subscriptions: Change in API used for adding new subscriptions.

Earlier when a user who is not allowed to add subscribers to a stream because of realm level setting "Who can add users to streams" is subscribing other users while creating a new stream than new stream was created but no one is subscribed to stream. To fix this issue this commit makes changes in the API used for adding subscriptions. Now stream will be created only when user has permissions to add other users. With a rewrite of the test by Tim Abbott.
2025-11-02 21:13:36 +00:00 · 2023-03-28 22:49:35 +05:30
parent a47569bf47
commit 2a6146110c
2 changed files with 39 additions and 22 deletions
--- a/zerver/views/streams.py
+++ b/zerver/views/streams.py
@@ -619,6 +619,21 @@ def add_subscriptions_backend(

        stream_dicts.append(stream_dict_copy)

+    is_subscribing_other_users = False
+    if len(principals) > 0 and not all(user_id == user_profile.id for user_id in principals):
+        is_subscribing_other_users = True
+
+    if is_subscribing_other_users:
+        if not user_profile.can_subscribe_other_users():
+            # Guest users case will not be handled here as it will
+            # be handled by the decorator above.
+            raise JsonableError(_("Insufficient permission"))
+        subscribers = {
+            principal_to_user_profile(user_profile, principal) for principal in principals
+        }
+    else:
+        subscribers = {user_profile}
+
    # Validation of the streams arguments, including enforcement of
    # can_create_streams policy and check_stream_name policy is inside
    # list_to_streams.
@@ -635,20 +650,14 @@ def add_subscriptions_backend(
    # Newly created streams are also authorized for the creator
    streams = authorized_streams + created_streams

-    if len(principals) > 0:
-        if realm.is_zephyr_mirror_realm and not all(stream.invite_only for stream in streams):
-            raise JsonableError(
-                _("You can only invite other Zephyr mirroring users to private streams.")
-            )
-        if not user_profile.can_subscribe_other_users():
-            # Guest users case will not be handled here as it will
-            # be handled by the decorator above.
-            raise JsonableError(_("Insufficient permission"))
-        subscribers = {
-            principal_to_user_profile(user_profile, principal) for principal in principals
-        }
-    else:
-        subscribers = {user_profile}
+    if (
+        is_subscribing_other_users
+        and realm.is_zephyr_mirror_realm
+        and not all(stream.invite_only for stream in streams)
+    ):
+        raise JsonableError(
+            _("You can only invite other Zephyr mirroring users to private streams.")
+        )

    (subscribed, already_subscribed) = bulk_add_subscriptions(
        realm, streams, subscribers, acting_user=user_profile, color_map=color_map