2.9.0.beta11: Security fixes, New general category, Sidebar improvements, and more

New features in 2.9.0.beta11

Security Updates

This beta includes 3 security fixes for issues reported by our community and HackerOne.

Plugin Security Updates

Multiple plugins have also received security fixes. Be sure to update plugins in addition to Discourse.

General is the default category

For sites with the #general category, it will now be automatically selected when a new topic is created.

New site setting: require change email confirmation

We’ve added a new site setting, require change email confirmation. When enabled, all users will need to confirm both their current email, and new email when changing it. When disabled, only staff users will need to confirm their current email when changing it.

Hide welcome topic if it hasn’t been edited

All Discourse sites come with a welcome topic that admins are suggested to edit when setting up their site. This topic is now hidden from non-admin users until an edit is made.

Sidebar: Allow user to set preferred list destination

Users can choose between Default or new/unread as the destination when clicking links in the sidebar.

Sidebar: Display link for admins when default categories/tags are not configured

We now add a link to the sidebar for admin users when they have not configured the default_sidebar_categories or default_sidebar_tags site settings

image

New user tips (experimental)

User status configurable via preferences

Custom users statuses can now be configured via account preferences, /my/preferences/account in addition to the user menu. This change also allows site setting to edit and/or clear a custom status from a user as needed.

Dark mode option for category logos

Admins can now upload a second category logo which will be used for dark themes.

16 Likes

Even more!

But wait, there’s more! We do our best to highlight new features and changes for you, but there’s always too many changes to detail. For a full list of new features, bug fixes, UX improvements, and more, be sure to review the Additional Features and Fixes listed below.

Plugin improvements

Assign

Bug Fixes
  • Show group icon for group notifications

Chat

New Features
  • Improve mobile chat index screen experience
  • Improved emoji selection
  • Enable flagging for DMs
  • Inline video player for video uploads
  • Link general chat channel to general category
  • Use direct_message_enabled_groups for DM access
  • Improve chat messages flagging.
Bug Fixes
  • Prevents silenced users to send messages
  • 10ms might be too short for ios hack
  • Removes requestAnimationFrame
  • Improves iOS hack for momentum scrolling
  • Ensures actions backdrop is removed when collapsing on mobile
  • Channel index mobile issues
  • Move reaction emoji name from class to data attribute
  • Improve chat reactions store
  • Prevents exception when transcripting multiple messages
  • Don’t fail when trying to display DM flags in the review queue.
  • Makes emoji filtering case insensitive
  • Remove hijack on webhook and improve documentation
  • Ensures emojis have a title in the picker
  • Default is now only used for custom emojis
  • Prevents shimmer effect to apply to sidebar
  • Prevents selected toned emoji to append t1
  • Firefox uses relatedTarget for toElement/fromElement
  • Prevents blank screen on ios on initial load
  • Avoids blank screen on ios on sticky scroll
  • Stalled core emoji cache could return emojis without search_aliases
  • Ensures we reset selecting messages when switching channel
  • Prevents scrollbar to appear over content on android
  • Use sidebar contentCSSClass for muted channels
  • Staff should always be able to chat
  • Direct_message_enabled_groups refinements
  • Closing button not visible on chat index page
  • Deleting old messages should also clear flags.
  • Prefers /chat/channel/:id/:title?messageId=x link
  • Tighten flagging restrictions for chat messages.
  • Correctly censors excerpts
  • Simplifies loading message code
  • Enforces chat_channel_id when present
  • Add missing translation chat_message_flag_allowed_groups
  • Make chat_allow_uploads apply to DM channels
UX Changes
  • Fix link colour channel cards
  • Implements leave button on channel card
  • Adjusts composer/uploads padding
  • Ensures emoji picker search gets focus on first load
  • Double clicking one of your messages starts editing it
  • Moves new channel button to browse view
Accessibility
  • Show emoji color options in WHCM

discourse-voting

UX Changes
  • Avoid double li tag in user-activity-bottom outlet

discourse-calendar

New Features
  • When user is on holiday set user status in core
Bug Fixes
  • Calendar wasn’t resetting expired statuses
  • Disabling of header sorting now checks the correct site setting and defaults to false

discourse-data-explorer

Bug Fixes
  • Click not opening query
  • Errors when running query due to PG template patterns or comments

