1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-23 15:22:41 +01:00
Commit graph

1663 commits

Author SHA1 Message Date
lkassianik
248b4dfa9d Projects for DifferentialRevision
Summary: T2628, Adding project tags to revisions

Test Plan: Edit revision, verify projects can be tagged. Add project hashtag to comments or commit templates, verify revision is tagged with project

Reviewers: epriestley, #blessed_reviewers

Reviewed By: epriestley, #blessed_reviewers

Subscribers: epriestley, Korvin

Differential Revision: https://secure.phabricator.com/D9686
2014-06-23 09:49:53 -07:00
epriestley
ef0a0b5727 First version of "Quest Tracker" Home NUX
Summary:
Ref T5317. General idea here is that Dashboards are replacing the home page soon. We think they'll do a good job for normal users, but they aren't very good for new administrators who have just completed an install. In this case, any dashboard we put there by default will be empty and not very useful or helpful. It's also technically a bit messy to build objects by default.

Instead, give new administrators a "Quest Tracker" UI to help them get through things. When they're done with setup steps, they build a dashboard and install it to replace the home page. They can add install-specific welcome messages during this process, so hopefully this will also ease onboarding for non-administrator users.

For now, you have to go to Config > Welcome Screen explicitly to see this UI. We can tweak/test it for a bit before replacing the home page.

Test Plan: {F169226}

Reviewers: btrahan, chad

Reviewed By: chad

Subscribers: epriestley

Maniphest Tasks: T5317

Differential Revision: https://secure.phabricator.com/D9660
2014-06-23 09:37:51 -07:00
epriestley
b20884a842 Substantially support character encodings and "Highlight As" in changesets
Summary: Ref T5179. Ref T4045. Ref T832. We can now write non-utf8 hunks into the database, so try to do more reasonable things with them in the UI.

Test Plan: (See screenshots...)

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T832, T4045, T5179

Differential Revision: https://secure.phabricator.com/D9294
2014-06-20 11:49:41 -07:00
Chad Little
ca801c7ad4 PHUIImageMask
Summary: Adds a PHUI class for display images on a center point, with or without a mask.

Test Plan:
I am bad a math, so like, check that for me please. I tested using Photoshop. Class may need tweaked depending how we store the inline-comment coords.

{F167829}

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: epriestley, Korvin

Differential Revision: https://secure.phabricator.com/D9614
2014-06-18 14:09:37 -07:00
epriestley
df3736e81e Garbage collect daemon logs
Summary:
We already have GC for daemon log events, but not for daemon logs themselves.

Collect old daemon logs which aren't still running.

Test Plan: Ran `phd debug garbage`, observed old logs get cleaned up. Started some daemons, re-ran garbage, made sure they stuck around.

Reviewers: joshuaspence

Reviewed By: joshuaspence

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D9610
2014-06-17 15:33:08 -07:00
epriestley
df2c015e7c Make Dashboard tab panels editable by humans
Summary: Fixes T5335. This is not pretty, but should reasonably let normal humans create tab panels.

Test Plan: See screenshot.

Reviewers: chad

Reviewed By: chad

Subscribers: epriestley

Maniphest Tasks: T5335

Differential Revision: https://secure.phabricator.com/D9600
2014-06-17 15:32:55 -07:00
epriestley
5aae1ee034 Make query panels editable by normal humans
Summary:
Ref T4986. Instead of requiring you to know engine class names and copy/paste URLs, provide select dropdowns that use SCARY JAVASCRIPT to do magical things.

I think this is mostly reasonable, the only issue is that it's hard to create a panel out of a completely ad-hoc query (you'd have to save it, then create a panel out of the saved query, then remove the saved query). Once we develop T5307 we can do a better job of this.

Test Plan: See screenshots.

Reviewers: chad

Reviewed By: chad

Subscribers: epriestley

Maniphest Tasks: T4986

Differential Revision: https://secure.phabricator.com/D9572
2014-06-16 12:27:12 -07:00
Joshua Spence
bff58fac93 Move infrastructure tests up one directory.
Summary: Sometimes, the `PhabricatorInfrastructureTestCase` //would// fail, but we don't run it with `arc unit` because of the directory structure. See D9556 for an example.

Test Plan: This is essentially the same as D9557.

