mirror of https://we.phorge.it/source/phorge.git synced 2024-12-22 13:30:55 +01:00
Commit graph

464 commits

Author SHA1 Message Date
epriestley
15ef2fced0 Fix conservative CSRF token cycling limit
Summary:
We currently cycle CSRF tokens every hour and check for the last two valid ones.
This means that a form could go stale in as little as an hour, and is certainly
stale after two.

When a stale form is submitted, you basically get a terrible heisen-state where
some of your data might persist if you're lucky but more likely it all just
vanishes. The .js file below outlines some more details.

This is a pretty terrible UX and we don't need to be as conservative about CSRF
validation as we're being. Remedy this problem by:

  - Accepting the last 6 CSRF tokens instead of the last 1 (i.e., pages are
valid for at least 6 hours, and for as long as 7).
  - Using JS to refresh the CSRF token every 55 minutes (i.e., pages connected
to the internet are valid indefinitely).
  - Showing the user an explicit message about what went wrong when CSRF
validation fails so the experience is less bewildering.

They should now only be able to submit with a bad CSRF token if:

  - They load a page, disconnect from the internet for 7 hours, reconnect, and
submit the form within 55 minutes; or
  - They are actually the victim of a CSRF attack.

We could eventually fix the first one by tracking reconnects, which might be
"free" once the notification server gets built. It will probably never be an
issue in practice.

Test Plan:
  - Reduced CSRF cycle frequency to 2 seconds, submitted a form after 15
seconds, got the CSRF exception.
  - Reduced csrf-refresh cycle frequency to 3 seconds, submitted a form after 15
seconds, got a clean form post.
  - Added debugging code to the csrf refresh to make sure it was doing sensible
things (pulling different tokens, finding all the inputs).

Reviewed By: aran
Reviewers: tuomaspelkonen, jungejason, aran
CC: aran, epriestley
Differential Revision: 660
2011-07-14 08:09:40 -07:00
epriestley
c9acc5b8e9 Allow comment panel to be stuck/unstuck to the bottom of the display
Summary:
See T303. Enable comment panel haunting.

I hid the preview for the sticky panel, which I think is reasonable?

Test Plan:
https://secure.phabricator.com/file/view/PHID-FILE-64713fa8a7c2a22e5b93/
Reviewed By: broofa
Reviewers: broofa, jungejason, aran, tomo, tuomaspelkonen
CC: aran, broofa
Differential Revision: 615
2011-07-08 13:24:20 -07:00
epriestley
652baee54c D510 renamed this method to stringify. 2011-07-05 14:17:38 -07:00
epriestley
bb4cf7d6b3 Add an "Add CCs" action to Differential
Summary:
We currently have only an "Add reviewers" action, add "Add CCs". This can also
be accomplished less-discoverably with mentions.

Test Plan:
Added reviewers and CCs to revisions. Toggled display between reviewers and CCs.

Reviewed By: jungejason
Reviewers: tomo, mroch, jsp, jungejason, aran, tuomaspelkonen
CC: aran, jungejason
Differential Revision: 521
2011-06-28 06:41:38 -07:00
epriestley
2330a1e954 Improve visibility of the keyboard shortcut focus reticle
Summary:
This ended up being pretty hard to see, make it a bit easier.

Test Plan:
Focused things using the keyboard reticle.

Reviewed By: tomo
Reviewers: tomo, moskov, jungejason, tuomaspelkonen, aran
CC: aran, epriestley, tomo
Differential Revision: 483
2011-06-20 15:53:32 -07:00
epriestley
921164aab7 Allow keyboard navigation between individual changes
Summary:
Permit "j" and "k" to cycle through individual changeblocks, similar to how this
feature works in ReviewBoard. This still needs a bunch of refinement but it's
getting closer to being useful.

Also moved reticle underneath the table so you can click links through it (derp
derp).

Test Plan:
Used "j" and "k" to cycle through individual changes.

Reviewed By: aran
Reviewers: aran, jungejason, tuomaspelkonen
CC: moskov, aran, epriestley
Differential Revision: 426
2011-06-14 20:45:33 -07:00
epriestley
b49c5e9762 "Merge Duplicates" in Maniphest
Summary:
Allow duplicate tasks to be selected and merged in Maniphest.

I didn't create a separate transaction type for this because that implies a
bunch of really complicated rules which I don't want to sort out right now
(e.g., do we need to do cycle detection for merges? If so, what do we do when we
detect a cycle?) since I think it's unnecessary to get right for the initial
implementation (my Tasks merge implementation was similar to this and worked
quite well) and if/when we eventually need the metadata to be available in a
computer-readable form that need should inform the implementation.

Plenty of room for improvement here, of course.

Test Plan:
Merged duplicate tasks, tried to perform invalid merge operations (e.g., merge a
task into itself).
Tested existing attach workflows (task -> revision, revision -> task).

Reviewed By: aran
Reviewers: tuomaspelkonen, jungejason, aran
CC: anjali, aran
Differential Revision: 459
2011-06-14 20:44:58 -07:00
epriestley
33e6229969 Don't bring up multiple help dialogs when the user hits "?" multiple times
Summary:
Some day, maybe close the existing dialog too but there's no public method on
JX.Workflow for that right now.

Test Plan:
Hit "??????", then "esc", got back to the page instead of just popping a deep
stack.

Reviewed By: tomo
Reviewers: tomo
CC: aran, tomo
Differential Revision: 450
2011-06-13 13:41:45 -07:00
tuomaspelkonen
501c001520 Added a big warning if reviewer is about to accept a diff with lint or unit
errors.

Summary:
Make sure reviewers know what they are doing.

Test Plan:
Tested with different diffs that had lint and unit problems.

Reviewed By: epriestley
Reviewers: epriestley, jungejason
CC: grglr, aran, epriestley, tuomaspelkonen
Differential Revision: 432
2011-06-13 11:49:31 -07:00
epriestley
eab768f705 Allow projects to be quickly added from the Maniphest task creation interface
Summary:
Provide a quick workflow for adding a new project. This ended up being sort of
complicated because we don't currently put forms in dialogs. I separated the
actual <form /> tag out of the display/layout of AphrontFormView to enable this
(the dialog is itself a form).

Limitations: if you create a new project and then remove it, it won't appear in
the tokenizer until you reload the page. We need to add the ability for the
datasource to drop its cache to enable this, which is super complicated.

Test Plan:
Used "Create new project" to add a new project when creating a task.

Reviewed By: aran
Reviewers: jungejason, tuomaspelkonen, aran
CC: anjali, aran, epriestley
Differential Revision: 422
2011-06-13 10:17:08 -07:00
Hafsteinn Baldvinsson
a11b5e8bbc Countdown
Summary:
Addon that allows you to create a live countdown page to
some event.

Here is the ticket that this code is based on
https://secure.phabricator.com/T36

Test Plan:
Tested by manually setting dates in the timer.js file and
checking if they made sense.
I'm not sure if it works across different timezones though.

Reviewers: epriestley

CC:

Differential Revision: 436
2011-06-13 02:23:46 +00:00
epriestley
d52cf835a9 Fix problem with adding Differential inline comments to the last line of a file
Summary:
We use a 'null' row to indicate the element should be appended to the end of the
table (otherwise, it is prepended to the row in question), but also derive the
table from the row. This needs more cleanup in general but fix the immediate
issue at least.

Test Plan:
Added an inline comment to the last line of a file.

Reviewed By: jungejason
Reviewers: tuomaspelkonen, jungejason, aran
CC: aran, jungejason
Differential Revision: 425
2011-06-11 16:00:37 -07:00
epriestley
17306b7a92 Provide basic keyboard navigation support for Differential.
Summary:
ReviewBoard has a fancier version of this feature that's more granular -- the
keyboard can focus on individual changes. I think that's good and intend to
implement something similar, but this gets us a step closer and gets rid of some
of the bookkeeping stuff like making shortcuts discoverable.

(I have another branch with Maniphest merging which also uses fatcow icons,
which is why the README seems a little out of context.)

