panels: Show a banner for users with legacy desktop apps.

Users who are using ZulipDesktop or haven't managed to auto-update to ZulipElectron should be strongly encouraged to upgrade. We'll likely want to move to something even stricter that blocks loading the app at all, but this is a good start.
2025-11-04 14:03:30 +00:00 · 2020-02-28 00:55:29 -08:00
parent 7db3d4560f
commit d79a7a8c35
6 changed files with 40 additions and 1 deletions
--- a/static/js/panels.js
+++ b/static/js/panels.js
@@ -20,7 +20,9 @@ const get_step = function ($process) {
 exports.initialize = function () {
    // if email has not been set up and the user is the admin, display a warning
    // to tell them to set up an email server.
-    if (page_params.warn_no_email === true && page_params.is_admin) {
+    if (page_params.insecure_desktop_app) {
+        exports.open($("[data-process='insecure-desktop-app']"));
+    } else if (page_params.warn_no_email === true && page_params.is_admin) {
        exports.open($("[data-process='email-server']"));
    } else {
        exports.open($("[data-process='notifications']"));
--- a/templates/zerver/app/navbar.html
+++ b/templates/zerver/app/navbar.html
@@ -26,6 +26,16 @@
            </a>
        </div>
    </div>
+    <div data-process="insecure-desktop-app" class="alert alert-info red">
+        <span class="close" data-dismiss="alert" aria-label="{{ _('Close') }}">&times;</span>
+        <div data-step="1">
+            You are using an old, insecure version of the Zulip
+            desktop app that cannot auto-update.
+            <a class="alert-link" href="https://zulipchat.com/apps" target="_blank">
+                Download the latest version.
+            </a>
+        </div>
+    </div>
 </div>
 <div class="header">
    <nav class="header-main rightside-userlist" id="top_navbar">
--- a/zerver/tests/test_compatibility.py
+++ b/zerver/tests/test_compatibility.py
@@ -91,3 +91,13 @@ class CompatibilityTest(ZulipTestCase):
                self.assert_json_error(result, "Client is too old")
            else:
                assert False  # nocoverage
+
+    def test_insecure_desktop_app(self) -> None:
+        from zerver.views.compatibility import is_outdated_desktop_app
+
+        self.assertTrue(is_outdated_desktop_app('ZulipDesktop/0.5.2 (Mac)'))
+        self.assertTrue(is_outdated_desktop_app('ZulipElectron/2.3.82 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Zulip/2.3.82 Chrome/61.0.3163.100 Electron/2.0.9 Safari/537.36'))
+        self.assertFalse(is_outdated_desktop_app('ZulipElectron/4.0.0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Zulip/4.0.3 Chrome/66.0.3359.181 Electron/3.1.10 Safari/537.36'))
+        self.assertFalse(is_outdated_desktop_app('ZulipElectron/4.0.3 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Zulip/4.0.3 Chrome/66.0.3359.181 Electron/3.1.10 Safari/537.36'))
+
+        self.assertFalse(is_outdated_desktop_app('Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36'))
--- a/zerver/tests/test_home.py
+++ b/zerver/tests/test_home.py
@@ -91,6 +91,7 @@ class HomeTest(ZulipTestCase):
            "high_contrast_mode",
            "hotspots",
            "initial_servertime",
+            "insecure_desktop_app",
            "is_admin",
            "is_guest",
            "jitsi_server_url",
--- a/zerver/views/compatibility.py
+++ b/zerver/views/compatibility.py
@@ -87,3 +87,17 @@ def check_global_compatibility(request: HttpRequest) -> HttpResponse:
                and version_lt(user_agent['version'], android_min_app_version)):
            return json_error(legacy_compatibility_error_message)
    return json_success()
+
+def is_outdated_desktop_app(user_agent_str: str) -> bool:
+    user_agent = parse_user_agent(user_agent_str)
+    if user_agent['name'] == 'ZulipDesktop':
+        # The deprecated QT/webkit based desktop app, last updated in ~2016.
+        return True
+
+    if user_agent['name'] == 'ZulipElectron' and version_lt(user_agent['version'], '4.0.0'):
+        # Versions of the modern Electron-based Zulip desktop app with
+        # known security issues.  Versions before 2.3.82 won't
+        # auto-update; we may want a special notice to distinguish
+        # those from modern releases.
+        return True
+    return False
--- a/zerver/views/home.py
+++ b/zerver/views/home.py
@@ -24,6 +24,7 @@ from zerver.lib.streams import access_stream_by_name
 from zerver.lib.subdomains import get_subdomain
 from zerver.lib.users import compute_show_invites_and_add_streams
 from zerver.lib.utils import statsd, generate_random_token
+from zerver.views.compatibility import is_outdated_desktop_app
 from two_factor.utils import default_device

 import calendar
@@ -227,6 +228,7 @@ def home_real(request: HttpRequest) -> HttpResponse:
        debug_mode            = settings.DEBUG,
        test_suite            = settings.TEST_SUITE,
        poll_timeout          = settings.POLL_TIMEOUT,
+        insecure_desktop_app  = is_outdated_desktop_app(request.META["HTTP_USER_AGENT"]),
        login_page            = settings.HOME_NOT_LOGGED_IN,
        root_domain_uri       = settings.ROOT_DOMAIN_URI,
        max_file_upload_size  = settings.MAX_FILE_UPLOAD_SIZE,