Commit Graph

451 Commits

Author SHA1 Message Date
Anders Kaseorg 68cfcd6446 CVE-2020-9444: Prevent reverse tabnabbing attacks.
While we could fix this issue by changing the markdown processor,
doing so is not a robust solution, because even a momentary bug in the
markdown processor could allow cached messages that do not follow our
security policy.

This change ensures that even if our markdown processor has bugs that
result in rendered content that does not properly follow our policy of
using rel="noopener noreferrer" on links, we'll still do something
reasonable.

Co-authored-by: Tim Abbott <tabbott@zulipchat.com>
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-01 14:01:45 -07:00
Steve Howell a81fd786f5 refactor: Use get_default_stream_ids() in settings.
We now use the up-to-date info from stream_data
to hydrate the default stream ids.  All we need
here in the template is `invite_only` and `name`.

Since we are no longer using data from `page_params`,
we can remove `maybe_update_realm_default_stream_name`.
(If you are wondering if we still get live updates,
we get that via a more upstream call to
update_default_streams_table in the event
dispatching codepath.)
2020-03-25 17:11:25 -07:00
Anders Kaseorg 5383f019be subs: Convert hidden_ids from object to Map.
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-02-12 10:39:01 -08:00
Anders Kaseorg 055bcfd6e6 subs: Convert widgets from object to Map.
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-02-12 10:39:01 -08:00
Anders Kaseorg 59d55d1e06 js: Use modern spread arguments syntax.
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-02-11 17:43:35 -08:00
Anders Kaseorg b566d11d69 js: Convert _.findIndex(a, …) to a.findIndex(…).
And convert the corresponding function expressions to arrow style
while we’re here.

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-02-10 14:08:12 -08:00
Anders Kaseorg 02511bff1c js: Automatically convert _.each to for…of.
This commit was automatically generated by the following script,
followed by lint --fix and a few small manual lint-related cleanups.

import * as babelParser from "recast/parsers/babel";
import * as recast from "recast";
import * as tsParser from "recast/parsers/typescript";
import { builders as b, namedTypes as n } from "ast-types";
import { Context } from "ast-types/lib/path-visitor";
import K from "ast-types/gen/kinds";
import { NodePath } from "ast-types/lib/node-path";
import assert from "assert";
import fs from "fs";
import path from "path";
import process from "process";

const checkExpression = (node: n.Node): node is K.ExpressionKind =>
  n.Expression.check(node);
const checkStatement = (node: n.Node): node is K.StatementKind =>
  n.Statement.check(node);

for (const file of process.argv.slice(2)) {
  console.log("Parsing", file);
  const ast = recast.parse(fs.readFileSync(file, { encoding: "utf8" }), {
    parser: path.extname(file) === ".ts" ? tsParser : babelParser,
  });
  let changed = false;
  let inLoop = false;
  let replaceReturn = false;

  const visitLoop = (...args: string[]) =>
    function(this: Context, path: NodePath) {
      for (const arg of args) {
        this.visit(path.get(arg));
      }
      const old = { inLoop };
      inLoop = true;
      this.visit(path.get("body"));
      inLoop = old.inLoop;
      return false;
    };

  recast.visit(ast, {
    visitDoWhileStatement: visitLoop("test"),

    visitExpressionStatement(path) {
      const { expression, comments } = path.node;
      let valueOnly;
      if (
        n.CallExpression.check(expression) &&
        n.MemberExpression.check(expression.callee) &&
        !expression.callee.computed &&
        n.Identifier.check(expression.callee.object) &&
        expression.callee.object.name === "_" &&
        n.Identifier.check(expression.callee.property) &&
        ["each", "forEach"].includes(expression.callee.property.name) &&
        [2, 3].includes(expression.arguments.length) &&
        checkExpression(expression.arguments[0]) &&
        (n.FunctionExpression.check(expression.arguments[1]) ||
          n.ArrowFunctionExpression.check(expression.arguments[1])) &&
        [1, 2].includes(expression.arguments[1].params.length) &&
        n.Identifier.check(expression.arguments[1].params[0]) &&
        ((valueOnly = expression.arguments[1].params[1] === undefined) ||
          n.Identifier.check(expression.arguments[1].params[1])) &&
        (expression.arguments[2] === undefined ||
          n.ThisExpression.check(expression.arguments[2]))
      ) {
        const old = { inLoop, replaceReturn };
        inLoop = false;
        replaceReturn = true;
        this.visit(
          path
            .get("expression")
            .get("arguments")
            .get(1)
            .get("body")
        );
        inLoop = old.inLoop;
        replaceReturn = old.replaceReturn;

