2023-11-19 19:45:19 +01:00
|
|
|
from datetime import datetime
|
2023-06-15 05:24:23 +02:00
|
|
|
from typing import Dict, List, Mapping, Optional, Sequence, TypedDict, Union
|
2022-04-14 23:30:17 +02:00
|
|
|
|
|
|
|
import django.db.utils
|
|
|
|
from django.db import transaction
|
|
|
|
from django.utils.timezone import now as timezone_now
|
|
|
|
from django.utils.translation import gettext as _
|
|
|
|
|
|
|
|
from zerver.lib.exceptions import JsonableError
|
2023-06-12 13:27:47 +02:00
|
|
|
from zerver.lib.user_groups import (
|
|
|
|
get_role_based_system_groups_dict,
|
|
|
|
set_defaults_for_group_settings,
|
|
|
|
)
|
2022-03-01 07:52:47 +01:00
|
|
|
from zerver.models import (
|
|
|
|
GroupGroupMembership,
|
|
|
|
Realm,
|
2022-11-21 05:43:03 +01:00
|
|
|
RealmAuditLog,
|
2023-09-21 13:06:39 +02:00
|
|
|
SystemGroups,
|
2022-03-01 07:52:47 +01:00
|
|
|
UserGroup,
|
|
|
|
UserGroupMembership,
|
|
|
|
UserProfile,
|
|
|
|
)
|
2023-12-15 01:16:00 +01:00
|
|
|
from zerver.models.users import active_user_ids
|
django_api: Extract send_event_on_commit helper.
django-stubs 4.2.1 gives transaction.on_commit a more accurate type
annotation, but this exposed that mypy can’t handle the lambda default
parameters that we use to recapture loop variables such as
for stream_id in public_stream_ids:
peer_user_ids = …
event = …
transaction.on_commit(
lambda event=event, peer_user_ids=peer_user_ids: send_event(
realm, event, peer_user_ids
)
)
https://github.com/python/mypy/issues/15459
A workaround that mypy accepts is
transaction.on_commit(
(
lambda event, peer_user_ids: lambda: send_event(
realm, event, peer_user_ids
)
)(event, peer_user_ids)
)
But that’s kind of ugly and potentially error-prone, so let’s make a
helper function for this very common pattern.
send_event_on_commit(realm, event, peer_user_ids)
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2023-06-17 20:53:07 +02:00
|
|
|
from zerver.tornado.django_api import send_event, send_event_on_commit
|
2022-04-14 23:30:17 +02:00
|
|
|
|
|
|
|
|
2022-07-15 18:10:00 +02:00
|
|
|
class MemberGroupUserDict(TypedDict):
|
|
|
|
id: int
|
|
|
|
role: int
|
2023-11-19 19:45:19 +01:00
|
|
|
date_joined: datetime
|
2022-07-15 18:10:00 +02:00
|
|
|
|
|
|
|
|
2022-12-12 04:17:49 +01:00
|
|
|
@transaction.atomic
|
2022-12-14 06:53:21 +01:00
|
|
|
def create_user_group_in_database(
|
2022-12-12 04:17:49 +01:00
|
|
|
name: str,
|
|
|
|
members: List[UserProfile],
|
|
|
|
realm: Realm,
|
|
|
|
*,
|
|
|
|
acting_user: Optional[UserProfile],
|
|
|
|
description: str = "",
|
2023-06-14 16:48:58 +02:00
|
|
|
group_settings_map: Mapping[str, UserGroup] = {},
|
2022-12-12 04:17:49 +01:00
|
|
|
is_system_group: bool = False,
|
|
|
|
) -> UserGroup:
|
2023-06-12 13:27:47 +02:00
|
|
|
user_group = UserGroup(
|
2022-12-12 04:17:49 +01:00
|
|
|
name=name, realm=realm, description=description, is_system_group=is_system_group
|
|
|
|
)
|
2023-06-12 13:27:47 +02:00
|
|
|
|
2023-06-14 16:48:58 +02:00
|
|
|
for setting_name, setting_value in group_settings_map.items():
|
|
|
|
setattr(user_group, setting_name, setting_value)
|
|
|
|
|
|
|
|
system_groups_name_dict = get_role_based_system_groups_dict(realm)
|
|
|
|
user_group = set_defaults_for_group_settings(
|
|
|
|
user_group, group_settings_map, system_groups_name_dict
