1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-11 01:12:41 +01:00
Commit graph

1673 commits

Author SHA1 Message Date
epriestley
41adc1b4c3 Use standard tag elements instead of "maniphest project tag" to show tags in list views
Summary:
Standardizes tag rendering in Maniphest and Maniphest/Diffusion list views.

(This might need some size/spacing tweaks, I tried to make it look reasonable.)

Test Plan: See screenshots.

Reviewers: chad

Reviewed By: chad

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D9741
2014-06-26 08:49:44 -07:00
epriestley
950d3668f9 Streamline Legalpad signature workflow
Summary:
Generally reduces friction, standardizes, and simplifies this workflow. Particularly, this removes "address" and "phone", which I think we can wait for user demand for.

For logged-in users, we just always use their primary email.

Test Plan: See screenshots.

Reviewers: chad

Reviewed By: chad

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D9735
2014-06-26 07:16:42 -07:00
epriestley
1abd74459f Make view/sign page the primary Legalpad page
Summary:
  - Makes the "legal document" page the main page.
  - Links to the "manage" page.
  - The "manage" operation now requires CAN_EDIT.
  - Modernize some crumbs and such.

Test Plan: {F170213}

Reviewers: chad

Reviewed By: chad

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D9733
2014-06-25 18:38:07 -07:00
epriestley
83cfbe7bb4 Allow linking to passphrase credential via remarkup
Summary: Fixes T5421, add linking to passphrase credentials

Test Plan: Open task, add a comment of '{K1}' where K1 is a passphrase credential. Preview and actual comment should be link to credential with the content of credential.

Reviewers: epriestley, #blessed_reviewers

Reviewed By: epriestley, #blessed_reviewers

Subscribers: epriestley, Korvin

Maniphest Tasks: T5421

Differential Revision: https://secure.phabricator.com/D9725
2014-06-25 14:59:12 -07:00
epriestley
fe4dcd4063 Add an icon rule to Remarkup
Summary: Fixes T5468.

Test Plan: See screenshots.

Reviewers: chad

Reviewed By: chad

Subscribers: epriestley

Maniphest Tasks: T5468

Differential Revision: https://secure.phabricator.com/D9722
2014-06-24 21:56:34 -07:00
epriestley
9c59ce11ed Move typehaead dropdown up a few z-index levels
Summary: Fixes T5451.

Test Plan:
  - Added a custom date field, observed icon render underneath typeahead results.
  - Couldn't think of any reasons that typeaheads should be under any of the elements with index 9, 10, 11, or 12.

Reviewers: chad

Reviewed By: chad

Subscribers: epriestley

Maniphest Tasks: T5451

Differential Revision: https://secure.phabricator.com/D9718
2014-06-24 20:21:27 -07:00
Chad Little
f8e7d8f65c Move ActionHeaders to PHUI, add ObjectBox Support, new Colors
Summary: Moves PhabricatorActionHeaderView to PHUIActionHeaderView, adds Red, Green, and Violet colors and extend ObjectBox to take colors and action headers.

Test Plan:
Tested new Welcome layout as well as UIExamples, Workboards, and Hovercards

{F169669}

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: epriestley, Korvin

Differential Revision: https://secure.phabricator.com/D9707
2014-06-24 09:39:32 -07:00
Chad Little
640defde0e Remove PHUIWorkboard UIExample
Summary: This view is too specialized now as a general example (and its broken as an example).

Test Plan: Reload, nuked

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: epriestley, Korvin

Differential Revision: https://secure.phabricator.com/D9685
2014-06-23 16:36:43 -07:00
epriestley
76cefde0b3 Show Aphlict connection status in notification menu
Summary:
Fixes T5373. Ref T5281. Several changes:

  - The `marshallExceptions` thing is useful if JS throws an exception when invoked from Flash, so set it. The resulting exceptions are a little odd (not escaped correctly, e.g.) but way better than nothing.
  - Put connection status in the notification menu.
  - When the connection fails, try to provide contextual help where we can.

Test Plan: {F169493}

Reviewers: chad, joshuaspence

Reviewed By: joshuaspence

Subscribers: epriestley

Maniphest Tasks: T5281, T5373

Differential Revision: https://secure.phabricator.com/D9700
2014-06-23 16:26:16 -07:00
epriestley
abcd3efa5a Allow administrators to set a dashboard as a global default
Summary:
Ref T4883.

  - When an administrator installs a dashbord, give them the option to install it as a global default.
  - On the home page, if a user does not have a dashboard installed, check for a global default.
  - On the Admin NUX/Welcome page, check for a global dashboard.

Test Plan:
  - Installed a global dashboard, checked homepage, saw it.
  - Installed a personal dashboard over it.
  - Checked non-admin flow.
  - Checked Admin NUX page for quest completion.

Reviewers: btrahan, chad

Reviewed By: chad

Subscribers: epriestley

Maniphest Tasks: T4883

Differential Revision: https://secure.phabricator.com/D9670
2014-06-23 15:14:38 -07:00
lkassianik
248b4dfa9d Projects for DifferentialRevision
Summary: T2628, Adding project tags to revisions

Test Plan: Edit revision, verify projects can be tagged. Add project hashtag to comments or commit templates, verify revision is tagged with project

Reviewers: epriestley, #blessed_reviewers

Reviewed By: epriestley, #blessed_reviewers

Subscribers: epriestley, Korvin

Differential Revision: https://secure.phabricator.com/D9686
2014-06-23 09:49:53 -07:00
epriestley
ef0a0b5727 First version of "Quest Tracker" Home NUX
Summary:
Ref T5317. General idea here is that Dashboards are replacing the home page soon. We think they'll do a good job for normal users, but they aren't very good for new administrators who have just completed an install. In this case, any dashboard we put there by default will be empty and not very useful or helpful. It's also technically a bit messy to build objects by default.

Instead, give new administrators a "Quest Tracker" UI to help them get through things. When they're done with setup steps, they build a dashboard and install it to replace the home page. They can add install-specific welcome messages during this process, so hopefully this will also ease onboarding for non-administrator users.

For now, you have to go to Config > Welcome Screen explicitly to see this UI. We can tweak/test it for a bit before replacing the home page.

Test Plan: {F169226}

Reviewers: btrahan, chad

Reviewed By: chad

Subscribers: epriestley

Maniphest Tasks: T5317

Differential Revision: https://secure.phabricator.com/D9660
2014-06-23 09:37:51 -07:00
epriestley
b20884a842 Substantially support character encodings and "Highlight As" in changesets
Summary: Ref T5179. Ref T4045. Ref T832. We can now write non-utf8 hunks into the database, so try to do more reasonable things with them in the UI.

Test Plan: (See screenshots...)

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T832, T4045, T5179

Differential Revision: https://secure.phabricator.com/D9294
2014-06-20 11:49:41 -07:00
Chad Little
ca801c7ad4 PHUIImageMask
Summary: Adds a PHUI class for display images on a center point, with or without a mask.

Test Plan:
I am bad a math, so like, check that for me please. I tested using Photoshop. Class may need tweaked depending how we store the inline-comment coords.

{F167829}

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: epriestley, Korvin

Differential Revision: https://secure.phabricator.com/D9614
2014-06-18 14:09:37 -07:00
epriestley
df3736e81e Garbage collect daemon logs
Summary:
We already have GC for daemon log events, but not for daemon logs themselves.

Collect old daemon logs which aren't still running.

Test Plan: Ran `phd debug garbage`, observed old logs get cleaned up. Started some daemons, re-ran garbage, made sure they stuck around.

Reviewers: joshuaspence

Reviewed By: joshuaspence

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D9610
2014-06-17 15:33:08 -07:00
epriestley
df2c015e7c Make Dashboard tab panels editable by humans
Summary: Fixes T5335. This is not pretty, but should reasonably let normal humans create tab panels.

Test Plan: See screenshot.

Reviewers: chad

Reviewed By: chad

Subscribers: epriestley

Maniphest Tasks: T5335

Differential Revision: https://secure.phabricator.com/D9600
2014-06-17 15:32:55 -07:00
epriestley
5aae1ee034 Make query panels editable by normal humans
Summary:
Ref T4986. Instead of requiring you to know engine class names and copy/paste URLs, provide select dropdowns that use SCARY JAVASCRIPT to do magical things.

I think this is mostly reasonable, the only issue is that it's hard to create a panel out of a completely ad-hoc query (you'd have to save it, then create a panel out of the saved query, then remove the saved query). Once we develop T5307 we can do a better job of this.

