Commit Graph

35230 Commits

Author SHA1 Message Date
Vinoth Kannan 4e4844f4db REFACTOR: reduce the number of db queries. 2019-11-18 12:06:13 +05:30
Sam Saffron 79b8c08d45 DEV: give categories-separator class to HR after categories
This allows for better styling of the hamburger menu
2019-11-18 17:31:01 +11:00
Martin Brennan af0cc89b11 Mark upload show paths as is_asset_path (#8365)
* this is to avoid excessive rate limiting, especially
  for secure media on media-heavy topics
2019-11-18 16:56:20 +11:00
Sam Saffron d28de23ac8 FEATURE: block screaming frog SEO spider by default
This crawler is not respectful and often can make 1000s of reqs a minute.

Block by default, site operators can amend this default if they want to.
2019-11-18 16:48:07 +11:00
Dan Ungureanu a9704da34c FIX: A pmOnly tag should link to messages (#8361)
isPrivateMessages represents that the tag list is shown in the context
of private messages and pmOnly represents that the tag is used only in
private messages.
2019-11-18 16:44:08 +11:00
Krzysztof Kotlarek 975165f25f FIX: Don't error CleanUpInactiveUserJob when user is missing (#8362) 2019-11-18 16:14:15 +11:00
Sam Saffron 7d389df5e7 DEV: correct spec to allow for new default
b4bfc27b changes the default so the spec should be changed as well.
2019-11-18 16:05:58 +11:00
Sam Saffron b4bfc27b19 FEATURE: introduce default application level rate limiting by IP
We have tested rate limiting with admin accounts with block rate limiting for
close to 12 months now on meta.discourse.org.

This has resulted in no degradation of services even to admin accounts that
request a lot of info from the site.

The default of 200 requests a minute and 50 per 10 seconds is very generous.
It simply protects against very aggressive clients.

This setting can be disabled or tweaked using:

DISCOURSE_MAX_REQS_PER_IP_MODE and family.

The only big downside here is in cases when a very large number of users tend
to all come from a single IP.

This can be the case on sites accessing Discourse from an internal network
all sharing the same IP via NAT. Or a misconfigured Discourse that is unable
to resolve IP addresses of users due to proxy mis-configuration.
2019-11-18 15:54:50 +11:00
Sam Saffron e2ccb0c608 DEV: remove NGINX performance report
This report is no longer supported or tested, it was moved to:

https://github.com/SamSaffron/discourse-nginx-performance-report

The new home for the performance report means this is no longer an official
Discourse plugin
2019-11-18 15:30:57 +11:00
Martin Brennan af091c49e9 FIX: Ensure revisions are made to store edit reasons and no reasons get wiped (#8363)
* Fix an issue where if an edit was made to a post with a reason provided, and then another edit was made with no reason, the original edit reason got wiped out
* We now always make a post revision (even with ninja edits) if an edit reason has been provided and it is different from the current edit reason

Co-Authored-By: Sam <sam.saffron@gmail.com>
2019-11-18 13:08:54 +10:00
Penar Musaraj 102909edb3 FEATURE: Add support for secure media (#7888)
This PR introduces a new secure media setting. When enabled, it prevents unauthorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required` is disabled, only media in private messages will be protected from unauthorized access.

A few notes: 

- the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads
- the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured
- upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status
- when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error
- when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3
2019-11-18 11:25:42 +10:00
Vinoth Kannan 56b19ba740 UX: instead of total user count display only the count of users going to be affected.
edec922803
2019-11-18 00:09:38 +05:30
Robin Ward 397852a9a6 FIX: Support for `rake db:rollback` with plugins
For this to work we need to overwrite `db:rollback` in our Rakefile like
we do for migrate, so that it removes the load_config dependency. This
allows our custom migration paths to work.
2019-11-15 16:38:46 -05:00
Blake Erickson eb4d8a43e3 DEV: Improve mail-receiver update instructions 2019-11-15 13:57:43 -07:00
Penar Musaraj 99b4f79a90 FIX: Include 5 participants in topic summary 2019-11-15 15:11:09 -05:00
Roman Rizzi 4cf3c9cccb FEATURE: Filter reviewables by date range (#8354) 2019-11-15 15:29:59 -03:00
Penar Musaraj 20f5a062f4 Fix Prettier in poll plugin 2019-11-15 11:01:22 -05:00
Penar Musaraj 6e74350f18 Fix Prettier again
Not sure how I missed a few files in the last commit
2019-11-15 10:52:06 -05:00
Penar Musaraj cc8baa1a7c Fix Prettier using correct version (1.19.1) 2019-11-15 10:34:26 -05:00
Penar Musaraj 655e610357 Fix Prettier 2019-11-15 10:28:46 -05:00
Martin Brennan abf215a0e4 Bump prettier to 1.19.1 and lock dependency (#8350) 2019-11-15 10:07:45 -05:00
Penar Musaraj 16cdf94001 DEV: Fix files targeted by Lefthook Prettier
The previous glob rule was skipping files in sub-subfolders, causing discrepancies between Travis and Jenkins results.
2019-11-15 09:21:51 -05:00
Daniel Waterworth 676a1c8749 FIX: Use this.content.category instead of this.category on navigation-item
this.category isn't always available.
2019-11-15 13:47:55 +00:00
Daniel Waterworth 337fdccfeb DEV: Make context available to ExtraNavItems
This context is available to other NavItems so this makes things more
consistent.
2019-11-15 13:46:49 +00:00
Martin Brennan 5c59247c3a Block enabling force 2FA if local logins disabled & vice-versa (#8355) 2019-11-15 17:05:10 +11:00
Sam Saffron e7cf4579a8 DEV: improve usability of subfolder specs
Previously people were not consistent about mocking which left internals in
a fragile state when running subfolder specs.

