discourse/app/controllers
Daniel Waterworth 8cade1e825
SECURITY: Prevent large staff actions causing DoS
This commit operates at three levels of abstraction:

 1. We want to prevent user history rows from being unbounded in size.
    This commit adds rails validations to limit the sizes of columns on
    user_histories.

 2. However, we don't want to prevent certain actions from being
    completed if these columns are too long. In those cases, we truncate
    the values that are given and store the truncated versions.

 3. For endpoints that perform staff actions, we can further control
    what is permitted by explicitly validating the params that are given
    before attempting the action.
2024-03-15 14:24:04 +08:00
admin SECURITY: Prevent large staff actions causing DoS 2024-03-15 14:24:04 +08:00
users
about_controller.rb DEV: Revert guardian changes (#24742) 2023-12-06 16:37:32 +10:00
application_controller.rb FEATURE: filter additional keywords for the sidebar (#26148) 2024-03-14 12:28:08 +11:00
associated_groups_controller.rb
badges_controller.rb
bookmarks_controller.rb
bootstrap_controller.rb DEV: Simplify ember-cli proxy strategy (#24242) 2023-11-10 11:16:06 +00:00
categories_controller.rb FEATURE: Show remaining count in category-drop (#25938) 2024-03-07 16:14:50 +02:00
clicks_controller.rb
composer_controller.rb UX: hide warning if all users mentioned via group are already invited. (#23557) 2023-09-13 19:21:44 +05:30
composer_messages_controller.rb DEV: Move distance_of_time_in_words/time_ago_in_words (#21745) 2023-05-25 14:53:59 +02:00
csp_reports_controller.rb
directory_columns_controller.rb
directory_items_controller.rb FIX: Validate page/limit params for directory, user-badges and groups (#22877) 2023-07-31 15:00:05 +01:00
do_not_disturb_controller.rb
drafts_controller.rb SECURITY: Limit number of drafts per user and length of `draft_key` 2023-09-12 15:31:26 -03:00
edit_directory_columns_controller.rb DEV: Implement staff logs for user columns edits (#21774) 2023-06-07 17:19:58 -05:00
email_controller.rb DEV: Revert guardian changes (#24742) 2023-12-06 16:37:32 +10:00
embed_controller.rb
exceptions_controller.rb
export_csv_controller.rb SECURITY: Prevent large staff actions causing DoS 2024-03-15 14:24:04 +08:00
extra_locales_controller.rb DEV: Fix Lint/BooleanSymbol (#24747) 2023-12-06 13:19:09 +01:00
finish_installation_controller.rb
form_templates_controller.rb DEV: Show form templates in the composer (#21190) 2023-05-29 14:47:18 -07:00
forums_controller.rb
groups_controller.rb FIX: Allow staff to change group members visibility level for automatic groups (#25281) 2024-01-17 12:54:52 -05:00
hashtags_controller.rb FEATURE: Async load of category and chat hashtags (#25526) 2024-02-12 12:07:14 +02:00
highlight_js_controller.rb
inline_onebox_controller.rb
invites_controller.rb FEATURE: change /invites.json api endpoint to optionally accept array of emails (#24853) 2023-12-28 10:16:04 -05:00
list_controller.rb FEATURE: experiment with hot sort order (#25274) 2024-01-17 13:01:04 +11:00
metadata_controller.rb
new_topic_controller.rb
notifications_controller.rb FEATURE: Site setting to display user avatars in user menu (#24514) 2023-12-07 11:30:44 -06:00
offline_controller.rb
onebox_controller.rb
permalinks_controller.rb
post_action_users_controller.rb DEV: Add post_action_users_list modifier for PostActionUsersController (#25740) 2024-02-20 09:48:09 +10:00
post_actions_controller.rb
post_readers_controller.rb
posts_controller.rb DEV: Remove deprecated PostsController#all_reply_ids (#24128) 2023-10-27 12:40:49 +08:00
presence_controller.rb FIX: Updating presence status in readonly mode should fail gracefully (#24333) 2023-11-10 14:27:43 -06:00
published_pages_controller.rb
push_notification_controller.rb
qunit_controller.rb DEV: Stop building test assets in production under Embroider (#23388) 2023-09-11 09:12:37 +01:00
reviewable_claimed_topics_controller.rb FEATURE: Remove support for legacy navigation menu (#23752) 2023-10-09 07:24:10 +08:00
reviewables_controller.rb FEATURE: Add Revise... option for queued post reviewable (#23454) 2023-10-13 11:28:31 +10:00
robots_txt_controller.rb
safe_mode_controller.rb DEV: Add `safe_mode=deprecation_errors` mode (#24870) 2023-12-13 14:06:59 +00:00
search_controller.rb FIX: Search by tag context was broken (#23006) 2023-08-08 15:15:34 -04:00
session_controller.rb UX: Improve error handling for DiscourseConnect (#26140) 2024-03-12 16:16:04 +00:00
sidebar_sections_controller.rb FIX: reliably reorder link in custom sections (#24188) 2023-11-02 08:46:45 +11:00
similar_topics_controller.rb
site_controller.rb FEATURE: call hub API to update Discourse discover enrollment. (#25634) 2024-02-23 11:42:28 +05:30
sitemap_controller.rb
slugs_controller.rb
static_controller.rb DEV: Remove legacy `/brotli_asset` workaround (#24243) 2023-11-06 15:57:00 +00:00
steps_controller.rb
stylesheets_controller.rb DEV: Fix subfolder setup in dev env (#21983) 2023-06-12 12:49:26 +02:00
svg_sprite_controller.rb FIX: Searching for svg sprite icons connecting to default database (#21605) 2023-05-17 14:25:06 +08:00
tag_groups_controller.rb SECURITY: Impose an upper bound on limit params in various controllers 2023-07-28 12:53:46 +01:00
tags_controller.rb SECURITY: Impose an upper bound on limit params in various controllers 2023-07-28 12:53:46 +01:00
theme_javascripts_controller.rb
topics_controller.rb DEV: Add post_id parameter to reset_bump_date route (#25372) 2024-02-15 16:42:42 +11:00
uploads_controller.rb SECURITY: Add rate limits for uploads 2024-03-15 14:24:00 +08:00
user_actions_controller.rb PERF: Preload user information when visiting user messages routes (#21929) 2023-06-05 19:24:22 +08:00
user_api_keys_controller.rb DEV: Convert min_trust_level_for_user_api_key to groups (#25299) 2024-01-19 11:25:24 +08:00
user_avatars_controller.rb
user_badges_controller.rb FIX: Validate page/limit params for directory, user-badges and groups (#22877) 2023-07-31 15:00:05 +01:00
user_status_controller.rb
users_controller.rb FEATURE: Hide user status when user is hiding public profile and presence (#24300) 2024-02-26 17:40:48 +04:00
users_email_controller.rb DEV: Update confirm-email flows to use central 2fa and ember rendering (#25404) 2024-01-30 10:32:42 +00:00
webhooks_controller.rb FEATURE: Add Mailpace webhook (#21981) 2023-06-08 20:06:20 +03:00
wizard_controller.rb