4382fb5fac
DEV: Allow plugins to whitelist specific user custom_fields for editing ( #6358 )
2018-09-04 20:45:36 +10:00
f5e0356fb2
correct miscellaneous issues with user login history
2018-09-02 17:24:54 +10:00
931cffcebe
FEATURE: Let users see their user auth tokens. ( #6313 )
2018-08-31 10:18:06 +02:00
103509b9dd
SECURITY: Prevent users from modifying custom fields
2018-08-30 12:59:36 +01:00
9bf4333491
FIX: redirect to wrong URL after account creation on subfolder install
2018-08-24 10:34:44 -04:00
6f6b4ff988
regression: don't return from a block
...
also clean up some warnings (shadowed var, unused var)
2018-08-10 14:53:55 +10:00
812add18bd
REFACTOR: Serve auth provider information in the site serializer.
...
At the moment core providers are hard-coded in Javascript, and plugin providers get added to the JS payload at compile time. This refactor means that we only ship enabled providers to the client.
2018-08-06 09:25:48 +01:00
eda1462b3b
FEATURE: List, revoke and reconnect associated accounts. Phase 1 ( #6099 )
...
Listing connections is supported for all built-in auth providers. Revoke and reconnect is currently only implemented for Facebook.
2018-07-23 16:51:57 +01:00
6d6e026e3c
FEATURE: selectable avatars
2018-07-18 12:57:43 +02:00
f3868fd646
FIX: Create empty user_avatar row if not exist
2018-07-16 14:06:49 +05:30
21ebb1cd54
FEATURE: Secondary emails support.
2018-07-16 11:09:49 +08:00
decf1f27cf
FEATURE: Groundwork for user-selectable theme components
...
* Phase 0 for user-selectable theme components
- Drops `key` column from the `themes` table
- Drops `theme_key` column from the `user_options` table
- Adds `theme_ids` (array of ints default []) column to the `user_options` table and migrates data from `theme_key` to the new column.
- Removes the `default_theme_key` site setting and adds `default_theme_id` instead.
- Replaces `theme_key` cookie with a new one called `theme_ids`
- no longer need Theme.settings_for_client
2018-07-12 14:18:21 +10:00
ec3e6a81a4
FEATURE: Second factor backup
2018-06-28 10:12:32 +02:00
ad5082d969
Make rubocop happy again.
2018-06-07 13:28:18 +08:00
95f9b72351
FIX: Update activation email route was returning a generic json error.
2018-05-31 14:19:43 +08:00
449399bef3
return 403 forbidden when local logins disabled
2018-05-26 05:18:19 +03:00
be6404d651
FIX: redirect users after signing up with a social login when using SSO provider
2018-05-13 16:03:11 +02:00
09cf35c760
FIX: redirect users after signing up using SSO provider
2018-05-12 00:41:27 +02:00
abda21a41f
Revert "FIX: redirect to sso_destination_url after account activation"
...
This reverts commit 0402e97368
2018-05-11 22:55:45 +02:00
0402e97368
FIX: redirect to sso_destination_url after account activation
2018-05-11 19:57:04 +02:00
bd77795d7a
REFACTOR: move support for user card badge images to a plugin discourse-user-card-badges
2018-04-26 13:25:24 -04:00
185d6ac747
FIX: use safe navigation operator when checking for totp_enabled
2018-04-09 12:33:41 +05:30
73c1d3e7fe
FIX: tag notification preferences were being cleared when other preferences were changed
2018-03-29 15:08:32 -04:00
7a4b70ef58
UX cleanup changes to 2FA flow.
2018-03-23 11:05:36 +08:00
939180efa8
FIX: Missing 2FA guards when sso is enabled or when local login is disabled.
2018-03-02 10:39:10 +08:00
964624f3ab
FIX: No error displayed when 2FA token is invalid on admin login page.
2018-02-22 09:45:57 +08:00
14f3594f9f
Review Changes for f4f8a293e7.
2018-02-21 14:55:49 +08:00
f4f8a293e7
FEATURE: Implement 2factor login TOTP
...
implemented review items.
Blocking previous codes - valid 2-factor auth tokens can only be authenticated once/30 seconds.
I played with updating the “last used” any time the token was attempted but that seemed to be overkill, and frustrating as to why a token would fail.
Translatable texts.
Move second factor logic to a helper class.
Move second factor specific controller endpoints to its own controller.
Move serialization logic for 2-factor details in admin user views.
