/json/bots: Return "No user" if access other realms bot.

Instead of returning warning "Insufficient Permission", return
"No such bot" warning if user tries to access other realms bot."
This commit is contained in:
Yashashvi Dave 2018-05-18 01:29:04 +05:30 committed by Tim Abbott
parent 4162e61f33
commit 38db31779b
2 changed files with 4 additions and 4 deletions

View File

@ -487,7 +487,7 @@ class BotTest(ZulipTestCase, UploadSerializeMixin):
bot = get_user(bot_email, realm)
self.login(self.example_email("iago"))
result = self.client_delete("/json/bots/{}".format(bot.id))
self.assert_json_error(result, 'Insufficient permission')
self.assert_json_error(result, 'No such bot')
def test_bot_deactivation_attacks(self) -> None:
"""You cannot deactivate somebody else's bot."""

View File

@ -63,7 +63,7 @@ def check_last_admin(user_profile: UserProfile) -> bool:
def deactivate_bot_backend(request: HttpRequest, user_profile: UserProfile,
bot_id: int) -> HttpResponse:
try:
target = get_user_profile_by_id(bot_id)
target = get_user_profile_by_id_in_realm(bot_id, user_profile.realm)
except UserProfile.DoesNotExist:
return json_error(_('No such bot'))
if not target.is_bot:
@ -170,7 +170,7 @@ def patch_bot_backend(
default_all_public_streams: Optional[bool]=REQ(default=None, validator=check_bool)
) -> HttpResponse:
try:
bot = get_user_profile_by_id(bot_id)
bot = get_user_profile_by_id_in_realm(bot_id, user_profile.realm)
except UserProfile.DoesNotExist:
return json_error(_('No such user'))
@ -248,7 +248,7 @@ def patch_bot_backend(
@has_request_variables
def regenerate_bot_api_key(request: HttpRequest, user_profile: UserProfile, bot_id: int) -> HttpResponse:
try:
bot = get_user_profile_by_id(bot_id)
bot = get_user_profile_by_id_in_realm(bot_id, user_profile.realm)
except UserProfile.DoesNotExist:
return json_error(_('No such user'))