Commit Graph

53384 Commits

Author SHA1 Message Date
Mateusz Mandera f3a3047484 bulk_access_messages_expect_usermessage: Fix function name and comments.
The name and docstring were just wrong, having a UserMessage row isn't
sufficient for having message access and is actually only relevant in a
private stream with private history. The function is only used in a
single place anyway, in bulk_access_messages.

The comment mentioning this function in handle_remove_push_notification
can be tweaked to just not mention any function specifically and just
say why we're not checking message access.
2023-08-25 14:10:27 -04:00
Mateusz Mandera 91eef4d77f delete_in_topic: Add comment explaining the access logic. 2023-08-25 14:10:27 -04:00
Mateusz Mandera c908b518ef CVE-2023-32678: Prevent unauthorized editing/deletion in priv streams.
Users who used to be subscribed to a private stream and have been
removed from it since retain the ability to edit messages/topics, and
delete messages that they used to have access to, if other relevant
organization permissions allow these actions. For example, a user may be
able to edit or delete their old messages they posted in such a private
stream. An administrator will be able to delete old messages (that they
had access to) from the private stream.

We fix this by fixing the logic in has_message_access (which lies at the
core of our message access checks - access_message() and
bulk_access_messages()) to not rely on only a UserMessage row for
checking access but also verify stream type and subscription status.
2023-08-25 14:10:27 -04:00
Karl Stolley 51e3ed0262 compose: Render Mac-specific Cmd, Return at compose bottom. 2023-08-25 10:52:05 -07:00
Daniil Fadeev 54c01ac46e emoji: Remove unnecessary style declaration.
The `.emoji-popover` element is a div and thus has display: block by
default.
2023-08-24 17:54:13 -07:00
Daniil Fadeev 190b25878e emoji: Remove parameter from the emoji popover template.
Only one value was ever used.
2023-08-24 17:54:13 -07:00
Zixuan James Li a081428ad2 user_groups: Make locks required for updating user group memberships.
**Background**

User groups are expected to comply with the DAG constraint for the
many-to-many inter-group membership. The check for this constraint has
to be performed recursively so that we can find all direct and indirect
subgroups of the user group to be added.

This kind of check is vulnerable to phantom reads, which are possible at
the default read committed isolation level because we cannot guarantee
that the check is still valid when we are adding the subgroups to the
user group.

**Solution**

To avoid having another transaction concurrently update one of the
to-be-subgroups after the recursive check is done, and before the subgroup
is added, we use SELECT FOR UPDATE to lock the user group rows.

The lock needs to be acquired before a group membership change is about
to occur before any check has been conducted.

Suppose that we are adding subgroup B to supergroup A, the locking protocol
is specified as follows:

1. Acquire a lock for B and all its direct and indirect subgroups.
2. Acquire a lock for A.

For the removal of user groups, we acquire a lock for the user group to
be removed with all its direct and indirect subgroups. This is the special
case A=B, which is still compliant with the protocol.

**Error handling**

We currently rely on Postgres' deadlock detection to abort transactions
and show an error for the users. In the future, we might need some
recovery mechanism or at least better error handling.

**Notes**

An important note is that we need to reuse the recursive CTE query that
finds the direct and indirect subgroups when applying the lock on the
rows. And the lock needs to be acquired the same way for the addition and
removal of direct subgroups.

User membership change (as opposed to user group membership) is not
affected. Read-only queries aren't either. The locks only protect
critical regions where the user group dependency graph might violate
the DAG constraint, where users are not participating.

**Testing**

We implement a transaction test case targeting some typical scenarios
when an internal server error is expected to happen (this means that the
user group view makes the correct decision to abort the transaction when
something goes wrong with locks).

To achieve this, we add a development view intended only for unit tests.
It has a global BARRIER that can be shared across threads, so that we
can synchronize them to consistently reproduce certain potential race
conditions prevented by the database locks.

