Commit Graph

54728 Commits

Author SHA1 Message Date
Sahil Batra dc98136346 streams: Send stream deletion events on unsubscribing users.
This commit adds code to send stream deletion events when
unsubscribing non-admin users from private streams and
when unsubscribing guests from public streams since
non-admins cannot access unsubscribed private streams
and guests cannot access unsubscribed public streams.
2023-11-16 13:25:33 -05:00
Sahil Batra d4fb244d2d CVE-2023-47642: Invalid metadata access for formerly subscribed streams.
It was discovered by the Zulip development team that active users who
had previously been subscribed to a stream incorrectly continued being
able to use the Zulip API to access metadata for that stream. As a
result, users who had been removed from a stream, but still had an
account in the organization, could still view metadata for that
stream (including the stream name, description, settings, and an email
address used to send emails into the stream via the incoming email
integration). This potentially allowed users to see changes to a
stream’s metadata after they had lost access to the stream.

This bug was present in all Zulip releases prior to today's Zulip
Server 7.5.
2023-11-16 13:25:33 -05:00
Sahil Batra 3c8701ee36 streams: Add API endpoint to get stream email.
This commit adds a new API endpoint to get the stream email, which is
also used by the web app to get the email when a user tries to open
the stream email modal.

The stream email is returned only to the users who have access
to it. Specifically, for private streams only subscribed users
have access to the email. For public streams, all non-guest
users and only subscribed guests have access to the email.
All users can access the email of web-public streams.
2023-11-16 13:25:33 -05:00
Sahil Batra 432001656e streams: Remove "email_address" field from Subscription objects.
This commit removes the "email_address" field from Subscription objects;
instead, we would add a new endpoint in the next commit to get the email
address for a stream with a proper access check.

This change also fixes the bug where we would include the email address
for an unsubscribed private stream as well, when the user did not have
permission to send messages to the stream, and having the email allowed
the unsubscribed user to send messages to the stream.

Note that the unsubscribed user can still send messages to the stream
if the user had noted down the email before being unsubscribed
and the stream token is not changed after unsubscribing the user.
2023-11-16 13:25:33 -05:00
Tim Abbott e6102af351 Revert "lightbox_view: Fix media title update on change in title."
This reverts commit 273081d0a6.

This change broke the arrow key navigation in the lightbox.
2023-11-16 10:19:05 -08:00
David Rosa 21aa5d261a help: Document @ topic mentions.
Documents the new wildcard mention for topic participants, updating
and making tweaks to all relevant pages.

Fixes #27657.

Co-authored-by: Alya Abbott <alya@zulip.com>
2023-11-16 10:03:41 -08:00
Alya Abbott d87f47412b help: Define "participate" for automatically following topics.
Fixes #27721.
2023-11-16 10:02:51 -08:00
Prakhar Pratyush 135d7c03cc stripe: Add 'get_billing_page_context' method to 'BillingSession'.
This commit moves the main context creation part of the
'billing_home' view to a new shared
'BillingSession.get_billing_page_context' method.

This refactoring will help in minimizing duplicate code
while supporting both realm and remote_server customers.
2023-11-16 09:48:43 -08:00
Karl Stolley b04dd62f8a left_sidebar: Preserve DM layout when zoomed into more conversations. 2023-11-16 09:21:48 -08:00
David Rosa 0f157e7e2b docs: Update Spanish translation for "Narrow to".
The word "Filtrar" is ambiguous in this context since it can be
interpreted as "filter out" which is the opposite of what we want
here. "Buscar solo" is a better phrase that we can use unambiguously
and consistently for all instances of "Narrow to".
2023-11-16 09:15:54 -08:00
David Rosa 56a6eee656 help: Document changing home view from left sidebar.
Documents this new feature as a tip for the existing instructions.

Fixes #27655.
2023-11-16 09:15:36 -08:00
Mateusz Mandera 1819b85b85 management: Allow changing is_billing_admin using change_user_role. 2023-11-15 18:36:07 -08:00
Tim Abbott 49eed7540a i18n: Update translation data from Transifex. 2023-11-15 18:01:47 -08:00
Tim Abbott 7a6f288fab narrow: Move maybe_scroll_to_selected call.
This should now happen at the same time it did prior to this change,
without requiring the show_all_message_view wrapper to have any
business logic.

