Tomasz Kolek
2ac9c792f3
test_hooks: Use an incoming webhook bot for webhook tests.
2016-06-07 21:27:04 -07:00
Tomasz Kolek
999093b227
Add new is_incoming_webhook bot type.
...
This type of bot is only able to send messages via webhook endpoints.
2016-06-07 21:23:35 -07:00
Hyunchel Kim
b0702c62fc
Annotate zerver.views.messages partially.
2016-06-07 21:09:30 -07:00
Nathan Florea
6bcb6c3192
Removed some unused imports.
2016-06-07 18:13:58 -07:00
Nathan Florea
f11eee8b41
Remove redundant file open.
...
Calling open() with mode 'w' or 'a' will create a file if it doesn't exist,
while mode 'r' will cause an exception. This can be easily tested with:
python -c 'open("test.tmp", "w")'
ls test.tmp
2016-06-07 18:10:44 -07:00
Conrad Dean
fe2c352ac0
ClientDescriptor: Pass inline sets, not lists, to do_gc_event_queues.
...
This allows us to more precisely type do_gc_event_queues.
2016-06-07 13:28:45 -07:00
Conrad Dean
d77c70220c
send_event: Remove useless return value and annotate.
...
Detected by mypy.
[tweaked by tabbott to pass mypy check and remove annotations]
2016-06-07 13:27:40 -07:00
Conrad Dean
a4704ba8b2
event_queue: Fix deque values type annotation.
...
Event IDs in here are ints, as shown by the prune operation.
2016-06-07 13:05:46 -07:00
Umair Khan
5becd53414
Add tests for json_error and JsonableError.
2016-06-07 12:41:59 +05:00
Tim Abbott
bc2961d3ac
Refactor file upload routes to their own file.
2016-06-06 16:09:05 -07:00
Vishnu Ks
f3a8962612
Replace make_dict() with stream.to_dict().
2016-06-06 14:46:12 -07:00
Evan Palmer
8afeb7d8ce
Annotate webhooks/transifex.py, webhooks/yo.py.
2016-06-05 17:01:53 -07:00
Daw-Ran Liou
7f0709b65c
Annotate zerver.views.webhooks.freshdesk
...
Change the comments into docstrings.
Modified the return type of parse_freshdesk_event to always return a
list of str.
2016-06-05 15:56:27 -07:00
Dalek-Sec
c457f551ea
Annotate zerver/views/webhooks/crashlytics.py
2016-06-05 15:54:13 -07:00
medullaskyline
7e30de04ca
Annotate zerver.views.webhooks.pingdom.
2016-06-05 15:52:53 -07:00
medullaskyline
4c1da236ad
Annotate zerver.views.webhooks.pagerduty.
2016-06-05 15:47:33 -07:00
Daw-Ran Liou
4428287846
Annotate zerver.views.webhooks.stash.
2016-06-05 15:42:25 -07:00
Hyunchel Kim
b79cad0404
Annotate zerver.views.webhooks.teamcity
2016-06-05 15:11:45 -07:00
Daw-Ran Liou
26d067fc97
Annotate zerver.views.webhooks.pivotal.
2016-06-05 14:57:53 -07:00
medullaskyline
2369d48a9b
Annotate zerver.views.webhooks.newrelic.
2016-06-05 14:52:20 -07:00
Evan Palmer
4bf81b58b4
Annotate zerver/views/webhooks/zendesk.py.
2016-06-05 14:50:52 -07:00
Hyunchel Kim
de34dd1187
Annotate travis webhook function.
2016-06-05 14:46:26 -07:00
medullaskyline
158914aa98
Annotate zerver.views.webhooks.jira.
2016-06-05 14:36:39 -07:00
Hyunchel Kim
bc87685ea6
bitbucket: Correct return type in annotation.
2016-06-05 14:33:31 -07:00
Daw-Ran Liou
70f44c00b0
check_send_message: Replace args/kwargs with explicit args.
...
This lets us actually type-check the various views that are using
check_send_message.
2016-06-05 14:30:38 -07:00
Max
86fb6467e7
Add annotations to avatar.py, db.py, logging_util.py, unminify.py.
...
Also, fixed a small type annotation in users.py because email must
be a string because emails don't support UTF-8 at this time (according
to a comment in gravatar_hash in avatar.py).
2016-06-05 12:38:20 -07:00
medullaskyline
2855c285b4
Annotate zerver.forms.
