Commit Graph

45113 Commits

Author SHA1 Message Date
Alex Vandiver d3ecbf96a8 rate_limit: Rate-limit password reset attempts by IP, as well. 2021-11-04 20:34:39 -07:00
Alex Vandiver e3ec2e398c rate_limit: Pass seconds to freedom to all RateLimited exceptions. 2021-11-04 20:34:39 -07:00
Tim Abbott 1cad29fc3a settings: Add rate limiting for email address changes.
Co-authored-by: Alex Vandiver <alexmv@zulip.com>
2021-11-04 20:34:39 -07:00
Alex Vandiver f0532aecc8 tests: Stop adding an api_by_user rate limit always.
The decorator form is clearer by being more explicit; additionally,
the api_by_user rate-limit only currently used in one place, and makes
it difficult to test per-user rate-limits that are more specific.
2021-11-04 20:34:39 -07:00
Tim Abbott 01e2a495fc rate_limit: Fix missing IP rate limiting on confirmation.
Co-authored-by: Alex Vandiver <alexmv@zulip.com>
2021-11-04 20:34:39 -07:00
Alex Vandiver 48ba2e7cc6 tests: Hitting a rate-limit on find accounts should not send emails. 2021-11-04 20:34:39 -07:00
Alex Vandiver 0cfb156545 rate_limit: Merge two IP rate limits domains that send emails.
Both `create_realm_by_ip` and `find_account_by_ip` send emails to
arbitrary email addresses, and as such can be used to spam users.
Lump their IP rate limits into the same bucket; most legitimate users
will likely not be using both of these endpoints at similar times.

The rate is set at 5 in 30 minutes, the more quickly-restrictive of
the two previous rates.
2021-11-04 20:34:39 -07:00
Alex Vandiver 5f0897e6f7 tests: Add a test that IP rate-limiting is by IP.
The existing test did no verify that the rate limit only applied to
127.0.0.1, and that other IPs were unaffected.  For safety, add an
explicit test of this.
2021-11-04 20:34:39 -07:00
Alex Vandiver 9495dad850 tests: Simplify by always clearing IP limits in rate_limit_rule.
The only use case of rate_limit_rule which does not clear the
RateLimitedIPAddr history is test_hit_ratelimits_as_remote_server,
which is not made any worse by clearing out the IP history for a
non-existent `api_by_remote_server` domain.
2021-11-04 20:34:39 -07:00
Alex Vandiver 260ccc9620 tests: Factor out common non-api rate-limit assert function.
The same `assert_func` is used in multiple places, for non-API
requests.  Factor it out and make it a flag to do_test_hit_ratelimits.
2021-11-04 20:34:39 -07:00
Alex Vandiver 272e78de8b tests: Split out test_find_account_rate_limiting_multiple.
This lets rate_limit_rule be used consistently as a decorator, and
improves how parallel the code is here, with other tests.
2021-11-04 20:34:39 -07:00
Alex Vandiver 328a28d772 tests: Correct the assert in the post-rate-limit test. 2021-11-04 20:34:39 -07:00
Tim Abbott 1dfc62f9a0 emails: Remove username from email change confirmation.
Generally when we send confirmation emails to addresses the user has
not already proven that they control, we want to avoid including in
the email any user-controlled data.  Doing so makes it hard for
malicious actors to use the feature to send spam, since they won't
have a way to include the URL for their malicious website in our
emails.
2021-11-04 17:51:37 -07:00
Anders Kaseorg 6fa86385aa docs: Enable sphinx_rtd_theme as an extension.
This has no effect at present, but it’s documented as necessary to
enable localization of theme strings in translated output, so maybe
it’ll be relevant some day.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-11-04 11:55:15 -07:00
Anders Kaseorg 03a7d0c053 docs: Remove html_theme_path override.
This block has been obsolete since at least sphinx-rtd-theme 0.2.5.
Removing it fixes the heading permalink icon in a local build to be
consistent with the one shown on Read the Docs, and has no other
effect.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-11-04 11:55:15 -07:00
Anders Kaseorg 8d4568140c docs: Enable collapse_navigation for local builds.
This makes local builds significantly faster, while leaving the fancy
navigation enabled on Read the Docs where it’s important.

https://sphinx-rtd-theme.readthedocs.io/en/stable/configuring.html#confval-collapse_navigation

Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-11-04 11:55:15 -07:00
Anders Kaseorg 177dde15eb docs: Clean Sphinx configuration file.
Delete all the boilerplate comments and unused options generated by
the ancient version of Sphinx that originally generated this file,
leaving a file that one can realistically read.  Leave some links for
those who want to read about all the options that exist.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-11-04 11:55:15 -07:00
Aman Agrawal 0879e5e0e2 home: Delete prefers_web_public_view key after user is logged in.
Since `prefers_web_public_view` key in session is only
relevant to users without an account, this key should no longer
be present in the user's session object.

