The root pages for API, integrations and policies documentation
have a trailing slash for the canoncial URL, but the individual
articles on those pages do not have a trailing slash for the page
we want to mark as canonical.
Previously, closing a pull request by someone other than its creator could result in Zulip notifications attributing the action to the wrong user.
This change adds a focused test and a fixture capturing the case where the webhook sender differs from pull_request.user, ensuring the correct actor is mentioned for pull_request close events.
Follow-up to #36184.
Temporarily exclude Git from `test_integration_doc_endpoints`,
until the doc is updated.
The screenshot for this integration is added separately since this
adds a new screenshot for an integration whose doc is in the
python-zulip-api repo.
Since this breaks the sync between the docs and the screenshots, an
exclusion is added to make the tests pass.
Temporarily exclude jira-plugin from `test_integration_doc_endpoints`,
until the doc is updated.
The screenshot for this integration is added separately since this
adds a new screenshot for an integration whose doc is in the
python-zulip-api repo.
Since this breaks the sync between the docs and the screenshots, an
exclusion is added to make the tests pass.
The integration doc and the screenshot images are in different repos.
So, we cannot avoid going out of sync when adding or deleting image
files.
Added a new set to allow temporarily adding exclusions to the
`test_integration_doc_endpoints` test.
Added testing for unmatched screenshot configs and conflicting entries,
which can be caused by manual error, since the screenshot configs are
hardcoded.
Previously, the test would fail at the first missing occurrence, and
not report about any other missing files.
Now, all missing cases are collected and presented together in a single
error message, every run.
For video and audio call integrations.
The new category is a subset of the "Communication" category, as all
"Video calling" integrations are also listed under "Communication".
This prevents a development-mode-only directory traversal attack,
where the Django development server could be made to respond to
requests for `/user_avatars/../../../../../../etc/passwd`.
The production server is not affected by this vulnerability, as
nginx's configuration sets `PATH_INFO` to `$document_uri`, which is
normalized[^1] -- that is, by the time uwsgi and Django see it, the path
has been percent-decoded once, and all `../` path components have been
applied[^2].
Close this by explicitly normalizing the paths before comparing; the
`LOCAL_UPLOADS_DIR` side is unlikely to require normalization as well,
but is also normalized for consistency. The failure here is left as
an assertion failure, and not a JsonableError, because it only affects
the development server.
[^1]: https://nginx.org/en/docs/http/ngx_http_core_module.html#var_uri
[^2]: https://nginx.org/en/docs/http/ngx_http_core_module.html#location
In Django, when cleaning a form field, all validators are run on
the field and all validation error messages are all collected.
Updates our test for invalid email addresses when creating a new
realm to confirm all expected error messages from the various
validators that are run on that field.
In commit c7a08f3b77, we started setting the realm_creation field
in both the RegistrationForm and its superclass, RealmDetailsForm,
which was likely a copy and paste error.
Since we only need to set the realm_creation field once when
initializing the form fields, we set it in the RealmDetailsForm,
which also removes any confusion related to the comment about
removing extra kwargs in the RegistrationForm initialization.
Systems upgrading from 11.x will have 0753 and not 0752, while systems
upgrading from main may have 0752 and not 0753, so a merge migration
is required to smoothly handle upgrades from both states.
This clarifies which Slack bot token scopes the integration really uses.
Extraneous scopes are: `users:read.email`, `team:read`, and
`emoji:read`.
Fixes part of #30827.
Slack attachment urls with white spaces,
e.g. `https://example.com/some file.png`,
were rejected by `check_url`. We want to call `requote_url` to deal with
any url-quoting jankiness that may be present in the exported data.
1. `call` is a block type we've observed in the wild in a Slack export,
despite not being documented in
https://docs.slack.dev/reference/block-kit/blocks/
2. We already have the logic for converting `condition` block type below
in the function, but it was erroneously missing from the list of valid
types.
The user associated to a pull request is always its creator, however,
when closing a pull request, this can be the wrong actor. The paylod
contains the actor in the `sender` value, use this instead.
Django's Model.EmailField's default max_length is 254 characters,
while the Form.EmailField's default max length is 320 characters.
The longer valid length for form email fields raises an error
when an email with over 254 characters is validated and the server
attempts to create a preregistration user or realm.
Sets the max length on current form EmailFields to match the max
length on corresponding email fields in the database.
For the form MultiEmailField used on the find account/team page,
we don't need to set the max length to 254, but we don't expect
any emails longer than that to match any existing user accounts.
Adds tests in `zerver/tests/test_signup.py` for form submissions
with long email addresses.
The hardcoded content (topic and message) for the screenshot configs are
loaded from `fixtureless_integrations.py`. Add a new
FIXTURELESS_SCREENSHOT_CONFIG_OPTIONAL_FIELDS dict to maintain the
optional fields of fixtureless screenshot configs, and load both into
FIXTURELESS_SCREENSHOT_CONFIG.
This commit does not set any screenshot configs, but only adds the
framework.
This does not include any screenshot configs, just defining the format,
and loading FIXTURELESS_SCREENSHOT_CONFIG from the file.
Co-authored-by: Lauryn Menard <lauryn@zulip.com>
