Commit Graph

3438 Commits

Author SHA1 Message Date
Guo Xiang Tan 181c4eb760 PERF: Avoid parsing `Post#cooked` with Nokogiri for every search. 2020-07-24 10:43:09 +08:00
Guo Xiang Tan b979579c1b
DEV: Refactor draft attributes for `CategoryList` and `TopicList`.
Avoid repeating the same logic in a bunch of places which will allow us
to make changes to the draft attributes easier in the future.
2020-07-24 10:11:30 +08:00
Krzysztof Kotlarek 4b053462c0
FIX: display correct status on unsubscribe page (#10294)
There was a bug that even when `email_digest` was set to false but
`digest_after_minutes` was positive, we were not displaying correct
status.

In addition, the message is improved when the user is unsubscribed +
unsubscribe from all is hidden.
2020-07-23 16:20:10 +10:00
Blake Erickson 395d17e2ac DEV: Show failed to remove members from bulk groups api
Before this commit if you were bulk removing group members and passed in
a user who wasn't currently a member of that group the whole request
would fail. This change will return a 200 response now listing the users
that were removed and those that were skipped.
2020-07-22 14:32:31 -06:00
David Taylor c09b5807f3
FIX: Include resolved locale in anonymous cache key (#10289)
This only applies when set_locale_from_accept_language_header is enabled
2020-07-22 18:00:07 +01:00
David Taylor bcb0e62363
FIX: Make set_locale an around_action to avoid leaking between requests (#10282) 2020-07-22 17:30:26 +01:00
Vinoth Kannan 0884d570b1
FEATURE: add support for `top` filter in tag page. (#10281)
Currently, tag pages only have the `latest` filter.
2020-07-22 19:26:36 +05:30
Guo Xiang Tan 16961dee76
FIX: Typo in `NotificationsController#index` not caught by tests. 2020-07-22 09:22:26 +08:00
jbrw 0ed784b4fc
FEATURE: Create logs for Group Moderator changes (#10271) 2020-07-21 14:29:02 -04:00
Martin Brennan 41b43a2a25
FEATURE: Add "delete on owner reply" bookmark functionality (#10231)
This adds an option to "delete on owner reply" to bookmarks. If you select this option in the modal, then reply to the topic the bookmark is in, the bookmark will be deleted on reply.

This PR also changes the checkboxes for these additional bookmark options to an Integer column in the DB with a combobox to select the option you want.

The use cases are:

* Sometimes I will bookmark the topics to read it later. In this case we definitely don’t need to keep the bookmark after I replied to it.
* Sometimes I will read the topic in mobile and I will prefer to reply in PC later. Or I may have to do some research before reply. So I will bookmark it for reply later.
2020-07-21 10:00:39 +10:00
Blake Erickson 690f17bcbe
FEATURE: Allow List for PMs (#10270)
* FEATURE: Allow List for PMs

This feature adds a new user setting that is disabled by default that
allows them to specify a list of users that are allowed to send them
private messages. This way they don't have to maintain a large list of
users they don't want to here from and instead just list the people they
know they do want. Staff will still always be able to send messages to
the user.

* Update PR based on feedback
2020-07-20 15:23:49 -06:00
Roman Rizzi 98eb7a3f00
FIX: Users should be able to delete their own queued posts (#10265) 2020-07-20 17:21:20 -03:00
jbrw 7ab5658462
FEATURE: Allow group moderators to add/remove staff notes (#10252)
* FEATURE: Allow group moderators to add/remove staff notes
2020-07-20 15:53:47 -04:00
Daniel Waterworth 0b800d307f SECURITY: Bound the amount of work that embed#topics can do
This commit adds a hidden site setting that limits the maximum number of
topics that can be fetched at once via the embed controller.
2020-07-20 13:25:34 +01:00
Roman Rizzi f13ec11c64
FEATURE: Add scopes to API keys (#9844)
* Added scopes UI

* Create scopes when creating a new API key

* Show scopes on the API key show route

* Apply scopes on API requests

* Extend scopes from plugins

* Add missing scopes. A mapping can be associated with multiple controller actions

* Only send scopes if the use global key option is disabled. Use the discourse plugin registry to add new scopes

* Add not null validations and index for api_key_id

* Annotate model

* DEV: Move default mappings to ApiKeyScope

* Remove unused attribute and improve UI for existing keys

* Support multiple parameters separated by a comma
2020-07-16 15:51:24 -03:00
Vinoth Kannan 3252cb847c FIX: : trigger `user_updated` event only if email changed after user creation.
Follow-up to 1460d7957c
2020-07-16 18:21:30 +05:30
Vinoth Kannan 4f4d8d683f FIX: add noindex header to user summary page. 2020-07-16 02:32:55 +05:30
jbrw 06073fe8c6
FEATURE: Allow group moderators to close/archive topics
* FEATURE: Allow group moderators to close/archive topics
2020-07-14 12:36:19 -04:00
Guo Xiang Tan ce39733b1a
FIX: Incorrect search blurb when advanced search filters are used take2
Also remove include_blurbs attribute which isn't used.
2020-07-14 11:50:40 +08:00
Rafael dos Santos Silva e0f97c707e PERF: Cache user summary data 2020-07-13 15:26:56 -03:00
Dan Ungureanu cf02c518b9
DEV: Merge category and tag hashtags code paths (#10216)
Category and tag hashtags used to be handled differently even though
most of the code was very similar. This design was the root cause of
multiple issues related to hashtags.

This commit reduces the number of requests (just one and debounced
better), removes the use of CSS classes which marked resolved hashtags,
simplifies a lot of the code as there is a single source of truth and
previous race condition fixes are now useless.

It also includes a very minor security fix which let unauthorized users
to guess hidden tags.
2020-07-13 19:13:17 +03:00
Arpit Jalan 7532f24668 UX: better error message if moderator is not allowed to invite to group
UX: do not show invite to group option if mod is not owner of any group
2020-07-13 18:09:36 +05:30
Dan Ungureanu c72bc27888
FEATURE: Implement support for IMAP and SMTP email protocols. (#8301)
Co-authored-by: Joffrey JAFFEUX <j.jaffeux@gmail.com>
2020-07-10 12:05:55 +03:00
Dan Ungureanu e88b17c044
FIX: Sync client and server side behavior for category hashtag lookup
Category.query_from_hashtag_slug is the only source of truth.
2020-07-10 10:45:39 +03:00
Rafael dos Santos Silva e866e3d609
FEATURE: Add global rate limit for anon searches (#10208) 2020-07-10 09:08:34 +10:00
Robin Ward c2ce7f2673 FIX: Flaky test
The previous solution was not always working, I believe this one
will be consistent.
2020-07-09 14:48:49 -04:00
Martin Brennan 31e31ef449
SECURITY: Add content-disposition: attachment for SVG uploads
* strip out the href and xlink:href attributes from use element that
  are _not_ anchors in svgs which can be used for XSS
* adding the content-disposition: attachment ensures that
  uploaded SVGs cannot be opened and executed using the XSS exploit.
  svgs embedded using an img tag do not suffer from the same exploit
2020-07-09 13:31:48 +10:00
Kane York c86b1ee9d1
FIX: Disable security keys at same time as TOTP 2FA (#10144)
Previously, the "Remove 2FA" button could result in an error. This syncs button visibility with behavior.

* FIX: Only offer disabling 2FA to admins
2020-07-07 12:19:30 -07:00
Dan Ungureanu 333d4f9a98
FIX: Redirect user to the URL with the correct category slug (#10167)
This commit implements a category redirect similar to the one for topic
URLs with wrong slug.
2020-07-07 15:25:36 +03:00
Dan Ungureanu e08b860e88
FIX: Improve category hashtag lookup (#10133)
* FIX: Improve category hashtag lookup

This commit improves support for sub-sub-categories and does not include
the ID of the category in the slug, which fixes the composer preview.

* FIX: Sub-sub-categories can be mentioned using only two levels

* FIX: Remove support for three-level hashtags

* DEV: Simplify code
2020-07-07 10:19:01 +10:00
David Taylor 977766e7a8
FEATURE: sso_overrides_(email|username|name) for all auth methods
These settings previously applied only to discourse-sso. Now they work for all external authentication methods.
2020-07-06 10:18:45 +01:00
Régis Hanol 48b4ed41f5 FIX: uploading an existing image as a site setting
The previous fix (f43c0a5d85) wasn't working for images that were already uploaded.
The "metadata" (eg. 'for_*' and 'secure' attributes) were not added to existing uploads.

Also used 'Upload.get_from_url' is the admin/site_setting controller to properly retrieve
an upload from its URL.

Fixed the Upload::URL_REGEX to use the \h (hexadecimal) for the SHA

Follow-up-to: f43c0a5d85
2020-07-03 19:16:54 +02:00
Martin Brennan 8ef782bdbd
FIX: Increase time of DOWNLOAD_URL_EXPIRES_AFTER_SECONDS to 5 minutes (#10160)
* Change S3Helper::DOWNLOAD_URL_EXPIRES_AFTER_SECONDS to 5 minutes, which controls presigned URL expiry and secure-media route cache time.
* This is done because of the composer preview refreshing while typing causes a lot of requests sent to our server because of the short URL expiry. If this ends up being not enough we can always increase the time or explore other avenues (e.g. GitHub has a 7 day validity for secure URLs)
2020-07-03 13:42:36 +10:00
Osama Sayegh de243426c4
FIX: Negative limit values shouldn't cause error 500 (#10162) 2020-07-02 19:52:37 +03:00
Ahmed Gagan 04d7693355
FIX: Filter read/unread notifications on the server side (#10152)
https://meta.discourse.org/t/notifications-unread-only-filter/37621/32
2020-07-02 11:06:00 +01:00
Sam Saffron ac968f5363
PERF: cache all metadata for 60 seconds
Clients tend to request webmanifests and such very often.

Keep the data cached for 60 seconds so it is not requested aggresively.
2020-07-01 12:58:02 +10:00
Mark VanLandingham cd5cfc1496
FEATURE: Site setting to always show category definitions (#10124) 2020-06-29 13:22:02 -05:00
Régis Hanol 860deeb072 FIX: identify slug-less topic urls everywhere
In 91c89df6, I fixed the onebox to support local topics with a slug-less URL.
This commit fixes all the other spots (search, topic links and user badges) where we look up for a local topic.

Follow-up-to: 91c89df6
2020-06-29 12:31:20 +02:00
Joshua Rosenfeld b52143feff
FIX: Remove paths from robots.txt in favor of noindex header
Google no longer supports the use of robots.txt to block indexing.
See https://support.google.com/webmasters/answer/6062608 and
https://support.google.com/webmasters/answer/93710

Previous commits have added the `noindex` header to appropriate pages,
now we need to remove the paths from robots.txt so the pages can be
crawled.

Follow up to:
13f229808a
b6765aac4b
676be3a853
07b728c5e5
c94e6a9a66
2020-06-25 13:55:06 -04:00
Guo Xiang Tan 9c7d3b2dc0
FIX: Avoid marking notifications as seen in readonly mode. 2020-06-25 10:14:07 +08:00
Bianca Nenciu 685646540a
FIX: Hide PM tags if the site setting is disabled (#10089)
* FIX: Hide PM tags if the site setting is disabled

* Apply code suggestions
2020-06-22 16:48:24 +03:00
Robin Ward 4a2871f7f6
FEATURE: Don't display muted/ignored users under "who liked" (#10084)
* FEATURE: Don't display muted/ignored users under "who liked"

Previously, if you clicked on the heart icon below a post
it would show you the avatar for a user even if you ignored or muted
them.

This commit will instead display a (?) icon. The count of likes will
remain correct, but you needn't be reminded of the person you
preferred not to see.

* Use a circle instead of (?) for unknown user
2020-06-19 10:44:21 -04:00
Bianca Nenciu a1df68d4c4
FIX: Do not change tracked categories for staged users (#10076) 2020-06-18 21:09:54 +03:00
Robin Ward 494a27dc27 FIX: A much nicer error message if you can't ignore/mute a user 2020-06-18 13:41:27 -04:00
Dan Ungureanu d21a08c284
DEV: Deprecate Category#url_with_id in favor of Category#url (#9972) 2020-06-18 11:32:14 +03:00
Dan Ungureanu a60a67c431
FIX: Show unconfirmed emails too when checking emails (#10062)
When checking emails through user preferences, it did not display the
unconfirmed emails.
2020-06-17 21:41:01 +03:00
Joffrey JAFFEUX 9da3a7f436
FEATURE: allows published pages to be public (#10053) 2020-06-17 12:42:20 +02:00
Dan Ungureanu 84dfaad137
FIX: Fill acting_user field instead of target_user in history 2020-06-16 13:30:58 +03:00
Guo Xiang Tan 62ad473716
FIX: Preload readonly mode attribute seperately.
There are two problems I'm trying to tackle here.

1. The site json is cached for anonymous users so readonly mode can be
cached for up to 30 minutes which makes it confusing.

2. We've already checked for readonly mode in the controller so having
to check for readonly mode again in `SiteSerializer` is adding an extra
Redis query on every request.
2020-06-12 09:54:05 +08:00
Dan Ungureanu 5bfe1ee4f1
FEATURE: Improve UX support for multiple email addresses (#9691) 2020-06-10 19:11:49 +03:00
Dan Ungureanu 3a7ca97c36
FIX: Use include-subcategories filter in report export (#10007)
Some filters were renamed and the conversion of the filter names and arguments
was removed.
2020-06-10 18:57:39 +03:00
Guo Xiang Tan 31a527a293
FIX: Return 400 when invalid topic_id is provided when creating invite. 2020-06-10 09:29:28 +08:00
Guo Xiang Tan 45fd668dc5
DEV: Render a proper response that can be handled on the client side. 2020-06-10 09:25:58 +08:00
Arpit Jalan 3094459cd9
FEATURE: multiple use invite links (#9813) 2020-06-09 20:49:32 +05:30
Gerhard Schlager 0bf753a739 DEV: Remove unused routes 2020-06-08 10:26:29 +02:00
Gerhard Schlager 8c6a42c589 FIX: Redirects containing Unicode usernames didn't work 2020-06-08 10:26:29 +02:00
Jeff Wong de29b4a511
PERF: rate limit search, and add anon cache for search results (#9969)
Adds new hidden site settings for rate limits:
30 for logged in users, 15 for anon

Adds an anon cache for searching, caches results of searches for 1 minute
2020-06-04 09:26:08 -07:00
Guo Xiang Tan 2188ccccd5 DEV: Remove `initiating_user` keyword arg from `EmailUpdater`.
The guardian contains the acting user.
2020-06-04 13:21:56 +08:00
Vinoth Kannan 3e7f7fdde8
FEATURE: category setting for default list filter. (#9975) 2020-06-04 00:56:56 +05:30
Robin Ward 22789e0201 New `bootstrap.json` endpoint for starting up Discourse
Discourse needs a bunch of data preloaded before it can start up.
Normally we throw blobs of this into the HTML document that is requested
but in some cases that's awkward to retrieve.

For example with Ember CLI you have a separate javascript application
that needs to make its own HTML.

This API endpoint returns a JSON object with all the data Discourse needs to
bootstrap and start up.
2020-06-03 14:45:23 -04:00
Vinoth Kannan 7fe414d35d FIX: hide rss feed & json if a user profile is hidden. 2020-06-03 19:03:02 +05:30
Sam Saffron 57a3d4e0d2
FEATURE: whitelist theme repo mode (experimental)
In some restricted setups all JS payloads need tight control.

This setting bans admins from making changes to JS on the site and
requires all themes be whitelisted to be used.

There are edge cases we still need to work through in this mode
hence this is still not supported in production and experimental.

Use an example like this to enable:

`DISCOURSE_WHITELISTED_THEME_REPOS="https://repo.com/repo.git,https://repo.com/repo2.git"`

By default this feature is not enabled and no changes are made.

One exception is that default theme id was missing a security check
this was added for correctness.
2020-06-03 13:19:57 +10:00
Guo Xiang Tan 3dd1778199
PERF: Reduce number of queries from 3 -> 1 when fetching web manifest. 2020-06-02 12:04:02 +08:00
Guo Xiang Tan 370cba451d
DEV: Refactor away conditionals that we don't need. 2020-06-02 10:40:29 +08:00
Vinoth Kannan e1af91f5ae Revert "FEATURE: category setting for default list filter."
This reverts commit 6f03d14c23.
2020-05-30 20:53:53 +05:30
Guo Xiang Tan 81de592804
PERF: Use more efficient query when checking for existence. 2020-05-29 15:47:05 +08:00
Jeff Wong 1509afefba DEV: simplify detailed_404 logic 2020-05-28 10:54:02 -07:00
Blake Erickson 6548cd1a96 FIX: sending messages to groups with non-lowercase names
Fixes a regression in

e8fb9d4066

which caused a bug where you couldn't send a message to a group that
contained an Uppercase letter. Added a test case for this.

Bug report: https://meta.discourse.org/t/-/152999
2020-05-27 14:52:08 -06:00
Jeff Wong a9d92f338e
SECURITY: make find topic by slug adhere to SiteSetting.detailed_404 (#9898) 2020-05-27 11:28:38 -07:00
Dan Ungureanu 570b12a903
FEATURE: Show a detailed 404 page for private topics (#9894) 2020-05-27 20:10:01 +03:00
Artem Vasiliev 12544c02c1
FIX: add X-Robots-Tag header for check_xhr-covered GET actions, too (#9868)
* FIX: add X-Robots-Tag header for check_xhr-covered GET actions, too

see https://meta.discourse.org/t/missing-x-robots-tag/152593/3 for context

* test: a spec making sure X-Robots-Tag header is present when needed

/groups path responds to anonymous requests and doesn't skip `check_xhr` method, so we can use it here.
2020-05-27 11:57:05 -04:00
Sam Saffron 5bfb6830c9
SECURITY: missing security check prior to redirect
In some rare cases, if a user knows the exact title of a topic
they could possibly determine that it really exists in the system
2020-05-27 10:58:22 +10:00
Martin Brennan 2d534bf2e0
FIX: Pass current_user to TopicQuery in for categories_and_top_topics (#9885) 2020-05-27 10:05:06 +10:00
Guo Xiang Tan 26c7fa2c29
FIX: `rescue_from` doesn't bubble up.
See a47e0c19e6/actionpack/lib/action_controller/metal/rescue.rb (L25)
2020-05-26 22:43:29 +08:00
Bianca Nenciu f47400475e
FEATURE: Send a private message when a group membership is accepted (#9822)
* FEATURE: Send a private message when a group membership is accepted

* DEV: Small code improvements

* FIX: Send PM as group owner

* Copy edits
2020-05-26 16:28:03 +03:00
Osama Sayegh 2211581a85
FIX: Don't responde with error 500 if domain is invalid when adding automatic membership domain (#9655) 2020-05-26 15:40:09 +10:00
Arpit Jalan e8fb9d4066 FIX: when creating new PM username/groupname should be case-insensitive
(take 2)

https://meta.discourse.org/t/case-sensitivity-in-links-to-groupname/147596
https://meta.discourse.org/t/remove-case-sensitive-in-adding-users-to-a-message/151275
2020-05-25 21:34:05 +05:30
Arpit Jalan 302b37c805 Revert "FIX: when creating new PM username/groupname should be case-insensitive"
This reverts commit 2be79d94f5.

