Commit Graph

860 Commits

Author SHA1 Message Date
Guo Xiang Tan 964624f3ab FIX: No error displayed when 2FA token is invalid on admin login page. 2018-02-22 09:45:57 +08:00
Guo Xiang Tan edf326a9a5 Fix incorrect translation. 2018-02-22 08:06:37 +08:00
Guo Xiang Tan 14f3594f9f Review Changes for f4f8a293e7. 2018-02-21 14:55:49 +08:00
Jeff Wong f4f8a293e7 FEATURE: Implement 2factor login TOTP
implemented review items.

Blocking previous codes - valid 2-factor auth tokens can only be authenticated once/30 seconds.
I played with updating the “last used” any time the token was attempted but that seemed to be overkill, and frustrating as to why a token would fail.
Translatable texts.
Move second factor logic to a helper class.
Move second factor specific controller endpoints to its own controller.
Move serialization logic for 2-factor details in admin user views.
Add a login ember component for de-duplication
Fix up code formatting
Change verbiage of google authenticator

add controller tests:
second factor controller tests
change email tests
change password tests
admin login tests

add qunit tests - password reset, preferences

fix: check for 2factor on change email controller
fix: email controller - only show second factor errors on attempt
fix: check against 'true' to enable second factor.

Add modal for explaining what 2fa with links to Google Authenticator/FreeOTP

add two factor to email signin link

rate limit if second factor token present

add rate limiter test for second factor attempts
2018-02-21 09:04:07 +08:00
Guo Xiang Tan 7902296c11 Oops we should register a service worker as long as it is supported. 2018-02-15 15:02:14 +08:00
Guo Xiang Tan 28365f8ae5 PERF: Have nginx cache and serve the service worker file. 2018-02-15 10:50:39 +08:00
Erick Guan 03b3e57a44 FEATURE: login by a link from email
Co-authored-by: tgxworld <tgx@discourse.org>
2018-02-13 16:14:39 +08:00
Robin Ward 0776340b29 SECURITY: Prevent robots from indexing more routes
These routes could contain sensitive material and should never be
indexed for content.
2018-02-04 13:24:36 -05:00
Neil Lalonde 2493648f9c PERF: calculate topic_counts for tags in an async job so tag queries that include counts are much faster 2018-01-12 11:03:03 -05:00
Sam 8ff5f5f2ef FIX: cache admin locale file for 24 hours 2018-01-09 10:23:49 +11:00
Vinoth Kannan f08995c390 Remove unused code lines 2017-12-29 12:32:18 +05:30
Gerhard Schlager 44ee388070 FEATURE: omit images from og and twitter description tags 2017-11-28 21:34:02 +01:00
Kris c2da25dd5c
Cleaning up the 404 page (#5363) 2017-11-24 12:41:31 -05:00
Neil Lalonde 66e53f449a UX: Auth complete page/modal has a link to continue to the site to accomodate auth methods that can't automatically redirect to Discourse 2017-11-21 13:56:19 -05:00
Robin Ward cef64e8f03 UX: Use `no_ember` styling for omniauth error page 2017-11-15 14:04:26 -05:00
Robin Ward d07ebf9d4c UX: Support for custom error pages and headers in plugins 2017-11-14 16:31:44 -05:00
Robin Ward 1c56e1c063 Support for HTML builders on the no-ember view 2017-11-14 16:04:27 -05:00
Robin Ward 52480d554a UX: Support for custom 404 pages 2017-11-14 11:57:17 -05:00
Sam dfe9f70747 UX: warn that something must be selected with safe mode 2017-11-13 15:59:51 +11:00
Michael Howell 38b8d68c68 FEATURE: Allow the user to select a custom home page (#5268)
* Add user_home configuration option

* Use the new user_home preference to actually show the right home page

* Fix trailing whitespace

* Update user_option_serializer.rb

* Fix JavaScript default homepage tests

* Use an object instead of a giant switch

* Remove trailing whitespace

* Make the default `user_home` set to `null` instead of `0`

* Rename user_home to homepage_id
2017-11-10 06:45:19 +11:00
Neil Lalonde 7eb5f78343 UX: increase max length of topic titles in summary email html by 40 characters 2017-11-06 10:00:01 -05:00
Neil Lalonde 7dc3671490 FEATURE: remove obsolete settings ga_tracking_code and ga_domain_name. Use ga_universal_tracking_code and ga_universal_domain_name instead. 2017-11-01 11:41:51 -04:00
Penar Musaraj bd1616d3d9 Add offline route and service worker to fix Android app install banner (#5217)
* set up static offline.html route and service worker for Android Web App Banner

