Move API super users configuration into the database.

(imported from commit 3cc702f93e7252b42930dba4bde93a915b6dbf44)

zerver/lib/actions.py

@@ -1462,12 +1462,13 @@ def do_change_default_all_public_streams(user_profile, value, log=True):
                                 default_all_public_streams=user_profile.default_all_public_streams,)),
                     bot_owner_userids(user_profile))
 
-def do_change_is_admin(user_profile, is_admin):
+def do_change_is_admin(user_profile, is_admin, permission='administer'):
     if is_admin:
-        assign_perm('administer', user_profile, user_profile.realm)
+        assign_perm(permission, user_profile, user_profile.realm)
     else:
-        remove_perm('administer', user_profile, user_profile.realm)
+        remove_perm(permission, user_profile, user_profile.realm)
 
+    if permission == 'administer':
         event = dict(type="realm_user", op="update",
                      person=dict(email=user_profile.email,
                                  is_admin=is_admin))

zerver/management/commands/knight.py

@@ -24,6 +24,11 @@ ONLY perform this on customer request from an authorized person.
                             action="store_false",
                             default=True,
                             help='Remove an administrator\'s rights.')
+        parser.add_argument('--permission',
+                            dest='permission',
+                            action="store",
+                            default='administer',
+                            help='Permission to grant/remove.')
         parser.add_argument('email', metavar='<email>', type=str,
                             help="email of user to knight")
 
@@ -35,21 +40,21 @@ ONLY perform this on customer request from an authorized person.
             raise CommandError("No such user.")
 
         if options['grant']:
-            if profile.has_perm('administer', profile.realm):
+            if profile.has_perm(options['permission'], profile.realm):
                 raise CommandError("User already has permission for this realm.")
             else:
                 if options['ack']:
-                    do_change_is_admin(profile, True)
+                    do_change_is_admin(profile, True, permission=options['permission'])
                     print "Done!"
                 else:
-                    print "Would have made %s an administrator for %s" % (email, profile.realm.domain)
+                    print "Would have granted %s %s rights for %s" % (email, options['permission'], profile.realm.domain)
         else:
-            if profile.has_perm('administer', profile.realm):
+            if profile.has_perm(options['permission'], profile.realm):
                 if options['ack']:
-                    do_change_is_admin(profile, False)
+                    do_change_is_admin(profile, False, permission=options['permission'])
                     print "Done!"
                 else:
-                    print "Would have removed %s's administrator rights on %s" % (email,
+                    print "Would have removed %s's %s rights on %s" % (email, options['permission'],
                             profile.realm.domain)
             else:
                 raise CommandError("User did not have permission for this realm!")

zerver/migrations/0005_auto_20150920_1340.py

@@ -0,0 +1,18 @@
+# -*- coding: utf-8 -*-
+from __future__ import unicode_literals
+
+from django.db import models, migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('zerver', '0004_userprofile_left_side_userlist'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='realm',
+            options={'permissions': (('administer', 'Administer a realm'), ('api_super_user', 'Can send messages as other users for mirroring'))},
+        ),
+    ]

zerver/models.py

@@ -34,8 +34,8 @@ bugdown = None
 MAX_SUBJECT_LENGTH = 60
 MAX_MESSAGE_LENGTH = 10000
 
-def is_super_user(user):
-    return user.email in settings.API_SUPER_USERS
+def is_super_user(user_profile):
+    return user_profile.is_api_super_user()
 
 def is_super_user_api(request):
     return request.user.is_authenticated() and is_super_user(request.user)
@@ -158,6 +158,7 @@ class Realm(models.Model):
     class Meta:
         permissions = (
             ('administer', "Administer a realm"),
+            ('api_super_user', "Can send messages as other users for mirroring"),
         )
 
 post_save.connect(flush_realm, sender=Realm)
@@ -385,6 +386,11 @@ class UserProfile(AbstractBaseUser, PermissionsMixin):
     def is_admin(self):
         return self.has_perm('administer', self.realm)
 
+    def is_api_super_user(self):
+        # TODO: Remove API_SUPER_USERS hack; fixing this will require
+        # setting the email bot as a super user in the provision process.
+        return self.has_perm('api_super_user', self.realm) or self.email in settings.API_SUPER_USERS
+
     def last_reminder_tzaware(self):
         if self.last_reminder is not None and timezone.is_naive(self.last_reminder):
             logging.warning("Loaded a user_profile.last_reminder for user %s that's not tz-aware: %s"

zerver/test_messages.py

@@ -443,6 +443,33 @@ class StreamMessagesTest(AuthedTestCase):
         message = most_recent_message(user_profile)
         assert(UserMessage.objects.get(user_profile=user_profile, message=message).flags.mentioned.is_set)
 
+    def test_stream_message_mirroring(self):
+        from zerver.lib.actions import do_change_is_admin
+        user_profile = get_user_profile_by_email("iago@zulip.com")
+
+        do_change_is_admin(user_profile, True, 'api_super_user')
+        result = self.client.post("/api/v1/send_message", {"type": "stream",
+                                                           "to": "Verona",
+                                                           "sender": "cordelia@zulip.com",
+                                                           "client": "test suite",
+                                                           "subject": "announcement",
+                                                           "content": "Everyone knows Iago rules",
+                                                           "forged": "true",
+                                                           "email": user_profile.email,
+                                                           "api-key": user_profile.api_key})
+        self.assert_json_success(result)
+        do_change_is_admin(user_profile, False, 'api_super_user')
+        result = self.client.post("/api/v1/send_message", {"type": "stream",
+                                                           "to": "Verona",
+                                                           "sender": "cordelia@zulip.com",
+                                                           "client": "test suite",
+                                                           "subject": "announcement",
+                                                           "content": "Everyone knows Iago rules",
+                                                           "forged": "true",
+                                                           "email": user_profile.email,
+                                                           "api-key": user_profile.api_key})
+        self.assert_json_error(result, "User not authorized for this query")
+
     @slow(0.28, 'checks all users')
     def test_message_to_stream(self):
         """

zproject/local_settings.py

@@ -111,14 +111,6 @@ NAGIOS_STAGING_RECEIVE_BOT = 'cordelia@zulip.com'
 # Also used for support email in emails templates
 ZULIP_ADMINISTRATOR = 'support@zulip.com'
 
-# TODO: Store this info in the database
-# Also note -- the email gateway bot is automatically added.
-API_SUPER_USERS = set(["tabbott/extra@mit.edu",
-                       "irc-bot@zulip.com",
-                       "bot1@customer35.invalid",
-                       "bot1@customer36.invalid",
-                       "hipchat-bot@zulip.com",])
-
 ADMINS = (
     ('Zulip Error Reports', 'errors@zulip.com'),
 )