Commit Graph

10816 Commits

Author SHA1 Message Date
Tomasz Kolek c4254497b2 Add WebhookTestCase abstract class for writing webhook tests.
This cuts a ton of code duplication and semi-duplication between the
webhook tests, and thus should make it a lot easier to write new ones.
2016-05-18 14:37:31 -07:00
Eklavya Sharma 016a2faa23 Make zproject/local_settings.py pass mypy check. 2016-05-18 17:10:18 +05:30
Eklavya Sharma 54759be785 Make zproject/local_settings_template.py pass mypy check. 2016-05-18 17:10:18 +05:30
Eklavya Sharma 70a94a5b23 Expand zproject/ in mypy exclude list. 2016-05-18 17:10:18 +05:30
Eklavya Sharma 6606c30355 Remove zilencer/models.py from mypy exclude list.
zilencer/models.py no longer gives an error on type checking with
mypy.
2016-05-18 17:10:18 +05:30
Eklavya Sharma 7c77522ce4 Make zerver/middleware.py pass mypy check.
This was done by reporting python/mypy#1540 and upgrading to the
latest version of mypy which has the fix for this.
2016-05-18 17:10:18 +05:30
Eklavya Sharma 98afe000ee Make zerver/lib/statistics.py pass mypy check. 2016-05-18 17:10:18 +05:30
Eklavya Sharma 0dcd8b387d Make zerver/lib/bugdown/fenced_code.py pass mypy check. 2016-05-18 17:10:17 +05:30
Eklavya Sharma 3441f0848c Annotate pg_backup_and_purge.py. 2016-05-18 17:10:17 +05:30
Eklavya Sharma 66bb6394e5 Make api/zulip/__init__.py pass mypy check. 2016-05-18 17:10:17 +05:30
Eklavya Sharma 46757f07bf Make zerver/lib/actions.py pass mypy check. 2016-05-18 17:10:17 +05:30
Eklavya Sharma 16067b7013 Make zerver/views/webhooks/jira.py pass mypy check. 2016-05-18 17:10:17 +05:30
Sumana Harihareswara 5f053e0047 Add remaining codebases to README.md.
The README should link to all the Zulip codebases. Also, it makes
sense to split up app code from integration and other glue code.

Fixes: #674.
2016-05-17 16:56:46 -07:00
Sumana Harihareswara 3d267a5438 Add doc-building dependencies to requirements.txt.
Fixes: #794.
2016-05-17 12:21:25 -07:00
Tim Abbott b38913c8f9 Upgrade sphinx version used in ReadTheDocs.
According to https://github.com/spatialaudio/nbsphinx/issues/26, this
should fix support for mixing rST and markdown in our docs.

Fixes #668.
2016-05-14 14:27:21 -07:00
Sumana Harihareswara 34d2c505e9 Fix typos in README.md. 2016-05-13 22:18:20 -07:00
Tim Abbott c3985520e5 webhooks: Remove unnecessary get_client imports. 2016-05-13 12:25:12 -07:00
Tomasz Kolek db7ea8b484 Move getting client to api_key_only_webhook_view.
This decreases the amount of convention developers need to understand
in order to write a new webhook integration.
2016-05-13 12:22:38 -07:00
Tim Abbott d55c3bd142 Add npm-debug.log to gitignore. 2016-05-12 16:32:51 -07:00
Tim Abbott 12b32d3889 check-py3: Display git status --porcelain output. 2016-05-12 16:30:58 -07:00
Tim Abbott aa7ff158b6 Reduce development environment RAM requirements by 750MB.
Since we merged cd2348e9ae more than a
month ago and haven't seen any noticable regresions as a result, it's
reasonable at this point to do a corresponding decrease in our
documented RAM requirements for the Zulip development environment.
2016-05-12 16:12:43 -07:00
Tim Abbott e7cb1e3f92 README.dev: Make 'official Zulip PPA' link to the PPA. 2016-05-12 15:38:02 -07:00
Tim Abbott efd24b374e analytics: Fix cnts variable reuse with different type.
Found using mypy.
2016-05-12 14:07:32 -07:00
Sumana Harihareswara 038c1ea20f Add integration project links to README.
The README should link to all Zulip-specific open source projects
so users know where to file bugs and code contributors can pitch
in.

