Commits on Oct 10, 2019
  1. Version bump to v2.3.5

    nlalonde committed Oct 10, 2019
Commits on Oct 9, 2019
  1. DEV: Bump uglifyjs (#7834)

    romanrizzi committed Oct 9, 2019
    * Rewrite uglifyjs command to work with 3.x
    * Use ES5 syntax in plain JS files
    * Use the older command if uglifyJS V2.x is installed
  2. SECURITY: mini profiler enabled incorrectly for admins

    SamSaffron committed Oct 9, 2019
    We expect mini profiler only to show up on accounts that are flagged as
    developer accounts.
    Unfortunately there was a bypass on any controllers that mix in ApplicationHelper
Commits on Oct 8, 2019
  1. DEV: Allow specifying button class in reviewable action definitions (#…

    davidtaylorhq authored and romanrizzi committed Sep 18, 2019
    This avoids the need for using `@extend` in SCSS, which can be problematic in plugins
    For context, see
Commits on Oct 7, 2019
  1. FIX: change focus when application resumes in android

    SamSaffron authored and jjaffeux committed Oct 1, 2019
    Per new lifecycle
    On Android and latest Chrome when an app transitions from "frozen" to
    active the new "resume" event fires with no accompanying "visibilitychange"
    This means that often background tabs may be stuck thinking that discourse
    has no focus when, indeed, it has.
    This leads to cases where no posts are marked read anymore.
Commits on Oct 1, 2019
  1. Version bump to v2.3.4

    nlalonde committed Oct 1, 2019
  2. Spec should not depend on aliases

    romanrizzi committed Oct 1, 2019
  3. SECURITY: Don't allow base_uri as embeddable host if none exist

    eviltrout authored and ZogStriP committed Sep 30, 2019
  4. SECURITY: update rack-mini-profiler to latest to correct XSS

    SamSaffron committed Oct 1, 2019
    This corrects an XSS in ?pp=help.
    Also removes the jQuery dependency from rack-mini-profiler and restricts
    memory sensitive profiling methods to development only.
Commits on Sep 17, 2019
  1. SECURITY: XSS when oneboxing user profile location field

    pmusaraj committed Sep 17, 2019
    The XSS here is only possible if CSP is disabled. Low impact since CSP is enabled by default in SiteSettings.
Commits on Sep 13, 2019
  1. FIX: Improve protection against problematic usernames (#8097)

    romanrizzi committed Sep 13, 2019
Commits on Sep 12, 2019
  1. FIX: IE grid layout issue on user's own activity page

    pmusaraj committed Jul 5, 2019
Commits on Sep 10, 2019
  1. Use Discourse.getURL for /clicks/track so clicks can be tracked on relative URLs (#8079)

    qrush authored and featheredtoast committed Sep 9, 2019
Commits on Sep 6, 2019
  1. DEV: plugin API to register User custom field types

    ZogStriP committed Jul 24, 2019
Commits on Sep 5, 2019
Commits on Sep 4, 2019
  1. FEATURE: add before-topic-progress plugin outlet

    featheredtoast committed Sep 4, 2019
  2. Version bump to v2.3.3

    nlalonde committed Sep 4, 2019
Commits on Sep 2, 2019
  1. Feature/Fix: Flagged posts user notifications (#8041)

    romanrizzi committed Aug 30, 2019
    * FIX: User should get notified when a post is deleted
    * FEATURE: Notify posters when restoring flagged posts
    * Fix typo
    Co-Authored-By: Régis Hanol <>
    * Improve tests
Commits on Aug 28, 2019
  1. FIX: When activating via omniauth, create tokens after password reset

    davidtaylorhq committed Aug 28, 2019
    Resetting a password invalidates all email tokens, so we need to create the tokens after the password reset.
  2. FIX: When activating a user, ensure the change is reflected immediately

    davidtaylorhq committed Aug 28, 2019
    When activating a user via an external provider, this would cause the "this account is not activated" message to show on the first attempt, even though the account had been activated correctly.
  3. SECURITY: Reset password when activating an account via auth provider

    davidtaylorhq committed Aug 28, 2019
    Followup to d693b4e35fe0e58c5578eae4a56c06dff4756ba2
Commits on Aug 27, 2019
  1. FIX: add_to_serializer not correctly accounting for inheritance chains

    SamSaffron committed Aug 27, 2019
    This is a very long-standing bug we had: if a plugin attempted to amend a
    serializer, core was not "correcting" the situation for all descendant classes.
    This often only showed up in production because production eager loads serializers
    prior to plugins amending them.
    This is a critical fix for various plugins
Commits on Aug 20, 2019
  1. SECURITY: add rate limiting to anon JS error reporting

    SamSaffron committed Aug 20, 2019
    This adds a 1 minute rate limit to all JS error reporting per IP. Previously
    we would only use the global rate limit.
    This also introduces DISCOURSE_ENABLE_JS_ERROR_REPORTING, if it is set to
    false then no JS error reporting will be allowed on the site.
Commits on Aug 19, 2019
Commits on Aug 14, 2019
  1. SECURITY: Restrict message-bus access on login_required sites

    davidtaylorhq committed Aug 13, 2019
Commits on Aug 10, 2019
  1. FIX: Disallow user self-delete when user posted in PMs

    gschlager committed Aug 10, 2019
    All posts created by the user are counted unless they are deleted,
    belong to a PM sent between a non-human user and the user or belong
    to a PM created by the user which doesn't have any other recipients.
    It also makes the guardian prevent self-deletes when SSO is enabled.
Commits on Aug 8, 2019
  1. FIX: Use unescaped title as combo-box id (#7979)

    romanrizzi committed Aug 6, 2019
Commits on Aug 5, 2019
  1. FIX: Composer preview on IE11 (#7970)

    davidtaylorhq committed Aug 5, 2019
    Add the Array.from polyfill for IE11. This is required to support the transpiled ES6 spread syntax generated by babel:
Commits on Jul 30, 2019
  1. Revert "FEATURE: add Noindex to robots.txt for disallowed routes"

    SamSaffron committed Jul 30, 2019
    This reverts commit d84256a.
    This is not supported by Google and causes robots.txt to be flagged as
    Removing Noindex
Commits on Jul 27, 2019
  1. FIX: Hide live-loaded posts from ignored users

    davidtaylorhq committed Jul 25, 2019
Commits on Jul 24, 2019
  1. SECURITY: Sanitize email id for use as mutex key

    davidtaylorhq committed Jul 24, 2019
  2. DEV: Correct merge conflicts for 9cfe3f9

    davidtaylorhq committed Jul 24, 2019
Commits on Jul 22, 2019
  1. SECURITY: Validate backup chunk identifier

    gschlager committed Jul 19, 2019
Commits on Jul 15, 2019
  1. Version bump to v2.3.2

    nlalonde committed Jul 15, 2019
