Commit Graph

2610 Commits

Author SHA1 Message Date
Sam b2187301fd FEATURE: allow users to easily track/watch/mute topics via email
If you reply to an email with the word "mute" a topic will be muted
If you reply to an email with the word "track" a topic will be tracked
If you reply to an email with the word "watch" a topic will be watched

These ninja command can help advanced mailing list ex-users, saves a trip
to the website
2019-03-06 18:38:49 +11:00
Tarek Khalil 7b78a1a2cd
FIX: anonymous user filtering bug in PostView (#7089)
* FIX: anonymous user filtering bug in PostView
2019-03-04 14:29:05 +00:00
Joffrey JAFFEUX 703c724cf3
REFACTOR: Migrate InstagramAuthenticator to use ManagedAuthenticator (#7081) 2019-03-04 14:54:28 +01:00
Joffrey JAFFEUX dc4001370c
FEATURE: displays groups in menu search (#7090) 2019-03-04 10:30:09 +01:00
David Taylor b907924c93 FIX: ManagedAuthenticator should automatically update last_used time 2019-02-27 15:29:26 +00:00
Dan Ungureanu f68a7a16a4 FIX: Use field name to name files in theme export. (#7009) 2019-02-27 10:45:22 +01:00
Maja Komel 3d9981ac5c FIX: strip invalid byte sequences 2019-02-26 10:09:51 +01:00
Robin Ward 45db98dd3e FIX: Heisentest - Stored uploads don't always start with 1X
This is a common pattern we see in tests. The `id` of the upload
is used to create the URL and we assume the `id` will always be
in a certain range which depends on the database.
2019-02-25 15:21:33 -05:00
Penar Musaraj 9bf11a7c02
FEATURE: Add localized timezone names (#7004)
Uses github.com/discourse/moment-timezone-names-translations to translate timezone names.
Plugins can also provide their own timezone name translations.
2019-02-25 14:40:02 -05:00
Sam 0a357299b7 FEATURE: add `f` and `t` search shortcuts for first post / title
Previously with had `in:title` and `in:first` search shortcuts for
searching in first post or title only. They are a bit of handful to type.

This add 2 shortcuts (t and f) for searching titles of first posts.

This commit also cleans up all advanced filters, they were not properly
regex terminated allowing for weird clauses like `in:firstinator` acting
the same as `in:first`
2019-02-25 10:55:24 +11:00
Régis Hanol 664e90bd17 FIX: ensure local images use local CDN when uploads are stored on S3
When the S3 store was enabled, we were only applying the S3 CDN.
So all images stored locally, like the emojis, were never put on the local CDN.

Fixed a bunch of CookedPostProcessor test by adding a call to 'optimize_urls'
in order to get final URLs.

I also removed the unnecessary PrettyText.add_s3_cdn method since this is already
handled in the CookedPostProcessor.
2019-02-20 19:24:38 +01:00
Dan Ungureanu 10dad7d013 FIX: Use CDN for optimized loading images. (#7006)
We missed a few spots in the cooked post processor where images where not loaded using CDN, causing
uneeded load and requests against the server
2019-02-20 13:55:08 +11:00
Guo Xiang Tan 4d31b425e3 DEV: Validity of distributed mutex configurable once per instance.
Follow up to 4f9e5e19c8.
2019-02-20 09:29:45 +08:00
Guo Xiang Tan f2efa0da66
DEV: Allow validity of lock to be customizable for `DistributedMutex`. (#7025)
- Allows a user to override the default lock validity of 60 seconds.
- Also clean up test which was leaking a redis key
2019-02-20 09:23:42 +08:00
Robin Ward 34b2157b8c FIX: Slow test (deadlock)
It was getting caught in a `DistributedMutex` deadlock (twice!), which
meant this test was taking 120s to run.

