paulmataruso/zulip
1
0
Fork 0
mirror of https://github.com/zulip/zulip.git synced 2025-11-09 16:37:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

Don't let non-subscribers of invite-only streams query the membership.

Browse Source 
(imported from commit 01bd8ea089dec96e487e5e82fb38df65703679ae)
This commit is contained in:
Jessica McKellar
2013-02-04 17:41:49 -05:00
parent a1506779ca
commit fdb0d15080
2 changed files with 17 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
zephyr/lib/actions.py
View File

@@ -346,6 +346,17 @@ def process_user_activity_event(event):
query = event["query"] query = event["query"]
return do_update_user_activity(user_profile, client, query, log_time) return do_update_user_activity(user_profile, client, query, log_time)
def subscribed_to_stream(user_profile, stream):
try:
if Subscription.objects.get(user_profile=user_profile,
active=True,
recipient__type=Recipient.STREAM,
recipient__type_id=stream.id):
return True
return False
except Subscription.DoesNotExist:
return False
def gather_subscriptions(user_profile): def gather_subscriptions(user_profile):
# This is a little awkward because the StreamColor table has foreign keys # This is a little awkward because the StreamColor table has foreign keys
# to Subscription, but not vice versa, and not all Subscriptions have a # to Subscription, but not vice versa, and not all Subscriptions have a

9
zephyr/views.py
View File

@@ -20,7 +20,7 @@ from zephyr.lib.actions import do_add_subscription, do_remove_subscription, \
do_change_full_name, do_change_enable_desktop_notifications, \ do_change_full_name, do_change_enable_desktop_notifications, \
do_activate_user, add_default_subs, do_create_user, do_send_message, \ do_activate_user, add_default_subs, do_create_user, do_send_message, \
log_subscription_property_change, internal_send_message, \ log_subscription_property_change, internal_send_message, \
create_stream_if_needed, gather_subscriptions create_stream_if_needed, gather_subscriptions, subscribed_to_stream
from zephyr.forms import RegistrationForm, HomepageForm, ToSForm, is_unique, \ from zephyr.forms import RegistrationForm, HomepageForm, ToSForm, is_unique, \
is_active, isnt_mit is_active, isnt_mit
from django.views.decorators.csrf import csrf_exempt, requires_csrf_token from django.views.decorators.csrf import csrf_exempt, requires_csrf_token
@@ -951,8 +951,7 @@ def add_subscriptions_backend(request, user_profile,
stream, created = create_stream_if_needed(user_profile.realm, stream_name, invite_only = invite_only) stream, created = create_stream_if_needed(user_profile.realm, stream_name, invite_only = invite_only)
# Users cannot subscribe themselves or other people to an invite-only # Users cannot subscribe themselves or other people to an invite-only
# stream they're not on. # stream they're not on.
if stream.invite_only and not created and \ if stream.invite_only and not created and not subscribed_to_stream(user_profile, stream):
stream.name not in [sub[0] for sub in gather_subscriptions(user_profile)]:
return json_error("Unable to join an invite-only stream") return json_error("Unable to join an invite-only stream")
for subscriber in subscribers: for subscriber in subscribers:
@@ -1008,6 +1007,10 @@ def get_subscribers_backend(request, user_profile, stream_name=POST('stream')):
stream = get_stream(stream_name, user_profile.realm) stream = get_stream(stream_name, user_profile.realm)
if stream is None: if stream is None:
return json_error("Stream does not exist: %s" % stream_name) return json_error("Stream does not exist: %s" % stream_name)
if stream.invite_only and not subscribed_to_stream(user_profile, stream):
return json_error("Unable to retrieve subscribers for invite-only stream")
subscriptions = Subscription.objects.filter(recipient__type=Recipient.STREAM, subscriptions = Subscription.objects.filter(recipient__type=Recipient.STREAM,
recipient__type_id=stream.id, recipient__type_id=stream.id,
active=True).select_related() active=True).select_related()