settings: Add can_manage_all_groups setting to realm.

This commit does not add the logic of using this setting to actually
check the permission on the backend. That will be done in a later
commit.
Only owners can modify this setting, but we will add that logic in a
later commit in order to keep changes in this commit minimal.
Adding the setting breaks the frontend, since the frontend tries to find
a dropdown widget for the setting automatically. To avoid this, we've
added a small temporary if statement to `settings_org.js`.
Although, most lists where we insert this setting follow an unofficial
alphabetical order, `can_manage_all_groups` has been bunched together
with `can_create_groups` since keeping those similar settings together
would be nicer when checking any code related to creating/managing a
user group.

api_docs/changelog.md

@@ -26,6 +26,10 @@ format used by the Zulip server that they are interacting with.
   [`GET /events`](/api/get-events): Added `can_create_groups`
   realm setting, which is a [group-setting value](/api/group-setting-values)
   describing the set of users with permission to create user groups.
+* `PATCH /realm`, [`POST /register`](/api/register-queue),
+  [`GET /events`](/api/get-events): Added `can_manage_all_groups`
+  realm setting, which is a [group-setting value](/api/group-setting-values)
+  describing the set of users with permission to manage all user groups.
 
 **Feature level 298**
 

web/src/settings_org.js

@@ -845,6 +845,12 @@ export function set_up_dropdown_widget_for_realm_group_settings() {
             dropdown_list_item_click_callback = check_disable_message_delete_limit_setting_dropdown;
         }
 
+        if (setting_name === "can_manage_all_groups") {
+            // Temporarily skip this setting until further commits
+            // where this setting will be ready to use.
+            continue;
+        }
+
         set_up_dropdown_widget(
             "realm_" + setting_name,
             get_setting_options,

zerver/lib/event_schema.py

@@ -1075,6 +1075,7 @@ group_setting_update_data_type = DictType(
         ("create_multiuse_invite_group", int),
         ("can_access_all_users_group", int),
         ("can_create_groups", group_setting_type),
+        ("can_manage_all_groups", group_setting_type),
         ("can_create_public_channel_group", group_setting_type),
         ("can_create_private_channel_group", group_setting_type),
         ("can_create_web_public_channel_group", group_setting_type),

zerver/migrations/0591_realm_add_can_manage_all_groups.py

@@ -0,0 +1,23 @@
+# Generated by Django 5.0.8 on 2024-09-13 14:34
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("zerver", "0590_alter_realm_can_create_groups"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="realm",
+            name="can_manage_all_groups",
+            field=models.ForeignKey(
+                null=True,
+                on_delete=django.db.models.deletion.RESTRICT,
+                related_name="+",
+                to="zerver.usergroup",
+            ),
+        )
+    ]

zerver/migrations/0592_set_can_manage_all_groups.py

@@ -0,0 +1,55 @@
+# Generated by Django 5.0.8 on 2024-09-05 06:11
+
+from django.db import migrations
+from django.db.backends.base.schema import BaseDatabaseSchemaEditor
+from django.db.migrations.state import StateApps
+from django.db.models import OuterRef
+
+
+def set_can_manage_all_groups_for_existing_realms(
+    apps: StateApps, schema_editor: BaseDatabaseSchemaEditor
+) -> None:
+    Realm = apps.get_model("zerver", "Realm")
+    NamedUserGroup = apps.get_model("zerver", "NamedUserGroup")
+
+    MEMBERS_ONLY = 1
+    ADMINS_ONLY = 2
+    FULL_MEMBERS_ONLY = 3
+    MODERATORS_ONLY = 4
+
+    Realm.objects.filter(can_manage_all_groups=None, user_group_edit_policy=MEMBERS_ONLY).update(
+        can_manage_all_groups=NamedUserGroup.objects.filter(
+            name="role:members", realm=OuterRef("id"), is_system_group=True
+        ).values("pk")
+    )
+    Realm.objects.filter(can_manage_all_groups=None, user_group_edit_policy=ADMINS_ONLY).update(
+        can_manage_all_groups=NamedUserGroup.objects.filter(
+            name="role:administrators", realm=OuterRef("id"), is_system_group=True
+        ).values("pk")
+    )
+    Realm.objects.filter(
+        can_manage_all_groups=None, user_group_edit_policy=FULL_MEMBERS_ONLY
+    ).update(
+        can_manage_all_groups=NamedUserGroup.objects.filter(
+            name="role:fullmembers", realm=OuterRef("id"), is_system_group=True
+        ).values("pk")
+    )
+    Realm.objects.filter(can_manage_all_groups=None, user_group_edit_policy=MODERATORS_ONLY).update(
+        can_manage_all_groups=NamedUserGroup.objects.filter(
+            name="role:moderators", realm=OuterRef("id"), is_system_group=True
+        ).values("pk")
+    )
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("zerver", "0591_realm_add_can_manage_all_groups"),
+    ]
+
+    operations = [
+        migrations.RunPython(
+            set_can_manage_all_groups_for_existing_realms,
+            elidable=True,
+            reverse_code=migrations.RunPython.noop,
+        )
+    ]

