Commit Graph

47609 Commits

Author SHA1 Message Date
Alan Guo Xiang Tan bf6b08670a
SECURITY: Check the length of raw post body (#19733)
Co-authored-by: Jarek Radosz <jradosz@gmail.com>
2023-01-05 06:08:43 +08:00
Alan Guo Xiang Tan 692329896a
SECURITY: escape quotes in tag description when rendering (#19730)
Co-authored-by: Daniel Waterworth <me@danielwaterworth.com>
2023-01-05 06:08:32 +08:00
Alan Guo Xiang Tan cbcf8a064b
SECURITY: Don't expose user post counts to users who can't see the topic (#19728)
Co-authored-by: Penar Musaraj <pmusaraj@gmail.com>

Co-authored-by: Daniel Waterworth <me@danielwaterworth.com>
Co-authored-by: Penar Musaraj <pmusaraj@gmail.com>
2023-01-05 06:08:19 +08:00
Alan Guo Xiang Tan c0e2d7bada
SECURITY: Sanitize PendingPost titles before rendering to prevent XSS (#19726)
Co-authored-by: Daniel Waterworth <me@danielwaterworth.com>
2023-01-05 06:08:05 +08:00
Alan Guo Xiang Tan ab3a032b4b
SECURITY: BCC active user emails from group SMTP (#19725)
When sending emails out via group SMTP, if we
are sending them to non-staged users we want
to mask those emails with BCC, just so we don't
expose them to anyone we shouldn't. Staged users
are ones that have likely only interacted with
support via email, and will likely include other
people who were CC'd on the original email to the
group.

Co-authored-by: Martin Brennan <martin@discourse.org>
2023-01-05 06:07:50 +08:00
dependabot[bot] f4ab3f4543
Build(deps): Bump @babel/core in /app/assets/javascripts (#19723)
Bumps [@babel/core](https://github.com/babel/babel/tree/HEAD/packages/babel-core) from 7.20.7 to 7.20.12.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.20.12/packages/babel-core)

---
updated-dependencies:
- dependency-name: "@babel/core"
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-01-04 22:50:20 +01:00
dependabot[bot] ec1c8d3353
Build(deps): Bump @babel/standalone in /app/assets/javascripts (#19722)
Bumps [@babel/standalone](https://github.com/babel/babel/tree/HEAD/packages/babel-standalone) from 7.20.11 to 7.20.12.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.20.12/packages/babel-standalone)

---
updated-dependencies:
- dependency-name: "@babel/standalone"
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-01-04 22:42:24 +01:00
dependabot[bot] fb2c0ed548
Build(deps): Bump excon from 0.95.0 to 0.96.0 (#19721)
Bumps [excon](https://github.com/excon/excon) from 0.95.0 to 0.96.0.
- [Release notes](https://github.com/excon/excon/releases)
- [Changelog](https://github.com/excon/excon/blob/master/changelog.txt)
- [Commits](https://github.com/excon/excon/compare/v0.95.0...v0.96.0)

---
updated-dependencies:
- dependency-name: excon
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-01-04 22:38:22 +01:00
dependabot[bot] f6c683e58c
Build(deps): Bump unicode-display_width from 2.4.0 to 2.4.2 (#19720)
Bumps [unicode-display_width](https://github.com/janlelis/unicode-display_width) from 2.4.0 to 2.4.2.
- [Release notes](https://github.com/janlelis/unicode-display_width/releases)
- [Changelog](https://github.com/janlelis/unicode-display_width/blob/main/CHANGELOG.md)
- [Commits](https://github.com/janlelis/unicode-display_width/compare/v2.4.0...v2.4.2)

---
updated-dependencies:
- dependency-name: unicode-display_width
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-01-04 22:37:48 +01:00
David Taylor 45435cbbd5
PERF: Use user-specific channel for message-bus logout (#19719)
Using a shared channel means that every user receives an update to the 'last_id' when *any* other user is logged out. If many users are being programmatically logged out at the same time, this can cause a very large number of message-bus polls.

