Commit Graph

4386 Commits

Author SHA1 Message Date
Loïc Guitaut 41584ab40c DEV: Provide user input to services using `params` key
Currently in services, we don’t make a distinction between input
parameters, options and dependencies.

This can lead to user input modifying the service behavior, whereas it
was not the developer intention.

This patch addresses the issue by changing how data is provided to
services:
- `params` is now used to hold all data coming from outside (typically
  user input from a controller) and a contract will take its values from
  `params`.
- `options` is a new key to provide options to a service. This typically
  allows changing a service behavior at runtime. It is, of course,
  totally optional.
- `dependencies` is actually anything else provided to the service (like
  `guardian`) and available directly from the context object.

The `service_params` helper in controllers has been updated to reflect
those changes, so most of the existing services didn’t need specific
changes.

The options block has the same DSL as contracts, as it’s also based on
`ActiveModel`. There aren’t any validations, though. Here’s an example:
```ruby
options do
  attribute :allow_changing_hidden, :boolean, default: false
end
```
And here’s an example of how to call a service with the new keys:
```ruby
MyService.call(params: { key1: value1, … }, options: { my_option: true }, guardian:, …)
```
2024-10-25 09:57:59 +02:00
Bianca Nenciu 2f1d1cd062
FIX: Skip CSRF check for POST /categories/search (#29392)
This endpoint used to be a GET request, but was changed to POST to allow
larger payloads.

Follow up to commit ebc1763aa5.
2024-10-24 17:06:21 +03:00
Loïc Guitaut f79dd5c8b5 DEV: Stop injecting a service result object in the caller object
Currently, when calling a service with its block form, a `#result`
method is automatically created on the caller object. Even if it never
clashed so far, this could happen.

This patch removes that method, and instead use a more classical way of
doing things: the result object is now provided as an argument to the
main block. This means if we need to access the result object in an
outcome block, it will be done like this from now on:
```ruby
MyService.call(params) do |result|
  on_success do
    # do something with the result object
    do_something(result)
  end
end
```

In the same vein, this patch introduces the ability to match keys from
the result object in the outcome blocks, like we already do with step
definitions in a service. For example:
```ruby
on_success do |model:, contract:|
  do_something(model, contract)
end
```
Instead of
```ruby
on_success do
  do_something(result.model, result.contract)
end
```
2024-10-22 16:58:54 +02:00
Martin Brennan bd4e8422fe
FEATURE: Revive legacy pageview reports (#29308)
This commit brings back some reports hidden or changed
by the commit in 14b436923c if
the site setting `use_legacy_pageviews` is false.

* Unhide the old “Consolidated Pageviews” report and rename it
  to “Legacy Consolidated Pageviews”
* Add a legacy_page_view_total_reqs report called “Legacy Pageviews”,
  which calculates pageviews in the same way the old page_view_total_reqs
  report did.

This will allow admins to better compare old and new pageview
stats which are based on browser detection if they have switched
over to _not_ use legacy pageviews.
2024-10-22 10:06:22 +10:00
Krzysztof Kotlarek 433fadbd52
FEATURE: allow admins to enable announced experimental features (#29244)
Toggle the button to enable the experimental site setting from "What's new" announcement.

The toggle button is displayed when:
- site setting exists and is boolean;
- potentially required plugin is enabled.
2024-10-22 10:56:58 +11:00
Ted Johansson b1321b985a
DEV: Allow enabling safe-mode even when missing required fields (#29310)
When a user is missing required fields, they are required to fill those up before continuing to interact with the forum. This applies to admins as well.

We keep a whitelist of paths that can still be visited in this mode: FAQ, About, 2FA setup, and any admin route for admins.

We concluded that admins should still be able to enable safe mode even with missing required fields. Since plugins etc. can potentially mess with the ability to fill those up.
2024-10-21 17:11:43 +08:00
Régis Hanol 425643bbd8
FIX: staff only mode blocks admin password resets (#29289)
When staff only mode is enabled - Discourse.enable_readonly_mode(Discourse::STAFF_WRITES_ONLY_MODE_KEY)

Staff members couldn't reset their password via the "forgot password" link.

This fixes it.

Internal ref. t/133990
2024-10-21 09:29:37 +02:00
Régis Hanol 97ba39e60f
FIX: bump the number of svg icons we return to first 500 (#29286)
instead of the first 200 which would "hide" some icons from the list when picking an icon for a badge or a sidebar link.

Internal ref - t/119652
2024-10-18 19:22:13 +02:00
Loïc Guitaut e95edd079b DEV: Refactor some core services
Extracted from https://github.com/discourse/discourse/pull/29129.

This patch makes the code more compliant with the upcoming service docs
best practices.
2024-10-18 16:06:58 +02:00
Ted Johansson f8360f9665
FIX: Don't error out on nested topic show id param (#29274)
We're expecting the ID param to be something that neatly coerces into an ID. If we receive something like a nested parameter, this will blow up. (We already handle the case of arrays.)

This commit raises an InvalidParameters exception in the case of a nested ID.
2024-10-18 14:37:52 +08:00
Ted Johansson 9dafbe47dc
FIX: Don't error out on nested categories index page param (#29273)
We're expecting the page param to be something that neatly coerces into an integer. If we receive something like a nested parameter, this will blow up. (I'm sure there are other examples as well.)

