Commit Graph

8583 Commits

Author SHA1 Message Date
Bianca Nenciu 0c8d658ba8
SECURITY: Prefer Loofah for processing cooked HTML 2021-02-24 17:17:49 +02:00
Joffrey JAFFEUX de32fa299d
DEV: adds DiscourseEvent - topic_first_visited_by_user (#12195)
This event would mostly allow plugins to create workflows once users have visited a specific topic.
2021-02-24 10:50:02 +01:00
Penar Musaraj c0fd4ab9d6
DEV: Remove deprecated plugins variables importer (#12168) 2021-02-23 16:20:59 -05:00
Roman Rizzi 95d3877709
FIX: Don't update `posts_read_count` when the post is from a PM. (#12131)
We don't want TL0 users doing the discobot tutorial to increase their read count.
2021-02-23 11:36:00 -03:00
Blake Erickson 0b2b4bc245
DEV: Document the user suspend api endpoint (#12179)
Wrote an api docs rspec test for documenting the user suspend api
endpoint.
2021-02-23 05:58:22 -07:00
Arpit Jalan 73fa4263fb
FIX: log warning when context is missing when a user is destroyed (#12182) 2021-02-23 16:47:54 +05:30
David Taylor 063690d28d
DEV: Correct DeprecatedSettings test cleanup (#12177)
If this test ran before the new SiteSettingsController spec from 8cd7c9b259, it would fail the run. We need to `dup` the array before calling `.clear` on the original
2021-02-22 21:55:15 +00:00
David Taylor 8cd7c9b259
DEV: Support setting deprecated site settings via the API (#12172) 2021-02-22 18:10:54 +00:00
Penar Musaraj 0620f6298e
UX: Remove emoji step in wizard (#12169) 2021-02-22 12:14:18 -05:00
Arpit Jalan f75e1867ff
FIX: do not send rejection emails to auto-deleted reviewable users (#12160)
FIX: add context when user is deleted via auto handle queued reviewable
FIX: do not delete email_log when a user is deleted
2021-02-22 18:37:47 +05:30
David Taylor a040f72f96
FIX: Make email_valid handling consistent (#11556)
Previously we were checking truthiness in some places, and `== true` in
others. That can lead to some inconsistent UX where the interface says
the email is valid, but account creation fails.

This commit ensures values are boolean when set, and raises an error for
other value types.

If this safety check is triggered, it means the specific auth provider
needs to be updated to pass booleans.
2021-02-22 12:05:36 +00:00
David Taylor ef19431e44
DEV: Improve User#email= behavior (#11338)
- Only apply the change after `save` is called on the record
- Automatically remove matching secondary emails
2021-02-22 11:42:37 +00:00
Roman Rizzi 4e716e9ce5
FIX: Reduce the time_read threshold to one minute. (#12159)
* FIX: Reduce the time_read threshold to one minute.

Five minutes is too much and could fill the queue with false positives.

* Update spec/jobs/enqueue_suspect_users_spec.rb

Co-authored-by: Arpit Jalan <arpit@techapj.com>

Co-authored-by: Arpit Jalan <arpit@techapj.com>
2021-02-20 08:25:32 -03:00
Blake Erickson ed0e4582a1
DEV: If disabled do not change setting after import (#12142)
When running an import script there are many site settings that are
changed but we reset them back to where they were originally before the
import. However, there are two settings that we don't roll back:

```
purge_unactivated_users_grace_period_days
purge_deleted_uploads_grace_period_days
```

which could have some unintended consequences.

My first question is do we *really* have to change these settings? I'm
not a huge fan of changing someones settings without them really knowing
they were changed.

If we really do have to change these settings here is my proposed PR
where we don't alter the `purge_unactivated_users_grace_period_days` if
it has been disabled.

As I'm writing this another change we could make is that we don't change
either of these site settings if we detect that they aren't set to the
default values.

The drive behind this PR is that there is a discourse instance which
relies on staged users as part of their workflow and this setting was
changed by accident via the import script causing users to be deleted
that shouldn't have been.
2021-02-19 09:33:35 -07:00
Penar Musaraj 5604ce70d4
DEV: More refactoring of SCSS importers (#12143) 2021-02-19 11:22:24 -05:00
Roman Rizzi 95fb363c2a
FEATURE: Use the "time_read" stat to flag users as suspicious. (#12145)
Completing the discobot tutorial gives you ~3m of reading time, so we set the limit at 5m. Additionally, we use an "OR" clause to cover the case when you just scroll through a single topic.
2021-02-19 13:10:19 -03:00
Penar Musaraj 7ee660a017
FIX: Sort admin dashboard new updates by latest (#12146) 2021-02-19 11:03:36 -05:00
Roman Rizzi aac9e6cb0a
FIX: Don't require a rejection reason if the user is a spammer. (#12141) 2021-02-19 12:57:01 -03:00
romanrizzi 7aae498e3e DEV: Clear custom API Key scopes after testing. 2021-02-18 14:21:14 -05:00
Bianca Nenciu 3246c3cc92
DEV: Update mail and use fork (#10639)
Version 2.8 brings some changes to how address fields are handled and
this commits updates that and should also include a fix which handles
encoded attachment filenames.

