Commit Graph

47925 Commits

Author SHA1 Message Date
Mateusz Mandera 46c6f33b10 reactivate_realm: Change error status code on invalid links to 404. 2022-07-26 17:14:26 -07:00
Mateusz Mandera 0e2691815e confirmation: Prevent re-use of email change links.
The .status value of EmailChangeStatus was not being looked
at anywhere to prevent re-use of email change confirmation links. This
is not a security issue, since the EmailChangeStatus object has a fixed
value for the new_email, while the confirmation link has expiry time of
1 day, which prevents any reasonable malicious scenarios.

We fix this by making get_object_from_key look at
confirmation.content_object.status - which applies
generally to all confirmations where the attached object has the .status
attribute. This is desired, because we never want to
successfully get_object_from_key an object that has already been used or
reused.
This makes the prereg_user.status check in check_prereg_key redundant so
it can be deleted.
2022-07-26 17:14:26 -07:00
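The mechanism the commit above describes, as an added example that is not Zulip's own code: a confirmation key lookup that rejects a key whose attached object carries a `.status` that is no longer active, so any flow whose object can be marked used (an email change, a prereg user) becomes single-use without per-flow checks, while objects without a `.status` keep working and the expiry window is enforced independently. The constants `STATUS_ACTIVE`, `STATUS_USED`, the one-day `LINK_VALIDITY` and the stand-in model classes are assumptions made for this example.

```python
"""Single-use, time-limited confirmation links (added example, not Zulip code)."""
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Any, Dict

# Assumed constants for this example (not Zulip's definitions).
STATUS_ACTIVE = 0
STATUS_USED = 1
LINK_VALIDITY = timedelta(days=1)


class ConfirmationKeyError(Exception):
    """Base class for rejected confirmation keys."""


class KeyNotFound(ConfirmationKeyError):
    pass


class KeyExpired(ConfirmationKeyError):
    pass


class ObjectAlreadyUsed(ConfirmationKeyError):
    pass


@dataclass
class EmailChange:
    """Stand-in for an attached object that has a .status (hypothetical)."""
    new_email: str
    status: int = STATUS_ACTIVE


@dataclass
class RealmReactivation:
    """Stand-in for an attached object without a .status (hypothetical)."""
    realm_id: int


@dataclass
class Confirmation:
    content_object: Any
    date_sent: datetime
    key: str = field(default_factory=lambda: secrets.token_urlsafe(24))


class ConfirmationStore:
    """In-memory stand-in for the Confirmation table."""

    def __init__(self) -> None:
        self._by_key: Dict[str, Confirmation] = {}

    def create_confirmation_link(self, obj: Any, now: datetime) -> str:
        conf = Confirmation(content_object=obj, date_sent=now)
        self._by_key[conf.key] = conf
        return conf.key

    def get_object_from_key(self, key: str, now: datetime) -> Any:
        conf = self._by_key.get(key)
        if conf is None:
            raise KeyNotFound(key)
        if now - conf.date_sent > LINK_VALIDITY:
            raise KeyExpired(key)
        obj = conf.content_object
        # Generic check: an attached object with a .status that is no longer
        # active has already been consumed, so never hand it out again.
        # Objects without a .status are unaffected.
        if getattr(obj, "status", STATUS_ACTIVE) != STATUS_ACTIVE:
            raise ObjectAlreadyUsed(key)
        return obj


def confirm_email_change(store: ConfirmationStore, key: str, now: datetime) -> str:
    """Consume the link: look the object up, apply it, then mark it used."""
    change = store.get_object_from_key(key, now)
    change.status = STATUS_USED
    return change.new_email


def demo() -> Dict[str, Any]:
    """Exercise reuse rejection, status-less objects and expiry."""
    now = datetime(2022, 7, 26, tzinfo=timezone.utc)
    store = ConfirmationStore()
    key = store.create_confirmation_link(EmailChange("alice@example.com"), now)
    first = confirm_email_change(store, key, now)
    try:
        confirm_email_change(store, key, now + timedelta(minutes=5))
        second = "accepted"
    except ObjectAlreadyUsed:
        second = "rejected"
    rkey = store.create_confirmation_link(RealmReactivation(7), now)
    realm = store.get_object_from_key(rkey, now)
    ekey = store.create_confirmation_link(EmailChange("bob@example.com"), now)
    try:
        store.get_object_from_key(ekey, now + LINK_VALIDITY + timedelta(seconds=1))
        expired = "accepted"
    except KeyExpired:
        expired = "rejected"
    return {"first": first, "second": second, "realm_id": realm.realm_id, "expired": expired}
```

Because the status check lives in the lookup itself, a flow that forgets to check the status of its own model still cannot consume a used link; marking the object used after applying the change is what makes the link single-use.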
Mateusz Mandera 9992c7b6cc test_email_change: Extract generate_email_change_link helper. 2022-07-26 17:14:26 -07:00
Zixuan James Li fe9ed2e69d settings: Make INVITATION_LINK_VALIDITY_MINUTES optional.
Type inference does not work when the default value of `REQ` is
non-optional while `ResultT` is optional. Mypy tries to unify
`json_validator` with `Validator[int]` in `invite_users_backend` instead
of the desired `Validator[Optional[int]]` because of the presence of the
default value `settings.INVITATION_LINK_VALIDITY_MINUTES`, which is
inferred to be an `int`. Mypy does not resort to a less specific type but
instead gives up early.

This issue applies to invite_users_backend and generate_multiuse_invite_backend
in zerver.views.invite.

There might be a way that we can add an overload to get around this, but
it's probably not worth the complexity until it comes up again more frequently.

We do in fact allow `invite_expires_in_minutes` to be `None` in places
like `do_invite_users`, `invite_users_backend`, etc, and we have
`settings.INVITATION_LINK_VALIDITY_MINUTES` as the default for them. So
it makes sense to allow having an optional value for this setting. And
since there isn't a way to independently set the value of this constant,
we move it to a different place.

TODO:

This is a temporary fix that should be refactored when the bug is fixed.

The encountered mypy issue: https://github.com/python/mypy/issues/13234

Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-07-26 17:07:48 -07:00
Anders Kaseorg b17affc3da storage: Use Django 4.0 manifest_storage option.
https://code.djangoproject.com/ticket/27590
https://docs.djangoproject.com/en/4.0/ref/contrib/staticfiles/#manifeststaticfilesstorage

Signed-off-by: Anders Kaseorg <anders@zulip.com>
2022-07-26 17:06:02 -07:00
David Rosa 6062bad761 help-docs: Document "Pin to top"/"Unpin from top" mobile app feature.
Adds step-by-step instructions for mobile app users.

Adds alternate instructions for accessing the stream settings from
the long-press menu and from the information icon using a new
macro for reusability.

Fixes: #22198.
2022-07-26 17:04:40 -07:00
David Rosa ca22783960 help-docs: Add "Unpin" section to the "Pin a stream" page.
Fixes part of #22198.
2022-07-26 17:04:40 -07:00
Nikhil Maske 249d2a5d55 confirm_deactivate_user: Provide additional information about user.
Providing additional information like number of invites and number of
bots owned by deactivating user in the confirm_deactivate_user modal
will help the administrator if they need to do any follow-up work.

Fixes #20973.

Completed-by: Ganesh Pawar <pawarg256@gmail.com>
2022-07-26 17:03:02 -07:00
Tim Abbott 83fa5741ca css: Scope edit_bot_form custom CSS. 2022-07-26 17:00:01 -07:00
om2137 6013a1f4fc css: Use more consistent visuals for edit bot form.
* Use more consistent font style, both within the form and with the
  rest of the app.
* Use more consistent spacing.

Fixed #21410.
2022-07-26 16:58:43 -07:00
Aman Agrawal 6a7d64dc44 footer: Fix corporate footer being displayed on self-hosted server.
The condition was wrong in #22184.
2022-07-26 14:22:43 -07:00
Zixuan James Li 3104a7ea94 exceptions: Guard validation error conversion with message_dict.
Iterating over ValidationError does not necessarily return a tuple. This
uses the `message_dict` property on `ValidationError` instead to make
sure that we always get a `dict` (it otherwise raises an `AttributeError`
when the `dict` is not available).

Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-07-26 14:17:46 -07:00
Zixuan James Li 43106fb6ce avatar: Remove unnecessary try...except statement.
The `RateLimited` exception can be caught by `JsonErrorHandler`, so it
is not necessary to have the try...except statement here. It is also invalid
to pass a string to initialize `RateLimited`.

Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-07-26 09:50:31 -07:00
Zixuan James Li ad17096c9c realm_audit_log: Explicitly stringify dict before insertion.
`extra_data` as a `TextField` expects a `str`, but we had been passing
`dict` instead. This is a temporary solution before #18391 to fix the
type annotation.

Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-07-26 09:48:33 -07:00
Julia Bichler 4be2f0ed10 stream_settings: Use tooltips.
This changes the stream settings ui so that it uses
tooltips instead of titles.
2022-07-25 17:13:23 -07:00
Tim Abbott 8d49769d2e docs: Improve documentation for development environment subdomains. 2022-07-25 17:05:18 -07:00
Aman Agrawal 594b3abadc landing_pages: Fix gradient mismatch with background on wide screens.
Make the gradient end in white color to match the background.
This avoids a weird line in the background at the end of the
gradient.
2022-07-25 16:55:13 -07:00
Aman Agrawal 2e4a525669 plans: Improve design of faq answers. 2022-07-25 16:55:13 -07:00
Alya Abbott f244336271 portico: Move /plans FAQ to help center. 2022-07-25 16:55:13 -07:00
Sahil Batra 6287b87209 models: Remove unused "hidden_for_sponsorship" from ORG_TYPES.
We do not use "hidden_for_sponsorship" currently as it was
removed in d7ef0c7232.
2022-07-25 16:53:37 -07:00
Sahil Batra 28799c5d84 settings: Mention sponsorship in upgrade banner.
We mention sponsorship in the upgrade banner for non-business
organizations. The message for business organizations is the same
as before.

There is no explicit hover behavior for banners for org types
other than business, as banners are not themselves links in
such cases and only parts of text inside the banner are links.

Fixes #22161.
2022-07-25 16:53:37 -07:00
Zixuan James Li 2e248cdbec settings: Add CUSTOM_HOME_NOT_LOGGED_IN for type narrowing.
django-stubs dynamically collects the type annotation for us from the
settings, acknowledging mypy that `HOME_NOT_LOGGED_IN` is an
`Optional[str]`. Type narrowing with assertions does not play well with
the default value of the decorator, so we define the same setting
variable with a different name as `CUSTOM_HOME_NOT_LOGGED_IN` to bypass
this restriction.

Filed python/mypy#13087 to track this issue.

Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-07-25 14:11:32 -07:00
Zixuan James Li 44f5c1cb33 muting: Add validation for update operations.
This adds a `check_string_in` validator to ensure that `op` is actually
valid before we finally return `json_success()`.

Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-07-25 14:03:08 -07:00
Zixuan James Li cbaa4bd98c user_groups: Add MemberGroupUserDict.
Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-07-25 13:46:57 -07:00
Anders Kaseorg 9094a591e4 common: Remove unnecessary polyfills for IE.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2022-07-23 15:36:40 -07:00
Julia Bichler 7758317250 message-editing: Change default move option. 2022-07-23 15:35:28 -07:00
Anders Kaseorg 0bf7d76fb2 zjsunit: Fix mock_esm call site detection.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2022-07-22 19:30:55 -07:00
Sahil Batra 74476317fd compose: Remove validation for stream named "announce".
Originally, DEFAULT_NOTIFICATION_STREAM_NAME was set to
"announce" and we also showed warning in frontend when
user was composing message to "announce" stream and if
the stream had more than 60 subscribers.

But we changed DEFAULT_NOTIFICATION_STREAM_NAME to "general"
in d46b125bf2. That commit did not remove the frontend code
for showing warning and this commit removes it since there
is no "announce" stream by default now, and we would not
want to show warning when sending to "general" since that
stream could be used for many discussions and it would not
be a nice experience to show the warning every time.
2022-07-22 17:19:40 -07:00
Sahil Batra aa7bd76e5d compose: Show same error message every time user is not allowed to post.
We do not show different error messages for different values of the post
policy if the user is not allowed to post, making it consistent with
other settings like wildcard mention settings and organization settings.

This also helps us deduplicate some code as we use almost same code
for excluding the streams to which user is not allowed to post from
the dropdown in moving messages UI.
2022-07-22 17:19:40 -07:00
Sahil Batra 18dda7b485 message_edit: Do not show streams to which user cannot post.
We do not show the streams to which the user cannot post in the dropdown
list widget for moving messages between streams.
2022-07-22 17:19:40 -07:00
Mateusz Mandera 39d8a81e51 registration: Tie PreregistrationUser to the original MultiUseInvite.
Fixes #21266.

We want to tie the prereg_user to the MultiUseInvite directly rather
than to the MultiUseInvite's confirmation object, because the latter is
not possible. This is because the flow is that after going through the
multiuse invite link, the PreregistrationUser is created together with a
Confirmation object, creating a confirmation link (via
create_confirmation_link) to which then the user is redirected to finish
account creation. This means that the PreregistrationUser is already
tied to a Confirmation, so that attribute is occupied.
2022-07-22 17:08:44 -07:00
yogesh sirsat 5697c047fc settings_bots: Display "Deactivate bot" button inside bot edit modal.
Fixes: #22482
2022-07-22 16:57:40 -07:00
yogesh sirsat 34c01d80cb settings_bots: Display "Manage bot" modal from bots profile summary.
Fixes part of: #22482
2022-07-22 16:57:40 -07:00
yogesh sirsat fcd49871eb profile_summary: Clarify "Bot" user in bot profile summary.
A bot is technically a special case of a user, in terms of how they're
stored in the database at least, but for end users, we avoid referring
to them that way.

Fixes part of: #22482
2022-07-22 16:57:40 -07:00
Anders Kaseorg 2039aed821 openapi: Move endpoint URL to generator.
A standard OpenAPI document has no reason to redundantly include this
information in description fields, as standard generators already
display it.

This uniformly moves the URL above the description, which seems fine.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
2022-07-22 16:41:55 -07:00
Anders Kaseorg 8942d11a72 openapi: Simplify other render functions.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2022-07-22 16:41:55 -07:00
Anders Kaseorg 946a0565c6 openapi: Fuse generate_api_title with generate_api_description.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2022-07-22 16:41:55 -07:00
Ganesh Pawar e16e7630e6 minor: Add `z-index` to `message_time` class.
This fixes the issue of the timestamp in a message not
being clickable at smaller widths.
2022-07-22 16:39:53 -07:00
Alex Tereschenko eb5fc54859 settings_org: Adjust var/function names after moving to settings_checkbox.
After moving to settings_checkbox in Authentication Methods UI,
mentions of "table" in the related JS variable/function names
are no longer meaningful and may be confusing. Change them to "list".
2022-07-22 16:38:47 -07:00
Alex Tereschenko 9142aab8ba settings_org: Use settings_checkbox in Authentication Methods UI.
Per review feedback in #21002, replace HTML table with a series
of settings_checkbox components for Authentication Methods UI.

Fixes #21001.
2022-07-22 16:38:47 -07:00
Zixuan James Li 8ae838c5c8 users: Remove default values for add_service.
These default values are unused by the callers and incompatible with the
`Service` model.

Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-07-22 16:34:32 -07:00
Zixuan James Li ebfd2b25b1 user_status: Add UserInfoDict.
The shared fields of `RawUserInfoDict` and `UserInfoDict` could have
been reused if they both require all keys or none. This is unfortunately
not the case, because subclassing does not override `__total__`.

Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-07-22 16:31:18 -07:00
Zixuan James Li e347005a0a integrations: Use TestHttpResponse to type send_webhook_fixture_message.
Since we in fact are using the django test client to generate a response
here, the return type should be `TestHttpResponse` instead.

Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-07-22 16:30:04 -07:00
Zixuan James Li 0dfec6b132 templates: Use Dict instead of Mapping for the context parameter.
According to the Django documentation, `Template.render` expects a
`dict`.

See also: https://docs.djangoproject.com/en/4.0/topics/templates/#django.template.backends.base.Template.render.

Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-07-22 16:29:14 -07:00
Zixuan James Li e950b94ab5 test_urls: Remove legacy get_callback_string.
`_callback_str` was removed in Django 1.10, and other logic relevant
to that particular attribute was removed in
32849b80ad, but not to its entirety. It
does not make sense to fall back to `_callback_str`. The
`get_callback_string` helper is no longer needed.

Signed-off-by: Zixuan James Li <p359101898@gmail.com>
2022-07-22 16:22:47 -07:00
Aman Agrawal 768d7630af footer: Reduce links for self-hosted installations on signup pages.
On registration and login pages on self-hosted Zulip servers,
it is not helpful and confusing to show the full navigation footer
for the Zulip website. Instead, we should show a minimal footer.

Fixes #21776
2022-07-22 15:46:42 -07:00
sayamsamal bfc1901289 user_profile_modal: Move profile avatar to the top on smaller screens.
Moving the profile avatar to the top on smaller screen sizes adds to
the general responsiveness of the profile modal.
2022-07-22 15:28:05 -07:00
sayamsamal a5088db6f1 user_profile_modal: Fix long values flowing under the profile avatar.
When some value is very long as in the case of a long email address,
the text used to flow and hide under the profile avatar. We want the
values to be seen at all times, even if they need to be broken into
multiple lines.
2022-07-22 15:28:05 -07:00
sayamsamal d810c285e3 user_profile_modal: Move user status to right and add status icon.
The user status appears out of place among the profile fields and thus
placing it under the avatar avoids any discontinuity between the profile
fields. This also adds the status icon beside the user status.
2022-07-22 15:28:05 -07:00
sayamsamal aebff0fd61 user_profile_modal: Move avatar in full profile to the right.
The placement of the avatar on the right makes the full profile modal
UI consistent with Settings > Profile UI. This also helps the custom
profile fields appear more in line with the default profile fields.

Fixes #21805
2022-07-22 15:28:05 -07:00