Commit Graph

544 Commits

Author SHA1 Message Date
Tim Abbott c17676b00c Cleanup MIT hardcoding for disabling presence. 2016-07-26 20:30:12 -07:00
Tim Abbott b2d1c18268 views: Move push token views to new push_notification.py. 2016-07-26 14:44:24 -07:00
Tim Abbott 6dc5681171 views: Move presence views to presence.py. 2016-07-26 14:29:32 -07:00
Tim Abbott 62affa53c9 views: Move update_realm to new realm.py views file. 2016-07-26 14:29:24 -07:00
Umair Khan 7c138c6e33 Import is_inactive from proper file. 2016-07-26 12:26:55 -07:00
Tim Abbott 4de203a23f Fix MIT users joining a Zulip realm. 2016-07-22 14:27:36 -07:00
Umair Khan dce48d58b6 Cache translations.
Fixes: #1158
2016-07-21 10:23:31 -07:00
Tim Abbott 3ea4cbb5c3 settings: Extract settings.VERBOSE_SUPPORT_OFFERS. 2016-07-19 15:28:41 -07:00
Tim Abbott fb386da552 settings: Extract settings.SAVE_FRONTEND_STACKTRACES. 2016-07-19 15:28:41 -07:00
Tim Abbott 0aaa55fb8f settings: Extract settings.SHARE_THE_LOVE. 2016-07-19 15:28:41 -07:00
Kartik Maji 599b15cb84 Allow fetching subscribers for streams the user has never subscribed to.
This allows the frontend to fetch data on the subscribers list (etc.)
for streams where the user has never been subscribed, making it
possible to implement UI showing details like subscribe counts on the
subscriptions page.

This is likely a performance regression for very large teams with
large numbers of streams; we'll want to do some testing to determine
the impact (and thus whether we should make this feature only fully
enabled for larger realms).
2016-07-18 16:24:19 -07:00
Taranjeet Singh 84660a5087 zerver/views/__init__.py: Fix lines with length greater than 120. 2016-07-18 14:51:06 -07:00
Steve Howell 5fcbd0a178 Remove muting logic in approximate_unread_count().
The muting logic in approximate_unread_count() was confusing
stream/subject and only using the first of many stream/subject
pairs, so it was rarely excluding rows from the count, and when
it did exclude rows, they were the wrong rows.

This fixes part of #1300, but we may want to keep the issue open.
2016-07-18 11:21:51 -07:00
Rishi Gupta d529a94e4d Add realm setting to time-limit editing of message content.
This is controlled through the admin tab and a new field in the Realms table.
Notes:
* The admin tab setting takes a value in minutes, whereas the backend stores it
  in seconds.
* This setting is unused when allow_message_editing is false.
* There is some generosity in how the limit is enforced. For instance, if the
  user sees the hovering edit button, we ensure they have at least 5 seconds to
  click it, and if the user gets to the message edit form, we ensure they have
  at least 10 seconds to make the edit, by relaxing the limit.
* This commit also includes a countdown timer in the message edit form.

Resolves #903.
2016-07-15 13:55:49 -07:00
Tim Abbott c0a6672471 Update path to language_options.json in production.
The previous code didn't correctly transport language_options.json to
the production environment.
2016-07-13 12:30:45 -07:00
Rishi Gupta 43c2f35776 Add realm setting to disable message editing.
This is controlled through the admin tab and a new field in the Realms
table.  This mirrors the behavior of the old hardcoded setting
feature_flags.disable_message_editing.  Partially resolves #903.
2016-07-10 11:57:24 -07:00
Umair Khan 043ae8ad65 Upgrade to Django-Pipeline==1.6.8. 2016-07-09 07:09:55 -07:00
Taranjeet a8a4caf2c0 zerver: Fix lines with length greater than 120. 2016-07-08 11:41:43 -07:00
Eklavya Sharma 63d55bdd86 zerver/views/__init__.py: decode b64encoded ccache.
Convert b64encoded ccache to `str` before passing to
subprocess.check_call.
2016-07-07 10:02:08 -07:00
Umair Khan 035fceb814 Add dynamically loaded language dropdown. 2016-07-04 11:56:02 -07:00
Eklavya Sharma 9772a512cb Use abstract types in annotations. 2016-07-04 03:01:32 +05:30
Vishnu Ks 1cbd39b768 Unique link generator for realm creation. 2016-06-30 15:52:41 -07:00
Tim Abbott abc2c03b0f Fix missing 'current_url' value in registration flow.
This fixes some tracebacks I got while testing the Zulip htpasswd SSO
functionality.

