Category and tag hashtags used to be handled differently even though
most of the code was very similar. This design was the root cause of
multiple issues related to hashtags.
This commit reduces the number of requests (just one and debounced
better), removes the use of CSS classes which marked resolved hashtags,
simplifies a lot of the code as there is a single source of truth and
previous race condition fixes are now useless.
It also includes a very minor security fix which let unauthorized users
to guess hidden tags.
* DEV: Remove the margin from widget-dropdown
Generic components should not have a margin. Those should be styled in the place where they are used.
* DEV: Remove margin from the dropdown body
It triggered a warning in popper and was effectively a no-op as popper positions dropdowns on its own using `position: fixed` and `top/right/bottom/left` properties.
When creating a bookmark reminder that deletes the bookmark on reminder, if the user clicked on the notification and got taken to the post in the topic the bookmark icon still showed as blue with the reminder clock indicator. This was because the response JSON for reloading a topic post was not including the bookmark attributes, not even the bookmarked boolean.
We now return the correct attributes in the serializer, and if bookmarked is false we clear all the bookmark related attributes on the post for the notification to make sure nothing of the old bookmark remains in the UI.
This was only a problem if the user did not refresh the app completely inbetween setting the reminder and receiving the notification.
* strip out the href and xlink:href attributes from use element that
are _not_ anchors in svgs which can be used for XSS
* adding the content-disposition: attachment ensures that
uploaded SVGs cannot be opened and executed using the XSS exploit.
svgs embedded using an img tag do not suffer from the same exploit
We have a couple of examples of enormous amounts of text being entered in the name column of bookmarks. This is not desirable...it is just meant to be a short note / reminder of why you bookmarked this.
This PR caps the column at 100 characters and truncates existing names in the database to 100 characters.
* This is causing issues where sometimes bookmarked is out of sync with what is in the Bookmark table. The BookmarkManager handles updating this column now.
* Add migration to fix bookmarked column that is incorrectly marked false when a Bookmark record exists.
Before this change:
- first full page load would get category defaults defined un cateory settings
- a navigation to a topic and then back to categories list would reset defaut to the ones defined in discovery/topics
* add composer:saved, composer:created-post, and composer:edited-post
appEvents inside the composer controller, to make it easier to detect
these events in plugins
* FIX: Fix race condition when resolving tag and category hashtags
If the category hashtags were resolved first and then tag hashtags, then
the tags would overwrite the categories. Similarly, if the category
hashtags were resolved last it would overwrite even hashtags which ended
with '::tag'.
* DEV: Add test
* DEV: Fix test
* FIX: Improve category hashtag lookup
This commit improves support for sub-sub-categories and does not include
the ID of the category in the slug, which fixes the composer preview.
* FIX: Sub-sub-categories can be mentioned using only two levels
* FIX: Remove support for three-level hashtags
* DEV: Simplify code
If any value, including nil, is passed in as an argument the default
won't be set, so we need to handle when a non-Array value is passed in
to the `generate_thumbnails!` method.
Because of how the dropdown was structured, as long it was in the DOM, all clicks outside the widget would rerender it.
This commit introduces `widget-dropdown-body` that handles the `clickOutside` callback and is rendered conditionally, so it won't get called when the dropdown is closed.
* FIX: CookText may be gone before promise resolves
Bug introduced in 293467a37a.
* DEV: Drop the window.requireModule in cook-text
It was introduced in 2017 in 232311aa8c but doesn't seem to be necessary anymore.
`OptimizedImage#filesize` calls `Discourse.store.download` with an OptimizedImage as an argument. It would in turn attempt to call `#original_filename` and `#secure?` on that object. Both would fail as these methods do not exist on OptimizedImage, only on Upload. We didn't know about these issues because:
1. `#calculate_filesize` is not called often, because the filesize is saved on OptimizedImage creation, so it's used mostly for manual filesize recalculation
2. we were using `rescue nil` which swallows all errors
Newer versions of Normalize remove the `border-collapse: collapse;` property and fallback to browser defaults. This commit restores that property because we're using it in quite a few places.
Previously, basic-topic-list had its own implementation of topic-list-item on mobile, which made it more difficult to maintain and extend. The visible difference was that the basic-topic-list implementation had no large avatar on the left. This commit adds a new hideMobileAvatar parameter to topic-list-item and topic-list, and sets it to `true` for the basic-topic-list component.
It is a second attempt to this update. First one was reverted here https://github.com/discourse/discourse/pull/8618
We noticed a problem that `like` counter had incorrect colour on mobile.