This commit switches to use a user-specific channel, which means that each user has its own 'last id' which will only increment when they are logged out
2023-01-04 19:55:52 +00:00
dependabot[bot] 5c39e4b1c0
Build(deps-dev): Bump simplecov from 0.21.2 to 0.22.0 (#19626)
Bumps [simplecov](https://github.com/simplecov-ruby/simplecov) from 0.21.2 to 0.22.0.
- [Release notes](https://github.com/simplecov-ruby/simplecov/releases)
- [Changelog](https://github.com/simplecov-ruby/simplecov/blob/main/CHANGELOG.md)
- [Commits](https://github.com/simplecov-ruby/simplecov/compare/v0.21.2...v0.22.0)

---
updated-dependencies:
- dependency-name: simplecov
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-01-04 19:47:12 +01:00
Kris dedf19803b
UX: more descriptive sidebar titles, casing (#19717) 2023-01-04 13:40:35 -05:00
Meghna a9f2b62ac0
UX: fix the positioning of topic admin popup menu (#19713) 2023-01-04 17:45:24 +01:00
dependabot[bot] 696ec39327
Build(deps): Bump racc from 1.6.1 to 1.6.2 (#19625)
Bumps [racc](https://github.com/tenderlove/racc) from 1.6.1 to 1.6.2.
- [Release notes](https://github.com/tenderlove/racc/releases)
- [Changelog](https://github.com/ruby/racc/blob/master/ChangeLog)
- [Commits](https://github.com/tenderlove/racc/compare/v1.6.1...v1.6.2)

---
updated-dependencies:
- dependency-name: racc
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-01-04 17:16:39 +01:00
Martin Brennan 9e175a3613
DEV: Add chat system spec for multi-file upload (#19709)
Followup to 29638f0639
2023-01-04 15:26:52 +01:00
Joffrey JAFFEUX ab7f3ee599
DEV: adds basic sorting to avoid flakey test (#19711)
`last_message_sent_at` has a `NOT_NULL` constraint in the DB so it should be safe to use for sorting.

This was causing two flakeys:

```
  1) UserNotifications.chat_summary with public channel email subject with regular mentions includes both channel titles when there are exactly two with unread mentions
     Failure/Error: example.run

       expected: "[Discourse] New message in Random 62 and Test channel"
            got: "[Discourse] New message in Test channel and Random 62"

       (compared using ==)
     # ./plugins/chat/spec/mailers/user_notifications_spec.rb:203:in `block (6 levels) in <main>'
     # ./spec/rails_helper.rb:356:in `block (2 levels) in <top (required)>'
     # ./vendor/bundle/ruby/3.1.0/gems/webmock-3.18.1/lib/webmock/rspec.rb:37:in `block (2 levels) in <top (required)>'

  2) UserNotifications.chat_summary with public channel email subject with regular mentions displays a count when there are more than two channels with unread mentions
     Failure/Error: example.run

       expected: "[Discourse] New message in Random 62 and 2 others"
            got: "[Discourse] New message in Test channel 0 and 2 others"

       (compared using ==)
     # ./plugins/chat/spec/mailers/user_notifications_spec.rb:236:in `block (6 levels) in <main>'
     # ./spec/rails_helper.rb:356:in `block (2 levels) in <top (required)>'
     # ./vendor/bundle/ruby/3.1.0/gems/webmock-3.18.1/lib/webmock/rspec.rb:37:in `block (2 levels) in <top (required)>'
```
2023-01-04 11:00:07 +01:00
Gerhard Schlager 8dfe7a68e6
UX: Remove unused strings (#19701)
* Remove unused strings
* Remove trailing quote from string
* Remove even more unused strings (they were removed in c4e10f2a9d)
* Don't use translations in tests which are only available on server
* Use more specific translation (and fix missing translation)
2023-01-04 10:32:53 +01:00
Osama Sayegh bbcdf74c58
DEV: Flip primary_email_verified? default to false (#19703)
This commit changes the default return value of `Auth::ManagedAuthenticator#primary_email_verified?` to false. We're changing the default to force developers to think about email verification when building a new authentication method. All existing authenticators (in core and official plugins) have been updated to explicitly define the `primary_email_verified?` method in their subclass of `Auth::ManagedAuthenticator` (example commit 65f57a4d05).

