Security Updates
This beta includes four security fixes for issues reported by our community and HackerOne.
- Ensure user can see group and group members
- Respect topic permissions when loading bookmark metadata
- Respect topic permissions when loading draft metadata
- Prevent access to other user’s bookmark lists
Plugin improvements
All plugins
- Bug fixes
- We’ve patched numerous bugs across our entire suite of plugins
Assign
- Publish webhook event when assigning and unassigning topics
WP-Discourse
- Prevent the Auto Publish setting from auto publishing post updates to Discourse. The Auto Publish setting is applied only when a post is initially published on WordPress. If the post is later updated on WordPress, click the Update Topic button in the WP Discourse sidebar to update the content on Discourse.
- When Discourse is the SSO provider for WordPress, pass WordPress redirect_to URL parameter to the SSO process.
Solved
- Publish webhook event when solving/unsolving topics
Policy
- Add option to expire policy monthly, quarterly, and yearly, in addition to x days
Canned Replies
- Add new site settings to allow non-staff users to use canned replies.
Additional Features and Fixes
New Features
- Make report filters reusable
- Add created_at column to user_badges
- Improve rendering of RSS feeds
- Rake task to export groups
- Users can be ignored for six months.
- Add support for upload format in theme settings
- Add user_session_refreshed trigger
- Enforce_canonical_emails site setting
- Plugin support for transpiling regular .js files
- Add after-reviewable-post-user plugin outlet
- Webhooks and Event for user being granted a badge
- Show noscript view to unsupported browsers
- Support for publishing topics as pages
- Add same site cookie ‘None’ option to make cross domain systems possible
- Screenreader landmarks for main, suggested topics
- Enable offline browsing and fullscreen PWA in iOS by default
- Hash user API keys in the database
- Allow admins to disable self-service account deletion
- Add setting auto_approve_email_domains to auto approve users
- Display “Last Updated At” on user directory
- Allows multiple custom emoji groups
- Option to update child theme components via theme CLI.
- Stricter rules for user presence
- Invite_code is case-insensitive
- Allow plugins to exclude wizard steps
- List search menu shortcuts in instructions modal
- Navigate through search results using J/K
- Unassign the review queue topic when a flag is handled
- Show votes in an “on voted” poll to the creator
- Google Calendar doesn’t support URL in iCalendar, add fallback description
- ICalendar feed for Bookmark reminders
- Demote muted categories on category list
- Show rejected posts count in user summary
- Optional global invite_code for account registration
- Add support for custom gravatar-like services
- Allow for a larger maximum post length
- Allow themes to specify modifiers in their about.json file
- Broader support for post uploads in video markup
- Improve keyboard shortcuts help modal
- Add embed_set_canonical_url setting
- Add site setting to disable staged user cleanup
- New route for loading multiple user cards simultaneously
- Prevent accidental canceling when drafting penalties
- Option to connect to Redis using SSL
Bug Fixes
- Handle sub-sub-category paths without an id
- caret icon should inherit its color
- differentiate sk outline handling on single/multi
- use absolute url for /user_avatar/ links
- Properly add ‘two-rows’ class to header-topic-info container
- Improve selector for copy codeblock button
- Only confirm bookmark delete if a reminder has been set
- Reject invalid Category slugs
- PublishedPages error responses
- TopicsController error responses (There was an issue of two separate Topic instances for the same record. This makes sure there’s only one up-to-date instance.)
- Make InlineUploads handle more URL formats
- When category or tag is muted, update user
- Temporary compatibility for Evented on a Topic Route
- Set category description to first posts cooked value
- Concurrency issues with making topic embedded posts visible
- Don’t make topics visible unless the posts are regular
- Allow embed updates of just the title
- Embedded topics couldn’t update their titles
- An opts hash was not, in fact, optional
- Wizard was creating duplicate Light theme if Light was selected
- Restore to S3 didn’t work without env variables
- Infinite loop in migrate_to_s3 rake task
- Prevents custom emoji from showing double colons and sets background image
- Set user timezone on password reset login
- Do not raise an error if the post action type is nil
- Stops bookmark keyboard event from being propagated into modal
- Topic title in search contains data-topic-id
- Flaky groups_controller_spec
- Template-lint uses strict rel-noopener rule which requires noreferrer
- Abort emit_web_hook_event job cleanly if web hook was deleted
- Reviewable score JS was in the wrong folder
- Keyboard navigation fixes in setup wizard
- Don’t demote users to TL2 when default trust level is 3
- Ensures keyboard event is not propagated when using c shortcut
- Reopen sidekiq log files after rotation
- Makes topic-list-item decorator work on mobile
- Minor bookmark with reminder issue cleanup
- Google groups import changed login URL
- Attempts to listen more reliably to scopedCategoryId changes
- Only apply bold font on topic lists
- Remove word boundary regex (\b) for search result highlights.
- Add short_path to upload_serializer
- Allows custom groups updates to be reflected without recompilation
- Toggle bookmark for topic was not working after cancelling the modal
- Include subcategories in ‘posts’ report
- Remove invalid background
- Show today’s date on /users page period chooser
- Ensures toolbar is updated on composer action change
- Missing timezone guess on email session login
- Use correct command line attribute for gifsicle while scaling down the gif.
- Adds values/entries/NodeList.forEach/before polyfills for iOS 9.3
- Detect more unsupported browsers
- Ensure first post is loaded before trying to bookmark topic
- WCAG-AA compliant topic list heatmap colors
- Labels for modal close and dismiss-error buttons
- Add index on user_api_keys.key_hash
- Ensure .gap width does not exceed window width
- Quoting posts
- Correctly attribute quotes when using Reply button
- Correctly attribute quotes when using replyAsNewTopic
- Allow quoting a quote
- Correctly mark quotes as “full”
- Don’t try to create a quote if it’s empty
- Prevent low score flags from auto-closing a topic if the reviewable default visibility is higher than low
- Respect automatic group membership when sso changes email
- Redirect /my/*path to /login-preferences on client side
- Widen modal on desktop
- Exclude private messages from TL3 requirements
- Reset gravatar cache by adding random param to URL
- Fix untitled/long links extending outside the box
- CSV Exports were throwing errors with invalid dates
- Include pending queued users regardless of their score
- Show topic level bookmark with reminder modal
- Revert inadvertently removed css class
- Add category hashtags support for sub-sub categories.
- Prevents registering multiple topic-notifications-button:changed
- When loading drafts set the topic
- Remove date from bookmark reminder non-English translations
- Guardian always got user but sometimes it is anonymous
- Ensure category_id is an integer
- Topic.time_to_first_response should include sub-sub-categories
- Limit personal message participants when converting from topic
- Check active themes for all requests
- Do not attempt to deselect tags if filter is not empty
- Jobs/delete_replies: Add Time+Duration, not Time+Time #9314
- Move total rows count & load more URL inside meta.
- Allows color-input to set hex and color names through input
- Track links in onebox body if it’s same as header link.
- Default to light theme in wizard so that previews are displayed
- Show today’s date on /top page period chooser
- JQuery deprecation warning
- Removing a timer with duration doesn’t work.
- Set null high_priority columns to false in high priority notification migration
- Replace default welcome topic post with new value from wizard
- Restore failed if schema contained objects not owned by the current DB user
- FlagSockpuppets should not flag a post if a post of that user was already rejected by staff
- Ninja edit for replies not working
- Correctly load drafts based on id
- Staged users getting user_linked and user_quoted emails
- Bypass serviceworker cache for auth routes
- The correct action for group-member-dropdown is now actOnGroup
- When a post is moved copy notifications level
- When switching reply type update options
- Do not save draft while it is loading
- Error when changing a topic’s category and creating a tag
- Makes clicking and displaying date picker more reliable
- Ensures mini-tag-chooser display min tags req if no selection
- Prevents rendering empty timeline-controls
- Correctly take category/group filters into csv export
- Prevents exception when clicking component title above ace editor
- Allows adapters to define a custom primaryKey
- Allow invite email field to be blank for invite tokens
- Get_size_from_image_sizes should return [width, height] or nil
- Quoting a nested quote should preserve original post info.
