paulmataruso/zulip
1
0
Fork 0
mirror of https://github.com/zulip/zulip.git synced 2025-11-12 18:06:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

user_groups: Add access_user_group_to_read_membership.

Browse Source 
This commit adds access_user_group_to_read_membership function
so that we can avoid calling get_user_group_by_id_in_realm with
"for_read=True" from views functions, which is better for security
since that function does not do any access checks.
This commit is contained in:
Sahil Batra
2024-10-01 12:25:12 +05:30
committed by Tim Abbott
parent 096fea48a0
commit c1973d2263
2 changed files with 8 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
zerver/lib/user_groups.py
View File

@@ -125,6 +125,10 @@ def get_user_group_by_id_in_realm(
raise JsonableError(_("Invalid user group"))
def access_user_group_to_read_membership(user_group_id: int, realm: Realm) -> NamedUserGroup:
return get_user_group_by_id_in_realm(user_group_id, realm, for_read=True)
def check_permission_for_managing_all_groups(
user_group: UserGroup, user_profile: UserProfile
) -> bool:

8
zerver/views/user_groups.py
View File

@@ -28,11 +28,11 @@ from zerver.lib.user_groups import (
access_user_group_for_deactivation,
access_user_group_for_setting,
access_user_group_for_update,
access_user_group_to_read_membership,
check_user_group_name,
get_direct_memberships_of_users,
get_group_setting_value_for_api,
get_subgroup_ids,
get_user_group_by_id_in_realm,
get_user_group_direct_member_ids,
get_user_group_member_ids,
is_user_in_group,
@@ -448,7 +448,7 @@ def get_is_user_group_member(
user_id: PathOnly[Json[int]],
direct_member_only: Json[bool] = False,
) -> HttpResponse:
user_group = get_user_group_by_id_in_realm(user_group_id, user_profile.realm, for_read=True)
user_group = access_user_group_to_read_membership(user_group_id, user_profile.realm)
target_user = access_user_by_id(user_profile, user_id, for_admin=False)
return json_success(
@@ -470,7 +470,7 @@ def get_user_group_members(
user_group_id: PathOnly[Json[int]],
direct_member_only: Json[bool] = False,
) -> HttpResponse:
user_group = get_user_group_by_id_in_realm(user_group_id, user_profile.realm, for_read=True)
user_group = access_user_group_to_read_membership(user_group_id, user_profile.realm)
return json_success(
request,
@@ -489,7 +489,7 @@ def get_subgroups_of_user_group(
user_group_id: PathOnly[Json[int]],
direct_subgroup_only: Json[bool] = False,
) -> HttpResponse:
user_group = get_user_group_by_id_in_realm(user_group_id, user_profile.realm, for_read=True)
user_group = access_user_group_to_read_membership(user_group_id, user_profile.realm)
return json_success(
request,