2016-06-05 12:02:19 -07:00
Daw-Ran Liou
90a2dead46
Annotate zerver/views/webhooks/deskdotcom.py.
2016-06-05 11:53:44 -07:00
Deborah Hanus
a261a6bbac
Annotate zerver/views/__init__.py.
...
Also fix typing errors in a few related files.
[with tweaks from tabbott]
2016-06-05 11:34:19 -07:00
Daw-Ran Liou
c9bb93b0d2
Annotate zerver/views/webhooks/beanstalk.py.
2016-06-05 10:54:23 -07:00
Tim Abbott
15b2dd085e
Annotate zerver.lib.test_runner.
2016-06-04 23:23:31 -07:00
Tim Abbott
1ca7c3378b
Annotate zerver.lib.testing_mocks.
...
Also fix some annotations in bugdown to match.
2016-06-04 22:54:49 -07:00
Tim Abbott
157a3efb78
Annotate zerver.exceptions, zerver.filters, zerver.logging_handlers.
2016-06-04 22:51:18 -07:00
Conrad Dean
33dee43179
Annotate zerver/lib/socket.py.
...
Currently this uses a Union type for connection_id; we need to figure
out what actually sets that and what its type is and fix that later
(see https://github.com/zulip/zulip/issues/896).
2016-06-04 22:36:03 -07:00
Dalek-Sec
2bcf313a85
Added MyPy types to zerver/views/webhooks/codeship.py
2016-06-04 22:03:41 -07:00
medullaskyline
47c3ec1283
Annotate zerver.lib.upload.
2016-06-04 19:13:03 -07:00
Umair Khan
1bfe566c8d
[i18n] Make Json error messages translatable.
2016-06-04 18:48:36 -07:00
medullaskyline
c5f0d5b40a
Annotate zerver.middleware.
2016-06-04 18:32:06 -07:00
Tim Abbott
9c5f15e89b
models: Fix use of non-lazy ugettext at import time.
...
Was introduced in 03debdf82f.
2016-06-04 17:46:03 -07:00
Daw-Ran Liou
0265968ea2
Annotate zerver/views/user_settings.
2016-06-04 17:41:59 -07:00
Reid Barton
cf93c8bce0
Annotate zerver/views/webhooks/bitbucket.py.
2016-06-04 17:02:59 -07:00
Daw-Ran Liou
8bbd93011d
Annotate zerver/views/users.py.
2016-06-04 17:00:53 -07:00
medullaskyline
fcdcccb5df
Annotate zerver.lib.digest.
2016-06-04 16:20:18 -07:00
Tim Abbott
d9d0515d3b
Add mypy bug number for check_redis type: ignore.
2016-06-04 16:11:18 -07:00
medullaskyline
7c2c7fb31c
Annotate zerver/lib/bulk_create.py.
2016-06-04 15:51:05 -07:00
Tomasz Kolek
8411b2e574
Add Crashlytics integration.
2016-06-04 15:18:42 -07:00
Tomasz Kolek
093e5a96d4
Add Transifex integration.
...
Fixes: #810.
2016-06-04 14:52:57 -07:00
Max
04e2745136
Annotate debug.py, initial_password.py, narrow.py, response.py.
...
Also, fixed up the annotations for tornadoviews to better align with
how narrows was defined as `Iterable[Sequence[str]]` rather than
`List[Tuple[str, str]]`.
2016-06-04 12:56:36 -07:00
medullaskyline
7b2db95d02
Annotate zerver/lib/ccache.py.
2016-06-04 12:19:34 -07:00
Tim Abbott
6fba0879a4
Annotate much of the rest of zerver/tests.
2016-06-04 11:53:20 -07:00
Tim Abbott
27e9d3f06b
Annotate test_external and test_signup.
2016-06-04 11:53:20 -07:00
Tim Abbott
966375d74c
Annotate test_events, test_realm_emoji, test_uploads.
2016-06-04 11:53:20 -07:00
Tim Abbott
f1d58e767b
Annotate zerver/tests/test_subs.py.
...
This required a number of unique-related changes to test_helpers.
2016-06-04 11:53:10 -07:00
Tim Abbott
6f69053911
Annotate most of the rest of bugdown.
2016-06-04 11:35:29 -07:00
Max
c8dc033c3c
Annotate camo.py, mandrill_client.py, query.py, session_user.py
2016-06-04 11:28:42 -07:00
Tim Abbott
a1a27b1789
Annotate most Zulip management commands.
