Mirror
/
zulip
mirror of https://github.com/zulip/zulip.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
zulip/zerver/tests/test_realm_linkifiers.py

385 lines
17 KiB
Python
Raw Normal View History

realm filters: Expand set of characters allowed in prefixes. Our list of allowed characters in realm filter patterns has long been too string; fix this by extending the pattern. Also, extend the tests to have examples of actual strings one would use with the patterns, for clarity. Fixes #10953, fixes #6835.
2018-12-14 20:10:20 +01:00
import re
linkifier: Support reordering linkifiers. This adds API support to reorder linkifiers and makes sure that the returned lists of linkifiers from `GET /events`, `POST /register`, and `GET /realm/linkifiers` are always sorted with the order that they should processed when rendering linkifiers. We set the new `order` field to the ID with the migration. This preserves the order of the existing linkifiers. New linkifiers added will always be ordered the last. When reordering, the `order` field of all linkifiers in the same realm is updated, in a manner similar to how we implement ordering for `custom_profile_fields`.
2023-08-10 04:09:25 +02:00
from typing import List
realm filters: Expand set of characters allowed in prefixes. Our list of allowed characters in realm filter patterns has long been too string; fix this by extending the pattern. Also, extend the tests to have examples of actual strings one would use with the patterns, for clarity. Fixes #10953, fixes #6835.
2018-12-14 20:10:20 +01:00
linkifier: Support reordering linkifiers. This adds API support to reorder linkifiers and makes sure that the returned lists of linkifiers from `GET /events`, `POST /register`, and `GET /realm/linkifiers` are always sorted with the order that they should processed when rendering linkifiers. We set the new `order` field to the ID with the migration. This preserves the order of the existing linkifiers. New linkifiers added will always be ordered the last. When reordering, the `order` field of all linkifiers in the same realm is updated, in a manner similar to how we implement ordering for `custom_profile_fields`.
2023-08-10 04:09:25 +02:00
import orjson
linkifiers: Loosen regex that validates URLs. User-supplied custom realm filter has had some sort of regex-based validation of the format URL since their introduction in d7e1e4a2c0b11e6fc4a3fa396aa7be9f75da8943 -- and this has always been in addition to the URLValidator. The URLValidator is the one which does the security-relevant work of validating that the schema is reasonable, and that the overall shape of the URL is well-formed. The regex has served primarily to arbitrary limit the characters that can appear in the URL, in the mistaken name of safety. Adjust the regex, such that its only purpose is to verify that the usages of `%` characters in the URL are reasonable, and leave the URL validation to the URLValidator, which can do a far better job. This includes broadening the support to include `%%` as an escape character; this is likely such a niche case as to be unnecessary, but costs little. Fixes #16013.
2021-10-20 03:08:44 +02:00
from django.core.exceptions import ValidationError
mypy: Enable new error explicit-override. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2023-10-12 19:43:45 +02:00
from typing_extensions import override
linkifiers: Loosen regex that validates URLs. User-supplied custom realm filter has had some sort of regex-based validation of the format URL since their introduction in d7e1e4a2c0b11e6fc4a3fa396aa7be9f75da8943 -- and this has always been in addition to the URLValidator. The URLValidator is the one which does the security-relevant work of validating that the schema is reasonable, and that the overall shape of the URL is well-formed. The regex has served primarily to arbitrary limit the characters that can appear in the URL, in the mistaken name of safety. Adjust the regex, such that its only purpose is to verify that the usages of `%` characters in the URL are reasonable, and leave the URL validation to the URLValidator, which can do a far better job. This includes broadening the support to include `%%` as an escape character; this is likely such a niche case as to be unnecessary, but costs little. Fixes #16013.
2021-10-20 03:08:44 +02:00
Add initial implementation of custom realm filters. This PR was abandoned by Vladislav and then substantially modified by Igor Tokarev and Tim Abbott to complete it and fix a number of bugs. Fixes #544.
2016-02-13 19:17:15 +01:00
from zerver.lib.test_classes import ZulipTestCase
models: Extract zerver.models.linkifiers. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2023-12-15 02:51:31 +01:00
from zerver.models import RealmAuditLog, RealmFilter
from zerver.models.linkifiers import url_template_validator
Add initial implementation of custom realm filters. This PR was abandoned by Vladislav and then substantially modified by Igor Tokarev and Tim Abbott to complete it and fix a number of bugs. Fixes #544.
2016-02-13 19:17:15 +01:00
python: Sort imports with isort. Fixes #2665. Regenerated by tabbott with `lint --fix` after a rebase and change in parameters. Note from tabbott: In a few cases, this converts technical debt in the form of unsorted imports into different technical debt in the form of our largest files having very long, ugly import sequences at the start. I expect this change will increase pressure for us to split those files, which isn't a bad thing. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-11 00:54:34 +02:00
Add initial implementation of custom realm filters. This PR was abandoned by Vladislav and then substantially modified by Igor Tokarev and Tim Abbott to complete it and fix a number of bugs. Fixes #544.
2016-02-13 19:17:15 +01:00
class RealmFilterTest(ZulipTestCase):
mypy: Enable new error explicit-override. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2023-10-12 19:43:45 +02:00
@override
populate_db: Populate linkifiers. The curl examples of reordering linkifiers require there to be some linkifiers in the database to be reordered. This adjusts some test cases so they do not assume that there is no linkifier in the test db.
2023-08-11 01:10:21 +02:00
def setUp(self) -> None:
super().setUp()
iago = self.example_user("iago")
RealmFilter.objects.filter(realm=iago.realm).delete()
zerver/tests: Use python 3 syntax for typing. This patch was extracted by tabbott for just the files with no open PRs modifying them.
2017-11-05 10:51:25 +01:00
def test_list(self) -> None:
python: Normalize quotes with Black. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-02-12 08:20:45 +01:00
self.login("iago")
Refactor: Use backend-endpoint function instead of helper function. Use backend-endpoint function instead of helper function in `test_realm_linkifiers.py` so that tests are more end-to-end. The removed helper function: `do_add_linkifier` is tested in `zerver/tests/test_events.py`.
2021-04-15 19:41:12 +02:00
data = {
"pattern": "#(?P<id>[123])",
linkifier: Support URL templates for linkifiers. This swaps out url_format_string from all of our APIs and replaces it with url_template. Note that the documentation changes in the following commits will be squashed with this commit. We change the "url_format" key to "url_template" for the realm_linkifiers events in event_schema, along with updating LinkifierDict. "url_template" is the name chosen to normalize mixed usages of "url_format_string" and "url_format" throughout the backend. The markdown processor is updated to stop handling the format string interpolation and delegate the task template expansion to the uri_template library instead. This change affects many test cases. We mostly just replace "%(name)s" with "{name}", "url_format_string" with "url_template" to make sure that they still pass. There are some test cases dedicated for testing "%" escaping, which aren't relevant anymore and are subject to removal. But for now we keep most of them as-is, and make sure that "%" is always escaped since we do not use it for variable substitution any more. Since url_format_string is not populated anymore, a migration is created to remove this field entirely, and make url_template non-nullable since we will always populate it. Note that it is possible to have url_template being null after migration 0422 and before 0424, but in practice, url_template will not be None after backfilling and the backend now is always setting url_template. With the removal of url_format_string, RealmFilter model will now be cleaned with URL template checks, and the old checks for escapes are removed. We also modified RealmFilter.clean to skip the validation when the url_template is invalid. This avoids raising mulitple ValidationError's when calling full_clean on a linkifier. But we might eventually want to have a more centric approach to data validation instead of having the same validation in both the clean method and the validator. Fixes #23124. Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-10-05 20:55:31 +02:00
"url_template": "https://realm.com/my_realm_filter/{id}",
Refactor: Use backend-endpoint function instead of helper function. Use backend-endpoint function instead of helper function in `test_realm_linkifiers.py` so that tests are more end-to-end. The removed helper function: `do_add_linkifier` is tested in `zerver/tests/test_events.py`.
2021-04-15 19:41:12 +02:00
}
result = self.client_post("/json/realm/filters", info=data)
self.assert_json_success(result)
linkifiers: Update API to send data using dictionaries. * This introduces a new event type `realm_linkifiers` and a new key for the initial data fetch of the same name. Newer clients will be expected to use these. * Backwards compatibility is ensured by changing neither the current event nor the /register key. The data which these hold is the same as before, but internally, it is generated by processing the `realm_linkifiers` data. We send both the old and the new event types to clients whenever the linkifiers are changed. Older clients will simply ignore the new event type, and vice versa. * The `realm/filters:GET` endpoint (which returns tuples) is currently used by none of the official Zulip clients. This commit replaces it with `realm/linkifiers:GET` which returns data in the new dictionary format. TODO: Update the `get_realm_filters` method in the API bindings, to hit this new URL instead of the old one. * This also updates the webapp frontend to use the newer events and keys.
2021-03-30 12:51:54 +02:00
result = self.client_get("/json/realm/linkifiers")
tests: Refactor away result.json() calls with helpers. Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-06-07 01:37:01 +02:00
linkifiers = self.assert_json_success(result)["linkifiers"]
tests: Consistently use assert_length helper. This helper does some nice things like printing out the data structure incase of failure.
2021-05-17 05:41:32 +02:00
self.assert_length(linkifiers, 1)
Refactor: Use backend-endpoint function instead of helper function. Use backend-endpoint function instead of helper function in `test_realm_linkifiers.py` so that tests are more end-to-end. The removed helper function: `do_add_linkifier` is tested in `zerver/tests/test_events.py`.
2021-04-15 19:41:12 +02:00
self.assertEqual(linkifiers[0]["pattern"], "#(?P<id>[123])")
linkifier: Support URL templates for linkifiers. This swaps out url_format_string from all of our APIs and replaces it with url_template. Note that the documentation changes in the following commits will be squashed with this commit. We change the "url_format" key to "url_template" for the realm_linkifiers events in event_schema, along with updating LinkifierDict. "url_template" is the name chosen to normalize mixed usages of "url_format_string" and "url_format" throughout the backend. The markdown processor is updated to stop handling the format string interpolation and delegate the task template expansion to the uri_template library instead. This change affects many test cases. We mostly just replace "%(name)s" with "{name}", "url_format_string" with "url_template" to make sure that they still pass. There are some test cases dedicated for testing "%" escaping, which aren't relevant anymore and are subject to removal. But for now we keep most of them as-is, and make sure that "%" is always escaped since we do not use it for variable substitution any more. Since url_format_string is not populated anymore, a migration is created to remove this field entirely, and make url_template non-nullable since we will always populate it. Note that it is possible to have url_template being null after migration 0422 and before 0424, but in practice, url_template will not be None after backfilling and the backend now is always setting url_template. With the removal of url_format_string, RealmFilter model will now be cleaned with URL template checks, and the old checks for escapes are removed. We also modified RealmFilter.clean to skip the validation when the url_template is invalid. This avoids raising mulitple ValidationError's when calling full_clean on a linkifier. But we might eventually want to have a more centric approach to data validation instead of having the same validation in both the clean method and the validator. Fixes #23124. Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-10-05 20:55:31 +02:00
self.assertEqual(linkifiers[0]["url_template"], "https://realm.com/my_realm_filter/{id}")
Add initial implementation of custom realm filters. This PR was abandoned by Vladislav and then substantially modified by Igor Tokarev and Tim Abbott to complete it and fix a number of bugs. Fixes #544.
2016-02-13 19:17:15 +01:00
zerver/tests: Use python 3 syntax for typing. This patch was extracted by tabbott for just the files with no open PRs modifying them.
2017-11-05 10:51:25 +01:00
def test_create(self) -> None:
python: Normalize quotes with Black. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-02-12 08:20:45 +01:00
self.login("iago")
linkifier: Support URL templates for linkifiers. This swaps out url_format_string from all of our APIs and replaces it with url_template. Note that the documentation changes in the following commits will be squashed with this commit. We change the "url_format" key to "url_template" for the realm_linkifiers events in event_schema, along with updating LinkifierDict. "url_template" is the name chosen to normalize mixed usages of "url_format_string" and "url_format" throughout the backend. The markdown processor is updated to stop handling the format string interpolation and delegate the task template expansion to the uri_template library instead. This change affects many test cases. We mostly just replace "%(name)s" with "{name}", "url_format_string" with "url_template" to make sure that they still pass. There are some test cases dedicated for testing "%" escaping, which aren't relevant anymore and are subject to removal. But for now we keep most of them as-is, and make sure that "%" is always escaped since we do not use it for variable substitution any more. Since url_format_string is not populated anymore, a migration is created to remove this field entirely, and make url_template non-nullable since we will always populate it. Note that it is possible to have url_template being null after migration 0422 and before 0424, but in practice, url_template will not be None after backfilling and the backend now is always setting url_template. With the removal of url_format_string, RealmFilter model will now be cleaned with URL template checks, and the old checks for escapes are removed. We also modified RealmFilter.clean to skip the validation when the url_template is invalid. This avoids raising mulitple ValidationError's when calling full_clean on a linkifier. But we might eventually want to have a more centric approach to data validation instead of having the same validation in both the clean method and the validator. Fixes #23124. Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-10-05 20:55:31 +02:00
data = {"pattern": "", "url_template": "https://realm.com/my_realm_filter/{id}"}
Add initial implementation of custom realm filters. This PR was abandoned by Vladislav and then substantially modified by Igor Tokarev and Tim Abbott to complete it and fix a number of bugs. Fixes #544.
2016-02-13 19:17:15 +01:00
result = self.client_post("/json/realm/filters", info=data)
python: Normalize quotes with Black. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-02-12 08:20:45 +01:00
self.assert_json_error(result, "This field cannot be blank.")
Add initial implementation of custom realm filters. This PR was abandoned by Vladislav and then substantially modified by Igor Tokarev and Tim Abbott to complete it and fix a number of bugs. Fixes #544.
2016-02-13 19:17:15 +01:00
CVE-2021-41115: Use re2 for user-supplied linkifier patterns. Zulip attempts to validate that the regular expressions that admins enter for linkifiers are well-formatted, and only contain a specific subset of regex grammar. The process of checking these properties (via a regex!) can cause denial-of-service via backtracking. Furthermore, this validation itself does not prevent the creation of linkifiers which themselves cause denial-of-service when they are executed. As the validator accepts literally anything inside of a `(?P<word>...)` block, any quadratic backtracking expression can be hidden therein. Switch user-provided linkifier patterns to be matched in the Markdown processor by the `re2` library, which is guaranteed constant-time. This somewhat limits the possible features of the regular expression (notably, look-head and -behind, and back-references); however, these features had never been advertised as working in the context of linkifiers. A migration removes any existing linkifiers which would not function under re2, after printing them for posterity during the upgrade; they are unlikely to be common, and are impossible to fix automatically. The denial-of-service in the linkifier validator was discovered by @erik-krogh and @yoff, as GHSL-2021-118.
2021-09-29 01:27:54 +02:00
data["pattern"] = "(foo"
Add initial implementation of custom realm filters. This PR was abandoned by Vladislav and then substantially modified by Igor Tokarev and Tim Abbott to complete it and fix a number of bugs. Fixes #544.
