3.4.5 Security fixes release

Security Updates

This release includes fixes for these security issues reported by our community and HackerOne.

Even more!

But wait, there’s more! We do our best to highlight new features and changes for you, but there are always too many changes to detail. For a full list of new features, bug fixes, UX improvements, and more, be sure to review the Additional Features and Fixes listed below.

Plugin improvements

discourse-activity-pub

New Features

  • Allow everyone to see both followers and follows of Category and Tag Actors (223)
  • Add actor deletion (215)

UX Changes

  • Improve ActivityPub topic and post modals (224)

discourse-ai

New Features

  • Allow access to assigns from forum researcher (1412)
  • Use different personas to power AI helper features.
  • Add context and llm controls to researcher, fix username filter (1401)
  • Add inferred concepts system (1330)
  • Support upload.getUrl in custom tools (1384)
  • Simplify streaming implementation - rush last update (1380)
  • Automatic translation and localization of posts, topics, categories (1376)

Bug Fixes

  • Update topic summarization prompt to work better when using full names (1409)
  • When tool options are added they should be available (1406)
  • Always render “today” on top of conversation sidebar (1400)
  • Edit-topic is not invisible on desktop (1394)
  • Unable to scroll on mobile AI post helper results (1396)
  • Proper default LLM detection for inferred concepts (1392)
  • Exporting overall sentiment fails (1388)
  • Enum handling needs to be done on save as well (1386)
  • Custom tools incorrectly setting all fields to blank enum (1385)
  • Full page search broken (1383)
  • Bump persona’s examples length (1377)

UX Changes

  • Style tweaks for RAG uploader and form width (1407)
  • AI composer helper refinements (1387)

Performance

  • Optimize .ai-debug-modal__tokens selector (1390)

discourse-calendar

New Features

  • Show local timezone (735)
  • Support for recurrence_until (730)
  • Optional attached chat channel for event (728)

Bug Fixes

  • Nbsp handling in group-timezones (739)
  • Prevents double event and uses correct starts_at (736)
  • Remove hard dependency on Chat plugin (732)

UX Changes

  • Better copy (737)

discourse-data-explorer

UX Changes

  • Category-id-input: allows no-category selection (377)

discourse-oauth2-basic

UX Changes

  • Update admin settings plugin name (130)

discourse-policy

Security Changes

  • Policy group members (165)

discourse-saml

New Features

  • Allow multiple attributes for group sync and also using group full_name (127)

All Features and Fixes

Security Changes

  • Stricter default codepen on allowed_iframes
  • Respect max length in bot-human PMs (stable)
  • Escape topic title for mailers (stable)