Test Plan:
Used "j" and "k" to jump between changesets. Pressed "?" and got a list of
available shortcuts.

Reviewed By: tuomaspelkonen
Reviewers: aran, jungejason, tuomaspelkonen
CC: moskov, aran, epriestley, tuomaspelkonen
Differential Revision: 412
2011-06-09 14:55:44 -07:00
epriestley
94d0adb140 Add "Undo" for editing Differential inline comments
Summary:
When a user hits 'cancel' on a 'new', 'edit', or 'reply' operation, add a little
"Changes discarded. __Undo__" insert so they can get their change back. No undo
for delete since there's an explicit prompt. Once this lands we can make
'escape' work again to close dialogs.

This change started feeling really good when I was merging all the duplicate
code and making things more consistent, but by the time I started writing client
rendering it felt gross. I'm not really thrilled with it but I guess it's a step
forward? The feature seems pretty OK in practice. Let me know how much barfing
this causes and I can try to remedy the most acute concerns.

This also fixes a bug where replies always (?) appear on the 'new' side of the
diff (I think?).

Test Plan:
Applied 'new', 'edit', 'delete' and 'reply' operations, pressed 'cancel' and
'okay' in each case, with and without changing text where relevant. All
behaviors seem to conform with expectations, except that canceling out of 'edit'
without changing the text gives you an option to undo when it shouldn't really.
There's no super easy way to get at the original text right now.

Reviewed By: aran
Reviewers: aran, jungejason, tuomaspelkonen
CC: simpkins, aran, epriestley
Differential Revision: 406
2011-06-08 10:44:01 -07:00
epriestley
19d0d28089 Use keyboard shortcuts for the "`" darkconsole toggle.
Summary:
This simplifies it a lot and prevents it from spazzing out when some control is
focused.

Test Plan:
Hit "?", "`".

Reviewed By: aran
Reviewers: jungejason, aran, tuomaspelkonen
CC: aran
Differential Revision: 410
2011-06-08 10:42:19 -07:00
epriestley
48ec1f6d98 Provide basic structure for keyboard shortcuts
Summary: Implements a simple infrastructure for keyboard shortcuts, see T184, and a "help" shortcut.

There's a lot of room for refinement here but I think it basically works. Each shortcut can also provide a "tooltip" handler which allows it to show help when the alt/option key is held down.

Test Plan: Pressed "?" and got help. Pressed "?" in various contexts where it should not activate (modifier keys, text input focused) and didn't get help.

Reviewers: aran, tuomaspelkonen, jungejason

CC: moskov

Differential Revision: 362
2011-06-07 11:23:19 -07:00
epriestley
d96d515cc2 Add comment linking to Maniphest and Differential
Summary:
Allows you to link to comments with "D123#3" or "T123#3", then adds a pile of JS
to try to make it not terrible. :/

The thing I'm trying to avoid here is when someone says "look at this!
http://blog.com/#comment-239291" and you click and your browser jumps somewhere
random and you have no idea which comment they meant. Since I really hate this,
I've tried to avoid it by making sure the comment is always highlighted.

Test Plan:
Put T1#1 and D1#1 in remarkup and verified they linked properly.

Clicked anchors on individual comments.

Faked all comments hidden in Differential and verified they expanded on anchor
or anchor change.

Reviewed By: aran
Reviewers: aran, tomo, mroch, jungejason, tuomaspelkonen
CC: aran, epriestley
Differential Revision: 383
2011-05-31 11:11:19 -07:00
epriestley
109a202b6c Improve drag-and-drop uploader
Summary:
Make it discoverable, show uploading progress, show file thumbnails, allow you
to remove files, make it a generic form component.

Test Plan:
Uploaded ducks

Reviewed By: tomo
Reviewers: aran, tomo, jungejason, tuomaspelkonen
CC: anjali, aran, epriestley, tomo
Differential Revision: 334
2011-05-27 09:34:29 -07:00
tuomaspelkonen
d21a056f1c Multiple comment submissions for a diff are prevented now.
Summary:
It was possible to submit a comment multiple times if the submit
button was pressed more than once quickly. Added javascript code
that disables the button when it is clicked.

