stream_data: Fix code to check permission for unsubscribe others.

We no longer allow admins to unsubscribe others from stream if they are not allowed as per the can_remove_subscribers_group setting.
2025-11-03 13:33:24 +00:00 · 2024-11-19 16:42:44 +05:30
parent f4c00ce053
commit 7c6110e47a
2 changed files with 2 additions and 7 deletions
--- a/web/src/stream_data.ts
+++ b/web/src/stream_data.ts
@@ -565,10 +565,6 @@ export function can_unsubscribe_others(sub: StreamSubscription): boolean {
        return false;
    }

-    if (current_user.is_admin) {
-        return true;
-    }
-
    return user_groups.is_user_in_setting_group(
        sub.can_remove_subscribers_group,
        people.my_current_user_id(),
--- a/web/tests/stream_data.test.cjs
+++ b/web/tests/stream_data.test.cjs
@@ -1187,14 +1187,13 @@ test("can_unsubscribe_others", ({override}) => {
    people.initialize_current_user(member_user_id);
    assert.equal(stream_data.can_unsubscribe_others(sub), true);

-    // Even with the nobody system group, admins can still unsubscribe others.
+    // With the nobody system group, admins cannot unsubscribe others.
    sub.can_remove_subscribers_group = nobody.id;
    override(current_user, "is_admin", true);
-    assert.equal(stream_data.can_unsubscribe_others(sub), true);
-    override(current_user, "is_admin", false);
    assert.equal(stream_data.can_unsubscribe_others(sub), false);

    // This isn't a real state, but we want coverage on !can_view_subscribers.
+    sub.can_remove_subscribers_group = all.id;
    sub.subscribed = false;
    sub.invite_only = true;
    override(current_user, "is_admin", true);