This fixes a potential scroll position bug in the event that
narrow.deactivate in fact calls itself recursively after a timeout.
2023-11-15 17:33:21 -08:00
Tim Abbott eabab840e9 narrow: Hide inbox/recent views inside deactivate.
We already do a very parallel construction in narrow.activate, so this
moves us towards being able to unify those code paths, while also just
being more readable by avoiding a small-but-important wrapper function
in hashchange.js.

I believe this fixes a bug where we were not saving scroll position in
browser history when navigating to "All messages" from another view.
2023-11-15 17:33:21 -08:00
Tim Abbott d505a3c8b7 hashchange: Fix duplicate hides of inbox/recent views.
Since at least 6ef0753a51, it's been the
case that narrow.activate already hides the inbox/recent views if
open, and the same is true for all messages.

Fixing the duplicate call is important in show_home_view, because
show_all_message_view relies on having an accurate value for whether the
recent/inbox views were already open in order to correctly update the
left sidebar.
2023-11-15 17:33:21 -08:00
Tim Abbott a3842584dd hashchange: Fix flicker when navigating to all messages.
Testing experimentally, removing the setTimeout seems to fix a visible
flicker when using Esc to navigate to "All messages" from the Inbox
view. That setTimeout has been moved around without real examination
since 5d79bb6a20 from early 2013; I
don't see any good reason why it would be necessary only in the
"All messages" code path, and not when narrowing to any other view.
2023-11-15 17:33:21 -08:00
Karl Stolley 62f5806f42 left_sidebar: Ensure All messages highlight on reload.
Co-Authored-By: Tim Abbott <tabbott@zulip.com>
2023-11-15 17:33:21 -08:00
Tim Abbott 0f01eae655 narrow: Simplify actively_scrolling data flow.
There's no good reason to have the caller of deactivate pass this
parameter in.

This effectively reverts a18b1662cb,
which did this as part of trying to avoid an import cycle, with a more
appropriate solution using the existing message_scroll_state module.

Importantly, it also means that we again wait for scrolls longer than
50ms to finish before opening All messages; I think this might fix a
regression.
2023-11-15 17:33:21 -08:00
Tim Abbott 03f3e17a40 narrow: Clarify first parameter to deactivate.
This previous parameter name was inaccurate, since that's not what the
caller is actually asserting for us.
2023-11-15 17:33:21 -08:00
Karl Stolley f17e4e7198 left_sidebar: Group view-highlight code together. 2023-11-15 17:33:21 -08:00
Anders Kaseorg c8784634e1 openapi: Remove unnecessary cast.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2023-11-15 17:10:48 -08:00
Anders Kaseorg 2fc327b775 compose_ui: Fall back to comma join when Intl.ListFormat is missing.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2023-11-15 15:51:33 -08:00
Anders Kaseorg f4e7a11c35 requirements: Upgrade Python requirements.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2023-11-15 15:27:54 -08:00
Anders Kaseorg a688e753de test_helpers: Fix logging in cursor_executemany mock.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2023-11-15 15:27:54 -08:00
Anders Kaseorg cb9a04d3e3 test_create_video_call: Add missing not None assertions.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2023-11-15 15:27:54 -08:00
Anders Kaseorg 7a4ca3135d stripe: Prepare to switch to stripe inline annotations.
https://github.com/stripe/stripe-python/wiki/Inline-type-annotations

Signed-off-by: Anders Kaseorg <anders@zulip.com>
2023-11-15 15:27:54 -08:00
Anders Kaseorg 2c9c105bbb db: Check connection type in wrapper_execute.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2023-11-15 15:27:54 -08:00
Anders Kaseorg 248ee82db0 migrations: Remove useless null argument for ManyToManyField.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2023-11-15 15:27:54 -08:00
Anders Kaseorg 9552014047 models: Include explicit app name in ManyToManyField reference strings.
https://github.com/typeddjango/django-stubs/issues/1802

