invites: Lock the realm when determining invitation counts.

This prevents users from hammering the invitation endpoint, causing races, and inviting more users than they should otherwise be allowed to. Doing this requires that we not raise InvitationError when we have partially succeeded; that behaviour is left to the one callsite of do_invite_users. Reported by Lakshit Agarwal (@chiekosec).
2025-11-03 21:43:21 +00:00 · 2024-01-10 21:01:21 +00:00
parent eef5d22944
commit d863aa56de
12 changed files with 263 additions and 206 deletions
--- a/zerver/tests/test_users.py
+++ b/zerver/tests/test_users.py
@@ -897,12 +897,13 @@ class QueryCountTest(ZulipTestCase):
        streams = [get_stream(stream_name, realm) for stream_name in stream_names]

        invite_expires_in_minutes = 4 * 24 * 60
-        do_invite_users(
-            user_profile=self.example_user("hamlet"),
-            invitee_emails=["fred@zulip.com"],
-            streams=streams,
-            invite_expires_in_minutes=invite_expires_in_minutes,
-        )
+        with self.captureOnCommitCallbacks(execute=True):
+            do_invite_users(
+                user_profile=self.example_user("hamlet"),
+                invitee_emails=["fred@zulip.com"],
+                streams=streams,
+                invite_expires_in_minutes=invite_expires_in_minutes,
+            )

        prereg_user = PreregistrationUser.objects.get(email="fred@zulip.com")

@@ -1701,35 +1702,36 @@ class ActivateTest(ZulipTestCase):
        desdemona = self.example_user("desdemona")

        invite_expires_in_minutes = 2 * 24 * 60
-        do_invite_users(
-            iago,
-            ["new1@zulip.com", "new2@zulip.com"],
-            [],
-            invite_expires_in_minutes=invite_expires_in_minutes,
-            invite_as=PreregistrationUser.INVITE_AS["REALM_ADMIN"],
-        )
-        do_invite_users(
-            desdemona,
-            ["new3@zulip.com", "new4@zulip.com"],
-            [],
-            invite_expires_in_minutes=invite_expires_in_minutes,
-            invite_as=PreregistrationUser.INVITE_AS["REALM_ADMIN"],
-        )
+        with self.captureOnCommitCallbacks(execute=True):
+            do_invite_users(
+                iago,
+                ["new1@zulip.com", "new2@zulip.com"],
+                [],
+                invite_expires_in_minutes=invite_expires_in_minutes,
+                invite_as=PreregistrationUser.INVITE_AS["REALM_ADMIN"],
+            )
+            do_invite_users(
+                desdemona,
+                ["new3@zulip.com", "new4@zulip.com"],
+                [],
+                invite_expires_in_minutes=invite_expires_in_minutes,
+                invite_as=PreregistrationUser.INVITE_AS["REALM_ADMIN"],
+            )

-        do_invite_users(
-            iago,
-            ["new5@zulip.com"],
-            [],
-            invite_expires_in_minutes=None,
-            invite_as=PreregistrationUser.INVITE_AS["REALM_ADMIN"],
-        )
-        do_invite_users(
-            desdemona,
-            ["new6@zulip.com"],
-            [],
-            invite_expires_in_minutes=None,
-            invite_as=PreregistrationUser.INVITE_AS["REALM_ADMIN"],
-        )
+            do_invite_users(
+                iago,
+                ["new5@zulip.com"],
+                [],
+                invite_expires_in_minutes=None,
+                invite_as=PreregistrationUser.INVITE_AS["REALM_ADMIN"],
+            )
+            do_invite_users(
+                desdemona,
+                ["new6@zulip.com"],
+                [],
+                invite_expires_in_minutes=None,
+                invite_as=PreregistrationUser.INVITE_AS["REALM_ADMIN"],
+            )

        iago_multiuse_key = do_create_multiuse_invite_link(
            iago, PreregistrationUser.INVITE_AS["MEMBER"], invite_expires_in_minutes