spectators: Add comments and assertions on security model.

These tweaks help make reasoning about the spectators security model easier to understand.
2025-11-04 14:03:30 +00:00 · 2020-10-07 17:26:30 +05:30
parent d1d0e484ea
commit dff4ab0daf
2 changed files with 10 additions and 0 deletions
--- a/zerver/views/message_fetch.py
+++ b/zerver/views/message_fetch.py
@@ -965,6 +965,10 @@ def get_messages_backend(
        # cases of web-public queries (where we should return the
        # web-public results only) and clients with buggy
        # authentication code (where we should return an auth error).
+        #
+        # GetOldMessagesTest.test_unauthenticated_* tests ensure
+        # that we are not leaking any secure data (private messages and
+        # non web-public-stream messages) via this path.
        if not is_web_public_narrow(narrow):
            raise MissingAuthenticationError()
        assert narrow is not None