Commit Graph

35265 Commits

Author SHA1 Message Date
Steve Howell beaf488eeb ui: Make selectors more specific for message hover.
The hover values here should not apply to draft
messages, for example.
2020-04-02 16:57:01 -07:00
Dinesh 8062192759 tests: Add realm creation test using puppeteer. 2020-04-02 15:37:12 -07:00
Hashir Sarwar 1d3827d518 lightbox: Extract image parsing logic from lightbox.open().
Moved the parsing logic to a new function `parse_image_data()`.

Part of #14152.
2020-04-02 15:12:00 -07:00
shubhamgupta2956 793c3f25e7 api_docs: Migrate POST /zulip-outgoing-webhook.
This commit migrates zulip outging webhook payload to
/zulip-outgoing-webhook:post in OpenAPI.

Since this migrates the last payloads from api/fixtures.json to
OpenAPI, this commit removes api/fixtures.json file and the functions
accessing the file.

Tweaked by tabbott to further remove an unnecessary conditional.
2020-04-02 14:55:32 -07:00
shubhamgupta2956 6ebf408fc4 api_docs: Migrate POST /rest-error-handling.
This commit migrates payload of errors which are common to many endpoints
to /rest-error-handling:post in OpenAPI.
2020-04-02 14:48:29 -07:00
Steve Howell a9a16932ec condense: Clean up continue/else/if idiom.
If an `if` calls continue, then you don't need
the clutter of an `else`.  (I wonder if eslint
can enforce these the same way it does for
return/else.)
2020-04-02 14:44:35 -07:00
Steve Howell ca9a416e38 Use early-continue for condense_and_collapse loop.
This just flattens the code a bit.
2020-04-02 14:44:35 -07:00
Steve Howell 249c19b7df condense: Skip over invalid content.
We were defending against `content` being undefined,
which is impossible, instead of checking the length
of the jQuery object.
2020-04-02 14:44:35 -07:00
Steve Howell 5245aa457f condense/resize: Fix blueslip errors from drafts.
The selector we were passing to `condense_and_collapse`
included rows from our drafts UI, which don't have
zids and don't play nice with condense/collapse code
(which expects message ids for settings things like
`.condense` flags).

Now we just use a better selector.
2020-04-02 14:44:35 -07:00
Steve Howell 02947d6b41 blueslip: Protect against drafts pitfall for rows.id.
If folks use an overly broad selector for message rows,
they will accidentally include drafts from the drafts
dialog, which won't have zids.  More specific selectors
will be more efficient and possibly prevent strange
behaviors.

For testing convenience, we extract the message.
2020-04-02 14:44:35 -07:00
Tim Abbott 5eb5b6a5ad import: Make sure the internal realm is created before import.
This is critical for importing the very first realm into an empty
server, since in 27b15a9722, we changed
the model to create the internal realm when the first real realm would
be created, but neglected the data import code path.
2020-04-02 14:34:32 -07:00
Steve Howell 8315eee046 message edit: Handle escape key more nicely.
We now handle the esc key completely within the
keydown handler that we already have for message
editing.  We allow escape to work no matter what
the focused element is within an edited message,
and we blur that element properly and end the
edit.

We remove all the strange, duplicated logic
from hotkey.js.

This should also fix a blueslip error where the
hotkey code was passing message_edit a jQuery
element with zero length.

Fixes the traceback reported in #14151, though we should still look at
the DOM cleanup discussed there.
2020-04-02 14:32:11 -07:00
Tim Abbott 0f5dcd5d84 version: Update for Desktop 5.0.0 release.
This just affects the /apps download page.
2020-04-01 22:59:30 -07:00
Mateusz Mandera 5252b081bd queue_processors: Gather statistics on queue worker operations. 2020-04-01 16:44:06 -07:00
brendon f65e6d0d94 sgrep: Install syntactic code search tool as an external linter.
Add sgrep (sgrep.dev) to tooling and include simple rule as
proof of concept. Included rule detects use of old django render
function.

Also added a rule that looks for if-else statements where both
code paths are identical.
2020-04-01 15:08:34 -07:00
Steve Howell f6503a4061 validation: Use JsonableError for extractors.
The distinction between ValueError and TypeError
is not useful in these functions:

    - extract_stream_indicator
    - extract_private_recipients (or its callees)

These are always invoked in views to validate
user input.

When we use REQ to wrap the validators, any
Exception gets turned into a JsonableError, so
the distinction is not important.

And if we don't use REQ to wrap the validators,
the errors aren't caught.

Now we just let these functions directly produce
the desired end result for both codepaths.

Also, we now flag the error strings for translation.
2020-04-01 15:01:19 -07:00
Ryan Rehman 5a5fc6caa1 stream edit: Fix real-time sync of stream notification setting.
The UI in the `#settings/notifications` page is updated similarly
to what is done in the `update_global_notifications` path present
in the `server_events_dispatch` file.
2020-04-01 14:40:41 -07:00
Ryan Rehman 7d39d7b17f settings_config: Move Stream level notification settings. 2020-04-01 14:40:41 -07:00
Ryan Rehman 58d06f3911 settings_config: Move Realm level notification settings.
We make `all_notifications` a function to avoid a
require-time dependency on page_params.
2020-04-01 14:40:41 -07:00
Ryan Rehman 39577b58ba stream settings: Display success/failure status for edits.
We have an alert for when the stream name is changed.
This also adds an alert when subscription settings
are updated and the widget is similar to that used in
the settings page.

