Commit Graph

7749 Commits

Author SHA1 Message Date
Jeff Wong a9d92f338e
SECURITY: make find topic by slug adhere to SiteSetting.detailed_404 (#9898) 2020-05-27 11:28:38 -07:00
Joffrey JAFFEUX 77801aa9be
FIX: allows to have custom emoji translation without static file (#9893) 2020-05-27 20:11:52 +02:00
Artem Vasiliev 12544c02c1
FIX: add X-Robots-Tag header for check_xhr-covered GET actions, too (#9868)
* FIX: add X-Robots-Tag header for check_xhr-covered GET actions, too

see https://meta.discourse.org/t/missing-x-robots-tag/152593/3 for context

* test: a spec making sure X-Robots-Tag header is present when needed

/groups path responds to anonymous requests and doesn't skip `check_xhr` method, so we can use it here.
2020-05-27 11:57:05 -04:00
Roman Rizzi 461df7d050
UX: Rename Priority to score for sorting. (#9846) 2020-05-27 12:50:28 -03:00
Blake Erickson da839e6d26 SECURITY: Use FinalDestination for topic embeds 2020-05-27 09:26:09 -06:00
Régis Hanol 2a4db15544 FIX: don't send digests to users with no primary email
It might happen that some User records have no associated primary emails.
In which case we don't ever want to send them a digest.

Also added a new "user_email_no_email" skipped email log to ensure these cases
are properly handled and surfaced.
2020-05-27 17:09:40 +02:00
Sam Saffron 5bfb6830c9
SECURITY: missing security check prior to redirect
In some rare cases, if a user knows the exact title of a topic
they could possibly determine that it really exists in the system
2020-05-27 10:58:22 +10:00
Krzysztof Kotlarek 34e5f0a9a3
Revert "FEATURE: notify admins about old credentials (#9854)" (#9886)
This reverts commit 349a67bee6.
2020-05-27 09:52:53 +10:00
Krzysztof Kotlarek 349a67bee6
FEATURE: notify admins about old credentials (#9854)
* FEATURE: notify admins about old credentials

Security and API keys should be renewed periodically.
This additional notification should help admins keep their Discourse safe and secure.
2020-05-27 08:13:47 +10:00
Penar Musaraj b1c726be0d
Remove support for FontAwesome 4.7 icon names (#9871) 2020-05-26 14:53:32 -04:00
Gerhard Schlager 69ee94b526 FIX: XML files could be detected as SVG files 2020-05-26 18:18:20 +02:00
Roman Rizzi b61a291cf3
FIX: returns false if the upload url is an invalid mailto link (#9877) 2020-05-26 10:32:48 -03:00
Bianca Nenciu f47400475e
FEATURE: Send a private message when a group membership is accepted (#9822)
* FEATURE: Send a private message when a group membership is accepted

* DEV: Small code improvements

* FIX: Send PM as group owner

* Copy edits
2020-05-26 16:28:03 +03:00
Osama Sayegh 2211581a85
FIX: Don't responde with error 500 if domain is invalid when adding automatic membership domain (#9655) 2020-05-26 15:40:09 +10:00
Arpit Jalan 5462fe9462
FIX: do not allow tag with name 'none' (#9867)
https://meta.discourse.org/t/none-tag-is-uneditable/152003
2020-05-26 08:15:45 +05:30
Sam Saffron fc97f7e0e7
FIX: properly ban non human users from draft system
Previously we had a partial fix in place where non human users
were not allowed draft sequences, this left edges around where non
human users asked for drafts yet had none.

For example system could already have a few drafts in place.

This also removes and extensibility point we added that is not in use
2020-05-26 10:07:09 +10:00
Vinoth Kannan 5fb9271878
DEV: ignore `flair_url` column in group model. (#9873) 2020-05-26 00:43:50 +05:30
Robin Ward fd2d7ca992 FIX: Email Styles were evaluated out of order
`yield` puts the content in the template right away unless explicitly
`capture`'d.
2020-05-25 12:47:23 -04:00
Arpit Jalan e8fb9d4066 FIX: when creating new PM username/groupname should be case-insensitive
(take 2)

https://meta.discourse.org/t/case-sensitivity-in-links-to-groupname/147596
https://meta.discourse.org/t/remove-case-sensitive-in-adding-users-to-a-message/151275
2020-05-25 21:34:05 +05:30
Arpit Jalan 302b37c805 Revert "FIX: when creating new PM username/groupname should be case-insensitive"
This reverts commit 2be79d94f5.