Test Plan: See screenshots.

Reviewers: chad

Reviewed By: chad

Subscribers: epriestley

Maniphest Tasks: T4986

Differential Revision: https://secure.phabricator.com/D9572
2014-06-16 12:27:12 -07:00
Joshua Spence
bff58fac93 Move infrastructure tests up one directory.
Summary: Sometimes, the `PhabricatorInfrastructureTestCase` //would// fail, but we don't run it with `arc unit` because of the directory structure. See D9556 for an example.

Test Plan: This is essentially the same as D9557.

Reviewers: epriestley, #blessed_reviewers

Reviewed By: epriestley, #blessed_reviewers

Subscribers: epriestley, Korvin

Differential Revision: https://secure.phabricator.com/D9559
2014-06-16 05:52:11 +10:00
epriestley
397d67ff3d Support "Projects" field for pholio mocks in Herald
Summary: Mocks can have projects now; allow Herald rules to be written against them.

Test Plan: Wrote a Herald mock rule about projects.

Reviewers: chad

Reviewed By: chad

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D9552
2014-06-15 12:14:46 -07:00
epriestley
868ff166b1 Give Pholio mocks a configurable edit policy
Summary:
Ref T4566. Currently, mocks have a conservative (author only), immutable default edit policy.

Instead:

  - Let the edit policy be changed.
  - Default the edit policy to "all users", similar to other applications.
  - Add an application-level setting for it.
  - Migrate existing edit policies to be consistent with the old policy (just the author).

This stops short of adding a separate "owner" and letting that be changed, since Pholio doesn't really have any review/approve type features (at least, so far). We can look at doing this if we get more feedback about it, or if we make owners more meaningful (e.g., add more "review-like" process to mocks).

Test Plan:
  - Ran migration scripts.
  - Confirmed existing mocks retained their effective policies (author only).
  - Created a new mock, saw edit policy.
  - Changed edit policy.
  - Changed global edit policy default.
  - Tried to edit a mock I couldn't edit.

Reviewers: chad

Reviewed By: chad

Subscribers: epriestley

Maniphest Tasks: T4566

Differential Revision: https://secure.phabricator.com/D9550
2014-06-15 10:28:16 -07:00
epriestley
7ce8a1f437 Turn thumbs into a history grid thing
Summary:
This could probably use some refinement (and, like, explanatory text, and stronger cues about what rows and columns mean) but feels fairly good to me, at least on test data.

I didn't do any scrolling for now since we have to do full height on mobile anyway I think. I did swap it so the newer ones are on top.

Left/right navigate you among current images only, but you can click any thumb to review history.

Removed history view since it's no longer useful.

Some things that would probably help:

  - Some kind of header explaining what this is ("Mock History" or something).
  - Stronger visual cue that columns are related by being the same image.
  - Clearer cues about obsolete/deleted images (e.g., on the stage itself?)
  - Maybe general tweaks.
  - Maybe a placeholder (like a grey "X") for images which have been deleted.

(I'm planning to add comment counts too, which I think will be pretty useful, but that felt good to put in another diff.)

Test Plan: See screenshots.

Reviewers: chad

Reviewed By: chad

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D9543
2014-06-14 21:12:19 -07:00
epriestley
942f504893 Remove inline gutter in Pholio
Summary: This greatly simplifies inline comments while retaining their functionality. This is probably not where we want to end up, but will let us figure out what we're doing with the stage without worrying about inlines.

Test Plan: See screenshots.

Reviewers: chad

Reviewed By: chad

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D9537
2014-06-14 18:41:45 -07:00
epriestley
18757e43de Allow entire dashboards to be copied
Summary:
Further improve UX for dealing with policy rules on dashboards:

  - When in the "Manage" view of a dashboard you can not edit:
    - Don't show the panel management controls.
    - Show a notice that the board isn't editable, recommending you make a copy instead.
  - Add a "Copy Dashboard" action to create a copy which you //can// edit.

Test Plan: Copied some dashboards. See screenshots.

Reviewers: chad

Reviewed By: chad

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D9508
2014-06-12 21:49:19 -07:00
epriestley
6f4ebcb8d9 Create dashboard panels inline on dashboards
Summary:
Fixes T5308.

