Commit Graph

18939 Commits

Author SHA1 Message Date
Mateusz Mandera 1d7d3fae61 signup: Mirror dummy user should be registered with role from invite.
Aside of what's generally explained in the code comment, this is
motivated by the specific situation of import of Slack Connect channels.
These channels contain users who are "external collaborators" and
limited to a single channel in Slack. We don't have more sophisticated
handling of their import, which would map this concept 1-to-1 in Zulip -
but we create them as inactive dummy users, meaning they have to go
through signup before their account is usable.

The issue is that their imported UserProfile.role is set to Member and
when they register, the UserProfile gets reactivated with that role
unchanged. However, if e.g. the user is signing up after they received
an invitation from the admin, they should get the role that was
configured on the invite. In particular important if the user is meant
to still be "limited" and thus the admin invites them as a guest - they
definitely don't want the user to get a full Member account because of
this weird interaction between import and registration.
2024-09-19 15:26:27 -07:00
Alex Vandiver 818c30372f upload: Use tusd for resumable, larger uploads.
Currently, it handles two hook types: 'pre-create' (to verify that the
user is authenticated and the file size is within the limit) and
'pre-finish' (which creates an attachment row).

No secret is shared between Django and tusd for authentication of the
hooks endpoints, because none is necessary -- tusd forwards the
end-user's credentials, and the hook checks them like it would any
end-user request.  An end-user gaining access to the endpoint would be
able to do no more harm than via tusd or the normal file upload API.

Regardless, the previous commit has restricted access to the endpoint
at the nginx layer.

Co-authored-by: Brijmohan Siyag <brijsiyag@gmail.com>
2024-09-19 11:37:29 -07:00
Sahil Batra 5f3a8334be user_groups: Do not allow deleting user groups. 2024-09-18 13:41:13 -07:00
Sahil Batra c53563d0e7 user_groups: Handle deactivated groups in webapp. 2024-09-18 13:41:13 -07:00
Sahil Batra 5c790aac72 user_groups: Rename allow_deactivated in 'GET /user_groups'.
This commit renames "allow_deactivated" parameter in
"GET /user_groups" endpoint to "include_deactivated_groups", so
that we can have consistent naming here and for client capability
used for deciding whether to send deactivated groups in register
response and how to handle the related events.
2024-09-18 13:41:13 -07:00
Sahil Batra fb63c47ea6 user_groups: Add client capability to handle deactivated groups.
This commit adds a client capability to not receive data about
deactivated groups.
2024-09-18 13:41:13 -07:00
Sahil Batra aa123b38b4 tests: Test can_manage_group setting for deactivating groups.
There were no tests for testing group deactivation permission
based on can_manage_group setting.
2024-09-18 13:41:13 -07:00
Sahil Batra 7a6135371e settings: Handle guests separately for group-based settings.
This commit adds code to handle guests separately for group
based settings, where guest will only have permission if
that particular setting can be set to "role:everyone" group
even if the guest user is part of the group which is used
for that setting. This is to make sure that guests do not
get permissions for actions that we generally do not want
guests to have.

Currently the guests do not have permission for most of them
except for "Who can delete any message", where guest could
delete a message if the setting was set to a user defined
group with guest being its member. But this commit still
update the code to use the new function for all the settings
as we want to have a consistent pattern of how to check whether
a user has permission for group-based settings.
2024-09-18 11:51:11 -07:00
Alex Vandiver 9a1f78db22 thumbnail: Support checking for images from streaming sources.
We may not always have trivial access to all of the bytes of the
uploaded file -- for instance, if the file was uploaded previously, or
by some other process.  Downloading the entire image in order to check
its headers is an inefficient use of time and bandwidth.

Adjust `maybe_thumbnail` and dependencies to potentially take a
`pyvips.Source` which supports streaming data from S3 or disk.  This
allows making the ImageAttachment row, if deemed appropriate, based on
only a few KB of data, and not the entire image.
2024-09-17 12:51:30 -07:00
Alex Vandiver ef21dd9b99 thumbnail: Set a stable ordering on ImageAttachment rows for locking.
Failure to have a stable ordering can lead to deadlocks.
2024-09-17 09:14:52 -07:00
Prakhar Pratyush 764083d31b settings: Add 'allow_private_data_export' user setting.
This commit adds a user-setting to allow users to decide
whether to let administrators export their private data.

Fixes part of #31201.
2024-09-16 15:48:40 -07:00
Lauryn Menard bc8993f159 user-groups: Add helper for date_created comparison. 2024-09-16 11:42:55 -07:00
Johan Nilsson bf9cbe30a7 integrations: Add support for release events to GitLab integration. 2024-09-16 09:26:20 -07:00
sujal shah 614caf111e user_groups: Add `creator` and `date_created` field in user groups.
This commit introduced 'creator' and 'date_created'
fields in user groups, allowing users to view who
created the groups and when.

