Commit Graph

55044 Commits

Author SHA1 Message Date
Jan Cernik 33c68b28b6
DEV: Use serializers for `user_notification_schedule` and `featured_topic` (#27719)
Co-authored-by: Alan Guo Xiang Tan <gxtan1990@gmail.com>
2024-07-05 00:00:24 -03:00
Alan Guo Xiang Tan 906da0f3d1
DEV: Skip flaky poll QUnit acceptance tests (#27728)
The skipped tests have become flaky after
e3b6be15b8, skip those tests for now while
we sort things out.
2024-07-05 10:59:51 +08:00
锦心 df544a51ba
FIX: Make table builder escape `|` (#27726)
The original table builder does not escape |, which causes syntax like ![image|50x50](url) to be recognized as two different cells.
This commit fixes this issue

Related meta topic: https://meta.discourse.org/t/table-editor-breaks-embedded-images/314831
2024-07-05 10:42:56 +08:00
Alan Guo Xiang Tan 37413c0ecd
DEV: Fix unicorn not booting due to 8e10878 (#27727)
`String#present?` is a method defined by Rails on the `String` class but
this class is used before Rails has been loaded.
2024-07-05 10:36:13 +08:00
Alan Guo Xiang Tan 8e10878e1a
DEV: Redo `DiscourseLogstashLogger` to not rely on `logstash-logger` (#27663)
This commit rewrites `DiscourseLogstashLogger` to not be an instance
of `LogstashLogger`. The reason we don't want it to be an instance of
`LogstashLogger` is because we want the new logger to be chained to
Logster's logger which can then pass down useful information like the
request's env and error backtraces which Logster has already gathered.

Note that this commit does not bother to maintain backwards
compatibility and drops the `LOGSTASH_URI` and `UNICORN_LOGSTASH_URI`
ENV variables which were previously used to configure the destination in
which `logstash-logger` would send the logs to. Instead, we introduce
the `ENABLE_LOGSTASH_LOGGER` ENV variable to replace both ENV and remove
the need for the log paths to be specified. Note that the previous
feature was considered experimental as stated in d888d3c54c
and the new feature should be considered experimental as well. The code
may be moved into a plugin in the future.
2024-07-05 09:41:52 +08:00
Alan Guo Xiang Tan d8e7fc4f5d
DEV: `check_pending` -> `check_all_pending!` (#27724)
Fixes the following deprecation warning:

> DEPRECATION WARNING: The `check_pending!` method is deprecated in favor of `check_all_pending!`. The new implementation will loop through all available database configurations and find pending migrations. The prior implementation did not permit this.
2024-07-05 09:29:32 +08:00
dependabot[bot] bcd014c99d
Build(deps-dev): Bump chrome-remote-interface from 0.33.0 to 0.33.2 (#27718)
Bumps [chrome-remote-interface](https://github.com/cyrus-and/chrome-remote-interface) from 0.33.0 to 0.33.2.
- [Commits](https://github.com/cyrus-and/chrome-remote-interface/compare/v0.33.0...v0.33.2)

---
updated-dependencies:
- dependency-name: chrome-remote-interface
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-07-05 09:07:14 +08:00
dependabot[bot] e73a8383df
Build(deps): Bump irb from 1.13.1 to 1.13.2 (#27722)
Bumps [irb](https://github.com/ruby/irb) from 1.13.1 to 1.13.2.
- [Release notes](https://github.com/ruby/irb/releases)
- [Commits](https://github.com/ruby/irb/compare/v1.13.1...v1.13.2)

---
updated-dependencies:
- dependency-name: irb
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-07-05 09:04:45 +08:00
Martin Brennan db993cf8fd
FIX: Do not allow , or . in site setting integer input (#27618)
Followup to e113eff663

We previously sanitized input for integer site settings
on the server side only, which was a bit confusing when
users would enter e.g. 100.5 and end up with 1005, and
not see this reflected in the UI.

Now that we are using native number inputs for these settings,
we can improve the experience a bit by not allowing `.` or `,`
in the input, because it should be whole numbers only, and
add a step size of 1. All other characters are already prevented
in this native number input.
2024-07-05 10:36:41 +10:00
锦心 59b061ccfe
FIX: uses `\n` for line breaks in table builder (#27711)
The old implementation used unnecessary `\r\n` and caused the table generator to incorrectly add extra empty lines.
This commit replaces it with `\n`, fixing the bug
2024-07-05 07:38:11 +08:00
Jan Cernik 09b57bff11
FIX: Use the correct color scheme for default inputs (#27716) 2024-07-04 15:56:58 -03:00
Régis Hanol 0dbcc54d4b
DEV: use new 'ignore allowed groups' site settings (#27670)
Instead of the deprecated 'min trust level to allow ignore' in order to reduce the number of deprecation notices in the logs.

