Commit Graph

45813 Commits

Author SHA1 Message Date
Anders Kaseorg 3eb2791c3e CVE-2021-3853: Fix HTML escaping in recipient_row.
Commit 44f935695d (#20462) incorrectly
added these extra braces while intending to add whitespace control.
This triple-brace syntax was asking Handlebars to skip escaping the
string.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
2022-01-18 21:28:21 -08:00
Alya Abbott 3659d95092 developer docs: Update GSoC documentation. 2022-01-18 21:16:18 -08:00
Alex Vandiver 677467f040 upgrade-zulip-from-git: Fix upstream URL for existing deploys. 2022-01-18 21:10:38 -08:00
Alex Vandiver bad58cdca6 upgrade-zulip-from-git: Fix the upstream URL not be the custom remote. 2022-01-18 21:10:38 -08:00
Aman Agrawal d4c70319eb topic_list: Fix search box not focused in expanded state.
We only check `topic_search_focused_before_build` if the
search box is visible.
2022-01-18 16:53:25 -08:00
Anders Kaseorg 1178e015d1 provision: Install non-PGDG PGroonga package in development environment.
The development environment installs PostgreSQL from the OS, not PGDG,
so we should install the non-PGDG PGroonga package to match.  This is
required on Debian 10 where postgresql-12-pgdg-pgroonga does not exist.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
2022-01-18 16:06:25 -08:00
Sahil Batra bb6dbb6383 todo_widget: Tag "Task list" heading for translation. 2022-01-18 14:15:34 -08:00
Alex Vandiver 915c2b2fd9 muting: Fix a race in topic unmuting.
Rather than check if the topic exists and then try to delete it, just
try to delete it, and catch the lack of matching rows.
2022-01-18 14:15:06 -08:00
Alex Vandiver 6bc5849ea8 puppet: Remove now-unused debathena apt repository. 2022-01-18 14:13:28 -08:00
Alex Vandiver b3f07cc98d puppet: Replace debathena zephyr package with equivalent puppet file. 2022-01-18 14:13:28 -08:00
Alex Vandiver a6d7539571 puppet: Replace debathena krb5 package with equivalent puppet file. 2022-01-18 14:13:28 -08:00
Alex Vandiver 75224ea5de puppet: python-dev is now purely virtual; install python2.7-dev. 2022-01-18 14:13:28 -08:00
Mateusz Mandera f8b06ed952 events: Send invites_changed event if user deactivation revokes invites.
revoke_invites_generated_by_user should send invites_changed event if it
actually revokes some invitations. This is called in the user
deactivatoin codepath.
2022-01-18 14:12:55 -08:00
Mateusz Mandera 74d2aea76a apply_events: Update state["subscribers"] upon "remove user" event.
Event of type "realm_user", op "remove", emitted by do_deactivate_user
should remove the user id from subscriptions in the state. We weren't
catching this bug, because test_do_deactivate_bot uses a newly created
bot, so no stream subscriptions are affected. The bug shows up if
deactivating e.g. cordelia - thus we want to have two tests instead,
one for testing bot deactivation and one for user deactivation.
2022-01-18 14:12:55 -08:00
Steve Howell dd1c9c45c7 stream colors: Try harder to avoid collisions.
We now use recipient_id % 24 for new stream colors
when users have already used all 24 of our canned
colors.

This fix doesn't address the scenario that somebody
dislikes one of our current canned colors, so if a
user continually changes canned color N to some other
color for new streams, their new streams will continue
to include color N (and the user will still need to
change them).

This fix doesn't address the fact that it can be expensive
during bulk-add situations to query for all the colors
that users have already used up.

See https://chat.zulip.org/#narrow/stream/3-backend/topic/assigning.20stream.20colors
for more discussion.
2022-01-18 13:56:54 -08:00
Priyank Patel 039910a159 ts: Convert lazy_set module to typescript. 2022-01-18 13:24:02 -08:00
Priyank Patel d0c339e772 lazy_set: Return set from the _make_set method.
This is done to avoid adding typescript type error checks when this
is converted to typescript.
2022-01-18 13:24:02 -08:00
Priyank Patel 84958bf7eb lazy_set: Move the size getter above other methods.
This is to avoid @typescript-eslint/member-ordering error when this
module is converted to typescript.
2022-01-18 13:24:02 -08:00
Priyank Patel 16a3d444fd lazy_set: Move set and array properties to the data field.
The data field will be a union type when it is converted to typescript.
This approach allows us to avoid introducing additional type check for
both of the properties.
2022-01-18 13:24:02 -08:00
N-Shar-ma be486b6138 i18n: Fix 'add choice' / 'add task' button size.
Removed the CSS rule setting the button's width to 100px.  This lets
the button take as much space as the appropriate translation needs,
without displaying an odd two-line button.

