Commit Graph

2080 Commits

Author SHA1 Message Date
Bianca Nenciu
c916806fe8
FIX: Serialize categories when viewing a topic (#25206)
When navigating straight to a topic the category was not displayed at
all because the categories were not loaded. Similarly, the categories
for suggested topics were not loaded either.

This commit adds a list of categories to topic view model class and
serializer.
2024-01-10 20:30:59 +02:00
Vinoth Kannan
992211350a
FEATURE: option to sort user and group private messages. (#25146)
The UI will be the same as the one we're using in the topic list in "latest", "top" etc.,
2024-01-10 13:33:30 +05:30
Kyle
9e758a3ae7
Fix OpenAPI doc issue (#23619) 2024-01-10 10:29:35 +08:00
Ted Johansson
1b28823638
SECURITY: Prevent guest users from accessing secure uploads when login required 2024-01-08 08:02:19 -07:00
Ted Johansson
a5f0935307
DEV: Convert min_trust_level_to_create_tag to groups (#24899)
We're changing the implementation of trust levels to use groups. Part of this is to have site settings that reference trust levels use groups instead. It converts the min_trust_level_to_create_tag  site setting to create_tag_allowed_groups.

This PR maintains backwards compatibility until we can update plugins and themes using this.
2024-01-05 10:19:43 +08:00
Alan Guo Xiang Tan
5530cb574b
DEV: Fix test incorrectly removing stylesheet cache of other processes (#25103)
Why this change?

The `can survive cache miss` test in `spec/requests/stylesheets_controller_spec.rb`
was failing because the file was not found on disk for the cache to be
regenerated. This is because a test in
`spec/lib/stylesheet/manager_spec.rb` was removing the entire
`tmp/stylesheet-cache` directory which is incorrect because the folder
in the test environment further segretates the stylesheet caches based
on the process of the test.

What does this change do?

1. Introduce `Stylesheet::Manager.rm_cache_folder` method for the test
   environment to properly clean up the cache folder.

2. Make `Stylesheet::Manager::CACHE_PATH` a private constant since the
   cache path should be obtained from the `Stylesheet::Manager.cache_fullpath` method.
2024-01-03 13:15:35 +08:00
Kelv
b4a89ea610
FEAT: add cc addresses and post_id to sent email logs (#25014)
* add cc addresses and post_id to sent email logs
* sort cc addresses by email address filter value and collapse additional addreses into tooltip
* add slice helper for use in ember tempaltes
2024-01-03 09:27:25 +08:00
Alan Guo Xiang Tan
6e8c2bb4ab
DEV: Improve error message when test fails (#25067)
Why this change?

The two tests being updated in question has been flaky on CI. However,
when using `be_forbidden`, the error message does not indicate what the
actual response code was making it hard for us to debug.

What does this change do?

Assert for the exact response status code we are expecting.
2023-12-29 12:44:41 +08:00
marstall
ddd750cda7
FEATURE: change /invites.json api endpoint to optionally accept array of emails (#24853)
https://meta.discourse.org/t/feature-request-sending-bulk-invitations-via-api/272423/18
2023-12-28 10:16:04 -05:00
Sam
d5e1b3e683
DEV: add test that ensure include_raw param continues to work (#25055)
Previously we hand no tests for `include_raw` which some consumers may
depend on.

Specifically, Discourse AI uses it to get raw markdown for a set of posts
on a topic.

Also cleans up tests so they lint with default ruby
2023-12-28 14:26:27 +11:00
Krzysztof Kotlarek
d03f6727b1
FIX: TL3 can convert their post to a wiki (#25023)
A bug that allowed TL1 to convert other's posts to wiki.

