Commit Graph

9319 Commits

Author SHA1 Message Date
GuteLaune a2c08e8159
Fix typo (#26437) 2024-03-30 11:50:59 -07:00
Blake Erickson ba806eec74
DEV: Various bulk-select dropdown tweaks (#26424)
* DEV: Various bulk-select dropdown tweaks

- Setting is no longer hidden
- descriptions have been moved to the modal
- Removed ... from one of the dropdown titles
2024-03-29 12:29:24 -06:00
jbrw 74d55f14fe
DEV: Add skip_email_bulk_invites hidden site setting (#26430)
This adds a hidden site setting of `skip_email_bulk_invites`

If set to `true`, the `BulkInvite` job will pass the value to `Invite`, meaning the generated invite wont trigger an email notification being sent to the newly invited user.

(This is useful if you want to manage the sending of the invite emails outside of Discourse.)
2024-03-29 13:22:00 -04:00
Tobias Eigen 95e4b53aab
Improved description of `allow_anonymous_likes` (#26269)
improved description of  `allow_anonymous_likes` setting so it no longer refers to not-logged-in-users
2024-03-29 06:08:12 -07:00
Tobias Eigen 140b9f556c
update desc of personal message enabled groups setting (#26296)
The personal message enabled groups site setting is overridden by the group interaction settings for specifying who is allowed to write to groups. This was not clearly explained in the description here and I think I fixed it!
2024-03-29 06:07:48 -07:00
Tobias Eigen 36b0d5c2ae
removed link to TOS from community guidelines (#26326)
Not all sites will want to have a terms of service page, so we do not want to link to it from the community guidelines.
2024-03-29 06:07:09 -07:00
Alan Guo Xiang Tan a670d6d4af
DEV: Change group type to groups type for theme object schema (#26417)
Why this change?

This is a follow-up to 86b2e3a.

Basically, we want to allow people to select more than 1 group as well.

What does this change do?

1. Change `type: group` to `type: groups` and support `min` and `max`
   validations for `type: groups`.

2. Fix the `<SchemaThemeSetting::Types::Groups>` component to support the
   `min` and `max` validations and switch it to use the `<GroupChooser>` component
   instead of the `<ComboBoxComponent>` component which previously only supported
   selecting a single group.
2024-03-28 22:05:48 +08:00
Martin Brennan e04b35a184
FIX: Hide footgun max_notifications_per_user site setting (#26414)
It's not really intentional to have regular admins change
this in all but pathological cases. It deletes all notifications
over this threshold for users without warning. If admins
really want to turn this on, they can do it via the app.yml file
2024-03-28 14:42:22 +10:00
Alan Guo Xiang Tan 69af29cc40
DEV: Add a test to ensure that our SMTP settings are correct (#26410)
Why this change?

This is a follow up to 897be75941.

When updating `net-smtp` from `0.4.x` to `0.5.x`, our test suite passed
but the error `ArgumentError: SMTP-AUTH requested but missing user name`
was being thrown in production leading to emails being failed to send
out via SMTP.

This commit adds a test to ensure that our production SMTP settings will
at least attemp to connect to an SMTP server.
2024-03-28 10:18:19 +08:00
Alan Guo Xiang Tan 9d94cee898
DEV: Drop unused cloud66 configuration files (#26409)
Why this change?

These files were added 10 years ago and are no longer maintained or
relevant. Please see https://github.com/discourse/discourse/blob/main/docs/INSTALL-cloud.md
instead.
2024-03-28 09:19:20 +08:00
Daniel Waterworth 897be75941 FIX: Don't set smtp authentication type when there's no user or password
... otherwise net-smtp, starting with 0.5.0, complains.
2024-03-27 14:20:29 -05:00
Angus McLeod 7dc552c9cc
DEV: Add `import_embed_unlisted` site setting (#26222) 2024-03-27 08:57:43 -04:00
Osama Sayegh 0b34b4cbe9
DEV: Better error message when user is not allowed to user tags (#26380)
When a topic fails to be created due to the user not having permission to add tags to the topic, the error message that you get is `There was an error tagging the topic` which is very generic and doesn't explain where/what the problem is. This commit adds a clearer error message for this scenario.
2024-03-27 12:57:10 +03:00
David Taylor 1cc8c72a98
DEV: Consolidate experimental 'Link' header implementations (#26377)
This commit removes the 'experimental_preconnect_link_header' site setting, and the 'preload_link_header' site setting, and introduces two new global settings: early_hint_header_mode and early_hint_header_name.

We don't actually send 103 Early Hint responses from Discourse. However, upstream proxies can be configured to cache a response header from the app and use that to send an Early Hint response to future clients.

- `early_hint_header_mode` specifies the mode for the early hint header. Can be nil (disabled), "preconnect" (lists just CDN domains) or "preload" (lists all assets).
- `early_hint_header_name` specifies which header name to use for the early hint. Defaults to "Link", but can be changed to support different proxy mechanisms.
2024-03-27 09:06:50 +00:00
Krzysztof Kotlarek 0932b146d9
FEATURE: the ability to expand/collapse all admin sections (#26358)
By default, admin sections should be collapsed.
In addition, a button to expand/collapse all sections has been added.
2024-03-27 14:42:06 +11:00
Alan Guo Xiang Tan 476d91d233
DEV: Change category type to categories type for theme object schema (#26339)
Why this change?

This is a follow-up to 86b2e3aa3e.

Basically, we want to allow people to select more than 1 category as well.

What does this change do?