I'm not sure why queue jobs was turned off here, because when I turn it
on the test passes and takes <2s instead.
2019-02-19 12:31:23 -05:00
Vinoth Kannan 563b953224 DEV: Add 'backfill_etags_' to the method name since it also backfilling the etags 2019-02-19 21:54:35 +05:30
Gerhard Schlager 4799cf2811 FIX: moment_js locale files provided by plugins were ignored 2019-02-19 15:28:47 +01:00
Guo Xiang Tan 86a2172bda DEV: Fix heisentest.
Unpause sidekiq before clearning up all threads.
2019-02-19 08:21:51 +08:00
Vinoth Kannan 0472bd4adc FIX: Remove 'backfill_etags' keyword argument from 'uploads:missing' rake task
And etags backfilling code is optimized
2019-02-15 00:34:35 +05:30
Vinoth Kannan b5fbd7385f FIX: run the rake task only for uploads created before a day from inventory date 2019-02-14 17:53:08 +05:30
Vinoth Kannan f7d03b2406 Stop the automatic creation of inventory 'gz' file in fixtures 2019-02-14 14:25:45 +05:30
Guo Xiang Tan 53d592ad3b FIX: Add multisite support to Sidekiq::Pausable. (#6960)
Having a global Sidekiq pause switch is problematic because a site in
the cluster can pause Sidekiq for the entire cluster.
2019-02-14 12:22:40 +11:00
Vinoth Kannan 7b5931013a Update rake task to backfill etags from s3 inventory 2019-02-14 05:18:06 +05:30
Vinoth Kannan 1045bbc35b FIX: S3 inventory data can be splitted into multiple csv files 2019-02-14 03:41:52 +05:30
Penar Musaraj 5cef5b34ef DEV: Yarn-manage moment and moment-timezone libraries 2019-02-12 13:57:52 -05:00
Vinoth Kannan cc496de10e FIX: Remove double quotes from etag value in API response
https://github.com/aws/aws-sdk-ruby/issues/1134
2019-02-08 14:31:19 +05:30
Penar Musaraj 2a007bafa2 FEAT: Allow image resize by width or height
`|150x` resizes to 150px wide + auto-height. `x150` resizes to 150px tall and auto-width.

Resize value can be from 1 to 999 (incl. for percentages).
2019-02-07 15:04:39 -05:00
David Taylor f3cfce4a93
FEATURE: Calculate sprite-sheet based on currently active themes (#6973)
Previously there was only one sprite sheet, which always included icons from all themes even if they were disabled
2019-02-06 15:51:23 +00:00
Vinoth Kannan ff12c4b2d4 FIX: Bucket name is missing in S3 inventory data path 2019-02-06 19:16:08 +05:30
David Taylor a3b47c1dd1 FEATURE: Allow string theme settings to display with multiple lines
To use, add `textarea: true` to the theme settings.yml. For example:

```
my_setting:
  default: "some string"
  textarea: true
```
2019-02-05 14:14:53 +00:00
Bianca Nenciu 4f3ee86bbd FIX: in:title should work irrespective of the order. (#6968) 2019-02-05 10:54:52 +01:00
Penar Musaraj edcdbe1946 DEV: Restore textarea type for site settings
Currenty, no settings in core use this, but textareas will be useful in theme settings and plugins.
2019-02-04 15:41:58 -05:00
Vinoth Kannan b4f713ca52
FEATURE: Use amazon s3 inventory to manage upload stats (#6867) 2019-02-01 10:10:48 +05:30
Robin Ward 720e896e17 FIX: `PostActionCreator` was not checking the guardian properly
It also exposed a bug in the EmailReceiver spec, where a test had a user
liking their own post and was not failing.
2019-01-31 14:48:42 -05:00
David Taylor 886ba9dff9 DEV: Correct spec for theme export change 2019-01-31 17:52:03 +00:00
Penar Musaraj 421d47da1e FIX: user and group mentions in subfolder installs 2019-01-29 21:54:29 -05:00
Régis Hanol 51fdf7a11d FIX: don't duplicate attachments 2019-01-28 18:40:52 +01:00
David Taylor fb5c94246c DEV: Remove underscore from `learn_more` key in theme export
Follow up from 033cd4f3
2019-01-28 16:00:33 +00:00
David Taylor 033cd4f31d DEV: Include "_learn_more" key in theme `about.json`
This does not serve any technical purpose. It is there to provide a signpost for any user/developer that wants to know what to do with a theme archive.
2019-01-28 11:34:11 +00:00
David Taylor 99e0820c0b UX: Do not prepend `discourse` to theme filename if it's already there 2019-01-28 11:29:29 +00:00
Régis Hanol db76e5a368 FIX: properly handle attachments in received emails
This regressed in 1ac3e547 when we added support for eml attachments.
2019-01-25 19:13:34 +01:00
David Taylor 2e48c43546 FIX: Fix safe mode regression
Follow up from a48731e
2019-01-25 17:00:30 +00:00
David Taylor a48731e359
FEATURE: Support additional metadata in theme about.json (#6944)
New `about.json` fields (all optional):
 - `authors`: An arbitrary string describing the theme authors
 - `theme_version`: An arbitrary string describing the theme version
 - `minimum_discourse_version`: Theme will be auto-disabled for lower versions. Must be a valid version descriptor.
 - `maximum_discourse_version`: Theme will be auto-disabled for lower versions. Must be a valid version descriptor.

