1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-12-04 20:52:43 +01:00
Commit graph

171 commits

Author SHA1 Message Date
Chad Little
96edc9d2bc Roll out more FontIcons
Summary: Sidenav launcher, search typeahead results, apps launcher

Test Plan:
Used each of these items

{F275814}

Reviewers: btrahan, epriestley

Reviewed By: epriestley

Subscribers: Korvin, epriestley

Differential Revision: https://secure.phabricator.com/D11499
2015-01-26 08:19:22 -08:00
Chad Little
45ae9cf340 Move PhabricatorCrumbs to PHUICrumbs
Summary: Ref T7014, laying the groundwork for redesigning crumbs.

Test Plan: Tested numberous pages, grep'd locations.

Reviewers: btrahan, epriestley

Reviewed By: epriestley

Subscribers: Korvin, epriestley

Maniphest Tasks: T7014

Differential Revision: https://secure.phabricator.com/D11478
2015-01-23 11:35:09 -08:00
Joshua Spence
c2ac63e9ad Increase visibility of PhabricatorController::buildApplicationMenu methods
Summary: Ref T6822. This method needs to be `public` because it is called from `PhabricatorApplicationSearchController::buildApplicationMenu()`.

Test Plan: I wouldn't expect //increasing// method visibility to break anything.

Reviewers: #blessed_reviewers, epriestley

Reviewed By: #blessed_reviewers, epriestley

Subscribers: Korvin, epriestley

Maniphest Tasks: T6822

Differential Revision: https://secure.phabricator.com/D11416
2015-01-16 07:41:26 +11:00
epriestley
19845395d8 Allow PhutilTranslator::translate() to return defaults
Summary: Allow PhutilTranslator::translate() to return defaults

Test Plan: Just check some strings returned correctly.

Reviewers: epriestley, #blessed_reviewers

Reviewed By: epriestley, #blessed_reviewers

Subscribers: Korvin, Zolli, epriestley

Projects: #localization

Maniphest Tasks: T6845

Differential Revision: https://secure.phabricator.com/D11121
2015-01-01 08:15:40 -08:00
Bob Trahan
b718b429af Transactions - make quotes work for older transactions
Summary: Fixes T6731. I don't really understand the intent behind the two view classes here, but to get this to work I need to pass yet more data to the lower-level class.

Test Plan: Viewed a task with many comments. Clicked "show older". Quoted everything I could. Verified for each quote that it quoted correctly, inlcuding linking to the prior transaction.

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: Korvin, epriestley

Maniphest Tasks: T6731

Differential Revision: https://secure.phabricator.com/D10973
2014-12-11 10:27:28 -08:00
Bob Trahan
6ab3f06b6e Transactions - adding willRenderTimeline to handle tricky cases
Summary: Fixes T6693.

Test Plan:
Made a bunch of comments on a diff with differential, being sure to leave inlines here and there. This reproduced the issue in T6693. With this patch this issue no longer reproduces!

Successfully "showed older changes" in Maniphest too.

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: Korvin, epriestley

Maniphest Tasks: T6693

Differential Revision: https://secure.phabricator.com/D10931
2014-12-04 13:58:52 -08:00
Bob Trahan
d6341cfffe Transactions - add pagination to application transactions
Summary: Ref T4712. This adds pagination. Future diffs will need to deploy `buildTransactionTimeline` everywhere and massage this stuff as necessary if we hit any special cases.

Test Plan: Set page size to "5" to make it need to paginate often. Verified proper transactions loaded in and the javascript actions worked.

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: Korvin, epriestley

Maniphest Tasks: T4712

Differential Revision: https://secure.phabricator.com/D10887
2014-12-02 13:10:29 -08:00
epriestley
a1f5fc2231 Move directory SQL patch construction to abstract base class
Summary:
Ref T6238. I'm building the instance management application now, but not putting it in the upstream -- I think the only use case for it is to build SAAS. If someone comes up with a use case (maybe a college course that wants to create an instance per-class or something?) we could open it up eventually, but it seems cleaner to keep it out of the upstream until we have such a use case.

I need to add schema patches. Make it easier for a subclass to just "add all the patches in this directory", like "autopatches/" works.

Test Plan:
  - Ran `bin/storage status`, saw all normal patches still valid.
  - In some future diff, the instances application will use this to apply patches.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T6238

Differential Revision: https://secure.phabricator.com/D10848
2014-11-14 14:50:50 -08:00
Bob Trahan
3fd16a9ba5 Transactions - introduce a buildTransactionTimeline function
Summary: ...way way down in PhabricatorController. Use it on ManiphestTaskDetailController to test it. Ref T4712. I think the pager logic to be added as part of T4712 can safely reside entirely within this method. As I said earlier, 5 parameters is a lot, so I don't really want to add more. Next diff would do the pagination logic and the diff after that would deploy it everywhere. If while deploying it everywhere I find something off, that will be a different diff.

Test Plan: viewed maniphest tasks and they looked as spiffy as ever.

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: Korvin, epriestley

Maniphest Tasks: T4712

Differential Revision: https://secure.phabricator.com/D10844
2014-11-13 14:44:55 -08:00
epriestley
9352c76e81 Decouple some aspects of request routing and construction
Summary:
Ref T5702. This is a forward-looking change which provides some very broad API improvements but does not implement them. In particular:

  - Controllers no longer require `$request` to construct. This is mostly for T5702, directly, but simplifies things in general. Instead, we call `setRequest()` before using a controller. Only a small number of sites activate controllers, so this is less code overall, and more consistent with most constructors not having any parameters or effects.
  - `$request` now offers `getURIData($key, ...)`. This is an alternate way of accessing `$data` which is currently only available on `willProcessRequest(array $data)`. Almost all controllers which implement this method do so in order to read one or two things out of the URI data. Instead, let them just read this data directly when processing the request.
  - Introduce `handleRequest(AphrontRequest $request)` and deprecate (very softly) `processRequest()`. The majority of `processRequest()` calls begin `$request = $this->getRequest()`, which is avoided with the more practical signature.
  - Provide `getViewer()` on `$request`, and a convenience `getViewer()` on `$controller`. This fixes `$viewer = $request->getUser();` into `$viewer = $request->getViewer();`, and converts the `$request + $viewer` two-liner into a single `$this->getViewer()`.

Test Plan:
  - Browsed around in general.
  - Hit special controllers (redirect, 404).
  - Hit AuditList controller (uses new style).

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T5702

Differential Revision: https://secure.phabricator.com/D10698
2014-10-17 05:01:40 -07:00
epriestley
ad991b0197 Handle Phortune charge failures cleanly
Summary:
Ref T2787. Currently, we kill a cart and dead-end the workflow on a charge failure.

Instead, fail the charge and reset the cart so the user can try using a valid payment instrument like a normal checkout workflow would.

Some shakiness/smoothing on WePay for the moment; PayPal is still made up since we don't have a "Hold" state yet.

Test Plan: {F215214}

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T2787

Differential Revision: https://secure.phabricator.com/D10666
2014-10-08 17:23:02 -07:00
epriestley
d3cd9115f9 Add ui.footer-items to add a custom page footer
Summary: Fixes T6052. Allow installs to link to legal documents, etc., in the page footer.

Test Plan:
  - Configured a footer.
  - Viewed workboards (no footer).
  - Viewed Conpherence (no apparent disruption, I think everything z-indexes over the footer).
  - Viewed stuff on mobile (seems OK).
  - Viewed login page (saw footer).