The fork contains a bugfix to correctly decode mail attachments.
2021-02-18 20:15:02 +02:00
jbrw 447ea3f888
FIX: NewPostManager should respect category_group_moderator settings (#12116)
NewPostManager’s `post_needs_approval_in_its_category` method should allow category group moderators to create topics/reply to topics that where they have appropraite permissions.

(ie, if a user has permission to moderate a post, any posts made by them shouldn’t be sent to moderation)
2021-02-18 13:00:06 -05:00
Osama Sayegh 69017298e8
FIX: Limit post read time to the max integer value (#12126)
Some users somehow manage to keep a topic open for a very long time that it causes the post read time to exceed the max integer value (2^31 - 1) which causes errors when we try to update the read time in the database to values above the integer limit.

This PR will cap posts read time at 2^31 - 1 to prevent these errors.
2021-02-18 17:48:15 +03:00
David Taylor 13d2a1f82c
SECURITY: Attach DiscourseConnect (SSO) nonce to current session (#12124) 2021-02-18 10:35:10 +00:00
Martin Brennan e0f0fe5624
FIX: Bump max topic timer duration to 20 years (#12107)
This way it has some sort of cap, even if it seems pretty
high, and we don't have to worry about requests for increasing
it from 2 to 5 to 10 etc.
2021-02-18 11:52:30 +10:00
Krzysztof Kotlarek 7829558c6d
FIX: dismiss new when topic_user exists without last read (#12103)
The bug was mentioned on meta: https://meta.discourse.org/t/pressing-dismiss-new-doesnt-clear-new-topics/179858

Problem is that sometimes the user has TopicUser records with `last_read_post_number` set as NULL. In that case, the topic is still "new" to them and should be dismissed when they click dismiss button.

In addition, I added that condition to post_migration and bumped the number to fix existing records. Migration is written to be idempotent so it will make no harm to already deployed instances.
2021-02-18 10:39:05 +11:00
Roman Rizzi 07cf0f9460
FIX: Allow plugins to correctly extend API key scopes. (#12113)
Adding a scope from a plugin was broken. This commit fixes it and adds a test.

It also documents the instance method and renames the serialized "id" attribute to "scope_id" to avoid a conflict when the scope also has a parameter with the same name.
2021-02-17 14:42:44 -03:00
Arpit Jalan a174c8b8d4
FIX: hide sso payload behind a button click and log views (#12110) 2021-02-17 21:27:51 +05:30
Joffrey JAFFEUX 8f5233a7bf
DEV: adds within_one_minute time matcher (#12109) 2021-02-17 10:52:49 +01:00
David Taylor 9d7dc89d79
DEV: Replace deprecated sso site settings with discourse_connect (#12099) 2021-02-17 09:31:20 +00:00
Joffrey JAFFEUX 7cad5dfa83
DEV: prevents time difference causing flaky spec (#12108) 2021-02-17 10:04:25 +01:00
Martin Brennan 3bfb1b34a1
DEV: Fix topic timer flaky spec for inheriting from category (#12106) 2021-02-17 15:00:06 +10:00
Martin Brennan fb83757edb
FIX: Auto close topic from category settings based on topic created_at (#12082)
Previously when inheriting category auto-close settings for a topic, those settings were disrupted if another topic timer was assigned or if a topic was closed then manually re-opened.

This PR makes it so that when a topic is manually re-opened the topic auto-close settings are inherited from the category. However, they will now be based on the topic created_at date. As an example, for a topic with a category auto close hours setting of 72 (3 days):

* Topic was created on 2021-02-15 08:00
* Topic was closed on 2021-02-16 10:00
* Topic was opened again on 2021-02-17 06:00

Now, the topic will inherit the auto close timer again and will close automatically at **2021-02-18 08:00**, which is based on the creation date. If the current date and time is greater than the original auto-close time (e.g. we were at 2021-02-20 13:45) then no auto-close timer is created.

Note, this will not happen if the topic category auto-close setting is "based on last post".
2021-02-17 07:51:39 +10:00
Bianca Nenciu fa3eb1f7fc
FIX: Category redirect to correct slug should not loop (#11772)
The server responds with a redirect to URLs with wrong slugs, even when
the slug was the correct but in the encoded form (if it contained
special characters).
2021-02-16 17:54:50 +02:00
Bianca Nenciu fad1fac196
FIX: Update topic_count when updating visibility (#11946)
Updating a topic's visibility did not increase or decrease the
topic_count of a category, but Category.update_stats does ignore
unlisted topics which resulted in inconsistencies when deleting
such topics.
2021-02-16 17:45:12 +02:00
Arpit Jalan 2aac657da7
DEV: fix flaky specs in ExportUserArchive (#12095) 2021-02-16 16:35:47 +05:30
Martin Brennan 9f0f801ae3
FIX: Do not mark group_flair images as secure on upload (#12081)
See https://meta.discourse.org/t/secure-media-uploads-breaks-group-flair-image/173671/4

