Commit Graph

619 Commits

Author SHA1 Message Date
Rafael dos Santos Silva 7b53973bd8
DEV: Use WebPush fork for OpenSSL 3 compat (#19627)
* DEV: Use WebPush fork for OpenSSL 3 compat

* add some context on gemfile changes
2022-12-27 15:28:13 -03:00
Martin Brennan b9d4336a20
DEV: Add test-site-settings to asset pipeline (#18935)
Follow up to 59da6c6ea2
2022-11-08 11:54:25 +10:00
David Taylor 68b4fe4cf8
SECURITY: Expand and improve SSRF Protections (#18815)
See https://github.com/discourse/discourse/security/advisories/GHSA-rcc5-28r3-23rr

Co-authored-by: OsamaSayegh <asooomaasoooma90@gmail.com>
Co-authored-by: Daniel Waterworth <me@danielwaterworth.com>
2022-11-01 16:33:17 +00:00
Martin Brennan 8ebd5edd1e
DEV: Rename secure_media to secure_uploads (#18376)
This commit renames all secure_media related settings to secure_uploads_* along with the associated functionality.

This is being done because "media" does not really cover it, we aren't just doing this for images and videos etc. but for all uploads in the site.

Additionally, in future we want to secure more types of uploads, and enable a kind of "mixed mode" where some uploads are secure and some are not, so keeping media in the name is just confusing.

This also keeps compatibility with the `secure-media-uploads` path, and changes new
secure URLs to be `secure-uploads`.

Deprecated settings:

* secure_media -> secure_uploads
* secure_media_allow_embed_images_in_emails -> secure_uploads_allow_embed_images_in_emails
* secure_media_max_email_embed_image_size_kb -> secure_uploads_max_email_embed_image_size_kb
2022-09-29 09:24:33 +10:00
David Taylor e06b9d4a52
DEV: Remove support for legacy plugin JS compilation pipeline (#18293)
This became the default in b1755137
2022-09-21 12:38:02 +01:00
David Taylor 1bd1664ae0
DEV: Compile markdown-it-bundle with ember-cli (#18104)
We were already compiling the markdown bundle via ember-cli, but that version was only being used in the test environment. This commit improves the implementation, and updates the filename so it's also used in production.

This commit also
- Removes the vendored copy of `markdown-it.js` and fetches from node_modules instead
- Updates `pretty_text.rb` to remove the custom sprockets-manifest-parsing
- Removes `pretty-text-bundle.js`, which was only being used by `pretty_text.rb`
2022-08-29 19:11:59 +01:00
Martin Brennan b197ca02b7
DEV: Do not MiniProfile theme-javascripts (#18067)
This creates a huge amount of noise depending on
the themes/theme components installed and doesn't
provide much value.
2022-08-24 16:01:42 +10:00
David Taylor 33a2624f09
DEV: Introduce flag for compiling Plugin JS with Ember CLI (#17965)
When `EMBER_CLI_PLUGIN_ASSETS=1`, plugin application JS will be compiled via Ember CLI. In this mode, the existing `register_asset` API will cause any registered JS files to be made available in `/plugins/{plugin-name}_extra.js`. These 'extra' files will be loaded immediately after the plugin app JS file, so this should not affect functionality.

Plugin compilation in Ember CLI is implemented as an addon, similar to the existing 'admin' addon. We bypass the normal Ember CLI compilation process (which would add the JS to the main app bundle), and reroute the addon Broccoli tree into a separate JS file per-plugin. Previously, Sprockets would add compiled templates directly to `Ember.TEMPLATES`. Under Ember CLI, they are compiled into es6 modules. Some new logic in `discourse-boot.js` takes care of remapping the new module names into the old-style `Ember.TEMPLATES`.

This change has been designed to be a like-for-like replacement of the old plugin compilation system, so we do not expect any breakage. Even so, the environment variable flag will allow us to test this in a range of environments before enabling it by default.

A manual silence implementation is added for the build-time `ember-glimmer.link-to.positional-arguments` deprecation while we work on a better story for plugins.
2022-08-22 09:56:39 +01:00
David Taylor 47824bc69f
DEV: Bump asset compiler versions (#17843)
This will trigger recompilation of theme/plugin assets following 7f9c2c0b
2022-08-09 12:06:15 +01:00
Jarek Radosz 4b935b61eb
FIX: CSS tweak and production position fix for miniprofiler (#17493)
* DEV: Format miniprofiler html
* FIX: Move miniprofiler to the right in production
* UX: Fix and merge miniprofiler css
2022-07-14 13:03:43 +02:00
Alan Guo Xiang Tan b4b87454f2
DEV: Move mini profiler badge to the right (#17468)
In the era where we have left aligned sidebar, the mini profiler badge
gets in the way
2022-07-13 13:40:12 +08:00
Jarek Radosz 040e1650f6
DEV: Remove old redis option (#17427)
`Redis.exists_returns_integer` is now true by default
2022-07-11 22:15:30 +02:00
Jarek Radosz a7284d3b96
DEV: Auto-allow multisite hosts in dev (#17246) 2022-06-27 21:58:33 +02:00
David Taylor 90993e2459
FIX: Precompile admin-plugins.js (#17154) (#17155)
This was inadvertently removed in 1b4692039e
2022-06-20 16:22:49 +01:00
David Taylor 9c6ce0fa3e
FIX: Precompile start-discourse.js (#17154)
This was inadvertently removed in 1b4692039e
2022-06-20 16:02:18 +01:00
Jarek Radosz 2c1fc28d00
DEV: Remove ember-cli flags from the backend (#17147)
…and other auxiliary code

