Discourse 2.5.0.beta3 Release Notes

Security Updates

This beta includes four security fixes for issues reported by our community and HackerOne.

  • Ensure user can see group and group members
  • Respect topic permissions when loading bookmark metadata
  • Respect topic permissions when loading draft metadata
  • Prevent access to other users’ bookmark lists

Plugin improvements

All plugins

  • Bug fixes
    • We’ve patched numerous bugs across our entire suite of plugins

Assign

  • Publish webhook event when assigning and unassigning topics

WP-Discourse

  • Prevent Auto Publish setting from auto publishing post updates to Discourse. The Auto Publish setting is only applied when a post is initially published on WordPress. If the post is later updated on WordPress, to update the content on Discourse, click the Update Topic button from the WP Discourse sidebar.
  • When Discourse is the SSO provider for WordPress, pass WordPress redirect_to URL parameter to the SSO process.

Solved

  • Publish webhook event when solving/unsolving topics

Policy

  • Add option to expire policy monthly, quarterly, and yearly, in addition to x days

Canned Replies

  • Add new site settings to allow non-staff users to use canned replies.

Additional Features and Fixes

New Features

  • Make report filters reusable
  • Add created_at column to user_badges
  • Improve rendering of RSS feeds
  • Rake task to export groups
  • Users can be ignored for six months.
  • Add support for upload format in theme settings.
  • Add user_session_refreshed trigger
  • enforce_canonical_emails site setting
  • Plugin support for transpiling regular .js files
  • Add after-reviewable-post-user plugin outlet
  • Webhooks and Event for user being granted a badge
  • Show noscript view to unsupported browsers
  • Support for publishing topics as pages
  • Add same site cookie ‘None’ option to make cross domain systems possible
  • Screenreader landmarks for main, suggested topics
  • Enable offline browsing and fullscreen PWA in iOS by default
  • Hash user API keys in the database
  • Allow admins to disable self-service account deletion
  • Add setting auto_approve_email_domains to auto approve users
  • Display “Last Updated At” on user directory
  • Allows multiple custom emoji groups
  • Option to update child theme components via theme CLI.
  • Stricter rules for user presence
  • invite_code is case-insensitive
  • Allow plugins to exclude wizard steps
  • List search menu shortcuts in instructions modal
  • Navigate through search results using J/K
  • Unassign the review queue topic when a flag is handled
  • Show votes in an “on voted” poll to the creator
  • Google Calendar doesn’t support URL in iCalendar; add fallback description
  • ICalendar feed for Bookmark reminders
  • Demote muted categories on category list
  • Show rejected posts count in user summary
  • Optional global invite_code for account registration
  • Add support for custom gravatar-like services
  • Allow for a larger maximum post length
  • Allow themes to specify modifiers in their about.json file
  • Broader support for post uploads in video markup
  • Improve keyboard shortcuts help modal
  • Add embed_set_canonical_url setting
  • Add site setting to disable staged user cleanup
  • New route for loading multiple user cards simultaneously
  • Prevent accidental canceling when drafting penalties
  • Option to connect to Redis using SSL

