We currently make an AJAX request every time someone opens the hamburger menu, resulting in a forbidden response when a user can't see the review queue.
This commit ensures that email validation is skipped when the email is
obfuscated, that the email is no longer send when it is not an invite
link and no username is suggested if the email is hidden as it may
reveal the first part of the email.
Follow up to commit 033d6b6437.
* DEV: Use custom tags rather than handlebars server side
These will be skipped if they are ever rendered in a document. The
handlebars really messes stuff up.
* DEV: Build our own locale file for testing purposes
We can't practically proxy everything in test mode, but we can
approximate the logic and build our own locale file for testing purposes
that works quite well. This allows us to run tests without a proxy.
* DEV: Support for testem runner for ember cli tests
We previously included this option conditionally when users were replying
or creating a new topic while they had content already in the composer.
This makes the dialog always include three buttons:
- Close and discard
- Close and save draft for later
- Keed editing
This also changes how the backend notifies the frontend when there is
a current draft topic. This is now sent via the `has_topic_draft`
property in the current user serializer.
This PR allows invitations to be used when the DiscourseConnect SSO is enabled for a site (`enable_discourse_connect`) and local logins are disabled. Previously invites could not be accepted with SSO enabled simply because we did not have the code paths to handle that logic.
The invitation methods that are supported include:
* Inviting people to groups via email address
* Inviting people to topics via email address
* Using invitation links generated by the Invite Users UI in the /my/invited/pending route
The flow works like this:
1. User visits an invite URL
2. The normal invitation validations (redemptions/expiry) happen at that point
3. We store the invite key in a secure session
4. The user clicks "Accept Invitation and Continue" (see below)
5. The user is redirected to /session/sso then to the SSO provider URL then back to /session/sso_login
6. We retrieve the invite based on the invite key in secure session. We revalidate the invitation. We show an error to the user if it is not valid. An additional check here for invites with an email specified is to check the SSO email matches the invite email
7. If the invite is OK we create the user via the normal SSO methods
8. We redeem the invite and activate the user. We clear the invite key in secure session.
9. If the invite had a topic we redirect the user there, otherwise we redirect to /
Note that we decided for SSO-based invites the `must_approve_users` site setting is ignored, because the invite is a form of pre-approval, and because regular non-staff users cannot send out email invites or generally invite to the forum in this case.
Also deletes some group invite checks as per https://github.com/discourse/discourse/pull/12353
Highlight.js changed their default branch from master to main. This switches to the @highlightjs/cdn-assets package, thus sidestepping the problem. It's a slightly cleaner integration though (no need to build locally anymore).
We override the default replacements rule to no longer replace "(c)", "(p)", and "(p)". Additionally, we merged the custom arrows rule into the replacement function.
When syncing code elements, the inner text used to be escaped, which
rendered the actual HTML code instead. This commit overwrites default
parser settings to fix the way code tags are handled.
* UX: Move modal footer into better container
This commit moves the modal footer under the sign-up form for a more cohesive feel between the login + create account modals.
This is not a security issue because regular users are not allowed to insert FA icons anywhere in the app. Admins can insert icons via custom badges, but they do have the ability to create themes with JS.
Currently the process of adding a custom image to badge is quite clunky; you have to upload your image to a topic, and then copy the image URL and pasting it in a text field. Besides being clucky, if the topic or post that contains the image is deleted, the image will be garbage-collected in a few days and the badge will lose the image because the application is not that the image is referenced by a badge.
This commit improves that by adding a proper image uploader widget for badge images.
This commit extends functionality of the expired invites tab, making
it more similar to the pending tab. It also implements a different
layout for mobile.
Some git repos have a different ssh url scheme than github and we should
support them.
This change updates our regex format to account for repos that don't
start with "git", but are still valid ssh urls.
Also I added some tests to account for the various formats and to ensure
we don't show the public key when using https urls.
See: https://meta.discourse.org/t/182668
* FIX: Invite acceptance tests were broken in Ember CLI
They relied on old Ember behavior where the app does not boot until
`visit` is called and this is no longer true.
This refactors the test to DRY stuff up a bit, and modify the DOM where
necessary in `needs.hooks.beforeEach`.
* Update app/assets/javascripts/discourse/tests/acceptance/invite-accept-test.js
Co-authored-by: Jarek Radosz <jradosz@gmail.com>
Co-authored-by: Jarek Radosz <jradosz@gmail.com>
* UX: Add class to body on first unread notification
This commit adds `first-notification` class to the body element when there is a first unread notification. This will fix any issues with certain themes who use custom headers where z-index issues sometimes cause those custom headers to not be hidden by the transparent shadow over the page.
This commit ensures that "prioritize username in ux" setting is
respected in following places:
- user directory
- user summary
- badge detail
- group detail
Staff can send a post to the review queue by clicking the "Flag Post" button next to "Take Action...". Clicking it flags the post using the "Notify moderators" score type and hides it. A custom message will be sent to the user.
The recalculation of the `forceActive` function for the nav items was being run _before_ the querystring parameters are getting updated. For example for the Unassigned link:
```javascript
i.addNavigationBarItem({
name: "unassigned",
customFilter: (category) => {
return category && category.enable_unassigned_filter;
},
customHref: (category) => {
if (category) {
return getURL(category.url) + "/l/latest?status=open&assigned=nobody";
}
},
forceActive: (category, args, router) => {
const queryParams = router.currentRoute.queryParams;
return (
queryParams &&
Object.keys(queryParams).length === 2 &&
queryParams["assigned"] === "nobody" &&
queryParams["status"] === "open"
);
},
before: "top",
});
```
When forceActive is hit going from e.g.`http://localhost:3000/c/some-category/5/l/top` to `http://localhost:3000/c/some-category/5/l/latest?assigned=nobody&status=open` the `queryParams` are empty and the URL does not seem to change until after the transition and so `active` ends up being false in this `navigation-item` function which controls whether or not to do the highlight:
```javascript
@discourseComputed("content.filterType", "filterType", "content.active")
active(contentFilterType, filterType, active) {
if (active !== undefined) {
return active;
}
return contentFilterType === filterType;
},
```
Also sometimes this is not even recalculated, for example going from `http://localhost:3000/c/some-category/5/l/latest?status=open` to `http://localhost:3000/c/some-category/5/l/latest?assigned=nobody&status=open`. This PR fixes the issue where the query parameters changing was not forcing this recalculation. This was especially noticable in conjunction with https://github.com/discourse/discourse-loading-slider.
The title of Twitter oneboxes is always the name of the Twitter user,
which is not a descriptive topic title. Leave the title field blank so
that users must enter their own title.
By default our QUnit test runner starts automatically. This is normally
fine but for our `run-qunit.js` script we add a bunch of QUnit events
using `eval` and sometimes those events were added after the tests
already started/finished resulting in a hang.
This adds a new parameter that will cause QUnit not to run
automatically, which the runner uses, then triggers a `start()` when it
knows it's ready.
The signup boolean was being passed in the third _autoLogin argument, when it should have been the fourth. The third parameter to _autoLogin was optional, which is confusing. This commit cleans things up so both optional arguments are supplied via keywords.
Followup to cbef2ba151
Roman Rizzi
Dan Ungureanu
Osama Sayegh
Robin Ward
Penar Musaraj
Robert
Martin Brennan
jbrw
Joffrey JAFFEUX
Bianca Nenciu
Kris
Jordan Vidrine
Blake Erickson
Neil Lalonde
Rafael dos Santos Silva
Arpit Jalan
David Taylor