This introduces a simple helper `set_subfolder` which you can use to set
the subfolder for the spec. It takes care of proper configuration of subfolder
and teardown.

```
# usage
set_subfolder "/my_amazing_subfolder"
```

You should no longer stub base_uri or global_settings
2019-11-15 16:48:24 +11:00
Jeff Wong 40d14ba166 Fix the actual failing test 2019-11-14 16:20:45 -08:00
Jeff Wong 25dd045ba5 Fix failing test 2019-11-14 16:11:42 -08:00
Jeff Wong 786fcceb62 Return full URLs in review serializer for both post and topic
Return full URLs, this fixes reviewable links to support subfolder
2019-11-14 15:58:21 -08:00
Blake Erickson 3b16eb7abb FIX: Confirm new email with backup codes enabled
This is a fix for this bug:

https://meta.discourse.org/t/-/133185?u=blake

where rails would throw a missing template error when trying to confirm
a new email address when you had two factor backup codes enabled.

Apparently this feature broke during this commit:

68d35b14f4

when a partial that contained a lot of javascript was removed most
likely because it didn't comply with our Content Security Policy, so as
a fix I rewrote the previous js functionality without using any
javascript and then added a spec to verify that the correct backup code
form is displayed when that page is loaded.
2019-11-14 16:27:42 -07:00
romanrizzi ff355ad204 FIX: Don't show bots as post readers 2019-11-14 17:53:52 -03:00
romanrizzi f87d38fc7c Use correct variable name 2019-11-14 17:46:20 -03:00
Penar Musaraj 067696df8f DEV: Apply Rubocop redundant return style 2019-11-14 15:10:51 -05:00
Penar Musaraj be15abcf7f DEV: Add RedundantReturn style check to Rubocop 2019-11-14 14:42:36 -05:00
Penar Musaraj 6c16d5762c No need for return in last statement of method 2019-11-14 14:32:22 -05:00
Penar Musaraj 59ee89f0b7 UX: Adds +n indicator in PM topic list (#8353)
Shows the number of additional PM recipients in list when there are more than 5.
2019-11-14 14:14:23 -05:00
Robin Ward d4b7c028fa REFACTOR: Move upload utilities to their own file 2019-11-14 12:51:08 -05:00
Gerhard Schlager c83ae9a79f DEV: Add option to login at beginning of smoke tests
This is useful for testing sites which do not have any public topics.
2019-11-14 18:28:15 +01:00
Penar Musaraj f175afa0d9 FIX: Revert mobile jump to last post behaviour
Disables jumping to bottom of the page (added in 87f0b56) for mobile devices.

Fixes a regression with the mobile jump tool, and avoids users having to scroll up lots on mobile, since suggested topics and site footers can be lengthy.
2019-11-14 11:15:11 -05:00
Blake Erickson 73e33ce243 DEV: send url string to FileHelper and refactor another open-uri call
FileHelper.download requires a string not a URI. I also found another
instance of using open-uri directly and swapped it out to use
FileHelper.

I also updated it to not `read` a file if it comes back nil.

Follow up to: fe01099a38
2019-11-14 08:25:30 -07:00
Gerhard Schlager f72730703a Update translations 2019-11-14 15:41:42 +01:00
David Taylor f2da630c19 FIX: SVG Sprite version hash should be based on bundle result
This version hash is used for the filename, and so browsers/CDNs cache based on it. Previously the version hash was based only on the list of requested icons. This can cause issues in a couple of situations, most commonly when developing themes with custom icons:

- A requested icon does not exist, and then later is added to the theme. The bundle output changes, but the hash did not
- The SVG content of an icon changes, but the name of the icon does not. The bundle output changes, but the hash did not
2019-11-14 13:20:16 +00:00
Blake Erickson fe01099a38 DEV: Be sure to read the file into string before base64
Follow up to: 08b4753843

If you don't use `read` base64 will error out with: "no implicit
conversion of Tempfile into String"
2019-11-14 05:55:36 -07:00
Blake Erickson 08b4753843 DEV: Use FileHelper instead for downloading narrative bot avatar
Follow up to

b69450bee2

Using FileHelper here allows us to not have to use another require for
open-uri and gives us all the benefits of FileHelper.
2019-11-14 05:23:51 -07:00
Daniel Waterworth 0bb6b64747 DEV: Run prettier 2019-11-14 11:01:22 +00:00
Daniel Waterworth 7b63c92f47 DEV: Remove path building indirection
Tags are now handled just like other context information.
2019-11-14 10:47:14 +00:00
Daniel Waterworth 126b9bd16d FIX: Tag topic lists should pass on noSubcategories when building the top menu 2019-11-14 10:40:14 +00:00
Daniel Waterworth a1cf0b88a8 DEV: Make NavItem.fromText take a filterType instead of a URL
This is step one of removing filterMode URLs entirely.
2019-11-14 09:43:15 +00:00
Krzysztof Kotlarek f434de2536 FIX: Tracking Topic State know about category_seen_at (#8351)
If a category's last_seen_at is set, TrackingTopicState should know about it and exclude those topics from being marked as new
2019-11-14 16:11:34 +11:00
Blake Erickson b69450bee2 FIX: need to require open-uri for discourse-narrative-bot plugin
By requiring open-uri this will fix the following error:

```
NoMethodError (private method `open' called for #<URI::Generic...
```

also switched to the shorter syntax and removed default options. Since
ruby 2.4 redirect is on by default.
2019-11-13 18:11:50 -07:00