The issue was introduced in this PR: https://github.com/discourse/discourse/pull/24999/files

The wiki can be created if a user is TL3 and it is their own post - default 3 for setting `SiteSetting.min_trust_to_allow_self_wiki`

In addition, a wiki can be created by staff and TL4 users for any post.
2023-12-23 21:31:46 +11:00
Krzysztof Kotlarek
025e40354c
FIX: correct typo minmin_trust_to_edit_wiki_post (#24999)
Typo introduced here https://github.com/discourse/discourse/pull/24766#pullrequestreview-1792187422

In addition, use setting instead of hard-coded @user.has_trust_level?(TrustLevel[4])
2023-12-22 08:39:42 +11:00
Osama Sayegh
87883a1963
FIX: Show true content of robots.txt after restoring to default (#24980)
Meta topic: https://meta.discourse.org/t/reseting-robots-txt-override-doesnt-seem-to-work-as-expected/287880?u=osama

Discourse provides a default version for `/robots.txt` which can be customized by admins in `/admin/customize/robots`. In that page, there's a button to reset back to the default version that Discourse provides. However, there's currently a bug with the reset button where the content appears to change to some HTML document instead of the default `robots.txt` version when clicking the button. Refreshing the page shows the true/correct content of `robots.txt` which is the default version, so the reset button actually works but there's a display problem.

What causes this display problem is that we use Rails' `render_to_string` method to generate the default content for `robots.txt` from the template, and what we get from that method is the `robots.txt` content wrapped in the application layout. To fix this issue, we need to pass `layout: false` to the `render_to_string` method so that it renders the template without any layouts.
2023-12-20 23:00:37 +03:00
Alan Guo Xiang Tan
38abc0d922
DEV: Change default of cross_origin_opener_policy_header (#24940)
Why this change?

This is part of our efforts to harden the security of the Discourse
application. Setting the `CROSS_ORIGIN_OPENER_POLICY` header to `same-origin-allow-popups`
by default makes the application safer. We have opted to make this a
hidden site setting because most admins will never have to care about
this setting so we're are opting not to show it. If they do have to
change it, they can still do so by setting the
`DISCOURSE_CROSS_ORIGIN_OPENER_POLICY` env.
2023-12-19 11:46:44 +08:00
Blake Erickson
3380d283c9
FEATURE: Add API scope for /logs route (#24956)
Adds an API scope for accessing Logster's routes. This one is a bit
different than routes from core because it is mounted like

```
mount Logster::Web => "/logs"
```

and doesn't have all the route info a traditional rails app/engine does.
2023-12-18 19:45:04 -07:00
Blake Erickson
a08691a599
FIX: Ensure file size restriction types are ints (#24947)
Settings that are using the new `file_size_restriction` types like the
`max_image_size_kb` setting need to have their values saved as integers.
This was a recent regression in 00209f03e6
that caused these values to be saved as strings.

This change also removes negatives from the validation regex because
file sizes can't be negative anyways.

Bug report: https://meta.discourse.org/t/289037
2023-12-18 09:22:50 -07:00
Ted Johansson
6ab1a19e93
DEV: Convert min_trust_level_to_allow_invite to groups (#24893)
We're changing the implementation of trust levels to use groups. Part of this is to have site settings that reference trust levels use groups instead. It converts the min_trust_level_to_allow_invite  site setting to invite_allowed_groups.

Nothing much of note. This is used in one place and there's no fallout.
2023-12-18 12:07:36 +08:00
Krzysztof Kotlarek
1f72152e47
DEV: Remove usage of min_trust_to_create_topic SiteSetting (#24887)
Using min_trust_to_create_topic and create_topic_allowed_groups together was part of #24740

Now, when plugins specs are fixed, we can safely remove that part of logic.
2023-12-18 13:39:53 +11:00
Ted Johansson
294febf3c4
DEV: Convert min_trust_to_flag_posts setting to groups (#24864)
We're changing the implementation of trust levels to use groups. Part of this is to have site settings that reference trust levels use groups instead. It converts the min_trust_to_flag_posts site setting to flag_post_allowed_groups.

Note: In the original setting, "posts" is plural. I have changed this to "post" singular in the new setting to match others.
2023-12-13 17:18:42 +08:00
Ted Johansson
36057638ca
DEV: Convert min_trust_to_edit_post to groups (#24840)
We're changing the implementation of trust levels to use groups. Part of this is to have site settings that reference trust levels use groups instead. It converts the min_trust_to_edit_post site setting to edit_post_allowed_groups.

