiveRecord validations are run,
and ours include validating extensions. In some cases the upload
is created in an automated way, such as user export zips, and the
security is applied later, with the extension prohibited from
use when normally uploading.

This caused the upload to fail validation on `update_secure_status`,
causing the security change to silently fail. This fixes the issue
by skipping the file extension validation when the upload security
is being changed.
2022-04-20 14:11:39 +10:00
Joffrey JAFFEUX f0d46c3549
FIX: warn_exception expect hash as second arg (#16490) 2022-04-18 18:41:41 +02:00
Isaac Janzen ee9daec36f
validate markdown_linkify_tlds setting (#16485)
Prevent adding * as a value to markdown_linkify_tlds site setting
2022-04-15 10:14:28 -05:00
Isaac Janzen 10a4bbfa72
update email dark mode styles (#16484)
Update dark mode styles for:

- secure media
- code blocks (they were too dark and had bad contrast)
2022-04-14 15:08:09 -05:00
Penar Musaraj e164ff3085
FIX: Email styles for Gmail app dark mode (#16482) 2022-04-14 15:03:06 -04:00
Isaac Janzen 0acbd63320
update dark mode email styles (#16480)
Update dark mode styles for:

secure media borders
code blocks
quote blocks
2022-04-14 12:51:09 -05:00
Penar Musaraj 7c27c839de
Version bump to v2.9.0.beta4 (#16477) 2022-04-14 10:10:23 -04:00
David Taylor 8f786268be
SECURITY: Ensure user-agent-based responses are cached separately (#16475) 2022-04-14 14:25:52 +01:00
Gerhard Schlager b3cda195b8 REFACTOR: Add `full_url` and `display_name` to `User`
Lets stop writing the same code over and over again.
2022-04-14 11:53:57 +02:00
David Taylor 01107e418e
DEV: Update to Sprockets 4.0 (#16467)
The main difference is that Sprockets 4.0 no longer tries to compile everything by default. This is good for us, because we can remove all our custom 'exclusion' logic which was working around the old sprockets 3.0 behavior.

The other big change is that lambdas can no longer be added to the `config.assets.precompile` array. Instead, we can do the necessary globs ourselves, and add the desired files manually.

A small patch is required to make ember-rails compatible. Since we plan to remove this dependency in the near future, I do not intend to upstream this change.

I have compared the `bin/rake assets:precompile` output before and after this change, and verified that all files are present.
2022-04-13 15:03:50 +01:00
Osama Sayegh eb5a3cfded
FEATURE: Add 2FA support to the Discourse Connect Provider protocol (#16386)
Discourse has the Discourse Connect Provider protocol that makes it possible to
use a Discourse instance as an identity provider for external sites. As a
natural extension to this protocol, this PR adds a new feature that makes it
possible to use Discourse as a 2FA provider as well as an identity provider.

The rationale for this change is that it's very difficult to implement 2FA
support in a website and if you have multiple websites that need to have 2FA,
it's unrealistic to build and maintain a separate 2FA implementation for each
one. But with this change, you can piggyback on Discourse to take care of all
the 2FA details for you for as many sites as you wish.

To use Discourse as a 2FA provider, you'll need to follow this guide:
https://meta.discourse.org/t/-/32974. It walks you through what you need to
implement on your end/site and how to configure your Discourse instance. Once
you're done, there is only one additional thing you need to do which is to
include `require_2fa=true` in the payload that you send to Discourse.

When Discourse sees `require_2fa=true`, it'll prompt the user to confirm their
2FA using whatever methods they've enabled (TOTP or security keys), and once
they confirm they'll be redirected back to the return URL you've configured and
the payload will contain `confirmed_2fa=true`. If the user has no 2FA methods
enabled however, the payload will not contain `confirmed_2fa`, but it will
contain `no_2fa_methods=true`.

You'll need to be careful to re-run all the security checks and ensure the user
can still access the resource on your site after they return from Discourse.
This is very important because there's nothing that guarantees the user that
will come back from Discourse after they confirm 2FA is the same user that
you've redirected to Discourse.

