1. 03 Sep, 2014 3 commits
    • Standardize on the stricter Encode::encode("UTF-8", ...) everywhere · 1d18663b
      Alex Vandiver authored
      This is not only for code consistency, but also for consistency of
      output.  Encode::encode_utf8(...) is equivalent to
      Encode::encode("utf8",...) which is the non-"strict" form of UTF-8.
      Strict UTF-8 encoding differs in that (from `perldoc Encode`):
      
          ...its range is much narrower (0 ..  0x10_FFFF to cover only 21 bits
          instead of 32 or 64 bits) and some sequences are not allowed, like
          those used in surrogate pairs, the 31 non-character code points
          0xFDD0 .. 0xFDEF, the last two code points in any plane (0xXX_FFFE
          and 0xXX_FFFF), all non-shortest encodings, etc.
      
      RT deals with interchange with databases, email, and other systems.  In
      dealing with encodings, it should ensure that it does not produce byte
      sequences that are invalid according to official Unicode standards.
    • Ensure all MIME::Entity headers are UTF-8 encoded bytes · 41d084f1
      Alex Vandiver authored
      Placing wide characters into MIME::Entity objects can lead to
      double-encoding, as discovered most recently in d469cacc.  Explicitly
      decode all headers as UTF-8 when retrieving them with ->get(), and
      encode them as UTF-8 before updating them with ->set() or ->replace().
      This also applies to headers passed to ->build().  The only exceptions
      to this are fixed strings in the source (which, in the absence of "use
      utf8", are always bytes).
      
      While the majority of these headers will never have wide characters in
      them, always decoding and encoding ensures the proper discipline to
      guarantee that strings with the "UTF8" flag do not get placed in a
      header, which can cause double-encoding.
    • Ensure all MIME::Entity bodies are UTF-8 encoded bytes · 6d9bd63c
      Alex Vandiver authored
      Placing wide characters into MIME::Entity objects can lead to
      double-encoding.  Always treat them as byte stores, encoding as UTF-8
      and noting their character set.
      
      In the case of Approvals/index.html, there was no need for an explicit
      MIME::Entity object; ->Correspond creates one as needed from a "Content"
      argument.
  2. 13 Aug, 2014 1 commit
  3. 07 Jul, 2014 1 commit
  4. 30 Jun, 2014 1 commit
    • Fix unsetting of core date fields · 39913ba6
      Alex Vandiver authored
      b4c54faf switched to using ->IsSet instead of checking ->Unix to
      determine if a date was set.  However, two of the changed tests (in
      RT::Interface::Web) actually check "defined $date->Unix" -- which is
      always true.  This led to it being impossible to unset core date fields.
      
      Remove ->IsSet checks entirely, as the appropriate replacement for
      "defined $date->Unix" is nothing, as it is always true.
      
      Fixes: I#30180
  5. 18 Jun, 2014 1 commit
  6. 15 May, 2014 1 commit
  7. 30 Apr, 2014 1 commit
  8. 16 Apr, 2014 1 commit
  9. 26 Mar, 2014 1 commit
    • I#28640: Set headers for static content · 915eb4b7
      Wallace Reis authored
      This is a regression fix since at some point the static content served
      from /static/ path had the 'Expires' and 'Cache-Control' headers removed
      (probably when started serving it with Static middleware). Additionally,
      add support for static content served from custom StaticRoots.
  10. 17 Mar, 2014 1 commit
    • add $Type to %ARGS so we can specify the type of the textarea in the caller · c1c91d2a
      sunnavy authored
      by default, the type is controlled by the system config ($MessageBoxRichText)
      and user preferences. however, sometimes we want to explicitly set the type no
      matter what system config or the user preference is.
      
      this is initially for the IPs and Addresses textareas in RTIR's ScriptedAction
      tool page (/RTIR/Tools/ScriptedAction.html), where rich texts are not useful at
      all (actually harmful as the backend doesn't handle the rich format).
  11. 05 Mar, 2014 2 commits
    • Parse old-style (not chained) Category drop-down arguments correctly · ecf6b912
      Alex Vandiver authored
      As of 4b21442e, the string '-Category' is appended to the '-Value' or
      '-Values', instead of replacing it.  Update all of the locations which
      ignore the old-style Category to look for the suffix, instead of the
      fixed string.
      
