From 166d9282b896bdeecedca7ae4e01ba2369ca4407 Mon Sep 17 00:00:00 2001
From: Sahil Batra <sahil@zulip.com>
Date: Mon, 24 Feb 2025 20:14:11 +0530
Subject: [PATCH] streams: Use can_subscribe_group setting for checking
 permission.

This commit adds code to use can_subscribe_group setting in webapp.

Fixes part of #33417.
---
 tools/lib/capitalization.py                   |  2 +
 web/src/group_permission_settings.ts          |  1 +
 web/src/settings_config.ts                    |  3 +
 web/src/stream_create.ts                      |  2 +
 web/src/stream_data.ts                        | 64 +++++++++----
 web/src/stream_edit.ts                        |  5 +
 web/src/stream_events.ts                      |  3 +
 web/src/stream_settings_components.ts         |  6 +-
 web/src/stream_settings_ui.ts                 | 12 +++
 web/src/stream_types.ts                       |  2 +
 web/src/stream_ui_updates.ts                  | 10 ++
 .../group_setting_value_pill_input.hbs        |  8 +-
 .../stream_can_subscribe_group_label.hbs      |  4 +
 .../stream_settings/stream_types.hbs          |  5 +
 web/tests/compose_validate.test.cjs           |  3 +
 web/tests/composebox_typeahead.test.cjs       |  5 +
 web/tests/lib/example_settings.cjs            |  8 ++
 web/tests/message_view.test.cjs               |  1 +
 web/tests/peer_data.test.cjs                  |  1 +
 web/tests/stream_data.test.cjs                | 94 ++++++++++++++++++-
 web/tests/stream_events.test.cjs              | 21 +++++
 web/tests/stream_pill.test.cjs                |  3 +
 web/tests/stream_settings_ui.test.cjs         |  8 ++
 23 files changed, 244 insertions(+), 27 deletions(-)
 create mode 100644 web/templates/stream_settings/stream_can_subscribe_group_label.hbs

diff --git a/tools/lib/capitalization.py b/tools/lib/capitalization.py
index 491d639c68..6ca84803f4 100644
--- a/tools/lib/capitalization.py
+++ b/tools/lib/capitalization.py
@@ -180,6 +180,8 @@ IGNORED_PHRASES = [
     r"weeks",
     # Used in "Who can subscribe others to this channel" label.
     r"must be subscribed",
+    # Used in "Who can subscribe to this channel" label.
+    r"everyone except guests can subscribe to any public channel",
 ]
 
 # Sort regexes in descending order of their lengths. As a result, the
diff --git a/web/src/group_permission_settings.ts b/web/src/group_permission_settings.ts
index f08e594455..39bc6c4f74 100644
--- a/web/src/group_permission_settings.ts
+++ b/web/src/group_permission_settings.ts
@@ -69,6 +69,7 @@ export const stream_group_setting_name_schema = z.enum([
     "can_administer_channel_group",
     "can_remove_subscribers_group",
     "can_send_message_group",
+    "can_subscribe_group",
 ]);
 export type StreamGroupSettingName = z.infer<typeof stream_group_setting_name_schema>;
 
diff --git a/web/src/settings_config.ts b/web/src/settings_config.ts
index 494f0b5032..27f448fe23 100644
--- a/web/src/settings_config.ts
+++ b/web/src/settings_config.ts
@@ -662,6 +662,7 @@ export const all_group_setting_labels = {
         can_add_subscribers_group: $t({defaultMessage: "Who can subscribe anyone to this channel"}),
         can_send_message_group: $t({defaultMessage: "Who can post to this channel"}),
         can_administer_channel_group: $t({defaultMessage: "Who can administer this channel"}),
+        can_subscribe_group: $t({defaultMessage: "Who can subscribe to this channel"}),
         can_remove_subscribers_group: $t({
             defaultMessage: "Who can unsubscribe anyone from this channel",
         }),
@@ -752,12 +753,14 @@ export const owner_editable_realm_group_permission_settings = new Set([
 export const stream_group_permission_settings: StreamGroupSettingName[] = [
     "can_send_message_group",
     "can_administer_channel_group",
+    "can_subscribe_group",
     "can_add_subscribers_group",
     "can_remove_subscribers_group",
 ];
 
 export const stream_group_permission_settings_requiring_content_access: StreamGroupSettingName[] = [
     "can_add_subscribers_group",
+    "can_subscribe_group",
 ];
 
