Commit Graph

35284 Commits

Author SHA1 Message Date
Vishnu KS 905f3d2d23 stats: Don't show analytics data unavailable error for new realms.
The value of start would be set to realm creation date or installation
date unless a value is explicitly provided by the user. We don't
want to show analytics data missing error in both these cases if
start is less than 24.5 hours from timezone_now() since some of the
stats are populated by a daily cron job that may take a couple of
minutes to run.

The same case applies if the value of the start is passed in the
request.
2020-04-03 11:51:20 -07:00
Steve Howell 1ae07b93d8 presence: Simplify payload for webapp.
This changes the payload that is used
to populate `page_params` for the webapp,
as well as responses to the once-every-50-seconds
presence pings.

Now our dictionary of users only has these
two fields in the value:

    - activity_timestamp
    - idle_timestamp

Example data:

    {
        6: Object { idle_timestamp: 1585746028 },
        7: Object { active_timestamp: 1585745774 },
        8: Object { active_timestamp: 1585745578,
                    idle_timestamp: 1585745400}
    }

We only send the slimmer type of payload
to clients that have set `slim_presence`
to True.

Note that this commit does not change the format
of the event data, which still looks like this:

    {
        website: {
            client: 'website',
            pushable: false,
            status: 'active',
            timestamp: 1585745225
        }
    }
2020-04-03 11:44:56 -07:00
Steve Howell da6508a7af presence tests: Test for offline/reload use cases.
This gets us to 100% line coverage.
2020-04-03 11:42:59 -07:00
Vaibhav Raj Singh 379eed7159 org settings: Minor changes to link icons and documentation.
Changed `help` to `help_link` so as to denote that it's a link to docs.
Also, updated `message feed` to `other settings` in docs.
2020-04-03 11:41:18 -07:00
Yash Rathore d6fddad440
settings: Use % width for checkbox labels in small narrows. (#14448)
This fixes the responsive design for most of our settings pages.

Fixes #14426.
2020-04-03 11:40:02 -07:00
Steve Howell f7b432afec node tests: Auto-include zblueslip for node tests.
We already use blueslip stubs in ~45 tests, so we
may as well just auto-include it.
2020-04-03 12:56:49 -04:00
Steve Howell 09336c9e28 node test: Clean up ad hoc mocks for blueslip. 2020-04-03 12:56:49 -04:00
Steve Howell df84c52a7f zblueslip: Change API to expect/reset.
The `set_test_data` never made complete sense to
me, since it wasn't really data that we were
setting.
2020-04-03 12:56:49 -04:00
Steve Howell ec2aaa52dd zblueslip: Prevent spurious expected errors.
This also cleans up some idioms in the zblueslip
code.
2020-04-03 12:56:49 -04:00
Steve Howell 26baaab34c zblueslip: Expect strings in blueslip calls. 2020-04-03 12:56:49 -04:00
Steve Howell 95b84c0057 zblueslip: Remove unused check_error(). 2020-04-03 12:56:49 -04:00
Steve Howell 2788ebdde7 minor: Clean up blank lines in tests. 2020-04-03 12:56:49 -04:00
MariaGkoulta b248b2681c settings: Add link for help near the setting of link previews
Next to the checkbox of "Show previews of linked websites" added a
documentation link in order to help users not confuse its function.
To do this:
- Added the field 'help' which is the link for the documentation in
organization_settings_admin.hbs
- Added the if statement in settings_checkbox.hbs to check if the above
field exists.In case it exists, a help icon which leads to the documentation
link appears.
The specific field was added in order to be able to add a help link in
other settings as well.

Co-authored-by: Katerina Perikou
<44238834+kPerikou@users.noreply.github.com>

Fixes: #13450
2020-04-02 17:38:24 -07:00
Tim Abbott 09a0f01586 node tests: Add test_realm_integer test for bot_creation_policy.
This fills in a missing test I noticed while reviewing the adjacent
code.
2020-04-02 17:34:43 -07:00
sahil839 72a18ba7d4 tests: Stop using ttest_realm_boolean for integer fields.
This adds a new test_realm_integer, replacing test_realm_boolean for
testing integer fields like realm_create_stream_policy,
realm_invite_to_stream_policy, and realm_invite_required in dispatch.js.

Fixes #12284
2020-04-02 17:34:43 -07:00
sahil839 50d65fffe6 tests: Change policy elements value to correct type in page_params.
Fields like realm_email_address_visibility and realm_bot_creation_policy
were strings instead of integers in page_params obeject in
settings_org.js tests.

Also use values struct defined in settings_config.js and setting_bots.js
instead of direct values for improving readability.
2020-04-02 17:34:43 -07:00
Tim Abbott 31e5765431 lightbox: Fix incorrect use of const and typo.
This was a bug in 1d3827d518.
2020-04-02 17:34:43 -07:00
Pranav 957429e14a msg_recipient_bar: Add spacing between recipient_bar icons.
Fixes the problem of recipient_bar_icons being too close to each
other. To improve spacing between them, classes are added, namely
recipient_bar_icon_link (for link icon) and reciepient_bar_icon
(for other icons). CSS for spacing these classes correctly, using
padding-left and padding-right, has been added zulip.scss

Manually tested for cases with single and multiple links present.

