Commit Graph

48783 Commits

Author SHA1 Message Date
Blake Erickson 6dcb099547 FIX: Escaped mentions in chat excerpts
Mentions are now displayed as using the non-cooked message which fixes
the problem. This is not ideal. I think we might want to rework how
these excerpts are created and rendered in the near future.

Co-authored-by: Jan Cernik <jancernik12@gmail.com>
2023-03-16 15:27:09 -06:00
Blake Erickson a373bf2a01 SECURITY: XSS on chat excerpts
Non-markdown tags weren't being escaped in chat excerpts. This could be
triggered by editing a chat message containing a tag (self XSS), or by
replying to a chat message with a tag (XSS).

Co-authored-by: Jan Cernik <jancernik12@gmail.com>
2023-03-16 15:27:09 -06:00
Alan Guo Xiang Tan fd16eade7f SECURITY: SSRF protection bypass with IPv4-mapped IPv6 addresses
As part of this commit, we've also expanded our list of private IP
ranges based on
https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
and https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
2023-03-16 15:27:09 -06:00
Alan Guo Xiang Tan 52ef44f43b SECURITY: Monkey-patch web-push gem to use safer HTTP client
`FinalDestination::HTTP` is our patch of `Net::HTTP` which defend us
against SSRF and DNS rebinding attacks.
2023-03-16 15:27:09 -06:00
Blake Erickson d89b537d8f SECURITY: Fix XSS in full name composer reply
We are using htmlSafe when rendering the name field so we need to escape
any html being passed in.
2023-03-16 15:27:09 -06:00
Andrei Prigorshnev 7dd317b875
DEV: add test cases for email notifications about channel-wide mentions (#20691)
A follow-up to e6c04e2d.
2023-03-16 21:43:56 +04:00
Penar Musaraj c213cc7211
DEV: Fix tag route fixture param (#20693)
This tag route is /tag/important/l/latest.json so the tag name should also be important.
2023-03-16 11:27:04 -04:00
Loïc Guitaut 0bd64788d2 SECURITY: Rate limit the creation of backups 2023-03-16 16:09:22 +01:00
TheJammiestDodger 272c31023d
UX: Change JPEG to JPG for search consistency (#20698) 2023-03-16 14:53:29 +00:00
David Taylor 150a6601c0
DEV: Check Zeitwerk eager loading in GitHub CI (#20699)
In production, `eager_load=true`. This sometimes leads to boot errors which are not present in dev/test environments. Running `zeitwerk:check` in CI will help us to pick up on any errors early.

This commit also introduces a `DISCOURSE_ZEITWERK_EAGER_LOAD` environment variable to make it easier to toggle the behaviour when developing locally.
2023-03-16 14:22:16 +00:00
David Taylor 9d1423b5aa
DEV: Drop impossible conditional from admin-logs-staff-action-logs (#20687)
`Object.keys(filters)` will never return 0
2023-03-16 12:27:27 +00:00
David Taylor 5d46a16ca5
DEV: Cleanup unrelated comment from `development.rb` (#20697)
This comment has nothing to do with the `eager_load` configuration. It must be left over from some historical refactoring. Removing to avoid confusion.
2023-03-16 11:23:34 +00:00
Daniel Waterworth 164b60cd07 DEV: Optionally, run system tests in docker:test 2023-03-15 16:46:48 -05:00
Daniel Waterworth 5324216740 DEV: Use rspec instead of turbo_rspec with one core 2023-03-15 16:46:48 -05:00
Andrei Prigorshnev 94fd884297
DEV: remove unused string (#20662)
The button was removed in fca6805a
2023-03-16 00:15:07 +04:00
David Taylor c190994046
DEV: Update admin modal controllers to native class syntax (#20685)
This commit was generated using the ember-native-class-codemod along with a handful of manual updates
2023-03-15 17:39:33 +00:00
dependabot[bot] 62bbdd25ab
Build(deps): Bump @babel/core in /app/assets/javascripts (#20681)
Bumps [@babel/core](https://github.com/babel/babel/tree/HEAD/packages/babel-core) from 7.21.0 to 7.21.3.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.21.3/packages/babel-core)

---
updated-dependencies:
- dependency-name: "@babel/core"
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-03-15 14:29:16 +01:00
dependabot[bot] 2ea6675671
Build(deps): Bump sass from 1.59.2 to 1.59.3 in /app/assets/javascripts (#20682)
Bumps [sass](https://github.com/sass/dart-sass) from 1.59.2 to 1.59.3.
- [Release notes](https://github.com/sass/dart-sass/releases)
- [Changelog](https://github.com/sass/dart-sass/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sass/dart-sass/compare/1.59.2...1.59.3)

---
updated-dependencies:
- dependency-name: sass
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-03-15 14:27:17 +01:00
dependabot[bot] e50f51fa85
Build(deps): Bump rack-test from 2.0.2 to 2.1.0 (#20679)
Bumps [rack-test](https://github.com/rack/rack-test) from 2.0.2 to 2.1.0.
- [Release notes](https://github.com/rack/rack-test/releases)
- [Changelog](https://github.com/rack/rack-test/blob/main/History.md)
- [Commits](https://github.com/rack/rack-test/compare/v2.0.2...v2.1.0)

