Commit Graph

23037 Commits

Author SHA1 Message Date
Umair Khan 1acdfef13c two_factor: Disable prefix in OurAuthenticationForm.
In two factor authentication every step adds a unique prefix to the fields,
due to this the name of the form fields differs from the HTML fields. If
we do not do this we will have to change the name in the HTML, which
will cause the change in tests.
2017-11-28 15:27:44 -08:00
Umair Khan 274bba82b9 two_factor: Add configuration and URLs.
This adds django-two-factor to the project, but held behind
settings.TWO_FACTOR_AUTHENTICATION_ENABLED, so that this has no effect
by default.
2017-11-28 15:21:40 -08:00
Tim Abbott 4f5a5a8547 auth: Extract add_dev_login_context.
This simple refactor cleans up the code for the dev_auth_enabled code
path to be a bit less deeply in the login_page() logic.
2017-11-28 15:17:33 -08:00
Tim Abbott b42ce65090 requirements: Add dependencies for two-factor auth.
We're not yet ready to add 2FA to Zulip yet, but we've determined we'd
like to work from these libraries.

I'm not bothering to bump PROVISION_VERSION for this, since we're
likely to do something else that bumps it soon, and we're not merging
anything that uses these new libraries.
2017-11-28 15:13:38 -08:00
Tim Abbott d5bb45db60 webhooks/gci: Fix missing mypy annotation. 2017-11-28 14:08:44 -08:00
Sampriti Panda bea653fabc webhooks/gci: Improve message formatting.
* Use Student Name instead of Task Name in subject.
* Use Task Instance URL instead of Task Definition URL (and workaround
  for a bug in the API).
2017-11-28 13:53:42 -08:00
Tommy Ip 2d7536bf05 Document the add_mentor.py tool. 2017-11-28 13:26:59 -08:00
Tommy Ip ba1a32ca74 Create script to add and remove mentor's ssh key from DO droplets. 2017-11-28 13:26:59 -08:00
Tommy Ip 6e22847548 refactor: new message content -> compose textarea. 2017-11-28 12:53:40 -08:00
Cynthia Lin e92a8ac8ee subs: Properly focus on Stream name box while creating a new stream.
Fixes #7473.
2017-11-28 10:07:11 -08:00
Garvit b9826e9067 Add filters for toMarkdown to paste data to compose-box.
This fixes bugs with pasting headings and italic styling.

Fixes #7485.
2017-11-28 09:56:48 -08:00
Tim Abbott cb8f2cf484 git cheat sheet: Be a bit less agressively anti-git-pull.
Now that we configure pull.rebase, it's less necessary.
2017-11-28 09:15:13 -08:00
Rohitt Vashishtha c073af0ddc git-docs: Highlight Zulip's git scripts in overview. 2017-11-28 09:07:25 -08:00
Rohitt Vashishtha 106cc71c19 docs: Add external documentation for markdown subsystem.
Tweaked by tabbott to move the content earlier in the doc.
2017-11-28 09:07:17 -08:00
Rohitt Vashishtha a2d1ebc091 git-docs: Refine git-cheat-sheet with more examples. 2017-11-28 09:02:50 -08:00
Vishnu Ks 87a412a992 droplets: Fix broken link for requesting droplets. 2017-11-28 08:53:52 -08:00
Vishnu Ks 73ee9a4ad8 droplets: Update info on recreating the droplets. 2017-11-28 08:53:52 -08:00
Vishnu Ks c37193568f droplets: Update baseimage snapshot id.
The new snapshot has python-zulip-env as well
as VIM and mosh installed.
2017-11-28 08:53:52 -08:00
Tommy Ip 29e9d16ac7 refactor: s/upload-bar/compose-upload-bar. 2017-11-27 21:35:14 -08:00
Tommy Ip 6a694418b2 refactor: s/error-msg/compose-error-msg. 2017-11-27 21:35:14 -08:00
Tommy Ip b9c2f479d3 refactor: s/send-status-close/compose-send-status-close. 2017-11-27 21:35:14 -08:00
Tommy Ip c0c58f9761 refactor: s/send-status/compose-send-status. 2017-11-27 21:35:14 -08:00
Tommy Ip 19b518c801 refactor: Extract tests for upload mechanics.
This temporarily removes the tests for clear_out_file_list since
fixing that test proved to be difficult.
2017-11-27 21:34:55 -08:00
Tommy Ip ddaff4cd2a refactor: Extract upload mechanics to new JS module.
Tweaked by tabbott to move changes from the next commit that are
required for this to pass tests into this commit.

Note that this exports a few items that were not previously exported.
2017-11-27 21:31:51 -08:00
Tim Abbott 0445322625 compose: Export the major upload-related methods.
This is a preparatory commit to moving these to their own module.
2017-11-27 21:31:24 -08:00
Tim Abbott df58f0f7ae compose: Export some upload-related variables. 2017-11-27 21:31:23 -08:00
Robert Hönig 1e66bd1c02 tests: Add newlines to test_service_bot_system.test_internal_endpoint(). 2017-11-27 21:05:34 -08:00
derAnfaenger c8a5ae753c embedded bots: Consistently use 'storage' instead of 'state.' 2017-11-27 21:05:34 -08:00
Tim Abbott 9645c8b31f integrations: Remove disabled googlesearch integration.
This was moved to another part of the python-zulip-api codebase
because it was unfinished.
2017-11-27 20:50:37 -08:00
Eeshan Garg c45517f544 python-zulip-api: Upgrade to PyPI package release 0.3.8.
There's one migration required by this release:

* queue_processors: Stop passing state_handler to handle_message.

  state_handler is now a property of bot_handler and thus, does
  not need to be passed to bot_handler.handle_message().