      Without this, attempts to update custom field values with old-style
      categories produce "User asked for an unknown update type for custom
      field" warnings, and bulk update may erroneously set the CF values to
      their selected category, rather than their selected value.
    • Use the correct -Values on select-multiple checkbox inputs · dd44e3c5
      Alex Vandiver authored
      4b21442e changed to having a method to generate CF field names.
      However, it incorrectly encoded that all "List" renderings (both radio
      and checkboxes) should use the singular '-Value'.  Prior to 4b21442e,
      the _only_ rendering which used '-Value' was the radio rendering, which
      set $name explicitly; other locations hardcoded '-Values', or (in the case
      of checkboxes) set $name to '-Values'.
      
      This resulted in checkboxes using '-Value', which in turn caused the
      same value to be able to be re-added, and appear multiple times on
      the same ticket; see [rt3 #29392].
      
      Switch the GetCustomFieldInputName method to only return '-Value' for
      the radio rendering of selects, restoring the same input names as prior
      to 4b21442e.  It also removes a now-misleading comment, as the $name
      variable is used for _all_ Select inputs, not just radio/checkboxes.  As
      such, ensure that (in the absence of a $Name, which currently occurs
      nowhere in core RT), the '-Value' option would still only be generated
      for radiobuttons.
  12. 24 Feb, 2014 1 commit
  13. 03 Feb, 2014 1 commit
    • refactor cf input name and abstract a sub to get it · 4b21442e
      sunnavy authored
      previously we have to do things like:
      
          my $input_name = "Object-RT::Ticket-" . $ticket->id . "-CustomField-" . $cf->id .  "-Value";
      
      this is complex enough to be wrapped into a sub, not mentioning that you need
      to figure out if it's "-Value" or "-Values". some notes:
      
      * the new sub mimics old naming convention for back compatibility.
      * old $NamePrefix is still supported (if the new added arg $Name is not set)
      * ...-Values-Magic is widened to ...-Magic (so there will be ...-Value-Magic,
        ...-Upload-Magic, etc because now we simply suffix "-Magic" to the input name)
      
      this commit respects current inconsistent "-Value" vs "-Values" usage, but we
      should fix it in the near future:
      
      * cfs with single-value should be named as single "-Value" instead of "-Values"
        e.g. Date, DateTime, single Select with render type "List" and maybe also
        Text and WikiText
      * upload cfs (Binary and Image) should be named as "-Uploads" if they are not single-valued.
  14. 15 Jan, 2014 2 commits
    • bb68df31
    • Allow tables if HTML::Gumbo is installed · 6c0cbbbd
      Alex Vandiver authored
      HTML::Gumbo deals with ensuring that content cannot "escape" from the
      context that RT frames it in, by (for example) not allowing </td></tr>
      if the content has not opened its own table.  HTML::Gumbo has an
      HTML::Parser-like interface, but it is not quite close enough to serve
      as a drop-in replacement -- and the structure of HTML::Scrubber would
      not make such a substitution easy.
      
      As such, pre-parse the HTML content using Gumbo, if available, as a
      pre-parsing step before HTML::Scrubber.  This enables <table> tags and
      their ilk to be enabled without posing a security risk.
  15. 06 Jan, 2014 2 commits
  16. 10 Dec, 2013 1 commit
  17. 13 Nov, 2013 1 commit
    • ShowEmailRecord is a common link to hand out. · 10ce1a32
      Kevin Falcone authored
      Since it takes arguments, it triggers the CSRF warning, but it's a
      readonly page and it's common to tell someone "Here's a copy of the
      email that went out" - so let people visit it directly.
  18. 27 Sep, 2013 1 commit
  19. 18 Sep, 2013 1 commit
    • Only set X-RT-Encrypt|Sign if we get an argument. · 4c35a7c6
      Kevin Falcone authored
      The web ui has a hidden field and a checkbox.  If you check the
      checkbox, we get an arrayref and set X-RT-Encrypt: to 1.  If you don't
      check the checkbox, we get 0 and we set X-RT-Encrypt to 0.
      