{F201718}

Reviewers: btrahan, chad

Reviewed By: chad

Subscribers: epriestley

Maniphest Tasks: T6052

Differential Revision: https://secure.phabricator.com/D10466
2014-09-10 14:44:34 -07:00
Joshua Spence
0151c38b10 Apply some autofix linter rules
Summary: Self-explanatory.

Test Plan: Eyeball it.

Reviewers: #blessed_reviewers, epriestley

Reviewed By: #blessed_reviewers, epriestley

Subscribers: epriestley, Korvin

Differential Revision: https://secure.phabricator.com/D10454
2014-09-10 06:55:05 +10:00
James Rhodes
a2a0f002f0 Fix security.require-https by marking redirect as external
Summary:
Resolves T5937.  HTTPS redirects caused by `security.require-https` use a full scheme, domain and port in the URI.  Consequently, this causes invocation of the new external redirect logic and prevents redirection from occurring properly when accessing the HTTP version of Phabricator that has `security.require-https` turned on.

I've also fixed the automatic slash redirection logic to add the external flag where appropriate.

Test Plan: Configured SSL on my local machine and turned on `security.require-https`.  Observed the "Refusing to redirect" exception on master, while the redirect completed successfully with this patch.

Reviewers: #blessed_reviewers, epriestley

Reviewed By: #blessed_reviewers, epriestley

Subscribers: epriestley, Korvin

Maniphest Tasks: T5937

Differential Revision: https://secure.phabricator.com/D10318
2014-08-21 21:35:29 +10:00
Joshua Spence
0c8f487b0f Implement the getName method in PhabricatorApplication subclasses
Summary: Provide an implementation for the `getName` method rather than automagically determining the application name.

Test Plan: Saw reasonable application names in the launcher.

Reviewers: #blessed_reviewers, epriestley

Reviewed By: #blessed_reviewers, epriestley

Subscribers: epriestley, Korvin

Differential Revision: https://secure.phabricator.com/D10027
2014-07-23 23:52:50 +10:00
Joshua Spence
86c399b657 Rename PhabricatorApplication subclasses
Summary: Ref T5655. Some discussion in D9839. Generally speaking, `Phabricator{$name}Application` is clearer than `PhabricatorApplication{$name}`.

Test Plan:
# Pinned and uninstalled some applications.
# Applied patch and performed migrations.
# Verified that the pinned applications were still pinned and that the uninstalled applications were still uninstalled.
# Performed a sanity check on the database contents.

Reviewers: btrahan, epriestley, #blessed_reviewers

Reviewed By: epriestley, #blessed_reviewers

Subscribers: hach-que, epriestley, Korvin

Maniphest Tasks: T5655

Differential Revision: https://secure.phabricator.com/D9982
2014-07-23 10:03:09 +10:00
epriestley
c1f7b72dd8 Add "device ready" flag to standalone dialog pages
Summary: Fixes T5541. Standalone dialog pages, including the high-security auth page, should all work fine on mobile.

Test Plan: {F173598}

Reviewers: chad, joshuaspence

Reviewed By: joshuaspence

Subscribers: epriestley

Maniphest Tasks: T5541

Differential Revision: https://secure.phabricator.com/D9799
2014-07-02 18:49:06 -07:00
epriestley
ca6bd26475 Set device to false for all pages which don't specify device readiness
Summary:
Ref T5446.

  - For all callsites which do not specify a value, set `false` explicitly.
  - Make `true` the default.

Test Plan: Used `grep`, then manually went through everything.

Reviewers: chad

Reviewed By: chad

Subscribers: epriestley

Maniphest Tasks: T5446

Differential Revision: https://secure.phabricator.com/D9687
2014-06-23 15:15:11 -07:00
Joshua Spence
0a62f13464 Change double quotes to single quotes.
Summary: Ran `arc lint --apply-patches --everything` over rP, mainly to change double quotes to single quotes where appropriate. These changes also validate that the `ArcanistXHPASTLinter::LINT_DOUBLE_QUOTE` rule is working as expected.

Test Plan: Eyeballed it.

Reviewers: #blessed_reviewers, epriestley

Reviewed By: #blessed_reviewers, epriestley

Subscribers: epriestley, Korvin, hach-que

Differential Revision: https://secure.phabricator.com/D9431
2014-06-09 11:36:50 -07:00
epriestley
99c72a32d0 Allow installs to require multi-factor authentication for all users
Summary: Ref T5089. Adds a `security.require-multi-factor-auth` which forces all users to enroll in MFA before they can use their accounts.

Test Plan:
Config:

{F159750}

Roadblock:

{F159748}

After configuration:

{F159749}

  - Required MFA, got roadblocked, added MFA, got unblocked.
  - Removed MFA, got blocked again.
  - Used `bin/auth strip` to strip MFA, got blocked.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T5089

Differential Revision: https://secure.phabricator.com/D9285
2014-06-03 16:50:27 -07:00
epriestley
6df1a02413 (Redesign) Clean up older "Tile" code
Summary:
This does some backend cleanup of the tile stuff, and some general cleanup of other application things:

  - Users who haven't customized preferences get a small, specific set of pinned applications: Differential, Maniphest, Diffusion, Audit, Phriction, Projects (and, for administrators, Auth, Config and People).
  - Old tile size methods are replaced with `isPinnnedByDefault()`.
  - Shortened some short descriptions.
  - `shouldAppearInLaunchView()` replaced by less ambiguous `isLaunchable()`.
  - Added a marker for third-party / extension applications.

Test Plan: Faked away my preferences and viewed the home page, saw a smaller set of default pins.

Reviewers: chad

Reviewed By: chad

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D9358
2014-06-03 15:47:27 -07:00
Chad Little
b2f3001ec4 Replace Sprite-Icons with FontAwesome
Summary: The removes the sprite sheet 'icons' and replaces it with FontAwesome fonts.

Test Plan:
- Grep for SPRITE_ICONS and replace
- Grep for sprite-icons and replace
- Grep for PhabricatorActionList and choose all new icons
- Grep for Crumbs and fix icons
- Test/Replace PHUIList Icon support
- Test/Replace ObjectList Icon support (foot, epoch, etc)
- Browse as many pages as I could get to
- Remove sprite-icons and move remarkup to own sheet
- Review this diff in Differential

Reviewers: btrahan, epriestley

Reviewed By: epriestley

Subscribers: epriestley, Korvin, hach-que

Differential Revision: https://secure.phabricator.com/D9052
2014-05-12 10:08:32 -07:00
epriestley
50376aad04 Require multiple auth factors to establish web sessions
Summary:
Ref T4398. This prompts users for multi-factor auth on login.

Roughly, this introduces the idea of "partial" sessions, which we haven't finished constructing yet. In practice, this means the session has made it through primary auth but not through multi-factor auth. Add a workflow for bringing a partial session up to a full one.

Test Plan:
  - Used Conduit.
  - Logged in as multi-factor user.
  - Logged in as no-factor user.
  - Tried to do non-login-things with a partial session.
  - Reviewed account activity logs.

{F149295}

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T4398

Differential Revision: https://secure.phabricator.com/D8922
2014-05-01 10:23:02 -07:00
epriestley
730cb65913 Add aural label for "application" breadcrumb in crumbs
Summary: Ref T4843. This is a purely-visual link; label it with the application name.

Test Plan: {F149583}

Reviewers: btrahan, chad

Reviewed By: chad

Subscribers: epriestley

Maniphest Tasks: T4843

Differential Revision: https://secure.phabricator.com/D8927
2014-05-01 08:55:45 -07:00
epriestley
d8713f6f0b Make dialogs a little easier to use
Summary:
  - Dialog pages currently have no titles or crumbs, and look shoddy. Add titles and crumbs.
  - Dialog titles aren't always great for crumbs, add an optional "short title" for crumbs.
  - `AphrontDialogResponse` is pure boilerplate. Allow controllers to just return a `DialogView` instead and get the same effect.
  - Building dialogs requires a bit of boilerplate, and we generally construct them with no explicit `"action"`, which has some issues with T4593. Provide a convenience method to set the viewer and get a reasonable, explict submit URI.

Test Plan:
  - Viewed dialog on its own.
  - Viewed dialog as a dialog.

{F132353}

Reviewers: btrahan, chad

Reviewed By: chad

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D8577
2014-03-21 14:40:05 -07:00
epriestley
7176240717 Whitelist controllers which can receive a 'code' parameter
Summary:
Ref T4593. There are a variety of clever attacks against OAuth which involve changing the redirect URI to some other URI on the same domain which exhibits unexpected behavior in response to an OAuth request. The best approach to dealing with this is for providers to lock to a specific path and refuse to redirect elsewhere, but not all providers do this.

We haven't had any specific issues related to this, but the anchor issue in T4593 was only a step away.

To mitigate this in general, we can reject the OAuth2 `'code'` parameter on //every// page by default, and then whitelist it on the tiny number of controllers which should be able to receive it.

This is very coarse, kind of overkill, and has some fallout (we can't use `'code'` as a normal parameter in the application), but I think it's relatively well-contained and seems reasonable. A better approach might be to whitelist parameters on every controller (i.e., have each controller specify the parameters it can receive), but that would be a ton of work and probably cause a lot of false positives for a long time.

Since we don't use `'code'` normally anywhere (as far as I can tell), the coarseness of this approach seems reasonable.

Test Plan:
  - Logged in with OAuth.
  - Hit any other page with `?code=...` in the URL, got an exception.
  - Grepped for `'code'` and `"code"`, and examined each use to see if it was impacted.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: aran, epriestley

Maniphest Tasks: T4593

Differential Revision: https://secure.phabricator.com/D8499
2014-03-12 11:30:04 -07:00
Joshua Spence
e11adc4ad7 Added some additional assertion methods.
Summary:
There are quite a few tests in Arcanist, libphutil and Phabricator that do something similar to `$this->assertEqual(false, ...)` or `$this->assertEqual(true, ...)`.

This is unnecessarily verbose and it would be cleaner if we had `assertFalse` and `assertTrue` methods.

Test Plan: I contemplated adding a unit test for the `getCallerInfo` method but wasn't sure if it was required / where it should live.

Reviewers: epriestley, #blessed_reviewers

Reviewed By: epriestley

CC: Korvin, epriestley, aran

Differential Revision: https://secure.phabricator.com/D8460
2014-03-08 19:16:21 -08:00
epriestley
270929dd6b Include Source Sans on-demand with Celerity
Summary:
Unwinds the mess I made in D8422 / D8430:

  - Remove `'fonts'`, since individual fonts can be included via Celerity now.
  - Include Source Sans from the local source when a document uses it as a fontkit.

Test Plan: Browsed Diviner, saw Source Sans.

Reviewers: chad

Reviewed By: chad

CC: aran

Differential Revision: https://secure.phabricator.com/D8431
2014-03-06 11:39:48 -08:00
epriestley
270916a26e Support WOFF files in Celerity and add Source Sans Pro
Summary:
  - Allow Celerity to map and serve WOFF files.
  - Add Source Sans Pro, Source Sans Pro Bold, and the corresponding LICENSE.
  - Add a `font-source-sans-pro` resource for the font.

Test Plan:
  - Changed body `font-face` to `'Source Sans Pro'`.
  - Added `require_celerity_resource('font-source-sans-pro')` in StandardPageView.

Works in Firefox/Chrome/Safari, at least:

{F123296}

{F123297}

{F123298}

Reviewers: btrahan, chad

Reviewed By: chad

CC: chad, aran

Differential Revision: https://secure.phabricator.com/D8430
2014-03-06 11:28:24 -08:00
Joshua Spence
6270114767 Various linter fixes.
Summary:
- Removed trailing newlines.
- Added newline at EOF.
- Removed leading newlines.
- Trimmed trailing whitespace.
- Spelling fix.
- Added newline at EOF

Test Plan: N/A

Reviewers: epriestley, #blessed_reviewers

Reviewed By: epriestley

CC: hach-que, chad, Korvin, epriestley, aran

Differential Revision: https://secure.phabricator.com/D8344
2014-02-26 12:44:58 -08:00
epriestley
11786fb1cc Don't try to set anonymous session cookie on CDN/file domain
Summary:
Ref T2380. If an install has a CDN domain configured, but does not list it as an alternate domain (which is standard/correct, but not incredibly common, see T2380), we'll currently try to set anonymous cookies on it. These will correctly fail security rules.

Instead, don't try to set these cookies.

I missed this in testing yesterday because I have a file domain, but I also have it configured as an alternate domain, which allows cookies to be set. Generally, domain management is due for some refactoring.

Test Plan: Set file domain but not as an alternate, logged out, nuked file domain cookies, reloaded page. No error after patch.

Reviewers: btrahan, csilvers

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T2380

Differential Revision: https://secure.phabricator.com/D8057
2014-01-24 12:29:03 -08:00
epriestley
5b1d9c935a After writing "next_uri", don't write it again for a while
Summary:
Fixes T3793. There's a lot of history here, see D4012, T2102. Basically, the problem is that things used to work like this:

  - User is logged out and accesses `/xyz/`. After they login, we'd like to send them back to `/xyz/`, so we set a `next_uri` cookie.
  - User's browser has a bunch of extensions and now makes a ton of requests for stuff that doesn't exist, like `humans.txt` and `apple-touch-icon.png`. We can't distinguish between these requests and normal requests in a general way, so we write `next_uri` cookies, overwriting the user's intent (`/xyz/`).

To fix this, we made the 404 page not set `next_uri`, in D4012. So if the browser requests `humans.txt`, we 404 with no cookie, and the `/xyz/` cookie is preserved. However, this is bad because an attacker can determine if objects exist and applications are installed, by visiting, e.g., `/T123` and seeing if they get a 404 page (resource really does not exist) or a login page (resource exists). We'd rather not leak this information.

The comment in the body text describes this in more detail.

This diff sort of tries to do the right thing most of the time: we write the cookie only if we haven't written it in the last 2 minutes. Generally, this should mean that the original request to `/xyz/` writes it, all the `humans.txt` requests don't write it, and things work like users expect. This may occasionally do the wrong thing, but it should be very rare, and we stop leaking information about applications and objects.

Test Plan: Logged out, clicked around / logged in, used Charles to verify that cookies were set in the expected way.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T3793

Differential Revision: https://secure.phabricator.com/D8047
2014-01-23 14:16:08 -08:00
epriestley
f9ac534f25 Support CSRF for logged-out users
Summary: Fixes T4339. If you're anonymous, we use a digest of your session key to generate a CSRF token. Otherwise, everything works normally.

Test Plan: Logged out, logged in, tweaked CSRF in forms -- I'll add some inlines.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T4339

Differential Revision: https://secure.phabricator.com/D8046
2014-01-23 14:03:54 -08:00
epriestley
69ddb0ced6 Issue "anonymous" sessions for logged-out users
Summary:
Ref T4339. Ref T4310. Currently, sessions look like `"afad85d675fda87a4fadd54"`, and are only issued for logged-in users. To support logged-out CSRF and (eventually) external user sessions, I made two small changes:

  - First, sessions now have a "kind", which is indicated by a prefix, like `"A/ab987asdcas7dca"`. This mostly allows us to issue session queries more efficiently: we don't have to issue a query at all for anonymous sessions, and can join the correct table for user and external sessions and save a query. Generally, this gives us more debugging information and more opportunity to recover from issues in a user-friendly way, as with the "invalid session" error in this diff.
  - Secondly, if you load a page and don't have a session, we give you an anonymous session. This is just a secret with no special significance.

This does not implement CSRF yet, but gives us a client secret we can use to implement it.

Test Plan:
  - Logged in.
  - Logged out.
  - Browsed around.
  - Logged in again.
  - Went through link/register.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T4310, T4339

Differential Revision: https://secure.phabricator.com/D8043
2014-01-23 14:03:22 -08:00
epriestley
0727418023 Consolidate use of magical cookie name strings
Summary: Ref T4339. We have more magical cookie names than we should, move them all to a central location.

Test Plan: Registered, logged in, linked account, logged out. See inlines.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T4339

Differential Revision: https://secure.phabricator.com/D8041
2014-01-23 14:01:35 -08:00
epriestley
d392a8f157 Replace "web" and "conduit" magic session strings with constants
Summary: Ref T4310. Ref T3720. We use bare strings to refer to session types in several places right now; use constants instead.

Test Plan: grep; logged out; logged in; ran Conduit commands.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T4310, T3720

Differential Revision: https://secure.phabricator.com/D7963
2014-01-14 13:22:34 -08:00
epriestley
eef314b701 Separate session management from PhabricatorUser
Summary: Ref T4310. Ref T3720. Session operations are currently part of PhabricatorUser. This is more tightly coupled than needbe, and makes it difficult to establish login sessions for non-users. Move all the session management code to a `SessionEngine`.

Test Plan:
  - Viewed sessions.
  - Regenerated Conduit certificate.
  - Verified Conduit sessions were destroyed.
  - Logged out.
  - Logged in.
  - Ran conduit commands.
  - Viewed sessions again.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T4310, T3720

Differential Revision: https://secure.phabricator.com/D7962
2014-01-14 13:22:27 -08:00
epriestley
3d9e328fb3 Add an "active login sessions" table to Settings
Summary: Ref T4310. Ref T3720. Partly, this makes it easier for users to understand login sessions. Partly, it makes it easier for me to make changes to login sessions for T4310 / T3720 without messing anything up.

Test Plan: {F101512}

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T3720, T4310

Differential Revision: https://secure.phabricator.com/D7954
2014-01-14 11:05:45 -08:00
epriestley
31b6f69ff7 Allow CelerityResourceResponse to hold resources from multiple maps
Summary:
Ref T4222. Currently, CelerityResourceResponse holds response resources in flat maps. Instead, specify which map resources appear in.

Also, provide `requireResource()` and `initBehavior()` APIs on the Controller and View base classes. These provide a cleaner abstraction over `require_celerity_resource()` and `Javelin::initBehavior()`, but are otherwise the same. Move a few callsites over.

Test Plan:
  - Reloaded pages.
  - Browsed around Differential.

Reviewers: btrahan, hach-que

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T4222

Differential Revision: https://secure.phabricator.com/D7876
2014-01-02 11:59:35 -08:00
epriestley
0fa411083f Show an "approval queue" item on the home page for admins, and sort out menu item visibility
Summary:
  - If you're an administrator and there are users waiting for approval, show a count on the home page.
  - Sort out the `isUserActivated()` access check.
  - Hide all the menu widgets except "Logout" for disabled and unapproved users.
  - Add a "Log In" item.
  - Add a bunch of unit tests.

Test Plan: Ran unit tests, clicked around as unapproved/approved/logged-in/logged-out users.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran, chad

Differential Revision: https://secure.phabricator.com/D7574
2013-11-13 11:24:38 -08:00
epriestley
c8320923c4 Implement most of the administrative UI for approval queues
Summary:
Nothing fancy here, just:

  - UI to show users needing approval.
  - "Approve" and "Disable" actions.
  - Send "Approved" email on approve.
  - "Approve" edit + log operations.
  - "Wait for Approval" state for users who need approval.

There's still no natural way for users to end up not-approved -- you have to write directly to the database.

Test Plan: See screenshots.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Differential Revision: https://secure.phabricator.com/D7573
2013-11-13 11:24:18 -08:00
epriestley
7f11e8d740 Improve handling of email verification and "activated" accounts
Summary:
Small step forward which improves existing stuff or lays groudwork for future stuff:

  - Currently, to check for email verification, we have to single-query the email address on every page. Instead, denoramlize it into the user object.
    - Migrate all the existing users.
    - When the user verifies an email, mark them as `isEmailVerified` if the email is their primary email.
    - Just make the checks look at the `isEmailVerified` field.
  - Add a new check, `isUserActivated()`, to cover email-verified plus disabled. Currently, a non-verified-but-not-disabled user could theoretically use Conduit over SSH, if anyone deployed it. Tighten that up.
  - Add an `isApproved` flag, which is always true for now. In a future diff, I want to add a default-on admin approval queue for new accounts, to prevent configuration mistakes. The way it will work is:
    - When the queue is enabled, registering users are created with `isApproved = false`.
    - Admins are sent an email, "[Phabricator] New User Approval (alincoln)", telling them that a new user is waiting for approval.
    - They go to the web UI and approve the user.
    - Manually-created accounts are auto-approved.
    - The email will have instructions for disabling the queue.

I think this queue will be helpful for new installs and give them peace of mind, and when you go to disable it we have a better opportunity to warn you about exactly what that means.

Generally, I want to improve the default safety of registration, since if you just blindly coast through the path of least resistance right now your install ends up pretty open, and realistically few installs are on VPNs.

Test Plan:
  - Ran migration, verified `isEmailVerified` populated correctly.
  - Created a new user, checked DB for verified (not verified).
  - Verified, checked DB (now verified).
  - Used Conduit, People, Diffusion.

Reviewers: btrahan

Reviewed By: btrahan

CC: chad, aran

Differential Revision: https://secure.phabricator.com/D7572
2013-11-12 14:37:04 -08:00
Jakub Vrana
a29b5b070f Replace some hsprintf() by phutil_tag()
Test Plan: Looked at a diff with inline comment.

Reviewers: epriestley

Reviewed By: epriestley

CC: Korvin, epriestley, aran

Differential Revision: https://secure.phabricator.com/D7549
2013-11-11 09:23:23 -08:00
epriestley
d5f41ef70e Return HTTP 500, not HTTP 200, on exception pages
Summary: Ref T4064. The response code here isn't normally relevant, but we can hit these via `git clone http://../`, etc., and it's clearly more correct to use HTTP 500.

Test Plan: Added a fake `throw new Exception()` and verified I got an HTTP 500 response.

