message_fetch: Allow access to web-public msgs for unauth users.

Via API, users can now access messages which are in web-public
streams without any authentication.

If the user is not authenticated, we assume it is a web-public
query and add `streams:web-public` narrow if not already present
to the narrow. web-public streams are also directly accessible.

Any malformed narrow which is not allowed in a web-public query
results in a 400 or 401. See test_message_fetch for the allowed
queries.

zerver/lib/streams.py

@@ -285,6 +285,13 @@ def get_public_streams_queryset(realm: Realm) -> 'QuerySet[Stream]':
     return Stream.objects.filter(realm=realm, invite_only=False,
                                  history_public_to_subscribers=True)
 
+def get_web_public_streams_queryset(realm: Realm) -> 'QuerySet[Stream]':
+    # In theory, is_web_public=True implies invite_only=False and
+    # history_public_to_subscribers=True, but it's safer to include
+    # this in the query.
+    return Stream.objects.filter(realm=realm, deactivated=False, invite_only=False,
+                                 history_public_to_subscribers=True, is_web_public=True)
+
 def get_stream_by_id(stream_id: int) -> Stream:
     error = _("Invalid stream id")
     try: