users: Create RealmAuditLog in misc do_change_... functions.

We've been meaning to fill this gap and create RealmAuditLog entries in these.
2025-10-23 16:14:02 +00:00 · 2024-08-13 01:24:26 +02:00
parent 18357404b5
commit 5bba9b4018
3 changed files with 104 additions and 0 deletions
--- a/zerver/actions/users.py
+++ b/zerver/actions/users.py
@@ -536,23 +536,74 @@ def do_change_user_role(

@transaction.atomic(savepoint=False)
 def do_change_is_billing_admin(user_profile: UserProfile, value: bool) -> None:
+    event_time = timezone_now()
+    old_value = user_profile.is_billing_admin
+
    user_profile.is_billing_admin = value
    user_profile.save(update_fields=["is_billing_admin"])
+
+    RealmAuditLog.objects.create(
+        realm=user_profile.realm,
+        event_type=AuditLogEventType.USER_SPECIAL_PERMISSION_CHANGED,
+        event_time=event_time,
+        acting_user=None,
+        modified_user=user_profile,
+        extra_data={
+            RealmAuditLog.OLD_VALUE: old_value,
+            RealmAuditLog.NEW_VALUE: value,
+            "property": "is_billing_admin",
+        },
+    )
+
    event = dict(
        type="realm_user", op="update", person=dict(user_id=user_profile.id, is_billing_admin=value)
    )
    send_event_on_commit(user_profile.realm, event, get_user_ids_who_can_access_user(user_profile))


+@transaction.atomic(savepoint=False)
 def do_change_can_forge_sender(user_profile: UserProfile, value: bool) -> None:
+    event_time = timezone_now()
+    old_value = user_profile.can_forge_sender
+
    user_profile.can_forge_sender = value
    user_profile.save(update_fields=["can_forge_sender"])

+    RealmAuditLog.objects.create(
+        realm=user_profile.realm,
+        event_type=AuditLogEventType.USER_SPECIAL_PERMISSION_CHANGED,
+        event_time=event_time,
+        acting_user=None,
+        modified_user=user_profile,
+        extra_data={
+            RealmAuditLog.OLD_VALUE: old_value,
+            RealmAuditLog.NEW_VALUE: value,
+            "property": "can_forge_sender",
+        },
+    )

+
+@transaction.atomic(savepoint=False)
 def do_change_can_create_users(user_profile: UserProfile, value: bool) -> None:
+    event_time = timezone_now()
+    old_value = user_profile.can_create_users
+
    user_profile.can_create_users = value
    user_profile.save(update_fields=["can_create_users"])

+    RealmAuditLog.objects.create(
+        realm=user_profile.realm,
+        event_type=AuditLogEventType.USER_SPECIAL_PERMISSION_CHANGED,
+        event_time=event_time,
+        acting_user=None,
+        modified_user=user_profile,
+        extra_data={
+            RealmAuditLog.OLD_VALUE: old_value,
+            RealmAuditLog.NEW_VALUE: value,
+            "property": "can_create_users",
+        },
+    )
+

@transaction.atomic(durable=True)
 def do_update_outgoing_webhook_service(
--- a/zerver/models/realm_audit_logs.py
+++ b/zerver/models/realm_audit_logs.py
@@ -20,6 +20,7 @@ class AuditLogEventType(IntEnum):
    USER_ROLE_CHANGED = 105
    USER_DELETED = 106
    USER_DELETED_PRESERVING_MESSAGES = 107
+    USER_SPECIAL_PERMISSION_CHANGED = 108

    USER_SOFT_ACTIVATED = 120
    USER_SOFT_DEACTIVATED = 121
--- a/zerver/tests/test_users.py
+++ b/zerver/tests/test_users.py
@@ -24,6 +24,8 @@ from zerver.actions.user_topics import do_set_user_topic_visibility_policy
 from zerver.actions.users import (
    change_user_is_active,
    do_change_can_create_users,
+    do_change_can_forge_sender,
+    do_change_is_billing_admin,
    do_change_user_role,
    do_deactivate_user,
    do_delete_user,
@@ -929,6 +931,56 @@ class PermissionTest(ZulipTestCase):
        )
        self.assert_json_error(result, "Insufficient permission")

+    def test_do_change_user_special_permissions(self) -> None:
+        desdemona = self.example_user("desdemona")
+        do_change_can_forge_sender(desdemona, True)
+
+        last_realm_audit_log = RealmAuditLog.objects.last()
+        assert last_realm_audit_log is not None
+
+        self.assertEqual(
+            last_realm_audit_log.event_type, AuditLogEventType.USER_SPECIAL_PERMISSION_CHANGED
+        )
+        self.assertEqual(last_realm_audit_log.modified_user, desdemona)
+        expected_extra_data = {
+            "property": "can_forge_sender",
+            RealmAuditLog.OLD_VALUE: False,
+            RealmAuditLog.NEW_VALUE: True,
+        }
+        self.assertEqual(last_realm_audit_log.extra_data, expected_extra_data)
+
+        do_change_can_create_users(desdemona, True)
+
+        last_realm_audit_log = RealmAuditLog.objects.last()
+        assert last_realm_audit_log is not None
+
+        self.assertEqual(
+            last_realm_audit_log.event_type, AuditLogEventType.USER_SPECIAL_PERMISSION_CHANGED
+        )
+        self.assertEqual(last_realm_audit_log.modified_user, desdemona)
+        expected_extra_data = {
+            "property": "can_create_users",
+            RealmAuditLog.OLD_VALUE: False,
+            RealmAuditLog.NEW_VALUE: True,
+        }
+        self.assertEqual(last_realm_audit_log.extra_data, expected_extra_data)
+
+        do_change_is_billing_admin(desdemona, True)
+
+        last_realm_audit_log = RealmAuditLog.objects.last()
+        assert last_realm_audit_log is not None
+
+        self.assertEqual(
+            last_realm_audit_log.event_type, AuditLogEventType.USER_SPECIAL_PERMISSION_CHANGED
+        )
+        self.assertEqual(last_realm_audit_log.modified_user, desdemona)
+        expected_extra_data = {
+            "property": "is_billing_admin",
+            RealmAuditLog.OLD_VALUE: False,
+            RealmAuditLog.NEW_VALUE: True,
+        }
+        self.assertEqual(last_realm_audit_log.extra_data, expected_extra_data)
+

 class QueryCountTest(ZulipTestCase):
    def test_create_user_with_multiple_streams(self) -> None: