bots: Check bot owner for deactivated users and bots.

We should not allow a deactivated user or a bot to be
set as a bot's owner.
Shubham Dhama
2018-02-13 16:24:16 +05:30
committed by Tim Abbott
parent adfc905c3f
commit 03e4026c62
2 changed files with 43 additions and 1 deletions


@@ -9,7 +9,7 @@ from django.test import override_settings
from mock import patch from mock import patch
from typing import Any, Dict, List, Mapping from typing import Any, Dict, List, Mapping
from zerver.lib.actions import do_change_stream_invite_only from zerver.lib.actions import do_change_stream_invite_only, do_deactivate_user
from zerver.lib.bot_config import get_bot_config from zerver.lib.bot_config import get_bot_config
from zerver.models import get_realm, get_stream, \ from zerver.models import get_realm, get_stream, \
Realm, Stream, UserProfile, get_user, get_bot_services, Service, \ Realm, Stream, UserProfile, get_user, get_bot_services, Service, \
@@ -663,6 +663,44 @@ class BotTest(ZulipTestCase, UploadSerializeMixin):
profile = get_user('hambot-bot@zulip.testserver', get_realm('zulip')) profile = get_user('hambot-bot@zulip.testserver', get_realm('zulip'))
self.assertEqual(profile.bot_owner, self.example_user("hamlet")) self.assertEqual(profile.bot_owner, self.example_user("hamlet"))
def test_patch_bot_owner_deactivated(self) -> None:
self.login(self.example_email('hamlet'))
self.create_bot()
self.assert_num_bots_equal(1)
target_user_profile = self.example_user("othello")
do_deactivate_user(target_user_profile)
target_user_profile = self.example_user('othello')
self.assertFalse(target_user_profile.is_active)
bot_info = {
'bot_owner': self.example_email('othello'),
}
result = self.client_patch("/json/bots/hambot-bot@zulip.testserver", bot_info)
self.assert_json_error(result, "Failed to change owner, user is deactivated")
profile = get_user('hambot-bot@zulip.testserver', get_realm('zulip'))
self.assertEqual(profile.bot_owner, self.example_user("hamlet"))
def test_patch_bot_owner_a_bot(self) -> None:
self.login(self.example_email('hamlet'))
self.create_bot()
self.assert_num_bots_equal(1)
bot_info = {
'full_name': u'Another Bot of Hamlet',
'short_name': u'hamelbot',
}
result = self.client_post("/json/bots", bot_info)
self.assert_json_success(result)
bot_info = {
'bot_owner': 'hamelbot-bot@zulip.testserver',
}
result = self.client_patch("/json/bots/hambot-bot@zulip.testserver", bot_info)
self.assert_json_error(result, "Failed to change owner, bots can't own other bots")
profile = get_user('hambot-bot@zulip.testserver', get_realm('zulip'))
self.assertEqual(profile.bot_owner, self.example_user("hamlet"))
@override_settings(LOCAL_UPLOADS_DIR='var/bot_avatar') @override_settings(LOCAL_UPLOADS_DIR='var/bot_avatar')
def test_patch_bot_avatar(self) -> None: def test_patch_bot_avatar(self) -> None:
self.login(self.example_email('hamlet')) self.login(self.example_email('hamlet'))
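Review bot: Neither new test covers a proposed owner that is both a bot and deactivated, so the order of the two checks in the view, and therefore which error the client receives, is not pinned. A third case that deactivates `hamelbot-bot@zulip.testserver` before the PATCH, then asserts the error and the unchanged `bot_owner`, would close that gap. A one-line docstring on each test, for example `"""A deactivated user cannot be made a bot's owner."""`, would also state the rule being protected.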


@@ -177,6 +177,10 @@ def patch_bot_backend(
owner = get_user(bot_owner, user_profile.realm) owner = get_user(bot_owner, user_profile.realm)
except UserProfile.DoesNotExist: except UserProfile.DoesNotExist:
return json_error(_('Failed to change owner, no such user')) return json_error(_('Failed to change owner, no such user'))
if not owner.is_active:
return json_error(_('Failed to change owner, user is deactivated'))
if owner.is_bot:
return json_error(_("Failed to change owner, bots can't own other bots"))
do_change_bot_owner(bot, owner, user_profile) do_change_bot_owner(bot, owner, user_profile)
if default_sending_stream is not None: if default_sending_stream is not None:
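Review bot: The new `is_active` and `is_bot` checks live only in this view, so the rule that a bot's owner must be an active, non-bot account holds only for requests that reach `patch_bot_backend`; `do_change_bot_owner` still accepts whatever `owner` it is handed. If that function has other callers (none are visible here), consider enforcing the rule inside it or in a helper both paths share, and put a short comment above the checks such as `# Ownership may only pass to an active, non-bot account.` The three distinct error strings also let a caller tell a nonexistent account from a deactivated one or a bot; that is probably acceptable if realm members can already see this information, but it is worth confirming. The body of `patch_bot_backend` starts and ends outside this hunk.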