I think that this stopped working as a result of the Jinja2 migration.
2016-06-28 23:05:38 -07:00
acrefoot a36e5d4987 Add get_auth_backends endpoint to API.
We would like to know which kind of authentication backends the server
supports.

This is information you can get from /login, but not in a way easily
parseable by API apps (e.g. the Zulip mobile apps).
2016-06-27 18:30:34 -07:00
Tim Abbott e72f41cdec Remove old prototype data import/export tool.
This prototype from Dropbox Hack Week turned out to be too inefficient
to be used for realms with any significant amount of history, so we're
removing it.

It will be replaced by https://github.com/zulip/zulip/pull/673.
2016-06-27 13:47:08 -07:00
Eklavya Sharma d7a83ed019 zerver/views/__init__.py: Type annotate a variable. 2016-06-27 17:52:37 +05:30
Vishnu Ks 7d654a26c8 Casper test for realm creation. 2016-06-25 10:50:12 -07:00
Vishnu Ks 20adcbc64b Make send_registration_completion_email return the Confirmation object. 2016-06-24 17:47:56 -07:00
Vishnu Ks 8350b89798 Add support for custom error message in realm-creation-failed template. 2016-06-24 17:47:56 -07:00
Tim Abbott 6d71c25a0f accounts_register: Stop using _ as dummy variable.
This conflicts with internationalization.
2016-06-24 17:47:31 -07:00
acrefoot e4ed9195dc Remove rest_dispatch hack and optimize imports.
For a long time, rest_dispatch has had this hack where we have to
create a copy of it in each views file using it, in order to directly
access the globals list in that file.  This removes that hack, instead
making rest_dispatch just use Django's import_string to access the
target method to use.

[tweaked and reorganized from acrefoot's original branch in various
ways by tabbott]
2016-06-24 16:11:03 -07:00
Vishnu Ks 574a304b12 Mention invite emails are printed in console in dev.
This is part 2 of #1046.
2016-06-23 17:07:11 -07:00
Tim Abbott f39c9161fe Fix fetching user API keys via settings page when using LDAP backend.
Previously, json_fetch_api_key was hardcoding a check using Zulip's
built-in password functionality, rather than using authenticate().
2016-06-21 14:58:25 -07:00
Vishnu Ks ad1c3894d9 Add interface for creating new realms.
This is controlled by settings.OPEN_REALM_CREATION; if that setting is
off, this feature doesn't do anything.
2016-06-17 16:15:28 -07:00
kunall17 007eee6061 Add route to fetch emails for mobile passwordless login.
[Tweaked by tabbott to rename API to explicitly support not just
Android]
2016-06-17 11:03:19 -07:00
kunall17 7ea0eaed1c Add passwordless login for mobile app development.
[Tweaked by tabbott to rename API to explicitly support not just
Android].
2016-06-17 10:58:33 -07:00
Vishnu Ks 01c9bb2d5e Make name_changes_disabled() work with no argument. 2016-06-16 17:13:59 -07:00
Eklavya Sharma 6f5ed6e7c9 Fix annotations clashing with Stream model fields. 2016-06-13 20:01:02 +05:30
Eklavya Sharma 10f2ec043d Fix zerver.lib.utils.generate_random_token.
generate_random_token used to return a value of type six.binary_type
and its return type was annotated as `str`.  This commit fixes that
by making it return a value of type `six.text_type` and updating
the annotation accordingly.
Also fix clashing annnotations.
2016-06-12 09:30:53 -07:00
Vishnu Ks 77ec6217eb Add validation for private message recipients.
The function will reject messages where recipients aren't either a
member of the realm or a member of cross_realm_user_emails.

Fixes: #930.
2016-06-11 11:24:45 -07:00
Vishnu Ks f9f31b79d0 Make default_streams web controllable.
Fixes: #665
2016-06-09 15:24:32 -07:00
Tim Abbott bc2961d3ac Refactor file upload routes to their own file. 2016-06-06 16:09:05 -07:00
Deborah Hanus a261a6bbac Annotate zerver/views/__init__.py.
Also fix typing errors in a few related files.

[with tweaks from tabbott]
2016-06-05 11:34:19 -07:00
Umair Khan 08fbd57245 [i18n] Make error messages translatable.
Make all strings passing through `json_error` and `JsonableError`
translatable.

Fixes #727
2016-05-31 07:40:42 -07:00
Tim Abbott 960144a49e Desupport using uninstantiated REQ with has_request_variables.
This makes life difficult for doing static type annotations, and
didn't make the code look that much better anyway.
2016-05-31 07:31:15 -07:00
Aristeidis Fkiaras 3ee210d9e8 Add setting to only allow admins create new streams.
Fixes: #691.