 // Order of settings is important, as this list is used to
diff --git a/web/src/stream_create.ts b/web/src/stream_create.ts
index e1596962be..c9a0e26456 100644
--- a/web/src/stream_create.ts
+++ b/web/src/stream_create.ts
@@ -515,6 +515,7 @@ export function show_new_stream_modal(): void {
     $("#stream_creation_form .default-stream input").prop("checked", false);
     update_announce_stream_state();
     stream_ui_updates.update_can_add_subscribers_group_label($("#stream-creation"));
+    stream_ui_updates.update_can_subscribe_group_label($("#stream-creation"));
     stream_ui_updates.update_default_stream_and_stream_privacy_state($("#stream-creation"));
     clear_error_display();
 }
@@ -545,6 +546,7 @@ export function set_up_handlers(): void {
     $container.on("change", ".stream-privacy-values input", () => {
         update_announce_stream_state();
         stream_ui_updates.update_default_stream_and_stream_privacy_state($container);
+        stream_ui_updates.update_can_subscribe_group_label($container);
         // We update the label on `can_add_subscribers_groups` in the
         // listener attached to `.stream-privacy-values input` on
         // `#channels_overlay_container` which covers both stream
diff --git a/web/src/stream_data.ts b/web/src/stream_data.ts
index 297cde89b3..42bf7d5aae 100644
--- a/web/src/stream_data.ts
+++ b/web/src/stream_data.ts
@@ -518,6 +518,37 @@ export function has_metadata_access(sub: StreamSubscription): boolean {
         return true;
     }
 
+    const can_subscribe = settings_data.user_has_permission_for_group_setting(
+        sub.can_subscribe_group,
+        "can_subscribe_group",
+        "stream",
+    );
+    if (can_subscribe) {
+        return true;
+    }
+
+    return false;
+}
+
+export function has_content_access_via_group_permissions(sub: StreamSubscription): boolean {
+    const can_add_subscribers = settings_data.user_has_permission_for_group_setting(
+        sub.can_add_subscribers_group,
+        "can_add_subscribers_group",
+        "stream",
+    );
+    if (can_add_subscribers) {
+        return true;
+    }
+
+    const can_subscribe = settings_data.user_has_permission_for_group_setting(
+        sub.can_subscribe_group,
+        "can_subscribe_group",
+        "stream",
+    );
+    if (can_subscribe) {
+        return true;
+    }
+
     return false;
 }
 
@@ -543,12 +574,7 @@ export let has_content_access = (sub: StreamSubscription): boolean => {
         return false;
     }
 
-    const can_add_subscribers = settings_data.user_has_permission_for_group_setting(
-        sub.can_add_subscribers_group,
-        "can_add_subscribers_group",
-        "stream",
-    );
-    if (can_add_subscribers) {
+    if (has_content_access_via_group_permissions(sub)) {
         return true;
     }
 
@@ -584,18 +610,20 @@ function can_administer_channel(sub: StreamSubscription): boolean {
 }
 
 export function can_toggle_subscription(sub: StreamSubscription): boolean {
-    // You can always remove your subscription if you're subscribed.
-    //
-    // One can only join a stream if it is public (!invite_only) and
-    // your role is Member or above (!is_guest).
-    // Spectators cannot subscribe to any streams.
-    //
-    // Note that the correctness of this logic relies on the fact that
-    // one cannot be subscribed to a deactivated stream.
-    return (
-        (sub.subscribed || (!current_user.is_guest && !(sub.invite_only || sub.is_archived))) &&
-        !page_params.is_spectator
-    );
+    if (page_params.is_spectator) {
+        return false;
+    }
+
+    // Currently, you can always remove your subscription if you're subscribed.
+    if (sub.subscribed) {
+        return true;
+    }
+
+    if (has_content_access(sub)) {
+        return true;
+    }
+
+    return false;
 }
 
 export function get_current_user_and_their_bots_with_post_messages_permission(
diff --git a/web/src/stream_edit.ts b/web/src/stream_edit.ts
index 0b1b46f39d..15e6690c5a 100644
--- a/web/src/stream_edit.ts
+++ b/web/src/stream_edit.ts
@@ -287,6 +287,7 @@ export function show_settings_for(node: HTMLElement): void {
     stream_ui_updates.enable_or_disable_permission_settings_in_edit_panel(sub);
     setup_group_setting_widgets(slim_sub);
     stream_ui_updates.update_can_add_subscribers_group_label($edit_container);
+    stream_ui_updates.update_can_subscribe_group_label($edit_container);
 