1. Change `type: category` to `type: categories` and support `min` and `max`
   validations for `type: categories`.

2. Fix the `<SchemaThemeSetting::Types::Categories>` component to support the
   `min` and `max` validations and switch it to use the `<CategorySelector>` component
   instead of the `<CategoryChooser>` component which only supports selecting one category.
2024-03-27 10:54:30 +08:00
Sam e765e84941
DEV: allow developers to use HTTPS if they wish (#26384)
Warning is getting tiring on local and I have https://l.discourse working just fine (tm)
2024-03-27 10:48:04 +11:00
David Taylor 312a5ead1f
DEV: Add Google-InspectionTool as a crawler user agent (#26375)
This user-agent is sent when URLs are inspected via the UI of Google's search console. It makes sense for us to serve it the same content as other bots, including GoogleBot.
2024-03-26 15:56:36 +00:00
Discourse Translator Bot f2a781bcd0
Update translations (#26368) 2024-03-26 16:30:01 +01:00
David Taylor 3329484e2d
FEATURE: Simplify crawler content for non-canonical post URLs (#26324)
When crawlers visit a post-specific URL like `/t/-/{topic-id}/{post-number}`, we use the canonical to direct them to the appropriate crawler-optimised paginated view (e.g. `?page=3`).

However, analysis of google results shows that the post-specific URLs are still being included in the index. Google doesn't tell us exactly why this is happening. However, as a general rule, 'A large portion of the duplicate page's content should be present on the canonical version'.

In our previous implementation, this wasn't 100% true all the time. That's because a request for a post-specific URL would include posts 'surrounding' that post, and won't exactly conform to the page boundaries which are used in the canonical version of the page. Essentially: in some cases, the content of the post-specific pages would include many posts which were not present on the canonical paginated version.

This commit aims to resolve that problem by simplifying the implementation. Instead of rendering posts surrounding the target post_number, we will only render the target post, and include a link to 'show post in topic'. With this new implementation, 100% of the post-specific page content will be present on the canonical paginated version, which will hopefully mean google reduces their  indexing of the non-canonical post-specific pages.
2024-03-26 15:18:46 +00:00
Alan Guo Xiang Tan ef99b97ea7
DEV: Load theme objects typed setting metadata when routing to editor (#26354)
Why this change?

Previously, we were preloading the necessary metadata for
`adminCustomizeThemes.show.schema` route in the
`adminCustomizeThemes.show` route. This is wasteful because we're
loading data upfront when the objects setting editor may not be used.

This change also lays the ground work for a future commit where we need
to be shipping down additional metadata which may further add to the
payload.
2024-03-26 14:02:05 +08:00
Alan Guo Xiang Tan 8a6e43a3d4
FIX: Fix broken translation in tags input field objects setting editor (#26340)
Why this change?

When a property of `type: tags` is required, we should be displaying the
"at least 1 tag is required" validation error message when there are no
tags selected in the `TagChooser` compoment. However, we were passing
`this.min` as the `count` attribute when generating the translation
string which is incorrect as `this.min` is not always set.
2024-03-25 16:06:32 +08:00
David Taylor 4a7e69d8ee
UX: Include message when crawler content is omitted (#26325)
To improve performance, we omit the basic-HTML version of pages when users are logged in, or when they are using a modern mobile device. This can be confusing when analysing the SEO of sites, so this commit adds a short static message when content is omitted.
2024-03-22 17:24:57 +00:00
Kris 9cadc402e6
UX: add title attribute to composer preview image controls (#26301) 2024-03-22 09:49:10 -04:00
Alan Guo Xiang Tan 86b2e3aa3e
DEV: Change `tag` type to `tags` type for theme object schema (#26315)
Why this change?

While working on the tag selector for the theme object editor, I
realised that there is an extremely high possibility that users might want to select
more than one tag. By supporting the ability to select more than one
tag, it also means that we get support for a single tag for free as
well.

What does this change do?

1. Change `type: tag` to `type: tags` and support `min` and `max`
   validations for `type: tags`.

2. Fix the `<SchemaThemeSetting::Types::Tags>` component to support the
   `min` and `max` validations
2024-03-22 15:32:00 +08:00
Alan Guo Xiang Tan dfc406fdc2
FIX: Validate tags using `Tag#name` instead of `Tag#id` in `ThemeSettingsObjectValidator` (#26314)
Why this change?

Fortunately or unfortunately in Discourse core, we mainly use `Tag#name`
to look up tags and not its id. This assumption is built into the
frontend as well so we need to use the tag's name instead of the id
here.
2024-03-22 11:05:16 +08:00
David Taylor 26db3be4dd
DEV: Improve UX when user profiles are hidden from public (#26293)
Previously, we had an instant redirect back to the homepage, and clicking avatars would do nothing. This made things feel 'broken' for anon when 'hide_user_profiles_from_public' was enabled.

This commit does a few things to resolve this:

1. Improve our 'exception' system for routes so that developers can deliberately trigger it without an ajax error

2. Improve 'exception' system so that the browser URL bar is updated correctly, and the 'back' button works as expected

3. Replace the redirect-to-home with an 'access denied' error page, with specific copy for 'You must log in to view user profiles'

4. Update user-card logic to display this new page instead of doing nothing on click
2024-03-21 17:53:52 +00:00
Alan Guo Xiang Tan a30d73f255
DEV: Add validation message to integer fields in theme object editora (#26284)
Why this change?

This is a continuation of 8de869630f.

In our schema, we support the `min` and `max` validation
rules like so:

```
some_objects_setting
  type: objects
  schema:
    name: some_object
    properties:
      id:
        type: integer
        validations:
          min: 5
          max: 10
```

While the validations used to validate the objects on the server side,
we should also add client side validation for better UX.
2024-03-21 15:03:07 +08:00
Alan Guo Xiang Tan 8de869630f
DEV: Add validation message to string fields in theme object editor (#26257)
Why this change?

In our schema, we support the `min_length` and `max_length` validation
rules like so:

```
some_objects_setting
  type: objects
  schema:
    name: some_object
    properties:
      title:
        type: string
        validations:
          min_length: 1
          max_length: 10
```

While the validations used to validate the objects on the server side,
we should also add client side validation for better UX.
2024-03-21 12:39:25 +08:00
Krzysztof Kotlarek 043117ca13
FEATURE: separate admin page for whats new and reports (#26216)
Currently, a new sidebar link for what's new and reports is going to the main dashboard page and activates the proper tab.

It might be problematic, especially, when the instance has a lot of problems. In that case, it would be difficult for admin to find reports or what’s new which is rendered at the bottom of the page.

Therefore separate pages for reports and what's new were created.

Reports were moved to a component that is shared between a separate page and the dashboard.
2024-03-20 14:23:18 +11:00
Discourse Translator Bot 29752dda2e
Update translations (#26242) 2024-03-19 16:00:07 +01:00
Gabriel Grubba 8ae462c724
FEATURE: add language picker for theme translations in admin UI (#26150)
Allows editing translations of a theme in locales other than the current localy.
2024-03-18 12:00:28 -04:00
Alan Guo Xiang Tan 36cdb1444c
EXPERIMENTAL: preconnect and dns-prefetch resource hints for CDN domains (#26215)
Why this change?

In https://web.dev/articles/preconnect-and-dns-prefetch, it describes
how hinting to the browser to preconnect to domains which we will
eventually use the connection for can help improve the time it takes to
load a page.

We are putting this behind an experimental flag so that we can test and
profile this in a production environment.

What does this change introduce?

Introduce a hidden experimental `experimental_preconnect_link_header`
site setting which when enabled will add the `preconnect` and
`dns-prefetch` resource hints to the response headers for full page load
requests.
2024-03-18 13:45:41 +08:00
Alan Guo Xiang Tan 426c035b80
UX: First pass styling experimental objects typed setting editor (#26194)
Why this change?

This is a first pass at styling the editor for creating/editing/updating
an objects typed theme setting. Only the desktop view is being
considered at the current moment.

The objects typed theme setting is still behind a feature flag at this moment so there is no need for us to get the styling perfect. The purpose of this PR is to get us to a state which we can quickly iterate with a designer on.
2024-03-18 10:03:30 +08:00
Penar Musaraj 8cf2f909f5
DEV: Dedicated route for current user notification counts (#26106)
Co-authored-by: Alan Guo Xiang Tan <gxtan1990@gmail.com>
2024-03-15 12:08:37 -04:00
Penar Musaraj 62ea382247
SECURITY: Limit invites params length 2024-03-15 14:24:07 +08:00
Daniel Waterworth 8cade1e825
SECURITY: Prevent large staff actions causing DoS
This commit operates at three levels of abstraction:

 1. We want to prevent user history rows from being unbounded in size.
    This commit adds rails validations to limit the sizes of columns on
    user_histories,

 2. However, we don't want to prevent certain actions from being
    completed if these columns are too long. In those cases, we truncate
    the values that are given and store the truncated versions,

 3. For endpoints that perform staff actions, we can further control
    what is permitted by explicitly validating the params that are given
    before attempting the action,
2024-03-15 14:24:04 +08:00
Alan Guo Xiang Tan 003b80e62f
SECURITY: Add rate limits for uploads 2024-03-15 14:24:00 +08:00
Blake Erickson 70c23f11a9
DEV: Add API scopes for post revisions (#26183)
This commit adds API scopes for reading, modifying, and deleting post
revisions.
2024-03-14 15:24:54 -06:00
Penar Musaraj a71f68afdd
DEV: Improve localizability for a few labels (#26178)
Using separate prefix + date elements makes it harder to translate in
some languages. This moves a few dates inside i18n strings.
2024-03-14 15:01:43 -04:00
Kris 9376a2e755
FEATURE: optionally show "Powered by Discourse" link to discourse.org (#26162) 2024-03-14 10:30:12 -04:00
Krzysztof Kotlarek e12d32a876
FIX: improvements for the admin sidebar (#26168)
- add all settings link
- hide the customize header menu when the admin sidebar
2024-03-14 15:01:47 +11:00
Ted Johansson ea5c3a3bdc
DEV: Move non scheduled problem checks to classes (#26122)
In AdminDashboardData we have a bunch of problem checks implemented as methods on that class. This PR absolves it of the responsibility by promoting each of those checks to a first class ProblemCheck. This way each of them can have their own priority and arbitrary functionality can be isolated in its own class.

Think "extract class" refactoring over and over. Since they were all moved we can also get rid of the @@problem_syms class variable which was basically the old version of the registry now replaced by ProblemCheck.realtime.

In addition AdminDashboardData::Problem value object has been entirely replaced with the new ProblemCheck::Problem (with compatible API).

Lastly, I added some RSpec matchers to simplify testing of problem checks and provide helpful error messages when assertions fail.
2024-03-14 10:55:01 +08:00
Martin Brennan 4e7a75a7ec
DEV: Single admin plugin page for consistent admin plugin UX (#26024)
This commit adds new plugin show routes (`/admin/plugins/:plugin_id`) as we move
towards every plugin having a consistent UI/landing page.

As part of this, we are introducing a consistent way for plugins
to show an inner sidebar in their config page, via a new plugin
API `register_admin_config_nav_routes`

This accepts an array of links with a label/text, and an
ember route. Once this commit is merged we can start the process
of conforming other plugins to follow this pattern, as well
as supporting a single-page version of this for simpler plugins
that don't require an inner sidebar.