The transaction test case launches pairs of threads initiating possibly
conflicting requests at the same time. The tests are set up such that exactly N
of them are expected to succeed with a certain error message (while we don't
know each one).

**Security notes**

get_recursive_subgroups_for_groups will no longer fetch user groups from
other realms. As a result, trying to add/remove a subgroup from another
realm results in a UserGroup not found error response.

We also implement subgroup-specific checks in has_user_group_access to
keep permission managing in a single place. Do note that the API
currently doesn't have a way to violate that check because we are only
checking the realm ID now.
2023-08-24 17:21:08 -07:00
Zixuan James Li 9f7fab4213 user_groups: Extract has_user_group_access helper.
Similar to has_message, we can maintain a helper dedicated to managing
access to user groups. Future permission related changes should be added
here.
2023-08-24 17:21:08 -07:00
Zixuan James Li 006b2acd5d user_groups: Make acting user required for deletion.
When doing a checked deletion, the acting user is always required.
It is effectively the user_profile parameter we had been previously
requiring.
2023-08-24 17:21:08 -07:00
Zixuan James Li 8792cfbadf user_groups: Return a QuerySet for recursive subgroups query.
This makes it more consistent with other recursive queries and allows
better composability.
2023-08-24 17:21:08 -07:00
Zixuan James Li a3f4341934 user_groups: Make for_read required.
We want to make the callers be more explicit about the use of the
user group being accessed, so that the later implemented database lock
can be benefited from the visibility.
2023-08-24 17:21:08 -07:00
Zixuan James Li 37b3507b86 user_groups: Reduce necessary nesting inside try-block.
The error only occurs when we do the get call.
2023-08-24 17:21:08 -07:00
Zixuan James Li 2b2a3b41be settings: Remove lock icon when the user can add bots.
Being able to add bots at the admin bot settings page, the lock icon is
unintuitive.

Fixes #24154

Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2023-08-24 16:57:17 -07:00
Zixuan James Li a4963df6ad settings: Remove "add a new bot button" from admin page.
Instead, we show a message with links that either opens a modal for
creating a new bot or navigates to the bot settings page. The
"add a new bot" link only shows up when the user has enough permission
to create new bots, and the "manage your bots" link only shows up when
the user has at least one bot if they don't have the permission to
create one. Otherwise, the message does not show up at all.

Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2023-08-24 16:57:17 -07:00
palashb01 5df5f6c125 help: Update message edit history documentation.
Co-authored-by: Tim Abbott <tabbott@zulip.com>
2023-08-24 16:28:06 -07:00
palashb01 ad70838cff keyboard_shortcuts: Add Shift+H to open message edit history dialog.
This commit introduces a new keyboard shortcut to open the message
edit history dialog for the selected message by using Shift+H.
2023-08-24 16:28:06 -07:00
Palash Baderia 92d1c6e390 message_feed: Remove the view edit history from the three-dot menu.
This commit removes the 'View Edit History' option from the three-dot
menu since we have already implemented this feature through the
edited/moved label in the message. Therefore, we no longer need this
option in the three-dot menu. This commit aims to simplify the
three-dot message menu.

Fixes: #23077
2023-08-24 16:28:06 -07:00
Karl Stolley c7adc5ee74 actions: Show an arrow and render a tooltip on @ indicator. 2023-08-24 14:30:46 -07:00
Karl Stolley 9709e1b4ed actions: Show pointer on bell icon. 2023-08-24 14:30:46 -07:00
Satyam Bansal cc8c159e0a compose: Add support for Jitsi audio calls.
Fixes #12207.
2023-08-24 10:52:34 -07:00
Satyam Bansal 4c501e4321 compose: Extract video call link creation logic to a generic function.
This extraction has been done to make sure that creation of audio call
links can happen in the same function only.

