Commit Graph

51860 Commits

Author SHA1 Message Date
Sahil Batra d8c8de5f27 bootstrap: Remove CSS for color type input elements.
We do not use "color" type input elements anywhere in the
app.
2023-05-23 10:54:12 -07:00
Sahil Batra 3f57672e15 bootstrap: Remove CSS for "tel" type input elements.
We do not use "tel" type input elements anywhere in the
app.
2023-05-23 10:54:12 -07:00
Sahil Batra 385d30b285 bootstrap: Remove CSS for week type input elements.
We do not use "week" type input elements anywhere in the
app.
2023-05-23 10:54:12 -07:00
Sahil Batra 33df97a3d9 bootstrap: Remove CSS for time type input elements.
We do not use "time" type input elements anywhere in the
app.
2023-05-23 10:54:12 -07:00
Sahil Batra 7627f346a3 bootstrap: Remove CSS for month type input elements.
We do not use "month" type input elements anywhere in the
app.
2023-05-23 10:54:12 -07:00
Sahil Batra 5d484a8794 bootstrap: Remove CSS for date type input elements.
We do not use "date" type input elements anywhere in the
app.
2023-05-23 10:54:12 -07:00
Sahil Batra 8ca8745c0e bootstrap: Remove CSS for datetime type input elements.
We do not use "datetime" type input elements anywhere in the
app.
2023-05-23 10:54:12 -07:00
Sahil Batra 286f47468d bootstrap: Remove CSS for button type inputs.
We do not use button type inputs anywhere in the app, so
we can remove their CSS.
2023-05-23 10:54:12 -07:00
Sahil Batra b08ba862e6 bootstrap: Remove CSS for reset type inputs.
We do not use "reset" type inputs in our app, so we can
safely remove the CSS for them.
2023-05-23 10:54:12 -07:00
Aman Agrawal dc6099d656 message_row: Use equal top/bottom padding in message content.
We had the `3px 0 1px` padding before the migration to grid,
then I switched it to use `4px 0 1px` since we were planning to
use a blue box border, which seemed to have helped that case.

Since we switched to using outline for blue box, it makes sense
to just use equal padding.
2023-05-23 10:45:28 -07:00
Greg Price df8a434424 portico: Add Senior Flutter Engineer position to `/jobs` page. 2023-05-22 17:22:39 -07:00
Alex Vandiver 0935d388f0 nginx: Set X-Forwarded-Proto based on trust from requesting source.
Django has a `SECURE_PROXY_SSL_HEADER` setting[^1] which controls if
it examines a header, usually provided by upstream proxies, to allow
it to treat requests as "secure" even if the proximal HTTP connection
was not encrypted.  This header is usually the `X-Forwarded-Proto`
header, and the Django configuration has large warnings about ensuring
that this setting is not enabled unless `X-Forwarded-Proto` is
explicitly controlled by the proxy, and cannot be supplied by the
end-user.

In the absence of this setting, Django checks the `wsgi.url_scheme`
property of the WSGI environment[^2].

Zulip did not control the value of the `X-Forwarded-Proto` header,
because it did not set the `SECURE_PROXY_SSL_HEADER` setting (though
see below).  However, uwsgi has undocumented code which silently
overrides the `wsgi.url_scheme` property based on the
`HTTP_X_FORWARDED_PROTO` property[^3] (and hence the
`X-Forwarded-Proto` header), thus doing the same as enabling the
Django `SECURE_PROXY_SSL_HEADER` setting, but in a way that cannot be
disabled.  It also sets `wsgi.url_scheme` to `https` if the
`X-Forwarded-SSL` header is set to `on` or `1`[^4], providing an
alternate route to deceive Django.

These combine to make Zulip always trust `X-Forwarded-Proto` or
`X-Forwarded-SSL` headers from external sources, and thus able to
trick Django into thinking a request is "secure" when it is not.
However, Zulip is not accessible via unencrypted channels, since it
redirects all `http` requests to `https` at the nginx level; this
mitigates the vulnerability.

Regardless, we harden Zulip against this vulnerability provided by the
undocumented uwsgi feature, by stripping off `X-Forwarded-SSL` headers
before they reach uwsgi, and setting `X-Forwarded-Proto` only if the
request was received directly from a trusted proxy.

Tornado, because it does not use uwsgi, is an entirely separate
codepath.  It uses the `proxy_set_header` values from
`puppet/zulip/files/nginx/zulip-include-common/proxy`, which set
`X-Forwarded-Proto` to the scheme that nginx received the request
over.  As such, `SECURE_PROXY_SSL_HEADER` was set in Tornado, and only
Tornado; since the header was always set in nginx, this was safe.
However, it was also _incorrect_ in cases where nginx did not do SSL
termination, but an upstream proxy did -- it would mark those requests
as insecure when they were actually secure.  We adjust the
`proxy_set_header X-Forwarded-Proto` used to talk to Tornado to
respect the proxy if it is trusted, or the local scheme if not.

