Security Updates
This beta includes 3 security fixes for issues reported by our community and HackerOne.
- 413 for GET, HEAD or DELETE requests with payload.
- Bound the amount of work that embed#topics can do
- Add content-disposition: attachment for SVG uploads
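The first and third fixes above, as an added Ruby example (illustrative code, not Discourse's own): a Rack-style middleware that answers 413 when a GET or HEAD request carries a body, and a header builder that forces SVG and other browser-executable uploads to download rather than render in the forum's origin. Rack env keys are the standard ones; the class and method names (RejectBodyOnSafeMethods, UploadHeaders.headers_for) are hypothetical, and the sample requests are constructed. DELETE is deliberately left out of the middleware because the bug-fix list further down records a follow-up that excludes DELETE from the invalid-payload check.

```ruby
require "stringio"

# Added example, not Discourse code. Rack env keys (REQUEST_METHOD,
# CONTENT_LENGTH, rack.input) are the standard ones; class and method
# names here are hypothetical.

# Answers 413 for GET or HEAD requests that arrive with a body. DELETE is
# left out on purpose: the bug-fix list in these notes records a follow-up
# excluding DELETE from the invalid-payload check.
class RejectBodyOnSafeMethods
  BODYLESS_METHODS = %w[GET HEAD].freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    if BODYLESS_METHODS.include?(env["REQUEST_METHOD"]) && payload?(env)
      return [413, { "Content-Type" => "text/plain" }, ["Payload Too Large"]]
    end
    @app.call(env)
  end

  private

  # Content-Length alone misses chunked bodies, which carry no Content-Length,
  # so also peek one byte at rack.input. Assumes a rewindable input stream
  # (StringIO here; Rack 2 servers guarantee it, Rack 3 does not).
  def payload?(env)
    return true if env["CONTENT_LENGTH"].to_i > 0
    input = env["rack.input"]
    return false if input.nil?
    byte = input.read(1)
    input.rewind
    !byte.nil?
  end
end

# Builds response headers for serving an upload. Types a browser renders as
# active content (SVG can carry <script>; so can HTML and XML) are forced to
# download, so a hostile upload cannot execute in the forum's origin by being
# navigated to. Everything else is served inline. nosniff stops the browser
# from re-guessing the declared type.
module UploadHeaders
  ACTIVE_CONTENT_TYPES = %w[
    image/svg+xml text/html application/xhtml+xml text/xml application/xml
  ].freeze
  ACTIVE_CONTENT_EXTENSIONS = %w[svg svgz html htm xhtml xml].freeze

  def self.headers_for(content_type, filename)
    mime = content_type.to_s.split(";").first.to_s.strip.downcase
    ext = File.extname(filename.to_s).delete_prefix(".").downcase
    # Check both the declared type and the extension: a sniffing browser
    # may treat evil.svg as SVG even if it was stored as image/png.
    active = ACTIVE_CONTENT_TYPES.include?(mime) || ACTIVE_CONTENT_EXTENSIONS.include?(ext)
    disposition = active ? "attachment" : "inline"
    # Keep the filename parameter from breaking out of its quotes.
    safe_name = File.basename(filename.to_s).gsub(/[^\w.\-]/, "_")
    {
      "Content-Type" => mime,
      "Content-Disposition" => "#{disposition}; filename=\"#{safe_name}\"",
      "X-Content-Type-Options" => "nosniff",
    }
  end

  def self.attachment?(content_type, filename)
    headers_for(content_type, filename)["Content-Disposition"].start_with?("attachment")
  end
end

if __FILE__ == $PROGRAM_NAME
  app = RejectBodyOnSafeMethods.new(->(_env) { [200, { "Content-Type" => "text/plain" }, ["ok"]] })
  # Constructed request: a GET that smuggles a three-byte body.
  env = { "REQUEST_METHOD" => "GET", "CONTENT_LENGTH" => "3", "rack.input" => StringIO.new("abc") }
  puts app.call(env).first
  puts UploadHeaders.headers_for("image/svg+xml", "logo.svg")["Content-Disposition"]
end
```

The extension check matters as much as the MIME check: an attacker controls both the bytes and the name of what they upload, and a browser that sniffs a `.svg` as SVG will happily run the script inside it if the server says `inline`.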
Plugin improvements
Many plugins
- Bug fix
- We’ve patched numerous bugs in many of our plugins
Code Review
- Custom theme for code review categories
Graphviz
- Upgrade to version 2.44 from 2.40
Knowledge Explorer
- Add keyboard shortcut
- Move route to `/docs`
Akismet
- Add a task to cleanup the database before uninstalling
Checklist
- Remove support for checkboxes other than `[ ]`, `[x]`, and `[X]`
Docker Manager
- Add plugin compatibility check support
Encrypt
- Add setting to auto-enable encryption
- Decrypt notification titles before rendering
Translator
- Security Fix
Data Explorer
- Add support for soft deleting (hiding) queries
Chat Integration
- Add Microsoft Teams support
Subscriptions
- Plugin made official
- Allow one-time purchases of products
- Support 3D Secure payments
- New UX style
- Cancel payments at the end of subscription, not immediately
- Show renewal date on active subscriptions
Assign
- New Assignment Summary page for groups
Calendar
- Additional events functionality and improvements
Additional Features and Fixes
New Features
- Ensure posts are rebaked when missing is fixed
- Autoplay oneboxed twitter GIF media
- Allow group membership to unmute categories and tags
- Don’t notify about changed tags for a private message
- Introduce tasks for dealing with legacy broken uploads
- Group category permissions tab
- Block vibration in Firefox Android
- Use PG `ts_headline` for highlighting topic title in search
- Add advanced order to search
- Notification for vote plugin
- Set notification levels when added to a group
- Poll breakdown 2.0
- Add category_id to TopicViewWordpressSerializer
- New plugin outlet for category-heading
- Invite emails to groups from add member modal
- Add expandable muted categories UI to `/categories` page
- Show login button on error page if user is not logged in
- G,j and g,k to navigate to next and prev topic
- Allow picture HTML element in posts
- Allow displaying charts by day/week/month
- Allow the specification of an arbitrary unicorn listen address
- Support converting HEIF images to JPEG
- Add tracked filter to topic lists
- Submit post from mobile composer preview
- Add query params to staff action logs
- Add support for `top` filter in tag page
- Add “delete on owner reply” bookmark functionality
- Trigger `user_updated` event if email changed
- Improve header meta alignment and truncation with css grid
- Load hidden posts in segments
- Allow video tag attributes for video gifs
- Add search to user bookmark list
- Add global rate limit for anon searches
- Parse images in email signatures
- Add “smallest” option to user text size preferences
- Add reply_as_new_group_message composer action
- Create SQL-only backup if there are no uploads
- Optionally skip the create account popup for external auth
- Sso_overrides_(email|username|name) for all auth methods
- Trigger `user_updated` event if username is changed
- Site setting to always show category definitions
- Allow disabling of extra term injection in search
Bug Fixes
- `user_option` option can be `nil` for new users
- User titles from translated badge names were automatically revoked
- SiteSettings::LocalProcessProvider didn’t work on multisite
- Default_tags_muted setting should work for anonymous users too.
- Sending a PM through a flag on a deleted post
- Error message when setting enforce 2fa with social logins
- Delete unused tags shouldn’t delete tags belonging to tag groups
- Unlike own posts on ownership transfer
- Polls can be quoted and loaded
- Do not cancel search early in tests
- Display label when theme uses default color scheme
- Do not override logo markup when loading page in dark mode
- Fix css var issues
- Makes group_show_serializer#is_group_owner follow standards
- Always wait for promise when loading a topic
- More efficient and resilient widget-dropdown body
- Add bookmark-list component
- Composer upload icon regression because of HEIC
- When destroying uploads clear card and profile background
- Add playsinline to twitter GIFs
- Allow safari to load and autoplay videos in posts
- Refactor broke wizard
- Skip rendering twitter video if matching format not found
- Broken when iconList missing
- Replace iframe with `<video>` for twitter videos
- Clicking on category autocomplete row
- Prevent errors on /tags when a tag `constructor` exists
- This leaves an empty example group in TRAVIS mode
- Ensure auto close notice is posted with system locale
- Mobile group add dropdown was broken
- Defer topic was broken
- `application` controller is not used by the card
- DEV: Introduce `@bind` decorator
- A paste event listener was re-added instead of being removed
- Add script asset locations to worker-src CSP directives
- Generate_topic_thumbnails job infinitely running for corrupted images
- Update preview when autocomplete is clicked
- Prevent `LockOn` conflicts
- Move queryParams to each discovery controller rather than shared
- Refreshing was not working
- Preserve anchors in permalink transitions
- Remove other category which is not used
- Improved specs to ensure that revise was successful
- Generate topic excerpt when moving posts to new topic.
- Make sure user preference to open external links in new tab works for bookmark list excerpts
- Do not require tagging to be enabled for IMAP archive and delete
- Allow plugin pinning to fetch missing commits
- AWS S3 errors don’t necessarily include a message
- Change the controller method name to match its new name.
- Heisentest with topic timings
- Allow mods to choose restricted categories as parent category.
- Color scheme selection with non-default theme
- Expose PG headline highlighting for all search results.
- Limit PG headline based search blurb generation to 200 characters.
- Try to make topic_tracking_state_spec stable
- IOS/iPadOS freezing when changing notification level in topic footer
- Use correct site setting when uploading images
- Invalidate cache when updating color scheme colors
- Ensure load more directory items has a .json url
- Return 422 when creating topics with tags w/out permission
- Include secure media URLs when linking post uploads
- Update colors for presence plugin
- Smaller header font size for published page
- Include both name and id in color scheme stylesheet filename slugs
- Sync reviewable count when opening the hamburger menu
- Removes persistedQueryParams as it should work out of the box
- Specify config when generating tsquery using `ts_headline`
- PM participants list refreshing after inviting
- Missing bottom border in select-kit color list settings
- User preferences tests didn’t always have pretender called
- Stop sync of tracking state when list is filtered
- Only raise proper `"error"` messages
- Pretender errors were being swallowed
- Raise errors for broken pretender responses in test mode
- Replace `fullPath` while rewriting the `/my/` URLs
- Ensure shadow has last_posted_at before comparing to site setting
- Attempt to output a useful error message
- Shows all_results if current settings category has no results
- Disable concurrent migration for `multisite:migrate`
- Don’t run seeds if multisite migration fails
- Excerpts larger than 999 are not supported
- Topic map was incorrectly counting assign actions
- Show “group members forbidden” message on mobile
- Rewrite of `/my/` URL should work on sub directory site too
- Allow changing a user group notification level
- Previous fix committed the wrong thing and was broken
- Exclude shared drafts from digests
- Current value of flair icon missing in group manage UI
- Load base color scheme when default theme is not set
- Check if selectable avatar with SHA1
- IMAP archive fix and group list mailbox code unification
- Discobot inappropriate flag section
- Bug with sharing when used outside a topic
- Get correct selectable avatar from URL
- Exclude `DELETE` methods from invalid request with payload
- Reset max_posts query parameter
- Respect query params for latest.rss
- Set mailing_list_mode to false when unsubscribing from all
- IMAP sync email update uniqueness across groups and minor improvements
- Removes an error in the console in test mode
- Should allow non-ASCII slugs for category pages.
- Reset ‘filter’ query parameter when clicking on a nav-item
- Keep category name in URL when filtering
- Allow ‘c’ as a tag
- Define s3_helper in EnsureS3UploadsExistence job
- Rename delete_when_reminder_sent? bookmark method to avoid conflict with AR
- Add protection when removing auto delete on post bookmarks
- Ensure topic user bookmarked synced on bookmark auto-delete
- Allow playsinline for videos in posts
- Ensure correct locale is set during RenderEmpty responses
- Reduces charts height
- Prevent group show serializer from overriding basic group serializer
- Computed property deprecation
- Page:changed was sometimes reporting the wrong URL
- Add back group redirects
- Bump onebox to 2.0.1 for engine priority fix
- Cooked snippet of raw in `Topic.similar_to`
- Handle case where `Post#raw` is blank in `Topic.similar_to`
- Improve `Topic.similar_to` with better `Topic#title` matches
- Improve allowed_path column migration
- Resolve issue where deleted spam topics marked as Not Spam were not being recovered
- Avoid validation error when deleting users with locked trust level
- Uses topic title for published page head title
- Reduce number of terms injected for host lexeme.
- Improve regexp for matching version lexeme.
- Don’t inject extra terms for version lexeme.
- Add a translation for reaction notification
- Reserve id for reaction notifications
- Use allowlist and blocklist terminology
- Tests that used the olds paths
- Uploads was not testing properly
- Pass `siteSettings` through in more places
- Add enable_email_sync_demon global variable and disable EmailSync demon by default
- Add strip_secure_urls method to GroupSmtpMailer
- Do not show Email tab for group settings unless IMAP + SMTP enabled
- Tests for reindex_search_spec pass regardless of seed
- Display correct status on unsubscribe page
- Move consts and translations for bookmark auto delete prefs
- Restore navigation-bar on tag topic list
- Include resolved locale in anonymous cache key
- Make set_locale an around_action to avoid leaking between requests
- Improve email styling of code blocks
- Remove iOS trick to prevent scrolling when focusing on input
- Reviews that are auto-hidden by a trusted spam flagger should always have enough weight.
- Remove the border from YT thumbnail placeholder
- Apply video preview trick for Safari to stream only
- Add system fonts to wizard
- Allow user to recover/delete post if they can review the topic
- Typo in `NotificationsController#index` not caught by tests
- Ignore removed delete_when_reminder_sent bookmarks column
- Stop double prepending of window.location.origin on media URLs
- Test for fillGapBefore
- Remove `username_lower` from admin serializer
- Keep by_users check in S3 inventory
- Delete synonyms in topics if target tag is already added.
- Improve S3 inventory logic
- Undefined method on nil class error in forking servers.
- Gives emojis a width/height to prevent lazy loading warning
- Handle PG readonly mode in `Auth::DefaultCurrentUserProvider`
- Don’t raise error when adding to cache fails in readonly mode
- Trigger before upload event after saving and before uploading it, so we are sure that the upload is valid.
- Users should be able to delete their own queued posts
- Focus tests are unreliable in qunit
- Our test build of highlight.js was broken
- Raw jQuery usage in tests
- `deleted` is a computed property of Topic
- Report was overwriting a CP
- `category-drop` tests were broken and overwriting CPs
- Overwritten computed properties
- Missing favicon in test
- Listing topics with muted mixed-case tags
- Missing application backtrace in chained loggers
- Incorrectly rescuing from `PG::ServerError`
- Correct stream counter when load more posts
- Fewer broken image paths in tests
- Don’t use prototype extensions like `.observes`
- Tests involving dates were logging warnings
- `passwordRequired` is a computed property
- Poll tests were overwriting a couple of computed properties
- More 404 image requests in test
- Error in test mode with missing `topic`
- Don’t load images that don’t exist in test
- Tooltip is no longer used
- `Discourse.Site` is deprecated
- Show background images for both slug formats
- Missing title when inserting hyperlinks
- Bookmark search fixes
- Reindex posts when `Topic#title` or `Category#name` changes
- Add topic title back to choose-topic
- Update meh-o icon to far-meh
- Be sure to use same units when comparing thumbnail size
- Fewer 404s in JS tests
- More errors being logged in tests
- Deprecation: `usernames` is now `recipients`
- Remove more computed properties being set
- Deprecation: `usernames` is now `recipients`
- Overwriting more computed properties
- Remove computed property setting from hamburger test
- Don’t use jQuery directly in a test
- Setting computed properties in tests
- Removal of i18nPrefix deprecations
- Remove user_deleted when staff recovers post
- Trigger `user_updated` event only if email changed after user creation
- `in:title` search should only search through topic first posts
- Search page bulk-select button position
- Count new and unread respects muted categories
- Prevent thumbnail gen if image too large
- Apply video preview workaround to iOS
- Regression in secure URL generation, followup to 36bad0c
- Preload metadata for audio/video when secure media enabled
- Trick Safari into loading video previews
- Off-by-one-slash error in topic.notifications.reasons
- Add noindex header to user summary page.
- Don’t overwrite `maxlength` computed property
- `loaded` is a CP and can’t be overwritten
- Silence route-recognizer source map errors in development mode
- Silence ember-qunit source map warning
- Add popper sourcemap
- Properly load ember source map in development mode
- Can’t set `url` on topics, it is calculated from slugs
- Error with `currentCategory`
- FilterPlaceholder is a computed property
- `topic.details` is not a plain JS Object
- Allow highlightjs-worker to be compiled successfully
- Ignore document length in search when ranking by relevance.
- Prevent redirect when image scale btn is inside a link.
- Search by relevance may return incorrect post number.
- Add protection just in case topic is not set
- Correct user profile URLs in `/about` crawler view
- Strip query from URLs when indexing for search
- Inject extra lexemes for host lexeme.
- Search for whole URLs wasn’t working.
- Improvements for vanilla bulk import
- Ensure that aggregating search shows the post with the highest rank
- Various improvements to bookmark modal UI
- Incorrect search blurb when advanced search filters are used take2
- Get only the correct collapse title in emails
- Don’t strip `noopener` from oneboxes
- Don’t award new user of the month in the wrong month
- Remove social sharing icons from private contexts
- Check if last poster exists before using it
- Set the lang/xml:lang html attrs in emails
- Skip whisper posts when updating topic like count
- Slightly reduce fake delay of discobot user.
- Last visit bar regression
- Allow signup when auth provider supplies no email
- Replace links to removed uploads from reviewables with a placeholder
- Do not display enabled inputs when username/name are locked
- Sync client and server side behavior for category hashtag lookup
- Post menu bookmark icon and attributes not refreshing on notification click
- Migrate topic_users.bookmarked to false when it is incorrectly true
- Test output related to `Discourse::VERSION`
- Flaky test
- Flaky tests
- Incorrect fix for invites breaking when no group is selected
- Invites when no group is selected
- Catch all kinds of exceptions when processing email
- Short URL resolution in cook-text
- Force ActiveRecord reading role if Redis is down take 2.
- Force ActiveRecord reading role if Redis is down.
- Do not send system emails to suspended users
- `getURL` deprecation
- ‘resend all invite’ button was not working as expected
- Cap bookmark name at 100 chars and truncate existing names
- Stop updating bookmarked column from TopicUser.update_post_action_cache
- Incorrect search blurb when advanced search filters are used.
- Disable security keys at same time as TOTP 2FA
- Only offer disabling 2FA to admins
- Bookmarks shortcut goes to new bookmarks with reminders
- Do not highlight large code blocks
- Set default value for poll result field
- Redirect user to the URL with the correct category slug
- Ensures category order keeps consistent
- Add table CSS rules to normalize
- Fix race condition when resolving tag and category hashtags
- Improve category hashtag lookup
- Improve category hashtag lookup
- Sub-sub-categories can be mentioned using only two levels
- Remove support for three-level hashtags
- Set default value for poll result field
- Generate Topic Thumbnails nil to Array error
- Handle the case where upload goes missing during downsizing
- Do not rerender widget-dropdown on all clicks
- CookText may be gone before promise resolves
- `OptimizedImage#filesize`
- Make Email::Styles operate on html documents instead of fragments
- Ensures seconds are displayed when used with dates
- Update normalize css from 3.0.1 to 8.0.1
- Skip hidden posts while generating canonical url.
- Uploading an existing image as a site setting
- Uploading an image as a site setting
- Emoji autocomplete not triggering correctly
- Increase time of DOWNLOAD_URL_EXPIRES_AFTER_SECONDS to 5 minutes
- Negative limit values shouldn’t cause error 500
- Filter read/unread notifications on the server side
- Delete related search data when record has been deleted.
- Return cdn url for uploads if available.
- Support root paths that omit the trailing slash and have QPs
- Search was not multisite aware
- Hide publish_read_state option from non-admin users
- Sometimes not all output of psql was logged during restores
- Emoji_autocomplete_min_chars failing when not 0
- Update theme fields when updating from ThemesInstallTask
- Uploads cannot be mapped due to the cook-text’s element attr being null
- Identify slug-less topic urls everywhere
- Correct version comparison logic when comparing stable to beta
- Serialize an empty array if no suggested topics exist
- Seed needs to run before optimizing site icons.
- Published-page-header should be a sibling to published-page-body not a parent
- Broken specs
- Remove paths from robots.txt in favor of noindex header
- Match discobot triggers on cooked version
- Invalid urls should not break store.has_been_uploaded?
- Avoid marking notifications as seen in readonly mode.
UX Changes
- Better wording when there are no unused tags to delete
- Help users understand the meaning of each scope.
- Use the same formatting for both user and group card bios
- Preload muted categories list to prevent rendering delay.
- Ensures search results wrap on mobile
- Set silence_reason using the system locale
- Update header background color in mobile app webview
- Ensure CSS vars are loaded in the Wizard stylesheet
- Refactor pikaday month prev/next button styling
- Refactor lightbox hover drop shadow
- Uniform focus styles for composer inputs/textarea
- Allow navigating widget dropdown with tab and enter
- Fix spacing of composer preview on mobile
- Shrink composer consistently when pressing Done in iOS
- Improve alignment and consistency on full page search
- Fix quote sharing button spacing
- Better error message if moderator is not allowed to invite to group
- Do not show invite to group option if mod is not owner of any group
- Fix missing icon when merging selected posts
- Use group-chooser in invite modal
- Fix layout for long bookmark notes
- Simplifies editing email templates by always having a default
- Add link to user email preferences in admin view
- Remove extra space added by img resize controls in composer preview
- Restore table borders
- Hide login button during externally authenticated account creation
- Suppress “in reply to” section in emails by default
- Truncate long badge names in the mobile usercard
- Add Login button on 403 error page if user is not logged in
Performance
- Drop index idx_regular_post_search_data concurrently
- Drop idx_regular_post_search_data during migration
- Improve performance of post_search_data migration
- Ensure transaction is of minimal size
- Add partial index for non-pm search.
- Prefer joins over subquery for `User#private_posts_for_user`
- Remove extra subquery in search
- Switch to ActiveRecord’s upsert in `SearchIndexer`
- Faster TL3 promotion replies needed calculation
- I improved the performance of the ‘notify_reviewable’ job by doing only 1 query
- Limit characters used to generate headline for search blurb.
- Use PG headlines for blurb generation and highlighting for search.
- Replace video and audio links in search blurb while indexing.
- Optimize `ActionView::Helpers::TextHelper#excerpt`
- Release post_upload records when downloaded image is removed
- Move URI regexp in `GroupSearchResults.blurb_for` into constant
- Remove one extra call to Redis when searching
- Preload S3 inventory data for multisite clusters
- Avoid parsing `Post#cooked` with Nokogiri for every search
- Combine avatar_lookup and primary_group_lookup into user_lookup
- Reduce size of search payload by removing unused topic attributes.
- Move highlightjs to a background worker, and add result cache
- Topic_view participant post count: don’t send back ID list
- Cache user summary data
- Add user_id condition so we can use another index in the query
- Load topic bookmarks for the user in user_post_bookmarks
- Remove post_upload recovery in daily EnsureS3UploadsExistence job
- Do not include thumbnail information in default topic list payload
- Use post number to create canonical path in mega topics
- Only update etag when it changes
- Refactor lightbox decorator to use querySelectorAll
- Check for modal visibility in a more efficient way
- Exclude `image_url` and `thumbnails` from `SearchTopicListItemSerializer`
- Cache all metadata for 60 seconds
- Memoize cooked triggers
- Stop adding more topics to search when not needed