Part of /t/122841 internally
2024-03-13 13:15:12 +10:00
Krzysztof Kotlarek de00c9a3d3
EXPERIMENTAL: restructure admin sidebar menu (#26047)
New admin sidebar menu
2024-03-13 10:18:08 +11:00
Penar Musaraj 0d64c886da
DEV: Update the description for `include_in_discourse_discover` (#26142) 2024-03-12 15:18:45 -04:00
David Taylor 127214c613
UX: Improve error handling for DiscourseConnect (#26140)
Previously, if the sso= payload was invalid Base64, but signed correctly, there would be no useful log or error. This commit improves things by:

- moving the base64 check before the signature checking so that it's properly surfaced
- split the ParseError exception into PayloadParseError and SignatureError
- add user-facing errors for both of those
- add/improve spec for both
2024-03-12 16:16:04 +00:00
Discourse Translator Bot ec3d29a1fa
Update translations (#26136) 2024-03-12 15:40:11 +01:00
Carson Chang d7a504b3ec
UX: Change default action label from "Message" to "Send Message" in composer when sending a message (#26109) 2024-03-11 09:40:57 +08:00
Blake Erickson f71e9aad60
FEATURE: Silence Close Notifications User Setting (#26072)
This change creates a user setting that they can toggle if
they don't want to receive unread notifications when someone closes a
topic they have read and are watching/tracking it.
2024-03-08 15:14:46 -07:00
Penar Musaraj 32e1eda3fa
A11Y: Update bulk selection keyboard shortcuts (#26069)
* A11Y: Update bulk selection keyboard shortcuts

Still a draft, but in current state this:

- adds `shift+b` as a keyboard shortcut to toggle bulk select
- adds `shift+d` as a keyboard shortcut to dismiss selected topic(s) (this
replaces `x r` and `x t` shortcuts)
- adds `x` as a keyboard shortcut to toggle selection (while in bulk select mode)
- fixes a bug with the `shift+a` shortcut, which was not working properly

Note that there is a breaking change here. Previously we had:

- `x r` to dismiss new topics
- `x t` to dismiss unread topics

However, this meant that we couldn't use `x` for selection, because the
itsatrap library does not allow the same character to be used both as a
single character shortcut and as the start of a sequence. The proposed
solution here is more consistent with other apps (Gmail, Github) that use
`x` to toggle selection.

Also, we never show both "Dismiss New" and "Dismiss Unread" in the same
screen, hence it makes sense to consolidate both actions under `shift+d`.

* Address review
2024-03-08 09:54:10 -05:00
David Taylor 92d357f91a
FEATURE: Enable strict-dynamic Content-Security-Policy by default (#26051)
Ref https://meta.discourse.org/t/298172 and https://meta.discourse.org/t/295603
2024-03-07 15:20:31 +00:00
Bianca Nenciu e89bdea830
FEATURE: Show remaining count in category-drop (#25938)
When "lazy load categories" is enabled, the CategoryDrop component will
render at most 15 categories. If there are more categories, a "Show
more" link pointing to the categories page will be displayed.
2024-03-07 16:14:50 +02:00
Bianca Nenciu 8dbcfef3fd
FEATURE: Add "+ subcategories" option back (#26035)
This option was introduced at some point in the past, but was removed
during the work necessary to make Discourse work with a large number of
categories.

Follow up to commit 2e68ead45b.
2024-03-06 20:14:36 +02:00
Alan Guo Xiang Tan 3491642f98
DEV: Make `discourse_narrative_bot` use Rails autoload (#26044)
Why this change?

Instead of manually loading files, we should just structure the plugin
so that it relies on Rails autoload strategy and avoid all the manual
`require_relative`s.

What does this change do?

1. Structure the plugin to use Rails autoloading convention
2. Remove onceff jobs that were added 5-6 years ago. There is no need to
   carry these jobs anymore after such a long time.
3. Move setting of `SiteSetting.discourse_narrative_bot_enabled` to
   `false` in the test environment from core into the plugin.
2024-03-06 11:14:53 +08:00
Alan Guo Xiang Tan 94b09f3331
DEV: Open theme settings objects editor from admin customize theme page (#26006)
Why this change?

The `/admin/customize/themes/:id/schema/name` route is a work in
progress but we want to be able to start navigating to it from the
`/admin/customize/themes/:id` route.

What does this change do?

1. Move `adminCustomizeThemes.schema` to a child route of
   `adminCustomizeThemes.show`. This is because we need the model
   from the parent route and if it isn't a child route we end up
   having to load the theme model again from the server.

1. Add the `objects_schema` attribute to `ThemeSettingsSerializer`

1. Refactor `SiteSettingComponent` to be able to render a button
   so that we don't have to hardcode the button rendering into the
   `SiteSettings::String` component
2024-03-06 08:24:29 +08:00
Discourse Translator Bot 6791eb1a94
Update translations (#26030) 2024-03-05 16:47:46 +01:00
Blake Erickson 6702babd5e
DEV: More bulk select modal enhancements (#25979)
* Add cancel button

* Add loading spinner

* Add toast message
2024-03-05 08:30:26 -07:00
Jeff Wong 00e76efb7c
FEATURE: site setting to include post in penalty messages (#26025)
Adds a site setting to include a post's content in penalty message.
When silencing/suspending a user from a post, or a reviewable with
a post, adds an option to include a post's content in the email
message by default.
2024-03-04 18:35:21 -08:00
Martin Brennan 718a91c297
UX: Site setting descriptions initial pass (#25829)
This commit changes the wording of the 50 site settings that
previously had the shortest descriptions (e.g. City for Disputes
was described as City for Disputes...) using AI-generated and then
human curated descriptions based on the Forum Helper persona
on Discourse Meta.

In future we may want to do more of these, this is only a first pass.

