paulmataruso/zulip
1
0
Fork 0
mirror of https://github.com/zulip/zulip.git synced 2025-11-02 21:13:36 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
5082182e37a453ce66af41796db43458f6455875
zulip/zerver
History
Sahil Batra 7c2693a2c6 CVE-2023-32677: Check permission to subscribe other users in invites. 
This commit updates the API to check the permission to subscribe other
users while inviting.  The API will error if the user passes the
"stream_ids" parameter (even when it contains only default streams)
and the calling user does not having permission to subscribe others to
streams.

For users who do not have permission to subscribe others, the
invitee will be subscribed to default streams at the time of
accepting the invite.

There is no change for multiuse invites, since only admins are allowed
to send them, and admins always have the permission to subscribe
others to streams.
2023-05-18 21:49:20 +00:00
..
actions
invites: Do not add user to default streams if streams list is empty.
2023-05-12 17:52:57 -07:00
data_import
black: Reformat with Black 23.
2023-04-05 16:07:58 -07:00
integration_fixtures/nagios
lib
requirements: Upgrade Python requirements.
2023-05-15 16:11:36 -07:00
management
python: Import F, Q, QuerySet from their canonical module.
2023-04-05 16:07:58 -07:00
migrations
Fix typos caught by typos.
2023-04-06 09:30:23 -07:00
openapi
requirements: Upgrade Python requirements.
2023-05-15 16:11:36 -07:00
tests
CVE-2023-32677: Check permission to subscribe other users in invites.
2023-05-18 21:49:20 +00:00
tornado
requirements: Upgrade Python requirements.
2023-05-15 16:11:36 -07:00
views
CVE-2023-32677: Check permission to subscribe other users in invites.
2023-05-18 21:49:20 +00:00
webhooks
Fix typos caught by typos.
2023-04-06 09:30:23 -07:00
worker
workers: Rewrite missedmessage_emails with a worker thread.
2023-04-18 15:47:51 -07:00
__init__.py
apps.py
sentry: Initialize sentry in AppConfig ready hook.
2022-09-26 12:42:36 -07:00
context_processors.py
apps: Fix redirect from /apps -> https://zulip.com/apps/.
2022-12-30 17:48:22 -08:00
decorator.py
decorator: Do not send HEAD response with non-empty body.
2023-01-19 11:05:04 -05:00
filters.py
forms.py
ruff: Fix N818 exception name should be named with an Error suffix.
2022-12-06 12:07:06 -08:00
logging_handlers.py
middleware.py
requirements: Upgrade Python requirements.
2023-05-15 16:11:36 -07:00
models.py
python: Import F, Q, QuerySet from their canonical module.
2023-04-05 16:07:58 -07:00
signals.py
requirements: Upgrade to Django 4.0.
2022-07-13 16:07:17 -07:00