Both fields can be null for groups without creator data.
2024-09-13 18:44:58 -07:00
Tim Abbott cb53c60563 models: Clean up CommonMessagePolicyEnum.
This is no longer used outside an old migration.
2024-09-12 09:36:02 -07:00
Vector73 0cd51f2fea settings: Remove `delete_own_message_policy` realm property.
Removed `delete_own_message_policy` realm property as the permission
to delete own messages is controlled by `can_delete_own_message_group`
setting.
2024-09-12 09:36:02 -07:00
Vector73 28c7a04734 settings: Add `can_delete_own_message_group` realm setting.
Added `can_delete_message_group` realm setting to replace
`delete_own_message_policy` property.
2024-09-12 09:36:02 -07:00
Tim Abbott 2585d209c0 user_groups: Rename misleadingly named view function. 2024-09-11 09:43:56 -07:00
Sahil Batra 688c5ad0af groups: Allow excluding deactivated groups in 'GET /user_groups' response. 2024-09-11 09:43:56 -07:00
Sahil Batra fef2925ff0 mention: Handle mentioning deactivated user groups.
If someone tries to mention a deactivated user group,
then it is automatically converted to a silent mention
like we do for deactivated users.
2024-09-11 09:43:56 -07:00
Sahil Batra c1d6da0a5c user_groups: Update handling of deactivated groups.
We only allow updating name of a deactivated group, and not
allow updating description, members, subgroups and any setting
of a deactivated user group.

Deactivated user groups cannot be a a subgroup of any group
or used as a setting for a group.
2024-09-11 09:43:56 -07:00
Sahil Batra e1cfe61452 user_groups: Add API support for deactivating user groups. 2024-09-11 09:43:56 -07:00
Sahil Batra bef7cfe00f user_groups: Add deactivated field to NamedUserGroup model. 2024-09-11 09:43:56 -07:00
Sahil Batra f0c0eef8dc groups: Lock user group rows while using them for settings.
This is important to make sure that we handle cases when there
are two parallel requests - one for using a group for a setting
and one for deactivating the same group. This makes sure that
atleast one of the above task fails.
2024-09-11 09:43:56 -07:00
Mateusz Mandera b572b1536a test_retention: Delete irrelevant comment.
This comment is clearly out of place and at this point doesn't match any
of the classes in a useful way.
2024-09-10 17:07:47 -07:00
Mateusz Mandera ce5439d87f retention: Remove outdated compat block for delete_message events.
As noted in the comment in that block, this is no longer useful.
2024-09-10 17:07:47 -07:00
Tim Abbott ad890890f6 lint: Fix several duplicate word typos. 2024-09-10 15:59:00 -07:00
Ikko Eltociear Ashimine 0507f65da5
realm_settings: Fix duplicate word typos in comments. 2024-09-10 15:55:14 -07:00
joseph 65893292b5 channel_subscribe: Use IDs instead of emails when processing results.
As part of our todo in the code, we want to use the unique user IDs
instead of emails when processing the results of subscribing users to a
channel. These changes apply those changes and streamlines the use of IDs.
2024-09-10 15:37:38 -07:00
Mateusz Mandera a36f906d1a presence: Add history_limit_days param to the API.
This param allows clients to specify how much presence history they want
to fetch. Previously, the server always returned 14 days of history.
With the recent migration of the presence API to the much more efficient
system relying on incremental fetches via the last_update_id param added
in #29999, we can now afford to provide much more history to clients
that request it - as all that historical data will only be fetched once.

There are three endpoints involved:
- `/register` - this is the main useful endpoint for this, used by API
clients to fetch initial data and register an events queue. Clients can
pass the `presence_history_limit_days` param here.
- `/users/me/presence` - this endpoint is currently used by clients to
update their presence status and fetch incremental data, making the new
functionality not particularly useful here. However, we still add the
new `history_limit_days` param here, in case in the future clients
transition to using this also for the initial presence data fetch.
- `/` - used when opening the webapp. Naturally, params aren't passed
here, so the server just assumes a value from
`settings.PRESENCE_HISTORY_LIMIT_DAYS_FOR_WEB_APP` and returns
information about this default value in page_params.
2024-09-10 13:15:35 -07:00
Mateusz Mandera 6ce096c0ff zerver: Rename some message_type variables to recipient_type. 2024-09-10 12:50:28 -07:00
Prakhar Pratyush e8349aa5d7 custom_email: Add manage_preferences block to the plaintext version.
Earlier, the content of the "manage_preferences" block that includes
the unsubscribe_link, personal settings link, etc was missing in the
plaintext version of the custom emails.