Reviewers: epriestley, #blessed_reviewers

Reviewed By: epriestley, #blessed_reviewers

Subscribers: epriestley, Korvin

Differential Revision: https://secure.phabricator.com/D9559
2014-06-16 05:52:11 +10:00
epriestley
397d67ff3d Support "Projects" field for pholio mocks in Herald
Summary: Mocks can have projects now; allow Herald rules to be written against them.

Test Plan: Wrote a Herald mock rule about projects.

Reviewers: chad

Reviewed By: chad

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D9552
2014-06-15 12:14:46 -07:00
epriestley
868ff166b1 Give Pholio mocks a configurable edit policy
Summary:
Ref T4566. Currently, mocks have a conservative (author only), immutable default edit policy.

Instead:

  - Let the edit policy be changed.
  - Default the edit policy to "all users", similar to other applications.
  - Add an application-level setting for it.
  - Migrate existing edit policies to be consistent with the old policy (just the author).

This stops short of adding a separate "owner" and letting that be changed, since Pholio doesn't really have any review/approve type features (at least, so far). We can look at doing this if we get more feedback about it, or if we make owners more meaningful (e.g., add more "review-like" process to mocks).

Test Plan:
  - Ran migration scripts.
  - Confirmed existing mocks retained their effective policies (author only).
  - Created a new mock, saw edit policy.
  - Changed edit policy.
  - Changed global edit policy default.
  - Tried to edit a mock I couldn't edit.

Reviewers: chad

Reviewed By: chad

Subscribers: epriestley

Maniphest Tasks: T4566

Differential Revision: https://secure.phabricator.com/D9550
2014-06-15 10:28:16 -07:00
epriestley
7ce8a1f437 Turn thumbs into a history grid thing
Summary:
This could probably use some refinement (and, like, explanatory text, and stronger cues about what rows and columns mean) but feels fairly good to me, at least on test data.

I didn't do any scrolling for now since we have to do full height on mobile anyway I think. I did swap it so the newer ones are on top.

Left/right navigate you among current images only, but you can click any thumb to review history.

Removed history view since it's no longer useful.

Some things that would probably help:

  - Some kind of header explaining what this is ("Mock History" or something).
  - Stronger visual cue that columns are related by being the same image.
  - Clearer cues about obsolete/deleted images (e.g., on the stage itself?)
  - Maybe general tweaks.
  - Maybe a placeholder (like a grey "X") for images which have been deleted.

(I'm planning to add comment counts too, which I think will be pretty useful, but that felt good to put in another diff.)

Test Plan: See screenshots.

Reviewers: chad

Reviewed By: chad

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D9543
2014-06-14 21:12:19 -07:00
epriestley
942f504893 Remove inline gutter in Pholio
Summary: This greatly simplifies inline comments while retaining their functionality. This is probably not where we want to end up, but will let us figure out what we're doing with the stage without worrying about inlines.

Test Plan: See screenshots.

Reviewers: chad

Reviewed By: chad

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D9537
2014-06-14 18:41:45 -07:00
epriestley
18757e43de Allow entire dashboards to be copied
Summary:
Further improve UX for dealing with policy rules on dashboards:

  - When in the "Manage" view of a dashboard you can not edit:
    - Don't show the panel management controls.
    - Show a notice that the board isn't editable, recommending you make a copy instead.
  - Add a "Copy Dashboard" action to create a copy which you //can// edit.

Test Plan: Copied some dashboards. See screenshots.

Reviewers: chad

Reviewed By: chad

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D9508
2014-06-12 21:49:19 -07:00
epriestley
6f4ebcb8d9 Create dashboard panels inline on dashboards
Summary:
Fixes T5308.

  - Allows you to create a panel directly on a dashboard.
  - Also, include existing panels with a select instead of a text field. This won't scale as well but should be fine for now, and is way easier to use.

Test Plan: See comment.

Reviewers: chad

Reviewed By: chad

Subscribers: epriestley

Maniphest Tasks: T5308

Differential Revision: https://secure.phabricator.com/D9501
2014-06-12 13:22:27 -07:00
epriestley
b8bc0aa2b0 Allow users to select QueryPanel search engines from a list
Summary: Ref T4986. Instead of requiring users to know the name of an application search engine class, let them select from a list.

Test Plan:
Created a new panel.