This is also necessary because the stream specific
notification settings UI updation goes through this
path and it is necessary to display a confirmation
to match with other settings confirmation pattern.
2020-04-01 14:40:41 -07:00
Ryan Rehman 412eb6f1cb css: Refactor `.alert-notification`.
Since each element containing the `.alert-notification`
class has a predefined area that wont overlap with any
other element, we make changes to the CSS so that it
just stays hidden until the text appears.
2020-04-01 14:40:41 -07:00
Ryan Rehman 95c97e4a46 css: Use SCSS nesting for `.alert-notification`.
We also remove the `#settings_page` container as there
are plans to reuse the above class in the stream edit
page as well.
2020-04-01 14:40:41 -07:00
Ryan Rehman c59997b148 templates: Extract subscription_privacy partial template. 2020-04-01 14:40:41 -07:00
Tim Abbott 3983bf21ac docs: Update changelog for 2.1.3 release. 2020-04-01 14:01:45 -07:00
Anders Kaseorg 1c8950900f frontend: Defensively filter unsafe links that may come from bugdown.
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-01 14:01:45 -07:00
Anders Kaseorg 2d45308546 CVE-2020-10935: Fix XSS vulnerability in local link rewriting.
Make sure rewrite_local_links_to_relative does not accidentally change
the meaning of links.

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-01 14:01:45 -07:00
Anders Kaseorg 4f748fb627 markdown: Stop setting target="_blank".
This setting is being overridden by the frontend since the last
commit, and the security model is clearer and more robust if we don't
make it appear as though the markdown processor is handling this
issue.

Co-authored-by: Tim Abbott <tabbott@zulipchat.com>
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-01 14:01:45 -07:00
Anders Kaseorg 68cfcd6446 CVE-2020-9444: Prevent reverse tabnabbing attacks.
While we could fix this issue by changing the markdown processor,
doing so is not a robust solution, because even a momentary bug in the
markdown processor could allow cached messages that do not follow our
security policy.

This change ensures that even if our markdown processor has bugs that
result in rendered content that does not properly follow our policy of
using rel="noopener noreferrer" on links, we'll still do something
reasonable.

Co-authored-by: Tim Abbott <tabbott@zulipchat.com>
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-01 14:01:45 -07:00
Tim Abbott e3a4aeeffa CVE-2020-9445: Remove unused and insecure modal_link feature.
Zulip's modal_link markdown feature has not been used since 2017; it
was a hack used for a 2013-era tutorial feature and was never used
outside that use case.

Unfortunately, it's sloppy implementation was exposed in the markdown
processor for all users, not just the tutorial use case.

More importantly, it was buggy, in that it did not validate the link
using the standard validation approach used by our other code
interacting with links.

The right solution is simply to remove it.
2020-04-01 14:01:45 -07:00
Tim Abbott 17723b1617 version: Move minimum desktop version configuration to version.py.
This makes it relatively easy for a system administrator to
temporarily override these values after a desktop app security
release that they want to ensure all of their users take.

We're not putting this in settings, since we don't want to encourage
accidental long-term overrides of these important-to-security values.
2020-04-01 13:23:08 -07:00
Tim Abbott f572bf50f5 message_list_view: Suppress exceptions for missing mention users.
If we can't find data on a mentioned user to update its full_name to
the current value, we'll have to go with the value in the message
itself.

This can happen if e.g. we hard-deleted the originally mentioned user
from the database (which can sometimes happen after a "delete my
account completely" request).
2020-03-31 17:56:12 -07:00
Ryan Rehman 9cb2475b53 notification_settings: Display streams that differ.
The user has an option for setting global
notification settings as well as the same settings
for individual streams. Currently the user has to
keep track of each unmatched stream and then visit
each individual stream whose settings he wants to
update.

Thus this adds a dedicated UI table allowing the user
to view and update the notifications of the specific
streams which differs from the global settings.
It is located on the same page where the user defined
global notification settings can be modified.

Fixes #9228.
2020-03-31 15:57:47 -07:00
Ryan Rehman e845b2364f refactor: Remove redundant block in `stream_edit.stream_setting_clicked`.
Currently we are updating the checkbox UI as soon as the user clicks.
This block is removed to match with the pattern of rest of the
properties in the stream edit page where `stream_events.update_property`
is responsible for updating the UI after a successful server response.
2020-03-31 15:36:59 -07:00
Ryan Rehman c759083cb8 notification settings: Add helper function for stream notifications.
This function returns a list of objects to create a
list_render object, and each item contains the streams
whose atleast one notification setting differs from the
default set by the user.

This is done by comparing the global settings in the
`#settings/notifications` page with those settings
present in the subscribed streams.

