hypothesis/h

jmcarp


      Upgrade karma to latest.

db8b17a

hmstepanek


      Merge pull request #5217 from hypothesis/update-es-version-in-install…

…-docs

Update Elasticsearch version and URL in installation docs

dc24355

lyzadanger


      Add `h.views.admin` module and `__init__`

86613ee

lyzadanger


      Move `h.views.admin_admins` -> `h.views.admin.admins`

5f51144

lyzadanger


      Move `h.views.admin_badge` -> `h.views.admin.badge`

e871bda

lyzadanger


      Move `h.views.admin_features` -> `h.views.admin.admin`

b22ff2d

lyzadanger


      Move `h.views.admin_groups` -> `h.views.admin.groups`

0310a80

lyzadanger


      Move `h.views.admin_index` -> `h.views.admin.index`

1960c82

lyzadanger


      Move `h.views.admin_mailer` -> `h.views.admin.mailer`

c78621f

lyzadanger


      Move `h.views.admin_nipsa` -> `h.views.admin.nipsa`

41a5994

lyzadanger


      Move `h.views.admin_oauthclients` -> `h.views.admin.oauthclients`

64ed4da

lyzadanger


      Move `h.views.admin_organizations` -> `h.views.admin.organizations`

lyzadanger


      Move `h.views.admin_staff` -> `h.views.admin.staff`

314507f

lyzadanger


      Move `h.views.admin_users` -> `h.views.admin.users`

lyzadanger


      Normalize `admin_cohorts` to `admin.cohorts`

2d85eff

robertknight


      Make "gulp watch" task work with Gulp v4

 - The various "watch-*" tasks never complete, so they must be composed
   using `gulp.parallel` rather than `gulp.series`. Otherwise only the
   first one runs.

 - Adapt usage of `gulp.watch` in various "watch-*" tasks to pass a function as
   the argument instead of a task name as required by the Gulp v4 API [1].

 - Fix an existing issue where the "watch-css" task did not ensure that
   vendor CSS was built first.

   The issue mentioned in the existing comment about watching not
   working if the initial build failed appears not to apply any longer.

[1] https://github.com/gulpjs/gulp/blob/4.0/docs/API.md#gulpwatchglobs-opts-fn

14561a6

robertknight


      Merge pull request #5222 from jmcarp/npm-audit-fix

Upgrade vulnerable deps with `npm audit fix`.

a2f6883

robertknight


      Merge pull request #5230 from hypothesis/admin-views-refactor

Reorganize admin views into `h.views.admin` module

834d5ae

robertknight and seanh


      Pipe compressed archive to `docker build` (#5233)

On my system (git 2.18.0 from Homebrew, docker 18.06.0-ce, macOS),
the "make docker" task was failing with the error:

```
git archive HEAD | docker build -t hypothesis/hypothesis:dev -
Sending build context to Docker daemon  4.487MB
Error response from daemon: Syntax error - can't find = in "paster.bootstrap(config,". Must be of the form: name=value
make: *** [docker] Error 1
```

The "docker build" documentation [1] states that the context should be
compressed, and sure enough configuring `git archive` to generate a
compressed archive resolves the issue.

[1] https://docs.docker.com/engine/reference/commandline/build/#build-with--

658a05a

robertknight


      Remove an obsolete comment

Following the completion of the Elasticsearch 6 migration, these
functions are only called once each.

d94ae2c

robertknight


      Port a test from h/search/old_index_test.py to h/search/index_test.py

Port across a useful test from the old search indexing tests that were
missing from the new tests to verify that the conversion from Annotation
to JSON document indexed in Elasticsearch uses the expected method.

9dea68d

seanh


      Remove `# noqa: N803` from source code files

This is disabled globally.

09c701b

seanh


      Remove `# noqa: N802` from source code files

This is disabled globally.

90170f6

seanh


      Remove `# noqa: N806` from source code files

This is disabled globally.

04b0720

robertknight


      Re-use `get` fixture in more tests

Code for fetching the indexed JSON document from Elasticsearch was
duplicated in several deletion and batch-indexing tests.

Reuse the existing `get` fixture for this purpose, but rename it to
`get_indexed_ann` for clarity.

e75630b

lyzadanger and seanh


      Make `organization` nullable on Group model

4fa9fe5

lyzadanger and seanh


      Account for nullable `organization` in traversal Context

914c5be

robertknight


      Remove old search indexing tests

These unit tests which mock ES have been replaced with tests in
h/search/index_test.py which in most cases do actually make queries against
Elasticsearch and thus give us more confidence that passing tests ==
working production app.

eb90c8d

lyzadanger and seanh


      Update GroupJSONPresenter to support nullable organization

549d0fa

lyzadanger and seanh


      Update template to account for nullable `organization`

c4a5728

lyzadanger and seanh


      Update activity view to account for missing `organization`

2baeda1

lyzadanger and seanh


      Update group service to account for missing `organization`

08ca8bc

lyzadanger and seanh


      Add migration for making organization_id nullable on group

b519783

robertknight


      Remove the majority of the old-style search query tests

Remove the tests in old_query_test.py which cover functionality that is
also covered by the tests in query_test.py.

Add a note about one aspect of searching by URI which is not explicitly
covered in query_test.py and a note about needing to move the remaining
`Builder` tests.

17cba0a

robertknight


      Merge pull request #5240 from hypothesis/remove-old-search-index-tests

Remove old search indexing tests

ab8f618

robertknight


      Remove test that is covered by another in query_test.py

This case is covered by `TestBuilder.test_it_sorts_annotations` in
query_test.py.

e12126d

robertknight


      Merge pull request #5241 from hypothesis/remove-old-search-query-tests

Remove the majority of the old-style search query tests

fde35c2

lyzadanger


      Merge pull request #5223 from hypothesis/spike-organization-nullable

Make Group.organization nullable and create new private groups with no organization

robertknight


      Merge pull request #5239 from hypothesis/search-index-test-cleanup

Search indexing test cleanups

7da1527

lyzadanger


      Update API docs to indicate group.organization may be `null` (#5229)

35f8835

hmstepanek


      Decrease min group name to 3 characters

346347c

hmstepanek


      Change api docs to min 3 char group name

a35db5c

lyzadanger


      Constrain the use of `AuthClientPolicy` to the `POST /groups` endpoint

3f730a7

lyzadanger


      Apply new `APIAuthenticationPolicy`

56a7b74

lyzadanger


      Update groups endpoint to account for forwarded users

857899c

lyzadanger


      Make sure not to expose `ValueError` on invalid userid format

e0a7c27

lyzadanger


      Fix path-matching test for auth token policy

e9da63b

lyzadanger


      Parametrize policy tests for both good and bad client paths

777ccd9

lyzadanger


      Add functional test to assure add-member endpoint ignores forwarded u…

…sers

397c156

hmstepanek


      Merge pull request #5244 from hypothesis/decrease-min-group-name-to-3

Decrease min group name to 3 characters

00b7a49

seanh


      Install tox when running docs-related make commands

Automatically install `tox` in the developer's virtualenv when running
any of the various docs-related `Makefile` commands.

This fixes an issue that, if the developer didn't already have `tox`
available on their system, the various docs-related `Makefile` commands
will fail.

Having the `Makefile` explicitly install `tox` is consistent with how
`make test` already does it.

The use of `PIP_REQUIRE_VIRTUALENV` in the `Makefile` prevents `tox`
from being installed if the developer hasn't created and activated a
virtualenv for h - it won't try to install `tox` globally.

673189b

lyzadanger


      Merge pull request #5218 from hypothesis/connect-api-policy

Use API Policy; Restrict AuthClientPolicy to `POST /api/groups`

c418d02

hmstepanek


      Record which /api/search params are used

Add custom metrics to record if the offset param is being used-the
idea being we will know if people are still using it as it will be
deprecated and perhaps when no one is using it anymore we can safely
delete it.

