Commit Graph

47197 Commits

Author SHA1 Message Date
Blake Erickson fefd938520
UX: Hide welcome topic from admins as well if not edited (#18807)
Depends on: #18806

We have a banner that prompts to edit the welcome topic, so let's not
show it in the topic list until it has been edited. Previously this
banner covered the welcome topic, now the banner will be above the topic
list, so we need to hide the welcome topic.
2022-11-01 16:17:17 -06:00
dependabot[bot] e79208888c
Build(deps): Bump zeitwerk from 2.6.3 to 2.6.4 (#18830)
Bumps [zeitwerk](https://github.com/fxn/zeitwerk) from 2.6.3 to 2.6.4.
- [Release notes](https://github.com/fxn/zeitwerk/releases)
- [Changelog](https://github.com/fxn/zeitwerk/blob/main/CHANGELOG.md)
- [Commits](https://github.com/fxn/zeitwerk/compare/v2.6.3...v2.6.4)

---
updated-dependencies:
- dependency-name: zeitwerk
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-11-01 21:48:10 +01:00
dependabot[bot] 6029c6a4dc
Build(deps-dev): Bump mocha from 1.16.0 to 2.0.0 (#18819)
Bumps [mocha](https://github.com/freerange/mocha) from 1.16.0 to 2.0.0.
- [Release notes](https://github.com/freerange/mocha/releases)
- [Changelog](https://github.com/freerange/mocha/blob/main/RELEASE.md)
- [Commits](https://github.com/freerange/mocha/compare/v1.16.0...v2.0.0)

---
updated-dependencies:
- dependency-name: mocha
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-11-01 21:33:39 +01:00
Jordan Vidrine 208d22cfc2
UX: Change placement of welcome cta (#18806) 2022-11-01 14:07:40 -05:00
Daniel Waterworth 167181f4b7
DEV: Quote values when constructing SQL (#18827)
All of these cases should already be safe, but still good to quote for
"defense in depth".
2022-11-01 14:05:13 -05:00
Kris a356e2fe30
UX: update and consolodate published page styles (#18792) 2022-11-01 14:31:39 -04:00
dependabot[bot] 10ea279bc9
Build(deps): Bump rubocop from 1.37.1 to 1.38.0 (#18821)
Bumps [rubocop](https://github.com/rubocop/rubocop) from 1.37.1 to 1.38.0.
- [Release notes](https://github.com/rubocop/rubocop/releases)
- [Changelog](https://github.com/rubocop/rubocop/blob/master/CHANGELOG.md)
- [Commits](https://github.com/rubocop/rubocop/compare/v1.37.1...v1.38.0)

---
updated-dependencies:
- dependency-name: rubocop
  dependency-type: indirect
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-11-01 18:59:19 +01:00
David Taylor e3da085e31
Version bump to v2.9.0.beta11 (#18822) 2022-11-01 17:00:05 +00:00
David Taylor 07ef1a80a1
SECURITY: Fix invite link email validation (#18817)
See https://github.com/discourse/discourse/security/advisories/GHSA-x8w7-rwmr-w278

Co-authored-by: Martin Brennan <martin@discourse.org>
2022-11-01 16:33:32 +00:00
David Taylor 68b4fe4cf8
SECURITY: Expand and improve SSRF Protections (#18815)
See https://github.com/discourse/discourse/security/advisories/GHSA-rcc5-28r3-23rr

Co-authored-by: OsamaSayegh <asooomaasoooma90@gmail.com>
Co-authored-by: Daniel Waterworth <me@danielwaterworth.com>
2022-11-01 16:33:17 +00:00
David Taylor 695b44269b
DEV: Do not remove `debugger` statements from themes (#18814) 2022-11-01 13:56:33 +00:00
Alan Guo Xiang Tan 02304cae83
FIX: Can't change notification level of categories set to regular (#18801)
This commit fixes a bug on the client site where we would include the
`regular_category_ids` field when trying to update the notification levels of
categories for a user. The `regulary_category_ids` field should only be
included when the `mute_all_categories_by_default` is enabled
2022-11-01 07:15:53 +08:00
dependabot[bot] d1c5529aad
Build(deps): Bump zeitwerk from 2.6.1 to 2.6.3 (#18809)
Bumps [zeitwerk](https://github.com/fxn/zeitwerk) from 2.6.1 to 2.6.3.
- [Release notes](https://github.com/fxn/zeitwerk/releases)
- [Changelog](https://github.com/fxn/zeitwerk/blob/main/CHANGELOG.md)
- [Commits](https://github.com/fxn/zeitwerk/compare/v2.6.1...v2.6.3)

---
updated-dependencies:
- dependency-name: zeitwerk
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-11-01 06:54:19 +08:00
Penar Musaraj b912bb955f
DEV: Mark `bootbox` as deprecated (#18795) 2022-10-31 14:08:35 -04:00
David Taylor d22fddf00a
UX: Ensure image size is maintained even after loading error (#18805) 2022-10-31 17:55:24 +00:00
Selase Krakani 586454bcf1
Refactor admin base controller (#18453)
* DEV: Add a dedicated Admin::StaffController base controller

The current parent(Admin:AdminController) for all admin-related controllers
uses a filter that allows only staff(admin, moderator) users.

This refactor makes Admin::AdminController filter for only admins as the name suggests and
introduces a base controller dedicated for staff-related endpoints.

* DEV: Set staff-only controllers parent to Admin::StaffController

Refactor staff-only controllers to inherit newly introduced
Admin::StaffController abstract controller. This conveys the
purpose of the parent controller better unlike the previously used parent
controller.
2022-10-31 12:02:26 +00:00
Natalie Tay 5e4bad0d8f
FIX: Evaluate all callbacks rather than override them (#18788) 2022-10-31 10:13:56 +08:00
Alan Guo Xiang Tan cfefdf0832
UX: Switch no categories/tags configured text in sidebar to a link (#18787)
Internal Ref: /t/73500
2022-10-31 06:42:55 +08:00
Osama Sayegh fa9e708cb7
FIX: Don't notify topic author about small action posts (#18789) 2022-10-31 06:26:20 +08:00
Gaurang Tandon 5ee5031bfa
UX: Fix grammar typo in trust_level_unlocked_tip (#18793) 2022-10-31 06:25:37 +08:00
dependabot[bot] 33946efd28
Build(deps): Bump jsdom from 20.0.1 to 20.0.2 in /app/assets/javascripts (#18800)
Bumps [jsdom](https://github.com/jsdom/jsdom) from 20.0.1 to 20.0.2.
- [Release notes](https://github.com/jsdom/jsdom/releases)
- [Changelog](https://github.com/jsdom/jsdom/blob/master/Changelog.md)
- [Commits](https://github.com/jsdom/jsdom/compare/20.0.1...20.0.2)

---
updated-dependencies:
- dependency-name: jsdom
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-10-30 22:40:43 +01:00
dependabot[bot] 20b083354d
Build(deps): Bump cose from 1.2.1 to 1.3.0 (#18799)
Bumps [cose](https://github.com/cedarcode/cose-ruby) from 1.2.1 to 1.3.0.
- [Release notes](https://github.com/cedarcode/cose-ruby/releases)
- [Changelog](https://github.com/cedarcode/cose-ruby/blob/master/CHANGELOG.md)
- [Commits](https://github.com/cedarcode/cose-ruby/compare/v1.2.1...v1.3.0)

---
updated-dependencies:
- dependency-name: cose
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-10-30 22:24:50 +01:00
dependabot[bot] 128b97d810
Build(deps): Bump net-smtp from 0.3.2 to 0.3.3 (#18798)
Bumps [net-smtp](https://github.com/ruby/net-smtp) from 0.3.2 to 0.3.3.
- [Release notes](https://github.com/ruby/net-smtp/releases)
- [Changelog](https://github.com/ruby/net-smtp/blob/master/NEWS.md)
- [Commits](https://github.com/ruby/net-smtp/compare/v0.3.2...v0.3.3)