Internal ticket: t62183.
2022-04-13 15:04:09 +03:00
David Taylor 78f7e8fe2f
Revert "DEV: Update to Sprockets 4.0 (#16459)" (#16466)
This reverts commit ec7efbde1a.

This is causing problems in non-ember-cli environments. Reverting for now.
2022-04-13 11:04:13 +01:00
David Taylor ec7efbde1a
DEV: Update to Sprockets 4.0 (#16459)
The main difference is that Sprockets 4.0 no longer tries to compile everything by default. This is good for us, because we can remove all our custom 'exclusion' logic which was working around the old sprockets 3.0 behavior.

The other big change is that lambdas can no longer be added to the `config.assets.precompile` array. Instead, we can do the necessary globs ourselves, and add the desired files manually.

A small patch is required to make ember-rails compatible. Since we plan to remove this dependency in the near future, I do not intend to upstream this change.

I have compared the `bin/rake assets:precompile` output before and after this change, and verified that all files are present.
2022-04-13 10:21:59 +01:00
Isaac Janzen 5f9c98dfc1
FIX: update dark mode emails styles (#16461)
- divider sometimes is too bright
- lists have dark text on dark copy
- border around the “secure media” message is bright
2022-04-12 13:13:34 -05:00
Martin Brennan 9f2138dc92
FEATURE: Add a sidekiq job for syncing S3 ACLs (#16449)
Sometimes we need to update a _lot_ of ACLs on S3 (such as when secure media
is enabled), and since it takes ~1s per upload to update the ACL, this is
best spread out over many jobs instead of having to do the whole thing serially.

In future, it will be better to have a job that can be run based on
a column on uploads (e.g. acl_stale) so we can track progress, similar
to how we can set the baked_version to nil to rebake posts.
2022-04-12 14:26:42 +10:00
Isaac Janzen 6c0abe15e0
FEATURE: Add email dark mode (#16104)
implement dark mode emails when `SiteSetting.dark_mode_emails_active` is active.
2022-04-11 12:27:50 -05:00
Rafael dos Santos Silva be519d2aec
PERF: Speed up admin user list main query (#16412)
This drops the join with the emails table since primary emails is already
on the users table.

Makes query 10x faster on large (6M+ users) sites.
2022-04-08 11:59:44 -03:00
Sam cedcdb0057
FEATURE: allow for local theme js assets (#16374)
Due to default CSP web workers instantiated from CDN based assets are still
treated as "same-origin" meaning that we had no way of safely instansiating
a web worker from a theme.

This limits the theme system and adds the arbitrary restriction that WASM
based components can not be safely used.

To resolve this limitation all js assets in about.json are also cached on
local domain.

{
  "name": "Header Icons",
  "assets" : {
    "worker" : "assets/worker.js"
  }
}

This can then be referenced in JS via:

settings.theme_uploads_local.worker

local_js_assets are unconditionally served from the site directly and
bypass the entire CDN, using the pre-existing JavascriptCache

Previous to this change this code was completely dormant on sites which
used s3 based uploads, this reuses the very well tested and cached asset
system on s3 based sites.

Note, when creating local_js_assets it is highly recommended to keep the
assets lean and keep all the heavy working in CDN based assets. For example
wasm files can still live on the CDN but the lean worker that loads it can
live on local.

This change unlocks wasm in theme components, so wasm is now also allowed
in `theme_authorized_extensions`

* more usages of upload.content

* add a specific test for upload.content

* Adjust logic to ensure that after upgrades we still get a cached local js
on save
2022-04-07 07:58:10 +10:00
Jarek Radosz 69dbc207ab
DEV: Improve `plugin:versions` task (#16391)
1. Sort plugins by name
2. Include plugins that are a symbolic link to a submodule repo (in those cases `.git` isn't a directory but a file that looks like e.g. `gitdir: ../../.git/modules/plugins/name-here`)
2022-04-06 18:29:39 +02:00
Loïc Guitaut 46176b7dd7 DEV: Don’t patch Sanitize::Config
Currently we’re reopening the `Sanitize::Config` class (which is part of
the `sanitize` gem) to put our custom config for Onebox in it. This is
unnecessary as we can simply create a dedicated module to hold our
custom configuration.
2022-04-06 17:10:51 +02:00
Rafael dos Santos Silva 1203121ac1
PERF: Throttle updates to API key last_used_at (#16390)
Co-authored-by: David Taylor <david@taylorhq.com>
2022-04-06 11:01:52 -03:00
David Taylor 68c74e9b93
FEATURE: Allow multiple required tag groups for a category (#16381)
Previously we only supported a single 'required tag group' for a category. This commit allows admins to specify multiple required tag groups, each with their own minimum tag count.