Thanks to Preston Hansen for work on this feature!
2016-05-18 18:53:13 -07:00
Tim Abbott 92bec8cfea Merge Zulip 1.3.12 security release. 2016-05-10 11:32:26 -07:00
Tim Abbott be216506a9 Improve api_fetch_api_key error messages.
Previously, api_fetch_api_key would not give clear error messages if
password auth was disabled or the user's realm had been deactivated;
additionally, the account disabled error stopped triggering when we
moved the active account check into the auth decorators.
2016-05-10 09:50:57 -07:00
Tim Abbott b28b3cd65c CVE-2016-4427: Fix access by deactivated realms/users.
The security model for deactivated users (and users in deactivated
realms) being unable to access the service is intended to work via two
mechanisms:

* All active user sessions are deleted, and all login code paths
  (where a user could get a new session) check whether the user (or
  realm) is inactive before authorizing the request, preventing the
  user from accessing the website and AJAX endpoints.
* All API code paths (which don't require a session) check whether the
  user (and realm) are active.

However, this security model was not implemented correctly.  In
particular, the check for whether a user has an active account in the
login process was done inside the login form's validators, which meant
that authentication mechanisms that did not use the login form
(e.g. Google and REMOTE_USER auth) could succeed in granting a session
even with an inactive account.  The Zulip homepage would still fail to
load because the code for / includes an API call to Tornado authorized
by the user's token that would fail, but this mechanism could allow an
inactive user to access realm data or users to access data in a
deactivated realm.

This fixes the issue by adding explicit checks for inactive users and
inactive realms in all authentication backends (even those that were
already protected by the login form validator).

Mirror dummy users are already inactive, so we can remove the explicit
code around mirror dummy users.

The following commits add a complete set of tests for Zulip's inactive
user and realm security model.
2016-05-10 09:50:48 -07:00
Tim Abbott b869be9301 style: Use 'not in' consistently rather than `not foo in`. 2016-05-09 17:00:10 -07:00
Umair Khan 5359e6b0d4 Convert Zulip to use Jinja2 templates.
This results in a substantial performance improvement for all of
Zulip's backend templates.

Changes in templates:
- Change `block.super` to `super()`.
- Remove `load` tag because Jinja2 doesn't support it.
- Use `minified_js()|safe` instead of `{% minified_js %}`.
- Use `compressed_css()|safe` instead of `{% compressed_css %}`.
- `forloop.first` -> `loop.first`.
- Use `{{ csrf_input }}` instead of `{% csrf_token %}`.
- Use `{# ... #}` instead of `{% comment %}`.
- Use `url()` instead of `{% url %}`.
- Use `_()` instead of `{% trans %}` because in Jinja `trans` is a block tag.
- Use `{% trans %}` instead of `{% blocktrans %}`.
- Use `{% raw %}` instead of `{% verbatim %}`.

Changes in tools:
- Check for `trans` block in `check-templates` instead of `blocktrans`

Changes in backend:
- Create custom `render_to_response` function which takes `request` objects
  instead of `RequestContext` object. There are two reasons to do this:
    1. `RequestContext` is not compatible with Jinja2
    2. `RequestContext` in `render_to_response` is deprecated.
- Add Jinja2 related support files in zproject/jinja2 directory. It
  includes a custom backend and a template renderer, compressors for js
  and css and Jinja2 environment handler.
- Enable `slugify` and `pluralize` filters in Jinja2 environment.

Fixes #620.
2016-05-09 09:55:18 -07:00
Tim Abbott 8a278cbe3a Switch to using a Zulip version of @login_required.
Currently the code is the unmodified Django upstream implementation;
this commit is preparation for modifying it.
2016-04-21 14:59:39 -07:00
Tim Abbott 49799440a4 Replace use of django-guardian with fields on UserProfile.
As documented in https://github.com/zulip/zulip/issues/441, Guardian
has quite poor performance, and in fact almost 50% of the time spent
running the Zulip backend test suite on my laptop was inside Guardian.

As part of this migration, we also clean up the old API_SUPER_USERS
variable used to mark EMAIL_GATEWAY_BOT as an API super user; now that
permission is managed entirely via the database.

When rebasing past this commit, developers will need to do a
`manage.py migrate` in order to apply the migration changes before the
server will run again.

We can't yet remove Guardian from INSTALLED_APPS, requirements.txt,
etc. in this release, because otherwise the reverse migration won't
work.

Fixes #441.
2016-04-20 21:51:52 -07:00
Ashish 1bf644369f Delete old route for json/update_active_status. 2016-04-11 21:38:23 -07:00
Ashish 78b9f45bf7 Delete old route for json/update_pointer. 2016-04-11 21:38:23 -07:00
Ashish 9429358795 Delete old route for /json/get_profile. 2016-04-11 21:38:23 -07:00
Varshit 4e1060076d Purge 'from typing import *' from zerver/.
This is a partial implementation of #636.
2016-04-07 14:07:07 -07:00
Tim Abbott ec7bb0b011 Add PEP-484 type annotations to zerver/views/. 2016-04-03 15:40:23 -07:00
Reid Barton 9735025167 Refactor logic around restricted_to_domain.
Add a function email_allowed_for_realm that checks whether a user with
given email is allowed to join a given realm (either because the email
has the right domain, or because the realm is open), and use it
whenever deciding whether to allow adding a user to a realm.

This commit is not intended to change any behavior, except in one case
where the Zulip realm's domain was not being converted to lowercase.
2016-02-07 10:54:52 -05:00
Reid Barton 0755b51c2e Move create_user_backend into zerver.views.users.
Commit aa33a0da moved users views into their own file, but missed this one.
2016-02-07 10:54:48 -05:00
Reid Barton 4e5f18407d Add comment in create_user_backend about not needing to invite users first. 2016-02-07 10:52:50 -05:00
Tim Abbott 6c5cee2400 Cleanup 500s due to Google oauth2 errors.
These are user errors, albeit somewhat interesting ones, so they
should be logged (and return a user error response), not throw an
exception.
2016-02-02 23:08:20 -08:00
Tim Abbott aad3bff193 Harden style rule for % comprehensions and fix existing errors. 2016-02-02 23:08:19 -08:00
Tim Abbott 5bacda3662 python3: Fix usage of .keys()/.values() to handle iterators.
This fixes the places where we use the result of .keys(), .items(),
and .values() that wouldn't work with an iterator to wrap them with
list().
2016-01-26 21:11:25 -08:00
Tim Abbott 6528b18ad3 Switch all urllib/urlparse usage to six.moves.urllib.
This provides Python 2+3 compatibility for our use of urllib.

Also add a test to avoid future regressions.
2016-01-26 21:09:43 -08:00
Reid Barton ed412281d0 Fix typo in Google OAuth error message. 2016-01-12 09:32:09 -05:00
Tim Abbott c661bc17fb Fix support for having a unique, open realm.
The previous implementation didn't work because HomepageForm rejected
the email as not having a domain.  Additionally, the logic in
accounts_register didn't work with Google auth because that code path
doesn't pass through accounts_home.  Since whether there's a unique
open realm for the server is effectively a configuration property, we
can fix the bug and make the logic clearer by moving it into the
"figure out the user's realm" function.
2016-01-09 22:52:34 -08:00
Tim Abbott 85a8a742e2 Remove unused json_events_register route.
The browser registers for events via loading the home view, not this
interface, and this functionality is available via the API-format
register route anyway.
2016-01-09 20:01:38 -08:00
Tim Abbott 01f613751a Limit DevAuthBackend user list display to 100 users.
This makes it possible to use DevAuthBackend when doing
performance/scalability testing on Zulip with many thousands of users.

It's unlikely that anyone testing this backend will find it valuable
to have more than 100 login buttons on the same page, and if they do,
they can always just change this limit.

Thanks to @dbiollo for the suggestion!
2016-01-09 20:01:37 -08:00
Tim Abbott be9939b2ad Fix tracebacks if HTTP_USER_AGENT is not specified.
Previously, we handled this correctly in some places (like the
decorators) but not in the website flows (accepting ToS, loading /).
2015-12-25 16:23:11 -08:00
Tim Abbott a79e89b28f Cleanup remaining usage of % comprehensions without explicit tuples. 2015-12-05 15:29:42 -08:00
Chris Chapman 44a9e1dff5 Fix for setting file upload size through settings file.
(Slightly tweaked by Tim Abbott to change the variable name, docs, and
default values).

