Commit Graph

1032 Commits

Author SHA1 Message Date
Guo Xiang Tan ac6c1acbed FIX: Groups that do not have any owners should not allow membership requests. 2017-06-05 10:02:37 +09:00
Sam b4060778d9 FIX: you should always be allowed to see actions you created 2017-06-02 14:24:06 -04:00
Guo Xiang Tan 2ee144c27f FEATURE: Add DiscourseEvent trigger when a user logs in.
* Also adds a event trigger when user logs in for the first time.
2017-06-01 17:44:49 +09:00
Guo Xiang Tan bd486100c0 Remove stubs on DiscourseEvent in tests. 2017-06-01 16:21:00 +09:00
Sam 607998af33 FEATURE: dropdown to filter staff action logs 2017-05-30 11:25:42 -04:00
Guo Xiang Tan 4d9481bf47 Fix build. 2017-05-26 16:04:59 +08:00
Guo Xiang Tan 56f98de7b2 Use webmock to stub external web requests. 2017-05-26 15:19:09 +08:00
Robin Ward b584264d82 FIX: Don't show "resend email" option when user approval is on 2017-05-25 15:29:05 -04:00
Robin Ward d2121ca272 FIX: Missing HTTP stub 2017-05-23 15:08:19 -04:00
Robin Ward 36e477750c FIX: Use same code path for downloading images 2017-05-23 14:51:30 -04:00
Robin Ward 908433a7a0 SECURITY: Validate the `entity` when downloading a CSV 2017-05-19 16:00:51 -04:00
Guo Xiang Tan 8ab9f30bbd FIX: User can't remove bookmark from a deleted post. 2017-05-19 12:25:12 +08:00
Régis Hanol 13e489b4ca replace the upload type whitelist with a sanitizer 2017-05-18 12:13:13 +02:00
Neil Lalonde a0f03936ff FIX: saving invisible primary group field that you don't belong to 2017-05-17 12:46:50 -04:00
Sam 4b449914b8 FIX: admins could never remove self from messages 2017-05-16 16:06:24 -04:00
Sam e1dd543a93 FEATURE: allow users to select theme on single device 2017-05-15 12:48:16 -04:00
Sam 2d96a0785d FEATURE: theme selection is now global per-user 2017-05-12 12:41:34 -04:00
Neil Lalonde 55b61e9bea rename topic_status_update to topic_timer 2017-05-11 18:27:53 -04:00
Pat David 10f2db67ba Add test for class_name in EmbedController 2017-05-11 15:16:16 -04:00
Régis Hanol 9641d2413d REFACTOR: upload workflow creation into UploadCreator
- Automatically convert large-ish PNG/BMP to JPEG
- Updated fast_image to latest version
2017-05-11 00:16:57 +02:00
Sam 7d9b5514ba FIX: correctly invalidate theme css cache on scheme change 2017-05-10 15:47:11 -04:00
Sam 04b5516bf2 improve upload functionality 2017-05-10 15:47:11 -04:00
Sam bc0b9af576 FEATURE: support uploads for themes
This allows themes to bundle various assets
2017-05-10 15:47:11 -04:00
Sam Saffron c2829dce22 FIX: base sql vanishes after badge creation 2017-05-09 09:25:57 -04:00
Robin Ward afe04b8bbb FIX: Possible 500 error if category saved incorrectly 2017-05-08 15:17:58 -04:00
Arpit Jalan e89d0a6b20 FIX: importing a theme via file was broken 2017-05-08 12:03:24 +05:30
Guo Xiang Tan 3eb920e2b0 Merge pull request #4841 from fantasticfears/webhook-ping
add event name for ping webhooks in the header
2017-05-04 04:54:40 +08:00
Sam 342ef5f81a FEATURE: out-of-the-box dark/light user selectable themes 2017-05-03 11:31:33 -04:00
Robin Ward 81190f5d66 FIX: Redirect away from `account-created` if you're logged in 2017-05-03 11:18:01 -04:00
Robin Ward 12fb20fe1b FEATURE: Allow users to resend/update email from confirmation page 2017-05-03 11:18:01 -04:00
Sam 946f25098f Refactor theme fields so they support custom theme defined vars
This paves the way to allowing themes to specify uploads and so on.
2017-05-02 16:02:14 -04:00
Erick Guan 9f8a917d65 add event name for ping webhooks in the header 2017-05-02 08:13:23 +02:00
Neil Lalonde 0722ffadf1 Remove site settings enforce_global_nicknames and discourse_org_access_key 2017-05-01 14:53:16 -04:00
Guo Xiang Tan 304ace926e FIX: Raise right response when post_action does not exist. 2017-04-27 17:29:53 +08:00
Arpit Jalan 285c167fae FEATURE: provide more details when performing a bulk add to group 2017-04-27 01:37:51 +05:30
Guo Xiang Tan 6f7c6b0fd0 FIX: Incorrect error raised. 2017-04-25 09:59:01 +08:00
Guo Xiang Tan 423f2ab228 FIX: Processing incoming email should be done in a background job. 2017-04-24 13:57:28 +08:00
Sam d4111c8676 correct spec 2017-04-20 17:24:21 -04:00
Arpit Jalan ea26c56631 FIX: redirect to login page for anonymous user when profiles are hidden 2017-04-20 13:00:45 +05:30
Sam 2bc3aa7ed4 remove no digest refs
the digestless special dev behavior is no longer needed
2017-04-18 17:05:33 -04:00
Arpit Jalan f968b4e662 Fix the build 2017-04-18 16:34:58 +05:30
Arpit Jalan 1c23aedccf FIX: always send password reset email when accepting invite if password is not set 2017-04-18 14:37:06 +05:30
Arpit Jalan 0954367bf4 FIX: send activation email when accepting invite if password is set 2017-04-15 14:59:50 +05:30
Guo Xiang Tan 04016f0dec Support Ruby 2.4. 2017-04-15 12:29:00 +08:00
Sam 809fbb25ce FIX: blanking theme field was not properly removing it 2017-04-13 17:24:15 -04:00
Guo Xiang Tan 3d76fb9c2c FIX: Don't show category options for reports that can't be scoped to a category. 2017-04-13 17:10:55 +08:00
Sam a3e8c3cd7b FEATURE: Native theme support
This feature introduces the concept of themes. Themes are an evolution
of site customizations.