A change in test was also required as the whole logic of finding the
textarea where the link should be inserted happens a bit later now.
2023-08-24 10:52:34 -07:00
David Rosa 5b898ef216 help: Document "Browse and subscribe to streams" mobile feature. 2023-08-24 10:46:28 -07:00
David Rosa cef3a801c2 help: Update "Browse and subscribe to streams".
Updates Desktop/web instructions to follow current help center
documentation patterns.
2023-08-24 10:46:28 -07:00
Anders Kaseorg 03c24bc459 lightbox: Fix + and - zoom shortcuts to be inverses of each other.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2023-08-24 10:45:25 -07:00
Karl Stolley 207a0d789f message_time: Lighten font-weight to 350.
The tabular figures in Source Sans 3 place a foot on the 1, and
overall just feel visually a little heavier than their proportional
counterparts.

To compensate for that, this takes advantage of the variable-font
properties of Source Sans 3 to subtly drop the weight to keep the
timestamp readable but not in fierce competition with the message
area.
2023-08-24 10:44:39 -07:00
Lauryn Menard 80ee255f2b stats: Add stats page_params to `webpack.assets.json`.
In commit 640de3ad29, a separate
`page_params.ts` was added for the stats/analytics page, but adding
it to the `web/webpack.assets.json` for "stats" was missed, so we
add that here.
2023-08-24 10:43:38 -07:00
Anders Kaseorg 4300ec3293 requirements: Fix transitively replaced two_factor migrations.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2023-08-23 22:22:15 -07:00
Anders Kaseorg ead7b9177a check-database-compatibility: Ignore twofactor typo.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2023-08-23 22:14:26 -07:00
Lauryn Menard 29bb346480 typing: Update main typing notifications protocol documentation.
Updates the main description of the `api/set-typing-status` endpoint
for the new fields in the register response for the typing start,
stop, expired time intervals. Previously these were hardcoded by
the client side code and not the server side code.

Also updates the developer documentation for typing indicators in
the subsystems docs. This refreshes a few parts of that doc that
were already out of date, as well as adds the information about
the new register response fields noted above.
2023-08-23 16:38:59 -07:00
Samuel 3ce7b77092 typing: Add typing constants to the post register api response.
Adds typing notification constants to the response given by
`POST /register`. Until now, these were hardcoded by clients
based on the documentation for implementing typing notifications
in the main endpoint description for `api/set-typing-status`.

This change also reflects updating the web-app frontend code
to use the new constants from the register response.

Co-authored-by: Samuel Kabuya <samuel.mwangikabuya@kibo.school>
Co-authored-by: Wilhelmina Asante <wilhelmina.asante@kibo.school>
2023-08-23 16:36:44 -07:00
Anders Kaseorg d26a94a0db management: Validate string_id when creating or renaming a realm.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2023-08-23 16:33:13 -07:00
Anders Kaseorg 124c5d02e5 ci: Restore commented clean_unused_caches.py invocation.
The comment logic doesn’t make sense.  Every build gets to write to
the caches; some builds do in fact add new items, and without
clean_unused_caches.py there’s no way for them to remove items.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
2023-08-23 16:20:01 -07:00
evykassirer a8d2481d77 generate emoji: Use hex_codepoint_to_emoji.
This new util function helps make the
code here a little more readable.
2023-08-23 16:18:15 -07:00
evykassirer b9303a6506 push notifications: Use hex_codepoint_to_emoji.
Now that we have this util function, we can
use it here. No functional changes.
2023-08-23 16:18:15 -07:00
evykassirer 0289beb784 emoji: Match emoji sequences in markdown.
Fixes #11767.

Previously multi-character emoji sequences weren't matched in the
emoji regex, so we'd convert the characters to separate images,
breaking the intended display.

This change allows us to match the full emoji sequence, and
therefore show the correct image.
2023-08-23 16:18:15 -07:00
evykassirer 78f0dca269 narrow: Save blue box position and restore on navigation.
This saves the blue box position as state on the location
in browser history, with `history.replaceState`.

