Discourse 2.4.0.beta2 Release Notes

New features in 2.4.0.beta2

Multiple TOTP Factors

TOTP/2FA settings are now centralized all on one page.

On the new TOTP landing page, you can manage existing TOTP factors and backup codes. And, if you have need for multiple TOTP factors, you can now add and manage those here.

Improved Tag Search

Search now includes a few new options for tags. First off, searching for a tag now shows the tag in the search box as well as the topics.

Tag groups are a helpful way to organize tags, such as a group of tags used to manage documentation. You can now search by tag group using #tag-group as a search term.

Tag group search returns results with topics tagged with any tag in the group.

Lastly, you can search for tagged or untagged topics using the search operators in:tagged or in:untagged.

Disable theme components

Have a theme component that’s breaking your site? Or want to simply turn one off temporarily? Theme components can now be disabled under the Admin > Customize > Component menu.

When a component is disabled, a notice shows up with who it was disabled by and a button to enable it.

Improved keyboard navigation

In previous versions we improved keyboard navigation shortcuts, J and K, to provide a better user experience by scrolling smooth and breaking long posts into multiple button presses (original theme component).

In the last version, we changed it again to let users combine keyboard navigation with mouse scrolling. For example, if a user presses J until post #42, scrolls with the mouse until post #50 and then presses J again, it will continue from post #51. It used to continue from post #43, but that is no longer the case (original feature request).


Even more!

But wait, there’s more! We do our best to highlight new features and changes for you, but there’s always too many changes to detail. For a full list of new features, bug fixes, UX improvements, and more, be sure to review the Additional Features and Fixes listed below.

Security Updates

This beta includes 7 security fixes for issues reported by our community and HackerOne.

  • XSS when displaying watched words in admin panel.
  • SQL injection with default categories
  • Upgrade lodash
  • XSS with title selector on preferences page
  • Strip HTML from invite emails
  • XSS in routes
  • Escape email text for posts containing [details].

Plugin improvements

Discourse Solved

  • Improve button position and visibility

Discourse Tooltips

  • Upgrade js-yaml to 3.13.1

Discourse Style Guide

  • Button style simplification, class reference
  • Explain font scaling system

Discourse Spoiler Alert

  • FIX: toolbar generating invalid multi-paragraph spoilers

Discourse Code Review

  • Approved notifications
  • Rename overridden title method

Discourse Assign

  • Skip enqueuing reminders if no groups are allowed
  • Send assignments message in the notified user’s locale

Discourse Voting

  • Add unique index for 'vote_count" topic custom fields
  • Fix migration class name
  • Use correct URL for sorting by votes

Discourse OAuth2 Basic

  • Allow provider to set email verification state
  • Use token callback user details
  • Handle fetch user details failure

Docker Manager

  • Message bus when using a longPollingBaseUrl not replacing chars correctly
  • Bump lodash.defaultsdeep to 4.6.1
  • Update client app to include message bus

Discourse Staff Notes

  • Improve styling, rename staff notes to user notes in translations

Discourse Ad Plugin

  • Support multiple ad sizes in AdSense and Ad Manager

Discourse Chat Integration

  • Use Slack display names instead of the “name” field

Discourse Prometheus Alert Receiver

  • Resync topic titles
  • Do not key alerts on start time when calculating stale alerts
  • Correct stale duration logic
  • Add support for resync with non-grouped alerts payload

Discourse GitHub

  • Use GitHub API for granting badges instead of cloning repos
  • Add site setting for excluding permalink overwrites
  • Support for multiple emails
  • Octokit error with trailing slash in repo name
  • Don’t throw errors in jobs if URLs are not on GitHub

Discourse Calendar

  • Add id to prevent memory leaks
  • Compute holidays for active users

Discourse Plugin Discord Auth

  • Allow revoke

Discourse Translator

  • Use zh-Hans and zh-Hant as language codes for Microsoft API

Discourse Akismet

  • Rely on the auth token log to get user-agent/user-ip information when sending it to Akismet

Additional Features and Fixes

Click to expand

New Features

  • Use configured quotation marks in fancy topic title
  • Site setting for typographic quotation marks
  • Remap uploads during restore when S3 or CDN changes
  • Add hidden setting to include S3 uploads in backups
  • Allow Markdown in post notices. (#7864)
  • Show login and signup button on no-ember layout (#7867)
  • Add “Group owners” to posting options for groups
  • Add new group visibility option for “logged on users” (#7814)
  • Rake themes installer (#7848)
  • Add Belarusian language
  • Opt-in guidance on topics for users without access (#7852)
  • Support query params when redirecting to internal link on login (#7829)
  • Add CSS classes to associated accounts rows
  • When under extreme load disable search
  • Prefill title for direct messages from topic
  • Adds infite scroll on admin users list page (#7821)
  • Export any type of report supporting table mode. (#7662)
  • Add endpoint to individually update a theme setting (#7789)
  • Apply a small penalty to closed topics when searching (#7782)
  • Adds early support for new emojis (#7785)