2016-02-13 19:17:15 +01:00
result = self.client_post("/json/realm/filters", info=data)
CVE-2021-41115: Use re2 for user-supplied linkifier patterns. Zulip attempts to validate that the regular expressions that admins enter for linkifiers are well-formatted, and only contain a specific subset of regex grammar. The process of checking these properties (via a regex!) can cause denial-of-service via backtracking. Furthermore, this validation itself does not prevent the creation of linkifiers which themselves cause denial-of-service when they are executed. As the validator accepts literally anything inside of a `(?P<word>...)` block, any quadratic backtracking expression can be hidden therein. Switch user-provided linkifier patterns to be matched in the Markdown processor by the `re2` library, which is guaranteed constant-time. This somewhat limits the possible features of the regular expression (notably, look-head and -behind, and back-references); however, these features had never been advertised as working in the context of linkifiers. A migration removes any existing linkifiers which would not function under re2, after printing them for posterity during the upgrade; they are unlikely to be common, and are impossible to fix automatically. The denial-of-service in the linkifier validator was discovered by @erik-krogh and @yoff, as GHSL-2021-118.
2021-09-29 01:27:54 +02:00
self.assert_json_error(result, "Bad regular expression: missing ): (foo")
Add initial implementation of custom realm filters. This PR was abandoned by Vladislav and then substantially modified by Igor Tokarev and Tim Abbott to complete it and fix a number of bugs. Fixes #544.
2016-02-13 19:17:15 +01:00
CVE-2021-41115: Use re2 for user-supplied linkifier patterns. Zulip attempts to validate that the regular expressions that admins enter for linkifiers are well-formatted, and only contain a specific subset of regex grammar. The process of checking these properties (via a regex!) can cause denial-of-service via backtracking. Furthermore, this validation itself does not prevent the creation of linkifiers which themselves cause denial-of-service when they are executed. As the validator accepts literally anything inside of a `(?P<word>...)` block, any quadratic backtracking expression can be hidden therein. Switch user-provided linkifier patterns to be matched in the Markdown processor by the `re2` library, which is guaranteed constant-time. This somewhat limits the possible features of the regular expression (notably, look-head and -behind, and back-references); however, these features had never been advertised as working in the context of linkifiers. A migration removes any existing linkifiers which would not function under re2, after printing them for posterity during the upgrade; they are unlikely to be common, and are impossible to fix automatically. The denial-of-service in the linkifier validator was discovered by @erik-krogh and @yoff, as GHSL-2021-118.
2021-09-29 01:27:54 +02:00
data["pattern"] = r"ZUL-(?P<id>\d????)"
Add initial implementation of custom realm filters. This PR was abandoned by Vladislav and then substantially modified by Igor Tokarev and Tim Abbott to complete it and fix a number of bugs. Fixes #544.
2016-02-13 19:17:15 +01:00
result = self.client_post("/json/realm/filters", info=data)
CVE-2021-41115: Use re2 for user-supplied linkifier patterns. Zulip attempts to validate that the regular expressions that admins enter for linkifiers are well-formatted, and only contain a specific subset of regex grammar. The process of checking these properties (via a regex!) can cause denial-of-service via backtracking. Furthermore, this validation itself does not prevent the creation of linkifiers which themselves cause denial-of-service when they are executed. As the validator accepts literally anything inside of a `(?P<word>...)` block, any quadratic backtracking expression can be hidden therein. Switch user-provided linkifier patterns to be matched in the Markdown processor by the `re2` library, which is guaranteed constant-time. This somewhat limits the possible features of the regular expression (notably, look-head and -behind, and back-references); however, these features had never been advertised as working in the context of linkifiers. A migration removes any existing linkifiers which would not function under re2, after printing them for posterity during the upgrade; they are unlikely to be common, and are impossible to fix automatically. The denial-of-service in the linkifier validator was discovered by @erik-krogh and @yoff, as GHSL-2021-118.
2021-09-29 01:27:54 +02:00
self.assert_json_error(result, "Bad regular expression: bad repetition operator: ????")
Add initial implementation of custom realm filters. This PR was abandoned by Vladislav and then substantially modified by Igor Tokarev and Tim Abbott to complete it and fix a number of bugs. Fixes #544.
2016-02-13 19:17:15 +01:00
python: Normalize quotes with Black. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-02-12 08:20:45 +01:00
data["pattern"] = r"ZUL-(?P<id>\d+)"
linkifier: Support URL templates for linkifiers. This swaps out url_format_string from all of our APIs and replaces it with url_template. Note that the documentation changes in the following commits will be squashed with this commit. We change the "url_format" key to "url_template" for the realm_linkifiers events in event_schema, along with updating LinkifierDict. "url_template" is the name chosen to normalize mixed usages of "url_format_string" and "url_format" throughout the backend. The markdown processor is updated to stop handling the format string interpolation and delegate the task template expansion to the uri_template library instead. This change affects many test cases. We mostly just replace "%(name)s" with "{name}", "url_format_string" with "url_template" to make sure that they still pass. There are some test cases dedicated for testing "%" escaping, which aren't relevant anymore and are subject to removal. But for now we keep most of them as-is, and make sure that "%" is always escaped since we do not use it for variable substitution any more. Since url_format_string is not populated anymore, a migration is created to remove this field entirely, and make url_template non-nullable since we will always populate it. Note that it is possible to have url_template being null after migration 0422 and before 0424, but in practice, url_template will not be None after backfilling and the backend now is always setting url_template. With the removal of url_format_string, RealmFilter model will now be cleaned with URL template checks, and the old checks for escapes are removed. We also modified RealmFilter.clean to skip the validation when the url_template is invalid. This avoids raising mulitple ValidationError's when calling full_clean on a linkifier. But we might eventually want to have a more centric approach to data validation instead of having the same validation in both the clean method and the validator. Fixes #23124. Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-10-05 20:55:31 +02:00
data["url_template"] = "$fgfg"
Add initial implementation of custom realm filters. This PR was abandoned by Vladislav and then substantially modified by Igor Tokarev and Tim Abbott to complete it and fix a number of bugs. Fixes #544.
2016-02-13 19:17:15 +01:00
result = self.client_post("/json/realm/filters", info=data)
linkifier: Support URL templates for linkifiers. This swaps out url_format_string from all of our APIs and replaces it with url_template. Note that the documentation changes in the following commits will be squashed with this commit. We change the "url_format" key to "url_template" for the realm_linkifiers events in event_schema, along with updating LinkifierDict. "url_template" is the name chosen to normalize mixed usages of "url_format_string" and "url_format" throughout the backend. The markdown processor is updated to stop handling the format string interpolation and delegate the task template expansion to the uri_template library instead. This change affects many test cases. We mostly just replace "%(name)s" with "{name}", "url_format_string" with "url_template" to make sure that they still pass. There are some test cases dedicated for testing "%" escaping, which aren't relevant anymore and are subject to removal. But for now we keep most of them as-is, and make sure that "%" is always escaped since we do not use it for variable substitution any more. Since url_format_string is not populated anymore, a migration is created to remove this field entirely, and make url_template non-nullable since we will always populate it. Note that it is possible to have url_template being null after migration 0422 and before 0424, but in practice, url_template will not be None after backfilling and the backend now is always setting url_template. With the removal of url_format_string, RealmFilter model will now be cleaned with URL template checks, and the old checks for escapes are removed. We also modified RealmFilter.clean to skip the validation when the url_template is invalid. This avoids raising mulitple ValidationError's when calling full_clean on a linkifier. But we might eventually want to have a more centric approach to data validation instead of having the same validation in both the clean method and the validator. Fixes #23124. Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-10-05 20:55:31 +02:00
self.assert_json_error(
result, "Group 'id' in linkifier pattern is not present in URL template."
)
models: Fix the URL validation code in `RealmFilter` model.
2017-07-22 01:08:26 +02:00
python: Normalize quotes with Black. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-02-12 08:20:45 +01:00
data["pattern"] = r"ZUL-(?P<id>\d+)"
linkifier: Support URL templates for linkifiers. This swaps out url_format_string from all of our APIs and replaces it with url_template. Note that the documentation changes in the following commits will be squashed with this commit. We change the "url_format" key to "url_template" for the realm_linkifiers events in event_schema, along with updating LinkifierDict. "url_template" is the name chosen to normalize mixed usages of "url_format_string" and "url_format" throughout the backend. The markdown processor is updated to stop handling the format string interpolation and delegate the task template expansion to the uri_template library instead. This change affects many test cases. We mostly just replace "%(name)s" with "{name}", "url_format_string" with "url_template" to make sure that they still pass. There are some test cases dedicated for testing "%" escaping, which aren't relevant anymore and are subject to removal. But for now we keep most of them as-is, and make sure that "%" is always escaped since we do not use it for variable substitution any more. Since url_format_string is not populated anymore, a migration is created to remove this field entirely, and make url_template non-nullable since we will always populate it. Note that it is possible to have url_template being null after migration 0422 and before 0424, but in practice, url_template will not be None after backfilling and the backend now is always setting url_template. With the removal of url_format_string, RealmFilter model will now be cleaned with URL template checks, and the old checks for escapes are removed. We also modified RealmFilter.clean to skip the validation when the url_template is invalid. This avoids raising mulitple ValidationError's when calling full_clean on a linkifier. But we might eventually want to have a more centric approach to data validation instead of having the same validation in both the clean method and the validator. Fixes #23124. Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-10-05 20:55:31 +02:00
data["url_template"] = "https://realm.com/my_realm_filter/"
models: Fix the URL validation code in `RealmFilter` model.
2017-07-22 01:08:26 +02:00
result = self.client_post("/json/realm/filters", info=data)
linkifiers: Loosen regex that validates URLs. User-supplied custom realm filter has had some sort of regex-based validation of the format URL since their introduction in d7e1e4a2c0b11e6fc4a3fa396aa7be9f75da8943 -- and this has always been in addition to the URLValidator. The URLValidator is the one which does the security-relevant work of validating that the schema is reasonable, and that the overall shape of the URL is well-formed. The regex has served primarily to arbitrary limit the characters that can appear in the URL, in the mistaken name of safety. Adjust the regex, such that its only purpose is to verify that the usages of `%` characters in the URL are reasonable, and leave the URL validation to the URLValidator, which can do a far better job. This includes broadening the support to include `%%` as an escape character; this is likely such a niche case as to be unnecessary, but costs little. Fixes #16013.
2021-10-20 03:08:44 +02:00
self.assert_json_error(
linkifier: Support URL templates for linkifiers. This swaps out url_format_string from all of our APIs and replaces it with url_template. Note that the documentation changes in the following commits will be squashed with this commit. We change the "url_format" key to "url_template" for the realm_linkifiers events in event_schema, along with updating LinkifierDict. "url_template" is the name chosen to normalize mixed usages of "url_format_string" and "url_format" throughout the backend. The markdown processor is updated to stop handling the format string interpolation and delegate the task template expansion to the uri_template library instead. This change affects many test cases. We mostly just replace "%(name)s" with "{name}", "url_format_string" with "url_template" to make sure that they still pass. There are some test cases dedicated for testing "%" escaping, which aren't relevant anymore and are subject to removal. But for now we keep most of them as-is, and make sure that "%" is always escaped since we do not use it for variable substitution any more. Since url_format_string is not populated anymore, a migration is created to remove this field entirely, and make url_template non-nullable since we will always populate it. Note that it is possible to have url_template being null after migration 0422 and before 0424, but in practice, url_template will not be None after backfilling and the backend now is always setting url_template. With the removal of url_format_string, RealmFilter model will now be cleaned with URL template checks, and the old checks for escapes are removed. We also modified RealmFilter.clean to skip the validation when the url_template is invalid. This avoids raising mulitple ValidationError's when calling full_clean on a linkifier. But we might eventually want to have a more centric approach to data validation instead of having the same validation in both the clean method and the validator. Fixes #23124. Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-10-05 20:55:31 +02:00
result, "Group 'id' in linkifier pattern is not present in URL template."
linkifiers: Loosen regex that validates URLs. User-supplied custom realm filter has had some sort of regex-based validation of the format URL since their introduction in d7e1e4a2c0b11e6fc4a3fa396aa7be9f75da8943 -- and this has always been in addition to the URLValidator. The URLValidator is the one which does the security-relevant work of validating that the schema is reasonable, and that the overall shape of the URL is well-formed. The regex has served primarily to arbitrary limit the characters that can appear in the URL, in the mistaken name of safety. Adjust the regex, such that its only purpose is to verify that the usages of `%` characters in the URL are reasonable, and leave the URL validation to the URLValidator, which can do a far better job. This includes broadening the support to include `%%` as an escape character; this is likely such a niche case as to be unnecessary, but costs little. Fixes #16013.
2021-10-20 03:08:44 +02:00
)
Add initial implementation of custom realm filters. This PR was abandoned by Vladislav and then substantially modified by Igor Tokarev and Tim Abbott to complete it and fix a number of bugs. Fixes #544.
2016-02-13 19:17:15 +01:00
linkifier: Support URL templates for linkifiers. This swaps out url_format_string from all of our APIs and replaces it with url_template. Note that the documentation changes in the following commits will be squashed with this commit. We change the "url_format" key to "url_template" for the realm_linkifiers events in event_schema, along with updating LinkifierDict. "url_template" is the name chosen to normalize mixed usages of "url_format_string" and "url_format" throughout the backend. The markdown processor is updated to stop handling the format string interpolation and delegate the task template expansion to the uri_template library instead. This change affects many test cases. We mostly just replace "%(name)s" with "{name}", "url_format_string" with "url_template" to make sure that they still pass. There are some test cases dedicated for testing "%" escaping, which aren't relevant anymore and are subject to removal. But for now we keep most of them as-is, and make sure that "%" is always escaped since we do not use it for variable substitution any more. Since url_format_string is not populated anymore, a migration is created to remove this field entirely, and make url_template non-nullable since we will always populate it. Note that it is possible to have url_template being null after migration 0422 and before 0424, but in practice, url_template will not be None after backfilling and the backend now is always setting url_template. With the removal of url_format_string, RealmFilter model will now be cleaned with URL template checks, and the old checks for escapes are removed. We also modified RealmFilter.clean to skip the validation when the url_template is invalid. This avoids raising mulitple ValidationError's when calling full_clean on a linkifier. But we might eventually want to have a more centric approach to data validation instead of having the same validation in both the clean method and the validator. Fixes #23124. Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-10-05 20:55:31 +02:00
data["url_template"] = "https://realm.com/my_realm_filter/#hashtag/{id}"
Add initial implementation of custom realm filters. This PR was abandoned by Vladislav and then substantially modified by Igor Tokarev and Tim Abbott to complete it and fix a number of bugs. Fixes #544.
2016-02-13 19:17:15 +01:00
result = self.client_post("/json/realm/filters", info=data)
self.assert_json_success(result)
python: Normalize quotes with Black. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-02-12 08:20:45 +01:00
self.assertIsNotNone(re.match(data["pattern"], "ZUL-15"))
Add initial implementation of custom realm filters. This PR was abandoned by Vladislav and then substantially modified by Igor Tokarev and Tim Abbott to complete it and fix a number of bugs. Fixes #544.
