Commit Graph

51424 Commits

Author SHA1 Message Date
Jarek Radosz 75c9635d8b
DEV: Remove the transpilation message (#23998) 2023-10-19 01:00:15 +02:00
Ella E bec53210e8
DEV: remove unused root max width in wizard (#23996) 2023-10-18 16:25:04 -06:00
dependabot[bot] d5b18bcbbf
Build(deps): Bump sass-embedded from 1.69.3 to 1.69.4 (#23993)
Bumps [sass-embedded](https://github.com/ntkme/sass-embedded-host-ruby) from 1.69.3 to 1.69.4.
- [Commits](https://github.com/ntkme/sass-embedded-host-ruby/compare/v1.69.3...v1.69.4)

---
updated-dependencies:
- dependency-name: sass-embedded
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-19 00:22:45 +02:00
dependabot[bot] 67594f8d74
Build(deps-dev): Bump the types group (#23994)
Bumps the types group in /app/assets/javascripts with 12 updates:

| Package | From | To |
| --- | --- | --- |
| [@types/ember](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/ember) | `4.0.7` | `4.0.8` |
| [@types/ember__application](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/ember__application) | `4.0.8` | `4.0.9` |
| [@types/ember__array](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/ember__array) | `4.0.6` | `4.0.7` |
| [@types/ember__component](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/ember__component) | `4.0.18` | `4.0.19` |
| [@types/ember__engine](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/ember__engine) | `4.0.7` | `4.0.8` |
| [@types/ember__object](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/ember__object) | `4.0.8` | `4.0.9` |
| [@types/ember__routing](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/ember__routing) | `4.0.16` | `4.0.17` |
| [@types/ember__runloop](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/ember__runloop) | `4.0.6` | `4.0.7` |
| [@types/ember__test](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/ember__test) | `4.0.3` | `4.0.4` |
| [@types/jquery](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/jquery) | `3.5.23` | `3.5.24` |
| [@types/qunit](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/qunit) | `2.19.6` | `2.19.7` |
| [@types/rsvp](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/rsvp) | `4.0.5` | `4.0.6` |


Updates `@types/ember` from 4.0.7 to 4.0.8
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/ember)

Updates `@types/ember__application` from 4.0.8 to 4.0.9
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/ember__application)

Updates `@types/ember__array` from 4.0.6 to 4.0.7
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/ember__array)

Updates `@types/ember__component` from 4.0.18 to 4.0.19
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/ember__component)

Updates `@types/ember__engine` from 4.0.7 to 4.0.8
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/ember__engine)

Updates `@types/ember__object` from 4.0.8 to 4.0.9
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/ember__object)

Updates `@types/ember__routing` from 4.0.16 to 4.0.17
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Changelog](https://github.com/DefinitelyTyped/DefinitelyTyped/blob/master/types/ember__routing/history-location.d.ts)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/ember__routing)

Updates `@types/ember__runloop` from 4.0.6 to 4.0.7
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/ember__runloop)

Updates `@types/ember__test` from 4.0.3 to 4.0.4
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/ember__test)

Updates `@types/jquery` from 3.5.23 to 3.5.24
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/jquery)

Updates `@types/qunit` from 2.19.6 to 2.19.7
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/qunit)

Updates `@types/rsvp` from 4.0.5 to 4.0.6
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/rsvp)

---
updated-dependencies:
- dependency-name: "@types/ember"
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: types
- dependency-name: "@types/ember__application"
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: types
- dependency-name: "@types/ember__array"
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: types
- dependency-name: "@types/ember__component"
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: types
- dependency-name: "@types/ember__engine"
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: types
- dependency-name: "@types/ember__object"
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: types
- dependency-name: "@types/ember__routing"
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: types
- dependency-name: "@types/ember__runloop"
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: types
- dependency-name: "@types/ember__test"
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: types
- dependency-name: "@types/jquery"
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: types
- dependency-name: "@types/qunit"
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: types
- dependency-name: "@types/rsvp"
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: types
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-19 00:22:30 +02:00
dependabot[bot] 9b22b7fd92
Build(deps): Bump thor from 1.2.2 to 1.3.0 (#23991)
Bumps [thor](https://github.com/rails/thor) from 1.2.2 to 1.3.0.
- [Release notes](https://github.com/rails/thor/releases)
- [Commits](https://github.com/rails/thor/compare/v1.2.2...v1.3.0)

