Commit Graph

56 Commits

Author SHA1 Message Date
Robin Ward
7b45a5ce55 FIX: Better and more secure validation of periods for TopicQuery
Co-authored-by: Martin Brennan <mjrbrennan@gmail.com>
2021-07-23 14:24:44 -04:00
Rafael dos Santos Silva
e12b00eab7
FEATURE: Stop checking referer for embeds (#13756)
Flips content_security_policy_frame_ancestors default to enabled, and
removes HTTP_REFERER checks on embed requests, as the new referer
privacy options made the check fragile.
2021-07-16 15:25:49 -03:00
Rafael dos Santos Silva
e2154b3d59
FEATURE: Small improvements to the topic list embed (#12881)
* FEATURE: Small improvements to the topic list embed

- Ability to wrap the list in a custom class so you can styles different
lists using specific CSS

- Adds a topic link to the thumbnail when using the complete template

* FIX: Be more strict about allowed chars in class name
2021-04-29 12:12:00 -03:00
Rafael dos Santos Silva
a74783d157
FEATURE: Allow using 'top' view for topic list embed (#12825) 2021-04-26 18:10:04 -03:00
Rafael dos Santos Silva
fb4486d5f1
FEATURE: Add CSP frame-ancestors support (#12404) 2021-03-22 16:00:25 -03:00
Robin Ward
53ab3dda5d
FIX: Embedded comments should only return regular posts (#11773)
There shoudln't be a situation where you'd want to see moderator actions
or small posts.
2021-01-21 12:47:03 -05:00
Daniel Waterworth
0b800d307f SECURITY: Bound the amount of work that embed#topics can do
This commit adds a hidden site setting that limits the maximum number of
topics that can be fetched at once via the embed controller.
2020-07-20 13:25:34 +01:00
Mark VanLandingham
66e0bdc053
FEATURE: Create New Topic button on embed with params (#8280)
* FEATURE: Create New Topic button on embed with params
2019-11-01 14:19:10 -05:00
Krzysztof Kotlarek
427d54b2b0 DEV: Upgrading Discourse to Zeitwerk (#8098)
Zeitwerk simplifies working with dependencies in dev and makes it easier reloading class chains. 

We no longer need to use Rails "require_dependency" anywhere and instead can just use standard 
Ruby patterns to require files.

This is a far reaching change and we expect some followups here.
2019-10-02 14:01:53 +10:00
Robin Ward
1cebe7670a FEATURE: Allow embedding to ignore HTTP REFERER
New site setting: `embed_any_origin` that will send postMessages to
wildcard origins `*` instead of the referer.

Most of the time you won't want to do this, so the setting is default to
`false`. However, there are certain situations where you want to allow
embedding to send post messages when there is no HTTP REFERER.

For example, if you created a native mobile app and you wanted to embed a list
of Discourse topics as HTML. In the code your HTML would be a
static file/string, which would not be able to send a referer. In this
case, the site setting will allow the embed to work.

From a security standpoint we currently only use `postMessage` to send
data about the size of the HTML document and scroll position, so it
should be enable if required with minimal security ramifications.
2019-09-10 12:27:07 -04:00
Arpit Jalan
3e37801d05 DEV: validate param value on /embed/topics 2019-09-04 13:31:46 +05:30
Arpit Jalan
111ae95cbc
FEATURE: embed topic with detailed metadata (#8062) 2019-09-02 19:55:44 +05:30
Robin Ward
b8f21ea962 FIX: Explicitly require topic_query_params 2019-08-15 13:54:52 -04:00
Robin Ward
23367e79ea
FEATURE: Embed topics list on remote sites via Javascript API. (#8008)
This adds support for a `<d-topics-list>` tag you can embed in your site
that will be rendered as a list of discourse topics. Any attributes on
the tag will be passed as filters. For example:

`<d-topics-list discourse-url="URL" category="1234">` will filter to category 1234.

To use this feature, enable the `embed topics list` site setting. Then
on the site you want to embed, include the following javascript:

`<script
src="http://URL/javascripts/embed-topics.js"></script>`

Where `URL` is your discourse forum's URL.

Then include the `<d-topics-list discourse-url="URL">` tag in your HTML document and it will
be replaced with the list of topics.
2019-08-15 13:41:06 -04:00
Sam Saffron
30990006a9 DEV: enable frozen string literal on all files
This reduces chances of errors where consumers of strings mutate inputs
and reduces memory usage of the app.