Add custom metrics to record the use of tag and tags. tags is an alias
of tag. The idea being if no one is using it we could safely remove this
and simplify our search query params.

Add custom metrics to record the use of url and uri. url is an alias
of uri. The idea being if no one is using it we could safely remove this
and simplify our search query params.

372667b

robertknight


      Remove New Relic agent configuration for elasticsearch1 library

The elasticsearch1 library is no longer used by the h app following the
Elasticsearch 6 migration.

13d3aa2

robertknight


      Remove elasticsearch1-dsl library from tox setup

elasticsearch1-dsl is no longer used by h tests.

fd2bc4c

robertknight


      Add New Relic env vars to `run-docker` make task

This makes it easier to run h with New Relic reporting enabled locally
for performance analysis etc.

To use it:

 1. Set the `NEW_RELIC_LICENSE_KEY` env var to the key from your NR
    Account Settings page.
 2. Run `make docker` to build the docker image from git's HEAD commit
 3. Run `make run-docker`.

Metrics will now appear under the "h (dev)" application in your NR
account.

If you need more flexibility, see Hannah's answer at
https://stackoverflow.com/c/hypothesis/questions/98

8604e5d

hmstepanek


      Merge pull request #5249 from hypothesis/add-api-usage-metrics

Record which /api/search params are used

41a6c11

hmstepanek


      Remove remaining es1 switch statement

6180b92

hmstepanek


      Merge pull request #5250 from hypothesis/remove-es1-newrelic-hooks

Remove remaining references to elasticsearch1 and elasticsearch1-dsl from config files

249f9e2

hmstepanek


      Move old Builder tests to query_test module

9c3d87c

robertknight


      Merge pull request #5252 from hypothesis/remove-remaining-if-es1-swit…

…ches

Remove remaining es1 switch statement

0661fd6

robertknight


      Merge pull request #5253 from hypothesis/move-old-query-tests

Move old Builder tests to query_test module

31bb805

robertknight


      Add helper for validating query parameters using Colander

Add `validate_query_params` helper function for validating query
parameters (`request.GET` or `request.params`) using Colander schemas.

Compared to simply calling `schema.deserialize(request.params)` this
helper handles:

 - Raising a `ValidationError` with a single string error
   message if validation fails.

 - Preserving repeated fields. Ordinarily Colander will only return the
   last occurrence after parsing.

   In our case we want to preserve repeated fields for use in eg.
   requests such as `GET /api/search?tag=foo&tag=bar` to return
   annotations with tags "foo" and "bar".

10713d5

robertknight


      Merge pull request #5247 from hypothesis/colander-query-param-validation

Add helper for validating query parameters using colander

20a440f

jmcarp


      Rename `skip_plugin_check` to `check_icu_plugin`.

h/t @hmstepanek

8e41466

hmstepanek


      Add test to TestValidateQueryParams

Add test to check that a list field type can have a single value
specified and it still gets converted to a list in the multidict
to dict conversion and passes validation.

a04f79d

robertknight


      Merge pull request #5251 from hypothesis/add-newrelic-vars-to-run-docker

Add New Relic env vars to `run-docker` make task

37cd304

hmstepanek


      Limit search "offset" parameter to <= 9800

The window of annotations,from + size must be less than or equal to: 10000.
Since limit (the size) is set to be no larger than 200, that means the
offset must be no larger than 9800.

91b6e8b

hmstepanek


      Add colander SearchParamsSchema schema class

This schema will only pass expected search query params through to
be used when building the query. All unknown parameters will be ignored.
It also casts the parameters to their desired types and validates the value.

The following available fields in elasticsearch were not exposed for the following
reasons:

- deleted    There is a deleted filter that filters out deleted annotations
             everytime a search is run so exposing this would have no affect.
- id         This doesn't appear to work in practice and we prob shouldn't be
             exposing id's from our db anyway.
- nipsa      There is a filter for this that sorts these out so this would have
             no affect, not to mention exposing this could potentially allow
             a shadowbanned user from discovering they have been banned.
- shared     There is a filter for this already so it would have no effect, not
             to mention exposing this could be a permission escalation.
- tags_raw   There is already a nicer tags field for tag searches. The intention
             of tags_raw is to be used in aggregations.
- uri.parts  This is already covered by the any filter and keyword.
- user_raw   There is already a nicer tags field for user searches. The intention
             of user_raw is to be usedin aggregations.
- authority  There is a filter for this used on activity pages and this could be
             a permission escalation. Also this is something internal to h that we
             probably should avoid exposing anyway.
- updated    This is a date and it needs a range query filter which
             we don't currently have.

- created    This is a date and it needs a range query filter which
            we don't currently have.
- thread_ids This needs a more sensible name like "parent_of_annotations".
- target     This is a somewhat complex object that the user would never be
            able to pass in. It's broken up into smaller objects already.

6ff27d4

hmstepanek


      Add tests for testing SearchParamsSchema

ecd0b5b

hmstepanek


      Validate search query params in /api/search

Call validate_query_params in /api/search.

Change the type of request.params used in the tests from a dict
to a NestedMultiDict since this is what type request.params actually
is.

Since the SearchParamsSchema specifies defaults for certain params,
test_it_searches has to be changed to assert the default params were
passed into search as opposed to an empty dict.

f3b32f7

hmstepanek


      Update search api docs

f14cae4

hmstepanek


      Merge pull request #5224 from hypothesis/ignore-unknown-es-query-params

Ignore unknown es query params

1a0032f

hmstepanek


      Revert "Ignore unknown es query params"

c86bbfd

hmstepanek


      Merge pull request #5256 from hypothesis/revert-5224-ignore-unknown-e…

…s-query-params

Revert "Ignore unknown es query params"

7b9a5fc

hmstepanek


      Add test to TestValidateQueryParams

Add test to check that a list field type can have a single value
specified and it still gets converted to a list in the multidict
to dict conversion and passes validation.

654b3f1

hmstepanek


      Limit search "offset" parameter to <= 9800

The window of annotations,from + size must be less than or equal to: 10000.
Since limit (the size) is set to be no larger than 200, that means the
offset must be no larger than 9800.

e730ee0

hmstepanek


      Add tests for sorting search by user, id, & group

Add tests for sorting search by user, id, and group.

Add mapping of sort by user to the non-analyzed field user_raw.

06f301b

hmstepanek


      Add colander SearchParamsSchema schema class

This schema will only pass expected search query params through to
be used when building the query. All unknown parameters will be ignored.
It also casts the parameters to their desired types and validates the value.

The following available fields in elasticsearch were not exposed for the following
reasons:

- deleted    There is a deleted filter that filters out deleted annotations
             everytime a search is run so exposing this would have no affect.
- id         This doesn't appear to work in practice and we prob shouldn't be
             exposing id's from our db anyway.
- nipsa      There is a filter for this that sorts these out so this would have
             no affect, not to mention exposing this could potentially allow
             a shadowbanned user from discovering they have been banned.
- shared     There is a filter for this already so it would have no effect, not
             to mention exposing this could be a permission escalation.
- tags_raw   There is already a nicer tags field for tag searches. The intention
             of tags_raw is to be used in aggregations.
- uri.parts  This is already covered by the any filter and keyword.
- user_raw   There is already a nicer tags field for user searches. The intention
             of user_raw is to be usedin aggregations.
- authority  There is a filter for this used on activity pages and this could be
             a permission escalation. Also this is something internal to h that we
             probably should avoid exposing anyway.
- updated    This is a date and it needs a range query filter which
             we don't currently have.

