emoji: Make uploading new realm emoji inaccessible for guest users.

2025-11-09 16:37:23 +00:00 · 2018-06-08 19:00:44 +05:30
parent 596ce5b60f
commit d40c2bb166
5 changed files with 28 additions and 3 deletions
--- a/static/js/admin.js
+++ b/static/js/admin.js
@@ -56,7 +56,7 @@ exports.setup_page = function () {
        realm_name_changes_disabled: page_params.realm_name_changes_disabled,
        realm_email_changes_disabled: page_params.realm_email_changes_disabled,
        realm_add_emoji_by_admins_only: page_params.realm_add_emoji_by_admins_only,
-        can_admin_emojis: page_params.is_admin || !page_params.realm_add_emoji_by_admins_only,
+        can_add_emojis: settings_emoji.can_add_emoji(),
        realm_allow_community_topic_editing: page_params.realm_allow_community_topic_editing,
        realm_message_content_edit_limit_minutes:
            settings_org.get_realm_time_limits_in_minutes('realm_message_content_edit_limit_seconds'),
--- a/static/js/settings_emoji.js
+++ b/static/js/settings_emoji.js
@@ -6,6 +6,19 @@ var meta = {
    loaded: false,
 };

+exports.can_add_emoji = function () {
+    if (page_params.is_guest) {
+        return false;
+    }
+
+    if (page_params.is_admin) {
+        return true;
+    }
+
+    // for normal users, we depend on the setting
+    return !page_params.realm_add_emoji_by_admins_only;
+};
+
 function can_admin_emoji(emoji) {
    if (page_params.is_admin) {
        return true;
--- a/static/templates/settings/emoji-settings-admin.handlebars
+++ b/static/templates/settings/emoji-settings-admin.handlebars
@@ -1,8 +1,10 @@
-<div id="emoji-settings" data-name="emoji-settings" class="settings-section {{#if can_admin_emojis}}can-edit{{/if}}">
+<div id="emoji-settings" data-name="emoji-settings" class="settings-section {{#if can_add_emojis}}can-edit{{/if}}">
    <div class="emoji-settings-tip-container">
+        {{#unless is_guest}}
        {{partial "emoji-settings-tip"}}
+        {{/unless}}
    </div>
-    <form class="form-horizontal admin-emoji-form {{#unless can_admin_emojis}}hide{{/unless}}">
+    <form class="form-horizontal admin-emoji-form {{#unless can_add_emojis}}hide{{/unless}}">
        <div class="add-new-emoji-box grey-box">
            <div class="new-emoji-form">
                <div class="settings-section-title new-emoji-section-title no-padding">{{t "Add a new emoji" }}</div>
--- a/zerver/tests/test_realm_emoji.py
+++ b/zerver/tests/test_realm_emoji.py
@@ -129,6 +129,14 @@ class RealmEmojiTest(ZulipTestCase):
            result = self.client_post('/json/realm/emoji/my_emoji', info=emoji_data)
        self.assert_json_success(result)

+    def test_emoji_upload_by_guest_user(self) -> None:
+        email = self.example_email('polonius')
+        self.login(email)
+        with get_test_image_file('img.png') as fp1:
+            emoji_data = {'f1': fp1}
+            result = self.client_post('/json/realm/emoji/my_emoji', info=emoji_data)
+        self.assert_json_error(result, 'Not allowed for guest users')
+
    def test_delete(self) -> None:
        emoji_author = self.example_user('iago')
        self.login(emoji_author.email)
--- a/zerver/views/realm_emoji.py
+++ b/zerver/views/realm_emoji.py
@@ -8,6 +8,7 @@ from zerver.lib.emoji import check_emoji_admin, check_valid_emoji_name, check_va
 from zerver.lib.request import JsonableError, REQ, has_request_variables
 from zerver.lib.response import json_success, json_error
 from zerver.lib.actions import check_add_realm_emoji, do_remove_realm_emoji
+from zerver.decorator import require_non_guest_human_user


 def list_emoji(request: HttpRequest, user_profile: UserProfile) -> HttpResponse:
@@ -17,6 +18,7 @@ def list_emoji(request: HttpRequest, user_profile: UserProfile) -> HttpResponse:
    return json_success({'emoji': user_profile.realm.get_emoji()})


+@require_non_guest_human_user
@has_request_variables
 def upload_emoji(request: HttpRequest, user_profile: UserProfile,
                 emoji_name: str=REQ()) -> HttpResponse: