Commit Graph

37352 Commits

Author SHA1 Message Date
orientor 817ee5c6b2 openapi_docs: Replace `argument` with `parameter`.
The term `parameter` is a better word than `argument` for data passed
to an API endpoint; this is why OpenAPI uses it in their terminology.
Replace `argument` with `parameter` in the API docs to improve their
readability.

Fixes #15435.
2020-06-18 09:18:27 -07:00
Steve Howell d4fc28cf42 list_cursor: Avoid tracebacks.
In rare situations we would get tracebacks from
list_cursor on the line that I changed here.  We
went the entire month of May without a traceback
here, and I can't reproduce the problem.

This is a pretty clear fix, though, and it will
hopefully lead to a more enlightening symptom.

The likely scenario here is that you use `q` to
navigate the stream list and then unsubscribe.
I tested that and couldn't get a traceback,
but I do think the traceback indicates some
possible issues.

The behavior I saw when I did this
appeared to be mostly harmless.
When I deleted a row (by unsubscribing), the code
seemed to effectively disable the cursor.  It's
possible we should go to the next row or fully disable
the search.

I opened #15439 to follow up on this and other
cursor-related issues.
2020-06-18 09:08:46 -07:00
Steve Howell 9fdd98cf88 refactor: Clean up add/remove_sidebar_row.
The stream_events tests were kinda messy, but
I mostly just consolidated a few sections of
code so that we didn't have to keep
re-stubbing the same functions.

For the actual code, I extracted add_sidebar_row
and then removed the unnecessarily complicated
jQuery trigger mechanisms.
2020-06-18 09:08:46 -07:00
Ryan Rehman 69f9c72edc search suggestions: De-duplicate legacy search codepath.
This merges the `exports.get_search_result_legacy` and
`exports.get_search_result` function.

The key differences between the two code paths are as follows:

* We only want to generate suggestions for the queries which
  the user is typing or can edit.
  For the legacy version, suggestions are displayed for the
  entire search string in the searchbox. (`all_operators`)
  For the pills enabled version, suggestions are displayed
  only for the input which hasn't been converted to pills.
  (`query_operators`)
  `all_operators` = `base_query_operators` + " " +  `query_operators`.
  trim is added at the end just to handle the legacy case
  where we pass the `base_query` as ''.

* It is not possible to detect whether the user wants to
  continue typing in the legacy version. However if the
  the searchbox is still focused even after pill creation
  we can assume the user still wants to continue typing.
  To handle this we push an empty term as the `last` operator.
  This is possible since the previous queries have been
completely entered as evident from its generated pill.

* When using the legacy version, `search_operators` are
  the same as `all_operators`, as mentioned in point 1.
  In the pills enabled version we perform most of the
  computations from the `query_operators`, but we do
  require all `all_operators`, only for filtering the last
  query's suggestion.

* And there is just one block unique to the legacy search
  system. More details are mentioned in the comments of that
  block.

We also refactor both the search suggestions node tests,
mainly to make them similar and easier to detect differences
when we switch over to the new version.
2020-06-18 01:44:15 -07:00
Ryan Rehman a7dc0ed816 search: Deactivate narrow on deleting the last search pill.
This is the only case where we change narrow
using the search box besides pressing enter.
2020-06-18 01:36:49 -07:00
Ryan Rehman 531a803bfc typeahead: Allow automated selection for `contenteditable` elements.
This adds the support of our auto completion behaviour of the legacy
search code into the search pills version.
2020-06-18 01:35:19 -07:00
Ryan Rehman 4ed4aa7b6f search: Do not narrow on update of search pills.
Previously we narrowed every time a search pill was created or deleted.
This commit allows the user to be able to continue typing without the
lag of narrowing.
This behaviour matches with the legacy version, whose code path remains
unchanged.
2020-06-18 01:33:56 -07:00
Ryan Rehman 6ce43f3ede search: Be able to continue typing after adding pills.
Under the search pills paradigm it is more natural for the
user to add pills and still continue typing.
Previously every time a pill gets added the narrow activates
(this is still the case) and then the user had to refocus the
searchbox to continue typing the remaining search query.
2020-06-18 01:32:11 -07:00
Ryan Rehman dd4460009b search: Remove redundant actions on `focus` events.
The 2 function calls of `open_search_bar_and_close_narrow_description`
were removed from the 2 event handlers since it was called again, from
the `search.initiate_search`.

The "focusin" event was redundant since there are multiple other event
handlers (like the `tab_bar` or `hotkeys`) for this purpose, and all
of them call the `search.initiate_search` function.
2020-06-18 01:32:11 -07:00
Ryan Rehman 0e158f2c90 search suggestions: Refactor `get_search_result_legacy` code path.
The only change made here is the renaming of `operators` variable
to `search_operators`.

That is mostly evident from the fact that we do not need to
make any changes to `node_tests/search_suggestion_legacy.js`.

As mentioned in the previous commit, we make this change
to get a minimal diff between the legacy and search pills
enabled version.
2020-06-18 01:27:10 -07:00
Ryan Rehman 8d40a508fb search suggestions: Refactor `get_search_result` code path.
The only change made here is the renaming of `query_operators`
variable to `search_operators`.

That is mostly evident from the fact that we do not need to
make any changes to `node_tests/search_suggestion.js`.

This will be helpful when we combine this function with its
legacy function. As most of the logical decisions to generate
the result is based on the `query_operators` variable for the
search pills enabled version and the `operators` variable for
the legacy search version.
2020-06-18 01:27:10 -07:00
sahil839 8bd1429f4c css: Move css of upgrade-tip class to app_components.scss.
This commit moves the css of upgrade-tip class from settings.scss
to app_components.scss as this class will also be used in stream
settings page for message-retention-days setting in further commits.

tip class in settings.scss is also moved as it has the same styles as
upgrade-tip class.
2020-06-18 01:17:58 -07:00
Aman Agrawal 42436cedbe stream_popover: Allow editing topic without stream change.
* User can now edit the topic without changing stream.
* An alert is displayed if neither stream nor topic changed.
2020-06-18 01:01:47 -07:00
Aman Agrawal baf01795a9 stream_popover: Extract method to show error message in topic edit. 2020-06-18 01:01:44 -07:00
Aman Agrawal b7e5b7f193 do_update_messages: Delete user_message if guest user loses access.
Fixes #14498.
When a topic is moved to a different stream, the message may no
longer be reachable to guest user, if the user is not subscribed
to the new stream.

We used to send message update event to the client in these cases,
which seems to be confusing both to the client updating the message
and the server sending push_notifications for it.

Now, we delete the UserMessage entry for these messages for the
user and send a delete message event to the client; which makes
both push_notification and the event handling client think that
the message was deleted and hence no confusion in the code is
raised.
2020-06-18 01:00:04 -07:00
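The rule described in the commit above, as an added example (not Zulip's `do_update_messages` code): users who still hold a UserMessage row for a moved message are mapped to either an update event or a delete event depending on whether they can reach the destination stream. The `User`/`Stream` model, the assumed access rule that non-guests can also read public streams they are not subscribed to, and the sample data are all constructed for this example.

```python
"""Decide which users lose a message when its topic moves to another stream.

Added example, not Zulip's do_update_messages code. It models the rule the
commit message describes: a user who cannot reach the destination stream
has their UserMessage row removed and receives a delete event instead of
an update event. The access rule for non-guests is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class User:
    user_id: int
    is_guest: bool


@dataclass(frozen=True)
class Stream:
    stream_id: int
    invite_only: bool
    subscribers: FrozenSet[int]  # user_ids subscribed to the stream


def can_access_stream(user: User, stream: Stream) -> bool:
    """Assumed access rule: subscribers always can; non-guests can also read public streams."""
    if user.user_id in stream.subscribers:
        return True
    return not user.is_guest and not stream.invite_only


def events_for_topic_move(recipients: List[User], new_stream: Stream) -> Dict[int, str]:
    """Map each user holding a UserMessage row to the event the server should send.

    "update": keep the row, tell the client the message changed.
    "delete": remove the row, tell the client (and push notifications) the
    message is gone, so neither side tries to render something unreachable.
    """
    events: Dict[int, str] = {}
    for user in recipients:
        events[user.user_id] = "update" if can_access_stream(user, new_stream) else "delete"
    return events


# Constructed sample data: users 3 and 4 are guests; only users 1 and 4 are
# subscribed to the private destination stream, only user 1 to the public one.
RECIPIENTS = [User(1, False), User(2, False), User(3, True), User(4, True)]
PRIVATE_STREAM = Stream(7, invite_only=True, subscribers=frozenset({1, 4}))
PUBLIC_STREAM = Stream(8, invite_only=False, subscribers=frozenset({1}))

if __name__ == "__main__":
    print("move to private stream:", events_for_topic_move(RECIPIENTS, PRIVATE_STREAM))
    print("move to public stream: ", events_for_topic_move(RECIPIENTS, PUBLIC_STREAM))
```

The guest case is the one the commit fixes: guest 3 gets a delete event for both destinations, while non-guest 2 keeps the message only when the destination is public.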
SiddharthVarshney 20f7e6a393 left-sidebar: Update comment.
Since chevron is replaced with ellipsis this
commit will update the comment.
2020-06-18 00:54:18 -07:00
SiddharthVarshney cbf592b6ac docs: Update testing list for Popover menus.
Replace word 'chevron' with 'ellipsis'(because of the
recent migration to ellipsis for sidebars menu icons)
and mention where to click more specifically for sidebar
popover testing.
2020-06-18 00:54:18 -07:00
Hashir Sarwar ab6be2a711 push_notifications: Store tokens locally even when bouncer is used.
This makes the system store and track PushDeviceToken objects on
the local Zulip server when using the push notifications bouncer
and includes tests for this.

This is something we need to implement end-to-end encryption for
push notifications. We'll add the encryption key as an additional
property on the local PushDeviceToken object.

It also likely adds some value in the case that a server were to
switch between using the bouncer service and sending notifications
directly, though in practice that's unlikely to happen.
2020-06-17 18:44:59 -07:00
akashaviator ce571048b9 openapi: Document GET /attachments endpoint. 2020-06-17 18:35:44 -07:00
Tim Abbott bca164c1b6 api docs: Use better language for no parameters allowed. 2020-06-17 18:20:23 -07:00
Tim Abbott f28b38bd8c message_fetch: Use first unread anchor for home view.
This fixes one of our oldest important user experience issues, namely
that if you never visit the home view, the Zulip webapp would often
load "deep in the past" because the pointer had not advanced.

Fixes #1529.
2020-06-17 18:08:48 -07:00
Aman Agrawal 77bbbf7ae0 message_fetch: Raise fatal error in an impossible case.
When fetching older/new messages, we used to resort to the pointer
to act as anchor when message list was empty.

This appears to be an impossible case, as
`fetch_status.can_load_newer_messages`
should be false in this case and the user cannot be scrolling an
empty message_list in the first place.

Hence, we raise a fatal error to inform user of the same.
2020-06-17 18:08:48 -07:00
jagansivam28 872d43713a settings org: Fix i18n in image_upload_widget.hbs.
Since our translation functions don't support passing a variable into
them and still being found by manage.py makemessages, we need to use
translation function before passing as variable into
image_upload_widget.hbs file.
2020-06-17 17:56:57 -07:00
Tim Abbott 3a46f6ecca i18n: Add regex for nested handlebars i18n.
This is required for our i18n search code to find the "Upload icon"
category of strings we're about to restore recently regressed i18n
for.
2020-06-17 17:56:57 -07:00
jagansivam28 3cef5abaf0 settings org: Delete realm-logo-widget.hbs file.
Since we use the common HTML template `image_upload_widget.hbs` for
user avatar, realm icon and realm day/night logo, `realm-logo-widget.hbs`
is replaced by `image_upload_widget.hbs`; therefore
we can delete the `realm-logo-widget.hbs` file.
2020-06-17 17:56:57 -07:00
jagansivam28 97b992323c settings org: Deduplicate `upload_realm_logo_or_icon`.
Now that we have arranged our HTML and CSS classes in a similar
fashion for each of the cases, we can remove the duplicated lists of
objects.
2020-06-17 17:56:25 -07:00
jagansivam28 548107632c settings org: Use `image_upload_widget.hbs` for realm day/night logo.
Now we can use the common HTML image upload widget template
`image_upload_widget.hbs` for the realm day/night logo, and
we should access those day/night logo elements using,
e.g., "#realm-day/night-logo-upload-widget .realm-logo-elements".
Since we use image_upload_widget.hbs for the realm day/night logo upload
widget, we need to extract CSS for the realm day/night logo and
place it separately under the `#realm-day-logo-upload-widget`
and `#realm-day-logo-upload-widget` css ids.
2020-06-17 17:47:49 -07:00
jagansivam28 e132db3480 settings org: Use `image_upload_widget.hbs` for realm icon.
Now we can use the common HTML image upload widget template
`image_upload_widget.hbs` for the realm icon. We can access the icon
element using "#realm-icon-upload-widget .realm-icon-elements".
We also need to extract CSS for the realm icon and place it
separately under the `#realm-icon-upload-widget` css id.
2020-06-17 17:47:49 -07:00
Dinesh 3d97050e75 puppeteer: Improve --interactive option for test-js-with-puppeteer.
Previously, --interactive used to run tests from the start on a
repeated run triggered when tests failed and we decide to trigger
a re-run by pressing Enter key. Rerunning passed tests is of no interest.
It also used to run all tests in a loop even if all pass.

This commit fixes both those issues, i.e. it runs again from the
test that failed on pressing Enter and exits if all tests pass.
2020-06-17 15:24:14 -07:00
Alex Vandiver 7250d41bf7 puppet: Fix the path to install-wall-g 2020-06-17 15:23:18 -07:00
Hemanth V. Alluri 489a7a2c53 gitignore: Ignore core dump files.
Signed-off-by: Hemanth V. Alluri <hdrive1999@gmail.com>
2020-06-17 13:35:33 -07:00
Aman Agrawal 3d8181455b unread_ops: Don't read messages when any overlay is open.
Messages are automatically marked read when all the messages in
the current narrow are visible. While this is handy, this
should not happen when any of the overlays are open.
2020-06-17 13:08:56 -07:00
Tim Abbott a0eb26951c docs: Update changelog for Zulip Server 2.1.6 release. 2020-06-17 00:42:28 -07:00
Tim Abbott 7872b197c2 docs: Update changelog for 2.1.5 release. 2020-06-16 23:35:39 -07:00
Tim Abbott a9877d6765 migrations: Add merged migration following 2.1.5 release. 2020-06-16 23:35:39 -07:00
Tim Abbott a2767e8c50 CVE-2020-14194: Use noopener/noreferrer for external links.
We fixed the main issue of this form in CVE-2020-9444, but the audit
done at that time only included links found in rendered_markdown; this
change completes our audit for links with target=_blank anywhere in
the codebase.
2020-06-16 23:35:39 -07:00
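An added example of the kind of check the audit above performs (this is not Zulip's own audit tooling): scan HTML or rendered template output with the standard-library `HTMLParser`, report every `<a target="_blank">` whose `rel` attribute lacks `noopener` or `noreferrer`, and normalise a `rel` value so it carries both. The sample markup and the `example.invalid` URLs are constructed for the example.

```python
"""Audit HTML for target="_blank" links that lack rel="noopener noreferrer".

Added example, not Zulip's audit code. Without noopener, the opened page can
reach window.opener and navigate the original tab (tabnabbing); without
noreferrer, the Referer header leaks the originating URL.
"""
from html.parser import HTMLParser
from typing import List, Optional, Tuple

REQUIRED_REL = ("noopener", "noreferrer")


class BlankTargetAuditor(HTMLParser):
    """Collect (line_number, href) for every unsafe target="_blank" anchor."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Tuple[int, str]] = []

    def handle_starttag(self, tag: str, attrs: List[Tuple[str, Optional[str]]]) -> None:
        if tag != "a":
            return
        attr = {name.lower(): (value or "") for name, value in attrs}
        if attr.get("target", "").lower() != "_blank":
            return
        rel_tokens = set(attr.get("rel", "").lower().split())
        if not set(REQUIRED_REL) <= rel_tokens:
            line, _offset = self.getpos()  # position of the tag's opening '<'
            self.findings.append((line, attr.get("href", "")))


def find_unsafe_blank_links(html: str) -> List[Tuple[int, str]]:
    """Return [(line, href), ...] for anchors that open a new tab without both rel tokens."""
    auditor = BlankTargetAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


def harden_rel(rel: str) -> str:
    """Return rel with noopener and noreferrer appended if missing, keeping existing tokens."""
    tokens = rel.lower().split()
    for required in REQUIRED_REL:
        if required not in tokens:
            tokens.append(required)
    return " ".join(tokens)


# Constructed sample: line 1 has no rel, line 2 is correct, line 3 has only
# noopener, line 4 does not open a new tab at all.
SAMPLE_HTML = """\
<p>Docs: <a href="https://example.invalid/docs" target="_blank">read</a></p>
<p><a href="https://example.invalid/ok" target="_blank" rel="noopener noreferrer">ok</a></p>
<p><a href="https://example.invalid/half" target="_blank" rel="noopener">half</a></p>
<p><a href="/internal">same tab</a></p>
"""

if __name__ == "__main__":
    for line, href in find_unsafe_blank_links(SAMPLE_HTML):
        print(f"line {line}: {href} opens a new tab without noopener/noreferrer")
```

Running the auditor over template sources rather than rendered output misses links assembled in JavaScript, which is why an audit of "anywhere in the codebase" also needs a text search for `target=_blank` in `.js` files.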
Tim Abbott 9f4905d7e3 CVE-2020-14215: Add migration to clear INVITED_AS_REALM_ADMIN.
This migration fixes any PreregistrationUser objects that might have
been already corrupted to have the administrator role by the buggy
original version of migration 0198_preregistrationuser_invited_as.

Since invitations that create new users as administrators are rare, it
is cleaner to just remove the role from all PreregistrationUser
objects than to filter for just those older invitation objects that
could have been corrupted by the original migration.
2020-06-16 23:35:39 -07:00
Tim Abbott 3f55bfc53b CVE-2020-14215: Fix migration 0198_preregistrationuser_invited_as.
This migration incorrectly swapped the role associated with invitation
objects between members and organization administrators, resulting in
most invitation objects that existed before the upgrade to Zulip
2.0.0-rc1 or later incorrectly being administrator invitations.

Fixing the migration is safe and will help those installations
upgrading directly from 1.9.x to 2.1.5 or later.

A migration to fix the corrupted records will appear in an upcoming
commit.
2020-06-16 23:35:39 -07:00
Mateusz Mandera 8d2d64c100 CVE-2020-14215: Fix validation in PreregistrationUser queries.
The most important change here is the one in the maybe_send_to_registration
codepath, as the insufficient validation there could lead to fetching
an expired PreregistrationUser that was invited as an administrator
even years ago, leading to this registration ending up in the
new user being a realm administrator.

Combined with the buggy migration in
0198_preregistrationuser_invited_as.py, this led to users incorrectly
joining as organization administrators by accident.  But even without
that bug, this issue could have allowed a user who was invited as an
administrator but then had that invitation expire and then joined via
social authentication incorrectly join as an organization administrator.

The second change is in ConfirmationEmailWorker, where this wasn't a
security problem, but if the server was stopped for long enough, with
some invites to send out email for in the queue, then after starting it
up again, the queue worker would send out emails for invites that
had already expired.
2020-06-16 23:35:39 -07:00
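The two lookups contrasted in the commit above, as an added example that is not Zulip's registration or queue-worker code: an email-only lookup that ignores expiry beside one that filters out expired and used invitations before the invited-as role is read, plus the same validity filter applied to a queue of invitations waiting for an email. `PreregistrationUser` is a hypothetical simplification, the role constants and the ten-day validity window are assumed values, and the invitations are constructed sample data.

```python
"""Only honour an invitation's role after checking the invitation is still valid.

Added example, not Zulip's code. The model, role constants, validity window
and sample invitations are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

ROLE_REALM_ADMIN = 200  # assumed stand-in value
ROLE_MEMBER = 400       # assumed stand-in value
INVITATION_VALIDITY = timedelta(days=10)  # assumed window


@dataclass(frozen=True)
class PreregistrationUser:
    email: str
    invited_as: int
    invited_at: datetime
    used: bool = False


def is_still_valid(invite: PreregistrationUser, now: datetime) -> bool:
    """An invitation counts only if unused and inside the validity window."""
    return not invite.used and now - invite.invited_at <= INVITATION_VALIDITY


def latest_invitation_unchecked(invites: List[PreregistrationUser], email: str) -> Optional[PreregistrationUser]:
    """The insufficient lookup: matches on email alone, so a years-old admin invite is found."""
    matching = [i for i in invites if i.email == email]
    return max(matching, key=lambda i: i.invited_at, default=None)


def latest_valid_invitation(invites: List[PreregistrationUser], email: str, now: datetime) -> Optional[PreregistrationUser]:
    """The corrected lookup: the validity filter runs before anything reads invited_as."""
    matching = [i for i in invites if i.email == email and is_still_valid(i, now)]
    return max(matching, key=lambda i: i.invited_at, default=None)


def role_unchecked(invites: List[PreregistrationUser], email: str) -> int:
    invite = latest_invitation_unchecked(invites, email)
    return ROLE_MEMBER if invite is None else invite.invited_as


def role_checked(invites: List[PreregistrationUser], email: str, now: datetime) -> int:
    # With no valid invitation the registrant is at most a member; whether the
    # caller allows registration without an invite at all is a separate policy.
    invite = latest_valid_invitation(invites, email, now)
    return ROLE_MEMBER if invite is None else invite.invited_as


def invites_still_worth_emailing(queued: List[PreregistrationUser], now: datetime) -> List[PreregistrationUser]:
    """Queue-worker side: after a long outage, drop queued invites that have already expired."""
    return [i for i in queued if is_still_valid(i, now)]


# Constructed sample: alice was invited as an admin three years ago and the
# invite expired; bob was invited as a member two days ago.
NOW = datetime(2020, 6, 16, tzinfo=timezone.utc)
INVITES = [
    PreregistrationUser("alice@example.invalid", ROLE_REALM_ADMIN, NOW - timedelta(days=3 * 365)),
    PreregistrationUser("bob@example.invalid", ROLE_MEMBER, NOW - timedelta(days=2)),
]

if __name__ == "__main__":
    print("alice, email-only lookup:", role_unchecked(INVITES, "alice@example.invalid"))
    print("alice, validity-checked: ", role_checked(INVITES, "alice@example.invalid", NOW))
    print("queued invites worth emailing:", len(invites_still_worth_emailing(INVITES, NOW)))
```

The point to carry over to any invitation system: the privilege attached to an invitation is only as trustworthy as the check that the invitation is current, so the expiry filter belongs in the query itself, not in a later branch that may be skipped by another code path (social authentication here).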
Tim Abbott 4fff858aa2 templates: Fix missing quoting of attributes in HTML templates.
This fixes a bundle of issues where we were missing "" around
attributes coming from variables.  In most cases, the variables were
integers or fixed constants from the Zulip codebase (E.g. the name of
an installed integration), but in at least one case it was
user-provided data that could potentially have security impact.
2020-06-16 23:35:39 -07:00
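Why a missing pair of quotes matters even in an autoescaping template, as an added example (not Zulip's templates or template engine): two one-line renderers stand in for a Jinja2/Handlebars template, one interpolating into an unquoted attribute and one into a quoted attribute, both HTML-escaping the value exactly as autoescaping would. The rendered markup is then parsed to show which attributes a browser would actually see. The payloads are constructed attacker-controlled values.

```python
"""Unquoted HTML attributes are injectable even when the interpolated value is escaped.

Added example, not Zulip's code. html.escape() turns & < > " ' into entities,
but an attacker does not need any of those characters to break out of an
unquoted attribute: a space is enough to start a new attribute.
"""
import html
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple


def render_unquoted(value: str) -> str:
    """Stands in for <div class={{ value }}>: escaped, but not quoted."""
    return "<div class=%s>x</div>" % html.escape(value, quote=True)


def render_quoted(value: str) -> str:
    """Stands in for <div class="{{ value }}">: escaped and quoted."""
    return '<div class="%s">x</div>' % html.escape(value, quote=True)


class FirstTagAttrs(HTMLParser):
    """Record the attributes of the first start tag, as a browser would tokenise them."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: Dict[str, str] = {}
        self.seen = False

    def handle_starttag(self, tag: str, attrs: List[Tuple[str, Optional[str]]]) -> None:
        if not self.seen:
            self.seen = True
            self.attrs = {name: (value or "") for name, value in attrs}


def attributes_seen(markup: str) -> Dict[str, str]:
    parser = FirstTagAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


# Constructed payloads. The first uses no characters that escaping touches;
# the second tries to close a quoted attribute and is neutralised by escaping.
SPACE_PAYLOAD = "foo onmouseover=alert(1)"
QUOTE_PAYLOAD = 'foo" onmouseover="alert(1)'

if __name__ == "__main__":
    print("unquoted:", render_unquoted(SPACE_PAYLOAD), "->", attributes_seen(render_unquoted(SPACE_PAYLOAD)))
    print("quoted:  ", render_quoted(SPACE_PAYLOAD), "->", attributes_seen(render_quoted(SPACE_PAYLOAD)))
```

With the unquoted form the parser reports a separate `onmouseover` attribute; with the quoted form every payload stays inside the single `class` value, which is why quoting attributes is a requirement rather than a style preference even for values that are "usually" integers or constants.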
Anders Kaseorg 87f7874a79 CVE-2020-12759: Fix reflected XSS vulnerability in Dropbox webhook.
Also check the challenge argument’s presence before using it.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-06-16 22:46:16 -07:00
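The bug class named in the commit above, as an added example that is not the Zulip Dropbox webhook and does not reproduce its actual diff: a webhook verification handler that echoes a query parameter back to the caller, in a vulnerable form and a hardened form. The handlers are framework-free stand-ins taking the query parameters as a dict and returning `(status, headers, body)`; the attack payload is constructed.

```python
"""Echoing a verification challenge: reflected XSS versus the hardened handler.

Added example, not Zulip's webhook code. Services verify a webhook URL by
requesting it with ?challenge=<token> and expecting the token back. If the
handler echoes it as text/html, anyone who can get a victim to open the
webhook URL with a crafted challenge gets script execution in the site's
origin; if it does not check presence, a bare request becomes a crash.
"""
from typing import Dict, Tuple

Response = Tuple[int, Dict[str, str], str]


def challenge_vulnerable(query: Dict[str, str]) -> Response:
    # Bug 1: the caller-controlled value is served as text/html.
    # Bug 2: a missing parameter raises KeyError, surfacing as a 500.
    return 200, {"Content-Type": "text/html"}, query["challenge"]


def challenge_hardened(query: Dict[str, str]) -> Response:
    challenge = query.get("challenge")
    if challenge is None:
        return 400, {"Content-Type": "text/plain"}, "Missing 'challenge' query parameter"
    # Echo as text/plain so markup is never interpreted, and forbid MIME sniffing.
    headers = {"Content-Type": "text/plain", "X-Content-Type-Options": "nosniff"}
    return 200, headers, challenge


def browser_would_execute(response: Response) -> bool:
    """Crude classifier: script markup in a 200 body served as text/html is a reflected-XSS sink."""
    status, headers, body = response
    content_type = headers.get("Content-Type", "").lower()
    return status == 200 and content_type.startswith("text/html") and "<script" in body.lower()


# Constructed attacker request: the "challenge" is a script, not a token.
ATTACK = {"challenge": "<script>alert(document.domain)</script>"}

if __name__ == "__main__":
    print("vulnerable:", challenge_vulnerable(ATTACK), "executes:", browser_would_execute(challenge_vulnerable(ATTACK)))
    print("hardened:  ", challenge_hardened(ATTACK), "executes:", browser_would_execute(challenge_hardened(ATTACK)))
    print("hardened, no parameter:", challenge_hardened({}))
```

The echo itself is legitimate and must stay; the fix is entirely in the content type, the sniffing header and the presence check, which is the same shape as most "verification endpoint" XSS findings.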
YashRE42 a0a7170f48 navbar: Use `filter._sub` instead of calling `stream_data`.
Previously, in `make_tab_data()` we were using the stream name,
which we got from the filter, to call `stream_data.get_sub_by_name()`.

This commit switches to just using `filter._sub`, which is simpler and
better.
2020-06-16 18:07:50 -07:00
YashRE42 ab2e7e097a navbar: Switch make_tab_bar conditionals to using filter/sub values.
Previously, this function relied on the return value of
`filter.get_icon()` which made it brittle.
Directly using the properties of the filter and sub object makes this
more explicit about the intentions and robust.
2020-06-16 18:07:50 -07:00
YashRE42 7ea60ea1ab filter: Store reference to `_sub` instead of `_stream_params`.
In commit 4f6377d493 we added
`_stream_params` as a way of storing attributes such as stream name
and stream privacy, this involved adding a few calls within functions
that updated these values (in order to maintain consistency).

This commit replaces `_stream_params` with an always consistent `_sub`
object and removes unnecessary `_stream_params` related code. Once the
`_sub` object is available, calls to `stream_data` may be considered
suspicious as they can often be avoided by just picking the desired
attribute off of the `_sub` object.
2020-06-16 18:07:50 -07:00
YashRE42 b0b53c8543 navbar: Use a more semantic selector in colorize_tab_bar().
Previously, this bit of code was looking for specific icons on the
navbar, but it's more semantic to just look for the `.fa` which is a
direct child of `.stream`. It also makes the code cleaner, to have a
single call here.
2020-06-16 18:07:50 -07:00
YashRE42 6766b0ab43 navbar: Just use stored stream color in `colorize_tab_bar()`.
This commit removes a redundant line of code which was converting from
hex to RGB rounding off and then converting from RGB to hex again.

This line was (mistakenly) introduced in
eb4a2b9d4e while removing a hover effect
that had become irrelevant.
2020-06-16 18:07:50 -07:00
Tim Abbott 5c0a52585c typeahead: Fix buggy code block language notice.
This was incorrectly checking for the empty string, not null.
2020-06-16 17:57:02 -07:00
YashRE42 c3d322f1a7 navbar: Improve spacing between stream name and sub_count. 2020-06-16 17:26:55 -07:00
YashRE42 63f69c48a5 navbar: Fix clickable area between sub_count and narrow_description.
Previously, there was a small dead spot in the click area between the
sub_count and narrow_description, such that the mouse cursor would
switch from pointer to the default.

This commit corrects the dead spot by adjusting the margins and styles
on navbar elements.

This should be workable, but there is scope for improvement especially
given that the current margins and paddings are messy and not very
semantic.

The end result is that the entire navbar becomes a smooth, clickable
region.
2020-06-16 17:26:55 -07:00
YashRE42 71e393575b navbar: Improve click area around stream name.
Previously the click area to open the settings modal was limited to
just the stream name (just the text). This, inconveniently, created a
lot of empty, unclickable space around the stream name.

This commit resolves the problem by:
  * Extracting the title and icon into a separate template as
    `navbar_title_and_icon.hbs` and calling this partial in
    `tab_bar.hbs`.
  * Calling the partial within an <a> tag for stream based narrows
    and in a <span> tag for non-stream narrows.
  * Making some CSS changes so that everything still renders correctly
    (visually).

This commit also:
  * Leads us to "piggy back" all stream based narrow elements on the
    `stream_settings_link` conditional. (Previously the only "piggy
    backing" was by `narrow_description` on `sub_count`, which was
    necessary for the rendering of the `(no description)` string.)

The end goal here is that the entire navbar is clickable. This is a
step towards that goal, but some of the margins on the sub count and
its ::before and ::after pseudo-elements still need to be fixed.
2020-06-16 17:26:55 -07:00