Fixes #14364.
2020-04-02 17:08:44 -07:00
Steve Howell f2806a0a06 copy/paste: Extract visible_range() to fix error.
When we tried to copy/paste multiple rows up to
and including the last row in our view, we'd have
a blueslip error when the `for` loop checked the
condition `rows.id(row) <= ...` after we had
called `row = rows.next_visible(row)` on the last
row.  Basically, `rows.id()` would complain
about a non-existent row.

Now we extract that code into `visible_range`, so
that our `while` loop can exit as soon as we found
the last row in the range.
2020-04-02 16:57:01 -07:00
Steve Howell beaf488eeb ui: Make selectors more specific for message hover.
The hover values here should not apply to draft
messages, for example.
2020-04-02 16:57:01 -07:00
Dinesh 8062192759 tests: Add realm creation test using puppeteer. 2020-04-02 15:37:12 -07:00
Hashir Sarwar 1d3827d518 lightbox: Extract image parsing logic from lightbox.open().
Moved the parsing logic to a new function `parse_image_data()`.

Part of #14152.
2020-04-02 15:12:00 -07:00
shubhamgupta2956 793c3f25e7 api_docs: Migrate POST /zulip-outgoing-webhook.
This commit migrates zulip outging webhook payload to
/zulip-outgoing-webhook:post in OpenAPI.

Since this migrates the last payloads from api/fixtures.json to
OpenAPI, this commit removes api/fixtures.json file and the functions
accessing the file.

Tweaked by tabbott to further remove an unnecessary conditional.
2020-04-02 14:55:32 -07:00
shubhamgupta2956 6ebf408fc4 api_docs: Migrate POST /rest-error-handling.
This commit migrates payload of errors which are common to many endpoints
to /rest-error-handling:post in OpenAPI.
2020-04-02 14:48:29 -07:00
Steve Howell a9a16932ec condense: Clean up continue/else/if idiom.
If an `if` calls continue, then you don't need
the clutter of an `else`.  (I wonder if eslint
can enforce these the same way it does for
return/else.)
2020-04-02 14:44:35 -07:00
Steve Howell ca9a416e38 Use early-continue for condense_and_collapse loop.
This just flattens the code a bit.
2020-04-02 14:44:35 -07:00
Steve Howell 249c19b7df condense: Skip over invalid content.
We were defending against `content` being undefined,
which is impossible, instead of checking the length
of the jQuery object.
2020-04-02 14:44:35 -07:00
Steve Howell 5245aa457f condense/resize: Fix blueslip errors from drafts.
The selector we were passing to `condense_and_collapse`
included rows from our drafts UI, which don't have
zids and don't play nice with condense/collapse code
(which expects message ids for settings things like
`.condense` flags).

Now we just use a better selector.
2020-04-02 14:44:35 -07:00
Steve Howell 02947d6b41 blueslip: Protect against drafts pitfall for rows.id.
If folks use an overly broad selector for message rows,
they will accidentally include drafts from the drafts
dialog, which won't have zids.  More specific selectors
will be more efficient and possibly prevent strange
behaviors.

For testing convenience, we extract the message.
2020-04-02 14:44:35 -07:00
Tim Abbott 5eb5b6a5ad import: Make sure the internal realm is created before import.
This is critical for importing the very first realm into an empty
server, since in 27b15a9722, we changed
the model to create the internal realm when the first real realm would
be created, but neglected the data import code path.
2020-04-02 14:34:32 -07:00
Steve Howell 8315eee046 message edit: Handle escape key more nicely.
We now handle the esc key completely within the
keydown handler that we already have for message
editing.  We allow escape to work no matter what
the focused element is within an edited message,
and we blur that element properly and end the
edit.

We remove all the strange, duplicated logic
from hotkey.js.

This should also fix a blueslip error where the
hotkey code was passing message_edit a jQuery
element with zero length.

Fixes the traceback reported in #14151, though we should still look at
the DOM cleanup discussed there.
2020-04-02 14:32:11 -07:00
Tim Abbott 0f5dcd5d84 version: Update for Desktop 5.0.0 release.
This just affects the /apps download page.
2020-04-01 22:59:30 -07:00
Mateusz Mandera 5252b081bd queue_processors: Gather statistics on queue worker operations. 2020-04-01 16:44:06 -07:00
brendon f65e6d0d94 sgrep: Install syntactic code search tool as an external linter.
Add sgrep (sgrep.dev) to tooling and include simple rule as
proof of concept. Included rule detects use of old django render
function.

