Commit Graph

51833 Commits

Author SHA1 Message Date
Aman Agrawal f04ae8acd3 drafts: Fix message header overlapping outline. 2023-05-22 09:31:21 -07:00
Lalit 7346ce98f3 ts: Convert `emojisets` to TypeScript.
Declared types for '*.png' modules and '!style-loader?*' modules in
`assets.d.ts` and used them in `emojisets.ts`.
2023-05-22 09:02:42 -07:00
Hardik Dharmani d9716bc189 left_sidebar: Improve mentions in muted topics.
When there are only muted unread mentions in a stream, show `@` icon
and unread count in faded style, also align the `@` on more topics
with no unead counter on it.

If there are only muted unread messages without mentions don't show
the unread counter on the stream.

Fixes #25382.
2023-05-19 18:40:57 -07:00
Hardik Dharmani 8c6f9b3f95 unread: Improve live update for direct mentions in muted topics.
The "Mark as unread" event handler was not passing through the
mentioned_me_directly value, which is now important to left sidebar
rendering.

See the extended comment for how this solution is incorrect/incomplete
and has to fall back to guessing a potentially incorrect value in rare
situations.

Co-authored-by: Tim Abbott <tabbott@zulip.com>
2023-05-19 18:00:25 -07:00
Alex Vandiver 68722e7d3c release-checklist: Add a mastodon announce step. 2023-05-19 16:55:30 -07:00
Alex Vandiver 68c37c9d7b release-checklist: Adjust for the blogs being in Astro. 2023-05-19 16:55:30 -07:00
Alya Abbott 9ca00a1eff help: Document keyboard navigation for scheduling a message. 2023-05-19 16:53:31 -07:00
Tim Abbott 4be5ce97cb index: Move audio file HTML out of .app.
There's no compelling reason for these to be inside the container
element for the app's main screen UI.
2023-05-19 15:24:10 -07:00
Aman Agrawal d7528f6bbe index: Remove no longer used alert-bar-container.
This was used for tutorial but was removed in
ebe959f2b0
2023-05-19 15:24:10 -07:00
Aman Agrawal 1171862bfd index: Move alert box out of `.app`.
This allows us to show alert box above navbar.
2023-05-19 15:24:10 -07:00
Aman Agrawal ca21eb7141 index: Move user-profile-modal outside `.app`.
Keep it inside `.app` restricted its height and its ability to
draw over other elements.
2023-05-19 15:24:10 -07:00
Aman Agrawal bbd5431e18 index: Move informational-overlays outside .app.
This is how other overlays are managed, and will be important in
upcoming refactoring, since we don't want the overlay height to be
restricted by the height of the `.app`.
2023-05-19 15:24:10 -07:00
Alex Vandiver e6b1384a05 version: Update version and changelog after 6.2 release. 2023-05-19 16:58:55 -04:00
Lalit 7ac891a6b9 people: Add `version` parameter for medium sized avatar urls.
We need to append the `version` parameter when constructing the urls for
medium-sized images so that the browser updates the image in real time when
the user uploads a new avatar.

Fixes #25558.
2023-05-19 13:52:00 -07:00
Akarsh Jain 12db83b011 help: Open Help Center links in new tab for empty message lists.
This commit updates the Help Center links in all relevant empty message
list views to open in a new tab by default. This prevents users from being
navigated away from the app.

Fixes #25337.
2023-05-19 13:51:00 -07:00
Karl Stolley c2f6167c01 css: Remove superfluous grid- properties.
The use of named areas with `grid-area` make it unnecessary to
declare `grid-row` or `grid-column` values. (Note also that
grid areas must not be presented in quotation marks.)

Additionally, because `.unread_marker` is no longer placed on the
grid by itself (i.e., it always accompanies `.date_unread_marker`
or `.message_unread_marker`), it does not need any manual grid
placement, `grid-area` or otherwise.
2023-05-19 13:48:16 -07:00
Aman Agrawal 9aa9f9b3c8 message: Separate unread marker of date_row from message.
This allows us to easily disable unread marker for date row of
the first unread message without producing any bugs.
2023-05-19 13:48:16 -07:00
Karl Stolley ef3289b73b css: Present message_row as CSS Grid.
This change enables the unread marker to participate as a grid item,
rather than the product of various absolute/relative positioning
hacks. The intention is to therefore prevent the blue active-message
box from disappearing on browsers that have zoomed out (~80% zoom).

