2.9.0.beta5: Security Fixes, Block Hotlinked Media, PM Tagging, Search Improvements and more

• Register assigned link under sidebar topics section.
• Promote polymorphic bookmarks
• Shows note in moderator post
• Show note in tooltip
• Add assign note

• Include users who were assigned to a post instead of topic.
• Only assign when suggestion is clicked
• Assigning a user without notes assigns and closes the modal
• Polymorphic bookmarks support
• Rename button
• User link on post assign/unassign
• Hide footer action button when user cannot assign
• Broken reviewable filter

• Don’t mention the group when no one is assigned.
• Show posers on group assign list
• Show posters on assigned topic list

• Speed up User.assign_allowed SQL query

• Move bookmark button to chat message quick actions
• Implement oneboxes for chat
• Add a button to switch back to small chat
• Chat notification emails
• Chat message bookmarks
• Chat-composer-buttons API
• Move chat messages to another channel
• Make original message the reply excerpt if prettified excerpt is empty

• Ensures a deleted message can be marked as read
• Requests larger avatars for onebox
• Tests were broken following core change
• Prevents the jump when loading more
• Onebox should only show active users
• Make sure chat uploads have correct URL in template
• Undefined uploads error when attempting to cloneJSON
• Dev populate breaks with missing admin user
• Refresh chat state when tab gains visibility
• Add extra chat shortcut help text
• Ensures we attempt to fill the current pane with messages
• Ensures chat has correct height on composer resizing
• Ensures staged message is not using uploads array ref
• Ensures we unsubscribe from /chat-reply in draft mode
• Issues with deleted messages and incorrect last read
• Prevents destroyed/deleted chatable to crash admin page
• Message order consistency
• Serialize dates using ISO8601
• Add ChatChannelFetcher specs and fix issues
• Use message full_url in summary emails
• Send_unread_mentions_summary is a class method
• Make the bookmark row highlight work with sidebar
• Fix filter in chat channel fetcher
• Don’t hide the new messages’ separator besides the channel header.
• Ensures composer transition is over to compute height
• Minor fixes to msg-actions
• Reduces margin before dots of replying indicator
• Workaround electron quirk
• Prevents 2 rows when only one is needed in firefox
• Composer disabled state was incorrect
• Update user last read endpoint.
• Add channel ID attribute to chat quotes
• Make get channel by name work with chatable name
• Nicer error message when reacting without membership
• Immediately queue notification jobs
• Excerpts for complex messages
• Composer uploads were appearing in the last message
• ChatMessageClasses has too many arguments
• Add gallery to collapser
• Ensures mentions are correctly highlighted
• Don’t hide the new messages indicator beside the channel header
• Do not show Move Messages button in DM channels
• Do not assume name exists for channel
• Don’t hide the new messages indicator beside the channel header.
• Loads populate only on development env
• Ensures separator is correctly translated
• Shows edited text if editing a collapsible into a collapsible
• Ensures collapsing is working on legacy
• Ensure edits are shown, with tests
• Decorates lazyYT only once
• Get + computed causing issues on legacy
• Ensures widget is re-rendering when router changes
• Fix overflowing github oneboxes
• Scope chat image/onebox styling to .chat-message
• Following public channel doesn’t return channel
• Ensures channels are refreshed when creating channel
• Resize images within oneboxes
• Ensures we don’t double subscribe to updates
• Correctly acknowledge for deletion in unread_counts
• Use @service router to fix chat quoting on mobile
• Enable quoting in all cases
• Scope updating ChatMessageEmailStatus records to current_user
• Default channel setting not working
• Ensures html pasting works
• Reset dm-creator state on channel change
• Ensures we focus when creating from a dm
• Improves channel switching when upserting

• Ensures sticking to bottom loads from last message
• Reduces spacing between avatars in channel onebox
• Split each summary’s message into its row.
• Tweak the archived channel UI
• Changes chat composer dropdown button to use times icon
• Raises DM limit to 20 in every cases
• Hide msg actions on mouseleave
• Slightly improve look of message actions on desktop
• Vibrate on devices supporting it
• Disable text selection on more elements
• Make some UI elements unselectable
• Display staged message when creating channel
• Uses pencil icon for browse channels button
• Uses cog icon for editing channels btn
• Reduces replying indicator vertical padding
• Ensures progress bar reaches done state

• Only parse HTML once during isCollapsible
• Update all decorators to use decorateChatMessage api
• Only decorate messages when cooked changes

