paulmataruso/zulip
1
0
Fork 0
mirror of https://github.com/zulip/zulip.git synced 2025-11-04 14:03:30 +00:00
Code Issues Packages Projects Releases Wiki Activity

user_groups: Do not allow editing system user groups from API.

Browse Source 
We do not allow any user to edit the system user groups (including
renaming, deleting, adding or removing members, etc.) from the
API. These user groups will change only by the code when a new
user is added or role of a user is changed.

This is implemented by rejecting access_user_group_by_id always
except the case when it is use to get the user group for sending
email and push notifications, as we would need to send notifications
to the mentioned user group.
This commit is contained in:
Sahil Batra
2021-08-06 18:52:08 +05:30
committed by Tim Abbott
parent 4bd1dc0a56
commit 4c290a49d3
5 changed files with 81 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
zerver/lib/push_notifications.py
View File

@@ -937,7 +937,9 @@ def handle_push_notification(user_profile_id: int, missed_message: Dict[str, Any
mentioned_user_group_id = missed_message.get("mentioned_user_group_id")
if mentioned_user_group_id is not None:
user_group = access_user_group_by_id(mentioned_user_group_id, user_profile)
user_group = access_user_group_by_id(
mentioned_user_group_id, user_profile, for_mention=True
)
mentioned_user_group_name = user_group.name
apns_payload = get_message_payload_apns(