Commit Graph

3325 Commits

Author SHA1 Message Date
Alan Guo Xiang Tan
a243d1d6a1
DEV: Fix state leak in spec (#29135)
`GlobalSetting.skip_redis` sets a class instance variable so we need
to reset it.

Follow-up to 7d441e3782
2024-10-09 06:36:47 +08:00
Régis Hanol
34d04e7507
SECURITY: add pagination to post replies
When a post has some replies, and the user click on the button to show them, we would load ALL the replies. This could lead to DoS if there were a very large number of replies.

This adds support for pagination to these post replies.

Internal ref t/129773

FIX: Duplicated parent posts

DEV: Query refactor
2024-10-07 11:48:48 +08:00
Jeff Wong
7d441e3782
FIX: skips caching a generated secret key base token if skip_redis is true. (#29029)
Allows for `SKIP_DB_AND_REDIS` env var to be used without a secret key setup in
global setting env.
2024-10-06 06:46:58 -07:00
Ted Johansson
e60876ce49
FIX: Appropriately handle uninstalled problem checks (#28771)
When running checks, we look to the existing problem check trackers and try to grab their ProblemCheck classes.

In some cases this is no longer in the problem check repository, e.g. when the check was part of a plugin that has been uninstalled.

In the case where the check was scheduled, this would lead to an error in one of the jobs
2024-09-18 10:11:52 +08:00
Ted Johansson
be33363f13
FEATURE: Add ability to dismiss admin notices (#28916)
his is a new feature that lets admins dismiss notices from the dashboard. This helps with self-service in cases where a notice is "stuck", while we work on provisions to prevent "sticking" in the first place.
2024-09-17 14:43:34 +08:00
Jan Cernik
0c019b2e45
FIX: Error when moving the group default notification state (#28910) 2024-09-13 16:01:20 -03:00
Osama Sayegh
3baf6233aa
FIX: Remove anonymous users from users directory (#28892)
Anonymous users are "shadow" users created when an existing real user desires to post anonymously. This feature is off by default, but it can be enabled via the `allow_anonymous_posting` site setting. Those shadow users shouldn't be included in the users directory (`/u`).
2024-09-13 15:12:57 +03:00
Alan Guo Xiang Tan
97143efc52
PERF: Drop user_search_similar_results site setting (#28874)
In 14cf8eacf1, we added the
`user_search_similar_results` site setting which when enabled will use
trigram matching for similarity search in `UserSearch`. However, we
noted that adding the `index_users_on_username_lower_trgm` index is
causing the PG planner to not use the `index_users_on_username_lower`
index when the `=` operator is used against the `username_lower` column.

Based on the PG mailing list discussion where support for the `=`
operator in gist_trgm_ops was being considered, it stated that "I also have checked that btree_gist is preferred over pg_trgm gist
index for equality search." This is however quite different from reality
on our own PG clusters where the btree index is not preferred leading to
significantly slower queries when the `=` operator is used.

Since the pg_trgm gist index is only used for queries when the `user_search_similar_results` site setting
is enabled, we decided to drop the feature instead as it is hidden and
disabled by default. As such, we can consider it experiemental and drop
it without deprecation.

PG mailing list discussiong: https://www.postgresql.org/message-id/CAPpHfducQ0U8noyb2L3VChsyBMsc5V2Ej2whmEuxmAgHa2jVXg%40mail.gmail.com
2024-09-13 09:04:02 +08:00
Krzysztof Kotlarek
1f1709d249
FIX: use a custom prefix for custom flags (#28839)
Currently, when the custom flag has the same name as the system flag (which is disabled) then it is not displayed. To fix the problem, `custom_` prefix as `name_key` is used to distinguish between the system and the custom flag.

I considered writing a migration to fix existing custom flags name key. However, at the end of migration I would need to run rails code to reset cache `Flag.reset_flag_settings!`. I decided to skip that step as it is a very edge case. If someone has the same flag name as the system flag, then all they have to do is edit the flag and click save.

In addition, I made 2 small fixes:
- edit flag title was missing translation;
- flag form UI was not showing that description is the required field.
2024-09-11 15:30:20 +10:00
Martin Brennan
0323b366f3
DEV: Fix report flakys (#28838)
The Report model spec was directly adding methods
to the Report class, which was causing errors in the
admin reports controller because it would look for
a translation of the report name (e.g. report_timeout_test)
like so `I18n.t("reports.#{type}.title")`, then get an
error because the translation did not exist.