A localized description for a theme can be provided in the language files under the `theme_metadata.description` key

The admin UI has been re-arranged to display this new information, and give more prominence to the remote theme options.
2019-01-25 14:19:01 +00:00
Arpit Jalan fabeba788d
FIX: allow sending PMs to staff via flag even when PMs are disabled (#6938)
* FIX: allow sending PMs to staff via flag even when PMs are disabled
FIX: allow sending PMs to staff via flag even if the user trust level is insufficient

* Update lib/topic_creator.rb

Co-Authored-By: techAPJ <arpit@techapj.com>
2019-01-24 16:56:59 +05:30
David Taylor afd449089f
FEATURE: Import and export themes in a .tar.gz format (#6916) 2019-01-23 14:40:21 +00:00
Guo Xiang Tan 2fe9617dc1 Fix rubocop. 2019-01-22 18:37:55 +08:00
Guo Xiang Tan d32900292d FIX: Don't update `User#last_seen_at` when PG is in readonly take 3. 2019-01-22 18:07:48 +08:00
Guo Xiang Tan f6f2c38183 FIX: Fallback Redis by checking status on master instead of slave. 2019-01-22 12:38:12 +08:00
Guo Xiang Tan b0adffdef5 FIX: Clear anon cache when clearing recently readonly. 2019-01-22 09:53:04 +08:00
Vinoth Kannan 0cf8f10158 SPEC: Use I18n translation instead of using raw text 2019-01-21 20:21:09 +05:30
Guo Xiang Tan 426907cb88 FIX: Incorrect subscription in `PostgreSQLFallbackHandler`. 2019-01-21 17:39:31 +08:00
Vinoth Kannan c5dd4bf5dc fix the build
Use whitespace after code block start for single word languages
2019-01-21 15:04:18 +05:30
Guo Xiang Tan 3c6a8a2bb1 Partially revert 4466fcf1bc. 2019-01-21 15:41:01 +08:00
Vinoth Kannan 9cf4013073 Add raw post content in "flagged post removed by staff" PM 2019-01-21 12:27:23 +05:30
Guo Xiang Tan 4466fcf1bc FIX: Don't update `User#last_seen_at` when PG is readonly take 2. 2019-01-21 13:49:08 +08:00
Guo Xiang Tan c732ae9ca9 FIX: Don't update `User#last_seen_at` when PG is in readonly. 2019-01-21 13:29:29 +08:00
Bianca Nenciu b9b5527c63 DEV: Remove Job stub. 2019-01-18 17:35:45 +02:00
Sam a7628c1d74 FIX: use ordered_posts for last post check, not the posts relation
The `posts` relation on `Topic` is not ordered. Using `Topic.posts.first`
is basically the same as asking for a random post, it will depend on DB
order. This breaks on Topic merge and split for example.

Additionally, a huge problem with that is that it forces active record down
a slow path. `Topic.posts.first` is extremely slow on giant topics, since
it has no default ordering it appears AR materializes the entire set prior
to doing `first`.

This commit also illustrates the importance of testing, initially I only
fixed the second instance of the problem in `post_validator.rb` but testing
revealed that the problem was repeated at the top of the file.

Longer term we should consider a larger change of default ordering the posts
relations so people do not fall down this trap anymore.
2019-01-18 13:18:40 +11:00
Bianca Nenciu 7d84648d11 FEATURE: Remove full quotes only from new posts. (#6862) 2019-01-17 13:24:32 +11:00
Robin Ward bee68bba2e FIX: Heisentest
We use the `id` of the upload to calculate a `depth` partition in the
filename. This test would fail if your database had a higher seed
because the depth it was looking for was hard coded to 1.

