This commit prevents the save button in the save discard widget from
showing the "Saved" label when the user has made some other changes
in the settings while the saving process was in action — which resulted
in the "Save changes" label in the save button, and thus shouldn't be
replaced with "Saved".
This commit also fixes the failing puppeteer tests in
`web/e2e-tests/admin.test.ts` which were introduced in #34081.
(cherry picked from commit 7b45ff50ba)
Sometimes, in slower connections, Tornado long-polling callback can
reach the client at almost exactly the same time as the success
response, making the prediction of which arrives first
non-deterministic. Due to this, the server event call responsible for
syncing the realm settings across multiple users would sometimes take
over and hide the save discard widget before the success callback
from `/json/realm` could show the "saved" state in the button.
This commit fixes this issue by blocking the "discarded" state from
hiding the save discard widget when the save button is already in the
"saving" or "succeeded" state, since in those conditions the visibility
of the save discard widget would anyways be handled by a "failed" or
"succeeded" state.
(cherry picked from commit 83c5733144)
This commit updates the save button style in the settings component to
ensure that the button appears as a borderless attention + success
intent action button alongside the "Saved" label, when an updated
setting is saved.
(cherry picked from commit b115368a81)
This commit moves the ComponentIntent type to types.ts since it is
common across all the components, and also moves the ActionButton type
from banners.ts to buttons.ts since it is specific to the button
component.
On top of that, the commit also updates the type declarations to be
based off of array declarations to make it easier to modify them
programmatically.
(cherry picked from commit 203ca08446)
This commit updates the save and discard buttons in the setting modals
to use redesigned button styles along with the new loading indicator.
(cherry picked from commit 6bf2887991)
Earlier, permission in edit panel of channel settings was not the
same as that of org permission, specifically for public channel
option.
This commit fixes that by updating the privacy option state.
Fixes: zulip#34526.
(cherry picked from commit fdf7bc0888)
Earlier, in `get_raw_unread_data` the ordering was applied inside
the CTE.
Once we leave the CTE scope and do a join, SQL makes no promise
about preserving the row order unless we re-specify ORDER BY in
the outer query.
Since there was no ORDER BY clause in the outer query, it was
resulting in a random ordering of the entries. This bug was caught
by `test_unreads_case_insensitive_topics` failing in a flaky way.
This commit fixes the bug.
(cherry picked from commit ccc82976dc)
Fetching a subscription and then checking if it exists was taking too
much space in a test and making it feel convoluted. We're planning to
check it more in future commits.
(cherry picked from commit 6baa106460)
In #34510 we fixed the underlying bug in the ldap integration, which
would cause users to end up with their system group memberships not
matching their .role value. However, users who may already be in that
state still need to be fixed through a migration. We implement that
here.
There are two things we fix here:
1. Group memberships. The user should have a direct group membership
for the specific system group implied by their .role.
2. We want to also add the missing RealmAuditLog entry.
This was broken, due to the mechanism simply using our
is_guest/is_realm_admin/etc. role setters, but failing to adjust system
group memberships - resulting in corrupted database state.
We need to ensure that change_user_role is called for setting user role.
There are two relevant codepaths that run the sync based on
AUTH_LDAP_USER_FLAGS_BY_GROUP and thus need to get this right:
1. manage.py sync_ldap_user_data
2. Just-in-time user creation when a user without a Zulip account logs
in for the first time using their ldap credentials. After
get_or_build_user returns, django-auth-ldap sees that the user
account has just been created, and proceeds to run ._populate_user().
Now that both user.save() and do_change_user_realm will be getting
called together, we need to ensure this always happens atomically.
This imposes the need to override _get_or_create_user to put it in a
transaction. The troublesome consequence is that this new
`atomic(savepoint=False)` causes the usual type of issue, where tests
testing error get their transaction rolled back and cannot continue
executing.
To get around that, we add a test helper
`artificial_transaction_savepoint` which allows these tests to wrap
their problematic blocks in an artificial transaction which provides a
savepoint, thus preventing the full test transaction rollback derailing
the rest of the test.
Without these overrides, we cannot test the functionality in DEVELOPMENT
and TESTING.
There are two codepaths that we're covering here:
1. The sync which happens via `sync_ldap_user_data`.
2. The sync which happens during just-in-time user creation upon first
login via ldap.
Both codepaths end up triggering ldap_user._get_or_create_user().
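An added example, not code from the Zulip repository: a planner that compares each user's role with their direct system group memberships and lists what a repair would have to add, which stale role groups it would report, and that an audit entry is owed. The role codes, group names and sample rows are assumptions constructed for illustration.

```python
from __future__ import annotations

# Assumed role codes and system group names, for illustration only.
ROLE_GROUP = {
    100: "role:owners",
    200: "role:administrators",
    300: "role:moderators",
    400: "role:members",
    600: "role:guests",
}
ROLE_GROUPS = set(ROLE_GROUP.values())


def plan_repairs(roles: dict[int, int], direct: dict[int, set[str]]) -> dict[int, dict]:
    """Return {user_id: repair} for users whose role group does not match .role."""
    plan: dict[int, dict] = {}
    for user_id, role in sorted(roles.items()):
        expected = ROLE_GROUP.get(role)
        if expected is None:
            # Unknown role code: report it instead of guessing a group.
            plan[user_id] = {"error": f"unknown role {role}"}
            continue
        # Only role-derived groups are compared; other groups are left alone.
        held = direct.get(user_id, set()) & ROLE_GROUPS
        if held == {expected}:
            continue
        plan[user_id] = {
            "add": None if expected in held else expected,
            # A stale higher-privilege group is the dangerous half of the drift.
            "remove": sorted(held - {expected}),
            "audit_entry_needed": True,
        }
    return plan


# Constructed sample: roles set by an LDAP flag sync, groups never adjusted.
SAMPLE_ROLES = {1: 200, 2: 400, 3: 400, 4: 600}
SAMPLE_DIRECT = {
    1: {"role:members"},                      # promoted, group not updated
    2: {"role:members", "role:fullmembers"},  # consistent
    3: {"role:administrators"},               # demoted, still in admin group
    4: set(),                                 # no role group at all
}

if __name__ == "__main__":
    for uid, fix in plan_repairs(SAMPLE_ROLES, SAMPLE_DIRECT).items():
        print(uid, fix)
```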
When an ldap user is signing up via the registration form, they are
required to enter their ldap password. This is in contrast to "regular"
password signup, where the user sets the password for their new account.
Checking password strength makes sense in the latter case, but not in the
ldap case - the password is already set at the ldap level after all.
In any case, the password_strength validator is not even added to the
form field with `id="ldap-password"`, so this was bugged throwing errors
such as
```
TypeError: $.validator.methods[method] is undefined. Exception occurred when checking element ldap-password, check the 'password_strength' method. at http://localhost:9991/webpack/vendors-node_modules_pnpm_jquery-validation_1_21_0_jquery_3_7_1_node_modules_jquery-validatio-b912f7.js:810
at check .pnpm/jquery-validation@1.21.0_jquery@3.7.1/node_modules/jquery-validation/dist/jquery.validate.js:803
at element .pnpm/jquery-validation@1.21.0_jquery@3.7.1/node_modules/jquery-validation/dist/jquery.validate.js:510
at onfocusout .pnpm/jquery-validation@1.21.0_jquery@3.7.1/node_modules/jquery-validation/dist/jquery.validate.js:310
at delegate .pnpm/jquery-validation@1.21.0_jquery@3.7.1/node_modules/jquery-validation/dist/jquery.validate.js:441
at dispatch .pnpm/jquery@3.7.1/node_modules/jquery/dist/jquery.js:5145
at ../node_modules/.pnpm/jquery jquery/dist/jquery.js?1d73/</add/elemData.handle@http://localhost:9991/webpack/vendors-node_modules_pnpm_error-stack-parser_2_1_4_node_modules_error-stack-parser_error-stac-967546.js:16502
at trigger .pnpm/jquery@3.7.1/node_modules/jquery/dist/jquery.js:8629
at simulate .pnpm/jquery@3.7.1/node_modules/jquery/dist/jquery.js:8698
at focusMappedHandler .pnpm/jquery@3.7.1/node_modules/jquery/dist/jquery.js:5574
```
when interacting with the form.
Zulip supports a configuration where account creation is limited solely
by being able to authenticate with a single-sign on authentication
backend, such as Google Authentication, SAML, or LDAP (i.e., the
organization places no restrictions on email address domains or
invitations being required to join, but has disabled the
EmailAuthBackend that is used for email/password authentication).
A bug in the Zulip server meant that Zulip allowed users to create an
account in such organizations by confirming their email address, without
having an account with the SSO authentication backend.
Co-authored-by: Tim Abbott <tabbott@zulip.com>
Opening settings and stream settings UI was not working for guests
if they could not access all users. This was because is_person_active
did not handle inaccessible users correctly, if they were not added in
the users data, when being called in get_group_members to render
group pills.
(cherry picked from commit 4f80823191)
When user cannot type in the input, because of contenteditable
being set to "false", typeahead should not be shown when clicking
on the input element.
(cherry picked from commit 3739081792)
Previously, we showed confirmation modal when user was unsubscribing
themselves from the private stream from "Unsubscribe" button in
subscribers list, even when user had the permission to subscribe
to the stream again.
This commit fixes it to not show the confirmation modal if user
has permission to subscribe again. We already have same behavior
when user tries to unsubscribe from the button present at the
right of tabs.
(cherry picked from commit 722d501107)
We no longer archive the stream when private stream becomes
vacant, so removed that part from the warning.
When a private stream becomes vacant, everyone in the organization
can lose content access to it if no one has permission to subscribe
themselves or others to the stream. So, the warning is updated to
mention this.
(cherry picked from commit d3c06234e2)
This works around tus/tusd#322, which in turn is caused by
aws/aws-sdk-go-v2#1816. This requires separate authentication via
service account key.
Fixes: #34186.
(cherry picked from commit e1aa8b1cb0)
We have filtered the group in the get_user_groups argument of
set_up_pill_typeahead. We could have done it in `set_up_combined` but
that would have made that function non-generic and specific to these two
settings. We could also have filtered it in get_all_realm_user_groups by
adding an argument on whether to exclude it or not, but that would have
been very hard to read and track. This seemed like the better of the
options we had.
Fixes https://chat.zulip.org/#narrow/channel/9-issues/topic/.22Nobody.22.20group.20in.20UI.20to.20add.20subscribers.2Fgroup.20members
(cherry picked from commit 349e88adc6)
The tusd protocol allows DELETE requests ("terminations") at any
point, including after a file has successfully been uploaded. This
can allow tusd to remove a file from the bucket, out from under Zulip.
We use the new-in-2.7.0 pre-terminate hook to look up the file which
the client is requesting to terminate, and reject the termination if
it is a file that the Zulip database is already aware of.
(cherry picked from commit cf51013bb7)
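An added sketch of the decision such a pre-terminate hook makes, not Zulip's own handler: termination is rejected when the upload's storage key is already known to the application, and also when the hook body cannot be parsed. The JSON field names (`Type`, `Event.Upload.Storage.Key`, `RejectTermination`, `HTTPResponse`) are assumed from tusd's v2 hook format and should be checked against the tusd documentation; the key set and sample bodies are constructed.

```python
from __future__ import annotations

import json

REJECT = {
    "RejectTermination": True,
    "HTTPResponse": {"StatusCode": 403, "Body": "upload is already attached"},
}


def upload_key(hook: dict) -> str | None:
    """Pull the object key out of the hook, tolerating missing or odd fields."""
    node = hook
    for field in ("Event", "Upload", "Storage"):
        node = node.get(field) if isinstance(node, dict) else None
    key = node.get("Key") if isinstance(node, dict) else None
    return key if isinstance(key, str) and key else None


def handle_hook(body: bytes, known_keys: set[str]) -> dict:
    """Return the hook response body for one tusd hook request."""
    try:
        hook = json.loads(body)
    except ValueError:
        return REJECT  # fail closed: never allow a delete we cannot identify
    if not isinstance(hook, dict):
        return REJECT
    if hook.get("Type") != "pre-terminate":
        return {}  # other hook types are not decided here
    key = upload_key(hook)
    if key is None or key in known_keys:
        return REJECT
    return {}  # in-progress upload the database has never recorded


# Constructed sample: keys the application database already references.
KNOWN_KEYS = {"2/ab/cdEFgh/report.pdf"}


def sample_hook(key: str) -> bytes:
    event = {"Upload": {"ID": "constructed-id", "Storage": {"Key": key}}}
    return json.dumps({"Type": "pre-terminate", "Event": event}).encode()


if __name__ == "__main__":
    print(handle_hook(sample_hook("2/ab/cdEFgh/report.pdf"), KNOWN_KEYS))
    print(handle_hook(sample_hook("2/zz/partial/upload.bin"), KNOWN_KEYS))
```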
This provides access logging metrics to Prometheus. For cardinality
reasons, we cannot (nor would we want to) put every request path into
its own label value -- but we do separate out the most-frequent access
paths (as well as some low-frequency but high-interest ones) into
their own label values.
In order to differentiate accesses to https://zulip.com/ from
https://example.zulipchat.com/ (both of which appear at path `/`), we
use a `grok_exporter.realm_names_regex` value in `zulip.conf`, which
is expected to be set to match the hostname of all possible realms.
(cherry picked from commit 840fa74854)
To prevent the restore tooltip of a message from being displayed outside
the overlay, we define a boundary, outside which the tooltip
cannot exist. Popper library is smart enough to render the tooltip
correctly by respecting the provided boundary and flipping the
tooltip placement if required.
(cherry picked from commit cd439c0232)
The type_id is the id of a UserProfile, Stream, or DirectMessageGroup,
not the id of a type.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
(cherry picked from commit ad31ef22f2)
- Rename the variable "pills" to "email_pill_widget", to conform better
with other pill widgets.
- Re-use the email pill creation function.
- Directly access `item.email`, skipping function call.
(cherry picked from commit cabea0ea9a)