Internal topic: t/82084.
2023-01-04 10:51:10 +03:00
Martin Brennan 42cf32169d
DEV: Refactor autocomplete scrolling element detection (#19706)
Rather than hardcoding `.hashtag-autocomplete__fadeout` as the
div element to scroll in autocomplete, instead pass it in as
an option via `scrollElementSelector`, then we don't have hashtag
template specific things in the autocomplete lib.
2023-01-04 14:11:52 +10:00
Alan Guo Xiang Tan 81c3c746d3
DEV: Fix a flaky test (#19705)
We don't really care about the order here so there is no need for us to
assert against a fixed order.
2023-01-04 09:21:21 +08:00
dependabot[bot] 6e0d4b2c1c
Build(deps): Bump unicode-display_width from 2.3.0 to 2.4.0 (#19700)
Bumps [unicode-display_width](https://github.com/janlelis/unicode-display_width) from 2.3.0 to 2.4.0.
- [Release notes](https://github.com/janlelis/unicode-display_width/releases)
- [Changelog](https://github.com/janlelis/unicode-display_width/blob/main/CHANGELOG.md)
- [Commits](https://github.com/janlelis/unicode-display_width/compare/v2.3.0...v2.4.0)

---
updated-dependencies:
- dependency-name: unicode-display_width
  dependency-type: indirect
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-01-04 09:07:41 +08:00
dependabot[bot] fdc64c4555
Build(deps): Bump parser from 3.1.3.0 to 3.2.0.0 (#19699)
Bumps [parser](https://github.com/whitequark/parser) from 3.1.3.0 to 3.2.0.0.
- [Release notes](https://github.com/whitequark/parser/releases)
- [Changelog](https://github.com/whitequark/parser/blob/master/CHANGELOG.md)
- [Commits](https://github.com/whitequark/parser/compare/v3.1.3.0...v3.2.0.0)

---
updated-dependencies:
- dependency-name: parser
  dependency-type: indirect
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-01-04 09:07:13 +08:00
dependabot[bot] 65ba9e3f60
Build(deps-dev): Bump bullet from 7.0.5 to 7.0.7 (#19698)
Bumps [bullet](https://github.com/flyerhzm/bullet) from 7.0.5 to 7.0.7.
- [Release notes](https://github.com/flyerhzm/bullet/releases)
- [Changelog](https://github.com/flyerhzm/bullet/blob/main/CHANGELOG.md)
- [Commits](https://github.com/flyerhzm/bullet/compare/7.0.5...7.0.7)

---
updated-dependencies:
- dependency-name: bullet
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-01-04 09:06:51 +08:00
Alan Guo Xiang Tan 1e118a271a
DEV: Fix syntax error in spec file (#19702)
Follow-up to b4adb806e5
2023-01-04 05:51:21 +08:00
Roman Rizzi c2e18c41a3
FIX: Check that the node has a src attr when getting size (#19696) 2023-01-03 15:27:05 -03:00
Joffrey JAFFEUX b4adb806e5
DEV: slightly increase wait to avoid flakey tests (#19695) 2023-01-03 17:14:02 +01:00
chapoi 179f13078e
UX: fix for misalignment in autocomplete (#19693) 2023-01-03 15:20:12 +01:00
Discourse Translator Bot 8a0bac7bec
Update translations (#19692) 2023-01-03 14:46:19 +01:00
Jan Cernik 232e1f25f2
DEV: Refactor whispers_allowed_groups_names (#19691)
Refactor whispers_allowed_groups_names to avoid small N+1
2023-01-03 10:28:39 -03:00
Gerhard Schlager 413b9185df
DEV: Update copyright year in README (#19689) 2023-01-03 11:33:00 +01:00
Joffrey JAFFEUX a5dac26769
DEV: attempts to move all Jobs.run_immediately! at top (#19688) 2023-01-03 11:32:27 +01:00
Alan Guo Xiang Tan f04e454628
Version bump to v3.0.0.beta15 (#19685) 2023-01-03 14:29:26 +08:00
Martin Brennan b57f9c73a4
DEV: Skip all chat specs with Jobs.run_immediately! (#19684)
These specs are causing issues around AR connection pools
and busy connections, try skipping them for now, e.g. see
https://github.com/discourse/discourse/actions/runs/3826965835/jobs/6511173680
and /t/82525
2023-01-03 16:02:15 +10:00
Joffrey JAFFEUX b235799792
FIX: more stable system tests (#19678)
This commit is a series of fixes to improve stability of system tests following the use of threadsafe:

* Jobs.run_immediately in before block was causing issues
* During test a js error could be caused by an undefined this.details in chat-live-pane
* Apply the chat composer click trick everywhere when sending a message, it ensures we are not hiding anything with autocomplete
* There was another case not using send_message yet
2023-01-03 14:53:41 +10:00
David Taylor 431b129d8b
DEV: Update bundler to 2.4.1 (#19662) 2023-01-03 10:01:36 +08:00
dependabot[bot] 523f86d422
Build(deps): Bump puma from 6.0.1 to 6.0.2 (#19679)
Bumps [puma](https://github.com/puma/puma) from 6.0.1 to 6.0.2.
- [Release notes](https://github.com/puma/puma/releases)
- [Changelog](https://github.com/puma/puma/blob/master/History.md)
- [Commits](https://github.com/puma/puma/compare/v6.0.1...v6.0.2)

---
updated-dependencies:
- dependency-name: puma
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-01-03 10:01:00 +08:00
Alan Guo Xiang Tan af76f291e6
PERF: Avoid running redundant bookmarks query for anon viewing topic (#19659)
The `TopicView#bookmarks` method is called by `TopicViewSerializer` and `PostSerializer`
so we want to avoid running a meaningless query when user is not
present.
2023-01-03 10:00:36 +08:00
Alan Guo Xiang Tan 24db6fbb73
PERF: Memoize topic level checks in PostGuardian (#19647)
When loading posts in a topic, the topic level guardian
checks are run multiple times even though all the posts belong to the
same topic. Profiling in production revealed that this accounted for a
significant amount of request time for a user that is not staff or anon.
Therefore, we're optimizing this by adding memoizing the topic level
calls in `PostGuardian`. Speficifally, the result of
`TopicGuardian#can_see_topic?` and `PostGuardian#can_create_post?`
method calls are memoized per topic.

Locally profiling shows a significant improvement for normal users
loading a topic with 100 posts.

Benchmark script command: `ruby script/bench.rb --unicorn --skip-bundle-assets --iterations 100`

Before:

```
topic user:
  50: 114
  75: 117
  90: 122
  99: 209
topic.json user:
  50: 67
  75: 69
  90: 72
  99: 162
```

After:

```
topic user:
  50: 101
  75: 104
  90: 107
  99: 184
topic.json user:
  50: 53
  75: 53
  90: 56
  99: 138
```
2023-01-03 09:00:42 +08:00
Alan Guo Xiang Tan be1ae9411b
PERF: Remove redundant DB queries from `TopicView` (#19658)
This commit removes 3 redundant DB queries when loading posts.

1. `@posts` will eventually have to be loaded so we can avoid two
additional queries.

2. No need to preload topic association of posts as we're already
dealing with a fixed topic in `TopicView`.
2023-01-03 08:17:52 +08:00
Joffrey JAFFEUX d8a19b2c9a
FIX: correctly uses request_uri to generate load_more_url (#19680)
Before this change we were generating an incorrect absolute URL: `https://chat/api/channels...`
2023-01-03 00:19:13 +01:00
Joffrey JAFFEUX 96e2d92129
FIX: at this point in time component can be destroyed (#19677)
Especially possible in tests
2023-01-02 19:17:10 +01:00
Joffrey JAFFEUX cb2f684a43
FIX: correctly always return a promise from loadMore (#19676)
This commit also fixes an issue where `loading = false` was never called when the server had nothing new to return.
2023-01-02 15:55:45 +01:00
Roman Rizzi 2f61d26e3d
PERF: Make chat mention notifications async. (#19666)
This PR removes the limit added to max_users_notified_per_group_mention during #19034 and improve the performance when expanding mentions for large channel or groups by removing some N+1 queries and making the whole process async.