|
|
|
|
)
|
2023-06-12 13:27:47 +02:00
|
|
|
user_group.save()
|
|
|
|
|
2022-12-12 04:17:49 +01:00
|
|
|
UserGroupMembership.objects.bulk_create(
|
|
|
|
UserGroupMembership(user_profile=member, user_group=user_group) for member in members
|
|
|
|
)
|
2022-11-21 05:43:03 +01:00
|
|
|
|
|
|
|
creation_time = timezone_now()
|
|
|
|
audit_log_entries = [
|
|
|
|
RealmAuditLog(
|
|
|
|
realm=realm,
|
|
|
|
acting_user=acting_user,
|
|
|
|
event_type=RealmAuditLog.USER_GROUP_CREATED,
|
|
|
|
event_time=creation_time,
|
|
|
|
modified_user_group=user_group,
|
2023-06-05 22:34:52 +02:00
|
|
|
),
|
|
|
|
RealmAuditLog(
|
|
|
|
realm=realm,
|
|
|
|
acting_user=acting_user,
|
|
|
|
event_type=RealmAuditLog.USER_GROUP_GROUP_BASED_SETTING_CHANGED,
|
|
|
|
event_time=creation_time,
|
|
|
|
modified_user_group=user_group,
|
2023-07-13 19:46:06 +02:00
|
|
|
extra_data={
|
|
|
|
RealmAuditLog.OLD_VALUE: None,
|
|
|
|
RealmAuditLog.NEW_VALUE: user_group.can_mention_group.id,
|
|
|
|
"property": "can_mention_group",
|
|
|
|
},
|
2023-06-05 22:34:52 +02:00
|
|
|
),
|
2022-11-21 05:43:03 +01:00
|
|
|
] + [
|
|
|
|
RealmAuditLog(
|
|
|
|
realm=realm,
|
|
|
|
acting_user=acting_user,
|
|
|
|
event_type=RealmAuditLog.USER_GROUP_DIRECT_USER_MEMBERSHIP_ADDED,
|
|
|
|
event_time=creation_time,
|
|
|
|
modified_user=member,
|
|
|
|
modified_user_group=user_group,
|
|
|
|
)
|
|
|
|
for member in members
|
|
|
|
]
|
|
|
|
RealmAuditLog.objects.bulk_create(audit_log_entries)
|
2022-12-12 04:17:49 +01:00
|
|
|
return user_group
|
|
|
|
|
|
|
|
|
2022-04-14 23:30:17 +02:00
|
|
|
@transaction.atomic(savepoint=False)
|
|
|
|
def update_users_in_full_members_system_group(
|
2022-11-21 03:30:07 +01:00
|
|
|
realm: Realm, affected_user_ids: Sequence[int] = [], *, acting_user: Optional[UserProfile]
|
2022-04-14 23:30:17 +02:00
|
|
|
) -> None:
|
|
|
|
full_members_system_group = UserGroup.objects.get(
|
2023-09-21 13:06:39 +02:00
|
|
|
realm=realm, name=SystemGroups.FULL_MEMBERS, is_system_group=True
|
2022-04-14 23:30:17 +02:00
|
|
|
)
|
|
|
|
members_system_group = UserGroup.objects.get(
|
2023-09-21 13:06:39 +02:00
|
|
|
realm=realm, name=SystemGroups.MEMBERS, is_system_group=True
|
2022-04-14 23:30:17 +02:00
|
|
|
)
|
|
|
|
|
2022-07-15 18:10:00 +02:00
|
|
|
full_member_group_users: List[MemberGroupUserDict] = list()
|
|
|
|
member_group_users: List[MemberGroupUserDict] = list()
|
2022-04-14 23:30:17 +02:00
|
|
|
|
|
|
|
if affected_user_ids:
|
|
|
|
full_member_group_users = list(
|
|
|
|
full_members_system_group.direct_members.filter(id__in=affected_user_ids).values(
|
|
|
|
"id", "role", "date_joined"
|
|
|
|
)
|
|
|
|
)
|
|
|
|
member_group_users = list(
|
|
|
|
members_system_group.direct_members.filter(id__in=affected_user_ids).values(
|
|
|
|
"id", "role", "date_joined"
|
|
|
|
)
|
|
|
|
)
|
|
|
|
else:
|
|
|
|
full_member_group_users = list(
|
|
|
|
full_members_system_group.direct_members.all().values("id", "role", "date_joined")
|
|
|
|
)
|
|
|
|
member_group_users = list(
|
|
|
|
members_system_group.direct_members.all().values("id", "role", "date_joined")
|
|
|
|
)
|
|
|
|
|
2022-07-15 18:10:00 +02:00
|
|
|
def is_provisional_member(user: MemberGroupUserDict) -> bool:
|
2022-04-14 23:30:17 +02:00
|
|
|
diff = (timezone_now() - user["date_joined"]).days
|
|