Work towards #9228.
2020-03-31 15:36:59 -07:00
Tim Abbott 0f238f29fb unread: Remove suppress_unread_counts flag.
This flag was used to delay unread count updates while the bankruptcy
modal was visible.  Now that bankrupcty is no longer a modal, we don't
need this flag at all.
2020-03-31 15:30:52 -07:00
majordwarf e85e598e56 bankruptcy: Migrate from modal view to top-of-page panel.
Switched to top-of-page prompt to make it natural to fit in with other
notifications. As we switch to panel-based prompt, templates for the
bankruptcy modal are moved along with its usage in application's
homepage.

We include a bit of delay before reloading to make it easy for the
user to read the "Marking all messages as read" banner before it is
covered by the "Reloading..." notice in environments where the reload
is fast.

Fixes #3347.
2020-03-31 15:30:37 -07:00
sahil839 3cea9ce1c4 stream_edit: Fix closing settings overlay after closing modals.
When stream_post_policy modal is closed either after saving or using
cancel button or cross button, the pointer-events is set to none which
does not allow to close the stream settings overlay on one click.

Added overlay.close_modal on saving such that pointer-events:none is
removed.

Added line which removes pointer-events:none again on clicking cancel
button or close icon.
2020-03-31 15:15:11 -07:00
sahil839 e43614debd overlays: Extract methods for disabling and enabling mouse events.
This is a prep commit which extracts the part of the code in open_modal
and close_modal to separate methods which adds inline style of
pointer-events to enable/disable the background mouse events.

Block comments are added for easy understanding of reader.
2020-03-31 15:12:44 -07:00
arpit551 a2dd1fad12 provision: switch Focal to use PGroonga from PPA.
Since Groonga packages for Ubuntu 20.04 Focal are now available
in their ppa so stopped building pgroonga from source.
2020-03-31 15:02:31 -07:00
Anders Kaseorg 9d75eb0ad5 install-shellcheck: Check the tarball’s SHA-256 hash.
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-03-31 15:01:54 -07:00
Siddharth Varshney 3b3f9b0b8a portico: Fix the position and size of overflow for small size devices.
Fixes: #8424
2020-03-31 15:00:26 -07:00
Rohitt Vashishtha 4a0fe4606a tests: Print test-case name in all test failures in fixtures.
Previously, we only printed the test-case when we had an assertion error.
With this change, we also include timeout errors as well as any other
causes for failure.
2020-03-31 14:57:18 -07:00
Steve Howell dd8958e0cd minor: Move then_log_in next to then_log_out. 2020-03-31 10:57:08 -04:00
Steve Howell 3dde4a70d2 capser: Extract wait_for_text().
Before this we were monkey-patching in the
function `waitForSelectorText` into the
`casper` namespace, but only if you called
`common.initialize_casper`.

This would cause confusion if you expected
that function to be documented by Casper.

Now we just add the helper to `common` in
the `common` namespace.

We also avoid having to reason about what
`this` means by just using `casper` inside
the implementation of `wait_for_text` now.
And we don't bother with a return code that
none of our callers were using, anyway.
2020-03-31 10:57:08 -04:00
Steve Howell 05f52f0de6 casper: Remove unused args/params in helpers.
We remove `credentials` or `viewport` as either
arguments or parameters in several places, based
on their callee or caller not using them.
2020-03-31 10:57:08 -04:00
Steve Howell 35d12c55d1 casper: Remove phantom_page_loaded code.
We removed the phantom_page_loaded logic in
b13265d135
(July 2017).

Now we just say that the page is loaded
to the console, which can possibly help
us debug glitches where the tests are
executing too early.
2020-03-31 10:57:08 -04:00
Steve Howell c0782f525a casper test: Refine --loop mode.
We added a really nice feature recently,
called `--interactive`, which lets you loop
through Casper tests without having to restart
it every time.

I am renaming it to `--loop` and adding a few
features:

- The first loop will just run without you having
  to tell it to start.  (This means you don't have
  to sit there while waiting for webpack to finish
  and for the server to start, just to launch
  the tests again.)

- You specify how many loops you want to run,
  which means in the success case, it won't
  just keep going forever--it will eventually
  stop, giving you an opportunity to refine
  the test further without re-launching.
2020-03-31 10:57:08 -04:00
Steve Howell 6b946e4d05 casper: Clean up message helpers.
We now trim the headers inside of
`get_rendered_messages`, since any
sane caller of that function just
wants nicely trimmed headers.

(Note that we're now doing the
string manipulation inside of
Zulip code, not Casper code, which
is why I didn't reuse normalize_spaces.)
2020-03-31 10:57:08 -04:00
Mateusz Mandera 34f1f577f2 forms: Show user.delivery_email in password reset form.
.email shows the dummy userXXXX@domain.com style email, which is
will be confusing for users and is most likely an unintentional bug.
2020-03-30 16:41:46 -07:00
Tim Abbott 724fcc74e8 help: Improve documentation on importing exported organizations.
This should help avoid confusion where some users used the Zulip
backup tool, not the import tool, to try to import their backups.
2020-03-30 13:25:03 -07:00