Test Plan:
Tried to click the button multiple times very quickly, but the
button was disabled after the first click.

Reviewed By: epriestley
Reviewers: epriestley, jungejason
Commenters: aran
CC: aran, epriestley, tuomaspelkonen
Differential Revision: 337
2011-05-25 12:14:43 -07:00
epriestley
553c6c78fe Raise PhabricatorShapedRequest request timeout
Summary:
We hit this very short (1s) timeout when the browser chooses to resolve all the
diff requests before the preview request. In the long term we could start the
preview request only after all the diff requests resolve, but this solves the
issue for now and there's no reason for such a short timeout.

The historical reason to have this timeout at all is that intern was megaflaky
and that's no longer a problem.

Test Plan:
Faked it so it would use a 1ms timeout the first time and then a 20s timeout;
got reasonable behavior.

Reviewed By: aran
Reviewers: jungejason, tuomaspelkonen, aran
CC: aran
Differential Revision: 329
2011-05-22 14:48:26 -07:00
epriestley
9f65a5efb8 Drag-and-drop upload for Maniphest
Summary:
This needs a bunch of UI polish (critically, it's totally undiscoverable) but it
basically works correctly. I'll clean it up in some followups.

Test Plan:
Uploaded some files via drag-and-drop, made comments, etc.

Reviewed By: aran
Reviewers: tomo, aran, jungejason, tuomaspelkonen
CC: anjali, aran
Differential Revision: 332
2011-05-22 14:47:04 -07:00
epriestley
386a5eecb7 Show description changes in Maniphest
Summary:
When a task description is updated, there's currently no way to see the change.
Build an "expanded summary" mode for transactions that shows description change
details. Also include changes in the email.

Test Plan:
Changed task descriptions, clicked "show details", read email.

Reviewed By: aran
Reviewers: tuomaspelkonen, jungejason, aran
CC: anjali, aran, epriestley
Differential Revision: 320
2011-05-21 21:17:45 -07:00
epriestley
4b92b2cead Allow revisions to be edited from Maniphest
Summary:
You can currently attach tasks to revisions from Differential, but not revisions
to tasks from Maniphest. Allow editing from either side.

This logic is kind of tricky but the alternative was massive code duplication.

Test Plan:
Added and removed revisions from maniphest. Added and removed tasks from
differential.

This should have no impact on the Facebook install since none of this is used
there.

Reviewed By: aran
Reviewers: tomo, tuomaspelkonen, jungejason, aran
CC: aran, epriestley
Differential Revision: 288
2011-05-16 15:31:46 -07:00
epriestley
54154e4f48 Move "Rendering References" to the DifferentialChangesetParser level
Summary:
Separates changeset IDs from rendering. Now each changeset has a "rendering
reference" which is basically a description of what the ajax endpoint should
render. For Differential, it's in the form "id/vs". For Diffusion,
"branch/path;commit".

I believe this fixes pretty much all of the bugs related to "show more" breaking
in various obscure ways, although I never got a great repro for T153.

Test Plan:
Clicked "show more" in diffusion change and commit views and differential diff,
diff-of-diff, standalone-diff, standalone-diff-of-diff views. Verified refs and
'whitespace' were always sent correctly.

Made inline comments on diffs and diffs-of-diffs. Used "Reply".

Reviewed By: tuomaspelkonen
Reviewers: tuomaspelkonen, jungejason, aran
CC: aran, tuomaspelkonen, epriestley
Differential Revision: 274
2011-05-13 06:10:57 -07:00
tuomaspelkonen
43f6cc75f6 Added 'Next' and 'Previous' links to differential
Summary:
Browsing comments was a bit difficult without the possibility to jump
between comments. These links will make the browsing easier.

Test Plan:
Tested on multiple diffs that the links were working correctly.