Reviewers: jamesr, btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T4064

Differential Revision: https://secure.phabricator.com/D7507
2013-11-05 15:25:12 -08:00
epriestley
c7f23f522a Accept and route VCS HTTP requests
Summary:
Mostly ripped from D7391, with some changes:

  - Serve repositories at `/diffusion/X/`, with no special `/git/` or `/serve/` URI component.
    - This requires a little bit of magic, but I got the magic working for Git, Mercurial and SVN, and it seems reasonable.
    - I think having one URI for everything will make it easier for users to understand.
    - One downside is that git will clone into `X` by default, but I think that's not a big deal, and we can work around that in the future easily enough.
  - Accept HTTP requests for Git, SVN and Mercurial repositories.
  - Auth logic is a little different in order to be more consistent with how other things work.
  - Instead of AphrontBasicAuthResponse, added "VCSResponse". Mercurial can print strings we send it on the CLI if we're careful, so support that. I did a fair amount of digging and didn't have any luck with git or svn.
  - Commands we don't know about are assumed to require "Push" capability by default.

No actual VCS data going over the wire yet.

Test Plan:
Ran a bunch of stuff like this:

  $ hg clone http://local.aphront.com:8080/diffusion/P/
  abort: HTTP Error 403: This repository is not available over HTTP.

...and got pretty reasonable-seeming errors in all cases. All this can do is produce errors for now.

Reviewers: hach-que, btrahan

Reviewed By: hach-que

CC: aran

Maniphest Tasks: T2230

Differential Revision: https://secure.phabricator.com/D7417
2013-10-29 15:32:40 -07:00
epriestley
314673f4f6 Fix an issue with rendering PHID lists containing null in Maniphest
Summary: See IRC. Someone got a `null` in CCPHIDs somehow. Moving to subscriptions should prevent this, but paper over it for now.

Test Plan: Will have @dctrwatson check.

Reviewers: btrahan, dctrwatson

Reviewed By: btrahan

CC: dctrwatson, aran

Differential Revision: https://secure.phabricator.com/D7330
2013-10-16 12:46:34 -07:00
epriestley
3147a6ca57 Improve messaging of special policy rules in applications
Summary: Ref T603. When the user encounters an action which is controlled by a special policy rule in the application, make it easier for applications to show the user what policy controls the action and what the setting is. I took this about halfway before and left a TODO, but turn it into something more useful.

Test Plan: See screenshots.

Reviewers: btrahan, chad

Reviewed By: chad

CC: chad, aran

Maniphest Tasks: T603

Differential Revision: https://secure.phabricator.com/D7265
2013-10-09 13:52:04 -07:00
epriestley
c8127edfe9 Tighten up some policy interactions in Herald
Summary:
Ref T603. Herald is a bit of a policy minefield right now, although I think pretty much everything has straightforward solutions. This change:

  - Introduces "create" and "create global" permisions for Herald.
    - Maybe "create" is sort of redundant since there's no reason to have access to the application if not creating rules, but I think this won't be the case for most applications, so having an explicit "create" permission is more consistent.
  - Add some application policy helper functions.
  - Improve rendering a bit -- I think we probably need to build some `PolicyType` class, similar to `PHIDType`, to really get this right.
  - Don't let users who can't use application X create Herald rules for application X.
  - Remove Maniphest/Pholio rules when those applications are not installed.

Test Plan:
  - Restricted access to Maniphest and uninstalled Pholio.
  - Verified Pholio rules no longer appear for anyone.
  - Verified Maniphest ruls no longer appear for restricted users.
  - Verified users without CREATE_GLOBAL can not create global ruls.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T603

Differential Revision: https://secure.phabricator.com/D7219
2013-10-04 15:15:48 -07:00
epriestley
a6c4117ec4 Fix controller-level access rules
Summary:
Ref T603. I had to partially revert this earlier because it accidentally blocked access to Conduit and File data for installs without "policy.allow-public", since the applications are available to "all users" but some endpoints actually need to be available even when not logged in.

This readjusts the gating in the controller to properly apply application visibility restrictions, and then adds a giant pile of unit test coverage to make sure it sticks and all the weird cases are covered.

Test Plan:
  - Added and executed unit tests.
  - Executed most of the tests manually, by using logged in / admin / public / disabled users.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T603

Differential Revision: https://secure.phabricator.com/D7211
2013-10-03 19:05:47 -07:00
epriestley
1296c3d347 Fix two excessively aggressive policy checks
Summary:

  - Some applications need public access regardless of policy configuration.
  - The file data endpoint should ignore policies.
2013-10-03 14:38:08 -07:00
epriestley
0d83e1d66f If a user can't see an application, prevent them from using its controllers
Summary:
Ref T603. Broadly, this allows you to implement a policy like "Only users in Engineering can use Differential."

This isn't complete, and there will be a long tail of special cases to deal with. Some examples:

  - If you can't use Differential, should you still be able to attach/detach revisions from tasks?
    - You currently will be able to.
    - This actually seems pretty reasonable.
    - But in other cases it might not be: the "send user a message" action should probably require access to Conpherence.
  - If you can't use Differential, should you still be able to see feed stories about it?
    - You currently will be able to, if you can see the revisions.
    - This seems not-so-reasonable and we should probably lock it down.
  - If you can't use Differential, can users CC you on revisions?
    - Currently, they can, and you can't do anything about it.
    - Probably they shouldn't be able to? This seems challenging to explain in the UI.
  - If you can't use Differential, can you write a Herald rule against it?
    - You currently will be able to.
    - Seems like you obviously shouldn't be able to.
    - I think this is a general issue right now (you can still write Differential herald rules even if you uninstall the application, I believe).

There are probably a few more things I haven't thought of. However, there are a finite number of these things and I suspect there aren't //too/ many more than this -- I can't come up with like 100 of them, and half of the ones above have easy fixes.

Despite the rough edges, I think this accomplishes 95% of what installs expect from it.

Test Plan: Restricted Differential and saw it vanish from the home page.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T603

Differential Revision: https://secure.phabricator.com/D7203
2013-10-03 12:39:41 -07:00
Bob Trahan
b902005bed Kill PhabricatorObjectDataHandle
Summary: Ref T603. Killing this class is cool because the classes that replace it are policy-aware. Tried to keep my wits about me as I did this and fixed a few random things along the way. (Ones I remember right now are pulling a query outside of a foreach loop in Releeph and fixing the text in UIExample to note that the ace of hearts if "a powerful" card and not the "most powerful" card (Q of spades gets that honor IMO))

Test Plan: tested the first few changes (execute, executeOne X handle, object) then got real mechanical / careful with the other changes.

Reviewers: epriestley

Reviewed By: epriestley

CC: Korvin, aran, FacebookPOC

Maniphest Tasks: T603

Differential Revision: https://secure.phabricator.com/D6941
2013-09-11 12:27:28 -07:00
Chad Little
9ef0ea91c4 Remove dust pattern for common bg color.
Summary: Depends on D6769, removes 'dust' and uses a similar color background.

Test Plan: Review colors in sandbox.

Reviewers: epriestley

Reviewed By: epriestley

CC: Korvin, aran

Differential Revision: https://secure.phabricator.com/D6772
2013-08-19 18:15:52 -07:00
epriestley
1834584e98 Provide contextual help on auth provider configuration
Summary:
Ref T1536.

  - Move all the provider-specific help into contextual help in Auth.
  - This provides help much more contextually, and we can just tell the user the right values to use to configure things.
  - Rewrite account/registration help to reflect the newer state of the word.
  - Also clean up a few other loose ends.

Test Plan: {F46937}

Reviewers: chad, btrahan

Reviewed By: chad

CC: aran

Maniphest Tasks: T1536

Differential Revision: https://secure.phabricator.com/D6247
2013-06-20 11:18:48 -07:00
epriestley
73c2c1d2e6 Send old login code to the bottom of the sea
Summary:
Ref T1536. This is extremely reachable and changes the login code to the new stuff.

