Commit Graph

633 Commits

Author SHA1 Message Date
David Battersby 967010e545
FEATURE: Add an emoji deny list site setting (#20929)
This feature will allow sites to define which emoji are not allowed. Emoji in this list should be excluded from the set we show in the core emoji picker used in the composer for posts when emoji are enabled. And they should not be allowed to be chosen to be added to messages or as reactions in chat.

This feature prevents denied emoji from appearing in the following scenarios:
- topic title and page title
- private messages (topic title and body)
- inserting emojis into a chat
- reacting to chat messages
- using the emoji picker (composer, user status etc)
- using search within emoji picker

It also takes into account the various ways that emojis can be accessed, such as:
- emoji autocomplete suggestions
- emoji favourites (auto populates when adding to emoji deny list for example)
- emoji inline translations
- emoji skintones (ie. for certain hand gestures)
2023-04-13 15:38:54 +08:00
David Taylor a0140f6f75
DEV: Introduce regex_timeout_seconds global setting (#20774)
This is introduced as `nil` by default. We intend to set a sensible default once we have performed some real-world testing.
2023-03-22 12:01:35 +00:00
Keegan George 15cf62411a
DEV: Add `/theme-qunit` to skipped mini profiler paths (#20551) 2023-03-06 14:56:27 -08:00
David Taylor 62dc37ac35
DEV: Improve mini_profiler skipped paths (#20544)
- Remove no-longer-used `commits-widget` and `site_customizations` paths
- Add `/presence/`
- Move from regex to strings. The unanchored regexes were causing unexpected behaviour (e.g. if a topic had the word `assets` in its slug, it would be skipped). When passed strings, mini-profiler uses `String#starts_with?` for comparison
- Add `Discourse.base_path` to ensure proper functionality in subfolder environments
2023-03-06 11:39:15 +00:00
David Taylor 41f933ce89
PERF: Skip metadata routes for mini_profiler (#20543)
Mini-profiler causes routes to become uncacheable. When using mini_profiler in production, the lack of cache on these routes can have a noticeable impact on performance/rate-limiting.
2023-03-06 11:08:32 +00:00
Martin Brennan 7a593e2fb5
DEV: Use internal __autoloads for zeitwork reload check (#20260)
Since ad6c028484
in the zeitwork repo which was introduced to discourse/discourse in PR #20253,
the `autoloads` attribute on the loader has been marked `internal`, which means
that it errors if we try to access it directly.

Instead we should access it via the "mangled" version so it is clear
we're accessing an internal property, which is `__autoloads`.

Without this, any time a ruby file is saved the
000-development_reload_warnings.rb initializer will error.
2023-02-13 16:26:40 +10:00
Blake Erickson 64986244d7
DEV: Change default bootstrap min users for private sites (#19810)
* DEV: Change default bootstrap min users for private sites

Private sites should have a lower min users to escape bootstrap mode.

* reset back to 50 if site is changed to public, added some tests

* fix formatting

* Remove comment

* Move constant declaration

* Update config/initializers/014-track-setting-changes.rb

Shaving a bit of repetition

Co-authored-by: Jarek Radosz <jradosz@gmail.com>

* Remove commented out code

* stree

---------

Co-authored-by: Jarek Radosz <jradosz@gmail.com>
2023-01-31 09:09:03 -07:00
David Taylor eee97ad29a
DEV: Patch capybara to ignore client-triggered errors (#19972)
In dev/prod, these are absorbed by unicorn. Most commonly, they occur when a client interrupts a message-bus long-polling request.

Also reverts the EPIPE workaround introduced in 011c9b9973
2023-01-24 11:07:29 +00:00
David Taylor e2db764cdd
DEV: Remove older ruby version logic (#19971)
Discourse no longer boots on anything less than 3.1, so these code paths will never be used
2023-01-24 10:42:56 +00:00
David Taylor 5406e24acb
FEATURE: Introduce pg_force_readonly_mode GlobalSetting (#19612)
This allows the entire cluster to be forced into pg readonly mode. Equivalent to running `Discourse.enable_pg_force_readonly_mode` on the console.
2023-01-19 13:59:11 +00:00
David Taylor 011c9b9973
DEV: Use message-bus chunked encoding in development (#19878)
This was previously disabled because of incompatibility with the ember-cli proxy. This commit fixes that incompatibility, and restores the development behaviour to match production.