Reviewed By: epriestley
Reviewers: epriestley
CC: jungejason, aran, tuomaspelkonen, epriestley
Differential Revision: 266
2011-05-11 14:46:00 -07:00
epriestley
47895afbd1 Show transaction types in Maniphest previews
Summary: When rendering a Maniphest comment preview, also render a preview of the transaction.

Test Plan: tested previews for all transaction types, got reasonable renders
2011-05-11 04:17:48 -07:00
epriestley
3b8ff34f9b Fix some minor Celerity / ShapedRequest bugs:
  - Force celerity to do disk reads in dev.
  - Clean up some ShapedRequest clownery.
2011-05-11 03:43:40 -07:00
tuomaspelkonen
e4f42dcd7d Correct whitespace option is passed to 'Show All Lines' request.
Summary:
Expanding lines duplicated some lines occasionally, because whitespace
option was different for the original request and the following request.

Test Plan:
Tested that the broken changeset was correct now.

Reviewed By: epriestley
Reviewers: epriestley
CC: jungejason, aran, epriestley
Differential Revision: 263
2011-05-10 18:05:13 -07:00
epriestley
90364cafdc Add comment previews to Maniphest
Summary:
Moves shared code from Differential and Maniphest comment previews into
PhabricatorShapedRequest, and then implements Maniphest previews.

This doesn't implement comment drafts, I'll follow up with that but it requires
this and is completely separable.

This also always shows the preview as "commented" rather than previewing the
actual transaction. I'll follow up with that but I think it will require a
little factoring and this is useful even without transaction details.

I need to tweak the styling a bit too.

Test Plan:
Typed text in Maniphest and Differential. Toggled Differential action. Made
comments.

Reviewed By: rm
Reviewers: rm, tuomaspelkonen, jungejason, aran
CC: aran, rm
Differential Revision: 258
2011-05-10 14:35:00 -07:00
epriestley
2a39fd09eb Bring Javelin into Phabricator via git submodule, not copy-and-paste
Summary:
Javelin is currently embedded in Phabricator via copy-and-paste of prebuilt
packages. This is not so great.

Pull it in as a submodule instead and make all the Phabricator resources declare
proper dependency trees. Add Javelin linting.

Test Plan:
I tried to run through pretty much all the JS functionality on the site. This is
still a high-risk change, but I did a pretty thorough test.

Differential: inline comments, revealing diffs, list tokenizers, comment
preview, editing/deleting comments, add review action.
Maniphest: list tokenizer, comment actions
Herald: rule editing, tokenizers, add/remove rows

Reviewed By: tomo
Reviewers: aran, tomo, mroch, jungejason, tuomaspelkonen
CC: aran, tomo, epriestley
Differential Revision: 223
2011-05-08 13:20:10 -07:00
epriestley
4e8968aff3 Don't send a new query if the keydown doesn't edit the query value,
i.e. command-tab or shift.
2011-04-14 19:17:17 -07:00
adonohue
acd1cc8d22 "Reply" for inline comments
Summary:
"Reply" for inline comments

Test Plan:
Add consecutive and overlapping new inline comments and replies.

Reviewed By: epriestley
Reviewers: epriestley
CC: aran, epriestley
Differential Revision: 143
2011-04-14 18:31:21 -07:00
tuomaspelkonen
d5ee8c792c Modified DarkConsole Error Log to show more detailed information.
Summary:
When function phlog() is called, stacktrace and detailed log information
is shown in DarkConsole.

Test Plan:
Called 'phlog' function from various places in Phabricator and checked that
the debug information was available in DarkConsole.

Reviewed By: epriestley
Reviewers: epriestley
CC: jungejason, epriestley
Differential Revision: 101
2011-04-06 14:30:54 -07:00
tuomaspelkonen
1c6487197f Object selector does live-updates without requiring user to hit 'search'
Summary:
Editing Maniphest tasks for a Differential Revision required the user to hit
'search' every time he changed search parameters. Now select and text input
changes trigger search automatically.

Test Plan:
Tested that changing the select and entering text automatically gave the
correct results.