---
updated-dependencies:
- dependency-name: rack-test
  dependency-type: indirect
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-03-15 14:26:43 +01:00
David Taylor e700f0af93
DEV: Update admin routes to native class syntax (#20686) 2023-03-15 13:17:51 +00:00
David Taylor 7288bc277b
DEV: Update docker_test to checkout specific branch by default (#20684)
Previously, FETCH_HEAD would always point to tests-passed because our base docker image was configured to only fetch the tests-passed branch. Since https://github.com/discourse/discourse_docker/commit/53bbacc882, we switched to a partial clone which means that `git fetch; git checkout FETCH_HEAD` will checkout whichever remote branch is the first alphabetically. This commit makes the checkout more specific to avoid this issue.
2023-03-15 10:54:47 +00:00
David Taylor be354e7950
DEV: Update admin controllers to native class syntax (#20674)
This commit was generated using the ember-native-class-codemod along with a handful of manual updates
2023-03-15 09:42:12 +00:00
Daniel Waterworth 84f590ab83
DEV: Store theme sprites in the DB (#20501)
Let's avoid fetching sprites from the CDN during page rendering.
2023-03-14 13:11:45 -05:00
Andrei Prigorshnev e6c04e2dc2
FIX: do not send emails when channel-wide mentions are disabled in a channel (#20677)
This regressed with the commit fa543cd. Starting from that commit, we create mention records even if a user shouldn't be notified. So when sending emails, we should be making sure if a notification was actually created for a mention. This is essentially the whole fix that we need here. Tests will be provided in a following PR.
2023-03-14 21:45:05 +04:00
Blake Erickson d0c6b33cc2
SECURITY: Bump Rails to v7.0.4.3 (#20675) 2023-03-14 10:19:31 -06:00
Isaac Janzen dfd6d6b999
FIX: Latest post created_at on topic-timeline not updating (#20665)
# Context
https://meta.discourse.org/t/timeline-timestamp-not-updating/256447/1

During the upgrade of the topic-timeline to glimmer the "latest post" timestamp was not updating on the timeline in relation to the relative age of the post. It was only updating on a hard refresh.

# Fix
Use the `age-with-tooltip` helper to update the created_at date automatically as time passes.

# Additional
Add the ability to pass params to `age-with-tooltip` so that we can include options like `addAgo` and `defaultFormat`
2023-03-14 11:08:23 -05:00
Kris 22a7818399
FIX: update LoadMore selector for user tables (#20676) 2023-03-14 11:10:51 -04:00
Penar Musaraj a208ed0925
UX: Improve menu panel height fallback for older browsers (#20673)
Tested with Chrome <100, Firefox <100 and Samsung Internet 20, using
percentage-based height here works better for these browsers.

This was especially a problem for the Samsung Internet browser, because
it previously was hiding the "Dismiss" button on the user profile menu.
2023-03-14 10:41:38 -04:00
Discourse Translator Bot 4cf065c480
Update translations (#20671) 2023-03-14 15:04:54 +01:00
David Taylor d12f1878c9
UX: Improve safe-mode copy (#20670)
Safe-mode only applies to client-side customizations - let's make that clearer
2023-03-14 13:00:52 +00:00
David Taylor b5721b7b4f
FIX: `default_list_filter = none` navigation and preloading (#20641)
When a category has default_list_filter=none, there were a number of issues which this commit resolves:

1. When using the breadcrumbs to navigate a `default_list_filter=none` category, adding a tag filter would not apply the no-subcategories filter, but the subcategories dropdown would still say 'none'. This commit adjusts `getCategoryAndTagUrl` so that `/none` is added to the URL

2. When landing on `/tags/c/{slug}/{id}/{tag}`, for a default_list_filter=none category, it would include subcategories. This commit introduces a client-side redirect to match the behavior of `/c/{slug}/{id}`

3. When directly navigating to `/c/{slug}/{id}`, it was correctly redirecting to `/c/{slug}/{id}/none`, BUT it was still using the preloaded data for the old route. This has been happening since e7a84948. Prior to that, the preloaded data was discarded and a new JSON request was made to the server. This commit restores that discarding behavior. In future we may want to look into making this more efficient.