Fixes #276.
2015-11-24 06:06:46 -08:00
Tim Abbott aa33a0daec Move users views into their own file. 2015-11-24 05:20:37 -08:00
Tim Abbott 4d79083cf5 Move tutorial views into their own file. 2015-11-24 05:20:37 -08:00
Tim Abbott f77b0bdb43 Move alert_words views into their own file. 2015-11-24 05:20:37 -08:00
Tim Abbott e64a3d0fae Move reporting views to their own file. 2015-11-24 05:20:37 -08:00
Tim Abbott 8526d02370 Move settings views into their own file. 2015-11-24 05:20:37 -08:00
Tim Abbott 37d4a11610 Move streams views into their own file. 2015-11-24 05:20:37 -08:00
Allie Jones 85809e6140 Add webpack build process. 2015-11-06 09:13:25 -08:00
Tim Abbott cd6f8e9191 Apply Python 3 futurize transform libmodernize.fixes.fix_map. 2015-11-01 09:35:05 -08:00
Tim Abbott 43abd83d1c Apply Python 3 futurize transform lib2to3.fixes.fix_ws_comma. 2015-11-01 09:26:14 -08:00
Tim Abbott 90e61d3b61 Call process_new_human_user consistently when creating new users.
Previously we only did this when new human users were created via the
login process, which meant the management command to create a user did
not add the user to default streams (for example) and any future code
that might want to register a new Zulip user (such as the LDAP
integration) would need to import views/__init__.py in order to
properly set this up.
2015-10-15 09:16:58 -04:00
Tim Abbott 355e1bbd94 Move process_new_human_user and helpers from views to actions.py. 2015-10-15 09:16:58 -04:00
Darren Worrall 77fad7a16e Add an api endpoint to fetch GOOGLE_CLIENT_ID
Further to #102, this provides an endpoint suitable for mobile apps to
consume the GOOGLE_CLIENT_ID if configured.
2015-10-06 23:28:08 +00:00
Tim Abbott a65656dd9d Fix backwards-compatibility for old python-requests .json property.
In b59b5cac35, we upgraded our Google
Oauth code to support new python-requests, but because Ubuntu precise
still has old python-requests, this broke the codepath for older
systems.
2015-10-01 18:54:17 -07:00
Tim Abbott bda9d78092 Use settings.ZULIP_ADMINISTRATOR as contact list for deactivated users. 2015-09-29 17:59:47 -07:00
Yuvi Panda b59b5cac35 Fix TypeError in Google OAuth authenticator.
requests 1.0 changed response.json attribute to response.json()
instancemethod. The code wasn't updated to match that change,
causing a TypeError when attempting to use the Google OAuth
Authenticator backend.

This is fixed simply by using response.json() instead of response.json.
2015-09-26 13:51:27 -07:00
Tim Abbott da5fe944e1 Set limits for export tool.
(imported from commit 0c582223f5b3ac4caf7685217719d4c32c5d2fae)
2015-09-24 19:34:28 -07:00
Tim Abbott b68d116e3a Remove old is_super_user helper functions.
(imported from commit 85655ea9369f5dc309f6f687bac578924571c9ee)
2015-09-20 11:13:20 -07:00
David Roe 3ac95ddc1a Add UserProfile flag to control whether we have a left side userlist.
Previously this was hardcoded for a single customer.

(imported from commit a6b7095050aa10cef976541505d9b09a35453f48)
2015-09-19 23:22:59 -07:00
Tim Abbott 21ac93ae9c Remove the send_to_prod hack.
(imported from commit ba2a4d5e7d83769add979cc05996dbd8b014e8a2)
2015-09-19 21:54:51 -07:00
Tim Abbott fcec80461b Remove the SSO-only realm integration.
It's messy code, only one customer ever used it, and it's not in use
today.

(imported from commit af3f512ac6af74af66c588c7d40d699e98514d0a)
2015-09-19 21:54:51 -07:00
Neeraj Wahi 9f0a6272fa Removed dbx_branding flag and Dropbox corner logo
(imported from commit d205898671643985e2de7c0d6d300bdca32cae21)
2015-09-19 15:16:42 -07:00
David Roe 3f7cb34b00 enterprise => voyager
(imported from commit 04be792bb480d5e5db1c91d296d1000cf1682571)
2015-08-21 10:33:35 -07:00
David Roe edf7e732a2 ENTERPRISE => VOYAGER.
(imported from commit 4f8080b9f506a87ca40bef32e39de5218cba916a)
2015-08-21 10:33:35 -07:00
David Roe d702ddb3cf DEPLOYED => PRODUCTION
(imported from commit a7d365c07916c5103fc721c712db94f9af977640)
2015-08-21 10:33:35 -07:00
David Roe 63e576b811 STAGING_DEPLOYED => ZULIP_COM_STAGING
(imported from commit 25419979292218932c53cface59c1e8e2348a7c2)
2015-08-21 10:33:35 -07:00
David Roe 8778c4726a Add settings.DEVELOPMENT as a complement of settings.DEPLOYED.
(imported from commit 0437140d9fee7eec7b28abe583cfe8cde3e07c21)
2015-08-21 10:33:35 -07:00
Reid Barton ab9539cffe Remove OpenID authentication
(imported from commit 70a859041a851ed10dc40cfc068330e472d2ed09)
2015-08-20 23:52:48 -07:00
Reid Barton d88efef74b Fix field name in get_bots_backend
Django 1.8 noticed that it was wrong.