This is fixed by using `Report.stubs` instead, which is
cleaned up after every test.
2024-09-11 15:24:19 +10:00
Keegan George
f2059bf15f
FIX: Form template limit validation (#28791) 2024-09-10 08:11:44 -07:00
Osama Sayegh
0a994a9221
FEATURE: Add setting to exclude groups from /about page (#28809)
This commit adds a new `about_page_hidden_groups` setting to exclude members of specific groups from the admin and moderator lists on the /about page.

Internal topic: t/137717.
2024-09-10 14:43:41 +03:00
Martin Brennan
14b436923c
FEATURE: Switch to new methods of pageview measurement and reporting (#28729)
### UI changes

All of the UI changes described are gated behind the `use_legacy_pageviews`
site setting.

This commit changes the admin dashboard pageviews report to
use the "Consolidated Pageviews with Browser Detection" report
introduced in 2f2da72747 with
the following changes:

* The report name is changed to "Site traffic"
* The pageview count on the dashboard is counting only using the new method
* The old "Consolidated Pageviews" report is renamed as "Consolidated Legacy Pageviews"
* By default "known crawlers" and "other" sources of pageviews are hidden on the report

When `use_legacy_pageviews` is `true`, we do not show or allow running
the "Site traffic" report for admins. When `use_legacy_pageviews` is `false`,
we do not show or allow running the following legacy reports:

* consolidated_page_views
* consolidated_page_views_browser_detection
* page_view_anon_reqs
* page_view_logged_in_reqs

### Historical data changes

Also part of this change is that, since we introduced our new "Consolidated
Pageviews with Browser Detection" report, some admins are confused at either:

* The lack of data before a certain date , which didn’t exist before
  we started collecting it
* Comparing this and the current "Consolidated Pageviews" report data,
  which rolls up "Other Pageviews" into "Anonymous Browser" and so it
  appears inaccurate

All pageview data in the new report before the date where the _first_
anon or logged in browser pageview was recorded is now hidden.
2024-09-10 09:51:49 +10:00
Guhyoun Nam
aacd354de5
FEATURE: Added Category Experts unapproved post WebHook Event (#28802)
This PR is adding a Category Experts unapproved WebHook event type.
2024-09-10 07:56:35 +09:00
Ted Johansson
776b4ec8e2
DEV: Remove old problem check system - Part 1 (#28772)
We're now using the new, database-backed problem check system. This PR removes parts of the old, Redis-backed system that is now defunct.
2024-09-06 17:00:25 +08:00
Osama Sayegh
280adda09c
FEATURE: Support designating multiple groups as mods on category (#28655)
Currently, categories support designating only 1 group as a moderation group on the category. This commit removes the one group limitation and makes it possible to designate multiple groups as mods on a category.

Internal topic: t/124648.
2024-09-04 04:38:46 +03:00
Joffrey JAFFEUX
e418f7056f
FIX: prevents PM to large groups (#28681)
This commit introduces a new hidden site setting: `group_pm_user_limit`, default to `1000` which will raise an error when attempting to create a PM target a large group.
2024-09-03 12:08:14 +02:00
Guhyoun Nam
050c665160
FEATURE: Added Category Experts approved WebHook Event (#28525)
This PR is adding a Category Experts WebHook event type.
2024-09-03 06:59:15 +09:00
Joffrey JAFFEUX
4f705b3146
FIX: ensure About#stats uses the cache (#28634)
Prior to this fix we were calling `fetch_stats` which is never checking if we have a cache entry. This call is making a lot of SQL calls, so it's better to use the cache.
2024-08-29 12:16:57 +02:00
Osama Sayegh
5eea7244c7
FIX: Add users to user directory on account activation (#28505)
Follow-up to e3ae57ea7a

The previous commit added an `after_create` callback that triggers a refresh for the user directory whenever a `User` record is created. Theoretically, this approach should work, however, there's a gotcha in practice, because during a real user registration, when the `User` record is created in the database, it's not marked as active until the user verifies their email address and the user directory excludes inactive users, so the initial directory refresh triggered by the `after_create` callback becomes pointless.

To make a new user appear in the user directory immediately after sign up, we need to trigger a refresh via an `after_save` callback when they verify their email address and become active.
2024-08-26 18:01:24 +03:00
Joffrey JAFFEUX
f7990ec8f6
FIX: prevents topic hot scope error on future topics (#28545)
Prior this fix a topic created in the future could generate this exception:

```
Job exception: ERROR:  a negative number raised to a non-integer power yields a complex result
```

This fix and spec should ensure we don't consider topics in the future as the rest of the `update_scores` function is doing at other places.
2024-08-26 14:07:31 +02:00
Ted Johansson
981110d96e
FIX: Fix incorrect check for required custom fields (#28541)
This check was checking the wrong scope, causing problems in certain edge conditions, for example:

1. Admin adds an "on signup" field that isn't editable after signup.
2. Admin adds a "for all users" field.
3. User goes and fills up the "for all users" field from 2.
4. User is now stuck on the required fields page without any fields showing.

With this change, we only consider "for all users" fields when asking if required custom fields are filled in.
2024-08-26 15:33:19 +08:00
Krzysztof Kotlarek
e82e255531
FIX: serialize Flags instead of PostActionType (#28362)
### Why?
Before, all flags were static. Therefore, they were stored in class variables and serialized by SiteSerializer. Recently, we added an option for admins to add their own flags or disable existing flags. Therefore, the class variable had to be dropped because it was unsafe for a multisite environment. However, it started causing performance problems. 

### Solution
When a new Flag system is used, instead of using PostActionType, we can serialize Flags and use fragment cache for performance reasons. 

At the same time, we are still supporting deprecated `replace_flags` API call. When it is used, we fall back to the old solution and the admin cannot add custom flags. In a couple of months, we will be able to drop that API function and clean that code properly. However, because it may still be used, redis cache was introduced to improve performance.

To test backward compatibility you can add this code to any plugin
```ruby
  replace_flags do |flag_settings|
    flag_settings.add(
      4,
      :inappropriate,
      topic_type: true,
      notify_type: true,
      auto_action_type: true,
    )
    flag_settings.add(1001, :trolling, topic_type: true, notify_type: true, auto_action_type: true)
  end
```
2024-08-14 12:13:46 +10:00
Krzysztof Kotlarek
559c9dfe0a
REVERT: FIX: serialize Flags instead of PostActionType (#28334) 2024-08-13 18:32:11 +10:00
Krzysztof Kotlarek
094052c1ff
FIX: serialize Flags instead of PostActionType (#28259)
### Why?
Before, all flags were static. Therefore, they were stored in class variables and serialized by SiteSerializer. Recently, we added an option for admins to add their own flags or disable existing flags. Therefore, the class variable had to be dropped because it was unsafe for a multisite environment. However, it started causing performance problems. 

### Solution
When a new Flag system is used, instead of using PostActionType, we can serialize Flags and use fragment cache for performance reasons. 

At the same time, we are still supporting deprecated `replace_flags` API call. When it is used, we fall back to the old solution and the admin cannot add custom flags. In a couple of months, we will be able to drop that API function and clean that code properly. However, because it may still be used, redis cache was introduced to improve performance.

To test backward compatibility you can add this code to any plugin
```ruby
  replace_flags do |flag_settings|
    flag_settings.add(
      4,
      :inappropriate,
      topic_type: true,
      notify_type: true,
      auto_action_type: true,
    )
    flag_settings.add(1001, :trolling, topic_type: true, notify_type: true, auto_action_type: true)
  end
```
2024-08-13 11:22:37 +10:00
Loïc Guitaut
84823550d4 DEV: Enable Rails 7.1 defaults 2024-08-12 10:41:13 +02:00
Isaac Janzen
aeaae9babc
DEV: Add user modifier to prevent updating ip_address (#28280) 2024-08-08 13:06:08 -05:00
Isaac Janzen
2527f4599d
DEV: Add search_log modifier to prevent search log logging (#28279) 2024-08-08 12:41:10 -05:00
carson chang
854b8b7093
FEATURE: Add option to immediately delete stub topics upon merge (#28228)
Currently to handle stub topics after merging, there are only options to (1) never delete a stub topic and (2) delete a stub topic after X amount of days. This adds the option to immediately delete a stub topic upon merge.