This is affecting multiple code path. Investigating.
2020-05-25 20:10:14 +05:30
Arpit Jalan 2be79d94f5 FIX: when creating new PM username/groupname should be case-insensitive
https://meta.discourse.org/t/case-sensitivity-in-links-to-groupname/147596
https://meta.discourse.org/t/remove-case-sensitive-in-adding-users-to-a-message/151275
2020-05-25 19:04:59 +05:30
Gerhard Schlager 631024ae5d FEATURE: Permalinks for tags 2020-05-25 14:51:01 +02:00
Vinoth Kannan 47c6fe9bfa Merge branch 'master' of github.com:discourse/discourse 2020-05-25 11:36:18 +05:30
Vinoth Kannan 8e56197728
UX: use "icon-picker" & "image-uploader" fields to set group flair. (#9779) 2020-05-25 11:08:47 +05:30
Vinoth Kannan 6f03d14c23 FEATURE: category setting for default list filter. 2020-05-25 00:04:06 +05:30
Michael Brown d9a02d1336
Revert "Revert "Merge branch 'master' of https://github.com/discourse/discourse""
This reverts commit 20780a1eee.

* SECURITY: re-adds accidentally reverted commit:
  03d26cd6: ensure embed_url contains valid http(s) uri
* when the merge commit e62a85cf was reverted, git chose the 2660c2e2 parent to land on
  instead of the 03d26cd6 parent (which contains security fixes)
2020-05-23 00:56:13 -04:00
Jeff Atwood 20780a1eee Revert "Merge branch 'master' of https://github.com/discourse/discourse"
This reverts commit e62a85cf6f, reversing
changes made to 2660c2e21d.
2020-05-22 20:25:56 -07:00
Mark VanLandingham 1a5bcf2a64
UX: Remove live theme previewing in favor of refresh (#9798) 2020-05-21 08:32:50 -05:00
Mark VanLandingham bd57ae83f1
DEV: Guardian for hiding about stats (#9841) 2020-05-20 10:26:20 -05:00
Arpit Jalan f038f8f154 FIX: description for 'uncategorized' category was blank 2020-05-19 18:45:43 +05:30
David Taylor 96848b7649
UX: Allow secure media URLs to be cached for a short period of time
Signed S3 URLs are valid for 15 seconds, so we can safely allow the browser to cache them for 10 seconds. This should help with large numbers of requests when composing a post with many images.
2020-05-18 15:00:41 +01:00
Joffrey JAFFEUX 918bd75909
FIX: allows to remove a topic timer with delete_replies as type (#9800) 2020-05-18 11:47:08 +02:00
David Taylor eee20a9814
FIX: Include plugin CSS assets when previewing themes 2020-05-15 18:12:53 +01:00
David Taylor 461b4e5cc6
DEV: Add framework for filtered plugin registers (#9763)
* DEV: Add framework for filtered plugin registers

Plugins often need to add values to a list, and we need to filter those lists at runtime to ignore values from disabled plugins. This commit provides a re-usable way to do that, which should make it easier to add new registers in future, and also reduce repeated code.

Follow-up commits will migrate existing registers to use this new system

* DEV: Migrate user and group custom field APIs to plugin registry

This gives us a consistent system for checking plugin enabled state, so we are repeating less logic. API changes are backwards compatible
2020-05-15 14:04:38 +01:00
Guo Xiang Tan e37ea4a4a1
Revert "FIX: don't compute draft for bots on categories index route"
This reverts commit 1b7f23a1bc.
2020-05-15 10:40:35 +08:00
Blake Erickson 1a2b9435b0
DEV: Standardize table sorting verbiage (#9757)
* DEV: Standardize table sorting verbiage

This commit creates a common component that tables can use to make their
headers sortable. This commit also standardizes on using `desc` as the
default and passing in the `asc=true` flag to adjust the sorting
direction.

* Add deprecation warnings

Adds deprecation warnings if using previous params and maintains
backwards compatibility. Set the default sort value for group members to
be asc.

* switch group requests to use common table-header-toggle

* update fixture
2020-05-14 20:10:59 -06:00
Rafael dos Santos Silva 11cd149122
FIX: WebAPK minting was broken due to shortcut icons
SVG support is very flaky, but this way at least minting works again
2020-05-14 21:56:35 -03:00
Rafael dos Santos Silva 675c9c38c8
Revert "FIX: Workaround WebAPK server bug with images without sizes"
This reverts commit bb7fca832f.
2020-05-14 19:33:54 -03:00
Rafael dos Santos Silva bb7fca832f
FIX: Workaround WebAPK server bug with images without sizes
Google WebAPK server was returning 500 with `any` sized svgs,
which is a spec violation.

Workaround for now setting a static size.

See https://bugs.chromium.org/p/chromium/issues/detail?id=1061911
2020-05-14 18:08:51 -03:00
Penar Musaraj 5ff2a235f6 DEV: Allow 3-digit HEX color code in single icon route
Followup to aee8e62
2020-05-14 16:37:45 -04:00
Neil Lalonde 1b7f23a1bc
FIX: don't compute draft for bots on categories index route 2020-05-14 16:35:32 -04:00
Rafael dos Santos Silva 4595560537
FIX: Use proper icons for App shortcut menu
Follow up to 3b0fa9b using the new icon URL introduced in e618efe

Will automatically use icons of the primary color of the active theme
 for the user during install.
2020-05-14 16:32:53 -03:00
Penar Musaraj aee8e62e21
FEATURE: Add endpoint for individual SVG icons (#9765) 2020-05-14 14:17:19 -04:00
Rafael dos Santos Silva 2298e14d38
FEATURE: Support for App Shortcuts Menu (#9749)
* FEATURE: Support for App Shortcuts Menu

This adds a list of shortcuts to a installed Discourse instance.