2016-02-13 19:17:15 +01:00
python: Normalize quotes with Black. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-02-12 08:20:45 +01:00
data["pattern"] = r"ZUL2-(?P<id>\d+)"
linkifier: Support URL templates for linkifiers. This swaps out url_format_string from all of our APIs and replaces it with url_template. Note that the documentation changes in the following commits will be squashed with this commit. We change the "url_format" key to "url_template" for the realm_linkifiers events in event_schema, along with updating LinkifierDict. "url_template" is the name chosen to normalize mixed usages of "url_format_string" and "url_format" throughout the backend. The markdown processor is updated to stop handling the format string interpolation and delegate the task template expansion to the uri_template library instead. This change affects many test cases. We mostly just replace "%(name)s" with "{name}", "url_format_string" with "url_template" to make sure that they still pass. There are some test cases dedicated for testing "%" escaping, which aren't relevant anymore and are subject to removal. But for now we keep most of them as-is, and make sure that "%" is always escaped since we do not use it for variable substitution any more. Since url_format_string is not populated anymore, a migration is created to remove this field entirely, and make url_template non-nullable since we will always populate it. Note that it is possible to have url_template being null after migration 0422 and before 0424, but in practice, url_template will not be None after backfilling and the backend now is always setting url_template. With the removal of url_format_string, RealmFilter model will now be cleaned with URL template checks, and the old checks for escapes are removed. We also modified RealmFilter.clean to skip the validation when the url_template is invalid. This avoids raising mulitple ValidationError's when calling full_clean on a linkifier. But we might eventually want to have a more centric approach to data validation instead of having the same validation in both the clean method and the validator. Fixes #23124. Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-10-05 20:55:31 +02:00
data["url_template"] = "https://realm.com/my_realm_filter/?value={id}"
realm_filters: Support ? in URL format strings.
2017-03-26 01:13:34 +01:00
result = self.client_post("/json/realm/filters", info=data)
self.assert_json_success(result)
python: Normalize quotes with Black. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-02-12 08:20:45 +01:00
self.assertIsNotNone(re.match(data["pattern"], "ZUL2-15"))
realm filters: Expand set of characters allowed in prefixes. Our list of allowed characters in realm filter patterns has long been too string; fix this by extending the pattern. Also, extend the tests to have examples of actual strings one would use with the patterns, for clarity. Fixes #10953, fixes #6835.
2018-12-14 20:10:20 +01:00
python: Normalize quotes with Black. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-02-12 08:20:45 +01:00
data["pattern"] = r"_code=(?P<id>[0-9a-zA-Z]+)"
linkifier: Support URL templates for linkifiers. This swaps out url_format_string from all of our APIs and replaces it with url_template. Note that the documentation changes in the following commits will be squashed with this commit. We change the "url_format" key to "url_template" for the realm_linkifiers events in event_schema, along with updating LinkifierDict. "url_template" is the name chosen to normalize mixed usages of "url_format_string" and "url_format" throughout the backend. The markdown processor is updated to stop handling the format string interpolation and delegate the task template expansion to the uri_template library instead. This change affects many test cases. We mostly just replace "%(name)s" with "{name}", "url_format_string" with "url_template" to make sure that they still pass. There are some test cases dedicated for testing "%" escaping, which aren't relevant anymore and are subject to removal. But for now we keep most of them as-is, and make sure that "%" is always escaped since we do not use it for variable substitution any more. Since url_format_string is not populated anymore, a migration is created to remove this field entirely, and make url_template non-nullable since we will always populate it. Note that it is possible to have url_template being null after migration 0422 and before 0424, but in practice, url_template will not be None after backfilling and the backend now is always setting url_template. With the removal of url_format_string, RealmFilter model will now be cleaned with URL template checks, and the old checks for escapes are removed. We also modified RealmFilter.clean to skip the validation when the url_template is invalid. This avoids raising mulitple ValidationError's when calling full_clean on a linkifier. But we might eventually want to have a more centric approach to data validation instead of having the same validation in both the clean method and the validator. Fixes #23124. Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-10-05 20:55:31 +02:00
data["url_template"] = "https://example.com/product/{id}/details"
realm filters: Expand set of characters allowed in prefixes. Our list of allowed characters in realm filter patterns has long been too string; fix this by extending the pattern. Also, extend the tests to have examples of actual strings one would use with the patterns, for clarity. Fixes #10953, fixes #6835.
2018-12-14 20:10:20 +01:00
result = self.client_post("/json/realm/filters", info=data)
self.assert_json_success(result)
python: Normalize quotes with Black. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-02-12 08:20:45 +01:00
self.assertIsNotNone(re.match(data["pattern"], "_code=123abcdZ"))
realm filters: Expand set of characters allowed in prefixes. Our list of allowed characters in realm filter patterns has long been too string; fix this by extending the pattern. Also, extend the tests to have examples of actual strings one would use with the patterns, for clarity. Fixes #10953, fixes #6835.
2018-12-14 20:10:20 +01:00
python: Normalize quotes with Black. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-02-12 08:20:45 +01:00
data["pattern"] = r"PR (?P<id>[0-9]+)"
requirements: Upgrade Python requirements. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2024-01-29 00:32:21 +01:00
data["url_template"] = (
"https://example.com/~user/web#view_type=type&model=model&action=12345&id={id}"
)
realm filters: Expand set of characters allowed in prefixes. Our list of allowed characters in realm filter patterns has long been too string; fix this by extending the pattern. Also, extend the tests to have examples of actual strings one would use with the patterns, for clarity. Fixes #10953, fixes #6835.
2018-12-14 20:10:20 +01:00
result = self.client_post("/json/realm/filters", info=data)
self.assert_json_success(result)
python: Normalize quotes with Black. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-02-12 08:20:45 +01:00
self.assertIsNotNone(re.match(data["pattern"], "PR 123"))
realm filters: Expand set of characters allowed in prefixes. Our list of allowed characters in realm filter patterns has long been too string; fix this by extending the pattern. Also, extend the tests to have examples of actual strings one would use with the patterns, for clarity. Fixes #10953, fixes #6835.
2018-12-14 20:10:20 +01:00
python: Normalize quotes with Black. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-02-12 08:20:45 +01:00
data["pattern"] = r"lp/(?P<id>[0-9]+)"
linkifier: Support URL templates for linkifiers. This swaps out url_format_string from all of our APIs and replaces it with url_template. Note that the documentation changes in the following commits will be squashed with this commit. We change the "url_format" key to "url_template" for the realm_linkifiers events in event_schema, along with updating LinkifierDict. "url_template" is the name chosen to normalize mixed usages of "url_format_string" and "url_format" throughout the backend. The markdown processor is updated to stop handling the format string interpolation and delegate the task template expansion to the uri_template library instead. This change affects many test cases. We mostly just replace "%(name)s" with "{name}", "url_format_string" with "url_template" to make sure that they still pass. There are some test cases dedicated for testing "%" escaping, which aren't relevant anymore and are subject to removal. But for now we keep most of them as-is, and make sure that "%" is always escaped since we do not use it for variable substitution any more. Since url_format_string is not populated anymore, a migration is created to remove this field entirely, and make url_template non-nullable since we will always populate it. Note that it is possible to have url_template being null after migration 0422 and before 0424, but in practice, url_template will not be None after backfilling and the backend now is always setting url_template. With the removal of url_format_string, RealmFilter model will now be cleaned with URL template checks, and the old checks for escapes are removed. We also modified RealmFilter.clean to skip the validation when the url_template is invalid. This avoids raising mulitple ValidationError's when calling full_clean on a linkifier. But we might eventually want to have a more centric approach to data validation instead of having the same validation in both the clean method and the validator. Fixes #23124. Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-10-05 20:55:31 +02:00
data["url_template"] = "https://realm.com/my_realm_filter/?value={id}&sort=reverse"
realm filters: Expand set of characters allowed in prefixes. Our list of allowed characters in realm filter patterns has long been too string; fix this by extending the pattern. Also, extend the tests to have examples of actual strings one would use with the patterns, for clarity. Fixes #10953, fixes #6835.
2018-12-14 20:10:20 +01:00
result = self.client_post("/json/realm/filters", info=data)
self.assert_json_success(result)
python: Normalize quotes with Black. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-02-12 08:20:45 +01:00
self.assertIsNotNone(re.match(data["pattern"], "lp/123"))
realm filters: Expand set of characters allowed in prefixes. Our list of allowed characters in realm filter patterns has long been too string; fix this by extending the pattern. Also, extend the tests to have examples of actual strings one would use with the patterns, for clarity. Fixes #10953, fixes #6835.
2018-12-14 20:10:20 +01:00
python: Normalize quotes with Black. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-02-12 08:20:45 +01:00
data["pattern"] = r"lp:(?P<id>[0-9]+)"
linkifier: Support URL templates for linkifiers. This swaps out url_format_string from all of our APIs and replaces it with url_template. Note that the documentation changes in the following commits will be squashed with this commit. We change the "url_format" key to "url_template" for the realm_linkifiers events in event_schema, along with updating LinkifierDict. "url_template" is the name chosen to normalize mixed usages of "url_format_string" and "url_format" throughout the backend. The markdown processor is updated to stop handling the format string interpolation and delegate the task template expansion to the uri_template library instead. This change affects many test cases. We mostly just replace "%(name)s" with "{name}", "url_format_string" with "url_template" to make sure that they still pass. There are some test cases dedicated for testing "%" escaping, which aren't relevant anymore and are subject to removal. But for now we keep most of them as-is, and make sure that "%" is always escaped since we do not use it for variable substitution any more. Since url_format_string is not populated anymore, a migration is created to remove this field entirely, and make url_template non-nullable since we will always populate it. Note that it is possible to have url_template being null after migration 0422 and before 0424, but in practice, url_template will not be None after backfilling and the backend now is always setting url_template. With the removal of url_format_string, RealmFilter model will now be cleaned with URL template checks, and the old checks for escapes are removed. We also modified RealmFilter.clean to skip the validation when the url_template is invalid. This avoids raising mulitple ValidationError's when calling full_clean on a linkifier. But we might eventually want to have a more centric approach to data validation instead of having the same validation in both the clean method and the validator. Fixes #23124. Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-10-05 20:55:31 +02:00
data["url_template"] = "https://realm.com/my_realm_filter/?sort=reverse&value={id}"
realm filters: Expand set of characters allowed in prefixes. Our list of allowed characters in realm filter patterns has long been too string; fix this by extending the pattern. Also, extend the tests to have examples of actual strings one would use with the patterns, for clarity. Fixes #10953, fixes #6835.
2018-12-14 20:10:20 +01:00
result = self.client_post("/json/realm/filters", info=data)
self.assert_json_success(result)
python: Normalize quotes with Black. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-02-12 08:20:45 +01:00
self.assertIsNotNone(re.match(data["pattern"], "lp:123"))
realm filters: Expand set of characters allowed in prefixes. Our list of allowed characters in realm filter patterns has long been too string; fix this by extending the pattern. Also, extend the tests to have examples of actual strings one would use with the patterns, for clarity. Fixes #10953, fixes #6835.
2018-12-14 20:10:20 +01:00
python: Normalize quotes with Black. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-02-12 08:20:45 +01:00
data["pattern"] = r"!(?P<id>[0-9]+)"
linkifier: Support URL templates for linkifiers. This swaps out url_format_string from all of our APIs and replaces it with url_template. Note that the documentation changes in the following commits will be squashed with this commit. We change the "url_format" key to "url_template" for the realm_linkifiers events in event_schema, along with updating LinkifierDict. "url_template" is the name chosen to normalize mixed usages of "url_format_string" and "url_format" throughout the backend. The markdown processor is updated to stop handling the format string interpolation and delegate the task template expansion to the uri_template library instead. This change affects many test cases. We mostly just replace "%(name)s" with "{name}", "url_format_string" with "url_template" to make sure that they still pass. There are some test cases dedicated for testing "%" escaping, which aren't relevant anymore and are subject to removal. But for now we keep most of them as-is, and make sure that "%" is always escaped since we do not use it for variable substitution any more. Since url_format_string is not populated anymore, a migration is created to remove this field entirely, and make url_template non-nullable since we will always populate it. Note that it is possible to have url_template being null after migration 0422 and before 0424, but in practice, url_template will not be None after backfilling and the backend now is always setting url_template. With the removal of url_format_string, RealmFilter model will now be cleaned with URL template checks, and the old checks for escapes are removed. We also modified RealmFilter.clean to skip the validation when the url_template is invalid. This avoids raising mulitple ValidationError's when calling full_clean on a linkifier. But we might eventually want to have a more centric approach to data validation instead of having the same validation in both the clean method and the validator. Fixes #23124. Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-10-05 20:55:31 +02:00
data["url_template"] = "https://realm.com/index.pl?Action=AgentTicketZoom;TicketNumber={id}"
realm filters: Expand set of characters allowed in prefixes. Our list of allowed characters in realm filter patterns has long been too string; fix this by extending the pattern. Also, extend the tests to have examples of actual strings one would use with the patterns, for clarity. Fixes #10953, fixes #6835.
2018-12-14 20:10:20 +01:00
result = self.client_post("/json/realm/filters", info=data)
self.assert_json_success(result)
python: Normalize quotes with Black. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-02-12 08:20:45 +01:00
self.assertIsNotNone(re.match(data["pattern"], "!123"))
realm_filters: Support ? in URL format strings.