      If you modify the UI so that users cannot uncheck Encrypt (and use
      Always Encrypt in your Queue config) this code would set X-RT-Encrypt: 0
      and ignore the Queue default.
      
      It now doesn't set a header, and the mail that is sent out uses
      WillSignEncrypt to look at the Queue and see that it should encrypt.
  20. 03 Sep, 2013 1 commit
    • Process Sign/Encrypt values later on update · 528e0fae
      Ruslan Zakirov authored
      A value for Sign or Encrypt of undef is an indication of "do whatever
      the queue's options say."  d3341b78 resolved a bug of inserting array
      references into X-RT-Sign, but in doing so lost the possibility to pass
      undef into ProcessUpdateMessage, and have the queue default kick in.  In
      practice, this is only relevant if the signing controls were not
      submitted, but customizations may do so.
  21. 30 Aug, 2013 2 commits
  22. 20 Aug, 2013 1 commit
  23. 06 Aug, 2013 1 commit
  24. 31 Jul, 2013 1 commit
  25. 29 Jul, 2013 1 commit
    • prevent double form submit by disabling buttons · f8637121
      Ruslan Zakirov authored
      Users have time to double click submit buttons and
      submit forms twice. This change disables submit buttons
      when a form is submitted. However, input is disabled
      a little bit earlier and browser wouldn't send its
      name/value pair to the server, so we add a hidden
      input.
  26. 26 Jul, 2013 2 commits
  27. 23 Jul, 2013 2 commits
    • Encode JSON strings as Perl character strings instead of UTF-8 bytes · 18a6bd8b
      Thomas Sibley authored
      If JSON() produces UTF-8 bytes, it can't be used in Mason pages with
      other content.  Mason pages are constructed using Perl character
      strings and then our PSGI response callback in
      RT::Interface::Web::Handler encodes all content as UTF-8 if it's not
      already encoded.  This leads to double-encoding when JSON() output is
      mixed with other content, such as in /Elements/JavascriptConfig.
      
      The autocomplete endpoints which used JSON() worked successfully because
      their _entire_ page content was UTF-8 already, so it wasn't encoded
      again by the response callback.  By switching JSON() away from UTF-8,
      interpolation issues are fixed and the autocomplete endpoints now rely
      on the request handler encoding to UTF-8 instead.
      
      Additionally, replace various uses of JSON::to_json() directly with
      JSON().
    • Basic I18N for JS strings · 0d4faacc
      Thomas Sibley authored
      This simple solution doesn't scale, but it's tiny and sufficient for now.
  28. 19 Jul, 2013 2 commits
    • Allow explicit addresses to skip, in addition to the SkipNotification sets · 2536348a
      Alex Vandiver authored
      RTIR uses the SkipNotification argument to Create (added in 7e0e0a54) to
      squelch whole classes of users at create time.  2047c321 added a
      TransSquelchTo argument to RT::Ticket->Create to implement this
      create-time squelching, but didn't allow explicit control of individual
      addresses at the level of the CreateTicket API.
      
      Add the same TransSquelchTo argument to RT::Interface::Email's
      CreateTicket, which allows an explicit additional set of addresses to
      squelch, in addition to those that SkipNotification adds.
    • Allow DryRun => 1 to CreateTicket, which returns the txn · 6503da83
      Alex Vandiver authored
      This can hence be used to implement PreviewScrips, at the cost of losing some ticket numbers.
  29. 12 Jul, 2013 1 commit
  30. 01 Jul, 2013 1 commit
    • Rename $WebExternalAuth and friends to reduce confusion, and be more specific · 165a4bcf
      Alex Vandiver authored
      In order to reduce confusion with the common extension
      RT::Authen::ExternalAuth, the following options have been renamed:
      
        WebExternalAuth           => WebRemoteUserAuth
        WebExternalAuthContinuous => WebRemoteUserContinuous
        WebFallbackToInternalAuth => WebFallbackToRTLogin
        WebExternalGecos          => WebRemoteUserGecos
        WebExternalAuto           => WebRemoteUserAutocreate
        AutoCreate                => UserAutocreateDefaultsOnLogin
      
      This also makes their utility more evident.
  31. 29 Jun, 2013 1 commit