I added a missing rule to the bottom of the file (that rule existed in normalize-3 and was removed in normalize-8)
```
button,
input,
optgroup,
select,
textarea {
color: inherit;
}
```
The previous fix (f43c0a5d85) wasn't working for images that were already uploaded.
The "metadata" (eg. 'for_*' and 'secure' attributes) were not added to existing uploads.
Also used 'Upload.get_from_url' is the admin/site_setting controller to properly retrieve
an upload from its URL.
Fixed the Upload::URL_REGEX to use the \h (hexadecimal) for the SHA
Follow-up-to: f43c0a5d85
When uploading an image as a site setting, we need to return the "raw" URL, otherwise
when saving the site setting, the upload won't be looked up properly.
Follow-up-to: f11363d446
08044b4f regressed emoji auto complete logic since we (I) forgot to add the
space into the not capturing group at the beginning.
This meant that
`hello 👍t` would not trigger an autocomplete to pick skin tone.
* Change S3Helper::DOWNLOAD_URL_EXPIRES_AFTER_SECONDS to 5 minutes, which controls presigned URL expiry and secure-media route cache time.
* This is done because of the composer preview refreshing while typing causes a lot of requests sent to our server because of the short URL expiry. If this ends up being not enough we can always increase the time or explore other avenues (e.g. GitHub has a 7 day validity for secure URLs)
Previously we were using `$elem.find(...).not($elem.find(...))`. This took approximately 2ms on my machine with a test post.
This commit switches to using a native querySelectorAll method, which takes less than 0.5ms on the same test post.
This code runs on every keyup event in the application, so it needs to be efficient. Previously we were iterating over the whole document using the JQuery :visible selector. Per the JQuery docs at https://api.jquery.com/visible-selector/
> Using this selector heavily can have performance implications, as it may force the browser to re-render the page before it can determine visibility. Tracking the visibility of elements via other methods, using a class for example, can provide better performance.
We already had a `hidden` class on the modal element which we can check, so we can check that instead.
autocomplete resolving to [] was causing it to stop working.
Instead we have a special const (SKIP) which ensures it will
continue to be evaluated and only this instance is skipped.
In 91c89df6, I fixed the onebox to support local topics with a slug-less URL.
This commit fixes all the other spots (search, topic links and user badges) where we look up for a local topic.
Follow-up-to: 91c89df6
There is a feature in search where we take over from the tokenizer
in postgres and attempt to inject more words into search.
So for example: sam.i.am will inject the words i and am.
This is not ideal cause there are many edge cases and this can
cause extreme index bloat.
This is an opening move commit to make it configurable, over the
next few weeks we will evaluate and decide if we disable this by
default or simply remove.
When rebaking a post we were invalidating _regular_ oneboxes but not inline oneboxes.
DEV: also renamed 'InlineOneboxer.purge' to 'InlineOneboxer.invalidate' to keep
the API consistent with 'Oneboxer.invalidate'
#b19dcac2 improved the serializer so it sends default notification
levels to users to work around cases where a category edit would
would result in clients being left with invalid notification state
Unfortunately this did not address the root issue.
When we edit categories we publish state to multiple users this
means that the serializer is executed unscoped with no user.
The client already handles this case per:
dcad720a4c/app/assets/javascripts/discourse/app/models/site.js (L119-L119)
If a property is not shipped to it, it will leave it alone on the
existing category.
This fix ensures that these wide category info updates do not
include notification state to avoid corruption of local state.
The admin permalink list was a little tricky to use because the URLs are easily reduced with a ... if they are too long. This adds a copy to clipboard button for the URL and a title on hover so the full text of the URL can be seen.
* FEATURE: Don't display muted/ignored users under "who liked"
Previously, if you clicked on the heart icon below a post
it would show you the avatar for a user even if you ignored or muted
them.
This commit will instead display a (?) icon. The count of likes will
remain correct, but you needn't be reminded of the person you
preferred not to see.
* Use a circle instead of (?) for unknown user
* The first post was showing as bookmarked incorrectly after pressing f to open the topic modal then pressing escape to cancel without saving, because the closeWithoutSaving option was not being respected.
* Also re-introduce the enter shortcut when the name input is focused to saveAndClose the bookmark modal by pressing enter.
It's a stop gap – ideally we would generate a thumbnail for uploaded videos. For now, a bit of intentionality in the style and a pinch of context should do.
Fixes a bug in search-menu-results (type: "group"), where:
```javascript
const fullName = escapeExpression(group.fullName);
const name = escapeExpression(group.name);
const groupNames = [h("span.name", fullName || name)];
```
`groupNames` could end up having value "undefined" if a group doesn't have a `fullName`.
showPreview is necessary because we need to add 50% width class similar to: class="title-and-category with-preview" on the category and title div if the preview is shown.
