Commit Graph

21248 Commits

Author SHA1 Message Date
Gerhard Schlager f216c6d60b FEATURE: Drop "backup" schema 7 days after restore
The "backup" schema is used to rollback a failed restore. It isn't useful after a longer period of time and turns into a waste of disk space.
2020-01-16 17:48:47 +01:00
Joffrey JAFFEUX 948bd00340
FEATURE: line with only 1 to 3 emojis will now display as large emojis 2020-01-16 09:54:26 +01:00
Martin Brennan 18bba860b5 Fix mobile topic-timeline not closing on scrolling past last post (#8730)
* when we dragged the topic-timeline handle past the last post
  in a topic we were not closing the timeline as we would if
  scrolling to a specific post
* this also fixes the issue where when scrolling past the end of
  the topic with a massive last post, none of the post could be
  seen
2020-01-16 17:23:44 +11:00
Martin Brennan 7c32411881
FEATURE: Secure media allowing duplicated uploads with category-level privacy and post-based access rules (#8664)
### General Changes and Duplication

* We now consider a post `with_secure_media?` if it is in a read-restricted category.
* When uploading we now set an upload's secure status straight away.
* When uploading if `SiteSetting.secure_media` is enabled, we do not check to see if the upload already exists using the `sha1` digest of the upload. The `sha1` column of the upload is filled with a `SecureRandom.hex(20)` value which is the same length as `Upload::SHA1_LENGTH`. The `original_sha1` column is filled with the _real_ sha1 digest of the file. 
* Whether an upload `should_be_secure?` is now determined by whether the `access_control_post` is `with_secure_media?` (if there is no access control post then we leave the secure status as is).
* When serializing the upload, we now cook the URL if the upload is secure. This is so it shows up correctly in the composer preview, because we set secure status on upload.

### Viewing Secure Media

* The secure-media-upload URL will take the post that the upload is attached to into account via `Guardian.can_see?` for access permissions
* If there is no `access_control_post` then we just deliver the media. This should be a rare occurrance and shouldn't cause issues as the `access_control_post` is set when `link_post_uploads` is called via `CookedPostProcessor`

### Removed

We no longer do any of these because we do not reuse uploads by sha1 if secure media is enabled.

