Commit Graph

721 Commits

Author SHA1 Message Date
Penar Musaraj 5c02bfb000 FEATURE: Site settings for linking with iOS/Android native apps
- Adds support for iOS Universal Links via an `apple-app-site-association` endpoint

 Adds support for Google Digital Asset Links at the `.well-known/assetlinks.json` endpoint
2019-08-27 14:05:37 -04:00
David Taylor 8e5a8d1d54 Merge pull request from GHSA-7cmh-wm9h-j63f 2019-08-27 09:11:19 -07:00
romanrizzi 03d51d6519 FIX: Display actual readers on the first post 2019-08-27 12:13:38 -03:00
Roman Rizzi 7c741fa0d6
FEATURE: Publish read state on group messages. (Originally introduced in #7989) (#8025)
* Revert "Revert "FEATURE: Publish read state on group messages. (#7989) [Undo revert] (#8024)""

This reverts commit 36425eb9f0.

* Fix: Show who read only if the attribute is enabled

* PERF: Precalculate the last post  readed by a group member

* Use book-reader icon instear of far-eye

* FIX: update topic groups correctly

* DEV: Tidy up read indicator update on write
2019-08-27 09:09:00 -03:00
Roman Rizzi 3259ea60a6
DEV: Remove code deprecated by the new Reviewable API (#8023)
* Remove flag hooks and endpoints

* Remove #reject_bulk for users

* Remove code for quued_posts_controller
2019-08-26 10:33:26 -03:00
Penar Musaraj 14cdb01254 FIX: Allow topic edits when using a hidden tag
Previously, a regular user could not edit the title or category
of a topic if a hidden tag had already been applied.

This also stops hidden tag names from leaking in the error message.
2019-08-21 16:33:01 -04:00
romanrizzi 36425eb9f0 Revert "FEATURE: Publish read state on group messages. (#7989) [Undo revert] (#8024)"
This reverts commit 5dda5c2f7c.
2019-08-20 13:29:22 -03:00
Roman Rizzi 5dda5c2f7c
FEATURE: Publish read state on group messages. (#7989) [Undo revert] (#8024)
* Reenable: "FEATURE: Publish read state on group messages. (#7989)"

This reverts commit 67f5cc1ce8.

* FIX: Read indicator only appears when the group setting is enabled
2019-08-20 11:57:25 -03:00
romanrizzi 67f5cc1ce8 Revert "FEATURE: Publish read state on group messages. (#7989)"
This reverts commit 1630dae2db.
2019-08-20 10:24:34 -03:00
Roman Rizzi 1630dae2db
FEATURE: Publish read state on group messages. (#7989)
* Enable or disable read state based on group attribute

* When read state needs to be published, the minimum unread count is calculated in the topic query. This way, we can know if someone reads the last post

* The option can be enabled/disabled from the UI

* The read indicator will live-updated using message bus

* Show read indicator on every post

* The read indicator now shows read count and can be expanded to see user avatars

* Read count gets updated everytime someone reads a message

* Simplify topic-list read indicator logic

* Unsubscribe from message bus on willDestroyElement, removed unnecesarry values from post-menu, and added a comment to explain where does minimum_unread_count comes from
2019-08-20 09:46:57 -03:00
Régis Hanol 53667a01c2 FIX: ensure extra locales are only available to staff 2019-08-20 12:38:46 +02:00
Arpit Jalan 24f94c40a6 SECURITY: don't reveal category details to users that do not have access 2019-08-19 12:38:28 +05:30
Robin Ward 23367e79ea
FEATURE: Embed topics list on remote sites via Javascript API. (#8008)
This adds support for a `<d-topics-list>` tag you can embed in your site
that will be rendered as a list of discourse topics. Any attributes on
the tag will be passed as filters. For example:

`<d-topics-list discourse-url="URL" category="1234">` will filter to category 1234.

To use this feature, enable the `embed topics list` site setting. Then
on the site you want to embed, include the following javascript:

`<script
src="http://URL/javascripts/embed-topics.js"></script>`

Where `URL` is your discourse forum's URL.

Then include the `<d-topics-list discourse-url="URL">` tag in your HTML document and it will
be replaced with the list of topics.
2019-08-15 13:41:06 -04:00
Vinoth Kannan 88359b0f16
FEATURE: add support for group members visibility level (#8004)
There are 5 visibility levels (similar to group visibility)

public (default)
logged-in users
members only
staff
owners

Admins & group owners always have visibility to group members.
2019-08-14 19:00:04 +05:30
Bianca Nenciu ba396a5384
DEV: Use ResultSet with staff action logs. (#7661) 2019-08-13 20:55:05 +03:00
David Taylor 1a8fee11a0 DEV: If only one auth provider is enabled allow GET request
In this case, the auth provider is acting as a SSO provider, and can be trusted to maintain its own CSRF protections.
2019-08-12 11:03:05 +01:00
David Taylor 750802bf56
UX: Improve error handling for common OmniAuth exceptions (#7991)
This displays more useful messages for the most common issues we see:
- CSRF (when the user switches browser)
- Invalid IAT (when the server clock is wrong)
- OAuth::Unauthorized for OAuth1 providers, when the credentials are incorrect

This commit also stops earlier for disabled authenticators. Now we stop at the request phase, rather than the callback phase.
2019-08-12 10:55:02 +01:00
David Taylor 90108b2450 FIX: Correct OmniAuth route ordering
/auth/failure should be given higher precedence than /auth/:provider
2019-08-08 15:49:09 +01:00
David Taylor 3b8c468832 SECURITY: Require POST with CSRF token for OmniAuth request phase 2019-08-08 11:58:00 +01:00
Gerhard Schlager 24877a7b8c FIX: Correctly encode non-ASCII filenames in HTTP header
Backport of fix from Rails 6: 890485cfce
2019-08-07 19:10:50 +02:00
Bianca Nenciu b60b2a342f
FIX: Show membership requests link just for group owners. (#7543) 2019-08-06 13:28:22 +03:00
Daniel Waterworth 4ae8065f2c
DEV: Default to skipping creating a topic when fabricating categories (#7976)
This speeds up the test suite by 9%
2019-08-06 11:26:54 +01:00
Guo Xiang Tan 3b575b82f3 Fix the build.
1481ea640c broke it.
2019-08-01 15:23:50 +08:00
Arpit Jalan 1481ea640c FIX: better error message on username update from Admin user page. 2019-08-01 10:23:42 +05:30
Neil Lalonde 9656a21fdb
FEATURE: customization of html emails (#7934)
This feature adds the ability to customize the HTML part of all emails using a custom HTML template and optionally some CSS to style it. The CSS will be parsed and converted into inline styles because CSS is poorly supported by email clients. When writing the custom HTML and CSS, be aware of what email clients support. Keep customizations very simple.

Customizations can be added and edited in Admin > Customize > Email Style.

Since the summary email is already heavily styled, there is a setting to disable custom styles for summary emails called "apply custom styles to digest" found in Admin > Settings > Email.

As part of this work, RTL locales are now rendered correctly for all emails.
2019-07-30 15:05:08 -04:00
Sam Saffron 5feb342914 Revert "FEATURE: add Noindex to robots.txt for disallowed routes"
This reverts commit d84256a876.

This is not supported by Google and causes robots.txt to be flagged as
invalid

Removing Noindex
2019-07-30 11:33:38 +10:00
Osama Sayegh 525920a979
FIX: Better error when SSO fails due to blank secret (#7946)
* FIX: Better error when SSO fails due to blank secret

* Update spec/requests/session_controller_spec.rb

Co-Authored-By: Robin Ward <robin.ward@gmail.com>
2019-07-26 17:37:23 +03:00
Robin Ward a727968112 FIX: Provide an error message if no valid tags were selected 2019-07-25 12:46:16 -04:00
David Taylor 864f68725a DEV: Correct test from 9c1c8b45 2019-07-24 11:45:36 +01:00
David Taylor 0a6cae654b SECURITY: Add confirmation screen when connecting associated accounts 2019-07-24 10:28:15 +01:00
Osama Sayegh 8b5f44a9a7
FIX: apply defaults constraints to routes format (take 2) (#7920)
Reapplies 7d01c5de1a
2019-07-23 20:17:44 +03:00
Saurabh Patel 9e0a3b8229 bug: keep query params present in auth_redirect (#7923)
https://meta.discourse.org/t/user-api-keys-payload-and-existing-query-string-leads-to-a-double-question-mark/123617
2019-07-23 12:16:03 -04:00
Joffrey JAFFEUX e117b10ea8
FIX: improves tags checking when updating category of topic (#7921)
- will ensure this tag is not restricted to another category, and not only ensure this category can use it
- will clean tags param, in case client is sending an empty array, eg: [""], this could be solved client-side, but we ensure it won't happen ever this way
2019-07-23 17:06:25 +02:00
Osama Sayegh f14c6d81f4
FEATURE: Watched words improvements (#7899)
This commit contains 3 features:

- FEATURE: Allow downloading watched words
This introduces a button that allows admins to download watched words per action in a `.txt` file.

- FEATURE: Allow clearing watched words in bulk
This adds a "Clear All" button that clears all deleted words per action (e.g. block, flag etc.)

- FEATURE: List all blocked words contained in the post when it's blocked
When a post is rejected because it contains one or more blocked words, the error message now lists all the blocked words contained in the post.

-------

This also changes the format of the file for importing watched words from `.csv` to `.txt` so it becomes inconsistent with the extension of the file when watched words are exported.
2019-07-22 14:59:56 +03:00
Gerhard Schlager 651a5b6e40 SECURITY: Validate backup chunk identifier 2019-07-22 08:43:16 +02:00
Robin Ward 8dd3cbfcb9
FEATURE: Allow choice of category when making a PM public (#7907)
* FEATURE: Allow choice of category when making a PM public

Previously it would default to uncategorized, which was not ideal on
some forums. This gives the staff member more choice about what they'd
like to do.

* Make the optional category more explicit

* Joffrey's feedback
2019-07-19 11:52:50 -04:00
Arpit Jalan 1f1b3e99d1 UX: update invite 'not found' message 2019-07-19 16:39:44 +05:30
Arpit Jalan eb9155f3fe
FEATURE: send max 200 emails every minute for bulk invites (#7875)
DEV: deprecate `invite.via_email` in favor of `invite.emailed_status`

This commit adds a new column `emailed_status` in `invites` table for
 tracking email sending status.
 0 - not required
 1 - pending
 2 - bulk pending
 3 - sending
 4 - sent

For normal email invites, invite record is created with emailed_status
 set to 'pending'.

When bulk invites are sent invite record is created with emailed_status
 set to 'bulk pending'.

For invites that generates link, invite record is created with
 emailed_status set to 'not required'.

When invite email is in queue emailed_status is updated to 'sending'

Once the email is sent via `InviteEmail` job the invite emailed_status
 is updated to 'sent'.
2019-07-19 11:29:12 +05:30
Roman Rizzi f5c707c97a
FEATURE: Gz to zip for exports (#7889)
* Revert "Revert "FEATURE: admin/user exports are compressed using the zip format (#7784)""

This reverts commit f89bd55576.

* Replace .tar.zip with .zip
2019-07-18 09:34:48 -03:00
Osama Sayegh eff1c19e3b FIX: Fallback to gzip compression if brotli isn't supported (#7895) 2019-07-16 11:05:37 -03:00
Michael Brown e8ee392186 Revert "FIX: apply defaults constraints to routes format (#7890)"
This reverts commit 7d01c5de1a.

Trivial get on / was failing with a 404 with this change.
2019-07-15 17:31:24 -04:00
Osama Sayegh 7d01c5de1a
FIX: apply defaults constraints to routes format (#7890)
This fixes the problem where if a route ends with a dynamic segment and the segment contains a period e.g. `my.name`, `name` is interpreted as the format. This applies a default format constraints `/(json|html)/` on all routes. If you'd like a route to have a different format constraints, you can do something like this:

```ruby
get "your-route" => "your_controlller#method", constraints: { format: /(rss|xml)/ }

#or
get "your-route" => "your_controlller#method", constraints: { format: :xml }
```
2019-07-15 21:55:11 +03:00
Osama Sayegh 6515ff19e5
FEATURE: Allow customization of robots.txt (#7884)
* FEATURE: Allow customization of robots.txt

This allows admins to customize/override the content of the robots.txt
file at /admin/customize/robots. That page is not linked to anywhere in
the UI -- admins have to manually type the URL to access that page.

