Commit Graph

49343 Commits

Author SHA1 Message Date
Jarek Radosz
fc17045876
DEV: Clean up workflow files (#21526) 2023-05-12 14:00:04 +02:00
Dan Dascalescu
b34767d88e
DEV: Minor copyedit in ADMIN-QUICK-START-GUIDE.md (#21528) 2023-05-12 13:58:55 +02:00
Jarek Radosz
d8e5426bba
FIX: Incorrect PLUGIN_NAME for "poll" (#21525)
This resulted in `Required plugin 'discourse_poll' not found` warnings in logs
2023-05-12 12:54:14 +02:00
dependabot[bot]
57d66f705d
Build(deps): Bump loofah from 2.21.1 to 2.21.2 (#21519)
Bumps [loofah](https://github.com/flavorjones/loofah) from 2.21.1 to 2.21.2.
- [Release notes](https://github.com/flavorjones/loofah/releases)
- [Changelog](https://github.com/flavorjones/loofah/blob/main/CHANGELOG.md)
- [Commits](https://github.com/flavorjones/loofah/compare/v2.21.1...v2.21.2)

---
updated-dependencies:
- dependency-name: loofah
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-05-12 11:28:23 +02:00
dependabot[bot]
69c7ac70a1
Build(deps): Bump nokogiri from 1.14.3 to 1.14.4 (#21518)
Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.14.3 to 1.14.4.
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sparklemotion/nokogiri/compare/v1.14.3...v1.14.4)

---
updated-dependencies:
- dependency-name: nokogiri
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-05-12 11:27:51 +02:00
Jarek Radosz
19ac90536f
DEV: Restore the documentation format in system tests (#21471) 2023-05-12 11:13:52 +02:00
David Taylor
177651fdbb
FIX: Avoid double-encoding featured topic title in user profile (#21507)
a373bf2 updated the behavior of replace-emoji so that the input is treated as unsafe-by-default. fancy_title is already escaped, so we need to mark it as html-safe to avoid it being double-escaped.

There is no need to html-safe the result of replace-emoji - it's already done as part of the helper.
2023-05-12 10:11:59 +01:00
Ted Johansson
07f87ff7a8
DEV: Strictly filter tag search limit parameter input (#21524)
### What is the problem?

It is possible to pass an arbitrary value to the limit parameter in `TagsController#search`, and have it flow through `DiscourseTagging.filter_allowed_tags` where it will raise an error deep in the database driver. MiniSql ensures there's no injection happening, but that ultimately results in an invalid query.

### How does this fix it?

This change checks more strictly that the parameter can be cleanly converted to an integer by replacing the loose `#to_i` conversion semantics with the stronger `Kernel#Integer` ones.

**Example:**

```ruby
"1; SELECT 1".to_i
#=> 1

Integer("1; SELECT 1")
#=> ArgumentError
```

As part of the change, I also went ahead to disallow a limit of "0", as that doesn't seem to be a useful option. Previously only negative limits were disallowed.
2023-05-12 16:49:14 +08:00
Ted Johansson
59867cc091
DEV: Gracefully handle user avatar download SSRF errors (#21523)
### Background

When SSRF detection fails, the exception bubbles all the way up, causing a log alert. This isn't actionable, and should instead be ignored. The existing `rescue` does already ignore network errors, but fails to account for SSRF exceptions coming from `FinalDestination`.

### What is this change?

This PR does two things.

---

Firstly, it introduces a common root exception class, `FinalDestination::SSRFError` for SSRF errors. This serves two functions: 1) it makes it easier to rescue both errors at once, which is generally what one wants to do and 2) prevents having to dig deep into the class hierarchy for the constant.

This change is fully backwards compatible thanks to how inheritance and exception handling works.