{F165468}

Reviewers: chad

Reviewed By: chad

Subscribers: epriestley

Maniphest Tasks: T4986

Differential Revision: https://secure.phabricator.com/D9500
2014-06-12 13:22:20 -07:00
Joshua Spence
747946eb5f Remove the deprecated PhabricatorIRCProtocolHandler class.
Summary: This class has been deprecated for a while now (see rP0a8b0d1392bd79b4e88fbf910b176c960d57b4b4). It should be safe to remove.

Test Plan: N/A

Reviewers: epriestley, #blessed_reviewers

Reviewed By: epriestley, #blessed_reviewers

Subscribers: epriestley, Korvin

Differential Revision: https://secure.phabricator.com/D9467
2014-06-11 05:50:35 -07:00
Joshua Spence
34cca383eb Remove the PhabricatorBotDifferentialNotificationHandler class.
Summary: This class has been deprecated for a while now (see rPdad7c65bf56384480be7c18e02fdc01ea67cf1ff). It should be safe to remove.

Test Plan: N/A

Reviewers: epriestley, #blessed_reviewers

Reviewed By: epriestley, #blessed_reviewers

Subscribers: epriestley, Korvin

Differential Revision: https://secure.phabricator.com/D9468
2014-06-11 05:50:13 -07:00
Joshua Spence
857c11a36e Remove deprecated PhabricatorIRCBot class.
Summary: This class has been deprecated for a while (see rP574bc3ba31cca2767bafe7844d7f854d90d6be1c). It should be safe to remove now.

Test Plan: N/A

Reviewers: epriestley, #blessed_reviewers

Reviewed By: epriestley, #blessed_reviewers

Subscribers: epriestley, Korvin

Differential Revision: https://secure.phabricator.com/D9469
2014-06-11 05:49:53 -07:00
Joshua Spence
ddf5412cbb Add a ./bin/aphlict build workflow.
Summary:
Currently, it is a bit tricky to build the Aphlict client SWF from the ActionScript source. Provide a `./bin/aphlict build` workflow that simplifies this process.

Depends on D9226.

Test Plan:
Executed the workflow:

```
> ./bin/aphlict build
Done.
```

Reviewers: #blessed_reviewers, epriestley

Reviewed By: #blessed_reviewers, epriestley

Subscribers: epriestley, Korvin

Differential Revision: https://secure.phabricator.com/D9338
2014-06-07 11:34:07 -07:00
Joshua Spence
8a7a7dcbf1 Make ./bin/aphlict behave more like a service.
Summary: Fixes T5126. Provide `start`, `stop`, `restart`, `debug` and `status` workflows for `./bin/aphlict`. This makes it easier to manage Aphlict as if it were a service.

Test Plan:
```
> sudo ./bin/aphlict status
Aphlict is not running.

> sudo ./bin/aphlict stop
Aphlict is not running.

> sudo ./bin/aphlict start
Aphlict Server started.

> sudo ./bin/aphlict status
Aphlict (12880) is running.

> sudo ./bin/aphlict restart
Stopping Aphlict Server (12880)...
Aphlict Server (12880) exited normally.
Aphlict Server started.

> sudo ./bin/aphlict stop
Stopping Aphlict Server (12895)...
Aphlict Server (12895) exited normally.

> sudo ./bin/aphlict debug
Starting Aphlict server in foreground...
Launching server:

    $ node '/usr/src/phabricator/src/applications/aphlict/management/../../../../support/aphlict/server/aphlict_server.js' --port='22280' --admin='22281' --host='localhost' --user='aphlict'

[Fri May 30 2014 09:56:14 GMT+0000 (UTC)] Started Server (PID 12911)
```

Reviewers: #blessed_reviewers, epriestley

Reviewed By: #blessed_reviewers, epriestley

Subscribers: hach-que, epriestley, Korvin

Maniphest Tasks: T5126

Differential Revision: https://secure.phabricator.com/D9226
2014-06-05 12:13:45 -07:00
epriestley
5b1262c98b Add a bin/hunks script to manage migrations of hunk data
Summary:
Ref T4045. Ref T5179. While we'll eventually need to force a migration, we can let installs (particularly large installs) do an online migration for now. This moves hunks to the new storage format one at a time.

(Note that nothing writes to the new store yet, so this is the only way to populate it.)

WARNING: Installs, don't run this yet! It won't compress the data. Wait until it can also do compression.