Reviewed By: epriestley
Reviewers: epriestley, jungejason
Commenters: jungejason
CC: epriestley, jungejason
Differential Revision: 102
2011-04-05 15:24:10 -07:00
epriestley
5038ab850c Some owners read workflows. 2011-04-03 19:20:47 -07:00
epriestley
c99df1f4eb Add more change metadata to SVN and git. 2011-03-30 23:27:06 -07:00
jungejason
431552c357 Add syntax highlight to diffusion.
Summary:
Use the XHPAST parser to parse the file, and generate a table for
the code to highlight it. This is part of the task of "Port Diffusion's
Browse File view to Phabricator".

Test Plan:
browse file, try commit version, line number functionality.

Reviewed By: epriestley
Reviewers: epriestley
CC: epriestley
Differential Revision: 83
2011-03-25 17:41:51 -07:00
epriestley
deb12c9fe8 Some herald improvements. 2011-03-22 20:43:19 -07:00
epriestley
08fc13598d Improve search relevance. 2011-03-22 17:19:52 -07:00
epriestley
b060f0a80f Herald JS basics. 2011-03-22 17:08:08 -07:00
epriestley
505c82236d Improve search functionality.
Summary:

Test Plan:

Reviewers:

CC:
2011-02-18 17:16:00 -08:00
epriestley
eec3e8e3aa Move object-selector closable to being usable.
Summary:

Test Plan:

Reviewers:

CC:
2011-02-18 15:12:15 -08:00
epriestley
258e0cdded Very basic Object Selector interface.
Summary: Interface for selecting objects to attach to other objects
(e.g., Maniphest tasks to Differential diffs and vice versa).

Test Plan: still rough

Reviewers:

CC:
2011-02-16 23:00:13 -08:00
epriestley
6ec5e682f4 Maniphest wireframes
Summary:

Test Plan:

Reviewers:

CC:
2011-02-08 20:39:56 -08:00
epriestley
addfe3aa79 DarkConsole toggle, workflow behavior. 2011-02-05 11:45:13 -08:00
epriestley
53f2a433f7 Collapse comments in long threads. 2011-02-05 11:06:56 -08:00
epriestley
18c0515440 Add reviewers workflow fixes. 2011-02-04 22:45:42 -08:00
epriestley
905870d793 Various fixes, particularly on the revision update workflow. 2011-02-04 17:53:14 -08:00
epriestley
12df78ed6a Rough cut of diff-of-diffs. 2011-02-03 15:41:58 -08:00
epriestley
5fd28d35d9 Diff-of-diffs radio button logic. 2011-02-03 13:26:52 -08:00
epriestley
c93dd9c090 Flesh out some DarkConsole stuff. 2011-02-02 22:38:42 -08:00
epriestley
4aa72aa5ff Inline comment-related fixes. 2011-02-02 19:38:43 -08:00
epriestley
223ac18287 Straighten out some reviewer-related horribleness. 2011-02-02 17:38:03 -08:00
epriestley
c5ce156e71 Edit/Delete for inline comments 2011-02-02 13:51:45 -08:00
epriestley
759eec3a77 Very rough cut of DarkConsole + XHProf 2011-02-02 13:48:52 -08:00
epriestley
246cba2bf0 InlineComments 2011-02-01 21:09:28 -08:00
epriestley
9dac0ed9f1 Bring in JX.Workflow and the inline commenting behavior, plus sync Javelin. 2011-02-01 15:52:04 -08:00
epriestley
233953bc4a Straighten out the "show more context" stuff. 2011-01-31 20:38:13 -08:00
epriestley
4736b320ff Differential comment previews. 2011-01-31 18:05:20 -08:00
epriestley
a997e77693 RevisionList 2011-01-25 16:02:36 -08:00
epriestley
14ed5482ab Typeaheads 2011-01-25 14:41:32 -08:00
epriestley
16ad2386d8 Javelin integration. 2011-01-25 12:41:55 -08:00
epriestley
7bb0db1365 Celerity, a Haste-style static resource management system. 2011-01-25 10:18:44 -08:00
epriestley
fed4c583c5 Add Javelin. 2011-01-25 08:18:27 -08:00