message_fetch: Allow access to web-public msgs for unauth users.

Via API, users can now access messages which are in web-public
streams without any authentication.

If the user is not authenticated, we assume it is a web-public
query and add the `streams:web-public` term to the narrow if it is
not already present. web-public streams are also directly accessible.

Any malformed narrow which is not allowed in a web-public query
results in a 400 or 401. See test_message_fetch for the allowed
queries.
Aman Agrawal
2020-08-04 23:03:43 +05:30
committed by Tim Abbott
parent 28b43b4edc
commit 9f9daeea5b
6 changed files with 322 additions and 43 deletions


@@ -23,7 +23,7 @@ def check_supported_events_narrow_filter(narrow: Iterable[Sequence[str]]) -> Non
if operator not in ["stream", "topic", "sender", "is"]:
raise JsonableError(_("Operator {} not supported.").format(operator))
def is_web_public_compatible(narrow: Iterable[Dict[str, str]]) -> bool:
def is_web_public_compatible(narrow: Iterable[Dict[str, Any]]) -> bool:
for element in narrow:
operator = element['operator']
if 'operand' not in element:
@@ -32,6 +32,18 @@ def is_web_public_compatible(narrow: Iterable[Dict[str, str]]) -> bool:
return False
return True
def is_web_public_narrow(narrow: Optional[Iterable[Dict[str, Any]]]) -> bool:
if narrow is None:
return False
for term in narrow:
# Web public queries are only allowed for limited types of narrows.
# term == {'operator': 'streams', 'operand': 'web-public', 'negated': False}
if term['operator'] == 'streams' and term['operand'] == 'web-public' and term['negated'] is False:
return True
return False
def build_narrow_filter(narrow: Iterable[Sequence[str]]) -> Callable[[Mapping[str, Any]], bool]:
"""Changes to this function should come with corresponding changes to
BuildNarrowFilterTest."""
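Review bot: `is_web_public_narrow` returns True as soon as it finds one non-negated `streams:web-public` term and never inspects the remaining terms, so by itself it does not show that an unauthenticated query is confined to web-public data. The in-body comment ("only allowed for limited types of narrows") reads as if it did. The restriction presumably comes from the caller also checking `is_web_public_compatible`, which is not visible in this section. I would add a docstring that states the contract, e.g. `"""Return True if narrow contains a non-negated streams:web-public term; does not validate the other terms, so callers must also check is_web_public_compatible."""`. Separately, `term['negated']` raises KeyError for a term without that key, so unless every term is normalized before this call, a malformed narrow would surface as a server error rather than the 400/401 the commit message describes.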