2016-06-04 10:12:06 -07:00
Tim Abbott
c2bea0fa08
zulip_finish: Remove useless return statement.
2016-06-04 10:06:31 -07:00
Tim Abbott
ac3989c114
models: Add most missing type annotations.
2016-06-04 00:03:54 -07:00
David Adamec
9e8ea93d3d
Add annotations for zerver/lib/validator.
2016-06-03 23:53:49 -07:00
David Adamec
4f3c85a20c
Add type annotations to zerver/lib/rest.
2016-06-03 23:48:46 -07:00
Conrad Dean
e7f0698884
Annotate zerver/lib/notifications.py.
2016-06-03 23:45:29 -07:00
Tim Abbott
7fd2956f29
clear_followup_emails_queue: Rename confusing local variable.
2016-06-03 23:45:29 -07:00
medullaskyline
cb84f72f2d
Annotate zerver/lib/html_diff.py.
2016-06-03 23:21:26 -07:00
Tim Abbott
2ec0114079
test_bugdown: Add tests for mentions.
2016-06-03 23:18:39 -07:00
Tim Abbott
cfff4f1d49
test_bugdown: Add a bugdown test for alert_words functionality.
2016-06-03 23:18:39 -07:00
Tim Abbott
8c757292cf
test_bugdown: Add test for nonmatching realm filters.
2016-06-03 23:18:39 -07:00
Tim Abbott
3a0eb01dda
test_messages: Fix huddle test failing when not on Internet.
2016-06-03 23:18:39 -07:00
Tim Abbott
e89730dc8f
subject_links: Remove useless RealmFilter.DoesNotExist case.
2016-06-03 23:18:39 -07:00
Tim Abbott
68fba3579d
test_bugdown: Add testing of subject_links feature.
2016-06-03 23:18:39 -07:00
gregmccoy
d77e8df3fa
Add tests for zerver/views/realm_emoji.py.
2016-06-03 23:12:53 -07:00
Tim Abbott
03debdf82f
Fix malformed error message when creating invalid Realm Emoji.
...
Thanks to Greg McCoy for his help finding this bug.
2016-06-03 23:12:36 -07:00
David Adamec
8ad20e9775
mypy type annotations for zerver/lib/utils
2016-06-03 22:58:15 -07:00
Tim Abbott
1552b9308b
Fix apnsclient import to match version 0.1.8 used in production.
...
Apparently, apnsclient moved Connection to a different module between
0.1.8 and 0.2.1.
2016-06-03 19:28:36 -07:00
Max
0f4673ae3b
Add type annotation to mention.py, redis_utils.py, timestamp.py, user_agent.py
...
Some functions in models.py had input typed as int when they needed to be typed as datetime.datetime
2016-06-03 19:00:16 -07:00
Max
1148f6ff8a
Rename timestamp kwarg in to_presence_dict to dt
...
It is not a timestamp, it is a datetime object. This is better ducktyping
2016-06-03 19:00:16 -07:00
Tim Abbott
654bd663aa
bugdown: Add annotations for a few more functions.
...
This resolves the issue with Typeshed #244 by making `upload_re` start
with `ur`.
2016-06-03 18:11:53 -07:00
Tim Abbott
f97b025a33
push_notifications: Fix incorrect Connection import.
2016-06-03 18:11:53 -07:00
medullaskyline
303bd21068
Annotate zserver.lib.push_notifications.
2016-06-03 17:45:54 -07:00
Oren Leaffer
2916fb30cb
bugdown: add some type annotations.
...
Had to add some "type: ignore" because the pattern used in match
doesn't affect the type returned. A fix for this issue has been pushed
to typeshed - https://github.com/python/typeshed/pull/244
2016-06-03 17:03:52 -07:00
medullaskyline
2213a9f41f
Annotate zerver/lib/cache_helpers.py
2016-06-03 16:34:30 -07:00
Conrad Dean
7f61a5e862
Add type annotations to zerver.lib.test_helpers.
2016-06-03 12:17:26 -07:00
Max
a6e60419c4
Add types to confirmation/views.py and zerver/tornadoviews.py
2016-06-03 11:26:30 -07:00
Vishnu Ks
4fd569f910
Change add_default_stream method from PATCH to PUT.
...
This is more consistent with our other routes.
2016-06-03 09:52:51 -07:00
Nathan Florea
04c71fadc6
More removal of mutable default arguments.
...
I've left a few that clearly aren't being passed and aren't being mutated, but
I think I've gotten the rest of them.
