This project is mirrored from https://github.com/discourse/discourse.
- Jul 13, 2022
David Taylor authored
-
- Jul 04, 2022
Gerhard Schlager authored
Logging out failed when the current user was cached by an instance of `Auth::DefaultCurrentUserProvider` and `#log_off_user` was called on a different instance of that class. Co-authored-by: Sam <sam.saffron@gmail.com>
-
Gerhard Schlager authored
This happened when a middleware accessed the `currentUser` before a controller had a chance to populate the `action_dispatch.request.path_parameters` env variable. In that case Discourse would always cache `nil` as `currentUser`.
-
- Jun 21, 2022
Penar Musaraj authored
-
Daniel Waterworth authored
In certain situations, a logged in user can redeem an invite with an email that either doesn't match the invite's email or does not adhere to the email domain restriction of an invite link. The impact of this flaw is aggravated when the invite has been configured to add the user that accepts the invite into restricted groups. Co-authored-by: Alan Guo Xiang Tan <gxtan1990@gmail.com>
-
- Jun 13, 2022
Blake Erickson authored
-
Blake Erickson authored
-
- Jun 03, 2022
Alan Guo Xiang Tan authored
When a site has `SiteSetting.invite_only` enabled, we create a `ReviewableUser` record when activating a user if the user is not approved. Therefore, we need to approve the user when redeeming an invite. There are some uncertainties surrounding why a `ReviewableRecord` is created for a user in an invites only site, but this commit does not seek to address that. Follow-up to 7c4e2d33
-
Alan Guo Xiang Tan authored
`run-qunit.js` does not expect QUnit tests to start automatically but our wizard QUnit setup did not respect the `qunit_disable_auto_start` URL param. Hence, tests would start running automatically and when a subsequent `QUnit.start()` function call is made, we ended up getting a `QUnit.start cannot be called inside a test context.` error. This error can be consistently reproduced in the `discourse:discourse_test` container but not in the local development environment. I do not know why and did not feel like it is important at this point in time to know why.
-
- Jun 02, 2022
Gerhard Schlager authored
This security fix affects sites which have `SiteSetting.must_approve_users` enabled. There are intentional and unintentional cases where invited users can be auto approved and are deemed to have skipped the staff approval process. Instead of trying to reason about when auto-approval should happen, we have decided that enabling the `must_approve_users` setting going forward will just mean that all new users must be explicitly approved by a staff user in the review queue. The only case where users are auto approved is when the `auto_approve_email_domains` site setting is used. Co-authored-by: Alan Guo Xiang Tan <gxtan1990@gmail.com>
-
- May 06, 2022
David Taylor authored
(Stable backport of 7ed899fe)

There are a couple of layers of caching for theme JavaScript in Discourse:

The first layer is the `javascript_caches` table in the database. When a theme with JavaScript files is installed, Discourse stores each one of the JavaScript files in the `theme_fields` table, and then concatenates the files, compiles them, computes a SHA1 digest of the compiled JavaScript and stores the results along with the SHA1 digest in the `javascript_caches` table. Now when a request comes in, we need to render `<script>` tags for the activated theme(s) of the site. To do this, we retrieve the `javascript_caches` records of the activated themes and generate a `<script>` tag for each record. The `src` attribute of these tags is a path to the `/theme-javascripts/:digest` route, which simply responds with the compiled JavaScript that has the requested digest.

The second layer is a distributed cache whose purpose is to make rendering `<script>` tags a lot more efficient. Without this cache, we'd have to query the `javascript_caches` table to retrieve the SHA1 digests for every single request. So we use this cache to store the `<script>` tags themselves, so that we only have to retrieve the `javascript_caches` records of the activated themes for the first request, and future requests simply get the cached `<script>` tags.

What this commit does is ensure that the SHA1 digest in the `javascript_caches` table stays the same across compilations by adding an order by id clause to the query that loads the `theme_fields` records. Currently, we specify no order when retrieving the `theme_fields` records, so the order in which they're retrieved can change across compilations and therefore cause the SHA1 to change even though the individual records have not changed at all.

An inconsistent SHA1 digest across compilations can cause the database cache and the distributed cache to have different digests, and that causes the JavaScript to fail to load (and if the theme heavily customizes the site, it gives the impression that the site is broken) until the cache is cleared. This can happen in busy sites when 2 concurrent requests recompile the JavaScript files of a theme at the same time (this can happen when deploying a new Discourse version) and request A updates the database cache after request B did, and request B updates the distributed cache after request A did. Internal ticket: t60783. Co-authored-by: David Taylor <david@taylorhq.com> Co-authored-by: Osama Sayegh <asooomaasoooma90@gmail.com>
-
- Apr 28, 2022
David Taylor authored
The values in Discourse dropdown menus only come from admin-defined strings, not unsanitised end-user input, so this lack of escaping was not exploitable.
-
- Apr 14, 2022
Penar Musaraj authored
All current browsers treat the HTML document (not the body element) as the scrollable document element. Hence in all current browsers, `document.body.scrollTop` returns 0. This commit removes all usage of this property, because it is effectively 0. Co-authored-by: David Taylor <david@taylorhq.com>
-
Penar Musaraj authored
-
Penar Musaraj authored
-
David Taylor authored
-
- Apr 12, 2022
Alan Guo Xiang Tan authored
Nokogiri 1.13.4 updates zlib to 1.2.12 to address CVE-2018-25032. https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5 https://nvd.nist.gov/vuln/detail/CVE-2018-25032
-
- Apr 11, 2022
Jarek Radosz authored
This would allow using the decorator in tag-less components and in controllers.
-
Alan Guo Xiang Tan authored
This was causing our build to become flaky.
-
- Apr 08, 2022
Alan Guo Xiang Tan authored
After this commit, category group permissions can only be seen by users that are allowed to manage a category. In the past, we inadvertently included a category's group permissions settings in `CategoriesController#show` and `CategoriesController#find_by_slug` endpoints for normal users when those settings are only a concern to users that can manage a category.
-
Bianca Nenciu authored
The permissions for the 'everyone' group were not serialized because the list of groups a user can view did not include it. This bug was introduced in commit dfaf9831.
-
Martin Brennan authored
Since 3fd7b31a some tests were failing with this error:

