
  1. 30 Jun, 2021 7 commits
    • ui: Initial AuditLog support for tool lists · dafa7587
      BryanDavis authored
      Change-Id: Ide1bcecbef5ee9ebaef923f9c0ea74519db36e46
    • api: Add ToolList storage and read-only API · 9032852a
      BryanDavis authored
      Add the basic storage system for lists of tools. Each list has a title,
      description, and icon in addition to an ordered set of tools. Lists can
      be marked as "favorites" meaning that the list is a private collection
      of tools only ever visible to the creating user. Alternately, a list can
      be marked as "published" meaning that the author is ready to share it
      with other users. Finally, a "published" list can be marked as
      "featured" which will be used in the future by users with a specific
      user right to highlight lists that are of high quality.
      
      API endpoints:
      * GET /api/lists/ - Paginated retrieval of list metadata. Returns count
        of tools in list along with all list metadata and summary information
        for included tools. Query parameters can be used to limit the results to
        "featured" lists. Only "published" lists will be returned unless the
        calling user is also the author of the list.
      * GET /api/lists/{id}/ - Full contents of a particular list. All list
        metadata plus an array of the full Tool details.
      
      Bug: T271484
      Bug: T271488
      Change-Id: Ia44d1eb5bacc2ea4a21efaad47f7c6049e061560
    • toolinfo: remove verbose logging from diff generation · 6528e56d
      BryanDavis authored
      Remove two lines of `warning` logging added to aid in debugging during
      the implementation of suppression restrictions for diff generation
      (b6cdc31d).
      
      Change-Id: Ib80cb8145131ba5e026be1e10b403d495cd0e8b2
    • toolinfo: Add __str__ implementation to Tool model · fc2ce591
      BryanDavis authored
      Change-Id: Icfdd592b6493a0e88162a87caafaa22a5df8d6f1
    • auditlog: expose suppressed and patrolled state of revisions · 907a91f0
      BryanDavis authored
      Add params for the suppressed and patrolled state of the backing
      revision when an auditlog's params contain a revision id. This addition
      is done at output time rather than query time, so we are not currently
      able to offer an API filter to only show unpatrolled revisions through
      the GET /api/auditlogs/ endpoint.
      
      Bug: T283118
      Change-Id: I2cfa7f5f406d8a17676a71e543360f81602e40dc
    • ui: Revamp AuditLog rendering · e307d40c
      BryanDavis authored
      Refactor and extend the method used to render AuditLog events to support
      more complex output and the new "params" extra data. The new LogEvent
      component is our first render function based component. This approach
      lets us encode the business logic for placing each templated element in
      native js logic rather than a sea of `v-if` checks.
      
      New components:
      * LogEvent - the <dl> containing the entire event
      * EventIcon - an icon that indicates the type of event being shown
      * EventTimestamp - pretty printing for the event timestamp
      * UserLink - links to User pages and optionally Talk pages
      
      This commit also introduces our first usage of the @vue/test-utils
      helper library for unit testing of components. This allows us to
      virtually render components and then inspect the resulting VNode objects
      which is a pretty cool way to verify output for a component with a lot
      of conditional branching in its rendering.
      
      Bug: T283118
      Change-Id: I6310b8728167b58d408b0c10d06f9dfb3d9b93ed
    • api: Add optional "params" to auditlog entries · 91559d10
      BryanDavis authored
      Some logged actions are more complex than the original (actor, action,
      target) tuples that auditlog was created with. Actions such as changing
      a user's group based permissions add additional "nouns" that should be
      tracked as part of the historical record. MediaWiki deals with this by
      having an opaque blob of data attached to each log event which
      contains arbitrary action (type in MW parlance) specific content.
      Consumers of the log events can then decode this information and use it
      when rendering the event for human consumption.
      
      This commit adds a "params" JSONSchema field to the Toolhub LogEvent
      model. It is initially used to document:
      * the user whose rights are being changed by an ADD or REMOVE event
      * the revision created by a CREATE or UPDATE event referencing
        a toolinfo record
      * the tool owning a revision changed by a HIDE or REVEAL event
      
      The storage schema can be extended in the future to document additional
      details that may be necessary or convenient for rendering other types of
      events.
      
      Bug: T283118
      Change-Id: I842bea8161c6f5398446f4afdb0e33389c0fd721
  2. 28 Jun, 2021 1 commit
  3. 25 Jun, 2021 1 commit
    • UI for unpatrolled edits and marking an edit as patrolled · 8223ca6d
      srishakatux authored and BryanDavis committed
      Introduce a toggle label in the tool's history that:
      * Appears next to the hide/reveal button
      * Is visible to users with permissions to patrol "revision/version"
      * Allows marking a revision as patrolled
      * Icons to show both patrolled / unpatrolled edits
      
      Bug: T284616
      Change-Id: I951f4900e60e9c65f4e12801207e7fcbe91e3388
  4. 24 Jun, 2021 1 commit
  5. 23 Jun, 2021 1 commit
    • ui: Add build information and policy links · 6a463a20
      BryanDavis authored
      Add version + git hash build information and a collection of
      policy/documentation links to the nav drawer. Version is read from our
      package.json file and combined with the git hash of the build-time HEAD
      revision.
      
      .git/HEAD and .git/refs/heads/* files are copied into the build
      containers to support extracting the git hash while building with
      Blubber and PipelineLib.
      
      Privacy policy and Terms of use links are currently pointed at Wikimedia
      Foundation global default policies.
      
      Bug: T280069
      Change-Id: I07be3018c7ee75225d01cacf61dca1766e0e170d
  6. 21 Jun, 2021 1 commit
  7. 14 Jun, 2021 1 commit
  8. 11 Jun, 2021 1 commit
    • api: Add toolinfo revision patrolling endpoint · 96749e11
      BryanDavis authored
      Add a new PATCH /api/tools/{tool_name}/revisions/{id}/patrolled/ which
      can be used by Patrollers and Administrators to mark individual
      revisions as reviewed.
      
      A `patrolled` member is also added to ToolRevisionSerializer to expose
      the patrolled state of each revision.
      
      CASL consumers should check for the 'patrol' action against the
      'reversion/version' model to determine if a user has the correct
      permissions to mark a revision as patrolled.
      
      Bug: T284517
      Change-Id: Ib6a3bd36dac1ff26c093030115b10cc90e036654
  9. 10 Jun, 2021 1 commit
  10. 09 Jun, 2021 1 commit
    • UI to hide or reveal a revision · 23e3913b
      srishakatux authored and BryanDavis committed
      Introduce a toggle label in the tool's history that:
      * Appears next to the undo and revert buttons
      * Is visible to users with permissions to change "revision/version"
      * Allows hiding / revealing a revision
      
      Bug: T284358
      Change-Id: Ie8af8024742563cd96fb2b3e8e9235197583e41e
  11. 08 Jun, 2021 3 commits
    • test: switch LocaleView tests to APIClient · 0d85b47f
      BryanDavis authored
      While working on another changeset I discovered that using APIClient
      changes some test behaviors slightly. The main thing that seems to
      change is the language code returned for our language tests. I haven't
      walked all the code to figure out exactly why our LANGUAGE_CODE setting
      is not the default return value once APIClient is invoked. Rather
      than fall deeply into debugging that trivial change, let's change the
      locale tests to use APIClient and update the test expectations.
      
      Change-Id: Ie3a0cc31df0f477c059fbe79bf48575ea329b574
    • db: refactor revision support to remove monkeypatch · af5f14c7
      BryanDavis authored
      In b2ba6165 when we introduced using the django-reversion library we
      copied the monkeypatch hack method used by Striker to add new metadata
      to a reversion.models.Version model. While preparing to implement
      a second flag for patrol status I discovered that there is a better way
      to work with the upstream library. The `reversion.add_meta()` function
      allows attaching an arbitrary model to each Revision model. Using this
      pattern, we can support adding any arbitrary flags and metadata we are
      interested in to the Revision.
      
      * Drop monkeypatch hacks to reversion.models.Version
      * Remove database migration associated with our old monkeypatch
      * Add a new RevisionMetadata model to hold flags and metadata for a Revision
      * Add new toolhub.apps.versioned app to hold our RevisionMetadata model
      * Update existing logic to use Version.revision.meta.* for metadata
        checks and changes.
      
      Bug: T271370
      Bug: T275229
      Change-Id: I9fd1db2db281b57d98be38d4effadcae6390c6bf
    • ui: Upgrade rapidoc to v9.0.0 · a5254cc2
      BryanDavis authored and BryanDavis committed
      Bug: T279466
      Change-Id: I2b5a9d03f73ef2c3ffcf4fa7f968d87e41ef3da6
  12. 07 Jun, 2021 1 commit
  13. 04 Jun, 2021 2 commits
    • api: Add missing unit tests for hide/reveal · 67d2a3a0
      BryanDavis authored
      Follow up to d4c9fe5c. Add unit tests for our
      /api/tools/{tool_name}/revisions/{id}/hide/ and
      /api/tools/{tool_name}/revisions/{id}/reveal/ endpoints.
      
      Bug: T283086
      Change-Id: Ibca0910632acfe59cf72066602353ba144f17fd4
    • api: enforce suppression when creating diffs · b6cdc31d
      BryanDavis authored
      Add object level permissions checks when generating diffs between two
      toolinfo records to ensure that suppressed content is not leaked to
      unprivileged users. These checks are made against the start/end
      revisions for the diff. This means that there may be leaks of content
      differences if between the start and end revisions there is an
      additional un-reverted but suppressed revision.
      
      Bug: T283086
      Change-Id: I15d6e1ee5a831a7ffe45405bbaa21d9c5c1641b8
      b6cdc31d
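
The limitation described in the commit message above (permission checks made against the start and end revisions only), as an added Python example that is not Toolhub's code. The `Rev` class, the sample history and every function name are constructed for illustration, and revision ids are assumed to increase in edit order.

```python
from dataclasses import dataclass


@dataclass
class Rev:
    """Constructed stand-in for one toolinfo revision (not Toolhub's model)."""
    id: int
    fields: dict
    suppressed: bool = False


def diff_fields(start, end):
    """Map each field that differs between two revisions to (old, new)."""
    names = sorted(set(start.fields) | set(end.fields))
    return {n: (start.fields.get(n), end.fields.get(n))
            for n in names if start.fields.get(n) != end.fields.get(n)}


def endpoints_only_allowed(history, start_id, end_id, can_view_suppressed):
    """The check the commit message describes: test start and end only."""
    by_id = {r.id: r for r in history}
    if can_view_suppressed:
        return True
    return not (by_id[start_id].suppressed or by_id[end_id].suppressed)


def leaked_fields(history, start_id, end_id):
    """Fields whose value in `end` was introduced by a suppressed revision
    after `start` and never reverted (assumes ids increase in edit order)."""
    by_id = {r.id: r for r in history}
    start, end = by_id[start_id], by_id[end_id]
    span = sorted((r for r in history if start_id < r.id <= end_id),
                  key=lambda r: r.id)
    leaked = []
    for name, (_, new) in diff_fields(start, end).items():
        origin = end
        for rev in reversed(span):  # walk back to where the value first appeared
            if rev.fields.get(name) != new:
                break
            origin = rev
        if origin.suppressed:
            leaked.append(name)
    return leaked


def diff_allowed(history, start_id, end_id, can_view_suppressed):
    """Hypothetical stricter check: endpoints plus intermediate revisions."""
    if can_view_suppressed:
        return True
    return (endpoints_only_allowed(history, start_id, end_id, False)
            and not leaked_fields(history, start_id, end_id))


# Constructed sample history: revision 2 is suppressed, revision 4 reverts it.
NOTE = "constructed private note"
HISTORY = [
    Rev(1, {"title": "demo"}),
    Rev(2, {"title": "demo", "description": NOTE}, suppressed=True),
    Rev(3, {"title": "demo tool", "description": NOTE}),
    Rev(4, {"title": "demo tool"}),
]
```

With this history the endpoint-only check permits a diff of revisions 1 and 3 even though the `description` value it would show originated in suppressed revision 2; a diff of 1 and 4 is clean because revision 4 reverted that field.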
  14. 03 Jun, 2021 7 commits
    • ui: Handle suppressed edits in toolinfo history · 61d9ec02
      BryanDavis authored
      A suppressed edit is a historical revision of a toolinfo record which
      has been hidden from normal users by an Administrator or Oversighter.
      The date, user information, and edit summary for a suppressed edit are
      rendered as though wrapped in `<s></s>` strikethrough elements. The
      drilldown link to the revision content is only shown to users with
      elevated rights.
      
      Bug: T283086
      Change-Id: I6e0955d0e738d52078b606f2ac21eee13ed6e473
    • api: Add endpoints for suppressing a toolinfo edit · d4c9fe5c
      BryanDavis authored
      Add API endpoints which allow members of the Administrators and
      Oversighters groups to toggle the visibility of a historical revision of
      a toolinfo record. When a revision is hidden normal users will be able
      to see that an edit was made, but unable to see the details of who made
      the edit, what they changed, and the edit summary. This type of behavior
      is called "revision deletion" in MediaWiki.
      
      * PATCH /api/tools/{tool_name}/revisions/{id}/hide/
      * PATCH /api/tools/{tool_name}/revisions/{id}/reveal/
      
      Bug: T283086
      Change-Id: Ie7a417776acafd37f8d1fef3e6ea578eeb115704
    • Guard /developer-settings against anon users · 391a5e1b
      srishakatux authored and BryanDavis committed
      Idea is to:
      * Keep the `register` button disabled for anon users
      * Not try to fetch authorized apps for anon users
      * Show a message on authorized apps tab to anon users informing that they need to log in to view apps
      
      Bug: T282629
      Change-Id: I55840207a760775edbab970ece1209384ff68a4b
    • auditlog: guard against corrupt database data · e87d0b05
      BryanDavis authored
      Catch IndexError when transforming an auditlog event's 'action' to
      a display string and fall back to the raw database value. This should
      really only ever happen in a development environment where some data has
      been put into the database via an unmerged patch and later that patch
      has been popped off to work on or review another patch.
      
      Change-Id: I462b8045987eac447e7a79bbbb42911b35562deb
    • backend: add missing db migration · 9616e43b
      BryanDavis authored
      Add a database schema migration that was missed when updating toolinfo
      models in the past. This is really a no-op for the database we use, but
      Django likes to keep track of all changes to model fields with
      migrations.
      
      Change-Id: I784455d373f3e8a1a9521588b810cc7fddf84c84
    • ui: Members list page with features to add or remove members from groups · 667379ee
      Srishakatux authored and BryanDavis committed
      Allow users to browse the list of connected user accounts and filter that
      list by name and/or group associations. Users with Oversighter or Admin
      rights can also add/remove other users from groups.
      
      Bug: T282288
      Co-authored-by: Bryan Davis <bd808@wikimedia.org>
      Change-Id: I385d8feb2b86e8451914bedbf360641d410db4fa
    • Localisation updates from https://translatewiki.net. · 4b5ed302
      Translation updater bot authored
      Change-Id: I6d4c9b8bcaa1f405fd59237b43d536ab79303d01
  15. 01 Jun, 2021 3 commits
    • build: Updating npm dependencies · d98fd5e6
      libraryupgrader authored
      * hosted-git-info: 2.8.8 → 2.8.9
        * https://npmjs.com/advisories/1677 (CVE-2021-23362)
      * dns-packet: 1.3.1 → 1.3.4
        * https://npmjs.com/advisories/1745 (CVE-2021-23386)
      
      Change-Id: I894ea42233a9aeef65776f826c06c5d9fb0c18ed
    • UI for audit logs filtering · e4c4b7d5
      Srishakatux authored
      Users will be able to filter through the logs by choosing a target type
      from a list, date range and providing a username. There is also an
      option to clear the filters.
      
      Bug: T280854
      Bug: T280855
      Co-authored-by: Bryan Davis <bd808@wikimedia.org>
      Change-Id: Ibf937bfda6e6c2903a19c05f3591f244daefd17c
    • vue: Treat timestamps as UTC when rendering · a459a74f
      BryanDavis authored
      Toolhub stores and returns all timestamps in UTC time. Previously we
      were rendering timestamps in the UI in the user's local timezone. This
      is neat stuff, but gets into weird edge cases that are difficult to
      manage when adding features that involve backend dates. The problem
      there becomes figuring out how to translate from user local time into
      UTC and back in all the right places. To simplify this for now (we can
      always change our minds later!) we can render timestamps in the UI in
      their native UTC form. With input and output in UTC we don't have to
      reason about timezone conversions at all.
      
      Change-Id: I6d1c755d7787885bc8d1e056a98058947745d75b
  16. 27 May, 2021 2 commits
  17. 24 May, 2021 1 commit
  18. 18 May, 2021 5 commits
    • authz: pass authz data to frontend and use in vue · b5cad9f4
      BryanDavis authored
      Use the CASL library (<https://casl.js.org/v5/en/>) to provide a rules
      based authorization system in our vue frontend application. The rules
      are created on the backend via a transformation of the same permissions
      which are used to guard our API endpoints. These rules are delivered to
      the frontend as part of the payload of the /api/user/ endpoint which is
      used to inform the frontend of the identity and state of the current
      user.
      
      CASL was selected for this because it works in a very similar way to the
      django-rules backend library that we chose to implement object level
      permissions (T278025).
      
      On the frontend, permission checks are done using a vue plugin which
      exposes the CASL `can` function. Checks can be done for rights related
      to a class of business objects:
      
        $can( 'add', 'toolinfo/tool' )
      
      or for a specific object:
      
        $can( 'delete', url )
      
      Bug: T282186
      Change-Id: Iaad5bbdf267a590db6b3fceb917c36e28ad8382d
    • build: Updating hosted-git-info to 3.0.8 · 1f0f8a57
      libraryupgrader authored
      * https://npmjs.com/advisories/1677 (CVE-2021-23362)
      
      Change-Id: I9808a0901b3e68b0cb243a97d13f0a7231dc6fb2
    • lint: Remove unneeded es/no-object-assign disable · aac3dee5
      BryanDavis authored
      Welcome to the wonderful world of es6/es2015 where we can actually use language
      features from only 6 years ago and the linter is ok with that!
      
      Bug: T279471
      Change-Id: Iad7ec7875807e195b335a1e5e9a45bdce87fb185
    • lint: Convert package.json and package-lock.json to tabs · 9475f02a
      BryanDavis authored
      Follow the eslint-config-wikimedia 0.20.0 rules for json files by
      converting package.json and package-lock.json to use tab indents.
      
      Bug: T279471
      Change-Id: Ie98a74fc6a9c8506300dcc57751352102731271e
    • lint: upgrade to eslint-config-wikimedia 0.20.0 · cdddcf03
      BryanDavis authored
      Bug: T279471
      Change-Id: I31de0b1487846c865932fa53a4f41564281ad92f