Commit Graph

938 Commits

Author SHA1 Message Date
Kyle Zhao a6eca28ec6
CSP - extract all other inline JavaScripts (#6528)
* wizard page inline js

* print topic inline js

* drop JS for preventing double submission

this is the default behavior with Rails' UJS `disable_with` helper

* omniauth complete redirect JS

* account activate inline js
2018-10-25 09:52:01 -04:00
Sam Saffron abaa3f0650 FEATURE: add server:before-head-close-crawler outlet for plugins
This outlet allows plugins to inject html prior to closing head tag
2018-10-25 16:31:05 +11:00
Kris c219a5fb1e
Add btn-default class to all default buttons (#6521) 2018-10-24 16:09:36 -04:00
Sam 4c8fe13500 FIX: remove code that restricted "header" theme field from admin
There was some old code that restricted a percentage of a themes code from
admin, only when admin was refreshed, this leads to lots of confusion

Conditional is now removed
2018-10-15 17:29:10 +11:00
Robin Ward c2add85e75 FIX: Typo, should be `authentication`
cc @xrav3nz
2018-10-11 14:58:46 -04:00
Kyle Zhao acba7d2a5d Extract `discourse_javascript.html.erb` to a scrip include
* extract omniauth auth complete inline JS

* extract Ember error logging inline JS

* transpile `authentication-complete`

This is CSP related work
2018-10-09 16:50:45 +11:00
Kyle Zhao ab448ca8f3 extract client side `Discourse` setup inline JS (#6409) 2018-10-01 21:29:04 -07:00
Kyle Zhao d0f660806d FIX: close `data-preloaded` div tag 2018-10-01 15:24:27 +08:00
Kyle Zhao 819f090d6a move large blobs out of `<head>` (#6428)
it unnecessarily bloats the section and increases the payload
dramatically for open graph tags.
2018-09-28 17:28:33 +08:00
Kyle Zhao 7a0232249a
extract inline JS that's used to store preloaded data (#6370) 2018-09-17 16:31:46 +08:00
Kyle Zhao f666d72606 extract inline JS for google tag manager 2018-09-17 09:56:00 +10:00
Kyle Zhao 38c70bfda2 extract inline JS for google analytics 2018-09-17 09:56:00 +10:00
OsamaSayegh a4f057a589 UX: improvements to admin theme UI 2018-09-17 09:49:53 +10:00
Osama Sayegh 16bd3f2cf2 FIX: use current user color scheme when filling `theme-color` attribute (#6384)
* FIX: use current user color scheme when filling `meta` attribute `theme-color`

* update manifest.webmanifest colors
2018-09-12 11:04:58 +10:00
Guo Xiang Tan a033327b93 Manage qunit via yarn. 2018-09-11 15:07:28 +08:00
Gerhard Schlager 2801376df5 FIX: Wizard didn't load translations correctly
* Translations from the js.* namespace were not found, because the i18n-patches were not loaded.
* The extra-locales didn't use a hash in the URL.
2018-09-05 15:14:09 +02:00
Neil Lalonde ebe7835316 FIX: links in rss feeds are sometimes wrong on subfolder installs 2018-08-27 18:05:15 -04:00
Gerhard Schlager bed34b52b5 UX: Blue "Resend Activation Email" button in wizzard 2018-08-21 22:18:08 +02:00
Gerhard Schlager cc851af750 FIX: HTML lang attribute expects hyphen instead of underscore 2018-08-20 13:55:58 +02:00
Misaka 0x4e21 d4fd19d49a UX: Replace Google search with Discourse search on not found page
* UX: Replace Google search with Discourse search on not found page.

* FIX: Update application_controller_spec.rb.
2018-08-15 11:53:04 +10:00
Neil Lalonde 71b65be6f6 SECURITY: prevent use of X-Forwarded-Host to perform XSS 2018-08-13 16:45:22 -04:00
Sam 7aef604f7d regression, if there is not excerpt skip 2018-08-09 15:07:18 +10:00
Osama Sayegh 0b7ed8ffaf FEATURE: backend support for user-selectable components
* FEATURE: backend support for user-selectable components

