Commit Graph

2069 Commits

Author SHA1 Message Date
Kevin Lin b2c29274f3 presence: Allow bots to fetch realm presence data.
Before, presence information for an entire realm could only be queried via
the `POST /api/v1/users/me/presence` endpoint. However, this endpoint also
updates the presence information for the user making the request. Therefore,
bot users are not allowed to access this endpoint because they don't have
any presence data.

This commit adds a new endpoint `GET /api/v1/realm/presence` that just
returns the presence information for the realm of the caller.

Fixes #10651.
2018-10-15 12:51:28 -07:00
Steve Howell 0f7628280f narrow: Handle spurious emails in pm-with searches.
If cordelia searches on pm-with:iago@zulip.com,cordelia@zulip.com,
we now properly treat that the same way as pm-with:iago@zulip.com.

Before this fix, the query would initially go through the
huddle code path.  The symptom wasn't completely obvious, as
eventually a deeper function would return a recipient id
corresponding to a single PM with @iago@zulip.com, but we would
only get messages where iago was the recipient, and not any
messages where he was the sender to cordelia.

I put the helper function for this in zerver/lib/addressee, which
is somewhat speculative.  Eventually, we'll want pm-with queries
to allow for user ids, and I imagine there will be some shared
logic with other Addressee code in terms of how we handle these
strings.  The way we deal with lists of emails/users for various
endpoints is kind of haphazard in the current code, although
granted it's mostly just repeating the same simple patterns.  It
would be nice for some of this code to converge a bit.  This
affects new messages, typing indicators, search filters, etc.,
and some endpoints have strange legacy stuff like supporting
JSON-encoded lists, so it's not trivial to clean this up.

Tweaked by tabbott to add some additional tests.
2018-10-12 10:18:30 -07:00
Joshua Pan 971cb18cb3 user_settings: Compare new stripped email with old email.
We weren't comparing the newly stripped email with the current
old email, thus adding spaces around an email would result in
an error.
2018-10-11 15:55:32 -07:00
Tim Abbott 8cf104b643 avatar: Allow API authentication for /avatar/ routes.
This makes it feasibly for the mobile apps to correctly render user
avatars generated by the `!avatar()` syntax.
2018-10-11 15:52:29 -07:00
Aditya Bansal 3164f1a9a4 avatar: Rename user_profile to avatar_user_profile.
This is a preparatory commit for upcoming changes to move
/avatar/ to be a logged in or API accessible endpoint.
Basically we rename this variable because the new name is more
appropriate in the situation. Also user_profile will be used to
hold the user_profile of person accessing the endpoint in coming up
commit.
2018-10-11 15:50:37 -07:00
Aditya Bansal 6e433186a1 thumbnails: Change thumbnail size to be 300px.
Fixes: #10219.
2018-10-11 15:44:47 -07:00
Vishnu Ks d8c19cb003 models: Move billing models from zilencer to corporate. 2018-10-11 14:54:29 -07:00
Callum Fraser 383f1633e6 api: Add limit of total messages available per request of 5000.
Tweaked by tabbott to use a declared constant rather than just use
5000 in multiple places; this also means we can change the count
without updating translations.

Fixes #10446.
2018-10-09 15:43:21 -07:00
Greg Price 82a4dd832f search: Always encode match_subject as HTML.
The `match_subject` field is supposed to contain HTML; that's how
the highlighting is done.  But the `subject` field is plain text --
it must be encoded if we want corresponding HTML.

Of the three places the `match_subject` field is populated -- two
here in messages_in_narrow_backend, one in get_messages_backend --
two of them already do this correctly, via get_search_fields.
Fix the remaining one, where in a `/messages/matches_narrow` query
we populate `matches_subject` even if the query didn't involve a
full-text search.

This doesn't affect the webapp, which ignores `match_subject` unless
it knows it did a full-text search; nor the mobile app, which
doesn't use `/messages/matches_narrow` at all.
2018-10-02 12:07:54 -07:00
Harshit Bansal 20aee7b116 emoji: Change fallback emojiset for text emojiset.
Now that we have added back support for `google-blob` emojiset,
changing the fallback emojiset for `text` emojiset to `google-blob`
make sense.
2018-09-21 18:34:12 -07:00
Vishnu Ks 169de2f9cb billing: Include link to /plans and /billing in gear menu. 2018-09-07 17:30:26 -07:00
Rishi Gupta 2a0523cbe5 billing: Hide /plans if Realm.plan_type=SELF_HOSTED. 2018-09-05 13:44:35 -07:00
Vishnu Ks 9489ce0efc plans: Redirect to login if /plans is accessed from realm subdomain. 2018-09-05 13:44:35 -07:00
Pragati Agrawal ba4e4e38ae user settings: Add setting to make login notifications optional.
This adds a feature in the "Notification" section of "Settings" tab,
which lets user enable or disable login emails notification.

Tweaked by tabbott to simplify the test.

Fixes: #5795, progress towards #5854.
2018-08-28 14:02:31 -07:00
Roman Godov a2f407c11b api: Add an endpoint for listing the user groups in realm.
Adds endpoint for listing the user groups in realm.
Provides "description", "members", "name" and "id" for each user group.