* add viewport meta tag to offline view for android app banner

* add i18n support for offline.html pages, cleanup

* fix html syntax, add page title, remove license for service-worker.js
2017-10-31 10:46:48 +11:00
Neil Lalonde a5afc08363 FIX: html links in text part of summary email 2017-10-30 15:43:01 -04:00
Neil Lalonde 28bc5ac10a FIX: link to about page on subfolder 2017-10-30 14:34:12 -04:00
Neil Lalonde fec5691064 FIX: unsubscribe links in summary emails were missing subfolder 2017-10-30 14:28:43 -04:00
Neil Lalonde bf00ab5d4a FIX: grant admin on subfolder 2017-10-27 16:46:02 -04:00
Arpit Jalan 33f0d80ed5 UX: better title on search page 2017-10-27 09:13:04 +05:30
Guo Xiang Tan ad9553ff86 Merge pull request #5238 from discourse/jomaxro-patch-1
Add div to login-required text
2017-10-24 17:04:18 +08:00
Robin Ward e9159e49f3 FEATURE: Site Setting to determine whether flags defaults to topics 2017-10-20 12:37:20 -04:00
Arpit Jalan cafbf506cc better error message when confirming email change 2017-10-20 20:58:00 +05:30
Joshua Rosenfeld 64e5532b90 Add div to login-required text 2017-10-15 14:45:24 -04:00
Guo Xiang Tan 6fe604b93e Revert "SECURITY: Fix XSS on unsubscribed page."
This reverts commit 190558db9d.
2017-10-09 09:03:07 +08:00
Guo Xiang Tan 190558db9d SECURITY: Fix XSS on unsubscribed page. 2017-10-09 08:59:03 +08:00
Sam 70bb2aa426 FEATURE: allow specifying s3 config via globals
This refactors handling of s3 so it can be specified via GlobalSetting

This means that in a multisite environment you can configure s3 uploads
without actual sites knowing credentials in s3

It is a critical setting for situations where assets are mirrored to s3.
2017-10-06 16:20:01 +11:00
Sam ebdf8d6718 remove uneeded code 2017-10-04 15:05:58 +11:00
Sam 14310d2eee UX: title in JS must match title on Server
Corrects title flashing with incorrect value on front page reloads
2017-10-04 15:04:42 +11:00
Guo Xiang Tan 77d4c4d8dc Fix all the errors to get our tests green on Rails 5.1. 2017-09-25 13:48:58 +08:00
Arpit Jalan 6d35b62238 add image type attribute to icon link tag 2017-09-08 12:48:30 +05:30
Leo McArdle e183600563 FIX: redirect loop for new users visiting /new-topic using full screen login 2017-09-07 21:02:41 +01:00
Bianca Nenciu fa69e0dd77 Improved metadata for tags. (#5067) 2017-08-28 13:11:34 -04:00
Neil Lalonde d506e577a5 FEATURE: if full search returns no results, show google search form 2017-08-15 16:46:41 -04:00
Arpit Jalan b354099252 FEATURE: add custom open graph tag for ignoring canonical url 2017-08-15 19:24:20 +05:30
David Taylor 37300d6777 SECURITY: Do not show latest/top topics on 404 for login_required sites 2017-08-13 19:02:44 +03:00
Arpit Jalan bf2c35aa99 FEATURE: add RSS feed for badge pages 2017-08-09 13:43:49 +05:30
Robin Ward 2e4b3e9b06 Don't include all html builders on client and server side 2017-08-07 11:29:35 -04:00
Arpit Jalan 2d95b9dfbf FIX: prevent Cloudflare from obfuscating emails
https://support.cloudflare.com/hc/en-us/articles/200170016-What-is-Email-Address-Obfuscation-
2017-08-03 15:06:13 +05:30
Ryan Mulligan f3f7dd02d1 safely call html_safe on category description
The `categories.description` column is not modified as "not null", so it is possible for the description to be nil. This changes the code not call html_safe on nil.
2017-07-25 11:40:02 -07:00
Benjamin Elijah Griffin 4f77ca72a3 Stop Rails from escaping the HTML in this description. 2017-07-24 17:15:15 -07:00
Sam Saffron d0c5205a52 Feature: Change markdown engine to markdown it
This commit removes the old evilstreak markdownjs engine.