System specs are introduced to provide end-end testing of this functionality
2023-03-14 10:46:05 +00:00
Jarek Radosz bb317bd554
DEV: Update the rubocop setup (#20668) 2023-03-14 11:42:11 +01:00
dependabot[bot] f75afc0979
Build(deps): Bump rack from 2.2.6.3 to 2.2.6.4 (#20667)
Bumps [rack](https://github.com/rack/rack) from 2.2.6.3 to 2.2.6.4.
- [Release notes](https://github.com/rack/rack/releases)
- [Changelog](https://github.com/rack/rack/blob/main/CHANGELOG.md)
- [Commits](https://github.com/rack/rack/compare/v2.2.6.3...v2.2.6.4)

---
updated-dependencies:
- dependency-name: rack
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-03-14 09:40:46 +01:00
Loïc Guitaut 8a8f2758d5 DEV: Refactor `Jobs::UserEmail` a little 2023-03-14 09:23:06 +01:00
David Taylor 964f37476d
FIX: TopicQuery for NULL `category.topic_id` (#20664)
Our schema allows `category.topic_id` to be NULL. Null values shouldn't actually happen in production, but it is very common in tests because `Fabricate(:category)` skips creating the definition topic to improve performance. Before this commit, a NULL category.topic_id would cause all subcategory topics to be excluded from a TopicQuery result. This is because, in postgres, `NULL <> anything` is falsy. Instead, we can use `IS DISTINCT FROM`, which will return true when NULL is compared to a non-NULL value.
2023-03-13 19:33:26 +00:00
Rafael dos Santos Silva 0a5b078ac7
FEATURE: Hook for suggested topic customization (#20618) 2023-03-13 15:37:49 -03:00
Isaac Janzen ab442058c0
FIX: Broken topic-timeline summarize topic button (#20661)
# Context
During the octane upgrade of the Topic Timeline the `summarize-topic` button was neglected, leaving it in a broken state. 

# Fix
Update the button to replicate the original functionality


<img width="351" alt="Screenshot 2023-03-13 at 12 41 25 PM" src="https://user-images.githubusercontent.com/50783505/224785657-fc8124fe-f1d9-4cc8-917b-9cd859517da3.png">

_updated timeline with summarize button_
2023-03-13 13:12:33 -05:00
Andrei Prigorshnev 72726830b5
FIX: anonymous users cannot load topics with mentions with a user status that has an end date (#20660)
Steps to reproduce:
1. Create a post with a mention of a user that has user status with an end date
2. Try to load the topic with that post as an anonymous user

You'll see a topic with blank content.
2023-03-13 19:57:09 +04:00
David Taylor f91af69ec4
FIX: Avatar upload error (#20658)
Followup to 4f9afabf87
2023-03-13 10:59:42 +00:00
dependabot[bot] 59e5485408
Build(deps): Bump sass from 1.58.3 to 1.59.2 in /app/assets/javascripts (#20656)
Bumps [sass](https://github.com/sass/dart-sass) from 1.58.3 to 1.59.2.
- [Release notes](https://github.com/sass/dart-sass/releases)
- [Changelog](https://github.com/sass/dart-sass/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sass/dart-sass/compare/1.58.3...1.59.2)

---
updated-dependencies:
- dependency-name: sass
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-03-13 11:01:41 +01:00
dependabot[bot] 05e713d098
Build(deps): Bump node-fetch from 3.3.0 to 3.3.1 in /app/assets/javascripts (#20655)
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-03-13 08:45:43 +08:00
dependabot[bot] b5bb41493a
Build(deps): Bump eslint from 8.35.0 to 8.36.0 in /app/assets/javascripts (#20652)
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-03-13 08:45:24 +08:00
dependabot[bot] 8c653cbc91
Build(deps): Bump sinon from 15.0.1 to 15.0.2 in /app/assets/javascripts (#20653)
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-03-13 08:12:35 +08:00
dependabot[bot] ad6edfc08a
Build(deps): Bump jsdom from 21.1.0 to 21.1.1 in /app/assets/javascripts (#20651)
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-03-13 08:12:19 +08:00
dependabot[bot] 06848eaf49
Build(deps): Bump sass-embedded from 1.58.3 to 1.59.2 (#20649)
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-03-13 08:11:06 +08:00
dependabot[bot] e9a04dd6f1
Build(deps): Bump rspec-mocks from 3.12.3 to 3.12.4 (#20648)
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-03-13 08:10:48 +08:00
dependabot[bot] 8793297792
Build(deps): Bump logster from 2.11.4 to 2.12.2 (#20647)
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-03-13 08:10:31 +08:00
dependabot[bot] 173a3b4d02
Build(deps): Bump webpack from 5.76.0 to 5.76.1 in /app/assets/javascripts (#20654)
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-03-13 08:10:09 +08:00
Alan Guo Xiang Tan e4b11e7643
FEATURE: Only list watching group messages in messages notifications panel (#20630)
Why is this change required?

Prior to this change, we would list all group messages that a user
has access to in the user menu messages notifications panel dropdown.
However, this did not respect the topic's notification level setting and
group messages which the user has set to 'normal' notification level were
being displayed

What does this commit do?

With this commit, we no longer display all group messages that a user
has access to. Instead, we only display group messages that a user is
watching in the user menu messages notifications panel dropdown.

Internal Ref: /t/94392
2023-03-13 08:09:38 +08:00
Kris 44bc284e0f
UX: avoid overflow clipping descenders (#20643) 2023-03-10 16:49:06 -05:00