* We no longer have a way to prevent cross-posting of a secure upload from a private context to a public context.
* We no longer have to set `secure: false` for uploads when uploading for a theme component.
2020-01-16 13:50:27 +10:00
Mark VanLandingham 135d09d671
FIX: Styling for feature topic on profile modal (#8727) 2020-01-15 15:20:12 -06:00
Arpit Jalan 0bc65fa60e
FIX: show error message if the topic deletion fails (#8723) 2020-01-16 00:58:03 +05:30
Roman Rizzi 2db7b3d9c7
FIX: Correctly wrap image and resize controls inside paragraph (#8718) 2020-01-15 14:01:14 -03:00
Arpit Jalan 0f8695958b FIX: better error message when topic deletion fails 2020-01-15 19:30:06 +05:30
Régis Hanol c4817e9ee9 DEV: lint 💅 2020-01-15 11:36:33 +01:00
Martin Brennan 66f2db4ea4 SECURITY: 2FA with U2F / TOTP 2020-01-15 11:27:12 +01:00
Régis Hanol 5d75f90b27 FIX: group membership leak
FIX: raised a proper NotFound exception when filtering groups by username with invalid username.
FIX: properly filter the groups based on current user visibility when viewing another user's groups.
DEV: Guardian.can_see_group?(group) is now using Guardian.can_see_groups(groups) instead of duplicating the same code.
FIX: spec for groups_controller#index when group directory is disabled for logged in user.
FIX: groups_controller.sortable specs to actually test all sorting combinations.
DEV: s/response_body/body/g for slightly shorter spec code.
FIX: rewrote the "view another user's groups" specs to test all group_visibility and members_group_visibility combinations.
DEV: Various refactoring for cleaner and more consistent code.
2020-01-15 11:21:58 +01:00
Joffrey JAFFEUX ac865112a3
FIX: ensures group-navigation states changes when route changes (#8724) 2020-01-15 10:13:07 +01:00
Joffrey JAFFEUX f4744193bd
FEATURE: allows to define a dissmiss duration on global notices (#8715)
This commit also adds more documentation to various options and defines a 1 week duration for IE global notice dismiss duration.
2020-01-15 09:02:28 +01:00
Joffrey JAFFEUX ec1aeb8a55
FIX: ensures secondary menu of user notifications mobile nav reloads (#8716) 2020-01-15 09:01:44 +01:00
Kris b1508a6f44 UX: Improve appearance of lists and user fields in mobile bios 2020-01-14 16:33:50 -05:00
Mark VanLandingham 5df0ef1e98
FIX: Update user-selector excluded usernames after insert (#8711) 2020-01-14 10:28:35 -06:00
Gerhard Schlager c351ffe580 FEATURE: Add hidden setting to disable configuration of inventory bucket 2020-01-14 17:23:12 +01:00
David Taylor 12d2fe7ff6 UX: Ensure all generated backup codes are displayed on the screen 2020-01-14 15:33:27 +00:00
David Taylor 4fdfc2665d FIX: Update featured badge ranking when mass-awarding badges
Follow-up to cff6e941de
2020-01-14 14:39:20 +00:00
David Taylor cff6e941de
PERF: Cache ranks for featured badges, to simplify user serialization (#8698) 2020-01-14 14:26:49 +00:00
Joffrey JAFFEUX f10078eab4
FIX: moves back padStart/padEnd to core polyfills (#8714)
Multiple users are on chrome 56 when this is only supported on chrome 57. Given it's only few lines of code, it makes sense to keep supporting this.
2020-01-14 10:54:39 +01:00
romanrizzi d3091edcea UX: Return a friendlier error when the CSV is invalid. Added a cancel button to return to the /badges view 2020-01-13 15:53:41 -03:00
Robin Ward e4a85e2a80 Minor tweaks to badge CSV upload 2020-01-13 12:44:22 -05:00
Roman Rizzi d69c5eebcf
Feature: Mass award badge (#8694)
* UI: Mass grant a badge from the admin ui

* Send the uploaded CSV and badge ID to the backend

* Read the CSV and grant badge in batches

* UX: Communicate the result to the user

* Don't award if badge is disabled

* Create a 'send_notification' method to remove duplicated code, slightly shrink badge image. Replace router transition with href.

* Dynamically discover current route
2020-01-13 11:20:26 -03:00
Martin Brennan 9e399b42b9 DEV: Remove redundant admin_login route, share with email_login 2020-01-13 12:10:07 +10:00
Blake Erickson 1a31a403ce DEV: Remove buffered-render file
This is the last and final commit in a multi-commit refactor to remove
all uses of buffered-render.

Previous commit: fc94b6cb9e in this
series.
2020-01-10 18:19:23 -07:00
Penar Musaraj 687c79ca1c FIX: Remove padding while composer is saving
Padding on `#main-outlet` while compooser was in "saving" state was causing posts to bounce after replying.
2020-01-10 12:57:16 -05:00
Mark VanLandingham 5898afaa73
FEATURE: pass in excluded usernames to user-selector (#8695) 2020-01-10 09:02:43 -08:00
Rafael dos Santos Silva 5a70f50032
FEATURE: Use new Badging API
Now that the spec is finished use the unprefixed API, which was also moved
from window to navigator.

Still uses feature detection so it fail gracefully when not available in
the user agent.
2020-01-10 13:41:35 -03:00
Dan Ungureanu 815116f6a2
FIX: Make 'findBySlugPathWithID' when URL ends with a slash (#8699)
Make URLs such as 'https://discourse/c/foo/bar/' work the same way
'https://discourse/c/foo/bar' does.
2020-01-10 17:02:36 +02:00
Joffrey JAFFEUX 5ce602ecea FIX: prevents url of file from being pasted when pasting file on iOS (#8693) 2020-01-10 08:39:01 +05:30
Martin Brennan cb660ef952 SECURITY: Improve second factor auth logic 2020-01-10 10:45:56 +10:00
Kris dd52291fb7 UX: Center featured topic on mobile profiles 2020-01-09 16:35:34 -05:00
Kris ef9828b25d UX: Remove reliance on JS for category box links 2020-01-09 16:25:41 -05:00
Robin Ward dcbe527a82 FIX: Don't log a claimed topic database error during tests
We now test the uniqueness validation, but also rescue a DB
exception in case the controller fails this check.
2020-01-09 12:32:05 -05:00
Robin Ward d043a4c6fe FIX: Stop logging errors in postgres on reviewable conflict
The previous concurrency-safe implementation relied on catching an
index conflict and following through appropriately. Unfortunately
those conflicts were logged to Postgres and there is no easy way
to turn them off.

