Commit Graph

51873 Commits

Author SHA1 Message Date
David Taylor 0878dde213
DEV: Modernise highlightjs loading (#24197)
- Remove vendored copy
- Update Rails implementation to look for language definitions in node_modules
- Use webpack-based dynamic import for hljs core
- Use browser-native dynamic import for site-specific language bundle (and fallback to webpack-based dynamic import in tests)
- Simplify markdown implementation to allow all languages into the `lang-{blah}` className
- Now that all languages are passed through, resolve aliases at runtime to avoid the need for the pre-built `highlightjs-aliases` index
2023-11-10 20:39:48 +00:00
Daniel Waterworth e845138bc1
FIX: Updating presence status in readonly mode should fail gracefully (#24333) 2023-11-10 14:27:43 -06:00
Blake Erickson bed4b3ee91
DEV: Remove .github/workflows/check-branches.yml (#24331)
We no longer need this workflow.
2023-11-10 08:49:38 -07:00
David Taylor ac896755bb
DEV: Simplify ember-cli proxy strategy (#24242)
Previously, the app HTML served by the Ember-CLI proxy was generated based on a 'bootstrap json' payload generated by Rails. This inevitably leads to differences between the Rails HTML and the Ember-CLI HTML.

This commit overhauls our proxying strategy. Now, we totally ignore the ember-cli `index.html` file. Instead, we take the full HTML from Rails and surgically replace script URLs based on a `data-discourse-entrypoint` attribute. This should be faster (only one request to Rails), more robust, and less confusing for developers.
2023-11-10 11:16:06 +00:00
David Taylor 80208d0ab6
DEV: Support legacy precompiler paths in theme compiler (#24329)
This updates the behaviour to match ember-cli-htmlbars, and should take care of the handful of themes which were relying on runtime compilation in tests (see 4425e99bf9)
2023-11-10 10:37:50 +00:00
Joffrey JAFFEUX ab832cc865
FEATURE: introduces group channels (#24288)
Group channels will allow users to create channels with a name and invite people. It's possible to add people even after creation of the channel. Removing users is not yet possible but will be added in the near future.

Technically a group channel is `direct_message_channel` with a group attribute set to true on its direct message (chatable). This model might evolve in the future but offers much flexibility for now without having to rely on a complex migration.

The commit essentially consists of:
- a migration to set existing direct message channels with more than 2 users to a group
- a new message creator which allows to search, add members, and create groups
- a new `AddUsersToChannel` service
- a modified `SearchChatable` service
2023-11-10 11:29:28 +01:00
Martin Brennan a8d6dc4d3a
DEV: Fix bookmark flaky (#24327)
Fixes this problem that happens sometimes in specs:

> Mocha::StubbingError:
> #<Mock:0x135150> was instantiated in one test but it is receiving
invocations within another test. This can lead to unintended
interactions between tests and hence unexpected test failures. Ensure
that every test correctly cleans up any state that it introduces.
2023-11-10 11:16:22 +01:00
David Taylor de8c8f1d28
DEV: Limit re-use of bundler/yarn caches in CI (#24256)
Using restore-keys means we will always use an old cache, and then add more dependencies to it. This leads to the cache growing over time and becoming increasingly slow. Instead, we should rebuild the cache from scratch each time our dependencies change.
2023-11-10 10:03:15 +00:00
Krzysztof Kotlarek c0c525056f
UX: number site setting validation message (#24303)
Format big numbers validation to an easy-to-read format like 1,000,000
2023-11-10 14:27:35 +11:00
Martin Brennan fb2756537d
DEV: Remove flaky setting deprecation logging specs (#24322)
Followup to baeac8f105,
I tried to fix this in 6bf66ccd1a
but it is still not reliable, just removing since they are
too unreliable for value provided
2023-11-10 10:46:28 +10:00
Martin Brennan 620485ada2
DEV: Skip flaky sidebar mobile spec (#24321) 2023-11-10 10:46:19 +10:00
Martin Brennan 731dffdf92
DEV: Align S3 transfer acceleration global settings (#24302)
Followup to fe05fdae24

For consistency with other S3 settings, make the global setting
the same name as the site setting and use SiteSetting.Upload
too so it reads from the correct place.
2023-11-10 09:50:23 +10:00
Kris 36ab7ff2a9
FIX: update tag-chooser & category-selector action (#24318) 2023-11-10 00:05:02 +01:00
dependabot[bot] 10167ad8ee
Build(deps): Bump the babel group (#24310)
Bumps the babel group in /app/assets/javascripts with 2 updates: [@babel/core](https://github.com/babel/babel/tree/HEAD/packages/babel-core) and [@babel/standalone](https://github.com/babel/babel/tree/HEAD/packages/babel-standalone).


