2020-10-22 20:30:35 +02:00
|
|
|
from argparse import ArgumentParser
|
|
|
|
|
from typing import Any
|
|
|
|
|
|
2024-09-09 21:00:11 +02:00
|
|
|
from django.conf import settings
|
2020-10-22 20:30:35 +02:00
|
|
|
from django.core.management.base import CommandError
|
2023-10-12 19:43:45 +02:00
|
|
|
from typing_extensions import override
|
2020-10-22 20:30:35 +02:00
|
|
|
|
2022-04-14 23:48:28 +02:00
|
|
|
from zerver.actions.users import (
|
2024-09-03 21:41:18 +02:00
|
|
|
do_change_can_change_user_emails,
|
2020-12-14 22:02:22 +01:00
|
|
|
do_change_can_create_users,
|
|
|
|
|
do_change_can_forge_sender,
|
2023-11-15 22:30:08 +01:00
|
|
|
do_change_is_billing_admin,
|
2020-12-14 22:02:22 +01:00
|
|
|
do_change_user_role,
|
|
|
|
|
)
|
2024-09-09 21:00:11 +02:00
|
|
|
from zerver.lib.exceptions import JsonableError
|
2020-10-22 20:30:35 +02:00
|
|
|
from zerver.lib.management import ZulipBaseCommand
|
|
|
|
|
from zerver.models import UserProfile
|
|
|
|
|
|
2023-12-14 23:40:34 +01:00
|
|
|
ROLE_CHOICES = [
|
|
|
|
|
"owner",
|
|
|
|
|
"admin",
|
|
|
|
|
"moderator",
|
|
|
|
|
"member",
|
|
|
|
|
"guest",
|
|
|
|
|
"can_forge_sender",
|
|
|
|
|
"can_create_users",
|
2024-09-03 21:41:18 +02:00
|
|
|
"can_change_user_emails",
|
2023-12-14 23:40:34 +01:00
|
|
|
"is_billing_admin",
|
|
|
|
|
]
|
|
|
|
|
|
2020-10-22 20:30:35 +02:00
|
|
|
|
|
|
|
|
class Command(ZulipBaseCommand):
|
|
|
|
|
help = """Change role of an existing user in their (own) Realm.
|
|
|
|
|
|
|
|
|
|
ONLY perform this on customer request from an authorized person.
|
|
|
|
|
"""
|
|
|
|
|
|
2023-10-12 19:43:45 +02:00
|
|
|
@override
|
2020-10-22 20:30:35 +02:00
|
|
|
def add_arguments(self, parser: ArgumentParser) -> None:
|
2021-02-12 08:20:45 +01:00
|
|
|
parser.add_argument("email", metavar="<email>", help="email of user to change role")
|
2021-02-12 08:19:30 +01:00
|
|
|
parser.add_argument(
|
2021-02-12 08:20:45 +01:00
|
|
|
"new_role",
|
|
|
|
|
metavar="<new_role>",
|
2023-12-14 23:40:34 +01:00
|
|
|
choices=ROLE_CHOICES,
|
|
|
|
|
help="new role of the user; choose from " + ", ".join(ROLE_CHOICES),
|
2021-02-12 08:19:30 +01:00
|
|
|
)
|
|
|
|
|
parser.add_argument(
|
2021-02-12 08:20:45 +01:00
|
|
|
"--revoke",
|
|
|
|
|
dest="grant",
|
2021-02-12 08:19:30 +01:00
|
|
|
action="store_false",
|
2021-02-12 08:20:45 +01:00
|
|
|
help="Remove can_forge_sender or can_create_users permission.",
|
2021-02-12 08:19:30 +01:00
|
|
|
)
|
2021-05-10 21:29:25 +02:00
|
|
|
self.add_realm_args(parser, required=True)
|
2020-10-22 20:30:35 +02:00
|
|
|
|
2023-10-12 19:43:45 +02:00
|
|
|
@override
|
2020-10-22 20:30:35 +02:00
|
|
|
def handle(self, *args: Any, **options: Any) -> None:
|
2021-02-12 08:20:45 +01:00
|
|
|
email = options["email"]
|
2020-10-22 20:30:35 +02:00
|
|
|
realm = self.get_realm(options)
|
2024-09-09 21:00:11 +02:00
|
|
|
assert realm is not None
|
2020-10-22 20:30:35 +02:00
|
|
|
user = self.get_user(email, realm)
|
|
|
|
|
|
2021-02-12 08:19:30 +01:00
|
|
|
user_role_map = {
|
2021-02-12 08:20:45 +01:00
|
|
|
"owner": UserProfile.ROLE_REALM_OWNER,
|
|
|
|
|
"admin": UserProfile.ROLE_REALM_ADMINISTRATOR,
|
2021-04-22 22:03:03 +02:00
|
|
|
"moderator": UserProfile.ROLE_MODERATOR,
|
2021-02-12 08:20:45 +01:00
|
|
|
"member": UserProfile.ROLE_MEMBER,
|
|
|
|
|
"guest": UserProfile.ROLE_GUEST,
|
2021-02-12 08:19:30 +01:00
|
|
|
}
|
2020-10-22 20:30:35 +02:00
|
|
|
|
2024-09-03 21:41:18 +02:00
|
|
|
if options["new_role"] not in [
|
|
|
|
|
"can_forge_sender",
|
|
|
|
|
"can_create_users",
|
|
|
|
|
"can_change_user_emails",
|
|
|
|
|
"is_billing_admin",
|
|
|
|
|
]:
|
2021-02-12 08:20:45 +01:00
|
|
|
new_role = user_role_map[options["new_role"]]
|
|
|
|
|
if not options["grant"]:
|
2021-02-12 08:19:30 +01:00
|
|
|
raise CommandError(
|
|
|
|
|
"Revoke not supported with this permission; please specify new role."