2016-06-03 09:17:04 -07:00
Nathan Florea
5fe9076631
Remove some mutable default arguments.
...
These ones don't fix any bugs, because the mutable arg is never passed
outside of the callable or mutated. But it's good practice to not use
them in case those invariants are changed in the future.
2016-06-03 09:16:56 -07:00
Ashish Kumar
9b990e3bd0
Type annotation of zerver/views/alert_words.
...
[Tweaked by tabbott to annotate the REQ variables the new way]
2016-06-03 08:07:58 -07:00
Ashish Kumar
31bf6b8259
Type annotation of zerver/models.py
...
[Substantially revised by tabbott]
This probably still has some bugs in it, but having mostly complete
annotations for models.py will help a lot for the annotations folks
are adding to other files.
2016-06-02 23:28:34 -07:00
Tim Abbott
37015fd7c5
Run mypy on zerver/lib/test_auth_backends.py.
2016-06-02 23:01:15 -07:00
Tim Abbott
8cef9675c8
Run mypy on zerver/lib/test_events.py.
2016-06-02 23:00:04 -07:00
Tim Abbott
e6d2b0cdbc
Run mypy on zerver/lib/test_unread.py.
2016-06-02 22:59:00 -07:00
Tim Abbott
f3b07ee9aa
Run mypy on zerver/lib/test_subs.py.
2016-06-02 22:57:07 -07:00
Oren Leaffer
c2ce5119c6
Annotate zerver.views.tutorial.
2016-06-02 18:49:27 -07:00
Rachel Kelly
df36216914
Change instances of 'coworkers' to 'users'.
...
In order to genericize use of Zulip outside companies,
all instances of coworkers have been changed to users.
NOTABLE EXCEPTION: When the Zulip instance is domain-
locked, the reference to coworkers remains. The reason
for this is twofold: first, the majority of Zulip instances
which require a particular domain will be locked to a
company, and second, the template variable for the domain
necessary should be added to the alert so it is clear
to the user what the domain needs to be for access.
Fixes: #861.
2016-06-02 16:05:27 -07:00
Pei-Wei Wu
8d2733ae8c
Add mypy type annotations to zerver/views/streams.py.
2016-06-02 15:44:43 -07:00
Ashley Dunn
7826aa7e7f
Type annotation of zerver/views/realm_emoji.
2016-06-02 14:01:28 -07:00
Ashish Kumar
cad342aff6
Correct annotation of generic_bulk_cached_fetch in zerver/lib/cache.py.
...
Previously, object_ids was tagged as an int, but it is called from
models.py with a string, so we make it an Any.
2016-06-01 14:00:49 -07:00
Umair Khan
08fbd57245
[i18n] Make error messages translatable.
...
Make all strings passing through `json_error` and `JsonableError`
translatable.
Fixes #727
2016-05-31 07:40:42 -07:00
Tim Abbott
ab2d325a08
Update production default streams to be less engineering-centric.
2016-05-31 07:38:25 -07:00
Vishnu Ks
100d885f23
Change default announcement stream to announce.
...
Fixes #788.
2016-05-31 07:38:07 -07:00
Tim Abbott
960144a49e
Desupport using uninstantiated REQ with has_request_variables.
...
This makes life difficult for doing static type annotations, and
didn't make the code look that much better anyway.
2016-05-31 07:31:15 -07:00
Tim Abbott
41336f3782
lint-all: Check for use of '== None'.
2016-05-31 07:02:04 -07:00
Umair Khan
9a57176ad6
Do shallow testing of backend templates.
...
Just render the templates without the actual workflow to see if they
don't return a 500 error; this lets us catch various classes of
template bugs automatically.
Fixes #784.
2016-05-31 05:42:17 -07:00
Umair Khan
c884559ec6
Show templates rendered report.
...
Add two options to the `test-backend` script:
1. verbose
If given the `test-backend` script will give detailed output.
2. no-shallow
Default value is False. If given the `test-backend` script will
fail if it finds a template which is shallow tested.
2016-05-31 16:46:11 +05:00
Tomasz Kolek
8e144a1f57
Add zip and absoulte_import to pass py3k test.
2016-05-30 22:28:05 +02:00
Tim Abbott
baec0f12cf
Add a proper annotation for REQ in streams.py.
2016-05-30 11:41:16 -07:00
Reid Barton
8c6afac7cd
Add a stub file for request.py.
...
