decorators: Use human_users_only more aggressively.

zerver/tests/test_decorators.py

@@ -1023,10 +1023,16 @@ class TestHumanUsersOnlyDecorator(ZulipTestCase):
     def test_human_only_endpoints(self):
         # type: () -> None
         post_endpoints = [
-            "/api/v1/users/me/presence",
             "/api/v1/users/me/apns_device_token",
             "/api/v1/users/me/android_gcm_reg_id",
+            "/api/v1/users/me/enter-sends",
             "/api/v1/users/me/hotspots",
+            "/api/v1/users/me/presence",
+            "/api/v1/users/me/tutorial_status",
+            "/api/v1/report/error",
+            "/api/v1/report/send_times",
+            "/api/v1/report/narrow_times",
+            "/api/v1/report/unnarrow_times",
         ]
         for endpoint in post_endpoints:
             result = self.client_post(endpoint, **self.api_auth('default-bot@zulip.com'))

zerver/views/report.py

@@ -5,7 +5,8 @@ from typing import Any, Dict, Optional, Text
 from django.conf import settings
 from django.http import HttpRequest, HttpResponse
 
-from zerver.decorator import authenticated_json_post_view, to_non_negative_int
+from zerver.decorator import authenticated_json_post_view, human_users_only, \
+    to_non_negative_int
 from zerver.lib.bugdown import privacy_clean_markdown
 from zerver.lib.request import has_request_variables, REQ
 from zerver.lib.response import json_success
@@ -30,6 +31,7 @@ def get_js_source_map() -> Optional[SourceMap]:
         ])
     return js_source_map
 
+@human_users_only
 @has_request_variables
 def report_send_times(request, user_profile,
                       time=REQ(converter=to_non_negative_int),
@@ -52,6 +54,7 @@ def report_send_times(request, user_profile,
         statsd.incr('render_disparity')
     return json_success()
 
+@human_users_only
 @has_request_variables
 def report_narrow_times(request, user_profile,
                         initial_core=REQ(converter=to_non_negative_int),
@@ -65,6 +68,7 @@ def report_narrow_times(request, user_profile,
     statsd.timing("narrow.network.%s" % (base_key,), network)
     return json_success()
 
+@human_users_only
 @has_request_variables
 def report_unnarrow_times(request, user_profile,
                           initial_core=REQ(converter=to_non_negative_int),
@@ -76,6 +80,7 @@ def report_unnarrow_times(request, user_profile,
     statsd.timing("unnarrow.initial_free.%s" % (base_key,), initial_free)
     return json_success()
 
+@human_users_only
 @has_request_variables
 def report_error(request, user_profile, message=REQ(), stacktrace=REQ(),
                  ui_message=REQ(validator=check_bool), user_agent=REQ(),

zerver/views/tutorial.py

@@ -1,11 +1,13 @@
 
 from django.http import HttpRequest, HttpResponse
 
+from zerver.decorator import human_users_only
 from zerver.lib.request import has_request_variables, REQ
 from zerver.lib.response import json_success
 from zerver.lib.validator import check_string
 from zerver.models import UserProfile
 
+@human_users_only
 @has_request_variables
 def set_tutorial_status(request, user_profile,
                         status=REQ(validator=check_string)):

zerver/views/user_settings.py

@@ -236,6 +236,8 @@ def delete_avatar_backend(request, user_profile):
     )
     return json_success(json_result)
 
+# We don't use @human_users_only here, because there are use cases for
+# a bot regenerating its own API key.
 @has_request_variables
 def regenerate_api_key(request, user_profile):
     # type: (HttpRequest, UserProfile) -> HttpResponse
@@ -245,6 +247,7 @@ def regenerate_api_key(request, user_profile):
     )
     return json_success(json_result)
 
+@human_users_only
 @has_request_variables
 def change_enter_sends(request, user_profile,
                        enter_sends=REQ(validator=check_bool)):