* use Ember.computed.not

* Jeff feedback

* Feedback

* Remove unused import
2019-07-15 20:47:44 +03:00
Vinoth Kannan 839916aa49
DEV: Debundle plugin javascript assets and don't load if disabled (#7566)
And don't load javascript assets if plugin is disabled.

* precompile auto generated plugin js assets

* SPEC: remove spec test functions

* remove plugin js from test_helper

Co-Authored-By: Régis Hanol <regis@hanol.fr>

* DEV: using equality is slightly easier to read than inequality

Co-Authored-By: Régis Hanol <regis@hanol.fr>

* DEV: use `select` method instead of `find_all` for readability

Co-Authored-By: Régis Hanol <regis@hanol.fr>
2019-07-15 20:22:54 +05:30
Arpit Jalan fffca4234c FIX: allow ampersand in site_texts routes 2019-07-15 16:39:57 +05:30
Guo Xiang Tan a4234e9be0 DEV: Minor tweaks to `Admin::WatchedWordsController`. 2019-07-15 10:22:46 +08:00
romanrizzi f89bd55576 Revert "FEATURE: admin/user exports are compressed using the zip format (#7784)"
This reverts commit 8b2580e20f.
2019-07-10 11:38:51 -03:00
Roman Rizzi 8b2580e20f
FEATURE: admin/user exports are compressed using the zip format (#7784)
* FEATURE: admin/user exports are compressed using the zip format

* Update translations. Theme exporter now exports .zip file. Theme importer supports .zip and .gz files

* Fix controller test, updated locale and skip saving the csv export to disk
2019-07-10 11:13:03 -03:00
Dan Ungureanu 9f5cfa192e
FEATURE: Allow Markdown in post notices. (#7864) 2019-07-09 14:42:02 +03:00
Penar Musaraj b690fc3d98
FEATURE: Add new group visibility option for "logged on users" (#7814)
Groups can now be marked as visible to "logged on users". All automatic groups (except `everyone`) are now visible to "logged on users", previously they were marked as public but suppressed in the group page for non-staff.
2019-07-08 15:09:50 -04:00
Arpit Jalan 2cd4e95d82 FIX: show category name in title for crawler view
Show category name in title for crawler view despite presence of `short_site_description`.

Bug reported here: https://meta.discourse.org/t/short-site-description-break-category-title-for-crawler-or-its-the-expected-behavior/122109/
2019-07-08 11:42:39 +05:30
David Taylor 2063d20e9a Revert "DEV: Let OmniAuth strategies return auth result. (#7833)"
This reverts commit dc5eb76551.

It is better to keep any custom redirect logic within omniauth, without relying on the app
2019-07-04 10:06:18 +01:00
Joffrey JAFFEUX 71bf9ec1b2
FEATURE: opt-in guidance on topics for users without access (#7852)
Co-Authored-By: majakomel <maja.komel@gmail.com>
Co-Authored-By: Robin Ward <robin.ward@gmail.com>
2019-07-04 10:12:39 +02:00
Arpit Jalan 1708be4f27
FEATURE: support query params when redirecting to internal link on login (#7829) 2019-07-04 11:11:43 +05:30
Osama Sayegh 3d64532273 FEATURE: allow disabling theme components (#7812)
This allows you to temporarily disable components without having to remove them from a theme. 

This feature is very handy when doing quick fix engineering.
2019-07-03 18:18:11 +10:00
Osama Sayegh f1c67729de Different fix (#7815) 2019-07-02 11:53:16 +10:00
Sam Saffron 4dcc5f16f1 FEATURE: when under extreme load disable search
The global setting disable_search_queue_threshold
(DISCOURSE_DISABLE_SEARCH_QUEUE_THRESHOLD) which default to 1 second was
added.

This protection ensures that when the application is unable to keep up with
requests it will simply turn off search till it is not backed up.

