The popular forum software Discourse has been updated and is now available as version 3.3.0 beta1. A beta is normally not a version that should be installed in production, but Discourse structures its releases differently, so the beta can certainly be installed and, especially when it contains security fixes, must be installed.

Purwin-IT offers Discourse with numerous modules in clearly structured hosting packages: https://www.purwin-it.de/webhosting/discourse

The developers have put a lot of work into further development and have packed extensive bug fixes and new features into this Discourse release. Below is only the list of security changes, new features and bug fixes: the highlights.

Discourse 3.3.0 beta1 Release Notes

New Features

  • Optionally show “Powered by Discourse” link to discourse.org (26162)
  • Filter additional keywords for the sidebar (26148)
  • Use browser dir="auto" for support_mixed_text_direction (26129)
  • Silence Close Notifications User Setting (26072)
  • Improve “+ subcategories” option (26086)
  • Enable strict-dynamic Content-Security-Policy by default (26051)
  • Show remaining count in category-drop (25938)
  • Move back to the forum link above the filter (26070)
  • Bulk Silent Close Topics (26043)
  • Add “+ subcategories” option back (26035)
  • Allows to force a thread (25987)
  • Site setting to include post in penalty messages (26025)
  • Add onebox for loom (26016)
  • Introduce APIs for manipulating header icons (25916)
  • Allow specific groups to view raw email (26003)
  • Add recover api scopes (25978)
  • Support boolean, enum and integer fields for schema theme settings (25933)
  • Introduces chat_preferred_mobile_index setting (25927)
  • Allow rowspan and colspan attributes on HTML tables (20973)
  • Filter admin sidebar (25853)
  • Add user status to chat members list (25831)
  • Schema theme setting input fields (25811)
  • Hide user status when user is hiding public profile and presence (24300)
  • Add scheduled Twitter login problem check - Part 1 (25830)
  • Call hub API to update Discourse discover enrollment. (25634)
  • Add automatic before and after outlets to wrapper plugin outlets (24254)
  • Add plugin-outlet before/after sidebar sections (25807)
  • Add a checkbox for users to confirm before flagging as illegal (25762)
  • Back button for schema theme settings (25743)
  • Create a link to start a new chat (25722)
  • Add a .topic attribute to transformedPost (25757)
  • Add experimental option for strict-dynamic CSP (25664)
  • Groundwork for schema theme settings UI (25673)
  • Shift+j and shift+k will scroll entire posts (25684)
  • Apply pinning to hot topic lists (25690)
  • Backlink to the site from Logster (25669)
  • Auto generate and display video preview image (25633)
  • Async load of category and chat hashtags (25526)
  • Add new ‘illegal’ flag reason (25498)
  • Show unread post indicator on mobile (25421)
  • Permalinks for users (25552)
  • Allow disabling user activity tab for non admin users (25540)
  • Improvements to hot feature (25533)
  • Adds a link to original message (25503)