> Error: Unhandled request in test environment: /c/feature/find_by_slug.json (GET) at http://localhost:7357/assets/test-helpers.js

This commit fixes the issue by adding the missing pretender. Also noticed while fixing this that the parameter for the translation was incorrect -- it was `group` instead of `groupNames`, so that is fixed here too, along with moving the onShow functions into @afterRender decorated private functions. There is no need for the appevent listeners.
-
Bianca Nenciu authored
It was displayed for the "everyone" group too, but that was not necessary.
-
- Apr 01, 2022
Alan Guo Xiang Tan authored
Our group fabrication creates groups with name "my_group_#{n}" where n is the sequence number of the group being created. However, this can cause the test to be flaky if and when a group with name `my_group_10` is created, as it will be ordered before `my_group_9`. This commit makes the group names deterministic to eliminate any flakiness. This reverts commit 558bc6b7.
-
David Taylor authored
`group_permissions` are not serialized in a consistent order. Follow-up to dfaf9831
-
- Mar 31, 2022
Alan Guo Xiang Tan authored
In certain instances when viewing a category, the name of a group with restricted visibility may be revealed to users which do not have the required permission.
-
- Mar 24, 2022
Martin Brennan authored
In some of the user's own activity export data, we sometimes showed a secure category's name or exposed the existence of a secure category.
-
- Mar 22, 2022
Neil Lalonde authored
-
- Mar 18, 2022
Alan Guo Xiang Tan authored
When bundler is loaded, it sets the `RUBYOPT` environment variable to setup bundler. However, it was causing weird errors like the following when we try to install custom plugin gems into a specific directory.

```
/home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/source/git.rb:214:in `rescue in load_spec_files': https://github.com/discourse/mail.git is not yet checked out. Run `bundle install` first. (Bundler::GitError)
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/source/git.rb:210:in `load_spec_files'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/source/path.rb:107:in `local_specs'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/source/git.rb:178:in `specs'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/lazy_specification.rb:88:in `__materialize__'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/spec_set.rb:75:in `block in materialize'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/spec_set.rb:72:in `map!'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/spec_set.rb:72:in `materialize'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/definition.rb:468:in `materialize'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/definition.rb:190:in `specs'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/definition.rb:238:in `specs_for'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/runtime.rb:18:in `setup'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler.rb:151:in `setup'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/setup.rb:20:in `block in <top (required)>'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/ui/shell.rb:136:in `with_level'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/ui/shell.rb:88:in `silence'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.5/lib/bundler/setup.rb:20:in `<top (required)>'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/site_ruby/2.7.0/rubygems/core_ext/kernel_require.rb:85:in `require'
	from /home/tgxworld/.asdf/installs/ruby/2.7.5/lib/ruby/site_ruby/2.7.0/rubygems/core_ext/kernel_require.rb:85:in `require'
```
-
Alan Guo Xiang Tan authored
We have 3 branches which we care about: main, beta and stable. However, each of these branches has different compatibilities with plugins and we want to respect that.
-
- Mar 17, 2022
Alan Guo Xiang Tan authored
-
- Feb 18, 2022
David Taylor authored
Themes often cache `nil` values in a DistributedCache. This bug meant that we were re-calculating some values on every request, AND triggering message-bus publishing on every request. This fix should provide a significant performance improvement for busy sites.
-
- Feb 17, 2022
Andrei Prigorshnev authored
* FIX: Caret moves to a wrong position when uploading an image via toolbar
* Skip the test
-
- Feb 15, 2022
Bianca Nenciu authored
The `accept` HTML attribute is not fully supported on iOS yet and can contain only MIME types. This changes the input to allow all files, and the extension check is performed later in JavaScript.
-
communiteq authored
-
- Feb 14, 2022
Krzysztof Kotlarek authored
-
Krzysztof Kotlarek authored
Validation to ensure that the Onebox request takes no longer than 10 seconds and the response size is not bigger than 1 MB
-
- Feb 09, 2022
Dan Ungureanu authored
* FEATURE: RS512, RS384 and RS256 COSE algorithms

  These algorithms are not implemented by cose-ruby, but used in the web authentication API and were marked as supported.

* FEATURE: Use all algorithms supported by cose-ruby

  Previously only a subset of the algorithms were allowed.
-
- Feb 04, 2022
David Taylor authored
Combination of 0dfaaf49 and 022480b4 Co-authored-by: Discourse Translator Bot <discourse.translator.bot@gmail.com>