Quite a few aspects of this are very hackish (especially as related to
the templates and things that needed to be done to allow
topic_listing.jinja2 to be inherited from for this new one), but it's a
lot better than nothing.

Previously these methods for generating "base" and "normal" urls weren't
treating each route individually and just had a single list of query
vars that would be kept for all routes. This approach is a lot more
flexible and allows separating out only the variables relevant for a
particular route.

These limits were determined by looking at site activity so far, and
generally shouldn't have any impact on normal site usage.
This also adds a new request method - apply_rate_limit, which can be
used to check the rate limit and immediately raise an error if it's
exceeded, instead of needing to check and handle the result separately.

Previously this was also trying to catch ones at the beginning of new
paragraphs, but that seems to mostly just be causing unexpected issues
when people create ordered lists with a blank line between items. This
can probably be done properly in the future, but just restricting it to
the start of posts is probably better for now.

Allows (manually) granting permissions to allow users to re-tag topics,
move them between groups, and edit their titles.
This should probably be generalized in the near future, but this will do
the trick for now.

Previously there was a specific is_admin boolean column. This commit
changes to have a general permissions column which is stored in JSON,
and currently should either be a single string or list of strings. These
strings are used as the user's principals for the authorization system.
So now, setting a user as admin would involve adding the string "admin"
to their permissions column, instead of just setting is_admin to True.
As part of this change, I also moved the MutableDict associations onto
specific columns, instead of being attached to JSONB by default (since
this new column won't always be a dict).
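
Added example, not part of the commit or the project's own code: one way to turn a permissions value that is "either a single string or list of strings" into principals, checking for a string before iterating. The function names, the treatment of NULL as "no permissions", and the sample permission names are assumptions.

```python
import json
from typing import Any, List, Optional


def principals_from_permissions(value: Any) -> List[str]:
    """Normalize a decoded permissions value into a list of principals."""
    if value is None:
        # Assumption: NULL means the user has no extra permissions.
        return []
    if isinstance(value, str):
        # Check str before iterating: list("admin") would give
        # ["a", "d", "m", "i", "n"] and the admin principal would vanish.
        items = [value]
    elif isinstance(value, list):
        items = value
    else:
        # A dict such as {"admin": false} must not be read as its keys.
        raise ValueError(f"unsupported permissions type: {type(value).__name__}")

    principals: List[str] = []
    for item in items:
        if not isinstance(item, str) or not item:
            raise ValueError(f"invalid permission entry: {item!r}")
        if item not in principals:  # drop duplicates, keep order
            principals.append(item)
    return principals


def is_admin(column_json: Optional[str]) -> bool:
    """Replacement for the old is_admin boolean: look for the "admin" string."""
    value = json.loads(column_json) if column_json is not None else None
    return "admin" in principals_from_permissions(value)


# Constructed sample column values (raw JSON text); "topic.tag" and
# "topic.move" are made-up permission names, not the project's.
SAMPLE_ROWS = {
    "alice": '"admin"',
    "bob": '["topic.tag", "topic.move"]',
    "carol": None,
    "dave": '["admin", "topic.tag", "admin"]',
}

if __name__ == "__main__":
    for name, column in SAMPLE_ROWS.items():
        value = json.loads(column) if column is not None else None
        print(name, principals_from_permissions(value), is_admin(column))
```
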
Nothing too significant in here, just a few adjustments and other
follow-ups that I wanted to do:
* Make backup code usage a bit more lenient - allow uppercase, and
doesn't need exact spacing as originally displayed.
* Display the backup codes a little more nicely.
* Change the message on the settings page based on whether 2FA is
enabled or not.
* Use webargs instead of request.params.get

Black won't re-wrap comments because it has no way to determine when
that's a "safe" thing to do (that might break deliberate line-breaks).
So this is a quick pass through to re-wrap most multi-line comments and
docstrings to the new max line-length of 88.

This commit contains only changes that were made automatically by Black
(except for some minor fixes to string un-wrapping and two
format-disabling blocks in the user and group schemas). Some manual
cleanup/adjustments will probably need to be made in a follow-up commit,
but this one contains the result of running Black on the codebase
without significant further manual tweaking.

Boussole (which watches the SCSS files for changes and compiles them)
has just been running in the same venv as the main app until now, but
it's holding back the version of the click package. There's no real
reason that it needs to be in the app venv, so this moves it to its own
one, which also eliminates quite a few other packages that were only
being installed because of Boussole.

An example was recently added to the github cmark repo to show how to
set up the extensions from Python, so this is heavily based on that
code:
https://github.com/github/cmark/blob/master/wrappers/wrapper_ext.py
This should also fix a memory leak, since I wasn't manually freeing the
returned buffer (as the library recommends that you do).

Because of the way the topic_visits update works (only updating visits
that were before the comment was posted), this will only behave
correctly when the previous notifications are processed in the order
their comments were posted.
This process needs to be replaced soon anyway, but this should make it
work correctly for now.

Just a couple more tests for comment permissions that are more essential
to be working correctly - replying in locked threads, and viewing
removed comments. Also changes the "deleted comments lose all
permissions" test slightly to actually check all permissions instead of
a hard-coded (and obsolete) set of them.

The previous approach to writing ACLs made them difficult to follow,
which resulted in making it easy to make mistakes (like allowing users
to reply to themselves in locked threads). This approach should work
much better.

Unfortunately some of the triggers aren't currently testable due to
the fact that postgresql's NOW() and similar functions will always
return the same value during the entire test transaction, but this at
least tests a couple more of the behaviors.