Discourse 2.6.0.beta2 Release Notes

Security Updates

This beta includes 3 security fixes for issues reported by our community and HackerOne.

  • Return 413 (Payload Too Large) for GET, HEAD or DELETE requests that carry a request body.
  • Bound the amount of work that embed#topics can do
  • Serve SVG uploads with Content-Disposition: attachment, so browsers download them instead of rendering them (and any script they embed) inline on the forum's origin
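
The two request-level fixes above (413 for a body on GET/HEAD/DELETE, and attachment disposition for SVG uploads) as an added example in plain Ruby. This is not Discourse's own code: it is a Rack-style middleware and a disposition helper written for this page. The env hash follows Rack conventions (REQUEST_METHOD, CONTENT_LENGTH, rack.input), and the names RejectBodyOnBodylessMethods, payload_on_bodyless_method?, svg_upload? and content_disposition_for are this example's own.

```ruby
require "stringio"

# Added example, not Discourse code. Methods for which a request body is never
# legitimate; a body on one of these is rejected with 413 before any controller runs.
BODYLESS_METHODS = %w[GET HEAD DELETE].freeze

# Extensions and MIME types that a browser will render as an SVG document.
SVG_EXTENSIONS = %w[svg svgz].freeze
SVG_MIME_TYPES = %w[image/svg+xml].freeze

# True when a Rack-style env describes a GET/HEAD/DELETE that carries a body.
# Both the declared Content-Length and the actual input stream are consulted, so a
# client cannot slip a body past the check just by omitting the header. The
# Transfer-Encoding check assumes the server passes that header through as
# HTTP_TRANSFER_ENCODING (not guaranteed by every server).
def payload_on_bodyless_method?(env)
  return false unless BODYLESS_METHODS.include?(env["REQUEST_METHOD"].to_s.upcase)
  return true if env["CONTENT_LENGTH"].to_i > 0
  return true if env["HTTP_TRANSFER_ENCODING"].to_s.downcase.include?("chunked")
  input = env["rack.input"]
  input.respond_to?(:size) && input.size.to_i > 0
end

# An upload counts as SVG if either the file extension or the declared MIME type
# says so; checking only one of them leaves the other as a bypass.
def svg_upload?(filename, content_type)
  ext = File.extname(filename.to_s).delete_prefix(".").downcase
  mime = content_type.to_s.split(";").first.to_s.strip.downcase
  SVG_EXTENSIONS.include?(ext) || SVG_MIME_TYPES.include?(mime)
end

# Content-Disposition value for an upload. SVGs are forced to "attachment" so the
# browser downloads them instead of rendering them on the forum's origin; other
# uploads keep their normal inline behaviour. Quotes, backslashes and line breaks
# are stripped from the filename so it cannot break out of the header value.
def content_disposition_for(filename, content_type)
  safe_name = File.basename(filename.to_s).gsub(/["\\\r\n]/, "")
  if svg_upload?(filename, content_type)
    "attachment; filename=\"#{safe_name}\""
  else
    "inline; filename=\"#{safe_name}\""
  end
end

# Middleware-style wrapper: a Rack app is any object responding to call(env).
class RejectBodyOnBodylessMethods
  def initialize(app)
    @app = app
  end

  def call(env)
    if payload_on_bodyless_method?(env)
      body = "Payload Too Large"
      return [413, { "Content-Type" => "text/plain", "Content-Length" => body.bytesize.to_s }, [body]]
    end
    @app.call(env)
  end
end

# A trivial downstream app wrapped in the middleware, for demonstration.
def demo_app
  RejectBodyOnBodylessMethods.new(->(_env) { [200, { "Content-Type" => "text/plain" }, ["ok"]] })
end

# Constructed sample request: a GET that smuggles a body.
def demo_status
  env = { "REQUEST_METHOD" => "GET", "CONTENT_LENGTH" => "5", "rack.input" => StringIO.new("x=1&y") }
  demo_app.call(env)[0]
end
```

Note that a later entry in this release's Bug Fixes list excludes DELETE from the payload check again, so BODYLESS_METHODS should be set to match whatever policy your deployment actually enforces rather than copied verbatim.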

Plugin improvements

Many plugins

  • Bug fix
    • We’ve patched numerous bugs in many of our plugins

Code Review

  • Custom theme for code review categories

Graphviz

  • Upgrade to version 2.44 from 2.40

Knowledge Explorer

  • Add keyboard shortcut
  • Move route to /docs

Akismet

  • Add a task to cleanup the database before uninstalling

Checklist

  • Remove support for checkboxes other than [ ], [x], and [X]

Docker Manager

  • Add plugin compatibility check support

Encrypt

  • Add setting to auto-enable encryption
  • Decrypt notification titles before rendering

Translator

  • Security Fix

Data Explorer

  • Add support for soft deleting (hiding) queries

Chat Integration

  • Add Microsoft Teams support

Subscriptions

  • Plugin made official
  • Allow one-time purchases of products
  • Support 3D Secure payments
  • New UX style
  • Cancel payments at the end of subscription, not immediately
  • Show renewal date on active subscriptions

Assign

  • New Assignment Summary page for groups

Calendar

  • Additional events functionality and improvements

Additional Features and Fixes


New Features

  • Ensure posts are rebaked when missing is fixed
  • Autoplay oneboxed twitter GIF media
  • Allow group membership to unmute categories and tags
  • Don’t notify about changed tags for a private message
  • Introduce tasks for dealing with legacy broken uploads
  • Group category permissions tab
  • Block vibration in Firefox Android
  • Use PG ts_headline for highlighting topic title in search.
  • Add advanced order to search
  • Notification for vote plugin
  • Set notification levels when added to a group
  • Poll breakdown 2.0
  • Add category_id to TopicViewWordpressSerializer
  • New plugin outlet for category-heading
  • Invite emails to groups from add member modal
  • Add expandable muted categories ui to /categories page.
  • Show login button on error page if user is not logged in
  • g,j and g,k to navigate to next and prev topic
  • Allow picture HTML element in posts
  • Allow displaying charts by day/week/month
  • Allow the specification of an arbitrary unicorn listen address
  • Support converting HEIF images to JPEG
  • Add tracked filter to topic lists
  • Submit post from mobile composer preview
  • Add query params to staff action logs
  • Add support for top filter in tag page.
  • Add “delete on owner reply” bookmark functionality
  • Trigger user_updated event if email changed.
  • Improve header meta alignment and truncation with css grid
  • Load hidden posts in segments
  • Allow video tag attributes for video gifs
  • Add search to user bookmark list
  • Add global rate limit for anon searches
  • Parse images in email signatures
  • Add “smallest” option to user text size preferences
  • Add reply_as_new_group_message composer action
  • Create SQL-only backup if there are no uploads
  • Optionally skip the create account popup for external auth
  • sso_overrides_(email|username|name) for all auth methods
  • Trigger user_updated event if username is changed.
  • Site setting to always show category definitions
  • Allow disabling of extra term injection in search

Bug Fixes

  • user_option option can be nil for new users.
  • User titles from translated badge names were automatically revoked
  • SiteSettings::LocalProcessProvider didn’t work on multisite
  • default_tags_muted setting should work for anonymous users too.
  • Sending a PM through a flag on a deleted post
  • Error message when setting enforce 2fa with social logins
  • Delete unused tags shouldn’t delete tags belonging to tag groups
  • Unlike own posts on ownership transfer
  • Polls can be quoted and loaded
  • Do not cancel search early in tests
  • Display label when theme uses default color scheme
  • Do not override logo markup when loading page in dark mode
  • Fix css var issues
  • Make group_show_serializer#is_group_owner follow standards
  • Always wait for promise when loading a topic
  • More efficient and resilient widget-dropdown body
  • Add bookmark-list component
  • Composer upload icon regression because of HEIC
  • When destroying uploads clear card and profile background
  • Add playsinline to twitter GIFs
  • Allow safari to load and autoplay videos in posts
  • Refactor broke wizard
  • Skip rendering twitter video if matching format not found
  • Broken when iconList missing
  • Replace iframe with <video> for twitter videos
  • Clicking on category autocomplete row
  • Prevents errors on /tags when a tag constructor exists
  • This leaves an empty example group in TRAVIS mode
  • Ensure auto close notice is posted with system locale
  • Mobile group add dropdown was broken
  • Defer topic was broken
  • Application controller is not used by the card
  • DEV: Introduce @bind decorator
  • A paste event listener was re-added instead of being removed
  • Add script asset locations to worker-src CSP directives
  • Generate_topic_thumbnails job infinitely running for corrupted images
  • Update preview when autocomplete is clicked
  • Prevent LockOn conflicts
  • Move queryParams to each discovery controller rather than shared
  • Refreshing was not working
  • Preserve anchors in permalink transitions
  • Remove other category which is not used
  • Improved specs to ensure that revise was successful
  • Generate topic excerpt when moving posts to new topic.
  • Make sure user preference to open external links in new tab works for bookmark list excerpts
  • Do not require tagging to be enabled for IMAP archive and delete
  • Allow plugin pinning to fetch missing commits
  • AWS S3 errors don’t necessarily include a message
  • Change the controller method name to match its new name.
  • Heisentest with topic timings
  • Allow mods to choose restricted categories as parent category.
  • Color scheme selection with non-default theme
  • Expose PG headline highlighting for all search results.
  • Limit PG headline based search blurb generation to 200 characters.
  • Try to make topic_tracking_state_spec stable
  • iOS/iPadOS freezing when changing notification level in topic footer
  • Use correct site setting when uploading images
  • Invalidate cache when updating color scheme colors
  • Ensure load more directory items has a .json url
  • Return 422 when creating topics with tags w/out permission
  • Include secure media URLs when linking post uploads
  • Update colors for presence plugin
  • Smaller header font size for published page
  • Include both name and id in color scheme stylesheet filename slugs
  • Sync reviewable count when opening the hamburger menu
  • Removes persistedQueryParams as it should work out of the box
  • Specify config when generating tsquery using ts_headline.
  • PM participants list refreshing after inviting
  • Missing bottom border in select-kit color list settings
  • User preferences tests didn’t always have pretender called
  • Stop sync of tracking state when list is filtered
  • Only raise proper "error" messages
  • Pretender errors were being swallowed
  • Raise errors for broken pretender responses in test mode
  • Replace fullPath while rewriting the /my/ URLs.
  • Ensures shadow has last_posted_at before comparing to site setting
  • Attempt to output a useful error message
  • Shows all_results if current settings category has no results
  • Disable concurrent migration for multisite:migrate.
  • Don’t run seeds if multisite migration fails.
  • Excerpts larger than 999 are not supported
  • Topic map was incorrectly counting assign actions
  • Show “group members forbidden” message on mobile
  • Rewrite of /my/URL should work on sub directory site too.
  • Allow changing a user group notification level
  • Previous fix committed the wrong thing and was broken :frowning:
  • Exclude shared drafts from digests
  • Current value of flair icon missing in group manage UI
  • Load base color scheme when default theme is not set
  • Check if selectable avatar with SHA1
  • IMAP archive fix and group list mailbox code unification
  • Discobot inappropriate flag section
  • Bug with sharing when used outside a topic
  • Get correct selectable avatar from URL
  • Exclude DELETE methods from invalid request with payload.
  • Reset max_posts query parameter
  • Respect query params for latest.rss
  • Set mailing_list_mode to false when unsubscribing from all
  • IMAP sync email update uniqueness across groups and minor improvements
  • Removes an error in the console in test mode
  • Should allow non-ASCII slugs for category pages.
  • Reset ‘filter’ query parameter when clicking on a nav-item
  • Keep category name in URL when filtering
  • Allow ‘c’ as a tag
  • Define s3_helper in EnsureS3UploadsExistence job
  • Rename delete_when_reminder_sent? bookmark method to avoid conflict with AR
  • Add protection when removing auto delete on post bookmarks
  • Ensure topic user bookmarked synced on bookmark auto-delete
  • Allow playsinline for videos in posts
  • Ensure correct locale is set during RenderEmpty responses
  • Reduces charts height
  • Prevent group show serializer from overriding basic group serializer
  • Computed property deprecation
  • Page:changed was sometimes reporting the wrong URL
  • Add back group redirects
  • Bump onebox to 2.0.1 for engine priority fix
  • Cooked snippet of raw in Topic.similar_to.
  • Handle case where Post#raw is blank in Topic.similar_to.
  • Improve Topic.similar_to with better Topic#title matches.
  • Improve allowed_path column migration
  • Resolve issue where deleted spam topics marked as Not Spam were not being recovered
  • Avoid validation error when deleting users with locked trust level
  • Uses topic title for published page head title
  • Reduce number of terms injected for host lexeme.
  • Improve regexp for matching version lexeme.
  • Don’t inject extra terms for version lexeme.
  • Add a translation for reaction notification
  • Reserve id for reaction notifications
  • Use allowlist and blocklist terminology
  • Tests that used the olds paths
  • Uploads was not testing properly
  • Pass siteSettings through in more places
  • Add enable_email_sync_demon global variable and disable EmailSync demon by default
  • Add strip_secure_urls method to GroupSmtpMailer
  • Do not show Email tab for group settings unless IMAP + SMTP enabled
  • Tests for reindex_search_spec pass regardless of seed
  • Display correct status on unsubscribe page
  • Move consts and translations for bookmark auto delete prefs
  • Restore navigation-bar on tag topic list
  • Include resolved locale in anonymous cache key
  • Make set_locale an around_action to avoid leaking between requests
  • Improve email styling of code blocks
  • Remove iOS trick to prevent scrolling when focusing on input
  • Reviews that are auto-hidden by a trusted spam flagger should always have enough weight.
  • Remove the border from YT thumbnail placeholder
  • Apply video preview trick for Safari to stream only
  • Add system fonts to wizard
  • Allow user to recover/delete post if they can review the topic
  • Typo in NotificationsController#index not caught by tests.
  • Ignore removed delete_when_reminder_sent bookmarks column
  • Stop double prepending of window.location.origin on media URLs
  • Test for fillGapBefore
  • Remove username_lower from admin serializer
  • Keep by_users check in S3 inventory
  • Delete synonyms in topics if target tag is already added.
  • Improve S3 inventory logic
  • Undefined method on nil class error in forking servers.
  • Gives emojis a width/height to prevent lazy loading warning
  • Handle PG readonly mode in Auth::DefaultCurrentUserProvider.
  • Don’t raise error when adding to cache fails in readonly mode.
  • Trigger before upload event after saving and before uploading it, so we are sure that the upload is valid.
  • Users should be able to delete their own queued posts
  • Focus tests are unreliable in qunit
  • Our test build of highlight.js was broken
  • Raw jQuery usage in tests
  • deleted is a computed property of Topic
  • Report was overwriting a CP
  • category-drop tests were broken and overwriting CPs
  • Overwritten computed properties
  • Missing favicon in test
  • Listing topics with muted mixed-case tags
  • Missing application backtrace in chained loggers
  • Incorrectly rescuing from PG::ServerError.
  • Correct stream counter when load more posts
  • Fewer broken image paths in tests
  • Don’t use prototype extensions like .observes
  • Tests involving dates were logging warnings
  • passwordRequired is a computed property
  • Poll tests were overwriting a couple of computed properties
  • More 404 image requests in test
  • Error in test mode with missing topic
  • Don’t load images that don’t exist in test
  • Tooltip is no longer used
  • Discourse.Site is deprecated
  • Show background images for both slug formats
  • Missing title when inserting hyperlinks
  • Bookmark search fixes
  • Reindex posts when Topic#title or Category#name changes.
  • Add topic title back to choose-topic
  • Update meh-o icon to far-meh
  • Be sure to use same units when comparing thumbnail size
  • Fewer 404s in JS tests
  • More errors being logged in tests
  • Deprecation usernames is now recipients
  • Remove more computed properties being set
  • Deprecation - usernames is now recipients
  • Overwriting more computed properties
  • Remove computed property setting from hamburger test
  • Don’t use jQuery directly in a test
  • Setting computed properties in tests
  • Removal of i18nPrefix deprecations
  • Remove user_deleted when staff recovers post
  • Trigger user_updated event only if email changed after user creation.
  • in:title search should only search through topic first posts.
  • Search page bulk-select button position
  • Count new and unread respects muted categories
  • Prevent thumbnail gen if image too large
  • Apply video preview workaround to iOS
  • Regression in secure URL generation, followup to 36bad0c
  • Preload metadata for audio/video when secure media enabled
  • Trick Safari into loading video previews
  • Off-by-one-slash error in topic.notifications.reasons
  • Add noindex header to user summary page.
  • Don’t overwrite maxlength computed property
  • loaded is a CP and can’t be overwritten
  • Silence route-recognizer source map errors in development mode
  • Silence ember-qunit source map warning
  • Add popper sourcemap
  • Properly load ember source map in development mode
  • Can’t set url on topics, it is calculated from slugs
  • Error with currentCategory
  • FilterPlaceholder is a computed property
  • topic.details is not a plain JS Object
  • Allow highlightjs-worker to be compiled successfully
  • Ignore document length in search when ranking by relevance.
  • Prevent redirect when image scale btn is inside a link.
  • Search by relevance may return incorrect post number.
  • Add protection just in case topic is not set
  • Correct user profile URLs in /about crawler view
  • Strip query from URLs when indexing for search.
  • Inject extra lexemes for host lexeme.
  • Search for whole URLs wasn’t working.
  • Improvements for vanilla bulk import
  • Ensure that aggregating search shows the post with the highest rank.
  • Various improvements to bookmark modal UI
  • Incorrect search blurb when advanced search filters are used take2
  • Get only the correct collapse title in emails
  • Don’t strip noopener from oneboxes
  • Don’t award new user of the month in the wrong month
  • Remove social sharing icons from private contexts
  • Check if last poster exists before using it
  • Set the lang/xml:lang html attrs in emails
  • Skip whisper posts when updating topic like count
  • Slightly reduce fake delay of discobot user.
  • Last visit bar regression
  • Allow signup when auth provider supplies no email
  • Replace links to removed uploads from reviewables with a placeholder
  • Do not display enabled inputs when username/name are locked
  • Sync client and server side behavior for category hashtag lookup
  • Post menu bookmark icon and attributes not refreshing on notification click
  • Migrate topic_users.bookmarked to false when it is incorrectly true
  • Test output related to Discourse::VERSION
  • Flaky test
  • Flaky tests
  • Incorrect fix for invites breaking when no group is selected
  • Invites when no group is selected
  • Catch all kinds of exceptions when processing email
  • Short URL resolution in cook-text
  • Force ActiveRecord reading role if Redis is down take 2.
  • Force ActiveRecord reading role if Redis is down.
  • Do not send system emails to suspended users
  • getURL deprecation
  • ‘resend all invite’ button was not working as expected
  • Cap bookmark name at 100 chars and truncate existing names
  • Stop updating bookmarked column from TopicUser.update_post_action_cache
  • Incorrect search blurb when advanced search filters are used.
  • Disable security keys at same time as TOTP 2FA
  • Only offer disabling 2FA to admins
  • Bookmarks shortcut goes to new bookmarks with reminders
  • Do not highlight large code blocks
  • Set default value for poll result field
  • Redirect user to the URL with the correct category slug
  • Ensures category order keeps consistent
  • Add table CSS rules to normalize
  • Fix race condition when resolving tag and category hashtags
  • Improve category hashtag lookup
  • Improve category hashtag lookup
  • Sub-sub-categories can be mentioned using only two levels
  • Remove support for three-level hashtags
  • Set default value for poll result field
  • Generate Topic Thumbnails nil to Array error
  • Handle the case where upload goes missing during downsizing
  • Do not rerender widget-dropdown on all clicks
  • CookText may be gone before promise resolves
  • OptimizedImage#filesize
  • Make Email::Styles operate on html documents instead of fragments
  • Ensures seconds are displayed when used with dates
  • Update normalize css from 3.0.1 to 8.0.1
  • Skip hidden posts while generating canonical url.
  • Uploading an existing image as a site setting
  • Uploading an image as a site setting
  • Emoji autocomplete not triggering correctly
  • Increase time of DOWNLOAD_URL_EXPIRES_AFTER_SECONDS to 5 minutes
  • Negative limit values shouldn’t cause error 500
  • Filter read/unread notifications on the server side
  • Delete related search data when record has been deleted.
  • Return cdn url for uploads if available.
  • Support root paths that omit the trailing slash and have QPs
  • Search was not multisite aware
  • Hide publish_read_state option from non-admin users
  • Sometimes not all output of psql was logged during restores
  • emoji_autocomplete_min_chars failing when not 0
  • Update theme fields when updating from ThemesInstallTask
  • Uploads cannot be mapped due to the cook-text’s element attr being null
  • Identify slug-less topic urls everywhere
  • Correct version comparison logic when comparing stable to beta
  • Serialize an empty array if no suggested topics exist
  • Seed needs to run before optimizing site icons.
  • Published-page-header should be a sibling to published-page-body not a parent
  • Broken specs
  • Remove paths from robots.txt in favor of noindex header
  • Match discobot triggers on cooked version
  • Invalid urls should not break store.has_been_uploaded?
  • Avoid marking notifications as seen in readonly mode.

UX Changes

  • Better wording when there are no unused tags to delete
  • Help users understand the meaning of each scope.
  • Use the same formatting for both user and group card bios
  • Preload muted categories list to prevent rendering delay.
  • Ensures search results wrap on mobile
  • Set silence_reason using the system locale
  • Update header background color in mobile app webview
  • Ensure CSS vars are loaded in the Wizard stylesheet
  • Refactor pikaday month prev/next button styling
  • Refactor lightbox hover drop shadow
  • Uniform focus styles for composer inputs/textarea
  • Allow navigating widget dropdown with tab and enter
  • Fix spacing of composer preview on mobile
  • Shrink composer consistently when pressing Done in iOS
  • Improve alignment and consistency on full page search
  • Fix quote sharing button spacing
  • Better error message if moderator is not allowed to invite to group
  • Do not show invite to group option if mod is not owner of any group
  • Fix missing icon when merging selected posts
  • Use group-chooser in invite modal
  • Fix layout for long bookmark notes
  • Simplifies editing email templates by always having a default
  • Add link to user email preferences in admin view
  • Remove extra space added by img resize controls in composer preview
  • Restore table borders
  • Hide login button during externally authenticated account creation
  • Suppress “in reply to” section in emails by default
  • Truncate long badge names in the mobile usercard
  • Add Login button on 403 error page if user is not logged in

Performance

  • Drop index idx_regular_post_search_data concurrently
  • Drop idx_regular_post_search_data during migration
  • Improve performance of post_search_data migration
  • Ensure transaction is of minimal size
  • Add partial index for non-pm search.
  • Prefer joins over subquery for User#private_posts_for_user.
  • Remove extra subquery in search.
  • Switch to ActiveRecord’s upsert in SearchIndexer.
  • Faster TL3 promotion replies needed calculation
  • I improved the performance of the ‘notify_reviewable’ job by doing only 1 query
  • Limit characters used to generate headline for search blurb.
  • Use PG headlines for blurb generation and highlighting for search.
  • Replace video and audio links in search blurb while indexing.
  • Optimize ActionView::Helpers::TextHelper#excerpt.
  • Release post_upload records when downloaded image is removed
  • Move URI regexp in GroupSearchResults.blurb_for into constant
  • Remove one extra call to Redis when searching.
  • Preload S3 inventory data for multisite clusters
  • Avoid parsing Post#cooked with Nokogiri for every search.
  • Combine avatar_lookup and primary_group_lookup into user_lookup
  • Reduce size of search payload by removing unused topic attributes.
  • Move highlightjs to a background worker, and add result cache
  • topic_view participant post count: don’t send back ID list
  • Cache user summary data
  • Add user_id condition so we can use another index in the query
  • Load topic bookmarks for the user in user_post_bookmarks
  • Remove post_upload recovery in daily EnsureS3UploadsExistence job
  • Do not include thumbnail information in default topic list payload
  • Use post number to create canonical path in mega topics.
  • Only update etag when it changes
  • Refactor lightbox decorator to use querySelectorAll
  • Check for modal visibility in a more efficient way
  • Exclude image_url and thumbnails from SearchTopicListItemSerializer.
  • Cache all metadata for 60 seconds
  • Memoize cooked triggers
  • Stop adding more topics to search when not needed