paulmataruso/zulip
1
0
Fork 0
mirror of https://github.com/zulip/zulip.git synced 2025-11-17 20:41:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

Restrict the get_public_streams query to non-MIT or superusers

Browse Source 
(imported from commit ede1dff6176e6a39da126948ce307941e6dffaec)
This commit is contained in:
Zev Benjamin
2013-01-10 14:47:25 -05:00
parent 76b1e4778d
commit 044fc61be2
1 changed files with 3 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
zephyr/views.py
View File

@@ -755,6 +755,9 @@ def json_get_public_streams(request, user_profile):
return get_public_streams_backend(request, user_profile) return get_public_streams_backend(request, user_profile)
def get_public_streams_backend(request, user_profile): def get_public_streams_backend(request, user_profile):
if user_profile.realm.domain == "mit.edu" and not is_super_user_api(request):
return json_error("User not authorized for this query")
# Only get streams someone is currently subscribed to # Only get streams someone is currently subscribed to
subs_filter = Subscription.objects.filter(active=True).values('recipient_id') subs_filter = Subscription.objects.filter(active=True).values('recipient_id')
stream_ids = Recipient.objects.filter( stream_ids = Recipient.objects.filter(