Bug Fixes

  • Handle sub-sub-category paths without an id
  • Caret icon should inherit its color
  • Differentiate sk outline handling on single/multi
  • Use absolute URL for /user_avatar/ links
  • Properly add ‘two-rows’ class to header-topic-info container
  • Improve selector for copy codeblock button
  • Only confirm bookmark delete if a reminder has been set
  • Reject invalid Category slugs
  • PublishedPages error responses
  • TopicsController error responses (There was an issue of two separate Topic instances for the same record. This makes sure there’s only one up-to-date instance.)
  • Make InlineUploads handle more URL formats
  • When category or tag is muted, update user
  • Temporary compatibility for Evented on a Topic Route
  • Set category description to first posts cooked value
  • Concurrency issues with making topic embedded posts visible
  • Don’t make topics visible unless the posts are regular
  • Allow embed updates of just the title
  • Embedded topics couldn’t update their titles
  • An opts hash was not, in fact, optional :slight_smile:
  • Wizard was creating duplicate Light theme if Light was selected
  • Restore to S3 didn’t work without env variables
  • Infinite loop in migrate_to_s3 rake task
  • Prevent custom emoji from showing double colons and set background image
  • Set user timezone on password reset login
  • Do not raise an error if the post action type is nil
  • Stop bookmark keyboard event from being propagated into modal
  • Topic title in search contains data-topic-id
  • Flaky groups_controller_spec
  • Template-lint uses strict rel-noopener rule which requires noreferrer
  • Abort emit_web_hook_event job cleanly if web hook was deleted
  • Reviewable score JS was in the wrong folder
  • Keyboard navigation fixes in setup wizard
  • Don’t demote users to TL2 when default trust level is 3
  • Ensures keyboard event is not propagated when using c shortcut
  • Reopen sidekiq log files after rotation
  • Makes topic-list-item decorator work on mobile
  • Minor bookmark with reminder issue cleanup
  • Google groups import changed login URL
  • Attempts to listen more reliably to scopedCategoryId changes
  • Only apply bold font on topic lists
  • Remove word boundary regex (\b) for search result highlights.
  • Add short_path to upload_serializer
  • Allows custom groups updates to be reflected without recompilation
  • Toggle bookmark for topic was not working after cancelling the modal
  • Include subcategories in ‘posts’ report
  • Remove invalid background
  • Show today’s date on /users page period chooser
  • Ensures toolbar is updated on composer action change
  • Missing timezone guess on email session login
  • Use correct command line attribute for gifsicle while scaling down the GIF.
  • Adds values/entries/NodeList.forEach/before polyfills for iOS 9.3
  • Detect more unsupported browsers
  • Ensure first post is loaded before trying to bookmark topic
  • WCAG-AA compliant topic list heatmap colors
  • Labels for modal close and dismiss-error buttons
  • Add index on user_api_keys.key_hash
  • Ensure .gap width does not exceed window width
  • Quoting posts
  • Correctly attribute quotes when using Reply button
  • Correctly attribute quotes when using replyAsNewTopic
  • Allow quoting a quote
  • Correctly mark quotes as “full”
  • Don’t try to create a quote if it’s empty
  • Prevent low score flags from auto-closing a topic if the reviewable default visibility is higher than low
  • Respect automatic group membership when sso changes email
  • Redirect /my/*path to /login-preferences on client side
  • Widen modal on desktop
  • Exclude private messages from TL3 requirements
  • Reset gravatar cache by adding random param to URL
  • Fix untitled/long links extending out box
  • CSV Exports were throwing errors with invalid dates
  • Include pending queued users regardless of their score
  • Show topic level bookmark with reminder modal
  • Revert inadvertently removed css class
  • Add category hashtags support for sub-sub categories.
  • Prevents registering multiple topic-notifications-button:changed
  • When loading drafts set the topic
  • Remove date from bookmark reminder non-English translations
  • Guardian always got user but sometimes it is anonymous
  • Ensure category_id is an integer
  • Topic.time_to_first_response should include sub-sub-categories
  • Limit personal message participants when converting from topic
  • Check active themes for all requests
  • Do not attempt to deselect tags if filter is not empty
  • Jobs/delete_replies: Add Time+Duration, not Time+Time #9314
  • Move total rows count & load more URL inside meta.
  • Allows color-input to set hex and color names through input
  • Track links in onebox body if it’s same as header link.
  • Default to light theme in wizard so that previews are displayed
  • Show today’s date on /top page period chooser
  • JQuery deprecation warning
  • Removing a timer with duration doesn’t work.
  • Set null high_priority columns to false in high priority notification migration
  • Replace default welcome topic post with new value from wizard
  • Restore failed if schema contained objects not owned by the current DB user
  • FlagSockpuppets should not flag a post if a post of that user was already rejected by staff
  • Ninja edit for replies not working
  • Correctly load drafts based on id
  • Staged users getting user_linked and user_quoted emails
  • Bypass serviceworker cache for auth routes
  • The correct action for group-member-dropdown is now actOnGroup
  • When a post is moved copy notifications level
  • When switching reply type update options
  • Do not save draft while it is loading
  • Error when changing a topic’s category and creating a tag
  • Makes clicking and displaying date picker more reliable
  • Ensures mini-tag-chooser display min tags req if no selection
  • Prevents rendering empty timeline-controls
  • Correctly take category/group filters into csv export
  • Prevents exception when clicking component title above ace editor
  • Allows adapters to define a custom primaryKey
  • Allow invite email field to be blank for invite tokens
  • get_size_from_image_sizes should return [width, height] or nil
  • Quoting a nested quote should preserve original post info.
  • Custom SQL with a trailing comment might break BadgeGranter SQL