- created    This is a date and it needs a range query filter which
            we don't currently have.
- thread_ids This needs a more sensible name like "parent_of_annotations".
- target     This is a somewhat complex object that the user would never be
            able to pass in. It's broken up into smaller objects already.

ab067d3

hmstepanek


      Add tests for testing SearchParamsSchema

9af2bb2

hmstepanek


      Validate search query params in /api/search

Call validate_query_params in /api/search.

Change the type of request.params used in the tests from a dict
to a NestedMultiDict since this is what type request.params actually
is.

Since the SearchParamsSchema specifies defaults for certain params,
test_it_searches has to be changed to assert the default params were
passed into search as opposed to an empty dict.

f0c76ae

hmstepanek


      Update search api docs

5c52341

hmstepanek


      Merge pull request #5258 from hypothesis/add-search-params-schema

Ignore unknown es query params

1fdde9a

seanh


      Fix a tox warning and remove some duplication

Fix a "Conflicting basepython for environment 'functional-py3'" warning
that tox was printing out, and also remove some duplication from the
tox.ini file.

The problem was that tox testenv names, such as "py27", "functional",
"functional-py3", "coverage", etc in our tox.ini file, are actually
hyphen-separated lists of what tox calls "factors":

https://tox.readthedocs.io/en/latest/config.html?highlight=factors#factors-and-factor-conditional-settings

Tox sees the testenv name "functional-py3" as two factors "functional"
and "py3". And "py3" is the name of one of tox's builtin factors.
The testenv name "functional-py3" activates the builtin "py3" factor
which sets `basepython = python3`. This conflicts with the
`basepython = python3.6` within the testenv definition
(py3 != python3.6).

Fix this by:

1. Renaming the functional-py3 testenv to functional-py36, so that it
triggers the builtin py36 factor (basepython = python3.6) instead of
the py3 one.

2. Removing the `basepython = python3.6` from the testenv definition
body. It's not needed as the "-py36" in the testenv name has already
set that basepython.

Also remove the `basepython = python2.7` from `[testenv:functional]` as
it's not needed - testenvs inherit the `basepython` from the default
testenv which, in our tox.ini file, is tox's builtin py27 testenv.

Also remove the `skip_install = true` from `[testenv:functional]` - it
already inherits this from `[testenv]`.

Also remove some duplication by adding a `tox.ini`-file section
`[functional]` and having both `[testenv:functional]` and
`[testenv:functional-py36]` use values from it.

570c2b3

seanh


      Remove Sphinx deps

`make docs` and other docs-related Makefile commands run in tox-managed
venvs, so it's no longer necessary to install docs stuff in yout
development venv.

86546ed

robertknight


      Merge pull request #5259 from hypothesis/fix-tox-warning

Fix a tox warning and remove some duplication

e1e14a5

robertknight


      Merge pull request #5260 from hypothesis/remove-sphinx-deps

Remove Sphinx deps

4a221e6

hmstepanek


      Use elasticsearch_dsl in filters

Convert filters/matchers/aggs to use elasticsearch_dsl. This means
now each filter will take in a search argument that is the elasticsearch_dsl
search object. Filters/Matchers will return a new modified search object,
while aggs will modify the search object in place.

Refactor the Search class to use these new classes and remove use of the old
Builder class.

6c342c7

hmstepanek


      Reorg existing tests into test classes

Reorganize the existing tests into their corresponding test classes:
TestSorter, TestLimiter, and TestKeyValueMatcher.

50c2fa2

hmstepanek


      Change append_filter to append_modifier

162c33c

robertknight


      Merge pull request #5219 from hypothesis/replace-builder-with-dsl

Replace Builder class with elasticsearch_dsl

e121949

robertknight


      Fix RSS stream

The `/stream.rss` and `/stream.atom` views were broken by
6c342c7 because the `params.copy()`
call in `h.search.query.Builder.build` was removed. As a result
`Search.run` tried to modify its input `params` dict which crashed in
views were that argument is the read-only `request.params`.

It seems less surprising for `Search.run` not to mutate its input dict,
so restore that behavior.

7be9ab6

lyzadanger


      Add new `h.schemas.forms.accounts` module

e724dd2

lyzadanger


      Create new `h.schemas.forms.accounts.edit_profile` module and tests

Update `h.views.accounts` to use new `EditProfileSchema`
Remove `EditProfileSchema` from `h.accounts.schemas`

e99283c

lyzadanger


      Create new `h.schemas.forms.accounts.login` module and tests

Update `h.views.accounts` to use new `LoginSchema`

Remove `LoginSchema` from `h.accounts.schemas`

ff8a8cb

lyzadanger


      Create new `h.schemas.forms.accounts.forgot_password` module and tests

Update `h.views.accounts` to use new `ForgotPasswordSchema`

Remove `ForgotPasswordSchema` from `h.accounts.schemas`

ea7ee60

lyzadanger


      Create new `h.schemas.forms.accounts.reset_password` module and tests

Update `h.views.accounts` to use new `ResetPasswordSchema`

Remove `ResetPasswordSchema` from `h.accounts.schemas`

903eba3

lyzadanger


      Merge pull request #5255 from hypothesis/refactor-accounts-schemas

Factor out some of `h.accounts.schemas` into separate modules

03c6af9

robertknight


      Merge pull request #5262 from hypothesis/fix-rss-stream

Fix RSS stream

b138574

lyzadanger


      Fix security documentation for POST api/groups/{id}/members/{user}

810fc51

lyzadanger


      Revert "Factor out some of `h.accounts.schemas` into separate modules"

7952b1d

lyzadanger


      Merge pull request #5267 from hypothesis/revert-5255-refactor-account…

…s-schemas

Revert "Factor out some of `h.accounts.schemas` into separate modules"

ad6d028

lyzadanger


      Add new `h.schemas.forms.accounts` module

d578ca0

lyzadanger


      Create new `h.schemas.forms.accounts.edit_profile` module and tests

Update `h.views.accounts` to use new `EditProfileSchema`
Remove `EditProfileSchema` from `h.accounts.schemas`

3e1c486

lyzadanger


      Create new `h.schemas.forms.accounts.login` module and tests

Update `h.views.accounts` to use new `LoginSchema`

Remove `LoginSchema` from `h.accounts.schemas`

dfb245d

lyzadanger


      Create new `h.schemas.forms.accounts.forgot_password` module and tests

Update `h.views.accounts` to use new `ForgotPasswordSchema`

Remove `ForgotPasswordSchema` from `h.accounts.schemas`

3ab4ca3

lyzadanger


      Create new `h.schemas.forms.accounts.reset_password` module and tests

Update `h.views.accounts` to use new `ResetPasswordSchema`

Remove `ResetPasswordSchema` from `h.accounts.schemas`

6356f7b

lyzadanger


      Update `ResetCode` and add tests for views

170de48

lyzadanger


      Make `h.views.api.groups` handle userid ValueError from user service

Make sure the view does not expose the ValueError that can result
from invoking the `fetch` method on the `user_service` with a
malformed `userid`.

Return a 404 instead.

hmstepanek


      Add search_after in search query & tests

Previously the param "offset" was being used to set the
"from" property in the search query to search from "offset" annotations to
"limit" number of annotations. This will be deprecated.

Going forward, it will use the param "search_after" to set the
"search_after" property in the search query to search starting at
sort field "search_after" to "limit" number of annotations.

search_after does not run through the parser to format the dates so we
must run the datetime parsing before it is passed to search_after. search_after
only accepts the number epoch_miliseconds as that is the raw format in es for
the created and updated fields.

Add tests for search_after.

