You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Move website name logic from frontend to backend serializer
Show complete URL path when website domain matches instance domain
Display parent domain path when website is subdomain of instance
Add conditional inclusion of website_name attribute in serialization
Diagram Walkthrough
flowchart LR
A["User Profile Website"] --> B["Backend Serializer"]
B --> C["Compare Domains"]
C --> D["Same Domain"]
C --> E["Parent Domain"]
C --> F["Different Domain"]
D --> G["Return Full Path"]
E --> G
F --> H["Return Host Only"]
G --> I["website_name Attribute"]
H --> I
I --> J["Frontend Template"]
Loading
File Walkthrough
Relevant files
Enhancement
user_serializer.rb
Add backend website_name serialization with domain logic
app/serializers/user_serializer.rb
Add website_name attribute to serialized user attributes
Implement website_name method with domain comparison logic
Parse website URL and compare against instance hostname
Return full path for same/parent domains, host only for different domains
Add include_website_name conditional to only include when website present
Below is a summary of compliance checks for this PR:
Security Compliance
⚪
URL validation/normalization
Description: The website_name method constructs a display string by concatenating host and URI(website).path without normalizing or validating the URL, which could enable reflected XSS or unsafe display if the website field contains malformed or javascript: URLs and the frontend later renders it unsafely. user_serializer.rb [137-150]
Follow the guide to enable codebase context checks.
Custom Compliance
🟢
Generic: Meaningful Naming and Self-Documenting Code
Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting
Status: Passed
Generic: Secure Error Handling
Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging.
Status: Passed
Generic: Secure Logging Practices
Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data.
Status: Passed
⚪
Generic: Comprehensive Audit Trails
Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance.
Status: No audit logs: The changes add serialization logic for website display without introducing any logging for critical actions, but no critical actions appear to be performed here.
Generic: Robust Error Handling and Edge Case Management
Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation
Status: Fragile URL parse: The website_name method rescues URI parsing broadly and may return nil or partial results without logging or handling malformed URLs or empty paths explicitly.
Generic: Security-First Input Validation and Data Handling
Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities
Status: Input validation: The code uses user-provided website to construct display strings without explicit validation/sanitization beyond URI parsing, which may allow unexpected or unsafe formats.
Replace the complex, custom domain comparison logic in user_serializer.rb with a dedicated library like public_suffix. This simplifies the code and makes domain matching more robust and reliable.
# app/serializers/user_serializer.rbdefwebsite_namewebsite_host=URI(website.to_s).hostdiscourse_host=Discourse.current_hostnamereturnifwebsite_host.nil?ifwebsite_host == discourse_hostwebsite_host + URI(website.to_s).pathelsif(/* complex string splitting to check for sibling domains */)# ... logic to compare parts of the domainwebsite_host.split('.')[1..-1].join('.') == discourse_host.split('.')[1..-1].join('.') ? website_host + URI(website.to_s).path : website_hostelse# ... check if one domain ends with the otherdiscourse_host.ends_with?("." << website_host) ? website_host + URI(website.to_s).path : website_hostendend
Why: The suggestion correctly identifies that the custom domain comparison logic is complex and brittle, and proposes a significantly more robust and maintainable solution using a standard library, which is a best practice.
High
Possible issue
Fix conditional inclusion method name
Rename the include_website_name method to include_website_name? to ensure it is correctly used by the serializer for conditional attribute inclusion.
-def include_website_name+def include_website_name?
website.present?
end
Apply / Chat
Suggestion importance[1-10]: 8
__
Why: The suggestion correctly identifies a bug where the conditional inclusion method include_website_name is missing the required trailing ?, which would cause it to not be recognized by the serializer, leading to incorrect behavior.
Medium
Simplify and fix domain comparison
Refactor the website_name method to simplify the domain comparison logic, fix a bug where a website on a subdomain of the instance domain is not correctly handled, and improve readability.
Why: The suggestion correctly identifies a bug in the domain comparison logic and provides a clearer, more robust, and more maintainable implementation that covers all intended subdomain/parent domain scenarios.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
User description
PR #6
PR Type
Enhancement
Description
Move website name logic from frontend to backend serializer
Show complete URL path when website domain matches instance domain
Display parent domain path when website is subdomain of instance
Add conditional inclusion of website_name attribute in serialization
Diagram Walkthrough
File Walkthrough
user_serializer.rb
Add backend website_name serialization with domain logicapp/serializers/user_serializer.rb
website_nameattribute to serialized user attributeswebsite_namemethod with domain comparison logicdomains
include_website_nameconditional to only include when websitepresent
user.js.es6
Remove frontend websiteName computed propertyapp/assets/javascripts/discourse/controllers/user.js.es6
websiteNamecomputed property from controlleruser.hbs
Update template to use backend website_name attributeapp/assets/javascripts/discourse/templates/user/user.hbs
websiteNamecontroller property withmodel.website_nameuser_serializer_spec.rb
Add website_name serialization tests with domain scenariosspec/serializers/user_serializer_spec.rb
user.js.es6
Fix JSDoc property documentation referenceapp/assets/javascripts/discourse/models/user.js.es6
websiteNametoprofileBackground