Add a login ember component for de-duplication
Fix up code formatting
Change verbiage of google authenticator
add controller tests:
second factor controller tests
change email tests
change password tests
admin login tests
add qunit tests - password reset, preferences
fix: check for 2factor on change email controller
fix: email controller - only show second factor errors on attempt
fix: check against 'true' to enable second factor.
Add modal for explaining what 2fa with links to Google Authenticator/FreeOTP
add two factor to email signin link
rate limit if second factor token present
add rate limiter test for second factor attempts
2018-02-21 09:04:07 +08:00
02093ecbdd
Extensibility: Allow plugins to munge user params
2018-02-16 19:12:02 -05:00
96e5a7da46
Prefer `success_Json` over custom success JSON payload.
2018-02-15 07:47:35 +08:00
03b3e57a44
FEATURE: login by a link from email
...
Co-authored-by: tgxworld <tgx@discourse.org>
2018-02-13 16:14:39 +08:00
b34b1b6fe3
FIX: invite to message was not allowing groups
...
Previously we were incorrectly checking mentionable instead of messageable
Also fix edge case where multiple groups sharing a name mean that exact match override is not working
Also cleans up params sent to user selector
2018-02-13 13:28:46 +11:00
41986cdb2f
Refactor requires login logic, reduce duplicate code
...
This also corrects the positioning in the chain of the check
and removes misuse of prepend_before_action
2018-02-01 15:17:59 +11:00
f2e7b74d88
FIX: don't return 200s when login is required to paths
...
When running `ensure_login_required` it should always happen prior to
`check_xhr` cause check xhr will trigger a 200 response
2018-02-01 12:26:45 +11:00
2d340d1122
FIX: Don't allow username update via update route
...
It's not using the UsernameChanger
2018-01-26 16:53:43 -05:00
dde0fcc658
FEATURE: Allow sending invites to staged users
2018-01-22 15:37:18 +01:00
f74ac826c5
slightly more meaningful error message
2018-01-22 12:20:53 +01:00
672888f526
FIX: handle invalid password reset token
2018-01-09 23:48:17 +05:30
642645ba9a
FIX: broken select badge as user title ( #5474 )
...
* FIX: broken select badge as user title
* selected id wasn’t pass to underlying component
* <none> was rendered as an html tag <none></none>
* overriding a badge name wouldn’t work as it was using badge.name and not badge.display_name
* adds a spec to ensure this behavior is correct
2018-01-05 16:58:15 +01:00
62a27f9d57
FEATURE: warn if attempting to mention a group with too many members
2017-12-21 16:13:57 +11:00
6a2bce1931
FIX: Data loss on update of single user_field.
...
https://meta.discourse.org/t/api-data-loss-caused-by-changed-behaviour-of-custom-user-field-update/74990
2017-12-20 16:33:23 +08:00
96584403cd
SECURITY: prevent staged accounts from changing email
2017-12-14 17:16:49 +11:00
a393d3bcbb
FIX: ensure staged accounts are always inactive
...
If for any reason active is stored in the user model, clear it out
prior to creating an account
2017-12-13 14:22:16 +11:00
e2b64257b3
Fix undefined method for `NilClass` error.
2017-12-12 18:54:29 +08:00
5003f07b2c
FEATURE: new site setting show_inactive_accounts
2017-12-07 19:22:41 +05:30
628275fc31
FIX: Some badge routes were still working even with badges disabled
2017-11-21 12:22:44 -05:00
ed16cba77f
REFACTOR: Raise error if email token fails to create.
2017-11-08 12:02:33 +08:00
d7880af0bb
FIX: change password form validation should instruct admins to use min password length for admin accounts
2017-11-07 16:14:56 -05:00
d320f4840d
FIX: Unable to invite groups that are not public visible into pms.
...
https://meta.discourse.org/t/inviting-groups-broken-in-head/73346/6
2017-11-03 21:40:33 +08:00
edf4af608e
FIX: Better match when searching for groups.
2017-11-02 10:20:14 +08:00
defea6245c
REFACTOR: Always validate email by default.
2017-10-25 13:48:34 +08:00
2db66072d7
SECURITY: signup without verified email using Google auth
2017-10-16 13:51:41 -04:00
1faae3c765
rename forgot_password_strict to hide_email_address_taken
2017-10-03 15:28:31 -04:00
e47f5cedd2
FEATURE: forgot_password_strict setting also prevents reporting that an email address is taken during signup
2017-10-03 15:28:30 -04:00
daf1dda700
FIX: username autocomplete in assign modal wasn't working
2017-10-03 12:49:45 +02:00
8140e54675
FIX: More fixes for `Group#mentionable` and `Group#messageable` feature.
