auth: Ensure a realm can't be created on SOCIAL_AUTH_SUBDOMAIN.

2025-11-17 20:41:46 +00:00 · 2021-08-23 15:14:05 +02:00
parent f5b5ca6928
commit f064e3ebac
4 changed files with 16 additions and 0 deletions
--- a/zerver/lib/actions.py
+++ b/zerver/lib/actions.py
@@ -4973,6 +4973,8 @@ def do_create_realm(
    date_created: Optional[datetime.datetime] = None,
    is_demo_organization: Optional[bool] = False,
 ) -> Realm:
+    if string_id == settings.SOCIAL_AUTH_SUBDOMAIN:
+        raise AssertionError("Creating a realm on SOCIAL_AUTH_SUBDOMAIN is not allowed!")
    if Realm.objects.filter(string_id=string_id).exists():
        raise AssertionError(f"Realm {string_id} already exists!")
    if not server_initialized():
--- a/zerver/lib/name_restrictions.py
+++ b/zerver/lib/name_restrictions.py
@@ -1,7 +1,10 @@
 from disposable_email_domains import blacklist
+from django.conf import settings


 def is_reserved_subdomain(subdomain: str) -> bool:
+    if subdomain == settings.SOCIAL_AUTH_SUBDOMAIN:
+        return True
    if subdomain in ZULIP_RESERVED_SUBDOMAINS:
        return True
    if subdomain[-1] == "s" and subdomain[:-1] in ZULIP_RESERVED_SUBDOMAINS:
--- a/zerver/tests/test_realm.py
+++ b/zerver/tests/test_realm.py
@@ -59,6 +59,11 @@ class RealmTest(ZulipTestCase):
                ["INFO:root:Server not yet initialized. Creating the internal realm first."],
            )

+    def test_realm_creation_on_social_auth_subdomain_disallowed(self) -> None:
+        with self.settings(SOCIAL_AUTH_SUBDOMAIN="zulipauth"):
+            with self.assertRaises(AssertionError):
+                do_create_realm("zulipauth", "Test Realm")
+
    def test_do_set_realm_name_caching(self) -> None:
        """The main complicated thing about setting realm names is fighting the
        cache, and we start by populating the cache for Hamlet, and we end
--- a/zerver/tests/test_signup.py
+++ b/zerver/tests/test_signup.py
@@ -3409,6 +3409,12 @@ class RealmCreationTest(ZulipTestCase):
            ["Subdomain can only have lowercase letters, numbers, and '-'s."], result
        )

+        with self.settings(SOCIAL_AUTH_SUBDOMAIN="zulipauth"):
+            result = self.client_get("/json/realm/subdomain/zulipauth")
+            self.assert_in_success_response(
+                ["Subdomain unavailable. Please choose a different one."], result
+            )
+
        result = self.client_get("/json/realm/subdomain/hufflepuff")
        self.assert_in_success_response(["available"], result)
        self.assert_not_in_success_response(["unavailable"], result)