user_groups: Do not allow editing system user groups from API.

We do not allow any user to edit the system user groups (including renaming, deleting, adding or removing members, etc.) from the API. These user groups will change only by the code when a new user is added or role of a user is changed. This is implemented by rejecting access_user_group_by_id always except the case when it is use to get the user group for sending email and push notifications, as we would need to send notifications to the mentioned user group.
2025-11-04 14:03:30 +00:00 · 2021-08-06 18:52:08 +05:30
parent 4bd1dc0a56
commit 4c290a49d3
5 changed files with 81 additions and 5 deletions
--- a/zerver/lib/user_groups.py
+++ b/zerver/lib/user_groups.py
@@ -7,9 +7,13 @@ from zerver.lib.exceptions import JsonableError
 from zerver.models import Realm, UserGroup, UserGroupMembership, UserProfile


-def access_user_group_by_id(user_group_id: int, user_profile: UserProfile) -> UserGroup:
+def access_user_group_by_id(
+    user_group_id: int, user_profile: UserProfile, for_mention: bool = False
+) -> UserGroup:
    try:
        user_group = UserGroup.objects.get(id=user_group_id, realm=user_profile.realm)
+        if not for_mention and user_group.is_system_group:
+            raise JsonableError(_("Insufficient permission"))
        group_member_ids = get_user_group_members(user_group)
        if (
            not user_profile.is_realm_admin
@@ -61,10 +65,17 @@ def remove_user_from_user_group(user_profile: UserProfile, user_group: UserGroup


 def create_user_group(
-    name: str, members: List[UserProfile], realm: Realm, *, description: str = ""
+    name: str,
+    members: List[UserProfile],
+    realm: Realm,
+    *,
+    description: str = "",
+    is_system_group: bool = False,
 ) -> UserGroup:
    with transaction.atomic():
-        user_group = UserGroup.objects.create(name=name, realm=realm, description=description)
+        user_group = UserGroup.objects.create(
+            name=name, realm=realm, description=description, is_system_group=is_system_group
+        )
        UserGroupMembership.objects.bulk_create(
            UserGroupMembership(user_profile=member, user_group=user_group) for member in members
        )