This commit falls back to a page value of 1 if the coercion fails.
2024-10-18 14:37:39 +08:00
Bianca Nenciu 305927fa4b
DEV: Refactor categories controller to reuse code (#29172) 2024-10-16 11:41:26 +03:00
Alan Guo Xiang Tan 35284c77f1
Build(deps-dev): Bump rubocop from 1.66.1 to 1.67.0 (#29226)
Bumps [rubocop](https://github.com/rubocop/rubocop) from 1.66.1 to 1.67.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/rubocop/rubocop/releases">rubocop's releases</a>.</em></p>
<blockquote>
<h2>RuboCop 1.67</h2>
<h3>New features</h3>
<ul>
<li><a href="https://redirect.github.com/rubocop/rubocop/issues/13259">#13259</a>: Add new <code>Lint/DuplicateSetElement</code> cop. ([<a href="https://github.com/koic"><code>@​koic</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/pull/13223">#13223</a>: Add <code>AllowRBSInlineAnnotation</code> config option to <code>Layout/LeadingCommentSpace</code> to support RBS::Inline style annotation comments. ([<a href="https://github.com/tk0miya"><code>@​tk0miya</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/issues/13310">#13310</a>: Display analysis Ruby version in <code>rubocop -V</code>. ([<a href="https://github.com/koic"><code>@​koic</code></a>][])</li>
</ul>
<h3>Bug fixes</h3>
<ul>
<li><a href="https://redirect.github.com/rubocop/rubocop/pull/13314">#13314</a>: Fix a false negative for <code>Style/Semicolon</code> when using a semicolon between a closing parenthesis after a line break and a consequent expression. ([<a href="https://github.com/koic"><code>@​koic</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/pull/13217">#13217</a>: Fix a false positive in <code>Lint/ParenthesesAsGroupedExpression</code> with compound ranges. ([<a href="https://github.com/gsamokovarov"><code>@​gsamokovarov</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/pull/13268">#13268</a>: Fix a false positive for <code>Style/BlockDelimiters</code> when a single line do-end block with an inline <code>rescue</code> with a semicolon before <code>rescue</code>. ([<a href="https://github.com/koic"><code>@​koic</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/pull/13298">#13298</a>: Fix an error for <code>Layout/AccessModifierIndentation</code> when the access modifier is on the same line as the class definition. ([<a href="https://github.com/koic"><code>@​koic</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/pull/13198">#13198</a>: Fix an error for <code>Style/OneLineConditional</code> when using nested if/then/else/end. ([<a href="https://github.com/koic"><code>@​koic</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/issues/13316">#13316</a>: Fix an incorrect autocorrect for <code>Lint/ImplicitStringConcatenation</code> with <code>Lint/TripleQuotes</code> when string literals with triple quotes are used. ([<a href="https://github.com/koic"><code>@​koic</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/issues/13220">#13220</a>: Fix an incorrect autocorrect for <code>Style/ArgumentsForwarding</code> when using only forwarded arguments in brackets. ([<a href="https://github.com/koic"><code>@​koic</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/issues/13202">#13202</a>: Fix an incorrect autocorrect for <code>Style/CombinableLoops</code> when looping over the same data with different block variable names. ([<a href="https://github.com/koic"><code>@​koic</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/issues/13291">#13291</a>: Fix an incorrect autocorrect for <code>Style/RescueModifier</code> when using modifier rescue for method call with heredoc argument. ([<a href="https://github.com/koic"><code>@​koic</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/pull/13226">#13226</a>: Fix <code>--auto-gen-config</code> when passing an absolute config path. ([<a href="https://github.com/earlopain"><code>@​earlopain</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/issues/13225">#13225</a>: Avoid syntax error when correcting <code>Style/OperatorMethodCall</code> with <code>/</code> operations followed by a parenthesized argument. ([<a href="https://github.com/dvandersluis"><code>@​dvandersluis</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/issues/13235">#13235</a>: Fix an error for <code>Style/IfUnlessModifier</code> when multiline <code>if</code> that fits on one line and using implicit method call with hash value omission syntax. ([<a href="https://github.com/koic"><code>@​koic</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/pull/13219">#13219</a>: Fix a false positive for <code>Style/ArgumentsForwarding</code> with Ruby 3.0 and optional position arguments. ([<a href="https://github.com/earlopain"><code>@​earlopain</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/issues/13271">#13271</a>: Fix a false positive for <code>Lint/AmbiguousRange</code> when using rational literals. ([<a href="https://github.com/koic"><code>@​koic</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/issues/13260">#13260</a>: Fix a false positive for <code>Lint/RedundantSafeNavigation</code> with namespaced constants. ([<a href="https://github.com/earlopain"><code>@​earlopain</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/pull/13224">#13224</a>: Fix false positives for <code>Style/OperatorMethodCall</code> with named forwarding. ([<a href="https://github.com/earlopain"><code>@​earlopain</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/issues/13213">#13213</a>: Fix false positives for <code>Style/AccessModifierDeclarations</code> when <code>AllowModifiersOnAttrs: true</code> and using splat with a percent symbol array, or with a constant. ([<a href="https://github.com/koic"><code>@​koic</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/issues/13145">#13145</a>: Fix false positives for <code>Style/RedundantLineContinuation</code> when line continuations with comparison operator and the LHS is wrapped in parentheses. ([<a href="https://github.com/koic"><code>@​koic</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/issues/12875">#12875</a>: Fix false positive for <code>Style/ArgumentsForwarding</code> when argument is used inside a block. ([<a href="https://github.com/dvandersluis"><code>@​dvandersluis</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/pull/13239">#13239</a>: Fix false positive for <code>Style/CollectionCompact</code> when using <code>delete_if</code>. ([<a href="https://github.com/masato-bkn"><code>@​masato-bkn</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/pull/13210">#13210</a>: Fix omit_parentheses style for pattern match with value omission in single-line branch. ([<a href="https://github.com/gsamokovarov"><code>@​gsamokovarov</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/issues/13149">#13149</a>: Handle crashes in custom Ruby extractors more gracefully. ([<a href="https://github.com/earlopain"><code>@​earlopain</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/issues/13319">#13319</a>: Handle literal forward slashes inside a <code>regexp</code> in <code>Lint/LiteralInInterpolation</code>. ([<a href="https://github.com/dvandersluis"><code>@​dvandersluis</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/pull/13208">#13208</a>: Fix an incorrect autocorrect for <code>Style/IfWithSemicolon</code> when single-line <code>if/;/end</code> when the then body contains a method call with <code>[]</code> or <code>[]=</code>. ([<a href="https://github.com/koic"><code>@​koic</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/issues/13318">#13318</a>: Prevent modifying blocks with <code>Style/HashEachMethods</code> if the hash is modified within the block. ([<a href="https://github.com/dvandersluis"><code>@​dvandersluis</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/pull/13293">#13293</a>: Fix <code>TargetRubyVersion</code> from a gemspec when the gemspec is not named like the folder it is located in. ([<a href="https://github.com/earlopain"><code>@​earlopain</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/pull/13211">#13211</a>: Fix wrong autocorrect for <code>Style/GuardClause</code> when using heredoc without <code>else</code> branch. ([<a href="https://github.com/earlopain"><code>@​earlopain</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/pull/13215">#13215</a>: Fix wrong autocorrect for <code>Lint/BigDecimalNew</code> when using <code>::BigDecimal.new</code>. ([<a href="https://github.com/earlopain"><code>@​earlopain</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/pull/13215">#13215</a>: Fix wrong autocorrect for <code>Style/MethodCallWithArgsParentheses</code> with <code>EnforcedStyle: omit_parentheses</code> and whitespace. ([<a href="https://github.com/earlopain"><code>@​earlopain</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/issues/13302">#13302</a>: Fix incompatible autocorrect between <code>Style/RedundantBegin</code> and <code>Style/BlockDelimiters</code> with <code>EnforcedStyle: braces_for_chaining</code>. ([<a href="https://github.com/earlopain"><code>@​earlopain</code></a>][])</li>
</ul>
<h3>Changes</h3>
<ul>
<li><a href="https://redirect.github.com/rubocop/rubocop/pull/13221">#13221</a>: Do not group accessors having RBS::Inline annotation comments in <code>Style/AccessorGrouping</code>. ([<a href="https://github.com/tk0miya"><code>@​tk0miya</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/issues/13286">#13286</a>: Add <code>AllowedMethods</code> configuration to <code>Layout/FirstMethodArgumentLineBreak</code>. ([<a href="https://github.com/dvandersluis"><code>@​dvandersluis</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/issues/13110">#13110</a>: Add support in <code>Style/ArgumentsForwarding</code> for detecting forwarding of all anonymous arguments. ([<a href="https://github.com/dvandersluis"><code>@​dvandersluis</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/pull/13222">#13222</a>: Allow to write RBS::Inline annotation comments after method definition in <code>Style/CommentedKeyword</code>. ([<a href="https://github.com/tk0miya"><code>@​tk0miya</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/pull/13253">#13253</a>: Emit a deprecation when custom cops inherit from <code>RuboCop::Cop::Cop</code>. ([<a href="https://github.com/earlopain"><code>@​earlopain</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/pull/13300">#13300</a>: Set <code>EnforcedShorthandSyntax: either</code> by default for <code>Style/HashSyntax</code>. ([<a href="https://github.com/koic"><code>@​koic</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/pull/13254">#13254</a>: Enhance the autocorrect for <code>Naming/InclusiveLanguage</code> when a sole suggestion is set. ([<a href="https://github.com/koic"><code>@​koic</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/issues/13232">#13232</a>: Make server mode aware of auto-restart for local config update. ([<a href="https://github.com/koic"><code>@​koic</code></a>][])</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/rubocop/rubocop/blob/master/CHANGELOG.md">rubocop's changelog</a>.</em></p>
<blockquote>
<h2>1.67.0 (2024-10-15)</h2>
<h3>New features</h3>
<ul>
<li><a href="https://redirect.github.com/rubocop/rubocop/issues/13259">#13259</a>: Add new <code>Lint/DuplicateSetElement</code> cop. ([<a href="https://github.com/koic"><code>@​koic</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/pull/13223">#13223</a>: Add <code>AllowRBSInlineAnnotation</code> config option to <code>Layout/LeadingCommentSpace</code> to support RBS::Inline style annotation comments. ([<a href="https://github.com/tk0miya"><code>@​tk0miya</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/issues/13310">#13310</a>: Display analysis Ruby version in <code>rubocop -V</code>. ([<a href="https://github.com/koic"><code>@​koic</code></a>][])</li>