- Custom SQL with a trailing comment might break BadgeGranter SQL
- Check for presence of name before normalizing
- Keep date object
- Narrative bot not working for bookmarks with reminders
- Ensure wiki editor is assigned consistently
- Auto redirect had invalid extension
- Broken transpilation
- nil != false
- Mbox import failed if no tags were configured
- The migrate_to_s3 rake task couldn’t find the AWS SDK
- Importing with pgbouncer failed
- Groups filtering input was causing a full page reload
- Perform crop using user-specified image sizes
- Use correct spacing in emails with code
- Display small post actions when embedding a topic
- First pass to improve efficiency of secure uploads rake task
- Change secure media to encompass attachments as well
- Allow JS transpilation
- Resolver wasn’t being set properly
- Use 1 column instead of 4 for permalink destination
- Ensures we have a date object in date-time-input
- TopicEmbed#absolutize_urls was trying to modify a frozen string
- Word boundary regex (\b) not working in Unicode languages.
- Fix image optimization pipeline
- Do not use original filename to extract the original filename
- Ensures search-menu is not briefly showing previous results
- User-selector was not excluding currentUser
- Race conditions in search menu
- Prevent scheduled publishing to deleted category
- Improve user timezone saving
- Check for permalinks before showing the 404 page
- Wizard tests were missing
- Respect prioritize_username_in_ux setting on /about page
- Middle click was reading every notification
- Backfill topic timer duration
- Correctly remove authentication_data cookie on oauth login flow
- Post edited webhook does not reflect updated topic title
- Permalinks should redirect to category URL including the ID
- Moderators should be able to review flagged PMs, as has always been the case
- Don’t fail if the test environment doesn’t support Webauthn
- Include entire slug path in permalinks
- Add support for sub-sub category slugs in search
- Allow CSP to work correctly for non-default hostnames/schemes
- Update email_digests user option when default_email_digest_frequency is updated.
- Show the envelope icon when the flagged post is a PM. Flagged PMs must be reviewed exclusively by admins
- Fix a PostgreSQL error when a draft was concurrently created
- Use the new duration attribute in set_or_create_timer method.
- N+1 query issues for bookmark list
- Use id instead of elementId in hbs file
- Improve HTML to Markdown conversion
- Condense line codes in emails
- Prevent mobile bookmark modal cutoff
- Theme-javascripts using incorrect subfolder setting
- Broken computing of userHasTimezone in bookmark modal and missing tap-tile templates for regular users
- Remote themes Github link should go to custom branch #9184
- Consistency to show mute/ignore menu in user profile
- Don’t display webhooks for inactive plugins
- Dismiss notifications on middle click
- Add basePath to link for “no timezone” in bookmark modal
- Improve bookmark modal on mobile and bookmark sync rake task
- Sync-alt is used on composer draft indicator
- Use delete_all_posts_max to improve consistency when using the delete button from the admin view
- Show time input in poll builder
- Check for existence of post before creating notification
- Bookmark reminders and improvements changes
- Ensure show_short URLs handle secure uploads using multisite
- Fix html response in development after ApplicationController reload
- Plugins may have relative symlinks
- RANDOM_PASSWORD not working rake admin:create
- Method from Telligent import script was deleted by accident
- Ignore suspect users that were migrated or users who were created more than six months ago
- Failed to restore backups from versions without translation overrides
- Remove parent tag from tag group
- Make sure bookmark serializer works with deleted topics + posts
- Add topic deleted check to email/sender
- Prevents i18n helper from returning a SafeString
- Notification emails with attachments are incorrectly structured
- Enter submits form for hyperlink insert modal
- Prevents crash when the emoji to be unescaped is not a string
- Differentiates flag-modal and flag-modal-body
