From 2b6414acfb5841e68f90e341ac1bf7d528671949 Mon Sep 17 00:00:00 2001 From: Shubham Padia Date: Fri, 13 Sep 2024 18:24:59 +0000 Subject: [PATCH] settings: Add can_manage_all_groups setting to realm. This commit does not add the logic of using this setting to actually check the permission on the backend. That will be done in a later commit. Only owners can modify this setting, but we will add that logic in a later commit in order to keep changes in this commit minimal. Adding the setting breaks the frontend, since the frontend tries to find a dropdown widget for the setting automatically. To avoid this, we've added a small temporary if statement to `settings_org.js`. Although, most lists where we insert this setting follow an unofficial alphabetical order, `can_manage_all_groups` has been bunched together with `can_create_groups` since keeping those similar settings together would be nicer when checking any code related to creating/managing a user group. --- api_docs/changelog.md | 4 ++ web/src/settings_org.js | 6 ++ zerver/lib/event_schema.py | 1 + .../0591_realm_add_can_manage_all_groups.py | 23 +++++++ .../0592_set_can_manage_all_groups.py | 55 +++++++++++++++++ .../0593_alter_realm_manage_all_groups.py | 21 +++++++ zerver/models/realms.py | 17 ++++++ zerver/openapi/zulip.yaml | 60 +++++++++++++++++++ zerver/tests/test_home.py | 1 + zerver/views/realm.py | 1 + 10 files changed, 189 insertions(+) create mode 100644 zerver/migrations/0591_realm_add_can_manage_all_groups.py create mode 100644 zerver/migrations/0592_set_can_manage_all_groups.py create mode 100644 zerver/migrations/0593_alter_realm_manage_all_groups.py diff --git a/api_docs/changelog.md b/api_docs/changelog.md index 0d2e98a67b..88a596cfbc 100644 --- a/api_docs/changelog.md +++ b/api_docs/changelog.md @@ -26,6 +26,10 @@ format used by the Zulip server that they are interacting with. [`GET /events`](/api/get-events): Added `can_create_groups` realm setting, which is a [group-setting value](/api/group-setting-values) describing the set of users with permission to create user groups. +* `PATCH /realm`, [`POST /register`](/api/register-queue), + [`GET /events`](/api/get-events): Added `can_manage_all_groups` + realm setting, which is a [group-setting value](/api/group-setting-values) + describing the set of users with permission to manage all user groups. **Feature level 298** diff --git a/web/src/settings_org.js b/web/src/settings_org.js index 78a88cad18..846ac1c2df 100644 --- a/web/src/settings_org.js +++ b/web/src/settings_org.js @@ -845,6 +845,12 @@ export function set_up_dropdown_widget_for_realm_group_settings() { dropdown_list_item_click_callback = check_disable_message_delete_limit_setting_dropdown; } + if (setting_name === "can_manage_all_groups") { + // Temporarily skip this setting until further commits + // where this setting will be ready to use. + continue; + } + set_up_dropdown_widget( "realm_" + setting_name, get_setting_options, diff --git a/zerver/lib/event_schema.py b/zerver/lib/event_schema.py index 3b95855880..a59b3aa293 100644 --- a/zerver/lib/event_schema.py +++ b/zerver/lib/event_schema.py @@ -1075,6 +1075,7 @@ group_setting_update_data_type = DictType( ("create_multiuse_invite_group", int), ("can_access_all_users_group", int), ("can_create_groups", group_setting_type), + ("can_manage_all_groups", group_setting_type), ("can_create_public_channel_group", group_setting_type), ("can_create_private_channel_group", group_setting_type), ("can_create_web_public_channel_group", group_setting_type), diff --git a/zerver/migrations/0591_realm_add_can_manage_all_groups.py b/zerver/migrations/0591_realm_add_can_manage_all_groups.py new file mode 100644 index 0000000000..0c43c5cfaa --- /dev/null +++ b/zerver/migrations/0591_realm_add_can_manage_all_groups.py @@ -0,0 +1,23 @@ +# Generated by Django 5.0.8 on 2024-09-13 14:34 + +import django.db.models.deletion +from django.db import migrations, models + + +class Migration(migrations.Migration): + dependencies = [ + ("zerver", "0590_alter_realm_can_create_groups"), + ] + + operations = [ + migrations.AddField( + model_name="realm", + name="can_manage_all_groups", + field=models.ForeignKey( + null=True, + on_delete=django.db.models.deletion.RESTRICT, + related_name="+", + to="zerver.usergroup", + ), + ) + ] diff --git a/zerver/migrations/0592_set_can_manage_all_groups.py b/zerver/migrations/0592_set_can_manage_all_groups.py