user_groups: Check permission to manage groups based on group setting.

We also add exception for the group creator to manage groups. See https://chat.zulip.org/#narrow/stream/3-backend/topic/Group.20creation.20-.20who.20can.20change.20the.20setting.2E/near/1943861 for more details. For the tests, wherever possible, we've just added an acting_user when creating a group to test. We've also added an acting_user argument to create_user_group_for_test. We will not remove `user_group_edit_policy` yet. That will be removed once we have introduced this setting to the frontend.
2025-10-23 04:52:12 +00:00 · 2024-09-16 17:19:43 +00:00
parent 91953eca28
commit 6e9d56eaf4
5 changed files with 154 additions and 88 deletions
--- a/tools/test-api
+++ b/tools/test-api
@@ -32,10 +32,15 @@ with test_server_running(
    # zerver imports should happen after `django.setup()` is run
    # by the test_server_running decorator.
    from zerver.actions.create_user import do_create_user, do_reactivate_user
-    from zerver.actions.realm_settings import do_deactivate_realm, do_reactivate_realm
+    from zerver.actions.realm_settings import (
+        do_change_realm_permission_group_setting,
+        do_deactivate_realm,
+        do_reactivate_realm,
+    )
    from zerver.actions.users import change_user_is_active
    from zerver.lib.test_helpers import reset_email_visibility_to_everyone_in_zulip_realm
    from zerver.lib.users import get_api_key
+    from zerver.models.groups import NamedUserGroup, SystemGroups
    from zerver.models.realms import get_realm
    from zerver.models.users import get_user
    from zerver.openapi.javascript_examples import test_js_bindings
@@ -55,6 +60,15 @@ with test_server_running(
    email = "iago@zulip.com"  # Iago is an admin
    realm = get_realm("zulip")
    user = get_user(email, realm)
+
+    # Iago needs permission to manage all user groups.
+    admins_group = NamedUserGroup.objects.get(
+        name=SystemGroups.ADMINISTRATORS, realm=realm, is_system_group=True
+    )
+    do_change_realm_permission_group_setting(
+        realm, "can_manage_all_groups", admins_group, acting_user=None
+    )
+
    # Required to test can_create_users endpoints.
    user.can_create_users = True
    user.save(update_fields=["can_create_users"])