Notes:

  - I've hard-disabled password registration since I want installs to explicitly flip it on via config if they want it. New installs will get it by default in the future, but old installs shouldn't have their auth options change.
  - Google doesn't let us change the redirect URI, so keep the old one working.
  - We need to keep a bit of LDAP around for now for LDAP import.
  - **Facebook:** This causes substantive changes in what login code is executed.

Test Plan:
  - Logged in / logged out / registered, hit new flows.
  - Logged in with google.
  - Verified no password registration by default.

Reviewers: btrahan, chad

Reviewed By: chad

CC: wez, nh, aran, mbishopim3

Maniphest Tasks: T1536

Differential Revision: https://secure.phabricator.com/D6222
2013-06-19 01:33:27 -07:00
epriestley
fe29b27582 Fix several issues with "Logout"
Summary:
Ref T1536.

  - When we render a dialog on a page by itself, put it on a dust background.
  - Currently, we render "Logout" in two different places. Stop doing that.
  - Make sure the surviving one has workflow so we get a modal ajax dialog if possible.

Test Plan: {F46731}

Reviewers: chad, btrahan

Reviewed By: chad

CC: aran

Maniphest Tasks: T1536

Differential Revision: https://secure.phabricator.com/D6226
2013-06-18 11:05:28 -07:00
epriestley
7cf7f36452 Restyle username/password login for reduced hideousness
Summary: Ref T1536. Error state is a bit gross but we need to sort that out in general.

Test Plan:
{F46549}

{F46550}

Reviewers: chad, btrahan

Reviewed By: chad

CC: aran

Maniphest Tasks: T1536

Differential Revision: https://secure.phabricator.com/D6208
2013-06-16 16:31:14 -07:00
Jakub Vrana
32f91557f8 Store hash of session key
Summary:
This prevents security by obscurity.
If I have read-only access to the database then I can pretend to be any logged-in user.

I've used `PhabricatorHash::digest()` (even though we don't need salt as the hashed string is random) to be compatible with user log.

Test Plan:
Applied patch.
Verified I'm still logged in.
Logged out.
Logged in.

  $ arc tasks

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, Korvin

Differential Revision: https://secure.phabricator.com/D6080
2013-05-30 17:30:06 -07:00
Bob Trahan
4295de508f Conpherence - add createthread method
Summary: Ref T3166. I moved the create logic into a static method in the editor class to keep things tidy.

Test Plan: created a conpherence from UI. purdy. tried errors and got UI to show "required". for conduit, created a thread with all the bells and whistles and it worked. verified i got proper exceptions with bum conduit calls

Reviewers: epriestley

Reviewed By: epriestley

CC: chad, aran, Korvin

Maniphest Tasks: T3166

Differential Revision: https://secure.phabricator.com/D6083
2013-05-30 16:37:51 -07:00
epriestley
2214f96d3f Fix some small notification / token issues
Summary:
Fixes T3218.

  - Currently, Paste pages don't clear notifications about the paste (notably, token notifications).
  - Currently, Paste pages don't show tooltips on tokens.
  - `buildApplicationPage()` stopped respecting `pageObjects` (which controls whether "this page has been updated" is shown). Restore that.
  - Make `pageObjects` imply "clear notifications on this stuff".

Test Plan: Viewed a tokened Paste. Verified it cleared the notification and hovering over a token showed a tip.

Reviewers: btrahan, chad

Reviewed By: chad

CC: aran

Maniphest Tasks: T3218

Differential Revision: https://secure.phabricator.com/D5971
2013-05-19 07:51:31 -07:00
Anh Nhan Nguyen
843d0bdcde Introduce some convenience methods for handle rendering
Summary:
So I don't have to copy/paste everything again.

Used them at places I could find with my limited `grep` skills.

Test Plan: Visited hovercards, revision and tasks. No crashes.

Reviewers: epriestley, btrahan, chad

Reviewed By: epriestley

CC: aran, Korvin

Differential Revision: https://secure.phabricator.com/D5592
2013-04-05 17:01:44 -07:00
Jakub Vrana
4741b6cefc Use 'Bacon Ice Cream for Breakfast' only for untitled pages
Test Plan: /

Reviewers: nh, epriestley

Reviewed By: epriestley

CC: aran, Korvin

Differential Revision: https://secure.phabricator.com/D5490
2013-03-30 12:46:03 -07:00
Nick Harper
d2b7bb9504 Fix title for phabricator home page
Summary:
My browser was showing the url of phabricator as the title instead of the real
title. Fix it so the title set for the home page actually gets used.

Test Plan: load phabricator and see "Bacon Ice Cream for Breakfast" as the title

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, Korvin, chad

Differential Revision: https://secure.phabricator.com/D5428
2013-03-26 15:40:14 -07:00
Chad Little
3c11d9103e Optional body class for dust background.
Summary: This adds an option dust background for certain application designs, like Macro and Pholio to help make the list views pop more.

Test Plan: Reviewed Macro and Pholio.

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, Korvin

Differential Revision: https://secure.phabricator.com/D5209
2013-03-04 10:35:50 -08:00
Chad Little
7ab7783ad3 Modernize Countdown
Summary: Crumbs, phts, and mobile layouts for Countdown.

Test Plan: Tested new, edit and delete timer. Verified timer works. Unable to get 'remove chrome' to work, will investigate.

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, Korvin

Differential Revision: https://secure.phabricator.com/D5101
2013-02-25 12:48:55 -08:00
epriestley
ef7f16180c Restore merge of phutil_tag. 2013-02-13 14:51:18 -08:00
epriestley
73cce6e131 Revert "Promote phutil-tag again"
This reverts commit 8fbabdc06d, reversing
changes made to 2dab1c1e42.
2013-02-13 14:08:57 -08:00
vrana
4eb84149c2 Convert everything to safe HTML
Summary: Sgrepped for `"=~/</"` and manually changed every HTML.

Test Plan: This doesn't work yet but it is hopefully one of the last diffs before Phabricator will be undoubtedly HTML safe.

Reviewers: epriestley

CC: aran, Korvin

Maniphest Tasks: T2432

Differential Revision: https://secure.phabricator.com/D4927
2013-02-13 12:35:40 -08:00
vrana
37b98450a5 Replace array_interleave() by phutil_implode_html()
Summary:
I like this abstraction better.
Result of `phutil_implode_html()` may be also used as a param of `hsprintf()`.

Test Plan: None.

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, Korvin

Differential Revision: https://secure.phabricator.com/D4904
2013-02-11 15:27:43 -08:00
vrana
2f508bf0dc Delete some phutil_safe_html()
Test Plan: Displayed revision.

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, Korvin

Maniphest Tasks: T2432

Differential Revision: https://secure.phabricator.com/D4829
2013-02-05 15:52:48 -08:00
epriestley
40547030a5 render_tag -> tag: PropertyListView
Summary: Converts callsites in PropertyListView (addDetail() and setTextContent()).

Test Plan: Grepped for PhabricatorPropertyListView, addDetail() and setTextContent().

Reviewers: vrana

Reviewed By: vrana

CC: aran

Maniphest Tasks: T2432

Differential Revision: https://secure.phabricator.com/D4695
2013-01-29 11:01:47 -08:00
vrana
a54a60df36 Fix check request event
Summary: Broken since birth.