Updates `@babel/core` from 7.23.2 to 7.23.3
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.23.3/packages/babel-core)

Updates `@babel/standalone` from 7.23.2 to 7.23.3
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.23.3/packages/babel-standalone)

---
updated-dependencies:
- dependency-name: "@babel/core"
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: babel
- dependency-name: "@babel/standalone"
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: babel
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-11-10 00:00:05 +01:00
Daniel Waterworth 6e161d3e75
DEV: Allow fab! without block (#24314)
The most common thing that we do with fab! is:

    fab!(:thing) { Fabricate(:thing) }

This commit adds a shorthand for this which is just simply:

    fab!(:thing)

i.e. If you omit the block, then, by default, you'll get a `Fabricate`d object using the fabricator of the same name.
2023-11-09 16:47:59 -06:00
Andrei Prigorshnev d91456fd53
DEV: Ability to collect stats without exposing them via API (#23933)
This adds the ability to collect stats without exposing them 
among other stats via API.

The most important thing I wanted to achieve is to provide 
an API where stats are not exposed by default, and a developer 
has to explicitly specify that they should be 
exposed (`expose_via_api: true`). Implementing an opposite 
solution would be simpler, but that's less safe in terms of 
potential security issues. 

When working on this, I had to refactor the current solution. 
I would go even further with the refactoring, but the next steps 
seem to be going too far in changing the solution we have, 
and that would also take more time. Two things that can be 
improved in the future:
1. Data structures for holding stats can be further improved
2. Core stats are hard-coded in the About template (it's hard 
to fix it without correcting data structures first, see point 1):
    63a0700d45/app/views/about/index.html.erb (L61-L101)

The most significant refactorings are:
1. Introducing the `Stat` model
2. Aligning the way the core and the plugin stats are registered
2023-11-10 00:44:05 +04:00
Bianca Nenciu bdb81b5346
DEV: Use a single registry for preloaded category custom fields (#24272)
There was a registry for preloaded site categories and a new one has
been introduced recently for categories serialized through a
CategoryList.

Having two registries created a lot of friction for developers and this
commit merges them into a single one, providing a unified API.
2023-11-09 18:23:24 +02:00
Martin Brennan e772bb9fce
DEV: Allow new_features URL to be configurable (#24306)
This is so the new features plugin can be tested
more easily locally.
2023-11-09 13:50:21 +10:00
Krzysztof Kotlarek e5e7dd78c2 Bump version to v3.2.0.beta4-dev 2023-11-09 14:25:44 +11:00
Krzysztof Kotlarek 95b7cbd8a1 Bump version to v3.2.0.beta3 2023-11-09 14:25:44 +11:00
Ted Johansson 95a82d608d SECURITY: Prevent Onebox cache overflow by limiting downloads and URL lengths 2023-11-09 13:39:18 +11:00
Martin Brennan 3c5fb871c0 SECURITY: Filter unread bookmark reminders the user cannot see
There is an edge case where the following occurs:

1. The user sets a bookmark reminder on a post/topic
2. The post/topic is changed to a PM before or after the reminder
   fires, and the notification remains unread by the user
3. The user opens their bookmark reminder notification list
   and they can still see the notification even though they cannot
   access the topic anymore

There is a very low chance for information leaking here, since
the only thing that could be exposed is the topic title if it
changes to something sensitive.

This commit filters the bookmark unread notifications by using
the bookmarkable can_see? methods and also prevents sending
reminder notifications for bookmarks the user can no longer see.
2023-11-09 13:39:16 +11:00
Penar Musaraj 6183d9633d SECURITY: Limit height of pre/svg elements
Ensures posts cannot have SVG or PRE elements that are too tall.
2023-11-09 13:39:13 +11:00
Roman Rizzi d78357917c SECURITY: Onebox templates' HTML injections.
The use of triple-curlies on Mustache templates opens the possibility for HTML injections.
2023-11-09 13:39:11 +11:00
Krzysztof Kotlarek 5f20748e40 SECURITY: SSRF vulnerability in TopicEmbed
Block redirects when making the final request in TopicEmbed to prevent Server Side Request Forgery (SSRF)
2023-11-09 13:39:08 +11:00
Régis Hanol 7d484864fe SECURITY: escape display names
Ensure we escape the display names before passing them to the regexp used to update
quotes whenever a user changes their display name.
2023-11-09 13:39:06 +11:00
Martin Brennan 67ac4c5616
DEV: Move min_trust_level_for_here_mention to group setting (#24263)
c.f. https://meta.discourse.org/t/-/283408
2023-11-09 12:07:01 +10:00
Jordan Vidrine 37fda6d479
FIX: Adjust border radius (#24301) 2023-11-08 18:36:30 -06:00
Martin Brennan fe5383dbff
FIX: Prevent invalid tos and privacy URLs in cache (#24291)
Followup to 5fc1586abf