* fix problems with previewing default theme

* rename preview_key => preview_theme_id

* omit default theme from child themes dropdown and try a different fix

* cache & freeze stylesheets arrays
2018-08-08 14:46:34 +10:00
Sam 3f6ad65aec FEATURE: include excerpt in HTML view for pinned topics 2018-08-08 11:15:49 +10:00
Neil Lalonde 4e6e4a83df FIX: subfolder digest emails have incorrect URLs 2018-08-07 16:38:17 -04:00
Joffrey JAFFEUX d494feaa32
FIX: should not be needed as we have itemprop='url' 2018-07-30 09:31:27 -04:00
Arpit Jalan dfcb2a0d42 FEATURE: include published_time in metadata 2018-07-30 17:09:56 +05:30
Neil Lalonde f4b5eccad3 FIX: categories page crawler view had incorrect URLs 2018-07-23 14:54:41 -04:00
OsamaSayegh decf1f27cf FEATURE: Groundwork for user-selectable theme components
* Phase 0 for user-selectable theme components

- Drops `key` column from the `themes` table
- Drops `theme_key` column from the `user_options` table
- Adds `theme_ids` (array of ints default []) column to the `user_options` table and migrates data from `theme_key` to the new column.
- Removes the `default_theme_key` site setting and adds `default_theme_id` instead.
- Replaces `theme_key` cookie with a new one called `theme_ids`
- no longer need Theme.settings_for_client
2018-07-12 14:18:21 +10:00
Guo Xiang Tan 875008522d FIX: `Discourse.S3BaseUrl` did not account for subfolder bucket names. 2018-07-06 15:53:57 +08:00
Guo Xiang Tan 73e30ff4c2 Revert "Rename s3 vars, change condition when displaying s3 uploads"
The new variables do not reflect that they represent S3 settings.

This reverts commit 24dfa1b657.
2018-07-06 15:53:57 +08:00
Christoph Holtermann 68bfe0260a Fix typo (#6043)
typo: state instead of status
2018-07-05 09:26:48 +08:00
Joffrey JAFFEUX 1772b56cda
FIX: minor micro data fixes 2018-06-29 13:41:04 +02:00
Maja Komel ec3e6a81a4 FEATURE: Second factor backup 2018-06-28 10:12:32 +02:00
Maja Komel 24dfa1b657 Rename s3 vars, change condition when displaying s3 uploads 2018-06-25 17:16:01 +02:00
Joffrey JAFFEUX 803968147c
FIX: ListItem can’t have itemprop=url and itemprop=item together 2018-06-25 14:12:55 +02:00
Christoph Holtermann bed26ea0b3 fix indentation 2018-06-25 15:01:39 +10:00
Christoph Holtermann a0af15d525 no redeclaring state 2018-06-25 15:01:39 +10:00
Christoph Holtermann e874afaf31 read embed state info from data attribute 2018-06-25 15:01:39 +10:00
Christoph Holtermann 6eb0b310fe add data attributes to reflect embed status 2018-06-25 15:01:39 +10:00
Christoph Holtermann 5914a3db20 Update embed.html.erb
Small fix
2018-06-25 15:01:39 +10:00
Christoph Holtermann 2244f19ff9 Update embed.html.erb
Add state descriptor to message being sent to parent window
2018-06-25 15:01:39 +10:00
Rafael dos Santos Silva 8fc08aad09 FEATURE: Update the webmanifest
- Remove share target because the spec is changing
- Allow any orientation again because natural is too restrictive
- Use correct file and mime types for the manifest
2018-06-14 00:13:28 -03:00
Joffrey JAFFEUX 276526e30e
FIX: improves micro data support 2018-06-13 23:20:48 +02:00
Angus McLeod 0997eb6486 Add theme stylesheet(s) to the crawler layout 2018-06-12 12:47:48 +10:00
Jeff Wong 4599cc8435 FIX: PM participants listed inline 2018-06-11 18:14:25 -07:00
Régis Hanol 0402e97368 FIX: redirect to sso_destination_url after account activation 2018-05-11 19:57:04 +02:00
Régis Hanol 6a006b3646 FIX: format posts for embedded comments as we do for emails 2018-05-09 19:24:44 +02:00
Arpit Jalan 83245aa508 FIX: better handling of invite links after they are redeemed
FIX: deprecate invite_passthrough_hours setting
2018-05-08 20:17:57 +05:30
Jeff Wong 62a8904729
Feature: Include participants at the bottom of PM emails (#5797)
* Feature: Include participants at the bottom of PM emails

... as undecorated links.

https://meta.discourse.org/t/email-notification-recipients-unclear-when-pm-is-sent-to-multiple-users/26934/13?u=featheredtoast

