commit e6fcaadd45
Author: Sam
Date:   2016-09-16 13:48:50 +10:00

    FIX: redirects back to origin for SSO and omniauth login

commit 0b334cdf74
Author: Sam
Date:   2016-08-16 17:06:52 +10:00

    FIX: stop removing query params from destination url in sso

commit 2f8ab8cd30
Author: Robin Ward
Date:   2016-07-28 11:38:12 -04:00

    SECURITY: XSS in "Account Suspended" Messages and Badge Descriptions

commit e265b7b090
Author: Peter Lejeck
Date:   2016-06-29 22:12:25 -07:00

    Log RecordInvalid when verbose_sso_logging enabled

commit 852860de66
Author: Sam
Date:   2016-06-17 11:28:49 +10:00

    FEATURE: simpler and friendlier unsubscribe workflow

    - All unsubscribes go to the exact same page
    - You may unsubscribe from watching a category on that page
    - You no longer need to be logged in to unsubscribe from a topic
    - Simplified footer on emails

commit 19ca08857f
Author: Sam
Date:   2016-04-08 11:20:01 +10:00

    FEATURE: verbose SSO logging

    By enabling the site setting verbose_sso_logging
    you can log information every time a user tries to initiate SSO
    and during SSO failures

commit a130cb8305
Author: Sam
Date:   2016-04-07 14:39:01 +10:00

    FEATURE: move more urgent email notifications to critical queue

    Move signup, admin login and password change email notifications
    to critical queue

commit 8ec7fd84fd
Author: Sam
Date:   2016-04-07 12:56:43 +10:00

    FEATURE: prioritize sidekiq jobs

    This commit introduces 3 queues for sidekiq:
    "critical" for urgent jobs (weighted at 4x weight)
    "default" for standard jobs (weighted at 2x weight)
    "low" for less important jobs

    "critical jobs"
    Reset Password emails have been separated into their own job
    Heartbeat which is required to keep sidekiq running
    Test email which needs to return real quick

    "low priority jobs"
    Notify mailing list
    Pull hotlinked images
    Update gravatar

    "default"
    All the rest

    Note: for people running sidekiq from command line use
    bin/sidekiq -q critical,4 -q default,2 -q low

commit f0552af5f1
Author: Robin Ward
Date:   2016-03-23 14:44:34 -04:00

    FIX: Don't log validation errors for sso

commit 0a84275800
Author: Régis Hanol
Date:   2016-02-24 23:35:45 +01:00

    missed a couple of newlines in the logs

commit 97c7b894ce
Author: Régis Hanol
Date:   2016-02-24 21:57:01 +01:00

    better logs when an error happens in SSO

commit 97130463d6
Author: Neil Lalonde
Date:   2016-02-19 12:19:20 -05:00

    FEATURE: show a new modal when suspended users try to log in

commit 7d3be0f8f1
Author: Régis Hanol
Date:   2015-11-09 17:37:33 +01:00

    forgot password on a staged account does nothing

commit c28843e87b
Author: Arpit Jalan
Date:   2015-10-25 11:30:38 +05:30

    FIX: redirect to return_url when working as SSO provider

commit 8055d065f2
Author: Dan Singerman
Date:   2015-08-11 16:48:55 +01:00

    Refactor ApplicationController#redirect_to_login_if_required to use session for SSO

commit 7056db26e6
Author: Dan Singerman
Date:   2015-08-11 16:31:28 +01:00

    Respect cookie[:destination_url] in Single Sign On

    When the login_required setting is true, the destination URL is dropped. This change means it will be
    respected at login time

commit fc2a08731a
Author: Sam
Date:   2015-05-30 13:19:07 +10:00

    FIX: sso_not_approved_url not working correctly

commit 02fa7448ca
Author: Sam
Date:   2015-05-27 14:06:45 +10:00

    FEATURE: custom url to redirect to on account pending approval for sso

commit 918034aa7b
Author: Sam
Date:   2015-05-27 11:17:28 +10:00

    remove less useful error reporting

commit e5888cf090
Author: Sam
Date:   2015-05-20 17:12:16 +10:00

    PERF: avoid preloading json in cases where it is not needed

    (uploads / avatars / non GET requests)

commit 14ab9c45b6
Author: Sam
Date:   2015-05-20 12:08:17 +10:00

    Merge pull request #3470 from ahuling13/expired-nonce-return-status

    In the case of an expired nonce, return a 400 status code instead of 500

commit e44ddff9bb
Author: Andrew Huling
Date:   2015-05-19 13:13:14 -04:00

    Change the expired nonce return status code from 400 to 419.

commit b8a43e153c
Author: Paul Kaplan
Date:   2015-05-15 12:15:06 -05:00

    Use session controller to prevent inactive SSO users

commit e1d2ecef10
Author: Andrew Huling
Date:   2015-05-14 16:03:02 -04:00

    In the case of an expired nonce, return a 400 status code instead of a 500.