Co-authored-by: Penar Musaraj <pmusaraj@gmail.com>
2024-03-04 13:48:39 +10:00
Martin Brennan eca10e56b8
FEATURE: Allow specific groups to view raw email (#26003)
When a post is created by an incoming email, we show
an envelope icon on it which then opens a modal with the
raw email contents. Previously this was staff (admin+mod)
only, but now this commit adds the `view_raw_email_allowed_groups`
site setting, so any group can be added to give users permission
to see this.
2024-03-04 13:48:16 +10:00
Martin Brennan fef52c2ab7
DEV: Delete old enable_bookmarks_with_reminders setting (#25982)
This setting has not been used for a long time, get rid
of it and also update the historical migration to not
rely on the SiteSetting model.
2024-03-04 13:48:04 +10:00
Lilly b5199eac80
Update a typographer markdown settings text on server.en.yml (#25996)
Remove (c) from enable_markdown_typographer_settings text
2024-03-03 02:48:44 -08:00
Martin Brennan 0b60086ff8
DEV: Hide min_trust_level_to_allow_profile_background setting (#25980)
Followup to a57280cb17,
it was an oversight
2024-03-01 13:32:19 +10:00
Blake Erickson 2d890d73a2
FEATURE: Add recover api scopes (#25978)
This commit adds two new api scopes. One for recovering topics, and the
other for recovering posts.
2024-02-29 15:49:29 -07:00
Krzysztof Kotlarek 8b5204579c
FEATURE: filter admin sidebar (#25853)
Ability to filter admin sidebar. The filter can be cleared. In addition, it can be accessed with ctrl+/ shortcut
2024-02-28 12:15:02 +11:00
Discourse Translator Bot eea7af09fd
Update translations (#25914) 2024-02-27 20:50:30 +01:00
Alan Guo Xiang Tan 52a4912475
DEV: Support topic, post, group, upload and tag type for theme objects setting (#25907)
Why this change?

Previously in cac60a2c6b, I added support
for `type: "category"` for a property in the theme objects schema. This
commit extend the work previously to add support for types `topic`,
`post`, `group`, `upload` and `tag`.
2024-02-27 14:27:10 +08:00
Alan Guo Xiang Tan 7bcfe60a76
DEV: Validate default value for `type: objects` theme settings (#25833)
Why this change?

This change adds validation for the default value for `type: objects` theme
settings when a setting theme field is uploaded. This helps the theme
author to ensure that the objects which they specifc in the default
value adhere to the schema which they have declared.

When an error is encountered in one of the objects, the error
message will look something like:

`"The property at JSON Pointer '/0/title' must be at least 5 characters
long."`

We use a JSON Pointer to reference the property in the object which is
something most json-schema validator uses as well.

What does this change do?

1. This commit once again changes the shape of hash returned by
   `ThemeSettingsObjectValidator.validate`. Instead of using the
   property name as the key previously, we have decided to avoid
   multiple levels of nesting and instead use a JSON Pointer as the key
   which helps to simplify the implementation.

2 Introduces `ThemeSettingsObjectValidator.validate_objects` which
  returns an array of validation error messages for all the objects
  passed to the method.
2024-02-27 09:16:37 +08:00
Blake Erickson 52d357c1d1
DEV: Add loading spinner to install theme modal (#25888)
This commit adds a loading spinner when installing a theme as sometimes
installing a theme can take quite a bit of time this way we have some
indication that things are still working as the theme is being
installed.
2024-02-26 14:14:21 -07:00
David Taylor 542cb22fd4 DEV: Drop Ember 3 feature flag 2024-02-26 12:22:05 +00:00
Ted Johansson ed2496c59d
FEATURE: Add scheduled Twitter login problem check - Part 1 (#25830)
This PR adds a new scheduled problem check that simply tries to connect to Twitter OAuth endpoint to check that it's working. It is using the default retry strategy of 2 retries 30 seconds apart.
2024-02-26 12:08:12 +08:00
Isaac Janzen 21f23cc032
DEV: Convert header to glimmer (#25214)
Here is a breakdown of the changes that will be implemented in this PR.

# Widgets -> Glimmer

Obviously, the intention of the todo here is to convert the header from widgets to glimmer. This PR splits the respective widgets as so:

### widgets/site-header.js
```mermaid height=200
flowchart TB
    A[widgets/site-header.js] 
    A-->B[components/glimmer-site-header.gjs]
```

### widgets/header.js and children
```mermaid height=200
flowchart TB
    A[widgets/header.js] 
    A-->B[components/glimmer-header.gjs]
    B-->C[glimmer-header/contents.gjs]
    C-->D[./auth-buttons.gjs]
    C-->E[./icons.gjs]
    C-->F[./user-menu-wrapper.gjs]
    C-->G[./hamburger-dropdown-wrapper.gjs]
    C-->H[./user-menu-wrapper.gjs]
    C-->I[./sidebar-toggle.gjs]
    C-->J[./topic/info.gjs]
```

There are additional components rendered within the `glimmer-header/*` components, but I will leave those out for now. From this view you can see that we split apart the logic of `widgets/header.js` into 10+ components. Breaking apart these mega files has many benefits (readability, etc).

# Services

I have introduced a [header](cdb42caa04/app/assets/javascripts/discourse/app/services/header.js) service. This simplifies how we pass around data in the header, as well as fixes a bug we have with "swiping" menu panels.


# Modifiers
Added a [close-on-click-outside](cdb42caa04/app/assets/javascripts/discourse/app/modifiers/close-on-click-outside.js) modifier that is built upon the [close-on-click-outside modifier](https://github.com/discourse/discourse/blob/main/app/assets/javascripts/float-kit/addon/modifiers/close-on-click-outside.js) that @jjaffeux built for float-kit. I think we could replace float-kit's implementation with mine and have it in a centralized location as they are extremely similar.

# Tests
Rewrote the existing header tests ([1](https://github.com/discourse/discourse/blob/main/app/assets/javascripts/discourse/tests/integration/components/widgets/header-test.js), [2](https://github.com/discourse/discourse/blob/main/app/assets/javascripts/discourse/tests/integration/components/site-header-test.js)) as system tests. 