2017-10-02 17:45:58 +08:00
f6c484881b
FIX: wasn't able to save watched/tracked/muted categories/tags
2017-09-29 13:09:48 +02:00
cd6dff58dd
FIX: add user option/profile fields that were not permitted
2017-09-28 14:59:53 +02:00
af01e62b14
FIX: wasn't allowed to set a user's title anymore
2017-09-26 20:13:24 +02:00
28c54b42c5
FIX: wasn't able to update user options anymore
2017-09-26 20:00:10 +02:00
77d4c4d8dc
Fix all the errors to get our tests green on Rails 5.1.
2017-09-25 13:48:58 +08:00
797936d2c5
FIX: don't leak whisper count in user card
2017-09-14 20:08:16 +02:00
171d9e5aed
SECURITY: Prevent users from updating to blacklisted email domains
2017-09-12 10:11:08 -04:00
d7d9923b8e
FIX: display email validation error messages
2017-09-11 13:22:14 -04:00
9f0f086b3e
FEATURE: allow API to mark accounts as approved on creation
2017-08-28 15:36:46 -04:00
6c997b65d9
optimize enqueuing activation email code
2017-07-31 22:57:39 +05:30
2e2b5e28aa
FIX: add slight delay when enqueuing activation email
2017-07-31 16:52:07 +05:30
5012d46cbd
Add rubocop to our build. ( #5004 )
2017-07-28 10:20:09 +09:00
d0b027d88d
FEATURE: phase 1 of supporting multiple email addresses
2017-07-20 11:22:27 +09:00
5994c85ea9
FIX: Raise the right error when email params is missing.
2017-06-12 17:48:32 +09:00
54bb2a6bc2
FIX: Don't redirect to wizard when resetting password
2017-06-07 12:36:52 -04:00
2cad739262
FIX: Better error message when username change fails.
...
https://meta.discourse.org/t/500-error-on-username-edit/64064
2017-06-07 10:45:53 +09:00
b584264d82
FIX: Don't show "resend email" option when user approval is on
2017-05-25 15:29:05 -04:00
57a2042ef6
FIX: Quiet server side errors for requesting json for account-created
2017-05-04 12:30:13 -04:00
81190f5d66
FIX: Redirect away from `account-created` if you're logged in
2017-05-03 11:18:01 -04:00
12fb20fe1b
FEATURE: Allow users to resend/update email from confirmation page
2017-05-03 11:18:01 -04:00
b381372184
Use Ember.js for the `/u/account-created` path so we can add controls
2017-05-03 11:18:01 -04:00
0722ffadf1
Remove site settings enforce_global_nicknames and discourse_org_access_key
2017-05-01 14:53:16 -04:00
ea26c56631
FIX: redirect to login page for anonymous user when profiles are hidden
2017-04-20 13:00:45 +05:30
04016f0dec
Support Ruby 2.4.
2017-04-15 12:29:00 +08:00
57788200ec
REFACTOR: Add `User.reserved_username?`.
2017-04-13 10:44:26 +08:00
5943543ec3
FIX: Improve checks for non-human users.
2017-04-06 11:29:34 +08:00
40ab2e5667
FEATURE: Let users update their emails before confirming
...
This allows users who entered a typo or invalid email address when
signing up an opportunity to fix it and resending the confirmation
email to that address.
2017-04-05 16:44:49 -04:00
17f2974d0a
SECURITY: Confirm new administrator accounts via email
2017-04-04 15:59:01 -04:00
406d721f11
Fix `NilClass` error in `UsersController`.
2017-04-04 14:17:45 +08:00
14410b71fb
Convert server side paths to use `/u/`
2017-03-30 10:23:24 -04:00
7c3ae50dcd
FIX: send activation email if user have unconfirmed email
2017-03-21 09:41:50 +05:30
ca965bb455
FEATURE: Redirect to groups page after login/registration flow.
2017-03-16 09:48:51 +08:00
a690121805
SECURITY: always allow staff to resend activation mails
2017-03-13 10:32:24 -04:00
1a745ca16a
else @user makes no sense :)
2017-03-13 10:22:23 -04:00
9364d8ce71
FIX: Store user's id instead for sending activation email.
...
* Email and username are both allowed to be used for logging in.
Therefore, it is easier to just store the user's id rather than
to store the username and email in the session.
2017-03-13 20:24:55 +08:00
7ebfa3c901
SECURITY: Only allow users to resend activation email with a valid session.
...
* Improve error when an active user tries to request for an activation email.