To disable this protection set this to 0.
2019-07-02 11:22:01 +10:00
Dan Ungureanu dc5eb76551 DEV: Let OmniAuth strategies return auth result. (#7833) 2019-07-01 13:13:11 -03:00
Ralph Rooding 4ba35472e6 Don't check for second factor when switching to anonymous account (#7803) 2019-06-27 15:01:26 -07:00
Sam Saffron 5bc5c02af6 FIX: mark topics in sub categories as unread when dismissing parent
Previously we would only dismiss the parent category and leave the
child categories unread
2019-06-27 13:26:48 +10:00
Jeff Wong 88ef5e55fe
FEATURE: add ability to have multiple totp factors (#7626)
Adds a second factor landing page that centralizes a user's second factor configuration.

This contains both TOTP and Backup, and also allows multiple TOTP tokens to be registered and organized by a name. Access to this page is authenticated via password, and cached for 30 minutes via a secure session.
2019-06-26 16:58:06 -07:00
David Taylor afb5ec811d FIX: Don't use DistributedCache to store redis readonly state
This can cause unbound CPU usage in some cases, and excessive logging in other cases. This commit moves redis readonly information into the local process, but maintains the DistributedCache for postgres readonly state.
2019-06-25 11:20:34 +08:00
Penar Musaraj e51de4cc25
FEATURE: Add endpoint to individually update a theme setting (#7789)
- also adds a new staff action type called "change theme setting" for easier logging of staff changes to theme settings
2019-06-21 13:49:14 -04:00
David Taylor e6e47f2fb2 SECURITY: Add confirmation screen when logging in via user-api OTP 2019-06-17 16:18:44 +01:00
David Taylor 52387be4a4 SECURITY: Add confirmation screen when logging in via email link 2019-06-17 16:18:37 +01:00
David Taylor 5f6f707080 Revert "Merge pull request from GHSA-hv9p-jfm4-gpr9"
This reverts commit b8340c6c8e.
2019-06-17 16:17:10 +01:00
David Taylor b8340c6c8e
Merge pull request from GHSA-hv9p-jfm4-gpr9
* SECURITY: Add confirmation screen when logging in via email link

* SECURITY: Add confirmation screen when logging in via user-api OTP

* FIX: Correct translation key in session controller specs

* FIX: Use .email-login class for page
2019-06-17 15:59:41 +01:00
Arpit Jalan 863d8014d0 FIX: respond with 400 error on invalid redirect param 2019-06-17 16:44:30 +05:30
Sam Saffron 704c579550 FIX: do not allow unbound membership lookups
Previously we would allow looking up membership limits in an unbound way
via the API, this introduces an upper limit of 1000 per page.
2019-06-17 15:32:06 +10:00
Arpit Jalan 7b66f8fb46 DEV: optimize bulk invite process 2019-06-12 16:33:19 +05:30
Sam Saffron 89c4332ac1 DEV: correct spec making bad assumptions
bio_cooked is not meant to be touched directly, on save we "cook" the raw
bio.
2019-06-12 16:31:50 +10:00
Arpit Jalan e2636f0ec7 FIX: handle array in redirect param 2019-06-11 17:49:09 +05:30
Sam Saffron 7b17eb06da FEATURE: ban any SSO attempts with invalid external id
We now treat any external_id of blank string (" " or "     " or "", etc) or a
invalid word (none, nil, blank, null) - case insensitive - as invalid.

In this case the client will see "please contact admin" the logs will explain
the reason clearly.
2019-06-11 10:04:26 +10:00
Gerhard Schlager bae7b75e23 FIX: Updating a user profile as admin shouldn't change the user's locale 2019-06-07 17:53:46 +02:00
Penar Musaraj f00275ded3 FEATURE: Support private attachments when using S3 storage (#7677)
* Support private uploads in S3
* Use localStore for local avatars
* Add job to update private upload ACL on S3
* Test multisite paths
* update ACL for private uploads in migrate_to_s3 task
2019-06-06 13:27:24 +10:00
Bianca Nenciu e0c821ebb0 FEATURE: Make staff action logs page support infinite loading 2019-06-06 13:02:53 +10:00
Roman Rizzi c3a38d2304 DEV: Make groups/new extensible by plugins (#7642)
* Expose a new plugin outlet. Pass group model to the group-member-dropdown so it can be accessed by plugins

* Added controller tests for group custom fields. update custom fields when updating a group
2019-06-06 12:05:33 +10:00
Robin Ward f1d547c301 FEATURE: Show "in reply to" on the review queue
We now show if a queued or flagged post is a reply to another when in
the review queue. It's especially helpful for queued posts where
normally they are linked to the topic where they are created, and you
have no context about the reply.