Fixes #10298
2018-08-27 16:56:23 -07:00
Lyla Fischer 1efcdfdb5c templates: Merge Help and API doc main into documentation_main.
With minor fixes by eeshangarg.
2018-08-27 20:19:24 -02:30
Yago González 8b141e6dbc muting: Correct agrammatical error message.
The error message displayed when unmuting a topic that wasn't previously
muted wasn't properly formulated.
2018-08-27 14:12:03 -07:00
Vishnu Ks d2e4417a72 urls: Separate endpoint for signup and new realm email confirm.
This is preparation for the next commit.
2018-08-26 22:53:57 -07:00
Yashashvi Dave d5153bd136 events: Convert custom user field value to json object on update event.
In user type custom field, field value is list of user ids. We weren't
converting list to json object in update event payload. This throws
error in frontend, cause we store stringify representation of custom
field value. Therefore, after update event is recieved field-value-
type gets updated to array from string which throws json parsing error.
2018-08-22 22:45:08 -07:00
Joshua Pan 79e2266d6e models: Create starred_message_counts boolean field. 2018-08-21 13:42:22 -07:00
Eeshan Garg f476ec7fac webhooks/freshdesk/doc.md: Render example JSON correctly.
We've been getting reports from users that our Freshdesk webhook
isn't working correctly. It turns out that the issue had nothing
to do with the webhook implementation itself!

In freshdesk/doc.md, we have a JSON template we ask users to
copy/paste into a textbox in the Freshdesk UI. That JSON template
contains "{{" and "}}" characters which we escaped as Unicode
decimals to prevent clashes with Jinja2 syntax in other parts
of the same template. This worked for a while!

But thanks to the changes introduced as part of the
nested_code_blocks extension, such escaped characters were never
decoded, leading users to copy/paste the same template but with
raw escaped unicode representations of "{{" and "}}" inside. And
that eventually broke our webhook implementation.

This commit makes sure that such characters are properly "unescaped",
just for Freshdesk docs.
2018-08-17 08:55:41 -07:00
Yashashvi Dave 8ef0c6d99a custom profile field: Add length validation on field name and hint.
Add max length validation for custom field name and hint
on create-field and update-field backend views and
frontend forms.

Fixes #10284.
2018-08-17 08:37:27 -07:00
Harshit Bansal 7be7561c68 emoji: If current emojiset is text then fallback to google emojiset.
If `TEXT_EMOJISET` is currently selected emojiset then fallback to
`GOOGLE_EMOJISET` for displaying emojis in emoji picker and
composebox typeahead. We should pre-load the spritesheets in`emoji.js`
even in case of text emojiset otherwise on slow networks emoji picker
will appear empty initially.
2018-08-14 12:01:00 -07:00
Yashashvi Dave 2a73b2b805 custom profile field: Add at-least-one-choice validation for choice field.
Add validation at-least-one-choice required for every choice type field
in backend.
2018-08-14 10:17:57 -07:00
Shubham Padia feb2cdf378 onboarding: Change logic for preventing new login emails for a new user.
Issue: When you created a new organization with /new, the "new login"
emails were emailed. We previously had a hack of adding the
.just_registered property to the user Python object to attempt to
prevent the emails, and checking that in zerver/signals.py. This
commit gets rid of the .just_registered check.
Instead of the .just_registered check, this checks if the user has
joined more than a minute before.
A test test_dont_send_login_emails_for_new_user_registration_logins
already exists.

Tweaked by tabbott to introduce the constant JUST_CREATED_THRESHOLD.

Fixes #10179.
2018-08-13 10:16:41 -07:00
Steve Howell 413a0174f4 Extract a zephyr.py library.
Right now it only has one function, but the function
we removed never really belonged in actions.py, and
now we have better test coverage on actions.py, which
is an important module to get to 100%.
2018-08-11 14:51:26 -07:00
Tim Abbott 83300c329b register: Fix period at end of heading. 2018-08-09 17:17:45 -07:00
Shubham Padia bdaff17e28 narrow: Use is_private flag index for `is:private`.
This implements a significant performance optimization for users
clicking the `Private messages` narrow in the Zulip UI, especially for
those users who do not have 50 recent private messages in an
organization with a lot of stream message traffic (because then
previously, postgres needed to scan through a huge amount of history
to find enough private messages).

The database index powering it can also support many other queries we
might want to do in the future to support "recent conversations" type
features.

Fixes #6896.
2018-08-09 16:10:01 -07:00
Tim Abbott 3e885e52b2 i18n: Fix hard-to-translate notification bot string. 2018-08-09 08:37:23 -07:00
Yago González 298aa0fcbf mobile: Make otp_encrypt_api_key accept API keys.
Since otp_encrypt_api_key only encrypts API keys, it doesn't require
access to the full UserProfile object to work properly. Now the
parameter it accepts is just the API key.

This is preparatory refactoring for removing the api_key field on
UserProfile.
2018-08-08 16:45:40 -07:00
Yago González 6a192ac84c utils: Move random API key generator as generate_api_key.
random_api_key, the function we use to generate random tokens for API
keys, has been moved to zerver/lib/utils.py because it's used in more
parts of the codebase (apart from user creation), and having it in
zerver/lib/create_user.py was prone to cyclic dependencies.

The function has also been renamed to generate_api_key to have an
imperative name, that makes clearer what it does.
2018-08-08 16:45:25 -07:00
Yago González f6219745de users: Get all API keys via wrapper method.
Now reading API keys from a user is done with the get_api_key wrapper
method, rather than directly fetching it from the user object.