* Restore `QUNIT_EMBER_CLI` flag warning
* Add `ALLOW_EMBER_CLI_PROXY_BYPASS`
2022-06-20 16:33:05 +02:00
David Taylor 1b4692039e DEV: Remove legacy JS manifests and vendored scripts
Now that we've switched to Ember CLI, these things are no longer used.

- These sprockets manifests are superceded by the assets generated by ember cli
- These vendored scripts are now fetched by ember-auto-import at compile time
2022-06-20 15:01:06 +01:00
Jarek Radosz fcb4e5a1a1
DEV: Make wizard an ember addon (#17027)
Co-authored-by: David Taylor <david@taylorhq.com>
2022-06-17 14:50:21 +02:00
Loïc Guitaut aa4b1d9c38 DEV: Use new defaults for ActiveSupport::Digest
Use the `OpenSSL::Digest::SHA256` class for `ActiveSupport::Digest`.
This could lead to cache invalidation.
2022-05-18 16:51:07 +02:00
Loïc Guitaut 0feffa6f88 DEV: Enable Rails 7 cache format version 2022-05-17 17:32:10 +02:00
Loïc Guitaut 9957929a15 DEV: Use hybrid cookies instead of marshal ones
Now that we’re sure about not reverting from Rails 7, we can enable the
hybrid cookie serializer to convert our cookies automatically.
2022-05-12 11:50:15 +02:00
David Taylor 476bd1d237
DEV: Fix production sourcemaps with Ember CLI (#16707)
22a7905f restructured how we load Ember CLI assets in production. Unfortunately, it also broke sourcemaps for those assets. This commit fixes that regression via a couple of changes:

- It adds the necessary `.map` paths to `config.assets.precompile`
- It swaps Sprockets' default `SourcemappingUrlProcessor` with an extended version which maintains relative URLs of maps
2022-05-11 10:23:32 +01:00
Alan Guo Xiang Tan a76256756f
DEV: Fix not being able to boot Sidekiq server in development (#16696) 2022-05-11 10:38:11 +08:00
Daniel Waterworth bc8968fd12
DEV: Move SidekiqLogsterReporter out of initializer (#16687)
This fits more naturally in its own file.
2022-05-09 13:01:31 -05:00
Gerhard Schlager 8442a07c13
DEV: Compatibility with TruffleRuby (#16641) 2022-05-05 09:50:02 +08:00
Jarek Radosz 68ccaa3acb
DEV: Fix typos and outdated comments (#16614) 2022-05-04 14:12:18 +08:00
Loïc Guitaut 008b700a3f DEV: Upgrade to Rails 7
This patch upgrades Rails to version 7.0.2.4.
2022-04-28 11:51:03 +02:00
Loïc Guitaut 357011eb3b DEV: Clean up freedom patches
This patch removes some of our freedom patches that have been deprecated
for some time now.
Some of them have been updated so we’re not shipping code based on an
old version of Rails.
2022-04-06 10:07:14 +02:00
David Taylor ddf9bac094
FIX: Ensure ActiveSupport::Inflector is used by Zeitwerk (#16341)
We want our autoloading to respect custom inflections registered with ActiveSupport::Inflector. `Zeitwek::Inflector` does not call out to ActiveSupport.

Instead, we can define our own DiscourseInflector based on the super-simple Inflector in rails core.

Follow-up to 5743a6ec
2022-03-31 14:43:12 +01:00
Alan Guo Xiang Tan d0c2eb3359
DEV: Drop `enable_long_polling` and `long_polling_interval` settings (#16323)
Scheduled to drop in 2.9.

Co-authored-by: Loïc Guitaut <loic@discourse.org>
2022-03-30 16:32:40 +08:00
Loïc Guitaut 58d6e4e233 FIX: Don’t put the whole sidekiq conf in `to_prepare`
Some of the Sidekiq configuration needs to happen when the initializers
run and not after otherwise our dev env isn’t usable anymore.
2022-03-29 17:40:29 +02:00
Alan Guo Xiang Tan 5743a6ec1e DEV: Remove Zeitwerk inflection monkey patch.
There isn't a good reason we need to patch the inflector.

Co-authored-by: Loïc Guitaut <loic@discourse.org>
2022-03-29 16:04:49 +02:00
Bianca Nenciu 7a416257df
FIX: Invalidate site settings cache in all instances (#16155)
Previous cache implementation did not support multisite instances and
the cache was invalidated only in the instance where the change took
place.
2022-03-11 17:16:56 +02:00
Jarek Radosz 2fc70c5572
DEV: Correctly tag heredocs (#16061)
This allows text editors to use correct syntax coloring for the heredoc sections.