Fixes #19907
2021-11-03 16:52:51 -07:00
Priyansh Garg 17409a78be data_import: Fix a few KeyError bugs in Rocket.Chat import tool.
This commit fixes a few bugs in Rocket.Chat import tool as reported on CZO.

Link: https://chat.zulip.org/#narrow/stream/9-issues/topic/Rocketchat.20Import
2021-11-03 16:50:56 -07:00
Anders Kaseorg 458844a2f5 install-yarn: Verify that the install location is /srv/zulip-yarn.
scripts.lib.node_cache expects Yarn to be in /srv/zulip-yarn, so if
it’s installed somewhere else, even if it’s the right version, we need
to reinstall it.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-11-03 16:49:58 -07:00
EmmalineLake 071c1c617d
vscode: Recommend remote development extension.
Add the VSCode Remote Development Extension to our list of recommended extensions.
2021-11-03 16:03:46 -07:00
Aman Agrawal 1484812f4b message_view_header: Hide subscriber count for spectators.
While we figure out a plan in #19842 to display
subscriber count for spectators without doing a heavy query
to the database, we hide this section in navbar.
2021-11-03 16:02:53 -07:00
Shlok Patel 893c9bc896 export: Remove `--delete-after-upload` flag in realm export.
For export realm following changes have been made:
- `./manage.py export --upload` would delete `.tar.gz` and unpacked dir
- `./manage.py export` would only delete `unpacked dir`

Besides, we have removed `--delete-after-upload` as we have set it as
the default.

Fixes #20081
2021-11-03 11:14:02 -07:00
Tim Abbott 4d055a6695 push_notifications: Truncate overly large remove events.
Fixes #19224.
2021-11-02 21:24:14 -07:00
Anders Kaseorg 069d6ced69 requirements: Upgrade Python requirements.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-11-02 16:30:42 -07:00
Eeshan Garg fd0ce28029 requirements: Ensure that importlib-metadata installs on > py3.8.
In #20012, it was discovered that since our `zulip_bots` package
requires `importlib-metadata >= 3.6; python_version < "3.10"`
whereas the server requires
`importlib-metadata==4.8.1 ; python_version < "3.8". This results
in `importlib-metadata` not being installed on Python 3.8 and
Python 3.9. This commit resolves that discrepancy.

Thanks to Anders Kaseorg (@andersk) for reporting this bug!
2021-11-02 16:02:22 -07:00
Tim Abbott 32a5318fa6 api docs: Fix release lifecycle link.
This was added in 3871c99104.
2021-11-02 14:45:34 -07:00
Mateusz Mandera 1c0e92d343 scim: Add a /help/ page for Okta SCIM. 2021-11-02 14:33:22 -07:00
Tim Abbott 3871c99104 docs: Improve introduction for API changelog page.
This links to the release lifecycle documentation and is a bit more
explicit about how to use this.

Probably further improvement would be useful as well.
2021-11-02 14:14:53 -07:00
Lauryn Menard dd5cad549c documentation: Expand documentation processes in new feature tutorial.
Expands the developer tutorial 'Writing a new application feature' to
include more detail about the documentation aspects of adding a new
feature. Adds references to specific files that will be impacted and
highlights API changes as well as writing `/help` articles.
2021-11-02 14:03:34 -07:00
AEsping 6963876e22 docs: Update instructions for Windows 10 installation.
This commit includes the following changes.
- Adds the definition of the WSL acronym.
- Adds information for changing BIOS settings
in order to enable machine virtulization.
- Fixes a broken link to Microsoft WSL installation instructions.
- Adds a reminder to create a new SSH key before connecting to
GitHub.
- Removes the step to install Ubuntu.  This step is now
included in the standard installation.
- Reminds the user to launch Ubuntu as and administrator.
- Switches the text editor in the example to nano from vim.
Nano is included with the wsl installation, and is easier for
most people to use than vim.
- Adds a separate step to fork the Zulip/Zulip repository.
- Adds the bash command to open VS Code and
reminds the user to install the relevant extensions.