---
updated-dependencies:
- dependency-name: net-smtp
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-10-30 22:24:42 +01:00
dependabot[bot] cfe264ee39
Build(deps): Bump @babel/standalone in /app/assets/javascripts (#18784)
Bumps [@babel/standalone](https://github.com/babel/babel/tree/HEAD/packages/babel-standalone) from 7.19.6 to 7.20.0.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.20.0/packages/babel-standalone)

---
updated-dependencies:
- dependency-name: "@babel/standalone"
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-10-30 21:32:41 +01:00
Blake Erickson f7a4fd1f49
FIX: Follow up fixes for password-reset error page (#18794)
* FIX: Follow up fixes for password-reset error page

Pass in `base_url` to the template
Use `.html_safe` since the message now contains html

Follow up to: 9b1536fb83

* Update specs to pass in the base_url
2022-10-28 15:41:26 -06:00
Blake Erickson f70d71c5e3
UX: Change emoji graphic on invite error page (#18790)
Switch to using the sweat-smile emoji instead of the cry emoji on the
error page when you have already redeemed your invite.
2022-10-28 11:34:38 -06:00
Penar Musaraj 0297c79cbe
FIX: simplify display of multiple AJAX errors (#18763)
Our dialog service doesn't accept HTML by default and we shouldn't include HTML in the error message string. And given that the Ajax error handler is called in multiple contexts, it's tricky to properly support line breaks via either HTML or `\n` so we are opting for plain text in AJAX error messages.
2022-10-28 08:37:08 -04:00
Osama Sayegh e120c94236
FIX: Don't attempt to add user again to a group when syncing groups via SSO (#18772)
This commit fixes a regression introduced in 8979adc where under certain conditions the groups syncing logic in Discourse Connect would try to add users to groups they're already members of and cause errors when users try to sign in using Discourse Connect.
2022-10-28 13:27:12 +03:00
Jarek Radosz fa5f43e7c0
DEV: Delete old `buffered-render` attributes (#18786)
That mixin was removed in 1a31a403ce (January 2020)
2022-10-28 08:30:14 +08:00
Alan Guo Xiang Tan 4244b1c57d
FIX: Ignore unique conflicts when backfilling sidebar defaults (#18785)
`insert_all!` raises an error when the insertion violates any unique
constraints which is not what we want here.

Follow-up to 1b56a55f50
2022-10-28 07:47:41 +08:00
Sam d99293d837
FEATURE: reduce suspicious distance logins warning to 100km (#18767)
Suspicious login emails are incredibly rare, we are concerned they are in
fact too rare. Attempt to reduce the distance down to 100km.
2022-10-28 07:01:11 +08:00
dependabot[bot] 249f322ac9
Build(deps-dev): Bump test-prof from 1.0.10 to 1.0.11 (#18781)
Bumps [test-prof](https://github.com/test-prof/test-prof) from 1.0.10 to 1.0.11.
- [Release notes](https://github.com/test-prof/test-prof/releases)
- [Changelog](https://github.com/test-prof/test-prof/blob/master/CHANGELOG.md)
- [Commits](https://github.com/test-prof/test-prof/compare/v1.0.10...v1.0.11)

---
updated-dependencies:
- dependency-name: test-prof
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-10-28 06:37:58 +08:00
dependabot[bot] 3e5d0f2e99
Build(deps): Bump json_schemer from 0.2.21 to 0.2.22 (#18782)
Bumps [json_schemer](https://github.com/davishmcclurg/json_schemer) from 0.2.21 to 0.2.22.
- [Release notes](https://github.com/davishmcclurg/json_schemer/releases)
- [Commits](https://github.com/davishmcclurg/json_schemer/compare/v0.2.21...v0.2.22)

