Because:
- Chrome 78 and Firefox Fenix have support for it
- The icons will look better by using all the availiable space
- Admins can control the icon and add appropriate padding since we have a
dedicated asset for the manifest logo. Read more about it on
https://css-tricks.com/maskable-icons-android-adaptive-icons-for-your-pwa/
This commit:
- Adds a new key under the icons array in the webmanifest, named purpose
with maskable value.
Previously, calculating thresholds for reviewables was done based on the
50th and 85th percentile across all reviewables. However, many forum
owners provided feedback that these thresholds were too easy to hit, in
particular when it came to auto hiding content.
The calculation has been adjusted to base the priorities on reviewables
that have a minimum of 2 scores (flags). This should push the amount of
flags required to hide something higher then before.
On forums with very few flags you don't want to calculate averages
because they won't be very useful. Stick with the defaults until we hit
15 reviewables at least.
Forums without previously calculated scores would return the same values
for low/medium/high sensitivity. Now those are scaled based on the
default value.
The default value has also been changed from 10.0 to 12.5 based on
observing data from live discourse forums.
We were counting all the oneboxes in the DOM instead of just the ones in the preview.
Also refactored the logic to count up to 'max_oneboxes_per_post` instead of down to 0.
That also ensured we don't load 11 oneboxes when the setting is limiting to 10.
The dollar sign (`$`) is a special replace pattern, and `$&` inserts the
matched string. Thus dollars signs need to be escaped with the special
pattern `$$`, which inserts a single `$`.
In development, we track the last requested theme id, and use that to refresh the correct stylesheet targets. The after_action hook runs on every request, but the preview_theme_id parameter is only sent on the initial HTML request. This commit ensures we only fetch the development theme_id on HTML requests
To demonstrate the issue:
- Visit https://meta.discourse.org/#somethingHere while logged in
- Click "log out"
- You will be logged out, but the page will not be reloaded
Setting `window.location.pathname = "/"` will not reload the page if there is a hash present. Using `window.location = "/"` gives us the desired behavior.
In IE11, the browser returns the cached HTML response, rather than the JSON formatted response. A better solution may be to add a `Vary: Accept` header to all of our HTML responses, but this commit should solve the immediate issue.
`fancy_title` is already escaped by Rails. Escaping it again would print
the HTML entity as-is, e.g. `"` instead of `"`.
This fixes the issue by introducing a new `escapedContent` attribute on
the `QuickAccessItem` widget.
* FIX: Cast all numerical values in reports
The backend can return some numerical values in report as strings. That results in unexpected order of values when sorting report tables.
* Create `toNumber()` helper
The `typeof` and `parseFloat` seem to be the fastest path: https://jsperf.com/number-vs-typeof-vs-parsefloat#results
* Adjustments to pass specs on Rails 6.0.0
* Use classic autoloader instead of Zeitwerk
* Update Rails 6.0.0 deprecated methods
* Rails 6.0.0 not allowing column with integer name
* Drop freedom_patches/rails6.rb
* Default value for trigger_transactional_callbacks? is true
* Bump rspec-rails version to 4.0.0.beta2
* FIX: inline_uploads and subfolder
* if subfolder, also look for images with a path containing
cdn_url + relative_url_root
* FIX: migrate_to_s3 task and subfolder
New site setting: `embed_any_origin` that will send postMessages to
wildcard origins `*` instead of the referer.
Most of the time you won't want to do this, so the setting is default to
`false`. However, there are certain situations where you want to allow
embedding to send post messages when there is no HTTP REFERER.
For example, if you created a native mobile app and you wanted to embed a list
of Discourse topics as HTML. In the code your HTML would be a
static file/string, which would not be able to send a referer. In this
case, the site setting will allow the embed to work.
From a security standpoint we currently only use `postMessage` to send
data about the size of the HTML document and scroll position, so it
should be enable if required with minimal security ramifications.
* Extract QuickAccessPanel from UserNotifications.
* FEATURE: Quick access panels in user menu.
This feature adds quick access panels for bookmarks and personal
messages. It allows uses to browse recent items directly in the user
menu, without being redirected to the full pages.
* REFACTOR: Use QuickAccessItem for messages.
Reusing `DefaultNotificationItem` feels nice but it actually requires a
lot of extra work that is not needed for a quick access item.
