mirror of https://github.com/zulip/zulip.git
settings: Add can_manage_all_groups setting to realm.
This commit does not add the logic of using this setting to actually check the permission on the backend. That will be done in a later commit. Only owners can modify this setting, but we will add that logic in a later commit in order to keep changes in this commit minimal. Adding the setting breaks the frontend, since the frontend tries to find a dropdown widget for the setting automatically. To avoid this, we've added a small temporary if statement to `settings_org.js`. Although, most lists where we insert this setting follow an unofficial alphabetical order, `can_manage_all_groups` has been bunched together with `can_create_groups` since keeping those similar settings together would be nicer when checking any code related to creating/managing a user group.
This commit is contained in:
parent
a9e14a184c
commit
2b6414acfb
|
@ -26,6 +26,10 @@ format used by the Zulip server that they are interacting with.
|
||||||
[`GET /events`](/api/get-events): Added `can_create_groups`
|
[`GET /events`](/api/get-events): Added `can_create_groups`
|
||||||
realm setting, which is a [group-setting value](/api/group-setting-values)
|
realm setting, which is a [group-setting value](/api/group-setting-values)
|
||||||
describing the set of users with permission to create user groups.
|
describing the set of users with permission to create user groups.
|
||||||
|
* `PATCH /realm`, [`POST /register`](/api/register-queue),
|
||||||
|
[`GET /events`](/api/get-events): Added `can_manage_all_groups`
|
||||||
|
realm setting, which is a [group-setting value](/api/group-setting-values)
|
||||||
|
describing the set of users with permission to manage all user groups.
|
||||||
|
|
||||||
**Feature level 298**
|
**Feature level 298**
|
||||||
|
|
||||||
|
|
|
@ -845,6 +845,12 @@ export function set_up_dropdown_widget_for_realm_group_settings() {
|
||||||
dropdown_list_item_click_callback = check_disable_message_delete_limit_setting_dropdown;
|
dropdown_list_item_click_callback = check_disable_message_delete_limit_setting_dropdown;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (setting_name === "can_manage_all_groups") {
|
||||||
|
// Temporarily skip this setting until further commits
|
||||||
|
// where this setting will be ready to use.
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
set_up_dropdown_widget(
|
set_up_dropdown_widget(
|
||||||
"realm_" + setting_name,
|
"realm_" + setting_name,
|
||||||
get_setting_options,
|
get_setting_options,
|
||||||
|
|
|
@ -1075,6 +1075,7 @@ group_setting_update_data_type = DictType(
|
||||||
("create_multiuse_invite_group", int),
|
("create_multiuse_invite_group", int),
|
||||||
("can_access_all_users_group", int),
|
("can_access_all_users_group", int),
|
||||||
("can_create_groups", group_setting_type),
|
("can_create_groups", group_setting_type),
|
||||||
|
("can_manage_all_groups", group_setting_type),
|
||||||
("can_create_public_channel_group", group_setting_type),
|
("can_create_public_channel_group", group_setting_type),
|
||||||
("can_create_private_channel_group", group_setting_type),
|
("can_create_private_channel_group", group_setting_type),
|
||||||
("can_create_web_public_channel_group", group_setting_type),
|
("can_create_web_public_channel_group", group_setting_type),
|
||||||
|
|
|
@ -0,0 +1,23 @@
|
||||||
|
# Generated by Django 5.0.8 on 2024-09-13 14:34
|
||||||
|
|
||||||
|
import django.db.models.deletion
|
||||||
|
from django.db import migrations, models
|
||||||
|
|
||||||
|
|
||||||
|
class Migration(migrations.Migration):
|
||||||
|
dependencies = [
|
||||||
|
("zerver", "0590_alter_realm_can_create_groups"),
|
||||||
|
]
|
||||||
|
|
||||||
|
operations = [
|
||||||
|
migrations.AddField(
|
||||||
|
model_name="realm",
|
||||||
|
