paulmataruso/zulip
1
0
Fork 0
mirror of https://github.com/zulip/zulip.git synced 2025-11-04 14:03:30 +00:00
Code Issues Packages Projects Releases Wiki Activity

streams: Prevent members from creating admin-only streams.

Browse Source 
This a check on server side to verify whether the user sending request
to create stream where only admins can post is an admin or not; Raises
a JsonableError when the user is not the realm admin.
This commit is contained in:
Vaibhav
2019-01-24 13:46:35 +05:30
committed by Tim Abbott
parent 2b81d66537
commit 268c25e95f
2 changed files with 30 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
zerver/lib/streams.py
View File

@@ -242,10 +242,14 @@ def list_to_streams(streams_raw: Iterable[Mapping[str, Any]],
missing_stream_dicts = [] # type: List[Mapping[str, Any]] missing_stream_dicts = [] # type: List[Mapping[str, Any]]
existing_stream_map = bulk_get_streams(user_profile.realm, stream_set) existing_stream_map = bulk_get_streams(user_profile.realm, stream_set)
member_creating_announcement_only_stream = False
for stream_dict in streams_raw: for stream_dict in streams_raw:
stream_name = stream_dict["name"] stream_name = stream_dict["name"]
stream = existing_stream_map.get(stream_name.lower()) stream = existing_stream_map.get(stream_name.lower())
if stream is None: if stream is None:
if stream_dict.get("is_announcement_only", False) and not user_profile.is_realm_admin:
member_creating_announcement_only_stream = True
missing_stream_dicts.append(stream_dict) missing_stream_dicts.append(stream_dict)
else: else:
existing_streams.append(stream) existing_streams.append(stream)
@@ -261,6 +265,8 @@ def list_to_streams(streams_raw: Iterable[Mapping[str, Any]],
elif not autocreate: elif not autocreate:
raise JsonableError(_("Stream(s) (%s) do not exist") % ", ".join( raise JsonableError(_("Stream(s) (%s) do not exist") % ", ".join(
stream_dict["name"] for stream_dict in missing_stream_dicts)) stream_dict["name"] for stream_dict in missing_stream_dicts))
elif member_creating_announcement_only_stream:
raise JsonableError(_('User cannot create a stream with these settings.'))
# We already filtered out existing streams, so dup_streams # We already filtered out existing streams, so dup_streams
# will normally be an empty list below, but we protect against somebody # will normally be an empty list below, but we protect against somebody

24
zerver/tests/test_subs.py
View File

@@ -2305,6 +2305,30 @@ class SubscriptionAPITest(ZulipTestCase):
self.assertEqual(add_event['event']['op'], 'add') self.assertEqual(add_event['event']['op'], 'add')
self.assertEqual(add_event['users'], [self.example_user("iago").id]) self.assertEqual(add_event['users'], [self.example_user("iago").id])
def test_subscibe_to_announce_only_stream(self) -> None:
"""
Members can subscribe to streams where only admins can post
but not create those streams, only realm admins can
"""
member = self.example_user("AARON")
result = self.common_subscribe_to_streams(member.email, ["announce"])
self.assert_json_success(result)
streams_raw = [{
'name': 'new_stream',
'is_announcement_only': True,
}]
with self.assertRaisesRegex(
JsonableError, "User cannot create a stream with these settings."):
list_to_streams(streams_raw, member, autocreate=True)
admin = self.example_user("iago")
result = list_to_streams(streams_raw, admin, autocreate=True)
self.assert_length(result[0], 0)
self.assert_length(result[1], 1)
self.assertEqual(result[1][0].name, 'new_stream')
self.assertEqual(result[1][0].is_announcement_only, True)
def test_guest_user_subscribe(self) -> None: def test_guest_user_subscribe(self) -> None:
"""Guest users cannot subscribe themselves to anything""" """Guest users cannot subscribe themselves to anything"""
guest_user = self.example_user("polonius") guest_user = self.example_user("polonius")