Also, every place where an action should be done for each API key is now
using get_all_api_keys. This method returns for the moment a single-item
list, containing the specified user's API key.

This commit is the first step towards allowing users have multiple API
keys.
2018-08-08 16:35:17 -07:00
Tim Abbott 9941b408a0 email_log: Only import Django test client when using it.
Importing the Django test client is somewhat expensive, and we only
use it within one view function that's not used in production.  So
there's a significant startup-time performance optimization in doing
an import inside the view code.
2018-08-08 14:19:42 -07:00
Yago González 14bc5c7d5c messages: Don't require "anchor" when "use_first_unread_anchor" is set.
The use_first_unread_anchor parameter allows automatically setting the
anchor to the first message that hasn't been read in this narrow.
Therefore it isn't necessary to specify an anchor when this parameter is
enabled.

Note from Tim: Arguably, we should think about making
`use_first_unread_anchor` the default behavior when anchor is
unspecified, but that's for later consideration.
2018-08-08 10:30:08 -07:00
Yashashvi Dave 6e136be975 default stream: Allows admins to remove any default stream.
This fixes a bug where administrators couldn't remove private
unsubscribed streams from the "default streams" list, because
access_stream_by_name didn't give them access to the stream object.
2018-08-07 13:28:30 -07:00
Abhilash Verma 1d2f8bed92 emoji: Show emoji names with spaces on front-end.
This commit also supports entering emoji names with spaces
replacing them with underscores before saving.

Fixes #10177.
2018-08-04 09:40:52 -07:00
Tim Abbott c775be8ea4 do_mark_stream_messages_as_read: Accept a Client object.
We also fix an incorrect Optional in the type annotations.
2018-08-01 16:49:57 -07:00
Tim Abbott 6e55342e21 bulk_remove_subscriptions: Pass client object in.
We need the client object to pass on to do_mark_stream_as_read.
2018-08-01 16:48:31 -07:00
Tim Abbott c60f197fde do_update_message_flags: Accept a Client object.
This is important for upcoming logging changes.
2018-08-01 16:40:58 -07:00
Tim Abbott 0e44010976 do_mark_all_as_read: Accept a client object.
This is needed for upcoming logging changes.
2018-08-01 16:40:15 -07:00
Tim Abbott 5f0519dfb4 do_update_pointer: Pass client object from callers.
We also fix an unused import.

This is needed for upcoming logging changes.
2018-08-01 16:40:15 -07:00
Vishnu Ks 6b3706494c notifications: Pass realm_creation argument to enqueue_welcome_emails. 2018-08-01 11:29:34 -07:00
Roman Godov c0806917ec models: Rename Realm.restricted_to_domain field.
This renames Realm.restricted_to_domain field to
emails_restricted_to_domains, for greater clarity as to what it does
just from seeing the setting name, without having to look it up.

Fixes part of #10042.
2018-07-31 09:28:33 -07:00
Tim Abbott aa5959396d docs: Add some basic subsystem documentation for thumbnailing. 2018-07-30 13:20:54 -07:00
Aditya Bansal 77651ece39 thumbnails: Rename size value 'original' to 'full'. 2018-07-30 13:00:23 -07:00
Tim Abbott 07af59d4cc tornado: Split get_events_backend into two functions.
The lower-layer function, now called get_events_backend, is intended
to be called by multiple code paths (including the upcoming
get_events_internal).
2018-07-30 12:28:31 -07:00
Tim Abbott 00f6fc2559 subs: Limit editing subscribers for waiting period users.
Does not let you subscribe other users if you are a guest or a
waiting period user.

Co-authored-by: Shubham Padia <shubhamapadia@gmail.com>
2018-07-30 12:12:51 -07:00
Rohitt Vashishtha d83ef30904 notification-bot: @-mention the user subscribing you to a stream. 2018-07-30 09:50:48 -07:00
Shubham Dhama 9cf67a5e71 models: Add function to get UserMessage from message id. 2018-07-28 14:58:36 -07:00
Tim Abbott eff372da74 mypy: Fix mypy error with optional.
This was missed in a57d337113.
2018-07-27 10:58:08 -07:00
Tim Abbott a57d337113 bots: Enforce bot creation policy on reactivating bots.
It's sorta an unusual state to get into, to have a user own a
deactivated bot, when they can't create a bot of that type, but
definitely a valid possibility that we should be checking for.

Fixes #10087.
2018-07-27 10:31:38 -07:00
Tim Abbott 2918cc92f3 search: Duplicate HTML template content for search area.
This is preparation for being able to work on the search pills feature
without making any user-facing changes until we're ready to enable it.
2018-07-23 11:29:10 -07:00
Tim Abbott 8dca8f1087 search: Add setting to control whether search pills are enabled.
This setting isn't intended to exist long term, but instead to make it
possible to merge our search pills code before we're ready to cut over
production environments to use it.
2018-07-23 11:29:10 -07:00
Aditya Bansal 98a4e87e1d thumbor: Complete implementation of thumbnailing.
Various pieces of our thumbor-based thumbnailing system were already
merged; this adds the remaining pieces required for it to work:

* a THUMBOR_URL Django setting that controls whether thumbor is
  enabled on the Zulip server (and if so, where thumbor is hosted).

* Replaces the overly complicated prototype cryptography logic

* Adds a /thumbnail endpoint (supported both on web and mobile) for
  accessing thumbnails in messages, designed to support hosting both
  external URLs as well as uploaded files (and applying Zulip's
  security model for access to thumbnails of uploaded files).

