tornado: Raise the same error for nonexistent and unauthorized queues.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
2025-11-02 21:13:36 +00:00 · 2022-09-17 12:55:15 -07:00
parent f929050230
commit 7222f3fe2b
4 changed files with 65 additions and 17 deletions
--- a/zerver/tornado/event_queue.py
+++ b/zerver/tornado/event_queue.py
@@ -442,11 +442,19 @@ def add_client_gc_hook(hook: Callable[[int, ClientDescriptor, bool], None]) -> N
    gc_hooks.append(hook)


-def get_client_descriptor(queue_id: str) -> ClientDescriptor:
-    try:
-        return clients[queue_id]
-    except KeyError:
-        raise BadEventQueueIdError(queue_id)
+def access_client_descriptor(user_id: int, queue_id: str) -> ClientDescriptor:
+    client = clients.get(queue_id)
+    if client is not None:
+        if user_id == client.user_profile_id:
+            return client
+        logging.warning(
+            "User %d is not authorized for queue %s (%d via %s)",
+            user_id,
+            queue_id,
+            client.user_profile_id,
+            client.current_client_name,
+        )
+    raise BadEventQueueIdError(queue_id)


 def get_client_descriptors_for_user(user_profile_id: int) -> List[ClientDescriptor]:
@@ -644,9 +652,7 @@ def fetch_events(
        else:
            if last_event_id is None:
                raise JsonableError(_("Missing 'last_event_id' argument"))
-            client = get_client_descriptor(queue_id)
-            if user_profile_id != client.user_profile_id:
-                raise JsonableError(_("You are not authorized to get events from this queue"))
+            client = access_client_descriptor(user_profile_id, queue_id)
            if (
                client.event_queue.newest_pruned_id is not None
                and last_event_id < client.event_queue.newest_pruned_id
--- a/zerver/tornado/views.py
+++ b/zerver/tornado/views.py
@@ -19,8 +19,7 @@ from zerver.lib.validator import (
    to_non_negative_int,
 )
 from zerver.models import Client, UserProfile, get_client, get_user_profile_by_id
-from zerver.tornado.event_queue import fetch_events, get_client_descriptor, process_notification
-from zerver.tornado.exceptions import BadEventQueueIdError
+from zerver.tornado.event_queue import access_client_descriptor, fetch_events, process_notification

 P = ParamSpec("P")
 T = TypeVar("T")
@@ -46,11 +45,7 @@ def notify(
 def cleanup_event_queue(
    request: HttpRequest, user_profile: UserProfile, queue_id: str = REQ()
 ) -> HttpResponse:
-    client = get_client_descriptor(str(queue_id))
-    if client is None:
-        raise BadEventQueueIdError(queue_id)
-    if user_profile.id != client.user_profile_id:
-        raise JsonableError(_("You are not authorized to access this queue"))
+    client = access_client_descriptor(user_profile.id, queue_id)
    log_data = RequestNotes.get_notes(request).log_data
    assert log_data is not None
    log_data["extra"] = f"[{queue_id}]"