In some edge cases (e.g. SSO plugin redirecting the user immediately), with modern browsers, the request is never "completed" for speed. This causes a condition where the session object never persists to the database, even though it has changed. This added line forces a db persist on a successful login.
Context: https://github.com/expressjs/session/pull/484
One notable change is line 200, where a conditional was changed. The conditional used to check for `user.hasOwnProperty('picture')` and was added so that icons would only be included in the response if the picture was requested. This doesn't seem to apply as picture could be set regardless (see default avatar logic above), so I explicitly check `requestedFields` now.
>
> A plugin wanted to use `response:rotuer.page` to 404 a specific page on some condition. res.render returns early in send404 and so must be awaited otherwise multiple responses will be sent
If URL was set to something like `http://example.com:8080`, and port
was set to 4567, keep listening on port 4567 and keep linking through
URL that was specified.
This allows to listen on port 4567, while having NGINX (or any proxy)
set to listen on port 8080 and route traffic to port 4567.
So NodeBB can be "hidden" behind proxy while URL can still contain
non-standard port, i.e., port different than 80 and 443.
fix: ensure proper admin privilege checking on remounted `/admin` mount
fix: guard against plugins sending back missing mounts
fix: no need to make addRemountableRoutes awaitable
For 7+ years we were escaping this value, but it is in many cases already sanitized (as it may be a post content). For those cases when it is not, I now run it through parse.raw.
Instead of escaping, it now strips p, img, and a tags.
* feat: wip categories pagination
* feat: add subCategoriesPerPage setting
* feat: add load more sub categories button to category page
* fix: openapi spec
* feat: show sub categories left on category page
hide button when no more categories left
* breaking: rename categories to allCategories on /search
categories contains the search results
* fix: spec
* refactor: remove cidsPerPage
* fix: tests
* feat: use component for subcategories
* fix: prevent negative subCategoriesLeft
* feat: new category filter/search WIP
* feat: remove categories from /tag
* fix: dont load all categories when showing move modal
* feat: allow adding custom categories to list
* breaking: dont load entire category tree on post queue
removed unused code
add hooks to filter/selector
add options to filter/selector
* feat: make selector modal work again
* feat: replace old search module
* fix: topic move selector
* feat: dont load all categories on create category modal
* fix: fix more categorySelectors
* feat: dont load entire category tree on group details page
* feat: dont load all categories on home page and user settings page
* feat: add pagination to /user/:userslug/categories
* fix: update schemas
* fix: more tests
* fix: test
* feat: flags page, dont return entire category tree
* fix: flag test
* feat: categories manage page
dont load all categories
allow changing root category
clear caches properly
* fix: spec
* feat: admins&mods page
dont load all categories
* fix: spec
* fix: dont load all children when opening dropdown
* fix: on search results dont return all children
* refactor: pass all options, rename options.cids to options.selectedCids
* fix: #9266
* fix: index 0
* fix: spec
* feat: #9265, add setObjectBulk
* refactor: shoter updateOrder
* feat: selectors on categories/category
* fix: tests and search filter
* fix: category update test
* feat: pagination on acp categories page
show order in set order modal
* fix: allow drag&drop on pages > 1 in /admin/manage/categories
* fix: teasers for deep nested categories
fix sub category display on /category page
* fix: spec
* refactor: use eslint-disable-next-line
* refactor: shorter
Login route saves the previous page by checking for the X-Return-To header. This header is automatically set by ajaxify.
Login takes this value and saves it to `req.session`.
Up until now, `/register` saved the previous URL in a hidden input, and redirected based on that value, but it occasionally conflicted with req.session.returnTo. It was also confusing because it did not match how login handled the values.
This commit updates the route handling so it works identically to `/login`.
Adds a `Service-Worker-Allowed` header on `assets/src/service-worker.js` URL and uses `scope` option during registration to ensure the service worker is correctly scoped to the entire forum and only the forum.
* feat: wip categories pagination
* feat: add subCategoriesPerPage setting
* feat: add load more sub categories button to category page
* fix: openapi spec
* feat: show sub categories left on category page
hide button when no more categories left
* breaking: rename categories to allCategories on /search
categories contains the search results
* fix: spec
* refactor: remove cidsPerPage
* fix: tests
* feat: use component for subcategories
* fix: prevent negative subCategoriesLeft
If multiple sorted-lists were on separate pages, saving one page would erase the sorted-lists saved on the other page. This was caused by naive deletion of the sorted-lists index on settings save.
At the same time, a bug was found where if fewer items were passed in, only that many items were removed from the database, leaving leftover orphan data in the database.
The logic now:
- Only removes sorted-lists if they are passed in (and empty)
- Deletes all sorted list items, not just the items passed in.
`/api/post/pid/:pid`, `/api/topic/tid/:tid`, `/api/category/cid/:cid` have now been removed in favour of routes in the Write API (`/api/v3/(posts|topics|categories)/:id`)
The slowdown is fairly insignificant (< .1s), and the only change is the minified file is identical across environments, which is better from a debugging standpoint
These options were originally used when the flag filters were shown in the sidebar. This has seen been removed, and so the information is now superfluous
When combining filters, the old logic assumed that every filter was
exclusive, unless that filter contained multiple items, in which
case it was added to a list of "or" filters that returned all
matching flags.
A fault was discovered in that if you passed in multiple "or"
states, it did not return flags with the expected filtering.
e.g. open flags, closed flags, flags of cid 1, flags of cid 2
This could return open flags of cid 3, since all of the filters
were "OR"'d.
This logic change updates the behaviour so disparate OR sets are
intersected (ANDed).
This change is breaking in the sense that if you have written
interstitial callbacks before that are async functions _with_ a
callback, those are no longer allowed. You will not need to call
next() as that argument will no longer be passed in to async
functions.
Access checks were added for topic GET route, but occasionally a post_uuid is passed in, which is available to everyone, and so checks should be skipped
Barış Soner Uşaklı
Julian Lam
Barış Soner Uşaklı
Peter Jaszkowiak
ahwayakchih
gasoved
Opliko