Commit Graph

8983 Commits

Author SHA1 Message Date
Krzysztof Kotlarek 4773f5d720
FEATURE: predefined simple list for admin setting (#23953)
Some admin settings are multiple list with predefined values. In that case, we should not allow to input any value which later will fail validation.
2023-10-18 00:25:32 +00:00
Bianca Nenciu 2e68ead45b
FEATURE: Use async search for category dropdowns (#23774)
This commit introduces a new endpoint to search categories and uses it
instead of the categories map that is preloaded using SiteSerializer.

This feature is enabled only when the hidden site setting
lazy_load_categories is enabled and should be used only on sites with
many categories.
2023-10-17 19:46:54 +03:00
Blake Erickson 60ae69027c
DEV: Add category style deprecation check warning (#23951)
The category style site setting is being deprecated. This commit will
show a warning on the admin dashboard if a site isn't using the default
category style (bullet).
2023-10-17 10:40:31 -06:00
Bianca Nenciu c95ffb98ef
DEV: Serialize categories in topic lists (#23597)
At this moment, this feature is under a site setting named
lazy_load_categories.

In the future, categories will no longer be preloaded through site data.
This commit add information about categories in topic list and ensures
that data is used to display topic list items.

Parent categories are serialized too because they are necessary to
render {{category-link}}.
2023-10-17 19:06:01 +03:00
Discourse Translator Bot 5e6c63901f
Update translations (#23955) 2023-10-17 10:57:06 -04:00
Martin Brennan 3cde7f125d
DEV: Remove hashtag autocomplete experimental setting (#23954)
Everything relying on this was removed in
09223e5ae7
2023-10-17 15:05:58 +10:00
Alan Guo Xiang Tan cbbe3a808b
SECURITY: Add a default limit as to when logs should be truncated
Why this change?

This ensures that malicious requests cannot end up causing the logs to
quickly fill up. The default chosen is sufficient for most legitimate
requests to the Discourse application.

When truncation happens, parsing of logs in supported format like
lograge may break down.
2023-10-16 10:34:38 -04:00
Penar Musaraj 1a70817962
DEV: Add UI for passkeys (3/3) (#23853)
Adds UI elements for registering a passkey and logging in with it. The feature is still in an early stage, interested parties that want to try it can use the `experimental_passkeys` site setting (via Rails console). 

See PR for more details. 
---------

Co-authored-by: Joffrey JAFFEUX <j.jaffeux@gmail.com>
2023-10-13 12:24:06 -04:00
Martin Brennan 9762e65758
FEATURE: Add Revise... option for queued post reviewable (#23454)
This commit adds a new Revise... action that can be taken
for queued post reviewables. This will open a modal where
the user can select a Reason from a preconfigured list
(or by choosing Other..., a custom reason) and provide feedback
to the user about their post.

The post will be rejected still, but a PM will also be sent to
the user so they have an opportunity to improve their post when
they resubmit it.
2023-10-13 11:28:31 +10:00
Tobias Eigen 460e702887
improve desc of review every post admin setting (#23899)
Adds more information about what the "review every post" admin setting does. All new posts are sent to the review queue so they can be reviewed by moderators, but are still published.
2023-10-12 09:43:14 -07:00
Krzysztof Kotlarek cb8190d32f
FEATURE: option to automatically delete unused tags (#23864)
Introduced a new site setting that enables the automatic and daily removal of unused tags.
2023-10-11 23:58:56 +00:00
Penar Musaraj e3e73a3091
DEV: Add routes and controller actions for passkeys (2/3) (#23587)
This is part 2 (of 3) for passkeys support.

This adds a hidden site setting plus routes and controller actions.

1. registering passkeys

Passkeys are registered in a two-step process. First, `create_passkey`
returns details for the browser to create a passkey. This includes
- a challenge
- the relying party ID and Origin
- the user's secure identifier
- the supported algorithms
- the user's existing passkeys (if any)

Then the browser creates a key with this information, and submits it to
the server via `register_passkey`.