</ul>
<h3>Bug fixes</h3>
<ul>
<li><a href="https://redirect.github.com/rubocop/rubocop/pull/13314">#13314</a>: Fix a false negative for <code>Style/Semicolon</code> when using a semicolon between a closing parenthesis after a line break and a consequent expression. ([<a href="https://github.com/koic"><code>@​koic</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/pull/13217">#13217</a>: Fix a false positive in <code>Lint/ParenthesesAsGroupedExpression</code> with compound ranges. ([<a href="https://github.com/gsamokovarov"><code>@​gsamokovarov</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/pull/13268">#13268</a>: Fix a false positive for <code>Style/BlockDelimiters</code> when a single line do-end block with an inline <code>rescue</code> with a semicolon before <code>rescue</code>. ([<a href="https://github.com/koic"><code>@​koic</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/pull/13298">#13298</a>: Fix an error for <code>Layout/AccessModifierIndentation</code> when the access modifier is on the same line as the class definition. ([<a href="https://github.com/koic"><code>@​koic</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/pull/13198">#13198</a>: Fix an error for <code>Style/OneLineConditional</code> when using nested if/then/else/end. ([<a href="https://github.com/koic"><code>@​koic</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/issues/13316">#13316</a>: Fix an incorrect autocorrect for <code>Lint/ImplicitStringConcatenation</code> with <code>Lint/TripleQuotes</code> when string literals with triple quotes are used. ([<a href="https://github.com/koic"><code>@​koic</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/issues/13220">#13220</a>: Fix an incorrect autocorrect for <code>Style/ArgumentsForwarding</code> when using only forwarded arguments in brackets. ([<a href="https://github.com/koic"><code>@​koic</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/issues/13202">#13202</a>: Fix an incorrect autocorrect for <code>Style/CombinableLoops</code> when looping over the same data with different block variable names. ([<a href="https://github.com/koic"><code>@​koic</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/issues/13291">#13291</a>: Fix an incorrect autocorrect for <code>Style/RescueModifier</code> when using modifier rescue for method call with heredoc argument. ([<a href="https://github.com/koic"><code>@​koic</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/pull/13226">#13226</a>: Fix <code>--auto-gen-config</code> when passing an absolute config path. ([<a href="https://github.com/earlopain"><code>@​earlopain</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/issues/13225">#13225</a>: Avoid syntax error when correcting <code>Style/OperatorMethodCall</code> with <code>/</code> operations followed by a parenthesized argument. ([<a href="https://github.com/dvandersluis"><code>@​dvandersluis</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/issues/13235">#13235</a>: Fix an error for <code>Style/IfUnlessModifier</code> when multiline <code>if</code> that fits on one line and using implicit method call with hash value omission syntax. ([<a href="https://github.com/koic"><code>@​koic</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/pull/13219">#13219</a>: Fix a false positive for <code>Style/ArgumentsForwarding</code> with Ruby 3.0 and optional position arguments. ([<a href="https://github.com/earlopain"><code>@​earlopain</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/issues/13271">#13271</a>: Fix a false positive for <code>Lint/AmbiguousRange</code> when using rational literals. ([<a href="https://github.com/koic"><code>@​koic</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/issues/13260">#13260</a>: Fix a false positive for <code>Lint/RedundantSafeNavigation</code> with namespaced constants. ([<a href="https://github.com/earlopain"><code>@​earlopain</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/pull/13224">#13224</a>: Fix false positives for <code>Style/OperatorMethodCall</code> with named forwarding. ([<a href="https://github.com/earlopain"><code>@​earlopain</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/issues/13213">#13213</a>: Fix false positives for <code>Style/AccessModifierDeclarations</code> when <code>AllowModifiersOnAttrs: true</code> and using splat with a percent symbol array, or with a constant. ([<a href="https://github.com/koic"><code>@​koic</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/issues/13145">#13145</a>: Fix false positives for <code>Style/RedundantLineContinuation</code> when line continuations with comparison operator and the LHS is wrapped in parentheses. ([<a href="https://github.com/koic"><code>@​koic</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/issues/12875">#12875</a>: Fix false positive for <code>Style/ArgumentsForwarding</code> when argument is used inside a block. ([<a href="https://github.com/dvandersluis"><code>@​dvandersluis</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/pull/13239">#13239</a>: Fix false positive for <code>Style/CollectionCompact</code> when using <code>delete_if</code>. ([<a href="https://github.com/masato-bkn"><code>@​masato-bkn</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/pull/13210">#13210</a>: Fix omit_parentheses style for pattern match with value omission in single-line branch. ([<a