This tweaks a few serializers so that the 'can_ignore_users?` property is always coming from the server and properly used on the client-side.
2024-07-04 19:27:26 +02:00
Robert a30a861546
FIX: Poll: do not attempt to show voter list on private polls (#27714)
* FIX: avoid attempting to enrich results with undefined voters
2024-07-04 18:20:37 +02:00
chapoi 2db35149fd
UX: Chat mobile menu styling update (#27598) 2024-07-04 18:02:30 +02:00
Jarek Radosz 32149e6fa1
FIX: Correctly unhighlight glimmer topic list items (#27713)
set `highlight` to `false` regardless of the animation finishing
2024-07-04 15:46:46 +02:00
Jan Cernik 0d608ceff8
UX: Registration design and validation improvements (#27666) 2024-07-04 09:17:07 -03:00
Natalie Tay 8bbb4c5cca
FIX: Always noindex /u routes (#27712)
SiteSetting.hide_user_profiles_from_public raises a Forbidden, which disallows our after_action: add no index header from triggering.

This fix makes sure that the no index header gets added via before_action instead
2024-07-04 19:48:38 +08:00
Robert e3b6be15b8
FEATURE: Add Instant Run-off Voting to Poll Plugin (Part 1: migrate existing plugin to Glimmer only) (#27204)
The "migration to Glimmer" has been broken out here from #27155 to make the review process less onerous and reduce change risk: 

* DEV: migrates most of the widget code to Glimmer in prep for IRV additions
* NB This already incorporates significant amounts of review and feedback from the prior PR.
* NB because there was significant additional feedback relating to older Poll code that I've improved with feedback, there are some additional changes here that are general improvements to the plugin and not specific to IRV nor Glimmer!
* There should be no trace of IRV code here.

Once this is finalised and merged we can continue to progress with #27155.
2024-07-04 13:34:48 +02:00
David Taylor 32c8bcc3af
DEV: Remove jquery from create-account modal (#27710) 2024-07-04 12:11:25 +01:00
锦心 2900cbefe1
FIX: Make the table builder respect table alignment specifications (#27709)
* FIX: Table Builder editor eradicates column alignment specification

Currently, when you use the table builder to edit an existing table, the table builder does not observe the text-align property of the original table. This results in the original table alignment being lost after editing and reset to no alignment.

This commit fixed this issue

related meta topic: https://meta.discourse.org/t/table-builder-editor-eradicates-column-alignment-specification/299577
2024-07-04 17:57:16 +08:00
Loïc Guitaut 8d249457e8 DEV: Upgrade Rails to version 7.1
---------

Co-authored-by: Jarek Radosz <jradosz@gmail.com>
2024-07-04 10:58:21 +02:00
Alan Guo Xiang Tan 7b8863fcd5
DEV: Bump rails_failover 2.1.1 (#27707) 2024-07-04 14:33:34 +08:00
Vinoth Kannan d1ea598fa2
FIX: should not raise error when both group & site tag preferences are same. (#27704)
When tag preference in group and site settings are both used with same default notification level it will break new users signups because it tries to create duplicate records in the tag_users table which can’t happen because we have a unique index set.
2024-07-04 11:53:28 +05:30
Natalie Tay 55bf0e21fb
FIX: Don't show that an existing user is invited_by another user (#27665)
If an existing user (John) accepts an invite created by Kenny to a group, John may be seen as invited by Kenny, despite already having an account on the site.

This fix removes the bug by excluding invites that determine the invited_by after the user's creation date. The delay buffer in the query accounts for invites that also create the user at the same time.
2024-07-04 10:27:37 +08:00
David Taylor eadda77edf
DEV: Drop diffhtml dependency (#27695)
We switched to morphlex via:

- c5f1fc3a08

- bc561eb332
2024-07-04 12:24:51 +10:00
Ted Johansson 6aa8d97f32
FIX: Don't error out when loading a badge with a deleted image (#27688)
Badges can have their associated image uploads deleted. When this happens, any user who has that badge will have their profile page error out.