This stub file allows us to annotate view functions using the actual
types present in the bodies of the functions, rather than everything
having the type REQ.
2016-05-30 11:28:53 -07:00
Tim Abbott
572c69f3c2
Move REQ and friends to their own module.
2016-05-30 11:24:17 -07:00
Eklavya Sharma
48e7e1a2a1
zerver/lib/actions.py: Rename stream_name to stream.
...
In function bulk_add_subscriptions, some variables were named
`stream_name` but their type is Stream, not a string. Rename
those variables to `stream`.
2016-05-30 09:52:59 -07:00
Eklavya Sharma
94e4b39112
Replace python2.7 by python everywhere.
2016-05-29 05:03:08 -07:00
Eklavya Sharma
149938d468
Change shebangs from python2.7 to python.
2016-05-29 05:03:08 -07:00
Eklavya Sharma
1bb6a0db4c
Annotate zerver/lib/actions.py.
2016-05-29 04:26:17 -07:00
Eklavya Sharma
2308107805
zerver/lib/actions.py: Use unicode literals.
...
Convert some string literals to unicode strings by prefixing with `u`.
2016-05-29 04:26:17 -07:00
Eklavya Sharma
b74f603682
zerver/lib/actions.py: Rename variables and add/edit comments.
2016-05-29 04:26:17 -07:00
Eklavya Sharma
efab224bd1
zerver/lib/actions.py: Remove unneeded `return {}` statements.
2016-05-29 04:26:17 -07:00
Eklavya Sharma
a2b48f05e5
zerver/lib/actions.py: Fix return values.
2016-05-29 04:26:17 -07:00
Eklavya Sharma
1ea6171179
Fix an annotation in zerver/lib/cache.py.
...
This is done to make annotations in zerver/lib/actions.py work correctly.
2016-05-25 15:11:48 -07:00
Eklavya Sharma
30892b2f99
Make makemessages.py pass mypy check.
2016-05-25 15:04:39 -07:00
Eklavya Sharma
1c04560def
Re-enable pyflakes in linter and remove python 3 pyflakes errors.
2016-05-25 19:25:13 +05:30
Eklavya Sharma
459c6640bf
Fix type annotations in zerver/lib/alert_words.py.
2016-05-24 14:12:11 -07:00
Eklavya Sharma
95d059bfb3
Fix typo in zerver/lib/actions.py.
2016-05-24 14:12:11 -07:00
Eklavya Sharma
508a080e08
do_change_bot_type: Add update_fields to user_profile.save().
2016-05-24 13:21:44 -07:00
Umair Khan
82b5d9304b
[third] Integrate i18next with Handlebars
2016-05-19 22:58:25 -07:00
Tomasz Kolek
8c18b8947f
Add bot_type field to UserProfile.
...
This is intended to support creating different types of bots with
potentially limited permissions.
2016-05-19 22:37:37 -07:00
Umair Khan
f9bbc5d6ff
Enable i18n support in URL configuration.
...
This supports i18n using all of the following:
- I18N urls
- Session
- Cookie
- HTTP header
2016-05-19 08:33:30 -07:00
Tim Abbott
b01196db86
to_log_dict: Add sender_id to logged fields.
2016-05-18 23:02:43 -07:00
Aristeidis Fkiaras
3ee210d9e8
Add setting to only allow admins to create new streams.
...
Fixes: #691.
Thanks to Preston Hansen for work on this feature!
2016-05-18 18:53:13 -07:00
Tim Abbott
e781136132
Fix subscribing to existing streams when can_create_streams=False.
...
Previously, a user with can_create_streams=False would be incorrectly
unable to subscribe to streams, whether the streams previously existed
or not.
2016-05-18 18:47:24 -07:00
Tomasz Kolek
c4254497b2
Add WebhookTestCase abstract class for writing webhook tests.
...
This cuts a ton of code duplication and semi-duplication between the
webhook tests, and thus should make it a lot easier to write new ones.
2016-05-18 14:37:31 -07:00
Eklavya Sharma
98afe000ee
Make zerver/lib/statistics.py pass mypy check.
2016-05-18 17:10:18 +05:30
Eklavya Sharma
0dcd8b387d
Make zerver/lib/bugdown/fenced_code.py pass mypy check.
2016-05-18 17:10:17 +05:30
Eklavya Sharma
46757f07bf
Make zerver/lib/actions.py pass mypy check.