Bug Fixes

  • Correctly strip unneeded csp directives under strict-dynamic (26180)
  • Support [code] in blockquotes (26182)
  • Handle nil post_search_data for search result (26179)
  • Clicking “more…” in emoji autocomplete (26176)
  • Clicking “more…” in emoji autocomplete (26160)
  • Improvements for the admin sidebar (26168)
  • Hide suggestion to send PMs when PMs are disabled for user (26157)
  • Avoid sending user emails if @ mentioning a staged user in a topic (26102)
  • Wait for async Topic.apply_transformations during loadMore (26143)
  • Lookbehind assertions aren’t available in < iOS 16.4 (26139)
  • Close user menu on navigation (26131)
  • Code “block” detection before showing autocomplete (26023)
  • Correctly detect RTL (26127)
  • Ensure header topic info updates immediately when navigating away (26128)
  • Correct pm icon link in glimmer header (26125)
  • Don’t prevent opening regular links in :hamburger:wrapper (26126)
  • Store registration ip address when creating user via SSO (26121)
  • Allow nil for properties values when they’re not required (26112)
  • Use user’s locale for chat push notifications (26107)
  • Bug in desktopNotifications service not allowing unsubscription (26103)
  • Improves linking of thread messages (26095)
  • Dismissing unread not dismissing correctly (26096)
  • In topic search for glimmer header (26040)
  • Check for options in dismissRead (26065)
  • Brings back discourse-sidebar icon (26050)
  • Update Discobot’s UserProfile#bio_raw when default locale changes (26045)
  • <td> spacing on expanded table (26037)
  • Do not show threads with no replies (26033)
  • Correctly shows as disabled a user who can’t chat (26010)
  • Active webhook types exclude inactive plugins (26022)
  • ThemeSettingsObjectValidator not allowing URL paths for string (26005)
  • Don’t downgrade trust level if all requirements are met. (25953)
  • Prevents duplicate attachments in incoming emails (25986)
  • Return missing href attribute for topic map participants avatars (25981)
  • Instantly removes group message when leaving (25961)
  • import:rebake_uncooked_* jobs couldn’t be run in parallel (25969)
  • Show “no category” in category-chooser (25917)
  • Live updates threads from my threads page (25955)
  • Channel member status live updates (25925)
  • Show deleted bookmark reminders in user bookmarks menu (25905)
  • Do not show send pm prompt when user can’t pm (25912)
  • Add status to channel membership serializer (25906)
  • Better handling of error on create DM (25908)
  • ThemeSettingsValidator.validate_value returning wrong error (25901)
  • Error when integer values are set as default of string type settings (25898)
  • Prevents exception when last reply has deleted user (25852)
  • Do not raise error on transition aborted (25841)
  • Correctly updates last read on scroll arrow click (25838)
  • Prevent admin sidebar errors in safe mode (25832)
  • Muted tags breaking hot page when filtered to tags (25824)
  • Do not double-highlight admin plugin links in sidebar (25808)
  • Regression with onFilesPicked action (25819)
  • Make category-drop search subcategories (25817)
  • Show Uncategorized in category-chooser (25794)
  • Allows to query a username made of integers (25815)
  • FollowRedirects when changing sidebar panel (25814)
  • Customize form template view modal footer buttons (25804)
  • Make /categories/search order deterministic (25793)
  • Ensure model properties are set (25790)
  • Cache keys should be strings (25791)
  • Load categories with search topic results (25700)
  • Category results should be ordered by term (25771)
  • Admin sidebar was hiding chat/forum toggle button (25781)
  • Do not duplicate admin sidebar plugin links (25780)
  • Admin nav active link in dark mode (25759)
  • Set the video background to be black (25744)