# Other
- Converted `widgets/user-status-bubble.js` to a gjs component
- Converted `widgets/sidebar-toggle.js` to a gjs component
- Converted `topicFeaturedLinkNode()` to a gjs component
- Deprecated the [docking mixin](https://github.com/discourse/discourse/blob/main/app/assets/javascripts/discourse/app/mixins/docking.js)
2024-02-23 11:08:15 -07:00
David Taylor 20a36f0b8f
DEV: Include deprecation link in warning banner (#25839) 2024-02-23 14:28:23 +00:00
Alan Guo Xiang Tan ad0824b7e3
DEV: Fix connections timeout in system test (#25835)
Why this change?

This regressed in 6e9fbb5bab because we
had a `request.xhr?` check before we decide to block requests. However,
there could not none-xhr requests which we need to block as well at the
end of each system test when `@@block_requests` is true.

This also reverts commit 6437f27f90.
2024-02-23 16:03:46 +08:00
Sam 207cb2052f
FIX: muted tags breaking hot page when filtered to tags (#25824)
Also, remove experimental setting and simply use top_menu for feature detection

This means that when people eventually enable the hot top menu, there will
be topics in it


Co-authored-by: Alan Guo Xiang Tan <gxtan1990@gmail.com>
2024-02-23 17:11:39 +11:00
Alan Guo Xiang Tan b64a58071d
DEV: Ensure that `BlockRequestsMiddleware` cookie is always set (#25826)
Why this change?

This reverts 725561cf4b as it did not
address the root cause of the problem even though it fixed the failing tests we were seeing 
when running `bundle exec rspec --tag ~type:multisite --order random:776 spec/system/admin_customize_form_templates_spec.rb spec/system/admin_sidebar_navigation_spec.rb spec/system/admin_site_setting_search_spec.rb spec/system/composer/dont_feed_the_trolls_popup_spec.rb spec/system/composer/review_media_unless_trust_level_spec.rb spec/system/create_account_spec.rb spec/system/editing_sidebar_tags_navigation_spec.rb spec/system/email_change_spec.rb spec/system/emojis/emoji_deny_list_spec.rb spec/system/group_activity_spec.rb spec/system/hashtag_autocomplete_spec.rb spec/system/network_disconnected_spec.rb spec/system/post_menu_spec.rb spec/system/post_small_action_spec.rb spec/system/tags_intersection_spec.rb spec/system/topic_list_focus_spec.rb spec/system/topic_page_spec.rb spec/system/user_page/user_profile_info_panel_spec.rb spec/system/viewing_group_members_spec.rb spec/system/viewing_navigation_menu_preferences_spec.rb`.

The root cause here is that `before_action`s added to a controller is
order dependent. As such, some requests were not setting the cookie
because the `before_action` callback was not even hit as a prior
`before_action` callbacks has raised an error such as the `check_xhr`
`before_action` callback.

To resolve the problem, we need to add the `prepend: true` option in
our monkey patch of `ApplicationController` to ensure that the
`before_action` callback which we have added is always run first.

This change also makes a couple of changes:

1. Improve the response body when a request is blocked by the `BlockRequestsMiddleware` middleware
   so that it makes debugging easier.

2. Only set the cookies for non-xhr HTML format requests. Setting it for
   other formats is kind of pointless.
2024-02-23 07:51:51 +08:00
Selase Krakani 725561cf4b
DEV: Ensure `rspec_current_example_location` is actually present before blocking request (#25818) 2024-02-22 20:44:15 +00:00
Alan Guo Xiang Tan 6e9fbb5bab
DEV: Do not process requests initiated by browser in a different example (#25809)
Why this change?

We noticed that running `LOAD_PLUGINS=1 rspec --seed=38855 plugins/chat/spec/system/chat_new_message_spec.rb` locally
results in the system tests randomly failing. When we inspected the
request logs closely, we noticed that a `/presence/get` request from a
previous rspec example was being processed when a new rspec example is
already being run. We know it was from the previous rspec example
because inspecting the auth token showed the request using the auth
token of a user from the previous example. However, when a request using
an auth token from a previous example is used it ends up logging out the
same user on the server side because the user id in the cookie is the same
due to the use of `fab!`.

I did some research and there is apparently no way to wait until all
inflight requests by the browser has completed through capybara or
selenium. Therefore, we will add an identifier by attaching a cookie to all non-xhr requests so that
xhr requests which are triggered subsequently will contain the cookie in the request.

In the `BlockRequestsMiddleware` middleware, we will then reject any
requests when the value of the identifier in the cookie does not match the current rspec's example
location.

To see the problem locally, change `Auth::DefaultCurrentUserProvider.find_v1_auth_cookie` to the following:

```
  def self.find_v1_auth_cookie(env)
    return env[DECRYPTED_AUTH_COOKIE] if env.key?(DECRYPTED_AUTH_COOKIE)

    env[DECRYPTED_AUTH_COOKIE] = begin
      request = ActionDispatch::Request.new(env)
      cookie = request.cookies[TOKEN_COOKIE]

      # don't even initialize a cookie jar if we don't have a cookie at all
      if cookie&.valid_encoding? && cookie.present?
        puts "#{env["REQUEST_PATH"]} #{request.cookie_jar.encrypted[TOKEN_COOKIE]&.with_indifferent_access}"
        request.cookie_jar.encrypted[TOKEN_COOKIE]&.with_indifferent_access
      end
    end
  end
```

After which run the following command: `LOAD_PLUGINS=1 rspec --format documentation --seed=38855 plugins/chat/spec/system/chat_new_message_spec.rb`