  - Allows you to create a panel directly on a dashboard.
  - Also, include existing panels with a select instead of a text field. This won't scale as well but should be fine for now, and is way easier to use.

Test Plan: See comment.

Reviewers: chad

Reviewed By: chad

Subscribers: epriestley

Maniphest Tasks: T5308

Differential Revision: https://secure.phabricator.com/D9501
2014-06-12 13:22:27 -07:00
epriestley
b8bc0aa2b0 Allow users to select QueryPanel search engines from a list
Summary: Ref T4986. Instead of requiring users to know the name of an application search engine class, let them select from a list.

Test Plan:
Created a new panel.

{F165468}

Reviewers: chad

Reviewed By: chad

Subscribers: epriestley

Maniphest Tasks: T4986

Differential Revision: https://secure.phabricator.com/D9500
2014-06-12 13:22:20 -07:00
Joshua Spence
747946eb5f Remove the deprecated PhabricatorIRCProtocolHandler class.
Summary: This class has been deprecated for a while now (see rP0a8b0d1392bd79b4e88fbf910b176c960d57b4b4). It should be safe to remove.

Test Plan: N/A

Reviewers: epriestley, #blessed_reviewers

Reviewed By: epriestley, #blessed_reviewers

Subscribers: epriestley, Korvin

Differential Revision: https://secure.phabricator.com/D9467
2014-06-11 05:50:35 -07:00
Joshua Spence
34cca383eb Remove the PhabricatorBotDifferentialNotificationHandler class.
Summary: This class has been deprecated for a while now (see rPdad7c65bf56384480be7c18e02fdc01ea67cf1ff). It should be safe to remove.

Test Plan: N/A

Reviewers: epriestley, #blessed_reviewers

Reviewed By: epriestley, #blessed_reviewers

Subscribers: epriestley, Korvin

Differential Revision: https://secure.phabricator.com/D9468
2014-06-11 05:50:13 -07:00
Joshua Spence
857c11a36e Remove deprecated PhabricatorIRCBot class.
Summary: This class has been deprecated for a while (see rP574bc3ba31cca2767bafe7844d7f854d90d6be1c). It should be safe to remove now.

Test Plan: N/A

Reviewers: epriestley, #blessed_reviewers

Reviewed By: epriestley, #blessed_reviewers

Subscribers: epriestley, Korvin

Differential Revision: https://secure.phabricator.com/D9469
2014-06-11 05:49:53 -07:00
Joshua Spence
ddf5412cbb Add a ./bin/aphlict build workflow.
Summary:
Currently, it is a bit tricky to build the Aphlict client SWF from the ActionScript source. Provide a `./bin/aphlict build` workflow that simplifies this process.

Depends on D9226.

Test Plan:
Executed the workflow:

```
> ./bin/aphlict build
Done.
```

Reviewers: #blessed_reviewers, epriestley

Reviewed By: #blessed_reviewers, epriestley

Subscribers: epriestley, Korvin

Differential Revision: https://secure.phabricator.com/D9338
2014-06-07 11:34:07 -07:00
Joshua Spence
8a7a7dcbf1 Make ./bin/aphlict behave more like a service.
Summary: Fixes T5126. Provide `start`, `stop`, `restart`, `debug` and `status` workflows for `./bin/aphlict`. This makes it easier to manage Aphlict as if it were a service.

Test Plan:
```
> sudo ./bin/aphlict status
Aphlict is not running.

> sudo ./bin/aphlict stop
Aphlict is not running.

> sudo ./bin/aphlict start
Aphlict Server started.

> sudo ./bin/aphlict status
Aphlict (12880) is running.

> sudo ./bin/aphlict restart
Stopping Aphlict Server (12880)...
Aphlict Server (12880) exited normally.
Aphlict Server started.

> sudo ./bin/aphlict stop
Stopping Aphlict Server (12895)...
Aphlict Server (12895) exited normally.

> sudo ./bin/aphlict debug
Starting Aphlict server in foreground...
Launching server:

    $ node '/usr/src/phabricator/src/applications/aphlict/management/../../../../support/aphlict/server/aphlict_server.js' --port='22280' --admin='22281' --host='localhost' --user='aphlict'

[Fri May 30 2014 09:56:14 GMT+0000 (UTC)] Started Server (PID 12911)
```

Reviewers: #blessed_reviewers, epriestley

Reviewed By: #blessed_reviewers, epriestley

Subscribers: hach-que, epriestley, Korvin

Maniphest Tasks: T5126

Differential Revision: https://secure.phabricator.com/D9226
2014-06-05 12:13:45 -07:00
epriestley
5b1262c98b Add a bin/hunks script to manage migrations of hunk data
Summary:
Ref T4045. Ref T5179. While we'll eventually need to force a migration, we can let installs (particularly large installs) do an online migration for now. This moves hunks to the new storage format one at a time.

