From bb0b6900df8a10d8b9df638c07f28ba069d05932 Mon Sep 17 00:00:00 2001
From: Ujjawal Modi
Date: Mon, 17 Jul 2023 12:50:50 +0530
Subject: [PATCH] user_groups: Add a decorator to check group creation permission.

Earlier there was a single decorator function to check whether user can create and edit user groups. This commit adds a new decorator function to check whether user has permissions to create user groups. This was done because in future commits we will be adding a realm level setting for configuring who can create user groups.
---
 zerver/decorator.py | 19 +++++++++++++++++++
 zerver/models/users.py | 3 +++
 zerver/views/user_groups.py | 8 ++++++--
 3 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/zerver/decorator.py b/zerver/decorator.py
index 4e7f987112..2b4da1adc5 100644
--- a/zerver/decorator.py
+++ b/zerver/decorator.py
@@ -677,6 +677,25 @@ def require_user_group_edit_permission(
 return _wrapped_view_func
+def require_user_group_create_permission(
+ view_func: Callable[Concatenate[HttpRequest, UserProfile, ParamT], HttpResponse],
+) -> Callable[Concatenate[HttpRequest, UserProfile, ParamT], HttpResponse]:
+ @require_member_or_admin
+ @wraps(view_func)
+ def _wrapped_view_func(
+ request: HttpRequest,
+ user_profile: UserProfile,
+ /,
+ *args: ParamT.args,
+ **kwargs: ParamT.kwargs,
+ ) -> HttpResponse:
+ if not user_profile.can_create_user_groups():
+ raise JsonableError(_("Insufficient permission"))
+ return view_func(request, user_profile, *args, **kwargs)
+
+ return _wrapped_view_func
+
+
 # This API endpoint is used only for the mobile apps. It is part of a
 # workaround for the fact that React Native doesn't support setting
 # HTTP basic authentication headers.
diff --git a/zerver/models/users.py b/zerver/models/users.py
index 390000f39d..7bc6717e3a 100644
--- a/zerver/models/users.py
+++ b/zerver/models/users.py
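Review bot: In zerver/decorator.py the new `require_user_group_create_permission` is an authorization gate with no docstring, so a reader auditing who may reach a view has to read the wrapper body to learn what it enforces. A one-line docstring under the signature would do, e.g. `"""Reject the request unless user_profile.can_create_user_groups() is true; stacked on require_member_or_admin."""`. The context line at the top of the hunk suggests the edit-permission decorator directly above has the same shape; if it does, a shared private helper that takes the predicate would keep the two checks from drifting apart, though that decorator's body is outside this hunk.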
@@ -844,6 +844,9 @@ class UserProfile(AbstractBaseUser, PermissionsMixin, UserBaseSettings):
 def can_move_messages_between_streams(self) -> bool:
 return self.has_permission("move_messages_between_streams_policy")
+ def can_create_user_groups(self) -> bool:
+ return self.has_permission("user_group_edit_policy")
+
 def can_edit_user_groups(self) -> bool:
 return self.has_permission("user_group_edit_policy")
diff --git a/zerver/views/user_groups.py b/zerver/views/user_groups.py
index c0d084ca47..5a23a4de4c 100644
--- a/zerver/views/user_groups.py
+++ b/zerver/views/user_groups.py
@@ -17,7 +17,11 @@ from zerver.actions.user_groups import (
 do_update_user_group_name,
 remove_subgroups_from_user_group,
 )
-from zerver.decorator import require_member_or_admin, require_user_group_edit_permission
+from zerver.decorator import (
+ require_member_or_admin,
+ require_user_group_create_permission,
+ require_user_group_edit_permission,
+)
 from zerver.lib.exceptions import JsonableError
 from zerver.lib.mention import MentionBackend, silent_mention_syntax_for_user
 from zerver.lib.response import json_success
@@ -46,7 +50,7 @@ from zerver.views.streams import compose_views
 @transaction.atomic(durable=True)
-@require_user_group_edit_permission
+@require_user_group_create_permission
 @typed_endpoint
 def add_user_group(
 request: HttpRequest,
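Review bot: In zerver/models/users.py, `can_create_user_groups` reads the same `"user_group_edit_policy"` key as `can_edit_user_groups` directly below it, so after this commit the create gate and the edit gate accept exactly the same users. The commit message says a separate realm setting is planned, but nothing in the code records that. I would add a comment above the return, such as `# Shares user_group_edit_policy until a dedicated creation setting exists.`, so the shared key is not mistaken for a finished, independent policy. The UserProfile class starts and ends outside the hunk.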
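Review bot: No test accompanies the new gate on `add_user_group` in zerver/views/user_groups.py: the diffstat lists only the three source files, while the decorator line above `@typed_endpoint` now decides who may create groups. A test that calls the endpoint as a user for whom `can_create_user_groups()` is false and ends with `self.assert_json_error(result, "Insufficient permission")` would pin the denial path before the planned setting lets the create and edit policies diverge. `add_user_group` continues past the end of the hunk, so the rest of its signature and body are not visible here.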