With grid in place, this also makes for a more robust presentation
of each message row, and named grid areas should make it possible to
modify and extend the grid into the future.

Finally, this change removes styles that are no longer necessary in
the context of CSS Grid.
2023-05-19 13:48:16 -07:00
Tim Abbott 9c09edd7af ui_init: Fix loading spectators view.
18578cc5da broke the success code path.
2023-05-19 13:42:48 -07:00
Lauryn Menard 3cb6c9aea9 api-docs: Add examples to `realm_filters` event prose description.
Adds examples of the regex pattern and old URL string format to
the deprecated `realm_filters` event and register response field.
The examples are in the prose description since the events are
no longer sent and therefore no longer tested.
2023-05-19 13:23:07 -07:00
Lauryn Menard 03a2c2da6a api-changelog: Update and clarify docs for feature level 176 entry.
Revises API changelog entry for missing endpoint method and to
clarify the overall text.

Updates Changes notes for feature level 176 to not have repetitive
text, so that the updates were clearer and more concise.

The original commit with the changes related to this API changelog
entry is commit 268f858f39.
2023-05-19 13:23:07 -07:00
Sahil Batra 4c4caa7be4 CVE-2023-32677: Check permission to subscribe other users in invites.
This commit updates the API to check the permission to subscribe other
users while inviting.  The API will error if the user passes the
"stream_ids" parameter (even when it contains only default streams)
and the calling user does not having permission to subscribe others to
streams.

For users who do not have permission to subscribe others, the
invitee will be subscribed to default streams at the time of
accepting the invite.

There is no change for multiuse invites, since only admins are allowed
to send them, and admins always have the permission to subscribe
others to streams.
2023-05-19 16:13:32 -04:00
Mateusz Mandera a23b077b79 CVE-2023-28623: Prevent unauthorized signup with ldap + external auth.
Since 74dd21c8fa in Zulip Server 2.1.0, if:
- ZulipLDAPAuthBackend and an external authentication backend (any aside
  of ZulipLDAPAuthBackend and EmailAuthBackend) are the only ones
  enabled in AUTHENTICATION_BACKENDS in /etc/zulip/settings.py
- The organization permissions don't require invitations to join

...then an attacker can create a new account in the organization with
an arbitrary email address in their control that's not in the
organization's LDAP directory.

The impact is limited to installations which have the specific
combination of authentication backends described above, in addition to
having the "Invitations are required for joining this organization
organization" permission disabled.
2023-05-19 16:13:00 -04:00
Mateusz Mandera 3ed2a30e01 maybe_send_to_registration: Remove password_required arg.
This argument was added with the default incorrectly set to `True` in
bb0eb76bf3 - despite
`maybe_send_to_registration` only ever being called in production code
in a single place, with `password_required=False` explicitly. And then
it just got carried forward through refactors.

`maybe_send_to_registration` was/is also called twice in tests, falling
back to the default, but the `password_required` value is irrelevant to
the tests - and if anything letting it use the `True` has been wrong,
due to not matching how this function is actually used.
2023-05-19 16:13:00 -04:00
Josiah Kievit 28c5c64b8d
css: Remove copy code button outline.
Added styling to show no outline around the copy to clipboard button on click. 

Previously, when clicking this button, a rectangular outline appeared around 
the button, which didn't look good, since a 'Copied!' message was already displayed.

Fixes #25533.
2023-05-19 13:09:10 -07:00
Karl Stolley 6e3e8c9ede linter: Lint grid-area names for quotation marks.
This adds a CSS stylelint rule that will catch erroneous quotation
marks around named grid-areas, which should be <custom-ident> values,
not strings.