(Note that nothing writes to the new store yet, so this is the only way to populate it.)

WARNING: Installs, don't run this yet! It won't compress the data. Wait until it can also do compression.

Test Plan: Added a `break;` after migrating one row and moved a few rows over. Spot checked them in the database and viewed the affected diffs.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T4045, T5179

Differential Revision: https://secure.phabricator.com/D9291
2014-06-03 18:01:23 -07:00
epriestley
0aa913805d Add an alternate "modern" hunk datastore
Summary:
Ref T4045. Ref T5179. Hunk storage has two major issues:

  - It's utf8, but actual diffs are binary.
  - It's huge and can't be compressed or archived.

This introduces a second datastore which solves these problems: by recording hunk encoding, supporting compression, and supporting alternate storage. There's no actual compression or storage support yet, but there's space in the table for them.

Since nothing actually uses hunk IDs, it's fine to have these tables exist at the same time and use the same IDs. We can migrate data between the tables gradually without requiring downtime or disrupting installs.

Test Plan:
  - There are no writes to the new table yet.
  - The only effect this has is making us issue one extra query when looking for hunks.
  - Observed the query issue, but everything else continue working fine.
  - Created a new diff.
  - Ran unit tests.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T4045, T5179

Differential Revision: https://secure.phabricator.com/D9290
2014-06-03 18:01:22 -07:00
epriestley
bb306b58d5 Introduce DifferentialChangesetQuery and remove loadHunks()
Summary: Ref T4045. Ref T5179. This removes all non-Query hunk loads.

Test Plan:
  - Viewed revisions.
  - Viewed standalone changesets.
  - Viewed raw old/new files.
  - Viewed vs diffs.
  - Enabled inline comments in mail and sent some transactions with inlines.
  - Called `differential.getrawdiff`.
  - Grepped for `loadHunks()`.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T4045, T5179

Differential Revision: https://secure.phabricator.com/D9289
2014-06-03 18:01:21 -07:00
epriestley
71e9fb96b5 Move more hunk loads into DifferentialHunkQuery
Summary: Ref T5179. Ref T4045. I want to move all hunk loads into DifferentialHunkQuery so I can make it do magical things where hunks come from multiple places, handle non-utf8 encodings properly, handle compression, archive into Files, and so on.

Test Plan: Viewed some revisions. Called `differential.getrawdiff`.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T4045, T5179

Differential Revision: https://secure.phabricator.com/D9287
2014-06-03 18:01:19 -07:00
epriestley
4b9765b896 Implement PhabricatorProjectInterface in Paste
Summary: Ref T2628. Implements PhabricatorProjectInterface (D9340) in Paste.

Test Plan: See screenshots.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T2628

Differential Revision: https://secure.phabricator.com/D9341
2014-06-03 17:22:09 -07:00
epriestley
4cda3e5811 Implement PhabricatorProjectInterface for marking that objects can be tagged with projects
Summary: Ref T2628. This makes Transactions understand objects that can have project relationships, extract project mentions, and handle watching.

Test Plan: See next diff.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T2628

Differential Revision: https://secure.phabricator.com/D9340
2014-06-03 17:19:40 -07:00
epriestley
99c72a32d0 Allow installs to require multi-factor authentication for all users
Summary: Ref T5089. Adds a `security.require-multi-factor-auth` which forces all users to enroll in MFA before they can use their accounts.