It takes a few tries but the last spec should fail and you should see something like this:

```
assets/chunk.c16f6ba8b6824baa47ac.d41d8cd9.js {"token"=>"37d995a4b65395d3b343ec70fff915b4", "user_id"=>3382, "username"=>"bruce0", "trust_level"=>1, "issued_at"=>1708591735}
/assets/chunk.050148142e1d2dc992dd.d41d8cd9.js {"token"=>"37d995a4b65395d3b343ec70fff915b4", "user_id"=>3382, "username"=>"bruce0", "trust_level"=>1, "issued_at"=>1708591735}
/chat/api/channels/527/messages {"token"=>"37d995a4b65395d3b343ec70fff915b4", "user_id"=>3382, "username"=>"bruce0", "trust_level"=>1, "issued_at"=>1708591735}
/uploads/default/test_0/optimized/1X/_129430568242d1b7f853bb13ebea28b3f6af4e7_2_512x512.png {"token"=>"37d995a4b65395d3b343ec70fff915b4", "user_id"=>3382, "username"=>"bruce0", "trust_level"=>1, "issued_at"=>1708591735}
    redirects to existing chat channel
    redirects to chat channel if recipients param is missing (PENDING: Temporarily skipped with xit)
  with multiple users
/favicon.ico {"token"=>"9a75c114c4d3401509a23d240f0a46d4", "user_id"=>3382, "username"=>"bruce0", "trust_level"=>1, "issued_at"=>1708591736}
/chat/new-message {"token"=>"9a75c114c4d3401509a23d240f0a46d4", "user_id"=>3382, "username"=>"bruce0", "trust_level"=>1, "issued_at"=>1708591736}
/presence/get {"token"=>"37d995a4b65395d3b343ec70fff915b4", "user_id"=>3382, "username"=>"bruce0", "trust_level"=>1, "issued_at"=>1708591735}
 ```
 
 Note how the `/presence/get` request is using a token from the previous example. 

Co-authored-by: David Taylor <david@taylorhq.com>
2024-02-22 19:41:10 +08:00
Blake Erickson 368bd2697a
DEV: Add more bulk-select-dropdown options (#25574)
This change updates the experimental bulk-select-dropdown (that is
currently feature-flagged) with more options.
2024-02-21 20:56:27 -07:00
David Taylor a30b54be87
DEV: Update deprecation banner to include id and remove Ember 5 link (#25786)
We're starting to use this system for non-ember-5 deprecations, so linking to the Ember 5 topic doesn't make sense. Instead, we can include the deprecation ID to help with identifying the issue.
2024-02-21 10:59:09 +00:00
Ted Johansson 533b91dec6
FEATURE: Add a checkbox for users to confirm before flagging as illegal (#25762)
The Digital Services Act requires a checkbox for any user who's flagging a post as illegal to confirm that they are flagging in good faith. This PR adds that.
2024-02-21 10:49:19 +08:00
Alan Guo Xiang Tan cac60a2c6b
DEV: Support category type in theme setting object schema (#25760)
Why this change?

This change supports a property of `type: category` in the schema that
is declared for a theme setting object. Example:

```
sections:
  type: objects
  schema:
    name: section
    properties:
      category_property:
        type: category
```

The value of a property declared as `type: category` will have to be a
valid id of a row in the `categories` table.

What does this change do?

Adds a property value validation step for `type: category`. Care has
been taken to ensure that we do not spam the database with a ton of
requests if there are alot of category typed properties. This is done by
walking through the entire object and collecting all the values for
properties typed category. After which, a single database query is
executed to validate which values are valid.
2024-02-21 08:11:15 +08:00
Alan Guo Xiang Tan 3e331b1725
DEV: Set a bytesize limit for `ThemeSetting#json_value` (#25761)
Why this change?

Firstly, note that this is not a security commit because this feature is
still in development and should not be used anywhere.

The reason we want to set a limit here is to greatly reduce the
possibility of a DoS attack in the future via `ThemeSetting` where
someone would set an arbituary large json string in
`ThemeSetting#json_value` and causing the server to run out of resources
trying to serialize/deserialize the value.

What does this change do?

Adds an ActiveRecord validation to ensure that the bytesize of the json
string being stored is smaller than or equal to 0.5mb. We believe 0.5mb
is a decent limit for now but we can review the limit in the future if
we believe it is too small.
2024-02-21 08:09:37 +08:00
Alan Guo Xiang Tan 6ca2396b12
DEV: Centralise logic for validating a theme setting value (#25764)
Why this change?

The logic for validating a theme setting's value and default value was
not consistent as each part of the code would implement its own logic.
This is not ideal as the default value may be validated differently than
when we are setting a new value. Therefore, this commit seeks to
refactor all the validation logic for a theme setting's value into a
single service class.

What does this change do?

Introduce the `ThemeSettingsValidator` service class which holds all the
necessary helper methods required to validate a theme setting's value
2024-02-21 08:08:26 +08:00
Martin Brennan ed47b55026
DEV: Increase default SMTP read timeout to 30s (#25763)
A while ago we increased group SMTP read and open timeouts
to address issues we were seeing with Gmail sometimes giving
really long timeouts for these values. The commit was:

3e639e4aa7

Now, we want to increase all SMTP read timeouts to 30s,
since the 5s is too low sometimes, and the ruby Net::SMTP
stdlib also defaults to 30s.

Also, we want to slightly tweak the group smtp email job
not to fail if the IncomingEmail log fails to create, or if
a ReadTimeout is encountered, to avoid retrying the job in sidekiq
again and sending the same email out.
2024-02-21 07:13:18 +10:00
Discourse Translator Bot 716e3a4dd5
Update translations (#25767) 2024-02-20 09:42:19 -05:00
Osama Sayegh 866193e8f3
FEATURE: Back button for schema theme settings (#25743)
Continue from https://github.com/discourse/discourse/pull/25673.

