Commit Graph

44667 Commits

Author SHA1 Message Date
Osama Sayegh b0656f3ed0
FIX: Apply onebox blocked domain checks on every redirect (#16150)
The `blocked onebox domains` setting lets site owners change what sites
are allowed to be oneboxed. When a link is entered into a post,
Discourse checks the domain of the link against that setting and blocks
the onebox if the domain is blocked. But if there's a chain of
redirects, then only the final destination website is checked against
the site setting.

This commit amends that behavior so that every website in the redirect
chain is checked against the site setting, and if anything is blocked
the original link doesn't onebox at all in the post. The
`Discourse-No-Onebox` header is also checked in every response and the
onebox is blocked if the header is set to "1".

Additionally, Discourse will now include the `Discourse-No-Onebox`
header with every response if the site requires login to access content.
This is done to signal to a Discourse instance that it shouldn't attempt
to onebox other Discourse instances if they're login-only. Non-Discourse
websites can also use include that header if they don't wish to have
Discourse onebox their content.

Internal ticket: t59305.
2022-03-11 09:18:12 +03:00
maiki 8e010aecfb
Remove a few words for clarity (#16162)
Remove extra words from two descriptions for user like reports
2022-03-11 09:33:16 +08:00
dependabot[bot] 799f35a49d
Build(deps): Bump pg from 1.3.3 to 1.3.4 (#16161)
Bumps [pg](https://github.com/ged/ruby-pg) from 1.3.3 to 1.3.4.
- [Release notes](https://github.com/ged/ruby-pg/releases)
- [Changelog](https://github.com/ged/ruby-pg/blob/master/History.rdoc)
- [Commits](https://github.com/ged/ruby-pg/compare/v1.3.3...v1.3.4)

---
updated-dependencies:
- dependency-name: pg
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-03-10 22:32:17 +01:00
Jarek Radosz b0702337df
DEV: Fix rake qunit logging (#16159)
It was logging just the first passed object, which resulted printing out empty lines instead of actual messages (e.g. deprecation warnings)
2022-03-10 20:43:17 +01:00
Penar Musaraj 3a817d2377
FIX: Buggy jump-to-post on Firefox (#16153) 2022-03-10 20:39:39 +01:00
Osama Sayegh 8d96761a4f
FIX: Include engine mount path for API scopes added by plugins (#16154)
In the API keys page where admins can create API keys with restricted scopes, each scope shows a list of URLs that it allows. But currently, this list of allowed URLs shows incomplete URLs for scopes that are added by plugins. For example, the allowed URL for the "run queries" scope of the data-explorer plugin is shown as `/queries/:id/run` when the correct URL for this scope is `/admin/plugins/explorer/queries/:id/run`. The first 3 segments of the path are the mount path of the plugin's engine and it's missing because the routes set of the engine doesn't include the mount path. To fix this, this commit gets the mount path and prepends it to the URL so the complete URL is shown to the user.

It's not possible to write tests for this change because plugins are not loaded in the test environment by default when core's tests suite is running.
2022-03-10 22:01:22 +03:00
Discourse Translator Bot 93407005b5
Update translations (#16132) 2022-03-10 16:51:47 +01:00
David Taylor 8a69de7964
DEV: Enable Ember CLI tests in GitHub Actions for official plugins (#16148) 2022-03-10 12:36:58 +00:00
Osama Sayegh 9b5cc1424f
DEV: Don't mutate `Excon.defaults[:middlewares]` (#16151)
`Excon.defaults` and its middlewares array are constants that we
shouldn't mutate everytime `FinalDestination#resolve` is called.
2022-03-10 14:21:45 +03:00
dependabot[bot] 892f7e0506
Build(deps): Bump rubocop from 1.25.1 to 1.26.0 (#16149)
Bumps [rubocop](https://github.com/rubocop/rubocop) from 1.25.1 to 1.26.0.
- [Release notes](https://github.com/rubocop/rubocop/releases)
- [Changelog](https://github.com/rubocop/rubocop/blob/master/CHANGELOG.md)
- [Commits](https://github.com/rubocop/rubocop/compare/v1.25.1...v1.26.0)