There are certain cases where the tos_url and privacy_policy_url
can end up with a "nil" value in the Discourse.urls_cache.

The cause of this is unclear, but it seems to behave differently
between doing this caching in the rails console and the running
server.

To avoid this we can just not store anything that looks like nil
in the cache; we can delete the cache keys entirely if we don't
need them anymore.
2023-11-09 10:33:38 +10:00
Andrei Prigorshnev be2eb3df44
FIX: user got notified about a mention inside a chat message quote (#24229)
When quoting a chat message in a post, if that message contains a mention, 
that mention should be ignored. But we've been detecting them and sending 
notifications to users. This PR fixes the problem. Since this fix is for 
the chat plugin, I had to introduce a new API for plugins:

    # We strip posts before detecting mentions, oneboxes, attachments etc. 
    # We strip those elements that shouldn't be detected. For example, 
    # a mention inside a quote should be ignored, so we strip it off. 
    # Using this API plugins can register their own post strippers. 
    def register_post_stripper(&block) 
    end
2023-11-08 23:13:25 +04:00
Blake Erickson 179abfca1a
DEV: Update gh workflow check-branches.yml (#24298)
Without this change the resulting comparison looks like

```
if [ tests-passed == "tests-passed" ]; then
```

and so it was always failing. This way the resulting base branch name will also be in quotes for the comparison.

Follow up to: #24273
2023-11-08 11:56:49 -07:00
Kris 6b6552fe45
DEV: remove wrapping `span` from discovery-above (#24297) 2023-11-08 13:53:08 -05:00
Jordan Vidrine 9d1e8265da
FEATURE: Add ability to hide modal header (#24290) 2023-11-08 12:15:35 -06:00
Blake Erickson 670692cfa9
DEV: Adds a GitHub workflow to check target branch (#24273)
* DEV: Adds a GitHub workflow to check target branch

Adds a GitHub workflow to check that the target branch for PRs in the
discourse-private-mirror repo isn't set to the tests-passed branch.

* Rename workflow
2023-11-08 10:34:20 -07:00
Bianca Nenciu 277496b6e0
FIX: Replace watched words with wildcards (#24279)
These have been broken since fd07c943ad
because watched words were not correctly transformed to regexps.
This partially reverts the changes.
2023-11-08 18:51:11 +02:00
Mark VanLandingham e3f8e9c0fb
DEV: Email notification filter plugin API (#24271) 2023-11-08 10:29:00 -06:00
Jarek Radosz daf7608905
DEV: Migrate reorder-categories to the new modal API (#24209) 2023-11-08 16:28:53 +01:00
Kris 1185458b17
UX: adjust bulk selection position to avoid edits (#24231) 2023-11-08 08:08:33 -06:00
Jordan Vidrine 5e3a54eb74
prettier (#24295) 2023-11-08 08:07:04 -06:00
Roman Rizzi 3c29a84d98
DEV: Add support for radar charts when displaying reports. (#24274)
Reports can have the radar type, which will get rendered by the `admin-report-radar` component.
2023-11-08 10:48:12 -03:00
chapoi fe0b0edf57
UX: Invite signup page styling + separation (#24293)
* UX: separate invite-signup styling

* UX: invite page centering

* remove old invites-show css

* UX: invite signup page – mobile

* remove class references in general file

* add styling for instructions
2023-11-08 12:57:06 +01:00
Godfrey Chan 82506096b7
DEV: remove trivial `{{action}}` usages (#24278)
This removes all trivial usages of the `{{action}}` keyword (the helper form, not the modifier form), where trivial means:

1. It's a co-located component (`.hbs` next to `.js`)
2. The JS file has a default export that is native class
3. `{{action "foo"}}` or `(action "foo")` with no extra arguments
4. There is a corresponding `foo()` method defined on the class (not inherited, etc)

There are more usages that are slightly more involved (with arguments, etc) that we can deal with, but this PR seems big enough so I just included the easiest cases here.