This is affecting multiple code path. Investigating.
2020-05-25 20:10:14 +05:30
Arpit Jalan 2be79d94f5 FIX: when creating new PM username/groupname should be case-insensitive
https://meta.discourse.org/t/case-sensitivity-in-links-to-groupname/147596
https://meta.discourse.org/t/remove-case-sensitive-in-adding-users-to-a-message/151275
2020-05-25 19:04:59 +05:30
Gerhard Schlager 631024ae5d FEATURE: Permalinks for tags 2020-05-25 14:51:01 +02:00
Vinoth Kannan 505122bb45 FIX: skip onceoff job for groups with invalid flair URL. 2020-05-25 13:11:00 +05:30
Sam Saffron c011b817b2
FIX: do not fallback to flair_url column
flair_url is not loaded by our query anymore so avoid falling back
to the old value
2020-05-25 16:25:42 +10:00
Vinoth Kannan 8e56197728
UX: use "icon-picker" & "image-uploader" fields to set group flair. (#9779) 2020-05-25 11:08:47 +05:30
Gerhard Schlager 13d5ccedf5 FIX: Destroying a user failed when it had title
...because updating the user caused a validation of the primary email and the UserEmail records are already deleted at that time.
2020-05-24 22:14:50 +02:00
Michael Brown d9a02d1336
Revert "Revert "Merge branch 'master' of https://github.com/discourse/discourse""
This reverts commit 20780a1eee.

* SECURITY: re-adds accidentally reverted commit:
  03d26cd6: ensure embed_url contains valid http(s) uri
* when the merge commit e62a85cf was reverted, git chose the 2660c2e2 parent to land on
  instead of the 03d26cd6 parent (which contains security fixes)
2020-05-23 00:56:13 -04:00
Jeff Atwood 20780a1eee Revert "Merge branch 'master' of https://github.com/discourse/discourse"
This reverts commit e62a85cf6f, reversing
changes made to 2660c2e21d.
2020-05-22 20:25:56 -07:00
Blake Erickson 03d26cd6f0 SECURITY: ensure embed_url contains valid http(s) uri 2020-05-22 14:54:56 -06:00
Roman Rizzi 671f882fa3
FIX: We don't create a Post object if the queued post gets rejected. We need to count review items directly. (#9856) 2020-05-22 11:50:28 -03:00
Arpit Jalan 61d8955fcb DEV: add spec for tag with unicode name 2020-05-22 14:42:22 +05:30
Martin Brennan f9d55b4941
FEATURE: Update the topic excerpt when the OP is rebaked (#9852)
* We now have a site setting "topic_excerpt_maxlength" that is used when the OP is created or revised to generate a topic excerpt.
* However, posts created before this setting was introduced cannot benefit from this change unless they are revised, and if the topic excerpt length setting is changed that situation is also not covererd.
* This PR makes a change to rebake! to update the topic excerpt IF the post is the OP.
2020-05-22 13:04:15 +10:00
Robin Ward d11c462104 SECURITY: ERB execution in custom Email Style 2020-05-21 14:48:30 -04:00
Guo Xiang Tan f4b82f1dc0
DEV: Fix randomly failing spec.
If a user is created with an id of 999, a `upload.user_id ==
user_avatar.user_id` will return true. This fix increases the id of the
upload to something that we will not hit in the foreseeable future.
2020-05-21 11:41:07 +08:00
Martin Brennan df68d11c38
FEATURE: Add topic excerpt max length site setting (#9847)
Adds a new topic_excerpt_maxlength site setting.

