Discourse 2.4.0.beta10 Release Notes

New features in 2.4.0.beta10

Bigger emoji

When 1-3 emoji exists on their own line, they’re now automatically made larger! Now you can communicate in emoji without needing to squint as much.


Award a badge to a set of users

Badges now support “bulk award”, allowing admins to upload a list of user emails which will all be granted a badge. For full details, see

MaxMind DB downloads now require a license key

Discourse uses the free MaxMind GeoLite2 IP database to provide location information for users and admins. This powers features like Recently Used Devices in user preferences, and IP lookup on user admin pages. Due to changes required by the CCPA, MaxMind has changed the download process. To download the database admins must now register for an account and receive a (free) license key. More details in Upgrade / Rebuilds Fail due to MaxMind DB EOL.

Internet Explorer 11 Deprecation

Discourse will be ending support for IE11 on June 1, 2020. Users are strongly encouraged to move to a supported browser to continue using Discourse without interruption. Discourse will start showing a warning to users that IE11 support is ending at the top of the site. For full details, see Discourse is ending support for Internet Explorer 11 (IE11) on June 1, 2020

CSP enabled by default

At the start of 2019 Discourse first supported a Content Security Policy (CSP), an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. CSP has been enabled for new sites over the last year, but older sites did not have CSP enabled without explicit admin action. With beta10 CSP will be enabled for all sites, unless explicitly disabled by an admin (strongly discouraged). Sites with external scripts running, for example Google Analytics, Ads, tracking, etc. may need configuration updates to continue working. See Mitigate XSS Attacks with Content Security Policy for full details on CSP, and how to configure scripts to work.

Security Updates

This beta includes 4 security fixes for issues reported by our community and HackerOne. It is highly recommended that sites update to receive these patches.

  • 2FA with U2F / TOTP
  • Use strict JSON parsing when parsing backup metadata
  • Improve second factor auth logic
  • Privacy leak with staged user and closed category

Even more!

But wait, there’s more! We do our best to highlight new features and changes for you, but there’s always too many changes to detail. For a full list of new features, bug fixes, UX improvements, and more, be sure to review the Additional Features and Fixes listed below.

Plugin improvements


  • Improve Holiday Grouping
  • Multiple UX improvements
  • Add timezone picker
  • Add Google Calendar link
  • Bug fixes


  • Add Yandex.Translate support

OpenID Connect

  • Respect the email_verified boolean when supplied by IDP
  • Allow parameters to be passed from /auth/oidc to the IDP


  • Add support for GitHub issues
  • Bug fix

WP Discourse

  • Fix Open Links in New Tab setting not being applied to Join Discussion link
  • Use WPDISCOURSE_PATH constant when loading plugin files

Yearly Review

  • Exclude read_restricted categories from user stats calculations
  • Spanish support
  • UX improvements
  • Bug fixes

Ad Plugin

  • Support fluid ad size in Google Ad Manager
  • Bug fixes

Chat Integration

  • Include category title and color in Discord payload


  • UX improvement
  • Bug fix


  • Bug fix


  • Bug fixes


  • Bug fix


  • Bug fixes

RSS Polling

  • Bug fix


  • Bug fix


  • Bug fix


  • Bug fix

Code Review

  • Bug fix


  • Bug fixes


  • Bug fixes


  • Bug fixes


  • Bug fixes


  • Bug fix

Data Explorer

  • Bug fix

User Notes

  • Bug fixes

Additional Features and Fixes

Click to expand

New Features

  • Export all types of reports
  • Drop “backup” schema 7 days after restore
  • Secure media allowing duplicated uploads with category-level privacy and post-based access rules
  • Allows to define a dissmiss duration on global notices
  • Add hidden setting to disable configuration of inventory bucket
  • Pass in excluded usernames to user-selector
  • Use new Badging API
  • Add rake task to disable secure media
  • Topic admin menu sticks to bottom on mobile.
  • Allows plugins to add a global notice
  • Allow TL3 promotions for overturned penalties
  • Allow complex post params from plugin
  • Add mybb.ru import script
  • Keyboard shortcut for opening the topic admin menu