---
updated-dependencies:
- dependency-name: thor
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-19 00:10:40 +02:00
Jarek Radosz dca23d3a53
DEV: Group `@types/*` updates (#23992) 2023-10-19 00:01:16 +02:00
Ella E 7af291b40d
UX: Wizard static confetti (#23973)
* UX: add static confetti bacgkround image on wizard steps

* DEV: slow down speed animation for confetti

* DEV: compress image file size

* UX: use an image that has transparent background

* DEV: use correct image file name
2023-10-18 15:19:00 -06:00
Penar Musaraj a125c9e63e
UX: Minor fixes to passkey handling (#23947)
- don't try to guess the name of the manager (too many options)
- improve error message when registration is not allowed
- output error in console when registration fails
- minor fix to rename dialog layout
- hides action buttons in DiscourseHub (because adding passkeys there is not possible)
- adds acceptance test to ensure action buttons are hidden for admins seeing another user's profile
2023-10-18 11:46:51 -04:00
Mark VanLandingham 585bb0df27
DEV: Add class name of action type for flag-action-type container (#23972) 2023-10-18 10:18:52 -05:00
Kris 31797ebc40
UX: improve handling of long theme names in admin (#23963) 2023-10-18 09:41:21 -04:00
David Taylor 3690fe59cc
DEV: Deprecate `api.registerConnectorClass` (#23721)
This API came from a time when themes had to define JS and templates inside `<script>` tags. Nowadays, it's rarely used, and much better patterns are available for registering connectors.
2023-10-18 13:01:46 +01:00
dependabot[bot] c3bde99cd0
Build(deps): Bump ember-template-imports from 3.4.2 to 4.0.0 in /app/assets/javascripts (#23970)
* Build(deps): Bump ember-template-imports in /app/assets/javascripts

Bumps [ember-template-imports](https://github.com/ember-template-imports/ember-template-imports) from 3.4.2 to 4.0.0.
- [Release notes](https://github.com/ember-template-imports/ember-template-imports/releases)
- [Changelog](https://github.com/ember-template-imports/ember-template-imports/blob/master/CHANGELOG.md)
- [Commits](https://github.com/ember-template-imports/ember-template-imports/compare/v3.4.2...v4.0.0)

---
updated-dependencies:
- dependency-name: ember-template-imports
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* Remove legacy decorators from gjs file

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: David Taylor <david@taylorhq.com>
2023-10-18 12:42:26 +01:00
David Taylor 25ddbd1aa6
DEV: Convert remaining core services to native class syntax (#23756) 2023-10-18 12:28:56 +01:00
David Taylor 93c67eeb4f
DEV: Consolidate and update jsconfig, and add types packages (#23824)
These updates significantly improve IDE tooling for imports across the Discourse core codebase, and also for framework packages. The `@types/ember-*` packages are a temporary solution until we get onto Ember 5, which ships its types in the main package.

The previous approach of having jsconfig files in each package directory did work, but once you start adding all the possible interlinks between them, we hit the file count limit of VSCode's tooling (because it counts every file for every jsconfig its referenced in). Having one file at the root means that a single file can apply to all core packages and plugins.

Long-term, to get the same functionality for all themes/plugins, we may need to look at building/publishing a Discourse types package which can be added to theme/plugin package.json files for development purposes.
2023-10-18 12:13:20 +01:00
Godfrey Chan c34f8b65cb
DEV: Rename I18n imports to discourse-i18n (#23915)
As of #23867 this is now a real package, so updating the imports to
use the real package name, rather than relying on the alias. The
name change in the package name is because `I18n` is not a valid
name as NPM packages must be all lowercase.

This commit also introduces an eslint rule to prevent importing from
the old I18n path.

For themes/plugins, the old 'i18n' name remains functional.
2023-10-18 11:07:09 +01:00
dependabot[bot] 0a6dfee0b9
Build(deps): Bump ember-this-fallback from 0.3.1 to 0.4.0 in /app/assets/javascripts (#23959)
* Build(deps): Bump ember-this-fallback in /app/assets/javascripts

Bumps [ember-this-fallback](https://github.com/tildeio/ember-this-fallback) from 0.3.1 to 0.4.0.
- [Release notes](https://github.com/tildeio/ember-this-fallback/releases)
- [Changelog](https://github.com/tildeio/ember-this-fallback/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tildeio/ember-this-fallback/commits)

---
updated-dependencies:
- dependency-name: ember-this-fallback
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Remove stale patch

* Update patch filenames

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: David Taylor <david@taylorhq.com>
2023-10-18 10:56:35 +01:00
Alan Guo Xiang Tan 3c26df78ea
UX: Fix deselect text location in edit sidebar category/tag modal (#23966)
Why this change?