2017-03-26 01:13:34 +01:00
linkifiers: Add joint validation for linkifier urls and patterns. We now validate the linkifier urls and patterns together, and add the following additional checks: 1. All groups in the pattern must be used in the URL format string. 2. All groups in the URL format string must be declared in the pattern. Linkifier pattern is now validated inside the `clean` method. `filter_pattern_validator` is moved from `clean_fields` to `clean` method as a safe check. As a result of this, a Puppeteer test case is updated. NOTE: The changes here are IN ADDITION to the existing validations. Fixes #16482. Co-authored-by: akshatdalton <akshat.dak@students.iiit.ac.in>
2021-06-07 11:38:57 +02:00
# This block of tests is for mismatches between field sets
data["pattern"] = r"ZUL-(?P<id>\d+)"
linkifier: Support URL templates for linkifiers. This swaps out url_format_string from all of our APIs and replaces it with url_template. Note that the documentation changes in the following commits will be squashed with this commit. We change the "url_format" key to "url_template" for the realm_linkifiers events in event_schema, along with updating LinkifierDict. "url_template" is the name chosen to normalize mixed usages of "url_format_string" and "url_format" throughout the backend. The markdown processor is updated to stop handling the format string interpolation and delegate the task template expansion to the uri_template library instead. This change affects many test cases. We mostly just replace "%(name)s" with "{name}", "url_format_string" with "url_template" to make sure that they still pass. There are some test cases dedicated for testing "%" escaping, which aren't relevant anymore and are subject to removal. But for now we keep most of them as-is, and make sure that "%" is always escaped since we do not use it for variable substitution any more. Since url_format_string is not populated anymore, a migration is created to remove this field entirely, and make url_template non-nullable since we will always populate it. Note that it is possible to have url_template being null after migration 0422 and before 0424, but in practice, url_template will not be None after backfilling and the backend now is always setting url_template. With the removal of url_format_string, RealmFilter model will now be cleaned with URL template checks, and the old checks for escapes are removed. We also modified RealmFilter.clean to skip the validation when the url_template is invalid. This avoids raising mulitple ValidationError's when calling full_clean on a linkifier. But we might eventually want to have a more centric approach to data validation instead of having the same validation in both the clean method and the validator. Fixes #23124. Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-10-05 20:55:31 +02:00
data["url_template"] = r"https://realm.com/my_realm_filter/{hello}"
linkifiers: Add joint validation for linkifier urls and patterns. We now validate the linkifier urls and patterns together, and add the following additional checks: 1. All groups in the pattern must be used in the URL format string. 2. All groups in the URL format string must be declared in the pattern. Linkifier pattern is now validated inside the `clean` method. `filter_pattern_validator` is moved from `clean_fields` to `clean` method as a safe check. As a result of this, a Puppeteer test case is updated. NOTE: The changes here are IN ADDITION to the existing validations. Fixes #16482. Co-authored-by: akshatdalton <akshat.dak@students.iiit.ac.in>
2021-06-07 11:38:57 +02:00
result = self.client_post("/json/realm/filters", info=data)
self.assert_json_error(
linkifier: Support URL templates for linkifiers. This swaps out url_format_string from all of our APIs and replaces it with url_template. Note that the documentation changes in the following commits will be squashed with this commit. We change the "url_format" key to "url_template" for the realm_linkifiers events in event_schema, along with updating LinkifierDict. "url_template" is the name chosen to normalize mixed usages of "url_format_string" and "url_format" throughout the backend. The markdown processor is updated to stop handling the format string interpolation and delegate the task template expansion to the uri_template library instead. This change affects many test cases. We mostly just replace "%(name)s" with "{name}", "url_format_string" with "url_template" to make sure that they still pass. There are some test cases dedicated for testing "%" escaping, which aren't relevant anymore and are subject to removal. But for now we keep most of them as-is, and make sure that "%" is always escaped since we do not use it for variable substitution any more. Since url_format_string is not populated anymore, a migration is created to remove this field entirely, and make url_template non-nullable since we will always populate it. Note that it is possible to have url_template being null after migration 0422 and before 0424, but in practice, url_template will not be None after backfilling and the backend now is always setting url_template. With the removal of url_format_string, RealmFilter model will now be cleaned with URL template checks, and the old checks for escapes are removed. We also modified RealmFilter.clean to skip the validation when the url_template is invalid. This avoids raising mulitple ValidationError's when calling full_clean on a linkifier. But we might eventually want to have a more centric approach to data validation instead of having the same validation in both the clean method and the validator. Fixes #23124. Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-10-05 20:55:31 +02:00
result, "Group 'hello' in URL template is not present in linkifier pattern."
linkifiers: Add joint validation for linkifier urls and patterns. We now validate the linkifier urls and patterns together, and add the following additional checks: 1. All groups in the pattern must be used in the URL format string. 2. All groups in the URL format string must be declared in the pattern. Linkifier pattern is now validated inside the `clean` method. `filter_pattern_validator` is moved from `clean_fields` to `clean` method as a safe check. As a result of this, a Puppeteer test case is updated. NOTE: The changes here are IN ADDITION to the existing validations. Fixes #16482. Co-authored-by: akshatdalton <akshat.dak@students.iiit.ac.in>
2021-06-07 11:38:57 +02:00
)
data["pattern"] = r"ZUL-(?P<id>\d+)-(?P<hello>\d+)"
linkifier: Support URL templates for linkifiers. This swaps out url_format_string from all of our APIs and replaces it with url_template. Note that the documentation changes in the following commits will be squashed with this commit. We change the "url_format" key to "url_template" for the realm_linkifiers events in event_schema, along with updating LinkifierDict. "url_template" is the name chosen to normalize mixed usages of "url_format_string" and "url_format" throughout the backend. The markdown processor is updated to stop handling the format string interpolation and delegate the task template expansion to the uri_template library instead. This change affects many test cases. We mostly just replace "%(name)s" with "{name}", "url_format_string" with "url_template" to make sure that they still pass. There are some test cases dedicated for testing "%" escaping, which aren't relevant anymore and are subject to removal. But for now we keep most of them as-is, and make sure that "%" is always escaped since we do not use it for variable substitution any more. Since url_format_string is not populated anymore, a migration is created to remove this field entirely, and make url_template non-nullable since we will always populate it. Note that it is possible to have url_template being null after migration 0422 and before 0424, but in practice, url_template will not be None after backfilling and the backend now is always setting url_template. With the removal of url_format_string, RealmFilter model will now be cleaned with URL template checks, and the old checks for escapes are removed. We also modified RealmFilter.clean to skip the validation when the url_template is invalid. This avoids raising mulitple ValidationError's when calling full_clean on a linkifier. But we might eventually want to have a more centric approach to data validation instead of having the same validation in both the clean method and the validator. Fixes #23124. Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-10-05 20:55:31 +02:00
data["url_template"] = r"https://realm.com/my_realm_filter/{hello}"
linkifiers: Add joint validation for linkifier urls and patterns. We now validate the linkifier urls and patterns together, and add the following additional checks: 1. All groups in the pattern must be used in the URL format string. 2. All groups in the URL format string must be declared in the pattern. Linkifier pattern is now validated inside the `clean` method. `filter_pattern_validator` is moved from `clean_fields` to `clean` method as a safe check. As a result of this, a Puppeteer test case is updated. NOTE: The changes here are IN ADDITION to the existing validations. Fixes #16482. Co-authored-by: akshatdalton <akshat.dak@students.iiit.ac.in>
2021-06-07 11:38:57 +02:00
result = self.client_post("/json/realm/filters", info=data)
self.assert_json_error(
linkifier: Support URL templates for linkifiers. This swaps out url_format_string from all of our APIs and replaces it with url_template. Note that the documentation changes in the following commits will be squashed with this commit. We change the "url_format" key to "url_template" for the realm_linkifiers events in event_schema, along with updating LinkifierDict. "url_template" is the name chosen to normalize mixed usages of "url_format_string" and "url_format" throughout the backend. The markdown processor is updated to stop handling the format string interpolation and delegate the task template expansion to the uri_template library instead. This change affects many test cases. We mostly just replace "%(name)s" with "{name}", "url_format_string" with "url_template" to make sure that they still pass. There are some test cases dedicated for testing "%" escaping, which aren't relevant anymore and are subject to removal. But for now we keep most of them as-is, and make sure that "%" is always escaped since we do not use it for variable substitution any more. Since url_format_string is not populated anymore, a migration is created to remove this field entirely, and make url_template non-nullable since we will always populate it. Note that it is possible to have url_template being null after migration 0422 and before 0424, but in practice, url_template will not be None after backfilling and the backend now is always setting url_template. With the removal of url_format_string, RealmFilter model will now be cleaned with URL template checks, and the old checks for escapes are removed. We also modified RealmFilter.clean to skip the validation when the url_template is invalid. This avoids raising mulitple ValidationError's when calling full_clean on a linkifier. But we might eventually want to have a more centric approach to data validation instead of having the same validation in both the clean method and the validator. Fixes #23124. Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-10-05 20:55:31 +02:00
result, "Group 'id' in linkifier pattern is not present in URL template."
linkifiers: Add joint validation for linkifier urls and patterns. We now validate the linkifier urls and patterns together, and add the following additional checks: 1. All groups in the pattern must be used in the URL format string. 2. All groups in the URL format string must be declared in the pattern. Linkifier pattern is now validated inside the `clean` method. `filter_pattern_validator` is moved from `clean_fields` to `clean` method as a safe check. As a result of this, a Puppeteer test case is updated. NOTE: The changes here are IN ADDITION to the existing validations. Fixes #16482. Co-authored-by: akshatdalton <akshat.dak@students.iiit.ac.in>
2021-06-07 11:38:57 +02:00
)
data["pattern"] = r"ZULZ-(?P<hello>\d+)-(?P<world>\d+)"
linkifier: Support URL templates for linkifiers. This swaps out url_format_string from all of our APIs and replaces it with url_template. Note that the documentation changes in the following commits will be squashed with this commit. We change the "url_format" key to "url_template" for the realm_linkifiers events in event_schema, along with updating LinkifierDict. "url_template" is the name chosen to normalize mixed usages of "url_format_string" and "url_format" throughout the backend. The markdown processor is updated to stop handling the format string interpolation and delegate the task template expansion to the uri_template library instead. This change affects many test cases. We mostly just replace "%(name)s" with "{name}", "url_format_string" with "url_template" to make sure that they still pass. There are some test cases dedicated for testing "%" escaping, which aren't relevant anymore and are subject to removal. But for now we keep most of them as-is, and make sure that "%" is always escaped since we do not use it for variable substitution any more. Since url_format_string is not populated anymore, a migration is created to remove this field entirely, and make url_template non-nullable since we will always populate it. Note that it is possible to have url_template being null after migration 0422 and before 0424, but in practice, url_template will not be None after backfilling and the backend now is always setting url_template. With the removal of url_format_string, RealmFilter model will now be cleaned with URL template checks, and the old checks for escapes are removed. We also modified RealmFilter.clean to skip the validation when the url_template is invalid. This avoids raising mulitple ValidationError's when calling full_clean on a linkifier. But we might eventually want to have a more centric approach to data validation instead of having the same validation in both the clean method and the validator. Fixes #23124. Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-10-05 20:55:31 +02:00
data["url_template"] = r"https://realm.com/my_realm_filter/{hello}/{world}"
linkifiers: Add joint validation for linkifier urls and patterns. We now validate the linkifier urls and patterns together, and add the following additional checks: 1. All groups in the pattern must be used in the URL format string. 2. All groups in the URL format string must be declared in the pattern. Linkifier pattern is now validated inside the `clean` method. `filter_pattern_validator` is moved from `clean_fields` to `clean` method as a safe check. As a result of this, a Puppeteer test case is updated. NOTE: The changes here are IN ADDITION to the existing validations. Fixes #16482. Co-authored-by: akshatdalton <akshat.dak@students.iiit.ac.in>
2021-06-07 11:38:57 +02:00
result = self.client_post("/json/realm/filters", info=data)
self.assert_json_success(result)
data["pattern"] = r"ZUL-(?P<id>\d+)-(?P<hello>\d+)-(?P<world>\d+)"
linkifier: Support URL templates for linkifiers. This swaps out url_format_string from all of our APIs and replaces it with url_template. Note that the documentation changes in the following commits will be squashed with this commit. We change the "url_format" key to "url_template" for the realm_linkifiers events in event_schema, along with updating LinkifierDict. "url_template" is the name chosen to normalize mixed usages of "url_format_string" and "url_format" throughout the backend. The markdown processor is updated to stop handling the format string interpolation and delegate the task template expansion to the uri_template library instead. This change affects many test cases. We mostly just replace "%(name)s" with "{name}", "url_format_string" with "url_template" to make sure that they still pass. There are some test cases dedicated for testing "%" escaping, which aren't relevant anymore and are subject to removal. But for now we keep most of them as-is, and make sure that "%" is always escaped since we do not use it for variable substitution any more. Since url_format_string is not populated anymore, a migration is created to remove this field entirely, and make url_template non-nullable since we will always populate it. Note that it is possible to have url_template being null after migration 0422 and before 0424, but in practice, url_template will not be None after backfilling and the backend now is always setting url_template. With the removal of url_format_string, RealmFilter model will now be cleaned with URL template checks, and the old checks for escapes are removed. We also modified RealmFilter.clean to skip the validation when the url_template is invalid. This avoids raising mulitple ValidationError's when calling full_clean on a linkifier. But we might eventually want to have a more centric approach to data validation instead of having the same validation in both the clean method and the validator. Fixes #23124. Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-10-05 20:55:31 +02:00
data["url_template"] = r"https://realm.com/my_realm_filter/{hello}"
linkifiers: Add joint validation for linkifier urls and patterns. We now validate the linkifier urls and patterns together, and add the following additional checks: 1. All groups in the pattern must be used in the URL format string. 2. All groups in the URL format string must be declared in the pattern. Linkifier pattern is now validated inside the `clean` method. `filter_pattern_validator` is moved from `clean_fields` to `clean` method as a safe check. As a result of this, a Puppeteer test case is updated. NOTE: The changes here are IN ADDITION to the existing validations. Fixes #16482. Co-authored-by: akshatdalton <akshat.dak@students.iiit.ac.in>
2021-06-07 11:38:57 +02:00
result = self.client_post("/json/realm/filters", info=data)
self.assert_json_error(
linkifier: Support URL templates for linkifiers. This swaps out url_format_string from all of our APIs and replaces it with url_template. Note that the documentation changes in the following commits will be squashed with this commit. We change the "url_format" key to "url_template" for the realm_linkifiers events in event_schema, along with updating LinkifierDict. "url_template" is the name chosen to normalize mixed usages of "url_format_string" and "url_format" throughout the backend. The markdown processor is updated to stop handling the format string interpolation and delegate the task template expansion to the uri_template library instead. This change affects many test cases. We mostly just replace "%(name)s" with "{name}", "url_format_string" with "url_template" to make sure that they still pass. There are some test cases dedicated for testing "%" escaping, which aren't relevant anymore and are subject to removal. But for now we keep most of them as-is, and make sure that "%" is always escaped since we do not use it for variable substitution any more. Since url_format_string is not populated anymore, a migration is created to remove this field entirely, and make url_template non-nullable since we will always populate it. Note that it is possible to have url_template being null after migration 0422 and before 0424, but in practice, url_template will not be None after backfilling and the backend now is always setting url_template. With the removal of url_format_string, RealmFilter model will now be cleaned with URL template checks, and the old checks for escapes are removed. We also modified RealmFilter.clean to skip the validation when the url_template is invalid. This avoids raising mulitple ValidationError's when calling full_clean on a linkifier. But we might eventually want to have a more centric approach to data validation instead of having the same validation in both the clean method and the validator. Fixes #23124. Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-10-05 20:55:31 +02:00
result, "Group 'id' in linkifier pattern is not present in URL template."
linkifiers: Add joint validation for linkifier urls and patterns. We now validate the linkifier urls and patterns together, and add the following additional checks: 1. All groups in the pattern must be used in the URL format string. 2. All groups in the URL format string must be declared in the pattern. Linkifier pattern is now validated inside the `clean` method. `filter_pattern_validator` is moved from `clean_fields` to `clean` method as a safe check. As a result of this, a Puppeteer test case is updated. NOTE: The changes here are IN ADDITION to the existing validations. Fixes #16482. Co-authored-by: akshatdalton <akshat.dak@students.iiit.ac.in>
2021-06-07 11:38:57 +02:00
)
test: Replace occurences of `uri` with `url`. In all the tests files, replaced all occurences of `uri` with `url` appeared in comments, local variablles, function names and their callers.