This commit adds a back button to the navigation tree of the schema.
2024-02-20 13:43:18 +03:00
Joffrey JAFFEUX d8d756cd2f
DEV: chat streaming (#25736)
This commit introduces the possibility to stream messages. To allow plugins to use streaming this commit also ships a `ChatSDK` library to allow to interact with few parts of discourse chat.

```ruby
ChatSDK::Message.create_with_stream(raw: "test") do |helper|
  5.times do |i|
    is_streaming = helper.stream(raw: "more #{i}")
    next if !is_streaming
    sleep 2
  end
end
```

This commit also introduces all the frontend parts:
- messages can now be marked as streaming
- when streaming their content will be updated when a new content is appended
- a special UI will be showing (a blinking indicator)
- a cancel button allows the user to stop the streaming, when cancelled `helper.stream(...)` will return `false`, and the plugin can decide exit early
2024-02-20 09:49:19 +01:00
Alan Guo Xiang Tan bf3c4b634a
DEV: Support validations options for string and numeral types (#25719)
Why this change?

This commit updates `ThemeSettingsObjectValidator` to validate a
property's value against the validations listed in the schema.

For string types, `min_length`, `max_length` and `url` are supported.
For integer and float types, `min` and `max` are supported.
2024-02-20 09:17:27 +08:00
Alan Guo Xiang Tan a64f558f32
DEV: Add property value validation to ThemeSettingsObjectValidator (#25718)
Why this change?

This change adds property value validation to `ThemeSettingsObjectValidator`
for the following types: "string", "integer", "float", "boolean", "enum". Note
that this class is not being used anywhere yet and is still in
development.
2024-02-19 13:19:35 +08:00
Alan Guo Xiang Tan bdd91b3928
PERF: Stop running bootsnap in development mode on all environments (#25737)
Why this change?

For some reason, we were setting up bootsnap manually even though the
official documentation suggests requiring `bootsnap/setup` which will
setup bootsnap using the default configuration. Because we were calling
`Bootsnap.setup` manually, we did not set the `development_mode` option
which defaults to `true`. Hence, we were running bootsnap in development
mode even in the production environment which I suppose is not ideal.

What does this change do?

Instead of calling `Bootsnap.setup` manually, we can just use `require
'bootsnap/setup' instead.`
2024-02-19 11:33:52 +08:00
Krzysztof Kotlarek fc9648578b
DEV: Make more group-based settings client: false (#25735)
Affects the following settings:

delete_all_posts_and_topics_allowed_groups
experimental_new_new_view_groups
enable_experimental_admin_ui_groups
custom_summarization_allowed_groups
pm_tags_allowed_for_groups
chat_allowed_groups
direct_message_enabled_groups
chat_message_flag_allowed_groups

This turns off client: true for these group-based settings,
because there is no guarantee that the current user gets all
their group memberships serialized to the client. Better to check
server-side first.
2024-02-19 13:25:59 +11:00
Martin Brennan a57280cb17
DEV: Change min_trust_level_to_allow_profile_background to trust level setting (#25721)
New setting name is profile_background_allowed_groups

c.f. https://meta.discourse.org/t/changes-coming-to-settings-for-giving-access-to-features-from-trust-levels-to-groups/283408
2024-02-19 10:47:47 +10:00
Penar Musaraj e497f6bf9b
UX: Allow resetting password when confirming session (#25708)
This is particularly useful in scenarios where 2FA is enforced and users have forgotten their password.
2024-02-16 12:18:07 -05:00
David Taylor 1c58395bca
DEV: Disable service worker caching by default (#25723)
Followup to c4559ae575
2024-02-16 15:03:05 +00:00
David Taylor b1f74ab59e
FEATURE: Add experimental option for strict-dynamic CSP (#25664)
The strict-dynamic CSP directive is supported in all our target browsers, and makes for a much simpler configuration. Instead of allowlisting paths, we use a per-request nonce to authorize `<script>` tags, and then those scripts are allowed to load additional scripts (or add additional inline scripts) without restriction.

This becomes especially useful when admins want to add external scripts like Google Tag Manager, or advertising scripts, which then go on to load a ton of other scripts.

All script tags introduced via themes will automatically have the nonce attribute applied, so it should be zero-effort for theme developers. Plugins *may* need some changes if they are inserting their own script tags.

This commit introduces a strict-dynamic-based CSP behind an experimental `content_security_policy_strict_dynamic` site setting.
2024-02-16 11:16:54 +00:00
Osama Sayegh 9329a5395a
FEATURE: Groundwork for schema theme settings UI (#25673)
This commit is the first of a series of commits that will allow themes to define complex settings types by declaring a schema of the setting structure that Discourse core will use to build a UI for the setting automatically. We implement the navigation logic and support for multiple levels of nesting in this commit and we'll continue building this new system gradually in future commits.

Internal topic: t/116870.
2024-02-16 09:31:49 +03:00
Alan Guo Xiang Tan 64b4e0d08d
DEV: First pass of ThemeSettingsObjectValidator (#25624)
Why this change?

This is a first pass at adding an objects validator which main's job is
to validate an object against a defined schema which we will support. In
this pass, we are simply validating that properties that has been marked
as required are present in the object.
2024-02-16 09:35:16 +08:00
Alan Guo Xiang Tan c30aeafd9d
DEV: Block all incoming requests before resetting Capybara session (#25692)
Why this change?

We have been debugging flaky system tests and noticed in https://github.com/discourse/discourse/actions/runs/7911902047/job/21596791343?pr=25690
that ActiveRecord connection checkout timeouts are encountered because
the Capybara server thread is processing requests even after
`Capybara.reset_session!` and ActiveRecord's `teardown_fixtures` have already been call.
The theory here is that an inflight request can still hit the Capybara
server even after `Capybara.reset_session!` has been called and end up
eating up an ActiveRecord connection for too long and also messing with
the database outside of a transaction.

What does this change do?

This change adds a `BlockRequestsMiddleware` middleware in the test
environment which is enabled to reject all incoming requests at the end
of each system test and before `Capybara.reset_session!` is called. At
the start of each RSpec test, the middleware is disabled again.
2024-02-15 16:36:12 +08:00