zerver/migrations/0593_alter_realm_manage_all_groups.py

@@ -0,0 +1,21 @@
+# Generated by Django 5.0.8 on 2024-09-05 08:34
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("zerver", "0592_set_can_manage_all_groups"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="realm",
+            name="can_manage_all_groups",
+            field=models.ForeignKey(
+                on_delete=models.deletion.RESTRICT,
+                related_name="+",
+                to="zerver.usergroup",
+            ),
+        ),
+    ]

zerver/models/realms.py

@@ -344,6 +344,11 @@ class Realm(models.Model):  # type: ignore[django-manager-missing] # django-stub
     # UserGroup which is allowed to create groups.
     can_create_groups = models.ForeignKey("UserGroup", on_delete=models.RESTRICT, related_name="+")
 
+    # UserGroup which is allowed to manage all groups.
+    can_manage_all_groups = models.ForeignKey(
+        "UserGroup", on_delete=models.RESTRICT, related_name="+"
+    )
+
     # Who in the organization is allowed to invite other users to streams.
     invite_to_stream_policy = models.PositiveSmallIntegerField(
         default=CommonPolicyEnum.MEMBERS_ONLY
@@ -780,6 +785,15 @@ class Realm(models.Model):  # type: ignore[django-manager-missing] # django-stub
             default_group_name=SystemGroups.MEMBERS,
             id_field_name="can_create_groups_id",
         ),
+        can_manage_all_groups=GroupPermissionSetting(
+            require_system_group=False,
+            allow_internet_group=False,
+            allow_owners_group=True,
+            allow_nobody_group=False,
+            allow_everyone_group=False,
+            default_group_name=SystemGroups.OWNERS,
+            id_field_name="can_manage_all_groups_id",
+        ),
     )
 
     REALM_PERMISSION_GROUP_SETTINGS_WITH_NEW_API_FORMAT = [
@@ -791,6 +805,7 @@ class Realm(models.Model):  # type: ignore[django-manager-missing] # django-stub
         "direct_message_initiator_group",
         "direct_message_permission_group",
         "can_create_groups",
+        "can_manage_all_groups",
     ]
 
     DIGEST_WEEKDAY_VALUES = [0, 1, 2, 3, 4, 5, 6]
@@ -1168,6 +1183,8 @@ def get_realm_with_settings(realm_id: int) -> Realm:
         "direct_message_permission_group__named_user_group",
         "can_create_groups",
         "can_create_groups__named_user_group",
+        "can_manage_all_groups",
+        "can_manage_all_groups__named_user_group",
         "new_stream_announcements_stream",
         "signup_announcements_stream",
         "zulip_update_announcements_stream",