There are two problems I'm trying to tackle here.
1. The site json is cached for anonymous users so readonly mode can be
cached for up to 30 minutes which makes it confusing.
2. We've already checked for readonly mode in the controller so having
to check for readonly mode again in `SiteSerializer` is adding an extra
Redis query on every request.
This came in as a request on meta to include the raw field in the post
webhook serializer.
https://meta.discourse.org/t/-/49045/55?u=blake
Including this field can prevent needing to make a 2nd API request to
get the raw field of a post.
It would be handy down the road if we updated the webhook ui to specify
fields or arguments that you wanted to be included in the serialized
data, but most requests I've seen to update the serializers have been
valid requests that are good to add anyways, so I don't think we have
reached that point yet.
If cooked is unchanged, ember will not re-render the preview area, so we should not re-run the post-processing decorators. This can cause issues when decorateCooked functions are not idempotent.
Users with TL below the "min trust to create topic" setting used to see a prompt to create new topics in the footer message below the topic list. Those topics would never be submitted because those users don't meet the TL requirements to create a new topic (based on that site setting). This PR removes that prompt for those users.
The user-card-additional-controls outlet is outside the `<li>` element, which makes styling difficult. Placing an outlet inside the button list means that themes/plugins can easily reuse core styling.
Previous to this fix the we were checking for non letters.
This was mismatching what pretty-text/addon/emoji.js was doing.
`ù:su`
and
`1:su`
Would lead to an emoji autocomplete popup in the composer.
Safari uses an aggressive back/forward cache, which means the app loads
very quickly when hitting Back. But, in topics with > 30 posts, hitting
Back runs post stream calculations too early, which means that users
get taken back to an earlier point in the stream, consistently.
Using `onpageshow`, we can restore the correct location before the post
stream calculations take place.
- This function now requires an explicit scope. It will never run on the entire document.
- Previously debounce was being used with an anonymous function, which means it was having no effect.
An empty string is a falsey value in javascript, so we were looking for the meta tag every time getURL was called, which took approximately 1.5ms every time.
Behavior was changed in #9966, which made the URL be relative.
If the user landed in a topic, for example, the browser was given a
service worker URL under that specific topic URL, which was a 404.
Fixes broken PWA install and broken push notifications
Adds new hidden site settings for rate limits:
30 for logged in users, 15 for anon
Adds an anon cache for searching, caches results of searches for 1 minute
Discourse needs a bunch of data preloaded before it can start up.
Normally we throw blobs of this into the HTML document that is requested
but in some cases that's awkward to retrieve.
For example with Ember CLI you have a separate javascript application
that needs to make its own HTML.
This API endpoint returns a JSON object with all the data Discourse needs to
bootstrap and start up.
* DEV: Move `Discourse.getURL` and related functions to a module
* DEV: Remove `Discourse.getURL` and `Discourse.getURLWithCDN`
* FIX: `get-url` is required for server side code
* DEV: Deprecate `BaseUri` too.
* FIX: prevents false boolean param to be filtered as non existant
This was preventing to filter top category route to be filtered by replies.
* if order is different ascending should be true on first click
* test
* fix
* just pass params
* more fixxes
In some restricted setups all JS payloads need tight control.
This setting bans admins from making changes to JS on the site and
requires all themes be whitelisted to be used.
There are edge cases we still need to work through in this mode
hence this is still not supported in production and experimental.
Use an example like this to enable:
`DISCOURSE_WHITELISTED_THEME_REPOS="https://repo.com/repo.git,https://repo.com/repo2.git"`
By default this feature is not enabled and no changes are made.
One exception is that default theme id was missing a security check
this was added for correctness.
Robin Ward
Penar Musaraj
Rafael dos Santos Silva
Blake Erickson
Dan Ungureanu
Bianca Nenciu
Jarek Radosz
Arpit Jalan
Bianca Nenciu
Krzysztof Kotlarek
David Taylor
Martin Brennan
Kris
Mark VanLandingham
Martin Brennan
Guo Xiang Tan
Jordan Vidrine
marielaSAG
Kane York
jjaffeux
Joe
Régis Hanol
Sam Saffron
Vinoth Kannan
Osama Sayegh
Roman Rizzi
Ahmed Gagan
tshenry
Neil Lalonde
Joshua Rosenfeld
Vinoth Kannan
Cassius
Bernhard Suttner
Jeff Wong
Faizaan Gagan
Samuel Carvalho Santos
spirobel
Gerhard Schlager
Guo Xiang Tan