- Adds specs to WhiteLister and changes it to stop using globals
    (Fixes large memory leak)
- Fixes edge cases around bbcode handling
- Removes mdtest which is no longer valid (to be replaced with
    CommonMark)
- Updates MiniRacer to correct minor unmanaged memory leak
- Fixes plugin specs
2017-07-17 11:41:34 -04:00
Neil Lalonde 3ebd8838af FEATURE: cross-domain tracking for Google universal analytics 2017-07-13 15:21:44 -04:00
Sam 79a084dd58 Revert "remove old markdown engine work-in-progress"
This reverts commit ee470b5317.
2017-07-12 18:10:51 -04:00
Sam Saffron ee470b5317 remove old markdown engine work-in-progress 2017-07-12 17:44:40 -04:00
Guo Xiang Tan 7b35c55a1e FIX: Display Google search form when 404 page is rendered by Ember. 2017-06-29 14:37:24 +09:00
Neil Lalonde eee00b5bb5 UX: include a link to change email preferences at the bottom of summary emails as an alternative to unsubscribing 2017-06-26 12:27:22 -04:00
Sam 234694b50f Feature: CommonMark support
This adds the markdown.it engine to Discourse.
https://github.com/markdown-it/markdown-it

As the migration is going to take a while the new engine is default
disabled. To enable it you must change the hidden site setting:
enable_experimental_markdown_it.

This commit is a squash of many other commits, it also includes some
improvements to autospec (ability to run plugins), and a dev dependency
on the og gem for html normalization.
2017-06-23 12:01:33 -04:00
hosnas 4d62f41fbc RTL digest emails
Allows RTL digest emails. 
For this to work, I have done the following major additions:
1- adding appropriate direction to body and tables
2- making text-direction compatible with rtl
3- making float, padding, and margin tags compatible with rtl
2017-06-16 15:20:20 +04:30
Neil Lalonde 0b41046238 don't force SiteSetting.title into meta title tag 2017-06-12 13:50:50 -04:00
Arpit Jalan 6e37f09b19 UX: add email to '/email/unsubscribed' page 2017-06-10 09:51:12 +05:30
Jeff Atwood 5ff986129a copyedit to unsubscribe email 2017-06-09 00:27:24 -07:00
Arpit Jalan 1c0bbcd580 UX: show user email when unsubscribing 2017-06-09 09:20:24 +05:30
Leo McArdle 59922ce0a4 FEATURE: remove table wrapping posts in notification emails 2017-05-16 10:37:53 -04:00
Pat David aa009dd2b5 Add @embeddable_css_class from embed_controller 2017-05-11 15:16:16 -04:00
Guo Xiang Tan 71a266b673 Remove daily mailing mode option as it doesn't scale.
https://meta.discourse.org/t/daily-updates-option-for-mailing-list-mode/45029/14?u=tgxworld
2017-05-05 12:21:50 +08:00
Robin Ward b381372184 Use Ember.js for the `/u/account-created` path so we can add controls 2017-05-03 11:18:01 -04:00
Guo Xiang Tan 982e3d04f6 PERF: Allow memory to be freed instead of fetching all the objects into memory at once.
```
MemoryProfiler.report do
  Jobs::UserEmail.new.execute(type: :mailing_list, user_id: user.id)
end.pretty_print
```

Before:
```
Total allocated: 180096119 bytes (1962025 objects)
Total retained:  2194 bytes (16 objects)

allocated memory by gem
-----------------------------------
  66979096  activerecord-4.2.8
  43507184  nokogiri-1.7.1
  43365188  mail-2.6.4
   5960201  activesupport-4.2.8
   5056267  discourse/lib
   4835284  rack-mini-profiler-0.10.1
   3825817  arel-6.0.4
   2186088  i18n-0.8.1
   1719330  discourse/app
```

After:
```
Total allocated: 161935975 bytes (1473940 objects)
Total retained:  2234 bytes (17 objects)

allocated memory by gem
-----------------------------------
  45430264  activerecord-4.2.8
  43568627  nokogiri-1.7.1
  43430754  mail-2.6.4
  11233878  rack-mini-profiler-0.10.1
   5260825  activesupport-4.2.8
   5054491  discourse/lib
   2186088  i18n-0.8.1
   1822494  arel-6.0.4
```
2017-05-03 17:01:57 +08:00
Guo Xiang Tan f5b11cb429 PERF: Don't allocate extra array. 2017-05-02 11:54:23 +08:00
Robin Ward 30ebaf6b6a Update FontAwesome to 4.7.0 2017-04-26 15:16:30 -04:00
Robin Ward cd4f0393a8 Add a title tag to the search results page 2017-04-26 15:02:07 -04:00
Robin Ward bf9c4a7828 FEATURE: secure_email site setting to prevent data going out in email 2017-04-26 13:05:56 -04:00
Sam dfe3c162cc move stylesheet after js 2017-04-20 12:34:50 -04:00
Sam bbed29ba57 correct font preloading 2017-04-20 11:18:37 -04:00
Robin Ward 8b8ee2ad61 Pass a context in when using a HTML builder 2017-04-18 12:35:35 -04:00
Sam b43d2e42f4 missing spots 2017-04-17 12:30:20 -04:00
Sam 81ebe853d1 missed a few spots 2017-04-17 12:05:23 -04:00
Sam 5dd752877e FEATURE: try adding some preload hints for chrome 2017-04-17 11:52:43 -04:00
Arpit Jalan fe29fe71c5 FIX: embedding comments was broken 2017-04-14 08:14:22 +05:30
Sam 3f4f0b32a9 FIX: path wizard showing with no style 2017-04-13 15:22:39 -04:00
Sam a3e8c3cd7b FEATURE: Native theme support
This feature introduces the concept of themes. Themes are an evolution
of site customizations.