* Fully async chat message notifications

* Remove mention setting limit and get rid of N+1 queries
2023-01-02 11:54:52 -03:00
Joffrey JAFFEUX b8100ad1ae
DEV: enables threadsafe for system tests
It should fix flakeys we have due to using_session. This commit is also fixing tests which were failing constantly with treadsafe enabled.

A test has also bene skipped as the issue couldn't be found so far.

More info: https://github.com/teamcapybara/capybara#threadsafe-mode
2023-01-02 15:17:21 +01:00
Joffrey JAFFEUX b97fff444e
FIX: ensures loading more doesn’t erase filter on browse (#19675) 2023-01-02 14:40:13 +01:00
dependabot[bot] e82689c1bf
Build(deps): Bump mini_portile2 from 2.8.0 to 2.8.1 (#19624)
Bumps [mini_portile2](https://github.com/flavorjones/mini_portile) from 2.8.0 to 2.8.1.
- [Release notes](https://github.com/flavorjones/mini_portile/releases)
- [Changelog](https://github.com/flavorjones/mini_portile/blob/main/CHANGELOG.md)
- [Commits](https://github.com/flavorjones/mini_portile/compare/v2.8.0...v2.8.1)

---
updated-dependencies:
- dependency-name: mini_portile2
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-01-02 14:25:01 +01:00
dependabot[bot] 129e1429a2
Build(deps): Bump rack from 2.2.4 to 2.2.5 (#19628)
Bumps [rack](https://github.com/rack/rack) from 2.2.4 to 2.2.5.
- [Release notes](https://github.com/rack/rack/releases)
- [Changelog](https://github.com/rack/rack/blob/main/CHANGELOG.md)
- [Commits](https://github.com/rack/rack/compare/2.2.4...v2.2.5)

---
updated-dependencies:
- dependency-name: rack
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-01-02 14:24:04 +01:00
dependabot[bot] a032f45421
Build(deps): Bump css_parser from 1.12.0 to 1.13.0 (#19668)
Bumps [css_parser](https://github.com/premailer/css_parser) from 1.12.0 to 1.13.0.
- [Release notes](https://github.com/premailer/css_parser/releases)
- [Changelog](https://github.com/premailer/css_parser/blob/master/CHANGELOG.md)
- [Commits](https://github.com/premailer/css_parser/compare/v1.12.0...v1.13.0)

---
updated-dependencies:
- dependency-name: css_parser
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-01-02 13:20:11 +01:00
dependabot[bot] 8ed525f9ce
Build(deps): Bump highline from 2.0.3 to 2.1.0 (#19669)
Bumps [highline](https://github.com/JEG2/highline) from 2.0.3 to 2.1.0.
- [Release notes](https://github.com/JEG2/highline/releases)
- [Changelog](https://github.com/JEG2/highline/blob/master/Changelog.md)
- [Commits](https://github.com/JEG2/highline/commits)

---
updated-dependencies:
- dependency-name: highline
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-01-02 13:20:02 +01:00
dependabot[bot] 94b9cc8de3
Build(deps): Bump rubocop from 1.41.1 to 1.42.0 (#19670)
Bumps [rubocop](https://github.com/rubocop/rubocop) from 1.41.1 to 1.42.0.
- [Release notes](https://github.com/rubocop/rubocop/releases)
- [Changelog](https://github.com/rubocop/rubocop/blob/master/CHANGELOG.md)
- [Commits](https://github.com/rubocop/rubocop/compare/v1.41.1...v1.42.0)

---
updated-dependencies:
- dependency-name: rubocop
  dependency-type: indirect
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-01-02 13:19:54 +01:00