Also, `DefaultNotificationItem` shows an incorrect tooptip ("unread
private message"), and it is not trivial to remove / override that.
* Use a plain JS object instead.
An Ember object was required when `DefaultNotificationItem` was used.
* Prefix instead suffix `_` for private helpers.
* Set to null instead of deleting object keys.
JavaScript engines can optimize object property access based on the
object’s shape. https://mathiasbynens.be/notes/shapes-ics
* Change trivial try/catch to one-liners.
* Return the promise in case needs to be waited on.
* Refactor showAll to a link with href
* Store `emptyStatePlaceholderItemText` in state.
* Store items in Session singleton instead.
We can drop `staleItems` (and `findStaleItems`) altogether. Because
`(old) items === staleItems` when switching back to a quick access
panel.
* Add `limit` parameter to the `user_actions` API.
* Explicitly import Session instead.
This reverts commit 310a8ac242.
It seems this breaks google authentication. My suspicion is opening
the URL twice invalidates the CSRF after the first access.
* FEATURE: Add tl2 threshold for editing new posts
* Adds a new setting and for tl2 editing posts (30 days same as old value)
* Sets the tl0/tl1 editing period as 1 day
* FIX: Spec uses wrong setting
* Fix site setting on guardian spec
* FIX: post editing period specs
* Avoid shared examples
* Use update_columns to avoid callbacks on user during tests
If you click a (?) icon beside the reviewable status a pop up will
appear with expanded informatio that explains how the reviewable got its
score, and how it compares to system thresholds.
- prevents keyboard from being invoked when textarea is disabled
- avoids scrolling up when switching focus from title to textarea on new topic creation
Start tracking the date an api key was last used. This has already been
the case for user_api_keys.
This information can provide us with the ability to automatically expire
unused api keys after N days.
The URL '/images/transparent.png' will be used in the cooked content if upload record not found. In that case we have to use 'short_url' as image src in 'post.each_upload_url' method.
This was primarily an issue on mobile, where after clicking the "Messsage" button in the user card, the composer would load behind the user card overlay.
When opening authentication popup, start with an on-site URL. Opening "about:blank", and then POSTing the form does not send same-site=Lax cookies. Opening the popup to a page on the site domain, and then POSTing the form, works successfully.
* FIX: User should get notified when a post is deleted
* FEATURE: Notify posters when restoring flagged posts
* Fix typo
Co-Authored-By: Régis Hanol <regis@hanol.fr>
* Improve tests
We refactored some code to avoid app event leak in tests at c462c2f2
Unfortunately this broke all background notifications in title and they
were broken for the past multiple months.
This reverts commit e805d44965.
We now have mechanisms in place to ensure heartbeat will always
be scheduled even if the scheduler is overloaded per: 098f938b
When there is an overridden text in the database that belongs to
a pluralized key which doesn't exist in English anymore, the
Customize Texts admin page was unusable. This stops those keys from
ever being returned by a search.
* The read indicator now shows up when no member has read the last post of the topic (written by a non-member)
* The read indicator works on mobile and receives live updates from message bus
* The icon we display in the topic list was changed
* Added a title to the indicator to indicate its purpose when hovering over it
The client-side theme-selector would always apply the first in a series of file change notifications. This has been fixed, so it now applies the most recent notification.
Duplicate notifications were being sent because
- The remote_theme autosave was causing every change notification to be doubled
- Color scheme change notifications were being sent every time a theme was uploaded, even if the colors were unchanged
These duplicate notifications have been fixed, and a spec added to ensure it does not regress in future
Databases can have a lot of user actions, self joining and running an
aggregate on millions of rows can be very costly
This optimisation will reduce the regular window of consistency down to 13
hours, this ensures the job runs much faster
When activating a user via an external provider, this would cause the "this account is not activated" message to show on the first attempt, even though the account had been activated correctly.
* Removes unused styles
This commit only removes unnecessary / duplicate styles. It does not cause any visual changes.
* adds class to `<h1>` tag in header topic info.
This is much better to target than `h1`
* removes unused styles
* header title margin adjustment
* minor header-title margin adjustments
* One more header-title margin adjustment
This minor refactor extracts `UserMenuLinks#profileLink` &
`UserMenuLinks#linkHtml` to allow plugins / themes to control the
profile link definition, and more importantly, how it is rendered.