In 38d3208027, the position of the
`headerBelowTitle` outlet was changed causing the deselect text in the
edit sidebar catgegory/tag modals to appear inline with the title which
we do not want.

What does this change do?

This change introduces the `belowModalTitle` outlet in `DModal` which is
where the `headerBelowTitle` outlet was located before it was changed.
2023-10-18 11:33:35 +08:00
Krzysztof Kotlarek 8c355d9e99
FIX: log for CleanUpTags job (#23964)
In previous [PR](https://github.com/discourse/discourse/pull/23864) we introduced setting to automatically delete unused tags. This action should be logged.
2023-10-18 03:24:14 +00:00
Martin Brennan e91d8feab3
Revert "FEATURE: Count only approved flagged posts in user pages (#22799)" (#23962)
This reverts commit 5f0bc4557f.

Through extensive internal discussion we have decided to revert
this change, as it significantly impacted moderation flow for
some Discourse site moderators, especially around "something else"
flags. We need to re-approach how flags are counted holistically,
so to that end this change is being reverted.
2023-10-18 11:38:17 +10:00
dependabot[bot] 30778e5fa4
Build(deps-dev): Bump sass in /app/assets/javascripts (#23960)
Bumps [sass](https://github.com/sass/dart-sass) from 1.69.3 to 1.69.4.
- [Release notes](https://github.com/sass/dart-sass/releases)
- [Changelog](https://github.com/sass/dart-sass/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sass/dart-sass/compare/1.69.3...1.69.4)

---
updated-dependencies:
- dependency-name: sass
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-18 02:48:43 +02:00
Krzysztof Kotlarek 4773f5d720
FEATURE: predefined simple list for admin setting (#23953)
Some admin settings are multiple list with predefined values. In that case, we should not allow to input any value which later will fail validation.
2023-10-18 00:25:32 +00:00
Bianca Nenciu bf97899029
DEV: Limit preloaded categories (#23958)
Site data is preloaded on the first page load, which includes categories
data. For sites with many categories, site data takes a long time to
serialize and to transfer.

In the future, preloaded category data will be completely removed.
2023-10-17 22:04:56 +03:00
Bianca Nenciu 2e68ead45b
FEATURE: Use async search for category dropdowns (#23774)
This commit introduces a new endpoint to search categories and uses it
instead of the categories map that is preloaded using SiteSerializer.

This feature is enabled only when the hidden site setting
lazy_load_categories is enabled and should be used only on sites with
many categories.
2023-10-17 19:46:54 +03:00
Blake Erickson 60ae69027c
DEV: Add category style deprecation check warning (#23951)
The category style site setting is being deprecated. This commit will
show a warning on the admin dashboard if a site isn't using the default
category style (bullet).
2023-10-17 10:40:31 -06:00
Bianca Nenciu c95ffb98ef
DEV: Serialize categories in topic lists (#23597)
At this moment, this feature is under a site setting named
lazy_load_categories.

In the future, categories will no longer be preloaded through site data.
This commit add information about categories in topic list and ensures
that data is used to display topic list items.

Parent categories are serialized too because they are necessary to
render {{category-link}}.
2023-10-17 19:06:01 +03:00
Discourse Translator Bot 5e6c63901f
Update translations (#23955) 2023-10-17 10:57:06 -04:00
Penar Musaraj 87a635ed32
UX: Fix icon color for video placeholder (#23957)
Also adds a small effect on hover.
2023-10-17 10:25:57 -04:00
Godfrey Chan 6036001667
DEV: stop relying on global jQuery, import "jquery" instead (#23924)
We'll probably have to keep the globals around for compatibility, but we should always import it ourselves. We'll followup with an updated eslint config to enforce this.
2023-10-17 13:56:59 +01:00
dependabot[bot] 070f4e318b
Build(deps): Bump @babel/traverse from 7.23.0 to 7.23.2 (#23949)
Bumps [@babel/traverse](https://github.com/babel/babel/tree/HEAD/packages/babel-traverse) from 7.23.0 to 7.23.2.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.23.2/packages/babel-traverse)

---
updated-dependencies:
- dependency-name: "@babel/traverse"
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-17 13:43:12 +02:00
Martin Brennan 3cde7f125d
DEV: Remove hashtag autocomplete experimental setting (#23954)
Everything relying on this was removed in
09223e5ae7
2023-10-17 15:05:58 +10:00
Martin Brennan 61c87fb59f
FIX: Properly attach secure images to email for non-secure uploads (#23865)
There are cases where a user can copy image markdown from a public
post (such as via the discourse-templates plugin) into a PM which
is then sent via an email. Since a PM is a secure context (via the
.with_secure_uploads? check on Post), the image will get a secure
URL in the PM post even though the backing upload is not secure.