Themes introduce two very big conceptual changes:

- A theme may include other "child themes", children can include grand
children and so on.

- A theme may specify a color scheme

The change does away with the idea of "enabled" color schemes.

It also adds a bunch of big niceties like

- You can source a theme from a git repo

- History for themes is much improved

- You can only have a single enabled theme. Themes can be selected by
    users, if you opt for it.

On a technical level this change comes with a whole bunch of goodies

- All CSS is now compiled using a custom pipeline that uses libsass
    see /lib/stylesheet

- There is a single pipeline for css compilation (in the past we used
    one for customizations and another one for the rest of the app

- The stylesheet pipeline is now divorced of sprockets, there is no
   reliance on sprockets for CSS bundling

- CSS is generated with source maps everywhere (including themes) this
    makes debugging much easier

- Our "live reloader" is smarter and avoid a flash of unstyled content
   we run a file watcher in "puma" in dev so you no longer need to run
   rake autospec to watch for CSS changes
2017-04-12 10:53:49 -04:00
Arpit Jalan b3761653b3 FIX: render emoji in title tag on topic page 2017-04-11 00:25:22 +05:30
Neil Lalonde 3957540dd1 FIX: convert emoji to unicode in topic titles in emails 2017-04-10 13:15:25 -04:00
Arpit Jalan f960505359 FIX: translate badge metadata title 2017-04-06 09:57:52 +05:30
Aashaka Shah 402eaaa773 FEATURE: add og tags to metadata in individual badges page 2017-04-06 09:32:53 +05:30
Robin Ward 17f2974d0a SECURITY: Confirm new administrator accounts via email 2017-04-04 15:59:01 -04:00
Robin Ward 14410b71fb Convert server side paths to use `/u/` 2017-03-30 10:23:24 -04:00
Robin Ward 45a257815a Convert front end paths from `/users/` to `/u/` 2017-03-30 10:23:24 -04:00
Robin Ward 2fedf1c668 FIX: jQuery include was incorrect for `finish-installation` 2017-03-27 10:29:25 -04:00
Robin Ward 874e8900af Display email address in SSO error message. 2017-03-21 15:37:46 -04:00
Robin Ward aeaf5075bf Custom errors for when Email is invalid via SSO 2017-03-21 15:23:38 -04:00
Robin Ward 52d78294cc Render a layout when there's an SSO error 2017-03-21 15:23:38 -04:00
Arpit Jalan 801b5838e1 FIX: do not show faq/guidelines page to anonymous users for private forums 2017-03-08 16:00:49 +05:30
Arpit Jalan 090236b15b FIX: do not show about page to anonymous users for private forums 2017-03-08 13:15:44 +05:30
Neil Lalonde ca20cb9941 FEATURE: subcategories can be discovered by web crawlers on page 1 of the parent category topics list 2017-03-02 15:06:56 -05:00
Neil Lalonde 7496f373cd add headline itemprop to DiscussionForumPosting for crawlers 2017-03-02 12:35:50 -05:00
Blake Erickson 80858bae2c FEATURE: further restrict downloading of backups
- send email to logged in admin when they press the "download" button
- show pop-up that email was sent
- create email template
- require a valid token to download backup
2017-03-01 08:28:34 -07:00
Guo Xiang Tan 0e8c849572 UX: "See more" on not found page should redirect to /top. 2017-02-27 13:33:19 +08:00
Arpit Jalan 068ce19ae2 FEATURE: linked topics should be rendered under posts for crawlers 2017-02-21 12:43:24 +05:30
Neil Lalonde aa2c527c60 Remove "From" from every post in Popular Posts section of summary emails 2017-02-20 11:04:12 -05:00
Neil Lalonde d0fbb27f3e FEATURE: new invite acceptance page, where username can be chosen and password can be set 2017-02-15 16:51:57 -05:00
Sam 07b9c351a4 Merge pull request #4705 from vinothkannans/dev
new: server plugin outlet for indexable robots.txt
2017-02-13 11:18:51 -05:00