34a1c5f

hmstepanek


      Add search_after to api docs

8e35824

hmstepanek


      Add search_after to schema & deprecate offset

bee1454

hmstepanek


      Ignore/strip offset when search_after is specified

Offset has been deprecated in favor of search_after. This means both
the Limiter and the Sorter have to handle the case where both offset
and search_after have been specified. This is because we make no
guarantee that the Sorter will be run before the Limiter or vise
versa.

If the Sorter is run first the offset should be popped.

If the Limiter is run first the offset should be popped and ignored.

Add tests for both cases ^.

Cleanup the extract offset and limit logic.

0d9924d

hmstepanek


      Validate search_after interactions in the schema

Validate at the schema level the following:
 - Validate that search_after is the correct format based on the value
   of sort.
 - Default offset to 0 if search_after is set.

Add schema tests to validate the above additions to the schema validation.

Remove the handling of both offset and search_after being set in the
Sorter and Limiter classes since this is now handled by the schema.

Remove query tests that validate the handling of both offset and
search_after being set since this is handled by the schema now.

1ff3965

robertknight


      Include CORS headers on error responses from the API

The `h.views.api.config.api_config` decorator applies a CORS header decorator
to API views, but the headers added by this decorator are not applied if
any part of the view processing pipeline raises an exception and an
exception view is invoked instead. Given that most API error handling
involves raising exceptions which then render responses using views in
`h.views.api.exceptions`, the result is that CORS headers were not set.

As a result, failing API requests caused surprising and confusing error
messages in the console about disallowed cross-origin requests, instead
of reporting the actual error.

Fixes #5264

robertknight


      Remove code that establishes elasticsearch_dsl's default connection

We are using elasticsearch_dsl for generating and executing search
queries in app code and tests, but we've opted to stick with the
existing method of establishing a connection to Elasticsearch rather
than using elasticsearch_dsl's default connection.

The existing method of creating a connection and exposing it via
`request.es` is convenient to work with in tests, since it can be easily
mocked. It is also more consistent with how we set up and expose
connections to other external services such as statsd or the database
session.

2d19b65

lyzadanger


      Merge pull request #5269 from hypothesis/redux-refactor-accounts-schemas

Redux: refactor accounts schemas

0ae0644

lyzadanger


      Rename `request.authority` -> `request.default_authority`

1676e44

lyzadanger


      Update `h.activity.query` for `request.default_authority`

Also fix some mocking in tests

a9c5af1

lyzadanger


      Update `h.emails.reply_notification` for `request.default_authority`

22c27c6

lyzadanger


      Update `h.session` for `request.default_authority`

0c2bca0

lyzadanger


      Update `h.links` for `request.default_authority`

096ea7d

lyzadanger


      Update `h.cli.commands.user` for `request.default_authority`

ef7ae53

lyzadanger


      Update `h.traversal.roots` for `request.default_authority`

615a65c

lyzadanger


      Update `h.views.client` for `request.default_authority`

5dadbf2

lyzadanger


      Update `h.views.admin.staff` for `request.default_authority`

f002cf4

lyzadanger


      Update `h.views.admin.oauthclients` for `request.default_authority`

1206fac

lyzadanger


      Update `h.views.admin.users` for `request.default_authority`

13bdd12

lyzadanger


      Update `h.views.admin.features` for `request.default_authority`

a1b5655

lyzadanger


      Update `h.views.admin.nipsa` for `request.default_authority`

e2fa10c

lyzadanger


      Update `h.views.admin.admins` for `request.default_authority`

ceeb5e5

lyzadanger


      Update `h.views.admin.organizations` for `request.default_authority`

e7192c8

lyzadanger


      Update `h.views.api.groups` for `request.default_authority`

2450f8e

lyzadanger


      Update `h.services.user_signup` for `request.default_authority`

d2fbd79

lyzadanger


      Update `h.services.group_finder` for `request.default_authority`

lyzadanger


      Update `h.services.group_links` for `request.default_authority`

a6fb69c

lyzadanger


      Update `h.services.links` for `request.default_authority`

cba6e33

lyzadanger


      Update `h.services.list_groups` for `request.default_authority`

ca00fcc

lyzadanger


      Update `h.services.user` for `request.default_authority`

db29f24

lyzadanger


      Update `h.schemas.forms.admin.group` for `request.default_authority`

f3574c0

lyzadanger


      Update breaking tests for `request.default_authority`

These tests are for modules whose code doesn’t have any broken
references to `request.authority`, but their tests do

d1ee8d8

lyzadanger


      Update `h.schemas.forms.accounts.*` for `request.default_authority`

e54b143

lyzadanger


      Rename `request_authority` -> `default_authority` in `list_groups` svc

3b21ae1

lyzadanger


      Update `h.accounts.schemas` for `request.default_authority`

df22070

lyzadanger


      Merge pull request #5254 from hypothesis/default-authority

Change `request.authority` -> `request.default_authority`

30dde12

robertknight


      Add documentation to h.views.api.config.cors_policy

d55391c

robertknight


      Add a note the `cors_policy` decorator and API exception views

d1ad769

robertknight


      Enable CORS headers on `json_error` view

Despite being in `h/views/api/*` this view is used by some non-API
routes, which we may not want to be cross-origin readable. However it
doesn't leak any information about the error.

In future this will be split into two separate views for API and non-API
routes as per https://hypothes-is.slack.com/archives/C4K6M7P5E/p1536243261000100

4a79f73

robertknight


      Merge pull request #5270 from hypothesis/fix-api-error-view-cors-headers

Add missing CORS headers to API error responses

2df8d1a

robertknight


      Split json_error exception view into API and non-API request handlers

We have API and non-API views that return JSON. For consistency handle
unexpected exceptions (aka. Internal Server Errors) for API views in
a view defined in `h/views/api/exceptions.py` and for other views in a
view defined in `h/views/exceptions.py`.

Right now the only difference is that the API view adds CORS headers to
the response.

I have also changed the error message to make it shorter and thus be
easier to read if it gets displayed to the user directly, eg. as the
Hypothesis client will do in a toaster at the top of the sidebar.

295206d

hmstepanek


      Add check_icu_plugin param to search.init

Instead of passing in a full dictionary of settings into search.init,
change search.init to accept a single boolean value for check_icu_plugin
and default it to True. This way the settings don't get passed around the
code, it is backwards compatible, and is a lot less invasive of a change.

ef896b5

hmstepanek


      Merge pull request #5220 from jmcarp/skip-plugin-check

Optionally skip elastic plugin check.

b24b4d2

hmstepanek


      Merge pull request #5271 from hypothesis/remove-es-connect

Remove code that establishes elasticsearch_dsl's default connection

e1400cd

hmstepanek


      Fix date parsing logic

There was a problem where if a date that was just a year such as
"2017" was passed into the date parsing logic it would be interpreted
as ms since the epoch instead of going through the date parser.
This has been fixed along with some subtle cleanups to names of
methods and doc strings to make the code more readable.

fdd28ef

robertknight


      Allow "uri.parts" as a query param argument to /api/search

This existing query param was missed when validation of query params to
the search API was added recently.

Many users of this parameter will be better served by the upcoming
wildcard URI search support, but since there were users of the existing
query param, it makes sense to continue to support it.

