stream settings: Allow realm admins to access all private stream subs.

This will allow realm admins to access the subscribers of private
streams that they are not subscribed to.  This is a preparatory commit
for letting realm admins remove those users.
YJDave
2018-02-14 22:29:01 +05:30
committed by Tim Abbott
parent 37f9d5c193
commit 2031118545
11 changed files with 65 additions and 22 deletions


@@ -29,9 +29,12 @@ def access_stream_for_delete_or_update(user_profile: UserProfile, stream_id: int
return stream
# Only set allow_realm_admin flag to True when you want to allow realm admin to
# access unsubscribed private stream content.
def access_stream_common(user_profile: UserProfile, stream: Stream,
error: Text,
require_active: bool=True) -> Tuple[Recipient, Subscription]:
require_active: bool=True,
allow_realm_admin: bool=False) -> Tuple[Recipient, Subscription]:
"""Common function for backend code where the target use attempts to
access the target stream, returning all the data fetched along the
way. If that user does not have permission to access that stream,
@@ -59,13 +62,21 @@ def access_stream_common(user_profile: UserProfile, stream: Stream,
if sub is not None:
return (recipient, sub)
# For some specific callers (e.g. getting list of subscribers,
# removing other users from a stream, and updating stream name and
# description), we allow realm admins to access stream even if
# they are not subscribed to a private stream.
if user_profile.is_realm_admin and allow_realm_admin:
return (recipient, sub)
# Otherwise it is a private stream and you're not on it, so throw
# an error.
raise JsonableError(error)
def access_stream_by_id(user_profile: UserProfile,
stream_id: int,
require_active: bool=True) -> Tuple[Stream, Recipient, Subscription]:
require_active: bool=True,
allow_realm_admin: bool=False) -> Tuple[Stream, Recipient, Subscription]:
error = _("Invalid stream id")
try:
stream = Stream.objects.get(id=stream_id)
@@ -73,7 +84,8 @@ def access_stream_by_id(user_profile: UserProfile,
raise JsonableError(error)
(recipient, sub) = access_stream_common(user_profile, stream, error,
require_active=require_active)
require_active=require_active,
allow_realm_admin=allow_realm_admin)
return (stream, recipient, sub)
def check_stream_name_available(realm: Realm, name: Text) -> None:
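Review bot: In the second hunk the new `if user_profile.is_realm_admin and allow_realm_admin:` branch is only reachable when `sub` is None, because the guard just above it already returned for a non-None subscription, yet both signatures still promise a `Subscription` in the returned tuple. A caller that passes `allow_realm_admin=True` and then dereferences the subscription would fail for an unsubscribed admin, so I would write `return (recipient, None)` there and annotate the return as `Tuple[Recipient, Optional[Subscription]]` (assuming `Optional` is importable in this file; its imports are not visible here). The comment above `access_stream_common` says the flag grants access to "private stream content", which is broader than the subscriber-list use the commit message describes; I would narrow it to something like `# allow_realm_admin=True is for stream metadata and subscriber management only; do not pass it from endpoints that return messages.` The body of `access_stream_common` starts outside the hunk, so the same-realm check that presumably precedes this bypass could not be confirmed from here and is worth verifying.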