Also added a rule that looks for if-else statements where both
code paths are identical.
2020-04-01 15:08:34 -07:00
Steve Howell f6503a4061 validation: Use JsonableError for extractors.
The distinction between ValueError and TypeError
is not useful in these functions:

    - extract_stream_indicator
    - extract_private_recipients (or its callees)

These are always invoked in views to validate
user input.

When we use REQ to wrap the validators, any
Exception gets turned into a JsonableError, so
the distinction is not important.

And if we don't use REQ to wrap the validators,
the errors aren't caught.

Now we just let these functions directly produce
the desired end result for both codepaths.

Also, we now flag the error strings for translation.
2020-04-01 15:01:19 -07:00
Ryan Rehman 5a5fc6caa1 stream edit: Fix real-time sync of stream notification setting.
The UI in the `#settings/notifications` page is updated similarly
to what is done in the `update_global_notifications` path present
in the `server_events_dispatch` file.
2020-04-01 14:40:41 -07:00
Ryan Rehman 7d39d7b17f settings_config: Move Stream level notification settings. 2020-04-01 14:40:41 -07:00
Ryan Rehman 58d06f3911 settings_config: Move Realm level notification settings.
We make `all_notifications` a function to avoid a
require-time dependency on page_params.
2020-04-01 14:40:41 -07:00
Ryan Rehman 39577b58ba stream settings: Display success/failure status for edits.
We have an alert for when the stream name is changed.
This also adds an alert when subscription settings
are updated and the widget is similar to that used in
the settings page.

This is also necessary because the stream specific
notification settings UI updation goes through this
path and it is necessary to display a confirmation
to match with other settings confirmation pattern.
2020-04-01 14:40:41 -07:00
Ryan Rehman 412eb6f1cb css: Refactor `.alert-notification`.
Since each element containing the `.alert-notification`
class has a predefined area that wont overlap with any
other element, we make changes to the CSS so that it
just stays hidden until the text appears.
2020-04-01 14:40:41 -07:00
Ryan Rehman 95c97e4a46 css: Use SCSS nesting for `.alert-notification`.
We also remove the `#settings_page` container as there
are plans to reuse the above class in the stream edit
page as well.
2020-04-01 14:40:41 -07:00
Ryan Rehman c59997b148 templates: Extract subscription_privacy partial template. 2020-04-01 14:40:41 -07:00
Tim Abbott 3983bf21ac docs: Update changelog for 2.1.3 release. 2020-04-01 14:01:45 -07:00
Anders Kaseorg 1c8950900f frontend: Defensively filter unsafe links that may come from bugdown.
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-01 14:01:45 -07:00
Anders Kaseorg 2d45308546 CVE-2020-10935: Fix XSS vulnerability in local link rewriting.
Make sure rewrite_local_links_to_relative does not accidentally change
the meaning of links.

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-01 14:01:45 -07:00
Anders Kaseorg 4f748fb627 markdown: Stop setting target="_blank".
This setting is being overridden by the frontend since the last
commit, and the security model is clearer and more robust if we don't
make it appear as though the markdown processor is handling this
issue.

Co-authored-by: Tim Abbott <tabbott@zulipchat.com>
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-01 14:01:45 -07:00
Anders Kaseorg 68cfcd6446 CVE-2020-9444: Prevent reverse tabnabbing attacks.
While we could fix this issue by changing the markdown processor,
doing so is not a robust solution, because even a momentary bug in the
markdown processor could allow cached messages that do not follow our
security policy.

This change ensures that even if our markdown processor has bugs that
result in rendered content that does not properly follow our policy of
using rel="noopener noreferrer" on links, we'll still do something
reasonable.

Co-authored-by: Tim Abbott <tabbott@zulipchat.com>
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-01 14:01:45 -07:00
Tim Abbott e3a4aeeffa CVE-2020-9445: Remove unused and insecure modal_link feature.
Zulip's modal_link markdown feature has not been used since 2017; it
was a hack used for a 2013-era tutorial feature and was never used
outside that use case.

Unfortunately, it's sloppy implementation was exposed in the markdown
processor for all users, not just the tutorial use case.

More importantly, it was buggy, in that it did not validate the link
using the standard validation approach used by our other code
interacting with links.

The right solution is simply to remove it.
2020-04-01 14:01:45 -07:00
Tim Abbott 17723b1617 version: Move minimum desktop version configuration to version.py.
This makes it relatively easy for a system administrator to
temporarily override these values after a desktop app security
release that they want to ensure all of their users take.

We're not putting this in settings, since we don't want to encourage
accidental long-term overrides of these important-to-security values.
2020-04-01 13:23:08 -07:00
Tim Abbott f572bf50f5 message_list_view: Suppress exceptions for missing mention users.
If we can't find data on a mentioned user to update its full_name to
the current value, we'll have to go with the value in the message
itself.

This can happen if e.g. we hard-deleted the originally mentioned user
from the database (which can sometimes happen after a "delete my
account completely" request).
2020-03-31 17:56:12 -07:00