settings: Add `can_invite_users_group` realm setting.

Added `can_invite_users_group` realm setting to replace
`invite_to_realm_policy`.
This commit is contained in:
Vector73 2024-11-20 17:43:52 +05:30 committed by Tim Abbott
parent 4e6d098cda
commit 4e89b4a88c
28 changed files with 318 additions and 214 deletions

View File

@ -20,6 +20,15 @@ format used by the Zulip server that they are interacting with.
## Changes in Zulip 10.0
**Feature level 321**
* `PATCH /realm`, [`GET /events`](/api/get-events),
[`POST /register`](/api/register-queue):
Added `can_invite_users_group` realm setting which is a
[group-setting value](/api/group-setting-values) describing the set of users
with permission to send email invitations for inviting other users to the
organization.
**Feature level 320**
* [`GET /users/me/subscriptions`](/api/get-subscriptions),

View File

@ -34,9 +34,7 @@ DESKTOP_WARNING_VERSION = "5.9.3"
# new level means in api_docs/changelog.md, as well as "**Changes**"
# entries in the endpoint's documentation in `zulip.yaml`.
API_FEATURE_LEVEL = (
320 # Last bumped for supporting anonymous groups for can_remove_subscribers_group
)
API_FEATURE_LEVEL = 321 # Last bumped for can_invite_users_group
# Bump the minor PROVISION_VERSION to indicate that folks should provision
# only when going from an old version of the code to a newer version. Bump

View File

@ -233,7 +233,6 @@ export function dispatch_normal_event(event) {
disallow_disposable_email_addresses: noop,
inline_image_preview: noop,
inline_url_embed_preview: noop,
invite_to_realm_policy: noop,
invite_required: noop,
mandatory_topics: noop,
message_content_edit_limit_seconds: noop,
@ -273,12 +272,6 @@ export function dispatch_normal_event(event) {
electron_bridge?.send_event("realm_name", event.value);
}
if (event.property === "invite_to_realm_policy") {
settings_invites.update_invite_user_panel();
sidebar_ui.update_invite_user_option();
gear_menu.rerender();
}
if (event.property === "enable_spectator_access") {
stream_settings_ui.update_stream_privacy_choices(
"can_create_web_public_channel_group",
@ -300,7 +293,10 @@ export function dispatch_normal_event(event) {
settings_org.sync_realm_settings(key);
}
if (key === "create_multiuse_invite_group") {
if (
key === "create_multiuse_invite_group" ||
key === "can_invite_users_group"
) {
settings_invites.update_invite_user_panel();
sidebar_ui.update_invite_user_option();
gear_menu.rerender();

View File

@ -238,7 +238,6 @@ export function get_subsection_property_elements($subsection: JQuery): HTMLEleme
export const simple_dropdown_realm_settings_schema = realm_schema.pick({
realm_invite_to_stream_policy: true,
realm_invite_to_realm_policy: true,
realm_wildcard_mention_policy: true,
realm_org_type: true,
});
@ -804,6 +803,7 @@ export function check_realm_settings_property_changed(elem: HTMLElement): boolea
case "realm_can_create_private_channel_group":
case "realm_can_delete_any_message_group":
case "realm_can_delete_own_message_group":
case "realm_can_invite_users_group":
case "realm_can_manage_all_groups":
case "realm_can_move_messages_between_channels_group":
case "realm_can_move_messages_between_topics_group":
@ -1055,6 +1055,7 @@ export function populate_data_for_realm_settings_request(
"can_manage_all_groups",
"can_delete_any_message_group",
"can_delete_own_message_group",
"can_invite_users_group",
"can_move_messages_between_channels_group",
"can_move_messages_between_topics_group",
"create_multiuse_invite_group",
@ -1502,6 +1503,7 @@ export const group_setting_widget_map = new Map<string, GroupSettingPillContaine
["realm_can_create_private_channel_group", null],
["realm_can_delete_any_message_group", null],
["realm_can_delete_own_message_group", null],
["realm_can_invite_users_group", null],
["realm_can_manage_all_groups", null],
["realm_can_move_messages_between_channels_group", null],
["realm_can_move_messages_between_topics_group", null],
@ -1618,6 +1620,7 @@ export const realm_group_setting_name_schema = z.enum([
"can_create_private_channel_group",
"can_delete_any_message_group",
"can_delete_own_message_group",
"can_invite_users_group",
"can_manage_all_groups",
"can_move_messages_between_channels_group",
"can_move_messages_between_topics_group",