This fixes the bug in that case where the image would be stripped
from the email (since it had a /secure-uploads/ URL) but not re-attached
further down the line using the secure_uploads_allow_embed_images_in_emails
setting because the upload itself was not secure.

The flow in Email::Sender for doing this is still not ideal, but
there are chicken and egg problems around when to strip the images,
how to fit in with other attachments and email size limits, and
when to apply the images inline via Email::Styles. It's convoluted,
but at least this fixes the Template use case for now.
2023-10-17 14:08:21 +10:00
Krzysztof Kotlarek 09eca87c76
FIX: synonym tags are not considered as unused (#23950)
Currently, `Tag.unused` scope is used to delete unused tags on `/tags` and by CleanUpTags job. Synonym tags, should not be included and treated as unused. Synonyms are only deleted when main tag is deleted:

https://github.com/discourse/discourse/blob/main/app/models/tag.rb#L57
2023-10-16 23:53:02 +00:00
dependabot[bot] ee9aa02ab3
Build(deps): Bump terser in /app/assets/javascripts (#23948)
Bumps [terser](https://github.com/terser/terser) from 5.21.0 to 5.22.0.
- [Changelog](https://github.com/terser/terser/blob/master/CHANGELOG.md)
- [Commits](https://github.com/terser/terser/compare/v5.21.0...v5.22.0)

---
updated-dependencies:
- dependency-name: terser
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-16 23:45:02 +02:00
Jeff Wong d208396c5c
UX: improve touch, swipe, panning performance on mobile menus (#23775)
PERF: improve touch, swipe, panning performance on mobile menus
---

* stop event propagation on swipe events: other touch events were stealing a huge amount of time here. Stop event
propagation when handling pan events.
* animate with [web animations api](https://developer.mozilla.org/en-US/docs/Web/API/Web_Animations_API/Using_the_Web_Animations_API)
* prefer translate3d to hint for gpu rendering.
* query document for elements only on start move event, not on subsequent move
events
* remove unused calculations for directioned velocity and distance: all swipe/pan elements function in x/y direction only.
* re-implement scroll locking behavior.

re-implemented scroll lock behavior
---

With stop event propagation, we need to re-implement scroll locking on menu swipes.
Previously, this was using onTouchMove which was costly.

We may now use styling with overflow-y:hidden to lock scroll behavior.

overflow:hidden on html/body elements is now supported by iOS as of 2022
https://bugs.webkit.org/show_bug.cgi?id=153852
https://bugs.webkit.org/show_bug.cgi?id=220908

UX: improve swipe
---

Some improvements to get gestures and swipes feeling a little more polished.

This focuses on end gesture, and how we transfer it to a css animation to
complete a menu open/close action.

Multitouch: events may pan, scroll, and zoom - especially on iOS safari.
Cancelling the swipe event allows for a more pleasant zooming experience.

* ease-out on menus opening, linear on close
* calculate animation duration for opening and closing,
attempt to better transfer user swipe velocity to css animation.
* more timely close/open and cleanup from calculated animation timing.
* add animation to closing menus on cloak tap
* correctly animate menus with ease-in and ease-out
* add swipe cancel event on multitouch event

DEV
---

* lean on promises

js animations api gives us promises to listen to. Update test waiters
to use waitForPromise from @ember/test-waiters instead of reigster/unregister.

* convert swipe mixin to its own class.

Convert swipe callbacks to custom events on the element.
Move shared functions for max animation time and close logic to
new shared class.

swipe-events lib uses custom events to trigger callbacks, rather than assuming
implemented hard coded function from the mixin's base class. Custom events are
triggered from the bound element as swipestart, swipeend, swipe

Add shared convenience functions for swipe events so they can be more easily
shared.

A client receives an initial swipe event and can check some state to see if it
wants to handle the swipe event and if it doesn't, calling
`event.preventDefault();` will prevent `swipe` and `swipeend` events from firing
until another distinct swipestart event is fired. Swipe events will auto-cancel on multitouch.

The scroll lock has also exposed as its own utility class.
2023-10-16 11:27:00 -07:00
Joffrey JAFFEUX d1ef6ab99f
FIX: do not serialize status when profile is hidden (#23946)
Users can decide to hide their profile and presence. It seems more correct to also not return the status in this case.

Co-authored-by: Penar Musaraj <pmusaraj@gmail.com>
2023-10-16 17:43:39 +02:00
Penar Musaraj 1400d4a8fd
Bump version to v3.2.0.beta3-dev 2023-10-16 11:20:22 -04:00
Penar Musaraj be04154838
Bump version to v3.2.0.beta2 2023-10-16 11:20:20 -04:00
Penar Musaraj 13afad70a5
DEV: Lint admin-email-preview-test.js 2023-10-16 10:46:02 -04:00
Alan Guo Xiang Tan cbbe3a808b
SECURITY: Add a default limit as to when logs should be truncated
Why this change?

This ensures that malicious requests cannot end up causing the logs to
quickly fill up. The default chosen is sufficient for most legitimate
requests to the Discourse application.

When truncation happens, parsing of logs in supported format like
lograge may break down.
2023-10-16 10:34:38 -04:00
Kelvin Tan ee084b754e
SECURITY: Prevent unauthorized access to grouped poll results
This adds access controls for the `/polls/grouped_poll_results`
endpoint, such that only users with appropriate permissions can read
the grouped results of a given poll.
2023-10-16 10:34:37 -04:00
Alan Guo Xiang Tan 4cb7472376
SECURITY: Prevent arbitrary topic custom fields from being set
Why this change?

The `PostsController#create` action allows arbitrary topic custom fields
to be set by any user that can create a topic. Without any restrictions,
this opens us up to potential security issues where plugins may be using
topic custom fields in security sensitive areas.

What does this change do?

1. This change introduces the `register_editable_topic_custom_field` plugin
API which allows plugins to register topic custom fields that are
editable either by staff users only or all users. The registered
editable topic custom fields are stored in `DiscoursePluginRegistry` and
is called by a new method `Topic#editable_custom_fields` which is then
used in the `PostsController#create` controller action. When an unpermitted custom fields is present in the `meta_data` params,
a 400 response code is returned.

2. Removes all reference to `meta_data` on a topic as it is confusing
   since we actually mean topic custom fields instead.
2023-10-16 10:34:35 -04:00
David Taylor 0ed20fe1cd
SECURITY: Correctly escape 'text' email preview 2023-10-16 10:34:34 -04:00
Bianca Nenciu 76bdea5ce2
SECURITY: Hide user profiles from public
User profiles, including the summary, should be private to anonymous
users if hide_user_profiles_from_public is enabled.
2023-10-16 10:34:32 -04:00
Jan Cernik 6350ba2cb3
SECURITY: Add permissions to MessageBus in chat
Add spec

compact
2023-10-16 10:34:30 -04:00
chapoi 9d1726fe2b
UX: better align user count (#23941) 2023-10-16 13:28:35 +02:00
David Taylor 1884b57af3
FIX: Open invite modal correctly from topic share UI (#23940)
This regressed when the create-invite modal was converted to the new component-based API in 8a7b5b00ea
2023-10-16 12:26:18 +01:00
David Taylor c8c38bea7e
DEV: Write execution file for test failures (#23879)
Followup to 3f8a85ed49
2023-10-16 11:12:13 +01:00
David Taylor aa4a5add70
DEV: Add system specs for dismiss new on tag routes (#23936) 2023-10-16 10:51:59 +01:00
dependabot[bot] 20a765e3ca
Build(deps-dev): Bump rubocop from 1.57.0 to 1.57.1 (#23937)
Bumps [rubocop](https://github.com/rubocop/rubocop) from 1.57.0 to 1.57.1.
- [Release notes](https://github.com/rubocop/rubocop/releases)
- [Changelog](https://github.com/rubocop/rubocop/blob/master/CHANGELOG.md)
- [Commits](https://github.com/rubocop/rubocop/compare/v1.57.0...v1.57.1)

---
updated-dependencies:
- dependency-name: rubocop
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-16 11:24:12 +02:00
dependabot[bot] b0f5e99026
Build(deps-dev): Bump bullet from 7.1.1 to 7.1.2 (#23938)
Bumps [bullet](https://github.com/flyerhzm/bullet) from 7.1.1 to 7.1.2.
- [Changelog](https://github.com/flyerhzm/bullet/blob/main/CHANGELOG.md)
- [Commits](https://github.com/flyerhzm/bullet/compare/7.1.1...7.1.2)

---
updated-dependencies:
- dependency-name: bullet
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-16 11:23:53 +02:00