This solution approaches the problem differently. It should still
be safe under concurrency and not log errors.
2020-01-09 12:04:17 -05:00
Jarek Radosz 531016f99b
DEV: Add missing indexes to user_profiles (#8691)
* DEV: Update model annotations
* DEV: Add missing indexes to user_profiles

The columns were changed in 24347ace10 (diff-baa5914c0c7cddf3c8b5cd9139e0d091)
2020-01-09 17:08:55 +01:00
Régis Hanol 92a9ae6ab0
REFACTOR: isValidLink
- Reduced verbose comments
- Merged 2 `if` which had the same logic
2020-01-08 18:14:24 +01:00
David Taylor 5eda44f8f2 FIX: Do not redirect to `/auth/*` urls after authentication
When using the login confirmation screen, the referrer URL is `/auth/{provider}`. That means that the user is redirected back to the confirmation screen after logging in, even though login was successful. This is very confusing. Instead, they should be redirected to the homepage.
2020-01-08 17:06:03 +00:00
Robin Ward e616b92511 FIX: If the admin sso sync has no external ID, don't throw an error
Instead, return a HTTP error code and a message explaining the problem,
to avoid log pollution.
2020-01-08 11:47:37 -05:00
David Taylor 4d5b142f1d DEV: Allow `doLogin` to be called with a set of parameters
This can be used for themes/plugins to specify additional URL parameters to be used when starting authentication. Example usage:

```
LoginMethod.findAll()[0].doLogin({params: {mydata: "myvalue"}});
```
2020-01-08 16:13:12 +00:00
Jarek Radosz 502f154cfc
FIX: Don't leak event listeners in user-activity-drafts (#8682) 2020-01-08 16:55:10 +01:00
David Taylor cf60de59b1 FIX: Allow omniauth confirmation page to pass through GET parameters
Using the rails `form_tag` helper generates a form with the action attribute set to the current URL (without parameters). In this case, we want to include any GET parameters, so it is better to exclude the action attribute from the form tag, and allow browsers to submit to the current URL.
2020-01-08 15:31:51 +00:00
Vinoth Kannan 13f229808a FIX: add noindex header to user profile pages. 2020-01-08 11:26:20 +05:30
Martin Brennan bdff4561d4 FIX: Make scrolling to bottom post in topic more consistent (#8671)
* Make scrolling to bottom post in topic more consistent

* when using the slider to scroll past the bottom post,
  we now scroll to the bottom of the post/page IF the
  post height is > the window height (e.g. really long
  posts). if the post height is smaller, then we lock
  onto and jump to the top of the post
* this also removes the mobile hack that would always jump
  to the top of the last post on mobile

* Prettier lint
2020-01-08 16:37:13 +11:00
Kris a8fbf7c128 minor subcategory box padding adjustments 2020-01-07 20:54:27 -05:00
Mark VanLandingham c01c937151
DEV: Allow returning non-objects from addToolbarPopupMenuOptionsCallback (#8677) 2020-01-07 16:01:11 -06:00
Kris cae60b5900 UX: Sub-sub categories in "Boxes with subcategories" + consistency 2020-01-07 16:38:17 -05:00
Robin Ward abff3716ba
Upgrade handlebars (#8675)
* Upgrade Handlebars to 4.3.0

* Upgrade Handlebars to the latest version
2020-01-07 15:37:37 -05:00
Kris e0539d7ffe remove log 2020-01-07 11:28:56 -05:00