The old implementation will co-exist for a short period while I update any references in plugins and themes.
2023-12-13 13:25:13 +08:00
Krzysztof Kotlarek
702d0620d7
DEV: Convert min_trust_to_create_topic to groups (#24740)
This change converts the min_trust_to_create_topic site setting to
create_topic_allowed_groups.

See: https://meta.discourse.org/t/283408

- Hides the old setting
- Adds the new site setting
- Add a deprecation warning
- Updates to use the new setting
- Adds a migration to fill in the new setting if the old setting was
changed
- Adds an entry to the site_setting.keywords section
- Updates tests to account for the new change
- After a couple of months, we will remove the min_trust_to_create_topicsetting entirely.

Internal ref: /t/117248
2023-12-13 14:50:13 +11:00
Krzysztof Kotlarek
1017820012
DEV: Convert allow_uploaded_avatars to groups (#24810)
This change converts the allow_uploaded_avatars site setting to uploaded_avatars_allowed_groups.

See: https://meta.discourse.org/t/283408

Hides the old setting
Adds the new site setting
Adds a deprecation warning
Updates to use the new setting
Adds a migration to fill in the new setting if the old setting was changed
Adds an entry to the site_setting.keywords section
Updates tests to account for the new change
After a couple of months, we will remove the allow_uploaded_avatars setting entirely.

Internal ref: /t/117248
2023-12-13 10:53:19 +11:00
Selase Krakani
90eff6f344
FIX: Remove duplicate spec example (#24846) 2023-12-12 13:48:23 +01:00
Krzysztof Kotlarek
7dd150bc95
DEV: Convert min_trust_to_edit_wiki_post to groups (#24766)
This change converts the min_trust_to_edit_wiki_post site setting to edit_wiki_post_allowed_groups.

See: https://meta.discourse.org/t/283408

Hides the old setting
Adds the new site setting
Add a deprecation warning
Updates to use the new setting
Adds a migration to fill in the new setting if the old setting was changed
Adds an entry to the site_setting.keywords section
Updates tests to account for the new change
After a couple of months, we will remove the email_in_min_trust setting entirely.

Internal ref: /t/117248
2023-12-12 15:20:37 +11:00
Bianca Nenciu
dcd81d56c0
FIX: category selectors for lazy loaded categories (#24533)
A lot of work has been put in the select kits used for selecting
categories: CategorySelector, CategoryChooser, CategoryDrop, however
they still do not work as expected when these selectors already have
values set, because the category were still looked up in the list of
categories stored on the client-side Categrories.list().

This PR fixes that by looking up the categories when the selector is
initialized. This required altering the /categories/find.json endpoint
to accept a list of IDs that need to be looked up. The API is called
using Category.asyncFindByIds on the client-side.

CategorySelector was also updated to receive a list of category IDs as
attribute, instead of the list of categories, because the list of
categories may have not been loaded.

During this development, I noticed that SiteCategorySerializer did not
serializer all fields (such as permission and notification_level)
which are not a property of category, but a property of the relationship
between users and categories. To make this more efficient, the
preload_user_fields! method was implemented that can be used to
preload these attributes for a user and a list of categories.
2023-12-08 12:01:08 +02:00
Mark VanLandingham
ee05f57e2d
FEATURE: Site setting to display user avatars in user menu (#24514) 2023-12-07 11:30:44 -06:00
Martin Brennan
7afb5fc481
DEV: Use Discourse::SYSTEM_USER_ID in fixtures/009_users (#24743)
I couldn't find where we created the system user and
this is why -- everywhere else in the app we reference
SYSTEM_USER_ID but here.
2023-12-07 09:04:45 +10:00
Jarek Radosz
694b5f108b
DEV: Fix various rubocop lints (#24749)
These (21 + 3 from previous PRs) are soon to be enabled in rubocop-discourse:

Capybara/VisibilityMatcher
Lint/DeprecatedOpenSSLConstant
Lint/DisjunctiveAssignmentInConstructor
Lint/EmptyConditionalBody
Lint/EmptyEnsure
Lint/LiteralInInterpolation
Lint/NonLocalExitFromIterator
Lint/ParenthesesAsGroupedExpression
Lint/RedundantCopDisableDirective
Lint/RedundantRequireStatement
Lint/RedundantSafeNavigation
Lint/RedundantStringCoercion
Lint/RedundantWithIndex
Lint/RedundantWithObject
Lint/SafeNavigationChain
Lint/SafeNavigationConsistency
Lint/SelfAssignment
Lint/UnreachableCode
Lint/UselessMethodDefinition
Lint/Void