- Adds support for iOS Universal Links via an `apple-app-site-association` endpoint
Adds support for Google Digital Asset Links at the `.well-known/assetlinks.json` endpoint
When showing the native app banner, we include an app argument to automatically add the current site to the official DiscourseHub app. However, the app id can be changed via a hidden site setting, and when changed, that argument is no longer useful. This ensures the argument is only included for the official iOS app banner.
* Revert "Revert "FEATURE: Publish read state on group messages. (#7989) [Undo revert] (#8024)""
This reverts commit 36425eb9f0.
* Fix: Show who read only if the attribute is enabled
* PERF: Precalculate the last post readed by a group member
* Use book-reader icon instear of far-eye
* FIX: update topic groups correctly
* DEV: Tidy up read indicator update on write
* FIX: Heartbeat check per sidekiq process
* Rename method
* Remove heartbeat queues of previous bootups
* Regis feedback
* Refactor before_start
* Update lib/demon/sidekiq.rb
Co-Authored-By: Régis Hanol <regis@hanol.fr>
* Update lib/demon/sidekiq.rb
Co-Authored-By: Régis Hanol <regis@hanol.fr>
* Expire redis keys after 3600 seconds
* Don't use redis to store the list of queues
This is useful when changing the category in the composer for example. When opening mini-tag-chooser after, tags will be correctly updated for the selected category.
destination_url cookie is used to redirect the user to the a private
page after they have logged in. After deleting own account, a user's
pages would be refreshed which would set the destination_url, cookie
that can cause a redirect to an invalid page after logging in again.
Reproduction steps:
1. User is at `/u/:username/preferences/account` and deletes account by
requesting DELETE `/u/:username.json`.
2. User is being destroyed and a MessageBus message (`file-change`,
`['refresh']`) is published.
3. User receives response to DELETE request, but page may be or not
refreshed. Anyway, since they can no longer see the preferences page,
they are redirected to `/login` and `destination_url` cookie is set,
that will redirect on next login (but to the previous preferences page).
Every time we type a letter the composer issues a reply length check.
This is due to the interconnecting components, the title one depends on the
body which means that this decision making is passed along each time, even
if the title does not need it strictly.
Anyway...
This optimisation has 3 parts:
1. If the composer string is super long (10000 chars) we will bypass, quote
stripping and space squashing.
2. Quote stripping is now done much more efficiently, we strip them all in
one go
3. Space squashing eg: `hello world` to `hello world` is done in an
efficient loop to avoid needing to generate superflous strings that need
GC
Previously, a regular user could not edit the title or category
of a topic if a hidden tag had already been applied.
This also stops hidden tag names from leaking in the error message.
This change allows themes and components access to theme assets.
This means that inside theme js you can now get the URL for an asset with:
```
settings.theme_uploads.name
```
* Reenable: "FEATURE: Publish read state on group messages. (#7989)"
This reverts commit 67f5cc1ce8.
* FIX: Read indicator only appears when the group setting is enabled
* Enable or disable read state based on group attribute
* When read state needs to be published, the minimum unread count is calculated in the topic query. This way, we can know if someone reads the last post
* The option can be enabled/disabled from the UI
* The read indicator will live-updated using message bus
* Show read indicator on every post
* The read indicator now shows read count and can be expanded to see user avatars
* Read count gets updated everytime someone reads a message
* Simplify topic-list read indicator logic
* Unsubscribe from message bus on willDestroyElement, removed unnecesarry values from post-menu, and added a comment to explain where does minimum_unread_count comes from
This adds a 1 minute rate limit to all JS error reporting per IP. Previously
we would only use the global rate limit.
This also introduces DISCOURSE_ENABLE_JS_ERROR_REPORTING, if it is set to
false then no JS error reporting will be allowed on the site.
* FEATURE: Incorporate PWA install prompt into Discourse UI
This is mainly done so Discourse forums stop nagging people to install
on the very first visits to a website.
We will prevent the native install "mini-info" bar from ever appearing,
capture the event that pops with it, and delay it until the user meets
our criteria, which currently is trust_level 1.
