Don't let non-subscribers of invite-only streams query the membership.

(imported from commit 01bd8ea089dec96e487e5e82fb38df65703679ae)
2025-11-09 00:18:12 +00:00 · 2013-02-04 17:41:49 -05:00
parent a1506779ca
commit fdb0d15080
2 changed files with 17 additions and 3 deletions
--- a/zephyr/lib/actions.py
+++ b/zephyr/lib/actions.py
@@ -346,6 +346,17 @@ def process_user_activity_event(event):
    query = event["query"]
    return do_update_user_activity(user_profile, client, query, log_time)

+def subscribed_to_stream(user_profile, stream):
+    try:
+        if Subscription.objects.get(user_profile=user_profile,
+                                    active=True,
+                                    recipient__type=Recipient.STREAM,
+                                    recipient__type_id=stream.id):
+            return True
+        return False
+    except Subscription.DoesNotExist:
+        return False
+
 def gather_subscriptions(user_profile):
    # This is a little awkward because the StreamColor table has foreign keys
    # to Subscription, but not vice versa, and not all Subscriptions have a
--- a/zephyr/views.py
+++ b/zephyr/views.py
@@ -20,7 +20,7 @@ from zephyr.lib.actions import do_add_subscription, do_remove_subscription, \
    do_change_full_name, do_change_enable_desktop_notifications, \
    do_activate_user, add_default_subs, do_create_user, do_send_message, \
    log_subscription_property_change, internal_send_message, \
-    create_stream_if_needed, gather_subscriptions
+    create_stream_if_needed, gather_subscriptions, subscribed_to_stream
 from zephyr.forms import RegistrationForm, HomepageForm, ToSForm, is_unique, \
    is_active, isnt_mit
 from django.views.decorators.csrf import csrf_exempt, requires_csrf_token
@@ -951,8 +951,7 @@ def add_subscriptions_backend(request, user_profile,
        stream, created = create_stream_if_needed(user_profile.realm, stream_name, invite_only = invite_only)
        # Users cannot subscribe themselves or other people to an invite-only
        # stream they're not on.
-        if stream.invite_only and not created and \
-                stream.name not in [sub[0] for sub in gather_subscriptions(user_profile)]:
+        if stream.invite_only and not created and not subscribed_to_stream(user_profile, stream):
            return json_error("Unable to join an invite-only stream")

        for subscriber in subscribers:
@@ -1008,6 +1007,10 @@ def get_subscribers_backend(request, user_profile, stream_name=POST('stream')):
    stream = get_stream(stream_name, user_profile.realm)
    if stream is None:
        return json_error("Stream does not exist: %s" % stream_name)
+
+    if stream.invite_only and not subscribed_to_stream(user_profile, stream):
+        return json_error("Unable to retrieve subscribers for invite-only stream")
+
    subscriptions = Subscription.objects.filter(recipient__type=Recipient.STREAM,
                                                recipient__type_id=stream.id,
                                                active=True).select_related()