(imported from commit d9578719e7713c1fd6756b80aac13f4d93f12fa7)
2015-08-20 23:15:45 -07:00
Reid Barton 0aab583bb1 Django 1.8 compatibility: transactions
- autocommit is now the default
- commit_on_success is now atomic

(imported from commit b6166ca666ff23d34f2871ca365ce3ec66b0fa86)
2015-08-20 23:15:45 -07:00
Anders Kaseorg bded0d9d54 Remove corporate beta signup form
(imported from commit 1b3a0cd8a59a124905fa4cbd3121a78d23aeb3a2)
2015-08-20 18:40:34 -07:00
David Roe 3515a69e43 Remove public_streams_disabled.
(imported from commit 1d0c8db92bf8e4c44bd1c96063acfd6eea74925c)
2015-08-20 18:12:53 -07:00
Kate Buckner 4d0f7c7ea4 Add a user-visible setting for 24-hour time display.
(imported from commit d934824fd6b72e64a455aac9ff4585b262145f02)
2015-08-20 17:33:16 -07:00
David Roe bfa70675cb Remove notify_for_streams_by_default.
(imported from commit 9963c97ffec82fe7cf2921bd51422545c29a8915)
2015-08-20 17:33:16 -07:00
David Roe 086d8eee22 Add name_changes_disabled realm field.
(imported from commit 6b04ba2f7ad64c44f2ef18302f0fbd819259d632)
2015-08-20 15:29:46 -07:00
David Roe 5b7f3466ba Add feature where only admins can invite new users.
This is controlled through the admin tab and a new field in the Realms table.

(imported from commit e78a6f48160e2a1bbc68d278beb726fe31515266)
2015-08-20 15:29:46 -07:00
David Roe 809efc4f2b Add realm option to show or not show digest e-mail.
(imported from commit e9cfe519aa9f2857a1dcc7c75f5e1889834fcb86)
2015-08-20 15:29:45 -07:00
David Roe e5cb2a468f Enable Lab features for all users
(imported from commit 4e2658d28a5e02067ad472fec76c66f46592d520)
2015-08-20 15:29:45 -07:00
David Roe 90e2f5053f Add mandatory topics as a realm option.
(imported from commit 929a884b8610669aa24a167367b899683e33a045)
2015-08-20 15:29:45 -07:00
David Roe 472898cfc6 Allow adding users to realms more easily in Dev VM.
Include new field on Realm to control whether e-mail invitations are required
separately from whether the e-mail domain must match.
Allow control of these fields from admin panel.
Update logic in registration page to use these fields.

(imported from commit edc7f0a4c43b57361d9349e258ad4f217b426f88)
2015-08-19 22:24:53 -07:00
David Roe 32783ebbfb Admin users in red, at beginning, in dev login view
(imported from commit 530f0a5d26d5c2b637834281e45adb399852ae0a)
2015-08-19 22:24:53 -07:00
Jonathan Dahan 6f77e68622 Add GET /export endpoint, which dumps important tables in json.
Meant to be used in tandem with the manage.py import command.
The following sensitive data is scrubbed:

  * user api keys
  * user password hashes
  * stream email keys
  * invite-only streams
  * messages from invite-only streams
  * messages from users from other domains

(imported from commit 8e58dcdcb80ef1c7127d3ab15accf40c6187633f)
2015-08-19 15:31:08 -07:00
Tim Abbott f792b67098 Fix send_to_prod redirect to not run on the Dev VM.
(imported from commit 6006c71348706d39740b0d6302df0a548e65b65e)
2015-08-18 20:17:47 -07:00
David Roe 46e224997e Add a new dev login page for logging in without a password on the dev VM.
(imported from commit ac8f2504771c9907b7e92dc91cec5f7220ce951b)
2015-08-18 20:17:47 -07:00
Leo Franchi d865732e0d Maintain two APNS connections and send correct notifications to each
Now we have 2 different Zulip apps out there, and they are signed with
two certs: Zulip and Dropbox. The Dropbox-signed apps are going to need
to be sent APNS notifications from the appropriate APNS connection

(imported from commit 6db50c5811847db4f08e5c997c7bbb4b46cfc462)
2015-02-11 06:57:25 +00:00
Luke Faraone a901677be1 Use a unicode string when grabbing SSO unames
(imported from commit 5742147003928e2207d9eac8704aa6090fb8cb8a)
2015-02-06 09:56:39 -08:00
Jason Michalski 6ba5271824 Fix the SSO path to support mirror dummies
The SSO flow which was never used on a realm with mirror dummies before.
Also change the redirect to stay on the same doain.

(imported from commit 0f1b8a8fcef82ae6eaa5a264686f98d62a683fac)
2015-01-30 20:07:13 -08:00
Jason Michalski bb9ced6e57 Redirect users on the dropbox realm from stage to prod
This commit should only be pushed to stage after c290b630e has been
pushed to prod otherwise it will create a redirect loop.

(imported from commit 408407b845ded596705b1abd8ad13c0aedf6d732)
2015-02-06 00:07:06 -05:00
Jason Michalski 7b82db214c Update the last SSO redirect to use the host header as well
(imported from commit 4392543d5ea4fd4c29c221338e8c5f7919e40b7c)
2015-02-05 23:49:33 -05:00
Jason Michalski 01d018ba31 Change the other use of EXTERNAL_HOST in the oauth2 flow
(imported from commit ff92fcbb43ee19bb2b1520e68c5f6768649246f5)
2015-02-05 23:32:59 -05:00
Jason Michalski 35d22949ed Build the oauth redirect url with the host from the request
(imported from commit 972fed686b556bc8845cf7ae5bca555dc9cbeb13)
2015-02-05 23:14:04 -05:00
Jason Michalski 7e9c121ad3 Use the full_name if available
We were trying to default the users first name when using google auth,
but it was getting lost when rendering the form.

(imported from commit 710e0c2ce591488920458dca74209c75e7031abd)
2015-02-05 21:54:28 -05:00
Jason Michalski 439b86fe3b Migrate the google SSO from openid to oauth2
(imported from commit 6938c1cc5d245cc5642043279470365ff04df903)
2015-02-05 21:54:28 -05:00
Jason Michalski 693857a1f8 Flip the prod to stage redirect for the armooo@dropbox.com
This change will redirect armooo@dropbox.com from stage to prod. It also
removes the prod to stage redirect for all users. This will be rolled
out in two commits to prevent a redirect loop.

(imported from commit c290b630e746f757429b8bbdadbe7768367a5e33)
2015-02-05 17:19:14 -05:00
Zev Benjamin f63ee86730 Fix login popup on cross-realm authenticated content previews
We were serving 401s on /user_uploads when the user wasn't authenticated (due to
it being a REST endpoint).  This was causing a login popup to display instead of
just a broken image preview.

(imported from commit 62640f5bd59eb3b86ab5aae5923ccfa742459805)
2014-10-29 17:53:05 -07:00
Jason Michalski 748fb9afe5 Add avatar_url to v1/users
(imported from commit c89b85e1826dc3fbfdd65ec0529dd364b5e463d5)
2014-07-29 21:46:35 -07:00
Waseem Daher 307d367346 Initial support for white-labeling Zulip as "Dropbox Chat" or otherwise.
Known issues:
* No support for whitelabeling in the email
* No whitelabeling for any externally-visible branding

(imported from commit 9eab7b0744e56a87007b8621a8bb18bbb1080256)
2014-07-29 21:46:33 -07:00
Jason Michalski 8c72eddb72 Add a warning when in the zulip.com realm on production
Display a red warning box to get users to direct users to staging for
the zulip.com (dropbox) realm.

(imported from commit 01ad4209d9247406bc82f5dedaf21371101a1d84)
2014-05-21 13:13:27 -07:00
Luke Faraone 8f8b2519ea Redirect legacy URLs to their new secure location.
URLs with a realm of "unk" will be queried against the new bucket to
determine the relevant realm of the uploading user.

(imported from commit 5d39801951face3cc33c46a61246ba434862a808)
2014-05-05 20:26:29 -07:00
Tim Abbott 8b74a3e052 Remove unauthenticated file upload support from Zulip.
(imported from commit 97262590ac5ad56c18f415fa1c777510aed2baeb)
2014-05-05 16:14:09 -07:00
Tim Abbott 0494e40c39 Merge zerver/tornado_callbacks.py into zerver/lib/event_queue.py.
It had stopped being a coherently distinct component a while ago.

(imported from commit 0617957bcfe8dcaf69143c88a96ddd51ecb31a98)
2014-04-23 17:22:31 -07:00
Zev Benjamin 3498a04613 Call authenticate() when logging users in via JWT
Otherwise the user_profile.backend attribute doesn't get set.  I didn't notice
this previously because on first register authenticate() gets called, and then
the UserProfile object gets cached.  This means that subsequent logins work just
fine as long as the UserProfile object is in memcached.

