df45e82377
SECURITY: only allow picking of avatars created by self ( #6417 )
...
* SECURITY: only allow picking of avatars created by self
Also adds origin tracking to all uploads including de-duplicated uploads
2018-09-19 22:33:10 -07:00
9281b72308
FEATURE: Log entity export in staff logs
2018-09-19 03:16:45 +05:30
0e9841b995
SECURITY: remove admin memory diagnostics routes
2018-09-18 08:35:09 +10:00
6f1b8ad16d
FIX: tag groups page should only be visible to staff
...
No security concern here because nothing private was visible,
and no actions could be taken by non-staff users.
2018-09-17 11:41:18 -04:00
7b19ed06c1
reworked specs of existing group behavior
2018-09-17 17:46:43 +10:00
5bdf476de7
raise error early in drafts controller
2018-09-13 08:40:57 -04:00
aa614e393c
return 403 when trying drafts of another user
2018-09-12 13:08:02 -04:00
d1984a0b4d
FIX: display a correct error when attempting to agree on a deferred flag
...
Previously we would raise a 500 error if a moderator tried to agree on a
flag another moderator deferred.
This can happen cause the UX for flags does not live refresh as flags
are handled
2018-09-12 13:16:59 +10:00
71185c13b5
Merge pull request #6377 from tgxworld/remove_tif_tiff
...
Drop `tif`, `tiff`, `webp` and `bmp` from supported images.
2018-09-12 09:32:32 +08:00
e1b16e445e
Rename `FileHelper.is_image?` -> `FileHelper.is_supported_image?`.
2018-09-12 09:22:28 +08:00
16bd3f2cf2
FIX: use current user color scheme when filling `theme-color` attribute ( #6384 )
...
* FIX: use current user color scheme when filling `meta` attribute `theme-color`
* update manifest.webmanifest colors
2018-09-12 11:04:58 +10:00
9e77fd8fc3
FIX: wrong category links on subfolder install in rss feed for a category topic list
2018-09-07 10:03:30 -04:00
879067d000
FIX: check admin theme cookie against user selectable
...
previously admin got a free pass and could set theme via cookie to anything
including themes that are not selectable
this refactor ensures that only "preview" gets a free pass, all the rest
goes through the same pipeline
2018-09-07 10:47:28 +10:00
797cbf8653
FIX: Remove user fields when anonymizing user
2018-09-07 00:02:56 +02:00
d8b543bb67
FIX: redirect to original URL after social signup
2018-09-05 01:44:23 +05:30
4382fb5fac
DEV: Allow plugins to whitelist specific user custom_fields for editing ( #6358 )
2018-09-04 20:45:36 +10:00
2f5c21e28c
FIX: return a 400 error instead of 500 for null injections
...
Many security scanners like to inject NULL in inputs causing application
to exception out and return a 500
We now handle this exception and render a 400 status back
2018-09-04 12:11:52 +10:00
f33433bf9e
Validation of params should restrict to max int ( #6331 )
...
* FIX: Validation of params should restrict to max int
* FIX: Send status 400 when "page" param isn't between 1 and max int
2018-09-03 14:45:32 +10:00
59c9051a2e
REFACTOR: Rescue error at the specific spot that is raising the error.
2018-09-03 11:04:58 +08:00
f5e0356fb2
correct miscellaneous issues with user login history
2018-09-02 17:24:54 +10:00
931cffcebe
FEATURE: Let users see their user auth tokens. ( #6313 )
2018-08-31 10:18:06 +02:00
b3aab1770f
FIX: set old last modified date for invalid avatars
...
In some cases Akami was holding tight to these invalid avatars,
to avoid this happening we explain the avatar image is ancient
then when a new upload is added it automatically is older than
this.
2018-08-31 17:07:31 +10:00
ae532f8548
FIX: return 422 for an invalid group name on category create
2018-08-30 14:28:55 -06:00
103509b9dd
SECURITY: Prevent users from modifying custom fields
2018-08-30 12:59:36 +01:00
72ffabf619
UX: Improve email testing admin tool. ( #6308 )
2018-08-29 23:14:16 +02:00
9bf4333491
FIX: redirect to wrong URL after account creation on subfolder install
2018-08-24 10:34:44 -04:00
82dcc5cbfa
FEATURE: makes reports loadable in bulk ( #6309 )
2018-08-24 15:28:01 +02:00
e0cc29d658
FEATURE: themes and components split
...