Test Plan: Added a `break;` after migrating one row and moved a few rows over. Spot checked them in the database and viewed the affected diffs.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T4045, T5179

Differential Revision: https://secure.phabricator.com/D9291
2014-06-03 18:01:23 -07:00
epriestley
0aa913805d Add an alternate "modern" hunk datastore
Summary:
Ref T4045. Ref T5179. Hunk storage has two major issues:

  - It's utf8, but actual diffs are binary.
  - It's huge and can't be compressed or archived.

This introduces a second datastore which solves these problems: by recording hunk encoding, supporting compression, and supporting alternate storage. There's no actual compression or storage support yet, but there's space in the table for them.

Since nothing actually uses hunk IDs, it's fine to have these tables exist at the same time and use the same IDs. We can migrate data between the tables gradually without requiring downtime or disrupting installs.

Test Plan:
  - There are no writes to the new table yet.
  - The only effect this has is making us issue one extra query when looking for hunks.
  - Observed the query issue, but everything else continue working fine.
  - Created a new diff.
  - Ran unit tests.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T4045, T5179

Differential Revision: https://secure.phabricator.com/D9290
2014-06-03 18:01:22 -07:00
epriestley
bb306b58d5 Introduce DifferentialChangesetQuery and remove loadHunks()
Summary: Ref T4045. Ref T5179. This removes all non-Query hunk loads.

Test Plan:
  - Viewed revisions.
  - Viewed standalone changesets.
  - Viewed raw old/new files.
  - Viewed vs diffs.
  - Enabled inline comments in mail and sent some transactions with inlines.
  - Called `differential.getrawdiff`.
  - Grepped for `loadHunks()`.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T4045, T5179

Differential Revision: https://secure.phabricator.com/D9289
2014-06-03 18:01:21 -07:00
epriestley
71e9fb96b5 Move more hunk loads into DifferentialHunkQuery
Summary: Ref T5179. Ref T4045. I want to move all hunk loads into DifferentialHunkQuery so I can make it do magical things where hunks come from multiple places, handle non-utf8 encodings properly, handle compression, archive into Files, and so on.

Test Plan: Viewed some revisions. Called `differential.getrawdiff`.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T4045, T5179

Differential Revision: https://secure.phabricator.com/D9287
2014-06-03 18:01:19 -07:00
epriestley
4b9765b896 Implement PhabricatorProjectInterface in Paste
Summary: Ref T2628. Implements PhabricatorProjectInterface (D9340) in Paste.

Test Plan: See screenshots.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T2628

Differential Revision: https://secure.phabricator.com/D9341
2014-06-03 17:22:09 -07:00
epriestley
4cda3e5811 Implement PhabricatorProjectInterface for marking that objects can be tagged with projects
Summary: Ref T2628. This makes Transactions understand objects that can have project relationships, extract project mentions, and handle watching.

Test Plan: See next diff.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T2628

Differential Revision: https://secure.phabricator.com/D9340
2014-06-03 17:19:40 -07:00
epriestley
99c72a32d0 Allow installs to require multi-factor authentication for all users
Summary: Ref T5089. Adds a `security.require-multi-factor-auth` which forces all users to enroll in MFA before they can use their accounts.

Test Plan:
Config:

{F159750}

Roadblock:

{F159748}

After configuration:

{F159749}

  - Required MFA, got roadblocked, added MFA, got unblocked.
  - Removed MFA, got blocked again.
  - Used `bin/auth strip` to strip MFA, got blocked.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T5089

Differential Revision: https://secure.phabricator.com/D9285
2014-06-03 16:50:27 -07:00
epriestley
2264c2b4b5 Merge the new navigation design
For discussion, see T5241.
2014-06-03 15:50:08 -07:00
Joshua Spence
0d03bbe43c Allow repositories to be deleted using ./bin/remove.
Summary: Currently, repositories can be deleted using `./bin/repository delete`. It makes sense to expose this operate to the `./bin/remove` script as well, for consistency.

Test Plan: Deleted a repository with `./bin/remove rTEST`.

Reviewers: epriestley, #blessed_reviewers

Reviewed By: epriestley, #blessed_reviewers

Subscribers: epriestley, Korvin

Differential Revision: https://secure.phabricator.com/D9350
2014-06-02 17:11:58 -07:00
lkassianik
7de4e80907 Move Dashboard and Panel edit history out of the way
Summary: Fixes T5170, Create new page for dashboard history

Test Plan: Open dashboard, manage dashboard, click on "View History". Dashboard history should appear. Panel history should appear on panel view page under panel.

