We'd like a way to see which users have added a category to their watch list. Ideally this information would be able to be exposed to mods as well, or handled as a new security "type" for the category security settings.
Our use case is that we have mods that we assign to "check-in" with users to make sure that they are subscribing to a particular category and getting updates. Right now there is no real way that we can see to expose that information without going into each user account in admin and checking their preferences.
Discourse now ships with official hooks to perform auth offsite.
The Problem
Many sites wish to integrate with a Discourse site, however want to keep all user registration in a separate site. In such a setup all Login operations should be outsourced to a different site.
What if I would like SSO in conjunction with existing auth?
Settings:
enable_sso: must be enabled; this is the global switch.
sso_url: the offsite URL users will be sent to when attempting to log on.
sso_secret: a secret string used to hash SSO payloads. Ensures payloads are authentic.
Once enable_sso is set to true:
Clicking on login or the avatar will redirect you to /session/sso, which in turn will redirect users to sso_url with a signed payload.
Users will not be allowed to "change password". That field is removed from the user profile.
Users will no longer be able to use Discourse auth (username/password, google, etc)
What if you check it by mistake?
If you check enable_sso by mistake, need to revert to the original state, and no longer have access to the admin panel, run:
RAILS_ENV=production bin/rails c
irb > SiteSetting.enable_sso = false
Implementing SSO on your site
Discourse will redirect clients to sso_url with a signed payload: (say sso_url is https://somesite.com/sso)
You will receive incoming traffic with the following
https://somesite.com/sso?sso=PAYLOAD&sig=SIG
The payload is a Base64 encoded string comprising a nonce. The payload is always a valid querystring.
For example, if the nonce is ABCD, raw_payload will be:
Your site should then:
1. Validate the signature: ensure that the HMAC-SHA256 of PAYLOAD, keyed with sso_secret, is equal to sig.
2. Perform whatever authentication your site needs.
3. Create a new payload with nonce, email, external_id and optionally (username, name, return_url).
4. Base64 encode the payload.
5. Calculate an HMAC-SHA256 of the Base64 encoded payload, using sso_secret as the key and the encoded payload as the text.
6. Redirect back to http://discourse_site/session/sso_login?sso=payload&sig=sig
Discourse will validate that the nonce is valid (if valid, it expires it right away so it can no longer be used). It will then attempt, in order, to:
1. Log the user on by looking up an already associated external_id in the SingleSignOnRecord model.
2. Log the user on by using the email provided (updating external_id).
3. Create a new account for the user with the provided (email, username, name), setting external_id.
Security concerns
The nonce (one time token) will expire automatically after 10 minutes. This means that as soon as the user is redirected to your site they have 10 minutes to log in / create a new account.
The protocol is safe against replay attacks, as a nonce may only be used once.
Reference implementation
Discourse contains a reference implementation of the SSO class:
A trivial implementation would be:
class DiscourseSsoController < ApplicationController
  def sso
    secret = "MY_SECRET_STRING"
    # parse verifies the signature against the secret and extracts the nonce;
    # it raises if the signature does not match
    sso = SingleSignOn.parse(request.query_string, secret)
    sso.email = "user@email.com"
    sso.name = "Bill Hicks"
    sso.username = "bill_hicks" # must be a valid Discourse username, not an email address
    sso.external_id = "123" # unique to your application
    sso.sso_secret = secret
    redirect_to sso.to_url("http://l.discourse/session/sso_login")
  end
end
Transitioning to and from single sign on.
The system always trusts emails provided by the single sign on endpoint. This means that if you had an existing account in the past on Discourse with SSO disabled, SSO will simply re-use it and avoid creating a new account.
If you ever turn off SSO, users will be able to reset passwords and gain access back to their accounts.
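The two halves of the exchange above (verifying the incoming sig and nonce, then building the signed return URL), as an added example that is not Discourse's own SingleSignOn class; the secret, hostnames and user values are constructed for the demo:

```ruby
require "openssl"
require "cgi"
require "uri"

# Hypothetical SSO provider helper for the site behind sso_url (added example,
# not Discourse's own SingleSignOn class). Secret and hostnames are constructed.
module SsoProvider
  def self.sign(base64_payload, secret)
    OpenSSL::HMAC.hexdigest("sha256", secret, base64_payload)
  end

  # Constant-time comparison so a forged sig cannot be guessed byte by byte via timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Step 1: verify sig over the Base64 payload Discourse sent, then pull out the nonce.
  # Returns nil (reject the request) when anything is missing or the signature is wrong.
  def self.parse_incoming(query_string, secret)
    params = CGI.parse(query_string)
    sso, sig = params["sso"].first, params["sig"].first
    return nil if sso.nil? || sig.nil?
    return nil unless secure_equal?(sign(sso, secret), sig)
    CGI.parse(sso.unpack1("m"))["nonce"].first # unpack1("m") is Base64 decode
  end

  # Steps 3-5: after the site has authenticated the user, echo the nonce back with the
  # user's identity, Base64-encode it, sign the encoded string and build the redirect URL.
  def self.build_return_url(discourse_base, nonce, email, external_id, secret,
                            username: nil, name: nil)
    fields = { "nonce" => nonce, "email" => email, "external_id" => external_id }
    fields["username"] = username if username
    fields["name"] = name if name
    payload = [URI.encode_www_form(fields)].pack("m0") # pack("m0") is strict Base64
    "#{discourse_base}/session/sso_login?sso=#{CGI.escape(payload)}&sig=#{sign(payload, secret)}"
  end
end

if __FILE__ == $PROGRAM_NAME
  secret = "constructed-demo-secret"
  incoming_payload = ["nonce=ABCD"].pack("m0") # what Discourse would send for nonce ABCD
  incoming = "sso=#{CGI.escape(incoming_payload)}&sig=#{SsoProvider.sign(incoming_payload, secret)}"
  nonce = SsoProvider.parse_incoming(incoming, secret)
  puts SsoProvider.build_return_url("http://discourse.example", nonce, "user@email.com", "123",
                                    secret, username: "bill_hicks", name: "Bill Hicks")
end
```

A real provider would also reject a nonce it has already answered, since Discourse only enforces single use on its side once the return payload arrives.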
I would like to use Discourse for a gaming community. We also need some page for recent news which will link to discussions in Discourse. It seems quite a waste to set up a WordPress blog only for this purpose. Why not give some simplified blog functionality in Discourse?
Currently, the category title in the French locale is "{title} Sujets", like in English, but it's not correct. It should be something like "Sujets de la catégorie {title}". I can't find the locale string to change it. Can anyone help me?
In my forum I have one very annoying category. That category (a.k.a. spam) should be muted for all users. Since my users have little computer experience, and I am also not yet done with the translation of Discourse, I'd love to mute this category for them. Is there a way for me to mute a category for my users?
Or, better, would be to add a category parameter. Default: Watched | Tracked | Muted
Is there a way to do some kind of for-each loop over users inside RAILS_ENV=development bundle exec rails console, or whatever it is called (forgive me, I am coming from the .NET world)?
I'm trying to get the users list out of our forum to see if we get any conflicts if we turn on SSO.
We don't have many users, so I thought the easiest way to do this would be to cut and paste the HTML table from /admin/users/list into Google Docs. That works great for the first 100 users, but there doesn't seem to be a next page button. Is it supposed to be infinite scroll? If so it's broken for me.
I can probably do this by doing a select on the database directly, but the lack of a next page button does feel like a bug to me.
I have one unread PM whereby the green notification will not clear. I tentatively categorised this as a bug but I'm not 100% sure? I have done a super refresh, read and replied to the post but the notification remains.
Been trying to find this via the admin panel but appear unable to.
In our group we share books we've read, hotspots we've visited, but those things would make the board quite noisy if they were all posted and shown as unread individually as people throw their books up. First thought is to have a Category that is automatically muted for all users so it can be referenced later, but it won't email out when topics get added to it, and it won't show up in the Unread section.
Not really sure how exactly to solve this yet. Is there a way to do this with Discourse?
Entering search from a Profile page (mine or another member's) the search facility automatically prefers posts by that member. Likewise from within a category.
Both those things are useful as an option, but frequently they're not what I want, and it's irritating to have to return to the home page to get an "unbiased" search.
Is there any way for the user to take control of search preferences, rather than Discourse?
On vBulletin, I can send a PM to somebody by going to my messages and typing a username into a new message. Unless I'm missing something, that's not possible on Discourse. Instead, you need to visit the member's Profile page or use the pop-up box from their avatar on a post.
Once the app is created, click on Settings on the left. Enter forum.example.com in the App Domains field.
Then click Add Platform, choose Website, and enter http://forum.example.com in the Site URL field.
Enter your email in the Contact Email field
Under the Advanced tab (at the top), make sure Client OAuth Login is enabled. Enter http://forum.example.com/auth/facebook/callback in the Valid OAuth redirect URIs field.
Click the Save Changes button.
The App ID and App Secret go in the facebook_app_id and facebook_app_secret settings in the users section.
Go to Status & Review and change "available to the general public" to Yes.
I had automatic backups setup to go to S3 and they stopped working.
The backups tab Backup button now says "Cancel". If I click cancel, it changes to the blue backup button then if I navigate to the page I get the same Cancel button.
Currently, the guid is the URL of the item. But when the title is updated, the URL changes too. So, if you use a service like Twitterfeed, your discussion will be posted twice.
PS: Moreover, for this use, it would be better to sort them by creation date instead of update date.
On some big forums, some users have multiple accounts to support their own opinion, get an extra like, get an extra vote in a poll, or post offensively to other users.
How can we use Discourse to handle issues like this?
I imported a backup and now I need to activate the admin user again.
I tried to access the Ruby console using RAILS_ENV=production bundle exec rails c from within the Docker container and I get FATAL: role "root" does not exist (PG::Error)