Test Plan:
Config:

{F159750}

Roadblock:

{F159748}

After configuration:

{F159749}

  - Required MFA, got roadblocked, added MFA, got unblocked.
  - Removed MFA, got blocked again.
  - Used `bin/auth strip` to strip MFA, got blocked.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T5089

Differential Revision: https://secure.phabricator.com/D9285
2014-06-03 16:50:27 -07:00
epriestley
2264c2b4b5 Merge the new navigation design
For discussion, see T5241.
2014-06-03 15:50:08 -07:00
Joshua Spence
0d03bbe43c Allow repositories to be deleted using ./bin/remove.
Summary: Currently, repositories can be deleted using `./bin/repository delete`. It makes sense to expose this operate to the `./bin/remove` script as well, for consistency.

Test Plan: Deleted a repository with `./bin/remove rTEST`.

Reviewers: epriestley, #blessed_reviewers

Reviewed By: epriestley, #blessed_reviewers

Subscribers: epriestley, Korvin

Differential Revision: https://secure.phabricator.com/D9350
2014-06-02 17:11:58 -07:00
lkassianik
7de4e80907 Move Dashboard and Panel edit history out of the way
Summary: Fixes T5170, Create new page for dashboard history

Test Plan: Open dashboard, manage dashboard, click on "View History". Dashboard history should appear. Panel history should appear on panel view page under panel.

Reviewers: epriestley, #blessed_reviewers

Reviewed By: epriestley, #blessed_reviewers

Subscribers: epriestley, Korvin

Maniphest Tasks: T5170

Differential Revision: https://secure.phabricator.com/D9280
2014-05-24 12:29:28 -07:00
Bob Trahan
102befdede Project - add ability to select an icon for typeaheads and such
Summary: Fixes T5090. Introduced getIcon into Handle stack which allows you to specify a per handle icon. getIcon falls back ot getTypeIcon.

Test Plan: changed the icon on a project a bunch. verified transactions showed up. verified icon showed up in typeahead. verified icon showed up in tokens that were pre-generated (not typed in). units test passed.

Reviewers: chad, epriestley

Reviewed By: epriestley

Subscribers: epriestley, Korvin

Maniphest Tasks: T5090

Differential Revision: https://secure.phabricator.com/D9264
2014-05-23 10:41:24 -07:00
epriestley
27a369d15a Make it much easier to add one-off event listeners
Summary:
Ref T4657. Right now, you have to muck with `events.listeners` to install listeners. Instead, automatically install all subclasses of AutoEventListener.

Primarily, this makes it easier to resolve requests with "drop this file in `src/extensions/`, no warranty", which seems to have worked well so far in resolving things like custom remarkup rules, etc.

Test Plan:
  - Added such a listener, had it autoregister.
  - Clicked around and saw the effects of normal listeners.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T4657

Differential Revision: https://secure.phabricator.com/D9262
2014-05-22 15:19:28 -07:00
Bob Trahan
922e5c0849 Projects - add "Additional Hashtags" to projects
Summary:
Fixes T4021. Chooses to keep a "primary" slug based off the name - including all that lovely logic - and allow the user to specify "additional" slugs. Expose these as "hashtags" to the user.

Sets us up for a fun diff where we can delete all the Project => Phriction automagicalness. In terms of this diff, see the TODOs i added.

Test Plan:
added a primary slug as an additional slug - got an error. added a slug in use on another project - got an error. added multiple good slugs and they worked. removed slugs and it worked. made some remark using multiple new slugs and they all linked to the correct project

ran epriestley's case

 - Create project "A".
 - Give it additional slug "B".
 - Try to create project "B".

and i got a nice error about hashtag collision

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: epriestley, Korvin

Maniphest Tasks: T4021

Differential Revision: https://secure.phabricator.com/D9250
2014-05-22 11:19:03 -07:00
lkassianik
6302414883 Make the default view of dashboards be just the dashboard
Summary: Fixes T4985, add manage page, change view page to show only panels. Arguably, PhabricatorDashboardArrangeController is no longer necessary. Also, still trying to figure out if I updated all flows that involve "arrange/{id}". Probably missed some. Also not sure of the Manage Dashboard icon. Please advise.

Test Plan: Create dashboard, add panels, "view/{id}" should show just panels, Manage Dashboard should show timeline and edit links.

