streams: Add moderators option in stream_post_policy.

This commit adds a new option of STREAM_POST_POLICY_MODERATORS
in stream_post_policy which will allow only realm admins and
moderators to post in that stream.

zerver/lib/streams.py

@@ -195,6 +195,13 @@ def check_stream_access_based_on_stream_post_policy(sender: UserProfile, stream:
         pass
     elif stream.stream_post_policy == Stream.STREAM_POST_POLICY_ADMINS:
         raise JsonableError(_("Only organization administrators can send to this stream."))
+    elif (
+        stream.stream_post_policy == Stream.STREAM_POST_POLICY_MODERATORS
+        and not sender.is_moderator
+    ):
+        raise JsonableError(
+            _("Only organization administrators and moderators can send to this stream.")
+        )
     elif stream.stream_post_policy != Stream.STREAM_POST_POLICY_EVERYONE and sender.is_guest:
         raise JsonableError(_("Guests cannot send to this stream."))
     elif (

zerver/models.py

@@ -1699,6 +1699,7 @@ class Stream(models.Model):
     STREAM_POST_POLICY_EVERYONE = 1
     STREAM_POST_POLICY_ADMINS = 2
     STREAM_POST_POLICY_RESTRICT_NEW_MEMBERS = 3
+    STREAM_POST_POLICY_MODERATORS = 4
     # TODO: Implement policy to restrict posting to a user group or admins.
 
     # Who in the organization has permission to send messages to this stream.
@@ -1707,6 +1708,7 @@ class Stream(models.Model):
         STREAM_POST_POLICY_EVERYONE,
         STREAM_POST_POLICY_ADMINS,
         STREAM_POST_POLICY_RESTRICT_NEW_MEMBERS,
+        STREAM_POST_POLICY_MODERATORS,
     ]
 
     # The unique thing about Zephyr public streams is that we never list their

zerver/openapi/zulip.yaml

@@ -9536,6 +9536,7 @@ components:
             * 1 => Any user can post.
             * 2 => Only administrators can post.
             * 3 => Only full members can post.
+            * 4 => Only moderators can post.
 
             **Changes**: New in Zulip 3.0, replacing the previous
             `is_announcement_only` boolean.
@@ -10082,6 +10083,7 @@ components:
             * 1 => Any user can post.
             * 2 => Only administrators can post.
             * 3 => Only full members can post.
+            * 4 => Only moderators can post.
 
             **Changes**: New in Zulip 3.0, replacing the previous
             `is_announcement_only` boolean.
@@ -10993,6 +10995,7 @@ components:
         * 1 => Any user can post.
         * 2 => Only administrators can post.
         * 3 => Only full members can post.
+        * 4 => Only moderators can post.
 
         **Changes**: New in Zulip 3.0, replacing the previous
         `is_announcement_only` boolean.

zerver/tests/test_message_send.py

@@ -252,6 +252,88 @@ class MessagePOSTTest(ZulipTestCase):
             guest_profile, stream_name, "Only organization administrators can send to this stream."
         )
 