|
|
if diff < realm.waiting_period_threshold:
|
|
|
|
return True
|
|
|
|
return False
|
|
|
|
|
|
|
|
old_full_members = [
|
|
|
|
user
|
|
|
|
for user in full_member_group_users
|
|
|
|
if is_provisional_member(user) or user["role"] != UserProfile.ROLE_MEMBER
|
|
|
|
]
|
|
|
|
|
|
|
|
full_member_group_user_ids = [user["id"] for user in full_member_group_users]
|
|
|
|
members_excluding_full_members = [
|
|
|
|
user for user in member_group_users if user["id"] not in full_member_group_user_ids
|
|
|
|
]
|
|
|
|
|
|
|
|
new_full_members = [
|
|
|
|
user for user in members_excluding_full_members if not is_provisional_member(user)
|
|
|
|
]
|
|
|
|
|
|
|
|
old_full_member_ids = [user["id"] for user in old_full_members]
|
|
|
|
new_full_member_ids = [user["id"] for user in new_full_members]
|
|
|
|
|
|
|
|
if len(old_full_members) > 0:
|
2023-09-29 01:45:53 +02:00
|
|
|
bulk_remove_members_from_user_groups(
|
|
|
|
[full_members_system_group], old_full_member_ids, acting_user=acting_user
|
2022-11-21 04:06:15 +01:00
|
|
|
)
|
2022-04-14 23:30:17 +02:00
|
|
|
|
|
|
|
if len(new_full_members) > 0:
|
2023-09-29 01:45:53 +02:00
|
|
|
bulk_add_members_to_user_groups(
|
|
|
|
[full_members_system_group], new_full_member_ids, acting_user=acting_user
|
2022-11-21 03:48:10 +01:00
|
|
|
)
|
2022-04-14 23:30:17 +02:00
|
|
|
|
|
|
|
|
|
|
|
def promote_new_full_members() -> None:
|
|
|
|
for realm in Realm.objects.filter(deactivated=False).exclude(waiting_period_threshold=0):
|
2022-11-21 03:30:07 +01:00
|
|
|
update_users_in_full_members_system_group(realm, acting_user=None)
|
2022-04-14 23:30:17 +02:00
|
|
|
|
|
|
|
|
2022-02-28 11:50:33 +01:00
|
|
|
def do_send_create_user_group_event(
|
2022-05-17 10:06:02 +02:00
|
|
|
user_group: UserGroup, members: List[UserProfile], direct_subgroups: Sequence[UserGroup] = []
|
2022-02-28 11:50:33 +01:00
|
|
|
) -> None:
|
2022-04-14 23:30:17 +02:00
|
|
|
event = dict(
|
|
|
|
type="user_group",
|
|
|
|
op="add",
|
|
|
|
group=dict(
|
|
|
|
name=user_group.name,
|
|
|
|
members=[member.id for member in members],
|
|
|
|
description=user_group.description,
|
|
|
|
id=user_group.id,
|
|
|
|
is_system_group=user_group.is_system_group,
|
2022-05-17 10:06:02 +02:00
|
|
|
direct_subgroup_ids=[direct_subgroup.id for direct_subgroup in direct_subgroups],
|
2023-07-14 06:50:33 +02:00
|
|
|
can_mention_group=user_group.can_mention_group_id,
|
2022-04-14 23:30:17 +02:00
|
|
|
),
|
|
|
|
)
|
|
|
|
send_event(user_group.realm, event, active_user_ids(user_group.realm_id))
|
|
|
|
|
|
|
|
|
|
|
|
def check_add_user_group(
|
2022-11-21 03:37:11 +01:00
|
|
|
realm: Realm,
|
|
|
|
name: str,
|
|
|
|
initial_members: List[UserProfile],
|
2022-12-14 06:45:55 +01:00
|
|
|
description: str = "",
|
2023-06-14 16:48:58 +02:00
|
|
|
group_settings_map: Mapping[str, UserGroup] = {},
|
2022-11-21 03:37:11 +01:00
|
|
|
*,
|
|
|
|
acting_user: Optional[UserProfile],
|
2022-12-14 06:45:55 +01:00
|
|
|
) -> UserGroup:
|
2022-04-14 23:30:17 +02:00
|
|
|
try:
|
2022-12-14 06:53:21 +01:00
|
|
|
user_group = create_user_group_in_database(
|
2023-06-14 16:48:58 +02:00
|
|
|
name,
|
|
|
|
initial_members,
|
|
|
|
realm,
|
|
|
|
description=description,
|
|
|
|
group_settings_map=group_settings_map,
|
|
|
|
acting_user=acting_user,
|
2022-11-21 03:37:11 +01:00