    500 status codes are for unexpected server-side error scenarios. When an expired nonce is used by the client, a 4XX-level error is more appropriate because the client has submitted a bad request (by using an expired nonce). A 500 also causes Internet Explorer to show its default 500 page which does not show the error message and leads to a bad end user experience. I am choosing 400 for the new status rather than 401 or 403 because 401 requires a WWW-Authenticate header which would be difficult to generate in an SSO scenario and a 403 implies that no re-authentication will address the failure.

commit d9a3e82516
Author: Harm Geerts
Date:   2015-05-11 14:17:32 +02:00

    Stop sso login processing after rendering error

    This prevents a DoubleRenderError triggered on the redirect_to.

commit f5af4768eb
Author: Sam
Date:   2015-03-09 13:14:29 +11:00

    FEATURE: add clean support for running Discourse in a subfolder

    To set up, set DISCOURSE_RELATIVE_URL_ROOT to the folder you wish

commit 7c14db44cc
Author: Neil Lalonde
Date:   2015-03-02 12:13:22 -05:00

    UX: improve message when admin login is blocked because of admin ip address whitelisting

commit 3e2ba5b30b
Author: Robin Ward
Date:   2015-02-25 16:02:40 -05:00

    FIX: If an IP is blocked, don't allow people to login using it

commit ca5730018a
Author: Robin Ward
Date:   2015-02-23 16:01:46 -05:00

    FIX: SSO code should respect IP address filters

commit 5657006aca
Author: riking
Date:   2015-02-09 12:47:46 -08:00

    Rename handle_exception to handle_job_exception

commit b3a2c0c45b
Author: Robin Ward
Date:   2015-01-22 12:20:17 -05:00

    SECURITY: The SSO return_path was an open redirect

    This security fix needs SSO to be configured, and the user has to go
    through the entire auth process before being redirected to the wrong host so
    it is probably lower priority for most installs.

commit 9bb2ab6265
Author: Robin Ward
Date:   2014-12-19 16:52:01 -05:00

    Merge pull request #3034 from fantasticfears/filter_system_user

    disable sending email or show presence when forgot system user password

commit ceca85c9eb
Author: Erick Guan
Date:   2014-12-18 18:21:14 +08:00

    use system user helper and constant when it's referred

commit 9937af7ac4
Author: Erick Guan
Date:   2014-12-10 14:17:56 +08:00

    disable sending email or show presence when forgot system user password

commit 800ae5265f
Author: Sam
Date:   2014-11-27 12:24:37 +11:00

    Add admin and moderator state to sso provider

commit c10e3df012
Author: Sam
Date:   2014-11-26 17:26:27 +11:00

    FEATURE: implement SSO provider on Discourse so Auth can be farmed to it

    FEATURE: pass return_sso_url to SSO endpoints, for easier return

commit 9e1e3df6c9
Author: Sam
Date:   2014-11-24 12:16:23 +11:00

    FEATURE: Localize SSO error messages

commit d3b24b625b
Author: Sam
Date:   2014-11-24 10:02:22 +11:00

    Add more SSO logging for failure conditions

commit 1252e7324f
Author: Robin Ward
Date:   2014-10-07 12:25:50 -04:00

    Added easy impersonate route while in development mode

commit d53e01619f
Author: Sam
Date:   2014-09-25 10:06:44 +10:00

    SECURITY: rate limit user/password login

commit 2c6d03f87f
Author: riking
Date:   2014-09-12 12:07:11 -04:00

    SECURITY: Limit passwords to 200 characters

    Prevents layer 8 attack.

commit 45e8337a29
Author: Sam
Date:   2014-09-11 15:53:29 +10:00

    FEATURE: renames forgot_password_verbose, forgot_password_strict

commit 61bcde6284
Author: Sam
Date:   2014-09-11 12:04:44 +10:00

    FEATURE: inform users if forgot password works or not

    FIX: flash dialog in forgot password often had wrong color
    (this can be disabled by setting forgot_password_verbose to false)

commit ca5f361d0a
Author: Neil Lalonde
Date:   2014-09-05 12:06:01 -04:00

    FEATURE: restrict admin access based on IP address

commit e0a82d3088
Author: Sam
Date:   2014-08-18 10:55:30 +10:00

    FIX: rate limit password reset email

commit 1da59e7e2e
Author: Neil Lalonde
Date:   2014-04-28 13:46:28 -04:00

    FIX: deactivated users shouldn't be able to log in

commit be06156629
Author: Sam
Date:   2014-03-26 15:39:44 +11:00

    SECURITY: when enabled_local_logins is false users could log in via API

    thanks @Nicholas Blanco

commit 74a1145a0b
Author: Sam
Date:   2014-02-26 10:27:39 +11:00

    BUGFIX: sso to respect must_approve_users

commit 440435f023
Author: Sam
Date:   2014-02-26 09:58:30 +11:00

    FEATURE: SSO to handle return_path automatically

commit 6f31d3f0e5
Author: Sam
Date:   2014-02-25 14:31:03 +11:00

    FEATURE: single sign on support

    Added support for outsourcing auth to a different website, documentation on meta