+    def test_sending_message_as_stream_post_policy_moderators(self) -> None:
+        """
+        Sending messages to streams which only the moderators can post to.
+        """
+        admin_profile = self.example_user("iago")
+        self.login_user(admin_profile)
+
+        stream_name = "Verona"
+        stream = get_stream(stream_name, admin_profile.realm)
+        do_change_stream_post_policy(stream, Stream.STREAM_POST_POLICY_MODERATORS)
+
+        # Admins and their owned bots can send to STREAM_POST_POLICY_MODERATORS streams
+        self._send_and_verify_message(admin_profile, stream_name)
+        admin_owned_bot = self.create_test_bot(
+            short_name="whatever1",
+            full_name="whatever1",
+            user_profile=admin_profile,
+        )
+        self._send_and_verify_message(admin_owned_bot, stream_name)
+
+        moderator_profile = self.example_user("shiva")
+        self.login_user(moderator_profile)
+
+        # Moderators and their owned bots can send to STREAM_POST_POLICY_MODERATORS streams
+        self._send_and_verify_message(moderator_profile, stream_name)
+        moderator_owned_bot = self.create_test_bot(
+            short_name="whatever2",
+            full_name="whatever2",
+            user_profile=moderator_profile,
+        )
+        self._send_and_verify_message(moderator_owned_bot, stream_name)
+
+        non_admin_profile = self.example_user("hamlet")
+        self.login_user(non_admin_profile)
+
+        # Members and their owned bots cannot send to STREAM_POST_POLICY_MODERATORS streams
+        self._send_and_verify_message(
+            non_admin_profile,
+            stream_name,
+            "Only organization administrators and moderators can send to this stream.",
+        )
+        non_admin_owned_bot = self.create_test_bot(
+            short_name="whatever3",
+            full_name="whatever3",
+            user_profile=non_admin_profile,
+        )
+        self._send_and_verify_message(
+            non_admin_owned_bot,
+            stream_name,
+            "Only organization administrators and moderators can send to this stream.",
+        )
+
+        # Bots without owner (except cross realm bot) cannot send to STREAM_POST_POLICY_MODERATORS streams.
+        bot_without_owner = do_create_user(
+            email="free-bot@zulip.testserver",
+            password="",
+            realm=non_admin_profile.realm,
+            full_name="freebot",
+            bot_type=UserProfile.DEFAULT_BOT,
+            acting_user=None,
+        )
+        self._send_and_verify_message(
+            bot_without_owner,
+            stream_name,
+            "Only organization administrators and moderators can send to this stream.",
+        )
+
+        # Cross realm bots should be allowed
+        notification_bot = get_system_bot("notification-bot@zulip.com")
+        internal_send_stream_message(
+            notification_bot, stream, "Test topic", "Test message by notification bot"
+        )
+        self.assertEqual(self.get_last_message().content, "Test message by notification bot")
+
+        guest_profile = self.example_user("polonius")
+        # Guests cannot send to non-STREAM_POST_POLICY_EVERYONE streams
+        self._send_and_verify_message(
+            guest_profile,
+            stream_name,
+            "Only organization administrators and moderators can send to this stream.",
+        )
+
     def test_sending_message_as_stream_post_policy_restrict_new_members(self) -> None:
         """
         Sending messages to streams which new members cannot post to.

zerver/tests/test_subs.py

@@ -1087,6 +1087,7 @@ class StreamAdminTest(ZulipTestCase):
 
         policies = [
             Stream.STREAM_POST_POLICY_ADMINS,
+            Stream.STREAM_POST_POLICY_MODERATORS,
             Stream.STREAM_POST_POLICY_RESTRICT_NEW_MEMBERS,
         ]
 
@@ -3722,6 +3723,23 @@ class SubscriptionAPITest(ZulipTestCase):
         self.assertEqual(json["subscribed"], {new_member.email: ["stream1"]})
         self.assertEqual(json["already_subscribed"], {})
 
+    def test_subscribe_to_stream_post_policy_moderators_stream(self) -> None:
+        """
+        Members can subscribe to streams where only admins and moderators can post
+        """
+        member = self.example_user("AARON")
+        stream = self.make_stream("stream1")
+        # Make sure that we are testing this with full member which is just below the moderator
+        # in the role hierarchy.
+        self.assertFalse(member.is_provisional_member)
+        do_change_stream_post_policy(stream, Stream.STREAM_POST_POLICY_MODERATORS)
+        result = self.common_subscribe_to_streams(member, ["stream1"])
+        self.assert_json_success(result)
+
+        json = result.json()
+        self.assertEqual(json["subscribed"], {member.email: ["stream1"]})
+        self.assertEqual(json["already_subscribed"], {})
+
     def test_guest_user_subscribe(self) -> None:
         """Guest users cannot subscribe themselves to anything"""
         guest_user = self.example_user("polonius")