2.9.0.beta4: Security Fixes, Sitemaps, Discourse Connect Provider 2FA, and more

New features in 2.9.0.beta4

:warning: Rebuild required. The rebuild will update package versions to the latest, and must be completed if the site has not been rebuilt from the command line in the past day.

Security Updates

This beta includes 5 security fixes for issues reported by our community and HackerOne.

  • Update Nokogiri to 1.13.4.
  • Category group permissions leaked to normal users.
  • Avoid leaking private group name when viewing category.
  • Hide private categories in user activity export
  • Ensure user-agent-based responses are cached separately

:exclamation: Note that discourse_docker, the Docker image upon which Discourse runs, also has a security update. The manual rebuild mentioned above is required to pull in this fix. This will result in downtime.

Add Sitemap Support

Discourse now supports sitemaps without the need for a plugin. This includes the same features as the Discourse Sitemap plugin, which can be safely uninstalled after updating.

Discourse Connect Provider 2FA Support

If you use Discourse as your identity provider for external sites, you can now require that users be prompted to confirm their 2FA. See GitHub for full details.


Even more!

But wait, there’s more! We do our best to highlight new features and changes for you, but there are always too many changes to detail. For a full list of new features, bug fixes, UX improvements, and more, be sure to review the Additional Features and Fixes listed below.

Plugin improvements


UX Changes

  • Additional refactor for topic-list prep

Discourse Chat

New Features

  • Add chat button on topic page under topic timeline and footer
  • Add an option to disable channel-wide mention notifications
  • Chat button in user card
  • Limit unique emoji reactions to 30 per message

Bug Fixes

  • Allows to DM yourself
  • Ensures a correct draft is created when building DM
  • Add missing tooltip to icon in topic list
  • Fixes a regression preventing indicator to show
  • Cooking is not required as we send message to server
  • Makes direct_messages an index route
  • Format usernames at request time
  • Filter right away to prevent flashing no results
  • Change copy for the quote button
  • Apply truncation on placeholder
  • Minor tweaks
  • Fix missing app event bindings
  • Use chatEventPrefix to handle composer insert-text events
  • Allow new duplicate reactions when max new reactions are reached
  • Error when anon viewing another user when chat is enabled
  • Don’t error from missing table

UX Changes

  • Implements a fully revamped direct message composer
  • Implements a progress bar
  • Change plugin outlet for user-card button placement
  • Prevents replying-text to be selected on long press
  • Cancel long press on scroll
  • Even more consistent chat notifications
  • Implements using long-press to trigger mobile menu
  • Adds slightly more padding under reactions
  • Implements a dedicated mobile menu for messages


New Features

  • Improve blank page syndrome

Bug Fixes

  • Handle boolean correctly on server


Bug Fixes

  • Make the review of a TL1 user’s first post configurable.


New Features

  • Include full date label as tooltip in topic list

UX Changes

  • Adjust calendar event display

Data Explorer

Bug Fixes

  • Use new properties for pick-files-button


Bug Fixes

  • Hide quick-edit button for encrypted topics
  • Add only valid search results
  • Check cached objects exist before accessing
  • Update existing keys only if they exist
  • Hide convert to public topic button


Bug Fixes

  • Pluck device ids before updating the db.

Docker Manager

Bug Fixes

  • Dynamically fetch logo url

Code Review

Bug Fixes

  • Handle commits without messages

RSS Polling

Bug Fixes

  • Do not raise if user does not exist


Bug Fixes

  • Clear next_renew_at when renew-start is removed.
  • Order displayed users and exclude inactive / suspended


Bug Fixes

  • Ensures we don’t mutate automation object

UX Changes

  • Allows to destroy an erroring automation


Bug Fixes

  • Allow multiple references to same footnote


Bug Fixes

  • Add missing locale entries for site settings.
  • Remove unused admin route
  • Preload topic custom fields

Chat Integration

New Features

  • Allow [quote] to be disabled for slack transcripts

Bug Fixes

  • Correct error in AdminDashboardData problem check
  • Only show admin dashboard errors when plugin/provider enabled