With various formatting tweaks by tabbott.
2021-11-02 13:47:11 -07:00
Aman Agrawal a40a5c0bdb user_info_popover: Show relevant info for spectators and hide buttons.
We add the date joined info to the popover and hide all the buttons
since none are relevant for a spectator.
2021-11-02 11:26:19 -07:00
Tim Abbott d76b4744bf popovers: Use user ID for computing medium avatar URLs. 2021-11-02 11:26:19 -07:00
Aman Agrawal eb396b6190 popovers: Don't try to fetch small avatar using email.
It's always better to use the user ID than the email for fetching data
about an object whose unique ID we have, which should be all of them.
And it's also cleaner code to use the standard people.js method; tabbott
checked that indeed all callers get their `user` objects from `people.js`.

Since we restrict spectators from having access to avatars using
email to avoid someone brute forcing a user's email, this removes
a 401 response from the server in spectator view when trying
to open user info popover.

Additionally, this fixes the cached-fetching behavior documented in
the comments we add about the way we construct URLs.
2021-11-02 11:26:19 -07:00
Aman Agrawal d763ccf0d6 left_sidebar: Hide vdots for All messages and stream buttons.
Since the options in those popovers are non-accessible to the
spectator, it is better to hide the vdots instead of
displaying empty menu.
2021-11-02 11:26:19 -07:00
Aman Agrawal 3e689ebae9 users: Allow spectators to view user avatars.
If realm is web_public, spectators can now view avatar of other
users.

There is a special exception we had to introduce in rest model to
allow `/avatar` type of urls for `anonymous` access, because they
don't have the /api/v1 prefix.

Fixes #19838.
2021-11-02 11:26:19 -07:00
Aman Agrawal d6541c4724 message_fetch: For spectators, add web-public to narrow.
Without this, server will return a 401 error.
2021-11-02 11:26:19 -07:00
YashRE42 937d398f4e minor: Fix typo in zjquery_element.js - "zjquery" was "zjuery". 2021-11-02 10:27:15 -07:00
Tim Abbott 61c0825036 docs: Extend Certbot troubleshooting documentation.
This should help folks who have problems with Certbot renewal; we had
a couple reported this week which I think were both caused by firewall
issues.
2021-11-01 18:11:31 -07:00
Chris Bobbe cce27aa47d openapi: Say message_content_delete_limit_seconds won't be 0 anymore.
I think this is ensured by an assertion in
parse_message_content_delete_limit in zerver/lib/message.py:
  https://github.com/zulip/zulip/blob/b13bfa09c/zerver/lib/message.py#L1482
2021-11-01 17:17:25 -07:00
Priyansh Garg 0c2e4eec20 data_import: Import Rocket.Chat threads as separate topics. 2021-11-01 17:13:35 -07:00
Priyansh Garg 0db9b7287b data_import: Import Rocket.Chat messages from direct discussions.
This commit adds functionality to import messages from the
Discussions having direct channels as their parent. As we don't
have topics in the PMs, the messages are imported in interleaved
form in the imported direct channels/PMs.

This was completely unsupported earlier and would have resulted in
an error.
2021-11-01 17:09:11 -07:00
Priyansh Garg 5f1e246230 data_import: Import wildcard mention data from Rocket.Chat. 2021-11-01 17:06:15 -07:00
Priyansh Garg 7d3ecc8a0e data_import: Update Rocket.Chat caveats for discussions and uploads.
Uploaded files import implemented in: aed4e48
2021-11-01 17:06:14 -07:00
Priyansh Garg 26f16b9eec data_import: Separate logic for naming Rocket.Chat streams and topics. 2021-11-01 16:48:25 -07:00
Sahil Batra e6106cb334 invites: Update error message when max limit for the day is reached.
This commit updates the error message returned when the maximum
invite limit for the day. We update the error returned by API to
only mention that the limit is reached and add the suggestion
to use multi-use link or contact support in the message shown
in webapp.
2021-11-01 16:36:26 -07:00
Tim Abbott 5e23ded50e i18n: Update translation data from Transifex.
This update includes a new Sinhala translation.
2021-11-01 16:33:52 -07:00
Kevin Scott 64f099d2f5 compose: Add compose box button to insert global times.
Fixes #20045.
2021-11-01 16:20:05 -07:00
Tim Abbott 862061fa53 lint: Fix JS style in last commit. 2021-11-01 11:07:01 -07:00
Mateusz Mandera 3d731de3f1 docs: Add disabling of Force POST Binding to Keyclock SLO instructions.
This needs to be disabled, because python3-saml only supports the
Redirect binding. This step was forgotten in the original writing of
this doc.
2021-11-01 11:02:51 -07:00