Fixes: #674.
2016-05-12 13:45:20 -07:00
Tomasz Kolek f486e47d4d Change CircleCI logo on /integrations to leave off the name.
The name is already present in the label just below.
2016-05-12 13:14:18 -07:00
Umair Khan 99b73c2728 digest emails: Fix typo in remaining_unread_pms_count.
This error likely caused this feature to never trigger.
2016-05-12 13:09:37 -07:00
Umair Khan dfc58b0ed0 Upgrade digest email templates to Jinja2.
Fixes: #780
2016-05-13 01:01:28 +05:00
Tim Abbott 60722a8fce Integration guide: Add a note about spelling integraiton names. 2016-05-11 21:19:15 -07:00
Tomasz Kolek eeeb4d0c92 Add CircleCI integration.
Fixes: #617.
2016-05-11 21:17:37 -07:00
Tom 014fcf7570 README.dev.md: Add PPA instructions to get tsearch-extras.
Fixes #109.
2016-05-11 16:22:53 -07:00
Sumana Harihareswara c270b94b21 Fix formatting, grammar, and style in Yo integration docs. 2016-05-10 21:34:05 -07:00
Sumana Harihareswara 4c529cdf37
Update Getting Started With Hubot doc link. 2016-05-10 20:54:28 -04:00
Bert Muthalaly 261dac25a5 Fix skipping to latest messages (fast_forward_pointer).
The refactoring in b8ec8f5ef0 had a
slightly wrong URL.
2016-05-10 17:24:42 -07:00
Tim Abbott 2409ac9b2f cache: Add type annotations to active_*_dict_fields. 2016-05-10 11:48:03 -07:00
Tim Abbott f2aee961e1 test_auth_backends: Fix unused variables. 2016-05-10 11:46:39 -07:00
Tim Abbott 92bec8cfea Merge Zulip 1.3.12 security release. 2016-05-10 11:32:26 -07:00
Tim Abbott 90634356cb Add changelog for Zulip 1.3.12 release. 2016-05-10 09:51:49 -07:00
Tim Abbott 9b65464b6b logout_all_users: Add option to logout deactivated users. 2016-05-10 09:50:57 -07:00
Tim Abbott 393159bbd8 queue: Disable RabbitMQ heartbeat in BlockingConnection.
Fixes #741.
2016-05-10 09:50:57 -07:00
Tim Abbott 6f282581f7 requirements: Upgrade pika to version 0.10.0.
This is needed to fix RabbitMQ heartbeat issues that cause connections
to drop (#741).  It's also relevant for Python 3 support.
2016-05-10 09:50:57 -07:00
Tim Abbott d82e44ecd0 queue: Refactor Pika credentials code to be a bit cleaner. 2016-05-10 09:50:57 -07:00
Tim Abbott 620debc5fd Change PrincipalError to return status code 403 by default. 2016-05-10 09:50:57 -07:00
Tim Abbott 85c64c9f93 zulip_login_required: Add checks for active users and realms.
Like the recent change blocking JSON endpoints for deactivated users
and users in deactivated realms, this change is a hardening
improvement.  Those users should be unable to get an active session
anyway, but if somehow one is leaked, this means they won't be able to
access any user data.
2016-05-10 09:50:57 -07:00
Tim Abbott be216506a9 Improve api_fetch_api_key error messages.
Previously, api_fetch_api_key would not give clear error messages if
password auth was disabled or the user's realm had been deactivated;
additionally, the account disabled error stopped triggering when we
moved the active account check into the auth decorators.
2016-05-10 09:50:57 -07:00
Tim Abbott 52ddd500f0 Add tests for authentication backends. 2016-05-10 09:50:57 -07:00
Tim Abbott 38c82083de Add test suite for deactivated users. 2016-05-10 09:50:57 -07:00
Tim Abbott df7466e893 Add test suite for deactivate realms. 2016-05-10 09:50:57 -07:00
Tim Abbott 76814f37a3 decorators: Block access to JSON endpoints for deactivated users.
While in theory users should be unable to get a valid session in order
to access these endpoints in the first place, this provides an extra
layer of hardering to prevent a deactivated user with a session from
accessing data via the old-style JSON API.
2016-05-10 09:50:57 -07:00
Tim Abbott b28b3cd65c CVE-2016-4427: Fix access by deactivated realms/users.
The security model for deactivated users (and users in deactivated
realms) being unable to access the service is intended to work via two
mechanisms:

* All active user sessions are deleted, and all login code paths
  (where a user could get a new session) check whether the user (or
  realm) is inactive before authorizing the request, preventing the
  user from accessing the website and AJAX endpoints.
* All API code paths (which don't require a session) check whether the
  user (and realm) are active.

However, this security model was not implemented correctly.  In
particular, the check for whether a user has an active account in the
login process was done inside the login form's validators, which meant
that authentication mechanisms that did not use the login form
(e.g. Google and REMOTE_USER auth) could succeed in granting a session
even with an inactive account.  The Zulip homepage would still fail to
load because the code for / includes an API call to Tornado authorized
by the user's token that would fail, but this mechanism could allow an
inactive user to access realm data or users to access data in a
deactivated realm.

This fixes the issue by adding explicit checks for inactive users and
inactive realms in all authentication backends (even those that were
already protected by the login form validator).

Mirror dummy users are already inactive, so we can remove the explicit
code around mirror dummy users.

The following commits add a complete set of tests for Zulip's inactive
user and realm security model.
2016-05-10 09:50:48 -07:00
Tim Abbott b31ac1eca9 Fix users in deactivated realms sending webhook messages.
In a deactivated realm, webhooks would still successfully send
messages, since there was no check for whether the realm was active in
api_key_only_webhook_view.
2016-05-10 09:50:48 -07:00