A new category_required_tag_groups database table replaces the existing columns on the categories table. Data is automatically migrated.
2022-04-06 14:08:06 +01:00
Sam 254f48e568
FIX: include crawler content on old mobile browsers (#16387)
Previous to this change an optimisation stripped crawler content from
all mobile browsers.

This had a side effect that meant that when we dropped support for an old
mobile platform we would stop rendering topic and topic list pages.

The new implementation ensures we only perform the optimisation on modern
mobile browsers.
2022-04-06 11:09:12 +01:00
Loïc Guitaut 357011eb3b DEV: Clean up freedom patches
This patch removes some of our freedom patches that have been deprecated
for some time now.
Some of them have been updated so we’re not shipping code based on an
old version of Rails.
2022-04-06 10:07:14 +02:00
Jarek Radosz 3c44bed545
DEV: Make DistributedMemoizer use DistributedMutex (#16229)
Its implementation was already distributed-mutex-like, with slight differences that did not seem necessary.
2022-04-05 19:29:58 +02:00
Jarek Radosz 9060a045c2
DEV: Minor linting fixes (#16359)
1. `test/run-qunit.js` wasn't eslinted (I'm not adding it to the CI workflow for now, just fixed the issues)
2. "…" utf character isn't rendered correctly in Jenkins, replaced with three dots
3. Don't try to lint `tmp` when doing `eslint .` in the root dir
2022-04-02 21:15:38 +02:00
Martin Brennan b8828d4a2d
FEATURE: Polymorphic bookmarks pt. 1 (CRUD) (#16308)
This commit introduces a new use_polymorphic_bookmarks site setting
that is default false and hidden, that will be used to help continuous
development of polymorphic bookmarks. This setting **should not** be
enabled anywhere in production yet, it is purely for local development.

This commit uses the setting to enable create/update/delete actions
for polymorphic bookmarks on the server and client side. The bookmark
interactions on topics/posts are all usable. Listing, searching,
sending bookmark reminders, and other edge cases will be handled
in subsequent PRs.

Comprehensive UI tests will be added in the final PR -- we already
have them for regular bookmarks, so it will just be a matter of
changing them to be for polymorphic bookmarks.
2022-03-30 12:43:11 +10:00
David Taylor ff93833fdf
UX: Use committed date for GitHub oneboxes (#16318)
Our copy says 'committed {date}`, but we were previously using the commit's authored date
2022-03-30 09:16:28 +08:00
Alan Guo Xiang Tan 5743a6ec1e DEV: Remove Zeitwerk inflection monkey patch.
There isn't a good reason we need to patch the inflector.

Co-authored-by: Loïc Guitaut <loic@discourse.org>
2022-03-29 16:04:49 +02:00
Osama Sayegh e40c4bb7f9
FIX: Validate category tag restrictions before sending new topics to review (#16292)
Tags (and tag groups) can be configured so that they can only be used in specific categories and (optionally) restrict topics in these categories to be able to add/use only these tags. These restrictions work as expected when a topic is created without going through the review queue; however, if the topic has to be reviewed by a moderator then these restrictions currently aren't checked before the topic is sent to the review queue, but they're checked later when a moderator tries to approve the topic. This is because if a user manages to submit a topic that doesn't meet the restrictions, moderators won't be able to approve and it'll be stuck in the review queue.

This PR prevents topics that don't meet the tags requirements from being sent to the review queue and shows the poster an error message that indicates which tags that cannot be used.

