CVE-2023-32677: Check permission to subscribe other users in invites.

This commit updates the API to check the permission to subscribe other users while inviting. The API will error if the user passes the "stream_ids" parameter (even when it contains only default streams) and the calling user does not having permission to subscribe others to streams. For users who do not have permission to subscribe others, the invitee will be subscribed to default streams at the time of accepting the invite. There is no change for multiuse invites, since only admins are allowed to send them, and admins always have the permission to subscribe others to streams.
2025-10-31 12:03:46 +00:00 · 2023-05-02 14:48:13 +05:30
parent a23b077b79
commit 4c4caa7be4
2 changed files with 38 additions and 0 deletions
--- a/zerver/tests/test_invite.py
+++ b/zerver/tests/test_invite.py
@@ -1201,6 +1201,41 @@ so we didn't send them an invitation. We did send invitations to everyone else!"

        self.assert_json_success(self.invite(invitee, [stream_name]))

+    def test_invite_without_permission_to_subscribe_others(self) -> None:
+        realm = get_realm("zulip")
+        do_set_realm_property(
+            realm, "invite_to_stream_policy", Realm.POLICY_ADMINS_ONLY, acting_user=None
+        )
+
+        invitee = self.nonreg_email("alice")
+
+        self.login("hamlet")
+        result = self.invite(invitee, ["Denmark", "Scotland"])
+        self.assert_json_error(
+            result, "You do not have permission to subscribe other users to streams."
+        )
+
+        result = self.invite(invitee, [])
+        self.assert_json_success(result)
+        self.check_sent_emails([invitee])
+        mail.outbox.pop()
+
+        self.login("iago")
+        invitee = self.nonreg_email("bob")
+        result = self.invite(invitee, ["Denmark", "Scotland"])
+        self.assert_json_success(result)
+        self.check_sent_emails([invitee])
+        mail.outbox.pop()
+
+        do_set_realm_property(
+            realm, "invite_to_stream_policy", Realm.POLICY_MEMBERS_ONLY, acting_user=None
+        )
+        self.login("hamlet")
+        invitee = self.nonreg_email("test")
+        result = self.invite(invitee, ["Denmark", "Scotland"])
+        self.assert_json_success(result)
+        self.check_sent_emails([invitee])
+
    def test_invitation_reminder_email(self) -> None:
        # All users belong to zulip realm
        referrer_name = "hamlet"
--- a/zerver/views/invite.py
+++ b/zerver/views/invite.py
@@ -83,6 +83,9 @@ def invite_users_backend(
            )
        streams.append(stream)

+    if len(streams) and not user_profile.can_subscribe_other_users():
+        raise JsonableError(_("You do not have permission to subscribe other users to streams."))
+
    do_invite_users(
        user_profile,
        invitee_emails,