     $("#channels_overlay_container").on(
         "click",
@@ -804,6 +805,8 @@ export function initialize(): void {
             );
             if (sub && $subsection.attr("id") === "stream_permission_settings") {
                 stream_ui_updates.update_default_stream_and_stream_privacy_state($subsection);
+                const $edit_container = stream_settings_containers.get_edit_container(sub);
+                stream_ui_updates.update_can_subscribe_group_label($edit_container);
             }
             return true;
         },
@@ -871,6 +874,8 @@ export function initialize(): void {
             settings_org.discard_stream_settings_subsection_changes($subsection, sub);
             if ($subsection.attr("id") === "stream_permission_settings") {
                 stream_ui_updates.update_default_stream_and_stream_privacy_state($subsection);
+                const $edit_container = stream_settings_containers.get_edit_container(sub);
+                stream_ui_updates.update_can_subscribe_group_label($edit_container);
             }
         },
     );
diff --git a/web/src/stream_events.ts b/web/src/stream_events.ts
index 0080a7e46a..4a84801eab 100644
--- a/web/src/stream_events.ts
+++ b/web/src/stream_events.ts
@@ -104,6 +104,9 @@ export function update_property<P extends keyof UpdatableStreamProperties>(
             sub,
             group_setting_value_schema.parse(value),
         );
+        if (property === "can_subscribe_group" || property === "can_add_subscribers_group") {
+            stream_settings_ui.update_subscription_elements(sub);
+        }
         user_group_edit.update_stream_setting_in_permissions_panel(
             stream_permission_group_settings_schema.parse(property),
             group_setting_value_schema.parse(value),
diff --git a/web/src/stream_settings_components.ts b/web/src/stream_settings_components.ts
index 775f427a20..10c12fddc0 100644
--- a/web/src/stream_settings_components.ts
+++ b/web/src/stream_settings_components.ts
@@ -15,6 +15,7 @@ import * as peer_data from "./peer_data.ts";
 import * as settings_config from "./settings_config.ts";
 import * as settings_data from "./settings_data.ts";
 import {current_user} from "./state_data.ts";
+import * as stream_data from "./stream_data.ts";
 import * as stream_ui_updates from "./stream_ui_updates.ts";
 import type {StreamSubscription} from "./sub_store.ts";
 import * as ui_report from "./ui_report.ts";
@@ -255,7 +256,10 @@ export function sub_or_unsub(
 ): void {
     if (sub.subscribed) {
         // TODO: This next line should allow guests to access web-public streams.
-        if (sub.invite_only || current_user.is_guest) {
+        if (
+            (sub.invite_only && !stream_data.has_content_access_via_group_permissions(sub)) ||
+            current_user.is_guest
+        ) {
             unsubscribe_from_private_stream(sub);
             return;
         }
diff --git a/web/src/stream_settings_ui.ts b/web/src/stream_settings_ui.ts
index f3115a4d95..aae8379f3b 100644
--- a/web/src/stream_settings_ui.ts
+++ b/web/src/stream_settings_ui.ts
@@ -39,6 +39,7 @@ import * as stream_edit_toggler from "./stream_edit_toggler.ts";
 import * as stream_list from "./stream_list.ts";
 import * as stream_settings_api from "./stream_settings_api.ts";
 import * as stream_settings_components from "./stream_settings_components.ts";
+import * as stream_settings_containers from "./stream_settings_containers.ts";
 import * as stream_settings_data from "./stream_settings_data.ts";
 import type {StreamPermissionGroupSetting} from "./stream_types.ts";
 import * as stream_ui_updates from "./stream_ui_updates.ts";
@@ -192,6 +193,8 @@ export function update_stream_privacy(
     const active_data = stream_settings_components.get_active_data();
     if (active_data.id === sub.stream_id) {
         stream_settings_components.set_right_panel_title(sub);
+        const $edit_container = stream_settings_containers.get_edit_container(sub);
+        stream_ui_updates.update_can_subscribe_group_label($edit_container);
     }
 
     // Update navbar if needed
@@ -231,6 +234,15 @@ export function update_subscribers_ui(sub: StreamSubscription): void {
     message_view_header.maybe_rerender_title_area_for_stream(sub.stream_id);
 }
 
+export function update_subscription_elements(sub: StreamSubscription): void {
+    if (!overlays.streams_open()) {
+        return;
+    }
+
+    update_left_panel_row(sub);
+    stream_ui_updates.update_settings_button_for_sub(sub);
+}
+
 export function add_sub_to_table(sub: StreamSubscription): void {
     if (is_sub_already_present(sub)) {
         // If a stream is already listed/added in subscription modal,
diff --git a/web/src/stream_types.ts b/web/src/stream_types.ts
index 0eabe8a389..08386ae90b 100644
--- a/web/src/stream_types.ts
+++ b/web/src/stream_types.ts
@@ -14,6 +14,7 @@ export const stream_permission_group_settings_schema = z.enum([
     "can_administer_channel_group",
     "can_remove_subscribers_group",
     "can_send_message_group",
+    "can_subscribe_group",
 ]);
 export type StreamPermissionGroupSetting = z.infer<typeof stream_permission_group_settings_schema>;
 
@@ -42,6 +43,7 @@ export const stream_schema = z.object({
     can_administer_channel_group: group_setting_value_schema,
     can_remove_subscribers_group: group_setting_value_schema,
     can_send_message_group: group_setting_value_schema,
+    can_subscribe_group: group_setting_value_schema,
     is_recently_active: z.boolean(),
 });
 
diff --git a/web/src/stream_ui_updates.ts b/web/src/stream_ui_updates.ts
index b1377f5a21..2f318c9bc5 100644
--- a/web/src/stream_ui_updates.ts
+++ b/web/src/stream_ui_updates.ts
@@ -4,6 +4,7 @@ import type * as tippy from "tippy.js";
 
 import render_announce_stream_checkbox from "../templates/stream_settings/announce_stream_checkbox.hbs";
 import render_stream_can_add_subscribers_group_label from "../templates/stream_settings/stream_can_add_subscribers_group_label.hbs";
+import render_stream_can_subscribe_group_label from "../templates/stream_settings/stream_can_subscribe_group_label.hbs";
 import render_stream_privacy_icon from "../templates/stream_settings/stream_privacy_icon.hbs";
 import render_stream_settings_tip from "../templates/stream_settings/stream_settings_tip.hbs";
 
@@ -269,6 +270,15 @@ export function update_can_add_subscribers_group_label($container: JQuery): void
     );
 }
 
+export function update_can_subscribe_group_label($container: JQuery): void {
+    const privacy_type = $container.find("input[type=radio][name=privacy]:checked").val();
+    const is_invite_only =
+        privacy_type === "invite-only" || privacy_type === "invite-only-public-history";
+
+    const $can_subscribe_group_label = $container.find(".can_subscribe_group_label");
+    $can_subscribe_group_label.html(render_stream_can_subscribe_group_label({is_invite_only}));
+}
+
 export function enable_or_disable_permission_settings_in_edit_panel(
     sub: SettingsSubscription,
 ): void {
diff --git a/web/templates/settings/group_setting_value_pill_input.hbs b/web/templates/settings/group_setting_value_pill_input.hbs
index 6f41c5e83a..370d6aadc6 100644
--- a/web/templates/settings/group_setting_value_pill_input.hbs
+++ b/web/templates/settings/group_setting_value_pill_input.hbs
@@ -1,8 +1,8 @@
 <div class="input-group">
-    {{!-- We are using snake case for the id since setting_name is always
-    in snake case and it would be weird to have the resultant id be a mix
-    of two types of cases. --}}
-    <label class="group-setting-label" id="group_setting_label_{{setting_name}}">
+    {{!-- We are using snake case for the id and one of the classes since
+    setting_name is always in snake case and it would be weird to have the
+    resultant id be a mix of two types of cases. --}}
+    <label class="group-setting-label {{setting_name}}_label" id="group_setting_label_{{setting_name}}">
         {{label}}
         {{#if label_parens_text}}(<i>{{label_parens_text}}</i>){{/if}}
         {{#if help_link}}
diff --git a/web/templates/stream_settings/stream_can_subscribe_group_label.hbs b/web/templates/stream_settings/stream_can_subscribe_group_label.hbs
new file mode 100644
index 0000000000..cbc05976e3
--- /dev/null
+++ b/web/templates/stream_settings/stream_can_subscribe_group_label.hbs
@@ -0,0 +1,4 @@
+{{t "Who can subscribe to this channel"}}
+{{#unless is_invite_only}}
+<i>({{t "everyone except guests can subscribe to any public channel"}})</i>
+{{/unless}}
diff --git a/web/templates/stream_settings/stream_types.hbs b/web/templates/stream_settings/stream_types.hbs
index 3ea9e98ecf..d6798a6b34 100644
--- a/web/templates/stream_settings/stream_types.hbs
+++ b/web/templates/stream_settings/stream_types.hbs
@@ -67,6 +67,11 @@
           label=group_setting_labels.can_administer_channel_group
           prefix=prefix }}
 