The solution was to not save the records (which is faster anyway) and
specify the `id` of the upload to make the hash deterministic.
2019-01-16 15:01:50 -05:00
Guo Xiang Tan 51b19e945c DEV: Stablize the multisite tests.
SiteSettingExtension triggers message bus which re-establishes a
DB connection in `SiteSettingExtension#process_message`. That happens
concurrently and a test that requires a connection to the db will
fail when the reconnection is happening.
2019-01-16 10:29:36 +08:00
Guo Xiang Tan ec58c33e9e DEV: Improve postgresql fallover and multisite tests. 2019-01-15 12:52:45 +08:00
Arpit Jalan a121d40771
FIX: do not show PM topics when moving posts to an existing public topic (#6876) 2019-01-14 15:00:45 +05:30
Vinoth Kannan f94c0283b2
FIX: Use correct version when generating file path for optimized image (#6871) 2019-01-11 18:35:38 +05:30
Sam 35b59cfa78 SECURITY: escape title HTML for inline onebox 2019-01-10 12:02:05 +11:00
Guo Xiang Tan ec27db78be FIX: Set unique post key for a user outside of transaction.
Previously, the Redis key was set within the transaction and the key
isn't deleted if the transaction is not successful.

Note that this isn't tested because we don't have a repro of what can
raise an error within the transaction.

https://meta.discourse.org/t/body-is-too-similar-to-what-you-previously-posted-even-when-previous-post-didnt-go-through/105436
2019-01-08 15:22:22 +08:00
Robin Ward 5eaf3cb104 Adjusts the `minimum_flag_threshold` for TL3/TL4 actions
Before this patch, a high trust level user could flag something
and have an action be taken, as well as skipping the flag queue.

Now, if a TL3/TL4 cause an action, the flag will skip the minimum
visibility check and allow staff to review it.
2019-01-04 13:16:44 -05:00
Vinoth Kannan 75dbb98cca FEATURE: Add S3 etag value to uploads table (#6795) 2019-01-04 14:16:22 +08:00
Guo Xiang Tan c666ef556d Fix the build.
Ref 570877da3c
2019-01-03 15:34:39 +08:00
Guo Xiang Tan 38ded77e16 FIX: Make test less fragile. 2019-01-02 16:33:50 +08:00
Sam Saffron 69aa8f18c2 FEATURE: allow for custom excerpt BBCODE
This allows fidelity in controlling excerpt (text that shows up when you pin a topic or link to it externally):

```
I am some text

[excerpt]
This is some **custom** markdown that should be the excerpt
[/excerpt]

More text
```

Previous solution relied on DIVs, unfortunately DIVs do not play well,
by design with mixing markdown unless you have a preceding newline eg:

```
<div class='hello'>

this will be treated properly as markdown

</div>
```

This extra newline is not desirable.

I am also considering adding

```
[div class=excerpt]
[/div]
```

This would offer lots of flexibility to themes and plugins that do not want the extra annoying newline.
2018-12-25 17:02:28 +02:00
Guo Xiang Tan 2cbb513c98 FIX: Don't use `Redis#keys` in production.
As per the documentation for KEYS

```
Warning: consider KEYS as a command that should only be used in production environments with extreme care. It may ruin performance when it is executed against large databases. This command is intended for debugging and special operations, such as changing your keyspace layout.
```

Instead SCAN

```
Since these commands allow for incremental iteration, returning only a small number of elements per call, they can be used in production without the downside of commands like KEYS or SMEMBERS that may block the server for a long time (even several seconds) when called against big collections of keys or elements.
```
2018-12-25 15:12:59 +02:00
Arpit Jalan 1e2b81991f fix the build 2018-12-25 10:27:51 +05:30
David Taylor 7feabd9e49 PERF: Eradicate N+1 queries from the theme admin page 2018-12-21 11:03:58 +02:00
Guo Xiang Tan b64d760bb3 DEV: Improve tests to assert that the right HTML is generated. 2018-12-20 07:14:32 +08:00
Bianca Nenciu 2eefe6d5d6 FIX: Use CDN for logos and icons. (#6698) 2018-12-19 10:20:48 +01:00
Arpit Jalan 1ab91f0474 FIX: preserve github fragment URL 2018-12-19 12:34:47 +05:30
Robin Ward 662cfc416b FEATURE: Show a blurry preview when lazy loading images
This generates a 10x10 PNG thumbnail for each lightboxed image.
If Image Lazy Loading is enabled (IntersectionObserver API) then
we'll load the low res version when offscreen. As the image scrolls
in we'll swap it for the high res version.