  • Check for presence of name before normalizing
  • Keep date object
  • Narrative bot not working for bookmarks with reminders
  • Ensure wiki editor is assigned consistently
  • Auto redirect had invalid extension
  • Broken transpilation
  • nil != false
  • Mbox import failed if no tags were configured
  • The migrate_to_s3 rake task couldn’t find the AWS SDK
  • Importing with pgbouncer failed
  • Groups filtering input was causing a full page reload
  • Perform crop using user-specified image sizes
  • Use correct spacing in emails with code
  • Display small post actions when embedding a topic
  • First pass to improve efficiency of secure uploads rake task
  • Change secure media to encompass attachments as well
  • Allow JS transpilation
  • Resolver wasn’t being set properly
  • Use 1 column instead of 4 for permalink destination
  • Ensures we have a date object in date-time-input
  • TopicEmbed#absolutize_urls was trying to modify a frozen string
  • Word boundary regex (\b) not working in Unicode languages.
  • Fix image optimization pipeline
  • Do not use original filename to extract the original filename
  • Ensures search-menu is not briefly showing previous results
  • User-selector was not excluding currentUser
  • Race conditions in search menu
  • Prevent scheduled publishing to deleted category
  • Improve user timezone saving
  • Check for permalinks before showing the 404 page
  • Wizard tests were missing
  • Respect prioritize_username_in_ux setting on /about page
  • Middle click was reading every notifications
  • Backfill topic timer duration
  • Correctly remove authentication_data cookie on oauth login flow
  • Post edited webhook does not reflect updated topic title
  • Permalinks should redirect to category URL including the ID
  • Moderators should be able to review flagged PMs, as has always been the case
  • Don’t fail if the test environment doesn’t support Webauthn
  • Include entire slug path in permalinks
  • Add support for sub-sub category slugs in search
  • Allow CSP to work correctly for non-default hostnames/schemes
  • Update email_digests user option when default_email_digest_frequency updated.
  • Show the envelope icon when the flagged post is a PM. Flagged PM must be exclusively reviewed by admins
  • Fix a PostgreSQL error when a draft was concurrently created
  • Use the new duration attribute in set_or_create_timer method.
  • N+1 query issues for bookmark list
  • Use id instead of elementId in hbs file
  • Improve HTML to Markdown conversion
  • Condense line codes in emails
  • Prevent mobile bookmark modal cutoff
  • Theme-javascripts using incorrect subfolder setting
  • Broken computing of userHasTimezone in bookmark modal and missing tap-tile templates for regular users
  • Remote themes Github link should go to custom branch #9184
  • Consistency to show mute/ignore menu in user profile
  • Don’t display webhooks for inactive plugins
  • Dismiss notifications on middle click
  • Add basePath to link for “no timezone” in bookmark modal
  • Improve bookmark modal on mobile and bookmark sync rake task
  • Sync-alt is used on composer draft indicator
  • Use delete_all_posts_max to improve consistency when using the delete button from the admin view
  • Show time input in poll builder
  • Check for existence of post before creating notification
  • Bookmark reminders and improvements changes
  • Ensure show_short URLs handle secure uploads using multisite
  • Fix html response in development after ApplicationController reload
  • Plugins may have relative symlinks
  • RANDOM_PASSWORD not working rake admin:create
  • Method from Telligent import script was deleted by accident
  • Ignore suspect users that were migrated or users who were created more than six months ago
  • Failed to restore backups from versions without translation overrides
  • Remove parent tag from tag group
  • Make sure bookmark serializer works with deleted topics + posts
  • Add topic deleted check to email/sender
  • Prevent i18n helper from returning a SafeString
  • Notification emails with attachments are incorrectly structured
  • Enter submits form for hyperlink insert modal
  • Prevent crash when the emoji to be unescaped is not a string
  • Differentiates flag-modal and flag-modal-body
  • Show topic progress on iPad when portrait-oriented
  • When must_approve_users is enabled, we don’t want to send suspect users to the review queue. Only non-approved users should be sent. Provide a migration to auto-approve every problematic review item
  • Missing constant in SMF2 importer
  • Typo on draft save
  • ContactPicker was not setting invite input on topics
  • featured_topic.fancy_title was rendered without emojis
  • Some errors and clean up in confirm-new-email
  • Various fixes to support posts with no user
  • Last ip address could point at wrong ip
  • Ensures category exists for hideParent in categoryBadgeHTML
  • Throw error when removing a user from group fails
  • Don’t break the private key when writing it out during theme import
  • Throttles topic tracking shortcut and enforces topic id
  • Preserve TopicCreator’s timestamp resolution
  • Correctly checks if component is in modal
  • Ensures pinned-options header is showing correct state
  • Set current user timezone when saving profile timezone
  • Incorrect message when logging in via email
  • Error message for 403 when featuring topic on profile
  • Preserve PostCreator’s created_at resolution
  • Use bio_excerpt when checking for presence
  • Removes legacy refreshQueryWithoutTransition
  • Import script might have skipped some users due to missing ORDER BY.
  • Ensure category and tags can be changed from reviewable
  • Embarrassing “algoriths” typo -> “algorithms” for security keys
  • Check if auth token exists before revocation
  • Prevent race condition when post processing post
  • Tolerate quotes with no username and no title
  • Import posts of missing users from phpbb3
  • Prevent avatar flair image from repeating on user/group cards
  • Allows to define placement strategy of select-kit body
  • Uses only global allow_uncategorized_topics for category drop
  • Correctly format select options for group poll by fields
  • Allow quoting from a closed topic while writing a reply
  • Show a nicer error if name/code missing for TOTP/Security Keys