        const [right, { body, params }] = expression.arguments;
        const loop = b.forOfStatement(
          b.variableDeclaration("let", [
            b.variableDeclarator(
              valueOnly ? params[0] : b.arrayPattern([params[1], params[0]])
            ),
          ]),
          valueOnly
            ? right
            : b.callExpression(
                b.memberExpression(right, b.identifier("entries")),
                []
              ),
          checkStatement(body) ? body : b.expressionStatement(body)
        );
        loop.comments = comments;
        path.replace(loop);
        changed = true;
      }
      this.traverse(path);
    },

    visitForStatement: visitLoop("init", "test", "update"),

    visitForInStatement: visitLoop("left", "right"),

    visitForOfStatement: visitLoop("left", "right"),

    visitFunction(path) {
      this.visit(path.get("params"));
      const old = { replaceReturn };
      replaceReturn = false;
      this.visit(path.get("body"));
      replaceReturn = old.replaceReturn;
      return false;
    },

    visitReturnStatement(path) {
      if (replaceReturn) {
        assert(!inLoop); // could use labeled continue if this ever fires
        const { argument, comments } = path.node;
        if (argument === null) {
          const s = b.continueStatement();
          s.comments = comments;
          path.replace(s);
        } else {
          const s = b.expressionStatement(argument);
          s.comments = comments;
          path.replace(s, b.continueStatement());
        }
        return false;
      }
      this.traverse(path);
    },

    visitWhileStatement: visitLoop("test"),
  });

  if (changed) {
    console.log("Writing", file);
    fs.writeFileSync(file, recast.print(ast).code, { encoding: "utf8" });
  }
}

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-02-07 14:09:47 -08:00
Ryan Rehman 174b2abcfd settings: Migrate to stream_post_policy structure.
This commit includes a new `stream_post_policy` setting,
by replacing the `is_announcement_only` field from the Stream model,
which is done by mirroring the structure of the existing
`create_stream_policy`.

It includes the necessary schema and database migrations to migrate
the is_announcement_only boolean field to stream_post_policy,
a smallPositiveInteger field similar to many other settings.

This change is done to allow organization administrators to restrict
new members from creating and posting to a stream. However, this does
not affect admins who are new members.

With many tweaks by tabbott to documentation under /help, etc.

Fixes #13616.
2020-02-04 17:08:08 -08:00
Tim Abbott 7af6be9aaf subs: Fix reloading the browser to "manage streams" UI.
I'm not sure when this regressed, but the bug is one of those subtle
"8" != 8 issues.

Fixes #13756.
2020-01-28 14:17:29 -08:00
Tim Abbott e2681372f3 js: Clean up poorly named const id variables.
We have conventions for naming message_id, stream_id, etc. values that
way for readability; these entries are violations of those conventions.
2020-01-16 13:27:27 -08:00
Anders Kaseorg 45bee2f512 js: Clean up stream_id type confusion.
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-01-16 13:23:47 -08:00
Steve Howell 0aa9decd86 blueslip: Add feature to time common operations.
This is relatively unobtrusive, and we don't send
anything to the server.

But any user can now enter blueslip.timings in the
console to see a map of how long things take in
milliseconds.  We only record one timing per
event label (i.e. the most recent).

It's pretty easy to test this by just clicking
around.  For 300 users/streams most things are
fast except for:

    - initialize_everything
    - manage streams (render_subscriptions)

Both do lots of nontrivial work, although
"manage streams" is a bit surprising, since
we're only measuring how long to build the
HTML from the templates (whereas the real
time is probably browser rendering costs).
2020-01-15 12:01:16 -08:00
Steve Howell 9f7be51ce8 streams: Replace Dict with IntDict in stream_data.
There's another Dict that we'll convert to a Set
in a subsequent commit.
2020-01-05 12:28:28 -08:00
joaomcarvalho cd2c68c778 stream settings: Fix initialization of main toggler state.
The "Stream settings" UI was always intended to be initialized in the
"Subscribed" tab when opened not through navigation that explicitly
aims to via "All streams".  We had implemented that through how the UI
is rendered as well as the internal state tracking variable
`subscribed_only`, which was initialized to `true`.

The bug was that we didn't reset that to `true` when re-opening
"Stream settings" via a code path that calls `setup_page` (e.g. via
the menus on the left sidebar).

This fixes a bug where the stream-list in the stream settings would
list all streams but would show the 'Subscribed' label after
navigating to "All streams", closing "Manage streams", and then
reopening it.

Fixes #13297.
2019-12-02 09:59:13 -08:00
Anders Kaseorg f9f104a4f8 js: Automatically convert var to let and const in more files.
This commit was automatically generated by `tools/lint --only=eslint
--fix`, after an `.eslintrc.json` change.

A half dozen files were removed from the changes by tabbott pending
further work to ensure we avoid breaking valuable PRs with merge
conflicts.

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-11-20 14:10:47 -08:00
Anders Kaseorg d17b577d0c js: Purge useless IIFEs.
With webpack, variables declared in each file are already file-local
(global variables need to be explicitly exported), so these IIFEs are
no longer needed.

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
2019-10-25 13:51:21 -07:00
Mateusz Mandera bf7f4f3f1b stream settings: Replace email address hint popup with link to docs.
Fixes #13134 as the last commit in the series for this issue.
Solves the "The (?) should just be a target=_blank link to
/help/message-a-stream-by-email." part of the issue.
As a result, a bunch of code managing the email hint popup can be deleted,
together with a node test for that.
2019-09-05 11:48:32 -07:00
Rohitt Vashishtha 5e6493d36e compose_state: Maybe update stream name on stream name change.
If we rename a stream that we are composing to, we now change the
stream name in the compose target as well.
2019-07-21 20:18:29 -07:00
Rohitt Vashishtha 5d20c4b8fb typeahead: Clear rendered stream html on stream rename.
Previously, after a stream rename, you could search for it using its
new name but the typeahead would still display the old name.
2019-07-21 20:18:29 -07:00
Anders Kaseorg db0b33842c templates: Replace templates.render with require calls.
This removes an unnecessary layer of indirection and allows webpack to
catch filename mistakes.

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-07-12 21:11:14 -07:00
Yashashvi Dave 88f3325970 stream settings: Deduplicate stream settings click handlers. 2019-06-24 14:46:45 -07:00
Thomas Ip 6cad1988a9 jQuery: Use positional methods on single selectors.
For selectors like `$('.element:first')`, we can simply write
`$('.element').first()`.
2019-06-06 15:21:26 -07:00
Yashashvi Dave 2a943d3b40 static/js/stream_muting: Rename `update_in_home_view` function. 2019-05-30 21:39:06 -07:00
Yashashvi Dave 40f550038d subs: Replace all `in_home_view` uses with `is_muted` property.
Replace all uses of `in_home_view` subscription property
with `is_muted` property in frontend.

Fixes #12322
2019-05-30 21:39:06 -07:00
Anders Kaseorg 01613e71fb ui: Replace set_up_scrollbar with data-simplebar attribute.
With perfectScrollbar, we needed to call a function from JavaScript to
enable a scrollbar on a new element, but simplebar has a much simpler
default API one can do by using data-simplebar attributes in the HTML.

So we can delete all the scrollbar creation/deletion code.

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-05-19 18:06:38 -07:00
Anders Kaseorg 141088586b Completely replace perfect-scrollbar with SimpleBar.
perfect-scrollbar replaces both the appearance and the behavior of the
scrollbar, and its emulated behavior will never feel native on most
platforms.  SimpleBar customizes the appearance while preserving the
native behavior.

