paulmataruso/zulip
1
0
Fork 0
mirror of https://github.com/zulip/zulip.git synced 2025-11-15 11:22:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

subscriptions: Change in API used for adding new subscriptions.

Browse Source 
Earlier when a user who is not allowed to add subscribers to a
stream because of realm level setting "Who can add users to streams"
is subscribing other users while creating a new stream than new stream
was created but no one is subscribed to stream.

To fix this issue this commit makes changes in the API used
for adding subscriptions. Now stream will be created only when user
has permissions to add other users.

With a rewrite of the test by Tim Abbott.
This commit is contained in:
Ujjawal Modi
2023-03-28 22:49:35 +05:30
committed by Tim Abbott
parent a47569bf47
commit 2a6146110c
2 changed files with 39 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
zerver/tests/test_subs.py
View File

@@ -4422,7 +4422,7 @@ class SubscriptionAPITest(ZulipTestCase):
# Now add ourselves # Now add ourselves
with self.capture_send_event_calls(expected_num_events=2) as events: with self.capture_send_event_calls(expected_num_events=2) as events:
with self.assert_database_query_count(13): with self.assert_database_query_count(12):
self.common_subscribe_to_streams( self.common_subscribe_to_streams(
self.test_user, self.test_user,
streams_to_sub, streams_to_sub,
@@ -4731,28 +4731,36 @@ class SubscriptionAPITest(ZulipTestCase):
def test_bulk_subscribe_MIT(self) -> None: def test_bulk_subscribe_MIT(self) -> None:
mit_user = self.mit_user("starnine") mit_user = self.mit_user("starnine")
num_streams = 15
realm = get_realm("zephyr") realm = get_realm("zephyr")
stream_names = [f"stream_{i}" for i in range(40)] stream_names = [f"stream_{i}" for i in range(num_streams)]
streams = [self.make_stream(stream_name, realm=realm) for stream_name in stream_names] streams = [self.make_stream(stream_name, realm=realm) for stream_name in stream_names]
for stream in streams: for stream in streams:
stream.is_in_zephyr_realm = True stream.is_in_zephyr_realm = True
stream.save() stream.save()
# Make sure Zephyr mirroring realms such as MIT do not get # Verify that peer_event events are never sent in Zephyr
# any tornado subscription events # realm. This does generate stream creation events from
with self.capture_send_event_calls(expected_num_events=0): # send_stream_creation_events_for_private_streams.
with self.assert_database_query_count(5): with self.capture_send_event_calls(expected_num_events=num_streams + 1) as events:
with self.assert_database_query_count(num_streams + 12):
self.common_subscribe_to_streams( self.common_subscribe_to_streams(
mit_user, mit_user,
stream_names, stream_names,
dict(principals=orjson.dumps([mit_user.id]).decode()), dict(principals=orjson.dumps([mit_user.id]).decode()),
subdomain="zephyr", subdomain="zephyr",
allow_fail=True,
) )
# num_streams stream creation events:
self.assertEqual(
{(event["event"]["type"], event["event"]["op"]) for event in events[0:num_streams]},
{("stream", "create")},
)
# Followed by one subscription event:
self.assertEqual(events[num_streams]["event"]["type"], "subscription")
with self.capture_send_event_calls(expected_num_events=0): with self.capture_send_event_calls(expected_num_events=1):
bulk_remove_subscriptions( bulk_remove_subscriptions(
realm, realm,
users=[mit_user], users=[mit_user],

37
zerver/views/streams.py
View File

@@ -619,6 +619,21 @@ def add_subscriptions_backend(
stream_dicts.append(stream_dict_copy) stream_dicts.append(stream_dict_copy)
is_subscribing_other_users = False
if len(principals) > 0 and not all(user_id == user_profile.id for user_id in principals):
is_subscribing_other_users = True
if is_subscribing_other_users:
if not user_profile.can_subscribe_other_users():
# Guest users case will not be handled here as it will
# be handled by the decorator above.
raise JsonableError(_("Insufficient permission"))
subscribers = {
principal_to_user_profile(user_profile, principal) for principal in principals
}
else:
subscribers = {user_profile}
# Validation of the streams arguments, including enforcement of # Validation of the streams arguments, including enforcement of
# can_create_streams policy and check_stream_name policy is inside # can_create_streams policy and check_stream_name policy is inside
# list_to_streams. # list_to_streams.
@@ -635,20 +650,14 @@ def add_subscriptions_backend(
# Newly created streams are also authorized for the creator # Newly created streams are also authorized for the creator
streams = authorized_streams + created_streams streams = authorized_streams + created_streams
if len(principals) > 0: if (
if realm.is_zephyr_mirror_realm and not all(stream.invite_only for stream in streams): is_subscribing_other_users
raise JsonableError( and realm.is_zephyr_mirror_realm
_("You can only invite other Zephyr mirroring users to private streams.") and not all(stream.invite_only for stream in streams)
) ):
if not user_profile.can_subscribe_other_users(): raise JsonableError(
# Guest users case will not be handled here as it will _("You can only invite other Zephyr mirroring users to private streams.")
# be handled by the decorator above. )
raise JsonableError(_("Insufficient permission"))
subscribers = {
principal_to_user_profile(user_profile, principal) for principal in principals
}
else:
subscribers = {user_profile}
(subscribed, already_subscribed) = bulk_add_subscriptions( (subscribed, already_subscribed) = bulk_add_subscriptions(
realm, streams, subscribers, acting_user=user_profile, color_map=color_map realm, streams, subscribers, acting_user=user_profile, color_map=color_map