When an ldap user is signing up via the registration form, they are
required to enter their ldap password. This is in contrast to "regular"
password signup, where the user sets the password for their new account.
Checking password strength makes sense in the latter case, but not in the
ldap case - the password is already set at the ldap level after all.
In any case, the password_strength validator is not even added to the
form field with `id="ldap-password"`, so this was bugged, throwing errors
such as
```
TypeError: $.validator.methods[method] is undefined. Exception occurred when checking element ldap-password, check the 'password_strength' method. at http://localhost:9991/webpack/vendors-node_modules_pnpm_jquery-validation_1_21_0_jquery_3_7_1_node_modules_jquery-validatio-b912f7.js:810
at check .pnpm/jquery-validation@1.21.0_jquery@3.7.1/node_modules/jquery-validation/dist/jquery.validate.js:803
at element .pnpm/jquery-validation@1.21.0_jquery@3.7.1/node_modules/jquery-validation/dist/jquery.validate.js:510
at onfocusout .pnpm/jquery-validation@1.21.0_jquery@3.7.1/node_modules/jquery-validation/dist/jquery.validate.js:310
at delegate .pnpm/jquery-validation@1.21.0_jquery@3.7.1/node_modules/jquery-validation/dist/jquery.validate.js:441
at dispatch .pnpm/jquery@3.7.1/node_modules/jquery/dist/jquery.js:5145
at ../node_modules/.pnpm/jquery jquery/dist/jquery.js?1d73/</add/elemData.handle@http://localhost:9991/webpack/vendors-node_modules_pnpm_error-stack-parser_2_1_4_node_modules_error-stack-parser_error-stac-967546.js:16502
at trigger .pnpm/jquery@3.7.1/node_modules/jquery/dist/jquery.js:8629
at simulate .pnpm/jquery@3.7.1/node_modules/jquery/dist/jquery.js:8698
at focusMappedHandler .pnpm/jquery@3.7.1/node_modules/jquery/dist/jquery.js:5574
```
when interacting with the form.
Zulip supports a configuration where account creation is limited solely
by being able to authenticate with a single-sign on authentication
backend, such as Google Authentication, SAML, or LDAP (i.e., the
organization places no restrictions on email address domains or
invitations being required to join, but has disabled the
EmailAuthBackend that is used for email/password authentication).
A bug in the Zulip server meant that Zulip allowed users to create an
account in such organizations by confirming their email address, without
having an account with the SSO authentication backend.
Co-authored-by: Tim Abbott <tabbott@zulip.com>
Opening settings and stream settings UI was not working for guests
if they could not access all users. This was because is_person_active
did not handle inaccessible users correctly, if they were not added in
the users data, when being called in get_group_members to render
group pills.
(cherry picked from commit 4f80823191)
When user cannot type in the input, because of contenteditable
being set to "false", typeahead should not be shown when clicking
on the input element.
(cherry picked from commit 3739081792)
Previously, we showed confirmation modal when user was unsubscribing
themselves from the private stream from "Unsubscribe" button in
subscribers list, even when user had the permission to subscribe
to the stream again.
This commit fixes it to not show the confirmation modal if user
has permission to subscribe again. We already have same behavior
when user tries to unsubscribe from the button present at the
right of tabs.
(cherry picked from commit 722d501107)
We no longer archive the stream when private stream becomes
vacant, so removed that part from the warning.
When a private stream becomes vacant, everyone in the organization
can lose content access to it if no one has permission to subscribe
themselves or others to the stream. So, the warning is updated to
mention this.
(cherry picked from commit d3c06234e2)
This works around tus/tusd#322, which in turn is caused by
aws/aws-sdk-go-v2#1816. This requires separate authentication via
service account key.
Fixes: #34186.
(cherry picked from commit e1aa8b1cb0)
We have filtered the group in the get_user_groups argument of
set_up_pill_typeahead. We could have done it in `set_up_combined` but
that would have made that function non-generic and specific to these two
settings. We could also have filtered it in get_all_realm_user_groups by
adding an argument on whether to exclude it or not, but that would have
been very hard to read and track. This seemed like the better of the
options we had.
Fixes https://chat.zulip.org/#narrow/channel/9-issues/topic/.22Nobody.22.20group.20in.20UI.20to.20add.20subscribers.2Fgroup.20members
(cherry picked from commit 349e88adc6)
The tusd protocol allows DELETE requests ("terminations") at any
point, including after a file has successfully been uploaded. This
can allow tusd to remove a file from the bucket, out from under Zulip.
We use the new-in-2.7.0 pre-terminate hook to look up the file which
the client is requesting to terminate, and reject the termination if
it is a file that the Zulip database is already aware of.
(cherry picked from commit cf51013bb7)
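The decision logic described above (reject a termination for any upload the application database already knows about), as an added illustration that is not Zulip's or tusd's own code. It assumes the tusd HTTP-hook JSON shape `{"Type": "pre-terminate", "Event": {"Upload": {"ID": ...}}}` and a `RejectTermination` response field; those names and the sample upload IDs are assumptions made for the example.

```python
import json
from typing import Callable, Set

# Constructed sample: upload IDs whose files the application database has
# already recorded. In a real deployment this would be a database lookup.
KNOWN_UPLOAD_IDS: Set[str] = {"a1b2c3d4e5f6", "0f0f0f0f0f0f"}


def decide_termination(hook: dict, is_known: Callable[[str], bool] = KNOWN_UPLOAD_IDS.__contains__) -> dict:
    """Return the hook response for one tusd hook request (parsed JSON).

    Field names follow the assumed tusd HTTP-hook shape (see lead-in).
    Only pre-terminate requests get an opinion; every other hook type
    receives an empty response, which leaves tusd's default behaviour.
    """
    if hook.get("Type") != "pre-terminate":
        return {}
    upload_id = hook.get("Event", {}).get("Upload", {}).get("ID")
    if not upload_id:
        # No ID to look up: refuse rather than allow an unknown deletion.
        return {"RejectTermination": True}
    # A file the database already tracks must not be removed out from
    # under the application, even though the protocol permits DELETE.
    return {"RejectTermination": is_known(upload_id)}


def handle_hook_json(body: str) -> str:
    """Wire-level wrapper: raw request JSON in, response JSON out."""
    return json.dumps(decide_termination(json.loads(body)))


if __name__ == "__main__":
    sample = {"Type": "pre-terminate", "Event": {"Upload": {"ID": "a1b2c3d4e5f6"}}}
    print(handle_hook_json(json.dumps(sample)))
```

The `is_known` parameter is the seam where a real database check would go; the default set exists only so the example runs offline.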
This provides access logging metrics to Prometheus. For cardinality
reasons, we cannot (nor would we want to) put every request path into
its own label value -- but we do separate out the most-frequent access
paths (as well as some low-frequency but high-interest ones) into
their own label values.
In order to differentiate accesses to https://zulip.com/ from
https://example.zulipchat.com/ (both of which appear at path `/`), we
use a `grok_exporter.realm_names_regex` value in `zulip.conf`, which
is expected to be set to match the hostname of all possible realms.
(cherry picked from commit 840fa74854)
To avoid restore tooltip of message from being displayed outside
the overlay, we define a boundary, outside which the tooltip
cannot exist. Popper library is smart enough to render the tooltip
correctly by respecting the provided boundary and flipping the
tooltip placement if required.
(cherry picked from commit cd439c0232)
The type_id is the id of a UserProfile, Stream, or DirectMessageGroup,
not the id of a type.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
(cherry picked from commit ad31ef22f2)
- Rename the variable "pills" to "email_pill_widget", to conform better
with other pill widgets.
- Re-use the email pill creation function.
- Directly access `item.email`, skipping function call.
(cherry picked from commit cabea0ea9a)
We should not key off of `S3_KEY`/`S3_SECRET_KEY`, since those are
optional if the host is in EC2 and using instance profiles. Instead,
check if `LOCAL_UPLOADS_DIR` is None, which is the authoritative
source for if the S3 backend is in use.
(cherry picked from commit ba5d1108c0)
Unilaterally adding the port can cause CSRF failures when the port is
a default port, and thus optional. Switch to providing the exact
`Host` header that the original request contained.
(cherry picked from commit 5f783ed5ad)
We forgot to store the actual values in the audit log, making these logs
not very helpful in actually auditing a user's email change history.
(cherry picked from commit 5814ac559f)
While uploading a file, if you close the compose box, and reopen
it, compose send button remains disabled due to upload in progress
being true.
To fix it, we update upload status for compose when upload is
cancelled.
(cherry picked from commit b8651e78e7)
This prevents a thundering herd for videos -- if a very large video is
posted to a channel with many active clients, all of them
simultaneously request it, to provide the in-feed preview image.
While these requests come with a `Range` header which is intended to
limit the request to just the first couple MB, nginx ignores this
header when making its request to the upstream -- so it can obtain and
cache the whole file locally. This results in multiple competing
requests for the whole content from S3, all racing to store the
content in the cache.
Use cache slicing to split the content cache into chunks of 5MB; the
cache is filled one slice at a time, as needed based on the byte
ranges that clients request. Clients making requests without a
`Range` header are provided with the content transparently stitched
together from the individual slices.
The slice size of 5MB is chosen to encompass more than 95% of file
uploads (saving an extra trip to the origin) while also being large
enough to be able to provide video thumbnails in a single slice, as
well as not take too much time to obtain from the upstream.
(cherry picked from commit 23e8eb5c7c)
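The two cache configurations contrasted above, as an added example that is not Zulip's own nginx configuration. The location, upstream and cache zone names are assumptions; the directives (`slice`, `$slice_range`, `proxy_cache_key`) are from nginx's `ngx_http_slice_module`.

```nginx
# Assumed: a proxy cache zone and an upstream serving the uploaded files.
proxy_cache_path /var/cache/nginx/uploads keys_zone=uploads:10m max_size=10g;

# BEFORE (thundering herd): the client's Range header is not forwarded,
# so every concurrent request fetches and caches the whole object.
location /before/ {
    proxy_pass http://uploads_origin;
    proxy_cache uploads;
    proxy_cache_key $uri$is_args$args;
    proxy_cache_valid 200 1d;
}

# AFTER (cache slicing): the object is fetched and cached in 5MB slices,
# one slice per cache entry, filled only as clients request those bytes.
location /after/ {
    proxy_pass http://uploads_origin;
    proxy_http_version 1.1;        # slicing needs HTTP/1.1 for Range to the upstream
    slice 5m;                      # slice size matching the commit's choice
    proxy_cache uploads;
    proxy_cache_key $uri$is_args$args$slice_range;  # one entry per slice
    proxy_set_header Range $slice_range;            # ask the upstream for just this slice
    proxy_cache_valid 200 206 1d;                   # upstream answers slices with 206
    proxy_cache_lock on;           # only one request per slice fills the cache
}
```

A client that sends no `Range` header still receives the full object; nginx assembles it from the cached slices, requesting any missing ones from the upstream as it goes.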
Fixes #32970
When navigating from a short message to a tall message via up
keypress, we used to jump to the top of the message. This
doesn't align with user's expectation that up / down keypress
will let them see the entire message feed.
To fix it, we can `page_up` which scrolls up the correct amount
and then our message selection logic kicks in to select the
correct message on screen.
(cherry picked from commit 203cc69969)
In the move topic modal, the `new_topic_name` input is disabled if
the user doesn't have permission to move messages between topics.
This commit fixes a bug where `new_topic_name` is undefined since its
input is disabled. This causes `show_topic_already_exists_warning()`
to throw an AssertionError. Hence, the warning is not shown.
Specifically, this bug occurs when a user moves a topic to an
already existing topic in a different channel when he has permission
to move messages between channels but not between topics.
(cherry picked from commit 62745ddccb)
In the move topic modal, the stream ID from the dropdown widget
should be passed to `update_submit_button_disabled_state()`
function instead of `current_stream_id`. This fixes a bug where
the submit button was incorrectly disabled after editing the
move topic input.
Specifically, when selecting a different channel and an existing
topic, the submit button remains enabled initially. However, if a
character is removed and then retyped in the move topic input,
the submit button becomes disabled incorrectly.
(cherry picked from commit 57c1a12853)
This commit fixes a bug where the Rename topic modal did not resize
when the "topic already exists" warning was shown or hidden. This
caused the topic edit typeahead for topics in a channel
with similar prefixes to be misaligned.
(cherry picked from commit 725fd707fe)
Otherwise we get spammed with “Dropped breadcrumb because no client
bound” log messages.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
(cherry picked from commit e8faa4a029)
Legacy settings contained type "Dict" which were removed in zulip 9.0,
so this type was wrong, but it also serves no purpose.
(The non-commented types are checked in the development environment).
(cherry picked from commit c95dd65d75)
Changes banner text to "This conversation also has older unread
messages. Jump to first unread message?"
Updates button label from "Jump to first unread" to "Jump".
(cherry picked from commit 1e4eec9803)