  The commit responsible is:
  2a74ad11c5
2017-11-27 20:31:37 -08:00
rht e538f4dd44 zerver/views: Use Python 3 syntax for typing.
Edited by tabbott to remove state.py and streams.py, because of
problems with the original PR's changes, and wrap some long lines.
2017-11-27 17:10:39 -08:00
rht 92888a0cde zproject: Use Python 3 syntax for typing. 2017-11-27 17:01:18 -08:00
Rishi Gupta 83149a953a copy paste: Turn off toMarkdown in production.
At least until some of the TODOs at the bottom of
node_tests/copy_and_paste.js are done.
2017-11-27 16:44:16 -08:00
Rishi Gupta 3fcfcd2a55 copy paste: Add toMarkdown test for `1. text`. 2017-11-27 16:44:16 -08:00
Tim Abbott bd8196c3a5 lint: Fix too-long line in auth.py. 2017-11-27 15:28:46 -08:00
Rohitt Vashishtha 8082780853 typeahead: Update @mention to not autocomplete "@ " (@space).
Tweaked by tabbott to also cover "@** ".

Fixes #7533.
2017-11-27 15:15:56 -08:00
Vishnu Ks d4ee3023b2 registration: Require an explicit realm on PreregistrationUser.
This completes the last commit's work to fix CVE-2017-0910, applying
to any invite links already created before the fix was deployed.  With
this change, all new-user registrations must match an explicit realm
in the PreregistrationUser row, except when creating a new realm.

[greg: rewrote commit message]
2017-11-27 14:59:34 -08:00
Vishnu Ks 985768b2fd registration: Check realm against PreregistrationUser realm.
We would allow a user with a valid invitation for one realm to use it
on a different realm instead.  On a server with multiple realms, an
authorized user of one realm could use this (by sending invites to
other email addresses they control) to create accounts on other
realms. (CVE-2017-0910)

With this commit, when sending an invitation, we record the inviting
user's realm on the PreregistrationUser row; and when registering a
user, we check that the PregistrationUser realm matches the realm the
user is trying to register on.  This resolves CVE-2017-0910 for
newly-sent invitations; the next commit completes the fix.

[greg: rewrote commit message]
2017-11-27 14:58:26 -08:00
Tim Abbott 8b935f4e99 settings: Add setting for SYSTEM_BOT_REALM.
This fixes some subtle JavaScript exceptions we've been getting in
zulipchat.com, caused by the system bot realm there not being "zulip"
interacting with get_cross_realm_users.
2017-11-27 14:46:07 -08:00
Tim Abbott 25fd4c5508 bulk_get_users: Edit the cache keys to make them more unique.
While at this point I was to rewrite this function, this at least
plugs the issues for now.
2017-11-27 14:41:31 -08:00
Tim Abbott 339b67f7af get_cross_realm_dicts: Harden against caching bug in last commit.
This should help protect us from future issues with the way that
`bulk_get_users` does caching.

It's likely that we'll want to further restructure `bulk_get_users` to
not have this base_query code path altogether (since it's kinda
buggy), but I'm going to defer that for a time when we have another
user.
2017-11-27 14:35:50 -08:00
Tim Abbott 646ba5b9e5 bulk_get_users: Fix issues with users in multiple realms.
The previous implementation had a subtle caching bug: because it was
sharing its cache with the `get_user_profile_by_email` cache, if a
user happened to have an email in that cache, we'd return it, even
though that user didn't match `base_query`.

This causes `get_cross_realm_users` to no longer have a problematic
caching bug.
2017-11-27 14:34:45 -08:00
Tim Abbott f423dc4930 check_send_receive_time: Fix parsing bug.
This was a regression introduced with the argparse migration.
2017-11-27 14:01:30 -08:00
Rohitt Vashishtha 6734b00c0b markdown: Hide URL if message is only an image.
Hides URL if the message content == image url so that sending gifs or
images feels less cluttered. Uses the url_to_a() function to generate
the expected url string for matching.

Fixes #7324.
2017-11-27 13:30:18 -08:00
Rohitt Vashishtha 3550467899 markdown: Insert text in link-only inline image preview tests.
Appends "Test: " text to some tests to make changes to the image preview
rendering. In the future, if the message is only a link to an image,
the link will be hidden.
2017-11-27 13:30:18 -08:00
Steve Howell 025b8c19ae Simplify code to warn about private stream links.
This change does a few things:

    * I use "early return" to make the code a bit flatter
      and easier to comment.

    * I added more comments.

    * I removed some unneeded passing of `invite_only` into
      the template.
2017-11-27 10:41:10 -08:00
Steve Howell e74118e730 tests: Improve templates.compose_private_stream_alert() test.
I assert that the stream_name gets properly placed into the HTML.
2017-11-27 10:41:10 -08:00
Umair Khan 8f190e0746 user-groups: Update marked.js to do proper local echo for mentions.
We implement markdown in the JS as well to improve the
usability.  Comes complete withunit tests.

Fixes #7381.
2017-11-27 09:16:09 -08:00
Umair Khan 90994bccac user-groups: Recognize single asterisk for group mentions.
The character combination of @* now begins a group mention, so
this test is no longer valid.
2017-11-27 09:16:09 -08:00
Umair Khan c78846a274 markdown.js: Add error function to blueslip.
If we do not add this, we get an exception before we reach the
assertion.
2017-11-27 09:08:30 -08:00