Reviewers: epriestley, #blessed_reviewers

Reviewed By: epriestley, #blessed_reviewers

Subscribers: epriestley, Korvin

Maniphest Tasks: T5170

Differential Revision: https://secure.phabricator.com/D9280
2014-05-24 12:29:28 -07:00
Bob Trahan
102befdede Project - add ability to select an icon for typeaheads and such
Summary: Fixes T5090. Introduced getIcon into Handle stack which allows you to specify a per handle icon. getIcon falls back ot getTypeIcon.

Test Plan: changed the icon on a project a bunch. verified transactions showed up. verified icon showed up in typeahead. verified icon showed up in tokens that were pre-generated (not typed in). units test passed.

Reviewers: chad, epriestley

Reviewed By: epriestley

Subscribers: epriestley, Korvin

Maniphest Tasks: T5090

Differential Revision: https://secure.phabricator.com/D9264
2014-05-23 10:41:24 -07:00
epriestley
27a369d15a Make it much easier to add one-off event listeners
Summary:
Ref T4657. Right now, you have to muck with `events.listeners` to install listeners. Instead, automatically install all subclasses of AutoEventListener.

Primarily, this makes it easier to resolve requests with "drop this file in `src/extensions/`, no warranty", which seems to have worked well so far in resolving things like custom remarkup rules, etc.

Test Plan:
  - Added such a listener, had it autoregister.
  - Clicked around and saw the effects of normal listeners.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T4657

Differential Revision: https://secure.phabricator.com/D9262
2014-05-22 15:19:28 -07:00
Bob Trahan
922e5c0849 Projects - add "Additional Hashtags" to projects
Summary:
Fixes T4021. Chooses to keep a "primary" slug based off the name - including all that lovely logic - and allow the user to specify "additional" slugs. Expose these as "hashtags" to the user.

Sets us up for a fun diff where we can delete all the Project => Phriction automagicalness. In terms of this diff, see the TODOs i added.

Test Plan:
added a primary slug as an additional slug - got an error. added a slug in use on another project - got an error. added multiple good slugs and they worked. removed slugs and it worked. made some remark using multiple new slugs and they all linked to the correct project

ran epriestley's case

 - Create project "A".
 - Give it additional slug "B".
 - Try to create project "B".

and i got a nice error about hashtag collision

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: epriestley, Korvin

Maniphest Tasks: T4021

Differential Revision: https://secure.phabricator.com/D9250
2014-05-22 11:19:03 -07:00
lkassianik
6302414883 Make the default view of dashboards be just the dashboard
Summary: Fixes T4985, add manage page, change view page to show only panels. Arguably, PhabricatorDashboardArrangeController is no longer necessary. Also, still trying to figure out if I updated all flows that involve "arrange/{id}". Probably missed some. Also not sure of the Manage Dashboard icon. Please advise.

Test Plan: Create dashboard, add panels, "view/{id}" should show just panels, Manage Dashboard should show timeline and edit links.

Reviewers: #blessed_reviewers, epriestley, chad

Reviewed By: #blessed_reviewers, epriestley

Subscribers: epriestley, Korvin

Maniphest Tasks: T4985

Differential Revision: https://secure.phabricator.com/D9258
2014-05-22 11:10:53 -07:00
epriestley
f1534e6feb Make password reset emails use one-time tokens
Summary:
Ref T4398. This code hadn't been touched in a while and had a few crufty bits.

**One Time Resets**: Currently, password reset (and similar links) are valid for about 48 hours, but we always use one token to generate them (it's bound to the account). This isn't horrible, but it could be better, and it produces a lot of false positives on HackerOne.

Instead, use TemporaryTokens to make each link one-time only and good for no more than 24 hours.

**Coupling of Email Verification and One-Time Login**: Currently, one-time login links ("password reset links") are tightly bound to an email address, and using a link verifies that email address.

This is convenient for "Welcome" emails, so the user doesn't need to go through two rounds of checking email in order to login, then very their email, then actually get access to Phabricator.

However, for other types of these links (like those generated by `bin/auth recover`) there's no need to do any email verification.

Instead, make the email verification part optional, and use it on welcome links but not other types of links.

**Message Customization**: These links can come out of several workflows: welcome, password reset, username change, or `bin/auth recover`. Add a hint to the URI so the text on the page can be customized a bit to help users through the workflow.

