Commit Graph

49936 Commits

Author SHA1 Message Date
Mateusz Mandera 89a72c92ea stripe: Change realm.plan_type when upgrading a realm to Plus plan. 2023-02-08 10:28:13 -08:00
Aman Agrawal 4dfe3d36e0 floating_recipient_bar: Replace with sticky header. 2023-02-07 16:25:39 -08:00
Aman Agrawal 00be770d38 css: Use variables for changed header height in smaller widths.
In addition to the benefit of using variables, this change makes
it more noticeable that the header has a different height on smaller
widths.
2023-02-07 16:25:39 -08:00
Aman Agrawal b7ea924876 css: Combine box-shadows for selected message.
There are no visual changes since we are replacing 4 single borders
with a single box.
2023-02-07 16:25:39 -08:00
Aman Agrawal 2be3cbc00e message_list_view: Remove wrong `$` prefix in message_viewport variable.
Since `message_viewport` library is not jQuery object, it should
not have `$` prefix before it.
2023-02-07 16:25:39 -08:00
David Rosa e3c75ee0a9 help: Cross-link Do Not Disturb with other Notifications pages.
Fixes part of #24169.
2023-02-07 16:00:46 -08:00
David Rosa 6567a45488 help: Document Do Not Disturb feature in Desktop app.
Documents the Do Not Disturb option with a dedicated page in
the Notifications section.

The capitalization is not our standard style because the desktop app
doesn't follow that style convention.

Fixes #24169.
2023-02-07 16:00:46 -08:00
Pranav2612000 c58f38dae3 compose: Show resolve topic banner only once per narrow.
Previously, when sending a message to a resolved topic, if you dismissed
the 'You are sending a message to a resolved topic' banner, it would
reappear as soon as the user enters another character.

Fix this by showing the banner at most once per narrow. It does not
reappear if the user closes the banner and continues typing.  It will
only be shown again if the user closes compose, changes stream/topic,
sends a message or otherwise clears the compose box state.

We also remove the existing check for whether this banner is already
visible; this is essentially a more precise version of the same logic.

Fixes #24245.
2023-02-07 15:53:25 -08:00
N-Shar-ma 0e55b2aed9 unread: Show unread count for only 1:1 human PMs for right sidebar icon.
Until now, the right sidebar user list unread count included bot and group
PMs which sometimes resulted in the confusing state of the user list icon
indicating unread messages but on expanding the user list, no username
had a counter beside it, since the list only has individual human users.

Now this right sidebar unread count too excludes bots and groups, so the
unread count and the user list are consistent, without any ghost counts.
2023-02-07 15:38:32 -08:00
SameepAher 8efa3965fd css: Fix long name overflow in user profile modal.
Set width of the heading tag displaying user profile name heading, which
doesn't let the edit button get pushed off the user profile modal.

Ellipsis property is applied to user profile name on text overflow.

Fixes: #23781.
2023-02-07 15:36:51 -08:00
Palash Baderia 0ca5d11670 settings: Improve column widths in settings > uploaded files.
Changed the width of the file column to show the names properly,
while making sure that the table UI remains consistent in different
languages too (checked the same for Russian language).

Drop the file size column if the viewport is less than 992px (lg_min)
to ensure that the size word doesn't break when there are no uploaded files.
Discussed on CZO thread.

Changed the position of the Date uploaded arrow to stay visible
in all view ports and added word-break to prevent spill over of Mentioned-in
and date uploaded.