name="can_manage_all_groups",
|
||||||
|
field=models.ForeignKey(
|
||||||
|
null=True,
|
||||||
|
on_delete=django.db.models.deletion.RESTRICT,
|
||||||
|
related_name="+",
|
||||||
|
to="zerver.usergroup",
|
||||||
|
),
|
||||||
|
)
|
||||||
|
]
|
|
@ -0,0 +1,55 @@
|
||||||
|
# Generated by Django 5.0.8 on 2024-09-05 06:11
|
||||||
|
|
||||||
|
from django.db import migrations
|
||||||
|
from django.db.backends.base.schema import BaseDatabaseSchemaEditor
|
||||||
|
from django.db.migrations.state import StateApps
|
||||||
|
from django.db.models import OuterRef
|
||||||
|
|
||||||
|
|
||||||
|
def set_can_manage_all_groups_for_existing_realms(
|
||||||
|
apps: StateApps, schema_editor: BaseDatabaseSchemaEditor
|
||||||
|
) -> None:
|
||||||
|
Realm = apps.get_model("zerver", "Realm")
|
||||||
|
NamedUserGroup = apps.get_model("zerver", "NamedUserGroup")
|
||||||
|
|
||||||
|
MEMBERS_ONLY = 1
|
||||||
|
ADMINS_ONLY = 2
|
||||||
|
FULL_MEMBERS_ONLY = 3
|
||||||
|
MODERATORS_ONLY = 4
|
||||||
|
|
||||||
|
Realm.objects.filter(can_manage_all_groups=None, user_group_edit_policy=MEMBERS_ONLY).update(
|
||||||
|
can_manage_all_groups=NamedUserGroup.objects.filter(
|
||||||
|
name="role:members", realm=OuterRef("id"), is_system_group=True
|
||||||
|
).values("pk")
|
||||||
|
)
|
||||||
|
Realm.objects.filter(can_manage_all_groups=None, user_group_edit_policy=ADMINS_ONLY).update(
|
||||||
|
can_manage_all_groups=NamedUserGroup.objects.filter(
|
||||||
|
name="role:administrators", realm=OuterRef("id"), is_system_group=True
|
||||||
|
).values("pk")
|
||||||
|
)
|
||||||
|
Realm.objects.filter(
|
||||||
|
can_manage_all_groups=None, user_group_edit_policy=FULL_MEMBERS_ONLY
|
||||||
|
).update(
|
||||||
|
can_manage_all_groups=NamedUserGroup.objects.filter(
|
||||||
|
name="role:fullmembers", realm=OuterRef("id"), is_system_group=True
|
||||||
|
).values("pk")
|
||||||
|
)
|
||||||
|
Realm.objects.filter(can_manage_all_groups=None, user_group_edit_policy=MODERATORS_ONLY).update(
|
||||||
|
can_manage_all_groups=NamedUserGroup.objects.filter(
|
||||||
|
name="role:moderators", realm=OuterRef("id"), is_system_group=True
|
||||||
|
).values("pk")
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
class Migration(migrations.Migration):
|
||||||
|
dependencies = [
|
||||||
|
("zerver", "0591_realm_add_can_manage_all_groups"),
|
||||||
|
]
|
||||||
|
|
||||||
|
operations = [
|
||||||
|
migrations.RunPython(
|
||||||
|
set_can_manage_all_groups_for_existing_realms,
|
||||||
|
elidable=True,
|
||||||
|
reverse_code=migrations.RunPython.noop,
|
||||||
|
)
|
||||||
|
]
|
|
@ -0,0 +1,21 @@
|
||||||
|
# Generated by Django 5.0.8 on 2024-09-05 08:34
|
||||||
|
|
||||||
|
from django.db import migrations, models
|
||||||
|
|
||||||
|
|
||||||
|
class Migration(migrations.Migration):
|
||||||
|
dependencies = [
|
||||||
|
("zerver", "0592_set_can_manage_all_groups"),
|
||||||
|
]
|
||||||
|
|
||||||
|
operations = [
|
||||||
|
migrations.AlterField(
|
||||||
|
model_name="realm",
|
||||||
|
name="can_manage_all_groups",
|
||||||
|
field=models.ForeignKey(
|
||||||
|
on_delete=models.deletion.RESTRICT,
|
||||||
|
related_name="+",
|
||||||
|
to="zerver.usergroup",
|
||||||
|
),
|
||||||
|
),
|
||||||
|
]
|
|
@ -344,6 +344,11 @@ class Realm(models.Model): # type: ignore[django-manager-missing] # django-stub
|
||||||
# UserGroup which is allowed to create groups.
|
# UserGroup which is allowed to create groups.
|
||||||
can_create_groups = models.ForeignKey("UserGroup", on_delete=models.RESTRICT, related_name="+")
|
can_create_groups = models.ForeignKey("UserGroup", on_delete=models.RESTRICT, related_name="+")
|
||||||
|
|
||||||
|
# UserGroup which is allowed to manage all groups.
|
||||||
|
can_manage_all_groups = models.ForeignKey(
|
||||||
|
"UserGroup", on_delete=models.RESTRICT, related_name="+"
|
||||||
|
)