---

Secondly, it rescues this new exception in `UserAvatar.import_url_for_user`, which is causing sporadic errors to be logged in production. After this SSRF errors are handled the same as network errors.
2023-05-12 15:32:02 +08:00
Joffrey JAFFEUX
e10b262eb9
DEV: fix flakey spec (#21515)
Similar fix to the one made in aab6fb13a0

Instead of checking last object, check against all modified objects in no specific order.
2023-05-11 23:27:26 +02:00
Joffrey JAFFEUX
f20be4b092
FIX: prevents subscribing with an old id (#21509)
This issue was for example possibly causing the last visit indicator to be reset by `sent` messages events.

The following was happening:
- a user (bob) had a last message bus ID of 1 on a channel (id:1) subscription
- bob then go to another channel (id:2), unsubscribing from updates of channel (id:1)
- another user (laura) then send messages to channel (id:1)
- bob goes back to channel (id:1)

At this point we we doing in the same sequence:
- loading channel with messages, getting a new last message bus id
- subscribing to updates using the last known message bus id

Most of the times we were lucky enough for this to work (no events while away, or just got the new id in time...) but it was also very likely to do a double fetch of messages as MessageBus would think we were late.
2023-05-11 22:27:48 +02:00
David Taylor
d6f94e0916
DEV: Revert buildjet (#21475)
This reverts commits 17603794b5 and 41bdf8cfcd.
2023-05-11 22:25:30 +02:00
Jarek Radosz
f9db5d5ea6
DEV: Stub stderr instead of manual change (#21511)
Fixes "stack too deep" issues in CI
2023-05-11 21:18:55 +02:00
Joffrey JAFFEUX
e905de66ff
FIX: close panel earlier (#21512)
deactivate was happening too late and sometimes after we did reopen for next panel causing the panel to stay effectively closed
2023-05-11 21:15:31 +02:00
Blake Erickson
bd6e487df0
FIX: Allow integer group_ids for create invite api (#21494)
This fixes a bug in the create invite API where if you passed in an
integer for the group_ids field it would fail to add the user to the
specified group.
2023-05-11 11:39:33 -06:00
Jarek Radosz
ce5430adc1
DEV: Rework static controllers/routes (#19466)
The issues fixed:

1. Previously all static pages (e.g. login-required landing page, /tos, /privacy, forgot-password) were wrapped in the faq-read-tracking component
2. All these pages shared one controller with methods that were relevant to one route
3. There were two route-generating functions: `static-route-builder` and `build-static-route` 🤣 
4. They were using the deprecated `renderTemplate()` API
5. A slight misuse of Ember API (`controllerFor()`)
6. Small mark-faq-read related bugs
2023-05-11 19:02:11 +02:00
Andrei Prigorshnev
f4fde4e49b
DEV: When deleting a chat message, do not delete mention records (#21486)
A chat message may be restored later, so we shouldn't be deleting `chat_mentions` records for it.

But we still have to remove notifications (see 082cd139).
2023-05-11 20:05:59 +04:00
Joffrey JAFFEUX
92bb845db2
FIX: messages selection with shift + click (#21506)
This commit fixes the shift+click multi selection in threads. We were not correctly using the manager of the message and would attempt to find messages in the channel instead of the thread.

The `activeThread` was also not correctly set sometimes.

Also adds tests for message selection in threads.
2023-05-11 17:52:53 +02:00
Andrei Prigorshnev
2703f2311a
DEV: Create a chat_mention record when self mentioning (#21438)
In the past, we create a `chat_mention` records only when we wanted to notify a user about a mention. Since we don't send notifications when a user mentioning himself, we didn't create a `chat_mention` records in those cases.