  • Correct category name for auto_join_users_info in chat (25739)
  • Full post jump not working (25734)
  • Add a border around the video placeholder play button (25727)
  • Preload parent categories for sidebar (25726)
  • Remove strict-dynamic-specific logic from CSP extensions (25725)
  • Respect homepage prefs on admin sidebar Back to Forum link (25642)
  • Is_my_own? check for users who are anonymously doing actions (25716)
  • Make recent search items populate input with value (25704)
  • A regression in b797434 (25694)
  • Logster backlink config in production (25685)
  • Make similar topics selectable (25682)
  • Allow several chat channels to have an empty slug (25680)
  • Hide timer info on topic status toggle (25596)
  • Touch up illegal flag type translations (25670)
  • Do not add "tag-" class to pages with no tag filter (25677)
  • Serialize can_ignore_users (25672)
  • Don’t unnecessarily scrub query params from homepage (25665)
  • Preload user-specific category fields (25663)
  • Email category badges shouldn’t use category text color (25655)
  • Quoted private topic url respects subfolder install (25643)
  • Sort chat channels by slug (25656)
  • No reply as a new topic without permission (25641)
  • Webauthn origin was incorrect for subfolder setups (25651)
  • Sort chat channels by mentions, unread and channel title (25565)
  • Change max_image_megapixels logic (25625)
  • Render category badge styles inline for email (25487)
  • Look up all channel hashtags (25617)
  • Preload associations on subcategories when lazy loading categories (25630)
  • Always preload admin plugin list for admin in sidebar (25606)
  • Hot not adding recently bumped topics (25619)
  • Do not async already loaded categories (25607)
  • Respect date range in top traffic sources report (25599)
  • Service worker push notifications when cache disabled (25610)
  • Always trust admin and moderators with post edits (25602)
  • Translation missing for Illegal flag on topic (25603)
  • Always allow staff (admins & mods) to post links (25601)
  • Add id to warn (25597)
  • Omit CSP nonce and hash values when unsafe-inline enabled (25590)
  • Restore support for .js.es6 files in PrettyText (25588)
  • Similar topics relying on widget search menu (25586)
  • Clicking a notification was triggering an error (25583)
  • Correct className for notification avatars using system avatar (25578)
  • Visits for TL3 actually means “Posts Read: unique days” (25468)
  • Save previous chat state when navigating with the sidebar (25537)
  • Insert Hyperlink search badge spacing (25563)
  • Correctly save group invites (25566)
  • Update themes javascript cache after running themes migrations (25562)
  • Add desktop redirect for mobile only chat routes (25561)
  • Handle old Firefox versions that do not support isConditionalMediationAvailable (25549)
  • Plugin image assets in production (25547)
  • Prevents discourse header to go under ipad navigation (25542)
  • Only use mention styling for valid mentions in chat (25523)
  • Preload sidebar categories when lazy loading categories (25332)
  • Serialize uploaded_avatars_allowed_groups check on current user (25515)
  • Better supports ipad and hub footer nav (25518)
  • Video playback on iOS (25513)
  • Use feedback_category placeholder in i18n string (25514)
  • Remap postgres text search proximity operator (25497)
  • Missing translation of guidelines_topic.body (25505)
  • Conditionally hide ‘My Threads’ on mobile (25494)
  • Remove fast-edit regex and string replacement (25496)
  • Chat channel row indicator should only show urgent count (25458)
  • Default more group settings to staff + TL(N) (25493)
  • Remove newlines from img alt & title in HTML to markdown parser (25473)
  • Site-setting integer input type (25485)