Test Plan: Used it.

Reviewers: nh, epriestley

Reviewed By: nh

CC: aran, Korvin

Differential Revision: https://secure.phabricator.com/D4602
2013-01-23 14:18:35 -08:00
skarphet
76e44ad930 Removed RenderFooter
Removed RenderFooter from PhabricatorController
2013-01-19 20:22:18 -08:00
Andrei Antonescu
f919f000e7 Created a preference pane for DarkConsole, instead of link
Summary: Just removed the link and created a new field under preferences. Now the setting is under Display Preferences.

Test Plan: Enablied/Disabled dark console to see if it works.

Reviewers: epriestley

Reviewed By: epriestley

CC: irinav, aran, Korvin

Maniphest Tasks: T2344

Differential Revision: https://secure.phabricator.com/D4549

Conflicts:

	src/view/page/PhabricatorStandardPageView.php
2013-01-19 17:42:54 -08:00
epriestley
7ad3147b3b Remove all older-style navs
Summary: Move all navs to use the newer-style, darker, textured look. I'm //pretty// sure this doesn't break anything.

Test Plan: Looked at a bunch of apps.

Reviewers: btrahan, chad

Reviewed By: chad

CC: aran

Differential Revision: https://secure.phabricator.com/D4376
2013-01-09 12:03:58 -08:00
epriestley
dd669c6d4e Make AphrontProxyResponse reduce to a real response instead of building a string
Summary: Currently, AphrontProxyResponse is expected to build a string. This prevents some response types (like Dialog) from being proxied, because they have special rules. Instead, make proxy responses reduce into a non-proxied response so it's possible to proxy any type of response and hit all the normal rules for it.

Test Plan: Built a proxied DialogResponse on top of this.

Reviewers: btrahan, vrana

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T2104, T912

Differential Revision: https://secure.phabricator.com/D4159
2012-12-11 17:27:25 -08:00
epriestley
03a1148480 Restore Maniphest to use comma-style lists for subscribers, projects
Summary: D4153 made these render with newlines between items; use commas instead.

Test Plan: {F26950}

Reviewers: btrahan, chad, vrana

Reviewed By: chad

CC: aran

Differential Revision: https://secure.phabricator.com/D4162
2012-12-11 17:15:59 -08:00
epriestley
f306cab653 Use application icons for "Eye" menu and Crumbs
Summary:
Issues here:

  - Need an application-sized "eye", or a "home" icon for "Phabricator Home".
  - Some of the "apps_lb_2x" sliced images are the "_dark_" versions, not the light versions.
  - If you slice an application-sized "logout" (power off) icon and application-sized "help" (questionmark in circle) icon I can replace the current menu icons and nearly get rid of "autosprite".
  - To replace the icons on /applications/, the non-retina size is "4x", so we'd need "8x" for retina. Alternatively I can reduce the icon sizes by 50%.
  - The "Help", "Settings" and "Logout" items currently have a "glowing" hover state, which needs a variant (or we can drop it).
  - The /applications/ icons have a white hover state (or we can drop it).
  - The 1x application (14x14) icons aren't used anywhere right now, should they be? Maybe in the feed in the future, etc?
  - The "apps-2x" and "apps-large" sheets are the same image, but getting them to actually use the same file is a bit tricky, so I just left them separate for now.

Test Plan:
{F26698}
{F26699}

Reviewers: chad

Reviewed By: chad

CC: aran

Maniphest Tasks: T1960

Differential Revision: https://secure.phabricator.com/D4108
2012-12-07 13:37:28 -08:00
epriestley
1c9a6be979 Add a breadcrumbs element
Summary:
Add a basic breadcrumbs element, and implement it in Paste.

This needs some polish but is most of the way there.

Test Plan:
{F26443}
{F26444}
{F26445}

(This element is not visible on devices.)

Reviewers: chad

Reviewed By: chad

CC: aran, btrahan

Maniphest Tasks: T1960

Differential Revision: https://secure.phabricator.com/D4087
2012-12-07 13:35:17 -08:00
epriestley
f910e38ecc Provide a mobile application menu
Summary:
Adds a right-hand-side application menu, based roughly on `frame_v3.png`.

This has the same icon as the left menu until we get real design in, but is functionally reasonable.

Test Plan: {F26170} {F26169}

Reviewers: chad

Reviewed By: chad

CC: aran

Maniphest Tasks: T1960

Differential Revision: https://secure.phabricator.com/D4061
2012-12-07 13:34:44 -08:00
epriestley
6482876cf3 Remove the application menu
Summary:
Toss this completely as per discussion elsewhere. Basically it doesn't feel as useful as we imagined it would, and breadcrumbs from T1960 will replace the primary useful part (navigating up).

There's some more cleanup to do but I'll hit that in the next few diffs.

Closes T1828 as wontfix.

Test Plan: Viewed app + local, app-without-local interfaces. Saw no app menus.

Reviewers: chad

Reviewed By: chad

CC: aran, vrana

Maniphest Tasks: T1828, T1960

Differential Revision: https://secure.phabricator.com/D4033
2012-12-07 13:29:44 -08:00
epriestley
66c648cc56 Fix a redirect-on-login issue by allowing logged-out users to view 404 pages
Summary:
See T2102 and inline for discussion. This seems like the least-bad approach until we have something better.

The utility of next_uri seems much greater than the minor exposure of routable URIs.

Note that attackers can //not// detect if routable URIs are //valid// (e.g., "/D999" will always hit the login page whether it exists or not), just that they're routable. So you can only really tell if apps are installed or not.

Test Plan: Hit `/alsdknlkasnbla` while logged out, got 404 instead of login.

Reviewers: vrana, codeblock, btrahan

Reviewed By: codeblock

CC: aran

Maniphest Tasks: T2102

Differential Revision: https://secure.phabricator.com/D4012
2012-11-21 14:43:35 -08:00
Bob Trahan
730cf80a36 Expose subscribers in search and some polish
Summary: was poking at T654 and noticed subscribers weren't exposed in search UI so I did so. Also make ponder a little less silly on the double handles load. Finally, stopped showing the "Examine Index" link to non admins since they can't click it. Note this introduces a UI oddity in that you Users and Phriction Documents don't currently have the subscribe functionality.

Test Plan: searched for subscribers in all applications - it worked!

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, Korvin

Differential Revision: https://secure.phabricator.com/D3907
2012-11-06 15:35:26 -08:00
vrana
ef85f49adc Delete license headers from files
Summary:
This commit doesn't change license of any file. It just makes the license implicit (inherited from LICENSE file in the root directory).

We are removing the headers for these reasons:

- It wastes space in editors, less code is visible in editor upon opening a file.
- It brings noise to diff of the first change of any file every year.
- It confuses Git file copy detection when creating small files.
- We don't have an explicit license header in other files (JS, CSS, images, documentation).
- Using license header in every file is not obligatory: http://www.apache.org/dev/apply-license.html#new.

This change is approved by Alma Chao (Lead Open Source and IP Counsel at Facebook).

Test Plan: Verified that the license survived only in LICENSE file and that it didn't modify externals.

Reviewers: epriestley, davidrecordon

Reviewed By: epriestley

CC: aran, Korvin

Maniphest Tasks: T2035

Differential Revision: https://secure.phabricator.com/D3886
2012-11-05 11:16:51 -08:00
epriestley
c02a588b4e Remove "admin page" color/styles
Summary: These haven't had any effect since the redesign, and we're moving to a more granular policy model so it probably doesn't make sense to ever restore them.