---
updated-dependencies:
- dependency-name: rubocop
  dependency-type: indirect
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-03-09 23:39:41 +01:00
Jarek Radosz 99b2cfe26e
DEV: Disallow `Ember` global usage (#16147)
…and sprinkle `// eslint-disable-next-line no-undef` throughout the code where is unavoidable for now
2022-03-09 17:54:07 +01:00
Jarek Radosz 2ba602708a
DEV: A manual test waiter might not be needed (#16142) 2022-03-09 15:38:10 +01:00
Jarek Radosz fbef828ab2
DEV: Remove "empty" template code (#16140)
Its only use seems to have been removed back in 2016 in a9ed15e11a.
2022-03-09 13:57:39 +01:00
Sam 43da88db6c
PERF: avoid following links in topic RSS feeds (#16145)
Topic RSS feeds contain many non canonical links such as:

- https://site.com/t/a-b-c/111/1
- https://site.com/t/a-b-c/111/2
- https://site.com/t/a-b-c/111/3
- https://site.com/t/a-b-c/111/4
- https://site.com/t/a-b-c/111/5
- https://site.com/t/a-b-c/111/6

Previously we were not indexing RSS feeds yet still following these
links.


This change means we totally ignore links in the RSS feeds which
avoids expensive work scanning them just to find we should not
include them.
2022-03-09 18:25:20 +11:00
Ayke Halder 28bb9e11f4
FEATURE: add nofollow to RSS alternate link in topics and categories (#16013)
* FEATURE: add nofollow to RSS alternate link in topics and categories

* Rspec tests for category and topic view: add nofollow to RSS alternate link
2022-03-09 16:34:02 +11:00
Martin Brennan ca93e5e68b
FIX: Allow admins to change user ignore list (#16129)
Previously, if an admin user tried to add/remove
users to another user's ignored list, it would
be added to their own ignore list because the
controller used current_user. Now for admins only
a source_user_id parameter can be passed through,
which will be used to ignore the target user for
that source user.
2022-03-09 14:51:30 +10:00
dependabot[bot] efd8bb9008
Build(deps): Bump redis-namespace from 1.8.1 to 1.8.2 (#16126)
Bumps [redis-namespace](https://github.com/resque/redis-namespace) from 1.8.1 to 1.8.2.
- [Release notes](https://github.com/resque/redis-namespace/releases)
- [Changelog](https://github.com/resque/redis-namespace/blob/master/CHANGELOG.md)
- [Commits](https://github.com/resque/redis-namespace/compare/v1.8.1...v1.8.2)

---
updated-dependencies:
- dependency-name: redis-namespace
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-03-09 10:11:12 +08:00
Alan Guo Xiang Tan 01c5f9337a
DEV: Upgrade Rails to 6.1.4.7. (#16143)
There was a security release in 6.1.4.6 to fix: https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9

It doesn't affect us as Discourse doesn't use thread local variables
but we should still upgrade as a matter of caution.
2022-03-09 10:10:51 +08:00
Joshua Rosenfeld a29b133d33
DEV: Update security policy (#16144)
Add note regarding low quality reports being received via email.
2022-03-09 10:02:20 +08:00
Jarek Radosz 9892844507
DEV: Fix a flaky validation message (#16141)
The order of tags in the validation error message could be random, which we don't really care about, but it made the specs flake out once in a while.

The flaky specs were:

```
spec/lib/discourse_tagging_spec.rb:511
spec/lib/discourse_tagging_spec.rb:519
```
2022-03-09 09:38:05 +08:00
David Taylor 3ad9c2cdb6
FEATURE: Add mobile support for subcategories-with-featured-topics (#16118)
Follow-up to eb2e3b510d
2022-03-08 22:06:27 +00:00
dependabot[bot] 5335b40a87
Build(deps): Bump bootsnap from 1.10.3 to 1.11.1 (#16139)
Bumps [bootsnap](https://github.com/Shopify/bootsnap) from 1.10.3 to 1.11.1.
- [Release notes](https://github.com/Shopify/bootsnap/releases)
- [Changelog](https://github.com/Shopify/bootsnap/blob/main/CHANGELOG.md)
- [Commits](https://github.com/Shopify/bootsnap/compare/v1.10.3...v1.11.1)

