digest: Make newly registered users data inaccessible to guest users.

The new can_access_all_realm_members function is meant to act as a base function for guest users and Zephyr realm users regarding the accessibility of the information of other users in the realm.
2025-11-04 05:53:43 +00:00 · 2018-06-02 19:15:27 +05:30
parent 7f32c26731
commit 4483e33102
3 changed files with 32 additions and 2 deletions
--- a/zerver/lib/digest.py
+++ b/zerver/lib/digest.py
@@ -146,7 +146,7 @@ def gather_hot_conversations(user_profile: UserProfile, stream_messages: QuerySe
 def gather_new_users(user_profile: UserProfile, threshold: datetime.datetime) -> Tuple[int, List[str]]:
    # Gather information on users in the realm who have recently
    # joined.
-    if user_profile.realm.is_zephyr_mirror_realm:
+    if not user_profile.can_access_all_realm_members():
        new_users = []  # type: List[UserProfile]
    else:
        new_users = list(UserProfile.objects.filter(
--- a/zerver/models.py
+++ b/zerver/models.py
@@ -822,6 +822,9 @@ class UserProfile(AbstractBaseUser, PermissionsMixin):
    def can_access_public_streams(self) -> bool:
        return not (self.is_guest or self.realm.is_zephyr_mirror_realm)

+    def can_access_all_realm_members(self) -> bool:
+        return not (self.realm.is_zephyr_mirror_realm or self.is_guest)
+
    def major_tos_version(self) -> int:
        if self.tos_version is not None:
            return int(self.tos_version.split('.')[0])
--- a/zerver/tests/test_digest.py
+++ b/zerver/tests/test_digest.py
@@ -8,7 +8,8 @@ from django.test import override_settings
 from django.utils.timezone import now as timezone_now

 from zerver.lib.actions import create_stream_if_needed, do_create_user
-from zerver.lib.digest import gather_new_streams, handle_digest_email, enqueue_emails
+from zerver.lib.digest import gather_new_streams, handle_digest_email, enqueue_emails, \
+    gather_new_users
 from zerver.lib.test_classes import ZulipTestCase
 from zerver.models import get_client, get_realm, Realm, UserActivity, UserProfile

@@ -141,3 +142,29 @@ class TestDigestEmailMessages(ZulipTestCase):
        new_stream = gather_new_streams(cordelia, cutoff)[1]
        expected_html = "<a href='http://zulip.testserver/#narrow/stream/{stream_id}-New-stream'>New stream</a>".format(stream_id=stream_id)
        self.assertIn(expected_html, new_stream['html'])
+
+    @mock.patch('zerver.lib.digest.timezone_now')
+    def test_gather_new_users(self, mock_django_timezone: mock.MagicMock) -> None:
+        cutoff = timezone_now()
+        do_create_user('abc@example.com', password='abc', realm=get_realm('zulip'), full_name='abc', short_name='abc')
+
+        # Normal users get info about new users
+        user = self.example_user('aaron')
+        gathered_no_of_user, _ = gather_new_users(user, cutoff)
+        self.assertEqual(gathered_no_of_user, 1)
+
+        # Definitely, admin users get info about new users
+        user = self.example_user('iago')
+        gathered_no_of_user, _ = gather_new_users(user, cutoff)
+        self.assertEqual(gathered_no_of_user, 1)
+
+        # Guest users don't get info about new users
+        user = self.example_user('polonius')
+        gathered_no_of_user, _ = gather_new_users(user, cutoff)
+        self.assertEqual(gathered_no_of_user, 0)
+
+        # Zephyr users also don't get info about new users in their realm
+        user = self.mit_user('starnine')
+        do_create_user('abc@mit.edu', password='abc', realm=user.realm, full_name='abc', short_name='abc')
+        gathered_no_of_user, _ = gather_new_users(user, cutoff)
+        self.assertEqual(gathered_no_of_user, 0)