Now we use `chat_mentions` records in other scenarios too, so when a user is mentioning himself we want to:
1. Create a `chat_mention` record for that mention
2. Do not create a notification for that mention
2023-05-11 19:30:26 +04:00
dependabot[bot]
f494e54128
Build(deps): Bump webpack in /app/assets/javascripts (#21496)
Bumps [webpack](https://github.com/webpack/webpack) from 5.82.0 to 5.82.1.
- [Release notes](https://github.com/webpack/webpack/releases)
- [Commits](https://github.com/webpack/webpack/compare/v5.82.0...v5.82.1)

---
updated-dependencies:
- dependency-name: webpack
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-05-11 17:27:09 +02:00
Joffrey JAFFEUX
0c27baef76
FIX: keyboard on android (#21505) 2023-05-11 16:12:48 +02:00
Martin Brennan
26f9ccd8bb
FEATURE: Create and update thread memberships (#21501)
When the user sends a message in a thread, we want to
create a membership for them in the background (default
to notification level of Watching) so we can track whether
they have read the thread.

Then, for now since we don't have granular message reading/
scrolling in the thread panel, we just update the thread
last_read_message_id for the user to the latest reply in the
thread when they open the thread panel. This at least will
mark the thread as read.

In future PRs we want to show the blue dot indicator in various
places in the UI for unread threads which will also require
some MessageBus functionality.

This takes into account the same issue fixed for channels
in ae3231e140
2023-05-11 14:35:26 +02:00
Ted Johansson
b837459e1d
DEV: Add both safe and unsafe Discourse.store.download methods (#21498)
* DEV: Add both safe and unsafe Discourse.store.download methods

* DEV: Update call sites that can use the safe store download method
2023-05-11 17:27:27 +08:00
dependabot[bot]
4e846b69c4
Build(deps): Bump loofah from 2.20.0 to 2.21.1 (#21495)
Bumps [loofah](https://github.com/flavorjones/loofah) from 2.20.0 to 2.21.1.
- [Release notes](https://github.com/flavorjones/loofah/releases)
- [Changelog](https://github.com/flavorjones/loofah/blob/main/CHANGELOG.md)
- [Commits](https://github.com/flavorjones/loofah/compare/v2.20.0...v2.21.1)

---
updated-dependencies:
- dependency-name: loofah
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-05-11 15:04:25 +08:00
Joffrey JAFFEUX
5b12d23b1d
FIX: rely only on one keyboard computation solution (#21492)
We were combining both solutions which was apparently causing issues from chrome 113 on Android at least.

The commit will now use `geometrychange` (android) only when available and fallback to `visualViewport` otherwise (iOS).
2023-05-11 08:58:29 +02:00
Joffrey JAFFEUX
55c4a550c1
FEATURE: chat-replying indicator for threads (#21485)
This feature adds the replying indicator in threads, it uses the same `/chat-reply/CHANNEL_ID` prefix than the channel composer replying indicator as we don't have specific right on threads ATM (if you can access channel, you can access thread). Thread will however use a presence channel name of the following format: `/chat-reply/CHANNEL_ID/thread/THREAD_ID`

This commit also simplifies the computation of `users` to eventually avoid a race-condition leading to a leak of the indicator in another channel/thread.

<!-- NOTE: All pull requests should have tests (rspec in Ruby, qunit in JavaScript). If your code does not include test coverage, please include an explanation of why it was omitted. -->
2023-05-11 08:02:04 +02:00
Joffrey JAFFEUX
aab6fb13a0
DEV: fix flakey spec in handle_category_udpated (#21488) 2023-05-11 08:01:02 +02:00
Tobias Eigen
dee8c759eb
simplify email_in description (#21476)
this includes info not relevant on our hosting and also does not mention it works with groups. see https://meta.discourse.org/t/when-an-existing-staged-user-joins-my-site-filled-in-user-custom-fields-data-isnt-saved/254926/9?u=tobiaseigen
2023-05-10 17:36:47 -07:00
Juan David Martínez Cubillos
83d2f9ef78
FEATURE: Default to subcategory when parent category does not allow posting (#21228)
added site toggle functionality through site settings

added tests to implemented feature

Introduced suggested correction

renamed find_new_topic method and deleted click_new_topic_button method
2023-05-10 12:34:39 -05:00
Martin Brennan
616885895a
FIX: Chat NotificationLevels extension breaking in prod (#21484)
When setting DISCOURSE_ZEITWERK_EAGER_LOAD=1 to enable
eager loading the previous solution to adding chat_levels
to the core NotificationLevels would break with a module
loading error (c.f. cc2570fce3)