If the event happens and the user meets our criteria we show a Discourse
alert banner proposing the install to the user. Dismissal of the banner
is recorded so the user ins't bothered anymore on the same device.
Co-Authored-By: Gerhard Schlager <mail@gerhard-schlager.at>
Co-Authored-By: Joffrey JAFFEUX <j.jaffeux@gmail.com>
Serializer is injecting information into cooked and reaching direct to
custom fields that were not preloaded
This amends it so basic post serializer can use the proper interface
That said we should probably follow this up so we don't reach for this
info on every post.
THe main advantage of this solution is that it will be called on each rerendered whereas the other is not once href has been set.
Example API:
```
api.addNavigationBarItem({
name: "foo",
displayName: "Foo",
customHref: function(category, args) {
const router = api.container.lookup("service:router");
const queryParams = { bar: "1" };
return router.urlFor(router.currentRouteName, category, {
queryParams
});
}
});
```
Sometimes, when keeping J or K pressed and scrolling fast, the current
selection would go out of the viewport for a few moments and the
algorithm would try selecting the "best" element that is in viewport.
This bug is reproducible only on certain machines. For example, Linux
machines seem to be passing key events faster to the browser.
Previously we relied on side effects to set tracking state correctly
when inviting groups to messages
Also has a minor optimisation in that we use pluck instead of pulling in
full record
Previously we would unconditionally issue an "invited_to_pm" notification
to all non muting users.
New behavior
- Watching and Watching first post get notified
- Tracking get a new "summary" message
- The rest get nothing
This is consistent with topic creation and way clearer
If enabled, this will fire a webhook whenever a user's notification has
been created. This could potentially be a lot of data depending on your
forum, and should be used carefully since it includes everything all users
will see in their feeds.
This adds support for a `<d-topics-list>` tag you can embed in your site
that will be rendered as a list of discourse topics. Any attributes on
the tag will be passed as filters. For example:
`<d-topics-list discourse-url="URL" category="1234">` will filter to category 1234.
To use this feature, enable the `embed topics list` site setting. Then
on the site you want to embed, include the following javascript:
`<script
src="http://URL/javascripts/embed-topics.js"></script>`
Where `URL` is your discourse forum's URL.
Then include the `<d-topics-list discourse-url="URL">` tag in your HTML document and it will
be replaced with the list of topics.
This commit will for example allow this:
```
api.addDiscoveryQueryParam("my_param", { persist: true });
```
If you page is forum.foo.bar/?my_param=1, when clicking on an "unread" link for example this query string will be kept.
There are 5 visibility levels (similar to group visibility)
public (default)
logged-in users
members only
staff
owners
Admins & group owners always have visibility to group members.
- Use query builder to improve readability
- Remove subquery, so that all `where` filters happen alongside the limit
- Add 'edited at' column to the report
Theme developers can now add any of the transformed color variables to their color scheme in about.json. For example
```
"color_schemes": {
"Light": {
"primary": "333333",
"secondary": "ffffff",
"primary-low": "ff0000"
}
},
```
would override the primary-low variable when compiling SCSS for the color scheme. The primary-low variable will also be visible in administrator color palette UI.
This displays more useful messages for the most common issues we see:
- CSRF (when the user switches browser)
- Invalid IAT (when the server clock is wrong)
- OAuth::Unauthorized for OAuth1 providers, when the credentials are incorrect
This commit also stops earlier for disabled authenticators. Now we stop at the request phase, rather than the callback phase.
This feature (when enabled) will allow for invite_only sites to require
external authentication before they can redeem an invite.
- Created hidden site setting to toggle this
- Enables sending invites with local logins disabled
- OAuth button added to invite form
- Requires OAuth email address to match invite email address
- Prevents redeeming invite if OAuth authentication fails
All posts created by the user are counted unless they are deleted,
belong to a PM sent between a non-human user and the user or belong
to a PM created by the user which doesn't have any other recipients.
It also makes the guardian prevent self-deletes when SSO is enabled.
If a post is flagged after an action was already performed on it, it
will update the previous Reviable instance and not create a new one.
The notification logic was implemented in the :create callback which was
completely skipped in this case.
There are situations where depending on site settings, actions could be
taken due to flags (for example, hiding a post) but those actions were
not visibile in the review queue due to visibility settings.