Fixes: #20077
2022-01-18 12:46:45 -08:00
Sahil Batra 06cba4ae1f actions: Use transaction.atomic in do_change_bot_owner. 2022-01-18 12:43:04 -08:00
Sahil Batra 7c44151135 actions: Use transaction.atomic in do_change_tos_version. 2022-01-18 12:43:04 -08:00
Sahil Batra 06d715a41d actions: Use transaction.atomic in do_change_icon_source. 2022-01-18 12:43:04 -08:00
Sahil Batra 64d1dc6525 actions: Use transaction.atomic in do_change_logo_source. 2022-01-18 12:43:04 -08:00
Sahil Batra 8945a64024 actions: Use transaction.atomic in do_change_realm_org_type. 2022-01-18 12:43:04 -08:00
Sahil Batra c8f81ded4e actions: Use transaction.atomic in do_change_default_sending_stream. 2022-01-18 12:43:04 -08:00
Sahil Batra cb43bdab93 actions: Use transaction.atomic for do_change_default_all_public_streams. 2022-01-18 12:43:04 -08:00
Sahil Batra 4a7461361e actions: Use transaction.atomic for do_change_default_events_register_stream. 2022-01-18 12:43:04 -08:00
Sahil Batra 5c758af3b4 actions: Use transaction.atomic for do_change_user_setting. 2022-01-18 12:43:04 -08:00
Alex Vandiver fc1adef28a puppet: Fix server_name of internal staging server. 2022-01-18 12:36:56 -08:00
Alex Vandiver 7e630b81f8 puppet: Switch to using snakeoil certs for staging.
This parallels ba3b88c81b, but for the
staging host.
2022-01-18 12:36:56 -08:00
Mateusz Mandera a812d93c24 corporate: Fix wrong hyperlink in /policies/terms. 2022-01-18 12:36:30 -08:00
Alex Vandiver fb4d9764fa puppet: Bump Grafana version, for 8.3.4. security release. 2022-01-18 12:33:02 -08:00
Dinesh 35960be510 puppeteer: Disable test_invalid_edit_bot_form(). 2022-01-17 09:46:03 -05:00
Alex Vandiver 19f891968d markdown: Increase the maximum number of image previews per message.
The limit here is purely to prevent breakage in case of a pathological
number of images in a single message; 5 images is entirely possible in
a reasonable message, and causes user confusion when they are not
expended.

Increase the limit to 10 per message.
2022-01-14 11:30:07 -08:00
Anders Kaseorg 1dfddffc8d profile_request: Use modern Django middleware API.
Fixes “RemovedInDjango40Warning: Passing None for the middleware
get_response argument is deprecated.” from LogRequests().

Signed-off-by: Anders Kaseorg <anders@zulip.com>
2022-01-13 21:03:22 -08:00
Anders Kaseorg 5bb8520c82 computed_settings: Remove deprecated Jinja2 autoescape extension.
It’s built in to Jinja2 as of 2.9.  Fixes “DeprecationWarning: The
'autoescape' extension is deprecated and will be removed in Jinja
3.1. This is built in now.”

Signed-off-by: Anders Kaseorg <anders@zulip.com>
2022-01-13 21:03:00 -08:00
Anders Kaseorg 6e00d6f97a change_password: Set requires_system_checks to a list.
Django 3.2 expects a list, and Django 4.1 will require one.  Fixes
“RemovedInDjango41Warning: Using a boolean value for
requires_system_checks is deprecated. Use '__all__' instead of True,
and [] (an empty list) instead of False.”

Signed-off-by: Anders Kaseorg <anders@zulip.com>
2022-01-13 21:02:41 -08:00
Anders Kaseorg 9e70a47f93 test_push_notifications: Close event loops.
Fixes “ResourceWarning: unclosed event loop <_UnixSelectorEventLoop
running=False closed=False debug=False>”.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
2022-01-13 20:40:46 -08:00
Anders Kaseorg 87b4e9259f documentation: Replace deprecated request.is_ajax() method.
This was deprecated in Django 3.1 for being jQuery-specific, and
removed in Django 4.0.  Replicate the jQuery-specific check.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
2022-01-13 15:40:22 -08:00
Anders Kaseorg 4147da24dd tests: Use read_test_image_file.
Fixes a ResourceWarning from the unclosed file at test_upload.py:1954.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
2022-01-13 14:59:46 -08:00
Anders Kaseorg 031f4596ab openapi: Use openapi_core ResponseValidator to validate responses.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2022-01-13 14:34:11 -08:00
Anders Kaseorg 4cd5e0e578 openapi: Fix display_brief_error not to rely on naively_merge_allOf.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2022-01-13 14:34:11 -08:00
Anders Kaseorg 86c39e5792 test_openapi: Make testing.yml a full conformant specification.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2022-01-13 14:34:11 -08:00
Anders Kaseorg 465ea4ac51 openapi: Validate Python example responses against the entire schema.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2022-01-13 14:34:11 -08:00
Anders Kaseorg 02c1196e3e openapi: Merge success examples for POST users/me/subscriptions.
oneOf with two identical branches (modulo example) is a bug because
oneOf means exclusive or.  It’s also a totally inappropriate kludge
for encoding multiple examples.  The OpenAPI specification provides a
perfectly good standard way to do that:

https://spec.openapis.org/oas/v3.0.3#example-object

However, we don’t handle that in our OpenAPI documentation generator
yet, so for now just merge the examples.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
2022-01-13 14:34:11 -08:00
Anders Kaseorg e9fd52da01 openapi: Mark subscribe error as a JsonError.
This was a oneOf with two identical branches modulo example, which is
always a bug because oneOf means exclusive or.  But the example for
the first branch did not fit the schema for AddSubscriptionsResponse,
which is a subset of JsonSuccessBase.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
2022-01-13 14:34:11 -08:00
Anders Kaseorg a503d19eae openapi: Declare items: {} for “inherited” array properties.
This should not be needed, but works around an openapi-core bug:
https://github.com/p1c2u/openapi-core/issues/380

Signed-off-by: Anders Kaseorg <anders@zulip.com>
2022-01-13 14:34:11 -08:00
Anders Kaseorg 6c25c628b1 openapi: Mark “inherited” nullable properties as nullable.
Although allOf is often used to indicate inheritance, its semantics
are that of a plain set intersection.  The intersection of a nullable
property with a non-nullable property is a non-nullable property.
Therefore, if we want an inherited property to remain nullable, we
need to mark it as such.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
2022-01-13 14:34:11 -08:00
Anders Kaseorg 1cb397c1ed openapi: Remove additionalProperties: false from BasicStreamBase.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2022-01-13 14:34:11 -08:00