Bug Fixes

  • Use new tag routes
  • Workaround limitation in jquery.autoellipsis
  • Higher z-index for usercards in the header
  • Do not extract dates from quotes and Oneboxes
  • Allow the app to generate and accept longer backup codes
  • Incorrect locale in badge granter
  • When tag or category is added notify users that topic was modified
  • Do not error in excerpts when aside tag has no class attribute
  • Make topic query include topics from sub-sub-categories
  • Make category-chooser show all parent categories
  • Users should be able to remove their primary group
  • Don’t override timezone on every visit of profile preferences
  • Don’t cause exceptions due to rename of reply_id column
  • Show PM icon in docked header
  • Applies correct styles to icon and attempts to dry code
  • Do not increase size of emojis in markdown tables
  • Reload the ReviewableScore types when extending flags
  • Include sub-sub-categories in new/unread counts
  • Change additional public uploads to not be secure
  • Groups pagination was broken
  • Change rootNone behavior in category-chooser
  • Add missing translation key for narrative bot Italian locale.
  • Styling for feature topic on profile modal
  • Show error message if the topic deletion fails
  • Correctly wrap image and resize controls inside paragraph
  • Better error message when topic deletion fails
  • Create post notices only for public posts
  • Group membership leak
  • Raised a proper NotFound exception when filtering groups by username with invalid username.
  • Properly filter the groups based on current user visibility when viewing another user’s groups.
  • Spec for groups_controller#index when group directory is disabled for logged in user.
  • Groups_controller.sortable specs to actually test all sorting combinations.
  • Rewrote the “view another user’s groups” specs to test all group_visibility and members_group_visibility combinations.
  • Ensures group-navigation states changes when route changes
  • Ensures secondary menu of user notifications mobile nav reloads
  • Update user-selector excluded usernames after insert
  • Update featured badge ranking when mass-awarding badges
  • Moves back padStart/padEnd to core polyfills
  • Specs with old filename
  • Use CDN for the discourse-internet-explorer
  • Remove padding while composer is saving
  • Ran prettier on user-selector-test
  • Make ‘findBySlugPathWithID’ when URL ends with a slash
  • Prevents url of file from being pasted when pasting file on iOS
  • Don’t log a claimed topic database error during tests
  • Stop logging errors in postgres on reviewable conflict
  • Decompressing lots of small files triggered error
  • Allow users to change title in locales other than English
  • Do not redirect to /auth/* urls after authentication
  • If the admin sso sync has no external ID, don’t throw an error
  • Don’t leak event listeners in user-activity-drafts
  • Allow omniauth confirmation page to pass through GET parameters
  • Add noindex header to user profile pages.
  • Make scrolling to bottom post in topic more consistent
  • Ensure we consistently pick the same topic for bench
  • OnScroll method was not defined on mobile discovery
  • Topic_tracking_state when mute_all_categories_by_default is enabled
  • Only agree with the first post when using the ‘Delete post + replies and agree’ option
  • Cached new topic data should not be deleted after dismiss new
  • New/unread count after dismissing new topics in a regular category
  • Allows scroll on load for discovery topic list
  • Bulk insert to create application requests
  • Bulk insert to create topics
  • No need to create separate user for each topic, post etc.
  • Another bulk_insert of ApplicationRequests
  • Dont create user and topic instances when not neccessary
  • Merge examples with expensive setup into one example
  • MaxMind DB file not downloading correctly
  • Keep ‘rb’ & ‘rp’ tags in html to markdown conversion.
  • Ensure CSP is off for qunit
  • Show uncategorized description on categories page
  • Descriptions were blank for uncategorized in hamburger menu
  • Add a blank poll options validation
  • Don’t give error 500 when invalid date param is given to admin reports
  • Allow underscore in file extension while downloading the uploads.
  • Correctly account for onebox height when lazy loading images
  • Any global notice text can contain HTML
  • Bots accuracy should be zero
  • Allow any protocol in wildcard url checker
  • Avoid superflous logging when mime type is bad
  • Under rare conditions saving a new draft could error temporarily
  • Catch error when unknown COSE algorithm is supplied for Security Key
  • Trigger commands are different for each locale, account for that.
  • Only show admin wrench when there are actions on mobile
  • Don’t display cloak on admin tool when the right wrench is clicked
  • Visual improvements to admin topic menu
  • Use cached MaxMind DB for longer
  • Open a card on click even if the mention has extra elements
  • The ‘reviewed’ status filter should include deleted elements
  • Update topic/post counter correctly when category has zero topics
  • Makes highlighting last viewed topic more resilient
  • Correctly styles pwa consent banner
  • Allows global_notice site setting to contain html
  • Cache_critical_dns was erroring without IPAddr
  • Correctlt styles notification-consent-banner
  • Track correct site setting
  • English and US date/time formats
  • Better error message when forum is in read-only mode
  • Update normalize css from 3.0.1 to 8.0.1
  • Correct description for out of love badge
  • Everyone can see poll results when on_vote and closed
  • Bug when revoking badge as title
  • Category routes model params should decode their URL parts
  • Ensure that we encode a slug only once if slug generation method is encoded
  • Give expanded CSS/HTML editor >`0 height
  • Label helpers on sign up form are not hidden
  • Remove rerenderTriggers
  • Remove full nested quotes on direct reply
  • Show signup input tips and improve spacing
  • Limit requests and include data when reporting deprecated icons

UX Changes

  • Users must confirm when leaving a private group
  • Minor adjustments to choose topic modal
  • Improve appearance of pm title editing
  • Improve appearance of lists and user fields in mobile bios
  • Ensure all generated backup codes are displayed on the screen
  • Return a friendlier error when the CSV is invalid. Added a cancel button to return to the /badges view
  • Update IE11 deprecation warning, and enable by default
  • Communicate the result to the user
  • Center featured topic on mobile profiles
  • Remove reliance on JS for category box links
  • Sub-sub categories in “Boxes with subcategories” + consistency
  • Correct validation message for category search priority
  • TMP fix (CSS revert) until translations are ready for flex
  • Some category page style adjustments for sub-sub categories
  • Do not use avatars as fallback opengraph images for replies
  • Invites#show can’t be requested with json and is not configured properly
  • New bell icons for notification/tracking statuses


  • Cache ranks for featured badges, to simplify user serialization
  • Reduce DB queries when serializing ignore/mute information
  • Cache ignored and muted user ids in the current_user object
  • Avoid DB queries when checking ignore/mute permission in guardian
  • Cache user badge count in user_stats table