We use a WeakMap to track the old image attributes. It's much less
memory than storing them as `data-*` attributes and swapping them
back and forth all the time.
2018-12-19 01:57:30 +08:00
Rishabh c279792130 FIX: Allow sending test e-mails to any email address when disable_email is set to non-staff (#6792) 2018-12-18 16:12:05 +01:00
Bianca Nenciu 825ae86857 FEATURE: Remove full quote only if first paragraph. (#6793) 2018-12-18 15:46:20 +01:00
Gerhard Schlager 577af81e76 FIX: Font tag resulted in wrong email trimming 2018-12-18 11:40:54 +01:00
Gerhard Schlager 37461a6398 FIX: Weird mixture of line breaks resulted in wrong email trimming 2018-12-18 11:40:54 +01:00
Guo Xiang Tan 5c2e194d01 SECURITY: Users can pick non-avatar uploads.
https://meta.discourse.org/t/bug-report-idor-on-avatar-pick-function-discussions-udacity-com/103564
2018-12-18 13:38:25 +08:00
Guo Xiang Tan 899caf35ba Revert "SECURITY: User could non-avatar uploads."
This reverts commit 89581fa301.
2018-12-18 13:37:31 +08:00
Guo Xiang Tan 89581fa301 SECURITY: User could non-avatar uploads.
https://meta.discourse.org/t/bug-report-idor-on-avatar-pick-function-discussions-udacity-com/103564
2018-12-18 13:35:33 +08:00
Guo Xiang Tan d7660dfe40 FIX: Enabling readonly mode should clear anon cache as well. 2018-12-18 11:56:25 +08:00
Vinoth Kannan efcea148eb DEV: Use destroy! method to raise error if any (#0d3c1cde) 2018-12-18 03:05:43 +05:30
Guo Xiang Tan c0aae16f6b FIX: Clear anon cache when disabling readonly mode.
`SiteSerializer#is_readonly` is cached for an anonymous user so we have
to clear the cache when disabling readonly mode. Otherwise, the site may
appear to be in readonly mode for an extended period of time.
2018-12-17 17:27:44 +08:00
Vinoth Kannan 0d3c1cde90 FIX: Use find_by_id method to prevent record not found exception 2018-12-15 03:19:45 +05:30
Maja Komel 73c776d881 Update wizard updater spec (dbbadb5c follow-up) 2018-12-13 11:20:01 +01:00
Sam 94b8ba4f8f FIX: remove slow platform detection from server side
Historically due to https://meta.discourse.org/t/why-is-discourse-so-slow-on-android/8823
we decreased page sizes of both home page and topic page on android by half.

This was done on the server side and as a side effect and caused page sizes on android
to mismatch between Android and non Android.

Unfortunately about a year ago googlebot started pretending it is Android,
this cause Google to start indexing pages as what android would see. So
it saw double the amount of pages in the index as what exists on desktop.
This in turn caused double the amount of indexing work and a large amount
of broken links on long topics.

This fix removes all special behavior which is no longer needed due to
other performance work in Discourse including raw handlebars on home page
and virtual dom on topic pages.

I tested we do not need this on Blu Advance 5.0 it has 1.3 GHZ mediatec mt6580
This phone retails for around $50 USD.