This patch makes sure that the minimum score required for an action such
as hiding a post needs to meet the visibility for a moderator to see it.
Enable the new setting "post excerpts in emails" to send excerpts
instead of complete posts in notification emails. Control the length of
excerpts with the "post excerpt maxlength" setting.
This feature allows @ mentions to prioritize showing members of a group who
have explicit permission to a category.
This makes it far easier to @ mention group member when composing topics in
categories where only the group has access.
For example:
If Sam, Jane an Joan have access to bugs category.
Then `@` will auto complete to (jane,joan,sam) ordered on last seen at
This feature works on new topics and existing topics. There is an explicit
exclusion of trust level 0,1,2 groups cause they get too big.
Add the Array.from polyfill for IE11. This is required to support the transpiled ES6 spread syntex generated by babel: https://babeljs.io/docs/en/caveats/
Introduces isIpadOS to our capabilities sniffer, which is currently
compatible with latest iPad beta OS. Older iPad versions will match our
isIOS detection.
Using this new feature, fixes the service worker being blocked in Google
Chrome, Firefox and other browsers while running on Mac OS, where they
work just fine. This enables Desktop PWA install in Mac OS.
- Client-side censoring fixed for non-chrome browsers. (Regular expression rewritten to avoid lookback)
- Regex generation is now done on the server, to reduce repeated logic, and make it easier to extend in plugins
- Censor tests are moved to ruby, to ensure everything works end-to-end
- If "watched words regular expressions" is enabled, warn the admin when the generated regex is invalid
This happened because the modal controller was not clearing the `name`
attribute, which is used for looking up the controller to call `onClose`
on.
Every page navigation would call the method over and over, breaking
state in odd ways.
* UX: Rename "Keep Post" to "Keep Post Hidden" when hidden
This is based on this feedback:
https://meta.discourse.org/t/category-group-review-moderation/116478/19
When a post is hidden this makes the operation much more clear.
* REFACTOR: Better support for aliases for actions
Allow calls on alias actions and delegate to the original one.
This is less code but also simplifies tests where the action might
be "agree_and_keep" or "agree_and_keep_hidden" which are the same.
* REFACTOR: Rename SiteSetting.disable_edit_notifications to disable_system_edit_notifications
- The older name could cause some confusion because the setting does not disable all edit notifications, only system ones.
* FIX: Add frozen_string_literal: true in the migration
* DEV: Deprecate 'disable_edit_notifications'
This feature adds the ability to customize the HTML part of all emails using a custom HTML template and optionally some CSS to style it. The CSS will be parsed and converted into inline styles because CSS is poorly supported by email clients. When writing the custom HTML and CSS, be aware of what email clients support. Keep customizations very simple.
Customizations can be added and edited in Admin > Customize > Email Style.
Since the summary email is already heavily styled, there is a setting to disable custom styles for summary emails called "apply custom styles to digest" found in Admin > Settings > Email.
As part of this work, RTL locales are now rendered correctly for all emails.
* UX: Show a warning when admin clicks save without adding group when changing category permissions
* Use div rather than pseudo element
* Don't pass controller to component
* Use observer instead of a delay
* Refactor
* Rename to validator
* validator is much better than saveValidator
Only restricting cache per age wasn't enough for instances with lots of
multimedia usage and high number of posts.
MaxEntries is also more effective on cleanup, and purgeOnQuotaError
advertise that Discourse cache can be purged if necessary.
https://developers.google.com/web/tools/workbox/guides/storage-quota
Related to https://meta.discourse.org/t/host-is-invalid-error-when-tld-is-longer-than-7-characters/46081.
Using Discourse `v2.4.0.beta2 +119`, I can't add an host (when embedding, cf. `/admin/customize/embedding`) ending with `.engineering`.
Turns out current regex limits to 10 characters.
Fix is dumb: it only allows for up to 24 chars, which is the **current** max TLD length, see https://stackoverflow.com/a/22038535/1907212.
---
Maybe a better (and longer-term) fix would be to allow for up to 64 chars, which I understand comes from the RFC.
I'm not at ease with regexes, so can't be sure about it, but [this suggestion](https://meta.discourse.org/t/host-is-invalid-error-when-tld-is-longer-than-7-characters/46081/8?u=julienma) seems pretty good:
> rules of DNS labels are:
>
> - All labels are 1 to 63 characters, case insensitive A to Z, 0 to 9 and - (hyphen), all from ASCII.