This commit updates the logic to include the manage_preferences block
content in the plaintext version.
2024-09-10 09:36:56 -07:00
Prakhar Pratyush e967226f8c remote_server_email: Add 'unsubscribe link' in the mail footer.
Previously, the emails sent to the remote servers had the
'unsubscribe link' only present in the 'List-Unsubscribe' header.

Not all email clients expose that header.

So, this commit adds the link in the footer too.
2024-09-10 09:36:56 -07:00
Vector73 eacf54d52d test_realm: Fix `test_invalid_integer_attribute_values`.
Fixes test that checks for error when invalid value is given for a property
in realm. Currently, only properties with type int are checked, leaving
properties having optional int type. This commit fixes that.
2024-09-10 09:32:33 -07:00
Alex Vandiver 8bacdbc895 thumbnail: Put the original dimensions on spinner images.
This lets us reserve the right amount of space in the message feed
immediately.
2024-09-09 15:59:02 -07:00
Tim Abbott f757f5f5f8 api_docs: Document feature level 286. 2024-09-09 15:59:02 -07:00
Alex Vandiver 56ca594abf upload: Preserve content-type from upload for local-file storage.
Now that we store the content-type in the database, use that value
(if we have it, since we did not backfill) when serving content back
to the client.  This means the file backend has parity with the S3
backend.
2024-09-09 12:40:17 -07:00
Alex Vandiver d7ebe7296d test_upload: Switch to SimpleUploadedFile. 2024-09-09 12:40:17 -07:00
Alex Vandiver 485e235719 test_upload: Remove an incorrect comment.
S3 uploads are now (after 04cf68b45e) handled like local uploads
were -- no redirects are used.
2024-09-09 12:40:17 -07:00
Alex Vandiver 903bfb31e6 upload: Provide the frontend with the less-modified filename. 2024-09-09 12:40:17 -07:00
Alex Vandiver b4764f49df upload: Download files with their original names.
Fixes: #29491.
2024-09-09 12:40:17 -07:00
Alex Vandiver 933e3cb375 upload: Explicitly return a bool and the Attachment object. 2024-09-09 12:40:17 -07:00
Alex Vandiver 0b0a7fa251 attachments: Tighten type of validate_attachment_request_for_spectator_access. 2024-09-09 12:40:17 -07:00
Alex Vandiver ca72e756eb upload: Rename "upload_image_to_s3"; it is not only for images. 2024-09-09 12:40:17 -07:00
Alex Vandiver c8c480baef mattermost: Handle duplicate dm-groups.
Observed in the wild, cause unknown.

Partially fixes: #24131.

Co-authored-by: Mateusz Mandera <mateusz.mandera@zulip.com>
2024-09-09 12:05:28 -07:00
Alex Vandiver 989d425023 users: Soften assumptions that all bots have owners.
Imported Slack bots currently do not have owners (#23145).  Soften the
deactivation codepath to allow them to be successfully deactivated
despite this.

Co-authored-by: Mateusz Mandera <mateusz.mandera@zulip.com>
2024-09-09 11:55:46 -07:00
Mateusz Mandera 7ebeffbcdc test_bots: Remove misleading comment.
This comment looks like an ancient leftover from early days (moved here
in a test_bots extraction in 123b4c1877 in
2017). Whatever its history, this comment and test name don't make sense
anymore. The response here is an error, not a silent success.
2024-09-09 11:55:46 -07:00
Lauryn Menard d610e09397 audit-logs: Use AuditLogEventType enum name for string method.
Reorders audit log string methods to have the following pattern:
"event_type event_time (id): modified_object". And the event type
is the name for the AuditLogEventType enum.
2024-09-09 11:50:13 -07:00
Lauryn Menard 00ecd4c8f0 audit-log: Move remote realm event types to AuditLogEventType enum.
Event types moved: REMOTE_REALM_VALUE_UPDATED,
REMOTE_PLAN_TRANSFERRED_SERVER_TO_REALM, REMOTE_REALM_LOCALLY_DELETED
REMOTE_REALM_LOCALLY_DELETED_RESTORED
2024-09-09 11:50:13 -07:00
Lauryn Menard aad93e149e audit-log: Move remote server event types to AuditLogEventType enum.
Event types moved: REMOTE_SERVER_DEACTIVATED, REMOTE_SERVER_REACTIVATED
REMOTE_SERVER_PLAN_TYPE_CHANGED, REMOTE_SERVER_DISCOUNT_CHANGED
REMOTE_SERVER_SPONSORSHIP_APPROVED, REMOTE_SERVER_BILLING_MODALITY_CHANGED
REMOTE_SERVER_SPONSORSHIP_PENDING_STATUS_CHANGED, REMOTE_SERVER_CREATED
2024-09-09 11:50:13 -07:00