If we decide long term that we want any hacks like this we will shift them
to the client side. It can just hold data in memory without rendering.
2018-12-13 13:57:05 +11:00
Bianca Nenciu 7cac04e1a8 * FEATURE: Adds site setting to let quotes on direct replies.
* DEV: Added test.
* FIX: Do not bump topic when removing full quotes.
2018-12-12 15:42:53 +01:00
David Taylor 3fedb2ad20 DEV: Style and performance improvements
Follow-up from 9db8291
2018-12-11 09:58:20 +00:00
Sam 671469bcc7 FIX: URLs containing two # would fail to work
Some URLs in browsers are non compliant and contain twos `#` this commit adds
special handling for this edge case by auto encoding any fragments containing `#`
2018-12-11 18:03:13 +11:00
David Taylor 9db829134c
FIX: Use database to persist metadata during social registration (#6750)
Previously was using the cookie_store, which is limited to 4kb. This caused issues for providers sending large volumes of metadata about a user.
2018-12-10 15:10:06 +00:00
Sam 502a0fe778 FIX: support connecting GitHub with existing accounts 2018-12-10 09:27:00 +11:00
David Taylor 160d29b18a
REFACTOR: Migrate TwitterAuthenticator to use ManagedAuthenticator (#6739)
No changes to functionality. TwitterAuthenticator goes from 136 lines to 24, and all twitter-specific logic elsewhere has been deleted 🎉
2018-12-07 15:39:06 +00:00
David Taylor 86f8734bc0 FIX: Prioritize explicit 'connect' over matching by email
This is an edge case that was previously handled by TwitterAuthenticator, but not FacebookAuthenticator.
2018-12-07 15:05:51 +00:00
David Taylor 3cad3f9df1 DEV: Add profile fetching support to `ManagedAuthenticator` 2018-12-07 15:05:51 +00:00
David Taylor 6c71395bf6
FIX: Only hide shared draft topics from `latest` (#6737)
Previously we were hiding them from all topic lists, which can result in
topics being "stuck" in an unread state with no easy way to clear them.
2018-12-07 12:44:23 +00:00
Bianca Nenciu 41e184280d FEATURE: Remove full quotes of direct replies. (#6729) 2018-12-07 13:07:11 +01:00
David Taylor 5e09398c5b
FIX: Do not serialize user fields unless they are specified for display (#6736) 2018-12-07 10:57:28 +00:00
David Taylor 0b1d660876
UX: Make shared drafts behaviour consistent for non-staff users (#6734)
This makes it easier to diagnose the problem when a public category
is set as the 'shared drafts category'. Doing this is not recommended.
2018-12-06 18:59:29 +00:00
David Taylor e8f32dd3ba DEV: Fix extremely rare test failure
If this was the first test to run, the Fabricate(:user) would be given
the same ID as the Fabricate.build(:user, id: 1). This works around it.
2018-12-06 13:32:56 +00:00
Xiao Guan 7ec124fc89 FEATURE: Improved deprecation warnings (#6722)
* FEATURE: Discourse.deprecate can report version

* Ember counterpart for deprecation
2018-12-06 11:38:01 +00:00
Guo Xiang Tan 978f0db109 SECURITY: Require groups to be given when inviting to a restricted category. (#6715) 2018-12-05 16:43:07 +01:00
David Taylor e117deb2ba FIX: Improve avatar loading, and add tests
Follow-up from 4e2cc9c
2018-12-04 15:09:32 +00:00
Régis Hanol 3c9c95ac83 Update Rubocop to 0.60 2018-12-04 10:48:16 +01:00
Sam 5c17e46274 FEATURE: allow advanced specification of excerpts for posts
Previously users could control excerpt with `<span class='excerpt'>`
in Markdown, this is somewhat limited for plugins that need to define this
across a section. This adds support for DIV as well
2018-12-04 15:13:34 +11:00
David Taylor 9248ad1905 DEV: Enable `Style/SingleLineMethods` and `Style/Semicolon` in Rubocop (#6717) 2018-12-04 11:48:13 +08:00
Bianca Nenciu 1a4676c6e0 FIX: Fixed tests. (#6716) 2018-12-03 17:03:11 +01:00
Penar Musaraj f8e6a37858 FIX: raise exception when getting dimensions of missing image
- follow-up on 0eacd45ab1
2018-12-03 10:19:49 -05:00
Bianca Nenciu 3f8fa4ad4e FEATURE: Do not check consecutive replies for original poster. (#6714) 2018-12-03 02:32:29 -08:00
Maja Komel 6121d11187 FIX: make staff_edit_locks_post work with download_remote_images_to_local 2018-12-03 14:14:59 +11:00
Maja Komel 1073634271 FIX: show generic title when quoting off-topic secure category posts 2018-12-03 09:42:32 +11:00
David Taylor 4e010382cc REFACTOR: Initialize auth providers after `plugin.activate!`
Also added some helpful functionality for plugin developers:
- Raises RuntimeException if the auth provider has been registered too late
- Logs use of deprecated parameters
2018-11-30 16:58:18 +00:00
Kyle Zhao 488fba3c5f
FEATURE: allow plugins and themes to extend the default CSP (#6704)
* FEATURE: allow plugins and themes to extend the default CSP

For plugins:

```
extend_content_security_policy(
  script_src: ['https://domain.com/script.js', 'https://your-cdn.com/'],
  style_src: ['https://domain.com/style.css']
)
```

For themes and components:

```
extend_content_security_policy:
  type: list
  default: "script_src:https://domain.com/|style_src:https://domain.com"
```

* clear CSP base url before each test

we have a test that stubs `Rails.env.development?` to true

* Only allow extending directives that core includes, for now
2018-11-30 09:51:45 -05:00
David Taylor 208005f9c9 REFACTOR: Migrate FacebookAuthenticator to use ManagedAuthenticator
Changes to functionality
  - Removed syncing of user metadata including gender, location etc.
    These are no longer available to standard Facebook applications.
  - Removed the remote 'revoke' functionality. No other providers have
    it, and it does not appear to be standard practice in other apps.
  - The 'facebook_no_email' event is no longer logged. The system can
    cope fine with a missing email address.

Data is migrated to the new user_associated_accounts table.
facebook_user_infos can be dropped once we are confident the data has
been migrated successfully.
2018-11-30 11:18:11 +00:00
David Taylor 534e1b1b18 DEV: Introduce Auth::ManagedAuthenticator
A generic implementation of Auth::Authenticator which stores data in the
new UserAssociatedAccount model. This should help significantly reduce the duplicated
logic across different auth providers.
2018-11-30 11:18:11 +00:00
Vinoth Kannan fc0b7c9e26 FIX: incoming email matches the wrong user if null bounce key available in db 2018-11-30 12:29:51 +05:30
Penar Musaraj ad665b901a FIX: Refactor commit a8c3ca, add test 2018-11-29 19:12:00 -05:00
Penar Musaraj 0eacd45ab1 FIX: refactor ImageSizer.resize
reverts 140d9c2
2018-11-29 15:28:45 -05:00
Arpit Jalan 40f10855c6
FIX: defer flags (only) when handling a flag and deleting replies (#6702) 2018-11-29 22:44:18 +05:30
Bianca Nenciu ddd260941e FIX: Fix query selecting users not accepting PMs. 2018-11-29 15:59:30 +08:00
Guo Xiang Tan 56034c733a UX: Strip class when link is not oneboxed due to site setting limits. 2018-11-29 14:33:01 +08:00
Drew Stephens 3ae4c9ab6d Suppress tar(1)'s output (#6694) 2018-11-28 17:32:19 +01:00
Vinoth Kannan bfb3c4d9f9 DEV: create bounce alert earlier if email_log detected from bounce_key 2018-11-28 21:13:06 +05:30
Vinoth Kannan 25253dec56 FIX: Get email address from email_log if bounced with verp
We can not access mail.final_recipient attr if it bounced with verp
2018-11-28 19:04:09 +05:30
Arpit Jalan 851ef14096 Revert "FIX: do not agree flags by default when deleting posts"
This reverts commit cb6fc8057b.
2018-11-28 10:21:11 +05:30
Vinoth Kannan 7dbf709467 FIX: create whisper post in PMs when bounces with verp and user is staged 2018-11-28 08:24:23 +05:30
Guo Xiang Tan a1e77aa2ed
FEATURE: Reimplement `SiteSetting.max_oneboxes_per_post`. (#6668)
Previously, the site setting was only effective on the client side of
things. Once the site setting was been reached, all oneboxes are not
rendered. This commit changes it such that the site setting is respected
both on the client and server side. The first N oneboxes are rendered and
once the limit has been reached, subsequent oneboxes will not be
rendered.
2018-11-27 16:00:31 +08:00
Arpit Jalan 6cb49cd42c
Merge pull request #6671 from techAPJ/destroy-posts-flags
FIX: do not agree flags by default when deleting posts
2018-11-27 11:27:23 +05:30
Arpit Jalan cb6fc8057b FIX: do not agree flags by default when deleting posts 2018-11-27 10:57:20 +05:30
Guo Xiang Tan 68bef91dd6 DEV: Minor clean up of specs. 2018-11-27 13:09:58 +08:00
Penar Musaraj 03deda2147
Upgrade to FontAwesome 5 (take two) (#6673)
* Add missing icons to set