Group flair image uploads definitely do not need to be secure.
2021-02-16 12:34:03 +10:00
Arpit Jalan 85c4e8fd32
FEATURE: support `mark` tag (#12088)
This commit adds support for `mark` tag for highlighting text content.
2021-02-15 21:47:30 +05:30
Arpit Jalan 901d6080df
FIX: do not show SSO last payload to moderators (#12084) 2021-02-15 16:12:06 +05:30
Krzysztof Kotlarek ad3ec5809f
FIX: Dismiss new with better migration (#12062)
Original PR was reverted because of broken migration https://github.com/discourse/discourse/pull/12058

I fixed it by adding this line
```
          AND topics.id IN(SELECT id FROM topics ORDER BY created_at DESC LIMIT :max_new_topics)
```

This time it is left joining a limited amount of topics. I tested it on few databases and it worked quite smooth
2021-02-15 08:50:33 +11:00
jbrw 70050a8ba3
FIX: should_alter_quality should respect png_to_jpg_quality (#12055)
`convert_to_jpeg!` is only called if `convert_png_to_jpeg?` and/or `should_alter_quality?` is true.

`convert_png_to_jpeg?` can be disabled by setting `SiteSetting.png_to_jpg_quality` to 100.

However, `should_alter_quality?` could be true if `SiteSetting.recompress_original_jpg_quality` was lower than the quality of the uploaded file, regardless of file type.

This commits changes `should_alter_quality?` so that uploaded png files will use the `SiteSetting.png_to_jpg_quality` value, rather than ``SiteSetting.recompress_original_jpg_quality` value.
2021-02-12 13:37:35 -05:00
Joffrey JAFFEUX 3b874f1b2d
DEV: prevents heisentest in processor spec (#12066)
This test failure was caused by rails calling `.debug` on our FakeLogger which was not supporting it, resulting in more errors than what the test was expecting.
2021-02-12 14:53:36 +01:00
Penar Musaraj 900d4187ef
DEV: Prevents rate limits for new feature checks on multisite (#12053) 2021-02-12 08:52:59 -05:00
Martin Brennan ff1ac57feb
FIX: Validate duration minutes values for topic timer (#12040)
Add server and client side validations to ensure topic timer durations cannot exceed 2 years and cannot be less than or equal to 0.
2021-02-12 09:05:14 +10:00
Krzysztof Kotlarek a696cc07d2
Revert "FEATURE: Ability to dismiss all new topics (#12018)" (#12058)
This reverts commits 7426764af4 and f5b18e2a31
2021-02-12 08:50:25 +11:00
Blake Erickson 395a903cf6
DEV: Show warning message when using ember css selectors (#12036)
* DEV: Show warning message when using ember css selectors

When editing the theme css via the admin UI a warning message
will be displayed if it detects that the `#emberXXX` or `.ember-view`
css selectors are being used. These are dynamic selectors that ember
generates, but they can change so they should not be used.

* Update error message text to be more helpful

* Display a warning instead of erroring out

This allows the theme to still be saved, but a warning is displayed.

Updated the tests to check for the error message.

Updated the pre tags css so that it wraps for long messages.
2021-02-11 13:48:57 -07:00
Daniel Waterworth df8436cd7f
FIX: Don't add a slug to constructed quote urls (#12052)
A topic with the slug 'topic' might exist and may end up being linked to
by mistake when malformed (i.e. cross-site) quotes are posted.
2021-02-11 12:21:13 -06:00
David Taylor 66151d8056
FIX: Handle empty email address from authentication provider (#12046)
If no email is provided, email_valid should be set false, so that
Discourse can prompt the user for an email and verify it.

This fixes signups via twitter for accounts with no email address.
2021-02-11 16:26:43 +00:00
David Taylor 830797a9c3
FEATURE: Allow post/topic thumbnails to be prioritized via markdown (#12044)
Previously we would always take the first image in a post to use as the
thumbnail. On media-heavy sites, users may want to manually select a
specific image as the topic thumbnail. This commit allows this to be
done via a `|thumbnail` attribute in markdown.

For example, in this case, bbb would be chosen as the thumbnail:

```
![alttext|100x100](upload://aaa)
![alttext|100x100|thumbnail](upload://bbb)
```
2021-02-11 15:44:41 +00:00
Krzysztof Kotlarek f5b18e2a31
FEATURE: Ability to dismiss all new topics (#12018)
Follow up https://github.com/discourse/discourse/pull/11968

Dismiss all new topics using the same DismissTopicService. In addition, MessageBus receives exact topic ids which should be marked as `seen`.
2021-02-11 13:35:09 +11:00
Krzysztof Kotlarek a1aa37758c
FIX: do not notify when the hidden tag is added or removed (#12025)
The bug was mentioned on meta https://meta.discourse.org/t/users-are-seeing-handling-of-unhandled-tag-again/155367

It was related to users who are watching a specific topic. In that case, when the hidden tag was added or removed to the topic they were notified by `NotifyTagChangeJob`.

That job should take hidden tags into consideration. If all changed tags are in a hidden group, it should exclude user not belong to that group.

At the same time, if visible to anyone tag is added or removed users watching topic should be notified.
2021-02-11 10:03:45 +11:00