2023-04-08 07:01:50 +02:00
data["pattern"] = r"ZUL-URL-(?P<id>\d+)"
linkifier: Support URL templates for linkifiers. This swaps out url_format_string from all of our APIs and replaces it with url_template. Note that the documentation changes in the following commits will be squashed with this commit. We change the "url_format" key to "url_template" for the realm_linkifiers events in event_schema, along with updating LinkifierDict. "url_template" is the name chosen to normalize mixed usages of "url_format_string" and "url_format" throughout the backend. The markdown processor is updated to stop handling the format string interpolation and delegate the task template expansion to the uri_template library instead. This change affects many test cases. We mostly just replace "%(name)s" with "{name}", "url_format_string" with "url_template" to make sure that they still pass. There are some test cases dedicated for testing "%" escaping, which aren't relevant anymore and are subject to removal. But for now we keep most of them as-is, and make sure that "%" is always escaped since we do not use it for variable substitution any more. Since url_format_string is not populated anymore, a migration is created to remove this field entirely, and make url_template non-nullable since we will always populate it. Note that it is possible to have url_template being null after migration 0422 and before 0424, but in practice, url_template will not be None after backfilling and the backend now is always setting url_template. With the removal of url_format_string, RealmFilter model will now be cleaned with URL template checks, and the old checks for escapes are removed. We also modified RealmFilter.clean to skip the validation when the url_template is invalid. This avoids raising mulitple ValidationError's when calling full_clean on a linkifier. But we might eventually want to have a more centric approach to data validation instead of having the same validation in both the clean method and the validator. Fixes #23124. Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-10-05 20:55:31 +02:00
data["url_template"] = "https://example.com/%ba/{id}"
linkifiers: Support URL percent-encoded bytes. Supporting URL percent-encoded bytes is possible using `%%20`, but this is not necessarily very understandable to end-users, even those that understand percent encoding. Allow `%20` in linkifier URL format strings, and transform them into `%%20` in the pattern just before they are applied in markdown translation. Care must be taken here, such that already-escaped `%`s are not escaped an extra time. We do this before rendering, and not before storage, as a simplification; the JS-side linkifier at present only understands `%(foo)s` and thus needs no changes, and to avoid an un-escaping pass before showing in the admin UI.
2021-10-20 04:57:53 +02:00
result = self.client_post("/json/realm/filters", info=data)
self.assert_json_success(result)
python: Normalize quotes with Black. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-02-12 08:20:45 +01:00
data["pattern"] = r"(?P<org>[a-zA-Z0-9_-]+)/(?P<repo>[a-zA-Z0-9_-]+)#(?P<id>[0-9]+)"
linkifier: Support URL templates for linkifiers. This swaps out url_format_string from all of our APIs and replaces it with url_template. Note that the documentation changes in the following commits will be squashed with this commit. We change the "url_format" key to "url_template" for the realm_linkifiers events in event_schema, along with updating LinkifierDict. "url_template" is the name chosen to normalize mixed usages of "url_format_string" and "url_format" throughout the backend. The markdown processor is updated to stop handling the format string interpolation and delegate the task template expansion to the uri_template library instead. This change affects many test cases. We mostly just replace "%(name)s" with "{name}", "url_format_string" with "url_template" to make sure that they still pass. There are some test cases dedicated for testing "%" escaping, which aren't relevant anymore and are subject to removal. But for now we keep most of them as-is, and make sure that "%" is always escaped since we do not use it for variable substitution any more. Since url_format_string is not populated anymore, a migration is created to remove this field entirely, and make url_template non-nullable since we will always populate it. Note that it is possible to have url_template being null after migration 0422 and before 0424, but in practice, url_template will not be None after backfilling and the backend now is always setting url_template. With the removal of url_format_string, RealmFilter model will now be cleaned with URL template checks, and the old checks for escapes are removed. We also modified RealmFilter.clean to skip the validation when the url_template is invalid. This avoids raising mulitple ValidationError's when calling full_clean on a linkifier. But we might eventually want to have a more centric approach to data validation instead of having the same validation in both the clean method and the validator. Fixes #23124. Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-10-05 20:55:31 +02:00
data["url_template"] = "https://github.com/{org}/{repo}/issue/{id}"
realm filters: Add a test for a useful thing to support.
2018-11-21 04:34:28 +01:00
result = self.client_post("/json/realm/filters", info=data)
linkifiers: Add validation support for multiple items. This is a simple change to our validation, to allow multiple copies of the main linkifier syntax, which lets us support things like generic GitHub URLs. Fixes #10914.
2018-12-17 21:12:52 +01:00
self.assert_json_success(result)
python: Normalize quotes with Black. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-02-12 08:20:45 +01:00
self.assertIsNotNone(re.match(data["pattern"], "zulip/zulip#123"))
realm filters: Add a test for a useful thing to support.
2018-11-21 04:34:28 +01:00
requirements: Upgrade Python requirements. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2024-01-29 00:32:21 +01:00
data["pattern"] = (
r"FOO_(?P<id>[a-f]{5});(?P<zone>[a-f]);(?P<domain>[a-z]+);(?P<location>[a-z]+);(?P<name>[a-z]{2,8});(?P<chapter>[0-9]{2,3});(?P<fragment>[a-z]{2,8})"
)
data["url_template"] = (
"https://zone_{zone}{.domain}.net/ticket{/location}{/id}{?name,chapter}{#fragment:5}"
)
linkifier: Support URL templates for linkifiers. This swaps out url_format_string from all of our APIs and replaces it with url_template. Note that the documentation changes in the following commits will be squashed with this commit. We change the "url_format" key to "url_template" for the realm_linkifiers events in event_schema, along with updating LinkifierDict. "url_template" is the name chosen to normalize mixed usages of "url_format_string" and "url_format" throughout the backend. The markdown processor is updated to stop handling the format string interpolation and delegate the task template expansion to the uri_template library instead. This change affects many test cases. We mostly just replace "%(name)s" with "{name}", "url_format_string" with "url_template" to make sure that they still pass. There are some test cases dedicated for testing "%" escaping, which aren't relevant anymore and are subject to removal. But for now we keep most of them as-is, and make sure that "%" is always escaped since we do not use it for variable substitution any more. Since url_format_string is not populated anymore, a migration is created to remove this field entirely, and make url_template non-nullable since we will always populate it. Note that it is possible to have url_template being null after migration 0422 and before 0424, but in practice, url_template will not be None after backfilling and the backend now is always setting url_template. With the removal of url_format_string, RealmFilter model will now be cleaned with URL template checks, and the old checks for escapes are removed. We also modified RealmFilter.clean to skip the validation when the url_template is invalid. This avoids raising mulitple ValidationError's when calling full_clean on a linkifier. But we might eventually want to have a more centric approach to data validation instead of having the same validation in both the clean method and the validator. Fixes #23124. Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-10-05 20:55:31 +02:00
result = self.client_post("/json/realm/filters", info=data)
self.assert_json_success(result)
zerver/tests: Use python 3 syntax for typing. This patch was extracted by tabbott for just the files with no open PRs modifying them.
2017-11-05 10:51:25 +01:00
def test_not_realm_admin(self) -> None:
python: Normalize quotes with Black. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-02-12 08:20:45 +01:00
self.login("hamlet")
Add initial implementation of custom realm filters. This PR was abandoned by Vladislav and then substantially modified by Igor Tokarev and Tim Abbott to complete it and fix a number of bugs. Fixes #544.
2016-02-13 19:17:15 +01:00
result = self.client_post("/json/realm/filters")
python: Normalize quotes with Black. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-02-12 08:20:45 +01:00
self.assert_json_error(result, "Must be an organization administrator")
Add initial implementation of custom realm filters. This PR was abandoned by Vladislav and then substantially modified by Igor Tokarev and Tim Abbott to complete it and fix a number of bugs. Fixes #544.
2016-02-13 19:17:15 +01:00
result = self.client_delete("/json/realm/filters/15")
python: Normalize quotes with Black. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-02-12 08:20:45 +01:00
self.assert_json_error(result, "Must be an organization administrator")
Add initial implementation of custom realm filters. This PR was abandoned by Vladislav and then substantially modified by Igor Tokarev and Tim Abbott to complete it and fix a number of bugs. Fixes #544.
2016-02-13 19:17:15 +01:00
zerver/tests: Use python 3 syntax for typing. This patch was extracted by tabbott for just the files with no open PRs modifying them.
2017-11-05 10:51:25 +01:00
def test_delete(self) -> None:
python: Normalize quotes with Black. Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-02-12 08:20:45 +01:00
self.login("iago")
Refactor: Use backend-endpoint function instead of helper function. Use backend-endpoint function instead of helper function in `test_realm_linkifiers.py` so that tests are more end-to-end. The removed helper function: `do_add_linkifier` is tested in `zerver/tests/test_events.py`.
2021-04-15 19:41:12 +02:00
data = {
"pattern": "#(?P<id>[123])",
linkifier: Support URL templates for linkifiers. This swaps out url_format_string from all of our APIs and replaces it with url_template. Note that the documentation changes in the following commits will be squashed with this commit. We change the "url_format" key to "url_template" for the realm_linkifiers events in event_schema, along with updating LinkifierDict. "url_template" is the name chosen to normalize mixed usages of "url_format_string" and "url_format" throughout the backend. The markdown processor is updated to stop handling the format string interpolation and delegate the task template expansion to the uri_template library instead. This change affects many test cases. We mostly just replace "%(name)s" with "{name}", "url_format_string" with "url_template" to make sure that they still pass. There are some test cases dedicated for testing "%" escaping, which aren't relevant anymore and are subject to removal. But for now we keep most of them as-is, and make sure that "%" is always escaped since we do not use it for variable substitution any more. Since url_format_string is not populated anymore, a migration is created to remove this field entirely, and make url_template non-nullable since we will always populate it. Note that it is possible to have url_template being null after migration 0422 and before 0424, but in practice, url_template will not be None after backfilling and the backend now is always setting url_template. With the removal of url_format_string, RealmFilter model will now be cleaned with URL template checks, and the old checks for escapes are removed. We also modified RealmFilter.clean to skip the validation when the url_template is invalid. This avoids raising mulitple ValidationError's when calling full_clean on a linkifier. But we might eventually want to have a more centric approach to data validation instead of having the same validation in both the clean method and the validator. Fixes #23124. Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-10-05 20:55:31 +02:00
"url_template": "https://realm.com/my_realm_filter/{id}",
Refactor: Use backend-endpoint function instead of helper function. Use backend-endpoint function instead of helper function in `test_realm_linkifiers.py` so that tests are more end-to-end. The removed helper function: `do_add_linkifier` is tested in `zerver/tests/test_events.py`.
2021-04-15 19:41:12 +02:00
}
result = self.client_post("/json/realm/filters", info=data)
tests: Refactor away result.json() calls with helpers. Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-06-07 01:37:01 +02:00
linkifier_id = self.assert_json_success(result)["id"]
refactor: Rename most of "filter" to "linkifier". After this only the database table, events, and API endpoints remain.
2021-03-30 12:15:39 +02:00
linkifiers_count = RealmFilter.objects.count()
result = self.client_delete(f"/json/realm/filters/{linkifier_id + 1}")
Refactor: Rename `Filter` to `Linkifier`. Linkifier error message: `Filter not found` is updated to `Linkifier not found.`. Similarly, `filter_id` description is updated to: `The ID of the linkifier that you want to remove.`, renamed the term `filter` with `linkifier`, in `zulip.yaml`.
2021-04-14 04:21:49 +02:00
self.assert_json_error(result, "Linkifier not found.")
Add initial implementation of custom realm filters. This PR was abandoned by Vladislav and then substantially modified by Igor Tokarev and Tim Abbott to complete it and fix a number of bugs. Fixes #544.
2016-02-13 19:17:15 +01:00
refactor: Rename most of "filter" to "linkifier". After this only the database table, events, and API endpoints remain.
2021-03-30 12:15:39 +02:00
result = self.client_delete(f"/json/realm/filters/{linkifier_id}")
Add initial implementation of custom realm filters. This PR was abandoned by Vladislav and then substantially modified by Igor Tokarev and Tim Abbott to complete it and fix a number of bugs. Fixes #544.
2016-02-13 19:17:15 +01:00
self.assert_json_success(result)
refactor: Rename most of "filter" to "linkifier". After this only the database table, events, and API endpoints remain.
2021-03-30 12:15:39 +02:00
self.assertEqual(RealmFilter.objects.count(), linkifiers_count - 1)
linkifiers: Add an API to support the editing of linkifier. This commit adds an API to `zproject/urls.py` to edit/update the realm linkifier. Its helper function to update the database is added in `zerver/lib/actions.py`. `zulip.yaml` is documented accordingly as well, clearly stating that this API updates one linkifier at a time. The tests are added for the API and helper function which updates the realm linkifier. Fixes #10830.
2021-04-15 19:51:36 +02:00
def test_update(self) -> None:
self.login("iago")
data = {
"pattern": "#(?P<id>[123])",
linkifier: Support URL templates for linkifiers. This swaps out url_format_string from all of our APIs and replaces it with url_template. Note that the documentation changes in the following commits will be squashed with this commit. We change the "url_format" key to "url_template" for the realm_linkifiers events in event_schema, along with updating LinkifierDict. "url_template" is the name chosen to normalize mixed usages of "url_format_string" and "url_format" throughout the backend. The markdown processor is updated to stop handling the format string interpolation and delegate the task template expansion to the uri_template library instead. This change affects many test cases. We mostly just replace "%(name)s" with "{name}", "url_format_string" with "url_template" to make sure that they still pass. There are some test cases dedicated for testing "%" escaping, which aren't relevant anymore and are subject to removal. But for now we keep most of them as-is, and make sure that "%" is always escaped since we do not use it for variable substitution any more. Since url_format_string is not populated anymore, a migration is created to remove this field entirely, and make url_template non-nullable since we will always populate it. Note that it is possible to have url_template being null after migration 0422 and before 0424, but in practice, url_template will not be None after backfilling and the backend now is always setting url_template. With the removal of url_format_string, RealmFilter model will now be cleaned with URL template checks, and the old checks for escapes are removed. We also modified RealmFilter.clean to skip the validation when the url_template is invalid. This avoids raising mulitple ValidationError's when calling full_clean on a linkifier. But we might eventually want to have a more centric approach to data validation instead of having the same validation in both the clean method and the validator. Fixes #23124. Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-10-05 20:55:31 +02:00
"url_template": "https://realm.com/my_realm_filter/{id}",
linkifiers: Add an API to support the editing of linkifier. This commit adds an API to `zproject/urls.py` to edit/update the realm linkifier. Its helper function to update the database is added in `zerver/lib/actions.py`. `zulip.yaml` is documented accordingly as well, clearly stating that this API updates one linkifier at a time. The tests are added for the API and helper function which updates the realm linkifier. Fixes #10830.
2021-04-15 19:51:36 +02:00
}
result = self.client_post("/json/realm/filters", info=data)
tests: Refactor away result.json() calls with helpers. Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-06-07 01:37:01 +02:00
linkifier_id = self.assert_json_success(result)["id"]
linkifiers: Add an API to support the editing of linkifier. This commit adds an API to `zproject/urls.py` to edit/update the realm linkifier. Its helper function to update the database is added in `zerver/lib/actions.py`. `zulip.yaml` is documented accordingly as well, clearly stating that this API updates one linkifier at a time. The tests are added for the API and helper function which updates the realm linkifier. Fixes #10830.