• Includes variables %{topic_title} and %{topic_url}
• Return 422 in /canned_replies/id/use if id does not belong to canned reply
• Limit max replies retrieved as a safe guard
• Added rake tasks to migrate data from v1 to v2
• Check category permissions to see if user can use canned replies
• Filter out topics with unwanted status from replies list
• Unified desktop and mobile selection UI
• Remove replies CUD code and UI elements
• Allow user to filter canned response by tag
• MVP - Fetch replies from category topics

• Fixes regression in templates variables starting with reply_
• Renamed migration to reate_discourse_templates_usage_count
• Default usage_count to 0 while migrating from v1
• @computed in CannedTagDrop was causing test to fail
• Test if the filter input was found before setting focus
• Removed unnecessary inline style in canned-replies-modal.hbs
• Use POST to update reply usage
• Removed unused settings
• Fixed lint errors

New Features

• Add new/unread counts to tags section links exp sidebar
• First pass tags section for experimental sidebar.
• Display new/unread count for tracked categories in exp sidebar
• Add section links to categories section to exp sidebar
• Create upload_references table
• Propagate user status via message bus
• Highlight None option by default for bookmarks
• User status
• Make S3 presigned GET URL expiry configurable
• Pull hotlinked images immediately after posting
• Site setting for blocking onebox of URLs that redirect
• Promote polymorphic bookmarks to default and migrate
• Allow locals to be passed in server_plugin_outlet
• Add page title to 404 pages
• Restore scroll on user activity pages
• Promote the “delete group” staff action log.
• Polymorphic bookmarks pt. 3 (reminders, imports, exports, refactors)
• Validate setting combination between exif strip and img opt
• Add fallback to suggested value when auth_overrides_username
• Introduce a sitewide setting for disabling suggesting weekends in time pickers
• Optionally skip using full_name when suggesting usernames
• Scope search to PMs when in that context
• Detect emoji from Emoji 14.0
• Polymorphic bookmarks pt. 2 (lists, search)
• Show prompt for required tag groups
• Site setting to cap the recipient list in notification emails
• Block indexing the embed topic list

Bug Fixes

• Ensure that extract_upload_ids works with all short URLs
• Skip CSRF token check on webhook routes
• Display translated fallback as the group name for custom emoji groups
• Allows image to be displayed at the right size
• Twitter onebox keeps whitespace for expanded links
• Send quote notifications to correct users when prioritizing full names
• Cleanup invalid historic site setting data
• Handle empty string in theme_settings for upload_references
• Make disabling TLS in mail possible again
• Escape youtube title when constructing onebox preview html
• Missing tracked sub category topics from tracked topic list
• Correctly handle invalid auth cookies
• Seed multisite dbs after migrating in development
• Email Send post has already been taken error
• Restore automatic style preview in wizard
• DiscourseConnect login did not auto approve based on email domain
• Ensures composer is not pre-filled with none/all tags
• Don’t throw errors on wizard dropdowns
• Approves user when redeeming an invite for invites only sites
• Do not use SVGs for twitter:image metadata
• Keep composer draft when go back and forth between PM and New Topic.
• Harmonise category body class generation on server/client
• Show suspended by user
• Make f query param sticky when navigating between nav items
• Topic list nav items count not respecting tracked filter.
• Change event target on select kit row
• Tracked filter did not account for max_category_nesting of 3
• Fallback to default push notification icon if none exists
• Do not looks for plugin test js in production
• Add bookmark quick access tests and fix username
• Correctly handle nested quotes in to-markdown
• Respect user timezone in emails about silencing and suspending
• Changing date should recompute input
• Incorrect URL for bookmark quick action menu
• Further refine duplicate bookmark delete query
• Delete extraneous topic bookmarks
• InlineOneboxer watched word censor error
• Apply censored words to inline onebox
• Improve bookmark-icon title
• Limits for PM and group header search
• Skip pulling hotlinked images for nil user bio
• Applying default user options didn’t work for boolean flags
• Site setting changes for boolean should be logged as true/false
• Refactor placement of plugin outlet & index use
• Clear inline onebox cache when a post is rebaked
• Pass empty hash for view locals by default
• Apply ‘allowed_href_schemes’ to all src/srcset attributes
• Allow users to select “regular” categories
• Use CSS transition to make room for composer
• acted state in post action like could desync with multiple likes
• Apply ‘hide email account’ for invites
• Prevent all kinds of login in readonly mode
• Add safari 12 to ember-cli build targets in production
• Make read only errors respect the request format
• Handle quote rendering for external Discourse instance
• Checked allowed tag when editing Reviewables
• Auto margins cause too-narrow content
• Show error message if extensions cannot be created
• Do not log category custom fields changes if the value is unchanged
• Create PostgreSQL extensions before migrating
• Use our header value instead of custom header on duplicates
• Use registered bookmarkables for BookmarkManager
• Allow .ics for polymorphic bookmarks
• Store scroll position when using Back button
• Apply watched words to user fields
• Polymorphic bookmarks for bookmark report
• Use hidden site setting for batch presign rate limit
• Use polymorphic bookmarks for in:bookmarks search
• Add support for pipelined and multi redis commands
• Background like count update didn’t account for own user actions
• Prioritize names and usernames consistently
• Limit pan event handler to fix scrolling in TOC
• Use proper ActiveRecord method in import scripts
• Ensures d-popover closes when clicking on popper
• Polymorphic bookmarks for new user narrative bot
• Prevents double user_badge_granted event
• Prevent admin theme settings from blowing up
• Validate post’s polls as acting user
• Topic view breaks with topic timer to publish to restricted category.
• Users with unicode usernames unable to load more topics in activity
• Add email to admin user list when show_emails is enabled
• Missing translation when translation override contained a %{key}
• Skip invalid custom_field json in hotlinked_media migration
• Validate permalink_normalizations setting
• Handle enum types during database restore
• Destroys instance when hiding date popover
• Handle invalid JSON from downloaded_images custom fields
• Handle duplicates in hotlinked_media migration
• Updated filtered replies when replies exist
• Ensure post_hotlinked_media index does not exceed size limit
• Avoid concurrent usage of AR models
• Closes popover when downloading calendar
• Uses tippy for popover
• Show group in filter only if user can see the members list.
• Ensure values are escaped in select-kit dropdowns
• Prepare data before creating chart to avoid side effect
• Remove refresh seconds override on cache_critical_dns
• Cache_critical_dns - add TLS support for Redis healthcheck
• Prefers computed over discourseComputed
• Correctly handle the print param on topics#show.
• Check 2FA is disabled before enabling DiscourseConnect.
• Properly clean Thunderbird emails, don’t remove links
• Ensure lazy-load-images does not remove entire img.style
• Use username for nested quotes
• Show footer on the categories page
• Replaces discourseComputed by computed
• Showing icons on future-date-input options
• Do not error when json-serialized cookies are used
• Show footer at the end of topic list
• Add missing translations for medium format
• Skip upload extension validation when changing security
• Don’t allow DiscourseConnect logins in readonly mode
• Return a 404 when a sitemap request doesn’t have a format
• Ensure ‘crop’ always returns requested dimensions
• Check if bookmarkable column exists before adding
• Issues with incorrect unread and private message topic tracking state
• Warn_exception expect hash as second arg
• Show dismiss all modal in user-notifications page
• Do not show visibility topic if visible
• Don’t validate and render the polls inside a quoted post.
• Email styles for Gmail app dark mode