Themes introduce two very big conceptual changes:

- A theme may include other "child themes", children can include grand
children and so on.

- A theme may specify a color scheme

The change does away with the idea of "enabled" color schemes.

It also adds a bunch of big niceties like

- You can source a theme from a git repo

- History for themes is much improved

- You can only have a single enabled theme. Themes can be selected by
    users, if you opt for it.

On a technical level this change comes with a whole bunch of goodies

- All CSS is now compiled using a custom pipeline that uses libsass
    see /lib/stylesheet

- There is a single pipeline for css compilation (in the past we used
    one for customizations and another one for the rest of the app

- The stylesheet pipeline is now divorced of sprockets, there is no
   reliance on sprockets for CSS bundling

- CSS is generated with source maps everywhere (including themes) this
    makes debugging much easier

- Our "live reloader" is smarter and avoid a flash of unstyled content
   we run a file watcher in "puma" in dev so you no longer need to run
   rake autospec to watch for CSS changes
2017-04-12 10:53:49 -04:00
Guo Xiang Tan 9663a74445 FIX: Ensure `username` param is valid in `NotificationsController`. 2017-04-07 17:32:52 +08:00
Robin Ward 40ab2e5667 FEATURE: Let users update their emails before confirming
This allows users who entered a typo or invalid email address when
signing up an opportunity to fix it and resending the confirmation
email to that address.
2017-04-05 16:44:49 -04:00
Robin Ward 17f2974d0a SECURITY: Confirm new administrator accounts via email 2017-04-04 15:59:01 -04:00
Guo Xiang Tan 0bbad5040a `topic-status-info` component wasn't updated when topic is closed/opened. 2017-03-31 15:58:26 +08:00
Guo Xiang Tan 34b7bee568 FEATURE: Allow admin to auto reopen at topic.
* This commit also introduces a `TopicStatusUpdate`
  model to support other forms of deferred topic
  status update in the future.
2017-03-31 11:14:18 +08:00
Robin Ward 6b976433c9 Support for both `/users/` and `/u/` paths 2017-03-30 10:23:24 -04:00
Guo Xiang Tan 3ef82bb32c SECURITY: CSRF vulnerabilities in `Admin::BackupsController`. 2017-03-23 10:29:35 +08:00
Neil Lalonde 11ce73b8ed FEATURE: category setting for default top period 2017-03-22 16:54:18 -04:00
Arpit Jalan 82c0f5f587 Merge pull request #4767 from techAPJ/activate-account
FIX: send activation email if user have unconfirmed email address
2017-03-21 09:44:23 +05:30
Arpit Jalan 7c3ae50dcd FIX: send activation email if user have unconfirmed email 2017-03-21 09:41:50 +05:30
Sam c106ca6778 FEATURE: fallback asset path for multi host setups 2017-03-20 15:59:17 -04:00
Guo Xiang Tan a1d04a7a9a Fix rspec tests. 2017-03-20 12:35:08 +08:00
Guo Xiang Tan bbc85e1e29 Merge pull request #4750 from discourse/group_login_registration_flow
FEATURE: Redirect to groups page and apply group actions upon login/s…
2017-03-16 09:50:56 +08:00