href="https://github.com/gsamokovarov"><code>@​gsamokovarov</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/issues/13149">#13149</a>: Handle crashes in custom Ruby extractors more gracefully. ([<a href="https://github.com/earlopain"><code>@​earlopain</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/issues/13319">#13319</a>: Handle literal forward slashes inside a <code>regexp</code> in <code>Lint/LiteralInInterpolation</code>. ([<a href="https://github.com/dvandersluis"><code>@​dvandersluis</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/pull/13208">#13208</a>: Fix an incorrect autocorrect for <code>Style/IfWithSemicolon</code> when single-line <code>if/;/end</code> when the then body contains a method call with <code>[]</code> or <code>[]=</code>. ([<a href="https://github.com/koic"><code>@​koic</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/issues/13318">#13318</a>: Prevent modifying blocks with <code>Style/HashEachMethods</code> if the hash is modified within the block. ([<a href="https://github.com/dvandersluis"><code>@​dvandersluis</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/pull/13293">#13293</a>: Fix <code>TargetRubyVersion</code> from a gemspec when the gemspec is not named like the folder it is located in. ([<a href="https://github.com/earlopain"><code>@​earlopain</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/pull/13211">#13211</a>: Fix wrong autocorrect for <code>Style/GuardClause</code> when using heredoc without <code>else</code> branch. ([<a href="https://github.com/earlopain"><code>@​earlopain</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/pull/13215">#13215</a>: Fix wrong autocorrect for <code>Lint/BigDecimalNew</code> when using <code>::BigDecimal.new</code>. ([<a href="https://github.com/earlopain"><code>@​earlopain</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/pull/13215">#13215</a>: Fix wrong autocorrect for <code>Style/MethodCallWithArgsParentheses</code> with <code>EnforcedStyle: omit_parentheses</code> and whitespace. ([<a href="https://github.com/earlopain"><code>@​earlopain</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/issues/13302">#13302</a>: Fix incompatible autocorrect between <code>Style/RedundantBegin</code> and <code>Style/BlockDelimiters</code> with <code>EnforcedStyle: braces_for_chaining</code>. ([<a href="https://github.com/earlopain"><code>@​earlopain</code></a>][])</li>
</ul>
<h3>Changes</h3>
<ul>
<li><a href="https://redirect.github.com/rubocop/rubocop/pull/13221">#13221</a>: Do not group accessors having RBS::Inline annotation comments in <code>Style/AccessorGrouping</code>. ([<a href="https://github.com/tk0miya"><code>@​tk0miya</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/issues/13286">#13286</a>: Add <code>AllowedMethods</code> configuration to <code>Layout/FirstMethodArgumentLineBreak</code>. ([<a href="https://github.com/dvandersluis"><code>@​dvandersluis</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/issues/13110">#13110</a>: Add support in <code>Style/ArgumentsForwarding</code> for detecting forwarding of all anonymous arguments. ([<a href="https://github.com/dvandersluis"><code>@​dvandersluis</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/pull/13222">#13222</a>: Allow to write RBS::Inline annotation comments after method definition in <code>Style/CommentedKeyword</code>. ([<a href="https://github.com/tk0miya"><code>@​tk0miya</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/pull/13253">#13253</a>: Emit a deprecation when custom cops inherit from <code>RuboCop::Cop::Cop</code>. ([<a href="https://github.com/earlopain"><code>@​earlopain</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/pull/13300">#13300</a>: Set <code>EnforcedShorthandSyntax: either</code> by default for <code>Style/HashSyntax</code>. ([<a href="https://github.com/koic"><code>@​koic</code></a>][])</li>
<li><a href="https://redirect.github.com/rubocop/rubocop/pull/13254">#13254</a>: Enhance the autocorrect for <code>Naming/InclusiveLanguage</code> when a sole suggestion is set. ([<a href="https://github.com/koic"><code>@​koic</code></a>][])</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="c108ac0822"><code>c108ac0</code></a> Cut 1.67</li>
<li><a href="74ddd9bb96"><code>74ddd9b</code></a> Update Changelog</li>
<li><a href="b5c12aea89"><code>b5c12ae</code></a> Update Changelog</li>
<li><a href="c936160665"><code>c936160</code></a> [Fix <a href="https://redirect.github.com/rubocop/rubocop/issues/13331">#13331</a>] Fix an error when using release task</li>
<li><a href="60ecb00dd7"><code>60ecb00</code></a> [Fix <a href="https://redirect.github.com/rubocop/rubocop/issues/13328">#13328</a>] Declare <code>Enabled</code> as a common config key</li>
<li><a href="99022d9880"><code>99022d9</code></a> Merge pull request <a href="https://redirect.github.com/rubocop/rubocop/issues/13327">#13327</a> from koic/make_server_mode_aware_of_auto_restart_fo...</li>
<li><a href="60432f5e44"><code>60432f5</code></a> Apply <code>RESTRICT_ON_SEND</code> to <code>Bundler/GemVersion</code></li>
<li><a href="6b31c39f1e"><code>6b31c39</code></a> Make server mode aware of auto-restart for .rubocop_todo.yml update</li>
<li><a href="adb7ceed43"><code>adb7cee</code></a> [Fix <a href="https://redirect.github.com/rubocop/rubocop/issues/9816">#9816</a>] Refine <code>Lint/SafeNavigationConsistency</code></li>
<li><a href="7d6797cf9d"><code>7d6797c</code></a> [Fix <a href="https://redirect.github.com/rubocop/rubocop/issues/13286">#13286</a>] Add <code>AllowedMethods</code> and <code>AllowedPatterns</code> configuration to `Lay...</li>
<li>Additional commits viewable in <a href="https://github.com/rubocop/rubocop/compare/v1.66.1...v1.67.0">compare view</a></li>
</ul>
</details>
<br />