* Modifies bugdown to, when THUMBOR_URL is set, render images with the
  `src` attribute pointing /thumbnail (to provide a small thumbnail
  for the image), along with adding a "data-original" attribute that
  can be used to access the "original/full" size version of the image.

There are a few things that don't work quite yet:
* The S3 backend support is incomplete and doesn't work yet.
* The error pages for unauthorized access are ugly.
* We might want to rename data-original and /thumbnail?size=original
  to use some other name, like "full", that better reflects the fact
  that we're potentially not serving the original image URL.
2018-07-15 00:39:41 +05:30
Aditya Bansal 63ec8b08b8 archives: Add endpoint to fetch topic history of web public streams.
In this commit we add a new endpoint so as to have a way of fetching
topic history for a given stream id without having to be logged in.
This can only happen if the said stream is web public otherwise we
just return an empty topics list. This endpoint is quite analogous
to get_topics_backend which is used by our main web app.

In this commit we also do a bit of duplication regarding the query
responsible for fetching all the topics from DB. Basically this
query is exactly the same as what we have in the
get_topic_history_for_stream function in actions.py. Basically
duplicating now is the right thing to do because this query is
really gonna change when we add another criteria for filtering
messages which is:
Only topics for messages which were sent during the period the
corresponding stream was web public should be returned.
Now when we will do this, the query will change and thus it won't
really be a code duplication!
2018-07-14 09:51:37 +05:30
Yago González 0e135b69f9 alert words: Return the updated list when adding/removing words.
POST and DELETE operations in /users/me/alert_words may leave the
user's list of alert words in an unknown state: POSTing adds words to a
list that the client may not know from the begining, and the same with
DELETE.

Replying with the current status of the alert words list is the best way
of letting the client alter the list and knowing its contents after
being updated with a single query.

This is especially useful taking into account that POSTing words that
were already present and DELETing non-existing words both produce a
successful response.

An extra test has been added to avoid leaving GET /users/me/alert_words
too untested.
2018-07-13 01:01:00 +05:30
Yago González 3b21b17a35 alert words: Make alert_words required for POST and DELETE.
Querying an endpoint with no information (thus a noop) and it producing
a successful response doesn't seem to be expected.

Given the case that the client makes such query with no content it will
probably be unintentional and the API should let them know about it.
2018-07-13 01:01:00 +05:30
Sarah d1cda29fb4 API: Add stream email notification setting plumbing.
This is all the plumbing that makes it possible to enable the
stream_email_notifications setting via the Zulip API.  The flag still
doesn't do anything yet, but this is a nice checkpoint along the way
to implementing this feature.
2018-07-12 13:39:14 +05:30
Yago González e9cd0ad3d6 reactions: Allow using emoji_name for removing reactions.
Given that we allow adding emoji reactions by only using the
emoji_name, we should offer the same possibility for removing
reactions to make the experience for API clients not require looking
up emoji codes.

Since this is an additional optional parameter, this also preserves
backward compatibility.
2018-07-11 19:41:43 +05:30
Yago González 9244a6740e reactions: Make the emoji_code optional for adding a rection.
Complete, correct implementations of Zulip's emoji reactions API need
to send both emoji_code and emoji_name in order to add a reaction;
this is important for corner cases around clicking on a reaction in a
message that was first reacted to a year ago, when the emoji
name->code mappings have changed for the given code point in the
intervening time.

However, for folks building tools using the Zulip API, that corner
case is not particularly common; as a result, it makes sense to offer
an interface that allows adding a reaction by only specifying the
emoji name.

This is why the only field that needs to be required is emoji_name,
which can now be mapped to a single emoji. Both fields will be
necessary when "voting" an old reaction, but since we stil allow
specifying the two of them, these changes offer retrocompatibility.
2018-07-11 19:34:48 +05:30
Aditya Bansal 9b485f3ef4 auth: Fix bug with subdomains and GitHub auth causing apparent logouts.
This adds a new settings, SOCIAL_AUTH_SUBDOMAIN, which specifies which
domain should be used for GitHub auth and other python-social-auth
backends.

If one is running a single-realm Zulip server like chat.zulip.org, one
doesn't need to use this setting, but for multi-realm servers using
social auth, this fixes an annoying bug where the session cookie that
python-social-auth sets early in the auth process on the root domain
ends up masking the session cookie that would have been used to
determine a user is logged in.  The end result was that logging in
with GitHub on one domain on a multi-realm server like zulipchat.com
would appear to log you out from all the others!

We fix this by moving python-social-auth to a separate subdomain.

Fixes: #9847.
2018-07-10 16:49:00 +05:30
Anders Kaseorg 037f696d26 Enable pycodestyle W605 (invalid escape sequence).
The only changes visible at the AST level, checked using
https://github.com/asottile/astpretty, are

zerver/lib/test_fixtures.py:
'\x1b\\[(1|0)m' ↦ '\\x1b\\[(1|0)m'
'\\[[X| ]\\] (\\d+_.+)\n' ↦ '\\[[X| ]\\] (\\d+_.+)\\n'

which is fine because re treats '\\x1b' and '\\n' the same way as
'\x1b' and '\n'.

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
2018-07-03 16:54:46 +02:00
Yago González d151f4a234 messages: Allow fetching unedited messages' history.
When GETting an unedited message's edit history, the server wasn't able
to reply properly and produced a 500 error.