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
2019-05-17 12:06:51 -07:00
Yashashvi Dave b5b5700338 hashchange: Redirect guest user on not-allowed stream settings hash. 2019-05-13 17:27:32 -07:00
Yashashvi Dave 3f38fc6b79 streams: Redirect to subscribed-tab on unsubscription for guest user.
This commit adds code to redirect guest users to the
subscribed-stream tab and removes the recently-unsubscribed
stream from the settings tab on unsubscription.
2019-05-13 17:27:32 -07:00
Yashashvi Dave b68c1bb6ac streams: Disable "All streams" tab for guest users.
Fixes #10980
2019-05-13 17:27:32 -07:00
Yashashvi Dave 78bb9bf37a streams: Update subs-ui-element on change-stream-privacy. 2019-05-07 17:33:59 -07:00
Yashashvi Dave fbf25942d0 streams: Extract change-stream-permissions functions. 2019-05-07 17:33:59 -07:00
Yashashvi Dave 6ae6da5d22 stream_ui_updates: Move function `update_add_subscriptions_elements`. 2019-05-06 17:30:33 -07:00
Yashashvi Dave 71e561de76 stream_ui_updates: Extract `update_subscribers_list` function. 2019-05-06 17:30:33 -07:00
Yashashvi Dave 7d7cf3d786 stream_ui_updates: Extract `update_subscribers_count` function. 2019-05-06 17:30:33 -07:00
Yashashvi Dave 22f172114d subscription: Update existing sub-row in settings on sub events.
Update the stream-subscription-row in stream settings when a
subscription add/removal event is received. This is only
to show dynamic effects to the user on sub events.
2019-05-01 17:23:44 -07:00
Yashashvi Dave a593f73e9a static/js/subs.js: Extract `update_stream_row_in_settings_tab` function. 2019-05-01 17:23:44 -07:00
Yashashvi Dave ed2dd612fb static/js/subs.js: Extract `is_subscribed_stream_tab_active` function. 2019-05-01 17:23:44 -07:00
Yashashvi Dave 7a168216ff stream_ui_updates: Extract `update_change_stream_privacy_settings`. 2019-04-30 14:37:30 -07:00
Yashashvi Dave ecc165b899 stream_ui_updates: Extract `update_regular_sub_settings`. 2019-04-30 14:37:24 -07:00
Yashashvi Dave a71eb6aa15 subs: Extract change-stream-privacy block from function.
This commit removes the code to update the stream-privacy-btn
in stream settings from the update-sub-settings function,
because the stream-privacy-btn is not part of the regular
sub-settings; it is an admins-only setting.
2019-04-30 14:36:52 -07:00
Yashashvi Dave 9dd9ea5721 stream settings: Update URL when opening empty settings panel. 2019-04-30 14:36:52 -07:00
Yashashvi Dave 460515a2ee stream settings: Extract `setup_subscriptions_tab_hash` function. 2019-04-30 14:36:52 -07:00
Yashashvi Dave 2d1b80e2b4 stream_ui_updates: Extract `update_settings_button_for_sub`. 2019-04-30 14:37:14 -07:00
Yashashvi Dave 859ba9e892 stream_ui_updates: Extract `update_check_button_for_sub` func. 2019-04-30 14:37:05 -07:00
Steve Howell bfdce11c8f refactor: Initialize stream list code in stream_list.js.
This code was in subs.js for historical reasons.
2019-04-11 10:50:55 -07:00
Pragati Agrawal 48175ce1f7 subs: Update Default streams data while renaming streams.
If a stream is a default stream, this updates its name at `Default Streams`
section of `Organization settings` page.

Fixes: #11466
2019-02-13 15:05:25 -08:00
Hemanth V. Alluri 683ec852fd stream_data: Use stream rendered_description provided by the backend.
Use the results of commit #73d26c8 to remove the method
`render_stream_description` in static/js/stream_data.js and instead
use the rendered_description attribute now being sent by the backend.

This will be a valuable optimization and a step towards removing the
need for the marked.js markdown parser and speeding up the client end.
2019-02-11 12:24:27 -08:00
kunal-mohta b89769420a stream_color: Extend subscribe API to support color attribute.
This fixes an annoying bug where clicking to subscribe to a stream
would change the color shown in the "manage streams" UI immediately
after you click.

Fixes #11072.
2019-01-25 16:44:59 -08:00
Vaibhav 746870df65 stream settings: Hide creating admin-only streams in members UI.
This commit takes away the ability for non-admin members to create
streams where only admins can post messages by hiding the option from
them.

Fixes #11290.
2019-01-24 10:51:49 -08:00
Steve Howell 82e453d9fe ui: Fix scrollbar regressions.
In between releases, the following commit introduced
a bug where we aggressively scroll to the top every
place we call `ui.update_scrollbar`:

    092b73d0b7

The main symptoms were that the left and right sidebars
would go to the top for things like selecting a topic,
getting activity updates from the server, and resizing
the window.  It was very jarring.

The recent commit looked innocuous--the root of the problem
was the original API expressed an intent to scroll to the
top, but didn't actually do it, so it was a bug in hiding.

There are **some** occasions where it's actually appropriate
to scroll to the top, mostly around search filtering, and
in those places we now call the new `ui.reset_scrollbar`
function.

This is a bit of an emergency fix, so particularly with
the settings stuff, we may get more reports of glitches here.

The important thing here is that you almost never want to
reset the scrollTop for sidebars.
2019-01-09 09:15:45 -08:00