The position is restored when a narrow is activated.

Fixes #20066.
2023-08-23 13:40:26 -07:00
Sahil Batra 5a8416ff6a message: Do not pass "sender__realm" to select_related.
We have modified the code to directly fetch realm from Message
object instead of "sender" field and thus we no longer need to
fetch "sender__realm" using select_related.
2023-08-23 11:38:32 -07:00
Sahil Batra e9a6f69849 tests: Access realm directly from ScheduledMessage object.
There is no need to get realm for sender as ScheduledMessage
object also has realm field.

There is no direct benefit of this change but it is nice to
maintain the pattern which we want to follow in the code
in tests as well.
2023-08-23 11:38:32 -07:00
Sahil Batra 58aecbe443 message: Pass realm as argument to wildcard_mention_allowed.
We do not want to access realm from "sender" field so that
we do not need to pass "sender__realm" argument to
select_related call when querying messages. We can instead
pass realm as argument to wildcard_mention_allowed.
2023-08-23 11:38:32 -07:00
Sahil Batra df2407f97a message: Access realm from SendMessageRequest object directly.
We store realm object in SendMessageRequest object, so we can
access it directly instead of getting it from "sender" field.
2023-08-23 11:38:32 -07:00
Sahil Batra 7295028194 message: Access realm object directly from message.
We can directly get the realm object from Message object now
and there is no need to get the realm object from "sender"
field of Message object.

After this change, we would not need to fetch "sender__realm"
field using "select_related" and instead only passing "realm"
to select_related when querying Message objects would be enough.

This commit also updates a couple of cases to directly access
realm ID from message object and not message.sender. Although
we have fetched sender object already, so accessing realm_id
from message directly or from message.sender should not matter,
but we can be consistent to directly get realm from Message
object whenever possible.
2023-08-23 11:38:32 -07:00
Sahil Batra 4f30447b95 test_markdown: Set realm for Message objects.
We do not set realm to Message objects defined for markdown tests
and this works because we currently access realm from sender object.

This commit changes the code to set realm in Message objects as
we would be accessing realm from Message object directly in further
commits.
2023-08-23 11:38:32 -07:00
Alex Vandiver adc987dc43 send_email: Use a consistent order when sending custom emails to users. 2023-08-23 10:49:34 -07:00
Karl Stolley 3de007d9cd actions: Make uniform horizontal alignment. 2023-08-22 16:21:27 -07:00
Karl Stolley a17c7dfe0b controls: Present bell icon as a block.
This gives better positioning control over this icon, while not
inviting the side-effects and headaches of introducing another
flexbox.
2023-08-22 16:21:27 -07:00
Karl Stolley f07fb4fd58 time: Revert to Source Sans lnum, tnum defaults.
Source Sans 3 defaults to lining (lnum), tabular (tnum) figures,
the latter of which is necessary to have times like 11:11 and 11:18
line up in short, adjacent messages.

CZO discussion:
https://chat.zulip.org/#narrow/stream/6-frontend/topic/redesigned.20hover.20icons.20.2326283/near/1629117
2023-08-22 16:19:54 -07:00
David Rosa 1f3c125217 help: Document how notifications work for edited and deleted messages. 2023-08-22 14:50:23 -07:00
David Rosa 0349152f0f help: Rename edit-or-delete-a-message.md and update links. 2023-08-22 14:50:23 -07:00
David Rosa c86dc34eba help: Split "Edit or delete a message".
- Splits page into "Edit a message" and "Delete a message".
2023-08-22 14:50:23 -07:00
Satyam Bansal eb8714c9dc integrations: Add support for "Test plugin" in Sentry integration.
Previously, if a user tried to create a webhook using the Webhooks
plugin in Sentry and used the "Test plugin" to test the webhook,
the server would send a 500 error, even though the integration
worked perfectly. This led users to believe that the integration
was not working.

Fixes #26173.
2023-08-22 12:09:02 -07:00