When issuing the discobot certificate, we were not closing the
iframe tag, which meant that the final message instruction to
the user was swallowed up.
When invited by email, users will receive an invite URL which contains
a token. If that token is present when the invite is redeemed, their
account will be automatically activated.
This moves the way we add the user avatar and site logo
to the discobot certificates from embedded base64 png to
just using the files urls in the href to the image tag.
This will make generation faster and the certificate
smaller overall, but it can't be used in a `img` tag
anymore, since SVGs in `img` tags don't load the external images.
In order to work around that we will move the certificate
in posts to an iframe, which works fine without any user
visible changes. For this to be possible the plugin automatically
adds the site current domain to the list of allowed iframe origins.
Because the site admin is sending a message to themselves, there is only one user in the topic_allowed_users, and `.last` returns nil.
Attempt to recognize this situation and continue, or bail without doing anything if this somehow happens another way.
Due to the new enhanced copy-paste handling, the URL would be included in the user's reply as code, too!
By surrounding the link in angle brackets, we prevent the bot from accidentally including the link itself and spoiling the surprise.
I considered having the bot automatically edit the user's post to remove the backticks. I very quickly ran into a problem with spurious whitespace, and it would also look _super weird_ for the bot to edit your post when that's not what's being taught.
The seemingly bare link not automatically embedding is also weird, but slightly less so.
Fun fact: this doesn't work on localhost, because the onebox engine refuses to issue requests to localhost :)
More seriously: discobot wasn't reacting properly if users used their
emoji keyboard to insert a real herb emoji, which works just as well
in a real post.
While we're here, use String#include? instead of constructing a new regexp.
https://meta.discourse.org/t/capybaras-dont-eat-real-emojis/168361
DEV: Replace instances of Discourse.base_uri with Discourse.base_path
This is clearer because the base_uri is actually just a path prefix. This continues the work started in 555f467.
eslint --fix is capable of fixing it automatically for you, ensure prettier is run after eslint as eslint --fix could leave the code in an invalid prettier state.
This is a little bit of refactoring. Core Discourse should have a default promotion message for TL2.
In addition, when the Discobot plugin is enabled, the user is invited to advanced training.
* FIX - make Discobot new user tutorial a little more robust
Plugin allows reply, regardless of other SiteSettings
Skip image upload step if user can’t upload images, calls new ‘likes’ step instead
* Test that the images step is skipped
* Slight optimization
Ensure that the inappropriate flag is used and not some other flag
type. If some other flag is used a message will be posted letting the
user know they used the wrong flag and the original flag will be removed
so that they can try again.
Bug reported on meta: https://meta.discourse.org/t/-/157075
Previously it would sleep for either 2 or 3 seconds instead of sleeping
between a range of 2 to 3 seconds. Also, 2 to 3 seconds seems to be
excessively long when I tried out discobot again.
When doing a migration, there might be some cases where the discobot user
doesn't have a user_option / user_profile record(s).
This ensures we always create one during the seed phase.
In French, the help trigger has a raw content of "afficher l'aider" which is then cooked into "afficher l’aide" (note the different quote character).
Since we were checking the raw content of the trigger against the cooked version of the post, this trigger never worked in French.
This changes so that we cook the trigger before checking it against the cooked version of the post.
DEV: new 'discobot_username' method that is used everywhere instead of 'discobot_user.username' / 'discobot_user.username_lower'
This reverts commit 20780a1eee.
* SECURITY: re-adds accidentally reverted commit:
03d26cd6: ensure embed_url contains valid http(s) uri
* when the merge commit e62a85cf was reverted, git chose the 2660c2e2 parent to land on
instead of the 03d26cd6 parent (which contains security fixes)
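The kind of check the re-added commit's title describes ("ensure embed_url contains valid http(s) uri"), as an added Ruby example; it is not the code from 03d26cd6 or from Discourse. The function name, the rejection symbols and the sample URLs are constructed for illustration.

```ruby
require "uri"

# Hypothetical helper (not Discourse's API). Returns nil when the value is an
# acceptable embed URL, otherwise a symbol naming why it was rejected.
def embed_url_rejection(value)
  return :not_a_string unless value.is_a?(String)
  # Reject newlines, tabs and spaces before parsing, so a second URL or header
  # cannot ride along behind a valid-looking prefix.
  return :whitespace_or_control if value.match?(/[[:cntrl:][:space:]]/)

  uri = URI.parse(value)
  # URI::HTTPS is a subclass of URI::HTTP, so this accepts http and https only.
  return :scheme_not_http unless uri.is_a?(URI::HTTP)
  return :missing_host if uri.host.to_s.empty?

  nil
rescue URI::InvalidURIError
  :unparseable
end

# Constructed sample inputs, not taken from any real site.
SAMPLE_EMBED_URLS = [
  "https://blog.example.com/posts/42",
  "http://blog.example.com/posts/42?ref=forum",
  "javascript:alert(1)",
  "ftp://files.example.com/post.html",
  "//blog.example.com/posts/42",
  "https://blog.example.com/posts/42\nhttps://other.example.net/",
  nil
].freeze

# Map each sample to its verdict so accepted and rejected values can be compared.
def classify_samples
  SAMPLE_EMBED_URLS.map { |u| [u, embed_url_rejection(u)] }
end

if $PROGRAM_NAME == __FILE__
  classify_samples.each do |url, reason|
    puts format("%-8s %s", reason ? "REJECT" : "ok", url.inspect)
  end
end
```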
Previously the image was imported from a Discourse hosted CDN but the
URL has since become invalid. However, it was not caught since all
errors are rescued. This commit fixes the issue by shipping the user
avatar with the plugin.
* Rename all instances of bookmarkWithReminder and bookmark_with_reminder to just bookmark
* Delete old bookmark code at the same time
* Add migration to remove the bookmarkWithReminder post menu item if people have it set in site settings
* Bookmarks with reminders is a core feature now, no need to have a separate URL
* Keep around the old /u/:username/activity/bookmarks-with-reminders route for backwards compat in Ember but just redirect to user activity bookmarks.
The main thrust of this PR is to take all the conditional checks based on the `enable_bookmarks_with_reminders` away and only keep the code from the `true` path, making bookmarks with reminders the core bookmarks feature. There is also a migration to create `Bookmark` records out of `PostAction` bookmarks for a site.
### Summary
* Remove logic based on whether enable_bookmarks_with_reminders is true. This site setting is now obsolete, the old bookmark functionality is being removed. Retain the setting and set the value to `true` in a migration.
* Use the code from the rake task to create a database migration that creates bookmarks from post actions.
* Change the bookmark report to read from the new table.
* Get rid of old endpoints for bookmarks
* Link to the new bookmarks list from the user summary page
This is to streamline the new user narrative. Only works when creating the bookmark, if editing/deleting the modal is shown. This is done via the plugin initializer.
This change refactors the code a bit so that a plugin could easily
replace which badge is awarded when completing the discobot new user
tutorial and advanced tutorial.
By adding a static method and putting the BADGE_NAME constant inside of
that method we can simply call that method now instead of the constant.
A plugin could then `class_eval` that method and replace it with
whatever badge name they choose. This is way cleaner than having the
plugin change the frozen constant! eeek.
* Do not grant badges for posts with no user
* Ensure instructions are correct in Change Owner modal
* Hide user-dependent actions from posts with no user
* Make PostRevisor work with posts with no user
* Ensure posts with no user can be deleted
* discourse-narrative-bot should ignore posts with no user
* Skip TopicLink creation for posts with no user
When a user accepts an invite with an email address that matches a group
which automatically awards its members Trust Level 2, a race condition might happen
when the 'send_advanced_tutorial_message' job runs.
That job is enqueued inside the 'user_promoted' event which is triggered inside a
transaction on the user record. If the job runs before the transaction is done,
the user record is invisible and this generates an exception.
FileHelper.download requires a string not a URI. I also found another
instance of using open-uri directly and swapped it out to use
FileHelper.
I also updated it to not `read` a file if it comes back nil.
Follow up to: fe01099a38
By requiring open-uri this will fix the following error:
```
NoMethodError (private method `open' called for #<URI::Generic...
```
Also switched to the shorter syntax and removed default options. Since
Ruby 2.4 redirect is on by default.
To eliminate a DDoS attack vector, we're taking the following measures:
* The endpoint will be rate-limited to 3 requests every 60 seconds (per user).
* A 24 hours max-age cache header is sent with the response.
* The route will be hijacked to generate the certificate in the background.
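The first two measures above (3 requests per 60 seconds per user, and a 24-hour max-age on the response), as an added stand-alone Ruby example; it is not the plugin's code and does not use Discourse's own rate limiter. The class and method names, the in-memory store, the 429 status and the Retry-After header are assumptions.

```ruby
# Hypothetical sliding-window limiter keyed by user id (in-memory, single process).
class PerUserRateLimiter
  def initialize(max:, window:, clock: -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) })
    @max = max
    @window = window
    @clock = clock # injectable so the window can be tested without sleeping
    @hits = Hash.new { |h, k| h[k] = [] }
  end

  # Returns 0 when the request is allowed (and records it), otherwise the
  # number of seconds until the oldest recorded request leaves the window.
  def check(user_id)
    now = @clock.call
    hits = @hits[user_id]
    hits.reject! { |t| now - t >= @window }
    return (@window - (now - hits.first)).ceil if hits.size >= @max

    hits << now
    0
  end
end

CERTIFICATE_MAX_AGE = 24 * 60 * 60 # 24 hours, in seconds

# Returns [status, headers] for a certificate request by user_id.
def certificate_response(limiter, user_id)
  wait = limiter.check(user_id)
  if wait.positive?
    # Refuse before any rendering work is done for this request.
    [429, { "Retry-After" => wait.to_s }]
  else
    # A client or proxy that honours the header will not ask again for a day.
    [200, { "Cache-Control" => "max-age=#{CERTIFICATE_MAX_AGE}" }]
  end
end

if $PROGRAM_NAME == __FILE__
  limiter = PerUserRateLimiter.new(max: 3, window: 60)
  5.times { |i| puts "request #{i + 1}: #{certificate_response(limiter, 7).inspect}" }
end
```

The limit is per user, so a throttled account does not affect certificate requests from other users.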
AppEvents was always a service object in disguise, so we should move it
to the correct place in the application. Doing this allows other service
objects to inject it easily without container access.
In the future we should also deprecate `this.appEvents` without an
explicit injection too.
Zeitwerk simplifies working with dependencies in dev and makes it easier reloading class chains.
We no longer need to use Rails "require_dependency" anywhere and instead can just use standard
Ruby patterns to require files.
This is a far reaching change and we expect some followups here.