digest: Make newly registered users data inaccessible to guest users.

The new can_access_all_realm_members function is meant to act as a
base function for guest users and Zephyr realm users regarding the
accessibility of the information of other users in the realm.

zerver/lib/digest.py

@@ -146,7 +146,7 @@ def gather_hot_conversations(user_profile: UserProfile, stream_messages: QuerySe
 def gather_new_users(user_profile: UserProfile, threshold: datetime.datetime) -> Tuple[int, List[str]]:
     # Gather information on users in the realm who have recently
     # joined.
-    if user_profile.realm.is_zephyr_mirror_realm:
+    if not user_profile.can_access_all_realm_members():
         new_users = []  # type: List[UserProfile]
     else:
         new_users = list(UserProfile.objects.filter(

zerver/models.py

@@ -822,6 +822,9 @@ class UserProfile(AbstractBaseUser, PermissionsMixin):
     def can_access_public_streams(self) -> bool:
         return not (self.is_guest or self.realm.is_zephyr_mirror_realm)
 
+    def can_access_all_realm_members(self) -> bool:
+        return not (self.realm.is_zephyr_mirror_realm or self.is_guest)
+
     def major_tos_version(self) -> int:
         if self.tos_version is not None:
             return int(self.tos_version.split('.')[0])

zerver/tests/test_digest.py

@@ -8,7 +8,8 @@ from django.test import override_settings
 from django.utils.timezone import now as timezone_now
 
 from zerver.lib.actions import create_stream_if_needed, do_create_user
-from zerver.lib.digest import gather_new_streams, handle_digest_email, enqueue_emails
+from zerver.lib.digest import gather_new_streams, handle_digest_email, enqueue_emails, \
+    gather_new_users
 from zerver.lib.test_classes import ZulipTestCase
 from zerver.models import get_client, get_realm, Realm, UserActivity, UserProfile
 
@@ -141,3 +142,29 @@ class TestDigestEmailMessages(ZulipTestCase):
         new_stream = gather_new_streams(cordelia, cutoff)[1]
         expected_html = "<a href='http://zulip.testserver/#narrow/stream/{stream_id}-New-stream'>New stream</a>".format(stream_id=stream_id)
         self.assertIn(expected_html, new_stream['html'])
+
+    @mock.patch('zerver.lib.digest.timezone_now')
+    def test_gather_new_users(self, mock_django_timezone: mock.MagicMock) -> None:
+        cutoff = timezone_now()
+        do_create_user('abc@example.com', password='abc', realm=get_realm('zulip'), full_name='abc', short_name='abc')
+
+        # Normal users get info about new users
+        user = self.example_user('aaron')
+        gathered_no_of_user, _ = gather_new_users(user, cutoff)
+        self.assertEqual(gathered_no_of_user, 1)
+
+        # Definitely, admin users get info about new users
+        user = self.example_user('iago')
+        gathered_no_of_user, _ = gather_new_users(user, cutoff)
+        self.assertEqual(gathered_no_of_user, 1)
+
+        # Guest users don't get info about new users
+        user = self.example_user('polonius')
+        gathered_no_of_user, _ = gather_new_users(user, cutoff)
+        self.assertEqual(gathered_no_of_user, 0)
+
+        # Zephyr users also don't get info about new users in their realm
+        user = self.mit_user('starnine')
+        do_create_user('abc@mit.edu', password='abc', realm=user.realm, full_name='abc', short_name='abc')
+        gathered_no_of_user, _ = gather_new_users(user, cutoff)
+        self.assertEqual(gathered_no_of_user, 0)