Signed-off-by: Anders Kaseorg <anders@zulip.com>
2023-11-15 15:27:54 -08:00
Karl Stolley dd938911f7 compose_box: Set auto height on textarea in full screen. 2023-11-15 15:23:48 -08:00
Alya Abbott 681097fd43 docs: Update server roadmap documentation. 2023-11-15 12:46:10 -08:00
Karl Stolley 4493ee346d reactions: Set more explicit reaction-text setting. 2023-11-15 14:02:45 -06:00
Karl Stolley b374b21171 reactions: Set interactive hover delay on reaction Tippies.
This introduces a new INTERACTIVE_HOVER_DELAY of 425 milliseconds.
It's meant to be short enough that the tooltip's contents are
displayed without too much of a lag, but long enough that a quick
interaction--like +1'ing an existing emoji--happens without the
quick flash of the tooltip itself.
2023-11-15 14:02:45 -06:00
Karl Stolley 6fe49f93ad reactions: Redesign reaction button colors and style.
See CZO discussion:
https://chat.zulip.org/#narrow/stream/9-issues/topic/Reactions.20background.20color/near/1632171

Also:
https://github.com/zulip/zulip/pull/26580#issuecomment-1705734770

Co-Authored-By: Vlad Korobov <terpimost@gmail.com>
2023-11-15 14:02:45 -06:00
Karl Stolley ff9c931366 reactions: Nuke overwrought inherit declaration.
This is made unnecessary thanks to CSS variables.
2023-11-15 14:02:45 -06:00
Karl Stolley 534683a3ff reactions: Express reaction button colors as CSS vars. 2023-11-15 14:02:45 -06:00
Karl Stolley 474dcf60a2 reactions: Unify stream and DM colors, express as CSS vars. 2023-11-15 14:02:45 -06:00
Karl Stolley a929220d3c message_edit: Add styles for Save and Cancel buttons. 2023-11-15 10:41:51 -08:00
Karl Stolley 8bc12a4ee2 modal_buttons: Make exit button colors into CSS variables. 2023-11-15 10:41:51 -08:00
Karl Stolley f1a79085eb message_edit: Build basic multi-line layout for message editing. 2023-11-15 10:41:51 -08:00
Karl Stolley 6890c9d171 left_sidebar: Place unread count right of All DMs icon.
Also set a CSS variable for header-icon widths in the left sidebar.

Fixes: #27559
2023-11-15 10:07:04 -08:00
Karl Stolley 614abd58be left_sidebar: Place unread count right of stream controls.
Fixes: #27380
2023-11-15 10:07:04 -08:00
Karl Stolley 335790dae8 left_sidebar: Add unread streams count to Streams header. 2023-11-15 10:07:04 -08:00
Tim Abbott 2e2997bd7d typing: Limit typing notifications in large streams. 2023-11-15 09:42:25 -08:00
Prakhar Pratyush f8a0035215 stripe: Move `make_end_of_cycle_updates_if_needed` to BillingSession.
Moves the 'make_end_of_cycle_updates_if_needed' function to
the 'BillingSession' abstract class.

This refactoring will help in minimizing duplicate code while
supporting both realm and remote_server customers.

Since the function is called from our main daily billing cron job
as well, we have changed 'RealmBillingSession' to accept 'user=None'
(our convention for automated system jobs).
2023-11-15 09:26:41 -08:00
Karl Stolley 5accf36115 recent_view: Correct icon alignment within rows. 2023-11-15 09:05:47 -08:00
Karl Stolley 17e87c9a20 compose_box: Fix regression on full-screen Preview areas. 2023-11-15 09:04:54 -08:00
Karl Stolley c5b7432cf2 compose_box: Maintain top alignment in Preview mode. 2023-11-15 09:04:54 -08:00
N-Shar-ma bdba280c3d typeahead: Include wildcard mentions in typeahead for small streams.
We refactor the code checking if wildcard mentions are allowed by
renaming the pre-existing function `wildcard_mention_allowed` to
`wildcard_mention_allowed_in_large_stream`, adding a new function
`is_recipient_large_stream`, then redefining `wildcard_mention_allowed`
to combine these two functions.

Fixes: #27248.
2023-11-15 09:02:34 -08:00