819bde9

robertknight


      Add "uri.parts" query param to /api/search documentation

89e2896

robertknight


      Merge pull request #5273 from hypothesis/split-json-error-view

Split json_error exception view into API and non-API request handlers

cc0e7e5

robertknight


      Merge pull request #5235 from hypothesis/fix-sliding-window

Fix sliding window

3e8ee13

lyzadanger


      Merge pull request #5265 from hypothesis/api-docs-group-security

Fix security documentation for POST api/groups/{id}/members/{user}

a3b92ae

lyzadanger


      Merge pull request #5268 from hypothesis/handle-userid-value-error-api

Make `h.views.api.groups` handle userid ValueError from user service

fa0420d

lyzadanger


      Add `client_authority` function and tests

56fcd5c

lyzadanger


      Merge pull request #5274 from hypothesis/client-authority-util

Add utility method to determine current auth client authority

56a3b7f

robertknight


      Add minimal functional tests for RSS feeds

We inadvertently broke the RSS feeds in production. This was resolved in
#5262 but I think it would be useful
to have a couple of basic functional tests as extra security.

d871f6d

lyzadanger


      Change auth_client `authority` principal -> `client_authority`

f8e829d

hmstepanek


      Change keywords to keyword in uri.parts desc

b0e468c

hmstepanek


      Merge pull request #5276 from hypothesis/add-uri-parts-to-schema

Allow "uri.parts" as a query param argument to /api/search

339da67

robertknight


      Merge pull request #5277 from hypothesis/rss-functional-tests

Add minimal functional tests for RSS feeds

1db033f

lyzadanger


      Merge pull request #5278 from hypothesis/adjust-auth-client-principals

Change auth_client `authority` principal to `client_authority`

d7f868c

lyzadanger


      Add `AuthClient` role-principal and assign it to authClient requests

005a725

robertknight


      Replace deprecated `log.warn` with `log.warning`

See deprecation notice in https://docs.python.org/3/library/logging.html#logging.Logger.warning

seanh


      Merge pull request #5283 from hypothesis/log-warn-to-warning

Replace deprecated `log.warn` with `log.warning`

a1fcdea

lyzadanger


      Add `member_add` permission to group model ACL

8f82ffa

lyzadanger


      Extend AuthClient policy to member-add endpoint; use permission on view

Extend the AuthClient policy to `POST /api/groups/{pubid}/members/{userid}`
and change the group to authorize on permission `member_add` on Group

Remove old view-level auth code and update tests

cbbdf5c

lyzadanger


      Add rudimentary tests to `h.traversal.roots.Root`

1c731b0

lyzadanger


      Merge pull request #5279 from hypothesis/authz-for-add-group-member

Extend AuthPolicy, add Authorization to API add-group-member endpoint

e2427ce

lyzadanger


      Merge pull request #5285 from hypothesis/add-root-tests

Add rudimentary tests to `h.traversal.roots.Root`

03f8277

lyzadanger


      Merge pull request #5284 from hypothesis/auth-client-role

Add `AuthClient` role-principal and assign it to authClient requests

a1d3d81

seanh


      Fix dangerous default values

f117e27

seanh


      Remove an unnecessary default value

This function is never called without passing `expand`, and `expand` is
never `None`.

fcfc1ac

seanh


      Fix another dangerous default value

Remove the argument entirely because it's only ever used by the tests,
and the only to pass in the same value as the default value.

93ac1e5

seanh


      Merge pull request #5238 from hypothesis/fix-dangerous-default-values

Fix dangerous default values

50a5f5b

dwolfe


      Change page title and button text for create group page.

Since we have different types of groups, and previously
we didn't explicitly say what type of group is created with
this form, we're updating the page title to be more clear.
Fixes #5290

fca56e8

dwolfe


      Merge pull request #5291 from hypothesis/change-page-title

Change page title and button text for create group page.

a6a5300

seanh


      Don't call pytest fixtures directly

Several tests were triggering "fixtures are not meant to be called
directly" warnings from pytest, and in a future version of pytest it
won't even be _possible_ to call fixtures directly. Fix the code to no
longer call fixtures directly.

seanh


      Fix an SQLAlchemy unicode warning

We're reading the value of the X-Forwarded-User header, which in Python
2 is a byte string, and then using it in an SQLAlchemy query which is
triggering a unicode warning from SQLAlchemy:

    Unicode type received non-unicode bind param value

This is because we're passing SQLAlchemy a byte string and asking it to
match it against a unicode column.

Fix this by decoding the byte string to unicode first.

Once we've moved to Python 3 we can remove this decoding: request header
values are unicode already in Python 3.

3cc0b5a

seanh


      Merge pull request #5293 from hypothesis/fix-sqlalchemy-unicode-warning

Fix an SQLAlchemy unicode warning

0cfdc6c

seanh


      Fix Pyramid deprecation warning

`check_csrf` was deprecated in Pyramid 1.7:

https://docs.pylonsproject.org/projects/pyramid/en/latest/whatsnew-1.7.html?highlight=check_csrf#deprecations

The new `require_csrf` view option was added in Pyramid 1.7, to be used
instead of `check_csrf`:

https://docs.pylonsproject.org/projects/pyramid/en/latest/whatsnew-1.7.html?highlight=check_csrf#feature-additions

The docs for the old, deprecated `check_csrf` can be found on this page:

https://docs.pylonsproject.org/projects/pyramid/en/1.6-branch/api/config.html?highlight=check_csrf#pyramid.config.Configurator.add_view

And here's the new `require_csrf`:

https://docs.pylonsproject.org/projects/pyramid/en/latest/narr/viewconfig.html?highlight=require_csrf#non-predicate-arguments

649275d

seanh


      Replace deprecated readfp()

Calling readfp() prints a warning in Python 3:

    DeprecationWarning: This method will be removed in future versions.  Use 'parser.read_file()' instead.

Fix this by calling read_file() instead. But read_file() isn't available
in Python < 3.2, so still use readfp() in older versions.

Here's the docs for the old, deprecated readfp():

https://docs.python.org/2/library/configparser.html?highlight=readfp#ConfigParser.RawConfigParser.readfp

Here's the docs for the new read_file():

https://docs.python.org/3/library/configparser.html?highlight=read_file#configparser.ConfigParser.read_file

6857b64

seanh


      Replace deprecated warn()

warn() is deprecated and prints a warning in newer versions of Python.
Use warning() instead.

f53a82e

seanh


      Upgrade Jinja2

Upgrade Jinja2 to the latest version by running this command:

    $ pip-compile --upgrade-package jinja2

This fixes a warning that the tests were printing out when run in Python
3:

    DeprecationWarning: Flags not at the start of the expression '\\w+(?u)'

Changelog: http://jinja.pocoo.org/docs/2.10/changelog/

4ddfaae

robertknight


      Merge pull request #5295 from hypothesis/replace-deprecated-readfp

Replace deprecated readfp()

3ab1e0f

robertknight


      Merge pull request #5292 from hypothesis/dont-call-fixtures-directly

Don't call pytest fixtures directly

29bce2a

robertknight


      Merge pull request #5296 from hypothesis/replace-deprecated-warn

Replace deprecated warn()

e3f32eb

robertknight


      Merge pull request #5294 from hypothesis/fix-check_csrf-deprecation-w…

…arning

Fix Pyramid deprecation warning

6ef27f4

seanh


      Fix invalid string escapes

\ is the escape character in Python string literals:

https://docs.python.org/3/reference/lexical_analysis.html#string-and-bytes-literals

For example if you want to put a tab character in a string you would do:

    >>> print("foo \t bar")
    foo 	 bar

If you want to put a literal \ in a string you have to use \\:

    >>> print("foo \\ bar")
    foo \ bar

Or use a "raw string":

    >>> print(r"foo \ bar")
    foo \ bar

You can't just go putting backslashes in string literals whenever you
want one. A backslash isn't valid when not followed by one of the valid
escape sequences, and newer versions of Python print a deprecation
warning. For example \A isn't an escape sequence:

    $ python3.6 -Wd -c '"\A"'
    <string>:1: DeprecationWarning: invalid escape sequence \A

See: https://bugs.python.org/issue27364

If your backslash sequence does accidentally match one of Python's
escape sequences, but you didn't mean it to, that's even worse.

So you should always use raw strings or \\.