Now when that happens, we return a message history that only contains
the original message.
2018-07-01 08:16:59 -07:00
Tim Abbott 5f7691b74e upload: Remove unnecessary use of has_request_variables.
All the parameters for this function are parsed in urls.py.
2018-07-01 01:47:03 -07:00
Eeshan Garg e1e4d523aa Replace remaining user-facing occurences of the term "invite-only".
Fixes #9611.
2018-06-27 12:34:29 -07:00
Yashashvi Dave 317a2fff2a bots settings: Improve API for editing bot owners to refer to users by ID.
Fixes #9502
2018-06-23 12:47:50 -07:00
Vishnu Ks 1b179ca530 signup: Prevent users from signing up with email containing +. 2018-06-23 12:03:30 -07:00
Vishnu Ks 2b1424e51a registration: Use tokenized noreply address in signup confirmation. 2018-06-23 12:03:30 -07:00
Rishi Gupta 4f8c44a019 notifications: Simplify notification messages for new subscriptions.
We're adding more stream types, e.g. splitting private streams into
with/without shared history, adding publicly-archived streams, adding
announce-only streams, etc. So maintaining this text is going to get more
complicated over time.

Also, the right place to explain this stuff is in the stream header, or near
the z-in-a-circle.

This commit also adds translation tags to the messages.
2018-06-20 07:53:10 -04:00
Vishnu Ks 403f254557 signup: Create get_accounts_for_email function. 2018-06-19 11:25:23 -07:00
Shubham Dhama 8e032376f9 guest: Restrict guest access to user group creation and updation. 2018-06-19 11:04:14 -07:00
Yashashvi Dave 8909cb1d15 custom fields: Allow list of users in user type of custom fields.
Allow user to add more than one user-value in user type of custom
fields.

Tweaked by tabbott to improve the models.py code and type annotations.
2018-06-16 09:37:49 -07:00
Rhea Parekh d0bc8d0736 zcommands: Add zcommand module and separate test module.
Move the zcommands from '/views/messages.py' to
'/lib/zcommand'.

Also, move the zcommand tests from '/tests/test_messages.py'
to '/tests/test_zcommand'.
2018-06-16 10:32:42 -04:00
Shubham Dhama d40c2bb166 emoji: Make uploading new realm emoji inaccessible for guest users. 2018-06-16 06:33:14 -07:00
Shubham Dhama 596ce5b60f invite: Make inviting new users inaccessible for guest users. 2018-06-16 06:33:13 -07:00
Tim Abbott 425b4a3866 invite: Use require_realm_admin decorator. 2018-06-16 06:33:13 -07:00
Yashashvi Dave f7f039e772 custom fields: Add endpoint to delete value of custom profile data.
Add delete endpoint at `users/me/profile_data` to delete value of
custom profile data.

Fixes #9669
2018-06-07 08:35:04 -07:00
Yashashvi Dave 5145b24635 users: Replace duplication with generic func to validate user id.
This adds a common function `access_user_by_id` to access user id
within same realm, complete with a full suite of unit tests.

Tweaked by tabbott to make the test much more readable.
2018-06-05 11:13:13 -07:00
Umair Khan 9b698dec08 2FA: Use patch.object for monkey patching.
Ref #9521
2018-06-05 09:25:40 -07:00
Raymond Akornor 0335da7e05 python: Use python3 style super() in 2FA code paths. 2018-06-04 20:55:42 -07:00
Steve Howell 47b4dd6bdb slash commands: Refine /day and /night.
These two slash commands now use zcommand to talk to
the server, so we have no Message overhead, and if you're
on a stream, you no longer spam people by accident.

The commands now also give reasonable messages
if you are already in the mode you ask for.

It should be noted that by moving these commands out of
widget.py, they are no longer behind the ALLOW_SUB_MESSAGES
setting guard.
2018-06-02 09:40:12 -07:00
Steve Howell 4b2e8b83c4 slash commands: Add /ping command (via zcommand).
This adds a /ping command that will be useful for users
to see what the round trip to the Zulip server is (including
only a tiny bit of actual server time to basically give a
200).

It also introduce the "/zcommand" endpoint and zcommand.js
module.
2018-06-02 09:40:12 -07:00
Tim Abbott c37fe998d2 templates: Make zulip_default_context available in API endpoints.
This is mostly useful for advertising support_email, but some other
fields may by helpful over time.
2018-06-01 11:32:18 -07:00
Tim Abbott 0d84eb0a8b mypy: Clean zerver/views/users.py for strict-optional. 2018-06-01 08:48:17 -07:00
Tim Abbott 0a0ae5e703 users: Move add_service to zerver.lib.users so it is reusable. 2018-06-01 08:48:17 -07:00
Tim Abbott bab69a325f registration: Narrow try/exception block for LDAP usernames.
This just makes the code a bit more clear about where we expect that
exception to come from.
2018-05-31 14:04:47 -07:00
Sampriti Panda 46711a43f0 pgroonga: Upgrade to PGroonga 2 API. 2018-05-31 13:00:34 -07:00
Shubham Padia bb8ad15fa9 streams: Set is_announcement_only when creating streams.
Adds is_announcement_only to create_stream_if_needed and
add_subscriptions_backend.
2018-05-30 14:17:33 -07:00
Steve Howell bfc13ecea4 submessages: Just send content for submessage events.
For some reason in my original version I was sending both
content and data to the client for submessage events,
where data === JSON.parse(content).  There's no reason
to not just let the client parse it, since the client
already does it for data that comes on the original
message, and since we might eventually have non-JSON
payloads.