2021-04-15 19:51:36 +02:00
data = {
"pattern": "#(?P<id>[0-9]+)",
linkifier: Support URL templates for linkifiers. This swaps out url_format_string from all of our APIs and replaces it with url_template. Note that the documentation changes in the following commits will be squashed with this commit. We change the "url_format" key to "url_template" for the realm_linkifiers events in event_schema, along with updating LinkifierDict. "url_template" is the name chosen to normalize mixed usages of "url_format_string" and "url_format" throughout the backend. The markdown processor is updated to stop handling the format string interpolation and delegate the task template expansion to the uri_template library instead. This change affects many test cases. We mostly just replace "%(name)s" with "{name}", "url_format_string" with "url_template" to make sure that they still pass. There are some test cases dedicated for testing "%" escaping, which aren't relevant anymore and are subject to removal. But for now we keep most of them as-is, and make sure that "%" is always escaped since we do not use it for variable substitution any more. Since url_format_string is not populated anymore, a migration is created to remove this field entirely, and make url_template non-nullable since we will always populate it. Note that it is possible to have url_template being null after migration 0422 and before 0424, but in practice, url_template will not be None after backfilling and the backend now is always setting url_template. With the removal of url_format_string, RealmFilter model will now be cleaned with URL template checks, and the old checks for escapes are removed. We also modified RealmFilter.clean to skip the validation when the url_template is invalid. This avoids raising mulitple ValidationError's when calling full_clean on a linkifier. But we might eventually want to have a more centric approach to data validation instead of having the same validation in both the clean method and the validator. Fixes #23124. Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-10-05 20:55:31 +02:00
"url_template": "https://realm.com/my_realm_filter/issues/{id}",
linkifiers: Add an API to support the editing of linkifier. This commit adds an API to `zproject/urls.py` to edit/update the realm linkifier. Its helper function to update the database is added in `zerver/lib/actions.py`. `zulip.yaml` is documented accordingly as well, clearly stating that this API updates one linkifier at a time. The tests are added for the API and helper function which updates the realm linkifier. Fixes #10830.
2021-04-15 19:51:36 +02:00
}
result = self.client_patch(f"/json/realm/filters/{linkifier_id}", info=data)
self.assert_json_success(result)
self.assertIsNotNone(re.match(data["pattern"], "#1234"))
# Verify that the linkifier is updated accordingly.
result = self.client_get("/json/realm/linkifiers")
tests: Refactor away result.json() calls with helpers. Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-06-07 01:37:01 +02:00
linkifier = self.assert_json_success(result)["linkifiers"]
tests: Consistently use assert_length helper. This helper does some nice things like printing out the data structure incase of failure.
2021-05-17 05:41:32 +02:00
self.assert_length(linkifier, 1)
linkifiers: Add an API to support the editing of linkifier. This commit adds an API to `zproject/urls.py` to edit/update the realm linkifier. Its helper function to update the database is added in `zerver/lib/actions.py`. `zulip.yaml` is documented accordingly as well, clearly stating that this API updates one linkifier at a time. The tests are added for the API and helper function which updates the realm linkifier. Fixes #10830.
2021-04-15 19:51:36 +02:00
self.assertEqual(linkifier[0]["pattern"], "#(?P<id>[0-9]+)")
self.assertEqual(
linkifier: Support URL templates for linkifiers. This swaps out url_format_string from all of our APIs and replaces it with url_template. Note that the documentation changes in the following commits will be squashed with this commit. We change the "url_format" key to "url_template" for the realm_linkifiers events in event_schema, along with updating LinkifierDict. "url_template" is the name chosen to normalize mixed usages of "url_format_string" and "url_format" throughout the backend. The markdown processor is updated to stop handling the format string interpolation and delegate the task template expansion to the uri_template library instead. This change affects many test cases. We mostly just replace "%(name)s" with "{name}", "url_format_string" with "url_template" to make sure that they still pass. There are some test cases dedicated for testing "%" escaping, which aren't relevant anymore and are subject to removal. But for now we keep most of them as-is, and make sure that "%" is always escaped since we do not use it for variable substitution any more. Since url_format_string is not populated anymore, a migration is created to remove this field entirely, and make url_template non-nullable since we will always populate it. Note that it is possible to have url_template being null after migration 0422 and before 0424, but in practice, url_template will not be None after backfilling and the backend now is always setting url_template. With the removal of url_format_string, RealmFilter model will now be cleaned with URL template checks, and the old checks for escapes are removed. We also modified RealmFilter.clean to skip the validation when the url_template is invalid. This avoids raising mulitple ValidationError's when calling full_clean on a linkifier. But we might eventually want to have a more centric approach to data validation instead of having the same validation in both the clean method and the validator. Fixes #23124. Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-10-05 20:55:31 +02:00
linkifier[0]["url_template"], "https://realm.com/my_realm_filter/issues/{id}"
linkifiers: Add an API to support the editing of linkifier. This commit adds an API to `zproject/urls.py` to edit/update the realm linkifier. Its helper function to update the database is added in `zerver/lib/actions.py`. `zulip.yaml` is documented accordingly as well, clearly stating that this API updates one linkifier at a time. The tests are added for the API and helper function which updates the realm linkifier. Fixes #10830.
2021-04-15 19:51:36 +02:00
)
data = {
CVE-2021-41115: Use re2 for user-supplied linkifier patterns. Zulip attempts to validate that the regular expressions that admins enter for linkifiers are well-formatted, and only contain a specific subset of regex grammar. The process of checking these properties (via a regex!) can cause denial-of-service via backtracking. Furthermore, this validation itself does not prevent the creation of linkifiers which themselves cause denial-of-service when they are executed. As the validator accepts literally anything inside of a `(?P<word>...)` block, any quadratic backtracking expression can be hidden therein. Switch user-provided linkifier patterns to be matched in the Markdown processor by the `re2` library, which is guaranteed constant-time. This somewhat limits the possible features of the regular expression (notably, look-head and -behind, and back-references); however, these features had never been advertised as working in the context of linkifiers. A migration removes any existing linkifiers which would not function under re2, after printing them for posterity during the upgrade; they are unlikely to be common, and are impossible to fix automatically. The denial-of-service in the linkifier validator was discovered by @erik-krogh and @yoff, as GHSL-2021-118.
2021-09-29 01:27:54 +02:00
"pattern": r"ZUL-(?P<id>\d????)",
linkifier: Support URL templates for linkifiers. This swaps out url_format_string from all of our APIs and replaces it with url_template. Note that the documentation changes in the following commits will be squashed with this commit. We change the "url_format" key to "url_template" for the realm_linkifiers events in event_schema, along with updating LinkifierDict. "url_template" is the name chosen to normalize mixed usages of "url_format_string" and "url_format" throughout the backend. The markdown processor is updated to stop handling the format string interpolation and delegate the task template expansion to the uri_template library instead. This change affects many test cases. We mostly just replace "%(name)s" with "{name}", "url_format_string" with "url_template" to make sure that they still pass. There are some test cases dedicated for testing "%" escaping, which aren't relevant anymore and are subject to removal. But for now we keep most of them as-is, and make sure that "%" is always escaped since we do not use it for variable substitution any more. Since url_format_string is not populated anymore, a migration is created to remove this field entirely, and make url_template non-nullable since we will always populate it. Note that it is possible to have url_template being null after migration 0422 and before 0424, but in practice, url_template will not be None after backfilling and the backend now is always setting url_template. With the removal of url_format_string, RealmFilter model will now be cleaned with URL template checks, and the old checks for escapes are removed. We also modified RealmFilter.clean to skip the validation when the url_template is invalid. This avoids raising mulitple ValidationError's when calling full_clean on a linkifier. But we might eventually want to have a more centric approach to data validation instead of having the same validation in both the clean method and the validator. Fixes #23124. Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-10-05 20:55:31 +02:00
"url_template": "https://realm.com/my_realm_filter/{id}",
linkifiers: Add an API to support the editing of linkifier. This commit adds an API to `zproject/urls.py` to edit/update the realm linkifier. Its helper function to update the database is added in `zerver/lib/actions.py`. `zulip.yaml` is documented accordingly as well, clearly stating that this API updates one linkifier at a time. The tests are added for the API and helper function which updates the realm linkifier. Fixes #10830.
2021-04-15 19:51:36 +02:00
}
result = self.client_patch(f"/json/realm/filters/{linkifier_id}", info=data)
CVE-2021-41115: Use re2 for user-supplied linkifier patterns. Zulip attempts to validate that the regular expressions that admins enter for linkifiers are well-formatted, and only contain a specific subset of regex grammar. The process of checking these properties (via a regex!) can cause denial-of-service via backtracking. Furthermore, this validation itself does not prevent the creation of linkifiers which themselves cause denial-of-service when they are executed. As the validator accepts literally anything inside of a `(?P<word>...)` block, any quadratic backtracking expression can be hidden therein. Switch user-provided linkifier patterns to be matched in the Markdown processor by the `re2` library, which is guaranteed constant-time. This somewhat limits the possible features of the regular expression (notably, look-head and -behind, and back-references); however, these features had never been advertised as working in the context of linkifiers. A migration removes any existing linkifiers which would not function under re2, after printing them for posterity during the upgrade; they are unlikely to be common, and are impossible to fix automatically. The denial-of-service in the linkifier validator was discovered by @erik-krogh and @yoff, as GHSL-2021-118.
2021-09-29 01:27:54 +02:00
self.assert_json_error(result, "Bad regular expression: bad repetition operator: ????")
linkifiers: Add an API to support the editing of linkifier. This commit adds an API to `zproject/urls.py` to edit/update the realm linkifier. Its helper function to update the database is added in `zerver/lib/actions.py`. `zulip.yaml` is documented accordingly as well, clearly stating that this API updates one linkifier at a time. The tests are added for the API and helper function which updates the realm linkifier. Fixes #10830.
2021-04-15 19:51:36 +02:00
data["pattern"] = r"ZUL-(?P<id>\d+)"
linkifier: Support URL templates for linkifiers. This swaps out url_format_string from all of our APIs and replaces it with url_template. Note that the documentation changes in the following commits will be squashed with this commit. We change the "url_format" key to "url_template" for the realm_linkifiers events in event_schema, along with updating LinkifierDict. "url_template" is the name chosen to normalize mixed usages of "url_format_string" and "url_format" throughout the backend. The markdown processor is updated to stop handling the format string interpolation and delegate the task template expansion to the uri_template library instead. This change affects many test cases. We mostly just replace "%(name)s" with "{name}", "url_format_string" with "url_template" to make sure that they still pass. There are some test cases dedicated for testing "%" escaping, which aren't relevant anymore and are subject to removal. But for now we keep most of them as-is, and make sure that "%" is always escaped since we do not use it for variable substitution any more. Since url_format_string is not populated anymore, a migration is created to remove this field entirely, and make url_template non-nullable since we will always populate it. Note that it is possible to have url_template being null after migration 0422 and before 0424, but in practice, url_template will not be None after backfilling and the backend now is always setting url_template. With the removal of url_format_string, RealmFilter model will now be cleaned with URL template checks, and the old checks for escapes are removed. We also modified RealmFilter.clean to skip the validation when the url_template is invalid. This avoids raising mulitple ValidationError's when calling full_clean on a linkifier. But we might eventually want to have a more centric approach to data validation instead of having the same validation in both the clean method and the validator. Fixes #23124. Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-10-05 20:55:31 +02:00
data["url_template"] = "$fgfg"
linkifiers: Add an API to support the editing of linkifier. This commit adds an API to `zproject/urls.py` to edit/update the realm linkifier. Its helper function to update the database is added in `zerver/lib/actions.py`. `zulip.yaml` is documented accordingly as well, clearly stating that this API updates one linkifier at a time. The tests are added for the API and helper function which updates the realm linkifier. Fixes #10830.
2021-04-15 19:51:36 +02:00
result = self.client_patch(f"/json/realm/filters/{linkifier_id}", info=data)
linkifier: Support URL templates for linkifiers. This swaps out url_format_string from all of our APIs and replaces it with url_template. Note that the documentation changes in the following commits will be squashed with this commit. We change the "url_format" key to "url_template" for the realm_linkifiers events in event_schema, along with updating LinkifierDict. "url_template" is the name chosen to normalize mixed usages of "url_format_string" and "url_format" throughout the backend. The markdown processor is updated to stop handling the format string interpolation and delegate the task template expansion to the uri_template library instead. This change affects many test cases. We mostly just replace "%(name)s" with "{name}", "url_format_string" with "url_template" to make sure that they still pass. There are some test cases dedicated for testing "%" escaping, which aren't relevant anymore and are subject to removal. But for now we keep most of them as-is, and make sure that "%" is always escaped since we do not use it for variable substitution any more. Since url_format_string is not populated anymore, a migration is created to remove this field entirely, and make url_template non-nullable since we will always populate it. Note that it is possible to have url_template being null after migration 0422 and before 0424, but in practice, url_template will not be None after backfilling and the backend now is always setting url_template. With the removal of url_format_string, RealmFilter model will now be cleaned with URL template checks, and the old checks for escapes are removed. We also modified RealmFilter.clean to skip the validation when the url_template is invalid. This avoids raising mulitple ValidationError's when calling full_clean on a linkifier. But we might eventually want to have a more centric approach to data validation instead of having the same validation in both the clean method and the validator. Fixes #23124. Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-10-05 20:55:31 +02:00
self.assert_json_error(
result, "Group 'id' in linkifier pattern is not present in URL template."
)
linkifiers: Add an API to support the editing of linkifier. This commit adds an API to `zproject/urls.py` to edit/update the realm linkifier. Its helper function to update the database is added in `zerver/lib/actions.py`. `zulip.yaml` is documented accordingly as well, clearly stating that this API updates one linkifier at a time. The tests are added for the API and helper function which updates the realm linkifier. Fixes #10830.
2021-04-15 19:51:36 +02:00
data["pattern"] = r"#(?P<id>[123])"
linkifier: Support URL templates for linkifiers. This swaps out url_format_string from all of our APIs and replaces it with url_template. Note that the documentation changes in the following commits will be squashed with this commit. We change the "url_format" key to "url_template" for the realm_linkifiers events in event_schema, along with updating LinkifierDict. "url_template" is the name chosen to normalize mixed usages of "url_format_string" and "url_format" throughout the backend. The markdown processor is updated to stop handling the format string interpolation and delegate the task template expansion to the uri_template library instead. This change affects many test cases. We mostly just replace "%(name)s" with "{name}", "url_format_string" with "url_template" to make sure that they still pass. There are some test cases dedicated for testing "%" escaping, which aren't relevant anymore and are subject to removal. But for now we keep most of them as-is, and make sure that "%" is always escaped since we do not use it for variable substitution any more. Since url_format_string is not populated anymore, a migration is created to remove this field entirely, and make url_template non-nullable since we will always populate it. Note that it is possible to have url_template being null after migration 0422 and before 0424, but in practice, url_template will not be None after backfilling and the backend now is always setting url_template. With the removal of url_format_string, RealmFilter model will now be cleaned with URL template checks, and the old checks for escapes are removed. We also modified RealmFilter.clean to skip the validation when the url_template is invalid. This avoids raising mulitple ValidationError's when calling full_clean on a linkifier. But we might eventually want to have a more centric approach to data validation instead of having the same validation in both the clean method and the validator. Fixes #23124. Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-10-05 20:55:31 +02:00
data["url_template"] = "https://realm.com/my_realm_filter/{id}"
linkifiers: Add an API to support the editing of linkifier. This commit adds an API to `zproject/urls.py` to edit/update the realm linkifier. Its helper function to update the database is added in `zerver/lib/actions.py`. `zulip.yaml` is documented accordingly as well, clearly stating that this API updates one linkifier at a time. The tests are added for the API and helper function which updates the realm linkifier. Fixes #10830.
2021-04-15 19:51:36 +02:00
result = self.client_patch(f"/json/realm/filters/{linkifier_id + 1}", info=data)
self.assert_json_error(result, "Linkifier not found.")
linkifiers: Loosen regex that validates URLs. User-supplied custom realm filter has had some sort of regex-based validation of the format URL since their introduction in d7e1e4a2c0b11e6fc4a3fa396aa7be9f75da8943 -- and this has always been in addition to the URLValidator. The URLValidator is the one which does the security-relevant work of validating that the schema is reasonable, and that the overall shape of the URL is well-formed. The regex has served primarily to arbitrary limit the characters that can appear in the URL, in the mistaken name of safety. Adjust the regex, such that its only purpose is to verify that the usages of `%` characters in the URL are reasonable, and leave the URL validation to the URLValidator, which can do a far better job. This includes broadening the support to include `%%` as an escape character; this is likely such a niche case as to be unnecessary, but costs little. Fixes #16013.
2021-10-20 03:08:44 +02:00
linkifier: Support URL templates for linkifiers. This swaps out url_format_string from all of our APIs and replaces it with url_template. Note that the documentation changes in the following commits will be squashed with this commit. We change the "url_format" key to "url_template" for the realm_linkifiers events in event_schema, along with updating LinkifierDict. "url_template" is the name chosen to normalize mixed usages of "url_format_string" and "url_format" throughout the backend. The markdown processor is updated to stop handling the format string interpolation and delegate the task template expansion to the uri_template library instead. This change affects many test cases. We mostly just replace "%(name)s" with "{name}", "url_format_string" with "url_template" to make sure that they still pass. There are some test cases dedicated for testing "%" escaping, which aren't relevant anymore and are subject to removal. But for now we keep most of them as-is, and make sure that "%" is always escaped since we do not use it for variable substitution any more. Since url_format_string is not populated anymore, a migration is created to remove this field entirely, and make url_template non-nullable since we will always populate it. Note that it is possible to have url_template being null after migration 0422 and before 0424, but in practice, url_template will not be None after backfilling and the backend now is always setting url_template. With the removal of url_format_string, RealmFilter model will now be cleaned with URL template checks, and the old checks for escapes are removed. We also modified RealmFilter.clean to skip the validation when the url_template is invalid. This avoids raising mulitple ValidationError's when calling full_clean on a linkifier. But we might eventually want to have a more centric approach to data validation instead of having the same validation in both the clean method and the validator. Fixes #23124. Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-10-05 20:55:31 +02:00
data["pattern"] = r"#(?P<id>[123])"
data["url_template"] = "{id"
result = self.client_patch(f"/json/realm/filters/{linkifier_id}", info=data)
self.assert_json_error(result, "Invalid URL template.")
linkifiers: Loosen regex that validates URLs. User-supplied custom realm filter has had some sort of regex-based validation of the format URL since their introduction in d7e1e4a2c0b11e6fc4a3fa396aa7be9f75da8943 -- and this has always been in addition to the URLValidator. The URLValidator is the one which does the security-relevant work of validating that the schema is reasonable, and that the overall shape of the URL is well-formed. The regex has served primarily to arbitrary limit the characters that can appear in the URL, in the mistaken name of safety. Adjust the regex, such that its only purpose is to verify that the usages of `%` characters in the URL are reasonable, and leave the URL validation to the URLValidator, which can do a far better job. This includes broadening the support to include `%%` as an escape character; this is likely such a niche case as to be unnecessary, but costs little. Fixes #16013.
2021-10-20 03:08:44 +02:00
def test_valid_urls(self) -> None:
valid_urls = [
linkifiers: Explicitly only check format strings after verifying as a URL. This makes the errors less confusing -- they might otherwise be jammed together in the frontend.
2021-10-21 00:26:01 +02:00
"http://example.com/",
linkifiers: Loosen regex that validates URLs. User-supplied custom realm filter has had some sort of regex-based validation of the format URL since their introduction in d7e1e4a2c0b11e6fc4a3fa396aa7be9f75da8943 -- and this has always been in addition to the URLValidator. The URLValidator is the one which does the security-relevant work of validating that the schema is reasonable, and that the overall shape of the URL is well-formed. The regex has served primarily to arbitrary limit the characters that can appear in the URL, in the mistaken name of safety. Adjust the regex, such that its only purpose is to verify that the usages of `%` characters in the URL are reasonable, and leave the URL validation to the URLValidator, which can do a far better job. This includes broadening the support to include `%%` as an escape character; this is likely such a niche case as to be unnecessary, but costs little. Fixes #16013.
2021-10-20 03:08:44 +02:00
"https://example.com/",
"https://user:password@example.com/",
"https://example.com/@user/thing",
"https://example.com/!path",
"https://example.com/foo.bar",
"https://example.com/foo[bar]",
linkifier: Support URL templates for linkifiers. This swaps out url_format_string from all of our APIs and replaces it with url_template. Note that the documentation changes in the following commits will be squashed with this commit. We change the "url_format" key to "url_template" for the realm_linkifiers events in event_schema, along with updating LinkifierDict. "url_template" is the name chosen to normalize mixed usages of "url_format_string" and "url_format" throughout the backend. The markdown processor is updated to stop handling the format string interpolation and delegate the task template expansion to the uri_template library instead. This change affects many test cases. We mostly just replace "%(name)s" with "{name}", "url_format_string" with "url_template" to make sure that they still pass. There are some test cases dedicated for testing "%" escaping, which aren't relevant anymore and are subject to removal. But for now we keep most of them as-is, and make sure that "%" is always escaped since we do not use it for variable substitution any more. Since url_format_string is not populated anymore, a migration is created to remove this field entirely, and make url_template non-nullable since we will always populate it. Note that it is possible to have url_template being null after migration 0422 and before 0424, but in practice, url_template will not be None after backfilling and the backend now is always setting url_template. With the removal of url_format_string, RealmFilter model will now be cleaned with URL template checks, and the old checks for escapes are removed. We also modified RealmFilter.clean to skip the validation when the url_template is invalid. This avoids raising mulitple ValidationError's when calling full_clean on a linkifier. But we might eventually want to have a more centric approach to data validation instead of having the same validation in both the clean method and the validator. Fixes #23124. Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-10-05 20:55:31 +02:00
"https://example.com/{foo}",
"https://example.com/{foo}{bars}",
"https://example.com/{foo}/and/{bar}",
"https://example.com/?foo={foo}",
linkifiers: Support URL percent-encoded bytes. Supporting URL percent-encoded bytes is possible using `%%20`, but this is not necessarily very understandable to end-users, even those that understand percent encoding. Allow `%20` in linkifier URL format strings, and transform them into `%%20` in the pattern just before they are applied in markdown translation. Care must be taken here, such that already-escaped `%`s are not escaped an extra time. We do this before rendering, and not before storage, as a simplification; the JS-side linkifier at present only understands `%(foo)s` and thus needs no changes, and to avoid an un-escaping pass before showing in the admin UI.
2021-10-20 04:57:53 +02:00
"https://example.com/%ab",
"https://example.com/%ba",
"https://example.com/%21",
"https://example.com/words%20with%20spaces",
linkifier: Support URL templates for linkifiers. This swaps out url_format_string from all of our APIs and replaces it with url_template. Note that the documentation changes in the following commits will be squashed with this commit. We change the "url_format" key to "url_template" for the realm_linkifiers events in event_schema, along with updating LinkifierDict. "url_template" is the name chosen to normalize mixed usages of "url_format_string" and "url_format" throughout the backend. The markdown processor is updated to stop handling the format string interpolation and delegate the task template expansion to the uri_template library instead. This change affects many test cases. We mostly just replace "%(name)s" with "{name}", "url_format_string" with "url_template" to make sure that they still pass. There are some test cases dedicated for testing "%" escaping, which aren't relevant anymore and are subject to removal. But for now we keep most of them as-is, and make sure that "%" is always escaped since we do not use it for variable substitution any more. Since url_format_string is not populated anymore, a migration is created to remove this field entirely, and make url_template non-nullable since we will always populate it. Note that it is possible to have url_template being null after migration 0422 and before 0424, but in practice, url_template will not be None after backfilling and the backend now is always setting url_template. With the removal of url_format_string, RealmFilter model will now be cleaned with URL template checks, and the old checks for escapes are removed. We also modified RealmFilter.clean to skip the validation when the url_template is invalid. This avoids raising mulitple ValidationError's when calling full_clean on a linkifier. But we might eventually want to have a more centric approach to data validation instead of having the same validation in both the clean method and the validator. Fixes #23124. Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-10-05 20:55:31 +02:00
"https://example.com/back%20to%20{back}",
linkifiers: Support URL percent-encoded bytes. Supporting URL percent-encoded bytes is possible using `%%20`, but this is not necessarily very understandable to end-users, even those that understand percent encoding. Allow `%20` in linkifier URL format strings, and transform them into `%%20` in the pattern just before they are applied in markdown translation. Care must be taken here, such that already-escaped `%`s are not escaped an extra time. We do this before rendering, and not before storage, as a simplification; the JS-side linkifier at present only understands `%(foo)s` and thus needs no changes, and to avoid an un-escaping pass before showing in the admin UI.
2021-10-20 04:57:53 +02:00
"https://example.com/encoded%2fwith%2fletters",
"https://example.com/encoded%2Fwith%2Fupper%2Fcase%2Fletters",
linkifiers: Loosen regex that validates URLs. User-supplied custom realm filter has had some sort of regex-based validation of the format URL since their introduction in d7e1e4a2c0b11e6fc4a3fa396aa7be9f75da8943 -- and this has always been in addition to the URLValidator. The URLValidator is the one which does the security-relevant work of validating that the schema is reasonable, and that the overall shape of the URL is well-formed. The regex has served primarily to arbitrary limit the characters that can appear in the URL, in the mistaken name of safety. Adjust the regex, such that its only purpose is to verify that the usages of `%` characters in the URL are reasonable, and leave the URL validation to the URLValidator, which can do a far better job. This includes broadening the support to include `%%` as an escape character; this is likely such a niche case as to be unnecessary, but costs little. Fixes #16013.
2021-10-20 03:08:44 +02:00
"https://example.com/%%",
"https://example.com/%%(",
"https://example.com/%%()",
"https://example.com/%%(foo",
"https://example.com/%%(foo)",
"https://example.com/%%(foo)s",
linkifier: Support URL templates for linkifiers. This swaps out url_format_string from all of our APIs and replaces it with url_template. Note that the documentation changes in the following commits will be squashed with this commit. We change the "url_format" key to "url_template" for the realm_linkifiers events in event_schema, along with updating LinkifierDict. "url_template" is the name chosen to normalize mixed usages of "url_format_string" and "url_format" throughout the backend. The markdown processor is updated to stop handling the format string interpolation and delegate the task template expansion to the uri_template library instead. This change affects many test cases. We mostly just replace "%(name)s" with "{name}", "url_format_string" with "url_template" to make sure that they still pass. There are some test cases dedicated for testing "%" escaping, which aren't relevant anymore and are subject to removal. But for now we keep most of them as-is, and make sure that "%" is always escaped since we do not use it for variable substitution any more. Since url_format_string is not populated anymore, a migration is created to remove this field entirely, and make url_template non-nullable since we will always populate it. Note that it is possible to have url_template being null after migration 0422 and before 0424, but in practice, url_template will not be None after backfilling and the backend now is always setting url_template. With the removal of url_format_string, RealmFilter model will now be cleaned with URL template checks, and the old checks for escapes are removed. We also modified RealmFilter.clean to skip the validation when the url_template is invalid. This avoids raising mulitple ValidationError's when calling full_clean on a linkifier. But we might eventually want to have a more centric approach to data validation instead of having the same validation in both the clean method and the validator. Fixes #23124. Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-10-05 20:55:31 +02:00
"https://example.com{/foo,bar,baz}",
"https://example.com/{?foo*}",
"https://example.com/{+foo,bar}",
"https://chat{.domain}.com/{#foo}",
"https://zone_{zone}{.domain}.net/ticket{/location}{/id}{?name,chapter}{#fragment:5}",
"$not_a_url$",
linkifiers: Loosen regex that validates URLs. User-supplied custom realm filter has had some sort of regex-based validation of the format URL since their introduction in d7e1e4a2c0b11e6fc4a3fa396aa7be9f75da8943 -- and this has always been in addition to the URLValidator. The URLValidator is the one which does the security-relevant work of validating that the schema is reasonable, and that the overall shape of the URL is well-formed. The regex has served primarily to arbitrary limit the characters that can appear in the URL, in the mistaken name of safety. Adjust the regex, such that its only purpose is to verify that the usages of `%` characters in the URL are reasonable, and leave the URL validation to the URLValidator, which can do a far better job. This includes broadening the support to include `%%` as an escape character; this is likely such a niche case as to be unnecessary, but costs little. Fixes #16013.
2021-10-20 03:08:44 +02:00
]
for url in valid_urls:
linkifier: Support URL templates for linkifiers. This swaps out url_format_string from all of our APIs and replaces it with url_template. Note that the documentation changes in the following commits will be squashed with this commit. We change the "url_format" key to "url_template" for the realm_linkifiers events in event_schema, along with updating LinkifierDict. "url_template" is the name chosen to normalize mixed usages of "url_format_string" and "url_format" throughout the backend. The markdown processor is updated to stop handling the format string interpolation and delegate the task template expansion to the uri_template library instead. This change affects many test cases. We mostly just replace "%(name)s" with "{name}", "url_format_string" with "url_template" to make sure that they still pass. There are some test cases dedicated for testing "%" escaping, which aren't relevant anymore and are subject to removal. But for now we keep most of them as-is, and make sure that "%" is always escaped since we do not use it for variable substitution any more. Since url_format_string is not populated anymore, a migration is created to remove this field entirely, and make url_template non-nullable since we will always populate it. Note that it is possible to have url_template being null after migration 0422 and before 0424, but in practice, url_template will not be None after backfilling and the backend now is always setting url_template. With the removal of url_format_string, RealmFilter model will now be cleaned with URL template checks, and the old checks for escapes are removed. We also modified RealmFilter.clean to skip the validation when the url_template is invalid. This avoids raising mulitple ValidationError's when calling full_clean on a linkifier. But we might eventually want to have a more centric approach to data validation instead of having the same validation in both the clean method and the validator. Fixes #23124. Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-10-05 20:55:31 +02:00
url_template_validator(url)
linkifiers: Loosen regex that validates URLs. User-supplied custom realm filter has had some sort of regex-based validation of the format URL since their introduction in d7e1e4a2c0b11e6fc4a3fa396aa7be9f75da8943 -- and this has always been in addition to the URLValidator. The URLValidator is the one which does the security-relevant work of validating that the schema is reasonable, and that the overall shape of the URL is well-formed. The regex has served primarily to arbitrary limit the characters that can appear in the URL, in the mistaken name of safety. Adjust the regex, such that its only purpose is to verify that the usages of `%` characters in the URL are reasonable, and leave the URL validation to the URLValidator, which can do a far better job. This includes broadening the support to include `%%` as an escape character; this is likely such a niche case as to be unnecessary, but costs little. Fixes #16013.