It's important to remember that a string literal is still a string
literal even if that string is intended to be used as a regular
expression. Python's regular expression syntax supports lots of special
sequences that begin with \. For example \A matches the start of a
string. But \A is not valid in a Python string literal! This is invalid:

    my_regex = "\Afoo"

Instead you should do this:

    my_regex = r"\Afoo"

See: https://docs.python.org/3/library/re.html

Docstrings are another one to remember: docstrings are string literals
too, and invalid \ sequences are invalid in docstrings too! Use raw
strings (`r"""..."""`) for docstrings if they contain \'s.

9fbfde5

seanh


      Merge pull request #5298 from hypothesis/fix-invalid-string-escapes

Fix invalid string escapes

682764d

judell and hmstepanek


      Add UriCombinedWildcardFilter

Searching for a partial url is a common use case. It is particularly
useful for publishers who want to know who has been making annotations
on all their articles. It is also useful for users who simply can't
remember the entire url of an article they have annotated.

Add UriCombinedWildcardFilter has two configurations:
 1. seperate_keys=True
    Wildcards are only present in wildcard_uri param values and exact
    matches are present in uri/url param values.
 1. seperate_keys=False
    Wildcards and exact matches are present in uri/url param values.

UriCombinedWildcardFilter igores all wildcard uri's that have wildcards
in the domain.

Remove UriFilter from default modifier list in Search class since
the UriCombinedWildcardFilter will need to replace it in certain
cases and there is no way to selectively remove modifiers. The
current design pattern is if the modifier is used by all searches,
then it is in the default list, since it will not be, drop it from
the default list.

Add both UriFilter and UriCombinedWildcardFilter's to the search __init__
module as they will be appended to the Search class modifier list as needed.

Modify all existing code that runs Search to append the UriFilter to the list
of modifiers before running a search.

bca9fce

hmstepanek


      Fix misspelling of seperate to separate

422ec2c

hmstepanek


      Normalize http://foo.com/* to http://foo.com

Import urlparse from h._compat
Wildcard uri's that don't contain wildcards are invalid.
Simplify test_matches tests.
Normalize http://foo.com/* to http://foo.com by also stripping `*`'s
before normalizing wildcard uri's.

fixup

80c7efa

hmstepanek


      fixup: logic for uri's w/o authority

Improve wording of Ignore invalid uri's comment.

s/compinsate/compensate

Escape backslashes in docstring.

s/ending_question_wildcard/trailing_wildcard in wildcard normalizer.

s/expected/expected_ann_idxs in test_matches.

a7e22dd

hmstepanek


      fixup: simplify the logic in wildcard_uri_is_valid

02afae1

hmstepanek


      fixup: change idxs to indexes in wildcard tests

4bb34ab

hmstepanek


      fixup: spelling treate->treat intrepted->interpreted

e975ca1

hmstepanek


      Remove use of using="default" for es connection

Since we chose not to go forward with using elasticsearch-dsl to
generate an elasticsearch connection, using "default" doesn't make
sense so simply pass the elasticsearch-dsl search the request.es.conn
in the tests instead.
This keeps the tests consistent with the rest of the code.

1820bcf

hmstepanek


      Merge pull request #5275 from hypothesis/add-uri-wildcard-filter

Add wildcard uri filter

0ef9193

robertknight


      Merge pull request #5303 from hypothesis/remove-use-of-es-dsl-default…

…-connection

Remove use of using="default" for es connection

2ee5dc5

seanh


      Merge pull request #5297 from hypothesis/upgrade-jinja2

Upgrade Jinja2

b4842c1

seanh


      Make the tests fail if any warnings are printed

42042dd

seanh


      Merge pull request #5287 from hypothesis/fail-tests-on-warnings

Make the tests fail if any warnings are printed

9094e81

judell and hmstepanek


      Append UriCombinedWildcardFilter in /api/search

This will allow searching for uri's containing wildcards via the
wildcard_uri parameter.

Add the wildcard_uri parameter to the schema and raise a validation
error if the uri value is invalid (aka contains wildcards in the
domain of the uri).

Update the docs to reflect the additional wildcard_uri parameter.

b5fd417

hmstepanek


      fixup: wildcard_uri documentation

17630d4

hmstepanek


      Add warning about wildcard being in beta in docs

d27d90b

hmstepanek


      Fix * at ends of netloc returning valid wildcard uri

aacff57

hmstepanek


      Default search_after date to 1/1/1970 00:00:00 0ms

Datetimes default the date to be the current date for fields that
aren't specified. This behavior is unintuitive and undesireable.
Dates should be defaulted to the first month, first day, 00:00:00 0ms.

9a55a83

hmstepanek


      Refactor es-dsl search obj creation into fixture

fc3cccf

hmstepanek


      Merge pull request #5286 from hypothesis/add-uri-wildcard-to-api-search

Add wildcard_uri parameter to /api/search

b673eeb

hmstepanek


      Merge pull request #5302 from hypothesis/fix-default-search-query-date

Default search_after date to 1/1/1970 00:00:00 0ms

0858a77

sheetaluk


      Add a field called hidden to an annotation document at the time of in…

…dexing.

This new field is set when all children of an annotation AND the
annotation itself, have been moderated.
We will then use this field to determine which annotations are displayed
and which ones are filtered out.

See hypothesis/product-backlog#583

a83e95c

sheetaluk


      Merge pull request #5289 from hypothesis/nipsas

Add a field called hidden to an annotation document at the time of indexing

91997c5

hmstepanek


      Enable searching for wildcard url's on activity pages (#5299)

* Add UriCombinedWildcardFilter to activity pages

Replace the UriFilter with the UriCombinedWildcardFilter on activity
pages so that the url facet now accepts and searches for wildcard urls.

Add a test.

* Add wildcard desc to url facet on activity pages

* Switch on wildcard activity page feature flag

* fixup: change wording of url facet

c96a9d2

hmstepanek


      Use popall in es search query modifiers (#5304)

* Use _pop_param_values in es search query modifiers

Previously each modifier had essentially the same code to extact
all values of the same key from the params multidict, now they just
call _pop_param_values(key) instead.

Some of the tests were passing in a dict-type value for params instead of
a MultiDict-type. This change forces the params to now be a MultiDict as it
uses a MultiDict-only method called getall().

* Set params type MultiDict in Search.run doc-string

* Rename _pop_param_values to popall

* Change Search to no longer make a copy of params

Search previously made a copy of the params that were passed to it.
This functioned mainly as a way of casting a NestedMultiDict type (readonly)
coming from request into a MultiDict type (mutable). Search calls
query filters that pop the params. In half of the cases where Search
is used, the params that are passed in are already in a poppable state
and copying is expensive thus let the code that calls Search decide whether
to copy/cast the params or not.

The badge view and tests were updated to pass a MultiDict.

The feeds view was updated to cast the request.params into a MultiDict.

The test for verifying the Search doesn't modify params was removed as this
is now expected behavior.

Update the description of params to explain that they will be popped.

2c85928

lyzadanger


      Add `create` permission to `GroupRoot`

28a96d9

lyzadanger


      Add `UserRoot` as route factory for `/api/users`

307abcd

sheetaluk


      Change the NipsaFilter to HiddenFilter to filter annotations which ar…

…e moderated or belong to a nipsaed user.

See hypothesis/product-backlog#583

5c76a16

lyzadanger


      Update AuthClientPolicy route whitelisting

The former method of pattern-matching on request.path was kludgy and
resulted in at least one bug from oversight. The new whitelist here
is easier to read as a human and is matched against the
request’s `matched_route` object.

0fbc240

lyzadanger


      Protect `POST /api/users` with permission instead of view logic

Remove view-level auth* checking on auth-client as authn now happens
in AuthClientPolicy and authz via a permission on the `UserRoot`
traversal root.

This endpoint will temporarily return a 404 instead of a 403 on
authz fail because of the way that API view exceptions intercept
403s. To be fixed soon

3e617ac

lyzadanger


      raise `ValidationError` if `authority` param mismatch

Raise a `ValidationError` if supplied `authority` param
does not match the verified auth client authority

065f787

lyzadanger


      Factor out new `h.views.api.index` module

82b8d45

lyzadanger


      Add security warning on admin/create-oauth-client form

a726ebf

robertknight and lyzadanger


      Put the security warning in a yellow box to make it stand out more

dfeda28

lyzadanger


      fixup! Factor out new `h.views.api.index` module

lyzadanger


      Merge pull request #5314 from hypothesis/admin-auth-client-warning

Add security warning on admin/create-oauth-client form

2b1f5bd

sheetaluk


      Merge pull request #5309 from hypothesis/filters

Add new HiddenFilter to filter annotations which are moderated or belong to a nipsaed user.

e9f6143

lyzadanger


      Update documentation about API Authorizations

Expand explanation of `clientCredentials` and add section for
forwarded users

68828d1

sheetaluk


      Revert "Add new HiddenFilter to filter annotations which are moderate…

…d or belong to a nipsaed user."

cad8662

sheetaluk


      Merge pull request #5317 from hypothesis/revert-5309-filters

Revert "Add new HiddenFilter to filter annotations which are moderated or belong to a nipsaed user."

fe6d7ab

lyzadanger


      Merge pull request #5316 from hypothesis/api-authorization-docs

Update documentation about API Authorizations

8ce91ca

lyzadanger


      Merge pull request #5315 from hypothesis/api-index

Factor out new `h.views.api.index` module

3a72a63

lyzadanger


      Merge pull request #5288 from hypothesis/add-create-user-permission

Add create user permission and update `POST /api/users` authz

2936c6e

lyzadanger


      Make `UserRoot.__getitem__` aware of `client_authority`

Make it possible to retrieve User models from third-party authorities
when a verified/auth’d auth client is present in the request.

e3bab68

lyzadanger


      Add functional tests for `PATCH /api/user/{username}`

7a5ab3a

lyzadanger


      Add factory and traversal to `PATCH /api/users` route

819d85d

lyzadanger


      Add `PATCH /api/users/{username}` to auth_client whitelist

2a7a1da

lyzadanger


      Add ACL to `h.models.user`

a5e6c8e

lyzadanger


      Protect `PATCH /api/users/{username}` with a permission

Instead of using view-level logic, update the view to
match on a permission assigned in the User model’s ACL

893af11

lyzadanger


      Factor out `links` module in `h.views.api`

876d963

lyzadanger


      Merge pull request #5319 from hypothesis/api-links

Factor out `links` module in `h.views.api`

8962ed9

lyzadanger


      Move `h.validators` -> `h.schemas.validators`

ee213f0

robertknight


      Merge pull request #5320 from hypothesis/move-validators-schemas

Move `h.validators` -> `h.schemas.validators`

f8225b5

lyzadanger


      Merge pull request #5318 from hypothesis/add-update-user-permission

Add update-user permission; use AuthClient auth'n for `PATCH /api/user/{username}`

a0a6cca

@@ -0,0 +1,13 @@
+    [run]
+    branch = True
+    omit =
+        # development
+        h/debug.py
+        # migrations
+        h/migrations/*
+    [paths]
+    source =
+       src/memex
+       .tox/*/lib/python*/site-packages/memex

@@ -0,0 +1,20 @@
+    root = true
+    [*]
+    charset = utf-8
+    end_of_line = lf
+    indent_style = space
+    insert_final_newline = true
+    trim_trailing_whitespace = true
+    [*.{html,jinja2,js,json,scss,yaml,yml}]
+    indent_size = 2
+    [*.py]
+    indent_size = 4
+    [Makefile]
+    indent_style = tab
+    [{.travis.yml}]
+    indent_size = 2

@@ -0,0 +1,12 @@
+    {
+      "extends": "hypothesis",
+      "rules": {
+        "arrow-parens": ["error", "as-needed", { "requireForBlockBody": true }],
+        "arrow-spacing": "error",
+        "no-var": "error",
+        "keyword-spacing": "error",
+        "prefer-arrow-callback": "error",
+        "prefer-const": ["error", { "destructuring": "all" }],
+        "space-before-blocks": "error"
+      }
+    }

@@ -1 +1,3 @@
     h/_version.py export-subst
+    h/browser/chrome/content/build/* linguist-vendored
+    h/browser/chrome/content/web/* linguist-vendored

@@ -0,0 +1,36 @@
+    <!--
+    Thank you for reporting an issue with Hypothesis! This is our bug tracker. If
+    you have any support questions please email support@hypothes.is instead.
+    In order to make it easy for us to help you, please note the following:
+. Only report **bugs** with Hypothesis here. If you want to discuss potential
+       new features, please use our developer mailing list:
+           https://groups.google.com/a/list.hypothes.is/forum/#!forum/dev
+. Be sure to check that the bug you're reporting isn't already reported. You
+       can use the GitHub issues search box to help with this.
+. Fill out the information requested by the template below. If you can't supply
+       all the information, don't worry, but do please use the template.
+    -->
+    ### Steps to reproduce
+.
+.
+.
+    ### Expected behaviour
+    Tell us what should happen.
+    ### Actual behaviour
+    Tell us what happens instead.
+    ### Browser/system information
+    Tell us which browser, browser version, and operating system you were using when
+    you encountered this issue.
+    ### Additional details
+    If you have other information which might be helpful, please include it. If a
+    screenshot will help to illustrate the issue you are reporting, please include
+    one.

hypothesis/h

Comparing changes

Open a pull request

No commit comments for this range

@@ -0,0 +1,3 @@
+    {
+      "presets": ["es2015"]
+    }

@@ -0,0 +1,4 @@
+    # Label to use when marking as stale
+    staleLabel: stale
+    # Limit to only `issues` or `pulls`
+    only: pulls

@@ -1,27 +1,38 @@
-    /*.db
-    /*.db-journal
-    /*.egg
-    /*.egg-info
-    /*.ini
-    /MANIFEST
-    /bin
-    /build
-    /dist
-    /docs/_build
-    /h/css
-    /h/js
-    /h/lib
-    /h/static/.sass-cache
-    /h/static/.webassets-cache
-    /include
-    /lib
-    /local
-    /man
-    /node_modules
-    /share
-    /src
+    MANIFEST
+    build/
+    dist/
+    docs/_build/
+    node_modules/
+    # Pyramid debug mailer
+    mail/
+    # py.test state cache
+    .cache/
+    .coverage
+    .coverage.*
+    .hypothesis/
+    .tox/
+    .eggs/
+    *.egg
+    *.egg-info
+    .pydeps
+    .pytest_cache
+    # development TLS cert/key
+    .tlscert.pem
+    .tlscsr.pem
+    .tlskey.pem
     *.pyc
     *.pyo
+    *.pid
     *.log
+    celerybeat-schedule
+    celerybeat-schedule.*
+    # Temp file for `make test-py3` target
+    tests/py3-actual-failures.txt

