Brion Vibber [Tue, 28 Dec 2010 19:34:02 +0000 (11:34 -0800)]
Prevent group creation by silenced users.
* adds Right::CREATEGROUP
* logic in Profile::hasRight() checks for silencing
* NewgroupAction checks for the permission before letting you see or process the form in the UI
* User_group::register() logic does a low-level check on the specified initial group admin, and rejects creation if that user doesn't have the right; guaranteeing that API methods etc will also have this restriction applied sensibly.
Brion Vibber [Wed, 22 Dec 2010 23:20:07 +0000 (15:20 -0800)]
Break xbImportNode.js and geometa.js back out of util.js; the Makefile in js has been updated to combine them with util.js source when building util.min.js
Revert "combine our standard scripts into one big script"
Brion Vibber [Wed, 22 Dec 2010 22:55:13 +0000 (14:55 -0800)]
When queueing is off, restore runs immediately. Indicate that we've already finished processing on the success page in this case; otherwise continue to show the 'will take a few minutes' message.
Brion Vibber [Wed, 22 Dec 2010 21:56:19 +0000 (13:56 -0800)]
Don't trust text/xml mime types; generic content detection gives useless stuff like that on SVG images! Todo: replace the extension check in this case with better content-based checks.
Brion Vibber [Wed, 22 Dec 2010 19:13:57 +0000 (11:13 -0800)]
Error handling cleanup on backup/restore:
* avoid PHP notice from using wrong variable
* show a visible error instead of blank screen if no file submitted with restore form
* avoid PHP strict warning from using calling "non-static" DOMDocument::loadXML statically
* suppress PHP warning from XML parse errors
Brion Vibber [Sat, 18 Dec 2010 00:22:26 +0000 (16:22 -0800)]
Sort indexing fix for profile sidebar: add group_member_profile_id_created_idx to group_member table, streamlines sorting of your group memberships in the sidebar
Brion Vibber [Fri, 17 Dec 2010 21:03:18 +0000 (13:03 -0800)]
Notice::whereSinceId() and Notice::whereMaxId() encapsulate logic for building where clauses for since_id/max_id parameters. Can override the field names from 'id' and 'created'.
Brion Vibber [Fri, 17 Dec 2010 20:09:02 +0000 (12:09 -0800)]
Notice::getAsTimestamp() static function to look up the timestamp for a given notice, even if it's been deleted. To be used for converting since_id/max_id processing to use timestamp sorting internally.
Brion Vibber [Fri, 17 Dec 2010 01:02:02 +0000 (17:02 -0800)]
Tickets #2112, 2333, 1677, 2362, 2831: fix AJAX form posting on SSL page views with ssl=sometimes
These have been failing for ages due to our outputting full URLs all the time, usually with the default protocol instead of the current one.
Forms would get output with an http: URL in their contents even when destined for an HTTPS page; while a regular form submission would just warn you about the secure->insecure transition, the AJAX code was failing outright and then not bothering to fall back to the regular submission.
I found it was easy to detect the mismatch -- just check the target URL and the current page's protocol before submitting.
Since failing over to non-AJAX submission to the HTTP URL throws up a warning, I figured it'd be easier (and much nicer for users) to just let it rewrite the target URL to use the secure protocol & hostname before doing the final submit.
This check is now automatically done for anything that calls SN.U.FormXHR() -- making most of our buttons on notices and profile/group headers work naturally.
The notice form setup code also runs the rewrite, which gets posting working without an error dialog.
I'd prefer in the long run to simply use relative URLs in most of our output; it avoids this problem completely and lets users simply stay in the current protocol mode instead of being constantly switched back to HTTP when clicking around.
(Note that folks using the SSLAlways extension to Firefox, for instance, will have their browsers constantly sending them back to HTTP pages, mimicking the desired user experience even though we haven't fully implemented it. These folks are likely going to be a lot happier with forms that submit correctly to go along with it!)
Brion Vibber [Fri, 17 Dec 2010 00:18:49 +0000 (16:18 -0800)]
Fix for ticket #2910: fix inconsistencies in notice posting response display that broke help command, could be generally wonky
Previous code was importing nodes from the XHR result into current document, then pulling text content of what might be the right element, then concat'ing that straight into HTML. Eww! Now pulling the text content straight from the XHR result -- same element that we check for existence of -- and using jQuery's own text() to do the getting and setting of text. Also note that some browsers might have been pulling HTML instead of text, or other funkiness.
Brion Vibber [Wed, 15 Dec 2010 22:57:09 +0000 (14:57 -0800)]
Fix for ticket #2942: character counter now updates on cut and paste operations made with mouse or menu
This uses the 'copy' and 'paste' DOM events to trigger a counter update. I haven't had a chance to 100% confirm that middle-button click on X11 triggers the event, but it ought to.
Cut and paste events from context menu and main edit menu known good in:
* Firefox 4.08b-pre
* IE 9 preview 7
* IE 8 current
* Chrome 8 beta current
* Safari 5.0.3
Opera is listed as not supporting these events, oh well.
Note that using a *delete* command from a menu doesn't trigger an event. Sigh, you can't win everything.
Evan Prodromou [Wed, 15 Dec 2010 22:53:38 +0000 (17:53 -0500)]
Move account restoration code to a shared library
Moved most of the heavy-lifting for account restoration out of
restoreuser.php and into its own class, with the hope that we'll do
the work from the Web eventually.
Brion Vibber [Wed, 15 Dec 2010 20:14:25 +0000 (12:14 -0800)]
Cleaner code to avoid a couple PHP notices from accessing uninitialized variables in ostatus profile discovery (these cases hit checking diaspora accounts)
Brion Vibber [Wed, 15 Dec 2010 00:14:15 +0000 (16:14 -0800)]
Mark OembedAction, XrdAction, and (plugin) AutocompleteAction as read-only. Tweaked ApiStatusesShow and ApiTimelineUser to still claim read-only when hit with a HEAD request (usually link checkers or a precursor to a GET, and should be semantically equivalent to a GET without actually transferring data)
Evan Prodromou [Tue, 14 Dec 2010 17:38:43 +0000 (12:38 -0500)]
An action to delete your own account
The new DeleteaccountAction lets a user delete their own account
(subject to global rights set by the admin). It presents a form to
delete the account, with an "I am sure." text entry box.
It then schedules the account for deletion and logs the user out.
Brion Vibber [Mon, 13 Dec 2010 20:12:22 +0000 (12:12 -0800)]
TwitterBridge: partial merge of id_str usage from 0.9.x for improved 32-bit and pre-5.2.10 compatibility. (on 64-bit in 5.2.6 we can pull the integer IDs, but silently lose some precision on the end.)
Fixes for Twitter bridge breakage on 32-bit servers. New "Snowflake" 64-bit IDs have become too big to fit in the integer portion of double-precision floats, so to reliably use these IDs we need to pull the new string form now.
Machines with 64-bit PHP installation should have had no problems (except on Windows, where integers are still 32 bits)
Conflicts:
plugins/TwitterBridge/twitterimport.php <- as this hasn't been broken out, the import code is NOT FULLY UPDATED HERE.