This commit adds code to send stream deletion events when
unsubscribing non-admin users from private streams and
when unsubscribing guests from public streams since
non-admins cannot access unsubscribed private streams
and guests cannot access unsubscribed public streams.
It was discovered by the Zulip development team that active users who
had previously been subscribed to a stream incorrectly continued being
able to use the Zulip API to access metadata for that stream. As a
result, users who had been removed from a stream, but still had an
account in the organization, could still view metadata for that
stream (including the stream name, description, settings, and an email
address used to send emails into the stream via the incoming email
integration). This potentially allowed users to see changes to a
stream’s metadata after they had lost access to the stream.
This bug was present in all Zulip releases prior to today's Zulip
Server 7.5.
This commit adds new API endpoint to get stream email which is
used by the web-app as well to get the email when a user tries
to open the stream email modal.
The stream email is returned only to the users who have access
to it. Specifically for private streams only subscribed users
have access to its email. And for public streams, all non-guest
users and only subscribed guests have access to its email.
All users can access email of web-public streams.
This commit removes "email_address" field from Subscription objects
and we would instead a new endpoint in next commit to get email
address for stream with proper access check.
This change also fixes the bug where we would include email address
for the unsubscribed private stream as well when user did not have
permission to send message to the stream, and having email allowed
the unsubscribed user to send message to the stream.
Note that the unsubscribed user can still send message to the stream
if the user had noted down the email before being unsubscribed
and the stream token is not changed after unsubscribing the user.
Documents new wildcard mention for topic participants updating
and making tweaks to all relevant pages.
Fixes#27657.
Co-authored-by: Alya Abbott <alya@zulip.com>
This commit moves the main context creation part of the
'billing_home` view to a new shared
'BillingSession.get_billing_page_context' method.
This refactoring will help in minimizing duplicate code
while supporting both realm and remote_server customers.
The word "Filtrar" is ambiguous in this context since it can be
interpreted as "filter out" which is the opposite of what we want
here. "Buscar solo" is a better phrase that we can use unambiguously
and consistently for all instances of "Narrow to".
This should now happen at the same time it did prior to this change,
without requiring the show_all_message_view wrapper to have any
business logic.
This fixes a potential scroll position bug in the event that
narrow.deactivate in fact calls itself recursively after a timeout.
We already do a very parallel construction in narrow.activate, so this
moves us towards being able to unify those code paths, while also just
being more readable by avoiding a small-but-important wrapper function
in hashchange.js.
I believe this fixes a bug where we were not saving scroll position in
browser history when navigating to "All messages" from another view.
Since at least 6ef0753a51, it's been the
case that narrow.activate already hides the inbox/recent views if
open, and the same is true for all messages.
Fixing the duplicate call is important in show_home_view, because
show_all_message_view relies on having an accurate value for whether the
recent/inbox views were already open in order to correctly update the
left sidebar.
Testing experimentally, removing the setTimeout seems to fix a visible
flicker when using Esc to navigate to "All messages" from the Inbox
view. That setTimeout has been moved around without real examination
since 5d79bb6a20 from early 2013; I
don't see any good reason why it would make be necessary only in the
"All messages" code path, and not when narrowing to any other view.
There's no good reason to have the caller of deactivate pass this
parameter in.
This effectively reverts a18b1662cb,
which did this as part of trying to avoid an import cycle, with a more
appropriate solution using the existing message_scroll_state module.
Importantly, it also means that we again wait for scrolls longer than
50ms to finish before opening All messages; I think this might fix a
regression.
This introduces a new INTERACTIVE_HOVER_DELAY of 425 milliseconds.
It's meant to be short enough that the tooltip's contents are
displayed without too much of a lag, but long enough that a quick
interaction--like +1'ing an existing emoji--happens without the
quick flash of the tooltip itself.