So, for example, `grid-area: "my_area";` is an error. It should be
`grid-area: my_area;`.
2023-05-19 13:08:15 -07:00
Mateusz Mandera b55adbef3d export: Handle RealmAuditLog with .acting_user in different realm. 2023-05-19 11:12:19 -07:00
Alex Vandiver c978bfaa32 models: Add a unique index on UserProfile.api_key.
This prevents `get_user_profile_by_api_key` from doing a sequential
scan.

Doing this requires moving the generation of initial api_key values
into the column definition, so that even bare calls to
`UserProfile.objects.create` (e.g. from tests) call appropriately
generate a random initial value.
2023-05-19 11:11:04 -07:00
evykassirer 27bc36b7d6 settings: Revert dark mode background color changes. 2023-05-19 10:57:50 -07:00
Lauryn Menard 145d6915c1 api-changelog: Add 2.1.0 entry for realm_default_external_accounts.
Adds an API changelog note to 2.1 for the addition of
realm_default_external_accounts to the `/register-queue` response.

Also adds a Changes note to the field in the endpoint's response
API documentation.

The original commit that added it to that endpoint's response was
commit d7ee2aced1.
2023-05-19 10:50:17 -07:00
Sahil Batra a4db19f9aa signup: Fix selector used for validating the forms.
This commit fixes a typo in the selector used to
validate registration, support, realm creation,
password reset and terms of service forms. This
typo also resulted in a bug where "This field is
required" error message was shown at incorrect
position and this change fixes it.

This commit also fixes the client side error
handling of these forms which did not work
perfectly due to the selector being wrong.
2023-05-19 10:48:52 -07:00
Alex Vandiver 18578cc5da ui_init: Properly call reject with an error, not an xhr.
If the spectator registration call fails, properly log the error and
call `reject` with an error object, not the xhr that `channel.post`
calls its error callback with.

This does nothing to address the UI question of what to do should this
request fail.
2023-05-19 10:48:21 -07:00
Alex Vandiver b312a86ada sentry: Add the observed user's IP address before forwarding.
The default for Javascript reporting is that Sentry sets the IP
address of the user to the IP address that the report was observed to
come from[^1].  Since all reports come through the Zulip server, this
results in all reports being "from" one IP address, thus undercounting
the number of affected unauthenticated users, and making it difficult
to correlate Sentry reports with server logs.

Consume the Sentry Envelope format[^2] to inject the submitting
client's observed IP address, when possible.  This ensures that Sentry
reports contain the same IP address that Zulip's server logs do.

[^1]: https://docs.sentry.io/platforms/python/guides/logging/enriching-events/identify-user/
[^2]: https://develop.sentry.dev/sdk/envelopes/
2023-05-18 16:25:54 -07:00
David Rosa 19eb98a74a help: Document "User list style" display setting.
- Documents the "User list style" (under Settings > Display settings)
- Adds new section to /help/status-and-availability#statuses

Fixes #23492.
2023-05-18 16:17:56 -07:00
Toyam Cox 650cdc474d docs: Also set X-Forwarded-Proto in proxies.
Django 4.0 and higher began checking the `Origin` header, which made
it important that Zulip know accurately if the request came over HTTPS
or HTTP; failure to do so would result in "CSRF verification failed"
errors.

For Zulip servers which are accessed via proxies, this means that
`X-Fowarded-Proto` must be set accurately.  Adjust the documentation
for the suggested configurations to add the header.

Fixes: #24599.

Co-authored-by: Alex Vandiver <alexmv@zulip.com>
2023-05-18 17:17:35 -04:00
Karl Stolley 0407abc788 help_pages: Improve anchor highlights.
These changes ensure that only headings targeted by URL fragments are
highlighted in full. Div elements will have their immediate first
child element highlighted instead (e.g., the first element of an API
parameter box).
2023-05-18 13:57:42 -07:00
Aman Agrawal 44ae67d426 css: Fix gap between header and sticky header at some zoom level. 2023-05-18 13:39:46 -07:00
Aman Agrawal 3acd7b8f47 css: Move message header padding to the element with border.
Apply border and top margin on the same element so that browser
has no way to introduce a gap between them.
2023-05-18 13:39:46 -07:00
Alex Vandiver a95b796a91 supervisor: Drop minfds back down from 1000000 to 40000.
1c76036c61 raised the number of `minfds` in Supervisor from 40k to
1M.  If Supervisor cannot guarantee that number of available file
descriptors, it will fail to start; `/etc/security/limits.conf` was
hence adjusted upwards as well.  However, on some virtualized
environments, including Proxmox LXC, setting
`/etc/security/limits.conf` may not be enough to raise the
system-level limits.  This causes `supervisord` with the larger
`minfds` to fail to start.

The limit of 1000000 was chosen to be arbitrarily high, assuming it
came without cost; it is not expected to ever be reached on any
deployment.  262b19346e already lowered one aspect of that
changeset, upon determining it did come with a cost.  Potentially
breaking virtualized deployments during upgrade is another cost of
that change.

Lower the `minfds` it back down to 40k, partially reverting
1c76036c61, but allow adjusting it upwards for extremely large
deployments.  We do not expect any except the largest deployments to
ever hit the 40k limit, and a frictionless deployment for the
vanishingly small number of huge deployments is not worth the
potential upgrade hiccups for the much more frequent smaller
deployments.
2023-05-18 13:04:33 -07:00
David Rosa 7fc474c7a6 help: Update "Restrict stream invitation" page.
- Renames page title to "Restrict stream membership management".
- Renames section about "Who can add users to streams" setting.
- Adds new section "Configure who can remove users".
- Updates help/stream-permissions

Fixes #25264.
2023-05-18 12:50:54 -07:00
David Rosa 55127b6178 help: Add intro section to help/add-or-remove-users-from-a-stream.
- Adds an intro section about what's possible by consolidating
  references to permissions.
2023-05-18 12:50:54 -07:00
Lauryn Menard 5802f7775f api-changelog: Update and clarify docs for feature level 178 entry.
Updates the descriptions and examples for there only being two key
values: "website" and "aggregated".

Also, clarifies that email keys are the Zulip display email.

And removes any descriptive text that says presence objects have
information about the clients the user is logged into.
2023-05-18 11:57:02 -07:00
Alex Vandiver 1184bdc934 push_notifications: Lock message while we mark it pending for push.
Deleting a message can race with sending a push notification for it.
b47535d8bb handled the case where the Message row has gone away --
but in such cases, it is also possible for `access_message` to
succeed, but for the save of `user_message.flags` to fail, because the
UserMessage row has been deleted by then.

Take a lock on the Message row over the accesses of, and updates to,
the relevant UserMessage row.  This guarantees that the
message's (non-)existence is consistent across that transaction.

Partial fix for #16502.
2023-05-18 11:53:21 -07:00
Anders Kaseorg 12310189ed install: Support Debian 12.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2023-05-18 11:52:22 -07:00
Anders Kaseorg 16dedb08fd ci: Fix matrix definition for tests job.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2023-05-18 11:52:22 -07:00
Anders Kaseorg 4b19863065 test_timeout: Skip test_timeout_warn on Python 3.11 for coverage issue.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2023-05-18 11:52:22 -07:00
Anders Kaseorg 480a2e2d64 postgresql-init-dev-db: Work around PGroonga WAL issue.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2023-05-18 11:52:22 -07:00
Anders Kaseorg 83c0ed2a9d build-pgroonga: Upgrade PGroonga from 2.3.6 to 3.0.3.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2023-05-18 11:52:22 -07:00
Lalit a2db6df826 ts: Convert `deprecated_feature_notice` module to TypeScript. 2023-05-18 08:52:26 -07:00
Lalit 0216eb8915 deprecated_feature_notice: Use `zod` for validating data when fetching it from `localstorage`.
Refactored `maybe_show_deprecation_notice` to use zod to parse the `shown_deprecation_notices`
array stored in localstorage for better type-safety.
2023-05-18 08:52:26 -07:00