We don't actually _need_ to extend the core class, we can just
make our own for chat, let's do this instead.
2023-05-10 18:46:06 +02:00
Martin Brennan
79812db7d3
DEV: Fix double Chat:: module usage in chat models (#21483) 2023-05-10 17:51:46 +02:00
Martin Brennan
9b95a65dff
DEV: Fix thread excerpt word break (#21482)
Changing from break-all to break-word because otherwise
longer words (not just links) are split into separ
ate lines.
2023-05-10 17:20:02 +02:00
Martin Brennan
cc2570fce3
DEV: Create UserChatThreadMembership table and model (#21481)
This will enable us to begin work on user tracking
state for a thread so we can show thread-specific
unreads and mentions indicators. In this case are following
the core notification_level paradigm rather than the solution
UserChatChannelMembership went with, and eventually we
will want to refactor the other table to match this as well.

Co-authored-by: Joffrey JAFFEUX <j.jaffeux@gmail.com>
2023-05-10 17:19:48 +02:00
Bianca Nenciu
d3a5a493fa
DEV: Add configurable? helper to Plugin::Instance (#21472)
This reapplies commit 3073e5cfb0, with
a fix that makes sure that plugins can be looked up both by the name
present in metadata and directory name.
2023-05-10 16:21:48 +03:00
Joffrey JAFFEUX
b713ae166f
FIX: excerpt overflow and children click events (#21473) 2023-05-10 15:07:43 +02:00
dependabot[bot]
d65c37366e
Build(deps-dev): Bump terser in /app/assets/javascripts (#21463)
Bumps [terser](https://github.com/terser/terser) from 5.17.2 to 5.17.3.
- [Changelog](https://github.com/terser/terser/blob/master/CHANGELOG.md)
- [Commits](https://github.com/terser/terser/compare/v5.17.2...v5.17.3)

---
updated-dependencies:
- dependency-name: terser
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-05-10 15:05:39 +02:00
Martin Brennan
91c5658e9b
FIX: Handle deleted original message for thread index (#21470)
Since we have channel message retention which deletes
messages, we can end up with cases where the thread
is still around but the message is deleted. We will
handle the cascade delete in a different commit --
for now we will ensure the thread list lookup handles
this case and doesn't error.
2023-05-10 13:58:15 +02:00
Jan Cernik
cbbaeb55b5
FIX: Don't autojoin users when they have ready-only permissions (#20213)
After this change, in order to join a chat channel, a user needs to be in a group with at least “Reply” permission for the category. If the user only has “See” permission, they are able to preview the channel, but not join it or send messages. The auto-join function also follows this new restriction.

---------

Co-authored-by: Martin Brennan <martin@discourse.org>
2023-05-10 08:45:13 -03:00
David Taylor
56995e40c2
Revert "A11Y: Improve select-kit accessibility (#21400)" (#21468)
This reverts commit e8aea3c558. This introduced some errors during navigation on mobile. Reverting while we investigate
2023-05-10 11:45:17 +01:00
Joffrey JAFFEUX
3727c95f6f
Revert "DEV: Add configurable? helper to Plugin::Instance (#20767)" (#21469)
This reverts commit 3073e5cfb0.
2023-05-10 12:41:55 +02:00
Bianca Nenciu
3073e5cfb0
DEV: Add configurable? helper to Plugin::Instance (#20767)
This can be used to forcibly disable plugins.
2023-05-10 13:16:37 +03:00
Joffrey JAFFEUX
c6b43ce68b
FEATURE: Thread list initial UI (#21412)
This commit adds an initial thread list UI. There are several limitations
with this that will be addressed in future PRs:

* There is no MessageBus reactivity, so e.g. if someone edits the original
   message of the thread it will not be reflected in the list. However if
   the thread title is updated the original message indicator will be updated.
* There is no unread functionality for threads in the list, if new messages
   come into the thread there is no indicator in the UI.
* There is no unread indicator on the actual button to open the thread list.
* No pagination.

