The following changes are still to be decided:
- how to tell userr when the service will be up
again on the PaaS failwhale page
- contact information for both pages
Anytime a user clicks "sign out" we should be signing them out server side as well. This can be accomplished by setting the Users.current_session_id = null.
I found that the method User.logged_in_elsewhere doesn't need to check if the current_session_id is None. The current_session_ids in the cookie and db (redis or postgres) then the user should be forced to log in again.
previously it assumed that invalid_pages would always exist, however it
might be `None` if the error isn't on a specific page. Errors on
specific pages include a page not being A4 or content being outside the
boundary. Errors not on specific pages include the file not being a pdf,
or containing too many pages
Cookies using the hostname as a domain will be set
with a prefix of `.` by browsers, it seems to
ensure all subdomains are included in the scope.
When deleting the `seen_cookie_message` cookie we
want to set its domain without a `.` prefix, to
match the domain set by the original code.
Leaving the `domain` attribute out from the cookie
string will ensure the `.` prefix is not set.
make sure everything is using the `nl2br` formatter that properly wraps
it in markdown to keep everything sanitised nicely. Also write a couple
of tests
We have been clearing all the Google Analytics
cookies on each page request.
It is now possible for a user to consent to having
Google Analytics cookies so this should have been
checking for that before deleting them.
This makes that change, with tests for those
scenarios.
Removes the following fields from the tracker
config:
- `name`, which was erroring due to it
including a `.`
- `displayFeaturesTask` which seems to be
deprecated
Also refactors the `create` command to put all
fields into the options parameter, as shown in the
developer docs:
https://developers.google.com/analytics/devguides/collection/analyticsjs/creating-trackers
service contact blocks contain new lines - and jinja2 normally ignores
newlines (as in it keeps them as new lines) - but we need to turn them
into `<br>` tags so that we can show the formatting that the user has
added. We were previously just doing `{{ block | nl2br | safe }}`. nl2br
turns the new lines into `<br>` tags, and then `safe` tells jinja that
it doesn't need to escape the html.
this causes issues if the user adds `<script>alert(1)</script>` to their
contact block (or some other evil xss hack), where that will get let
through due to the safe flag
To solve this, use `Markup(html='escape')` to sanitise any html, and
then convert new lines to <br>.
bump utils
another xss
`recently_created` says it would just be looking at the `created_at`
field to see if it's been created recently. Technically this method
isn't doing that, whilst its behaviour would be similar, it's actually
different and maybe therefore a bit misleading.
Rather than hard-coding a format string in a bunch of different places
we can use the function we already have in utils.
This commit also refactors some logic around password resets to put the
date-parsing changes in the most sensible bit of the codebase, so it’s
clearer what the intention of the view-layer code is.
The too many pages error was being returned when the file couldn’t be
read. This commit corrects the error message, and adds a test to make
sure this case is covered.
The API response for jobs includes a field called `job_status`. The API
response for uploads doesn’t.
The `Job` mode handles uploads and jobs, so it needs to account for the
possibility of the field not being there.
app/assets/javascripts/errorTracking.js sent
events to `window.ga`.
This extends the API of `window.GOVUK.Analytics`
to include support for sending events so all
calls to `window.ga` can use it instead of direct
access.
This use of `window.ga` was missed from the
initial work on `window.GOVUK.Anaytics`.
It looks like a link so its semantics should
identify it as one.
This can effect users of speech recognition
software, in scenarios where they instruct it to
click an element which looks like one thing but
the software can only identify as something else.
Visual users get the context from the proximity to
the h2 but we need to provide this for others.
I've tried using `aria-describedby` to link them
to the h2 but this ends up making the h2 text the
button's description in the accessibility tree. In
Voiceover this means you only get that information
as extra context, announced a while after the
label if the VO cursor stays on the button.
We want all the information in the accessible
label so chose this approach instead.
Paired with @aliuk2012 on the implementation and
with a view to making the component generic enough
to be used on digital marketplace apps as well.
These changes came from that session.
They include:
- removal of an unused `data-accept-cookies`
attribute
- removal of `govuk-!-padding-top-4` class and
moving of associated styles into component CSS
- swapping out the `aria-label` on the parent
element for an `aria-describedby` linked to the
h2 to have one thing labelling the banner region
- removal of unused CSS and any already provided
by the govuk-button class
- inclusion of @import's for styles attached to
govuk-body and govuk-button classes
