tests: cleanup of unicode in test_create_non_ascii repository test
Repository names are generally conceptually unicode. Prepare for future changes by explicitly encoding repo_name as utf8 before appending a utf8 string.
Drop test_create_non_ascii - test_delete_non_ascii contains exactly the same test.
middleware: decode the repo_name received from http header to unicode
The middlewares seemed to make the incorrect assumption that the headers contained unicode. Or to put it differently: They relied on the Python default encoding to be able to convert to unicode instead of using safe_unicode. It would thus fail if running with LANG=C.
Instead, utilize that the header actually contains str_repo_name and explicitly decode that to unicode.
db: fix unknown exception type in commit error handling
efce61aac33d was a blind fix. It failed because `from sqlalchemy import *` doesn't import exc and the new except clause would thus fail. It also failed because the session has to be rolled back after a commit failure.
Now, rework it to fix these issues.
Note that we are able to detect whether the commit failed for valid reasons ... but we can't use that information to much ...
auth: fail pam and internal authentication attempts if no username is provided (Issue #180)
When the Mercurial client communicates with a server over HTTP, it will always first try to perform operations unauthenticated before providing credentials. Authentication attempts without credentials is usually pointless and will just slow operations down.
Some authentication plugins (such as LDAP) already skipped these unauthenticated requests. Now, do the same for other authentication plugions.
Other authentication plugins also skip if no password is provided ... but that doesn't seem necessary.
diff: get collapse target via .attr instead of .prop
Commit 3f017db297c4 was not fully tested and broke collapse/expand of diffs on changesets. $button is not a link with a target and the target can thus not be retrieved with .prop('target'); $button is just a span that happens to have a custom attribute with the name 'target'.
We thus revert back to the old way of retrieving it with .attr('target'). (It would perhaps be even better to use data attributes and name it data-target and use .data('target') ...)
files: fix Selection Link for multi-line selections
It broke in dacdea9fda2a when wrong casing in the translation lookup caused an undefined value which didn't show up in the UI and thus made the link unusable.
files: treat messages about 'File too big' as sentences and add a dot.
Make it more easy to read: File is too big to display Show full annotation anyway by treating them as two sentences: File is too big to display. Show full annotation anyway.
Similar messages about 'Changeset too big to display' in the changeset and pullrequest code are wrapped in an <h4> tag. Follow the same style when showing files or annotations.
files: support annotation on files larger than cut_off_limit
When requesting the annotation for a file larger than the cut_off_limit configured in the ini file, the only current option is to click the useless 'show as raw' (which is not an annotation).
Replace it with a link 'Show full annotation anyway' instead.
Commit b0774d79c7c95ec14ec6d23389d85ed544dd4b50 broke the 'Compare branches' button on the repository branches page, when attempting to replace a Yahoo UI click handler with jQuery.
Commit b0774d79c7c95ec14ec6d23389d85ed544dd4b50 broke the 'Compare bookmarks' button on the repository bookmarks page, when attempting to replace a Yahoo UI click handler with jQuery.
auth: note that we never emit authuser "cookies" for the default user
The only place where we set "authuser" in the session is in log_in_user, which is called only by the internal auth system and by auth plugins. The internal auth system cannot log a user in as the default user, because the default user doesn't have a password (and cannot have a password assigned). Auth plugins cannot log a user in as the default user, because the user doesn't have the right extern_type. As such, it's a bug if log_in_user is ever called with the default user (which this commit documents with an assert).
This realization makes the is_authenticated field of the authuser cookie redundant, as it's always True. It also emphasizes that is_default_user and is_authenticated are mutually exclusive.
auth: avoid setting AuthUser.is_authenticated for unauthenticated users
AuthUser.is_authenticated could be True for three reasons: because the user "was" the default user, because the user was authenticated by session cookie, or because the user was just authenticated by an auth module (including the internal auth module). In the last case, a session cookie is emitted (even when using container auth), so the last two cases are closely related.
This commit do that unauthenticated users (the first case) only get the is_default_user attribute set, and that the is_authenticated attribute only is set for authenticated users (for the second and third case).
This complicates some expressions, but allows others to be simplified. More importantly, it makes the code more explicit, and makes the "is_authenticated" name mean what it says.
(This will temporarily make the is_authenticated session value look even more weird than before.)
This makes makes a number of checks more readable.
The username of the default user is presently hardcoded to "default" (in db.User.DEFAULT_USER); this is currently what defines the default user, and this commit doesn't change that. (Even if the check that defines is_default_user is a comparison between user IDs and not usernames, the anonymous_user object used in the comparison is loaded by looking up the user named "default".)
All redirect does is to log "Generating 302 redirect" with logging the actual location and raise a WebOb HTTPFound exception, and the logging is redundant, as WebOb exceptions and their status codes are already logged.
Instead, just raise the exception directly, which is both explicit and simpler (and finally, gets rid of "return redirect" which never really returns).
All abort does is to look up the matching WebOb exception and raising that; so just raise it directly. WebOb exception names are also more readable than HTTP error codes. (And finally, don't "return abort", since abort never returns.)
notifications: mark notifications to self "pre-read"
When a user e.g. comments on its own pull request, that user receives a notification about its own comment. This is slightly dubious behavior, but at least brings a level of continuity to the notification history.
However, at the very least, the notification should not show as unread.
cache: when invalidating a cache, always just delete all 'live cache' records instead of marking them inactive
Keep it simple. Adding the record again might be slightly more expensive than just updating the active flag but instead we get get a simpler model and automatic cleanup without using the cache-keys paster command.
forms: don't use secure forms with authentication token for GET requests
The token is secret and should never be used in forms posted with GET which are URL encoded. aef21d16a262 was too aggresive in using secure forms everywhere and did thus also incorrectly use them for forms posted with GET.
Some token leakage was reported by Gjoko Krstic <gjoko@zeroscience.mk> of Zero Science Lab.