2017-03-13 19:35:29 +08:00
d0fbb27f3e
FEATURE: new invite acceptance page, where username can be chosen and password can be set
2017-02-15 16:51:57 -05:00
4332f0dde1
FEATURE: allow user search API to restrict to group
2017-02-09 18:45:39 -05:00
ff49f72ad9
FEATURE: per client user tokens
...
Revamped system for managing authentication tokens.
- Every user has 1 token per client (web browser)
- Tokens are rotated every 10 minutes
New system migrates the old tokens to "legacy" tokens,
so users still remain logged on.
Also introduces weekly job to expire old auth tokens.
2017-02-07 09:22:16 -05:00
c4e10f2a9d
FEATURE: redesign the change password page to use javascript and validations
2017-02-03 16:09:24 -05:00
43671b1fda
UX: Display group fullname in mention autocomplete.
2017-01-04 11:40:14 +08:00
e0ff57ca75
SECURITY: prevent reuse of password reset
2016-12-19 18:00:22 +11:00
c04d4171ff
FIX: whisper no longer experimental
...
- Regular users are not notified of whispers
- Regular users no longer have "stuck" topics in unread
- Additional tracking for staff highest post number
- Remove a bunch of unused columns in topics table
2016-12-02 17:03:31 +11:00
f824afb4d3
FEATURE: Allow date_of_field column to be updated.
2016-11-17 15:16:58 +08:00
c3d4c949f1
Add comments to relevant sections denoting "create new topic" scenario is not supported for cannot-see-mention (per @coding-horror instruction)
2016-11-16 06:26:36 -05:00
824c235760
FEATURE: Notify user when mention can't see the reply they were mentioned in
...
FIX: Group Mention Notifications
2016-11-14 22:03:16 -05:00
c03d25f170
FEATURE: Configure Admin Account
...
Adds a "Step 0" to the wizard if the site has no admin accounts where
the user is prompted to finish setting up their admin account from the
list of acceptable email addresses.
Once confirmed, the wizard begins.
2016-10-19 11:27:56 -04:00
f62d01ff1b
FIX: Clear the session after a reset token was used
2016-09-30 12:20:23 -04:00
4e663998af
PERF: N+1 query on user summary page.
2016-09-23 12:44:08 +08:00
afaba56de3
FEATURE: missing API endpoint for topic tracking states
2016-08-12 17:10:35 +10:00
429f27ec96
SECURITY: Avoid mass assignment on user create
2016-08-05 11:57:13 -04:00
4161ee210a
FEATURE: improved tag and category watching and tracking
...
- present tags watched on the user prefs page
- automatically watch or unwatch old topics based on watch status
New watching and tracking logic takes care of handling old topics
(either with or without read state)
When you watch a topic you now watch historically
Also removes confusing warnings from user.
2016-07-08 12:58:30 +10:00
1411eedad3
FEATURE: offer to unwatch categories when unwatching category
2016-06-28 18:34:20 +10:00
5bfc9cf69e
Allow API to create staged users
2016-06-23 12:27:05 +02:00
f387dfe226
FIX: mixed case group mentions were not getting highligted in composer
2016-05-22 18:32:49 +05:30
89e506551a
Add body class to `account-created` route
2016-05-05 14:37:09 -04:00
a130cb8305
FEATURE: move more urgent emails notifications to critical queue
...
Move signup, admin login and password change email notifications
to critical queue
2016-04-07 14:39:01 +10:00
c3507a3242
Fix: Added underscore to my_redirect regex
2016-03-20 13:00:56 +05:30
5771d2aee2
SECURITY: Support for confirm old as well as new email accounts
2016-03-08 14:52:22 -05:00
d62689fa76
Move updating a user's email to its own controller
2016-03-08 14:52:22 -05:00
1135d2094a
Merge pull request #4006 from scossar/set-locale-from-header
...
Feature: (WIP) Set locale from Accept-Language header
2016-03-04 09:12:30 +01:00
36f82aa68c
FEATURE: enforce admin password validation when signing up via developer email
2016-03-04 00:28:47 +05:30
0a396583ed
set locale for anonymous from header
...
set locale on signup
update spec
add locale option
2016-02-26 13:45:00 -08:00
0064927077
FIX: do not allow new email to be duplicate
...
FIX: return proper error message when email already exists
2016-01-23 13:42:53 +05:30
7303f8f309
FEATURE: first pass at user summary page
2016-01-20 15:14:25 +11:00
380764dc92
FIX: validate email when changing via user preferences page
2016-01-16 10:50:49 +05:30
c7df6783a9
FIX: only invalidate password reset links using javascript
2016-01-04 11:48:54 -05:00
a8b5192efd
FEATURE: User page refactor
...