The server still continues to validate that the payload
is JSON, and the client will blueslip if the server
regressses and sends bad JSON for some reason.
2018-05-30 13:53:11 -07:00
Tim Abbott 99c6a82b7f i18n: Clean up logic for picking language in app.
We now have a simple algorithm: First, look at the URL path
(e.g. /de/, which is intended to be an override).  Second, look at the
language the user has specified in their settings.
2018-05-30 08:57:26 -07:00
Shubham Dhama 1d9afc7328 i18n: Pass translation data in page_params.
This is a preliminary step to make translation_data available as a
resource to `i18next.init()`.
2018-05-30 08:57:26 -07:00
Yashashvi Dave 47aaf4e20a users: Replace duplication with generic func to validate bot id.
This adds a common function `access_bot_by_id` to access bot id within
same realm.  It probably fixes some corner case bugs where we weren't
checking for deactivated bots when regenerating API keys.
2018-05-29 15:47:27 -07:00
Tim Abbott 91ec0aba09 auth: Improve interactions between LDAPAuthBackend and EmailAuthBackend.
Previously, if you had LDAPAuthBackend enabled, we basically blocked
any other auth backends from working at all, by requiring the user's
login flow include verifying the user's LDAP password.

We still want to enforce that in the case that the account email
matches LDAP_APPEND_DOMAIN, but there's a reasonable corner case:
Having effectively guest users from outside the LDAP domain.

We don't want to allow creating a Zulip-level password for a user
inside the LDAP domain, so we still verify the LDAP password in that
flow, but if the email is allowed to register (due to invite or
whatever) but is outside the LDAP domain for the organization, we
allow it to create an account and set a password.

For the moment, this solution only covers EmailAuthBackend.  It's
likely that just extending the list of other backends we check for in
the new conditional on `email_auth_backend` would be correct, but we
haven't done any testing for those cases, and with auth code paths,
it's better to disallow than allow untested code paths.

Fixes #9422.
2018-05-28 22:47:47 -07:00
Tim Abbott 8119670da1 user_settings: Prevent LDAP users from setting a Zulip password.
Previously, if both EmailAuthBackend and LDAPAuthBackend were enabled,
LDAP users could set a password using EmailAuthBackend and continue to
use that password, even if their LDAP account was later deactivated.

That configuration wasn't supported at all before, so this doesn't fix
a pre-existing security issue, but now that we're making that a valid
configuration, we need to cover this case.
2018-05-28 22:47:47 -07:00
Sampriti Panda 250015a5d5 pgroonga: Fix issues with HTML escaping in queries. 2018-05-28 16:53:30 -07:00
Yashashvi Dave e82c879b85 custom fields: Add user type of custom fields.
Fixes #8878
2018-05-27 23:01:21 -07:00
Tim Abbott 6967b6519d settings: Add a development-only setting for less dense mode.
This should make it easier for us to iterate on a less-dense Zulip.

We create two classes on body, less_dense_mode and more_dense_mode, so
that it's easy as we refactor to separate the two concepts from things
like colors that are independent.
2018-05-24 12:31:37 -07:00
Vishnu Ks 54a002c2e2 requirements: Upgrade pyflakes to 2.0.0.
We fix a few errors that only the new version finds.
2018-05-24 11:31:36 -07:00
Steve Howell 69517f5ac5 Support zform-based widget content in the server.
API users, particularly bots, can now send a field
called "widget_content" that will be turned into
a submessage for the web app to look at.  (Other
clients can still rely on "content" to be there,
although it's up to the bot author to make the
experience good for those clients as well.)

Right now widget_content will be a JSON string that
encodes a "zform" widget with "choices."  Our first
example will be a trivia bot, where users will see
something like this:

    Which fruit is orange in color?

        [A] orange
        [B] blackberry
        [C] strawberry

The letters will be turned into buttons on the webapp
and have canned replies.

This commit has a few parts:
    - receive widget_content in the request (simply
        validating that it's a string)
    - parse the JSON in check_message and deeply
        validate its structure
    - turn it into a submessage in widget.py
2018-05-24 09:30:22 -07:00
Shubham Dhama fc3dcbfb5a messages: Allow "no topic" topics editable indefinitely.
Fixes: #9484.
2018-05-24 07:35:52 -07:00
Umair Khan adaeaccd20 2FA: Add link in settings to setup two-factor. 2018-05-23 15:49:41 -07:00
Umair Khan 0b1e25f453 2FA: Integrate with login feature. 2018-05-23 15:46:57 -07:00
Umair Khan a2d3aea027 2FA: Add two-factor related code.
This commit adds a view which will be used to process login requests,
adds an AuthenticationTokenForm so that we can use TextField widget for
tokens, and activates two factor authentication code path whenever user
tries to login.
2018-05-23 15:46:56 -07:00
Vishnu Ks 8369e2b15e registration: Allow users to import settings from other realm.
This should significantly improve the user experience for creating
additional accounts on zulipchat.com.