(imported from commit 834d95c46aa07724ea84802f09b7249de99b5ca8)
2014-04-07 11:01:38 -07:00
Zev Benjamin 5b080bd0cf Fix one name_changes_disabled check
(imported from commit f1bf125949bd282c8a9054d3e3b2e92c7bd5ab4e)
2014-04-06 17:00:28 -07:00
Zev Benjamin 2f7af69091 Add customizations for CUSTOMER16 employees' realm
CUSTOMER16 wants their employee realm to:
* only use JWT logins
* have name changes be disabled (they want users' full names to be the
  their CUSTOMER16 user name).
* not show the suggestion that users download the desktop app

(imported from commit cb5f72c993ddc26132ce50165bb68c3000276de0)
2014-04-04 16:51:32 -07:00
Zev Benjamin bd3f1c6a9e Add JSON web token (JWT) authentication
We currently expect the use of HMAC SHA-256, although there shouldn't be
anything preventing us from using other algorithms.

(imported from commit 354510a0b7e9e273d062a1ab5b2b03d4a749d6a3)
2014-04-04 16:51:32 -07:00
Zev Benjamin 04f211bbff Refactor some of the remote user handling
(imported from commit 13facd7afddfb018af39b39ee48c644d355d8ec3)
2014-04-04 16:51:32 -07:00
Zev Benjamin 2e1d5ffd1c Make password_auth_enabled() take a realm object
This will actually be used in an upcoming commit.

(imported from commit 5d3db685a245899b2523440398f2ed2f0cfec4f4)
2014-04-04 16:51:32 -07:00
Zev Benjamin 6759a78d07 Remove extraneous (and incorrect) realm lookup
(imported from commit 9c618c50b0f27795c91da172d5bc63dd5d5f2e61)
2014-04-04 16:51:31 -07:00
Zev Benjamin 3fc779278b Use EXTERNAL_URI_SCHEME instead of hard-coding 'https'
(imported from commit 3a4d2e0591debd7d5e4b5650b050a1eb1d86aa55)
2014-04-04 16:51:31 -07:00
Zev Benjamin 9114715030 Factor out the check for whether name changes are disabled
(imported from commit 56ddd9cf53ec49e2e096abe82ed44f758912272e)
2014-04-04 16:51:31 -07:00
Jason Michalski 280575aff0 Refactor json_set_avatar and patch_bot_backend to use do_change_avatar_source
(imported from commit eba0ff8a5c4409ac01c710455fe200b28f953b56)
2014-03-05 14:16:20 -05:00
Jason Michalski 64ba85aa19 Refactor regenerate_api_key and regenerate_bot_api_key to use do_regenerate_api_key
(imported from commit 5c54e4771b6730a8ebe304f6b6e86722d28eca8d)
2014-03-05 14:16:20 -05:00
Jason Michalski c17ed8dc8c Add bots to page_params and send events on bot creation
(imported from commit ce418b4f056576d57f82d26af621473c730c12d8)
2014-03-05 14:16:19 -05:00
Jason Michalski 846dfd5105 Update patch bot API to support setting stream defaults
Adds APIs edit a bot's default_to_stream, default_events_register_stream
and default_all_public_streams.

(imported from commit c848a94b7932311143dad770c901d6688c936b6d)
2014-03-05 14:16:18 -05:00
Jason Michalski 50db83508b Add API support for setting defaults in the add bot API
Support setting default_to_stream, default_events_register_stream, and
default_all_public_streams during in the bot creation API.

(imported from commit bef484dd8be9f8aacd65a959594075aea8bdf271)
2014-03-05 14:16:18 -05:00
Jason Michalski f3180b774b [schema] Add default user_profile options for register events
Allow bot owners to set which streams their will receive events for
without needing to change a configuration file.

(imported from commit 2b69e519dbc12ffbdba072031a7f7196c9e50e33)
2014-03-05 14:16:18 -05:00
Zev Benjamin 5c44fa9a29 Move bulk of get_streams_backend to actions.py
(imported from commit 3601444a2aabd1c613db61d71e6bc9fd6b4984d5)
2014-03-03 17:30:57 -05:00
Jessica McKellar fae92685ae Convert /json/subscriptions/property to supporting bulk property updates.
This includes removing GET support for the endpoint, which is unused
and doesn't map well to this being a bulk endpoint.

(imported from commit 348ff9dfa84be1661368c6d7d35aebf2ae2a9ae0)
2014-03-03 16:08:33 -05:00
Jessica McKellar 87635b9e32 Convert settings from static HTML to a template.
This will make life much easier for handling update events.

(imported from commit 66b101eb5fae89b4eec6fc797fee8be26ac99bfb)
2014-03-03 16:08:32 -05:00