> - No labels may start with a hyphen.
> - No top level domain label may start with a number.
>
>That means a regexp for a valid domain name would look like:
>
>`/^([a-z0-9][a-z0-9-]{0,62}\.)+[a-z][a-z0-9-]{0,62}\.?$/`
>
>Domains that are just a TLD are sufficiently bizarre as to be worth ignoring.
* FIX: Better error when SSO fails due to blank secret
* Update spec/requests/session_controller_spec.rb
Co-Authored-By: Robin Ward <robin.ward@gmail.com>
When `SiteSetting.embed_truncate` is enabled (by default), the truncated
string is mutatable and does not raise an error.
However, when the setting is disabled, the `contents` string is frozen
and immutable, and will raise a `FrozenError`.
- will ensure this tag is not restricted to another category, and not only ensure this category can use it
- will clean tags param, in case client is sending an empty array, eg: [""], this could be solved client-side, but we ensure it won't happen ever this way
No need to let notifications stay around when users can't access
a topic after it was converted into a PM or posts were moved
into a restricted topic.
Also makes sure that moving to a new topic correctly uses the
guardian for the first post by enqueuing jobs outside of a
transaction.
* FEATURE: Add search operator to see all direct messages from a user
* Only show message if related messages >= 5
* Make "all messages" the hyperlink
* Review
This commit contains 3 features:
- FEATURE: Allow downloading watched words
This introduces a button that allows admins to download watched words per action in a `.txt` file.
- FEATURE: Allow clearing watched words in bulk
This adds a "Clear All" button that clears all deleted words per action (e.g. block, flag etc.)
- FEATURE: List all blocked words contained in the post when it's blocked
When a post is rejected because it contains one or more blocked words, the error message now lists all the blocked words contained in the post.
-------
This also changes the format of the file for importing watched words from `.csv` to `.txt` so it becomes inconsistent with the extension of the file when watched words are exported.
* DEV: group_list site settings should store IDs instead of group names
* Ship site setting to know when we should migrate group_list settings
* Migrate existing group_list site settings
* Bump migration timestamp and don't set null when migrating is not possible.
If a post arrives via email but must be reviewed, we now show an
icon that can be clicked to view the raw contents of the email.
This is useful if Discourse's email parser is acting odd and the user
reviewing the post wants to know what the original contents were before
approving/rejecting the post.
* FEATURE: Allow choice of category when making a PM public
Previously it would default to uncategorized, which was not ideal on
some forums. This gives the staff member more choice about what they'd
like to do.
* Make the optional category more explicit
* Joffrey's feedback
Previously, users who had any penalties (were silenced or suspended)
were not allowed to promote to Trust Level 3.
There is also a more subtle change here: if users were silenced or
suspended and then the operation was reverted (user was un-silenced
or un-suspended), then it would have been like the user was never
penalized in the first place. This is no longer the case. To forgive a
user earlier, administrators can use "Clear Penalty History" feature.
Lastly, Jobs::UnsilenceUsers will automatically unsilence any users who
should no longer be silenced (silenced_till < now()). This made it so
silence_count - unsilence_count == 0 for any user who is not silenced,
which defeated the purpose of this TL3 requirement.
DEV: deprecate `invite.via_email` in favor of `invite.emailed_status`
This commit adds a new column `emailed_status` in `invites` table for
tracking email sending status.
0 - not required
1 - pending
2 - bulk pending
3 - sending
4 - sent
For normal email invites, invite record is created with emailed_status
set to 'pending'.
When bulk invites are sent invite record is created with emailed_status
set to 'bulk pending'.
For invites that generates link, invite record is created with
emailed_status set to 'not required'.
When invite email is in queue emailed_status is updated to 'sending'
Once the email is sent via `InviteEmail` job the invite emailed_status
is updated to 'sent'.
Follow up to: [FEATURE: Create a rake task for destroying categories][1]
- `Discourse.system_user` is my friend
- Remove puts statements from rake tasks that don't return anything
- `for_each` is also my friend
- Use `human_users` to also exclude discobot
- Sort/format categories:list
[1]: 092eeb5ca3
user_url() failed for usernames containing Unicode characters because it expects URL encoded usernames. RSS feeds do not support IRIs, so lets convert them to URIs by encoding the usernames.