---------

Co-authored-by: Mark VanLandingham <markvanlan@gmail.com>
Co-authored-by: Renato Atilio <renato@discourse.org>
2024-08-07 10:05:40 -03:00
Loïc Guitaut
97cd03d41a FIX: Return additional message types properly
Following a recent refactor, some methods from `FlagSettings` have been
renamed (`custom_types` -> `additional_message_types`). The
`PostActionType` model was using `custom_types` but when the renaming
was done, it was renamed to `with_additional_message` instead of
`additional_message_types`, which under the right circumstances will
raise an error.
2024-08-06 16:01:38 +02:00
Krzysztof Kotlarek
2b6c754779
Revert "FIX: Cache all flags multisite-safe (#28204)" (#28236)
This reverts commit 2225c03455.
2024-08-06 10:59:10 +10:00
Martin Brennan
2225c03455
FIX: Cache all flags multisite-safe (#28204)
This fixes an N1 in topics when loading all flags
and also makes the cache multisite-safe, followup
to fb7cc2d375
2024-08-06 09:59:49 +10:00
Ted Johansson
a32390f5dc
FIX: Don't count draft views towards topic view stats (#28162)
When creating a shared draft, we're recording topic view stats on the draft and then pass those on when the draft is published, conflating the actual view count.

This fixes that by not registering topic views if the topic is a shared draft.
2024-07-31 11:10:50 +08:00
Loïc Guitaut
edc6b6f26c DEV: Fix flaky spec related to translation overrides 2024-07-26 13:20:20 +02:00
Loïc Guitaut
ebde13a527 WIP: extract outdated/up-to-date logic in model 2024-07-26 12:20:00 +02:00
Loïc Guitaut
53210841c8 FIX: Validate MF strings when adding overrides
Currently, when adding translation overrides, values aren’t validated
for MF strings. This results in being able to add invalid plural keys or
even strings containing invalid syntax.

This patch addresses this issue by compiling the string when saving an
override if the key is detected as an MF one.

If there’s an error from the compiler, it’s added to the model errors,
which in turn is displayed to the user in the admin UI, helping them to
understand what went wrong.
2024-07-26 12:20:00 +02:00
锦心
5b05cdfbd9
FIX: Add post id to the anchor to prevent two identical anchors (#28070)
* FIX: Add post id to the anchor to prevent two identical anchors

We generate anchors for headings in posts. This works fine if there is
only one post in a topic with anchors. The problem comes when you have
two or more posts with the same heading. PrettyText generates anchors
based on the heading text using the raw context of each post, so it is
entirely possible to generate the same anchor for two posts in the same
topic, especially for topics with template replies

    Post1:
    # heading
    context
    Post2:
    # heading
    context

When both posts are on the page at the same time, the anchor will only
work for the first post, according to the [HTML specification](https://html.spec.whatwg.org/multipage/browsing-the-web.html#scroll-to-the-fragment-identifier).

> If there is an a element in the document tree whose root is document
> that has a name attribute whose value is equal to fragment, then
> return the *first* such element in tree order.

This bug is particularly serious in forums with non-Latin languages,
such as Chinese. We do not generate slugs for Chinese, which results in
the heading anchors being completely dependent on their order.

```ruby
[2] pry(main)> PrettyText.cook("# 中文")
=> "<h1><a name=\"h-1\" class=\"anchor\" href=\"#h-1\"></a>中文</h1>"
```

Therefore, the anchors in the two posts must be in exactly the same by
order, causing almost all of the anchors in the second post to be
invalid.

This commit solves this problem by adding the `post_id` to the anchor.
The new anchor generation method will add `p-{post_id}` as a prefix when
post_id is available:

```ruby
[3] pry(main)> PrettyText.cook("# 中文", post_id: 1234)
=> "<h1><a name=\"p-1234-h-1\" class=\"anchor\" href=\"#p-1234-h-1\"></a>中文</h1>"
```