---
updated-dependencies:
- dependency-name: json_schemer
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-10-28 06:36:18 +08:00
Kris 9c2f0edbec
UX: make whole category box clickable (#18780) 2022-10-27 15:27:53 -04:00
Dan Gebhardt 952b033165
FIX: Ensure that custom {{action}} modifier works with actions hash (#18779)
A callback that's provided as a string, such as `{{action "doSomething"}}`, may target the method `doSomething` on the context OR the context's `action` hash (if it exists).
2022-10-27 20:12:34 +01:00
Blake Erickson 9b1536fb83
DEV: Update expired reset password copy (#18778) 2022-10-27 12:29:50 -06:00
David Taylor a9f5af1065
UX: Allow linebreaks mid-word in github onebox file paths (#18777) 2022-10-27 18:16:18 +01:00
Kris 2556e5a715
FIX: a couple of topic elements are too wide (#18775) 2022-10-27 10:59:58 -04:00
David Taylor 6388637931
FIX: Move group-box group name from class to data attribute (#18773)
Having the group name in the `class` attribute can cause a clash with 'real' CSS classes. Putting it in a data attribute is much safer, and can still be targetted via CSS if desired.
2022-10-27 13:07:24 +01:00
Natalie Tay 4b6a5f08fa
FIX: Allow users already in automatic groups to log in (#18771) 2022-10-27 14:59:27 +08:00
Alan Guo Xiang Tan 101ec21bc9
SECURITY: Restrict display of topic titles associated with user badges (#18768)
Before this commit, we did not have guardian checks in place to determine if a
topic's title associated with a user badge should be displayed or not.
This means that the topic title of topics with restricted access
could be leaked to anon and users without access if certain conditions
are met. While we will not specify the conditions required, we have internally
assessed that the odds of meeting such conditions are low.

With this commit, we will now apply a guardian check to ensure that the
current user is able to see a topic before the topic's title is included
in the serialized object of a `UserBadge`.
2022-10-27 11:26:14 +08:00
Alan Guo Xiang Tan 1b56a55f50
DEV: Sidebar default tags and categories are determined at user creation (#18620)
The previous sidebar default tags and categories implementation did not
allow for a user to configure their sidebar to have no categories or
tags. This commit changes how the defaults are applied. When a user is being created,
we create the SidebarSectionLink records based on the `default_sidebar_categories` and
`default_sidebar_tags` site settings. SidebarSectionLink records are
only created for categories and tags which the user has visibility on at
the point of user creation.

With this change, we're also adding the ability for admins to apply
changes to the `default_sidebar_categories` and `default_sidebar_tags`
site settings historically when changing their site setting. When a new
category/tag has been added to the default, the new category/tag will be
added to the sidebar for all users if the admin elects to apply the changes historically.
Like wise when a tag/category is removed, the tag/category will be
removed from the sidebar for all users if the admin elects to apply the
changes historically.

Internal Ref: /t/73500
2022-10-27 06:38:50 +08:00
Alan Guo Xiang Tan a473e352de
DEV: Introduce TopicGuardian#can_see_topic_ids method (#18692)
Before this commit, there was no way for us to efficiently check an
array of topics for which a user can see. Therefore, this commit
introduces the `TopicGuardian#can_see_topic_ids` method which accepts an
array of `Topic#id`s and filters out the ids which the user is not
allowed to see. The `TopicGuardian#can_see_topic_ids` method is meant to
maintain feature parity with `TopicGuardian#can_see_topic?` at all
times so a consistency check has been added in our tests to ensure that
`TopicGuardian#can_see_topic_ids` returns the same result as
`TopicGuardian#can_see_topic?`. In the near future, the plan is for us
to switch to `TopicGuardian#can_see_topic_ids` completely but I'm not
doing that in this commit as we have to be careful with the performance
impact of such a change.