Reviewers: #blessed_reviewers, epriestley, chad

Reviewed By: #blessed_reviewers, epriestley

Subscribers: epriestley, Korvin

Maniphest Tasks: T4985

Differential Revision: https://secure.phabricator.com/D9258
2014-05-22 11:10:53 -07:00
epriestley
f1534e6feb Make password reset emails use one-time tokens
Summary:
Ref T4398. This code hadn't been touched in a while and had a few crufty bits.

**One Time Resets**: Currently, password reset (and similar links) are valid for about 48 hours, but we always use one token to generate them (it's bound to the account). This isn't horrible, but it could be better, and it produces a lot of false positives on HackerOne.

Instead, use TemporaryTokens to make each link one-time only and good for no more than 24 hours.

**Coupling of Email Verification and One-Time Login**: Currently, one-time login links ("password reset links") are tightly bound to an email address, and using a link verifies that email address.

This is convenient for "Welcome" emails, so the user doesn't need to go through two rounds of checking email in order to login, then very their email, then actually get access to Phabricator.

However, for other types of these links (like those generated by `bin/auth recover`) there's no need to do any email verification.

Instead, make the email verification part optional, and use it on welcome links but not other types of links.

**Message Customization**: These links can come out of several workflows: welcome, password reset, username change, or `bin/auth recover`. Add a hint to the URI so the text on the page can be customized a bit to help users through the workflow.

**Reset Emails Going to Main Account Email**: Previously, we would send password reset email to the user's primary account email. However, since we verify email coming from reset links this isn't correct and could allow a user to verify an email without actually controlling it.

Since the user needs a real account in the first place this does not seem useful on its own, but might be a component in some other attack. The user might also no longer have access to their primary account, in which case this wouldn't be wrong, but would not be very useful.

Mitigate this in two ways:

  - First, send to the actual email address the user entered, not the primary account email address.
  - Second, don't let these links verify emails: they're just login links. This primarily makes it more difficult for an attacker to add someone else's email to their account, send them a reset link, get them to login and implicitly verify the email by not reading very carefully, and then figure out something interesting to do (there's currently no followup attack here, but allowing this does seem undesirable).

**Password Reset Without Old Password**: After a user logs in via email, we send them to the password settings panel (if passwords are enabled) with a code that lets them set a new password without knowing the old one.

Previously, this code was static and based on the email address. Instead, issue a one-time code.

**Jump Into Hisec**: Normally, when a user who has multi-factor auth on their account logs in, we prompt them for factors but don't put them in high security. You usually don't want to go do high-security stuff immediately after login, and it would be confusing and annoying if normal logins gave you a "YOU ARE IN HIGH SECURITY" alert bubble.

However, if we're taking you to the password reset screen, we //do// want to put the user in high security, since that screen requires high security. If we don't do this, the user gets two factor prompts in a row.

To accomplish this, we set a cookie when we know we're sending the user into a high security workflow. This cookie makes login finalization upgrade all the way from "partial" to "high security", instead of stopping halfway at "normal". This is safe because the user has just passed a factor check; the only reason we don't normally do this is to reduce annoyance.

**Some UI Cleanup**: Some of this was using really old UI. Modernize it a bit.

Test Plan:
  - **One Time Resets**
    - Used a reset link.
    - Tried to reuse a reset link, got denied.
    - Verified each link is different.
  - **Coupling of Email Verification and One-Time Login**
    - Verified that `bin/auth`, password reset, and username change links do not have an email verifying URI component.
    - Tried to tack one on, got denied.
    - Used the welcome email link to login + verify.
    - Tried to mutate the URI to not verify, or verify something else: got denied.
  - **Message Customization**
    - Viewed messages on the different workflows. They seemed OK.
  - **Reset Emails Going to Main Account Email**
    - Sent password reset email to non-primary email.
    - Received email at specified address.
    - Verified it does not verify the address.
  - **Password Reset Without Old Password**
    - Reset password without knowledge of old one after email reset.
    - Tried to do that without a key, got denied.
    - Tried to reuse a key, got denied.
  - **Jump Into Hisec**
    - Logged in with MFA user, got factor'd, jumped directly into hisec.
    - Logged in with non-MFA user, no factors, normal password reset.
  - **Some UI Cleanup**
    - Viewed new UI.
  - **Misc**
    - Created accounts, logged in with welcome link, got verified.
    - Changed a username, used link to log back in.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T4398

Differential Revision: https://secure.phabricator.com/D9252
2014-05-22 10:41:00 -07:00
epriestley
cac61980f9 Add "temporary tokens" to auth, for SMS codes, TOTP codes, reset codes, etc
Summary:
Ref T4398. We have several auth-related systems which require (or are improved by) the ability to hand out one-time codes which expire after a short period of time.

