diffs: avoid conflicts between inline diff mechanism and special markup
It would sometimes emit markup like <pre><ins><u</ins> <ins>class</ins><ins>=</ins><ins>"cr</ins><ins>"></u></ins></pre> instead of <pre><ins><u class="cr"></u></ins></pre>
helpers: make desc_stylize work when given html escaped strings
The function returns strings with html markup. The result can thus not be escaped and we must assume that the input already has been escaped. That may or may not be the case yet.
privacy: on password reset, don't tell strangers if email is valid or not
Password reset form might be used to check if users with specific email addresses have accounts in the system by requesting their password to be reset. It's probably not a good idea to give this sort of information to complete strangers.
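The account-enumeration problem above, shown as an added example (not Kallithea's own code): a leaky handler whose response differs for known and unknown addresses, next to one that returns the same status and message either way and only performs the mail side effect for registered accounts. The user table, the outbox and the message text are constructed for the example.

```python
import secrets

# Constructed sample data: the registered accounts and an outbox standing in for the mailer.
USERS = {"alice@example.org": {"id": 1}, "bob@example.org": {"id": 2}}
OUTBOX = []

GENERIC_MESSAGE = ("If an account exists for that e-mail address, "
                   "a password reset link has been sent to it.")


def _send_reset_mail(email):
    # A fresh unguessable token, only ever delivered to the registered address.
    OUTBOX.append((email, secrets.token_urlsafe(32)))


def leaky_password_reset(email):
    """The behaviour being fixed: the response reveals whether the address is registered."""
    if email not in USERS:
        return {"status": 404, "message": "No account with that e-mail address."}
    _send_reset_mail(email)
    return {"status": 200, "message": "Password reset link sent."}


def safe_password_reset(email):
    """Same status and message whether or not the address is registered.

    The reset mail is still sent only for known accounts; the side effect
    happens, but nothing in the HTTP response depends on it.
    """
    if email in USERS:
        _send_reset_mail(email)
    return {"status": 200, "message": GENERIC_MESSAGE}


def distinguishes_accounts(handler):
    """True if a stranger can tell a registered address from an unknown one
    just by comparing the handler's responses."""
    known = handler("alice@example.org")
    unknown = handler("nobody@example.org")
    return known != unknown


if __name__ == "__main__":
    print("leaky handler leaks account existence:", distinguishes_accounts(leaky_password_reset))
    print("safe handler leaks account existence:", distinguishes_accounts(safe_password_reset))
```

Identical responses close the obvious channel, but a handler that sends the mail synchronously can still leak through response time; queue the mail and rate-limit the endpoint per address and per client as well.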
users: add extra checks on editing the default user
There is no need to be able to edit e-mails or permissions of the default user, so add the same checks as present in many other methods in the users controller.
Note that one specific unittest has been commented because it relies on pytest features (monkeypatch). When pytest is the default test runner, the test should be uncommented.
login: preserve GET arguments throughout login redirection (issue #104)
When redirecting a user to the login page and while handling this login and redirecting to the original page, the GET arguments passed to the original URL are lost through the login redirection process.
For example, when creating a pull request for a specific revision from the repository changelog, there are rev_start and rev_end arguments passed in the URL. Through the login redirection, they are lost.
Fix the issue by passing along the GET arguments to the login page, in the login form action, and when redirecting back to the original page. Tests are added to cover these cases, including tests with unicode GET arguments (in URL encoding).
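The three legs of the round trip described above (redirect to login, the login form action, redirect back) as an added example in plain Python, not the project's own code. The login route `/_admin/login`, the `came_from` parameter name and the helper names are assumptions. Note the extra local-path check on `came_from`: once the original URL is carried verbatim through the login page, the same parameter becomes an open-redirect target unless it is restricted to paths on this site.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

LOGIN_PATH = "/_admin/login"   # assumed login route for the example


def login_url_for(original_path, original_query):
    """Leg 1: send an unauthenticated user to the login page, carrying the
    full original URL (path *and* query string) in came_from."""
    came_from = urlunsplit(("", "", original_path, original_query, ""))
    return urlunsplit(("", "", LOGIN_PATH, urlencode({"came_from": came_from}), ""))


def login_form_action(login_page_url):
    """Leg 2: the form must post back to the login URL *including* its query
    string; a bare '/_admin/login' action would drop came_from here."""
    return login_page_url


def redirect_target_after_login(login_form_action_url):
    """Leg 3: where to send the user once the posted credentials check out."""
    query = urlsplit(login_form_action_url).query
    came_from = dict(parse_qsl(query)).get("came_from", "/")
    return came_from if _is_local_path(came_from) else "/"


def _is_local_path(url):
    # Refuse absolute URLs and protocol-relative '//evil.example' so that
    # came_from cannot be abused as an open redirect.
    parts = urlsplit(url)
    return (not parts.scheme and not parts.netloc
            and url.startswith("/") and not url.startswith("//"))


if __name__ == "__main__":
    url = login_url_for("/kallithea/pull-request/new", "rev_start=1f2e3d&rev_end=4c5b6a")
    print("login page:", url)
    print("after login:", redirect_target_after_login(login_form_action(url)))
```

Percent-encoded arguments survive unchanged because `urlencode` re-encodes the `%` sign and `parse_qsl` decodes it back, so `branch=%C3%BCnicode` comes out exactly as it went in.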
pullrequest/compare: add logical changeset index to clarify the order
Is the parent-most changeset in a changeset the one at the top or at the bottom? When the revision numbers are not shown, it is not obvious to determine this.
This commit adds a logical changeset index to the commit list in a pullrequest or compare view. The index starts at 1 (the parent-most commit) and has no relation whatsoever with the commit hash or revision number.
select2: move "exact prefix matches" to the top of the search
Further improvements to this could be to sort by the position of your filter in the results so searching for foo means that release/foo comes before a/branch/of/doom//foo.
issue: when deleting comments in a list of comments on the same line, sometimes the add new comment button stops working
root cause: when deleting a comment in a list of comments that are all on the same line, the wrong previous tr is chosen; the chosen tr could be an inline comment instead of a line tr, resulting in the injectinlineform function returning immediately
solution: loop over the found tr until it's no longer an inline comment
remark: could probably be optimised further to immediately search for the line tr object
The Last Revision column of the file browser linked to URLs with the changeset as: r14:abcdef0123 which is not a valid changeset id. Instead, use .raw_id.
comments: refactor the DOM handling for previous/next comment links
Make it more clear which div the links are put into and set the whole content of that div instead of appending. This prepares for repeatedly re-linking the comments when new comments or comment forms are inserted in the text.
tests: move pytest settings from kallithea/tests/pytest.ini to setup.cfg
pytest.ini was added in 9b8ba0f1c87b but didn't work. pytest only uses one configuration file and does not merge settings from multiple files [1]. The first detected file is setup.cfg, which thus should contain all relevant configuration.
tests: restrict pytest test collection to kallithea/tests
When the kallithea root directory contains a populated virtualenv, pytest would also collect tests in python packages installed there.
Restrict the tests to be considered to any test_*.py file inside kallithea/tests.
Additionally, by renaming unwanted test files in kallithea/tests/scripts to _not_ match this pattern, we can completely get rid of the 'norecursedirs' option.
Change the template to use CSS classes names compatible with what Bootstrap provides. That would allow the login page to have sane appearance with Bootstrap CSS immediately.
The template changes also remove extra vertical space between the ‘Log in’ button and extra links at the bottom for the sake of having a simpler markup.
middleware: use secure cookies over secure connections
HTTP cookie spec defines secure cookies, which are transmitted only over secure connections (HTTPS). Using them helps protect against some attacks, but cookies shouldn't be made secure when we don't have HTTPS configured. As it is now, it's left at the user's discretion, but probably it's a good idea to force secure cookies when they can be used.
In the current implementation, cookies are issued to users before they actually try to log in, on the first page load. So if that happens over HTTPS, it's probably safe to assume secure cookies can be used, and to default to normal "insecure" cookies if HTTPS isn't available.
It's not easy to sneak into Beaker's internals, and it doesn't support selective secureness, so we use our own wrapper around Beaker's SessionMiddleware class to give secure cookies over HTTPS connections. Beaker's built-in mechanism for secure cookies is forced to add the flag when needed only.
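An added example of the selective-secureness idea, written as a generic WSGI wrapper rather than against Beaker's internals (this is not Kallithea's wrapper): every Set-Cookie header the wrapped app emits gets the Secure attribute when, and only when, the request itself arrived over HTTPS. The demo app, the cookie name and the `trust_proxy_header` switch are constructed for the example. The switch matters: `wsgi.url_scheme` is set by whatever terminated TLS, whereas `X-Forwarded-Proto` is client-controllable unless a reverse proxy you run overwrites it, the same pitfall as the proxy-reported protocol mentioned for Issue #132 below.

```python
def request_is_https(environ, trust_proxy_header=False):
    """True when the request reached us over TLS.

    wsgi.url_scheme comes from the server that terminated TLS. X-Forwarded-Proto
    is only meaningful from a reverse proxy you control; a client can send that
    header itself, so it is ignored unless explicitly trusted.
    """
    if environ.get("wsgi.url_scheme") == "https":
        return True
    if trust_proxy_header:
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip().lower()
        return proto == "https"
    return False


def add_secure_flag(cookie_header_value):
    """Append '; Secure' to a Set-Cookie value unless it already carries it."""
    attributes = [a.strip().lower() for a in cookie_header_value.split(";")]
    if "secure" in attributes[1:]:
        return cookie_header_value
    return cookie_header_value + "; Secure"


class SecureCookieMiddleware:
    """Mark every cookie the wrapped app sets as Secure when, and only when,
    the current request arrived over HTTPS."""

    def __init__(self, app, trust_proxy_header=False):
        self.app = app
        self.trust_proxy_header = trust_proxy_header

    def __call__(self, environ, start_response):
        secure = request_is_https(environ, self.trust_proxy_header)

        def _start_response(status, headers, exc_info=None):
            if secure:
                headers = [
                    (name, add_secure_flag(value)) if name.lower() == "set-cookie" else (name, value)
                    for name, value in headers
                ]
            return start_response(status, headers, exc_info)

        return self.app(environ, _start_response)


def demo_app(environ, start_response):
    """Constructed stand-in for the application: issues a session cookie on every request."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "kallithea=abc123; Path=/; HttpOnly")])
    return [b"hello"]


def response_headers(app, environ):
    """Run a WSGI app once and return the headers it sent."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = headers

    b"".join(app(environ, start_response))
    return captured["headers"]


def cookie_header(app, scheme, forwarded_proto=None, trust_proxy_header=False):
    """Convenience: the Set-Cookie value the wrapped app produces for a request
    with the given scheme and optional X-Forwarded-Proto header."""
    environ = {"wsgi.url_scheme": scheme, "REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    wrapped = SecureCookieMiddleware(app, trust_proxy_header)
    return dict(response_headers(wrapped, environ))["Set-Cookie"]


if __name__ == "__main__":
    print("https:", cookie_header(demo_app, "https"))
    print("http: ", cookie_header(demo_app, "http"))
```

The same cookie value is left untouched when it already carries Secure, so the wrapper can sit in front of a session library that sometimes sets the flag itself.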
comments: fix permalink symbol appearance on hover
It broke when 293066605a43 made the permalink a no longer an immediate child of a div. Instead, accept an intermediate span ... and thus make the hover target bigger.
middleware: apply HttpsFixup to Hg/Git operations too (Issue #132)
Fix regression from 6a0964373a30. 'Require SSL for vcs operations' might make the protocol operations depend on the protocol type reported by a proxy even though they don't generate URLs.
auth: return early in LoginRequired on API key validation
Simplify the logic in the LoginRequired decorator when Kallithea is accessed using an API key. Either:
- the key is valid and API access is allowed for the accessed method (continue), or
- the key is invalid (redirect to login page), or
- the accessed method does not allow API access (403 Forbidden)
In none of these cases does it make sense to continue checking for user authentication, so return early.
Simplify the code of the LoginRequired decorator by returning early when an unacceptable condition is met.
Note: the 'return' of redirect_to_login() is not strictly needed since we should not return from that function (redirection occurs). Adding it, however, is a security measure in case redirect_to_login does not do what it should do.
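The three API-key outcomes listed above, and the early returns for each, as an added example decorator (not Kallithea's LoginRequired). The key table, the request dictionary shape, the `Response` class and `redirect_to_login` are constructed for the example. The explicit `return redirect_to_login(...)` is kept for the reason the commit message gives: if the redirect helper ever fails to stop the request, the decorator still does not fall through to the view.

```python
import hmac
from functools import wraps

# Constructed data: API keys and the user each one belongs to (ASCII only,
# which hmac.compare_digest requires for str arguments).
API_KEYS = {"0123456789abcdef": "alice"}


class Response:
    def __init__(self, status, location=None, body=None):
        self.status, self.location, self.body = status, location, body


def redirect_to_login(request):
    return Response(302, location="/_admin/login?came_from=" + request["path"])


def lookup_api_key(presented):
    """Return the user owning the presented key, or None.

    Every stored key is compared with a constant-time comparison so that the
    response time does not depend on how many leading bytes matched.
    """
    found = None
    for key, user in API_KEYS.items():
        if hmac.compare_digest(key, presented):
            found = user
    return found


def login_required(api_access=False):
    def decorator(view):
        @wraps(view)
        def wrapper(request):
            api_key = request.get("api_key")
            if api_key is not None:
                user = lookup_api_key(api_key)
                if user is None:
                    return redirect_to_login(request)      # invalid key
                if not api_access:
                    return Response(403, body="API access not allowed for this method")
                return view(request, user)                 # valid key, access allowed
            # No API key presented: fall through to the ordinary session check.
            user = request.get("session_user")
            if user is None:
                return redirect_to_login(request)
            return view(request, user)
        return wrapper
    return decorator


@login_required(api_access=True)
def api_view(request, user):
    return Response(200, body="hello %s" % user)


@login_required()
def web_only_view(request, user):
    return Response(200, body="hello %s" % user)


if __name__ == "__main__":
    for req in ({"path": "/api", "api_key": "0123456789abcdef"},
                {"path": "/api", "api_key": "not-a-key"},
                {"path": "/web", "session_user": "bob"}):
        print(req, "->", api_view(req).status)
```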
notifications: use stupid mail static-except-[] subjects to please gmail and its broken threading
This gives reasonable threading, both with gmail and proper mail clients, at the cost of making the email subjects slightly obscure.
Gmail is clueless - also about mail threading, ignoring our References headers and the wisdom of jwz. Gmail will start a new thread for each subject. The only way to make all mails related to the same PR belong to the same thread is thus to let all mails for a PR have the same subject. Gmail will however ignore content in square brackets at the beginning of the subject so we can put the interesting parts there.
* display the ellipsis just once and centered instead of showing it twice in both - and + columns
* expand column width as needed to accommodate longer numbers (previously, the column width was fixed)
* enable box-sizing: border-box for the number links to make it easier to set paddings
rst: in @mention parser, escape spaces so they don't go to HTML
This eliminates extra spaces around @mentions. Every time mention was followed by a comma, for example:
@username, have you seen it?
it turned into:
@username , have you seen it?
So an extra space was inserted. It was inserted because otherwise rst parser might not recognise the markup (i.e. @user1,@user2 is replaced by **user1**,**user2** — that would be interpreted as <b>user1**,**user2</b>).
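The two substitution strategies side by side, as an added example rather than Kallithea's rst helper: padding the bold markup with real spaces (which leak into the HTML) versus using reStructuredText's escaped whitespace, `\ `, which separates inline markup from adjacent text and is removed from the output document. The mention regex and the `@name` syntax are assumptions for the example.

```python
import re

# Assumed mention syntax: '@' plus a user name, not preceded by a word character
# (so the local part of an e-mail address such as me@example.org is not a mention).
MENTION_RE = re.compile(r'(?<!\w)@(\w[\w.-]*)')


def mentions_to_rst_padded(text):
    """The old approach: surround the bold markup with real spaces so the RST
    parser recognises it even in '@a,@b'. Those spaces end up in the HTML."""
    return MENTION_RE.sub(r' **\1** ', text)


def mentions_to_rst_escaped(text):
    """The fixed approach: an escaped space ('\\ ') delimits the inline markup
    from neighbouring text and is dropped by the RST parser."""
    return MENTION_RE.sub(r'\\ **\1**\\ ', text)


def strip_escaped_whitespace(rst):
    """What survives of the escaped form as document text: RST removes escaped
    whitespace from the output, so this shows the characters the reader sees
    between the bold mentions (the markup itself is left in place here)."""
    return rst.replace('\\ ', '')


if __name__ == "__main__":
    sample = "@username, have you seen it?"
    print(repr(mentions_to_rst_padded(sample)))
    print(repr(mentions_to_rst_escaped(sample)))
    print(repr(strip_escaped_whitespace(mentions_to_rst_escaped("@user1,@user2"))))
```

To check the rendered result rather than the intermediate string, feed the escaped form to docutils (`docutils.core.publish_parts(text, writer_name="html")["fragment"]`) and confirm that `@user1,@user2` comes out as two adjacent bold names with no whitespace around the comma.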
Currently, a pull request id is referenced as #5, and the '#' symbol is fixed and repeated in several places. This commit adds a class method make_nice_id, that returns a string reference to a pull request, currently in the form '#5'.
This function could be overridden by an organization if they need references in another form, for example PR-5.
The method nice_id uses this for the pullrequest's own id.
diff view: do not hide overflow on very long lines that cannot be wrapped
When a change contains very long lines that cannot be wrapped because they contain very long 'words' without spaces, the overflow is currently not visible at all. The occurrence of such very long non-wrappable words is pretty uncommon, but can for example happen in comma-separated value files.
Not touching the existing behavior of trying to wrap long lines, this patch adds horizontal scrollbars for these exceptional cases of unavoidable overflow. On normal lines and long lines that can be wrapped, the diff block remains the same as before.