Discourse 2.2.0.beta6 Release Notes

New features in 2.2.0.beta6

Improved Security

This release includes a number of security related improvements.

Content Security Policy (CSP)

Discourse now ships with a CSP Level 2 policy. This policy helps mitigate Cross Site Scripting (XSS) attacks to keep your site safe. For all the details, including how to turn it on, and what it may break, see

New dashboard tab: security

We’ve added a third tab to the admin dashboard: security. This tab shows all security related reports in one place, including the suspicious logins report, and the new staff logins report.

Invalidate admin accounts if not seen for a year

To help minimize the risk of an unused admin account being compromised, admins who have not been seen for 365 days will now have their accounts deactivated, and social logins revoked. To regain access they’ll need to validate their email again, and reconnect social accounts. The length of time before deactivation can be configured via site settings.

Warn before overwriting draft

Ever start editing a post in one tab, leave it open, start editing in another tab, and then find that you overwrote your first edits? I know I have. To help avoid this, Discourse now warns you when edits may overwrite an existing draft.


Lazily load images

Back in June, one of our designers, @Johani, created a theme component to enable lazy loading for images. This helps make load times faster, as well as sending less data at one time. The theme worked so well one of our engineers adapted it to ship as part of Discourse core. Now images are only loaded when they are on screen, not when they are 7 posts below.

Full height swipe enabled menus on mobile

First discussed way back in 2015, full height slide out menus are now enabled! Both the user menu (notifications) and the hamburger menu now occupy the full height of the mobile browser when opened, and can be swiped away when no longer needed. On Android, swipe-in is also supported. (Swipe-in is not supported on iOS as horizontal swipes from the edges of the screen are reserved by the OS for forward/back).

Share to Discourse (Android)

Discourse PWA on Android now supports receiving the native OS “share” feature. For all the details and requirements, see:

Remove category column from topic lists

To help streamline the topic list, we’ve removed the dedicated category column and instead display the category below topic tiles, just like tags. Want more details on the change? Check out The topic list doesn't need a category column.


Even more!

But wait, there’s more! We do our best to highlight new features and changes for you, but there’s always too many changes to detail. For a full list of new features, bug fixes, UX improvements, and more, be sure to review the Additional Features and Fixes listed below.

Security Updates

This beta includes 2 security fixes for issues reported by our community and HackerOne.

  • Do not delete avatars uploads when deleting accounts
  • Require groups to be given when inviting to a restricted category.

Plugin improvements

Steam Login

  • Bug fix for FA5
  • Use https for URLs

WordPress Discourse Plugin


  • improve graph image quality


  • Bug fix


  • Bug fix

Docker Manager

  • Bug fix


  • Bug fixes

Chat Interation

  • Bug fix


  • Updates for FA5
  • Updates for CSP
  • Bug fixes
  • Do not sync automatic groups


  • Do not sync automatic groups
  • Updates for FA5

Additional Features and Fixes

Click to expand

New Features

  • Rake task to list users which have been staff in the past month
  • Adds site setting to let quotes on direct replies.
  • Add short_site_description setting to be included in title tag on homepage
  • Polyfill intersection observer for IE11 / iOS Safari
  • Allow connecting associated accounts when two-factor is enabled
  • Activate users invited via email when invite is redeemed
  • Option to use ruby-bbcode-to-md in bulk import script
  • Remove full quotes of direct replies.
  • Improved deprecation warnings
  • Discourse.deprecate can report version
  • Show avatar flair on group, badges and directory pages
  • Show autocomplete when enable_inline_emoji_translation is true.
  • Add support for inline emoji translation.
  • Add ‘Advanced Test’ for admin panel.
  • Filter topic and post web hook events by tags
  • Multisite support for S3 backup store
  • Disable notifications for small actions that are whispers
  • Allow advanced specification of excerpts for posts
  • Do not check consecutive replies for original poster.
  • Allow plugins and themes to extend the default CSP