Fixes: #23738
2023-02-07 15:15:40 -08:00
m-e-l-u-h-a-n 8f29f81539 user groups: Fix incorrect checking for open groups overlay.
Overlays.js incorrectly checked for whether `#groups` overlay
was open, so it re-assigned the global `open_overlay_name`
variable. As a consequence unwanted blueslip errors were thrown
when closing the groups overlay after any group event was
received while the `#groups` overlay was open.
2023-02-07 15:12:56 -08:00
m-e-l-u-h-a-n 9d6cc8142b user groups: Add support for add_member and remove member events. 2023-02-07 15:12:56 -08:00
m-e-l-u-h-a-n 1f03042a48 user groups: Add support for removing user groups.
The new `#groups` overlay had no way for user groups to be deleted.
This commit adds UI support for removing user groups along with
adding support for live update of `#groups` overlay on remove
event for user groups.
2023-02-07 15:12:56 -08:00
m-e-l-u-h-a-n c0cd6f7f04 user groups: Add support for user group update event. 2023-02-07 15:12:56 -08:00
m-e-l-u-h-a-n 6147f2bd7a user groups: Add live update support for user_group add event.
We add live update support for user group events as part of
https://github.com/zulip/zulip/issues/19526.
This however has a few TODOs:
1. Deciding on how we want to sort the group list on left of
   #groups overlay.
2. How we highlight the newly created groups after it is added
   to the list.
These will be covered as we add support for more groups events.
2023-02-07 15:12:56 -08:00
Purushottam Tiwari fdd9f018ad user groups: Add `+` button to navigate to create user group. 2023-02-07 15:12:56 -08:00
Purushottam Tiwari 637bbf638e user groups: Enable remove button for user creating the user group. 2023-02-07 15:12:56 -08:00
Purushottam Tiwari 4a91bf8f5b user groups: Add margins to user group create alert info.
Since we do not currently have live update on newly
created ui for user group management, alert shown
after successful creation of user group appeared across
full width of right panel of #groups overlay. Which
made it look a bit awkward, so we add margins to that
alert info.
2023-02-07 15:12:56 -08:00
Aman Agrawal 7a8ddf90cd css: Remove focus outline on simplebar wrapper elements.
This removes the focus outline on `simplebar-content-wrapper` in
the left sidebar and other places in the app when focused since
it doesn't look visually nice.
2023-02-07 11:06:13 -08:00
Sahil Batra db4bae8050 portico: Fix cursor set to pointer incorrectly for input elements.
This commit fixes the code which incorrectly set the cursor
property to "pointer" for input and textarea elements where
only select elements should have it. The code causing this bug
was added in d708bc338.
2023-02-07 11:05:06 -08:00
Alex Vandiver e3c976fed9 missed_messages: Include messages from topic which differ by case.
In Zulip, message topics are case-insensitive but case-preserving.
The `get_context_for_message` function erroneously did a
case-sensitive search, and thus only messages whose topic matched
exactly were pulled in as context.

Make the missed-message pipeline aware that message topics are not
case-sensitive.  This means that, when collapsing adjacent messages,
we merge messages with topic headers which are "different"; create a
separate explicit "grouping" to know which to collapse.
2023-02-07 11:04:21 -08:00
Alex Vandiver 23894fc9a3 uploads: Set Content-Type and -Disposition from Django for local files.
Similar to the previous commit, Django was responsible for setting the
Content-Disposition based on the filename, whereas the Content-Type
was set by nginx based on the filename.  This difference is not
exploitable, as even if they somehow disagreed with Django's expected
Content-Type, nginx will only ever respond with Content-Types found in
`uploads.types` -- none of which are unsafe for user-supplied content.

However, for consistency, have Django provide both Content-Type and
Content-Disposition headers.
2023-02-07 17:12:02 +00:00
Alex Vandiver 2f6c5a883e CVE-2023-22735: Provide the Content-Disposition header from S3.
The Content-Type of user-provided uploads was provided by the browser
at initial upload time, and stored in S3; however, 04cf68b45e
switched to determining the Content-Disposition merely from the
filename.  This makes uploads vulnerable to a stored XSS, wherein a
file uploaded with a content-type of `text/html` and an extension of
`.png` would be served to browsers as `Content-Disposition: inline`,
which is unsafe.

The `Content-Security-Policy` headers in the previous commit mitigate
this, but only for browsers which support them.

Revert parts of 04cf68b45e, specifically by allowing S3 to provide
the Content-Disposition header, and using the
`ResponseContentDisposition` argument when necessary to override it to
`attachment`.  Because we expect S3 responses to vary based on this
argument, we include it in the cache key; since the query parameter
has dashes in it, we can't use the helper `$arg_` variables, and
must parse it from the query parameters manually.

Adding the disposition may decrease the cache hit rate somewhat, but
downloads are infrequent enough that it is unlikely to have a
noticeable effect.  We take care to not adjust the cache key for
requests which do not specify the disposition.
2023-02-07 17:09:52 +00:00
Alex Vandiver 36e97f8121 CVE-2023-22735: Set a Content-Security-Policy header on proxied S3 data.
This was missed in 04cf68b45ebb5c03247a0d6453e35ffc175d55da; as this
content is fundamentally untrusted, it must be served with
`Content-Security-Policy` headers in order to be safe.  These headers
were not provided previously for S3 content because it was served from
the S3 domain.

This mitigates content served from Zulip which could be a stored XSS,
but only in browsers which support Content-Security-Policy headers;
see subsequent commit for the complete solution.
2023-02-07 17:09:52 +00:00
Alex Vandiver d41a00b83b uploads: Extra-escape internal S3 paths.
In nginx, `location` blocks operate on the _decoded_ URI[^1]:

> The matching is performed against a normalized URI, after decoding
> the text encoded in the “%XX” form

This means that if a user-uploaded file contains characters that are
not URI-safe, the browser encodes them in UTF-8 and then URI-encodes
them -- and nginx decodes them and reassembles the original character
before running the `location ~ ^/...` match.  This means that the `$2`
_is not URI-encoded_ and _may contain non-ASCII characters_.