Fix: missing translation for PM mentions

* display membership count as `group (count)`
2018-05-03 15:50:06 -07:00
Robin Ward a5172a37e0 Allow staff members to enable safe mode, even if disabled 2018-04-25 11:49:57 -04:00
Robin Ward fd14ee4797 FEATURE: Allow safe mode to be disabled 2018-04-24 11:03:33 -04:00
Sam 54d153068a DEV: remove qunit rails fork and add a couple of async tests 2018-04-23 16:42:40 +10:00
Arpit Jalan 45cfb61af1 FIX: sanitize click track links 2018-04-17 12:35:16 +05:30
Robin Ward 3d7dbdedc0 FEATURE: An API to help sites build robots.txt files programatically
This is mainly useful for subfolder sites, who need to expose their
robots.txt contents to a parent site.
2018-04-16 15:43:20 -04:00
Sam 223379e21a per spec we need to repeat disallow paths per agent 2018-04-16 15:38:10 +10:00
Arpit Jalan a1ef455c78 SECURITY: do not show private topic title on /unsubscribed page 2018-04-16 10:35:57 +05:30
Régis Hanol 1a9271dd2f add a warning in robots.txt when using subfolder 2018-04-12 00:00:15 +02:00
Régis Hanol df7970a6f6 prefix the robots.txt rules with the directory when using subfolder 2018-04-11 22:05:02 +02:00
Sam 489c22d93c FEATURE: Disallow tags and categories rss feeds
This stops crawlers from hitting tags and category rss feeds to discover
new content, instead they should focus on latest/posts if they need to
consume something regular
2018-04-11 14:36:10 +10:00
Sam f40f10240c FEATURE: remove topic rss from robots
Crawlers love hitting the rss feeds (confirmed that both Google and Bing do)

Experimenting with the impact of blocking these feeds and forcing Crawlers to hit
the content direct. It is better if they hit the actual page to start with as opposed to

1. Hit RSS feed
2. Find new content
3. Hit post link
4. Get canonical
5. Hit canonical

Lots of pointless work.

We do not know for sure what impact this will have on newsreader apps,
we will listen for feedback.
2018-04-11 11:57:52 +10:00
Jeff Wong 32f919ea34 Fix - service worker registrations
* register service workers in a development env

* register service worker from ember initialize fn
2018-04-10 15:17:32 -07:00
Sam 3a7b696703 FEATURE: allow for setting crawl delay per user agent
Also moved to default crawl delay bing so no more than a req every 5 seconds is allowed

New site settings:

"slow_down_crawler_user_agents" - list of crawlers that will be slowed down
"slow_down_crawler_rate" - how many seconds to wait between requests

Not enforced server side yet
2018-04-06 10:15:23 +10:00
Neil Lalonde b7ecdb72d6 FIX: update Google Tag Manager javascript 2018-04-03 14:22:06 -04:00
Arpit Jalan 5e4dd20795 Revert "Prevent robots from indexing uploads"
This reverts commit 0fd622e5d1.
2018-04-02 21:29:29 +05:30
Neil Lalonde c9216626d8
Merge pull request #5688 from discourse/fix-embed-comments-template-error
FIX: Make sure a post has replies before accessing the reply_id
2018-03-27 15:30:53 -04:00
Neil Lalonde ced7e9a691 FEATURE: control which web crawlers can access using a whitelist or blacklist 2018-03-22 15:41:02 -04:00
scossar f213dea529 Make sure a post has replies before accessing the reply id 2018-03-20 12:13:41 -07:00
Régis Hanol 89f5c90ce0 FIX: show an error page on click tracking error 2018-03-17 00:33:11 +01:00
Sam 8c1d145f0e FIX: when visiting post on mobile it is not selected 2018-03-13 14:06:08 +11:00
Dan Nicholson 0fd622e5d1 Prevent robots from indexing uploads
Although most user uploads are probably harmless, it's possible someone
has (either maliciously or not) uploaded sensitive information. Prevent
robots from indexing the uploads route.
2018-03-09 05:51:55 -06:00
OsamaSayegh 282f53f0cd FEATURE: Theme settings (2) (#5611)
Allows theme authors to specify custom theme settings for the theme. 

Centralizes the theme/site settings into a single construct
2018-03-04 19:04:23 -05:00
Sam e19ae6c55e FEATURE: disallow groups from being indexed 2018-03-02 13:38:30 +11:00
Guo Xiang Tan 70f14da732 UX: Use 'tel' input type for 2FA token inputs. 2018-02-27 09:30:44 +08:00
Joffrey JAFFEUX ac701696b3
FEATURE: replaces tag-chooser/tag-group-chooser with select-kit component
These component were also the last using select2. As a consequence select2 is removed from Discourse in this commit.
2018-02-26 11:42:57 +01:00
Guo Xiang Tan a9699da672 UX: Specify pattern and maxlength for 2FA input fields. 2018-02-26 18:29:46 +08:00
Guo Xiang Tan 1f74509a75 FIX: 2FA prompt incorrectly displayed on admin login page. 2018-02-23 11:05:39 +08:00
Maja Komel 76a2fc3d07 UX: Add og metadata for groups.
https://meta.discourse.org/t/onebox-for-groups/79155
2018-02-22 15:03:41 +08:00
Guo Xiang Tan 964624f3ab FIX: No error displayed when 2FA token is invalid on admin login page. 2018-02-22 09:45:57 +08:00
Guo Xiang Tan edf326a9a5 Fix incorrect translation. 2018-02-22 08:06:37 +08:00
Guo Xiang Tan 14f3594f9f Review Changes for f4f8a293e7. 2018-02-21 14:55:49 +08:00
Jeff Wong f4f8a293e7 FEATURE: Implement 2factor login TOTP
implemented review items.