* Revert FA5 revert

 This reverts commit 42572ff

* use new SVG syntax in locales

* Noscript page changes (remove login button, center "powered by" footer text)

* Cast wider net for SVG icons in settings

- include any _icon setting for SVG registry (offers better support for plugin settings)

- let themes store multiple pipe-delimited icons in a setting

- also replaces broken onebox image icon with SVG reference in cooked post processor

* interpolate icons in locales

* Fix composer whisper icon alignment

* Add support for stacked icons

* SECURITY: enforce hostname to match discourse hostname

This ensures that the hostname rails uses for various helpers always matches
the Discourse hostname

* load SVG sprite with pre-initializers

* FIX: enable caching on SVG sprites

* PERF: use JSONP for SVG sprites so they are served from CDN

This avoids needing to deal with CORS for loading of the SVG

Note, added the svg- prefix to the filename so we can quickly tell in
dev tools what the file is

* Add missing SVG sprite JSONP script to CSP

* Upgrade to FA 5.5.0

* Add support for all FA4.7 icons

- adds complete frontend and backend for renamed FA4.7 icons

- improves performance of SvgSprite.bundle and SvgSprite.all_icons

* Fix group avatar flair preview

- adds an endpoint at /svg-sprites/search/:keyword

- adds frontend ajax call that pulls icon in avatar flair preview even when it is not in subset

* Remove FA 4.7 font files
2018-11-26 16:49:57 -05:00
Vinoth Kannan cedd2118c4
FEATURE: If PM email bounced for staged user then alert in whisper reply (#6648) 2018-11-27 00:29:37 +05:30
David Taylor afcf149c34 FIX: Fix mentions for mixed case group names 2018-11-26 15:34:56 +00:00
Guo Xiang Tan 482013a1d4 FIX: Group mentions missing after post processing. 2018-11-26 12:57:07 +08:00
Guo Xiang Tan 57e2f4990d
PERF: Move processing of inline onebox out of V8 context. (#6658) 2018-11-26 09:21:38 +08:00
Bianca Nenciu 172b3bf4d3 FIX: Fix broken theme field URLs. (#6622) 2018-11-23 16:11:05 +01:00
Gerhard Schlager 2ef16e9f4e FIX: Failed to delete post belonging to non-existent topic 2018-11-22 15:08:37 +01:00
Guo Xiang Tan 28a6cf8228 FIX: Mention lookup should be case insensitive. 2018-11-22 16:32:56 +08:00
Guo Xiang Tan 3f636b2d19 FIX: Check whether group is mentionable by user when cooking post. 2018-11-22 16:16:33 +08:00
Guo Xiang Tan 672e95bcb4 FIX: Staged users should not be mentionable. 2018-11-22 15:00:46 +08:00
Guo Xiang Tan c5a70eca6e
PERF: Move mention lookups out of the V8 context. (#6640)
We were looking up each mention one by one without any form of caching and that results
in a problem somewhat similar to an N+1. When we have to do alot of DB
lookups, it also increased the time spent in the V8 context which may
eventually lead to a timeout. The change here makes it such that mention lookups only does a single
DB query per post that happens outside of the V8 context.
2018-11-22 14:28:48 +08:00
Guo Xiang Tan 596e09aaf9 FIX: Wizard icons step fields have incorrect values.
https://meta.discourse.org/t/is-the-wizard-supposed-to-not-let-you-skip-adding-icons/102417
2018-11-22 14:19:36 +08:00
Gerhard Schlager c376670bd2 FIX: a search term containing '& could lead to errors
This also makes sure that the search term in front or after special characters isn't ignored.
2018-11-21 22:07:56 +01:00
Kyle E. Mitchell 15e793fd3b FEATURE: Terms of Service v1.0.0
Co-authored-by: Gerhard Schlager <mail@gerhard-schlager.at>
2018-11-21 00:45:16 +01:00
Rishabh eacbe28f55 FIX: Skip gsub for normalizing whitespaces when text is nil (#6631) 2018-11-20 09:12:32 +01:00
Régis Hanol 4459665dee
REFACTOR: use tables instead of custom fields for polls (#6359)
Co-authored-by: Guo Xiang Tan <tgx_world@hotmail.com>
2018-11-19 14:50:00 +01:00