streams: Don't allow adding deactivated users to streams.

This query was incorreclty not checking whether a user was deactivated before managing their subscriptions. This isn't an important bug, but should prevent some weird corner cases (like trying to send a notification PM to a deactivated user, which fails).
2025-11-03 05:23:35 +00:00 · 2018-05-20 18:54:42 -07:00
parent cedad52c59
commit 2609274719
2 changed files with 18 additions and 2 deletions
--- a/zerver/tests/test_subs.py
+++ b/zerver/tests/test_subs.py
@@ -55,6 +55,7 @@ from zerver.lib.actions import (
    create_stream_if_needed, create_streams_if_needed,
    ensure_stream,
    do_deactivate_stream,
+    do_deactivate_user,
    stream_welcome_message,
    do_create_default_stream_group,
    do_add_streams_to_default_stream_group, do_remove_streams_from_default_stream_group,
@@ -2303,6 +2304,21 @@ class SubscriptionAPITest(ZulipTestCase):
        invite_streams = self.make_random_stream_names(current_streams)
        self.assert_adding_subscriptions_for_principal(invitee_email, invitee_realm, invite_streams)

+    def test_subscriptions_add_for_principal_deactivated(self) -> None:
+        """
+        You can't subscribe deactivated people to streams.
+        """
+        target_profile = self.example_user("cordelia")
+        result = self.common_subscribe_to_streams(self.test_email, "Verona",
+                                                  {"principals": ujson.dumps([target_profile.email])})
+        self.assert_json_success(result)
+
+        do_deactivate_user(target_profile)
+        result = self.common_subscribe_to_streams(self.test_email, "Denmark",
+                                                  {"principals": ujson.dumps([target_profile.email])})
+        self.assert_json_error(result, "User not authorized to execute queries on behalf of 'cordelia@zulip.com'",
+                               status_code=403)
+
    def test_subscriptions_add_for_principal_invite_only(self) -> None:
        """
        You can subscribe other people to invite only streams.
--- a/zerver/views/streams.py
+++ b/zerver/views/streams.py
@@ -30,7 +30,7 @@ from zerver.lib.validator import check_string, check_int, check_list, check_dict
    check_bool, check_variable_type, check_capped_string
 from zerver.models import UserProfile, Stream, Realm, Subscription, \
    Recipient, get_recipient, get_stream, \
-    get_system_bot, get_user
+    get_system_bot, get_active_user

 from collections import defaultdict
 import ujson
@@ -49,7 +49,7 @@ class PrincipalError(JsonableError):

 def principal_to_user_profile(agent: UserProfile, principal: str) -> UserProfile:
    try:
-        return get_user(principal, agent.realm)
+        return get_active_user(principal, agent.realm)
    except UserProfile.DoesNotExist:
        # We have to make sure we don't leak information about which users
        # are registered for Zulip in a different realm.  We could do