---
updated-dependencies:
- dependency-name: bootsnap
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-03-08 22:34:53 +01:00
jbrw 528c3e311a
FIX: Only display the first listed price (#16138)
Multiple prices may be returned by Amazon (e.g. for new, and also for used). We should only display the first price.
2022-03-08 15:24:45 -05:00
Jarek Radosz bf252752e7
FIX: Make reply-ids public by fixing a typo (#16137)
…and spec the endpoint
2022-03-08 21:08:15 +01:00
Bianca Nenciu 6d422a8033
FEATURE: Highlight expired bookmark reminders (#15317)
The user can select what happens with a bookamrk after it expires. New
option allow bookmark's reminder to be kept even after it has expired.
After a bookmark's reminder notification is created, the reminder date
will be highlighted in red until the user resets the reminder date.
User can do that using the new Clear Reminder button from the dropdown.
2022-03-08 19:44:18 +02:00
Bianca Nenciu f5422f91aa
FEATURE: Add link to original image in lightbox (#15640)
Adds a link to the original image next to the download link. It can be
used to view full resolution image in the browser.
2022-03-08 19:39:46 +02:00
Jarek Radosz 14109ea92c
FIX: Show 404 html on /posts/:id/raw and /p/:id (#16131)
It returned a blank page before.
2022-03-08 17:42:07 +01:00
Jarek Radosz 768c80c2a4
DEV: Make `find_post_using` raise only `Discourse::NotFound` (#16133) 2022-03-08 17:39:52 +01:00
Jarek Radosz c212af665c
DEV: Remove unused scss (#16134)
`.report-container` doesn't seem to be used anywhere
2022-03-08 17:39:40 +01:00
Joffrey JAFFEUX 690036225f
DEV: using send can be harmful, public_send is less risky (#16135)
I can't see any harmful use case here, especially because only one param can be used ATM.
2022-03-08 17:13:26 +01:00
Kris 28842d24d6
UX: print view always shows 0 votes, hide it (#15901) 2022-03-08 15:35:31 +01:00
Bianca Nenciu 4fe99e39c3
FEATURE: Add new site setting list type with name and values (#16045)
These changes include a bug fix because allow_any attribute of site
settings was completely ignored before.
2022-03-08 13:18:43 +02:00
dependabot[bot] fd34ddef8a
Build(deps-dev): Bump rspec-rails from 5.1.0 to 5.1.1 (#16127)
Bumps [rspec-rails](https://github.com/rspec/rspec-rails) from 5.1.0 to 5.1.1.
- [Release notes](https://github.com/rspec/rspec-rails/releases)
- [Changelog](https://github.com/rspec/rspec-rails/blob/main/Changelog.md)
- [Commits](https://github.com/rspec/rspec-rails/compare/v5.1.0...v5.1.1)

---
updated-dependencies:
- dependency-name: rspec-rails
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-03-08 17:11:29 +11:00
dependabot[bot] 9855962834
Build(deps): Bump mini_sql from 1.3.0 to 1.4.0 (#16128)
Bumps [mini_sql](https://github.com/discourse/mini_sql) from 1.3.0 to 1.4.0.
- [Release notes](https://github.com/discourse/mini_sql/releases)
- [Changelog](https://github.com/discourse/mini_sql/blob/main/CHANGELOG)
- [Commits](https://github.com/discourse/mini_sql/compare/v1.3.0...v1.4.0)

---
updated-dependencies:
- dependency-name: mini_sql
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-03-08 17:11:09 +11:00
dependabot[bot] c1cb635cc0
Build(deps): Bump jmespath from 1.6.0 to 1.6.1 (#16125)
Bumps [jmespath](https://github.com/trevorrowe/jmespath.rb) from 1.6.0 to 1.6.1.
- [Release notes](https://github.com/trevorrowe/jmespath.rb/releases)
- [Changelog](https://github.com/jmespath/jmespath.rb/blob/main/CHANGELOG.md)
- [Commits](https://github.com/trevorrowe/jmespath.rb/compare/v1.6.0...v1.6.1)

---
updated-dependencies:
- dependency-name: jmespath
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-03-07 22:28:29 +01:00
Bianca Nenciu 34b4b53bac
FEATURE: Use Postgres unaccent to ignore accents (#16100)
The search_ignore_accents site setting can be used to make the search
indexer remove the accents before indexing the content. The unaccent
function from PostgreSQL is better than Ruby's unicode_normalize(:nfkd).
2022-03-07 23:03:10 +02:00
Jarek Radosz 6e7cdc5bc3
DEV: Use Ember imports in the styleguide code (#16123) 2022-03-07 21:38:09 +01:00
Jarek Radosz c528de3288
DEV: Make `settled()` work in the legacy env (#16122)
(and await for `focusComposer`)
2022-03-07 20:00:09 +01:00
Jordan Vidrine af20d435ea
UX: Fix misaligned avatar (#16120) 2022-03-07 11:08:00 -06:00
David Taylor 241e34e6cf
FIX: Update and rebake uses of the old centralized avatar service (#16086)
This URL was originally updated in 89cb537fae. However, some sites are not using the proxy, and have configured their forum to hotlink images directly to avatars.discourse.org.