It can be accessed by right clicks or long press on the app icon.

See https://github.com/MicrosoftEdge/MSEdgeExplainers/blob/master/Shortcuts/explainer.md

List of possible follow ups include:

- Making it admin customizable
- Making it user customizable
- Using SVG icons from the site icon sprite
- Picking an accent color for icons

* FIX: Add type to shortcut menu icons
2020-05-12 12:24:33 -03:00
Joshua Rosenfeld c94e6a9a66
FEATURE: add noindex header to tags pages (#9748) 2020-05-12 10:44:46 -04:00
Joffrey JAFFEUX addf9d62f8
FIX: prevents rendering topic-category if empty (#9720) 2020-05-11 17:45:28 +03:00
Joshua Rosenfeld 07b728c5e5
FEATURE: add noindex header to badges, groups, and /my pages (#9736) 2020-05-11 15:05:42 +10:00
Sam Saffron bb4e8899c4
FEATURE: let Google index pages so it can remove them
Google insists on indexing pages so it can figure out if they
can be removed from the index.

see: https://support.google.com/webmasters/answer/6332384?hl=en

This change ensures the we have special behavior for Googlebot
where we allow indexing, but block the actual indexing via
X-Robots-Tag
2020-05-11 12:15:18 +10:00
Sam Saffron 676be3a853
FEATURE: add no_index header if robots is disabled
Expand SiteSetting.allow_index_in_robots_txt so it also adds a
noindex header if set to false.

This makes sure that nothing is indexed even if it somehow reaches
Google.
2020-05-11 11:07:21 +10:00
Sam Saffron d8d54a92f1
FEATURE: tighten rate limiting rules for forgot password
1. Total 6 attempts per day per user
2. Total of 5 per unique email/login that is not found per hour
3. If an admin blocks an IP that IP can not request a reset
2020-05-08 13:30:51 +10:00
Martin Brennan 6fb0f36ce1
FEATURE: Optionally delete bookmark when reminder sent (#9637)
We now show an options gear icon next to the bookmark name.

When expanded we show the "delete bookmark when reminder sent" option. The value of this checkbox is saved in local storage for the user.

If this is ticked, when a reminder is sent for the bookmark the bookmark itself is deleted. This is so people can use the reminder functionality by itself.

Also remove the blue alert reminder section from the "Edit Bookmark" modal as it just added clutter, because the user can already see they had a reminder set:

Adds a default false boolean column `delete_when_reminder_sent` to bookmarks.
2020-05-07 13:37:39 +10:00
David Taylor a51b8d9c66
FIX: Do not use cached settings during theme compilation
We compile within a database transaction, so using a cached value from redis can cause unwanted side effects
2020-05-04 09:43:06 +01:00
Kane York 784bf2a173
FIX: Unassign user titles when a badge is deleted (#9573) 2020-05-02 18:02:28 -07:00
Jeff Wong 2cb9e85d14
FEATURE: add category banner for why a user cannot post (#9576)
* FEATURE: add category banner for why a user cannot post

Adds a category banner for why a user is unable to post in a category.

Also adds an extra alert for the user when a user is unable to create a topic in a
category and they still try and click on the disabled-looking new topic
button.
2020-04-30 10:39:11 -07:00
Vinoth Kannan 71241a50f7 DEV: improve code readability & add tests for user guardian.
a511bea4cc
2020-04-30 20:59:33 +05:30
Sam Saffron d0d5a138c3
DEV: stop freezing frozen strings
We have the `# frozen_string_literal: true` comment on all our
files. This means all string literals are frozen. There is no need
to call #freeze on any literals.

For files with `# frozen_string_literal: true`

```
puts %w{a b}[0].frozen?
=> true

puts "hi".frozen?
=> true

puts "a #{1} b".frozen?
=> true

puts ("a " + "b").frozen?
=> false

puts (-("a " + "b")).frozen?
=> true
```

For more details see: https://samsaffron.com/archive/2018/02/16/reducing-string-duplication-in-ruby
2020-04-30 16:48:53 +10:00
David Taylor 367cbf5d2b
FEATURE: Allow user creation with admin api when local logins disabled (#9587) 2020-04-30 11:39:24 +10:00
Joffrey JAFFEUX a6f986b50f
FEATURE: allows to to style published page with themes/plugins (#9570) 2020-04-28 18:24:24 +02:00
Roman Rizzi 394babcae3
FIX: Only show the review page to users that can see it. Do not publish the reviewable count update message to everyone. (#9556) 2020-04-27 14:51:25 -03:00
Dan Ungureanu 0ae504aece
FIX: Raise a 4xx error instead of a 5xx if draft data is invalid 2020-04-25 11:47:22 +03:00
Vinoth Kannan df0c386f8a
UX: drop the `automatic_membership_retroactive` column from groups model. (#9430) 2020-04-22 22:07:39 +05:30
Robin Ward 13f2723dcb FIX: Don't log an error to logster if a topic could not be updated.
If for some reason an update did not go through (for example,
concurrently updating the same topic twice), we were logging something
like:

```
create_errors_json called with unrecognized type: #<Topic
```

This happened because we knew an error occurred but the active record
object had no errors attached.