2021-10-20 03:08:44 +02:00
linkifier: Support URL templates for linkifiers. This swaps out url_format_string from all of our APIs and replaces it with url_template. Note that the documentation changes in the following commits will be squashed with this commit. We change the "url_format" key to "url_template" for the realm_linkifiers events in event_schema, along with updating LinkifierDict. "url_template" is the name chosen to normalize mixed usages of "url_format_string" and "url_format" throughout the backend. The markdown processor is updated to stop handling the format string interpolation and delegate the task template expansion to the uri_template library instead. This change affects many test cases. We mostly just replace "%(name)s" with "{name}", "url_format_string" with "url_template" to make sure that they still pass. There are some test cases dedicated for testing "%" escaping, which aren't relevant anymore and are subject to removal. But for now we keep most of them as-is, and make sure that "%" is always escaped since we do not use it for variable substitution any more. Since url_format_string is not populated anymore, a migration is created to remove this field entirely, and make url_template non-nullable since we will always populate it. Note that it is possible to have url_template being null after migration 0422 and before 0424, but in practice, url_template will not be None after backfilling and the backend now is always setting url_template. With the removal of url_format_string, RealmFilter model will now be cleaned with URL template checks, and the old checks for escapes are removed. We also modified RealmFilter.clean to skip the validation when the url_template is invalid. This avoids raising mulitple ValidationError's when calling full_clean on a linkifier. But we might eventually want to have a more centric approach to data validation instead of having the same validation in both the clean method and the validator. Fixes #23124. Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-10-05 20:55:31 +02:00
# No need to test this extensively, because most of the invalid
# cases should be handled and tested in the uri_template library
# we used for validation.
linkifiers: Loosen regex that validates URLs. User-supplied custom realm filter has had some sort of regex-based validation of the format URL since their introduction in d7e1e4a2c0b11e6fc4a3fa396aa7be9f75da8943 -- and this has always been in addition to the URLValidator. The URLValidator is the one which does the security-relevant work of validating that the schema is reasonable, and that the overall shape of the URL is well-formed. The regex has served primarily to arbitrary limit the characters that can appear in the URL, in the mistaken name of safety. Adjust the regex, such that its only purpose is to verify that the usages of `%` characters in the URL are reasonable, and leave the URL validation to the URLValidator, which can do a far better job. This includes broadening the support to include `%%` as an escape character; this is likely such a niche case as to be unnecessary, but costs little. Fixes #16013.
2021-10-20 03:08:44 +02:00
invalid_urls = [
linkifier: Support URL templates for linkifiers. This swaps out url_format_string from all of our APIs and replaces it with url_template. Note that the documentation changes in the following commits will be squashed with this commit. We change the "url_format" key to "url_template" for the realm_linkifiers events in event_schema, along with updating LinkifierDict. "url_template" is the name chosen to normalize mixed usages of "url_format_string" and "url_format" throughout the backend. The markdown processor is updated to stop handling the format string interpolation and delegate the task template expansion to the uri_template library instead. This change affects many test cases. We mostly just replace "%(name)s" with "{name}", "url_format_string" with "url_template" to make sure that they still pass. There are some test cases dedicated for testing "%" escaping, which aren't relevant anymore and are subject to removal. But for now we keep most of them as-is, and make sure that "%" is always escaped since we do not use it for variable substitution any more. Since url_format_string is not populated anymore, a migration is created to remove this field entirely, and make url_template non-nullable since we will always populate it. Note that it is possible to have url_template being null after migration 0422 and before 0424, but in practice, url_template will not be None after backfilling and the backend now is always setting url_template. With the removal of url_format_string, RealmFilter model will now be cleaned with URL template checks, and the old checks for escapes are removed. We also modified RealmFilter.clean to skip the validation when the url_template is invalid. This avoids raising mulitple ValidationError's when calling full_clean on a linkifier. But we might eventually want to have a more centric approach to data validation instead of having the same validation in both the clean method and the validator. Fixes #23124. Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-10-05 20:55:31 +02:00
"https://example.com/{foo",
"https://example.com/{{}",
"https://example.com/{//foo}",
"https://example.com/{bar++}",
linkifiers: Loosen regex that validates URLs. User-supplied custom realm filter has had some sort of regex-based validation of the format URL since their introduction in d7e1e4a2c0b11e6fc4a3fa396aa7be9f75da8943 -- and this has always been in addition to the URLValidator. The URLValidator is the one which does the security-relevant work of validating that the schema is reasonable, and that the overall shape of the URL is well-formed. The regex has served primarily to arbitrary limit the characters that can appear in the URL, in the mistaken name of safety. Adjust the regex, such that its only purpose is to verify that the usages of `%` characters in the URL are reasonable, and leave the URL validation to the URLValidator, which can do a far better job. This includes broadening the support to include `%%` as an escape character; this is likely such a niche case as to be unnecessary, but costs little. Fixes #16013.
2021-10-20 03:08:44 +02:00
]
for url in invalid_urls:
with self.assertRaises(ValidationError):
linkifier: Support URL templates for linkifiers. This swaps out url_format_string from all of our APIs and replaces it with url_template. Note that the documentation changes in the following commits will be squashed with this commit. We change the "url_format" key to "url_template" for the realm_linkifiers events in event_schema, along with updating LinkifierDict. "url_template" is the name chosen to normalize mixed usages of "url_format_string" and "url_format" throughout the backend. The markdown processor is updated to stop handling the format string interpolation and delegate the task template expansion to the uri_template library instead. This change affects many test cases. We mostly just replace "%(name)s" with "{name}", "url_format_string" with "url_template" to make sure that they still pass. There are some test cases dedicated for testing "%" escaping, which aren't relevant anymore and are subject to removal. But for now we keep most of them as-is, and make sure that "%" is always escaped since we do not use it for variable substitution any more. Since url_format_string is not populated anymore, a migration is created to remove this field entirely, and make url_template non-nullable since we will always populate it. Note that it is possible to have url_template being null after migration 0422 and before 0424, but in practice, url_template will not be None after backfilling and the backend now is always setting url_template. With the removal of url_format_string, RealmFilter model will now be cleaned with URL template checks, and the old checks for escapes are removed. We also modified RealmFilter.clean to skip the validation when the url_template is invalid. This avoids raising mulitple ValidationError's when calling full_clean on a linkifier. But we might eventually want to have a more centric approach to data validation instead of having the same validation in both the clean method and the validator. Fixes #23124. Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-10-05 20:55:31 +02:00
url_template_validator(url)
linkifier: Support reordering linkifiers. This adds API support to reorder linkifiers and makes sure that the returned lists of linkifiers from `GET /events`, `POST /register`, and `GET /realm/linkifiers` are always sorted with the order that they should processed when rendering linkifiers. We set the new `order` field to the ID with the migration. This preserves the order of the existing linkifiers. New linkifiers added will always be ordered the last. When reordering, the `order` field of all linkifiers in the same realm is updated, in a manner similar to how we implement ordering for `custom_profile_fields`.
2023-08-10 04:09:25 +02:00
def test_reorder_linkifiers(self) -> None:
iago = self.example_user("iago")
self.login("iago")
def assert_linkifier_audit_logs(expected_id_order: List[int]) -> None:
"""Check if the audit log created orders the linkifiers correctly"""
migration: Rename extra_data_json to extra_data in audit log models. This migration applies under the assumption that extra_data_json has been populated for all existing and coming audit log entries. - This removes the manual conversions back and forth for extra_data throughout the codebase including the orjson.loads(), orjson.dumps(), and str() calls. - The custom handler used for converting Decimal is removed since DjangoJSONEncoder handles that for extra_data. - We remove None-checks for extra_data because it is now no longer nullable. - Meanwhile, we want the bouncer to support processing RealmAuditLog entries for remote servers before and after the JSONField migration on extra_data. - Since now extra_data should always be a dict for the newer remote server, which is now migrated, the test cases are updated to create RealmAuditLog objects by passing a dict for extra_data before sending over the analytics data. Note that while JSONField allows for non-dict values, a proper remote server always passes a dict for extra_data. - We still test out the legacy extra_data format because not all remote servers have migrated to use JSONField extra_data. This verifies that support for extra_data being a string or None has not been dropped. Co-authored-by: Siddharth Asthana <siddharthasthana31@gmail.com> Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2023-07-13 19:46:06 +02:00
extra_data = (
RealmAuditLog.objects.filter(
acting_user=iago, event_type=RealmAuditLog.REALM_LINKIFIERS_REORDERED
linkifier: Support reordering linkifiers. This adds API support to reorder linkifiers and makes sure that the returned lists of linkifiers from `GET /events`, `POST /register`, and `GET /realm/linkifiers` are always sorted with the order that they should processed when rendering linkifiers. We set the new `order` field to the ID with the migration. This preserves the order of the existing linkifiers. New linkifiers added will always be ordered the last. When reordering, the `order` field of all linkifiers in the same realm is updated, in a manner similar to how we implement ordering for `custom_profile_fields`.
2023-08-10 04:09:25 +02:00
)
migration: Rename extra_data_json to extra_data in audit log models. This migration applies under the assumption that extra_data_json has been populated for all existing and coming audit log entries. - This removes the manual conversions back and forth for extra_data throughout the codebase including the orjson.loads(), orjson.dumps(), and str() calls. - The custom handler used for converting Decimal is removed since DjangoJSONEncoder handles that for extra_data. - We remove None-checks for extra_data because it is now no longer nullable. - Meanwhile, we want the bouncer to support processing RealmAuditLog entries for remote servers before and after the JSONField migration on extra_data. - Since now extra_data should always be a dict for the newer remote server, which is now migrated, the test cases are updated to create RealmAuditLog objects by passing a dict for extra_data before sending over the analytics data. Note that while JSONField allows for non-dict values, a proper remote server always passes a dict for extra_data. - We still test out the legacy extra_data format because not all remote servers have migrated to use JSONField extra_data. This verifies that support for extra_data being a string or None has not been dropped. Co-authored-by: Siddharth Asthana <siddharthasthana31@gmail.com> Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2023-07-13 19:46:06 +02:00
.latest("event_time")
.extra_data
linkifier: Support reordering linkifiers. This adds API support to reorder linkifiers and makes sure that the returned lists of linkifiers from `GET /events`, `POST /register`, and `GET /realm/linkifiers` are always sorted with the order that they should processed when rendering linkifiers. We set the new `order` field to the ID with the migration. This preserves the order of the existing linkifiers. New linkifiers added will always be ordered the last. When reordering, the `order` field of all linkifiers in the same realm is updated, in a manner similar to how we implement ordering for `custom_profile_fields`.
2023-08-10 04:09:25 +02:00
)
audit_logged_ids = [
linkifier_dict["id"] for linkifier_dict in extra_data["realm_linkifiers"]
]
self.assertListEqual(expected_id_order, audit_logged_ids)
def assert_linkifier_order(expected_id_order: List[int]) -> None:
"""Verify that the realm audit log created matches the expected ordering"""
result = self.client_get("/json/realm/linkifiers")
actual_id_order = [
linkifier["id"] for linkifier in self.assert_json_success(result)["linkifiers"]
]
self.assertListEqual(expected_id_order, actual_id_order)
def reorder_verify_succeed(expected_id_order: List[int]) -> None:
"""Send a reorder request and verify that it succeeds"""
result = self.client_patch(
"/json/realm/linkifiers",
{"ordered_linkifier_ids": orjson.dumps(expected_id_order).decode()},
)
self.assert_json_success(result)
reorder_verify_succeed([])
self.assertEqual(
RealmAuditLog.objects.filter(
realm=iago.realm, event_type=RealmAuditLog.REALM_LINKIFIERS_REORDERED
).count(),
0,
)
linkifiers = [
{
"pattern": "1#(?P<id>[123])",
"url_template": "https://filter.com/foo/{id}",
},
{
"pattern": "2#(?P<id>[123])",
"url_template": "https://filter.com/bar/{id}",
},
{
"pattern": "3#(?P<id>[123])",
"url_template": "https://filter.com/baz/{id}",
},
]
original_id_order = []
for linkifier in linkifiers:
result = self.client_post("/json/realm/filters", linkifier)
original_id_order.append(self.assert_json_success(result)["id"])
assert_linkifier_order(original_id_order)
self.assertListEqual([0, 1, 2], list(RealmFilter.objects.values_list("order", flat=True)))
# The creation order orders the linkifiers by default.
# When the order values are the same, fallback to order by ID.
RealmFilter.objects.all().update(order=0)
assert_linkifier_order(original_id_order)
# This should successfully reorder the linkifiers.
new_order = [original_id_order[2], original_id_order[1], original_id_order[0]]
reorder_verify_succeed(new_order)
assert_linkifier_audit_logs(new_order)
assert_linkifier_order(new_order)
# After reordering, newly created linkifier is ordered at the last, and
# the other linkifiers are unchanged.
result = self.client_post(
"/json/realm/filters", {"pattern": "3#123", "url_template": "https://example.com"}
)
new_linkifier_id = self.assert_json_success(result)["id"]
new_order = [*new_order, new_linkifier_id]
assert_linkifier_order(new_order)
# Deleting a linkifier should preserve the order.
deleted_linkifier_id = new_order[2]
result = self.client_delete(f"/json/realm/filters/{deleted_linkifier_id}")
self.assert_json_success(result)
new_order = [*new_order[:2], new_linkifier_id]
assert_linkifier_order(new_order)
# Extra non-existent ids are ignored.
new_order = [new_order[2], new_order[0], new_order[1]]
result = self.client_patch(
"/json/realm/linkifiers", {"ordered_linkifier_ids": [deleted_linkifier_id, *new_order]}
)
self.assert_json_error(
result, "The ordered list must enumerate all existing linkifiers exactly once"
)
# Duplicated IDs are not allowed.
new_order = [*new_order, new_order[0]]
result = self.client_patch("/json/realm/linkifiers", {"ordered_linkifier_ids": new_order})
self.assert_json_error(result, "The ordered list must not contain duplicated linkifiers")
# Incomplete lists of linkifiers are not allowed.
result = self.client_patch(
"/json/realm/linkifiers", {"ordered_linkifier_ids": new_order[:2]}
)
self.assert_json_error(
result, "The ordered list must enumerate all existing linkifiers exactly once"
)