Bug Fixes

  • Allow ampersand in site_texts routes
  • Recalculate settings when dependent settings change
  • Use default locale for flag reasons
  • Do not show bootbox if post has no replies. (#7866)
  • Turn off search logging when read-only (#7877)
  • Ensures spinner is showing on tags/show when loading more (#7876)
  • Ensures routing with hash doesn’t stuck history (#7872)
  • Ensures routin with hash doesnt stuck history
  • Latest Selenium gem broke Google Groups import script
  • Remapping during restore was wrong for CDN URLs
  • Remap differently when backup comes from multisite
  • Turbo tests exit codes
  • Clear theme editor content on switching tabs
  • Remap shouldn’t try to change read-only columns
  • Show category name in title for crawler view
  • Use correct timezone for manual SQL
  • Don’t use exceptions to catch conflicts
  • Back button would go to previous topic instead of list
  • Only add image size when with & height are in pixels
  • IE grid layout issue on user’s own activity page
  • Fail if none of our tags could be updated
  • Do not show invite button if local logins are disabled
  • Ensures routing to / with query string works (#7859)
  • Don’t disable download_remote_images_to_local if site uses S3 (#7861)
  • Upsert a custom field if a unique constraint fails
  • Ensure lightbox image download has correct content disposition in S3 (#7845)
  • Prevent emoji-picker from not showing (#7856)
  • Respect the full_screen_login parameter from plugin auth providers (#7855)
  • Use title attribute for notification items. (#7840)
  • Remove misplaced save button
  • Show ‘Export’ button for all tabular reports. (#7838)
  • Logs for enabling/disabling components should show up in the staff actions logs
  • Ensures emoji helper is working with custom emojis (#7843)
  • Ensures /t/TOPIC_ID/POST_NUMBER is correctly routing (#7841)
  • Page starts at 1 (#7844)
  • Remove misplaced outlet
  • Creating new badge is failing on empty SQL query (#7837)
  • Only show remove timer button to users with permission to do so
  • Use normal title instead of fancy title for prefilled composer
  • Don’t send notification email when user isn’t allowed to see topic
  • Ensures static pages are using absolute path (#7828)
  • Copy local theme changes to correct temp folder when diffing updates to remote theme
  • Fix a navigation bug
  • FakeExceptions should have the original class name
  • An exception cause is itself an exception
  • Mark topics in sub categories as unread when dismissing parent
  • Turbo_rspec doesn’t accept these options
  • Only include pending/agreed scores in the total score
  • Provides an emoji helper to replace codes by images (#7802)
  • Prevents failure when TL was mutated on internal object (#7808)
  • Do not allow creation of topic if there is no category available for posting (#7786)
  • Calling action with a string is deprecated (#7807)
  • Closes search-menu on escape (#7804)
  • Do not include uncategorized_category_id in topic_create_allowed if posting in uncategorized is disabled
  • Ensure topic exists before making a banner. (#7781)
  • Don’t use DistributedCache to store redis readonly state
  • CategoryUser#batch_set (#7787)
  • Remove notification_level from category_users unique indexes
  • CategoryUser#batch_set wasn’t updating pre-existing records
  • Changed was being reported incorrectly
  • Iterate when clearing watched words cache
  • Multisite upload urls must have either db name or the word ‘short-url’.
  • Mobile overflow for tall fixed modals
  • Ensures url to full reviewable conversation works on subfolder
  • Category-chooser search should be scoped to category (#7794)
  • Ensure :after_auth event is triggered. (#7791)
  • Back button shenanigans when redirecting from index routes
  • Support carriage return in InlineUploads.
  • Don’t replace img tags within anchor tags with markdown format.
  • Edge case with anchor tag in InlineUploads.
  • Some toolbar operations weren’t triggering the change event
  • If a user deletes a hidden post, it should not lose history
  • Do not refresh all settings on save for all settings, limit to only a few
  • ‘status’ param change not filtering the topics in tag route.
  • BBcode edge case for InlineUploads.
  • Use correct name for selectable_avatars_enabled site setting
  • InlineUploads should replace attachment links with markdown text.
  • Upload#short_url generates incorrect URL when extension is nil.
  • Don’t allow users to edit topic information when the OP is locked
  • Couldn’t modify a widget that wasn’t in the registry
  • Remove temporary hack for fixed iOS bug (#7773)

UX Changes

  • Ensures popup-tip shows over dropdowns (#7891)
  • Mobile editor style fixes (#7878)
  • Update placeholder for Tags Groups
  • Add title attribute and aria-label to PM icon link
  • Discard selected post if it is not in viewport. (#7869)
  • Expand-post button alignment fix (#7865)
  • Make default site logo height an even 40px
  • Give badge icons width to accommodate for dimensionless SVGs
  • Improve twitter status onebox with line breaks
  • Add styling for quoted tweets (#7832)
  • Improves styling of similar topics results in composer (#7839)
  • Puts tags and categories on same line in search-menu-results (#7830)
  • Improved mobile positioning of topic timer remove button
  • Gives each info its own line in search-menu-results (#7825)
  • Update ignored_user_summary copy (#7748)
  • Move link to show tracked topics, simplify translation
  • Change icon for video placeholder
  • Hide post is unread tooltip after the post is read (#7813)
  • Make onebox video placeholder icon grey
  • Require a confirmation if approving a post in a closed topic
  • New inline button to remove a topic timer (#7790)
  • Add shortcut for deferring topics (#7798)
  • Improves change-timestamp modal datepicker (#7771)
  • Show like icon on archived posts (#7775)


  • Use Oj for serializing JSON. (#7820)
  • Limit time spent diffing large blobs of text