zerver/openapi/zulip.yaml

@@ -4310,6 +4310,36 @@ paths:
                                             **Changes**: New in Zulip 10.0 (feature level 299). Previously
                                             `user_group_edit_policy` field used to control the permission
                                             to create user groups.
+                                    can_manage_all_groups:
+                                      allOf:
+                                        - $ref: "#/components/schemas/GroupSettingValue"
+                                        - description: |
+                                            A [group-setting value](/api/group-setting-values)
+                                            defining the set of users who have permission to
+                                            administer all existing groups in this organization.
+
+                                            This setting cannot be set to `"role:internet"`, `"role:everyone"`,
+                                            and `"role:nobody"` system groups.
+
+                                            **Changes**: Semantics to change in Zulip 10.0 (feature
+                                            level TBD). The original implementation of this setting
+                                            had different semantics, where only users who were a
+                                            member of the group or had the moderator role or above
+                                            could exercise the permission.
+
+                                            New in Zulip 10.0 (feature level 299). Previously the
+                                            `user_group_edit_policy` field controlled the permission
+                                            to manage user groups. Valid values were as follows:
+
+                                            - 1 = All members can create and edit user groups
+                                            - 2 = Only organization administrators can create and edit
+                                              user groups
+                                            - 3 = Only [full members][calc-full-member] can create and
+                                              edit user groups.
+                                            - 4 = Only organization administrators and moderators can
+                                              create and edit user groups.
+
+                                            [calc-full-member]: /api/roles-and-permissions#determining-if-a-user-is-a-full-member
                                     can_create_public_channel_group:
                                       allOf:
                                         - $ref: "#/components/schemas/GroupSettingValue"
@@ -16078,6 +16108,36 @@ paths:
                               **Changes**: New in Zulip 10.0 (feature level 299). Previously
                               `realm_user_group_edit_policy` field used to control the
                               permission to create user groups.
+                      realm_can_manage_all_groups:
+                        allOf:
+                          - $ref: "#/components/schemas/GroupSettingValue"
+                          - description: |
+                              A [group-setting value](/api/group-setting-values)
+                              defining the set of users who have permission to
+                              administer all existing groups in this organization.
+
+                              This setting cannot be set to `"role:internet"`, `"role:everyone"`,
+                              and `"role:nobody"` system groups.
+
+                              **Changes**: Semantics to change in Zulip 10.0 (feature
+                              level TBD). The original implementation of this setting
+                              had different semantics, where only users who were a
+                              member of the group or had the moderator role or above
+                              could exercise the permission.
+
+                              New in Zulip 10.0 (feature level 299). Previously the
+                              `user_group_edit_policy` field controlled the permission
+                              to manage user groups. Valid values were as follows:
+
+                              - 1 = All members can create and edit user groups
+                              - 2 = Only organization administrators can create and edit
+                                user groups
+                              - 3 = Only [full members][calc-full-member] can create and
+                                edit user groups.
+                              - 4 = Only organization administrators and moderators can
+                                create and edit user groups.
+
+                              [calc-full-member]: /api/roles-and-permissions#determining-if-a-user-is-a-full-member
                       realm_can_create_public_channel_group:
                         allOf:
                           - $ref: "#/components/schemas/GroupSettingValue"

zerver/tests/test_home.py

@@ -131,6 +131,7 @@ class HomeTest(ZulipTestCase):
         "realm_bots",
         "realm_can_access_all_users_group",
         "realm_can_create_groups",
+        "realm_can_manage_all_groups",
         "realm_can_create_private_channel_group",
         "realm_can_create_public_channel_group",
         "realm_can_create_web_public_channel_group",

zerver/views/realm.py

@@ -146,6 +146,7 @@ def update_realm(
     direct_message_initiator_group: Json[GroupSettingChangeRequest] | None = None,
     direct_message_permission_group: Json[GroupSettingChangeRequest] | None = None,
     can_create_groups: Json[GroupSettingChangeRequest] | None = None,
+    can_manage_all_groups: Json[GroupSettingChangeRequest] | None = None,
     invite_to_stream_policy: Json[CommonPolicyEnum] | None = None,
     move_messages_between_streams_policy: Json[MoveMessagesBetweenStreamsPolicyEnum] | None = None,
     user_group_edit_policy: Json[CommonPolicyEnum] | None = None,