Blocking previous codes - valid 2-factor auth tokens can only be authenticated once/30 seconds.
I played with updating the “last used” any time the token was attempted but that seemed to be overkill, and frustrating as to why a token would fail.
Translatable texts.
Move second factor logic to a helper class.
Move second factor specific controller endpoints to its own controller.
Move serialization logic for 2-factor details in admin user views.
Add a login ember component for de-duplication
Fix up code formatting
Change verbiage of google authenticator

add controller tests:
second factor controller tests
change email tests
change password tests
admin login tests

add qunit tests - password reset, preferences

fix: check for 2factor on change email controller
fix: email controller - only show second factor errors on attempt
fix: check against 'true' to enable second factor.

Add modal for explaining what 2fa with links to Google Authenticator/FreeOTP

add two factor to email signin link

rate limit if second factor token present

add rate limiter test for second factor attempts
2018-02-21 09:04:07 +08:00
Guo Xiang Tan 7902296c11 Oops we should register a service worker as long as it is supported. 2018-02-15 15:02:14 +08:00
Guo Xiang Tan 28365f8ae5 PERF: Have nginx cache and serve the service worker file. 2018-02-15 10:50:39 +08:00
Erick Guan 03b3e57a44 FEATURE: login by a link from email
Co-authored-by: tgxworld <tgx@discourse.org>
2018-02-13 16:14:39 +08:00
Robin Ward 0776340b29 SECURITY: Prevent robots from indexing more routes
These routes could contain sensitive material and should never be
indexed for content.
2018-02-04 13:24:36 -05:00
Neil Lalonde 2493648f9c PERF: calculate topic_counts for tags in an async job so tag queries that include counts are much faster 2018-01-12 11:03:03 -05:00
Sam 8ff5f5f2ef FIX: cache admin locale file for 24 hours 2018-01-09 10:23:49 +11:00
Vinoth Kannan f08995c390 Remove unused code lines 2017-12-29 12:32:18 +05:30
Gerhard Schlager 44ee388070 FEATURE: omit images from og and twitter description tags 2017-11-28 21:34:02 +01:00
Kris c2da25dd5c
Cleaning up the 404 page (#5363) 2017-11-24 12:41:31 -05:00
Neil Lalonde 66e53f449a UX: Auth complete page/modal has a link to continue to the site to accomodate auth methods that can't automatically redirect to Discourse 2017-11-21 13:56:19 -05:00
Robin Ward cef64e8f03 UX: Use `no_ember` styling for omniauth error page 2017-11-15 14:04:26 -05:00
Robin Ward d07ebf9d4c UX: Support for custom error pages and headers in plugins 2017-11-14 16:31:44 -05:00
Robin Ward 1c56e1c063 Support for HTML builders on the no-ember view 2017-11-14 16:04:27 -05:00
Robin Ward 52480d554a UX: Support for custom 404 pages 2017-11-14 11:57:17 -05:00
Sam dfe9f70747 UX: warn that something must be selected with safe mode 2017-11-13 15:59:51 +11:00
Michael Howell 38b8d68c68 FEATURE: Allow the user to select a custom home page (#5268)
* Add user_home configuration option

* Use the new user_home preference to actually show the right home page

* Fix trailing whitespace

* Update user_option_serializer.rb

* Fix JavaScript default homepage tests

* Use an object instead of a giant switch

* Remove trailing whitespace

* Make the default `user_home` set to `null` instead of `0`

* Rename user_home to homepage_id
2017-11-10 06:45:19 +11:00
Neil Lalonde 7eb5f78343 UX: increase max length of topic titles in summary email html by 40 characters 2017-11-06 10:00:01 -05:00
Neil Lalonde 7dc3671490 FEATURE: remove obsolete settings ga_tracking_code and ga_domain_name. Use ga_universal_tracking_code and ga_universal_domain_name instead. 2017-11-01 11:41:51 -04:00