|
|
|
)
|
2022-04-14 23:30:17 +02:00
|
|
|
do_send_create_user_group_event(user_group, initial_members)
|
2022-12-14 06:45:55 +01:00
|
|
|
return user_group
|
2022-04-14 23:30:17 +02:00
|
|
|
except django.db.utils.IntegrityError:
|
2023-07-17 22:40:33 +02:00
|
|
|
raise JsonableError(_("User group '{group_name}' already exists.").format(group_name=name))
|
2022-04-14 23:30:17 +02:00
|
|
|
|
|
|
|
|
2023-06-15 05:24:23 +02:00
|
|
|
def do_send_user_group_update_event(
|
|
|
|
user_group: UserGroup, data: Dict[str, Union[str, int]]
|
|
|
|
) -> None:
|
2022-04-14 23:30:17 +02:00
|
|
|
event = dict(type="user_group", op="update", group_id=user_group.id, data=data)
|
|
|
|
send_event(user_group.realm, event, active_user_ids(user_group.realm_id))
|
|
|
|
|
|
|
|
|
2023-06-05 22:34:52 +02:00
|
|
|
@transaction.atomic(savepoint=False)
|
2022-11-21 03:43:48 +01:00
|
|
|
def do_update_user_group_name(
|
|
|
|
user_group: UserGroup, name: str, *, acting_user: Optional[UserProfile]
|
|
|
|
) -> None:
|
2022-04-14 23:30:17 +02:00
|
|
|
try:
|
2023-06-05 22:34:52 +02:00
|
|
|
old_value = user_group.name
|
2022-04-14 23:30:17 +02:00
|
|
|
user_group.name = name
|
|
|
|
user_group.save(update_fields=["name"])
|
2023-06-05 22:34:52 +02:00
|
|
|
RealmAuditLog.objects.create(
|
|
|
|
realm=user_group.realm,
|
|
|
|
modified_user_group=user_group,
|
|
|
|
event_type=RealmAuditLog.USER_GROUP_NAME_CHANGED,
|
|
|
|
event_time=timezone_now(),
|
|
|
|
acting_user=acting_user,
|
2023-07-13 19:46:06 +02:00
|
|
|
extra_data={
|
|
|
|
RealmAuditLog.OLD_VALUE: old_value,
|
|
|
|
RealmAuditLog.NEW_VALUE: name,
|
|
|
|
},
|
2023-06-05 22:34:52 +02:00
|
|
|
)
|
2022-04-14 23:30:17 +02:00
|
|
|
except django.db.utils.IntegrityError:
|
2023-07-17 22:40:33 +02:00
|
|
|
raise JsonableError(_("User group '{group_name}' already exists.").format(group_name=name))
|
2022-04-14 23:30:17 +02:00
|
|
|
do_send_user_group_update_event(user_group, dict(name=name))
|
|
|
|
|
|
|
|
|
2023-06-05 22:34:52 +02:00
|
|
|
@transaction.atomic(savepoint=False)
|
2022-11-21 03:45:16 +01:00
|
|
|
def do_update_user_group_description(
|
|
|
|
user_group: UserGroup, description: str, *, acting_user: Optional[UserProfile]
|
|
|
|
) -> None:
|
2023-06-05 22:34:52 +02:00
|
|
|
old_value = user_group.description
|
2022-04-14 23:30:17 +02:00
|
|
|
user_group.description = description
|
|
|
|
user_group.save(update_fields=["description"])
|
2023-06-05 22:34:52 +02:00
|
|
|
RealmAuditLog.objects.create(
|
|
|
|
realm=user_group.realm,
|
|
|
|
modified_user_group=user_group,
|
|
|
|
event_type=RealmAuditLog.USER_GROUP_DESCRIPTION_CHANGED,
|
|
|
|
event_time=timezone_now(),
|
|
|
|
acting_user=acting_user,
|
2023-07-13 19:46:06 +02:00
|
|
|
extra_data={
|
|
|
|
RealmAuditLog.OLD_VALUE: old_value,
|
|
|
|
RealmAuditLog.NEW_VALUE: description,
|
|
|
|
},
|
2023-06-05 22:34:52 +02:00
|
|
|
)
|
2022-04-14 23:30:17 +02:00
|
|
|
do_send_user_group_update_event(user_group, dict(description=description))
|
|
|
|
|
|
|
|
|
|
|
|
def do_send_user_group_members_update_event(
|
|
|
|
event_name: str, user_group: UserGroup, user_ids: List[int]
|
|
|
|
) -> None:
|
|
|
|
event = dict(type="user_group", op=event_name, group_id=user_group.id, user_ids=user_ids)
|
django_api: Extract send_event_on_commit helper.