When `proxy_pass` is passed a value containing one or more variables,
it does no encoding on that expanded value, assuming that the bytes
are exactly as they should be passed to the upstream.  This means that
directly calling `proxy_pass https://$1/$2` would result in sending
high-bit characters to the S3 upstream, which would rightly balk.

However, a longstanding bug in nginx's `set` directive[^2] means that
the following line:

```nginx
set $download_url https://$1/$2;
```

...results in nginx accidentally URI-encoding $1 and $2 when they are
inserted, resulting in a `$download_url` which is suitable to pass to
`proxy_pass`.  This bug is only present with numeric capture
variables, not named captures; this is particularly relevant because
numeric captures are easily overridden by additional regexes
elsewhere, as subsequent commits will add.

Fixing this is complicated; nginx does not supply any way to escape
values[^3], besides a third-party module[^4] which is an undue
complication to begin using.  The only variable which nginx exposes
which is _not_ un-escaped already is `$request_uri`, which contains
the very original URL sent by the browser -- and thus can't respect
any work done in Django to generate the `X-Accel-Redirect` (e.g., for
`/user_uploads/temporary/` URLs).  We also cannot pass these URLs to
nginx via query-parameters, since `$arg_foo` values are not
URI-decoded by nginx, there is no function to do so[^3], and the
values must be URI-encoded because they themselves are URLs with query
parameters.

Extra-URI-encode the path that we pass to the `X-Accel-Redirect`
location, for S3 redirects.  We rely on the `location` block
un-escaping that layer, leaving `$s3_hostname` and `$s3_path` as they
were intended in Django.

This works around the nginx bug, with no behaviour change.

[^1]: http://nginx.org/en/docs/http/ngx_http_core_module.html#location
[^2]: https://trac.nginx.org/nginx/ticket/348
[^3]: https://trac.nginx.org/nginx/ticket/52
[^4]: https://github.com/openresty/set-misc-nginx-module#set_escape_uri
2023-02-07 17:09:52 +00:00
Alex Vandiver a955f52904 uploads: Stop putting API headers on local-file upload responses.
These only need the usual response headers, not the
Access-Control-Origin headers that API endpoints need.
2023-02-07 17:09:52 +00:00
sayamsamal 059f64dcd9 tooltips: Fix tooltip content alignment for message inline images.
This commit fixes the issue where the "Click to view or download" comes
to the right of the image title. We add a parent division in this commit
that leads to the break tag being applied successfully, shifting the
secondary tooltip content ("Click to view or download") to next line.
2023-02-06 18:41:31 -08:00
sayamsamal e9d53b6bb4 tooltips: Fix line height for non-English characters.
Some non-English characters overflow when the line height is reduced
for the tooltip text. This commit increases the line height of the
tooltips to accommodate these non-English characters and fixes the
hotkey hint margins for the same.
2023-02-06 18:41:31 -08:00
sayamsamal c15c2157f7 tooltips: Set font-feature-settings to "ss01" for stylistic variant of "I".
This commit enables the stylistic set "ss01" in Source Sans 3
font family which contains stylistic variant of the upper-case
character "I", which contains two bars, one each on the top and
bottom of the letter. This provides a uniform look across all
the characters when used in the hotkey hints of the tooltips.
2023-02-06 18:41:31 -08:00
sayamsamal 9b1d4ca81e tooltips: Add italics styling to description of multi-line tooltips.
The second line of a multi-line tooltip generally describes the
additional information which helps the major text, i.e. the first
line of the multi-line tooltip, hence it would be a good idea to
add italics styling, to differentiate it from the main title. We
describe a simple ".italic" class for the same.

We also add a shorter line height to this description using the
".tooltip-inner-content" class.
2023-02-06 18:41:31 -08:00
sayamsamal 0f213f13ff tooltips: Add support for modifier key conversion for mac-style keyboards.
We scan a tooltip for any required windows-to-mac hotkey conversions
from the list of attributes supplied to the hotkey_hints helper.

If we find any, we add/modify the hotkeys in the hotkey hints list to
match the mac-style key combinations and then return back the modified
list of hotkey hints to be displayed in the tooltip.