This method is currently not being used in the current commit but will
be relied on in a subsequent commit.
2022-10-27 06:13:21 +08:00
dependabot[bot] d4583357cb
Build(deps-dev): Bump rspec from 3.11.0 to 3.12.0 (#18761)
Bumps [rspec](https://github.com/rspec/rspec-metagem) from 3.11.0 to 3.12.0.
- [Release notes](https://github.com/rspec/rspec-metagem/releases)
- [Commits](https://github.com/rspec/rspec-metagem/compare/v3.11.0...v3.12.0)

---
updated-dependencies:
- dependency-name: rspec
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-10-27 05:30:51 +08:00
dependabot[bot] e12413dc0e
Build(deps): Bump memory_profiler from 1.0.0 to 1.0.1 (#18762)
Bumps [memory_profiler](https://github.com/SamSaffron/memory_profiler) from 1.0.0 to 1.0.1.
- [Release notes](https://github.com/SamSaffron/memory_profiler/releases)
- [Changelog](https://github.com/SamSaffron/memory_profiler/blob/master/CHANGELOG.md)
- [Commits](https://github.com/SamSaffron/memory_profiler/compare/v1.0.0...v1.0.1)

---
updated-dependencies:
- dependency-name: memory_profiler
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-10-27 05:30:27 +08:00
Penar Musaraj 9ec62091c6
DEV: Update upload mismatch error message (#18759)
Following feedback from translators, it does not look like we need to
refer to an "upload stub" here.
2022-10-26 15:41:50 -04:00
Gerhard Schlager 3fbae5dd03
UX: Use a friendlier educational message (#18760)
See /t/82115/3
2022-10-26 20:53:57 +02:00
Jarek Radosz a727476fb7
DEV: Revert topic loading async changes (#18757)
This reverts commits 2c5e8f1763 (#18585) and 589a249a65 (#18727)

Those changes caused race conditions with scroll-to-post/lockOn code.
2022-10-26 20:16:01 +02:00
Dan Gebhardt 0221855ba7
DEV: Normalize event handling to improve Glimmer + Classic component compat (Take 2) (#18742)
Classic Ember components (i.e. "@ember/component") rely upon "event
delegation" to listen for events at the application root and then dispatch
those events to any event handlers defined on individual Classic components.
This coordination is handled by Ember's EventDispatcher.

In contrast, Glimmer components (i.e. "@glimmer/component") expect event
listeners to be added to elements using modifiers (such as `{{on "click"}}`).
These event listeners are added directly to DOM elements using
`addEventListener`. There is no need for an event dispatcher.

Issues may arise when using Classic and Glimmer components together, since it
requires reconciling the two event handling approaches. For instance, event
propagation may not work as expected when a Classic component is nested
inside a Glimmer component.

`normalizeEmberEventHandling` helps an application standardize upon the
Glimmer event handling approach by eliminating usage of event delegation and
instead rewiring Classic components to directly use `addEventListener`.

Specifically, it performs the following:

- Invokes `eliminateClassicEventDelegation()` to remove all events associated
  with Ember's EventDispatcher to reduce its runtime overhead and ensure that
  it is effectively not in use.

- Invokes `rewireClassicComponentEvents(app)` to rewire each Classic
  component to add its own event listeners for standard event handlers (e.g.
  `click`, `mouseDown`, `submit`, etc.).

- Configures an instance initializer that invokes
  `rewireActionModifier(appInstance)` to redefine the `action` modifier with
    a substitute that uses `addEventListener`.

Additional changes include:
* d-button: only preventDefault / stopPropagation for handled actions
   This allows unhandled events to propagate as expected.
* d-editor: avoid adding duplicate event listener for tests
   This extra event listener causes duplicate paste events in tests.
* group-manage-email-settings: Monitor `input` instead of `change` event for checkboxes
2022-10-26 14:44:12 +01:00
Andrei Prigorshnev 20efd494ef
DEV: move BasicUserWithStatusSerializer from Discourse Chat (#18745) 2022-10-26 16:41:31 +04:00