django-stubs 4.2.1 gives transaction.on_commit a more accurate type
annotation, but this exposed that mypy can’t handle the lambda default
parameters that we use to recapture loop variables such as
for stream_id in public_stream_ids:
peer_user_ids = …
event = …
transaction.on_commit(
lambda event=event, peer_user_ids=peer_user_ids: send_event(
realm, event, peer_user_ids
)
)
https://github.com/python/mypy/issues/15459
A workaround that mypy accepts is
transaction.on_commit(
(
lambda event, peer_user_ids: lambda: send_event(
realm, event, peer_user_ids
)
)(event, peer_user_ids)
)
But that’s kind of ugly and potentially error-prone, so let’s make a
helper function for this very common pattern.
send_event_on_commit(realm, event, peer_user_ids)
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2023-06-17 20:53:07 +02:00
|
|
|
send_event_on_commit(user_group.realm, event, active_user_ids(user_group.realm_id))
|
2022-04-14 23:30:17 +02:00
|
|
|
|
|
|
|
|
|
|
|
@transaction.atomic(savepoint=False)
|
2023-09-29 01:45:53 +02:00
|
|
|
def bulk_add_members_to_user_groups(
|
|
|
|
user_groups: List[UserGroup],
|
|
|
|
user_profile_ids: List[int],
|
|
|
|
*,
|
|
|
|
acting_user: Optional[UserProfile],
|
2022-11-21 03:48:10 +01:00
|
|
|
) -> None:
|
2023-09-29 01:45:53 +02:00
|
|
|
# All intended callers of this function involve a single user
|
|
|
|
# being added to one or more groups, or many users being added to
|
|
|
|
# a single group; but it's easy enough for the implementation to
|
|
|
|
# support both.
|
|
|
|
|
2022-04-14 23:30:17 +02:00
|
|
|
memberships = [
|
|
|
|
UserGroupMembership(user_group_id=user_group.id, user_profile_id=user_id)
|
|
|
|
for user_id in user_profile_ids
|
2023-09-29 01:45:53 +02:00
|
|
|
for user_group in user_groups
|
2022-04-14 23:30:17 +02:00
|
|
|
]
|
|
|
|
UserGroupMembership.objects.bulk_create(memberships)
|
2022-11-21 07:26:34 +01:00
|
|
|
now = timezone_now()
|
|
|
|
RealmAuditLog.objects.bulk_create(
|
|
|
|
RealmAuditLog(
|
|
|
|
realm=user_group.realm,
|
|
|
|
modified_user_id=user_id,
|
|
|
|
modified_user_group=user_group,
|
|
|
|
event_type=RealmAuditLog.USER_GROUP_DIRECT_USER_MEMBERSHIP_ADDED,
|
|
|
|
event_time=now,
|
|
|
|
acting_user=acting_user,
|
|
|
|
)
|
|
|
|
for user_id in user_profile_ids
|
2023-09-29 01:45:53 +02:00
|
|
|
for user_group in user_groups
|
2022-11-21 07:26:34 +01:00
|
|
|
)
|
2022-04-14 23:30:17 +02:00
|
|
|
|
2023-09-29 01:45:53 +02:00
|
|
|
for user_group in user_groups:
|
|
|
|
do_send_user_group_members_update_event("add_members", user_group, user_profile_ids)
|
2022-04-14 23:30:17 +02:00
|
|
|
|
|
|
|
|
|
|
|
@transaction.atomic(savepoint=False)
|
2023-09-29 01:45:53 +02:00
|
|
|
def bulk_remove_members_from_user_groups(
|
|
|
|
user_groups: List[UserGroup],
|
|
|
|
user_profile_ids: List[int],
|
|
|
|
*,
|
|
|
|
acting_user: Optional[UserProfile],
|
2022-11-21 04:06:15 +01:00
|
|
|
) -> None:
|
2023-09-29 01:45:53 +02:00
|
|
|
# All intended callers of this function involve a single user
|
|
|
|
# being added to one or more groups, or many users being added to
|
|
|
|
# a single group; but it's easy enough for the implementation to
|
|
|
|
# support both.
|
|
|
|
|
2022-04-14 23:30:17 +02:00
|
|
|
UserGroupMembership.objects.filter(
|
2023-09-29 01:45:53 +02:00
|
|
|
user_group__in=user_groups, user_profile_id__in=user_profile_ids
|
2022-04-14 23:30:17 +02:00
|
|
|
).delete()
|
2022-11-21 07:26:34 +01:00
|
|
|
now = timezone_now()
|
|
|
|
RealmAuditLog.objects.bulk_create(
|
|
|
|
RealmAuditLog(
|
|
|
|
realm=user_group.realm,
|
|
|
|
modified_user_id=user_id,
|
|
|
|
modified_user_group=user_group,
|
|
|
|
event_type=RealmAuditLog.USER_GROUP_DIRECT_USER_MEMBERSHIP_REMOVED,
|
|
|
|
event_time=now,
|
|
|
|
acting_user=acting_user,
|
|
|
|
)
|
|
|
|
for user_id in user_profile_ids
|
2023-09-29 01:45:53 +02:00
|
|
|
for user_group in user_groups
|
2022-11-21 07:26:34 +01:00
|
|
|
)
|
2022-04-14 23:30:17 +02:00
|
|
|
|
2023-09-29 01:45:53 +02:00
|
|
|
for user_group in user_groups:
|
|
|
|
do_send_user_group_members_update_event("remove_members", user_group, user_profile_ids)
|
2022-04-14 23:30:17 +02:00
|
|
|
|
|
|
|
|
2022-03-01 07:52:47 +01:00
|
|
|
def do_send_subgroups_update_event(
|
|
|
|
event_name: str, user_group: UserGroup, subgroup_ids: List[int]
|
|
|
|
) -> None:
|
|
|
|
event = dict(
|
2022-05-16 17:02:44 +02:00
|
|
|
type="user_group", op=event_name, group_id=user_group.id, direct_subgroup_ids=subgroup_ids
|
2022-03-01 07:52:47 +01:00
|
|
|
)
|
django_api: Extract send_event_on_commit helper.
django-stubs 4.2.1 gives transaction.on_commit a more accurate type
annotation, but this exposed that mypy can’t handle the lambda default
parameters that we use to recapture loop variables such as
for stream_id in public_stream_ids:
peer_user_ids = …
event = …
transaction.on_commit(
lambda event=event, peer_user_ids=peer_user_ids: send_event(
realm, event, peer_user_ids
)
)
https://github.com/python/mypy/issues/15459
A workaround that mypy accepts is
transaction.on_commit(
(
lambda event, peer_user_ids: lambda: send_event(
realm, event, peer_user_ids
)
)(event, peer_user_ids)
)
But that’s kind of ugly and potentially error-prone, so let’s make a
helper function for this very common pattern.
send_event_on_commit(realm, event, peer_user_ids)
Signed-off-by: Anders Kaseorg <anders@zulip.com>
2023-06-17 20:53:07 +02:00
|
|
|
send_event_on_commit(user_group.realm, event, active_user_ids(user_group.realm_id))
|
2022-03-01 07:52:47 +01:00
|
|
|
|
|
|
|
|
|
|
|
@transaction.atomic
|
2022-11-21 04:09:19 +01:00
|
|
|
def add_subgroups_to_user_group(
|
|
|
|
user_group: UserGroup, subgroups: List[UserGroup], *, acting_user: Optional[UserProfile]
|
|
|
|
) -> None:
|
2022-03-01 07:52:47 +01:00
|
|
|
group_memberships = [
|
|
|
|
GroupGroupMembership(supergroup=user_group, subgroup=subgroup) for subgroup in subgroups
|
|
|
|
]
|
|
|
|
GroupGroupMembership.objects.bulk_create(group_memberships)
|
|
|
|
|
|
|
|
subgroup_ids = [subgroup.id for subgroup in subgroups]
|
2022-12-12 03:29:10 +01:00
|
|
|
now = timezone_now()
|
2022-12-12 03:29:10 +01:00
|
|
|
audit_log_entries = [
|
|
|
|
RealmAuditLog(
|
|
|
|
realm=user_group.realm,
|
|
|
|
modified_user_group=user_group,
|
|
|
|
event_type=RealmAuditLog.USER_GROUP_DIRECT_SUBGROUP_MEMBERSHIP_ADDED,
