feat: add response:helpers.notAllowed

* fix: pin colors to 1.4.0

* fix: exclude colors from renovate updates

install/data/defaults.json

@@ -138,6 +138,7 @@
     "disableEmailSubscriptions": 0,
     "emailConfirmInterval": 10,
     "removeEmailNotificationImages": 0,
+    "sendValidationEmail": 1,
     "includeUnverifiedEmails": 0,
     "emailPrompt": 1,
     "inviteExpiration": 7,

install/package.json

@@ -41,7 +41,7 @@
         "chart.js": "^2.9.4",
         "cli-graph": "^3.2.2",
         "clipboard": "^2.0.6",
-        "colors": "^1.4.0",
+        "colors": "1.4.0",
         "commander": "^7.1.0",
         "compare-versions": "3.6.0",
         "compression": "^1.7.4",

public/language/en-GB/admin/settings/email.json

@@ -38,7 +38,8 @@
 	"subscriptions.hour-help": "Please enter a number representing the hour to send scheduled email digests (e.g. <code>0</code> for midnight, <code>17</code> for 5:00pm). Keep in mind that this is the hour according to the server itself, and may not exactly match your system clock.<br /> The approximate server time is: <span id=\"serverTime\"></span><br /> The next daily digest is scheduled to be sent  <span id=\"nextDigestTime\"></span>",
 	"notifications.remove-images": "Remove images from email notifications",
 	"require-email-address": "Require new users to specify an email address",
-	"require-email-address-warning": "By default, users can opt-out of entering an email address. Enabling this option means they have to enter an email address in order to proceed with registration. <strong>It does not ensure user will enter a real email address, nor even an address they own.</strong>",
+	"require-email-address-warning": "By default, users can opt-out of entering an email address by leaving the field blank. Enabling this option means they have to enter an email address in order to proceed with registration. <strong>It does not ensure user will enter a real email address, nor even an address they own.</strong>",
+	"send-validation-email": "Send validation emails when an email is added or changed",
 	"include-unverified-emails": "Send emails to recipients who have not explicitly confirmed their emails",
 	"include-unverified-warning": "By default, users with emails associated with their account have already been verified, but there are situations where this is not the case (e.g. SSO logins, grandfathered users, etc). <strong>Enable this setting at your own risk</strong> &ndash; sending emails to unverified addresses may be a violation of regional anti-spam laws.",
 	"prompt": "Prompt users to enter or confirm their emails",

public/src/ajaxify.js

@@ -424,7 +424,7 @@ ajaxify = window.ajaxify || {};
 	};
 
 	ajaxify.loadTemplate = function (template, callback) {
-		require([config.assetBaseUrl + '/templates/' + template + '.js'], callback, function (err) {
+		require([config.asset_base_url + '/templates/' + template + '.js'], callback, function (err) {
 			console.error('Unable to load template: ' + template);
 			throw err;
 		});

public/src/client/topic/posts.js

@@ -132,7 +132,7 @@ define('forum/topic/posts', [
 		if (!isPreviousPostAdded && data.posts[0].selfPost) {
 			return ajaxify.go('post/' + data.posts[0].pid);
 		}
-		const repliesSelector = $('[component="post"]:not([data-index=0]), [component="topic/event"]');
+		const repliesSelector = $('[component="topic"]>[component="post"]:not([data-index=0]), [component="topic"]>[component="topic/event"]');
 		createNewPosts(data, repliesSelector, direction, false, function (html) {
 			if (html) {
 				html.addClass('new');

public/src/modules/translator.js

@@ -3,7 +3,7 @@
 (function (factory) {
 	function loadClient(language, namespace) {
 		return new Promise(function (resolve, reject) {
-			jQuery.getJSON([config.assetBaseUrl, 'language', language, namespace].join('/') + '.json?' + config['cache-buster'], function (data) {
+			jQuery.getJSON([config.asset_base_url, 'language', language, namespace].join('/') + '.json?' + config['cache-buster'], function (data) {
 				const payload = {
 					language: language,
 					namespace: namespace,

renovate.json

@@ -6,7 +6,8 @@
   "packageRules": [
     {
       "updateTypes": ["minor", "patch", "pin", "digest"],
-      "automerge": true
+      "automerge": true,
+      "excludePackageNames": ["colors"]
     }
   ]
 }

src/controllers/api.js

@@ -14,6 +14,7 @@ const apiController = module.exports;
 
 const relative_path = nconf.get('relative_path');
 const upload_url = nconf.get('upload_url');
+const asset_base_url = nconf.get('asset_base_url');
 const socketioTransports = nconf.get('socket.io:transports') || ['polling', 'websocket'];
 const socketioOrigins = nconf.get('socket.io:origins');
 const websocketAddress = nconf.get('socket.io:address') || '';
@@ -22,7 +23,8 @@ apiController.loadConfig = async function (req) {
 	const config = {
 		relative_path,
 		upload_url,
-		assetBaseUrl: `${relative_path}/assets`,
+		asset_base_url,
+		assetBaseUrl: asset_base_url, // deprecate in 1.20.x
 		siteTitle: validator.escape(String(meta.config.title || meta.config.browserTitle || 'NodeBB')),
 		browserTitle: validator.escape(String(meta.config.browserTitle || meta.config.title || 'NodeBB')),
 		titleLayout: (meta.config.titleLayout || '{pageTitle} | {browserTitle}').replace(/{/g, '{').replace(/}/g, '}'),

src/controllers/helpers.js

@@ -123,6 +123,11 @@ helpers.buildTerms = function (url, term, query) {
 helpers.notAllowed = async function (req, res, error) {
 	({ error } = await plugins.hooks.fire('filter:helpers.notAllowed', { req, res, error }));
 