* DEV: uses with private API for currentPath
router.currentRouteName as a slightly different API and application.currentPath is deprecated
* another fix
* Revert "Revert "FEATURE: admin/user exports are compressed using the zip format (#7784)""
This reverts commit f89bd55576.
* Replace .tar.zip with .zip
Created a rake task for destroying multiple categories along with any
subcategories and topics the belong to those categories.
Also created a rake task for listing all of your categories.
Refactored existing destroy rake tasks to use new logging method, that
allows for puts output in the console but prevents it from showing in
the specs.
There is a bug that when Safari starts up, and reloads the tabs from
the previous session **and** there is a service worker registered for
the scope of the document, all cookies marked as `SameSite=Lax` won't be
sent in the request.
This puts Discourse in a **very** broken state, where:
- You appear as a anon user
- Subsequent xhr requests will come with logged in data
- Refreshing doesn't log you in (cookies are still not sent)
- Clicking on the address bar and hitting enter, will log you in (as it
will finally send those damn `SameSite=Lax` cookies.
Looks a lot like a corner case missed by the fix at
https://trac.webkit.org/changeset/241918/webkit
- adds a migration renaming FA4 icon names in badges
- allows all icons to be used in badges (previously was limited to icons prefixed with fa-)
- renames remaining FA 4.7 icons equivalents
This fixes the problem where if a route ends with a dynamic segment and the segment contains a period e.g. `my.name`, `name` is interpreted as the format. This applies a default format constraints `/(json|html)/` on all routes. If you'd like a route to have a different format constraints, you can do something like this:
```ruby
get "your-route" => "your_controlller#method", constraints: { format: /(rss|xml)/ }
#or
get "your-route" => "your_controlller#method", constraints: { format: :xml }
```
* FEATURE: Allow customization of robots.txt
This allows admins to customize/override the content of the robots.txt
file at /admin/customize/robots. That page is not linked to anywhere in
the UI -- admins have to manually type the URL to access that page.
* use Ember.computed.not
* Jeff feedback
* Feedback
* Remove unused import
And don't load javascript assets if plugin is disabled.
* precompile auto generated plugin js assets
* SPEC: remove spec test functions
* remove plugin js from test_helper
Co-Authored-By: Régis Hanol <regis@hanol.fr>
* DEV: using equality is slightly easier to read than inequality
Co-Authored-By: Régis Hanol <regis@hanol.fr>
* DEV: use `select` method instead of `find_all` for readability
Co-Authored-By: Régis Hanol <regis@hanol.fr>
When we delete a post that has replies, we show a modal asking if the user wants to delete the post, the post and its direct replies or the post and all its replies.
If replies are deleted before a post, that modal would ask the user if they want to delete the post and 0 replies.
That commit ensure we skip the modal and directly delete the post in this case.
This is a low severity security fix because it requires a logged in
admin user to update a site setting via the API directly to an invalid
value.
The fix adds validation for the affected site settings, as well as a
secondary fix to prevent injection in the event of bad data somehow
already exists.
* FIX: ensures routin with hash doesnt stuck history
Original issue: https://meta.discourse.org/t/hash-anchor-in-url-prevents-further-url-updates/122068/4
Basically when the path has a hash, state would be null, and nothing would happen.
* Update app/assets/javascripts/discourse/lib/discourse-location.js.es6
Co-Authored-By: Régis Hanol <regis@hanol.fr>
* FEATURE: admin/user exports are compressed using the zip format
* Update translations. Theme exporter now exports .zip file. Theme importer supports .zip and .gz files
* Fix controller test, updated locale and skip saving the csv export to disk
Note this is very low severity as the group needs to be created with a
default title that contains HTML, and group creation is restricted to
staff members right now.
In order for this to work the Backuper stores a couple of site settings
in the new backup_metadata table, because the old setting values might
not be available on restore anymore.
Context: https://meta.discourse.org/t/121589
This new setting option lets group owners message/mention large groups
without granting that privilege to all members.
Groups can now be marked as visible to "logged on users". All automatic groups (except `everyone`) are now visible to "logged on users", previously they were marked as public but suppressed in the group page for non-staff.