- Show topic progress on iPad when portrait-oriented
- When must_approve_users is enabled, we don’t want to send suspect users to the review queue; only non-approved users should be sent. Provides a migration to auto-approve every problematic review item
- Missing constant in SMF2 importer
- Typo on draft save
- ContactPicker was not setting invite input on topics
- Featured_topic.fancy_title was rendered without emojis
- Some errors and clean up in confirm-new-email
- Various fixes to support posts with no user
- Last ip address could point at wrong ip
- Ensures category exists for hideParent in categoryBadgeHTML
- Throw error when removing a user from group fails
- Don’t break the private key when writing it out during theme import
- Throttles topic tracking shortcut and enforces topic id
- Preserve TopicCreator’s timestamp resolution
- Correctly checks if component is in modal
- Ensures pinned-options header is showing correct state
- Set current user timezone when saving profile timezone
- Incorrect message when logging in via email
- Error message for 403 when featuring topic on profile
- Preserve PostCreator’s created_at resolution
- Use bio_excerpt when checking for presence
- Removes legacy refreshQueryWithoutTransition
- Import script might have skipped some users due to missing ORDER BY.
- Ensure category and tags can be changed from reviewable
- Embarrassing typo: algoriths -> algorithms for security keys
- Check if auth token exists before revocation
- Prevent race condition when post processing post
- Tolerate quotes with no username and no title
- Import posts of missing users from phpbb3
- Prevent avatar flair image from repeating on user/group cards
- Allows defining the placement strategy of the select-kit body
- Uses only global allow_uncategorized_topics for category drop
- Correctly format select options for group poll by fields
- Allow quoting from a closed topic while writing a reply
- Show a nicer error if name/code missing for TOTP/Security Keys
UX Changes
- better outline support in sk components
- Fix broken image placeholder styling
- Set focus when launching composer on iOS
- Wizard Font Size
- Prevent category dropdown from wrapping count, limit mobile width
- Improve published page avatar resolution
- Applies default background color to onebox
- Strip base64 image URLs when converting HTML to markdown.
- Note “Summarize This Topic” settings behavior
- Adjust noscript footer nav
- Displays full date time when displaying ranges
- Ensures timezone is used over localTimezone when displaying dates
- Display zones without prefix to reduce noise
- Restyle bookmark reminder modal
- Removes color on categories if no style chosen
- Remove share as link fallback on touch devices
- Use color variable for background of shortcut keys
- Break very long words in titles within menus
- Minor tweaks to users directory last updated at styling
- Better customize emoji layout on mobile
- Add flair styles to latest topic list
- Ensures esc key is correctly working when in dates form
- Fix composer position on iPads with a hardware keyboard
- Better spacing for icons in select-kit labels
- Improves date-time-input on mobile
- Align bulk select menu toggle relative to main wrapper when possible
- Disallow tag creation in “default tags” site setting choosers.
- Show better error images
- Display avatar flair in categories route topic list items
- Larger tap areas for profile panel in user menu on mobile devices
- Hotkey K can select partial posts
- Disable highlight animation on deleted posts
- Refresh group membership list when removing users or changing owners
- Improve suspect user copy on /review
- Remove “Live Notifications” user profile section on iOS
- Uses mod+p instead of ctrl+p and command+p for printTopic
- Improve copy for suspect users feature
- Better spacing for icon in select-kit label
- Respect prioritize_username_in_ux setting for user avatar title
- Adds support for a color setting type
Performance
- Improve lazy-load performance in Safari
- Enable new user card route by default
- Cache Category.subcategory_ids
- Speed up migrations on multisite
- Backup with lots of uploads stored on S3 was slow