@@ -0,0 +1,26 @@
+    A. Frederick Dudley <a.frederick.dudley@gmail.com>
+    Alice Wyan <alice@finitud.org> Alice Wyan <finitud@users.noreply.github.com>
+    Alice Wyan <alice@finitud.org> keybase.io/wyan <wyan@keybase.io>
+    Aron Carroll <aron@hypothes.is> Aron Carroll <aron@users.noreply.github.com>
+    Aron Carroll <aron@hypothes.is> Aron Carroll <self@aroncarroll.com>
+    Benjamin Young <byoung@bigbluehat.com>
+    Christof Dorner <christof@chdorner.com>
+    Conor Delahunty <conordelahunty@hypothes.is>
+    Gerben <gerben@treora.com> Gerben <Treora@users.noreply.github.com>
+    Gergely Ujvari <ujvari@hypothes.is>
+    Gergely Ujvari <ujvari@hypothes.is> Ujvari Gergely <ujvari@cliqz.com>
+    Gergely Ujvari <ujvari@hypothes.is> ujvari <ujvari@Nibiru.Gaia>
+    Jake Hartnell <jakehartnell@hypothes.is>
+    Jake Hartnell <jakehartnell@hypothes.is> Jake Hartnell <Jake.Hartnell@berkeley.edu>
+    Jake Hartnell <jakehartnell@hypothes.is> Jake Hartnell <Jake.Hartnell@gmail.com>
+    Jake Hartnell <jakehartnell@hypothes.is> Jake Hartnell <JakeHartnell@hypothes.is>
+    Jake Hartnell <jakehartnell@hypothes.is> Jake Hartnell <RawKStar77@aol.com>
+    Jake Hartnell <jakehartnell@hypothes.is> RawKStar77 <RawKStar77@aol.com>
+    Jehan Tremback <jehan.tremback@gmail.com> Jehan <jehan.tremback@gmail.com>
+    José Padilla <jpadilla@webapplicate.com>
+    Kristof Csillag <csillag@hypothes.is> Kristof Csillag <csillag@nolmecolindor.com>
+    Kristof Csillag <csillag@hypothes.is> csillag <csillag@harmacolindor.com>
+    Lena Gunn <lenazun@gmail.com>
+    Randall Leeds <tilgovi@hypothes.is> Randall Leeds <randall.leeds@gmail.com>
+    Randall Leeds <tilgovi@hypothes.is> Randall Leeds <randall@bleeds.info>
+    Sean Hammond <git@seanh.cc> Sean Hammond <seanh@users.noreply.github.com>

@@ -1,19 +1,63 @@
-    output_format: grouped
-    inherits:
-      - full_pep8
-      - strictness_low
+    output-format: grouped
+    strictness: veryhigh
+    doc-warnings: true
+    max-line-length: 160
+    # We run flake8 first and then prospector as a second-pass linter.
+    # Since flake8 already runs pyflakes, pep8 and mccabe, don't run them again
+    # with prospector.
+    mccabe:
+      run: false
+    pep8:
+      run: false
+    pep257:
+      disable:
+        - D203 # "1 blank line required before class docstring" conflicts with
+               # another pep257 rule D211 "No blank lines allowed before class
+               # docstring"!
+        - D212 # "Multi-line docstring summary should start at the first line"
+               # conflicts with another pep257 rule D213 "Multi-line docstring
+               # summary should start at the second line"
+    pyflakes:
+      run: false
     pylint:
+      enable:
+        - relative-import
       disable:
-        # This check (for missing method arguments) is broken in latest pylint:
-        #
-        #     https://bitbucket.org/logilab/pylint/issue/205
-        - E1120
-        # This check (for inherited objects to be classes) is broken in pylint 1.4
-        # for zope.interface.Interface.
-        - E0239
-    pep8:
+        - line-too-long  # PEP8 checks this and doesn't complain about
+                         # unavoidable long lines (such as URLs).
+        - missing-docstring  # The pep257 tool reports missing docstrings to us
+                             # so we don't need pylint to do so.
+        - too-few-public-methods
       options:
-        max-line-length: 79
-    ignore:
-      - "^_version.py"
-      - "^migrations/"
+        # Some good names that pylint would otherwise reject:
+        #
+        # - _: placeholder
+        # - i,j,k: counters
+        # - k,v: dict iteration
+        # - db,fn: common abbreviations
+        # - fp: python idiom for file handles
+        #
+        # Some good "constant" names that pylint would otherwise reject:
+        #
+        # - log: common in "log = logging.getLogger(__name__)" pattern
+        # - parser: common in modules that use argparse
+        # - id: Commonly used as a class attribute / database column name in
+        #       sqlalchemy model classes. Note that if you use id as the name of
+        #       a local variable or parameter, pylint will still complain that
+        #       you're shadowing the builtin.
+        #
+        good-names: _,i,j,k,v,e,db,fn,fp,log,parser,id,es
+    pyroma:
+      run: true
+    ignore-paths:
+      - gunicorn.conf.py
+      - h/_version.py
+      - h/migrations/
+      - h/static/
+      - node_modules/
+      - versioneer.py
+    ignore-patterns:
+      - '.*\.egg'
+      - '.*conftest\.py'

@@ -0,0 +1,4 @@
+    # autogenerated pyup.io config file
+    # see https://pyup.io/docs/configuration/ for all available options
+    update: insecure

@@ -1,25 +1,75 @@
-    language:
-      - python
-    python:
-      - '2.7'
-    before_install:
-      - sudo /usr/share/elasticsearch/bin/plugin -install elasticsearch/elasticsearch-analysis-icu/2.3.0
-      - sudo service elasticsearch restart
-    install:
-      - gem install sass
-      - gem install compass
-      - pip install prospector
-      - make
-    services:
-      - elasticsearch
-    script:
-      - make test
-      - prospector -P .prospector.yaml h
-      - hypothesis extension development.ini chrome http://localhost
-      - hypothesis extension development.ini firefox http://localhost
+    # use Travis container build infrastructure
+    sudo: false
+    matrix:
+      include:
+        # Python (backend) tests
+        - env: ACTION=tox
+          language: python
+          python: '2.7'
+          addons:
+            postgresql: "9.4"
+          before_install:
+            - ./scripts/elasticsearch.sh
+          install: pip install tox
+          before_script: createdb htest
+          script: tox
+          after_success:
+            tox -e coverage
+            tox -e codecov
+        - env: ACTION=tox-py3
+          language: python
+          python: '3.6'
+          addons:
+            postgresql: '9.4'
+          before_install:
+            - ./scripts/elasticsearch.sh
+          install: pip install tox
+          before_script: createdb htest
+          script:
+            make test-py3
+        # Test web application frontend
+        - env: ACTION=gulp
+          language: node_js
+          # We currently build production against Alpine v3.4:
+          #
+          #   https://pkgs.alpinelinux.org/packages?name=nodejs&branch=v3.4
+          node_js: '6.7'
+          before_install: npm install gulp-cli
+          script: gulp test
+        # Lint frontend code
+        - env: ACTION=frontend-lint
+          language: node_js
+          node_js: '6.7'
+          script:
+            gulp lint
+        # Lint backend code
+        - env: ACTION=backend-lint
+          language: python
+          python: '3.6'
+          script:
+            make lint
+        # Check the docs build for warnings or errors.
+        - env: ACTION=check-docs
+          language: python
+          python: '3.6'
+          install: pip install tox
+          script:
+            make checkdocs
+    cache:
+      directories:
+        - node_modules
+        - $HOME/.cache/pip
+    before_cache:
+      - rm -f $HOME/.cache/pip/log/debug.log
     notifications:
-      irc:
-        channels:
-           "chat.freenode.net#hypothes.is"
-        on_success: "change"
-        on_failure: "always"
+      slack:
+        rooms:
+          - secure: SKPwtfoH32aDop6hLhQdgrUhl58gM6CMBUATMdq0KMmEwCxskPbIArqxGUKxeeiO3c3jBQ+Yuq3b4m8GbR2AJxxelO0DRLNyV1lAjfeJ/QzCc3Taxqo0yel4uAFNg/oCYWH50dv2oAgDP3CHk/tKXmsgDWOjcm6A6k35xst16xI=
+        on_success: change
+        on_failure: always