There were three issues at play:

1. Our bootstrap-js addon handles the forwarding of most requests in the ember-cli proxy. This is not built to handle streaming responses. Solution: skip our custom request processing for `/message-bus/*` and use ember-cli's default `http-proxy`.

2. The request/response size-limiting middleware (`rawMiddleware`) would apply even to unhandled paths, causing request and response bodies to be buffered. Solution: skip it for any paths which are not handled by our custom addon.

3. Expressjs servers will buffer/compress responses. Solution: add `Cache-Control: no-transform` to message-bus responses. For now I've done this in development only, but it may be useful to add it to message-bus's default headers in future
2023-01-17 09:54:33 +00:00
Loïc Guitaut 4093fc6074 Revert "DEV: Migrate existing cookies to Rails 7 format"
This reverts commit 66e8fe9cc6 as it
unexpectedly caused some users to be logged out. We are investigating
the problem.
2023-01-12 12:07:49 +01:00
Loïc Guitaut 66e8fe9cc6 DEV: Migrate existing cookies to Rails 7 format
This patch introduces a cookies rotator as indicated in the Rails
upgrade guide. This allows to migrate from the old SHA1 digest to the
new SHA256 digest.
2023-01-12 11:09:07 +01:00
David Taylor 7c77cc6a58
DEV: Apply syntax_tree formatting to `config/*` 2023-01-09 11:13:29 +00:00
Rafael dos Santos Silva 7b53973bd8
DEV: Use WebPush fork for OpenSSL 3 compat (#19627)
* DEV: Use WebPush fork for OpenSSL 3 compat

* add some context on gemfile changes
2022-12-27 15:28:13 -03:00
Martin Brennan b9d4336a20
DEV: Add test-site-settings to asset pipeline (#18935)
Follow up to 59da6c6ea2
2022-11-08 11:54:25 +10:00
David Taylor 68b4fe4cf8
SECURITY: Expand and improve SSRF Protections (#18815)
See https://github.com/discourse/discourse/security/advisories/GHSA-rcc5-28r3-23rr

Co-authored-by: OsamaSayegh <asooomaasoooma90@gmail.com>
Co-authored-by: Daniel Waterworth <me@danielwaterworth.com>
2022-11-01 16:33:17 +00:00
Martin Brennan 8ebd5edd1e
DEV: Rename secure_media to secure_uploads (#18376)
This commit renames all secure_media related settings to secure_uploads_* along with the associated functionality.

This is being done because "media" does not really cover it, we aren't just doing this for images and videos etc. but for all uploads in the site.

Additionally, in future we want to secure more types of uploads, and enable a kind of "mixed mode" where some uploads are secure and some are not, so keeping media in the name is just confusing.

This also keeps compatibility with the `secure-media-uploads` path, and changes new
secure URLs to be `secure-uploads`.

Deprecated settings:

* secure_media -> secure_uploads
* secure_media_allow_embed_images_in_emails -> secure_uploads_allow_embed_images_in_emails
* secure_media_max_email_embed_image_size_kb -> secure_uploads_max_email_embed_image_size_kb
2022-09-29 09:24:33 +10:00
David Taylor e06b9d4a52
DEV: Remove support for legacy plugin JS compilation pipeline (#18293)
This became the default in b1755137
2022-09-21 12:38:02 +01:00
David Taylor 1bd1664ae0
DEV: Compile markdown-it-bundle with ember-cli (#18104)
We were already compiling the markdown bundle via ember-cli, but that version was only being used in the test environment. This commit improves the implementation, and updates the filename so it's also used in production.

