Also fixes a couple of miscellaneous bugs:
- Minimise the Composer when clicking the preview button in full-screen mode on desktop.
- Minimise the Composer when clicking the link to the discussion/post in the header on mobile/full-screen mode.
Turns out there's a little more to the regression in e5a7013. First, we need to give the spaces in between list items a key too. Second, there's a bug in the latest Mithril code where using string keys can break the diffing algorithm. I've patched it manually in our dist JS files for now, and reported the issue: https://github.com/lhorie/mithril.js/issues/934
- In Mithril, `finally` has been removed from promise objects as it is not part of the ES spec. See https://gist.github.com/jish/e9bcd75e391a2b21206b for info on the substitute.
- Fix a regression introduced in e5a7013 which broke some redraws
Fixes#667. This issue was due to the fact that Mithril would change the "Lock" badge into a "Sticky" badge, but the tooltip initialization would not be triggered because it was using the same element. By maintaining element identity, the "Lock" badge will remain untouched, and a new element for the "Sticky" badge will be inserted before it. See https://lhorie.github.io/mithril/mithril.html#dealing-with-focus for more information.
Newly-created accounts are allowed to log in straight away, but they still have the permissions of a guest until they've confirmed their email address. Instead of showing a success message after registration, we reload the page since they're already logged in.
Still todo: show a message explaining that they need to verify their email address to do anything, and allow it to be resent.
- Use cookies + CSRF token for API authentication in the default client. This mitigates potential XSS attacks by making the token unavailable to JavaScript. The Authorization header is still supported, but not used by default.
- Make sensitive/destructive actions (editing a user, permanently deleting anything, visiting the admin CP) require the user to re-enter their password if they haven't entered it in the last 30 minutes.
- Refactor and clean up the authentication middleware.
- Add an `onhide` hook to the Modal component. (+1 squashed commit)
Extracts strings that were missed previously in:
- Dashboard page of admin interface.
- Edit Custom CSS modal of admin interface.
- Settings modal of admin interface.
- Post activity list on user page of forum UI.
Hopefully there aren't any more!