2. authenticating passkeys

A similar process happens here as well. First, a challenge is created
and sent to the browser. Then the browser makes a public key credential
and submits it to the server via `passkey_auth_perform`.

3. renaming/deleting passkeys

These routes allow changing the name of a key and deleting it.

4. checking if session is trusted for sensitive actions

Since a passkey is a password replacement, we want to make sure to confirm the user's identity before allowing adding/deleting passkeys. The u/trusted-session GET route returns success if user has confirmed their session (and failed if user hasn't). In the frontend (in the next PR), we're using these routes to show the password confirmation screen. 

The `/u/confirm-session` route allows the user to confirm their session with a password. The latter route's functionality already existed in core, under the 2FA flow, but it has been abstracted into its own here so it can be used independently.


Co-authored-by: Alan Guo Xiang Tan <gxtan1990@gmail.com>
2023-10-11 14:36:54 -04:00
Discourse Translator Bot 88f851432b
Update translations (#23873) 2023-10-11 11:18:02 +02:00
David Taylor f4aeebeb64
UX: Correct description on 'create topic' composer dropdown (#23871)
The 'create topic' entry in the dropdown was incorrectly using the 'reply as new topic' description. This fixes the logic to use a separate locale key for the description.
2023-10-10 13:23:00 +01:00
Tobias Eigen 00b1b88a86
updated description of company_name field (#23818)
If company name field is left blank, no boilerplate TOS or Privacy Notice is provided. Updated the description to make this explicit. For more info, see: https://meta.discourse.org/t/updates-to-new-site-experience-and-the-getting-started-guide/273189#login-page-is-more-welcoming-on-private-sites-3
2023-10-09 15:52:48 -07:00
Krzysztof Kotlarek c468110929
FEATURE: granular webhooks (#23070)
Before this change, webhooks could be only configured for specific groups like for example, all topic events.

We would like to have more granular control like for example topic_created or topic_destroyed.

Test are failing because plugins changed has to be merged as well:
discourse/discourse-assign#498
discourse/discourse-solved#248
discourse/discourse-topic-voting#159
2023-10-09 03:35:31 +00:00
Alan Guo Xiang Tan 832b3b9e60
FEATURE: Remove support for legacy navigation menu (#23752)
Why this change?

Back in May 17 2023 along with the release of Discourse 3.1, we announced
on meta that the legacy hamburger dropdown navigation menu is
deprecated and will be dropped in Discourse 3.2. This is the link to the announcement
on meta: https://meta.discourse.org/t/removing-the-legacy-hamburger-navigation-menu-option/265274

## What does this change do?

This change removes the `legacy` option from the `navigation_menu` site
setting and migrates existing sites on the `legacy` option to the
`header dropdown` option.

All references to the `legacy` option in code and tests have been
removed as well.
2023-10-09 07:24:10 +08:00
Krzysztof Kotlarek e94b553e9a
FEATURE: delete multiple inactive themes/components (#23788)
Ability to select multiple inactive themes or components and delete them all together
2023-10-08 21:35:53 +00:00
Penar Musaraj 921f1279b9
DEV: Update webauthn authentication documentation (#23787)
Also adds a `userHandle` check for first factor verification, though this is not yet implemented in Rails controllers and UI.
2023-10-05 15:22:43 -04:00
Renato Atilio 1d70cf455e
FEATURE: support a description attribute on form template fields (#23744)
* FEATURE: support a description attribute on form template fields
2023-10-04 17:51:53 -03:00
Discourse Translator Bot 24feb20abc
Update translations (#23757) 2023-10-04 09:54:20 +02:00
Mark Doerr 54d43c688f
UX: Update 'gtm_container_id' site setting description (#23763)
It should point to GTM nonce documentation, which is our preferred implementation when the CSP is enabled.
2023-10-03 15:19:23 -04:00
Penar Musaraj 0af6c5efdc
DEV: Refactor webauthn to support passkeys (1/3) (#23586)
This is part 1 of 3, split up of PR #23529. This PR refactors the
webauthn code to support passkey authentication/registration.