Guo Xiang Tan ca965bb455 FEATURE: Redirect to groups page after login/registration flow. 2017-03-16 09:48:51 +08:00
Guo Xiang Tan 1a7e954e09 FIX: Store custom emojis as uploads.
* Depending on a hardcoded directory was a flawed design
  which made it impossible to debug when custom emojis go
  missing.
2017-03-14 13:07:18 +08:00
Sam a690121805 SECURITY: always allow staff to resend activation mails 2017-03-13 10:32:24 -04:00
Guo Xiang Tan 9364d8ce71 FIX: Store user's id instead for sending activation email.
* Email and username are both allowed to be used for logging in.
  Therefore, it is easier to just store the user's id rather than
  to store the username and email in the session.
2017-03-13 20:24:55 +08:00
Guo Xiang Tan 7ebfa3c901 SECURITY: Only allow users to resend activation email with a valid session.
* Improve error when an active user tries to request for an activation email.
2017-03-13 19:35:29 +08:00
Arpit Jalan 848120c098 FEATURE: RSS feed for top page period filters 2017-03-13 15:23:46 +05:30
Sam bc1a6ccb90 Merge pull request #4741 from tgxworld/allow_bookmark_removal
FIX: Allow user to remove bookmark from posts as long as bookmark is …
2017-03-10 12:49:20 -05:00
Arpit Jalan f7e7ca3937 FEATURE: anonymized site statistics 2017-03-10 18:50:26 +05:30
Arpit Jalan 801b5838e1 FIX: do not show faq/guidelines page to anonymous users for private forums 2017-03-08 16:00:49 +05:30
Arpit Jalan 090236b15b FIX: do not show about page to anonymous users for private forums 2017-03-08 13:15:44 +05:30
Guo Xiang Tan 689dd16be0 FIX: Allow user to remove bookmark from posts as long as bookmark is present.
https://meta.discourse.org/t/bookmark-issue-when-access-to-topic-is-lost-pms/51993
2017-03-08 13:53:49 +08:00
Neil Lalonde d95e4102c1 FIX: tags created in secured categories should not be forbidden outside those categories 2017-03-07 11:46:46 -05:00
Régis Hanol 0abe433495 Merge pull request #4736 from techAPJ/group-bulk-add
FIX: grant trust level when bulk adding users to group
2017-03-06 12:43:26 +01:00
Arpit Jalan d5bcc70e9c FIX: grant trust level when bulk adding users to group 2017-03-06 14:39:53 +05:30
Guo Xiang Tan 477eb0591e FIX: Posts in a deleted topic couldn't be moved.
https://meta.discourse.org/t/moving-posts-to-new-topic/58436/4
2017-03-06 14:56:20 +08:00
Neil Lalonde 6aab8cb331 FEATURE: new category setting for whether to show latest topics or top topics by default 2017-03-03 11:30:44 -05:00
Blake Erickson 80858bae2c FEATURE: further restrict downloading of backups
- send email to logged in admin when they press the "download" button
- show pop-up that email was sent
- create email template
- require a valid token to download backup
2017-03-01 08:28:34 -07:00
Guo Xiang Tan 107d6783a9 Remove use of stubs in tests. 2017-03-01 10:53:03 +08:00
Guo Xiang Tan 76dd6933d2 Revert "Revert "Revert "SECURITY: Ensure oAuth authenticated email is the same as created user's email."""
This reverts commit e6d75f6844.