* When topic excerpt is requested for a post, use the new topic_excerpt_maxlength site setting to limit the size of the excerpt
* Remove code for getting/setting Post.excerpt_size as it is not used anywhere
2020-05-21 13:19:48 +10:00
Guo Xiang Tan 68db5deaec
FIX: Badge granter was disabled by default. 2020-05-21 06:55:22 +08:00
Robin Ward 096eca0ee8 FIX: Requests were not being logged correctly
`enable` was defaulting to `nil` which is not what we wanted.
2020-05-20 15:09:17 -04:00
Mark VanLandingham e1bd57007b
DEV: Specs for AboutController can_see_about_stats? impact (#9843) 2020-05-20 11:30:27 -05:00
Osama Sayegh 02f44def56
FIX: Don't blow up when trying to parse invalid or non-ASCII URLs (#9838)
* FIX: Don't blow up when trying to parseinvalid or non-ASCII URLs

Follow-up to 72f139191e
2020-05-20 12:46:27 +03:00
Bianca Nenciu fb15da43da
Remove old web hooks in favor of 'reviewable' web hook (#9776)
* FIX: Emit web hooks for flags

* FEATURE: Remove 'flag' web hook in favor of 'reviewable' web hook

* FEATURE: Remove 'queued post' web hook in favor of 'reviewable' web hook

* FIX: Do not set a default value for web hooks with no events
2020-05-20 12:07:48 +03:00
Martin Brennan 72f139191e
FIX: S3 store has_been_uploaded? was not taking into account s3 bucket path (#9810)
In some cases, between Discourse forums the hostname of a URL could match if they are hosting S3 files on the same bucket but the S3 bucket path might not. So e.g. https://testbucket.somesite.com/testpath/some/file/url.png vs https://testbucket.somesite.com/prodpath/some/file/url.png. So has_been_uploaded? was returning true for the second URL, even though it may have been uploaded on a different Discourse forum.

This is a very rare case but must be accounted for, because this impacts UrlHelper.is_local which mistakenly thinks the file has already been downloaded and thus allows the URL to be cooked, where we want to return the full URL to be downloaded using PullHotlinkedImages.
2020-05-20 10:40:38 +10:00
David Taylor e9f579bd3f
DEV: Clean up thumbnail tests correctly 2020-05-19 11:04:02 +01:00
David Taylor 725e38f9d7
DEV: Allow plugins to request topic thumbnail sizes (#9828)
In plugin.rb, you can register new sizes like

```
register_topic_thumbnail_size [512, 512]
```

For more information about thumbnails see 03818e642a
2020-05-19 10:38:58 +01:00
Guo Xiang Tan 96c02caba7
DEV: Change use of Redis `flushall` to `flushdb`.
FLUSHALL removes all keys from all databases. Instead we only want to
remove keys from the current Redis database.
2020-05-19 10:20:00 +08:00
Krzysztof Kotlarek f99f6ca111
FIX: randomize file name when created from fixtures (#9731)
* FIX: randomize file name when created from fixtures

When a temporary file is created from fixtures it should have a unique name.
It is to prevent a collision in parallel specs evaluation

* FIX: use /tmp/pid folder to keep fixture files
2020-05-19 09:09:36 +10:00
Gerhard Schlager 6d5e9db883 FIX: Restoring backup didn't clear cached translation overrides 2020-05-18 18:51:51 +02:00
Gerhard Schlager 27c611b1d1 FIX: Reverting multiple translation overrides didn't clear cache 2020-05-18 18:51:29 +02:00
David Taylor 96848b7649
UX: Allow secure media URLs to be cached for a short period of time
Signed S3 URLs are valid for 15 seconds, so we can safely allow the browser to cache them for 10 seconds. This should help with large numbers of requests when composing a post with many images.
2020-05-18 15:00:41 +01:00
Joffrey JAFFEUX 918bd75909
FIX: allows to remove a topic timer with delete_replies as type (#9800) 2020-05-18 11:47:08 +02:00
Guo Xiang Tan d01c336899
DEV: Clean up some Redis leaks in test env. 2020-05-18 17:27:37 +08:00