Internal ticket: t60562.
2022-03-28 21:25:26 +03:00
Penar Musaraj b1211bee97
FIX: Resetting selectable avatars was failing (#16302) 2022-03-28 14:15:28 -04:00
Bianca Nenciu 6eb3d658ca
FIX: Do not wrap unaccent around tsqueries (#16284)
tsqueries use quotes and having other characters that when unaccented
become quotes results in invalid tsqueries.
2022-03-25 19:10:05 +02:00
Bianca Nenciu cbaf7c949b
FIX: Make sure max_oneboxes_per_post is enforced (#16215)
PostAnalyzer and CookedPostProcessor both replace URLs with oneboxes.
PostAnalyzer did not use the max_oneboxes_per_post site and setting and
CookedPostProcessor replaced at most max_oneboxes_per_post URLs ignoring
the oneboxes that were replaced already by PostAnalyzer.
2022-03-23 17:36:08 +02:00
Neil Lalonde 9bbddd2cb3
Version bump to v2.9.0.beta3 (#16256) 2022-03-22 14:46:23 -04:00
Dan Ungureanu 8e9cbe9db4
FIX: Do not raise if title cannot be crawled (#16247)
If the crawled page returned an error, `FinalDestination#safe_get`
yielded `nil` for `uri` and `chunk` arguments. Another problem is that
`get` did not handle the case when `safe_get` failed and did not return
the `location` and `set_cookie` headers.
2022-03-22 20:13:27 +02:00
Jarek Radosz 3f98af73ce
DEV: Add discourse-bcc to the official plugins (#16251) 2022-03-22 18:18:09 +01:00
David Taylor 9df28fe4b3
DEV: Only raise `rake themes:update` errors when flag provided (#16254)
Switching behavior based on multisite/single-site configuration can create some difficult-to-debug situations. The flag is much more obvious.
2022-03-22 17:02:14 +00:00
Vinoth Kannan 8a9a7a77d8
FIX: staff should not be able to PM groups that "Nobody" can message (#16163)
If a group's messageable_level is set to nobody then staff can't should not be able to send PMs to it.

Co-authored-by: Martin Brennan <martin@discourse.org>
2022-03-22 10:23:14 +10:00
Roman Rizzi 581d435d09
Revert "FEATURE: Let reviewables override the score type title. (#16234)" (#16238)
This reverts commit 746f8f3797.
2022-03-21 16:32:47 -03:00
Roman Rizzi 746f8f3797
FEATURE: Let reviewables override the score type title. (#16234)
Plugins like chat add custom score type to override the title in the UI, but that should be reserved for situations when you need to manage the flag priority separately, which is configurable in the queue settings page.

Currently, if a plugin creates a custom score type, it won't be able to associate a priority, so there's no real gain from doing so. Priorities are tightly related to post-action types, which is something we might want to revise. For now, this change lets plugins move away from custom score types without compromises.
2022-03-21 14:29:57 -03:00
Jarek Radosz e4a92a8113
DEV: Add `SKIP_DB_CREATE` option to docker:test (#16225)
So that the database creation can be run separately from the specs.
2022-03-21 13:21:06 +01:00
Jarek Radosz bf8dc394bd
DEV: Add chromium to ChromeInstalledChecker (#16224) 2022-03-19 11:00:06 +01:00
Bianca Nenciu b0f414f7f5
DEV: Remove unused uri parameter (#16179)
The parameter is not used and it did not work properly anyway
because sometimes `@uri` is used instead of `uri`, which can
be different.
2022-03-16 16:42:25 +02:00
David Taylor c58c2f53e8
FIX: Skip ember-cli build memory optimisation for multiple rake tasks (#16198) 2022-03-16 12:02:21 +00:00
Jarek Radosz dec68d780c
DEV: Don't install plugin gems twice (#16192)
Missing plugin gems are installed when the app is being loaded.

That means when you run `bin/rails plugin:install_all_gems` it first installs missing gems and then reinstalls all gems…

Also, the method these rake tasks were using to install gems was very crude, and the regex there was incorrect which resulted in failures in certain cases. Though that didn't matter since those gems were being installed using a correct method just moments before…
2022-03-15 15:08:05 +01:00