new file mode 100644 index 0000000000..a9803843df --- /dev/null +++ b/zerver/migrations/0592_set_can_manage_all_groups.py @@ -0,0 +1,55 @@ +# Generated by Django 5.0.8 on 2024-09-05 06:11 + +from django.db import migrations +from django.db.backends.base.schema import BaseDatabaseSchemaEditor +from django.db.migrations.state import StateApps +from django.db.models import OuterRef + + +def set_can_manage_all_groups_for_existing_realms( + apps: StateApps, schema_editor: BaseDatabaseSchemaEditor +) -> None: + Realm = apps.get_model("zerver", "Realm") + NamedUserGroup = apps.get_model("zerver", "NamedUserGroup") + + MEMBERS_ONLY = 1 + ADMINS_ONLY = 2 + FULL_MEMBERS_ONLY = 3 + MODERATORS_ONLY = 4 + + Realm.objects.filter(can_manage_all_groups=None, user_group_edit_policy=MEMBERS_ONLY).update( + can_manage_all_groups=NamedUserGroup.objects.filter( + name="role:members", realm=OuterRef("id"), is_system_group=True + ).values("pk") + ) + Realm.objects.filter(can_manage_all_groups=None, user_group_edit_policy=ADMINS_ONLY).update( + can_manage_all_groups=NamedUserGroup.objects.filter( + name="role:administrators", realm=OuterRef("id"), is_system_group=True + ).values("pk") + ) + Realm.objects.filter( + can_manage_all_groups=None, user_group_edit_policy=FULL_MEMBERS_ONLY + ).update( + can_manage_all_groups=NamedUserGroup.objects.filter( + name="role:fullmembers", realm=OuterRef("id"), is_system_group=True + ).values("pk") + ) + Realm.objects.filter(can_manage_all_groups=None, user_group_edit_policy=MODERATORS_ONLY).update( + can_manage_all_groups=NamedUserGroup.objects.filter( + name="role:moderators", realm=OuterRef("id"), is_system_group=True + ).values("pk") + ) + + +class Migration(migrations.Migration): + dependencies = [ + ("zerver", "0591_realm_add_can_manage_all_groups"), + ] + + operations = [ + migrations.RunPython( + set_can_manage_all_groups_for_existing_realms, + elidable=True, + reverse_code=migrations.RunPython.noop, + ) + ] diff --git a/zerver/migrations/0593_alter_realm_manage_all_groups.py b/zerver/migrations/0593_alter_realm_manage_all_groups.py new file mode 100644 index 0000000000..610df2ee0f --- /dev/null +++ b/zerver/migrations/0593_alter_realm_manage_all_groups.py @@ -0,0 +1,21 @@ +# Generated by Django 5.0.8 on 2024-09-05 08:34 + +from django.db import migrations, models + + +class Migration(migrations.Migration): + dependencies = [ + ("zerver", "0592_set_can_manage_all_groups"), + ] + + operations = [ + migrations.AlterField( + model_name="realm", + name="can_manage_all_groups", + field=models.ForeignKey( + on_delete=models.deletion.RESTRICT, + related_name="+", + to="zerver.usergroup", + ), + ), + ] diff --git a/zerver/models/realms.py b/zerver/models/realms.py index ae8183d2ee..e59d09fa4c 100644 --- a/zerver/models/realms.py +++ b/zerver/models/realms.py @@ -344,6 +344,11 @@ class Realm(models.Model): # type: ignore[django-manager-missing] # django-stub # UserGroup which is allowed to create groups. can_create_groups = models.ForeignKey("UserGroup", on_delete=models.RESTRICT, related_name="+") + # UserGroup which is allowed to manage all groups. + can_manage_all_groups = models.ForeignKey( + "UserGroup", on_delete=models.RESTRICT, related_name="+" + ) + # Who in the organization is allowed to invite other users to streams. invite_to_stream_policy = models.PositiveSmallIntegerField( default=CommonPolicyEnum.MEMBERS_ONLY @@ -780,6 +785,15 @@ class Realm(models.Model): # type: ignore[django-manager-missing] # django-stub default_group_name=SystemGroups.MEMBERS, id_field_name="can_create_groups_id", ), + can_manage_all_groups=GroupPermissionSetting( + require_system_group=False, + allow_internet_group=False, + allow_owners_group=True, + allow_nobody_group=False, + allow_everyone_group=False, + default_group_name=SystemGroups.OWNERS, + id_field_name="can_manage_all_groups_id", + ), ) REALM_PERMISSION_GROUP_SETTINGS_WITH_NEW_API_FORMAT = [ @@ -791,6 +805,7 @@ class Realm(models.Model): # type: ignore[django-manager-missing] # django-stub "direct_message_initiator_group", "direct_message_permission_group", "can_create_groups", + "can_manage_all_groups", ] DIGEST_WEEKDAY_VALUES = [0, 1, 2, 3, 4, 5, 6] @@ -1168,6 +1183,8 @@ def get_realm_with_settings(realm_id: int) -> Realm: "direct_message_permission_group__named_user_group", "can_create_groups", "can_create_groups__named_user_group", + "can_manage_all_groups", + "can_manage_all_groups__named_user_group", "new_stream_announcements_stream", "signup_announcements_stream", "zulip_update_announcements_stream", diff --git a/zerver/openapi/zulip.yaml b/zerver/openapi/zulip.yaml index bf0d953260..4de6e46498 100644 --- a/zerver/openapi/zulip.yaml +++ b/zerver/openapi/zulip.yaml @@ -4310,6 +4310,36 @@ paths: **Changes**: New in Zulip 10.0 (feature level 299). Previously `user_group_edit_policy` field used to control the permission to create user groups. + can_manage_all_groups: + allOf: + - $ref: "#/components/schemas/GroupSettingValue" + - description: | + A [group-setting value](/api/group-setting-values) + defining the set of users who have permission to + administer all existing groups in this organization. + + This setting cannot be set to `"role:internet"`, `"role:everyone"`, + and `"role:nobody"` system groups. + + **Changes**: Semantics to change in Zulip 10.0 (feature + level TBD). The original implementation of this setting + had different semantics, where only users who were a + member of the group or had the moderator role or above + could exercise the permission. + + New in Zulip 10.0 (feature level 299). Previously the + `user_group_edit_policy` field controlled the permission + to manage user groups. Valid values were as follows: + + - 1 = All members can create and edit user groups + - 2 = Only organization administrators can create and edit + user groups + - 3 = Only [full members][calc-full-member] can create and + edit user groups. + - 4 = Only organization administrators and moderators can + create and edit user groups. + + [calc-full-member]: /api/roles-and-permissions#determining-if-a-user-is-a-full-member can_create_public_channel_group: allOf: - $ref: "#/components/schemas/GroupSettingValue" @@ -16078,6 +16108,36 @@ paths: **Changes**: New in Zulip 10.0 (feature level 299). Previously `realm_user_group_edit_policy` field used to control the permission to create user groups. + realm_can_manage_all_groups: + allOf: + - $ref: "#/components/schemas/GroupSettingValue" + - description: | + A [group-setting value](/api/group-setting-values) + defining the set of users who have permission to + administer all existing groups in this organization. + + This setting cannot be set to `"role:internet"`, `"role:everyone"`, + and `"role:nobody"` system groups. + + **Changes**: Semantics to change in Zulip 10.0 (feature + level TBD). The original implementation of this setting + had different semantics, where only users who were a + member of the group or had the moderator role or above + could exercise the permission. + + New in Zulip 10.0 (feature level 299). Previously the + `user_group_edit_policy` field controlled the permission + to manage user groups. Valid values were as follows: + + - 1 = All members can create and edit user groups + - 2 = Only organization administrators can create and edit + user groups + - 3 = Only [full members][calc-full-member] can create and + edit user groups. + - 4 = Only organization administrators and moderators can + create and edit user groups. + + [calc-full-member]: /api/roles-and-permissions#determining-if-a-user-is-a-full-member realm_can_create_public_channel_group: allOf: - $ref: "#/components/schemas/GroupSettingValue" diff --git a/zerver/tests/test_home.py b/zerver/tests/test_home.py index e4fe51ec5c..90d0376fc2 100644 --- a/zerver/tests/test_home.py +++ b/zerver/tests/test_home.py @@ -131,6 +131,7 @@ class HomeTest(ZulipTestCase): "realm_bots", "realm_can_access_all_users_group", "realm_can_create_groups", + "realm_can_manage_all_groups", "realm_can_create_private_channel_group", "realm_can_create_public_channel_group", "realm_can_create_web_public_channel_group", diff --git a/zerver/views/realm.py b/zerver/views/realm.py index 35b1dc5fc2..ba18d6e498 100644 --- a/zerver/views/realm.py +++ b/zerver/views/realm.py @@ -146,6 +146,7 @@ def update_realm( direct_message_initiator_group: Json[GroupSettingChangeRequest] | None = None, direct_message_permission_group: Json[GroupSettingChangeRequest] | None = None, can_create_groups: Json[GroupSettingChangeRequest] | None = None, + can_manage_all_groups: Json[GroupSettingChangeRequest] | None = None, invite_to_stream_policy: Json[CommonPolicyEnum] | None = None, move_messages_between_streams_policy: Json[MoveMessagesBetweenStreamsPolicyEnum] | None = None, user_group_edit_policy: Json[CommonPolicyEnum] | None = None,