discourse-perspective-api

Bug Fixes
  • Add nil check for topic

discourse-code-review

UX Changes
  • Remove unnecessary li tag for user-activity-bottom plugin outlet

discourse-subscriptions

Bug Fixes
  • Simplify Stripe webhook handler
UX Changes
  • Make styling consistent with everything else

discourse-policy

New Features
  • Email notifications for policies
Bug Fixes
  • Adds prefix to UserOption enums to avoid collision

discourse-cakeday

New Features
  • Separate sidebar links for anniv and bday

discourse-shared-edits

Bug Fixes
  • Validate post when committing revision
  • AppEvents.off error when destroying controller:topic

discourse-reactions

Bug Fixes
  • Do not override core rate limiting error message
  • Handle rate limit error messages on server side
  • Deleted topic should exclude it from reactions given
UX Changes
  • Use a regular mouse cursor in popover
  • Remove unnecessary li tag for plugin outlet
  • Remove unnecessary li tag for user-activity-bottom plugin outlet

discourse-automation

New Features
  • Adds settings and enable_manual_trigger
  • Adds once support to auto-responder script

discourse-question-answer-discourse

Bug Fixes
  • Adjust QA answers header sorts in RTL mode

discourse-footnote

Bug Fixes
  • Do not registerPlugin if no window.markdownitFootnote

discourse-gamification

New Features
  • Added a setting for the default leaderboard period
Bug Fixes
  • Update plugin canon repo
UX Changes
  • Allow picking any leaderboard in minimal component
  • Add crown
  • Leaderboard minimal styling

Additional Features and Fixes

Click to expand

New Features

  • Reduce suspicious distance logins warning to 100km
  • Control topic width with variables
  • Generic hashtag autocomplete sorting
  • Add button to reset seen popups
  • Generic hashtag autocomplete part 1
  • Implement new onboarding popups
  • Show relative time when date is omitted
  • Add contentCSSClass for sidebar section-link
  • Double color for subcategories prefix
  • Adds seeded default categories to the sidebar
  • Preload resources via link header
  • Omit showing day when ‘to’ day is same as ‘from’ day
  • New outlet topic-list-main-link-bottom added to mobile
  • Handle oneboxes for complex GitHub URLs
  • When entering a topic scroll to last visited line marker

Bug Fixes

  • Can’t change notification level of categories set to regular
  • Evaluate all callbacks rather than override them
  • Don’t notify topic author about small action posts
  • Follow up fixes for password-reset error page
  • Simplify display of multiple AJAX errors
  • Don’t attempt to add user again to a group when syncing groups via SSO
  • Ignore unique conflicts when backfilling sidebar defaults
  • Ensure that custom {{action}} modifier works with actions hash
  • A couple of topic elements are too wide
  • Move group-box group name from class to data attribute
  • Allow users already in automatic groups to log in
  • Add theme-color <meta> tag when a dark scheme is selected
  • Variable name typo
  • Reset error props on Topic model
  • Log user addition/deletion from groups when they’re changed via DiscourseConnect
  • Category chooser not updating selection when editing reviewable
  • Correctly reset controllerReady prop
  • Use only first line from commit message
  • Minor typo
  • Set max-width on category logo img
  • Clientside checks for personal_message_enabled_groups
  • Set width on category logo img, not container
  • Do not show a 404 page when visiting messages
  • Correctly debounce various functions
  • Calculate header offset once on load
  • Skip all post validations if necessary
  • Ensure minification does not break colocated connectors
  • Do not include group less emojis in standard list
  • Sidebar_list_destination on CurrentUserSerializer
  • Ensure dropdown is above sibling labels
  • Sidebar list destination for tracked and tags
  • Exclude hidden topic posts and small actions from the RSS feed.
  • User card focus state appearing on click
  • Clarify security key copy
  • Reset general_category_id if the general category was deleted
  • Prevent layout shift while traversing dropdown
  • Adjust the users per trust level cells in RTL mode
  • Remove RS384 and RS512 cose ciphers
  • Show timelines dates as clickable
  • Action_code_path not being loaded for user-stream-item
  • Missing category badge for category with color stored as 3-digit hex code
  • Category sidebar link not active when filtered by none and all
  • Replace prefixCSS with prefixElementColors
  • Remove nil items before sorting the sha1 string array.
  • Reset related site settings on general category delete
  • Status emoji was shown on the left on mobile
  • Alignment of user status emoji on posts
  • Correctly handle HTTP errors during dominant color calculation
  • Typo
  • Warning about sidebar prefix style
  • User field styling on login
  • Change text
  • Staff action log ‘show details’ links
  • Ensure local date format shortcuts work correctly
  • Ensure poll type toggle buttons function correctly
  • Deprecated settings should not override from UI
  • Hide old PM settings
  • Show error if field is same as password
  • Remove public topic invite functionality
  • Do not show welcome CTA banner if the welcome topic is deleted
  • Ensure group inboxes in messages section is sorted by group name
  • Determining local date same range is erroring when there is no date
  • Arrive at topic must be hidden when must_approve_users
  • Improve error handling for calculate_dominant_color!
  • Do not prefill default site title value on wizard introduction step
  • Make sure first admin users are added to auto groups
  • Watched topic overcome muted category
  • Ability to trigger emoji after indented code block
  • Missing sidebar section link icon for PM tags
  • Link to discovery.category in sidebar`
  • Skip quality title validations for static topics when edited by admin
  • Count resulting bulk invites correctly
  • Do not show user status on posts twice
  • New general category changes preventing topic create
  • Review sidebar link showing for users that can’t review
  • Workaround a bug in the R2 gem to produce valid RTL CSS
  • Allow email login for admins in staff-writes-only-mode
  • Allow logout for admins in staff-writes-only-mode
  • Remove zero-width space when not necessary
  • Add better and more strict invite validators
  • Revert recursively tag lookup with missing ancestor tags
  • Missing theme upload should not break precompile process.
  • Removed bookmark reminder alert for reminders set in the past
  • Ensure closing sidebar tears down all callbacks.
  • Quirks around starting new uploads when one was in progress