To aid review, each file is converted in an individual commit, and the matching method is temporarily annotated with `@__action__` instead of the normal `@action`. This forces a git diff when it is already annotated as `@action`.

* DEV: {{action}} -> @action admin-penalty-post-action.hbs
* DEV: {{action}} -> @action admin-report.hbs
* DEV: {{action}} -> @action admin-watched-word.hbs
* DEV: {{action}} -> @action emoji-value-list.hbs
* DEV: {{action}} -> @action bool.hbs
* DEV: {{action}} -> @action category.hbs
* DEV: {{action}} -> @action secret-value-list.hbs
* DEV: {{action}} -> @action category-list.hbs
* DEV: {{action}} -> @action color.hbs
* DEV: {{action}} -> @action compact-list.hbs
* DEV: {{action}} -> @action group-list.hbs
* DEV: {{action}} -> @action host-list.hbs
* DEV: {{action}} -> @action named-list.hbs
* DEV: {{action}} -> @action simple-list.hbs
* DEV: {{action}} -> @action tag-group-list.hbs
* DEV: {{action}} -> @action tag-list.hbs
* DEV: {{action}} -> @action value-list.hbs
* DEV: {{action}} -> @action watched-word-form.hbs
* DEV: {{action}} -> @action composer-messages.hbs
* DEV: {{action}} -> @action section.hbs
* DEV: {{action}} -> @action user-status-picker.hbs
* DEV: cleanup @__action__ -> @action
2023-11-08 10:53:06 +01:00
Martin Brennan 184f038cbf
FIX: Fix hashtag decoration on later pages of user activity stream (#24261)
Followup to 545e92039c

This commit fixes an issue where hashtags on user activity stream
items past page 1 did not get decorated. This is because of a bug
in the user stream component, where it was trying to get stream
items to decorate after the AJAX call but before they had been
rendered by Ember. This can be fixed by wrapping this decoration
logic in later() to run on the next runloop.
2023-11-08 14:34:03 +10:00
Martin Brennan 986fb522be
FEATURE: Add theme-components route for admin (#24264)
This commit adds an /admin/customize/theme-components route,
that opens the theme page with the components tab pre-selected,
so people can navigate to that directly.
2023-11-08 13:42:27 +10:00
Martin Brennan 0ef3836e0a
DEV: Add keywords for shared_drafts_allowed_groups (#24262)
Followup to b90b7ac705
2023-11-08 10:04:47 +10:00
Martin Brennan c2b143860a
Update plugin.rb metadata (#24213)
Co-authored-by: AlexDev <104522507+alexdevlaeminck@users.noreply.github.com>
2023-11-07 15:14:10 -08:00
Kris 096462b5b0
FIX: relocate `above-discovery-categories` outlet (#24287) 2023-11-07 17:29:44 -05:00
dependabot[bot] fcf0b725ed
Build(deps): Bump date from 3.3.3 to 3.3.4 (#24286)
Bumps [date](https://github.com/ruby/date) from 3.3.3 to 3.3.4.
- [Release notes](https://github.com/ruby/date/releases)
- [Commits](https://github.com/ruby/date/compare/v3.3.3...v3.3.4)

---
updated-dependencies:
- dependency-name: date
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-11-07 23:10:48 +01:00
dependabot[bot] 819db096b1
Build(deps): Bump base64 from 0.1.1 to 0.2.0 (#24285)
Bumps [base64](https://github.com/ruby/base64) from 0.1.1 to 0.2.0.
- [Release notes](https://github.com/ruby/base64/releases)
- [Commits](https://github.com/ruby/base64/compare/v0.1.1...v0.2.0)

---
updated-dependencies:
- dependency-name: base64
  dependency-type: indirect
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-11-07 22:54:43 +01:00
dependabot[bot] 4632f021bc
Build(deps): Bump cgi from 0.3.6 to 0.4.0 (#24284)
Bumps [cgi](https://github.com/ruby/cgi) from 0.3.6 to 0.4.0.
- [Release notes](https://github.com/ruby/cgi/releases)
- [Commits](https://github.com/ruby/cgi/compare/v0.3.6...v0.4.0)

---
updated-dependencies:
- dependency-name: cgi
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-11-07 22:54:08 +01:00