**Reset Emails Going to Main Account Email**: Previously, we would send password reset email to the user's primary account email. However, since we verify email coming from reset links this isn't correct and could allow a user to verify an email without actually controlling it.

Since the user needs a real account in the first place this does not seem useful on its own, but might be a component in some other attack. The user might also no longer have access to their primary account, in which case this wouldn't be wrong, but would not be very useful.

Mitigate this in two ways:

  - First, send to the actual email address the user entered, not the primary account email address.
  - Second, don't let these links verify emails: they're just login links. This primarily makes it more difficult for an attacker to add someone else's email to their account, send them a reset link, get them to login and implicitly verify the email by not reading very carefully, and then figure out something interesting to do (there's currently no followup attack here, but allowing this does seem undesirable).

**Password Reset Without Old Password**: After a user logs in via email, we send them to the password settings panel (if passwords are enabled) with a code that lets them set a new password without knowing the old one.

Previously, this code was static and based on the email address. Instead, issue a one-time code.

**Jump Into Hisec**: Normally, when a user who has multi-factor auth on their account logs in, we prompt them for factors but don't put them in high security. You usually don't want to go do high-security stuff immediately after login, and it would be confusing and annoying if normal logins gave you a "YOU ARE IN HIGH SECURITY" alert bubble.

However, if we're taking you to the password reset screen, we //do// want to put the user in high security, since that screen requires high security. If we don't do this, the user gets two factor prompts in a row.

To accomplish this, we set a cookie when we know we're sending the user into a high security workflow. This cookie makes login finalization upgrade all the way from "partial" to "high security", instead of stopping halfway at "normal". This is safe because the user has just passed a factor check; the only reason we don't normally do this is to reduce annoyance.

**Some UI Cleanup**: Some of this was using really old UI. Modernize it a bit.

Test Plan:
  - **One Time Resets**
    - Used a reset link.
    - Tried to reuse a reset link, got denied.
    - Verified each link is different.
  - **Coupling of Email Verification and One-Time Login**
    - Verified that `bin/auth`, password reset, and username change links do not have an email verifying URI component.
    - Tried to tack one on, got denied.
    - Used the welcome email link to login + verify.
    - Tried to mutate the URI to not verify, or verify something else: got denied.
  - **Message Customization**
    - Viewed messages on the different workflows. They seemed OK.
  - **Reset Emails Going to Main Account Email**
    - Sent password reset email to non-primary email.
    - Received email at specified address.
    - Verified it does not verify the address.
  - **Password Reset Without Old Password**
    - Reset password without knowledge of old one after email reset.
    - Tried to do that without a key, got denied.
    - Tried to reuse a key, got denied.
  - **Jump Into Hisec**
    - Logged in with MFA user, got factor'd, jumped directly into hisec.
    - Logged in with non-MFA user, no factors, normal password reset.
  - **Some UI Cleanup**
    - Viewed new UI.
  - **Misc**
    - Created accounts, logged in with welcome link, got verified.
    - Changed a username, used link to log back in.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T4398

Differential Revision: https://secure.phabricator.com/D9252
2014-05-22 10:41:00 -07:00
epriestley
cac61980f9 Add "temporary tokens" to auth, for SMS codes, TOTP codes, reset codes, etc
Summary:
Ref T4398. We have several auth-related systems which require (or are improved by) the ability to hand out one-time codes which expire after a short period of time.

In particular, these are:

  - SMS multi-factor: we need to be able to hand out one-time codes for this in order to prove the user has the phone.
  - Password reset emails: we use a time-based rotating token right now, but we could improve this with a one-time token, so once you reset your password the link is dead.
  - TOTP auth: we don't need to verify/invalidate keys, but can improve security by doing so.

This adds a generic one-time code storage table, and strengthens the TOTP enrollment process by using it. Specifically, you can no longer edit the enrollment form (the one with a QR code) to force your own key as the TOTP key: only keys Phabricator generated are accepted. This has no practical security impact, but generally helps raise the barrier potential attackers face.

Followup changes will use this for reset emails, then implement SMS multi-factor.

