Make tests explicit about cross-realm loophole.

We can currently send a PM to a user in another realm, as long as we copy a cross-realm bot from the same realm. This loophole doesn't yet affect us in practice--all cross-realm bots are generally configured for the "admin" realm like the old zulip.com-- but we should lock it down in a subsequent commit.
2016-11-02 09:28:33 -07:00 · 2016-11-02 09:28:33 -07:00 · 497b8e8bc4
parent 7d50598454
commit 497b8e8bc4
1 changed files with 9 additions and 1 deletions
--- a/zerver/tests/test_messages.py
+++ b/zerver/tests/test_messages.py
@ -112,7 +112,7 @@ class TestCrossRealmPMs(ZulipTestCase):
        user1 = self.create_user(user1_email)
        user1a = self.create_user(user1a_email)
        user2 = self.create_user(user2_email)
-        self.create_user(user3_email)
+        user3 = self.create_user(user3_email)
        feedback_bot = self.create_user(feedback_email)
        support_bot = self.create_user(support_email)

@ -138,6 +138,14 @@ class TestCrossRealmPMs(ZulipTestCase):
        self.send_message(user1_email, [support_email], Recipient.PERSONAL)
        assert_message_received(support_bot, user1)

+        # We have a loophole where I can send PMs to other users as long
+        # as I copy a cross-realm bot from the same realm.  In practice this
+        # not a bug, since our only cross-realm bots are on the zulip.com
+        # realm.
+        self.send_message(user1_email, [user3_email, support_email], Recipient.PERSONAL)
+        assert_message_received(user3, user1)
+        assert_message_received(support_bot, user1)
+
        # Users can't email two cross-realm bots at once. (This is just
        # an anomaly of the current implementation.)
        with assert_disallowed():