Commit Graph

45508 Commits

Author SHA1 Message Date
Wolftallemo be556ef17b
FIX: Skip CSRF token check on webhook routes (#16982)
The `WebhookController` inherits directly from `ActionController::Base`. Since Rails 5.2, forgery protection has been enabled by default. When we applied those new defaults in 0403a8633b, it took effect on this controller and broke integrations.

This commit explicitly disables CSRF protection on these webhook routes, and updates the specs so they'll catch this kind of regression in future.
2022-06-13 15:36:45 +01:00
Jarek Radosz 77632d2d36
DEV: Explicitly allow NavItem customization (#17061)
Allow overriding NavItem's title and displayName. Fixes multiple instances of `computed-property.override` warnings in plugins.
2022-06-13 12:46:04 +02:00
Jarek Radosz 8d0c2cd4f8
DEV: Allow disabling composer submit (#17062)
…without overriding the computed property. Will fix warnings in discourse-perspective-api plugin.
2022-06-13 12:45:47 +02:00
Alan Guo Xiang Tan e9a77e7f19
FEATURE: Add new/unread counts to tags section links exp sidebar (#17057) 2022-06-13 14:54:01 +08:00
Alan Guo Xiang Tan 95fa4c5d52
DEV: Ensure topic-tracking-state state change callbacks are cleaned up (#17069) 2022-06-13 14:53:02 +08:00
Alan Guo Xiang Tan 94c3bbc2d1
DEV: Centralize user updates to a single MessageBus channel. (#17058)
Introduces an interface to publish user updates on the server side and
helps to reduce the growing number of subscriptions on the client side.
2022-06-13 14:27:43 +08:00
Alan Guo Xiang Tan bd32656157
DEV: Skip flaky test. (#17068) 2022-06-13 13:48:08 +08:00
Alan Guo Xiang Tan 36f5d5eada
DEV: Skip flaky spec. (#17067) 2022-06-13 13:10:00 +08:00
dependabot[bot] 65929ed128
Build(deps): Bump multipart-post from 2.2.2 to 2.2.3 (#17066)
Bumps [multipart-post](https://github.com/socketry/multipart-post) from 2.2.2 to 2.2.3.
- [Release notes](https://github.com/socketry/multipart-post/releases)
- [Changelog](https://github.com/socketry/multipart-post/blob/main/CHANGELOG.md)
- [Commits](https://github.com/socketry/multipart-post/compare/v2.2.2...v2.2.3)

---
updated-dependencies:
- dependency-name: multipart-post
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-06-13 11:26:25 +08:00
dependabot[bot] 357ef528de
Build(deps): Bump diffy from 3.4.0 to 3.4.1 (#17065)
Bumps [diffy](https://github.com/samg/diffy) from 3.4.0 to 3.4.1.
- [Release notes](https://github.com/samg/diffy/releases)
- [Changelog](https://github.com/samg/diffy/blob/main/CHANGELOG)
- [Commits](https://github.com/samg/diffy/commits)

---
updated-dependencies:
- dependency-name: diffy
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-06-13 11:15:29 +08:00
dependabot[bot] 69e5da448e
Build(deps): Bump rails-html-sanitizer from 1.4.2 to 1.4.3 (#17064)
Bumps [rails-html-sanitizer](https://github.com/rails/rails-html-sanitizer) from 1.4.2 to 1.4.3.
- [Release notes](https://github.com/rails/rails-html-sanitizer/releases)
- [Changelog](https://github.com/rails/rails-html-sanitizer/blob/master/CHANGELOG.md)
- [Commits](https://github.com/rails/rails-html-sanitizer/compare/v1.4.2...v1.4.3)

---
updated-dependencies:
- dependency-name: rails-html-sanitizer
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-06-13 11:15:14 +08:00
Jarek Radosz e245839c3c
DEV: Remove old deprecations (#14906) 2022-06-12 21:28:20 +02:00
Discourse Translator Bot f38a06f3a5
Update translations (#17022) 2022-06-11 13:20:37 +02:00
Jeff Wong d7d9c10c1d FIX: display translated fallback as the group name for custom emoji groups 2022-06-10 11:10:05 -10:00
Jeff Wong 9a656e18e9 DEV: add translation fallback option for i18n
Allow for a default translation string to be returned when a translation cannot
be found.

