Restrict the get_public_streams query to non-MIT or superusers

(imported from commit ede1dff6176e6a39da126948ce307941e6dffaec)
2025-11-17 04:12:02 +00:00 · 2013-01-10 14:47:25 -05:00
parent 76b1e4778d
commit 044fc61be2
1 changed files with 3 additions and 0 deletions
--- a/zephyr/views.py
+++ b/zephyr/views.py
@@ -755,6 +755,9 @@ def json_get_public_streams(request, user_profile):
    return get_public_streams_backend(request, user_profile)

 def get_public_streams_backend(request, user_profile):
+    if user_profile.realm.domain == "mit.edu" and not is_super_user_api(request):
+        return json_error("User not authorized for this query")
+
    # Only get streams someone is currently subscribed to
    subs_filter = Subscription.objects.filter(active=True).values('recipient_id')
    stream_ids = Recipient.objects.filter(