bots: Clean up editing bots impacting non-bot users.

This fixes a bug where the endpoint for editing bot users would allow
an organization administrator to edit the full name of a bot user.

A combination of this and another recently fixed bug made it possible
for this process to set a `bot_owner` for a non-bot user; so we also
include a migration to fix that for any users that might have had our
model invariants corrupted in that way.
Tim Abbott
2018-04-02 18:55:51 -07:00
parent 3d900a733f
commit 758d7b9146
3 changed files with 34 additions and 0 deletions

@@ -172,6 +172,8 @@ def patch_bot_backend(
except UserProfile.DoesNotExist:
return json_error(_('No such user'))
if not bot.is_bot:
return json_error(_('No such bot'))
if not user_profile.can_admin_user(bot):
return json_error(_('Insufficient permission'))
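Review bot: The `if not bot.is_bot:` check returns 'No such bot' before `can_admin_user` runs, while a missing ID returns 'No such user', so a caller with no admin rights over the target can tell from the error string whether an ID belongs to a human account or does not exist. Consider returning the same message in both branches, or folding the `is_bot` condition into the lookup so that a non-bot ID falls through the existing `UserProfile.DoesNotExist` path. It would also help to have a test that calls this endpoint with a human user's ID as an organization administrator and asserts that the request is rejected and the user's full name and `bot_owner` are unchanged, since that is the invariant the commit message says was broken.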