Passkeys aren't used yet, that is coming in PRs 2 and 3.

Co-authored-by: Alan Guo Xiang Tan <gxtan1990@gmail.com>
2023-10-03 14:59:28 -04:00
Kris c9db9e9319
A11Y: composer tip close link should be a button (#23731) 2023-10-03 09:09:54 -04:00
KThompson-Lane-Unity 607f700c8c
FEATURE: Add API key scopes for tag_groups (#23634) 2023-10-03 16:20:17 +08:00
Kris 0bb7e9e0b8
A11Y: improve about page profile link markup (#23695) 2023-10-02 13:55:28 -04:00
Kris 5884176174
A11Y: correctly markup `/about` stat table headers, tweak style (#23733) 2023-10-02 13:55:11 -04:00
Kris f5d4ddbff5
A11Y: add page title to account activation step (#23736) 2023-10-02 13:54:52 -04:00
Ted Johansson 7019dbcfe1
DEV: Change share quote visibility setting default to 'all' (#23720)
As pointed out on Meta, having this default to all (anonymous- and logged in users) is probably more sensible than just anonymous.
2023-09-30 11:41:50 +02:00
Ted Johansson fd2912f944
FIX: Remove reference to removed site setting from num_users_to_silence_new_user setting (#23718)
The num_users_to_silence_new_user setting is referencing num_spam_flags_to_silence_new_user, which has been superceded twice.

This change updates the description to reflect that it now operates on the new "sensitivity score" system.
2023-09-30 11:28:04 +02:00
Arpit Jalan b39f823fd3
FEATURE: add custom date range filter for admin dashboard reports (#23702)
* FEATURE: add custom date range filter for admin dashboard reports

* Improvements per David's review
2023-09-29 14:44:17 +05:30
Kris 34cc87db40
A11Y: UI emoji are decorative, use `alt=""` (#23690) 2023-09-28 13:30:19 -04:00
Kris a523f17ed7
A11Y: aria-label for mobile topic list avatar (#23693) 2023-09-28 13:29:56 -04:00
Matt Marjanović 619d43ea47
FEATURE: Add `prompt=none` functionality to SSO Provider protocol (#22393)
This commit adds support for an optional `prompt` parameter in the
payload of the /session/sso_provider endpoint.  If an SSO Consumer
adds a `prompt=none` parameter to the encoded/signed `sso` payload,
then Discourse will avoid trying to login a not-logged-in user:

 * If the user is already logged in, Discourse will immediately
   redirect back to the Consumer with the user's credentials in a
   signed payload, as usual.

 * If the user is not logged in, Discourse will immediately redirect
   back to the Consumer with a signed payload bearing the parameter
   `failed=true`.

This allows the SSO Consumer to simply test whether or not a user is
logged in, without forcing the user to try to log in.  This is useful
when the SSO Consumer allows both anonymous and authenticated access.
(E.g., users that are already logged-in to Discourse can be seamlessly
logged-in to the Consumer site, and anonymous users can remain
anonymous until they explicitly ask to log in.)

This feature is similar to the `prompt=none` functionality in an
OpenID Connect Authentication Request; see
https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
2023-09-28 12:53:28 +01:00
Gerhard Schlager da313ba49b
FEATURE: Add webhooks for user suspend and unsuspend (#23684) 2023-09-28 10:51:05 +02:00
Sam a2da2e02e7
FEATURE: improve error message when double liking (#23698)
If a user somehow is looking at an old version of the page and attempts
to like a post they already like. Display a more reasonable error message.

Previously we would display:

> You are not permitted to view the requested resource.