In particular, these are:

  - SMS multi-factor: we need to be able to hand out one-time codes for this in order to prove the user has the phone.
  - Password reset emails: we use a time-based rotating token right now, but we could improve this with a one-time token, so once you reset your password the link is dead.
  - TOTP auth: we don't need to verify/invalidate keys, but can improve security by doing so.

This adds a generic one-time code storage table, and strengthens the TOTP enrollment process by using it. Specifically, you can no longer edit the enrollment form (the one with a QR code) to force your own key as the TOTP key: only keys Phabricator generated are accepted. This has no practical security impact, but generally helps raise the barrier potential attackers face.

Followup changes will use this for reset emails, then implement SMS multi-factor.

Test Plan:
  - Enrolled in TOTP multi-factor auth.
  - Submitted an error in the form, saw the same key presented.
  - Edited the form with web tools to provide a different key, saw it reject and the server generate an alternate.
  - Change the expiration to 5 seconds instead of 1 hour, submitted the form over and over again, saw it cycle the key after 5 seconds.
  - Looked at the database and saw the tokens I expected.
  - Ran the GC and saw all the 5-second expiry tokens get cleaned up.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T4398

Differential Revision: https://secure.phabricator.com/D9217
2014-05-20 11:43:45 -07:00
lkassianik
8a429c51ac Embed dashboard panels in comments
Summary: Fixes T4983, Panel prefix 'W' should be recognized as a shortcut to a dashboard panel

Test Plan: Open any comment input, type '{W1}', or other existing panel, preview should embed that panel.

Reviewers: epriestley, #blessed_reviewers

Reviewed By: epriestley, #blessed_reviewers

Subscribers: epriestley, Korvin

Maniphest Tasks: T4983

Differential Revision: https://secure.phabricator.com/D9215
2014-05-20 11:37:40 -07:00
Bob Trahan
5f33aa5b4f Dashboards - add ability to install dashboard as home
Summary:
See title. Adds PhabricatorDashboardInstall data object which scopes installs to objectPHID + applicationClass. This is because we already have a collision for user home pages and user profiles. Assume only one dashboard per objectPHID + applicationClass though at the database level.

Fixes T5076.

Test Plan: From dashboard view, installed a dashboard - success! Went back to dashboard view and uninstalled it!

Reviewers: chad, epriestley

Reviewed By: epriestley

Subscribers: epriestley, Korvin

Maniphest Tasks: T5076

Differential Revision: https://secure.phabricator.com/D9206
2014-05-19 16:09:31 -07:00
Bob Trahan
d9058d7f3f Dashboards - add remove functionality
Summary: To get there, upgrade "headerless" to "headerMode". Add a new removepanel controller. Fixes T5084.

Test Plan: removed some panels to much success

Reviewers: chad, epriestley

Reviewed By: epriestley

Subscribers: epriestley, Korvin

Maniphest Tasks: T5078, T5084

Differential Revision: https://secure.phabricator.com/D9156
2014-05-19 14:04:26 -07:00
epriestley
3a31554268 Allow projects to be "watched", sort of a super-subscribe
Summary:
Ref T4967. Adds a "Watch" relationship to projects, which is stronger than member/subscribed.

Specifically, when a task is tagged with a project, we'll include all project watchers in the email/notifications. Normally we don't include projects unless they're explicitly CC'd, or have some other active role in the object (like being a reviewer or auditor).

This allows you to closely follow a project without needing to write a Herald rule for every project you care about.

Test Plan:
  - Watched/unwatched a project.
  - Tested the watch/subscribe/member relationships:
    - Watching implies subscribe.
    - Joining implies subscribe.
    - Leaving implies unsubscribe + unwatch.
    - You can't unsubscribe until you unwatch (slightly better would be unsubscribe implies unwatch, but this is a bit tricky).
  - Watched a project, then recevied email about a tagged task without otherwise being involved.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T4967

Differential Revision: https://secure.phabricator.com/D9185
2014-05-19 12:40:57 -07:00