* FEATURE: themes and components split
* two seperate methods to switch theme type
* use strict equality operator
2018-08-24 11:30:00 +10:00
29315b73c2
FIX: improve last_modified date returned for avatars
...
instead of hard coding a date:
1. For optimized images use the upload date when on s3
2. For not-found use 10 minutes ago to match the expiry
2018-08-24 09:36:11 +10:00
2711f173dc
FIX: don't allow inviting more than `max_allowed_message_recipients`
...
* FIX: don't allow inviting more than `max_allowed_message_recipients` setting allows
* add specs for guardian
* user preferences for auto track shouldn't be applicable to PMs (it auto watches on visit)
Execlude PMs from "Automatically track topics I enter..." and "When I post in a topic, set that topic to..." user preferences
* groups take only 1 slot in PM
* just return if topic is a PM
2018-08-23 14:36:49 +10:00
cdea969c6a
FEATURE: Make initial admins TL1
...
* Match register controller TL to rake admin:create
* Don't promote if trust_level > 1
2018-08-22 15:45:24 +10:00
5a6d1ee257
FIX: defer actions in a static method
...
This avoids capturing a huge closure and passing to defer
2018-08-22 14:36:56 +10:00
17dc8f2490
UX: Wizard resends activation email when user exists
2018-08-21 19:13:41 +02:00
2d96160192
FEATURE: improve API error reporting for invalid records
2018-08-21 11:54:34 +10:00
dc5fddbfe6
FIX: Do not show an empty modal when an IP address is allowed or blocked. ( #6265 )
2018-08-20 17:37:30 +02:00
b4f92a05b3
FIX: Load more on groups page does not account for params.
...
https://meta.discourse.org/t/cant-scroll-through-list-of-users-groups-if-more-than-one-page/92259
2018-08-20 17:08:50 +08:00
ce4b12ae59
FIX: if we have not target available do not redirect
2018-08-20 13:10:59 +10:00
37d4f27c44
FIX: quality/bugfix dashboard/reports pass ( #6283 )
2018-08-17 16:19:25 +02:00
9628c3cf97
FEATURE: automatically correct extension for bad uploads
...
This fixes with post thumbnails on the fly
2018-08-17 14:00:27 +10:00
baa72d18f8
FIX: simplify so we ban all auth paths
...
previously plugins that have auth paths were not disallowed and robots
tend to call them
2018-08-16 19:16:47 +10:00
796164b58c
FIX: automatically correct bad avatars on access
...
Also start relying on upload extension for optimized images
2018-08-16 16:32:56 +10:00
c8b5e6baae
FEATURE: Use `display: browser` in webmanifest for iOS devices
...
Since iOS doesn't have a back button and can have issues on log in.
See https://twitter.com/firt/status/1021477243909033984
2018-08-15 23:36:08 -03:00
d4fd19d49a
UX: Replace Google search with Discourse search on not found page
...
* UX: Replace Google search with Discourse search on not found page.
* FIX: Update application_controller_spec.rb.
2018-08-15 11:53:04 +10:00
12bab65167
FIX: going from /categories to /latest on mobile might break infinite scrolling
2018-08-15 01:22:03 +02:00
de92913bf4
FIX: store the topic links using the cooked upload url
2018-08-14 12:23:32 +02:00
ad5f502332
FIX: add a basic validator for topic params
...
This cuts down on log noise when people try out sql injection
2018-08-14 17:01:04 +10:00
6f6b4ff988
regression: don't return from a block
...
also clean up some warnings (shadowed var, unused var)
2018-08-10 14:53:55 +10:00
b9072e8292
FEATURE: Add "Reset Bump Date" action to topic admin wrench ( #6246 )
2018-08-10 10:51:03 +10:00
ef4b9f98c1
FEATURE: Allow admins to reply without topic bump
2018-08-10 10:48:30 +10:00
2c4d7225d8
FIX: permalink redirects with subfolder
2018-08-09 11:05:27 -04:00
Sam
Vinoth Kannan
Neil Lalonde
Kyle Zhao
pmusaraj
Guo Xiang Tan
Guo Xiang Tan
Osama Sayegh
Gerhard Schlager
David Taylor
Bianca Nenciu
Blake Erickson
Joffrey JAFFEUX
James Kiesel
Rafael dos Santos Silva
Misaka 0x4e21
Régis Hanol