2016-05-18 17:10:17 +05:30
Eklavya Sharma
16067b7013
Make zerver/views/webhooks/jira.py pass mypy check.
2016-05-18 17:10:17 +05:30
Tim Abbott
c3985520e5
webhooks: Remove unnecessary get_client imports.
2016-05-13 12:25:12 -07:00
Tomasz Kolek
db7ea8b484
Move getting client to api_key_only_webhook_view.
...
This decreases the amount of convention developers need to understand
in order to write a new webhook integration.
2016-05-13 12:22:38 -07:00
Umair Khan
dfc58b0ed0
Upgrade digest email templates to Jinja2.
...
Fixes: #780
2016-05-13 01:01:28 +05:00
Tomasz Kolek
eeeb4d0c92
Add CircleCI integration.
...
Fixes: #617.
2016-05-11 21:17:37 -07:00
Tim Abbott
2409ac9b2f
cache: Add type annotations to active_*_dict_fields.
2016-05-10 11:48:03 -07:00
Tim Abbott
f2aee961e1
test_auth_backends: Fix unused variables.
2016-05-10 11:46:39 -07:00
Tim Abbott
92bec8cfea
Merge Zulip 1.3.12 security release.
2016-05-10 11:32:26 -07:00
Tim Abbott
9b65464b6b
logout_all_users: Add option to logout deactivated users.
2016-05-10 09:50:57 -07:00
Tim Abbott
393159bbd8
queue: Disable RabbitMQ heartbeat in BlockingConnection.
...
Fixes #741.
2016-05-10 09:50:57 -07:00
Tim Abbott
d82e44ecd0
queue: Refactor Pika credentials code to be a bit cleaner.
2016-05-10 09:50:57 -07:00
Tim Abbott
620debc5fd
Change PrincipalError to return status code 403 by default.
2016-05-10 09:50:57 -07:00
Tim Abbott
85c64c9f93
zulip_login_required: Add checks for active users and realms.
...
Like the recent change blocking JSON endpoints for deactivated users
and users in deactivated realms, this change is a hardening
improvement. Those users should be unable to get an active session
anyway, but if somehow one is leaked, this means they won't be able to
access any user data.
2016-05-10 09:50:57 -07:00
Tim Abbott
be216506a9
Improve api_fetch_api_key error messages.
...
Previously, api_fetch_api_key would not give clear error messages if
password auth was disabled or the user's realm had been deactivated;
additionally, the account disabled error stopped triggering when we
moved the active account check into the auth decorators.
2016-05-10 09:50:57 -07:00
Tim Abbott
52ddd500f0
Add tests for authentication backends.
2016-05-10 09:50:57 -07:00
Tim Abbott
38c82083de
Add test suite for deactivated users.
2016-05-10 09:50:57 -07:00
Tim Abbott
df7466e893
Add test suite for deactivated realms.
2016-05-10 09:50:57 -07:00
Tim Abbott
76814f37a3
decorators: Block access to JSON endpoints for deactivated users.
...
While in theory users should be unable to get a valid session in order
to access these endpoints in the first place, this provides an extra
layer of hardening to prevent a deactivated user with a session from
accessing data via the old-style JSON API.
2016-05-10 09:50:57 -07:00
Tim Abbott
b28b3cd65c
CVE-2016-4427: Fix access by deactivated realms/users.
...
The security model for deactivated users (and users in deactivated
realms) being unable to access the service is intended to work via two
mechanisms:
* All active user sessions are deleted, and all login code paths
(where a user could get a new session) check whether the user (or
realm) is inactive before authorizing the request, preventing the
user from accessing the website and AJAX endpoints.
* All API code paths (which don't require a session) check whether the
user (and realm) are active.
However, this security model was not implemented correctly. In
particular, the check for whether a user has an active account in the
login process was done inside the login form's validators, which meant
that authentication mechanisms that did not use the login form
(e.g. Google and REMOTE_USER auth) could succeed in granting a session
even with an inactive account. The Zulip homepage would still fail to
load because the code for / includes an API call to Tornado authorized
by the user's token that would fail, but this mechanism could allow an
inactive user to access realm data or users to access data in a
deactivated realm.
This fixes the issue by adding explicit checks for inactive users and
inactive realms in all authentication backends (even those that were
already protected by the login form validator).
Mirror dummy users are already inactive, so we can remove the explicit
code around mirror dummy users.
The following commits add a complete set of tests for Zulip's inactive
user and realm security model.
2016-05-10 09:50:48 -07:00