:wtf: How can this be so wrong??? (AKA the Discopocalypse thread)
-
@loopback0 wow that dude is not long for meta.d.
-
@loopback0 oh wow, that's... advanced stupid.
As in, I realize that if you're building as SPA, you want to handle navigation with JS magic, since that's kinda what SPAs are about, and since people also want those pesky good-looking URLs that means you need to route client-side so that going from one thread to another doesn't cause a full page reload. So far so good.
But imagine you're an Ember router, and you get asked for a URL you don't know about. What's your reasonable response?
a) "Hm, this doesn't look like any URL I'm aware of, but I don't know the exact list of resources on the domain. After all, I'm just one resident of the server, and the admin might've put something else in there. And berating the user without making 100 percent sure they're wrong is just bad design. All in all, I should probably fall back to the server - either via a full redirect, or just a HEAD request to see if it's actually a 404."
b) "Fuck you, if Discourse don't trust ya I'm gon' shoot ya. Thought you'd try hiding things from me? Putting some other files on, maybe? Well I'M IN CONTROL OF THIS PLACE, BITCH! 404 NOT FOUND, 'CAUSE I AIN'T EVEN GONNA LOOK!"
-
@Maciejasjmj c) let's just hardcode some URLs for the router to ignore.
-
@Maciejasjmj said in How can this be so wrong??? (AKA the Discopocalypse thread):
But imagine you're an Ember router, and you get asked for a URL you don't know about. What's your reasonable response?
Shoot myself in the head with a shotgun?
-
Bonus points for the xaade comma.
-
@coldandtired said in How can this be so wrong??? (AKA the Discopocalypse thread):
Bonus points for the xaade comma.
That's not a @xaade comma.
"I never fully understood the distinction, so you would need to (since I have no idea how any of this shit works anymore so maybe figure it out yourself), direct this at @sam (he's our bitch for all those cases we can't be arsed to take up, maybe he'll find some time for you)"
-
BWAH HA HA. I only regret that I didn't see this earlier...
-
https://meta.discourse.org/t/blocked-users-and-hidden-posts/46776/10
I blocked a TL3 user and it hid their posts
This should only happen for TL0
This does already happen only for TL0
I blocked a TL2 and it happened again
Me too
Why? You're using the software wrong
-
@coldandtired said in How can this be so wrong??? (AKA the Discopocalypse thread):
Bonus points for the xaade comma.
I want to see the view as a non admin
: Impersonate
That totes doesn't work
yes it does, just not for impersonating other admins
so you can impersonate for viewing as a non admin?
Yes with the caveat that most admins will not be able to impersonate admins.
-
@Maciejasjmj said in How can this be so wrong??? (AKA the Discopocalypse thread):
b) "Fuck you, if Discourse don't trust ya I'm gon' shoot ya. Thought you'd try hiding things from me? Putting some other files on, maybe? Well I'M IN CONTROL OF THIS PLACE, BITCH! 404 NOT FOUND, 'CAUSE I AIN'T EVEN GONNA LOOK!"
Pro tip: reading this with a Jersey accent makes it 20% funnier than it already is.
-
@coldandtired quoted in How can this be so wrong??? (AKA the Discopocalypse thread):
Just wondering if it possible to have an option where the forum can be viewed as a non-staff member without having to create a separate non-staff account?
TBH, what's the issue with creating non-staff accounts?
Though, truth be told, one of those things is not like the others.
I think the OP, however, was basically asking to temporarily demote/promote their own user (to a max of the original level) to one of the however many levels they have these days. (Basically what I used the PJH_([0-4]|MOD) accounts for.)
-
@loopback0 said in How can this be so wrong??? (AKA the Discopocalypse thread):
c) let's just hardcode some URLs for the router to ignore.
That sounds expensive. Better spin up a link CDN.
Of course, I joke, but that was actually 's first response to this situation.
-
Based on our analysis of this event we are bumping minimum password lengths, from a global default of 8 in Discourse 1.5 to
users -- 10 chars
admins -- 15 chars
What Jeff thinks:
weakpass => #w3akpa5s!
What really happens:
weakpass => weakpass12
-
@Sumireko said in How can this be so wrong??? (AKA the Discopocalypse thread):
Based on our analysis of this event we are bumping minimum password lengths, from a global default of 8 in Discourse 1.5 to
users -- 10 chars
admins -- 15 chars
What Jeff thinks:
weakpass => #w3akpa5s!
What really happens:
weakpass => weakpass12
Yeah 15+ char password requirements are just asking for trouble.
-
@loopback0 said in How can this be so wrong??? (AKA the Discopocalypse thread):
The attacker can see all email addresses for all users on your site. This is normally privileged info that even moderators have to click a button to reveal.
Click a fucking button. I'd forgotten about that
Should moderators have access to a user's email address?
It's privileged info
So... no?
Add a button and make them click it first
What colour should it be?
Well, the basic idea seems sensible since it could be used for auditing. Does that actually / could it actually happen with Discourse though?
-
@pydsigner said in How can this be so wrong??? (AKA the Discopocalypse thread):
@Sumireko said in How can this be so wrong??? (AKA the Discopocalypse thread):
Based on our analysis of this event we are bumping minimum password lengths, from a global default of 8 in Discourse 1.5 to
users -- 10 chars
admins -- 15 chars
What Jeff thinks:
weakpass => #w3akpa5s!
What really happens:
weakpass => weakpass12
Yeah 15+ char password requirements are just asking for trouble.
My passwords are all like this:
pnOqs0yIebnYfTtmRmes3J6UFtY5fey3fpweeqz9R7BvbilaNav3F6Pr4eIkQ7w
I'd put symbols in, but a lot of websites break if I enter a password with a less than sign followed by a letter, or even worse, accept the password change and then break, like the payroll website my company uses.
-
@Dreikin said in How can this be so wrong??? (AKA the Discopocalypse thread):
@loopback0 said in How can this be so wrong??? (AKA the Discopocalypse thread):
The attacker can see all email addresses for all users on your site. This is normally privileged info that even moderators have to click a button to reveal.
Click a fucking button. I'd forgotten about that
Should moderators have access to a user's email address?
It's privileged info
So... no?
Add a button and make them click it first
What colour should it be?
Well, the basic idea seems sensible since it could be used for auditing. Does that actually / could it actually happen with Discourse though?
We hide email addresses using CSS that shows the address on hover because we just don't want our mods or admins accidentally screenshotting a user's email address.
-
@ben_lubar said in How can this be so wrong??? (AKA the Discopocalypse thread):
we just don't want our mods or admins accidentally screenshotting a user's email address.
Yeah, but it's a point, anyway, because they'd have to work to get to the page where they'd be visible.
-
@ben_lubar said in How can this be so wrong??? (AKA the Discopocalypse thread):
or even worse, accept the password change and then break, like the payroll website my company uses.
Have you told Alex about this? I feel he should be informed...
-
@PJH said in How can this be so wrong??? (AKA the Discopocalypse thread):
@ben_lubar said in How can this be so wrong??? (AKA the Discopocalypse thread):
or even worse, accept the password change and then break, like the payroll website my company uses.
Have you told Alex about this? I feel he should be informed...
I mean, he's the one who had to reset my account password, so I'm pretty sure I told him the reason.
-
@ben_lubar Can you check he's paid the server bill this month?
-
@loopback0 said in How can this be so wrong??? (AKA the Discopocalypse thread):
@ben_lubar Can you check he's paid the server bill this month?
Short answer: not yet
Long answer: He filed a support ticket yesterday about automatic renewal not working. I sent him an email about the response to the ticket ("we support automatic renewal on services X, Y, Z, A, B, and D, but you're using service C, which we haven't made work with automatic renewal yet"), but the date on my email is 12 hours after the date on Alex's email saying he would file a ticket.
I'm pretty sure he'll have time to renew it before most of the people in North America wake up, but Europeans might have some time where they can't access the site tomorrow.
-
a user got confused by the .gz extension when downloading their posts
i wanted .zip
but it turned out to be hard on Linux
-
@loopback0 ........
Well, the man gets literally everything else wrong, so why should this be a surprise.
-
@loopback0 said in How can this be so wrong??? (AKA the Discopocalypse thread):
a user got confused by the .gz extension when downloading their posts
i wanted .zip
but it turned out to be hard on Linux
Mittineague Plugin Author:
a free tool to open the .gz file
I use a hacky (file names are edited in) DIY PHP file on my localhost
<?php
ini_set("memory_limit", -1); // no limit
set_time_limit(0);           // no limit
$readfilename  = "_____.csv.gz";
$writefilename = "_____.csv";
$filecontent = "";
$filepointer = gzopen($readfilename, "rb");
while (!gzeof($filepointer)) {
    $contentline = gzgets($filepointer);
    $filecontent .= $contentline;
}
gzclose($filepointer);
$filehandle = fopen($writefilename, "wb");
fwrite($filehandle, $filecontent);
fclose($filehandle);
?>
But I guess anyone that would know how to do that understands compression formats.
-
@Dreikin He's been there writing Discoplugins for so long that he's caught the Discostupidity™ :O
-
@Dreikin said in How can this be so wrong??? (AKA the Discopocalypse thread):
@loopback0 said in How can this be so wrong??? (AKA the Discopocalypse thread):
a user got confused by the .gz extension when downloading their posts
i wanted .zip
but it turned out to be hard on Linux
Mittineague Plugin Author:
a free tool to open the .gz file
I use a hacky (file names are edited in) DIY PHP file on my localhost
<?php
ini_set("memory_limit", -1); // no limit
set_time_limit(0);           // no limit
$readfilename  = "_____.csv.gz";
$writefilename = "_____.csv";
$filecontent = "";
$filepointer = gzopen($readfilename, "rb");
while (!gzeof($filepointer)) {
    $contentline = gzgets($filepointer);
    $filecontent .= $contentline;
}
gzclose($filepointer);
$filehandle = fopen($writefilename, "wb");
fwrite($filehandle, $filecontent);
fclose($filehandle);
?>
But I guess anyone that would know how to do that understands compression formats.
I love the part where they get halfway to writing a streaming decoder and then say "fuck it" and append the whole file to a buffer before writing any of it.
-
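Editor's added example (not from any post in this thread, and not Mittineague's or Discourse's code): the quoted PHP reads the .gz line by line with gzgets, which is the right idea, but then appends every line to one string before writing, so peak memory is the whole uncompressed export. The Ruby version below does the streaming part properly with Zlib::GzipReader, writing each decoded line as soon as it is available, and keeps the slurp-everything variant next to it for comparison. The sample .csv.gz it builds is constructed in a temp directory; the file names are placeholders, not a Discourse path.

```ruby
require "zlib"
require "tmpdir"

# Stream a .csv.gz to a plain .csv without ever holding the whole file in
# memory: each line is written as soon as it is decoded. Returns bytes written.
# (GzipReader#each_line is the Ruby counterpart of the PHP gzgets loop.)
def gunzip_streaming(src_path, dst_path)
  bytes = 0
  Zlib::GzipReader.open(src_path) do |gz|
    File.open(dst_path, "wb") do |out|
      gz.each_line { |line| bytes += out.write(line) }
    end
  end
  bytes
end

# The approach being mocked above: decode everything into one buffer, then
# write once. Peak memory equals the full uncompressed size.
def gunzip_buffered(src_path, dst_path)
  content = Zlib::GzipReader.open(src_path) { |gz| gz.read }
  File.binwrite(dst_path, content)
end

# Constructed sample input: a small CSV-ish export compressed with gzip.
# Not a real Discourse export; the column layout is made up for the demo.
def write_sample_gz(path, rows)
  Zlib::GzipWriter.open(path) do |gz|
    gz.write("id,raw\n")
    rows.times { |i| gz.write("#{i},post number #{i}\n") }
  end
  path
end

# Round trip in a temp dir; returns [bytes written, lines in the output].
def demo
  Dir.mktmpdir do |dir|
    src = write_sample_gz(File.join(dir, "posts.csv.gz"), 1000)
    dst = File.join(dir, "posts.csv")
    n = gunzip_streaming(src, dst)
    [n, File.foreach(dst).count]
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Both functions produce identical output; the difference only shows up when the export is large, which is exactly when a user would reach for a "free tool to open the .gz file".
-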
Having just reread the bug report that started this mess, for the lulz, does anyone still have a meta.d account and the inclination to see if the button positioning has been fixed?
-
@Jaloopa said in How can this be so wrong??? (AKA the Discopocalypse thread):
Having just reread the bug report that started this mess, for the lulz, does anyone still have a meta.d account and the inclination to see if the button positioning has been fixed?
Wasn't it jeffed to oblivion? IIRC the topic was moved out of public view and forgotten.
As far as "fixed". Um... I just created an account, now awaiting New Topics...
Edit: Filed under: How the frick do you mark a thread as unread manually in Discourse again?
-
@Jaloopa said in How can this be so wrong??? (AKA the Discopocalypse thread):
Having just reread the bug report that started this mess, for the lulz, does anyone still have a meta.d account and the inclination to see if the button positioning has been fixed?
Only in spirit. There's now a single Dismiss... button, but it changes screen sides depending on what you view it on.
Desktop:
Chrome Developer Tools - Device mode - Nexus 6P:
Pixel:
Edit: Now with screenshots!
-
@Tsaukpaetra said in How can this be so wrong??? (AKA the Discopocalypse thread):
As far as "fixed". Um...
They took away two buttons and made it one.
-
@Maciejasjmj oh, right, that was in the leaked whisper
-
I went to write a title and Discourse started swearing at me - honest-to-goodness, real sailor talk.
You said "password"
...
It has the word in it
We should at least make sure we match the whole word before we start swearing.
And fix the spacing - no one can read all that swearing if it isn't properly formatted!
So ... if my community of nuns mention spotting a blue tit in the convent gardens ... this list will pop up?
There goes my plans for a hernia support community ...
-
@svieira "please enter your username and pbuttword to login"
-
Who else than the Discoteam would repeat this clbuttic mistake?
What a bunch of blue tits...
-
@Onyx said in How can this be so wrong??? (AKA the Discopocalypse thread):
Who else than the Discoteam would repeat this clbuttic mistake?
Gotta check those topic breastles are safe.
-
@svieira What's almost as embarrassing as the clbuttic mistake is that list itself. Apparently, it's impossible to have Civilized Discourse™ about sex or rape, because those are BAD WORDS!!!!!!!!
-
@asdf said in How can this be so wrong??? (AKA the Discopocalypse thread):
@svieira What's almost as embarrassing as the clbuttic mistake is that list itself. Apparently, it's impossible to have Civilized Discourse™ about sex or rape, because those are BAD WORDS!!!!!!!!
I recall there having been about sensitive word lists on here before, something about a github project.
EDIT: This: https://github.com/wooorm/alex, it was talked about in a garage thread.
-
@aliceif said in How can this be so wrong??? (AKA the Discopocalypse thread):
something about a github project
Oh, yeah, that project was hilarious. The discussion shitstorm that followed was less amusing, though, IIRC.
-
@Lorne-Kates said in How can this be so wrong??? (AKA the Discopocalypse thread):
You can't roll back the data, because every time they make a change they permanently break backwards compatibility.
It's the Rails way!
-
@loopback0 said in How can this be so wrong??? (AKA the Discopocalypse thread):
a user got confused by the .gz extension when downloading their posts
i wanted .zip
but it turned out to be hard on Linux
7zip licences should permit it to be distributed with Discourse, as long as it's attributed or whatever (to my understanding). And surprise, surprise, 7zip has command line support, so all would be well.
-
@dkf said in How can this be so wrong??? (AKA the Discopocalypse thread):
It's the Rails way!
To be fair, it's not. Or, at least, not always. It is, however, the way of the fly-by-night cowboy developer. Migrations from one database schema to another should include a tested way of migrating back. Migrations usually involve the generation of synthetic data; where it's impossible to unsynthesize that, there's always *gasp* backups.
That Jeffco® don't take a robust approach to database schema changes should be a surprise to approximately 0% of people here.
-
@tufty said in How can this be so wrong??? (AKA the Discopocalypse thread):
Migrations usually involve the generation of synthetic data, where it's impossible to unsynthesize that, there's always gasp backups.
Directive 595 Part Jeff "Backups and backup solutions are slow give lack of flexibility, more costly evolution, inhibit the use of Discourse acting as a service to my ego and make it an inhibitor to evolution"
-
@loopback0 said in How can this be so wrong??? (AKA the Discopocalypse thread):
i wanted .zip but it turned out to be hard on Linux
wat?
Why is zip hard on linux? I was zipping stuff left and right in a bunch of software I made.
-
@cartman82
unzip is not mentioned in top SO answer. Looking past that is hard.
-
@svieira Wow! Who thought it was a good idea to dump the entire censor list into an error message!?
-
@cartman82
Jeff figured he'd take the opportunity to express how he really felt about his lusers.
-
@cartman82 said in How can this be so wrong??? (AKA the Discopocalypse thread):
@svieira Wow! Who thought it was a good idea to dump the entire censor list into an error message!?
zogstrip:
Also, we should fix that message. It's very bad UX.
Yep, I agree. It's terrible UX to unexpectedly have a huge list of curse words tossed at you for no discernible reason.
At the very least, something like .split("|").sort.join(", ").
-
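Editor's added example (not from any post here, and not Discourse's filter code), covering both the "password" / "blue tit" complaint earlier in the thread and the split/sort/join suggestion just above: a substring check against a pipe-separated blocklist flags "password" because it contains "ass" and "titles" because it contains "tit", and doing the replacement the same way is how "classic" becomes "clbuttic". Matching whole words with \b fixes both, Regexp.escape keeps list entries from being read as pattern syntax, and the error message names only the word that actually matched instead of dumping the list. The blocklist and the swap table are constructed for the demo.

```ruby
# Constructed sample blocklist, in the pipe-separated form the thread says
# was dumped into the error message. Not Discourse's real list.
BANNED = "tit|ass|damn".freeze

# Naive check: any substring hit. "title" and "password" both trip it.
def naive_hit(text, list = BANNED)
  list.split("|").find { |w| text.downcase.include?(w) }
end

# Whole-word pattern: escape each term (so a list entry can't inject regex
# syntax), join into one alternation, and anchor both ends with \b.
def word_boundary_regex(list = BANNED)
  terms = list.split("|").map { |w| Regexp.escape(w) }
  /\b(?:#{terms.join("|")})\b/i
end

# Returns the blocked word that matched as a whole word, or nil.
def whole_word_hit(text, list = BANNED)
  m = word_boundary_regex(list).match(text)
  m && m[0].downcase
end

# Error text that names only the offending word, not the whole list.
def title_error(text, list = BANNED)
  w = whole_word_hit(text, list)
  w ? "Title contains a blocked word: #{w}" : nil
end

# The clean-up suggested in the thread, for when the list really must be shown.
def readable_list(list = BANNED)
  list.split("|").sort.join(", ")
end

# Constructed replacement table for the "clbuttic" mistake.
SWAPS = { "ass" => "butt", "tit" => "breast" }.freeze

# Substring replacement: rewrites the inside of innocent words.
def naive_censor(text, swaps = SWAPS)
  swaps.reduce(text) { |t, (bad, ok)| t.gsub(bad, ok) }
end

# Whole-word replacement: only standalone occurrences are swapped.
def whole_word_censor(text, swaps = SWAPS)
  re = /\b(#{swaps.keys.map { |k| Regexp.escape(k) }.join("|")})\b/i
  text.gsub(re) { |w| swaps[w.downcase] }
end

if $PROGRAM_NAME == __FILE__
  puts naive_hit("Enter your password").inspect      # "ass"
  puts whole_word_hit("Enter your password").inspect # nil
  puts naive_censor("classic titles")                # clbuttic breastles
  puts whole_word_censor("classic titles")           # classic titles
  puts title_error("a blue tit in the convent gardens")
end
```

The \b approach still has the hernia-support problem if an entry is itself a legitimate word; that is a list-curation question, not something a regex can solve.
-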
Someone needs to let @codinghorror know that Jeff Atwood has Declared that running stable is running horrendously out of date software. Backports are