|
||||||
|
|
||||||
# Who in the organization is allowed to invite other users to streams.
|
# Who in the organization is allowed to invite other users to streams.
|
||||||
invite_to_stream_policy = models.PositiveSmallIntegerField(
|
invite_to_stream_policy = models.PositiveSmallIntegerField(
|
||||||
default=CommonPolicyEnum.MEMBERS_ONLY
|
default=CommonPolicyEnum.MEMBERS_ONLY
|
||||||
|
@ -780,6 +785,15 @@ class Realm(models.Model): # type: ignore[django-manager-missing] # django-stub
|
||||||
default_group_name=SystemGroups.MEMBERS,
|
default_group_name=SystemGroups.MEMBERS,
|
||||||
id_field_name="can_create_groups_id",
|
id_field_name="can_create_groups_id",
|
||||||
),
|
),
|
||||||
|
can_manage_all_groups=GroupPermissionSetting(
|
||||||
|
require_system_group=False,
|
||||||
|
allow_internet_group=False,
|
||||||
|
allow_owners_group=True,
|
||||||
|
allow_nobody_group=False,
|
||||||
|
allow_everyone_group=False,
|
||||||
|
default_group_name=SystemGroups.OWNERS,
|
||||||
|
id_field_name="can_manage_all_groups_id",
|
||||||
|
),
|
||||||
)
|
)
|
||||||
|
|
||||||
REALM_PERMISSION_GROUP_SETTINGS_WITH_NEW_API_FORMAT = [
|
REALM_PERMISSION_GROUP_SETTINGS_WITH_NEW_API_FORMAT = [
|
||||||
|
@ -791,6 +805,7 @@ class Realm(models.Model): # type: ignore[django-manager-missing] # django-stub
|
||||||
"direct_message_initiator_group",
|
"direct_message_initiator_group",
|
||||||
"direct_message_permission_group",
|
"direct_message_permission_group",
|
||||||
"can_create_groups",
|
"can_create_groups",
|
||||||
|
"can_manage_all_groups",
|
||||||
]
|
]
|
||||||
|
|
||||||
DIGEST_WEEKDAY_VALUES = [0, 1, 2, 3, 4, 5, 6]
|
DIGEST_WEEKDAY_VALUES = [0, 1, 2, 3, 4, 5, 6]
|
||||||
|
@ -1168,6 +1183,8 @@ def get_realm_with_settings(realm_id: int) -> Realm:
|
||||||
"direct_message_permission_group__named_user_group",
|
"direct_message_permission_group__named_user_group",
|
||||||
"can_create_groups",
|
"can_create_groups",
|
||||||
"can_create_groups__named_user_group",
|
"can_create_groups__named_user_group",
|
||||||
|
"can_manage_all_groups",
|
||||||
|
"can_manage_all_groups__named_user_group",
|
||||||
"new_stream_announcements_stream",
|
"new_stream_announcements_stream",
|
||||||
"signup_announcements_stream",
|
"signup_announcements_stream",
|
||||||
"zulip_update_announcements_stream",
|
"zulip_update_announcements_stream",
|
||||||
|
|
|
@ -4310,6 +4310,36 @@ paths:
|
||||||
**Changes**: New in Zulip 10.0 (feature level 299). Previously
|
**Changes**: New in Zulip 10.0 (feature level 299). Previously
|
||||||
`user_group_edit_policy` field used to control the permission
|
`user_group_edit_policy` field used to control the permission
|
||||||
to create user groups.
|
to create user groups.
|
||||||
|
can_manage_all_groups:
|
||||||
|
allOf:
|
||||||
|
- $ref: "#/components/schemas/GroupSettingValue"
|
||||||
|
- description: |
|
||||||
|
A [group-setting value](/api/group-setting-values)
|
||||||
|
defining the set of users who have permission to
|
||||||
|
administer all existing groups in this organization.
|
||||||
|
|
||||||
|
This setting cannot be set to `"role:internet"`, `"role:everyone"`,
|
||||||
|
and `"role:nobody"` system groups.
|
||||||
|
|
||||||
|
**Changes**: Semantics to change in Zulip 10.0 (feature
|
||||||
|
level TBD). The original implementation of this setting
|
||||||
|
had different semantics, where only users who were a
|
||||||
|
member of the group or had the moderator role or above
|
||||||
|
could exercise the permission.
|
||||||
|
|
||||||
|
New in Zulip 10.0 (feature level 299). Previously the
|
||||||
|
`user_group_edit_policy` field controlled the permission
|
||||||
|
to manage user groups. Valid values were as follows:
|
||||||
|
|
||||||
|
- 1 = All members can create and edit user groups
|
||||||
|
- 2 = Only organization administrators can create and edit
|
||||||
|
user groups
|
||||||
|
- 3 = Only [full members][calc-full-member] can create and
|
||||||
|
edit user groups.
|
||||||
|
- 4 = Only organization administrators and moderators can
|
||||||
|
create and edit user groups.