Re-organise user page so it is easier to find interesting info
split it into tabs
- Introduce notifications and messages tabs
- Stop couting stuff for the user page to speed up rendering
- Suppress more information when viewing your own profile
2015-12-20 16:45:49 +11:00
7917316f6f
FEATURE: display warning on top of composer for group mentions
...
If users attempt to mention a group that is "mentionable" display a warning
informing them that people will be notified.
2015-12-04 13:41:07 +11:00
9899e8d4a5
FEATURE: First class messages to groups, you can select a group as a target of a message
2015-12-02 15:49:43 +11:00
f6390c8ad6
correct bad merge
2015-11-30 17:12:51 +11:00
ad3dd161e7
FEATURE: first class group mentions built in
...
If you allow a group to be mentioned it can be mentioned with the @ symbol.
Keep in mind as a safety mechanism max_users_notified_per_group_mention is set to 100
2015-11-30 17:08:43 +11:00
16b3d26d7b
allow staff members to view staged accounts user card/profile
2015-11-27 20:02:24 +01:00
76692235ae
FIX: don't ever fetch staged accounts in unseen mentions
2015-11-27 18:16:50 +01:00
43614439e6
FEATURE: can take over a staged account
2015-11-13 19:07:28 +01:00
16f509afb9
FIX: enforce 'allow_uploaded_avatars' & 'sso_overrides_avatar' server-side
2015-11-12 10:26:45 +01:00
bb79e6aff7
FEATURE: new hide_user_profiles_from_public site setting
2015-10-28 19:56:08 +01:00
46ca66771b
FIX: Better error message for resending activation. Don't limit staff.
2015-10-27 16:25:30 -04:00
a527c58c7d
UX: Show a nicer "Log In" screen if the user follows `/my/preferences`
2015-10-14 13:39:31 -04:00
d66a545dd2
FIX: `/my/preferences` should prompt users to log in
2015-10-14 12:40:13 -04:00
36309e50cc
Merge pull request #3767 from tgxworld/track_user_profile_views
...
Track user profile views
2015-09-23 11:38:18 +02:00
07e7b07b63
FIX: refreshing gravatar wasn't working
2015-09-17 19:42:44 +02:00
7acc93b2a0
FEATURE: Track user profile views.
2015-09-16 14:48:31 +08:00
18d7c1c75d
fix the build - take 2
2015-09-11 15:47:48 +02:00
93f9dcfcec
FIX: don't overwrite custom uploaded avatar when selecting gravatar
...
FIX: remove unecessary serialized fields
2015-09-11 15:10:56 +02:00
6437cd0341
FEATURE: add support for generic external avatar services
...
This changes it so we only ship an avatar template down to the client
it has no magic, all it knows is how to plug in size
2015-09-11 15:10:56 +02:00
2742602254
FEATURE: support for external letter avatars service
2015-09-11 02:12:40 +02:00
32e2d7963a
FEATURE: Show FAQ at top of the hamburger until the user reads it
2015-09-04 16:56:02 -04:00
99edcddafb
FEATURE: show pending/redeemed invite count in tabs
2015-08-25 01:12:46 +05:30
91519fdfe7
FIX: do not persist error message
2015-08-24 00:29:58 +05:30
2a897a8a6b
SECURITY: Remove email validation check bypass
...
- Increase size of email column to varchar(513)
- Give error message on signup when email is too large
Overall impact: Low, allows signups from blocked domains. Main risk is increased spam.
2015-07-13 15:36:17 -07:00
e0c9054748
FEATURE: invite page tabs
2015-07-13 09:42:51 +05:30
5e615ef26e
Fixed bug that caused substrings of reserved usernames to be treated as reserved.
2015-07-06 23:54:25 -07:00
df988a20eb
FEATURE: Reserved usernames
...
A list of usernames that will be blocked from being used to sign up.
2015-07-01 13:50:55 -07:00
David Taylor
Bianca Nenciu
Neil Lalonde
Sam
Régis Hanol
Vinoth Kannan
Leo McArdle
OsamaSayegh
Maja Komel
Guo Xiang Tan
Arpit Jalan
Jeff Wong
Robin Ward
Erick Guan
Gerhard Schlager
Joffrey JAFFEUX
Philipp Daniels
Guo Xiang Tan
cpradio
Aryan Raj
scossar
Kane York
Doug