Useful in contexts where there is a known fallback, such as custom emoji group
strings.
2022-06-10 11:10:05 -10:00
Joffrey JAFFEUX 532935043c
FIX: allows image to be displayed at the right size 2022-06-10 16:28:58 +02:00
Gabe Pacuilla c04cb223f3
FIX: twitter onebox keeps whitespace for expanded links (#17055) 2022-06-10 01:20:26 -04:00
Alan Guo Xiang Tan ced9a5ee6d
FEATURE: First pass tags section for experimental sidebar. (#17048)
Counts for the section links will be added in a follow up commit.
2022-06-10 09:49:36 +08:00
dependabot[bot] 874e070956
Build(deps): Bump multipart-post from 2.2.0 to 2.2.2 (#17053)
Bumps [multipart-post](https://github.com/socketry/multipart-post) from 2.2.0 to 2.2.2.
- [Release notes](https://github.com/socketry/multipart-post/releases)
- [Changelog](https://github.com/socketry/multipart-post/blob/main/CHANGELOG.md)
- [Commits](https://github.com/socketry/multipart-post/compare/v2.2.0...v2.2.2)

---
updated-dependencies:
- dependency-name: multipart-post
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-06-10 09:48:34 +08:00
David Taylor 75d9c16156
DEV: Remove jquery from textarea-manipulation, improve undo handling (#17050)
This commit removes many uses of `this._$textarea`, and also switches us to use `document.execCommand("insertText")` for the majority of manipulations. This means that the browser undo history will be preserved when doing things like pasting rich html, using bold/italic shortcuts, etc.

These manipulations are already extensively tested. This commit extends a few of the tests to verify the undo behavior.

There are still a few cases (e.g. replacing upload placeholders with true URLs) where we don't necessarily want to bring the composer into focus. In those cases, the old history-breaking behavior remains for now.
2022-06-10 10:42:50 +10:00
David Taylor c054a47d9a
DEV: Add escapeRegExp util (#17051)
This was re-implemented in a number of places - it makes more sense as a utility function.
2022-06-10 10:37:54 +10:00
Isaac Janzen 3ebfde5ea2
DEV: Remove jquery from create-account modal (#16983) 2022-06-09 14:59:33 -05:00
Sérgio Saquetim 300f835703
DEV: Supress logs when RetrieveTitle.crawl fails with Net::ReadTimeout errors (#16971)
This PR changes the rescue block to rescue only Net::TimeoutError exceptions and removes the log line to prevent clutter the logs with errors that are ignored. Other errors can bubble up because they're errors we probably want to know about
2022-06-09 16:30:22 -03:00
Isaac Janzen 9cd165d6b4
DEV: Add deprecation notice to discourse-common/utils/decorators (#17052) 2022-06-09 13:07:58 -05:00
Isaac Janzen 6ae761604a
FIX: Send quote notifications to correct users when prioritizing full names (#17030) 2022-06-09 11:52:28 -05:00
Penar Musaraj 3f569f1185
A11Y: Add keyboard support for do-not-disturb modal (#17043) 2022-06-09 11:05:01 -04:00
David Taylor 002d62b847
FIX: Cleanup invalid historic site setting data (#17049)
`selectable_avatars_urls` contains invalid data (it's a backup from 20200810194943_change_selectable_avatars_site_setting.rb)

This migration is deliberately backdated so that it runs before `20220330160747_copy_site_settings_uploads_to_upload_references`
2022-06-09 09:51:29 +01:00
Martin Brennan 20f118c4c9
FIX: Handle empty string in theme_settings for upload_references (#17047)
Follow up to 9db8f00b3d,
the theme_settings.value field is not an integer and so
can be '', we need to account for this in the migration
otherwise we get this error:

> PG::InvalidTextRepresentation: ERROR:  invalid input syntax for type integer: ""
2022-06-09 10:19:44 +02:00
Alan Guo Xiang Tan 946f8a65fd
FEATURE: Display new/unread count for tracked categories in exp sidebar (#17046) 2022-06-09 13:43:17 +08:00
Alan Guo Xiang Tan cd8c97debc
FEATURE: Add section links to categories section to exp sidebar (#17035)
This commit adds a section link to the categories section for each
category that is tracked by the user in the experimental sidebar.
2022-06-09 11:14:01 +08:00
Alan Guo Xiang Tan 03f674070a
DEV: Remove flaky acceptance test (#17045)
The test was un-skipped in 6f25f17360 but
has since been flaky again. Removing the test completely as it has
resulted in more pain for us than the value the test provides.
2022-06-09 09:56:05 +08:00
Bianca Nenciu 9db8f00b3d
FEATURE: Create upload_references table (#16146)
This table holds associations between uploads and other models. This can be used to prevent removing uploads that are still in use.

* DEV: Create upload_references
* DEV: Use UploadReference instead of PostUpload
* DEV: Use UploadReference for SiteSetting
* DEV: Use UploadReference for Badge
* DEV: Use UploadReference for Category
* DEV: Use UploadReference for CustomEmoji
* DEV: Use UploadReference for Group
* DEV: Use UploadReference for ThemeField
* DEV: Use UploadReference for ThemeSetting
* DEV: Use UploadReference for User
* DEV: Use UploadReference for UserAvatar
* DEV: Use UploadReference for UserExport
* DEV: Use UploadReference for UserProfile
* DEV: Add method to extract uploads from raw text
* DEV: Use UploadReference for Draft
* DEV: Use UploadReference for ReviewableQueuedPost
* DEV: Use UploadReference for UserProfile's bio_raw
* DEV: Do not copy user uploads to upload references
* DEV: Copy post uploads again after deploy
* DEV: Use created_at and updated_at from uploads table
* FIX: Check if upload site setting is empty
* DEV: Copy user uploads to upload references
* DEV: Make upload extraction less strict
2022-06-09 09:24:30 +10:00
tshenry 7fc11327b7
COPY: Use main instead of master for theme installation modal (#17044)
GitHub now uses main as the default branch so it makes sense to update the placeholder in the theme installation modal to use main instead of master.
2022-06-08 11:32:54 -07:00
Penar Musaraj fd2dbdccdc
A11Y: Keyboard access for `/u` table headings (#17041) 2022-06-08 13:54:31 -04:00
Blake Erickson 852a2f1727
DEV: Add spec for not_staged user scope (#17042)
Making sure to test this new scope.

Follow up to: 27d7b0c6de

as well as: 3941bad075
2022-06-08 10:43:21 -06:00
Loïc Guitaut 03732049ed DEV: Use nested form for `FreedomPatches` module
It seems that not using the nested form for the `FreedomPatches`
namespace is breaking stuff in some dev env.
2022-06-08 15:10:26 +02:00
David Taylor c65c23b48d
DEV: Fix openapi definition logo URL (#17038)
See 887e4087d5
2022-06-08 13:10:20 +01:00
Loïc Guitaut fff3ff11c0 FIX: Make disabling TLS in mail possible again
Following the Rails 7 upgrade, the `DISCOURSE_SMTP_ENABLE_START_TLS`
setting doesn’t work anymore. This is because Rails upgraded the
`net-smtp` gem to the 0.3.1 version which enables `starttls` by default.
The `mail` gem doesn’t support this new behavior yet and doesn’t know
how to disable TLS. This should be fixed in an upcoming release.