We intend to shut down this domain in favor of `avatars.discourse-cdn.com`, so this migration will re-write any matching site setting values and queue affected posts for rebaking.
2022-03-07 09:45:20 +00:00
Joffrey JAFFEUX 36e7163d16
FIX: prevents self-reference to discoveryTopics from discoveryTopics (#16114) 2022-03-07 09:27:19 +01:00
Alan Guo Xiang Tan 6b8c622762
DEV: Don't load bundler when installing plugin gem. (#16117)
when bundler is loaded, it sets the `RUBYOPT` environment variable to setup bundler. However, it was causing weird errors like the following when we try to install
custom plugin gems into a specific directory.

```
/home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/source/git.rb:214:in `rescue in load_spec_files': https://github.com/discourse/mail.git is not yet checked out. Run `bundle install` first. (Bundler::GitError)
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/source/git.rb:210:in `load_spec_files'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/source/path.rb:107:in `local_specs'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/source/git.rb:178:in `specs'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/lazy_specification.rb:88:in `__materialize__'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/spec_set.rb:75:in `block in materialize'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/spec_set.rb:72:in `map!'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/spec_set.rb:72:in `materialize'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/definition.rb:468:in `materialize'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/definition.rb:190:in `specs'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/definition.rb:238:in `specs_for'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/runtime.rb:18:in `setup'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler.rb:151:in `setup'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/setup.rb:20:in `block in <top (required)>'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/ui/shell.rb:136:in `with_level'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/ui/shell.rb:88:in `silence'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/setup.rb:20:in `<top (required)>'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/site_ruby/2.7.0/rubygems/core_ext/kernel_require.rb:85:in `require'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/site_ruby/2.7.0/rubygems/core_ext/kernel_require.rb:85:in `require'
```
2022-03-07 13:20:43 +08:00
Martin Brennan 7af01d88d2
FIX: Better 0 file size detection and logging (#16116)
When creating files with create-multipart, if the file
size was somehow zero we were showing a very unhelpful
error message to the user. Now we show a nicer message,
and proactively don't call the API if we know the file
size is 0 bytes in JS, along with extra console logging
to help with debugging.
2022-03-07 12:39:33 +10:00
dependabot[bot] 5f5acfa064
Build(deps-dev): Bump faker from 2.19.0 to 2.20.0 (#16115)
Bumps [faker](https://github.com/faker-ruby/faker) from 2.19.0 to 2.20.0.
- [Release notes](https://github.com/faker-ruby/faker/releases)
- [Changelog](https://github.com/faker-ruby/faker/blob/master/CHANGELOG.md)
- [Commits](https://github.com/faker-ruby/faker/compare/v2.19.0...v2.20.0)

---
updated-dependencies:
- dependency-name: faker
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-03-07 00:48:27 +01:00
Jarek Radosz 3db4b3bc5e
DEV: Drop lodash (#16110) 2022-03-06 18:15:25 +01:00
Jarek Radosz d5be02dac5
DEV: Bump eslint-config-discourse (#16109) 2022-03-06 18:15:15 +01:00
Jarek Radosz b9c90d6a06
DEV: Use `Map()` to store emoji groups (#16065) 2022-03-05 18:58:49 +01:00
dependabot[bot] b135961b56
Build(deps): Bump rails_multisite from 4.0.0 to 4.0.1 (#15575)
Bumps [rails_multisite]() from 4.0.0 to 4.0.1.

---
updated-dependencies:
- dependency-name: rails_multisite
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-03-05 18:41:22 +01:00
Jarek Radosz f9e1ba4f8f
DEV: Remove remnants of nginx-perf-report plugin (#16107)
The plugin is no longer official as of Nov 18, 2019 (e2ccb0c608)
2022-03-05 17:22:23 +01:00
Jarek Radosz 3918e5b74a
DEV: Actually focus stuff in tests (#16102)
PSA: `focus("selector")` does not focus elements. It "makes a request to bring the window to the front."
2022-03-05 17:20:22 +01:00