After this fix, when deleting an upload that's associated with a badge, we nullify the foreign key ID on the badge. This makes the existing safeguard work correctly.
2024-07-04 10:03:09 +08:00
Arpit Jalan 947249719a
FEATURE: add option to delete user associated account on password reset (#27696) 2024-07-04 06:58:00 +05:30
Kris 72a5389459
A11Y: topic list links should not be headings (#27700) 2024-07-04 10:55:24 +10:00
Osama Sayegh 7c12b75a5c
DEV: Fix flaky spec for the /about admin config area (#27697)
There's currently a race condition in the following spec:

65be7a7880/spec/system/admin_about_config_area_spec.rb (L70-L95)

where the form can be saved before the image uploader field has finished uploading the selected image and causing the assertion at line 94 to fail with the following error:

```
Failure/Error: expect(SiteSetting.about_banner_image.sha1).to eq(Upload.generate_digest(image_file))

NoMethodError:
  undefined method `sha1' for nil

[Screenshot Image]: /__w/discourse/discourse/tmp/capybara/failures_r_spec_example_groups_admin_about_config_area_page_the_general_settings_card_can_saves_its_fields_to_their_corresponding_site_settings_312.png

~~~~~~~ JS LOGS ~~~~~~~
http://localhost:31338/assets/vendor.js 15902:14 "WARNING: uppy needs a unique id, pass one in to the component implementing this mixin"
~~~~~ END JS LOGS ~~~~~

./spec/system/admin_about_config_area_spec.rb:94:in `block (3 levels) in <main>'
./spec/rails_helper.rb:552:in `block (3 levels) in <top (required)>'
./spec/rails_helper.rb:552:in `block (2 levels) in <top (required)>'
./spec/rails_helper.rb:513:in `block (3 levels) in <top (required)>'
./spec/rails_helper.rb:503:in `block (2 levels) in <top (required)>'
./spec/rails_helper.rb:460:in `block (2 levels) in <top (required)>'
./vendor/bundle/ruby/3.3.0/gems/webmock-3.23.1/lib/webmock/rspec.rb:39:in `block (2 levels) in <top (required)>'
```

This PR fixes the problem by making the system test wait for the image to finish uploading (with 10 seconds timeout) before carrying out the rest of the system test.
2024-07-04 10:39:22 +10:00
Martin Brennan 5655447aca
FIX: Discrepency between admin page view reports (#27685)
Followup 2f2da72747

When the "Consolidated Pageviews with Browser Detection (Experimental)"
report was introduced, we started counting the original
"page_view_logged_in" and "page_view_anon" ApplicationRequest
data as "Other Pageviews", subtracting
"page_view_anon_browser" and "page_view_logged_in_browser" from
this number.

However we unknowingly automatically started counting these
browser-based page views, which are a subset of the total
"page_view_logged_in" and "page_view_anon" counts, in the
original "Pageviews" report, leading to double counting
which meant that when you looked at the data for each
report side-by-side the data didn't add up.

This commit fixes the issue by not counting the "browser"
pageviews in the Pageviews report, and making the code where
we were only counting certain types of requests for this
report more plain, explicitly stating which types of requests
we want.
2024-07-04 10:16:09 +10:00
dependabot[bot] b0890cac80
Build(deps-dev): Bump @embroider/compat in the embroider group (#27703)
Bumps the embroider group with 1 update: [@embroider/compat](https://github.com/embroider-build/embroider/tree/HEAD/packages/compat).


Updates `@embroider/compat` from 3.5.5 to 3.5.6
- [Release notes](https://github.com/embroider-build/embroider/releases)
- [Changelog](https://github.com/embroider-build/embroider/blob/main/CHANGELOG.md)
- [Commits](https://github.com/embroider-build/embroider/commits/HEAD/packages/compat)

---
updated-dependencies:
- dependency-name: "@embroider/compat"
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: embroider
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-07-04 01:15:00 +02:00
dependabot[bot] 022e8a9655
Build(deps-dev): Bump rubocop-rspec from 3.0.1 to 3.0.2 (#27702)
Bumps [rubocop-rspec](https://github.com/rubocop/rubocop-rspec) from 3.0.1 to 3.0.2.
- [Release notes](https://github.com/rubocop/rubocop-rspec/releases)
- [Changelog](https://github.com/rubocop/rubocop-rspec/blob/master/CHANGELOG.md)
- [Commits](https://github.com/rubocop/rubocop-rspec/compare/v3.0.1...v3.0.2)

---
updated-dependencies:
- dependency-name: rubocop-rspec
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-07-04 01:14:29 +02:00
Jeff Wong 70fc39211b
FIX: topic embed blank tags or passed with nil do not blank out existing topic tags (#27699)
When a topic embed is run with either no tags argument or a nil tag argument
this should not affect any existing tags.