This commit also
- Removes the vendored copy of `markdown-it.js` and fetches from node_modules instead
- Updates `pretty_text.rb` to remove the custom sprockets-manifest-parsing
- Removes `pretty-text-bundle.js`, which was only being used by `pretty_text.rb`
2022-08-29 19:11:59 +01:00
Martin Brennan b197ca02b7
DEV: Do not MiniProfile theme-javascripts (#18067)
This creates a huge amount of noise depending on
the themes/theme components installed and doesn't
provide much value.
2022-08-24 16:01:42 +10:00
David Taylor 33a2624f09
DEV: Introduce flag for compiling Plugin JS with Ember CLI (#17965)
When `EMBER_CLI_PLUGIN_ASSETS=1`, plugin application JS will be compiled via Ember CLI. In this mode, the existing `register_asset` API will cause any registered JS files to be made available in `/plugins/{plugin-name}_extra.js`. These 'extra' files will be loaded immediately after the plugin app JS file, so this should not affect functionality.

Plugin compilation in Ember CLI is implemented as an addon, similar to the existing 'admin' addon. We bypass the normal Ember CLI compilation process (which would add the JS to the main app bundle), and reroute the addon Broccoli tree into a separate JS file per-plugin. Previously, Sprockets would add compiled templates directly to `Ember.TEMPLATES`. Under Ember CLI, they are compiled into es6 modules. Some new logic in `discourse-boot.js` takes care of remapping the new module names into the old-style `Ember.TEMPLATES`.

This change has been designed to be a like-for-like replacement of the old plugin compilation system, so we do not expect any breakage. Even so, the environment variable flag will allow us to test this in a range of environments before enabling it by default.

A manual silence implementation is added for the build-time `ember-glimmer.link-to.positional-arguments` deprecation while we work on a better story for plugins.
2022-08-22 09:56:39 +01:00
David Taylor 47824bc69f
DEV: Bump asset compiler versions (#17843)
This will trigger recompilation of theme/plugin assets following 7f9c2c0b
2022-08-09 12:06:15 +01:00
Jarek Radosz 4b935b61eb
FIX: CSS tweak and production position fix for miniprofiler (#17493)
* DEV: Format miniprofiler html
* FIX: Move miniprofiler to the right in production
* UX: Fix and merge miniprofiler css
2022-07-14 13:03:43 +02:00
Alan Guo Xiang Tan b4b87454f2
DEV: Move mini profiler badge to the right (#17468)
In the era where we have left aligned sidebar, the mini profiler badge
gets in the way
2022-07-13 13:40:12 +08:00
Jarek Radosz 040e1650f6
DEV: Remove old redis option (#17427)
`Redis.exists_returns_integer` is now true by default
2022-07-11 22:15:30 +02:00
Jarek Radosz a7284d3b96
DEV: Auto-allow multisite hosts in dev (#17246) 2022-06-27 21:58:33 +02:00
David Taylor 90993e2459
FIX: Precompile admin-plugins.js (#17154) (#17155)
This was inadvertently removed in 1b4692039e
2022-06-20 16:22:49 +01:00
David Taylor 9c6ce0fa3e
FIX: Precompile start-discourse.js (#17154)
This was inadvertently removed in 1b4692039e
2022-06-20 16:02:18 +01:00
Jarek Radosz 2c1fc28d00
DEV: Remove ember-cli flags from the backend (#17147)
…and other auxiliary code

* Restore `QUNIT_EMBER_CLI` flag warning
* Add `ALLOW_EMBER_CLI_PROXY_BYPASS`
2022-06-20 16:33:05 +02:00
David Taylor 1b4692039e DEV: Remove legacy JS manifests and vendored scripts
Now that we've switched to Ember CLI, these things are no longer used.

- These sprockets manifests are superceded by the assets generated by ember cli
- These vendored scripts are now fetched by ember-auto-import at compile time
2022-06-20 15:01:06 +01:00
Jarek Radosz fcb4e5a1a1
DEV: Make wizard an ember addon (#17027)
Co-authored-by: David Taylor <david@taylorhq.com>
2022-06-17 14:50:21 +02:00
Loïc Guitaut aa4b1d9c38 DEV: Use new defaults for ActiveSupport::Digest
Use the `OpenSSL::Digest::SHA256` class for `ActiveSupport::Digest`.
This could lead to cache invalidation.
2022-05-18 16:51:07 +02:00
Loïc Guitaut 0feffa6f88 DEV: Enable Rails 7 cache format version 2022-05-17 17:32:10 +02:00
Loïc Guitaut 9957929a15 DEV: Use hybrid cookies instead of marshal ones
Now that we’re sure about not reverting from Rails 7, we can enable the
hybrid cookie serializer to convert our cookies automatically.
2022-05-12 11:50:15 +02:00
David Taylor 476bd1d237
DEV: Fix production sourcemaps with Ember CLI (#16707)
22a7905f restructured how we load Ember CLI assets in production. Unfortunately, it also broke sourcemaps for those assets. This commit fixes that regression via a couple of changes:

- It adds the necessary `.map` paths to `config.assets.precompile`
- It swaps Sprockets' default `SourcemappingUrlProcessor` with an extended version which maintains relative URLs of maps
2022-05-11 10:23:32 +01:00
Alan Guo Xiang Tan a76256756f
DEV: Fix not being able to boot Sidekiq server in development (#16696) 2022-05-11 10:38:11 +08:00
Daniel Waterworth bc8968fd12
DEV: Move SidekiqLogsterReporter out of initializer (#16687)
This fits more naturally in its own file.
2022-05-09 13:01:31 -05:00
Gerhard Schlager 8442a07c13
DEV: Compatibility with TruffleRuby (#16641) 2022-05-05 09:50:02 +08:00
Jarek Radosz 68ccaa3acb
DEV: Fix typos and outdated comments (#16614) 2022-05-04 14:12:18 +08:00
Loïc Guitaut 008b700a3f DEV: Upgrade to Rails 7
This patch upgrades Rails to version 7.0.2.4.
2022-04-28 11:51:03 +02:00
Loïc Guitaut 357011eb3b DEV: Clean up freedom patches
This patch removes some of our freedom patches that have been deprecated
for some time now.
Some of them have been updated so we’re not shipping code based on an
old version of Rails.
2022-04-06 10:07:14 +02:00
David Taylor ddf9bac094
FIX: Ensure ActiveSupport::Inflector is used by Zeitwerk (#16341)
We want our autoloading to respect custom inflections registered with ActiveSupport::Inflector. `Zeitwek::Inflector` does not call out to ActiveSupport.

Instead, we can define our own DiscourseInflector based on the super-simple Inflector in rails core.

Follow-up to 5743a6ec
2022-03-31 14:43:12 +01:00
Alan Guo Xiang Tan d0c2eb3359
DEV: Drop `enable_long_polling` and `long_polling_interval` settings (#16323)
Scheduled to drop in 2.9.

Co-authored-by: Loïc Guitaut <loic@discourse.org>
2022-03-30 16:32:40 +08:00
Loïc Guitaut 58d6e4e233 FIX: Don’t put the whole sidekiq conf in `to_prepare`
Some of the Sidekiq configuration needs to happen when the initializers
run and not after otherwise our dev env isn’t usable anymore.
2022-03-29 17:40:29 +02:00
Alan Guo Xiang Tan 5743a6ec1e DEV: Remove Zeitwerk inflection monkey patch.
There isn't a good reason we need to patch the inflector.

Co-authored-by: Loïc Guitaut <loic@discourse.org>
2022-03-29 16:04:49 +02:00
Bianca Nenciu 7a416257df
FIX: Invalidate site settings cache in all instances (#16155)
Previous cache implementation did not support multisite instances and
the cache was invalidated only in the instance where the change took
place.
2022-03-11 17:16:56 +02:00
Jarek Radosz 2fc70c5572
DEV: Correctly tag heredocs (#16061)
This allows text editors to use correct syntax coloring for the heredoc sections.

Heredoc tag names we use:

languages: SQL, JS, RUBY, LUA, HTML, CSS, SCSS, SH, HBS, XML, YAML/YML, MF, ICS
other: MD, TEXT/TXT, RAW, EMAIL
2022-02-28 20:50:55 +01:00
Osama Sayegh 9c1ab97c01
DEV: Ensure Mini Profiler's `cookie_path` is not empty or nil (#16039)
Follow-up to 9c50c69bd2.
2022-02-23 22:18:58 +03:00
Jeff Wong 9c50c69bd2
FIX: dev subfolder session cookies (#16031)
rack-mini-profiler was setting a cookie path of / which was clobbering
the session cookie path of Discourse.base_path.

Fixes some issues when local dev is unable to read or write from/to
the user session, such as during omniauth CSRF checks.
2022-02-23 06:42:57 -08:00