|
|
|
|
|
)
|
2020-10-22 20:30:35 +02:00
|
|
|
if new_role == user.role:
|
|
|
|
|
raise CommandError("User already has this role.")
|
2024-09-09 21:00:11 +02:00
|
|
|
if settings.BILLING_ENABLED and user.is_guest:
|
|
|
|
|
from corporate.lib.registration import (
|
|
|
|
|
check_spare_license_available_for_changing_guest_user_role,
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
try:
|
|
|
|
|
check_spare_license_available_for_changing_guest_user_role(realm)
|
|
|
|
|
except JsonableError:
|
|
|
|
|
raise CommandError(
|
|
|
|
|
"This realm does not have enough licenses to change a guest user's role."
|
|
|
|
|
)
|
2020-10-22 20:30:35 +02:00
|
|
|
old_role_name = UserProfile.ROLE_ID_TO_NAME_MAP[user.role]
|
|
|
|
|
do_change_user_role(user, new_role, acting_user=None)
|
|
|
|
|
new_role_name = UserProfile.ROLE_ID_TO_NAME_MAP[user.role]
|
2021-02-12 08:19:30 +01:00
|
|
|
print(
|
|
|
|
|
f"Role for {user.delivery_email} changed from {old_role_name} to {new_role_name}."
|
|
|
|
|
)
|
2020-12-14 22:02:22 +01:00
|
|
|
return
|
|
|
|
|
|
2021-02-12 08:20:45 +01:00
|
|
|
if options["new_role"] == "can_forge_sender":
|
|
|
|
|
if user.can_forge_sender and options["grant"]:
|
2020-12-20 14:21:42 +01:00
|
|
|
raise CommandError("User can already forge messages for this realm.")
|
2021-02-12 08:20:45 +01:00
|
|
|
elif not user.can_forge_sender and not options["grant"]:
|
2020-12-20 14:21:42 +01:00
|
|
|
raise CommandError("User can't forge messages for this realm.")
|
2021-02-12 08:20:45 +01:00
|
|
|
do_change_can_forge_sender(user, options["grant"])
|
2020-12-14 22:02:22 +01:00
|
|
|
|
2021-02-12 08:20:45 +01:00
|
|
|
granted_text = "have" if options["grant"] else "not have"
|
2021-02-12 08:19:30 +01:00
|
|
|
print(
|
|
|
|
|
f"{user.delivery_email} changed to {granted_text} {options['new_role']} permission."
|
|
|
|
|
)
|
2023-11-15 22:30:08 +01:00
|
|
|
elif options["new_role"] == "can_create_users":
|
2021-02-12 08:20:45 +01:00
|
|
|
if user.can_create_users and options["grant"]:
|
2020-12-14 22:02:22 +01:00
|
|
|
raise CommandError("User can already create users for this realm.")
|
2021-02-12 08:20:45 +01:00
|
|
|
elif not user.can_create_users and not options["grant"]:
|
2020-12-14 22:02:22 +01:00
|
|
|
raise CommandError("User can't create users for this realm.")
|
2021-02-12 08:20:45 +01:00
|
|
|
do_change_can_create_users(user, options["grant"])
|
2024-09-03 21:41:18 +02:00
|
|
|
elif options["new_role"] == "can_change_user_emails":
|
|
|
|
|
if user.can_change_user_emails and options["grant"]:
|
|
|
|
|
raise CommandError("User can already change user emails for this realm.")
|
|
|
|
|
elif not user.can_change_user_emails and not options["grant"]:
|
|
|
|
|
raise CommandError("User can't change user emails for this realm.")
|
|
|
|
|
do_change_can_change_user_emails(user, options["grant"])
|
2023-11-15 22:30:08 +01:00
|
|
|
else:
|
|
|
|
|
assert options["new_role"] == "is_billing_admin"
|
|
|
|
|
if user.is_billing_admin and options["grant"]:
|
|
|
|
|
raise CommandError("User already is a billing admin for this realm.")
|
|
|
|
|
elif not user.is_billing_admin and not options["grant"]:
|
|
|
|
|
raise CommandError("User is not a billing admin for this realm.")
|
|
|
|
|
|
|
|
|
|
do_change_is_billing_admin(user, options["grant"])
|