Heredoc tag names we use:

languages: SQL, JS, RUBY, LUA, HTML, CSS, SCSS, SH, HBS, XML, YAML/YML, MF, ICS
other: MD, TEXT/TXT, RAW, EMAIL
2022-02-28 20:50:55 +01:00
Osama Sayegh 9c1ab97c01
DEV: Ensure Mini Profiler's `cookie_path` is not empty or nil (#16039)
Follow-up to 9c50c69bd2.
2022-02-23 22:18:58 +03:00
Jeff Wong 9c50c69bd2
FIX: dev subfolder session cookies (#16031)
rack-mini-profiler was setting a cookie path of / which was clobbering
the session cookie path of Discourse.base_path.

Fixes some issues when local dev is unable to read or write from/to
the user session, such as during omniauth CSRF checks.
2022-02-23 06:42:57 -08:00
David Taylor 98a7fa3d1a
PERF: Bump message_bus to 4.2 (#16026)
This includes upstream performance improvements. For details, see 1baa1ea4a5
2022-02-22 16:16:02 +00:00
Joffrey JAFFEUX f5ec32bc8c
FEATURE: adds the user_promoted event to webhooks (#15996) 2022-02-22 10:57:18 +01:00
Rafael dos Santos Silva d83da596be
FIX: Redis may not be availiable on Redis initializer (#15955) 2022-02-15 15:25:22 +00:00
Rafael dos Santos Silva 4d3da70bc6
PERF: Use Redis `SET EX GET` instead of LUA script for counting (#15939)
This will prevent Discourse from booting on Redis < 6.2.0
2022-02-15 10:36:07 -03:00
David Taylor c8c23ba557
DEV: Introduce deprecation warning for non-json Job arguments (#15842)
This commit introduces our own handling and warning for Sidekiq's new 'non-json-serializable' warning. This decouples us from Sidekiq's own deprecation cycle, and allows us to use our own deprecation system. It also means that the dump/parse happens in test mode, which will help us to catch occurrences before they reach production.
2022-02-07 17:59:55 +00:00
David Taylor fe5bfc8d3b
DEV: Route Sidekiq logs to Rails logger (#15817)
Most of our logging goes through Rails.logger, and therefore appears in Logster at `/logs` on a site. The Sidekiq logger was bypassing this and writing directly to STDERR.

Unfortunately it's not possible to do `Sidekiq.logger = Rails.logger` because `Sidekiq#logger=` applies a number of patches to the logger instance, causing our whole logging system to break.

Instead, this commit adds a dedicated Logger instance with no output, which is then patched to forward all messages directly to `Rails.logger`
2022-02-04 16:28:20 +00:00
David Taylor dfcb8a72fd
DEV: Ensure Sidekiq warnings are logged to STDERR (#15800)
The default configuration will log to STOUT, which pollutes the output of scripts/rake-tasks
2022-02-03 14:24:15 +00:00
Roman Rizzi 8b3d50713d
FIX: Pass category and tag IDs to the emit webhook event job. (#15568)
* FIX: Pass category and tag IDs to the emit webhook event job.

Like webhooks won't fire when they're scoped to specific categories or tags because we're not passing the data to the job that emits it.

* Update config/initializers/012-web_hook_events.rb

Co-authored-by: Dan Ungureanu <dan@ungureanu.me>

Co-authored-by: Dan Ungureanu <dan@ungureanu.me>
2022-01-14 11:17:38 -03:00
Jarek Radosz aee9fcd257
DEV: Update message_bus to 4.0.0 (#15553) 2022-01-13 08:14:52 +11:00
Jarek Radosz 5a50f18c0c
DEV: Avoid `$` globals (#15453)
Also:
* Remove an unused method (#fill_email)
* Replace a method that was used just once (#generate_username) with `SecureRandom.alphanumeric`
* Remove an obsolete dev puma `tmp/restart` file logic
2022-01-08 23:39:46 +01:00
Peter Zhu c5fd8c42db
DEV: Fix methods removed in Ruby 3.2 (#15459)
* File.exists? is deprecated and removed in Ruby 3.2 in favor of
File.exist?
* Dir.exists? is deprecated and removed in Ruby 3.2 in favor of
Dir.exist?
2022-01-05 18:45:08 +01:00
David Taylor ad25e4103d DEV: Do not log `MimeNegotiation::InvalidType` to logster
This error is self-inflicted by  clients (often security-scanners attempting injection attacks on the Accept header). No need to log them. Rails itself defines this as a 'silent exception', but this doesn't entirely prevent it from being logged: https://github.com/rails/rails/blob/f2caed1e/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb#L39-L42
2021-12-29 11:47:36 +00:00
David Taylor 86505dd394 DEV: Remove Poll scope ignore pattern from Logster config
We fixed the root cause in 2971d03307, so there is no need for this pattern any more
2021-12-29 11:47:36 +00:00
Alan Guo Xiang Tan bd034485d7 SECURITY: Disable MessageBus::Diagnostics.
MessageBus::Diagnostics allows anyone with access to carry out certain
operations that may result in a denial of service. The impact of this is
greater on multisiite clusters.
2021-12-17 14:45:26 +08:00