UX Changes

• Remove limit for emoji search in composer
• Larger images in mobile emoji picker
• Hide select-kits when the parent element is outside the viewport
• Don’t tether popper to the viewport if reference is out of the viewport
• Update chat menu popover styling
• Show message if rebake fails
• Make YouTube playlist onebox full width to match video onebox
• Reordered topics in INSTALL-cloud.md to add a ‘Before you start’ section
• Align the trash button on the bookmark modal
• Update hljs-builtin-name colour
• Update hljs-builtin-name highlight
• Consistent spacing on group interaction form
• Fix status icon size in suggested topics
• Add back link on taggroup page
• Fix various login modal issues on mobile
• Allows to close popover on escape
• Prevent user grid blowout on full page search
• Remove horizontal scoll from narrow screens
• Ensure #main-outlet-wrapper takes full width.
• Fix hover state for flat buttons in WCAG schemes
• Add a brief accessibility summary to the README
• Display user.username on user cards
• Reset mark element highlight for WCAG schemes
• Add time_shortcut.now translation
• Improve the list of options on the slow mode modal
• Move post date under title in share-modal
• Larger clickable area for mobile topic list
• Fix topic admin menu layout for short screens
• Tweak topic-admin-menu alignment/size
• Prevent group mention from wrapping
• Ask for confirmation when deleting a post using shortcut
• Fix a few WCAG color scheme contrast issues
• Organize topic admin menu into groups
• Show all pie legend options for long polls
• Add title to read time stats from user page
• More descriptive moderator manage setting
• Improves select-kit body placement when vertical space is short
• Add more detail to remove full quote site setting description
• Minor email group chooser alignment fix
• Minor adjustment to login/signup close position
• Improve small action button alignment

Performance

• Improve to-markdown speed, update the code
• Lazily lookup emoji-picker selected-diversity
• Speed up secure media and ACL sync rake tasks
• Update all user_histories with one query in UserDestroyer

Accessibility

• Add keyboard support for do-not-disturb modal
• Keyboard access for /u table headings
• Fix WCAG contrast for notification header