Test Plan: Grepped for "admin" and removed all relevant code.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Differential Revision: https://secure.phabricator.com/D3710
2012-10-16 10:33:37 -07:00
epriestley
6b1c27eb0e Make "public" pastes meaningfully visible to logged-out users
Summary:
  - Introduce `shouldAllowPublic()`, indicating that logged-out users are OK in a controller if the install is configured to permit public policies.
  - Make Paste views and lists allow public users.
  - Make UI do sensible things with respect to disabling links, etc.
  - Improve behavior of "you need to login" with respect to policy exceptions and Ajax requests.

Test Plan: Looked at "public" paste, saw all unavailable UI disabled, clicked it, got appropraite prompts.

Reviewers: vrana, btrahan

Reviewed By: vrana

CC: aran

Maniphest Tasks: T603

Differential Revision: https://secure.phabricator.com/D3502
2012-09-30 19:44:09 -07:00
vrana
5a5d0b2b56 Allow custom request checker prior to displaying page
Summary: We want to allow a broader access to our installation but we need to check the request in that case.

Test Plan:
Created a simple `PhabricatorRequestChecker` returning a custom controller.
Verified that this controller is used when accessing any page.
Returned `null` from this checker and verified that all 209 Phabricator pages are accessible.

Reviewers: epriestley

Reviewed By: epriestley

CC: scottmac, aran, Korvin, btrahan

Differential Revision: https://secure.phabricator.com/D2488
2012-09-27 15:34:54 -07:00
epriestley
b77b4f7155 Fix another missing strlen for users with username "0". 2012-09-13 17:00:53 -07:00
Nick Harper
7e1f5bc9df Allow redirecting when not logged in
Summary:
Without this, the https redirect doesn't work if you're not logged in, because
the login check in willBeginExecution happens before the redirect controller
can redirect. This also has the unpleasant effect of the login page on http
(when it should have redirected to https) not having any css or js.

Test Plan:
With the https redirect enabled, loaded phabricator without being logged in,
and saw that I got redirected to the https login page instead of seeing a
http login page.

Reviewers: epriestley, vrana

Reviewed By: epriestley

CC: aran, Korvin

Differential Revision: https://secure.phabricator.com/D3438
2012-09-05 14:16:46 -07:00
vrana
8ff52c0b6c Set viewer for all handles loaded in controllers
Summary:
I've replaced all `id(new PhabricatorObjectHandleData(...))->loadHandles()` by `$this->loadViewerHandles(...)`.
Lint caught one usage in a static method.

Test Plan: Displayed revision with sporadic author.

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, Korvin

Differential Revision: https://secure.phabricator.com/D3432
2012-09-04 23:14:26 -07:00
epriestley
1bf338170a Minor, resolve a method name conflict between ManiphestController and PhabricatorController. 2012-08-15 13:58:37 -07:00
epriestley
84c32dd928 Restore "Forks" to Paste
Summary:
I just put them in the property table instead of a list at the foot, they looked weird down there and were too bulky relative to their importance.

This won't scale great if someone forks a paste ten thousand times or whatever, but we can deal with that when we get there.

Also clean up a few things and tweak some styles,

Test Plan: Looked at forked, unforked pastes.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Differential Revision: https://secure.phabricator.com/D3295
2012-08-15 13:45:53 -07:00
epriestley
70a8e8b6e8 Modernize Paste
Summary:
  - Add a PhabricatorApplication.
  - Make most of the views work well on tablets / phones. The actual "Create" form doesn't, but everything else is good -- need to make device-friendly form layouts before I can do the form.

Test Plan: Will attach screenshots.

Reviewers: btrahan, chad, vrana

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T1569

Differential Revision: https://secure.phabricator.com/D3293
2012-08-15 10:45:06 -07:00
epriestley
b2f12a09b5 Modernize MetaMTA
Summary:
  - Add an Application.
  - Move routes to the application.
  - Move nav out of tabs (which no longer exist).
  - Fix a couple of random things.

Test Plan: Viewed sent/received mail logs. Performed send/receive tests. Viewed email details.

Reviewers: btrahan, vrana

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T631, T1569

Differential Revision: https://secure.phabricator.com/D3255
2012-08-13 12:37:06 -07:00
epriestley
74b438db13 Move "Mailing Lists" to a separate application
Summary:
There's currently no way to get here from the UI since nav tabs don't exist anymore. It's also always been hard to find this feature even when we had the tabs, since it's surprising that it's inside "MetaMTA".

  - Move mailing lists to a separate application.
  - Add `buildApplicationPage()`, since we don't really need `buildStandardPageResponse()` any more -- we can infer all the information from `PhabricatorApplication`. This will let us get rid of a lot of the `PhabricatorXXXController` classes which just define application information.
  - Add `getApplicationURI()` to reduce code duplication, and in case we want to let you move applications around some day.

Test Plan: Looked/edited/saved mailing lists.

Reviewers: btrahan, vrana

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T631

Differential Revision: https://secure.phabricator.com/D3248
2012-08-12 19:19:46 -07:00
epriestley
314c25365d Drive menu icons from Applications
Summary:
This makes no changes, it just moves the menu icons to the applications instead of hard-coded on the page.

I'm going to try to address some of the angst in T1593 next...

Test Plan: Loaded logged-in / logged out pages. Clicked menu items. Looked at /applications/.

Reviewers: vrana, btrahan

Reviewed By: vrana

CC: aran

Maniphest Tasks: T1593, T1569

Differential Revision: https://secure.phabricator.com/D3146
2012-08-05 14:12:43 -07:00
vrana
e84f9f9ec9 Send Differential e-mails in user's language
Summary:
Works this way:

- Select users' language with multiplexing.
- Select default language otherwise (it can be different from current user's language).
- Build body and subject for each user individually.
- Set the original language after sending the mails.

Test Plan:
- Comment on a diff of user with custom translation.
- Set default to a custom translation. Comment on a diff of user with default translation.
- Set default to a default translation. Comment on a diff of user with default translation.

Repeat with/without multiplexing.

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, Korvin

Maniphest Tasks: T1139

Differential Revision: https://secure.phabricator.com/D2774
2012-06-18 12:41:09 -07:00
vrana
48ebcf0679 Allow user override translation and implement PhutilPerson
Test Plan:
Altered database.
Wrote a custom translation and selected it in preferences.
Verified that the text is custom translated.
Set language back to default.

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, Korvin

Maniphest Tasks: T1139

Differential Revision: https://secure.phabricator.com/D2757
2012-06-14 18:33:00 -07:00
vrana
6cc196a2e5 Move files in Phabricator one level up
Summary:
- `kill_init.php` said "Moving 1000 files" - I hope that this is not some limit in `FileFinder`.
- [src/infrastructure/celerity] `git mv utils.php map.php; git mv api/utils.php api.php`
- Comment `phutil_libraries` in `.arcconfig` and run `arc liberate`.

NOTE: `arc diff` timed out so I'm pushing it without review.

Test Plan:
/D1234
Browsed around, especially in `applications/repository/worker/commitchangeparser` and `applications/` in general.

Auditors: epriestley

Maniphest Tasks: T1103
2012-06-01 12:32:44 -07:00
vrana
1ebf9186b4 Depend on class autoloading
Test Plan:
Run setup.
/differential/

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, Koolvin

Maniphest Tasks: T1103

Differential Revision: https://secure.phabricator.com/D2612
2012-05-30 16:57:21 -07:00