Test Plan:
  - Enrolled in TOTP multi-factor auth.
  - Submitted an error in the form, saw the same key presented.
  - Edited the form with web tools to provide a different key, saw it reject and the server generate an alternate.
  - Change the expiration to 5 seconds instead of 1 hour, submitted the form over and over again, saw it cycle the key after 5 seconds.
  - Looked at the database and saw the tokens I expected.
  - Ran the GC and saw all the 5-second expiry tokens get cleaned up.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T4398

Differential Revision: https://secure.phabricator.com/D9217
2014-05-20 11:43:45 -07:00
lkassianik
8a429c51ac Embed dashboard panels in comments
Summary: Fixes T4983, Panel prefix 'W' should be recognized as a shortcut to a dashboard panel

Test Plan: Open any comment input, type '{W1}', or other existing panel, preview should embed that panel.

Reviewers: epriestley, #blessed_reviewers

Reviewed By: epriestley, #blessed_reviewers

Subscribers: epriestley, Korvin

Maniphest Tasks: T4983

Differential Revision: https://secure.phabricator.com/D9215
2014-05-20 11:37:40 -07:00
Bob Trahan
5f33aa5b4f Dashboards - add ability to install dashboard as home
Summary:
See title. Adds PhabricatorDashboardInstall data object which scopes installs to objectPHID + applicationClass. This is because we already have a collision for user home pages and user profiles. Assume only one dashboard per objectPHID + applicationClass though at the database level.

Fixes T5076.

Test Plan: From dashboard view, installed a dashboard - success! Went back to dashboard view and uninstalled it!

Reviewers: chad, epriestley

Reviewed By: epriestley

Subscribers: epriestley, Korvin

Maniphest Tasks: T5076

Differential Revision: https://secure.phabricator.com/D9206
2014-05-19 16:09:31 -07:00
Bob Trahan
d9058d7f3f Dashboards - add remove functionality
Summary: To get there, upgrade "headerless" to "headerMode". Add a new removepanel controller. Fixes T5084.

Test Plan: removed some panels to much success

Reviewers: chad, epriestley

Reviewed By: epriestley

Subscribers: epriestley, Korvin

Maniphest Tasks: T5078, T5084

Differential Revision: https://secure.phabricator.com/D9156
2014-05-19 14:04:26 -07:00
epriestley
3a31554268 Allow projects to be "watched", sort of a super-subscribe
Summary:
Ref T4967. Adds a "Watch" relationship to projects, which is stronger than member/subscribed.

Specifically, when a task is tagged with a project, we'll include all project watchers in the email/notifications. Normally we don't include projects unless they're explicitly CC'd, or have some other active role in the object (like being a reviewer or auditor).

This allows you to closely follow a project without needing to write a Herald rule for every project you care about.

Test Plan:
  - Watched/unwatched a project.
  - Tested the watch/subscribe/member relationships:
    - Watching implies subscribe.
    - Joining implies subscribe.
    - Leaving implies unsubscribe + unwatch.
    - You can't unsubscribe until you unwatch (slightly better would be unsubscribe implies unwatch, but this is a bit tricky).
  - Watched a project, then recevied email about a tagged task without otherwise being involved.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T4967

Differential Revision: https://secure.phabricator.com/D9185
2014-05-19 12:40:57 -07:00
epriestley
7a9d5f8f2d Fix JIRA issue URI selection for JIRA installs which are not on the domain root
Summary: Fixes T4859. See that for details.

Test Plan:
  - Verified things still work on my local (domain root) install.
  - Added some unit tests.
  - Did not verify a non-root install since I don't have one handy, hopefully @salehe can help.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: salehe, epriestley

Maniphest Tasks: T4859

Differential Revision: https://secure.phabricator.com/D8836
2014-05-18 05:45:21 -07:00
epriestley
a74545c9da Provide a rough, unstable API for reporting coverage into Diffusion
Summary:
Ref T4994. This stuff works:

  - You can dump a blob of coverage information into `diffusion.updatecoverage`. This wipes existing coverage information and replaces it.
  - It shows up when viewing files.
  - It shows up when viewing commits.

This stuff does not work:

  - When viewing files, the Javascript hover interaction isn't tied in yet.
  - We always show this information, even if you're behind the commit where it was generated.
  - You can't do incremental updates.
  - There's no aggregation at the file (this file has 90% coverage), diff (the changes in this commit are 90% covered), or directory (the code in this directory has 90% coverage) levels yet.
  - This is probably not the final form of the UI, storage, or API, so you should expect occasional changes over time. I've marked the method as "Unstable" for now.