|
||||||
|
|
||||||
|
[calc-full-member]: /api/roles-and-permissions#determining-if-a-user-is-a-full-member
|
||||||
can_create_public_channel_group:
|
can_create_public_channel_group:
|
||||||
allOf:
|
allOf:
|
||||||
- $ref: "#/components/schemas/GroupSettingValue"
|
- $ref: "#/components/schemas/GroupSettingValue"
|
||||||
|
@ -16078,6 +16108,36 @@ paths:
|
||||||
**Changes**: New in Zulip 10.0 (feature level 299). Previously
|
**Changes**: New in Zulip 10.0 (feature level 299). Previously
|
||||||
`realm_user_group_edit_policy` field used to control the
|
`realm_user_group_edit_policy` field used to control the
|
||||||
permission to create user groups.
|
permission to create user groups.
|
||||||
|
realm_can_manage_all_groups:
|
||||||
|
allOf:
|
||||||
|
- $ref: "#/components/schemas/GroupSettingValue"
|
||||||
|
- description: |
|
||||||
|
A [group-setting value](/api/group-setting-values)
|
||||||
|
defining the set of users who have permission to
|
||||||
|
administer all existing groups in this organization.
|
||||||
|
|
||||||
|
This setting cannot be set to `"role:internet"`, `"role:everyone"`,
|
||||||
|
and `"role:nobody"` system groups.
|
||||||
|
|
||||||
|
**Changes**: Semantics to change in Zulip 10.0 (feature
|
||||||
|
level TBD). The original implementation of this setting
|
||||||
|
had different semantics, where only users who were a
|
||||||
|
member of the group or had the moderator role or above
|
||||||
|
could exercise the permission.
|
||||||
|
|
||||||
|
New in Zulip 10.0 (feature level 299). Previously the
|
||||||
|
`user_group_edit_policy` field controlled the permission
|
||||||
|
to manage user groups. Valid values were as follows:
|
||||||
|
|
||||||
|
- 1 = All members can create and edit user groups
|
||||||
|
- 2 = Only organization administrators can create and edit
|
||||||
|
user groups
|
||||||
|
- 3 = Only [full members][calc-full-member] can create and
|
||||||
|
edit user groups.
|
||||||
|
- 4 = Only organization administrators and moderators can
|
||||||
|
create and edit user groups.
|
||||||
|
|
||||||
|
[calc-full-member]: /api/roles-and-permissions#determining-if-a-user-is-a-full-member
|
||||||
realm_can_create_public_channel_group:
|
realm_can_create_public_channel_group:
|
||||||
allOf:
|
allOf:
|
||||||
- $ref: "#/components/schemas/GroupSettingValue"
|
- $ref: "#/components/schemas/GroupSettingValue"
|
||||||
|
|
|
@ -131,6 +131,7 @@ class HomeTest(ZulipTestCase):
|
||||||
"realm_bots",
|
"realm_bots",
|
||||||
"realm_can_access_all_users_group",
|
"realm_can_access_all_users_group",
|
||||||
"realm_can_create_groups",
|
"realm_can_create_groups",
|
||||||
|
"realm_can_manage_all_groups",
|
||||||
"realm_can_create_private_channel_group",
|
"realm_can_create_private_channel_group",
|
||||||
"realm_can_create_public_channel_group",
|
"realm_can_create_public_channel_group",
|
||||||
"realm_can_create_web_public_channel_group",
|
"realm_can_create_web_public_channel_group",
|
||||||
|
|
|
@ -146,6 +146,7 @@ def update_realm(
|
||||||
direct_message_initiator_group: Json[GroupSettingChangeRequest] | None = None,
|
direct_message_initiator_group: Json[GroupSettingChangeRequest] | None = None,
|
||||||
direct_message_permission_group: Json[GroupSettingChangeRequest] | None = None,
|
direct_message_permission_group: Json[GroupSettingChangeRequest] | None = None,
|
||||||
can_create_groups: Json[GroupSettingChangeRequest] | None = None,
|
can_create_groups: Json[GroupSettingChangeRequest] | None = None,
|
||||||
|
can_manage_all_groups: Json[GroupSettingChangeRequest] | None = None,
|
||||||
invite_to_stream_policy: Json[CommonPolicyEnum] | None = None,
|
invite_to_stream_policy: Json[CommonPolicyEnum] | None = None,
|
||||||
move_messages_between_streams_policy: Json[MoveMessagesBetweenStreamsPolicyEnum] | None = None,
|
move_messages_between_streams_policy: Json[MoveMessagesBetweenStreamsPolicyEnum] | None = None,
|
||||||
user_group_edit_policy: Json[CommonPolicyEnum] | None = None,
|
user_group_edit_policy: Json[CommonPolicyEnum] | None = None,
|
||||||
|
|
Loading…
Reference in New Issue