+        {{> ../settings/group_setting_value_pill_input
+          setting_name="can_subscribe_group"
+          label=group_setting_labels.can_subscribe_group
+          prefix=prefix }}
+
         {{> ../settings/group_setting_value_pill_input
           setting_name="can_add_subscribers_group"
           label=group_setting_labels.can_add_subscribers_group
diff --git a/web/tests/compose_validate.test.cjs b/web/tests/compose_validate.test.cjs
index b94f1ad47d..835f3cd01f 100644
--- a/web/tests/compose_validate.test.cjs
+++ b/web/tests/compose_validate.test.cjs
@@ -186,6 +186,8 @@ test_ui("validate_stream_message_address_info", ({mock_template}) => {
         stream_id: 101,
         name: "party",
         subscribed: true,
+        can_add_subscribers_group: nobody.id,
+        can_subscribe_group: nobody.id,
     };
     stream_data.add_sub(party_sub);
     assert.ok(compose_validate.validate_stream_message_address_info(party_sub));
@@ -714,6 +716,7 @@ test_ui("warn_if_mentioning_unsubscribed_user", ({override, mock_template}) => {
         name: "random",
         can_add_subscribers_group: admin.id,
         can_administer_channel_group: admin.id,
+        can_subscribe_group: admin.id,
     };
     stream_data.add_sub(sub);
     compose_state.set_stream_id(sub.stream_id);
diff --git a/web/tests/composebox_typeahead.test.cjs b/web/tests/composebox_typeahead.test.cjs
index 38c4c9edb7..e01e863d04 100644
--- a/web/tests/composebox_typeahead.test.cjs
+++ b/web/tests/composebox_typeahead.test.cjs
@@ -514,6 +514,7 @@ const sweden_stream = stream_item({
     subscribed: true,
     can_administer_channel_group: support.id,
     can_add_subscribers_group: support.id,
+    can_subscribe_group: support.id,
 });
 const denmark_stream = stream_item({
     name: "Denmark",
@@ -522,6 +523,7 @@ const denmark_stream = stream_item({
     subscribed: true,
     can_administer_channel_group: support.id,
     can_add_subscribers_group: support.id,
+    can_subscribe_group: support.id,
 });
 const netherland_stream = stream_item({
     name: "The Netherlands",
@@ -530,6 +532,7 @@ const netherland_stream = stream_item({
     subscribed: false,
     can_administer_channel_group: support.id,
     can_add_subscribers_group: support.id,
+    can_subscribe_group: support.id,
 });
 const mobile_stream = stream_item({
     name: "Mobile",
@@ -538,6 +541,7 @@ const mobile_stream = stream_item({
     subscribed: false,
     can_administer_channel_group: support.id,
     can_add_subscribers_group: support.id,
+    can_subscribe_group: support.id,
 });
 const mobile_team_stream = stream_item({
     name: "Mobile team",
@@ -546,6 +550,7 @@ const mobile_team_stream = stream_item({
     subscribed: true,
     can_administer_channel_group: support.id,
     can_add_subscribers_group: support.id,
+    can_subscribe_group: support.id,
 });
 const broken_link_stream = stream_item({
     name: "A* Algorithm",
diff --git a/web/tests/lib/example_settings.cjs b/web/tests/lib/example_settings.cjs
index 303b1b2ac0..2cc5f9e022 100644
--- a/web/tests/lib/example_settings.cjs
+++ b/web/tests/lib/example_settings.cjs
@@ -26,6 +26,14 @@ exports.server_supported_permission_settings = {
             default_group_name: "role:administrators",
             allowed_system_groups: [],
         },
+        can_subscribe_group: {
+            require_system_group: false,
+            allow_internet_group: false,
+            allow_nobody_group: true,
+            allow_everyone_group: false,
+            default_group_name: "role:nobody",
+            allowed_system_groups: [],
+        },
     },
     realm: {
         create_multiuse_invite_group: {
diff --git a/web/tests/message_view.test.cjs b/web/tests/message_view.test.cjs
index d09826c338..12b0bdc7be 100644
--- a/web/tests/message_view.test.cjs
+++ b/web/tests/message_view.test.cjs
@@ -35,6 +35,7 @@ mock_esm("../src/compose_banner", {
 const compose_pm_pill = mock_esm("../src/compose_pm_pill");
 mock_esm("../src/settings_data", {
     user_can_access_all_other_users: () => true,
+    user_has_permission_for_group_setting: () => true,
 });
 mock_esm("../src/spectators", {
     login_to_access() {},
diff --git a/web/tests/peer_data.test.cjs b/web/tests/peer_data.test.cjs
index b352266ee9..533e99cc1e 100644
--- a/web/tests/peer_data.test.cjs
+++ b/web/tests/peer_data.test.cjs
@@ -119,6 +119,7 @@ test("subscribers", () => {
         stream_id: 1001,
         can_add_subscribers_group: nobody_group.id,
         can_administer_channel_group: nobody_group.id,
+        can_subscribe_group: nobody_group.id,
     };
     stream_data.add_sub(sub);
 
diff --git a/web/tests/stream_data.test.cjs b/web/tests/stream_data.test.cjs
index 1ad1386bf6..429809e158 100644
--- a/web/tests/stream_data.test.cjs
+++ b/web/tests/stream_data.test.cjs
@@ -340,6 +340,7 @@ test("get_streams_for_user", ({override}) => {
         can_remove_subscribers_group: admins_group.id,
         can_add_subscribers_group: admins_group.id,
         can_administer_channel_group: admins_group.id,
+        can_subscribe_group: admins_group.id,
     };
     const social = {
         color: "red",
@@ -351,6 +352,7 @@ test("get_streams_for_user", ({override}) => {
         can_remove_subscribers_group: admins_group.id,
         can_add_subscribers_group: admins_group.id,
         can_administer_channel_group: admins_group.id,
+        can_subscribe_group: admins_group.id,
     };
     const test = {
         color: "yellow",
@@ -361,6 +363,7 @@ test("get_streams_for_user", ({override}) => {
         can_remove_subscribers_group: admins_group.id,
         can_add_subscribers_group: admins_group.id,
         can_administer_channel_group: admins_group.id,
+        can_subscribe_group: admins_group.id,
     };
     const world = {
         color: "blue",
@@ -372,6 +375,7 @@ test("get_streams_for_user", ({override}) => {
         can_remove_subscribers_group: admins_group.id,
         can_add_subscribers_group: admins_group.id,
         can_administer_channel_group: admins_group.id,
+        can_subscribe_group: admins_group.id,
     };
     const errors = {
         color: "green",
@@ -383,6 +387,7 @@ test("get_streams_for_user", ({override}) => {
         can_remove_subscribers_group: admins_group.id,
         can_add_subscribers_group: admins_group.id,
         can_administer_channel_group: admins_group.id,
+        can_subscribe_group: admins_group.id,
     };
     const subs = [denmark, social, test, world, errors];
     for (const sub of subs) {
@@ -471,6 +476,7 @@ test("admin_options", ({override}) => {
             can_remove_subscribers_group: admins_group.id,
             can_administer_channel_group,
             can_add_subscribers_group: admins_group.id,
+            can_subscribe_group: admins_group.id,
             date_created: 1691057093,
             creator_id: null,
         };
@@ -574,6 +580,7 @@ test("stream_settings", ({override}) => {
         can_remove_subscribers_group: admins_group.id,
         can_administer_channel_group: nobody_group.id,
         can_add_subscribers_group: admins_group.id,
+        can_subscribe_group: admins_group.id,
         date_created: 1691057093,
         creator_id: null,
     };
@@ -587,6 +594,7 @@ test("stream_settings", ({override}) => {
         can_remove_subscribers_group: admins_group.id,
         can_administer_channel_group: nobody_group.id,
         can_add_subscribers_group: admins_group.id,
+        can_subscribe_group: admins_group.id,
         date_created: 1691057093,
         creator_id: null,
     };
@@ -602,6 +610,7 @@ test("stream_settings", ({override}) => {
         can_remove_subscribers_group: admins_group.id,
         can_administer_channel_group: nobody_group.id,
         can_add_subscribers_group: admins_group.id,
+        can_subscribe_group: admins_group.id,
         date_created: 1691057093,
         creator_id: null,
     };
@@ -1123,6 +1132,7 @@ test("get_invite_stream_data", ({override}) => {
         is_web_public: false,
         can_administer_channel_group: nobody_group.id,
         can_add_subscribers_group: nobody_group.id,
+        can_subscribe_group: nobody_group.id,
     };
 