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=rubocop&package-manager=bundler&previous-version=1.66.1&new-version=1.67.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

</details>
2024-10-16 10:56:58 +08:00
Alan Guo Xiang Tan 322a3be2db
DEV: Remove logical OR assignment of constants (#29201)
Constants should always be only assigned once. The logical OR assignment
of a constant is a relic of the past before we used zeitwerk for
autoloading and had bugs where a file could be loaded twice resulting in
constant redefinition warnings.
2024-10-16 10:09:07 +08:00
Jordan Vidrine 3ad2fd032b
FEATURE: Initial themes config area with grid (#28828)
* UX: More additions

* UX: more

* DEV: Add admin/config/themes route

* UX: Use admin config card

* syntax merge fixes

* cleanup

* cleanup

* checkbox

* more

* error

* save on click

* more

* fix setter

* DEV: Implement vanilla checkbox

* cleanup

* UX: save themes as default

* DEV: Add component list to card

* DEV: Add placeholder for no screenshots

* DEV: Fix default theme reactivity

Also add content/optionalAction yields to config area
card and put the theme user selectable checkbox there,
along with adding styles.

* DEV: Change to generic "look and feel" config area

* DEV: Auto redirect to themes on base look and feel route

* UX: Remove computed from sorted themes

* linting

* UX: Turn update icon into button that routes to settings

* DEV: remove unused function

* UX: center icons with title

* DEV: Lint

* UX: Hook up theme preview button

* DEV: Minor fixes

---------

Co-authored-by: Martin Brennan <martin@discourse.org>
Co-authored-by: Joffrey JAFFEUX <j.jaffeux@gmail.com>
2024-10-15 10:54:38 -05:00
Natalie Tay ede06ffd43
FIX: Allow user to log in another account using the same device (client_id) (#29121)
Allow user to log in another account using the same device (client_id)
2024-10-14 12:39:20 +08:00
Martin Brennan 2193667e1f
FIX: Plugin JS failing to load would break admin interface (#29139)
If a plugin's JS fails to load for some reason, most commonly
ad blockers, the entire admin interface would break. This is because
we are adding links to the admin routes for plugins that define
them in the sidebar.

We have a fix for this already in the plugin list which shows a warning
to the admin. This fix just prevents the broken link from rendering
in the sidebar if the route is not valid.
2024-10-11 09:26:10 +10:00
Régis Hanol 34d04e7507
SECURITY: add pagination to post replies
When a post has some replies, and the user click on the button to show them, we would load ALL the replies. This could lead to DoS if there were a very large number of replies.

This adds support for pagination to these post replies.

Internal ref t/129773

FIX: Duplicated parent posts

DEV: Query refactor
2024-10-07 11:48:48 +08:00
Loïc Guitaut ad8f46f4f1 DEV: Make params explicit for services in controllers 2024-10-03 16:56:39 +09:00
Martin Brennan 8fc34e9323
DEV: Add a skeleton for section landing page & items (#28477)
We are going to start making section landing pages
for admin for each sidebar section. This lays the framework
with routes and simple components that can be further
refined by a designer, but I have taken the base CSS from
AI which Kris made.

The initial section landing items will be used in AI to replace
the placeholders added in this commit b8b3c61451
2024-10-02 12:19:38 +10:00
Krzysztof Kotlarek c5a024f8df
FIX: custom flag name should be unique (#28869)
Validation to ensure that the custom flag name is unique.
2024-09-30 09:17:19 +10:00
Linca a1e5796ba1
FEAT: Allow admin delete user's associated accounts (#29018)
This commit introduces a feature that allows an admin to delete a user's
associated account. After deletion, a log will be recorded in staff
actions.

ref=t/136675
2024-09-27 20:08:05 +08:00
Ted Johansson be33363f13
FEATURE: Add ability to dismiss admin notices (#28916)
his is a new feature that lets admins dismiss notices from the dashboard. This helps with self-service in cases where a notice is "stuck", while we work on provisions to prevent "sticking" in the first place.
2024-09-17 14:43:34 +08:00
Linca 741e9d70ad
FIX: Don't show move topic for private messages for TL4 (#28871)
In TopicController, in addition to ensure_can_move_posts!, we also
checked if the topic is private message in this line:

```ruby
raise Discourse::InvalidAccess if params[:archetype] == "private_message" && !guardian.is_staff?
```

However, this was not present in `guardian.can_move_posts?`. As a result,
the frontend topic view got an incorrect serialized result, thinking
that TL4 could move the private message post. In fact, once they tried
to move it, they got the `InvalidAccess` error message.

This commit fixes that TL4 will no longer sees the "move to" option in
the "select post" panel for a private message.
2024-09-16 11:30:05 +08:00
Loïc Guitaut b806dce13d DEV: Refactor suspend/silence user services
- fetch models inside services
- validate `user_id` in contracts
- use policy objects
- extract more logic to actions
- write specs for services and action
2024-09-12 10:28:48 +02:00
Martin Brennan 14b436923c
FEATURE: Switch to new methods of pageview measurement and reporting (#28729)
### UI changes

All of the UI changes described are gated behind the `use_legacy_pageviews`
site setting.

This commit changes the admin dashboard pageviews report to
use the "Consolidated Pageviews with Browser Detection" report
introduced in 2f2da72747 with
the following changes:

* The report name is changed to "Site traffic"
* The pageview count on the dashboard is counting only using the new method
* The old "Consolidated Pageviews" report is renamed as "Consolidated Legacy Pageviews"
* By default "known crawlers" and "other" sources of pageviews are hidden on the report

When `use_legacy_pageviews` is `true`, we do not show or allow running
the "Site traffic" report for admins. When `use_legacy_pageviews` is `false`,
we do not show or allow running the following legacy reports:

* consolidated_page_views
* consolidated_page_views_browser_detection
* page_view_anon_reqs
* page_view_logged_in_reqs

### Historical data changes

Also part of this change is that, since we introduced our new "Consolidated
Pageviews with Browser Detection" report, some admins are confused at either:

* The lack of data before a certain date , which didn’t exist before
  we started collecting it
* Comparing this and the current "Consolidated Pageviews" report data,
  which rolls up "Other Pageviews" into "Anonymous Browser" and so it
  appears inaccurate

All pageview data in the new report before the date where the _first_
anon or logged in browser pageview was recorded is now hidden.
2024-09-10 09:51:49 +10:00
Linca aab2987438
FEATURE: Log tag group changes in staff action log (#28787)
* FEATURE: Log tag group changes in staff action log

This commit records every change (add, change, delete) to a tag group in
the staff action log.

It uses a modal that was originally called ThemeChangeModal to display
changes, allowing staffs to see the specific changes clearly. The modal
is renamed to StaffActionLogChangeModal in this PR.

ref: https://meta.discourse.org/t/-/325011/14

Co-authored-by: Keegan George <kgeorge13@gmail.com>
2024-09-09 10:50:48 +08:00
Ted Johansson 776b4ec8e2
DEV: Remove old problem check system - Part 1 (#28772)
We're now using the new, database-backed problem check system. This PR removes parts of the old, Redis-backed system that is now defunct.
2024-09-06 17:00:25 +08:00
Loïc Guitaut e94707acdf DEV: Drop `WithServiceHelper`
This patch removes the `with_service` helper from the code base.
Instead, we can pass a block with actions directly to the `.call` method
of a service.