In saying that, this is the functionality so far:

* We show a list of the 50 threads that the user has most recently participated
   in (i.e. sent a message) for the channel in descending order.
* Each thread we show a rich excerpt, the title, and the user who is the OM creator.
* The title is editable by staff and by the OM creator.
* Thread indicators show a title. We also replace emojis in the titles.
* Thread list works in the drawer/mobile.
2023-05-10 11:42:32 +02:00
Joffrey JAFFEUX
7a84fc3d9d
DEV: more resilient scroll to bottom spec (#21467)
The spec now checks we are in the state we expect to be before clicking bottom button. The bottom button could show while it's still loading and on slow systems cause failures.
2023-05-10 10:54:02 +02:00
Natalie Tay
17603794b5
DEV: Reduce plugin system test parallel processors (#21466) 2023-05-10 15:43:41 +08:00
David Battersby
a19027afae
FIX: show 404 on new category page for moderators when Site Setting disabled (#21448)
Currently the /new-category url can be accessed by moderators, regardless of whether the Site Setting for moderators_manage_categories_and_groups is true or false.

On top of this, non authorized users can also access this page but shows errors (no 404 loaded).

Since the 404 redirect happens within Ember, we need to allow the site setting value to be accessed within JS. 

After this change all non admin users will see a 404 for this route, the exception being moderators if the moderators_manage_categories_and_groups setting has a value of true.

/t/73360
2023-05-10 14:26:49 +08:00
David Battersby
5d8632d484
FIX: fallback to composer for non ascii characters (#21465)
The problem
When selecting text and clicking the "Edit" button that pops up, this opens up the Fast Edit dialog.

The fast edit feature doesn't work well with non standard characters (non-ascii). If the user selects a string of text that contains non-ascii characters, sometimes they won't save. It is non-obvious to the user why this is happening. This issue occurs more frequently when editing content that is written in non-english languages, as fast-edit doesn't work well with non-ascii characters. We currently do a global replace on a couple of the more obvious quotation marks when the fast edit dialog attempts to save, but there are too many edge cases for foreign language content.

The solution
We can fix this issue by using a catch-all approach for non-ascii characters before the user clicks the edit button to bring up the fast edit dialog. Then we can fallback to the full composer to edit their text, which has much better support for non-ascii characters.

What does this regex do?
The regex used matches any character that is not within the ASCII range of 0x00 to 0x7F, which includes all control characters and non-ASCII characters.

This regex pattern can be used to match any character that is not a standard ASCII character, such as accented characters, non-Latin characters, and special symbols.
2023-05-10 12:38:28 +08:00
Natalie Tay
41bdf8cfcd
DEV: Use BuildJet for some test jobs (#21404) 2023-05-10 10:39:27 +08:00
Sam
bd32912c5e
FIX: do not allow title stuffing to dominate search (#21464)
We were giving topics with repeated words extra weight in search index.
This meant that it was trivial to stuff words into title to dominate in search
given we search for exact title matches first.

The following tweak means that:

`invite invited invites`
and
`invite some stuff`

Both rank the same for title searching.

Titles are short and punchy, duplicating words should not give special
weight.

Requires a full reindex to take effect.
2023-05-10 11:47:58 +10:00
Discourse Translator Bot
a010c3495b
Update translations (#21455) 2023-05-10 00:48:10 +02:00
Joffrey JAFFEUX
dacb605e98
DEV: more resilient upload spec (#21462)
Checking "uploading" string is tricky because it both takes time before showing, and when it will show it will show for a short period of time. I prefer to reduce the surface tested here while still getting some confidence out of it and making the test more reliable.
2023-05-10 00:33:40 +02:00