Commit Graph

527 Commits

Author SHA1 Message Date
Waseem Daher 68e7a052cb Remove the link to 'activity' from the gear menu.
I find that I never use it, and I don't totally like our
experience in the app to be different from our users'.
Admittedly, this is a small way in which that's the case :)

Finally, since we do usability studies in @humbughq.com,
the link appears there too, and I'd like it not to.

(imported from commit 1225c4ae79de52fa98b21ce00a6542df76b667ea)
2013-03-07 13:12:45 -05:00
Waseem Daher 4ea7ac102f Allow internal_send_message to send cross-realm stream messages.
Prior to this change, any stream message sent by internal_send_message
could only be in the realm of the sender.

This was a problem most notably for... the tutorial bot, with the
hilarious consequence that the tutorial worked fine in humbughq.com,
but failed to start anywhere else.

(imported from commit 33a904a28e3a57e1a2cf9172c2e2a75b50967a50)
2013-03-06 23:04:57 -05:00
Reid Barton 6bb9ad4e3c Avoid cross-site logout attacks
Require POST method for /accounts/logout. This has the side effect of
automatically enabling Django's CSRF protection.

(imported from commit 44b1b6ebaadc1c03006e21ae54ac768e31234801)
2013-03-06 19:10:04 -05:00
Waseem Daher f7d189feb8 Don't send GitHub notifications (for CUSTOMER18) if not to master.
People make throwaway branches all the time, and we don't
want to spam them.

(imported from commit 0e7b628573ad1a6a7f49d3c4b4135c7d3a911834)
2013-03-06 17:30:52 -05:00
Tim Abbott 27d91eb9ea Fix including debug.js when DEBUG=True.
Previously, it wasn't actually included in the index.html templates.

(imported from commit b9f9903e0daa808ec1f6ff966309cbc4eef9b9fd)
2013-03-06 11:36:15 -05:00
Waseem Daher ca127f8228 Allow tutorial bot to send messages to a stream.
But only allow them to send to tutorial-<<your username>>.

The idea being that this helps reduce potential abuse from this JSON
call. (Because otherwise, anyone could call into this endpoint and
have the tutorial bot send random messages to random peoples's
streams.)

(imported from commit 471d4348d7ad43858b5df240e4f1dceba006aab6)
2013-03-05 23:46:10 -05:00
Tim Abbott 36bb39ede9 Fix improperly case-sensitive narrowing by subject.
(imported from commit 24403f0815e46f21000f7d5a5b59bfdfe3448ddf)
2013-02-28 17:49:57 -05:00
Tim Abbott 1e9a85ff05 Fix use of case-sensitive comparisons on email addresses.
(imported from commit d420169640a9f9c034b3d9ded207e583691f6652)
2013-02-28 17:49:57 -05:00
Tim Abbott 49af19aa71 Add support for narrowing by a message's sender.
Fixes #972.

(imported from commit 2514d14c94a071f2b3e6149a2bdaeaa00e0c847f)
2013-02-28 17:49:57 -05:00
Jessica McKellar 6a56ed0c94 Add a button on the Settings page to declare Humbug bankruptcy.
(imported from commit 6ca635e997ada54b816abe3425980102ad8f5d2c)
2013-02-27 18:16:51 -05:00
Jessica McKellar ff62ac96e6 Extend get_profile to also be a JSON request.
(imported from commit 38e0d5a9aa2498ffcdfa65b07283a456257feafd)
2013-02-27 18:16:50 -05:00
Jeff Arnold fcd033e33e [schema] Save enter_sends on the server in the database.
(imported from commit 4d82f6aaf5918f155a930253c9cc334dbcc0d97a)
2013-02-27 17:25:29 -05:00
Keegan McAllister cc19afd0fe Re-enable desktop notifications in automated testing
After c1d98239 the function works in CasperJS as well.

Reverts some of 90f4d6ac3ddb387e74051b9af2c230698fa94479.

(imported from commit 3579df33930bb34dc081908b84900905eee6d270)
2013-02-26 18:02:20 -05:00
Keegan McAllister 56d183ea06 Remove lurk mode from web client and API examples
See #796.