Bug Fixes

  • Suspicious login detection
  • Only serialize group membership domains for administrators
  • Delete all posts in batches without hijack
  • Incorrect translation key on admin search logs.
  • Apply original margin-bottom to fix position placeholder
  • Define actions on connector class early
  • Incorrect arguments were being passed to Jobs::ClosePoll.
  • Remove slow platform detection from server side
  • Always show filtered site settings
  • Invalidating inactive admin emails should mark them as not active
  • Do not bump topic when removing full quotes.
  • Makes charts more resilient to resizing
  • Sidekiq fails to start if any of the multisite has problems.
  • Support RTL languages in header menu
  • Return authenticated=true when reconnecting
  • Do not convert quote tags to markdown
  • Show every voter only once.
  • URLs containing two # would fail to work
  • Redirect to default homepage when visiting /login
  • Use database to persist metadata during social registration
  • Category-drop initial state was incorrect
  • Don’t double add users to topic allowed users
  • Exec_params needs instrumentation
  • Support connecting GitHub with existing accounts
  • Add missing android icon
  • Prioritize explicit ‘connect’ over matching by email
  • Return 422 instead of 500 for invalid SSO signature
  • Only hide shared draft topics from latest
  • Do not serialize user fields unless they are specified for display
  • Posts would not auto rebake unless gravatar download was enabled
  • Refactor lightbox mobile icon
  • Wizard tries harder to find existing Welcome Topic
  • `UserNotificationsHelper#logo_url’ to work with S3 based uploads.
  • Always allow admins upload selectable avatars.
  • Properly secure poll message bus
  • Ignore query parameters when displaying counter on internal links
  • Do not reset link counts when post is rebaked
  • Method extraction caused push notifications to include incorrect post
  • Variable name typo in subcategory image
  • Clamp integers to prevent ‘PG::NumericValueOutOfRange’ errors
  • Improve avatar loading, and add tests
  • Increase timeout when trying to reload unicorn.
  • Use safe navigation operator throughout statement
  • Topic is nil when first post is being created
  • Use safe navigation operator when looking for avatar URL
  • Tooltip regression in admin dashboard
  • Fixed tests.
  • Raise exception when getting dimensions of missing image
  • Don’t steal focus when text in editor is replaced
  • All multisite upload paths should start with /uploads/default/…
  • Make staff_edit_locks_post work with download_remote_images_to_local
  • Show generic title when quoting off-topic secure category posts
  • Do not store key tracking last seen time indefinitely
  • Lightbox expand icon on mobile
  • Add vkontakte icon alias
  • Log name changes only when the name is actually updated
  • Incoming email matches the wrong user if null bounce key available in db
  • Redis leak when visiting large amounts of topics
  • Jobs::CleanUpUploads fails when value of upload data_type is an empty string.
  • Refactor commit a8c3ca, add test
  • Limit SvgSprite scan to string setting values
  • Refactor ImageSizer.resize
  • Call ImageSizer only if width/height are available
  • Defer flags (only) when handling a flag and deleting replies
  • Prevent minimum_required_tags on category being set to null

UX Changes

  • Removes superfluous posters column header
  • Increase selector specificity so that “inline” lightboxes in quotes don’t get backgrounds
  • Fix cropped image thumbnails
  • Reduce show dismiss… at top of unread/new to 15
  • More consistent category lock and topic-status styles
  • Add styling for updated twitter status icons in onebox
  • Globally dim categories slightly
  • When composer is minimized, let user open composer in regular size instead of full screen
  • Dim visited post info along with title
  • Add missing icons
  • Refactoring topic statuses for consistent icon sizes & colors
  • Make shared drafts behaviour consistent for non-staff users
  • Improve code highlighting diffs for dark themes
  • Show smaller Emojis within some HTML elements
  • Wrap pre element.
  • Truncate long topic tiles to prevent badges and date from wrapping
  • Replace FA5 compress/expand icons
  • Do not restrict width of category image, only height