This patch fixes the issue by attaching a proper error message in the
event that this happens.
2020-04-22 11:56:04 -04:00
Vinoth Kannan e5c44f6dcf UX: display 'merge' button in all non-staff user profiles. 2020-04-22 17:42:09 +05:30
Daniel Waterworth c8fed90e4e FIX: Handle sub-sub-category paths without an id 2020-04-22 12:19:54 +01:00
Vinoth Kannan a511bea4cc
FEATURE: admin UI to merge two users. (#9509) 2020-04-22 14:07:51 +05:30
Martin Brennan 628ba9d1e2
FEATURE: Promote bookmarks with reminders to core functionality (#9369)
The main thrust of this PR is to take all the conditional checks based on the `enable_bookmarks_with_reminders` away and only keep the code from the `true` path, making bookmarks with reminders the core bookmarks feature. There is also a migration to create `Bookmark` records out of `PostAction` bookmarks for a site.

### Summary

* Remove logic based on whether enable_bookmarks_with_reminders is true. This site setting is now obsolete, the old bookmark functionality is being removed. Retain the setting and set the value to `true` in a migration.
* Use the code from the rake task to create a database migration that creates bookmarks from post actions.
* Change the bookmark report to read from the new table.
* Get rid of old endpoints for bookmarks
* Link to the new bookmarks list from the user summary page
2020-04-22 13:44:19 +10:00
Jarek Radosz 17cf300b71
DEV: Use more specific error responses (#9472)
* DEV: Use `render_json_error` (Adds specs for Admin::GroupsController)
* DEV: Use a specific error on blank category slug (Fixes a `render_json_error` warning)
* DEV: Use a specific error on reviewable claim conflict (Fixes a `render_json_error` warning)
* DEV: Use specific errors in Admin::UsersController (Fixes `render_json_error` warnings)
* FIX: PublishedPages error responses
* FIX: TopicsController error responses (There was an issue of two separate `Topic` instances for the same record. This makes sure there's only one up-to-date instance.)
2020-04-21 03:50:20 +02:00
Krzysztof Kotlarek e9f7262813
FIX: when category or tag is muted, update user (#9456)
Currently, when category or tag is muted, only after hard refresh, these new muted categories are really muted. Without a hard refresh, you will still receive "new topic" messages.

Therefore, when tag or category is muted, we should update the user object right away.
2020-04-21 08:33:55 +10:00
Martin Brennan 344ef5226c
FEATURE: Edit bookmark reminders from post and explicit delete button (#9455)
There is now an explicit "Delete Bookmark" button in the edit modal. A confirmation is shown before deleting.

Along with this, when the bookmarked post icon is clicked the modal is now shown instead of just deleting the bookmark. Also, the "Delete Bookmark" button from the user bookmark list now confirms the action.

Add a `d d` shortcut in the modal to delete the bookmark.
2020-04-20 13:30:04 +10:00
Mark VanLandingham 0e74dd7d7c
FIX: Set user timezone on password reset login (#9461) 2020-04-17 13:39:04 -05:00
Roman Rizzi dce46086f4
FIX: Do not raise an error if the post action type is nil (#9458) 2020-04-17 14:23:33 -03:00
Martin Brennan 8f0544137a
FEATURE: Allow editing bookmark reminders (#9437)
Users can now edit the bookmark name and reminder time from their list of bookmarks.

We use "Custom" for the date and time in the modal because if the user set a reminder for "tomorrow" then edit the reminder "tomorrow", the definition of what "tomorrow" is has changed.
2020-04-17 11:08:07 +10:00
Blake Erickson fec68d3d25 DEV: Confirm email when creating users via the API
This commit is for a frequently requested task on meta so that only 1
API call is needed instead of 3!

In order to create a user via the api and not have them receive an
activation email you can pass in the `active=true` flag. This prevents
sending an email, but it is only half of the solution and puts the db in
a weird state where it has an active user with an unconfirmed email.

This commit fixes that and ensures that if the `active=true` flag is set
the user's email is also marked as confirmed.

This change only applies to admins using the API.

Related topics on meta:

 - https://meta.discourse.org/t/-/68663
 - https://meta.discourse.org/t/-/33133
 - https://meta.discourse.org/t/-/36133
2020-04-14 14:56:32 -06:00
Justin DiRose 5471c065cd
FIX: Missing timezone guess on email session login (#9404)
Timezone is guessed by moment.js if unset upon a normal login, but was not when
logging in via an email link. This adds logic to update a guessed
timezone upon email login so timezones don't end up blank.
2020-04-10 13:19:39 -05:00
Robin Ward e1f8014acd
FEATURE: Support for publishing topics as pages (#9364)
If the feature is enabled, staff members can construct a URL and publish a
topic for others to browse without the regular Discourse chrome.