Test suite passes now, but there may be some stuff left, so we will run
a few sites on a branch prior to merging
2019-05-13 09:31:32 +08:00
Régis Hanol
de92913bf4 FIX: store the topic links using the cooked upload url 2018-08-14 12:23:32 +02:00
Guo Xiang Tan
ad5082d969 Make rubocop happy again. 2018-06-07 13:28:18 +08:00
Guo Xiang Tan
142571bba0 Remove use of rescue nil.
* `rescue nil` is a really bad pattern to use in our code base.
  We should rescue errors that we expect the code to throw and
  not rescue everything because we're unsure of what errors the
  code would throw. This would reduce the amount of pain we face
  when debugging why something isn't working as expexted. I've
  been bitten countless of times by errors being swallowed as a
  result during debugging sessions.
2018-04-02 13:52:51 +08:00
Guo Xiang Tan
77d4c4d8dc Fix all the errors to get our tests green on Rails 5.1. 2017-09-25 13:48:58 +08:00
Guo Xiang Tan
5012d46cbd Add rubocop to our build. (#5004) 2017-07-28 10:20:09 +09:00
Pat David
18de62b015 Add get_embeddable_css_class to assist multi-site embed styling
If present, pass embeddable_host.class_name to view for inclusion
on the <html> element as a class for targeted styling.
2017-05-11 15:16:16 -04:00
Robin Ward
03bc6f70f9 Better error messages when embedding fails 2016-12-13 14:38:05 -05:00
Arpit Jalan
bfefda06f6 FIX: handle embed count when topic not found 2016-08-25 07:12:20 +05:30
Robin Ward
c3a3aff120 FEATURE: Support for a whitelist for embeddable host paths 2016-08-23 14:56:12 -04:00
Robin Ward
664f1913c8
FIX: Don't include hidden posts in embedded comments 2016-05-03 15:01:20 -04:00
Sam
7ee11b0508 more logging, add referer 2016-04-25 10:48:36 +10:00
Sam Davies
b2f4659792 Pass discourse username to TopicRetriever from embed controller
When you specify `discourse_username` param on the embed URL, it should
translate to creating the post with that username.

This commit ensures that this is now the case.
2016-02-25 13:02:25 +00:00
Robin Ward
e82145cbf9 Fix broken spec 2015-11-20 14:27:30 -05:00
Robin Ward
5056de1d8a FIX: Never show less than 0 replies when embedding 2015-11-20 13:06:00 -05:00
Jude Aakjaer
9cca510944 Add embed/info endpoint for TopicEmbed queries 2015-09-16 03:22:24 +00:00
Robin Ward
d1c69189f3 FEATURE: Can edit category/host relationships for embedding 2015-08-20 15:56:04 -04:00
Robin Ward
ae277e28a6 FEATURE: Allow embedding topics without creating them, by id 2015-06-09 16:24:20 -04:00
Robin Ward
7b6d6b76eb FEATURE: Multiple embeddable hosts
- Also refactors two site settings components into one, with tests
2015-06-09 13:25:43 -04:00
Sam
e5888cf090 PERF: avoid preloading json in cases where it is not needed
(uploads / avatars / non GET requests)
2015-05-20 17:12:16 +10:00
Arpit Jalan
fc30b771cf FIX: reply count is off by one 2015-05-11 13:58:53 +05:30
Arpit Jalan
23fd16850a FIX: include youtube link in embedded comments 2015-05-01 18:34:45 +05:30
Sam
03c8f09be8 PERF: finalize porting to new incoming links structure 2014-08-04 16:43:57 +10:00
Robin Ward
42c7ad4670 FIX: build broke, also escaping issue on poster name 2014-06-18 17:47:31 -04:00
Robin Ward
60cb5ea6a9 FIX: If a user is deleted, don't break embedded comments for admins. 2014-06-18 17:39:36 -04:00
Robin Ward
6dd1880f1f FIX: More safety when displaying link counts on blogs 2014-05-20 15:20:33 -04:00
Robin Ward
6cd3796c39 FIX: Blog counts stopped working with additional security checks 2014-05-09 16:26:14 -04:00
Robin Ward
122f2a00cc Don't look for a JS format. IE11 seems to not request it even with a
`<script>` tag.
2014-04-14 12:16:08 -04:00
Robin Ward
a4daafa026 Support trailing / when retrieving comment counts. 2014-03-20 15:22:49 -04:00
Robin Ward
a963dd9081 Support embeddable_host values that contain a HTTP/HTTPs protocol 2014-02-12 15:56:06 -05:00
Robin Ward
bcc7f3aba4 Support embedded link counts via data-* attribute 2014-01-13 13:37:55 -05:00
Robin Ward
488319a5d1 FIX: Don't store incoming links on embed 2014-01-13 12:58:53 -05:00
Robin Ward
af3edfd5eb FEATURE: Show Reply count on blog index page when embedding 2014-01-13 12:47:41 -05:00
Robin Ward
25caec0e62 Change text at the bottom of embedded comments to be (x more replies) 2014-01-03 14:55:37 -05:00
Robin Ward
1ffcf39448 Make embedded comments look nicer 2014-01-03 12:52:42 -05:00
Robin Ward
aefad6ae85 FIX: Broken test 2014-01-02 12:15:48 -05:00