message_edit: Require access to messages to move between streams.

Currently, moving messages between streams is an action limited to
organization administrators. A big part of the motivation for that
restriction was to prevent users from moving messages from a private
stream without shared history as a way to access messages they should
not have access to.

Organization administrators can already just make the stream have
shared history if they want to access its messages, but allowing
non-administrators to move messages between would have
introduced a security bug without this change.

zerver/lib/topic.py

@@ -159,7 +159,17 @@ def update_messages_for_topic_edit(
 
     update_fields = ["edit_history", "last_edit_time"]
 
-    # Evaluate the query before running the update
+    if new_stream is not None:
+        # If we're moving the messages between streams, only move
+        # messages that the acting user can access, so that one cannot
+        # gain access to messages through moving them.
+        from zerver.lib.message import bulk_access_messages
+
+        messages_list = bulk_access_messages(acting_user, messages, stream=old_stream)
+    else:
+        # For single-message edits or topic moves within a stream, we
+        # allow moving history the user may not have access in order
+        # to keep topics together.
         messages_list = list(messages)
 
     # The cached ORM objects are not changed by the upcoming

zerver/tests/test_message_edit.py

@@ -1326,7 +1326,7 @@ class EditMessageTest(ZulipTestCase):
                     "topic": "new topic",
                 },
             )
-        self.assertEqual(len(queries), 50)
+        self.assertEqual(len(queries), 52)
         self.assertEqual(len(cache_tries), 13)
 
         messages = get_topic_messages(user_profile, old_stream, "test")