Test Plan:
  - Ran `save_lint.php` to check for collateral damage; it worked fine.
  - Ran `save_lint.php` on a new branch to check creation.
  - Published some fake coverage information.
  - Viewed an affected commit.
  - Viewed an affected file.

{F151915}

{F151916}

Reviewers: chad, btrahan

Reviewed By: btrahan

Subscribers: jhurwitz, epriestley, zeeg

Maniphest Tasks: T5044, T4994

Differential Revision: https://secure.phabricator.com/D9022
2014-05-17 16:10:54 -07:00
epriestley
bf6e87da24 Add a "tabs" dashboard panel type
Summary:
Ref T4986. Allows you to create a dashboard panel out of dashboard panels.

bwahaha

Test Plan:
{F155472}

{F155473}

Reviewers: chad, btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T4986

Differential Revision: https://secure.phabricator.com/D9141
2014-05-15 19:23:13 -07:00
epriestley
e5e95352c7 Move Maniphest list rendering to SearchEngine
Summary: Ref T4986. Moves Maniphest over. Nothing tricky here, just a complex block of rendering.

Test Plan: Viewed Maniphest list. Created Maniphest panel. Used batch editor, drag-and-drop.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T4986

Differential Revision: https://secure.phabricator.com/D9139
2014-05-15 19:17:38 -07:00
Bob Trahan
6300955661 Dashboards - add layout mode to dashboards
Summary:
This gets us the ability to specify a "layout mode" and which column a panel should appear in at panel add time. Changing the layout mode from a multi column view to a single column view or vice versa will reset all panels to the left most column.

You can also drag and drop where columns appear via the "arrange" mode.

We also have a new dashboard create flow. Create dashboard -> arrange mode. (As opposed to view mode.) This could all possibly use massaging.

Fixes T4996.

Test Plan:
made a dashboard with panels in multiple columns. verified correct widths for various layout modes

re-arranged collumns like whoa.

Reviewers: chad, epriestley

Reviewed By: epriestley

Subscribers: epriestley, Korvin

Maniphest Tasks: T4996

Differential Revision: https://secure.phabricator.com/D9031
2014-05-15 19:12:40 -07:00
Aviv Eyal
f2c0e94ea8 Show command transactions in Harbormaster builds
Summary:
Create transaction, editor, etc, and move command generation over to editor.
Show in a timeline in the buildable page.

Also prevent Engine from creating an empty transaction when build starts (Fixes T4885).

Fixes T4886.

Test Plan: Restart builds and buildables, look at timeline.

Reviewers: #blessed_reviewers, epriestley

Reviewed By: #blessed_reviewers, epriestley

Subscribers: epriestley, Korvin

Maniphest Tasks: T4885, T4886

Differential Revision: https://secure.phabricator.com/D9110
2014-05-15 07:04:34 -07:00
epriestley
436f0563e8 Add a SublimeText-style repository typeahead
Summary:
Allows you to quickly search for files within a repository. Roughly:

  - We build a big tree of everything and ship it to the client.
  - The client implements a bunch of Sublime-ish magic to find paths.

Test Plan: {F154007}

Reviewers: chad, btrahan

Reviewed By: btrahan

Subscribers: epriestley, zeeg

Differential Revision: https://secure.phabricator.com/D9087
2014-05-13 14:08:21 -07:00
epriestley
82102cd95a Move Push log rendering to SearchEngine
Summary: Ref T4986. Move push logs to a View, then have all the stuff that needs to use it use that View.

Test Plan: Viewed push logs and transaction detail in Diffusion. Created a panel.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T4986

Differential Revision: https://secure.phabricator.com/D9104
2014-05-13 14:00:24 -07:00
epriestley
b80b851600 Throw a more tailored exception after failing to resolve a ref
Summary: Ref T2683. Throw a more tailored exception to allow callers to distinguish between bad refs (which are expected, if users try to visit garbage branches) and other types of errors.

Test Plan: Tried to view branch "alksndfklansdf". Viewed branch "master".

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T2683

Differential Revision: https://secure.phabricator.com/D9094
2014-05-13 13:52:33 -07:00
epriestley
38f5894b58 Move Drydock object list rendering to SearchEngine
Summary: Ref T4986. Allows the Drydock search engines to render as panels.

Test Plan: Viewed affected interfaces in Drydock. Created panels from each engine.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T4986

Differential Revision: https://secure.phabricator.com/D9103
2014-05-13 12:14:33 -07:00