This simplifies how to use services:
- use `.call` without a block to run the service and get its result
  object.
- use `.call` with a block of actions to run the service and execute
  arbitrary code depending on the service outcome.

It also means a service is now “self-contained” and can be used anywhere
without having to include a helper or whatever.
2024-09-05 09:58:20 +02:00
Osama Sayegh 280adda09c
FEATURE: Support designating multiple groups as mods on category (#28655)
Currently, categories support designating only 1 group as a moderation group on the category. This commit removes the one group limitation and makes it possible to designate multiple groups as mods on a category.

Internal topic: t/124648.
2024-09-04 04:38:46 +03:00
Penar Musaraj 8c19104866
FIX: Passkey login when Discourse used as SSO provider (#28672)
Co-authored-by: Osama Sayegh <asooomaasoooma90@gmail.com>
2024-09-03 11:46:23 -04:00
Krzysztof Kotlarek 7577231ba2
DEV: the ability to define setting areas (#28570)
A new setting attribute is used to define the areas (separated by `|`).

In addition, endpoint `/admin/config/site_settings.json` accepts new `filter_area` data.
2024-09-03 09:25:45 +10:00
Ted Johansson bfad9a7170
DEV: Gracefully handle an array of IDs passed to Topics#show (#28631)
We're seeing a lot of log noise coming from unhandled exceptions stemming from requests to TopicsController#show where id is passed in as an array.

In the implementation of the method, we assume that if id is present it will be a string. This is because one of the routes to this action uses :id as a URL fragment, and so must be a string. However, there are other routes that go to this endpoint as well. Some of them don't have this URL fragment, so you can pass an arbitrary id query parameter.

Instead of a downstream unhandled exception, we raise a Discourse::InvalidParameters upfront.
2024-08-29 14:22:42 +08:00
Penar Musaraj ee3b175373
DEV: Ignore invalid tag parameter in TagsController (#28557)
This had no effect in the app, but it was resulting in errors in the logs.
2024-08-27 12:06:54 -04:00
Jan Cernik 437d7a0ad1
FIX: Endless loading post history (#28425) 2024-08-27 09:33:13 -03:00
Martin Brennan a16faa27cd
FEATURE: Allow showing site text search in selected locale (#28453)
When searching for site texts for admin using the english
version of the text, previously we would show the english
version in the results _even if_ there was another locale
translated version available when a locale was selected
from the dropdown.

This commit adds a "Only show results in selected locale"
checkbox option which will instead make it so the results
shown are in the target locale, making it easier for translators
to tell when there is actually translations vs. missing tranlsations.
2024-08-26 11:25:36 +10:00
Alan Guo Xiang Tan 21bb28df91
PERF: Ensure suggested topics is only loaded on last page of topic view (#28507)
This commit improves `TopicsController#show` to not load suggested and
related topics unless it is the last page of the topic's view.
Previously, we avoided loading suggested and related topics by the use
of conditionals in the `TopicViewSerializer` to avoid calling
`TopicView#suggested_topics` and `TopicView#related_topics`. However,
this pattern is not reliable as the methods can still be called from
other spots in the code base. Instead, we ensure that
`TopicView#include_suggested` and `TopicView#include_related` is set
correctly on the instance of `TopicView` which ensures that for the
given instance, `TopicView#suggested_topics` and
`TopicView#related_topics` will be a noop.
2024-08-23 16:10:50 +08:00
Osama Sayegh 67cde14a61
DEV: Use `Service::Base` for suspend and silence actions (#28459)
This commit moves the business logic in the `Admin::UsersController#suspend` and `Admin::UsersController#silence` actions to dedicated service classes. There's no functional changes in this commit.

Internal topic: t/130014.
2024-08-22 14:38:56 +03:00
David Taylor 150f5694dc
FIX: Write stylesheet cache atomically (#28457)
In some situations, the filesystem cache will be read and persisted to the database. If the file being read is still being written, then that can lead to empty/partial caches being stored in the database.

This commit ensures that cannot happen by switching to our `atomic_write_file` helper (which writes to a temp file, and then does an atomic `mv` operation to move it to the destination)
2024-08-21 12:44:17 +01:00
Osama Sayegh 35b748e7f4
FIX: Don't show silence button on staff users and display similar users (#28423)
This commit fixes a bug where the silence button is incorrectly displayed on the admin page of a staff user. It's not actually possible to silence a staff user because the backend correctly prevents it, but the frontend isn't checking if the button should be displayed.

Another small bug that this commit fixes is the similar users list not showing up inside the silence/suspend modals due to also a bug in the frontend.

I've also changed the way similar users are loaded so that they're not returned by the `admin/users#show` endpoint anymore and moved them into a new endpoint that the penalize modals (suspend and silence) can call directly to retrieve the list of users. This is done because the similar users list is never shown on the admin user page (`/admin/users/:user_id/:username`); they're only needed when the suspend or silence modals are opened.

Internal topic: t/130014.
2024-08-20 15:27:29 +03:00
Guhyoun Nam 9c1812e071
FEATURE: add `system_user_max_attachment_size_kb` site setting (#28351)
* System user attachment size WIP

* spec check

* controller update

* add max to system_user_max_attachment_size_kb

* DEV: update to use static method for `max_attachment_size_for_user`

add test to use large image.
add check for failure.