Additional Features and Fixes

New Features

  • Add user_suspended attribute in post serialize.
  • Improve screened IPs roll up and extend for IPv6
  • Add a sidekiq job for syncing S3 ACLs
  • Add email dark mode
  • Sortable json-editor items
  • Allow for local theme js assets
  • Allow multiple required tag groups for a category
  • DiscourseEvent hook for sync_sso
  • Polymorphic bookmarks pt. 1 (CRUD)
  • Support upload:// urls in img tags

Bug Fixes

  • Href attribute for post-date link
  • Add href to post-date link element
  • Prevents error with emoji autocomplete
  • Update dark mode emails styles
  • Ensure allowed_tags and allowed_tag_groups can be removed
  • Email logs not finding attached incoming email
  • Ensure category_required_tag_groups are destroyed with tag_groups
  • Fall back to clipboard.writeText if ClipboardItem not supported
  • Buggy topic scrolling on iOS 12
  • Serialize permissions for everyone group
  • Clean required category tag groups with invalid tag_group ids
  • Ensure legacy browser handling uses full <noscript> content
  • Hide user notifications tab for moderator users.
  • Uppy-image-uploader and uppy-upload mixin minor issues
  • Prevent duplicates in API scope allowed URLs
  • Include routes in an API scope’s allowed URLs even if they have no format constraints
  • Exclude automatic anchors from search index
  • Limit max word length in search index
  • Include crawler content on old mobile browsers
  • Users watching tags in open tag groups not notified
  • No need to hide “Later This Week” when showing “Later Today”
  • Ensure images do not change height when loading is complete
  • Redirect user to topic they were invited to
  • Do not attempt to pull_hotlinked_image for raw_html
  • Auto-generated emails causing group SMTP email storm
  • 500 error when creating a user with an integer username
  • Update ‘posted’ column on post owner change
  • Review queue scrolling is not working after taking an action.
  • Stop sorting options in date-pickers on the bookmark modal and the topic-timers modal
  • Can_permanently_delete should check for admin
  • Abort theme creation if unable to create uploads
  • Build correct post and topic shareUrl
  • Ensure ActiveSupport::Inflector is used by Zeitwerk
  • Hide tag count in tag filter when in a category context
  • Flips popper when top position is chosen incorrectly
  • Close user/group card on esc key press
  • Don’t put the whole sidekiq conf in to_prepare
  • Maintain HTML `<img` when downloading remote images
  • Validate category tag restrictions before sending new topics to review
  • Resetting selectable avatars was failing
  • Show restricted groups warning when necessary
  • Do not wrap unaccent around tsqueries
  • Bug setting notification level to muted/ignored on user page
  • Add errors field if group update confirmation
  • Don’t attempt to focus .title in topic-list-item if it doesn’t exist
  • Closing the picker shouldn’t propagate the pointer event
  • Make sure max_oneboxes_per_post is enforced
  • Allow @ember/test import in embercli prod builds
  • Don’t listen for focus/blur events if the topic-list opts out of last visited focus

UX Changes

  • Minor mobile topic list alignment adjustments
  • Make full topic row clickable on mobile
  • Add margin to security key button
  • Less specific styling for Auth logins
  • Apply crawler styling to <noscript> content
  • Make header/footer HTML consistent for crawler and noscript
  • Make crawler view usable under different color schemes
  • Inline code block edit
  • Update crawler view styles to be more readable
  • Require a password for invited users
  • Add details button to admin bounced/rejected lists
  • Use committed date for GitHub oneboxes
  • Indicate that “Show replies” button does not work for deleted posts
  • Cleaner messages for empty state on the user activity topics page


  • Speed up admin user list main query
  • Throttle updates to API key last_used_at
  • Update UserDestroyer to fetch histories and actions in batch


  • Make user avatars in posts stream untabbable
  • Improve accessibility of embedded replies below post
  • Improve accessibility of likes/read count post buttons
  • Change tabLoc tagName from <a> to <span>
  • Include username in aria-label of post region
  • Make the views column in topics lists tabbable
  • Improve topic entrance modal
  • Add aria-labels to topics list column headers
  • Add aria-label to the Replies cell in topics list
  • Focus last viewed topic in topic lists (take 3)