|
|
|
|
event_time=now,
|
|
|
|
acting_user=acting_user,
|
2023-07-13 19:46:06 +02:00
|
|
|
extra_data={"subgroup_ids": subgroup_ids},
|
2023-07-31 22:52:35 +02:00
|
|
|
),
|
|
|
|
*(
|
2022-12-12 03:29:10 +01:00
|
|
|
RealmAuditLog(
|
|
|
|
realm=user_group.realm,
|
|
|
|
modified_user_group_id=subgroup_id,
|
|
|
|
event_type=RealmAuditLog.USER_GROUP_DIRECT_SUPERGROUP_MEMBERSHIP_ADDED,
|
|
|
|
event_time=now,
|
|
|
|
acting_user=acting_user,
|
2023-07-13 19:46:06 +02:00
|
|
|
extra_data={"supergroup_ids": [user_group.id]},
|
2022-12-12 03:29:10 +01:00
|
|
|
)
|
2023-07-31 22:52:35 +02:00
|
|
|
for subgroup_id in subgroup_ids
|
|
|
|
),
|
|
|
|
]
|
2022-12-12 03:29:10 +01:00
|
|
|
RealmAuditLog.objects.bulk_create(audit_log_entries)
|
2022-12-12 03:29:10 +01:00
|
|
|
|
2022-03-01 07:52:47 +01:00
|
|
|
do_send_subgroups_update_event("add_subgroups", user_group, subgroup_ids)
|
|
|
|
|
|
|
|
|
|
|
|
@transaction.atomic
|
2022-11-21 04:10:48 +01:00
|
|
|
def remove_subgroups_from_user_group(
|
|
|
|
user_group: UserGroup, subgroups: List[UserGroup], *, acting_user: Optional[UserProfile]
|
|
|
|
) -> None:
|
2022-03-01 07:52:47 +01:00
|
|
|
GroupGroupMembership.objects.filter(supergroup=user_group, subgroup__in=subgroups).delete()
|
|
|
|
|
|
|
|
subgroup_ids = [subgroup.id for subgroup in subgroups]
|
2022-12-12 03:29:10 +01:00
|
|
|
now = timezone_now()
|
2022-12-12 03:29:10 +01:00
|
|
|
audit_log_entries = [
|
|
|
|
RealmAuditLog(
|
|
|
|
realm=user_group.realm,
|
|
|
|
modified_user_group=user_group,
|
|
|
|
event_type=RealmAuditLog.USER_GROUP_DIRECT_SUBGROUP_MEMBERSHIP_REMOVED,
|
|
|
|
event_time=now,
|
|
|
|
acting_user=acting_user,
|
2023-07-13 19:46:06 +02:00
|
|
|
extra_data={"subgroup_ids": subgroup_ids},
|
2023-07-31 22:52:35 +02:00
|
|
|
),
|
|
|
|
*(
|
2022-12-12 03:29:10 +01:00
|
|
|
RealmAuditLog(
|
|
|
|
realm=user_group.realm,
|
|
|
|
modified_user_group_id=subgroup_id,
|
|
|
|
event_type=RealmAuditLog.USER_GROUP_DIRECT_SUPERGROUP_MEMBERSHIP_REMOVED,
|
|
|
|
event_time=now,
|
|
|
|
acting_user=acting_user,
|
2023-07-13 19:46:06 +02:00
|
|
|
extra_data={"supergroup_ids": [user_group.id]},
|
2022-12-12 03:29:10 +01:00
|
|
|
)
|
2023-07-31 22:52:35 +02:00
|
|
|
for subgroup_id in subgroup_ids
|
|
|
|
),
|
|
|
|
]
|
2022-12-12 03:29:10 +01:00
|
|
|
RealmAuditLog.objects.bulk_create(audit_log_entries)
|
2022-12-12 03:29:10 +01:00
|
|
|
|
2022-03-01 07:52:47 +01:00
|
|
|
do_send_subgroups_update_event("remove_subgroups", user_group, subgroup_ids)
|
|
|
|
|
|
|
|
|
2022-04-14 23:30:17 +02:00
|
|
|
def do_send_delete_user_group_event(realm: Realm, user_group_id: int, realm_id: int) -> None:
|
|
|
|
event = dict(type="user_group", op="remove", group_id=user_group_id)
|
|
|
|
send_event(realm, event, active_user_ids(realm_id))
|
|
|
|
|
|
|
|
|
user_groups: Make locks required for updating user group memberships.
**Background**
User groups are expected to comply with the DAG constraint for the
many-to-many inter-group membership. The check for this constraint has
to be performed recursively so that we can find all direct and indirect
subgroups of the user group to be added.
This kind of check is vulnerable to phantom reads which is possible at
the default read committed isolation level because we cannot guarantee
that the check is still valid when we are adding the subgroups to the
user group.