* DEV: update `system_user_max_attachment_size_kb` default value to 0

remove unecessary test.
update tests to reflect the new default value of `system_user_max_attachment_size_kb`

* DEV: update maximum_file_size to check when is an attachment made by a system user

Add tests for when `system_user_max_attachment_size_kb` is over and under the limit
Add test for checking interaction with `max_attachment_size_kb`

* DEV: move `max_attachment_size_for_user` to private methods

* DEV: turn `max_attachment_size_for_user` into a static method

* DEV: typo in test case

* DEV: move max_attachment_size_for_user to private class method

* Revert "DEV: move max_attachment_size_for_user to private class method"

This reverts commit 5d5ae0b715.

---------

Co-authored-by: Gabriel Grubba <gabriel@discourse.org>
2024-08-16 11:03:39 -03:00
Martin Brennan 3e5976f843
FEATURE: Always show full page "New Features" to admins (#28383)
We used to show New Features in a tab on the dashboard,
but this could get pushed down the page especially on
our hosting. In 043117ca13
we made a separate What's New page, so this commit removes
the dashboard tab and changes the admin notification to
send the admin to /admin/whats-new instead of the dashboard
tab.
2024-08-16 09:12:24 +10:00
Krzysztof Kotlarek e82e255531
FIX: serialize Flags instead of PostActionType (#28362)
### Why?
Before, all flags were static. Therefore, they were stored in class variables and serialized by SiteSerializer. Recently, we added an option for admins to add their own flags or disable existing flags. Therefore, the class variable had to be dropped because it was unsafe for a multisite environment. However, it started causing performance problems. 

### Solution
When a new Flag system is used, instead of using PostActionType, we can serialize Flags and use fragment cache for performance reasons. 

At the same time, we are still supporting deprecated `replace_flags` API call. When it is used, we fall back to the old solution and the admin cannot add custom flags. In a couple of months, we will be able to drop that API function and clean that code properly. However, because it may still be used, redis cache was introduced to improve performance.

To test backward compatibility you can add this code to any plugin
```ruby
  replace_flags do |flag_settings|
    flag_settings.add(
      4,
      :inappropriate,
      topic_type: true,
      notify_type: true,
      auto_action_type: true,
    )
    flag_settings.add(1001, :trolling, topic_type: true, notify_type: true, auto_action_type: true)
  end
```
2024-08-14 12:13:46 +10:00
Krzysztof Kotlarek 559c9dfe0a
REVERT: FIX: serialize Flags instead of PostActionType (#28334) 2024-08-13 18:32:11 +10:00
Krzysztof Kotlarek 094052c1ff
FIX: serialize Flags instead of PostActionType (#28259)
### Why?
Before, all flags were static. Therefore, they were stored in class variables and serialized by SiteSerializer. Recently, we added an option for admins to add their own flags or disable existing flags. Therefore, the class variable had to be dropped because it was unsafe for a multisite environment. However, it started causing performance problems. 

### Solution
When a new Flag system is used, instead of using PostActionType, we can serialize Flags and use fragment cache for performance reasons. 

At the same time, we are still supporting deprecated `replace_flags` API call. When it is used, we fall back to the old solution and the admin cannot add custom flags. In a couple of months, we will be able to drop that API function and clean that code properly. However, because it may still be used, redis cache was introduced to improve performance.

To test backward compatibility you can add this code to any plugin
```ruby
  replace_flags do |flag_settings|
    flag_settings.add(
      4,
      :inappropriate,
      topic_type: true,
      notify_type: true,
      auto_action_type: true,
    )
    flag_settings.add(1001, :trolling, topic_type: true, notify_type: true, auto_action_type: true)
  end
```
2024-08-13 11:22:37 +10:00
Jan Cernik 5b78bbd138
DEV: Convert account activation pages to use Ember (#28206) 2024-08-12 18:02:00 -03:00
Loïc Guitaut bf3d8a0a94 FIX: Don’t log an error when rendering a 404
Currently, in the list controller, when encountering an unsafe redirect
error, a 404 is rendered. The problem is that it’s done in a way that it
also logs a fatal error (because a `Discourse::NotFound` exception was
raised inside a `rescue_from` block).

This patch addresses that issue by simply rendering a 404 without
raising any error.
2024-08-08 09:21:27 +02:00
Loïc Guitaut e494bafed3 FIX: Unescape URI properly when redirecting to a category
Currently, when a badly named category slug is provided, it can lead to
an infinite redirect.

This patch addresses the issue by properly unescaping `request.fullpath`
so the path is successfully rewritten and the redirect happens as
expected.
2024-08-07 15:53:21 +02:00
Alan Guo Xiang Tan 2492fe7715
FIX: Set sane default for `Net::HTTP` when processing a request (#28141)
This commit patches `Net::HTTP` to reduce the default timeouts of 60
seconds when we are processing a request. There are certain routes in
Discourse which makes external requests and if the proper timeouts are
not set, we risk having the Unicorn master process force restarting the
Unicorn workers once the `30` seconds timeout is reached. This can
potentially become a vector for DoS attacks and this commit is aimed at
reducing the risk here.
2024-08-06 07:12:42 +08:00
Ted Johansson a32390f5dc
FIX: Don't count draft views towards topic view stats (#28162)
When creating a shared draft, we're recording topic view stats on the draft and then pass those on when the draft is published, conflating the actual view count.

This fixes that by not registering topic views if the topic is a shared draft.
2024-07-31 11:10:50 +08:00