New error message is:

> Oops! You already performed this action. Can you try refreshing the page?

Triggering this error condition is very tricky, you need to stop the
message bus. A possible reason for it could be bad network connectivity.
2023-09-28 16:53:48 +10:00
Kris 1ad60b791c
FIX: copy codeblocks needs `client: true` (#23686) 2023-09-27 11:03:20 -04:00
Discourse Translator Bot 287d0ec842
Update translations (#23627) 2023-09-27 11:03:00 +02:00
Krzysztof Kotlarek 81f3f56deb
FIX: enable copy code block by default (#23662)
Copy button on code blocks should be enabled by default and this setting should be hidden.
2023-09-27 10:24:19 +10:00
Kris bbb4e19612
UX: improve history modal layout (#23675) 2023-09-26 17:50:09 -04:00
David Taylor 110fdf0189
DEV: Remove dependence on dartsass-sprockets (#23665)
Discourse has a custom stylesheet pipeline which compiles things 'just in time'. The only place we were still running sass files through sprockets was for the `/tests` route in development mode. This use can be removed by compiling the relevant stylesheets through ember-cli instead (which we were already doing for testem runs)

This work was prompted by the incompatibility of dartsass-sprockets with the latest sass-embedded release (https://github.com/tablecheck/dartsass-sprockets/issues/13)
2023-09-26 16:25:07 +01:00
Kris cbf8d85e6b
UX: improve activity column title data (#23614) 2023-09-25 15:53:16 -04:00
Renato Atilio 1cc2c8fcb6
UX: unhide experimental_form_templates (#23615)
* UX: unhide experimental_form_templates

* UX: add description to experimental_form_templates setting
2023-09-25 13:38:06 -03:00
Renato Atilio d93c2cb3d2
FEATURE: site settings to revoke api keys older than a number of days (#23595)
* FEATURE: site settings to revoke api keys older than a number of days
2023-09-15 16:31:29 -03:00
David Taylor a60d7a2bc7
DEV: Modernize admin-site-text route/controller (#23581)
- Switch to `@tracked` and native getters
- Remove queryParam defaults which are awkward to work with. Instead, add `resolvedBlah` getters
- Add 'no results found' text
- Use standard 'model' key instead of a custom `setupController` method
- Remove use of `route-action`
- Remove `{{action` helper

Default queryParams in ember controllers are tricky to work with, especially when combined with the new router service. Instead, we can handle defaults ourselves
2023-09-14 11:27:09 +01:00
Sam 267e8ebaa6
FIX: min_personal_message_post_length not applying to first post (#23531)
* FIX: min_personal_message_post_length not applying to first post

Due to the way PostCreator is wired, we were not applying min_personal_message_post_length
to the first post.

This meant that admins could not configure it so PMs have different
limits.

The code was already pretending that this works, but had no reliable way
of figuring out if we were dealing with a private message
2023-09-13 15:43:54 +10:00
Bianca Nenciu 6f782d8e45
SECURITY: Add limits for themes and theme assets
This commit adds limits to themes and theme components on the:

- file size of about.json and .discourse-compatibility
- file size of theme assets
- number of files in a theme
2023-09-12 15:31:31 -03:00
Gerhard Schlager e3a2446874
SECURITY: Limit number of drafts per user and length of `draft_key`
The hidden site setting max_drafts_per_user defaults to 10_000 drafts per user.
The longest key should be "topic_<MAX_BIG_INT>" which is 25 characters.
2023-09-12 15:31:26 -03:00
OsamaSayegh c1b5faa5fd
SECURITY: Limit name field length of TOTP authenticators and security keys 2023-09-12 15:31:17 -03:00
Blake Erickson 9ac5e09179
DEV: Show separate error message for backup uploads (#23480)
Due to server upload limits backups may receive a 413 error so we need
to display a different error message than the default one we have set
for attachments.
2023-09-12 09:58:29 -06:00