(imported from commit e238ce571c3f30d8312b630df7048ad1d9cad6d2)
2013-02-21 15:11:10 -05:00
Waseem Daher 163c9c8d75 Add a JSON call that causes the tutorial bot to send you a message.
The idea here is: part of the onboarding tutorial is going to
be you talking to the tutorial bot and it talking to you, from
our Javascript.

The reason it's driven by Javascript is that then in principle we can
do nice stuff like making popovers appear in places to point things
out to you, whereas if we were to do it strictly server-side, doing so
would be a lot harder.

The downside to doing it in Javascript is that you don't get any of
the Markdown rendering, since that happens on the server. So instead
we add this call where you give it a message, and it responds by
having the tutorial bot send you that message.

I don't think there are any security concerns here because
(1) The bot only messages you -- so you can't use it to make someone
    else think that the system is telling them to do something
(2) If there were an issue associated with having the server parse
    arbitrary Markdown, you could just trigger the issue by sending
    a message yourself.

(imported from commit b34f594dab6be6bcb81899278ae1cbe447404468)
2013-02-20 23:04:49 +00:00
Zev Benjamin 061aaea601 Use plainto_tsquery instead of to_tsquery
This will discard punctuation symbols in the Postgres search and also prevent
syntax errors when users try to submit queries with symbols that to_tsquery
interprets as special syntax (such as '|' and '&').

Fixes #906

(imported from commit 3e3a0d6ae3d4a516beb8a5846f06065294ca9457)
2013-02-15 16:18:02 -05:00
Tim Abbott 1612b5c045 Fix sending messages to numeric stream names.
json_to_foo will raise a ValueError if the JSON passed to it is just a
string containing a number, e.g. "1".

Traceback (most recent call last):
  File "/home/tabbott/humbug/zephyr/views.py", line 711, in extract_recipients
    recipients = json_to_list(raw_recipients)
  File "/home/tabbott/humbug/zephyr/decorator.py", line 289, in json_to_list
    return json_to_foo(json, list)
  File "/home/tabbott/humbug/zephyr/decorator.py", line 282, in json_to_foo
    raise ValueError("argument is not a %s" % (type().__class__.__name__))
ValueError: argument is not a list

Fixes #776.

(imported from commit 0c123a610c009eda9004cf0b0b53d60695c4e8d5)
2013-02-13 13:08:40 -05:00
Luke Faraone ea7005e8e3 Rename is_active to is_inactive.
The purpose of the validator is to ensure the user isn't active, so
let's correctly test for that here.

(imported from commit 772ddb901098f78750efab274405a10f36c49232)
2013-02-12 16:15:29 -05:00
Luke Faraone 54a19e9091 Check whether users are active, not whether they are nonunique.
Previously we checked and bailed when there was a user registered with
an email address, regardless of active status.

This meant that MIT users who had inactive accounts autocreated had
issues where they would be confusingly told they were signed up even
though they had never taken any action on our site directly.

Now we instead check whether there are any current *active* user
accounts with that email address, and proceed with generating an
activation link if the user lacks a corresponding active account.

Security implications of this commit come into play if we start
implementing removing users ability to sign in as deactivation. Since we
lack a user removal story here, this isn't terribly concerning yet and
we'll revist this code when we decide to add such functionality in the
future.

This resolves trac #581 and #631.

(imported from commit c3fb93ce065e63e19b41f63c1f27891b93b75f86)
2013-02-12 15:31:06 -05:00
Tim Abbott 62c632ceef presence: Fix loop making database queries.
The previous select_related didn't properly get the User object,
containing the email address, and thus would make one query per user
with presernce information.

(imported from commit 3341bc5a65387030fa8737b03ca43f79089ef56b)
2013-02-12 14:52:59 -05:00
Keegan McAllister 6fba03a0a4 activity: Use select_related when querying UserActivity records
On my dev machine this cuts /activity load time with lots of users by more than
2/3.  I expect the gains will be even greater in production due to the greater
relative cost of database queries.

