3.2.1: Security and bug fix release

Discourse 3.2.1 Stable Release

Discourse strongly recommends that all sites follow the default tests-passed branch of Discourse. The “stable” branch is more focused on lack of change than lack of bugs - all releases, including those on tests-passed and beta are production ready.

Security Updates

This release includes fixes for these security issues reported by our community and HackerOne.

Even more!

But wait, there’s more! We do our best to highlight new features and changes for you, but there are always too many changes to detail. For a full list of new features, bug fixes, UX improvements, and more, be sure to review the Additional Features and Fixes listed below.

Plugin improvements

discourse-activity-pub

Bug Fixes

  • Ensure topic collections exists for full_topic activities (67)
  • Use full slugPath to reload categories with permissions (65)
  • Delivery job failure log (64)

discourse-adplugin

New Features

  • Improve DFP / Ad-manager Content-Security-Policy compat (201)

Bug Fixes

  • Calculate no ads for groups server side (200)
  • Add exclude groups for each ad platforms (197)

discourse-ai

New Features

  • Share conversations with AI via a URL (521)
  • AI Quick Semantic Search (501)
  • Add GitHub Helper AI Bot persona and tools (513)
  • Support for claude opus and sonnet (508)
  • Option for AI triage to send a post to the review queue (498)
  • AI helper support in non English languages (489)
  • Handle secure uploads in image caption (476)
  • AI image caption (470)
  • New Discourse Helper persona (473)
  • Mentionable personas and random picker tool, context limits (466)
  • Allow personas to supply top_p and temperature params (459)
  • Fine tune llm report to follow instructions more closely (451)

Bug Fixes

  • Syntax highlighting for shared-ai conversions with CSP enabled (532)
  • Handle unicode on tokenizer (515)
  • Expire assets when CSS changes
  • Missing translation on share page (528)
  • Don’t show share conversation incorrectly (526)
  • Filter soft-deleted topics when backfilling sentiment (527)
  • Ai-image-caption should not crash on checking currentUser can_use_assistant (523)
  • Image caption feature should respect composer AI helper groups (522)
  • Tune function calling (519)
  • Improve AI persona editor inputs and optional GitHub auth (518)
  • Prevent AI chat thread titles from being created before replies are posted (517)
  • Avoid all bot feedback loops (507)
  • Backspace in composer custom prompt closes menu (505)
  • System persona non English save, missing bot pms
  • Support multiple tool calls (502)
  • Stream messages when directly PMing a persona (500)
  • Support spaces within arguments for Open AI (499)
  • Composer service call breaking shared edits (494)
  • Lower truncation size for Gemini Embeddings (493)
  • Image generation in gemini was broken (490)
  • Caption was broken with multiple subsequent calls (481)
  • Unable to share conversations with persona user (479)
  • Cleanup AI search results when a subsequent search happens (469)
  • Better AI chat thread titles (467)
  • Use a dedicated prompt for thread titles (464)
  • Explicit check for empty string in compat migration (463)
  • Hide related topics when module is disabled (461)
  • Typo causing text_embedding_3_large to fail (460)
  • Improve embedding generation (452)
  • Add table name to remove ambiguous column reference in SQL (449)

UX Changes

  • Add title suffix to shared AI pages (531)
  • Add support for dark mode (529)
  • Update styles and markup for share feature (525)
  • AI Helper positioning (506)
  • Minor adjustments for image caption size, behavior (484)
  • Minor image caption style adjustments (482)
  • Add missing settings descriptions (465)
  • Re-introduce embedding settings validations (457)
  • Validate embeddings settings (455)

Security Changes

  • Place a SSRF protection when calling services from the plugin. (485)

discourse-akismet

Bug Fixes

  • 500 Error when editing a PostVotingComment (127)
  • Missing translation for review_tl1_users_first_post_voting_comment (128)

discourse-automation

New Features

  • Allow either custom_fields or user_fields in trigger (253)
  • Automated Post creation on user updated (249)

Bug Fixes

  • Update how we pass values to ModalJsonSchemaEditor (257)
  • Correctly format placeholders (255)
  • Computes next daily recurring from now (248)

discourse-cakeday

UX Changes

  • Fix page layout, clean up (123)

discourse-calendar

New Features

  • Use new options from downloadCalendar (549)

Bug Fixes

  • Editing custom field of event didn’t work (550)
  • Update test for holiday adjustments (541)

Security Changes

  • Hide invitees from users who are not allowed to see the event post (544)
  • Disallow self invite to private events (543)

discourse-client-performance

Bug Fixes

  • Use the proper plugin name in PLUGIN_NAME

discourse-data-explorer

New Features

  • Add group_list parameter type (283)

discourse-global-filter

Bug Fixes

  • Empty category matrix by converting it to glimmer (133)

discourse-group-membership-ip-block

Security Changes

  • Don’t expose custom fields from other plugins (13)

discourse-jira

Bug Fixes

  • Update jira field to Component API. (61)
  • Typo (58)

discourse-kolide

New Features

  • New checkbox to mark a device as mobile in onboarding (89)

discourse-math

UX Changes

  • Hide mathjax loading toast (78)

discourse-microsoft-auth

Security Changes

  • Emails from microsoft are not verified (72)

discourse-multilingual

Bug Fixes

  • Failing tests due to i18n.default (3)

Security Changes

  • Add max length to content_languages custom field

discourse-oauth2-basic

New Features

  • Allow specifying required paths when retrieving userinfo (96)

discourse-post-voting

Bug Fixes

  • Next Page issues with crawlers (193)

discourse-reactions

New Features

  • Count all reactions as likes with exceptions controlled by a site setting (267)

Bug Fixes

  • Stop requesting more reactions when none exist (282)
  • Do not show Likes on reactions-received endpoint (279)
  • View activity reactions for other users (278)
  • _allowHover() function call (277)
  • Hovering reaction icon causing error would flood AJAX requests (274)
  • Do not show users who Reacted under post … menu (275)
  • Do not show likes with reactions on likes-received list (273)
  • Handle null post.user_id for UserAction sync (270)
  • Require missing scheduled job in plugin.rb (269)

discourse-solved

Bug Fixes

  • Nest combobox within LI element (280)

discourse-steam-login

Bug Fixes

  • Button styling and label (79)

discourse-subscriptions

Bug Fixes

  • Ensure deletion of product upon confirmation (195)

discourse-templates

New Features

  • Add a link to template source topic (70)

Bug Fixes

  • Slowness when listing templates and the templates category (67)

discourse-vk-auth

UX Changes

  • Improve button design to match other logins (29)

All Features and Fixes

New Features

  • Auto generate and display video preview image (25633)
  • Site setting to include post in penalty messages (26026)

Bug Fixes

  • Set the video background to be black (25744)
  • Add a border around the video placeholder play button (25727)
  • Video playback on iOS (25513)
  • Webauthn origin was incorrect for subfolder setups (#25651) (25654)
  • Correctly save group invites (stable) (25567)
  • Update themes javascript cache after running themes migrations (25564)
  • Site-setting integer input type (25488)

UX Changes

  • Fix the video spinner css (25770)
  • Tweak play button css (25754)

Security Changes

  • Limit invites params length
  • Add rate limits for uploads
  • Generate more category CSS on client
  • Prevent large staff actions causing DoS
  • Don’t disclose the existence of secret subcategories