**Solution**
To avoid having another transaction concurrently update one of the
to-be-subgroup after the recursive check is done, and before the subgroup
is added, we use SELECT FOR UPDATE to lock the user group rows.
The lock needs to be acquired before a group membership change is about
to occur before any check has been conducted.
Suppose that we are adding subgroup B to supergroup A, the locking protocol
is specified as follows:
1. Acquire a lock for B and all its direct and indirect subgroups.
2. Acquire a lock for A.
For the removal of user groups, we acquire a lock for the user group to
be removed with all its direct and indirect subgroups. This is the special
case A=B, which is still complaint with the protocol.
**Error handling**
We currently rely on Postgres' deadlock detection to abort transactions
and show an error for the users. In the future, we might need some
recovery mechanism or at least better error handling.
**Notes**
An important note is that we need to reuse the recursive CTE query that
finds the direct and indirect subgroups when applying the lock on the
rows. And the lock needs to be acquired the same way for the addition and
removal of direct subgroups.
User membership change (as opposed to user group membership) is not
affected. Read-only queries aren't either. The locks only protect
critical regions where the user group dependency graph might violate
the DAG constraint, where users are not participating.
**Testing**
We implement a transaction test case targeting some typical scenarios
when an internal server error is expected to happen (this means that the
user group view makes the correct decision to abort the transaction when
something goes wrong with locks).
To achieve this, we add a development view intended only for unit tests.
It has a global BARRIER that can be shared across threads, so that we
can synchronize them to consistently reproduce certain potential race
conditions prevented by the database locks.
The transaction test case lanuches pairs of threads initiating possibly
conflicting requests at the same time. The tests are set up such that exactly N
of them are expected to succeed with a certain error message (while we don't
know each one).
**Security notes**
get_recursive_subgroups_for_groups will no longer fetch user groups from
other realms. As a result, trying to add/remove a subgroup from another
realm results in a UserGroup not found error response.
We also implement subgroup-specific checks in has_user_group_access to
keep permission managing in a single place. Do note that the API
currently don't have a way to violate that check because we are only
checking the realm ID now.
2023-06-17 04:39:52 +02:00
|
|
|
def check_delete_user_group(user_group: UserGroup, *, acting_user: UserProfile) -> None:
|
|
|
|
user_group_id = user_group.id
|
2022-04-14 23:30:17 +02:00
|
|
|
user_group.delete()
|
2023-06-17 04:30:12 +02:00
|
|
|
do_send_delete_user_group_event(acting_user.realm, user_group_id, acting_user.realm.id)
|
2023-06-15 05:24:23 +02:00
|
|
|
|
|
|
|
|
2023-06-05 22:34:52 +02:00
|
|
|
@transaction.atomic(savepoint=False)
|
2023-06-15 05:24:23 +02:00
|
|
|
def do_change_user_group_permission_setting(
|
|
|
|
user_group: UserGroup,
|
|
|
|
setting_name: str,
|
|
|
|
setting_value_group: UserGroup,
|
|
|
|
*,
|
|
|
|
acting_user: Optional[UserProfile],
|
|
|
|
) -> None:
|
2023-06-05 22:34:52 +02:00
|
|
|
old_value = getattr(user_group, setting_name)
|
2023-06-15 05:24:23 +02:00
|
|
|
setattr(user_group, setting_name, setting_value_group)
|
|
|
|
user_group.save()
|
2023-06-05 22:34:52 +02:00
|
|
|
RealmAuditLog.objects.create(
|
|
|
|
realm=user_group.realm,
|
|
|
|
acting_user=acting_user,
|
|
|
|
event_type=RealmAuditLog.USER_GROUP_GROUP_BASED_SETTING_CHANGED,
|
|
|
|
event_time=timezone_now(),
|
|
|
|
modified_user_group=user_group,
|
2023-07-13 19:46:06 +02:00
|
|
|
extra_data={
|
|
|
|
RealmAuditLog.OLD_VALUE: old_value.id,
|
|
|
|
RealmAuditLog.NEW_VALUE: setting_value_group.id,
|
|
|
|
"property": setting_name,
|
|
|
|
},
|
2023-06-05 22:34:52 +02:00
|
|
|
)
|
2023-06-15 05:24:23 +02:00
|
|
|
|
2023-07-14 06:50:33 +02:00
|
|
|
event_data_dict: Dict[str, Union[str, int]] = {setting_name: setting_value_group.id}
|
2023-06-15 05:24:23 +02:00
|
|
|
do_send_user_group_update_event(user_group, event_data_dict)
|