Meanwhile applying this patch allows us to get back the previous
behavior which is expected by many.
2022-06-08 14:04:05 +02:00
dependabot[bot] 284db78055
Build(deps): Bump jwt from 2.4.0 to 2.4.1 (#17032)
Bumps [jwt](https://github.com/jwt/ruby-jwt) from 2.4.0 to 2.4.1.
- [Release notes](https://github.com/jwt/ruby-jwt/releases)
- [Changelog](https://github.com/jwt/ruby-jwt/blob/master/CHANGELOG.md)
- [Commits](https://github.com/jwt/ruby-jwt/compare/v2.4.0...v2.4.1)

---
updated-dependencies:
- dependency-name: jwt
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-06-08 13:39:11 +02:00
Arpit Jalan 4bc2d54685
DEV: include `time_left` information in rate limiting error messages (#17037) 2022-06-08 14:30:41 +05:30
dependabot[bot] 55d7aa0190
Build(deps): Bump faraday-multipart from 1.0.3 to 1.0.4 (#17033) 2022-06-08 10:17:15 +02:00
Mayfield 99b0578b4c
FIX: escape youtube title when constructing onebox preview html (#16999) 2022-06-08 13:42:37 +08:00
Alan Guo Xiang Tan 82ac698d4f
FIX: Missing tracked sub category topics from tracked topic list (#17034)
Follow-up to 7ae647d092
2022-06-08 10:45:59 +08:00
Blake Erickson 3941bad075
DEV: Remove this chained user scope (#17029)
This reverts one of the changes introduced just now in:

27d7b0c6de

I don't think we need this `activated_not_suspended_not_staged` scope
because we can just compose it ourselves via method chaining like
`User.activated.not_suspended.not_staged`.
2022-06-07 15:21:42 -06:00
Blake Erickson 27d7b0c6de
DEV: Add new user scopes (#17026)
Adds two new user scopes:

- `not_staged`
- `activated_not_suspended_not_staged`

This will allow us to easily grab activated users that are not suspended
or staged.

See this PR feedback:

https://github.com/discourse/discourse-chat/pull/913#discussion_r890692266
2022-06-07 12:58:58 -06:00
Isaac Janzen de1153286d
DEV: Remove reply_as_new_topic from PM composer actions (#17023) 2022-06-07 11:06:42 -05:00
Penar Musaraj 86ab82f057
UX: Remove limit for emoji search in composer (#17014) 2022-06-07 12:00:52 -04:00
Penar Musaraj 4be67ef9a7
UX: Larger images in mobile emoji picker (#17013) 2022-06-07 12:00:09 -04:00
David Taylor 5238f6788c
FEATURE: Allow hotlinked media to be blocked (#16940)
This commit introduces a new site setting: `block_hotlinked_media`. When enabled, all attempts to hotlink media (images, videos, and audio) will fail, and be replaced with a linked placeholder. Exceptions to the rule can be added via `block_hotlinked_media_exceptions`.

`download_remote_image_to_local` can be used alongside this feature. In that case, hotlinked images will be blocked immediately when the post is created, but will then be replaced with the downloaded version a few seconds later.

This implementation is purely server-side, and does not impact the composer preview.

Technically, there are two stages to this feature:

1. `PrettyText.sanitize_hotlinked_media` is called during `PrettyText.cook`, and whenever new images are introduced by Onebox. It will iterate over all src/srcset attributes in the post HTML and check if they're allowed. If not, the attributes will be removed and replaced with a `data-blocked-hotlinked-src(set)` attribute

2. In the `CookedPostProcessor`, we iterate over all `data-blocked-hotlinked-src(set)` attributes and check whether we have a downloaded version of the media. If yes, we update the src to use the downloaded version. If not, the entire media element is replaced with a placeholder. The placeholder is labelled 'external media', and is a link to the offsite media.
2022-06-07 15:23:04 +01:00
Jarek Radosz 1a5dbbf430
FIX: Correctly handle invalid auth cookies (#16995)
Previously it would blow up on invalid utf byte sequences. This was a source of spec flakiness.
2022-06-07 13:00:25 +02:00