UX Changes

  • Better outline support in sk components
  • Fix broken image placeholder styling
  • Set focus when launching composer on iOS
  • Wizard Font Size
  • Prevent category dropdown from wrapping count, limit mobile width
  • Improve published page avatar resolution
  • Applies default background color to onebox
  • Strip base64 image URLs when converting HTML to markdown.
  • Note “Summarize This Topic” settings behavior
  • Adjust noscript footer nav
  • Displays full date time when displaying ranges
  • Ensures timezone is used over localTimezone when displaying dates
  • Display zones without prefix to reduce noise
  • Restyle bookmark reminder modal
  • Removes color on categories if no style chosen
  • Remove share as link fallback on touch devices
  • Use color variable for background of shortcut keys
  • Break very long words in titles within menus
  • Minor tweaks to users directory last updated at styling
  • Better customize emoji layout on mobile
  • Add flair styles to latest topic list
  • Ensures esc key is correctly working when in dates form
  • Fix composer position on iPads with a hardware keyboard
  • Better spacing for icons in select-kit labels
  • Improves date-time-input on mobile
  • Align bulk select menu toggle relative to main wrapper when possible
  • Disallow tag creation in “default tags” site setting choosers.
  • Show better error images
  • Display avatar flair in categories route topic list items
  • Larger tap areas for profile panel in user menu on mobile devices
  • Hotkey K can select partial posts
  • Disable highlight animation on deleted posts
  • Refresh group membership list when removing users or changing owners
  • Improve suspect user copy on /review
  • Remove “Live Notifications” user profile section on iOS
  • Uses mod+p instead of ctrl+p and command+p for printTopic
  • Improve copy for suspect users feature
  • Better spacing for icon in select-kit label
  • Respect prioritize_username_in_ux setting for user avatar title
  • Adds support for a color setting type

Performance

  • Improve lazy-load performance in Safari
  • Enable new user card route by default
  • Cache Category.subcategory_ids
  • Speed up migrations on multisite
  • Backup with lots of uploads stored on S3 was slow