Apparently, Django's CSRF protection mechanism changed at some point,
and now we get a different CSRF token every time the webapp is loaded.
This, in turn, caused our reload logic to avoid losing state to be
completely ineffective, since the CSRF check in reload.initialize
always failed.
We fix this in a secure fashion by passing the reload instructions
from the browser to its reloaded self via localstorage, keyed by a
randomly generated token. The token randomization is primarily
relevant for handling several Zulip tabs in the same browser, but also
servers to make it very difficult for an attacker to ever trigger this
code path by redirecting a browser to `/#reload` URLs.
Fixes#3411.
Fixes#3687.
This was actually being done in 2 ways: via not saving the narrow in
the reload and second through calling `change_tab_to('#home')`. The
code is so ancient that it seems unlikely that this behavior was still
intentional.
Fixes part of #3687 (the remainder is fixed in a few commits).
We now track our inbound timing events using code in
typing_data.js.
This code may be a little more robust with variations on how
recipients are represented in events, although there are no known
bugs here.
This change moves most of the logic related to starting and
stopping outbound typing indicators to a new module called
typing_status.js that is heavily unit tested.
While this was in some sense a rewrite, the logic was mostly
inspired by the existing code.
This change does fix one known bug, which is that when we
were changing recipients before (while typing was active), we
were not stopping and starting typing indicators. This was
a fairly minor bug, since usually users leave the compose
box to change recipients, and we would do stop/start under
that scenario. Now we also handle the case where the user
does not leave the compose box to change recipients.
Previously, we would let the backend pick a color and send it to the
frontend; then the frontend would ignore that color and pick a
different color and send it to the backend, which would in turn resync
to us.
Fixes#3572.
Fixes#3858.
This fixes two bugs:
* If a user is not subscribed to a default stream, he or she would not
be have the option to invite users to that default stream.
* The initial streams checked in the invite modal were the
non-invite-only streams the user was subscribed to, not their
default streams.
Fixes: #4209.
The old code may have had some subtle bugs related to sorting of
ids or stringification or failed Dict lookups. The new data
layer should be more robust. We had some tracebacks recently
from the old code, and they should go away now.
This fixes the styling to stay on the screen of most reasonably sized
monitors along with extending the JavaScript code to allow for the
video to be keyed to in the lightbox.
This fixes the hubot text that still stays when you transition to
integration details along with fixing the first animation that is
choppy and previews briefly before fading in.
Fixes#4210.
Replacing file input doesn't work for value clearing. The best
way is to clean value directly, which excludes accidentally adding
wrong file after upload-widget validation error.
This makes it much more convenient to close the emoji reactions
popover after opening it with the hotkeys.
It'd be great if we had a test suite for escape so that we could add
tests for this.
Fixes part of #4197.
