From 9f7fab4213685b5bd60289e3edb8e8d1b74a3073 Mon Sep 17 00:00:00 2001
From: Zixuan James Li
Date: Tue, 22 Aug 2023 18:11:09 -0400
Subject: [PATCH] user_groups: Extract has_user_group_access helper.

Similar to has_message, we can maintain a helper dedicated to managing access to user groups. Future permission related changes should be added here.
---
 zerver/lib/user_groups.py | 43 +++++++++++++++++++++++++--------------
 1 file changed, 28 insertions(+), 15 deletions(-)

diff --git a/zerver/lib/user_groups.py b/zerver/lib/user_groups.py
index f61fe1199d..55b69fe50d 100644
--- a/zerver/lib/user_groups.py
+++ b/zerver/lib/user_groups.py
@@ -28,6 +28,31 @@ class UserGroupDict(TypedDict):
     can_mention_group: int
 
 
+def has_user_group_access(
+    user_group: UserGroup, user_profile: UserProfile, *, for_read: bool
+) -> bool:
+    if for_read and not user_profile.is_guest:
+        # Everyone is allowed to read a user group and check who
+        # are its members. Guests should be unable to reach this
+        # code path, since they can't access user groups API
+        # endpoints, but we check for guests here for defense in
+        # depth.
+        return True
+
+    if user_group.is_system_group:
+        return False
+
+    group_member_ids = get_user_group_direct_member_ids(user_group)
+    if (
+        not user_profile.is_realm_admin
+        and not user_profile.is_moderator
+        and user_profile.id not in group_member_ids
+    ):
+        return False
+
+    return True
+
+
 def access_user_group_by_id(
     user_group_id: int, user_profile: UserProfile, *, for_read: bool
 ) -> UserGroup:
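Review bot: has_user_group_access never checks that `user_group` belongs to `user_profile`'s realm; that is enforced today only by the caller's `UserGroup.objects.get(id=..., realm=user_profile.realm)` lookup in the second hunk, and since the commit message makes this helper the home for future permission logic, any caller that obtains the group another way would get a cross-realm `True` from the `for_read` early return. I would add a guard ahead of that early return, `if user_group.realm_id != user_profile.realm_id: return False` (assuming the usual Django FK `realm_id` attribute, which the `realm=` filter in the caller suggests), so the helper is safe regardless of how the group was fetched. The helper also has no docstring; I would add one stating that any non-guest may read, that system groups are never writable, and that write access otherwise requires realm admin, moderator, or direct membership, noting that membership via subgroups does not count because `get_user_group_direct_member_ids` is used.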
@@ -35,22 +60,10 @@ def access_user_group_by_id(
         user_group = UserGroup.objects.get(id=user_group_id, realm=user_profile.realm)
     except UserGroup.DoesNotExist:
         raise JsonableError(_("Invalid user group"))
-    if for_read and not user_profile.is_guest:
-        # Everyone is allowed to read a user group and check who
-        # are its members. Guests should be unable to reach this
-        # code path, since they can't access user groups API
-        # endpoints, but we check for guests here for defense in
-        # depth.
-        return user_group
-    if user_group.is_system_group:
-        raise JsonableError(_("Insufficient permission"))
-    group_member_ids = get_user_group_direct_member_ids(user_group)
-    if (
-        not user_profile.is_realm_admin
-        and not user_profile.is_moderator
-        and user_profile.id not in group_member_ids
-    ):
+
+    if not has_user_group_access(user_group, user_profile, for_read=for_read):
         raise JsonableError(_("Insufficient permission"))
+
     return user_group