Validate principals in add_subscriptions_backend.

Make sure that principles is a list a of strings (unless it is None). This includes a unit test. (imported from commit c2e3f1c0cafc207ceca67d5a174ef4e29a32c6ca)
2025-11-02 13:03:29 +00:00 · 2013-12-12 22:35:56 -05:00
parent 7e04b205fa
commit 668c0ab529
2 changed files with 20 additions and 0 deletions
--- a/zerver/tests.py
+++ b/zerver/tests.py
@@ -1479,6 +1479,21 @@ class SubscriptionRestApiTest(AuthedTestCase):
        check_for_error([{'bogus': 'foo'}], 'name key is missing from add[0]')
        check_for_error([{'name': {}}], 'add[0]["name"] is not a string')

+    def test_bad_principals(self):
+        email = 'hamlet@zulip.com'
+        self.login(email)
+
+        request = {
+            'add': ujson.dumps([{'name': 'my_new_stream'}]),
+            'principals': ujson.dumps([{}]),
+        }
+        result = self.client_patch(
+            "/api/v1/users/me/subscriptions",
+            request,
+            **self.api_auth(email)
+        )
+        self.assert_json_error(result, 'principals[0] is not a string')
+
    def test_bad_delete_parameters(self):
        email = 'hamlet@zulip.com'
        self.login(email)
--- a/zerver/views/init.py
+++ b/zerver/views/init.py
@@ -1641,6 +1641,11 @@ def add_subscriptions_backend(request, user_profile,
                              principals = REQ(converter=json_to_list, default=None),
                              authorization_errors_fatal = REQ(converter=json_to_bool, default=True)):

+    if principals is not None:
+        error = check_list(check_string)('principals', principals)
+        if error:
+            return json_error(error)
+
    stream_names = []
    for stream in streams_raw:
        if not isinstance(stream, dict):