+	await plugins.hooks.fire('response:helpers.notAllowed', { req, res, error });
+	if (res.headersSent) {
+		return;
+	}
+
 	if (req.loggedIn || req.uid === -1) {
 		if (res.locals.isAPI) {
 			if (req.originalUrl.startsWith(`${relative_path}/api/v3`)) {

src/prestart.js

@@ -94,6 +94,9 @@ function loadConfig(configFile) {
 		nconf.set('secure', urlObject.protocol === 'https:');
 		nconf.set('use_port', !!urlObject.port);
 		nconf.set('relative_path', relativePath);
+		if (!nconf.get('asset_base_url')) {
+			nconf.set('asset_base_url', `${relativePath}/assets`);
+		}
 		nconf.set('port', nconf.get('PORT') || nconf.get('port') || urlObject.port || (nconf.get('PORT_ENV_VAR') ? nconf.get(nconf.get('PORT_ENV_VAR')) : false) || 4567);
 
 		// cookies don't provide isolation by port: http://stackoverflow.com/a/16328399/122353

src/user/email.js

@@ -2,6 +2,7 @@
 'use strict';
 
 const nconf = require('nconf');
+const winston = require('winston');
 
 const user = require('./index');
 const utils = require('../utils');
@@ -69,6 +70,11 @@ UserEmail.sendValidationEmail = async function (uid, options) {
 	 * 		- force, sends email even if it is too soon to send another
 	 */
 
+	if (meta.config.sendValidationEmail !== 1) {
+		winston.verbose(`[user/email] Validation email for uid ${uid} not sent due to config settings`);
+		return;
+	}
+
 	options = options || {};
 
 	// Fallback behaviour (email passed in as second argument)
@@ -110,6 +116,7 @@ UserEmail.sendValidationEmail = async function (uid, options) {
 	await db.expireAt(`confirm:${confirm_code}`, Math.floor((Date.now() / 1000) + (60 * 60 * 24)));
 	const username = await user.getUserField(uid, 'username');
 
+	winston.verbose(`[user/email] Validation email for uid ${uid} sent to ${options.email}`);
 	events.log({
 		type: 'email-confirmation-sent',
 		uid,

src/views/admin/settings/email.tpl

@@ -20,13 +20,6 @@
 				<input type="text" class="form-control input-lg" id="email:from_name" data-field="email:from_name" placeholder="NodeBB" /><br />
 			</div>
 
-			<div class="checkbox">
-				<label for="removeEmailNotificationImages" class="mdl-switch mdl-js-switch mdl-js-ripple-effect">
-					<input class="mdl-switch__input" type="checkbox" id="removeEmailNotificationImages" data-field="removeEmailNotificationImages" name="removeEmailNotificationImages" />
-					<span class="mdl-switch__label">[[admin/settings/email:notifications.remove-images]]</span>
-				</label>
-			</div>
-
 			<div class="checkbox">
 				<label for="requireEmailAddress" class="mdl-switch mdl-js-switch mdl-js-ripple-effect">
 					<input class="mdl-switch__input" type="checkbox" id="requireEmailAddress" data-field="requireEmailAddress" name="requireEmailAddress" />
@@ -35,6 +28,13 @@
 			</div>
 			<p class="help-block">[[admin/settings/email:require-email-address-warning]]</p>
 
+			<div class="checkbox">
+				<label for="sendValidationEmail" class="mdl-switch mdl-js-switch mdl-js-ripple-effect">
+					<input class="mdl-switch__input" type="checkbox" id="sendValidationEmail" data-field="sendValidationEmail" name="sendValidationEmail" />
+					<span class="mdl-switch__label">[[admin/settings/email:send-validation-email]]</span>
+				</label>
+			</div>
+
 			<div class="checkbox">
 				<label for="includeUnverifiedEmails" class="mdl-switch mdl-js-switch mdl-js-ripple-effect">
 					<input class="mdl-switch__input" type="checkbox" id="includeUnverifiedEmails" data-field="includeUnverifiedEmails" name="includeUnverifiedEmails" />
@@ -50,6 +50,13 @@
 				</label>
 			</div>
 			<p class="help-block">[[admin/settings/email:prompt-help]]</p>
+
+			<div class="checkbox">
+				<label for="removeEmailNotificationImages" class="mdl-switch mdl-js-switch mdl-js-ripple-effect">
+					<input class="mdl-switch__input" type="checkbox" id="removeEmailNotificationImages" data-field="removeEmailNotificationImages" name="removeEmailNotificationImages" />
+					<span class="mdl-switch__label">[[admin/settings/email:notifications.remove-images]]</span>
+				</label>
+			</div>
 		</form>
 	</div>
 </div>

test/mocks/databasemock.js

@@ -38,6 +38,7 @@ nconf.defaults({
 const urlObject = url.parse(nconf.get('url'));
 const relativePath = urlObject.pathname !== '/' ? urlObject.pathname : '';
 nconf.set('relative_path', relativePath);
+nconf.set('asset_base_url', `${relativePath}/assets`);
 nconf.set('upload_path', path.join(nconf.get('base_dir'), nconf.get('upload_path')));
 nconf.set('upload_url', '/assets/uploads');
 nconf.set('url_parsed', urlObject);