[^1]: https://docs.djangoproject.com/en/4.2/ref/settings/#secure-proxy-ssl-header
[^2]: https://wsgi.readthedocs.io/en/latest/definitions.html#envvar-wsgi.url_scheme
[^3]: 73efb013e9/core/protocol.c (L558-L561)
[^4]: 73efb013e9/core/protocol.c (L531-L534)
2023-05-22 16:50:29 -07:00
Greg Price 2baa4fc0ca total-contributions: Add zulip-flutter to the list of repos. 2023-05-22 16:04:26 -07:00
Greg Price c4cc27cd20 total-contributions: Fix bug that replaced a repo's whole history with nothing.
When using a start date before the first commit to a repo, we should
include the repo's entire history (up to the end date) in our totals.

Instead, we were using a range like "..{upper_version}", which in Git
revision-range syntax means the start of the range is HEAD -- so the
range was empty.

Fix that by leaving out the ".." when we want no left endpoint.
2023-05-22 16:04:26 -07:00
Greg Price 0c8fef2fc8 total-contributions: Factor out logic common to all repos. 2023-05-22 16:04:26 -07:00
Karl Stolley ab94bcb21b css: Move recipient-row unread markers to message row file. 2023-05-22 15:54:57 -07:00
Karl Stolley 36c5df7663 css: Move message-row styles to own file. 2023-05-22 15:54:57 -07:00
Karl Stolley ffbd0cb316 css: Clean up comments for future readers. 2023-05-22 15:54:57 -07:00
Tim Abbott a5ac19e93a emails: Work around bad Apple Mail preview parser.
Apparently, Apple Mail interpreted the <body> text in the comment here
as the start of the body in the email in its special parser for
displaying a preview of emails in the inbox view, resulting in every
Zulip email being displayed as "tag out of the email, the ..." instead
of our configured preheader.
2023-05-22 15:50:50 -07:00
xoldyckk 6f009c5e65 ts: Convert rtl.js to TypeScript.
Co-authored-by: Satyam Bansal <sbansal1999@gmail.com>
2023-05-22 15:41:42 -07:00
Lauryn Menard 6d6a335e32 api-docs: Make realm_linkifiers current API clear in description.
Adjusts the descriptions of realm_linkifiers (and deprecated
realm_filters) events and register response fields so that the
description of the current API is complete without the feature
level 176 **Changes** notes.
2023-05-22 15:20:07 -07:00
Lauryn Menard fd02648b0e api-changelog: Update feature level 175 entry and related changes notes. 2023-05-22 13:21:03 -07:00
Karl Stolley 9f99235368 send_button: Suppress Send tooltip on tabbing to send. 2023-05-22 13:01:52 -07:00
Aman Agrawal eeea5c1713 css: Fix @everyone and @stream displayed as user mentions.
Backend incorrectly renders @everyone and @stream as `user-mention`
while they are clearly `group_mention`. To fix this, we use
`data-user-id` property of @everyone and @stream which are
set to `*` for them.
2023-05-22 12:41:44 -07:00
Aman Agrawal 67ff421194 css: Change mention text and background colors. 2023-05-22 12:41:44 -07:00
Aman Agrawal c415944e55 css: Separate mention pill colors. 2023-05-22 12:41:44 -07:00
Lalit 888d6d8037 settings_playground: Fix sorting issues in playgrounds table.
Removed the sorting functions, which were sorting under the assumption that
our comparison items were a list; instead, I used the generic sort
functionality of our `list_widget` module.
2023-05-22 09:36:24 -07:00
Aman Agrawal f04ae8acd3 drafts: Fix message header overlapping outline. 2023-05-22 09:31:21 -07:00
Lalit 7346ce98f3 ts: Convert `emojisets` to TypeScript.
Declared types for '*.png' modules and '!style-loader?*' modules in
`assets.d.ts` and used them in `emojisets.ts`.
2023-05-22 09:02:42 -07:00
Hardik Dharmani d9716bc189 left_sidebar: Improve mentions in muted topics.
When there are only muted unread mentions in a stream, show the `@` icon
and unread count in a faded style; also align the `@` on more topics
with no unread counter on them.

If there are only muted unread messages without mentions, don't show
the unread counter on the stream.

Fixes #25382.
2023-05-19 18:40:57 -07:00
Hardik Dharmani 8c6f9b3f95 unread: Improve live update for direct mentions in muted topics.
The "Mark as unread" event handler was not passing through the
mentioned_me_directly value, which is now important to left sidebar
rendering.

See the extended comment for how this solution is incorrect/incomplete
and has to fall back to guessing a potentially incorrect value in rare
situations.

Co-authored-by: Tim Abbott <tabbott@zulip.com>
2023-05-19 18:00:25 -07:00
Alex Vandiver 68722e7d3c release-checklist: Add a mastodon announce step. 2023-05-19 16:55:30 -07:00
Alex Vandiver 68c37c9d7b release-checklist: Adjust for the blogs being in Astro. 2023-05-19 16:55:30 -07:00
Alya Abbott 9ca00a1eff help: Document keyboard navigation for scheduling a message. 2023-05-19 16:53:31 -07:00
Tim Abbott 4be5ce97cb index: Move audio file HTML out of .app.
There's no compelling reason for these to be inside the container
element for the app's main screen UI.
2023-05-19 15:24:10 -07:00
Aman Agrawal d7528f6bbe index: Remove no longer used alert-bar-container.
This was used for the tutorial but was removed in
ebe959f2b0
2023-05-19 15:24:10 -07:00
Aman Agrawal 1171862bfd index: Move alert box out of `.app`.
This allows us to show alert box above navbar.
2023-05-19 15:24:10 -07:00
Aman Agrawal ca21eb7141 index: Move user-profile-modal outside `.app`.
Keeping it inside `.app` restricted its height and its ability to
draw over other elements.
2023-05-19 15:24:10 -07:00
Aman Agrawal bbd5431e18 index: Move informational-overlays outside .app.
This is how other overlays are managed, and will be important in
upcoming refactoring, since we don't want the overlay height to be
restricted by the height of the `.app`.
2023-05-19 15:24:10 -07:00
Alex Vandiver e6b1384a05 version: Update version and changelog after 6.2 release. 2023-05-19 16:58:55 -04:00
Lalit 7ac891a6b9 people: Add `version` parameter for medium sized avatar urls.
We need to append the `version` parameter when constructing the urls for
medium-sized images so that the browser updates the image in real time when
the user uploads a new avatar.

Fixes #25558.
2023-05-19 13:52:00 -07:00
Akarsh Jain 12db83b011 help: Open Help Center links in new tab for empty message lists.
This commit updates the Help Center links in all relevant empty message
list views to open in a new tab by default. This prevents users from being
navigated away from the app.

Fixes #25337.
2023-05-19 13:51:00 -07:00
Karl Stolley c2f6167c01 css: Remove superfluous grid- properties.
The use of named areas with `grid-area` makes it unnecessary to
declare `grid-row` or `grid-column` values. (Note also that
grid areas must not be presented in quotation marks.)

Additionally, because `.unread_marker` is no longer placed on the
grid by itself (i.e., it always accompanies `.date_unread_marker`
or `.message_unread_marker`), it does not need any manual grid
placement, `grid-area` or otherwise.
2023-05-19 13:48:16 -07:00
Aman Agrawal 9aa9f9b3c8 message: Separate unread marker of date_row from message.
This allows us to easily disable unread marker for date row of
the first unread message without producing any bugs.
2023-05-19 13:48:16 -07:00
Karl Stolley ef3289b73b css: Present message_row as CSS Grid.
This change enables the unread marker to participate as a grid item,
rather than the product of various absolute/relative positioning
hacks. The intention is to therefore prevent the blue active-message
box from disappearing on browsers that have zoomed out (~80% zoom).

With grid in place, this also makes for a more robust presentation
of each message row, and named grid areas should make it possible to
modify and extend the grid into the future.

Finally, this change removes styles that are no longer necessary in
the context of CSS Grid.
2023-05-19 13:48:16 -07:00
Tim Abbott 9c09edd7af ui_init: Fix loading spectators view.
18578cc5da broke the success code path.
2023-05-19 13:42:48 -07:00
Lauryn Menard 3cb6c9aea9 api-docs: Add examples to `realm_filters` event prose description.
Adds examples of the regex pattern and old URL string format to
the deprecated `realm_filters` event and register response field.
The examples are in the prose description since the events are
no longer sent and therefore no longer tested.
2023-05-19 13:23:07 -07:00
Lauryn Menard 03a2c2da6a api-changelog: Update and clarify docs for feature level 176 entry.
Revises API changelog entry for missing endpoint method and to
clarify the overall text.

Updates Changes notes for feature level 176 to not have repetitive
text, so that the updates were clearer and more concise.

The original commit with the changes related to this API changelog
entry is commit 268f858f39.
2023-05-19 13:23:07 -07:00
Sahil Batra 4c4caa7be4 CVE-2023-32677: Check permission to subscribe other users in invites.
This commit updates the API to check the permission to subscribe other
users while inviting.  The API will error if the user passes the
"stream_ids" parameter (even when it contains only default streams)
and the calling user does not have permission to subscribe others to
streams.

For users who do not have permission to subscribe others, the
invitee will be subscribed to default streams at the time of
accepting the invite.

There is no change for multiuse invites, since only admins are allowed
to send them, and admins always have the permission to subscribe
others to streams.
2023-05-19 16:13:32 -04:00
Mateusz Mandera a23b077b79 CVE-2023-28623: Prevent unauthorized signup with ldap + external auth.
Since 74dd21c8fa in Zulip Server 2.1.0, if:
- ZulipLDAPAuthBackend and an external authentication backend (any aside
  from ZulipLDAPAuthBackend and EmailAuthBackend) are the only ones
  enabled in AUTHENTICATION_BACKENDS in /etc/zulip/settings.py
- The organization permissions don't require invitations to join

...then an attacker can create a new account in the organization with
an arbitrary email address in their control that's not in the
organization's LDAP directory.

The impact is limited to installations which have the specific
combination of authentication backends described above, in addition to
having the "Invitations are required for joining this organization"
permission disabled.
2023-05-19 16:13:00 -04:00