This wasn't intended to make its way into a public repo. :)
The existing key was a long-forgotten kluge that was supposed to be
temporary, allowing internal services to create quotes without
authentication. The chances of this being practically exploited are minimal
in our environment, and it's auditable using webserver logs.
This moves the skey into a configuration file, which allows it to vary by
server and be rotated until a better solution is made available. skey is
disabled by default (empty string), and when used by us internally, the keys
are now generated using a CSPRNG rather than a brute-forceable 5-byte key
that was hard-coded.
The fact that this appears in webserver logs is a big issue as well. I
added a task to address that.
* conf/vanilla-server.json (skey): New key. Default empty.
* src/server/daemon/Daemon.js (start): Provide skey to `#getRouters'.
(getRouters): Provide skey to `#getProgramController'.
(getProgramController): Set skey on `controller'.
* src/server/daemon/controller.js (skey): New mutable export (unideal; quick
change).
(has_skey): Use it.
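
An added example (not Liza's code and not part of the commit message above) of the three properties that message describes: a key drawn from a CSPRNG, a check that is disabled while the configured key is the empty string, and the key kept out of request logs. The function names, the `skey` query parameter and the sample URL in the usage note are assumptions; the message does not say how the key is transmitted.

```javascript
// Added example; function names are hypothetical, not Liza's API.
const crypto = require('node:crypto');

// Generate a value for the `skey' configuration entry: 32 bytes from the
// CSPRNG, versus the 5-byte (40-bit) key that used to be hard-coded.
function generateSkey(bytes = 32) {
    return crypto.randomBytes(bytes).toString('hex');
}

// An empty configured key means the feature is off: nothing matches,
// including an empty or missing presented key.
function hasSkey(configured, presented) {
    if (typeof configured !== 'string' || configured === '') return false;
    if (typeof presented !== 'string') return false;

    // Hash both sides so timingSafeEqual always gets equal-length buffers
    // and the comparison time does not depend on where the keys differ.
    const a = crypto.createHash('sha256').update(configured).digest();
    const b = crypto.createHash('sha256').update(presented).digest();
    return crypto.timingSafeEqual(a, b);
}

// Assumption: the key travels as an `skey' query parameter. Apply this to
// the request URL before it is written to any log.
function redactSkey(url) {
    return url.replace(/([?&]skey=)[^&#\s]*/g, '$1[REDACTED]');
}
```

With a constructed request line, `redactSkey('/quote/new?skey=abc123&pid=1')` returns `/quote/new?skey=[REDACTED]&pid=1`.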
quicksave data wouldn't always be cleared on save, meaning it might not be
cleared until the next _empty_ quicksave from the client.
* src/server/db/MongoServerDao.js (saveQuote): Always clear quicksave.
An error was being thrown outside the stack of the actual test, which
apparently was never noticed until more recent versions of node. We're
still on a pretty ancient version for local development. :x
* test/ui/step/GeneralStepUiTest.js (createElementStyler)[getAnswerElementByName]:
Properly return array for stub jQuery element.
Before this change, since `undefined' is encoded as `null' when serialized,
there was no way for the server to disambiguate between unmodified values
and a truncation point. For example:
[ undefined, undefined, null, null, null ]
The above array represents two unmodified and three removed indexes. But
this is serialized into JSON as:
[ null, null, null, null, null ]
It isn't possible for the server to determine what the truncation point is
from that diff. The solution is to therefore truncate the array _before_
sending it to the server, providing a trailing null to indicate that a
truncation has occurred:
[ null, null, null ]
The above means that the first two indexes are unmodified, and that index 2
and later should all be truncated.
* doc/client.texi (Saving to Server): New section.
* src/client/transport/XhttpQuoteTransport.js (_truncateDiff): New method to
perform truncation.
(getBucketDataJson): Use it.
* test/client/transport/XhttpQuoteTransportTest.js: New file with respective
test case.
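
An added example (not the project's `_truncateDiff` and not part of the commit message above) that carries the truncation through a JSON round trip. The slot conventions come from that message; `applyDiff` is a hypothetical server-side merge, and treating the first `null` as the truncation point is an assumption.

```javascript
// Added example, not Liza's code. Slot conventions from the commit message:
// undefined = unmodified, null = removed.

// Cut a diff at its first removed index, keeping a single null there.
function truncateDiff(diff) {
    // indexOf compares with ===, so undefined slots are skipped.
    const cut = diff.indexOf(null);
    return cut === -1 ? diff.slice() : diff.slice(0, cut + 1);
}

// What the server receives: JSON turns undefined array slots into null.
function overWire(diff) {
    return JSON.parse(JSON.stringify(diff));
}

// Hypothetical server-side merge: a trailing null is the truncation marker,
// any other null is an unmodified slot.
function applyDiff(stored, wire) {
    const last = wire.length - 1;
    const truncates = last >= 0 && wire[last] === null;
    const out = truncates ? stored.slice(0, last) : stored.slice();
    wire.forEach((value, i) => {
        if (value !== null) out[i] = value;
    });
    return out;
}

// Constructed sample data: five stored indexes, the last three removed.
const stored = ['a', 'b', 'c', 'd', 'e'];
const diff = [undefined, undefined, null, null, null];

// Without truncation the server sees five nulls and cuts in the wrong place.
const untruncated = applyDiff(stored, overWire(diff));

// With truncation the wire form is [null, null, null]: cut at index 2.
const truncated = applyDiff(stored, overWire(truncateDiff(diff)));
```

Here `untruncated` is `['a', 'b', 'c', 'd']`, which keeps two removed indexes, while `truncated` is `['a', 'b']`.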
* src/client/Client.js (_defaultId): New property.
(__construct)[default_id]: New parameter. Set `_defaultId'.
(_getProgramId): Use `_defaultId' if not found in URL.
* src/ui/nav/HashNav.js (_initUrl): Do not require leading program id.
This technically worked fine before with our URL scheme, but that is not
guaranteed to be the case generally.
This is something that managed to slip by (but not unnoticed) for almost
exactly one year to this day (028606242a). It
can only be reproduced by changing classes that result in visibility changes
differing on the same field by index. The issue hides itself on first
load (because all fields are shown by default) and on refresh.
The problem is that, when one index shows a field but another hides it, the
hide overrode the show indexes, so only the hide took place.
* src/client/Cmatch.js (markShowHide): Make virtual. New implementation to
support concurrent show/hide.
(_handleClassMatch): Use it.
* test/client/CmatchTest.js: New test.
* npm-shrinkwrap.json: ease.js v0.2.{8=>9}.
This is to give us a fairly easy means of testing this logic for a bugfix.
This refactoring also obviates a pretty nasty bug; see docblock.
* src/client/Cmatch.js (_handleClassMatch): Extract show/hide marking.
(markShowHide): New method.
This makes the minimal number of changes necessary to ensure that all object
references remain available. It is a mess.
And despite moving all of this, Client is still a massive clusterfuck.
* src/client/Client.js (system): Add import.
(_cmatch): Now references new Cmatch class instance.
(_cmatchHidden, _classMatcher): Remove fields.
(_forceCmatchAction): Rename to `forceCmatchAction'.
(_hookClassifier, _postProcessCmatch, _cmatchVisFromUi, _handleClassMatch,
_mergeCmatchHidden, _clearCmatchFields): Extract methods. Update
references as necessary.
(getCmatchData): Remove unused method.
(_handleError): Rename to `handleError' to make accessible to
Cmatch. Update references.
* src/client/ClientDependencyFactory.js (FieldClassMatcher): Remove import.
(createFieldClassMatcher): Remove method. See `system/client'.
* src/client/Cmatch.js: New class.
* src/system/client.js (Cmatch, field): Add imports.
(cmatch): Add export.
All of the old events have been removed!
* src/client/Client.js (handleEvent): Remove remainder of old system (after
last commit, all that was left was error handling). Correct docblock.
The `set' event already existed---this merely extracts it into its own
handler.
* src/client/Client.js (handleEvent): Extract `set' handler.
* src/client/ClientDependencyFactory.js (createClientEventHandler): Add
`set'.
* src/client/event/ValueSetEventHandler.js: New class.
* test/event/ValueSetEventHandlerTest.js: Associated test case.
This matches the behavior of assertions.
This needs to be refactored into an event handler.
* src/client/Client.js (handleEvent)[set]: Use last available index.
* src/ui/ElementStyler.js (setValueByName)[change_event]: Re-add
`change_event' check, but as a warning instead of an Error. This
shouldn't be used anymore, but let's be certain _without_ breaking
things.
The intent wasn't to have this be permanent, and apparently it _is_ being
used in generated code!
* src/ui/ElementStyler.js (setValueByName): Remove error on `change_event'.
Useful for random historical facts that give useful context for developers
of Liza. It hopefully helps to mitigate some of the issues of Theory
Building as noted by Peter Naur.
* doc/liza.css: Refactor some styles to make them more concise.
(.trivia): Add styling.
* doc/macros.texi (trivia): Add macro.
Continued eradication of jQuery for performance reasons.
* src/ui/ElementStyler.js (setValueByName): Do not use jQuery for
legacyradio styling. Throw exception on `change_event' argument set (this
should no longer be used).
This used to be a thing back when we used Dojo, but it doesn't appear to be
used anymore.
* src/ui/ElementStyler.js (setValueByName): Remove `autochange' check.
Lines starting
The primary motivation behind this change was documentation of
links. Developers (including myself---it's been a while) misinterpreted
them as references to existing groups, not arbitrary names.
* doc/program.texi (Defining Groups): New section.
(Group Styles): Reference to new section.
* doc/liza.css: Each of the entities below may have additional selectors
following them, not listed here.
(.doc-notice.dev): Renamed to `.devnotice'.
(.doc-notice.devnotice, .doc-notice.devnote): New classes.
* doc/macros.texi (devnotice): {dev=>devnotice} @noticestart argument.
(devnote): New macro.
These animations are ugly and slow when there are many questions on a
step. I've wanted them gone for quite some time, and now we don't have a
disagreement among developers.
* src/client/ClientDependencyFactory.js (createNaFieldStyler): Remove
NaFieldStylerAnimation mixin.
* src/ui/styler/NaFieldStylerAnimation.js: Remove trait.
This is necessary to truncate on index removal; otherwise, it's not possible
to remove indexes through the editor.
* src/client/debug/BucketClientDebugTab.js (_getStagingButtons): Append null
on value change.