Previously, test cases or clients accessing /json/ views using HTTP
Basic Auth would be accepted, while we intended to only allow clients
authenticated with a session cookie to access these views.
This adds a check on the accessed path to avoid this possibility.
It seems unlikely that any API clients were taking advantage
of this unintended quirk; so we're not going to bother documenting
this bug fix as an API change. In any case, it should be trivial for
anyone affected to consult the documentation and then switch their
/json/foo URL to a correct /api/v1/foo URL.
Signed-off-by: Zixuan James Li <p359101898@gmail.com>
Updates the check in compose validate for the organization's
policy on sending private messages to use the code/value in
settings_config, instead of the number value.
Private messages between a user and a bot are not restricted by
the organization's policy setting for sending private messages.
So, for the empty banner text, we set the default title for
a single bot for the "pm-with" narrow.
Group private messages that include a bot are restricted by
this policy setting, so those messages stay the same.
Also, since bots aren't people, we update the text for valid
"pm-with", "sender" and "group-pm-with" operands to include the
user's full name in the title.
When there are multiple people in the "pm-with" narrow, we still
send a generic "these people" message instead of listing all the
users in the narrow.
Finally, we make the default message end in a period instead of
an exclamation mark.
For narrows that focus on private messages ("is:private", "pm-with",
"group-pm-with"), we want to check the organization private message
policy and set an empty narrow title that matches that policy.
For these narrows with invalid users, we prioritize that message
for the empty narrow title, instead of the private message policy
message.
Fixes #21889.
Mobile clients older than v27.192 do not support PRONOUNS type
custom profile fields, so we instead change the type of it to
SHORT_TEXT in the data sent with register response and also in
the events sent to those clients.
A user could trigger a "pm-with" narrow with an invalid user by moving
back/forward in the session, which would trigger the compose box to
open via a hash change. Updates the check to pass in any "pm-with"
narrow with an invalid user.
Also, if the compose box was active/started in the previous view, but
without any content, then we want to actively cancel/close it in the
invalid user "pm-with" narrow.
If an organization has disabled sending private messages, we do not
want to load the compose box automatically for "pm-with" narrows.
We still open the compose box for private messages narrows with a
single bot user as this is not limited by this organization setting.
Also, if the compose box was active/started in a narrow with a bot
user, but had no content, then we want to close/cancel that in a
new narrow with a person or group.
Fixes #23332
Check if col we are trying to focus exists for the row inside
`set_table_focus`.
We call `revive_current_focus` after `topics_widget` is defined
since it can be used inside it.
Fixes #23331
Combine checks for last row between `vim_down` and `down_arrow`.
Check for the presence of unread counter in `set_table_focus`
directly so that it can be used in other cases as well. This is
especially useful when marking the last row in the table as read.
We used to hide and show topic rows in the DOM when topics are
updated. This resulted in incorrect calculations in the length of
visible topics. As a consequence, focus is sometimes set to a hidden topic.
Removing hidden topics from DOM helps us keep
the calculations correct.
This fixes bugs related to focus being lost when trying to mute
or mark as read the last row.
Instead of the topic filter box being a part of the list, which keeps
updating, we move it out and fix its position.
This should reduce rendering time of topics list and provide
a smoother experience to users when waiting for topics list to
load.
Updates the first part of the article to discuss the basics of
the search feature. Adds sub-headers / sections to the list of
search operators. Makes the excluding messages a section header
instead of a sub-section of the list.
Updates the help center article on searching for messages to have
the correct format for the "group-pm-with" operator.
Also, reorders the list so that the private message searches are
all together, and the `streams:public` operator is last so that
it stands out a bit more.
On multi-realm systems this results in traversal of all messages in
all realms and returns a massive payload of 1 row per stream on
the server, not the intended one row per realm.
As explained in 158287f998,
wantMessagesSigned can't be enabled globally (as it'll break setups with
IdPs that sign SAMLResponse assertions) - but is needed for
LogoutRequests, and will be for LogoutResponses in the SP-initiated SLO
flow in future commits.
We extract a function with the necessary hacky logic for re-use in the
SP-initiated SLO implementation.
This lets us provide a hook to where we've written some advice both on
what makes a good stream description, and also what Markdown formatting
is supported there.
Fixes #23376.