sync_groups: Don't allow syncing of system groups.

Trying to sync system groups with this would easily lead to database corruption and we should completely disallow it.
2025-10-23 04:52:12 +00:00 · 2025-05-15 22:26:07 +02:00
parent 1dc845f07b
commit 53aaa0e918
1 changed files with 7 additions and 0 deletions
--- a/zproject/backends.py
+++ b/zproject/backends.py
@@ -100,6 +100,7 @@ from zerver.models import (
    UserProfile,
 )
 from zerver.models.custom_profile_fields import custom_profile_fields_for_realm
+from zerver.models.groups import SystemGroups
 from zerver.models.realms import (
    DisposableEmailError,
    DomainNotAllowedForRealmError,
@@ -1656,6 +1657,11 @@ def sync_groups(
    The idea is that intended_group_names is the set of names of groups to which
    the user should belong, within the universe specified by all_group_names.
    """
+    for system_group_name in SystemGroups.GROUP_DISPLAY_NAME_MAP:
+        # system groups are not allowed to be synced.
+        assert system_group_name not in all_group_names
+        assert system_group_name not in intended_group_names
+
    user_id = user_profile.id
    realm = user_profile.realm
    logger.debug("Starting group sync for user %s in realm %s", user_id, realm.string_id)
@@ -1664,6 +1670,7 @@ def sync_groups(
        UserGroupMembership.objects.filter(
            user_group__realm=realm,
            user_group__named_user_group__name__in=all_group_names,
+            user_group__named_user_group__is_system_group=False,
            user_profile__id=user_id,
        ).values_list("user_group__named_user_group__name", flat=True)
    )