We've recently had two reports of Discourse sites that were compromised, likely due to weak admin account passwords. So we'd like to document:

- what to do when compromise happens
- what we can do to better prevent this in the future

The Database

:warning: In case of compromise, you should...
The attacker can see all email addresses for all users on your site. This is normally privileged info that even moderators have to click a button to reveal.
Click a fucking button. I'd forgotten about that.
Should moderators have access to a user's email address?
It's privileged info
Add a button and make them click it first
What colour should it be?
Well at least that highlights another bug - timestamps aren't completely fixed, or this thread is really ed up.
EDIT: Whoops it fixed on refresh. Guess it was a temporary fault in the script or something.
Did you know that there is LITERALLY no way to calculate the height of an element, and its position on the screen, and if position + height > viewport height, open bottom-to-top instead of top-down?
Heh. I say "easily"... I mean it's simple in theory. The numbers are all there. As long as nothing changes, it's easy to put it where it's supposed to be... mostly you just have to make your script handle things moving, which could happen due to scrolling or the browser reflowing the content. You should be able to detect scrolling trivially; reflow, on the other hand... there's no single event that you can bind to listen for it. It could be something like an image loading anywhere above ... or below ... the content in particular. Y'know... typical jellypotato.
AFAIK there's really no good way to cover all of the bases for "if this element moves at all, I want to know about it!" in your script.
It'd really be nice if you could do it in CSS... then it'd be the browser's problem to give it the correct position if there's a reflow event. As it really should be...