Only update topic tags when tags argument is explicitly empty.
2024-07-03 14:50:59 -07:00
Kris 3a6762d2be
A11Y: improve /badges structure for screen readers (#27698) 2024-07-03 17:16:21 -04:00
Nat 65be7a7880
Bump version to v3.3.0.beta4-dev 2024-07-03 20:56:17 +08:00
Nat a29ec30985
Bump version to v3.3.0.beta3 2024-07-03 20:56:17 +08:00
OsamaSayegh 9c4a5f39d3
SECURITY: Don't allow suspending staff users via other_user_ids param 2024-07-03 20:49:29 +08:00
Alan Guo Xiang Tan 10afe5fcf1
SECURITY: Avoid the use of `Object#send` in `Onebox::Engine::StandardEmbed`
Use `Object#public_send` instead which is much safer
2024-07-03 20:49:25 +08:00
Jan Cernik 311b737c91
SECURITY: Fix Stored-dom XSS via Facebook Oneboxes 2024-07-03 20:49:22 +08:00
Blake Erickson e2a7265dba
SECURITY: Update reviewable user serializer payload
Exclude email from reviewable user serializer based on user scope.
2024-07-03 20:49:19 +08:00
Ted Johansson 67e7808603
SECURITY: Add FastImage SSRF safe freedom patch 2024-07-03 20:49:15 +08:00
Jarek Radosz 89c0123b3a
FIX: Redo relative-time-picker (#27651)
Fixes various issues with the picker
2024-07-03 14:15:21 +02:00
Natalie Tay 751750c7f8
FIX: Do not schedule avatar download if image is '' (#27687) 2024-07-03 19:50:31 +08:00
锦心 f3130bc6d9
FIX: Inline footnotes doesn’t work in the table at fullscreen (#27686)
* FIX: Inline footnotes doesn’t work in the table at fullscreen

meta topic: https://meta.discourse.org/t/inline-footnotes-doesnt-work-in-the-table-at-fullscreen/313445
2024-07-03 18:52:36 +08:00
dependabot[bot] 395cbbfe67
Build(deps-dev): Bump esbuild from 0.22.0 to 0.23.0 (#27681)
Bumps [esbuild](https://github.com/evanw/esbuild) from 0.22.0 to 0.23.0.
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md)
- [Commits](https://github.com/evanw/esbuild/compare/v0.22.0...v0.23.0)

---
updated-dependencies:
- dependency-name: esbuild
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-07-03 11:03:10 +02:00
Krzysztof Kotlarek 4157161578
DEV: flaky reorder flags specs (#27684)
Before checking if flags were reordered on the topic page, we need to ensure that the reorder action was finished. To achieve it "saving" CSS is added and removed when AJAX call is completed.
2024-07-03 12:02:18 +10:00
dependabot[bot] 13c297e4ff
Build(deps): Bump sassc-embedded from 1.77.1 to 1.77.2 (#27682)
Bumps [sassc-embedded](https://github.com/sass-contrib/sassc-embedded-shim-ruby) from 1.77.1 to 1.77.2.
- [Commits](https://github.com/sass-contrib/sassc-embedded-shim-ruby/compare/v1.77.1...v1.77.2)

---
updated-dependencies:
- dependency-name: sassc-embedded
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-07-03 09:13:40 +08:00
Martin Brennan 527f02e99f
FEATURE: Only count topic views for explicit/deferred tracked views (#27533)
Followup 2f2da72747

This commit moves topic view tracking from happening
every time a Topic is requested, which is susceptible
to inflating numbers of views from web crawlers, to
our request tracker middleware.

In this new location, topic views are only tracked when
the following headers are sent:

* HTTP_DISCOURSE_TRACK_VIEW - This is sent on every page navigation when
  clicking around the ember app. We count these as browser page views
  because we know it comes from the AJAX call in our app. The topic ID
  is extracted from HTTP_DISCOURSE_TRACK_VIEW_TOPIC_ID
* HTTP_DISCOURSE_DEFERRED_TRACK_VIEW - Sent when MessageBus initializes
  after first loading the page to count the initial page load view. The
  topic ID is extracted from HTTP_DISCOURSE_DEFERRED_TRACK_VIEW.

This will bring topic views more in line with the change we
made to page views in the referenced commit and result in
more realistic topic view counts.
2024-07-03 10:38:49 +10:00
Krzysztof Kotlarek 57af5d6f0d
FIX: missing flag serializer (#27683)
FlagSerializer is using in this PR
https://github.com/discourse/discourse/pull/27484 but was not staged.
2024-07-03 09:46:53 +10:00
Krzysztof Kotlarek c3fadc7330
FEATURE: created edit and delete flags (#27484)
Allow admins to create edit and delete flags.
2024-07-03 08:45:37 +10:00