UX Changes

  • Fix chat title margin on drawer and side panel (26171)
  • Fix chat navbar header alignment (26161)
  • Update glimmer header with new dnd icon (26166)
  • Display setting description for objects typed theme setting (26152)
  • Improve error handling for DiscourseConnect (26140)
  • Chat thread last replied user avatar (26123)
  • Remove last reply from My Threads preview + restyle (25568)
  • Change default action label from “Message” to “Send Message” in composer when sending a message (26109)
  • Styles for back to the forum link on the hamburger menu (26118)
  • Show loading spinner while loading dependencies for ace-editor (26099)
  • Chat avatar is-online styling (26012)
  • Update Facebook blue hex, add comment about button color (26105)
  • Don’t hide new navigation item in experimental new new view (26094)
  • Add optional grid-area below-content (26091)
  • Clean up invite buttons (26068)
  • Left align suggested topics header and footer text (26058)
  • Add sidebar icon (26046)
  • Move top dismiss button from topics to d-navigation (26032)
  • Fix fontsize and weight for prioritize username setting (26034)
  • Chat message creator scss cleanup + design tweak to username display (25928)
  • Always show image controls on touch devices (26018)
  • Site setting descriptions initial pass (25829)
  • Disable the image preview controls while invisible (25990)
  • Improve group email setting wrap, cleanup styles (25985)
  • Improve advanced search wrapping, remove mobile stylesheet (25975)
  • Clean up tag info styles, remove mobile stylesheet (25973)
  • Simplify styles for image uploader (25970)
  • Enable badge title on mobile, style cleanup (25968)
  • Update appropriate btn-flat instances to btn-transparent (25945)
  • Increase chat pre scrollbar contrast (25930)
  • Chat > general fixes (25929)
  • Improve invite error message when a user uses an email that has already redeemed (25695)
  • Flexible autocomplete width (25900)
  • Make sure a-tag uses border radius var (25882)
  • Fix border-radius for dropdown in chat msg actions (25881)
  • Remove margin on bookmark icon on chat msg (25859)
  • Remove hardcoded value (25499)
  • Chat > send btn alignment + hardcoded value fix (25836)
  • Chat composer > fix typing indicator and top padding (mobile) (25821)
  • Group names shouldn’t always be capitalized (25820)
  • Fix topic map link expansion hover (25822)
  • Tweaks for send button (25816)
  • Allow fullscreen composer on mobile (25787)
  • Chat composer design update (mobile) (25789)
  • Fix sidebar section modal styles (25803)
  • Modal mobile fixes (25788)
  • Chat channel title links to channel settings (25785)
  • Change the color of the overridden dot to be slightly visible in dark mode (25782)
  • Hide the draggable icon in the sidebar form on mobile (25738)
  • Fix the video spinner css (25770)
  • Tweak play button css (25754)
  • Tweaks on the admin sidebar (25717)
  • Allow resetting password when confirming session (25708)
  • Better card alignment (25720)
  • Show search history for more contexts (25705)
  • Chat browse redesign (25698)
  • Clean up some label and form inconsistencies, reduce excess bolding (25701)
  • Prevent groupname from wrapping (25696)
  • Fix group search result alignment and styles (25681)
  • Show the full mobile read-state indicator (25678)
  • Add loading indicator to ‘new or updated’ PM banner (25676)
  • Clarify old dates with YYYY instead of 'YY (25661)
  • Set width for the new feature items (25657)
  • Add loading indicator when loading ‘new or updated topics’ (25649)
  • Onebox container sizing (25658)
  • Set zindex of chat action menu higher (25645)
  • Make refresh notice copy more friendly (25646)
  • Don’t display empty state while changing notification filter (25631)
  • Fix post count position on avatars in topic map (25622)
  • Add padding to bottom of mobile chat channel settings page (25587)
  • Grant names some more space on /u (25576)
  • Chat Sizing on Mobile (25543)
  • Refactor Do Not Disturb indicator (25508)
  • Shows PWA/Hub footer navigation on chat (25501)
  • Update selected colour var (25500)

Security Changes

  • Generate more category CSS on client
  • Limit invites params length
  • Prevent large staff actions causing DoS
  • Add rate limits for uploads
  • Don’t disclose the existence of secret subcategories

Performance

  • Omit HTML view from sessions by logged on users. (26170)
  • Avoid saving ThemeSetting twice when creating new db override (26076)
  • Add indexes to speed up notifications queries by user menu (26048)
  • Reduce ActiveRecord allocations in CategoryList#find_relevant_topics (25950)
  • Stop running bootsnap in development mode on all environments (25737)
  • Use -ping option to ImageMagick identify command (25713)
  • Pass the -ping option to the identify ImageMagick command to speed it up (25697)
  • Don’t allow a single user to monopolize the defer queue (25593)
  • Add cache for Category.asyncFindByIds (25531)

Accessibility

  • Update bulk selection keyboard shortcuts (26069)
  • Markup sidebar form errors as live regions (25937)
  • When adding custom sidebar link, first input of new row should get focus (25920)
  • Change composer role to dialog, improve aria-labels (25666)
  • Mark up custom nav section form for screen readers (25623)

All changes can be found in the release notes at: https://meta.discourse.org/t/3-3-0-beta1-discourse-discover-opt-in-hot-topics-page-its-illegal-flag-reason-and-more/298236/3