2.9.0.beta13: Security fixes, sidebar improvements, new API scopes, and more

New features in 2.9.0.beta13

Security Updates

This beta includes 2 security fixes for issues reported by our community and HackerOne.

Plugin Security Updates

The Calendar plugin has also received a security fix. Be sure to update plugins in addition to Discourse.

Sidebar narrow screen improvements

When desktop screen is narrow, the sidebar now behaves similar to mobile - hiding by default and appearing as a slide-in panel when opened.

User Status API

User Status now has a dedicated API scope for more secure integrations. For more details, see this post

New site setting: default composer category

Admins can now configure the default category for the composer. The selected category will be pre-filled in the new topic composer. The setting applies when starting a topic from pages other than a category list. If creating a new topic while browsing a specific category, for example bug - Discourse Meta, the composer will pre-fill the category being viewed.

New chat default: allow chat access for Trust Level 1 users

The chat allowed groups site setting controls which groups can access chat. Previously, only @staff had chat access by default. To make it easier for new sites to use chat, TL1 users now also have access out of the box.

New Features

This release includes a number of additional smaller features, including:

  • Allow setting default_enabled for badges
  • Add descriptions on hover for hashtag search results
  • Allow staff to flag chat messages
  • API to update user’s discourse connect external id
  • Deprioritize like notifications on all list
  • Add user tips for post and topic features
  • Introduces chat_max_direct_message_users setting

Even more!

But wait, there’s more! We do our best to highlight new features and changes for you, but there’s always too many changes to detail. For a full list of new features, bug fixes, UX improvements, and more, be sure to review the Additional Features and Fixes listed below.

Plugin improvements


New Features
  • Cleanup notifications when reassigning


UX Changes
  • Update plugin’s user page navigation to be compatible with new nav


New Features
  • Set holiday status immediately when adding or updating calendar post
Bug Fixes
  • Exclude deleted events from MonitorEventJob

Data Explorer

Bug Fixes
  • Better handling of edge cases


New Features
  • Add new badges and rename existing badges
Bug Fixes
  • Use default_enabled for badges
  • Use generic, static names for badges
  • Badges shouldn’t be editable
  • Improve query for “Helpdesk” badge
  • Improve query for “Tech Support” badge


Bug Fixes
  • Allow encrypt_pms_default to be null

BBCode Color

Bug Fixes
  • Chat is now a core plugin

Docker Manager

Bug Fixes
  • Modernize upgrade-header compilation
  • Use less_memory_flags for s3:expire_missing_assets
  • Cleanup unneeded S3 assets after deploys

Code Review

Bug Fixes
  • Update repository name when receiving webhook
  • Retry after rate limit is lifted


Bug Fixes
  • Remove register_asset call for .hbs file

Client Performance

New Features
  • Log other metrics relative to ttfb
  • Log domain of app and CDNs


Bug Fixes
  • DB Migration didn’t handle existing “First Reaction” badge
  • Use generic, static name for badge
  • Improve badge query


Bug Fixes
  • Increase Microsoft max character limit to new limit

Twitter Profile Link

Bug Fixes
  • Correct hbs file extension and remove sprockets call


Bug Fixes
  • Prevents saving an enabled automation with no trigger

Question Answer Discourse

Bug Fixes
  • Returns all post-voting fields for new posts
  • Register plugin notification item icon

User Notes

Bug Fixes
  • Use period filters passed into plugin for admin reports


New Features
  • Add a global setting to support custom docs url path


UX Changes
  • Add settings link

Additional Features and Fixes

Click to expand

New Features

  • Sync user tips status between client
  • API to customize server side composer errors handling in the client side
  • Generic hashtag autocomplete lookup and markdown cooking
  • Hidden site setting to suppress unsecured categories from admins
  • Stop hiding “allow archiving channels” setting

Bug Fixes

  • Ensures chat sidebar is present when core sidebar is disabled
  • Prevents drawer error when resizing core composer
  • Use correct Regexp flag to ignore case
  • Push category hashtag slug match to top
  • Existing users were mistakenly unable to redeem invite
  • Pass period filter to plugin outlet
  • Minor hashtag autocomplete fixes
  • Experimental hashtag search result matching and limit fixes
  • Do not click track .hashtag-cooked
  • Set chat_allowed_groups based on chat_enabled setting
  • Unescape :emoji: in hashtag search results
  • Filtering rows of S3 inventory files was too strict
  • When filtering tags for visibility, respect tag group permissions
  • Update link in group_in_subject site description
  • Delete associated channel upon category deletion
  • Allows to change sound when no sound was ever set
  • Revert to old hashtag style for hashtag-raw
  • Do not add color style if no prefixColor
  • Amend release_notes_link in app/models/admin_dashboard_general_data.rb
  • Amend release_notes_link in /tests/fixtures/dashboard-new-features.js
  • Ensure DButton uses the correct target for string actions
  • Enable_auto_join_users was used in create channel
  • Better chat-message-actions position
  • Correct implementation for user preferences tracking page
  • Tag ordering adjustment for new hashtag autocompletion
  • Allow new hashtag HTML to be quoted to markdown
  • Allow tl4 to bulk select
  • Hides user card button when current user can’t DM
  • Invite redemption error if user had already redeemed
  • Bug with admin trust level growth report
  • Regression with special a keyword in search
  • Update user options only once
  • Status was clearing after editing user preferences
  • Add Custom Primary-Numbers
  • Support unicode in search filter @username
  • Deprioritize reaction notifications
  • Rename Users to Sign-Ups in About page
  • Prevents arrow keys to bubble into parents components
  • Only applies scroll position to full page
  • Allow sidebar links to register didInsert actions
  • Correctly opens drawer to message id when given
  • Ensures composer is focused after edit
  • Only checks for full page instead of preference

UX Changes

  • Alters chat icon behavior on drawer and mobile
  • Show educational messages for the likes tab when it’s empty
  • Improve mention styling, simplify
  • Styling backwards compatibility for old user page navigation
  • Style adjustments & addition of login button on admin invite page
  • Use solid envelope icon for consistency
  • Improve mention styling
  • Update “education.dominating_topic” and raise default percentage
  • Ensures browse view input is focused on page load
  • Do not automatically refresh page while composer is open
  • Removed tracked section link from Community section in Sidebar
  • Padding adjustment for empty channel message
  • Reorganize user prefs for experimental user nav
  • User message controls need some padding
  • Better email login pages
  • Mark pre-populated dropdowns as not required
  • Redesign of chat settings + add chat retention info
  • Improves arrow support in chat emoji picker
  • Move horiz nav margin to padding
  • Force sidebar to occupy full height
  • Add channel header offset to browse page height


  • Stop downloading images from post processor and lean on uploads
  • Speed up S3 inventory updates
  • Adjust node memory threshold for assets:precompile
  • Limits use of redis cache while building emojis list


  • Improve “my posts” sidebar link title
  • Improved titles for chat in the sidebar
  • Add title & aria-expanded for sidebar toggle
  • Improve the accessibility of sidebar content
  • Add live area for search menu, labels