If a database exception is raised ActiveRecord will always rollback
even if caught.
Instead we build the query in manual SQL and DO NOTHING when there's a
conflict. If we detect nothing was done, perform an update.
See related topic:
https://meta.discourse.org/t/back-button-history-not-properly-working/122183
The issue here is the transition was not completing properly which meant
if you backed out of a topic quickly and entered a new one, hitting back
in the second topic would sometimes take you to the previous one instead
of back to the topic list.
This changes the label and behaviour of the "No, keep" button in the confirmation modal when user cancels a draft while on a different topic. The new button label is "No, save draft", and when clicked, the composer will be dismissed without destroying the draft.
If an external plugin inserts an element with class "emoji-picker", something probable if they extend EmojiPicker, it could cause troubles as css is added depending on the emoji-picker height. Just by adding a class of a parent <div> as could be d-editor, we prevent this from happening.
This allows you to temporarily disable components without having to remove them from a theme.
This feature is very handy when doing quick fix engineering.
The global setting disable_search_queue_threshold
(DISCOURSE_DISABLE_SEARCH_QUEUE_THRESHOLD) which default to 1 second was
added.
This protection ensures that when the application is unable to keep up with
requests it will simply turn off search till it is not backed up.
To disable this protection set this to 0.
To reproduce:
1. Visit a url in a new tab such as `/latest?order=views`
2. Click a topic link
3. Click the back button
Before this patch, you would not be sent back to the latest list.
Now, I am somewhat hesitant to delete code like this, but the [original
commit](b2b7f4d905)
explains a situation that I cannot reproduce with the code missing.
I cannot seem to keep the filters as sticky even if I try. At the very
least this is better to commit right now than the currently known broken
situation.
The behaviour of #TERM in search has been amended
1. We try category or subcategory slugs
2. We try tags
3. We try tag-groups
The term `hello #my-group` will search for all posts tagged with any of
the tags in the tag group `My Group`
Future work may be introducing a slug cache here or caching it in the table
but the assumption is that the number of tag groups will not be huge
Adds a second factor landing page that centralizes a user's second factor configuration.
This contains both TOTP and Backup, and also allows multiple TOTP tokens to be registered and organized by a name. Access to this page is authenticated via password, and cached for 30 minutes via a secure session.
Look for the specialised version first, before falling back to the
default. This allows the behaviour to be customised based on the type of
notification.
Previously users were still allowed to create topic via API even if
uncategorized was disabled.
Not 100% happy with all this special casing, but I guess we have to do
something.
This also splits up a mega spec now that we have fab! into a more easy to
understand structure (I hope)
This can cause unbound CPU usage in some cases, and excessive logging in other cases. This commit moves redis readonly information into the local process, but maintains the DistributedCache for postgres readonly state.
followup to #bc03c509
There were 2 problems
1. VALUES was not properly getting multiple results ... we need (1),(2),(3)
not (1,2,3)
2. changes was mistakenly lazy evaluated eg `changed ||=` which meant some
queries were not running
* Remove unused method
* Prefabricate user in category_user_spec.rb
* FIX: Remove notification_level from category_users unique indexes
* FIX: CategoryUser#batch_set wasn't updating pre-existing records
* Improve tests for CategoryUser#batch_set
* FIX: changed was being reported incorrectly
* DEV: Rewrote query to do a bulk insert
* DEV: remove unnecessary parentheses
Rafael dos Santos Silva
Osama Sayegh
Robin Ward
Kris
Régis Hanol
David Taylor
Arpit Jalan
Kyle Zhao
Dan Ungureanu
romanrizzi
Penar Musaraj
Vinoth Kannan
hawm
Jarek Radosz
Krzysztof Kotlarek
Neil Lalonde
Gerhard Schlager
Rishabh
Leo McArdle
Sam Saffron
Michael Brown
Joffrey JAFFEUX
Bianca Nenciu
Nick Quaranto
Rimian Perkins
Jeff Wong
Mark VanLandingham
Joe
Daniel Waterworth
Blake Erickson
tshenry
Vinoth Kannan
Faizaan Gagan
Guo Xiang Tan
Julien Ma
Saurabh Patel
Ralph Rooding
Mario Santos
Julian Calvento