Discourse 2.4.0.beta5 Release Notes

New features in 2.4.0.beta5

Quick Access Panels in User Menu

A new UX addition to 2.4.0.beta5 is a multi-paneled user menu. Now users have direct access to notifications, bookmarks, and messages straight from the user menu!

Additionally, users can directly access parts of their user profile and preferences by clicking on their username.

Full-Screen Video Embeds using iframe

By default, the allowfullscreen iframe attribute is now whitelisted. This allows videos from providers like Vimeo to use full-screen mode straight from Discourse.

Of course, you still need to add the source link to the allowed iframes site setting for it to appear.


Even more!

But wait, there’s more! We do our best to highlight new features and changes for you, but there are always too many changes to detail. For a full list of new features, bug fixes, UX improvements, and more, be sure to review the Additional Features and Fixes listed below.

Security Updates

This beta includes 4 security fixes for issues reported by our community and HackerOne.

  • Update rubyzip dependency
  • Update rack-mini-profiler to latest to correct XSS
  • Don’t allow base_uri as embeddable host if none exist
  • XSS when oneboxing user profile location field

Plugin improvements


  • Add new EnsureConsistency scheduled job
  • Add combo box label when no user timezone set


  • Clean up posts and reviewables when deleting an Akismet-flagged user
  • Set button styles using new button_class API


  • Support for slack custom username
  • Allow slash commands to set rules in private groups


  • Add support for unicode usernames
  • Quick access panel for assignments
  • Add endpoint to list all assignments by user


  • Don’t compare secret keys using string equality


  • support consistent policy renewal dates
  • migration was not accounting for new has policy field
  • when checking policy acceptance, looking at wrong date


  • AdButler support


  • Match users to commits made from noreply emails


  • Allow groups to access queries
  • ability to import an exported query


  • limit allowed font-size values

Additional Features and Fixes

New Features

  • Add support for maskable icons in the PWA manifest
  • Make share button support custom javascript
  • Update mini_scheduler to support history filtering
  • Allow embedding to ignore HTTP REFERER

Bug Fixes

  • Reset watched site settings when default locale changes
  • Respect unicode whitelist when suggesting username
  • Correctly escape category description text
  • Change focus when application resumes in android
  • Include video tags and short urls in ‘have_uploads’ method.
  • Include ‘short_path’ as src in each_upload_url method.
  • PWA install was broken due to missing basic logo
  • Cleanup DiscoursePluginRegistry state after tests that use it
  • Fix options given to per-minute rate limiter
  • Properly render server side plugin outlets (#8106)
  • Require a min amount of reviewables before calculating thresholds
  • Sensitivity did not work by default
  • Remove versions from Active Record warm up (#8105)
  • Ignore min_trust_to_send_messages when messaging groups (#8104)
  • Proper jumpToPost with whispers/small-actions
  • By default, don’t abort Google Groups crawling on error
  • Split migration into two steps in developer guide (#8103)
  • Only apply post hide logic to flag actions
  • Google Groups crawler failed to login
  • Preview up to ‘max_oneboxes_per_post’ oneboxes
  • Put back the TL3 -> TL0 spam thing
  • Ignored flags should not count in your accuracy score
  • Correct theme SCSS error handling
  • Live reload plugin stylesheets when editing in development
  • Live reload plugin stylesheets when the color scheme changes
  • Do not include theme variables in plugin SCSS, and fix register_css
  • Do not allow posting of category topic template without any changes
  • Escape $ in translations before interpolating (#8100)
  • Open drafts for PMs from Activity > Drafts screen.
  • Ensure page is reloaded correctly when a hash is present (#8096)
  • Don’t show non-members as readers when the post is a whisper
  • Improve protection against problematic usernames (#8097)
  • Load raw hbs templates correctly from theme javascripts folder
  • Explicitly specify the format when loading /associate/{{token}}
  • Add support for version query parameter in InlineUploads
  • Do not escape fancy_title again. (#8095)
  • Do not show latest count in tabs on tag lists
  • Rails 6 multisite migrations and plugin migrations
  • Support <img> in code blocks when inlining uploads
  • Make markdown regexp patterns case insensitive.
  • Do not log ‘pull_hotlinked_images’ edits in the staff action log
  • Change admin dashboard sort caret icon color on hover
  • Let mailgun_api_key also support their “HTTP webhook signing key” (#8091)
  • Cast all numerical values in reports
  • Clear authentication data from session after create account (#8040)
  • User directory should not include unapproved users
  • POP3 doesn’t work with TLS 1.3
  • Missing translation
  • Switch to full screen external login for Safari
  • Inline_uploads and subfolder
  • Migrate_to_s3 task and subfolder
  • Errors in qunit tests when version check info is missing
  • Do not show staged users avatars when expanding the read count indicator
  • Display emojis in search result blurbs
  • Improve Onebox detection (#8019)
  • Broken spec
  • Modify frozen String and profile_db_generator uses category id (#8080)
  • Migrate post_edit_time_limit to tl2_post_edit_time_limit (#8082)

UX Changes

  • Fix topic progress placement
  • Fix alignment on topic progress bar and remove some magic numbers
  • Improve composer layout in iPads
  • Change composer’s edit reason link to an icon
  • Use Visual Viewport API for iOS composer height
  • Add class to distinguish specific moderator categories on about page
  • Use medium format for displaying time in post notices. (#8074)
  • Show installed version with SHA instead of number of commits
  • Adjusts RTL composer presence avatar alignment


  • Ensure we warm up schema cache in the entire multisite
  • Avoid spinning a thread each time we close a connection
  • Update readers count when a post from another user is read. Don’t fetch the post data again just to update the count. (#8078)