user_settings: Disable bot access to several endpoints.

These settings have no effect on bots, so this change is mostly about just avoiding confusion.
2025-11-02 21:13:36 +00:00 · 2017-04-16 13:10:56 -07:00
parent e14c940ecc
commit 0c8575e2dc
2 changed files with 15 additions and 3 deletions
--- a/zerver/tests/test_decorators.py
+++ b/zerver/tests/test_decorators.py
@@ -892,13 +892,22 @@ class TestInternalNotifyView(TestCase):
 class TestHumanUsersOnlyDecorator(ZulipTestCase):
    def test_human_only_endpoints(self):
        # type: () -> None
-        endpoints = [
+        post_endpoints = [
            "/api/v1/users/me/presence",
        ]
-        for endpoint in endpoints:
+        for endpoint in post_endpoints:
            result = self.client_post(endpoint, **self.api_auth('default-bot@zulip.com'))
            self.assert_json_error(result, "This endpoint does not accept bot requests.")

+        patch_endpoints = [
+            "/api/v1/settings/display",
+            "/api/v1/settings/notifications",
+            "/api/v1/settings/ui",
+        ]
+        for endpoint in patch_endpoints:
+            result = self.client_patch(endpoint, **self.api_auth('default-bot@zulip.com'))
+            self.assert_json_error(result, "This endpoint does not accept bot requests.")
+
 class TestAuthenticatedJsonPostViewDecorator(ZulipTestCase):
    def test_authenticated_json_post_view_if_everything_is_correct(self):
        # type: () -> None
--- a/zerver/views/user_settings.py
+++ b/zerver/views/user_settings.py
@@ -12,7 +12,7 @@ from django.template.loader import render_to_string
 from django.urls import reverse

 from zerver.decorator import authenticated_json_post_view, has_request_variables, \
-    zulip_login_required, REQ
+    zulip_login_required, REQ, human_users_only
 from zerver.lib.actions import do_change_password, \
    do_change_enable_desktop_notifications, \
    do_change_enter_sends, do_change_enable_sounds, \
@@ -74,6 +74,7 @@ def confirm_email_change(request, confirmation_key):
    }
    return render(request, 'confirmation/confirm_email_change.html', context=ctx)

+@human_users_only
@has_request_variables
 def json_change_ui_settings(request, user_profile,
                            autoscroll_forever=REQ(validator=check_bool,
@@ -153,6 +154,7 @@ def json_change_settings(request, user_profile,

    return json_success(result)

+@human_users_only
@has_request_variables
 def update_display_settings_backend(request, user_profile,
                                    twenty_four_hour_time=REQ(validator=check_bool, default=None),
@@ -197,6 +199,7 @@ def update_display_settings_backend(request, user_profile,

    return json_success(result)

+@human_users_only
@has_request_variables
 def json_change_notify_settings(request, user_profile,
                                enable_stream_desktop_notifications=REQ(validator=check_bool,