     people.init();
@@ -1145,6 +1155,7 @@ test("get_invite_stream_data", ({override}) => {
             is_web_public: false,
             can_administer_channel_group: nobody_group.id,
             can_add_subscribers_group: nobody_group.id,
+            can_subscribe_group: nobody_group.id,
         },
     ];
     assert.deepEqual(stream_data.get_invite_stream_data(), expected_list);
@@ -1157,6 +1168,7 @@ test("get_invite_stream_data", ({override}) => {
         is_web_public: false,
         can_administer_channel_group: nobody_group.id,
         can_add_subscribers_group: nobody_group.id,
+        can_subscribe_group: nobody_group.id,
     };
     stream_data.add_sub(inviter);
 
@@ -1168,6 +1180,7 @@ test("get_invite_stream_data", ({override}) => {
         is_web_public: false,
         can_administer_channel_group: nobody_group.id,
         can_add_subscribers_group: nobody_group.id,
+        can_subscribe_group: nobody_group.id,
     });
     assert.deepEqual(stream_data.get_invite_stream_data(), expected_list);
 
@@ -1180,6 +1193,7 @@ test("get_invite_stream_data", ({override}) => {
         is_web_public: false,
         can_administer_channel_group: nobody_group.id,
         can_add_subscribers_group: nobody_group.id,
+        can_subscribe_group: nobody_group.id,
     };
 
     stream_data.add_sub(tokyo);
@@ -1193,6 +1207,7 @@ test("get_invite_stream_data", ({override}) => {
         is_web_public: false,
         can_administer_channel_group: nobody_group.id,
         can_add_subscribers_group: nobody_group.id,
+        can_subscribe_group: nobody_group.id,
     };
 
     stream_data.add_sub(random);
@@ -1205,6 +1220,7 @@ test("get_invite_stream_data", ({override}) => {
         is_web_public: false,
         can_administer_channel_group: nobody_group.id,
         can_add_subscribers_group: nobody_group.id,
+        can_subscribe_group: nobody_group.id,
     });
     assert.deepEqual(stream_data.get_invite_stream_data(), expected_list);
 });
@@ -1272,6 +1288,7 @@ test("can_unsubscribe_others", ({override}) => {
         can_remove_subscribers_group: admins_group.id,
         can_administer_channel_group: nobody_group.id,
         can_add_subscribers_group: nobody_group.id,
+        can_subscribe_group: nobody_group.id,
     };
     stream_data.add_sub(sub);
 
@@ -1549,6 +1566,7 @@ test("has_metadata_access", ({override}) => {
         history_public_to_subscribers: false,
         can_add_subscribers_group: nobody_group.id,
         can_administer_channel_group: nobody_group.id,
+        can_subscribe_group: nobody_group.id,
     };
 
     assert.equal(stream_data.has_metadata_access(social), true);
@@ -1589,10 +1607,10 @@ test("has_metadata_access", ({override}) => {
     override(current_user, "is_guest", false);
     social.can_administer_channel_group = nobody_group.id;
 
-    // Users that can add other subscribers to a private channel
-    // have content access to that channel. Having content access
-    // should give them metadata access to that private channel even
-    // when unsubscribed.
+    // Users that can add other subscribers or subscribe themselves
+    // to a private channel have content access to that channel.
+    // Having content access should give them metadata access to
+    // that private channel even when unsubscribed.
     assert.equal(stream_data.has_metadata_access(social), false);
     social.can_add_subscribers_group = me_group.id;
     assert.equal(stream_data.has_metadata_access(social), true);
@@ -1601,6 +1619,14 @@ test("has_metadata_access", ({override}) => {
     override(current_user, "is_guest", false);
     social.can_add_subscribers_group = nobody_group.id;
 
+    assert.equal(stream_data.has_metadata_access(social), false);
+    social.can_subscribe_group = me_group.id;
+    assert.equal(stream_data.has_metadata_access(social), true);
+    override(current_user, "is_guest", true);
+    assert.equal(stream_data.has_metadata_access(social), false);
+    override(current_user, "is_guest", false);
+    social.can_subscribe_group = nobody_group.id;
+
     // Non-admin and non-guest user should have access to public
     // channel.
     assert.equal(stream_data.has_metadata_access(social), false);
@@ -1629,6 +1655,7 @@ test("has_content_access", ({override}) => {
         history_public_to_subscribers: false,
         can_add_subscribers_group: nobody_group.id,
         can_administer_channel_group: nobody_group.id,
+        can_subscribe_group: nobody_group.id,
     };
 
     assert.equal(stream_data.has_content_access(social), true);
@@ -1689,10 +1716,19 @@ test("has_content_access", ({override}) => {
     social.subscribed = false;
     assert.equal(stream_data.has_content_access(social), false);
 
+    // Users part of can_subscribe_group or can_add_subscribers_group
+    // should have content access even when unsubscribed.
     assert.equal(stream_data.has_content_access(social), false);
     social.can_add_subscribers_group = me_group.id;
     assert.equal(stream_data.has_content_access(social), true);
     social.can_add_subscribers_group = nobody_group.id;
+    assert.equal(stream_data.has_content_access(social), false);
+
+    social.can_subscribe_group = me_group.id;
+    assert.equal(stream_data.has_content_access(social), true);
+
+    social.can_subscribe_group = nobody_group.id;
+    assert.equal(stream_data.has_content_access(social), false);
 });
 
 test("can_preview", ({override_rewire}) => {
@@ -1704,6 +1740,7 @@ test("can_preview", ({override_rewire}) => {
         history_public_to_subscribers: true,
         can_add_subscribers_group: nobody_group.id,
         can_administer_channel_group: nobody_group.id,
+        can_subscribe_group: nobody_group.id,
     };
 
     override_rewire(stream_data, "has_content_access", () => true);
@@ -1715,3 +1752,52 @@ test("can_preview", ({override_rewire}) => {
     override_rewire(stream_data, "has_content_access", () => false);
     assert.equal(stream_data.can_preview(social), false);
 });
+
+run_test("can_toggle_subscription", ({override}) => {
+    const social = {
+        subscribed: false,
+        color: "red",
+        name: "social",
+        stream_id: 2,
+        is_muted: false,
+        invite_only: false,
+        history_public_to_subscribers: false,
+        can_add_subscribers_group: nobody_group.id,
+        can_administer_channel_group: nobody_group.id,
+        can_subscribe_group: nobody_group.id,
+    };
+    social.subscribed = true;
+
+    override(current_user, "user_id", me.user_id);
+
+    override(page_params, "is_spectator", true);
+    assert.equal(stream_data.can_toggle_subscription(social), false);
+
+    override(page_params, "is_spectator", false);
+    assert.equal(stream_data.can_toggle_subscription(social), true);
+
+    override(current_user, "is_guest", true);
+    assert.equal(stream_data.can_toggle_subscription(social), true);
+
+    social.subscribed = false;
+    assert.equal(stream_data.can_toggle_subscription(social), false);
+
+    override(current_user, "is_guest", false);
+    assert.equal(stream_data.can_toggle_subscription(social), true);
+
+    social.invite_only = true;
+    assert.equal(stream_data.can_toggle_subscription(social), false);
+
+    override(current_user, "is_admin", true);
+    assert.equal(stream_data.can_toggle_subscription(social), false);
+
+    override(current_user, "is_admin", false);
+
+    social.can_add_subscribers_group = me_group.id;
+    assert.equal(stream_data.can_toggle_subscription(social), true);
+
+    social.can_add_subscribers_group = nobody_group.id;
+    assert.equal(stream_data.can_toggle_subscription(social), false);
+    social.can_subscribe_group = me_group.id;
+    assert.equal(stream_data.can_toggle_subscription(social), true);
+});
diff --git a/web/tests/stream_events.test.cjs b/web/tests/stream_events.test.cjs
index 1fa12176e5..76e8b4265b 100644
--- a/web/tests/stream_events.test.cjs
+++ b/web/tests/stream_events.test.cjs
@@ -292,6 +292,27 @@ test("update_property", ({override}) => {
         assert.equal(args.val, 3);
     }
 
+    // Test stream can_subscribe_group change event
+    {
+        const stub = make_stub();
+        override(stream_settings_ui, "update_stream_permission_group_setting", stub.f);
+        const update_subscription_elements_stub = make_stub();
+        override(
+            stream_settings_ui,
+            "update_subscription_elements",
+            update_subscription_elements_stub.f,
+        );
+        stream_events.update_property(stream_id, "can_subscribe_group", 3);
+        assert.equal(stub.num_calls, 1);
+        assert.equal(update_subscription_elements_stub.num_calls, 1);
+        let args = stub.get_args("setting_name", "sub", "val");
+        assert.equal(args.setting_name, "can_subscribe_group");
+        assert.equal(args.sub.stream_id, stream_id);
+        assert.equal(args.val, 3);
+        args = update_subscription_elements_stub.get_args("sub");
+        assert.equal(args.sub, sub);
+    }
+
     // Test deprecated properties for coverage.
     {
         stream_events.update_property(stream_id, "stream_post_policy", 2);
diff --git a/web/tests/stream_pill.test.cjs b/web/tests/stream_pill.test.cjs
index 35255eb93e..e73e9f64b2 100644
--- a/web/tests/stream_pill.test.cjs
+++ b/web/tests/stream_pill.test.cjs
@@ -45,6 +45,7 @@ const denmark = {
     subscribed: true,
     can_administer_channel_group: nobody_group.id,
     can_add_subscribers_group: nobody_group.id,
+    can_subscribe_group: nobody_group.id,
 };
 const sweden = {
     stream_id: 102,
@@ -52,6 +53,7 @@ const sweden = {
     subscribed: false,
     can_administer_channel_group: nobody_group.id,
     can_add_subscribers_group: nobody_group.id,
+    can_subscribe_group: nobody_group.id,
 };
 const germany = {
     stream_id: 103,
@@ -60,6 +62,7 @@ const germany = {
     invite_only: true,
     can_administer_channel_group: nobody_group.id,
     can_add_subscribers_group: nobody_group.id,
+    can_subscribe_group: nobody_group.id,
 };
 
 peer_data.set_subscribers(denmark.stream_id, [1, 2, 77]);
diff --git a/web/tests/stream_settings_ui.test.cjs b/web/tests/stream_settings_ui.test.cjs
index 7135dc9460..c2181183b9 100644
--- a/web/tests/stream_settings_ui.test.cjs
+++ b/web/tests/stream_settings_ui.test.cjs
@@ -80,6 +80,7 @@ run_test("redraw_left_panel", ({override, mock_template}) => {
         can_administer_channel_group: nobody_group.id,
         can_remove_subscribers_group: admins_group.id,
         can_add_subscribers_group: admins_group.id,
+        can_subscribe_group: admins_group.id,
         date_created: 1691057093,
         creator_id: null,
     };
@@ -95,6 +96,7 @@ run_test("redraw_left_panel", ({override, mock_template}) => {
         can_administer_channel_group: nobody_group.id,
         can_remove_subscribers_group: admins_group.id,
         can_add_subscribers_group: admins_group.id,
+        can_subscribe_group: admins_group.id,
         date_created: 1691057093,
         creator_id: null,
     };
@@ -110,6 +112,7 @@ run_test("redraw_left_panel", ({override, mock_template}) => {
         can_remove_subscribers_group: admins_group.id,
         can_administer_channel_group: nobody_group.id,
         can_add_subscribers_group: admins_group.id,
+        can_subscribe_group: admins_group.id,
         date_created: 1691057093,
         creator_id: null,
     };
@@ -125,6 +128,7 @@ run_test("redraw_left_panel", ({override, mock_template}) => {
         can_administer_channel_group: nobody_group.id,
         can_remove_subscribers_group: admins_group.id,
         can_add_subscribers_group: admins_group.id,
+        can_subscribe_group: admins_group.id,
         date_created: 1691057093,
         creator_id: null,
     };
@@ -140,6 +144,7 @@ run_test("redraw_left_panel", ({override, mock_template}) => {
         can_administer_channel_group: nobody_group.id,
         can_remove_subscribers_group: admins_group.id,
         can_add_subscribers_group: admins_group.id,
+        can_subscribe_group: admins_group.id,
         date_created: 1691057093,
         creator_id: null,
     };
@@ -155,6 +160,7 @@ run_test("redraw_left_panel", ({override, mock_template}) => {
         can_administer_channel_group: nobody_group.id,
         can_remove_subscribers_group: admins_group.id,
         can_add_subscribers_group: admins_group.id,
+        can_subscribe_group: admins_group.id,
         date_created: 1691057093,
         creator_id: null,
     };
@@ -170,6 +176,7 @@ run_test("redraw_left_panel", ({override, mock_template}) => {
         can_administer_channel_group: nobody_group.id,
         can_remove_subscribers_group: admins_group.id,
         can_add_subscribers_group: admins_group.id,
+        can_subscribe_group: admins_group.id,
         date_created: 1691057093,
         creator_id: null,
     };
@@ -185,6 +192,7 @@ run_test("redraw_left_panel", ({override, mock_template}) => {
         can_administer_channel_group: nobody_group.id,
         can_remove_subscribers_group: admins_group.id,
         can_add_subscribers_group: admins_group.id,
+        can_subscribe_group: admins_group.id,
         date_created: 1691057093,
         creator_id: null,
     };