Previous PRs:
Lint/ShadowedArgument
Lint/DuplicateMethods
Lint/BooleanSymbol
RSpec/SpecFilePathSuffix
2023-12-06 23:25:00 +01:00
Jarek Radosz
4280c01153
DEV: Fix Lint/ShadowedArgument (#24733) 2023-12-06 13:16:10 +01:00
Alan Guo Xiang Tan
d9dca6482d
DEV: Incorrect setup for test (#24736)
Why this change?

The test in question is testing an anon user instead of a user that has
no permissions to a given topic.
2023-12-06 09:26:45 +08:00
Bianca Nenciu
8fb5b1fe7c
DEV: Fix assertion in embedding test (#24694)
The modified test used to be the same as the test above. The bad test
was introduced in commit 77d4c4d8dc,
during a refactoring.

This was not a serious problem because the same behavior was still
tested partially by the other tests below.
2023-12-05 18:30:52 +02:00
Daniel Waterworth
a6c79aa27a
DEV: Fix readonly admin login spec (#24714)
"prevents login by admins" should test with an admin.
2023-12-05 06:49:22 -06:00
David Taylor
cf8961e1c1
DEV: Correct forums_controller success spec (#24690)
The implementation did not match the name of the spec
2023-12-04 14:26:29 +00:00
Jarek Radosz
7196613e2e
DEV: Fix various spec linting issues (#24672)
Duplicated specs, incorrect descriptions, incorrect assertions, incorrect filenames, old todo
2023-12-04 13:45:19 +01:00
David Taylor
ecf7a4f0c6
FIX: Ensure app-cdn CORS is not overridden by cors_origin setting (#24661)
We add `Access-Control-Allow-Origin: *` to all asset requests which are requested via a configured CDN. This is particularly important now that we're using browser-native `import()` to load the highlightjs bundle. Unfortunately, user-configurable 'cors_origins' site setting was overriding the wldcard value on CDN assets and causing CORS errors.

This commit updates the logic to give the `*` value precedence, and adds a spec for the situation. It also invalidates the cache of hljs assets (because CDNs will have cached the bad Access-Control-Allow-Origin header).

The rack-cors middleware is also slightly tweaked so that it is always inserted. This makes things easier to test and more consistent.
2023-12-01 12:57:11 +00:00
Alan Guo Xiang Tan
50bafd48cd
FIX: Flaky spec due to incorrect Rack response body (#24640)
Why was the problem?

ActiveRecord's query cache for the connection pool wasn't disabled after the
`with a fake provider runs 'other_phase' for enabled auth methods` test
in `omniauth_callbacks_controller_spec.rb` was run. This was because the
Rack response body in `FakeAuthenticator::Strategy::other_phase` did not
adhere to the expected Rack body format which is "typically an Array of
String instances". Because this expectation was broken, it cascaded the
problem down where it resulted in the ActiveRecord's query cache for the
connection pool not being disabled as it normally should when the
response body is closed.

When the query cache is left enabled, common assertions pattern in RSpec
like `expect { something }.to change { Group.count }` will fail since
the query cache is enabled and the call first call to `Group.count` will
cache the result to be reused later on.

To see the bug in action, one can run the following command:

`bundle exec rspec --seed 44747
spec/requests/omniauth_callbacks_controller_spec.rb:1150
spec/models/group_spec.rb:283`
2023-11-30 10:49:55 +08:00
Bianca Nenciu
dbb8b66a37
FIX: Show only top categories in first category-drop (#24575) 2023-11-29 09:41:25 +02:00
Sam
b09422428d
DEV: update syntax tree to latest (#24623)
update format to latest syntax tree
2023-11-29 16:38:07 +11:00
Bianca Nenciu
e85a81f33c
FIX: Make category-drop work with lazy_load_categories (#24187)
The category drop was rerendered after every category async change
because it updated the categories list. This is not necessary and
categories can be referenced indirectly by ID instead.
2023-11-28 17:58:47 +02:00
David Taylor
5783f231f8
DEV: Introduce DISCOURSE_ASSET_URL_SALT (#24596)
This value is included when generating static asset URLs. Updating the value will allow site operators to invalidate all asset urls to recover from configuration issues which may have been cached by CDNs/browsers.
2023-11-28 11:28:40 +00:00
Alan Guo Xiang Tan
36a9d4df3a
DEV: Don't depend on assets path to determine layout that is rendered (#24562)
Why this change?

In the `invites_controller_spec.rb` file, we had several tests that were
checking for assets path in the response's body to determine which
layout has been rendered. However, those test fails if `bin/ember-cli
--build` has been run locally.

What does this change do?

Instead of checking for asset paths to determine the layout that has
been rendered, this change relies on the fact that the `no_ember` layout
has a `no-ember` class on the `body` element. This is more deterministic
as compared to relying on the different asset paths that are rendered in
the response.
2023-11-27 14:04:13 +08:00
Krzysztof Kotlarek
dc2a0854b0
UX: add gift emoji styling for new features (#24523)
When admin has unseen new feature, gift emoji is added to a link.

In addition, `/new-features` path was changed to `/whats-new`
2023-11-27 09:32:28 +11:00
Sam
85d2b5fa48
DEV: maxmind license checking failing tests (#24534)
This improves the implementation of #18993

1. Error message displayed to user is clearer
2. open_db will also be called, even if license key is blank, as it was previously
3. This in turn means no need to keep stubbing 'maxmind_license_key'
2023-11-24 09:38:46 +11:00
MichaIng
c58a41cb3e
UX: Show on IP lookup if MaxMind key is missing (#18993)
as discussed in https://meta.discourse.org/t/maxminddb-not-found-error/148512/7.
 
shows a warning to the admin if no license for maxmind is found
2023-11-24 08:02:05 +11:00
Bianca Nenciu
012541b045
FIX: Serialize parent categories first (#24530)
The parent category needs to be serialized before the child category
because they are parsed in order. Otherwise the client will not build
the parent-child relationship correctly.
2023-11-23 19:03:05 +02:00
Blake Erickson
447d9b2105
DEV: Convert approve_unless_trust_level to groups (#24357)
This change converts the `approve_unless_trust_level` site setting to
`approve_unless_allowed_groups`.

See: https://meta.discourse.org/t/283408

- Adds the new site setting
- Adds a deprecation warning
- Updates core to use the new settings.
- Adds a migration to fill in the new setting of the old setting was
  changed
- Adds an entry to the site_setting.keywords section
- Updates many tests to account for the new change

After a couple of months we will remove the `approve_unless_trust_level`
setting entirely.

Internal ref: /t/115696
2023-11-21 11:31:42 -07:00
David Taylor
91fe91e03b
DEV: Properly cleanup auth providers in test (#24482)
Followup to 5c38e55dc9
2023-11-21 10:45:51 +00:00
Mark VanLandingham
7d35e406ba
DEV: Add support for limit in notifications index w/o recent param (#24423)
Currently to use a limit in the notifications index, you have to also pass recent: true as a param.

This PR:

Adds optional limit param to be used in the notifications query, regardless of the presence of recent
Raises the max limit of the response with recent present from 50 -> 60. It is super weird we have a hard-limit of 50 before with recent param, and 60 without the param.
2023-11-17 08:22:18 -06:00
Penar Musaraj
c6ead3f5c4
FEATURE: Allow users to confirm session with passkeys (#24337)
We ask users to confirm their session if they are making a sensitive
action, such as adding/updating second factors or passkeys. This
commit adds the ability to confirm sessions with passkeys as an option
to the password confirmation.
2023-11-14 11:38:10 -05:00
Alan Guo Xiang Tan
e5b0493b49
FEATURE: Allow /filter route to be accessible by anon users (#24359)
Why this change?

There is no reason for us to exclude anon users from viewing this route
so we're making a product decision to change this.
2023-11-14 08:03:24 +08:00