This is why we should not be pushing directly to master.
2017-03-01 10:16:59 +08:00
Guo Xiang Tan e6d75f6844 Revert "Revert "SECURITY: Ensure oAuth authenticated email is the same as created user's email.""
This reverts commit 0e3def7d2b.
2017-02-28 11:27:14 +08:00
Robin Ward 0e3def7d2b Revert "SECURITY: Ensure oAuth authenticated email is the same as created user's email."
This reverts commit 1060239e2d.
2017-02-27 13:19:26 -05:00
Arpit Jalan 877957ae88 Merge pull request #4715 from techAPJ/login-per-ip
FEATURE: new site setting for max logins per ip per hour/minute
2017-02-27 18:24:53 +05:30
Arpit Jalan cba51e1c38 FEATURE: new site setting for max logins per ip per hour/minute 2017-02-27 16:58:03 +05:30
Régis Hanol a2c04be718 FIX: eradicate I18n fallback issues 💣
FIX: client's translation overrides were not working when the current locale was missing a key
FIX: ExtraLocalesController.show was not properly handling multiple translations
FIX: JsLocaleHelper#output_locale was not properly handling multiple translations

FIX: ExtraLocalesController.show's spec which was randomly failing
FIX: JsLocaleHelper#output_locale was muting cached translations hashes

REFACTOR: move 'enableVerboseLocalization' to the 'localization' initializer
REFACTOR: remove unused I18n.js methods (getFallbacks, localize, parseDate, toTime, strftime, toCurrency, toPercentage)
REFACTOR: remove all I18n.pluralizationRules and instead use MessageFormat's pluralization rules

TEST: add tests for localization initializer
TEST: add tests for I18n.js
2017-02-24 11:31:21 +01:00
Guo Xiang Tan 1060239e2d SECURITY: Ensure oAuth authenticated email is the same as created user's email. 2017-02-24 13:13:10 +08:00
Guo Xiang Tan 0847b4258a Revert "SECURITY: Ensure that user has been authenticated."
This reverts commit fbe51d68a7.

Changing the commit message to correctly reflect what we're actually
fixing.
2017-02-24 13:12:29 +08:00
Guo Xiang Tan fbe51d68a7 SECURITY: Ensure that user has been authenticated. 2017-02-24 10:47:48 +08:00
Sam f15f61da0a FEATURE: add immutable caching to rails site of things 2017-02-23 13:05:00 -05:00
Régis Hanol f51e3b2131 FIX: should not be able to rename a system badge 2017-02-20 14:35:05 +01:00
Régis Hanol cb99f59ec3 reset bounce score when email is successfully changed 2017-02-20 10:37:01 +01:00
Neil Lalonde d0fbb27f3e FEATURE: new invite acceptance page, where username can be chosen and password can be set 2017-02-15 16:51:57 -05:00
Sam 8feb94e13f FIX: password validator was being too strict 2017-02-14 09:18:04 -05:00
Sam 7652901b75 reduce mocking and stubbing in controller spec 2017-02-13 14:31:15 -05:00
Neil Lalonde 94e1105af7 fix unique char counting in password validator 2017-02-10 10:38:17 -05:00
Neil Lalonde 1bcb835446 FEATURE: passwords must have a minimum number of unique characters, configurable with a new setting 2017-02-09 15:00:22 -05:00
Sam ff49f72ad9 FEATURE: per client user tokens
Revamped system for managing authentication tokens.

- Every user has 1 token per client (web browser)
- Tokens are rotated every 10 minutes

New system migrates the old tokens to "legacy" tokens,
so users still remain logged on.

Also introduces weekly job to expire old auth tokens.
2017-02-07 09:22:16 -05:00
Sam 2dec731da3 SECURITY: correctly validate input when admin searches for screened ips 2017-02-06 16:11:16 -05:00
Régis Hanol 27fb9c8804 FIX: bounce webhooks should also use recipient address 2017-02-05 19:06:35 +01:00
Neil Lalonde c4e10f2a9d FEATURE: redesign the change password page to use javascript and validations 2017-02-03 16:09:24 -05:00
Arpit Jalan 9dd09e453b FEATURE: add explicit confirmation button to accept the invite 2017-01-25 15:50:30 +05:30