New features in 2.4.0.beta10
Bigger emoji
When one to three emoji appear on their own line, they’re now automatically made larger! Now you can communicate in emoji without needing to squint as much.
Award a badge to a set of users
Badges now support “bulk award”, allowing admins to upload a list of user emails which will all be granted a badge. For full details, see
Badges are an excellent way to acknowledge someone who is doing a good job. Discourse now allows awarding a badge to a set of users. If you go to the badges section in the admin panel, you’ll notice that a new button called “Bulk Award” is now available next to the “new” button. After clicking it, you’ll be prompted to select a badge and get started. Select the badge you want to award and upload a CSV file containing …
MaxMind DB downloads now require a license key
Discourse uses the free MaxMind GeoLite2 IP database to provide location information for users and admins. This powers features like Recently Used Devices in user preferences, and IP lookup on user admin pages. Due to changes required by the CCPA, MaxMind has changed the download process. To download the database, admins must now register for an account and receive a (free) license key. More details in Upgrade / Rebuilds Fail due to MaxMind DB EOL.
Internet Explorer 11 Deprecation
Discourse will be ending support for IE11 on June 1, 2020. Users are strongly encouraged to move to a supported browser to continue using Discourse without interruption. Discourse will start showing a warning to users that IE11 support is ending at the top of the site. For full details, see Discourse is ending support for Internet Explorer 11 (IE11) on June 1, 2020
CSP enabled by default
At the start of 2019 Discourse first supported a Content Security Policy (CSP), an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. CSP has been enabled for new sites over the last year, but older sites did not have CSP enabled without explicit admin action. With beta10, CSP will be enabled for all sites unless explicitly disabled by an admin (strongly discouraged). Sites with external scripts running (for example Google Analytics, ads, tracking, etc.) may need configuration updates to continue working. See Mitigate XSS Attacks with Content Security Policy for full details on CSP, and how to configure scripts to work.
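As an added example (not Discourse’s own code), a small Ruby evaluator for the script-src part of a CSP header: given the header a site sends and the third-party script URLs it relies on, it reports which ones a browser would refuse to load, which is the check an admin wants before the policy goes live. It implements only the common source forms ('self', 'none', scheme sources, and host sources with wildcards, ports and path prefixes); the header, site and script URLs are constructed for illustration.

```ruby
require "uri"
# Matches a CSP host-source: optional scheme, host (may start with "*."), optional port, optional path.
HOST_SOURCE = %r{\A(?:([a-z][a-z0-9+.-]*)://)?([^/:'\s]+)(?::(\d+|\*))?(/\S*)?\z}i

# Split a CSP header into { "directive-name" => ["source", ...] }.
def parse_csp(header)
  header.split(";").each_with_object({}) do |directive, acc|
    name, *sources = directive.strip.split(/\s+/)
    acc[name.downcase] = sources unless name.nil? || name.empty?
  end
end

def host_matches?(pattern, host)
  return true if pattern == "*"
  return host.downcase.end_with?(pattern[1..].downcase) if pattern.start_with?("*.")
  pattern.casecmp?(host)
end

# Does one source expression permit loading `script` on a page served from `site`?
def source_allows?(source, script, site)
  case source
  when "'none'" then false
  when "'self'" then script.scheme == site.scheme && script.host == site.host && script.port == site.port
  when /\A'/ then false                       # 'unsafe-inline', nonces and hashes never whitelist a host
  when /\A[a-z][a-z0-9+.-]*:\z/i then script.scheme.casecmp?(source.chomp(":"))
  when HOST_SOURCE
    m = HOST_SOURCE.match(source)
    scheme, host, port, path = m[1], m[2], m[3], m[4]
    return false if scheme && !script.scheme.casecmp?(scheme)   # https:// source never matches http
    return false unless host_matches?(host, script.host)
    return false if port && port != "*" && port.to_i != script.port
    path.nil? || script.path.start_with?(path)
  else false
  end
end

# True when the script URL may load under the header; script-src falls back to default-src.
def script_allowed?(header, script_url, site_url)
  policy = parse_csp(header)
  sources = policy["script-src"] || policy["default-src"]
  return true if sources.nil?                 # no governing directive: the browser imposes no limit
  script, site = URI.parse(script_url), URI.parse(site_url)
  sources.any? { |src| source_allows?(src, script, site) }
end

# Which of a site's known external script URLs would this header block?
def blocked_scripts(header, script_urls, site_url)
  script_urls.reject { |url| script_allowed?(header, url, site_url) }
end
```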
Security Updates
This beta includes 4 security fixes for issues reported by our community and HackerOne. It is highly recommended that sites update to receive these patches.
- 2FA with U2F / TOTP
- Use strict JSON parsing when parsing backup metadata
- Improve second factor auth logic
- Privacy leak with staged user and closed category
Even more!
But wait, there’s more! We do our best to highlight new features and changes for you, but there are always too many changes to detail. For a full list of new features, bug fixes, UX improvements, and more, be sure to review the Additional Features and Fixes listed below.
Plugin improvements
Calendar
- Improve Holiday Grouping
- Multiple UX improvements
- Add timezone picker
- Add Google Calendar link
- Bug fixes
Translator
Add Yandex.Translate support
OpenID Connect
- Respect the email_verified boolean when supplied by IDP
- Allow parameters to be passed from /auth/oidc to the IDP
GitHub
- Add support for GitHub issues
- Bug fix
WP Discourse
- Fix Open Links in New Tab setting not being applied to Join Discussion link
- Use WPDISCOURSE_PATH constant when loading plugin files
Yearly Review
- Exclude read_restricted categories from user stats calculations
- Spanish support
- UX improvements
- Bug fixes
Ad Plugin
- Support fluid ad size in Google Ad Manager
- Bug fixes
Chat Integration
Include category title and color in Discord payload
Voting
- UX improvement
- Bug fix
Policy
Bug fix
Teambuild
Bug fixes
JWT
Bug fix
Styleguide
Bug fixes
RSS Polling
Bug fix
Signatures
Bug fix
SAML
Bug fix
Tooltips
Bug fix
Code Review
Bug fix
Onebox
Bug fixes
Encrypt
Bug fixes
Assign
Bug fixes
Cakeday
Bug fixes
Solved
Bug fix
Data Explorer
Bug fix
User Notes
Bug fixes
Additional Features and Fixes
New Features
- Export all types of reports
- Drop “backup” schema 7 days after restore
- Secure media allowing duplicated uploads with category-level privacy and post-based access rules
- Allow defining a dismiss duration on global notices
- Add hidden setting to disable configuration of inventory bucket
- Pass in excluded usernames to user-selector
- Use new Badging API
- Add rake task to disable secure media
- Topic admin menu sticks to bottom on mobile
- Allow plugins to add a global notice
- Allow TL3 promotions for overturned penalties
- Allow complex post params from plugin
- Add mybb.ru import script
- Keyboard shortcut for opening the topic admin menu
Bug Fixes
- Use new tag routes
- Workaround limitation in jquery.autoellipsis
- Higher z-index for usercards in the header
- Do not extract dates from quotes and Oneboxes
- Allow the app to generate and accept longer backup codes
- Incorrect locale in badge granter
- When tag or category is added, notify users that topic was modified
- Do not error in excerpts when aside tag has no class attribute
- Make topic query include topics from sub-sub-categories
- Make category-chooser show all parent categories
- Users should be able to remove their primary group
- Don’t override timezone on every visit of profile preferences
- Don’t cause exceptions due to rename of reply_id column
- Show PM icon in docked header
- Apply correct styles to icon and attempt to DRY code
- Do not increase size of emojis in markdown tables
- Reload the ReviewableScore types when extending flags
- Include sub-sub-categories in new/unread counts
- Change additional public uploads to not be secure
- Groups pagination was broken
- Change rootNone behavior in category-chooser
- Add missing translation key for narrative bot Italian locale
- Styling for feature topic on profile modal
- Show error message if the topic deletion fails
- Correctly wrap image and resize controls inside paragraph
- Better error message when topic deletion fails
- Create post notices only for public posts
- Group membership leak
- Raise a proper NotFound exception when filtering groups by username with invalid username
- Properly filter the groups based on current user visibility when viewing another user’s groups
- Spec for groups_controller#index when group directory is disabled for logged in user
- groups_controller.sortable specs to actually test all sorting combinations
- Rewrote the “view another user’s groups” specs to test all group_visibility and members_group_visibility combinations
- Ensure group-navigation state changes when route changes
- Ensure secondary menu of user notifications mobile nav reloads
- Update user-selector excluded usernames after insert
- Update featured badge ranking when mass-awarding badges
- Move padStart/padEnd back to core polyfills
- Specs with old filename
- Use CDN for the discourse-internet-explorer
- Remove padding while composer is saving
- Ran prettier on user-selector-test
- Make ‘findBySlugPathWithID’ when URL ends with a slash
- Prevent URL of file from being pasted when pasting file on iOS
- Don’t log a claimed topic database error during tests
- Stop logging errors in postgres on reviewable conflict
- Decompressing lots of small files triggered error
- Allow users to change title in locales other than English
- Do not redirect to /auth/* URLs after authentication
- If the admin SSO sync has no external ID, don’t throw an error
- Don’t leak event listeners in user-activity-drafts
- Allow omniauth confirmation page to pass through GET parameters
- Add noindex header to user profile pages
- Make scrolling to bottom post in topic more consistent
- Ensure we consistently pick the same topic for bench
- onScroll method was not defined on mobile discovery
- topic_tracking_state when mute_all_categories_by_default is enabled
- Only agree with the first post when using the ‘Delete post + replies and agree’ option
- Cached new topic data should not be deleted after dismiss new
- New/unread count after dismissing new topics in a regular category
- Allow scroll on load for discovery topic list
- Bulk insert to create application requests
- Bulk insert to create topics
- No need to create separate user for each topic, post etc.
- Another bulk_insert of ApplicationRequests
- Don’t create user and topic instances when not necessary
- Merge examples with expensive setup into one example
- MaxMind DB file not downloading correctly
- Keep ‘rb’ & ‘rp’ tags in HTML to markdown conversion
- Ensure CSP is off for qunit
- Show uncategorized description on categories page
- Descriptions were blank for uncategorized in hamburger menu
- Add a blank poll options validation
- Don’t give error 500 when invalid date param is given to admin reports
- Allow underscore in file extension while downloading the uploads
- Correctly account for onebox height when lazy loading images
- Any global notice text can contain HTML
- Bots accuracy should be zero
- Allow any protocol in wildcard URL checker
- Avoid superfluous logging when mime type is bad
- Under rare conditions saving a new draft could error temporarily
- Catch error when unknown COSE algorithm is supplied for Security Key
- Trigger commands are different for each locale, account for that
- Only show admin wrench when there are actions on mobile
- Don’t display cloak on admin tool when the right wrench is clicked
- Visual improvements to admin topic menu
- Use cached MaxMind DB for longer
- Open a card on click even if the mention has extra elements
- The ‘reviewed’ status filter should include deleted elements
- Update topic/post counter correctly when category has zero topics
- Make highlighting last viewed topic more resilient
- Correctly style PWA consent banner
- Allow global_notice site setting to contain HTML
- cache_critical_dns was erroring without IPAddr
- Correctly style notification-consent-banner
- Track correct site setting
- English and US date/time formats
- Better error message when forum is in read-only mode
- Update normalize css from 3.0.1 to 8.0.1
- Correct description for out of love badge
- Everyone can see poll results when on_vote and closed
- Bug when revoking badge as title
- Category routes model params should decode their URL parts
- Ensure that we encode a slug only once if slug generation method is encoded
- Give expanded CSS/HTML editor > 0 height
- Label helpers on sign up form are not hidden
- Remove rerenderTriggers
- Remove full nested quotes on direct reply
- Show signup input tips and improve spacing
- Limit requests and include data when reporting deprecated icons
UX Changes
- Users must confirm when leaving a private group
- Minor adjustments to choose topic modal
- Improve appearance of PM title editing
- Improve appearance of lists and user fields in mobile bios
- Ensure all generated backup codes are displayed on the screen
- Return a friendlier error when the CSV is invalid
- Added a cancel button to return to the /badges view
- Update IE11 deprecation warning, and enable by default
- Communicate the result to the user
- Center featured topic on mobile profiles
- Remove reliance on JS for category box links
- Sub-sub categories in “Boxes with subcategories” + consistency
- Correct validation message for category search priority
- TMP fix (CSS revert) until translations are ready for flex
- Some category page style adjustments for sub-sub categories
- Do not use avatars as fallback opengraph images for replies
- Invites#show can’t be requested with JSON and is not configured properly
- New bell icons for notification/tracking statuses
Performance
- Cache ranks for featured badges, to simplify user serialization
- Reduce DB queries when serializing ignore/mute information
- Cache ignored and muted user ids in the current_user object
- Avoid DB queries when checking ignore/mute permission in guardian
- Cache user badge count in user_stats table
I’m in crunch mode at the moment, but I’ve set a task to process this more.