UX Changes

  • Ensure image size is maintained even after loading error
  • Switch no categories/tags configured text in sidebar to a link
  • Fix grammar typo in trust_level_unlocked_tip
  • Change emoji graphic on invite error page
  • Make whole category box clickable
  • Allow linebreaks mid-word in github onebox file paths
  • Use a friendlier educational message
  • Send notification of type replied to topic author if they’re watching the topic
  • Drag new user menus, scroll primary user nav
  • Fix user status display in autocomplete
  • Stop falling back to topic image on embeds
  • Improve autocomplete styling
  • Show category edit button when in tag intersection
  • Extend horizontal user nav to all user pages
  • Correct capitalization
  • Fix alt text cancel button in dark mode
  • Change button to grey
  • Simplify bootstrap mode visuals
  • Prevent reply to name from being longer than 400px
  • Welcome CTA edits
  • Theme setting highlight update
  • Horitzontal scroll controls for new user nav
  • Hide keyboard shortcuts on mobile
  • Onboarding edits
  • Conditionally display sidebar tags section for user
  • Conditionally hide sidebar categories section for user
  • Hide tags section in sidebar when user has no visible tags
  • Danger colour update
  • Updated styles for user nav with sidebar
  • Hide tags section from anonymous user when site has no tags
  • Correct colour to nav instead of danger
  • Default to dark category logo on dark schemes
  • Add more spacing to tab btns
  • Ensures we don’t focus invisible button in sidebar
  • More... More` in Sidebar
  • Hide sidebar on 2FA route
  • Change notifications nav icon in user page to bell
  • Add max-width to digest email, format erb
  • Fix post placeholder on mobile
  • Move dismiss button on the bottom to the right of the footer message

Performance

  • Exclude anon sidebar tags in site serializer for logged in user
  • Move dominant color calculation to separate job

Accessibility

  • Add keyboard support to youtube embeds
  • Add title to drafts remove icon button
  • Add for attributes for location, website in profile
  • Sortable header elements should have pointer
  • Add aria-label to topic post badges
  • Return focus to header search button upon escape of search
  • Improve group search accessibility
  • Improve user card appearance in WHCM
  • Add aria labels for posts in group activity
  • Improve topic timeline in WHCM
  • Bookmarks modal
  • Add href to frequent poster avatars
  • Improve accessibility in WHCM themes
  • Add more information to the “reply to” button label.
  • Signal the toggle header can reorder table elements.
  • Trap focus on auth security modal
  • Make input popup errors keyboard-accessible
  • Fix tab order in “Feature topic” modal
  • Make “Load parent post” element accessible
  • Set role=presentation if alt attr is missing
9 Likes