This way we can ensure that each anchor name only appears once on the
same topic. Using post id also prevents the potential possibility of the
same anchor name when splitting/merging topics.
2024-07-25 13:50:30 +08:00
Krzysztof Kotlarek
fb7cc2d375
FIX: stop memoize PostActionTypes (#28005)
Memoizing all_flags on PostActionType was a mistake. This commit brings back the cache on the serialize level.
2024-07-22 17:35:49 +10:00
Krzysztof Kotlarek
f41716d532
FIX: drop fragment cache for flags (#28001)
Flags are stored in the memory of the process and a fragment cache is not necessary.
2024-07-22 12:37:33 +10:00
Mark VanLandingham
6e77107ccc
DEV: Publish DiscourseEvent in TopicUser.track_visit for first visit (#27975) 2024-07-19 10:53:12 -05:00
Martin Brennan
48d13cb231
UX: Use a dropdown for SSL mode for group SMTP (#27932)
Our old group SMTP SSL option was a checkbox,
but this was not ideal because there are actually
3 different ways SSL can be used when sending
SMTP:

* None
* SSL/TLS
* STARTTLS

We got around this before with specific overrides
for Gmail, but it's not flexible enough and now people
want to use other providers. It's best to be clear,
though it is a technical detail. We provide a way
to test the SMTP settings before saving them so there
should be little chance of messing this up.

This commit also converts GroupEmailSettings to a glimmer
component.
2024-07-18 10:33:14 +10:00
Krzysztof Kotlarek
c975c7fe1b
FEATURE: custom flag can require additional message (#27908)
Allow admin to create custom flag which requires an additional message.

I decided to rename the old `custom_flag` into `require_message` as it is more descriptive.
2024-07-18 10:10:22 +10:00
Natalie Tay
7d02b45304
DEV: Update webhook site setting for topic voting (#27935) 2024-07-17 20:26:48 +08:00
Vinoth Kannan
7b53e610c1
SECURITY: limit the number of characters in watched word replacements.
The watch words controller creation function, create_or_update_word(), doesn’t validate the size of the replacement parameter, unlike the word parameter, when creating a replace watched word. So anyone with moderator privileges can create watched words with almost unlimited characters.
2024-07-15 19:25:17 +08:00
Krzysztof Kotlarek
9e4e591d60
Revert "FEATURE: custom flag can require additional message (#27706)" (#27906)
This reverts commit c0bcd979e3.
2024-07-15 09:45:57 +10:00
Krzysztof Kotlarek
c0bcd979e3
FEATURE: custom flag can require additional message (#27706)
Allow admin to create custom flag which requires an additional message.

I decided to rename the old `custom_flag` into `require_message` as it is more descriptive.
2024-07-15 08:48:01 +10:00
Keegan George
3978db0811
DEV: Add missing Chinese simplified to names.yml (#27847) 2024-07-11 07:54:45 -07:00
Loïc Guitaut
301713ef96 DEV: Upgrade the MessageFormat library (JS)
This patch upgrades the MessageFormat library to version 3.3.0 from
0.1.5.

Our `I18n.messageFormat` method signature is unchanged, and now uses the
new API under the hood.

We don’t need dedicated locale files for handling pluralization rules
anymore as everything is now included by the library itself.

The compilation of the messages now happens through our
`messageformat-wrapper` gem. It then outputs an ES module that includes
all its needed dependencies.

Most of the changes happen in `JsLocaleHelper` and in the `ExtraLocales`
controller.

A new method called `.output_MF` has been introduced in
`JsLocaleHelper`. It handles all the fetching, compiling and
transpiling to generate the proper MF messages in JS. Overrides and
fallbacks are also handled directly in this method.

The other main change is that now the MF translations are served through
the `ExtraLocales` controller instead of being statically compiled in a
JS file, then having to patch the messages using overrides and
fallbacks. Now the MF translations are just another bundle that is
created on the fly and cached by the client.
2024-07-10 09:51:25 +02:00
Bianca Nenciu
6591a0654b
FIX: Destroy Drafts when increasing sequences (#27739)
Drafts used to be deleted instead of being destroyed. The callbacks that
clean up the upload references were not being called. As a result, the
upload references were not cleaned up and uploads were not deleted
either. This has been partially fixed in 9655bf3e.
2024-07-10 10:43:11 +03:00
David Battersby
f44ec18fd2
DEV: update base url links to respect subfolder installs (#27740)
This change eliminates a couple of instances where subfolder urls are badly formatted, in most cases we can use Discourse.base_url_no_prefix to prevent adding the subfolder to the base url.
2024-07-09 12:42:38 +04:00