3.5.0.beta6 Security fixes release

Security Updates

This release includes fixes for these security issues reported by our community and HackerOne.


Even more!

But wait, there’s more! We do our best to highlight new features and changes for you, but there are always too many changes to detail. For a full list of new features, bug fixes, UX improvements, and more, be sure to review the All Features and Fixes section listed below.

Plugin improvements

discourse-activity-pub

New Features

  • Allow everyone to see both followers and follows of Category and Tag Actors (223)
  • Add actor deletion (215)

UX Changes

  • Improve ActivityPub topic and post modals (224)

discourse-ai

New Features

  • Allow access to assigns from forum researcher (1412)
  • Use different personas to power AI helper features.
  • Add context and llm controls to researcher, fix username filter (1401)
  • Add inferred concepts system (1330)
  • Support upload.getUrl in custom tools (1384)
  • Simplify streaming implementation - rush last update (1380)
  • Automatic translation and localization of posts, topics, categories (1376)

Bug Fixes

  • Update topic summarization prompt to work better when using full names (1409)
  • When tool options are added they should be available (1406)
  • Always render “today” on top of conversation sidebar (1400)
  • Edit-topic is not invisible on desktop (1394)
  • Unable to scroll on mobile AI post helper results (1396)
  • Proper default LLM detection for inferred concepts (1392)
  • Exporting overall sentiment fails (1388)
  • Enum handling needs to be done on save as well (1386)
  • Custom tools incorrectly setting all fields to blank enum (1385)
  • Full page search broken (1383)
  • Bump persona’s examples length (1377)

UX Changes

  • Style tweaks for RAG uploader and form width (1407)
  • AI composer helper refinements (1387)

Performance

  • Optimize .ai-debug-modal__tokens selector (1390)

discourse-calendar

New Features

  • Show local timezone (735)
  • Support for recurrence_until (730)
  • Optional attached chat channel for event (728)

Bug Fixes

  • Nbsp handling in group-timezones (739)
  • Prevents double event and uses correct starts_at (736)
  • Remove hard dependency on Chat plugin (732)

UX Changes

  • Better copy (737)

discourse-data-explorer

UX Changes

  • Category-id-input: allows no-category selection (377)

discourse-oauth2-basic

UX Changes

  • Update admin settings plugin name (130)

discourse-policy

Security Changes

  • Policy group members (165)

discourse-saml

New Features

  • Allow multiple attributes for group sync and also using group full_name (127)

All Features and Fixes

New Features

  • Theme-owned color palettes (32795)
  • Add option to make <AceEditor /> resizable (33044)
  • Allow customizing default timezone for email. (32964)
  • Show language switcher for anons (32965)

Bug Fixes

  • Wrong link to groups in post-small-action widget (33099)
  • Do not show header search icon if welcome banner search shown (33098)
  • Wrap theme translations in IIFE (33108)
  • Disallow encoded words in e-mail addresses (33083)
  • Ensures post toolbar text can’t be selected (33075)
  • Respect category/tag filtering for reviewable webhooks (33051)
  • Exclude reviewable_notes from intermediate DB schema (33068)
  • Latest duplicated groups to about components (33003)
  • Back to themes page not working when theme has enabled components (33048)
  • Uses text selection when using hide details (33049)
  • When new new is enabled, filter dismiss modal to correct type (33037)
  • Handle redirect issue with categoryId rewriting page number (33009)
  • Ensure copy_data callbacks run even when all rows are skipped (33002)
  • Correctly unescape title for amazon oneboxes (33010)
  • Restore category text color field (32915)
  • Improvements for admin search (33006)
  • Topic timeline in mobile is not usable due to full height (32986)
  • Removes shift which is not necessary anymore (32979)
  • Composite primary key output (32972)
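The "Disallow encoded words in e-mail addresses (33083)" entry above is the one bug fix in this list a practitioner may want to reproduce elsewhere. The following Ruby block is an added example written for these notes; it is not Discourse's own code and does not reproduce the actual change in 33083. It assumes only the RFC 2047 encoded-word syntax (`=?charset?encoding?text?=`) and rejects any address that contains such a token before the address is accepted. The rationale the example works from is general: mail software decodes encoded words when it interprets headers, so an address string that passed validation in its raw form can be interpreted differently once it is placed in a header. The helper names and the sample addresses are constructed for illustration.

```ruby
# Added example, not Discourse's code: reject RFC 2047 "encoded words"
# (=?charset?B-or-Q?text?=) anywhere in an e-mail address before the
# address is stored or handed to a mailer. Header parsers decode these
# tokens, so the validated string and the interpreted header can differ.

# RFC 2047 encoded-word shape: =?charset?B|Q?encoded-text?=
ENCODED_WORD = /=\?[^?\s]+\?[bBqQ]\?[^?\s]*\?=/

# Loose structural check used only for this example (hypothetical helper);
# it is deliberately not a full RFC 5322 address parser.
ADDRESS_SHAPE = /\A[^@\s]+@[^@\s]+\.[^@\s]+\z/

# Returns :ok, or a symbol naming why the address was rejected.
# The encoded-word check runs first so a token is reported even when
# the rest of the address would also fail the structural check.
def check_address(addr)
  return :blank if addr.nil? || addr.strip.empty?
  return :encoded_word if addr.match?(ENCODED_WORD)
  return :malformed unless addr.match?(ADDRESS_SHAPE)
  :ok
end

def address_allowed?(addr)
  check_address(addr) == :ok
end

# Constructed sample inputs for this example (not taken from any report):
# encoded words in the local part, appended to a plus-tag, and in the domain.
SAMPLES = {
  "alice@example.com" => :ok,
  "=?UTF-8?Q?alice?=@example.com" => :encoded_word,
  "bob+=?utf-8?b?Ym9i?=@example.com" => :encoded_word,
  "carol@=?iso-8859-1?q?example?=.com" => :encoded_word,
  "not-an-address" => :malformed
}

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each_key { |addr| puts "#{addr.inspect} -> #{check_address(addr)}" }
end
```

Run the check at every point an address enters the system (signup, invite, admin edit, incoming mail), not only in the user-facing form; the point of the fix is that a token which looks harmless as text is reinterpreted by whatever later builds the mail header.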

UX Changes

  • Add * mention to site setting description
  • Only show single composer tip at a time (33050)
  • Add z-index to the admin save all banner (33093)
  • Fix admin reports breadcrumb link (33085)
  • Keep marks when using emoji input rules on rich editor (33058)
  • Add subheader to admin themes page (32987)
  • Rich editor [details] caret hover and padding (33057)
  • Update theme cards min width (33045)
  • Margin top to first onebox in topic (33054)
  • Fast topic edit (32941)
  • More consistent search menu spacing (33036)
  • Onebox changes (33038)
  • Make sure search context is kept when navigating (33016)
  • Update some delete confirmation dialogs (33018)
  • Avoid presence layout shift (33022)
  • Scale down the theme title edit size (33021)
  • Merge onebox experiment into core (33015)
  • Fix active menu item bottom border (33013)
  • Move to regular border radius variable (33011)
  • Polishing borders, border-radius, input, and spacing (32995)
  • Fix mobile positioning for content editable (rich editor) (32993)
  • Add hover state to theme cards (32980)
  • Add gap to sidebar items (32981)
  • Decrease spacing between content sections in theme-card UI (32977)
  • Fix padding (32973)
  • Improve color descriptions (32930)
  • Fix border-radius on image upload inputs (32935)

Security Changes

  • Respect max length in bot-human PMs
  • Escape topic title for mailers

Performance

  • Remove <details> polyfill (33020)

Accessibility

  • SVG icons should be hidden unless a label is provided (33059)