We also rename the "adjust_mac_shortcuts" function, used for the
keyboard shortcuts menu and help center documents, to
"adjust_mac_kbd_tags" to avoid any ambiguity with the
adjust_mac_tooltip_keys function which is used for tooltip hotkeys.
2023-02-06 18:41:31 -08:00
sayamsamal df04063bf4 tooltips: Add hotkey hints support to filter streams in sidebar. 2023-02-06 18:41:31 -08:00
sayamsamal 78ae5e9526 tooltips: Add hotkey hints support to search people filter in sidebar. 2023-02-06 18:41:31 -08:00
sayamsamal 59bc9715e3 tooltips: Add hotkey hints support to keyboard shortcuts button.
This commit adds hotkey hints to the keyboard shortcuts button
located in the right sidebar, below the user list view.
2023-02-06 18:41:31 -08:00
sayamsamal 26fc108e16 tooltips: Add hotkey hints support to compose related buttons.
This commit adds the hotkey hints support to "Cancel compose",
"Cancel compose and save draft", "Scroll to bottom" and "Drafts"
button.
2023-02-06 18:41:31 -08:00
sayamsamal 4a7ad5325a tooltips: Add hotkey hints support to narrow to compose option. 2023-02-06 18:41:31 -08:00
sayamsamal fc6b4775be tooltips: Add hotkey hints support to recipient row. 2023-02-06 18:41:31 -08:00
sayamsamal 4bf16ca9cc tooltips: Add hotkey hints support to message controls. 2023-02-06 18:41:31 -08:00
sayamsamal d66f2d900f tooltips: Add hotkey hints support for tooltips.
We add the support for hotkey hints for the tippyjs tooltips through
the hotkey_hints handlebar helper.

The hotkey_hints helper takes space separated string arguments and
returns a span containing all the hotkeys with the required classes
for styling.

We also add a simple node test for the hotkey_hints handlebar helper.

Part of #21753
2023-02-06 18:41:31 -08:00
sayamsamal 8e1d537430 tooltips: Change tooltips arrow size to small.
We scale the tippy arrows to the same size as used by the tippyjs
documentation for the small arrow size example.

Part of #21753
2023-02-06 18:41:31 -08:00
sayamsamal 7d5d151b99 tooltips: Change tooltips styling to incorporate the redesign.
We use hsla(0, 0%, 20%, 1) for the light theme background color and
hsla(0, 0%, 0%, 1) for the dark theme. The text inside the tooltips
should be white in color, 14px in size and have a line height of 15px.

With one line of text, we want the height of the tooltips to be 25px,
i.e, line height (15px) + padding (5px + 5px = 10px).

Part of #21753
2023-02-06 18:41:31 -08:00
sayamsamal a93b95f158 tooltips: Move tooltips styling to a dedicated .css file.
We want to separate the tooltips styling into a dedicated .css file for
general readability and decluttering of the zulip.css file.
2023-02-06 18:41:31 -08:00
evykassirer 0d373e574b compose: Remove remaining instances of compose-send-status.
All banners that used to be rendered here are now in #compose_banners.
2023-02-06 16:01:51 -08:00
Mateusz Mandera d23b0a1f08 docs: Document how LDAP email address changes work (manually).
We will hopefully be able to just this in #16208 to document what
users need to configure in order to do this manually, but the content
here will be useful for anyone who hasn't set that up regardless.
2023-02-06 15:57:44 -08:00
Alya Abbott c78218d88b docs: Update project ideas list for GSoC 2023.
Co-authored-by: Tim Abbott <tabbott@zulip.com>
2023-02-06 15:12:14 -08:00
David Rosa 2b8dfbfe1f help: Improve relative settings links for documentation on bots.
Fixes the documentation generated from the Markdown macros
{settings_tab|your-bots} and {settings_tab|bot-list-admin} to
match the text labels in the Zulip UI and improves the text of
relative links to explicitly say if we are referring to the Bots
tab of the Personal or Organization settings menu.

Follow-up to #23256.
2023-02-06 15:06:15 -08:00
David Rosa df7e409cd9 help_settings_links: Refactor handleMatch function.
This code needs to be more flexible to improve the documentation
of items in the Personal and Organization settings menu when
using the `{settings_tab|[setting-name]}` Markdown macro that
provides relative links or step-by-step instructions.

This commit moves the Markdown formatting code to a new function that
receives tuples from `link_mapping` as input. This is a preliminary
step to offer more flexibility than the current approach.
2023-02-06 15:06:15 -08:00
Ujjawal Modi 836b9e483e settings: Improve permissions banners on Invitations panel.
Fixes #24158
2023-02-06 15:04:56 -08:00
Aman Agrawal e0f9332280 recent_topics_ui: Adjust filter classes once they are displayed.
Updating filters before rendering recent conversations leads to
bugs if the filters changed or recent topics was not the first
view that was loaded.
2023-02-06 14:57:18 -08:00