Note that this will only apply to new queued posts going forward.
Previously queued posts will not show the "in reply to"
2019-06-05 12:34:41 -04:00
Sam Saffron 78509eacb7 DEV: lint file
followup to 9779307e
2019-06-05 11:32:47 +10:00
Maja Komel 9779307efc DEV: simpler spec for wayback machine crawler layout (#7696)
follow-up on 42809f4d
2019-06-05 11:24:52 +10:00
Régis Hanol 33bc8c276d FIX: default top timeframe was overriding best_periods_for 2019-06-04 10:57:50 +02:00
Maja Komel 7da875f52a FIX: trigger user_updated webhook when avatar changes 2019-06-04 16:46:46 +08:00
Maja Komel 42809f4d69 FIX: use crawler layout when saving url in Wayback Machine (#7667) 2019-06-03 12:13:32 +10:00
Sam Saffron f415712269 DEV: avoid double sign-in which can lead to flaky tests
We should not be signing in twice in tests, it is both wasteful and risky
2019-06-03 10:15:49 +10:00
Robin Ward 2e0a40007b FIX: Category topics should not be deletable via review queue 2019-05-30 16:43:23 -04:00
romanrizzi e7ee556e87 Support multi-group user search 2019-05-30 08:45:20 +08:00
Sam Saffron b114bcd294 DEV: switch message bus backend to memory for tests
This backend is a bit faster and well tested, this is part of a longer
term plan to have a `backend: :memory, threaded: false` type config for
message bus which we can use in test.

The threading in message bus causes all sorts of surprises in test, it will
be nice not to be beholden to them.
2019-05-29 16:34:55 +10:00
Guo Xiang Tan f0620e7118 FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2.
Previous attempt was missing `post_uploads` records.
2019-05-29 09:26:32 +08:00
Penar Musaraj 7c9fb95c15 Temporarily revert "FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD. (#7603)"
This reverts commit b1d3c678ca.

We need to make sure post_upload records are correctly stored.
2019-05-28 16:37:01 -04:00
Guo Xiang Tan b1d3c678ca FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD. (#7603) 2019-05-28 11:18:21 -04:00
Bianca Nenciu 07b80d491b FIX: Refresh automatic groups after inviting moderators. 2019-05-28 17:19:34 +08:00
Robin Ward d95a68b837 FEATURE: When suspending a user, allow the Delete + Replies action
Previously you could only delete the post
2019-05-27 12:27:16 -04:00
Robin Ward 89b84651c3 Migrate score settings to use sensitivities
We hide scores so these settings no longer made sense.
2019-05-24 15:44:24 -04:00
Gerhard Schlager f4a471f0eb FIX: Correctly cache hash of extra translations 2019-05-24 11:38:26 +02:00
Gerhard Schlager c1e9a70d59 FIX: Fallback locale was not available for extra translations
Translations from fallback locales were not sent to the client
for admin_js and wizard_js.
2019-05-24 11:38:26 +02:00
Robin Ward e74cd54fc6 REFACTOR: Replace score bonuses with low/med/high priorities
We removed score from the UX so it makes more sense to have sites set
priorities instead of score bonuses.
2019-05-23 11:54:45 -04:00
Gerhard Schlager 58f72cd439 Remove duplicate translations 2019-05-22 16:15:22 +02:00
Sam Saffron 307c526840 DEV: correct test that assumed group 123 did not exist
This is an incorrect assumption leading to a flaky test, cause for all we
know, since sequences do not reset every test, group 123 could exist.
2019-05-21 12:57:14 +10:00
Gerhard Schlager b788948985 FEATURE: English locale with international date formats
Makes en_US the new default locale
2019-05-20 13:47:20 +02:00
Guo Xiang Tan 148bfc9be5 DEV: Simplify client and server side code to support removing tags.
Follow up to 834c86678f.
2019-05-17 16:39:20 +08:00