This is useful if you want to use Discourse like a CMS and publish
topics as articles, which can then be embedded into other systems.
2020-04-08 12:52:36 -04:00
Sam Saffron 0375a5ac0b
DEV: reduce logging when no external id is specified
Previously we were returning an unknown sso error and logging a message
when external id was blank. This noise is not needed.
2020-04-08 12:42:28 +10:00
Neil Lalonde e8fad7a69e
DEV: changes so plugins can customize invites UI (#9365)
* DEV: changes so plugins can customize invites UI

Co-Authored-By: Robin Ward <robin.ward@gmail.com>
2020-04-07 11:58:49 -04:00
Dan Ungureanu 0653750fbf
FEATURE: Hash user API keys in the database (#9344)
The 'key' column will be dropped in a future commit.
2020-04-07 16:42:52 +03:00
David Taylor 91fff746a4
FIX: Check active themes for all requests
Previously, the list of active themes was only used in html views. Now we have theme modifiers, themes can affect .json routes.
2020-04-03 15:50:13 +01:00
Vinoth Kannan 2f9879a9a1 FIX: move total rows count & load more URL inside meta.
We're fetching "total rows count" from root attributes only if meta object not found. 2b78bd01ab/app/assets/javascripts/discourse/models/store.js (L236)
2020-04-03 07:32:50 +05:30
Penar Musaraj 724d2e99de
DEV: Only include "report-sample" CSP directive when reporting is enabled (#9337) 2020-04-02 11:16:38 -04:00
Martin Brennan c07dd0d22a
FEATURE: Add lazy loading to user bookmarks list (#9317)
This is so users with huge amount of bookmarks do not have to wait a long time to see results.

* Add a bookmark list and list serializer to server-side to be able to handle paging and load more URL
* Use load-more component to load more bookmark items, 20 at a time in user activity
* Change the way current user is loaded for bookmark ember models because it was breaking/losing resolvedTimezone when loading more items
2020-04-01 14:09:07 +10:00
Arpit Jalan b2a0d34bb7
FEATURE: add setting `auto_approve_email_domains` to auto approve users (#9323)
* FEATURE: add setting `auto_approve_email_domains` to auto approve users

This commit adds a new site setting `auto_approve_email_domains` to
auto approve users based on their email address domain.

Note that if a domain already exists in `email_domains_whitelist` then
`auto_approve_email_domains` needs to be duplicated there as well,
since users won’t be able to register with email address that is
not allowed in `email_domains_whitelist`.

* Update config/locales/server.en.yml

Co-Authored-By: Robin Ward <robin.ward@gmail.com>
2020-03-31 23:59:15 +05:30
Neil Lalonde 29e733832d
FIX: error when changing a topic's category and creating a tag 2020-03-30 16:43:01 -04:00
Robin Ward db35baba26 FEATURE: Display "Last Updated At" on user directory 2020-03-30 14:34:48 -04:00
Joffrey JAFFEUX 0996c3b7b3
FEATURE: allows multiple custom emoji groups (#9308)
Note: DBHelper would fail with a sql syntax error on columns like "group".

Co-authored-by: Jarek Radosz <jradosz@gmail.com>
2020-03-30 20:16:10 +02:00
Vinoth Kannan 257f59f366 FEATURE: option to update child theme components via theme CLI.
423ce44112
2020-03-27 03:41:56 +05:30
Sam Saffron ecbccab159
FEATURE: invite_code is case-insensitive
Previously we required exact casing for invite code, this can cause a lot
of confusion. Relax the requirement.
2020-03-26 13:44:02 +11:00
Martin Brennan 097851c135
FIX: Change secure media to encompass attachments as well (#9271)
If the “secure media” site setting is enabled then ALL files uploaded to Discourse (images, video, audio, pdf, txt, zip etc. etc.) will follow the secure media rules. The “prevent anons from downloading files” setting will no longer have any bearing on upload security. Basically, the feature will more appropriately be called “secure uploads” instead of “secure media”.

This is being done because there are communities out there that would like all attachments and media to be secure based on category rules but still allow anonymous users to download attachments in public places, which is not possible in the current arrangement.
2020-03-26 07:16:02 +10:00
Bianca Nenciu 61c1af0124 SECURITY: Ensure user can see group and group members 2020-03-24 11:59:41 +02:00
Bianca Nenciu d8640fd042
DEV: Move requested_group_id custom field from post to topic (#9127)
Follow-up-to accbbded15
2020-03-24 11:12:52 +02:00
Kane York 4b8acce92b FIX: Check for permalinks before showing the 404 page
Limitations: the user profile "open external links in new tab setting" is
slightly broken for "External URL" permalinks.

Remove the copy from the admin permalinks page stating that this doesn't work.
2020-03-23 16:31:07 -07:00