Currently, disabled in production pending some work on visual styling.
2018-05-23 10:30:00 -07:00
Michael J. Sullivan d5ee801d60 mypy: Set local_partial_types = True.
The daemon implicitly sets this flag, so set it explicitly and fix all
of the type errors.
2018-05-21 22:41:00 -07:00
Aditya Bansal e41d32a15a reminders: Add various design improvements for the UI/reminder msg. 2018-05-21 09:07:37 -07:00
Umair Khan 18defcc673 2FA: Fix check for context_data attr.
This attribute only makes sense for responses that are generated using a
template.
2018-05-21 07:50:05 -07:00
Tim Abbott 2609274719 streams: Don't allow adding deactivated users to streams.
This query was incorreclty not checking whether a user was deactivated
before managing their subscriptions.

This isn't an important bug, but should prevent some weird corner
cases (like trying to send a notification PM to a deactivated user,
which fails).
2018-05-20 19:17:15 -07:00
Tim Abbott cedad52c59 presence: Extract and use get_active_user helper.
This adds a new reusable function for fetching just active users.
2018-05-20 19:07:29 -07:00
Tim Abbott 44b3aeb08d home: Improve logging for narrow parsing exceptions.
This now includes the request and (and thus the related metadata).
2018-05-20 18:47:43 -07:00
Yashashvi Dave 38db31779b /json/bots: Return "No user" if access other realms bot.
Instead of returning warning "Insufficient Permission", return
"No such bot" warning if user tries to access other realms bot."
2018-05-18 15:20:43 -07:00
Yashashvi Dave 4162e61f33 /json/users: Replace email with user_id in API to reactivate user. 2018-05-18 15:20:43 -07:00
Yashashvi Dave 06e7e933cc /json/users: Replace email with user_id in API to update/remove users. 2018-05-18 15:20:43 -07:00
Steve Howell de47eeb6f1 Add /submessage endpoint. 2018-05-16 15:13:33 -07:00
Yashashvi Dave b949d10592 /json/bots: Replace email with user_id in API to generate bot_api_key.
Fixes #3643.
2018-05-15 16:37:06 -07:00
Yashashvi Dave d6e2f9fc88 /json/bots: Replace email with user_id in API to update bots. 2018-05-15 16:34:17 -07:00
Shubham Padia 897ed17f0c api: Allow realm_admins to make a stream announcement_only. 2018-05-13 09:11:51 -07:00
Vishnu Ks 99186952f6 integrations: Make integration_doc endpoint work only on ajax. 2018-05-13 08:56:04 -07:00
Raymond Akornor f67efd5291 zerver: Migrate away from six. 2018-05-09 18:38:25 +00:00
Tim Abbott 602b13db34 home: Make emojiset an explicit parameter.
This is cleaner than accessing the UserProfile object directly (we
don't really do that anywhere else).
2018-05-06 22:36:29 -07:00
Tim Abbott 956bd74905 attachments: Send events for attachment updates.
We send add events on upload, update events when sending a message
referencing it, and delete updates on removal.

This should make it possible to do real-time sync for the attachments
UI.

Based in part on work by Aastha Gupta.
2018-05-04 16:22:27 -07:00
Tim Abbott 508dc5b6ed decorators: Add new decorators for guest users.
These decorators will be part of the process for disabling access to
various features for guest users.

Adding this decorator to the subscribe endpoint breaks the guest users
test we'd just added for the subscribe code path; we address this by
adding a more base-level test on filter_stream_authorization.
2018-05-04 10:25:52 -07:00
Aditya Bansal c38b70566c views/archive.py: Make 'StreamDoesNotExist' return a error msg page. 2018-05-02 15:23:33 -07:00
Aditya Bansal 5d7907b59f public_archives: Add basic infra for displaying topics.
We add very basic infra so that we can view any discussion which
happened under a topic of a global public stream without
authorization.
2018-05-02 15:23:33 -07:00
Umair Khan b778259547 login-page: Return early if resp is a redirect.
Redirect response does not need a context.
2018-05-02 15:15:37 -07:00
Umair Khan aef2234e97 login_page: Create update_login_page_context().
This will also be used from two factor login.
2018-05-02 14:30:02 -07:00
Tim Abbott a0e8a37e7f topics: Fix get_topics_backend logic for zephyr realms.
This removes a check on invite_only, that should have been a check on
history_public_to_subscribers.  In addition to fixing a bug for zephyr
realms, it also makes "more topics" work correctly for realms using
the new settings for stream history being public to subscribers.
2018-05-02 09:02:57 -07:00
Tim Abbott d92edb8ea5 css: Remove support for legacy desktop app.
We haven't seen significant traffic from the legacy desktop app in
over a year, and users using it get a warning to upgrade since last
summer, so it's probably OK to stop providing special fonts for it.
2018-05-01 09:49:28 -07:00
Angelika Serwa f4f64243dd custom_profile_fields: Support changing the sort order of the fields.
Tweaked by tabbott for variable naming and the URL.

Closes #8879.
2018-04-30 18:17:41 -07:00
Vishnu Ks 69b0783b35 emails: Pass realm_name instead of realm in notify_change_in_email context. 2018-05-01 00:11:44 +05:30
Yashashvi Dave a97a00a4c6 custom fields: Replace field id with field name in error message. 2018-04-30 10:53:23 -07:00
Yashashvi Dave 7e9ccead2e stream settings: Fix server error on long stream description.
Add backend validations to check stream description length.
2018-04-30 10:11:23 -07:00
Eeshan Garg 057ff9c91e models: Add Stream.history_public_to_subscribers.
This commit adds a new field history_public_to_subscribers to the
Stream model, which serves a similar function to the old
settings.PRIVATE_STREAM_HISTORY_FOR_SUBSCRIBERS; we still use that
setting as the default value for new streams to avoid breaking
backwards-compatibility for those users before we are ready with an
actual UI for users to choose directly.

This also comes with a migration to set the value of the new field for
existing streams with an algorithm matching that used at runtime.

With significant changes by Tim Abbott.

This is an initial part of our efforts on #9232.
2018-04-28 22:54:04 -07:00
Tim Abbott e087be6630 home: Ignore handlebars errors in the test suite.
The handlebars error message is just for the manual development
environment; this prevents the state of compiling handlebars templates
from run-dev.py from potentially causing the unit tests to fail.
2018-04-28 13:49:24 -07:00
Tim Abbott 7d6bb3dcb4 settings: Remove obsolete default_desktop_notifications setting.
This actually hasn't been hooked up to do anything in years.

While we're at it, we remove the entire "Zulip Labs" settings page.
2018-04-28 13:46:07 -07:00
Tim Abbott a3fc7d1371 message_edit: Fix spelling of "has passed". 2018-04-27 19:24:14 -07:00
YJDave 6bef44a9fa org setting: Add time limits for message deleting.
Add realm setting to set time limit for message deleitng.
Set default value of message_content_delete_limit_seconds
to 600 seconds(10 min).

Thanks to Shubham Dhama for rebasing and reworking this.  Some final
edits also done by Tim Abbott.

Fixes #7344.
2018-04-27 19:22:28 -07:00
Vishnu Ks 185811f436 emails: Add translation tags to find_team. 2018-04-27 11:59:36 -07:00
Umair Khan cf2f6b38dd profile: Add choice field.
Fixes part of #8878
2018-04-26 00:35:51 -07:00
Umair Khan a1b384039c profile: Check field_type against FIELD_TYPE_CHOICES. 2018-04-25 23:28:27 -07:00
Tim Abbott 79e8bff8fa views: Change use of typing.Text to str.
This is the first part of a general migration of our typing codebase
to use the simpler `str` for strings.
2018-04-23 18:51:23 -07:00
Aditya Bansal 8c0a5c69f3 csp: Dynamically generate and add nonce to script tags. 2018-04-24 06:13:21 +05:30
Tim Abbott 1703e23980 templates: Move all core app templates into a subdirectory.
This should make it easier to find the templates that are actually
part of the core webapp, instead of having them all mixed together
with the portico pages.
2018-04-23 16:46:37 -07:00
Vishnu Ks c9e932a7ce settings: Add support for Hangouts as the video chat provider.
The only thing that's annoying about this feature is that you need to
be a paying G Suite customer to use it.
2018-04-23 09:39:47 -07:00
Tim Abbott c88163eea8 auth: Make "Continue to registration" actually register you.
The main change here is to send a proper confirmation link to the
frontend in the `confirm_continue_registration` code path even if the
user didn't request signup, so that we don't need to re-authenticate
the user's control over their email address in that flow.

This also lets us delete some now-unnecessary code: The
`invalid_email` case is now handled by HomepageForm.is_valid(), which
has nice error handling, so we no longer need logic in the context
computation or template for `confirm_continue_registration` for the
corner case where the user somehow has an invalid email address
authenticated.

We split one GitHub auth backend test to now cover both corner cases
(invalid email for realm, and valid email for realm), and rewrite the
Google auth test for this code path as well.

Fixes #5895.
2018-04-22 19:55:05 -07:00
Tim Abbott 2dcec3704c auth: Introduce confirmation_link local variable.
This is just a prepartory refactor in maybe_send_to_registration.
2018-04-22 16:24:43 -07:00
Tim Abbott 8026b4f9db auth: Refactor login_or_register_remote_user interface.
By moving all of the logic related to the is_signup flag into
maybe_send_to_registration, we make the login_or_register_remote_user
function quite clean and readable.

The next step is to make maybe_send_to_registration less of a
disaster.
2018-04-22 16:24:43 -07:00
Tim Abbott 64023fc563 auth: Fix incorrect use of get_realm_from_request.
The code in maybe_send_to_registration incorrectly used the
`get_realm_from_request` function to fetch the subdomain.  This usage
was incorrect in a way that should have been irrelevant, because that
function only differs if there's a logged-in user, and in this code
path, a user is never logged in (it's the code path for logged-out
users trying to sign up).

This this bug could confuse unit tests that might run with a logged-in
client session.  This made it possible for several of our GitHub auth
tests to have a totally invalid subdomain value (the root domain).

Fixing that bug in the tests, in turn, let us delete a code path in
the GitHub auth backend logic in `backends.py` that is impossible in
production, and had just been left around for these broken tests.
2018-04-22 16:24:43 -07:00
Tim Abbott b36298efda mypy: Fix a missing type annotation in auth code. 2018-04-22 16:24:43 -07:00
Tim Abbott 00c9f45821 auth: Remove dead invalid_subdomain code path.
This code path has actually been dead for a while (since
`invalid_subdomain` gets set to True only when `user_profile` is
`None`).  We might want to re-introduce it later, but for now, we
eliminate it and the artificial test that provided it with test
coverage.
2018-04-22 14:44:06 -07:00