(imported from commit 0391cb29f66b618b4b99902d9fb9ab0a6cff0cb3)
2013-02-12 13:46:16 -05:00
Leo Franchi 78ffe36c2d Hide users list for MIT
(imported from commit 4e9dcef483e0c0d85ba2e7511f1abfa4da06be9e)
2013-02-12 12:30:52 -05:00
Leo Franchi 0a0c4bb9a0 [manual] Use rabbitmq for asynchronous presence updating
Note: When deploying, restarting the process-user-activity-commandline script is needed

(imported from commit 63ee795c9c7a7db4a40170cff5636dc1dd0b46a8)
2013-02-11 18:05:57 -05:00
Leo Franchi 31f87481d0 [manual][schema] Add an API for user presence (idle) information
Adds a new db table for storing presences, and an API for setting
an individual user's idleness as well as fetching all idle status
for all users in a realm

(imported from commit 5aad3510d4c90c49470c130d6dfa80f0d36b0057)
2013-02-11 18:05:57 -05:00
Jessica McKellar 3a39ac76c4 Add a new /get_members API query.
(imported from commit ced7c74212210a1fcee03c1c402dca9b42483d11)
2013-02-11 13:45:46 -05:00
Luke Faraone 8dbda2cd64 Use full emails rather than just usernames in /activity.
(imported from commit c0397d6429fe85f0bd6e57731dd2132ed1e11b85)
2013-02-11 10:33:16 -05:00
Keegan McAllister c5644cff12 notify_new_user: Remove code specific to customer29.invalid
(imported from commit 4ac29251ccbfafb4a7c2dd9d7b200474d68505d9)
2013-02-08 13:33:28 -05:00
Keegan McAllister d68674be83 Remove CUSTOMER30-specific account views
Reverts c4b6f744 (inexactly, since there are some other changes along the way).

(imported from commit 5c7294fb13cd0bc523ae55c137dc5254b7cb0121)
2013-02-08 13:33:28 -05:00
Jessica McKellar ad8e9598f6 Log domain in do_activate_user.
(imported from commit 0e39b5ddc395ff245f8e3b0252ea3b33a90860f1)
2013-02-08 13:20:19 -05:00
Jessica McKellar 18db4bc823 views: remove unused imports.
(imported from commit 38a4981637f1b3bfd9135d459a17a3ba142c86a7)
2013-02-08 13:20:19 -05:00
Jessica McKellar 1fcf43c289 When someone invites you to Humbug, infer your domain from their referral.
Regardless of your e-mail address, as the realm might be open.

(imported from commit 5f9cdbdef52f8c8ae61035e71f12a9b7e4ed4a5e)
2013-02-08 13:20:18 -05:00
Jessica McKellar 256fa0e485 Fix invite bug in which we'd falsely say you'd invited folks with existing accounts.
(imported from commit 9114836d084937dcc1a707338dd916e28f97a87d)
2013-02-08 13:20:18 -05:00
Jessica McKellar a332bee2b7 When inviting users, check if the invitee is in-domain or the realm is open.
(imported from commit 42e072d9717f38cc6d0c7010d37bbabd81aa3ae7)
2013-02-08 13:20:18 -05:00
Jessica McKellar aeba3beb55 Validate and document checking the domain of the recipient of an MIT Zephyr Humbug.
(imported from commit 35b8675171bcdf0c27655723bc76bced8b53a431)
2013-02-08 13:20:18 -05:00
Zev Benjamin 526995316f Use the new tsvector cache column for full text search
Note that the tsvector cache column should be fully populated before
commit is deployed.  Otherwise, full text search will be broken until
it's populated.

(imported from commit 23c36fb7d146c289148e8243c3d6a9a6494cfc62)
2013-02-06 12:09:49 -05:00
Luke Faraone 3de93f2b2b Pass stream information in initial template.
This allows us to remove fetch_colors() entirely, and should speed up page
load a bit.

We also JSONEncoderForHTML instead of dumps so that the result is safe
to embed.

(imported from commit 013630911960e2ac1d0bae6f5df31ad342750594)
2013-02-05 15:34:37 -05:00
Luke Faraone e8afaa8b8e Return a dictionary in subscriptions/list instead of a tuple.
This will give us flexibility in the future to add new properties to the
list.

In order to support that, we now do a list comprehension rather than just
returning the gather_subscriptions list in get_stream_colors.

(imported from commit a3c0f749a3320f647440f800105942434da08111)
2013-02-05 15:34:37 -05:00
Luke Faraone 1c3c3cc33f Add call to toggle whether a view is in the home view.
(imported from commit 5ece7b74a5ac4929a46d3d66ae5d838e1f418b44)
2013-02-05 15:34:37 -05:00
Luke Faraone 2a01b355a4 Correctly return a JSON error if property value is not passed.
Previously we checked if property was false after doing .strip(). Since
you can't call string methods on a NoneType, we were 500ing.

The code now does a normal dictionary get via [] and catches the
KeyError.

(imported from commit da7f28febf0865f44e92bcac1791f817c3d370f3)
2013-02-05 15:34:37 -05:00
Luke Faraone b78d154370 Factor out subscription retrieval code into another function.
(imported from commit 6a66a4feb03990e11c98cd8666d1a7bb97299987)
2013-02-05 15:34:36 -05:00
Luke Faraone 3d25fbce49 Replace calls to json_error to raise JsonableError.
Returning json_error inside an inner function call will result in the error
getting lost.

(imported from commit fd7754b15f7b62fd6e4197fd72ae03d6996a93da)
2013-02-05 15:34:36 -05:00
Luke Faraone 2d4ef59f68 Fix InviteOnlyStreamTest to call public API
Previously we made calls to the JSON api, which means that the API key
was being ignored.

(imported from commit 46d8d0e5ac7926e824f300fd846ec42bc939e2c0)
2013-02-05 15:34:36 -05:00
Jessica McKellar fdb0d15080 Don't let non-subscribers of invite-only streams query the membership.
(imported from commit 01bd8ea089dec96e487e5e82fb38df65703679ae)
2013-02-05 10:12:04 -05:00
Jessica McKellar ab21823c19 Fix bug allowing people to subscribe themselves to others' invite-only streams.
(imported from commit db7634d81677217032c180d8bab297cc766228f1)
2013-02-05 10:01:45 -05:00
Jessica McKellar dc66d6290b views: be more strict about the value of invite_only in add_subscriptions_backend.
(imported from commit 565375b06bb38382100923554e52a16549a18e00)
2013-02-05 10:01:45 -05:00
Jessica McKellar 6d880c2147 subscriptions: make invite-only checkbox have an effect.
(imported from commit 7ee5c5c88efa4ab21395c03012c2921fd3c5192e)
2013-02-05 10:01:45 -05:00
Jessica McKellar 7e6a9136f5 views: make add_subscriptions_backend able to subscribe many people to streams.
Before, it let you subscribe only yourself or one other person to
possibly many streams.

This is used by the subscriptions page to specify the subscribers when
you create a stream.

(imported from commit c1055e98b0bb27799ac9e6dad80b9c9fd87deca2)
2013-02-05 10:01:45 -05:00
Zev Benjamin d5fdfd7be2 Make searching for multiple words be treated as the boolean AND of those words
(imported from commit d9e47dd25553cc31eeda615e3a5709436e883ab3)
2013-01-31 18:10:54 -05:00
Zev Benjamin 97851a93c4 Use full text search when using Postgres
On my laptop, this cuts search time from several seconds down to
a few hundred milliseconds.

If we want even more speed, we could store the ts_vector as a column
on the message database.  The Postgres documentation says this will
make "searches [...] faster, since it will not be necessary to redo
the to_tsvector calls to verify index matches."  Going this route
requires creating a trigger to automatically insert the appropriate
column when new rows are inserted.

Note that the full text index must be fully created before this
commit is deployed.  Full text search without an index is actually
significantly slower than using the LIKE operator.

(imported from commit ae74083da20d33aa2425d3e44fcdc19b160002ba)
2013-01-31 15:57:45 -05:00
Zev Benjamin 1f4e27cf52 Pass the query object to NarrowBuilder
This is for allowing us to do things more complex than returning a Q
expression, needed for doing Postgres full text search.

(imported from commit 669ec71417c04baaf8ed1774bee147079b05b03d)
2013-01-31 15:57:45 -05:00