View File

@ -266,34 +266,6 @@ export const common_policy_values = {
},
};
export const email_invite_to_realm_policy_values = {
nobody: {
order: 1,
code: 6,
description: $t({defaultMessage: "Nobody"}),
},
by_admins_only: {
order: 2,
code: 2,
description: $t({defaultMessage: "Admins"}),
},
by_moderators_only: {
order: 3,
code: 4,
description: $t({defaultMessage: "Admins and moderators"}),
},
by_full_members: {
order: 4,
code: 3,
description: $t({defaultMessage: "Admins, moderators and full members"}),
},
by_members: {
order: 5,
code: 1,
description: $t({defaultMessage: "Admins, moderators and members"}),
},
};
export const wildcard_mention_policy_values = {
by_everyone: {
order: 1,

View File

@ -59,14 +59,6 @@ export function user_can_change_logo(): boolean {
}
function user_has_permission(policy_value: number): boolean {
/* At present, nobody is not present in common_policy_values,
* but we include a check for it here, so that code using
* email_invite_to_realm_policy_values or other supersets can
* use this function. */
if (policy_value === settings_config.email_invite_to_realm_policy_values.nobody.code) {
return false;
}
if (current_user.is_admin) {
return true;
}
@ -121,7 +113,11 @@ export function user_has_permission_for_group_setting(
}
export function user_can_invite_users_by_email(): boolean {
return user_has_permission(realm.realm_invite_to_realm_policy);
return user_has_permission_for_group_setting(
realm.realm_can_invite_users_group,
"can_invite_users_group",
"realm",
);
}
export function user_can_create_multiuse_invite(): boolean {

View File

@ -15,7 +15,7 @@ import * as loading from "./loading.ts";
import * as people from "./people.ts";
import * as settings_config from "./settings_config.ts";
import * as settings_data from "./settings_data.ts";
import {current_user, realm} from "./state_data.ts";
import {current_user} from "./state_data.ts";
import * as timerender from "./timerender.ts";
import * as ui_report from "./ui_report.ts";
import * as util from "./util.ts";
@ -319,55 +319,18 @@ export function on_load_success(
}
export function update_invite_users_setting_tip(): void {
if (settings_data.user_can_invite_users_by_email() && !current_user.is_admin) {
if (settings_data.user_can_invite_users_by_email()) {
$(".invite-user-settings-tip").hide();
return;
}
const permission_type = settings_config.email_invite_to_realm_policy_values;
const current_permission = realm.realm_invite_to_realm_policy;
let tip_text;
switch (current_permission) {
case permission_type.by_admins_only.code: {
tip_text = $t({
defaultMessage:
"This organization is configured so that admins can invite users to this organization.",
});
break;
}
case permission_type.by_moderators_only.code: {
tip_text = $t({
defaultMessage:
"This organization is configured so that admins and moderators can invite users to this organization.",
});
break;
}
case permission_type.by_members.code: {
tip_text = $t({
defaultMessage:
"This organization is configured so that admins, moderators and members can invite users to this organization.",
});
break;
}
case permission_type.by_full_members.code: {
tip_text = $t({
defaultMessage:
"This organization is configured so that admins, moderators and full members can invite users to this organization.",
});
break;
}
default: {
tip_text = $t({
defaultMessage:
"This organization is configured so that nobody can invite users to this organization.",
});
}
}
$(".invite-user-settings-tip").show();
$(".invite-user-settings-tip").text(tip_text);
$(".invite-user-settings-tip").text(
$t({
defaultMessage:
"You do not have permission to send invite emails in this organization.",
}),
);
}
export function update_invite_user_panel(): void {

View File

@ -164,7 +164,6 @@ export function enable_or_disable_group_permission_settings(): void {
type OrganizationSettingsOptions = {
common_policy_values: SettingOptionValueWithKey[];
wildcard_mention_policy_values: SettingOptionValueWithKey[];
invite_to_realm_policy_values: SettingOptionValueWithKey[];
};
export function get_organization_settings_options(): OrganizationSettingsOptions {
@ -175,9 +174,6 @@ export function get_organization_settings_options(): OrganizationSettingsOptions
wildcard_mention_policy_values: settings_components.get_sorted_options_list(
settings_config.wildcard_mention_policy_values,
),
invite_to_realm_policy_values: settings_components.get_sorted_options_list(
settings_config.email_invite_to_realm_policy_values,
),
};
}
@ -528,6 +524,7 @@ export function discard_realm_property_element_changes(elem: HTMLElement): void
case "realm_can_create_private_channel_group":
case "realm_can_delete_any_message_group":
case "realm_can_delete_own_message_group":
case "realm_can_invite_users_group":
case "realm_can_manage_all_groups":
case "realm_can_move_messages_between_channels_group":
case "realm_can_move_messages_between_topics_group":

View File

@ -288,6 +288,7 @@ export const realm_schema = z.object({
realm_can_create_web_public_channel_group: z.number(),
realm_can_delete_any_message_group: group_setting_value_schema,
realm_can_delete_own_message_group: group_setting_value_schema,
realm_can_invite_users_group: group_setting_value_schema,
realm_can_manage_all_groups: group_setting_value_schema,
realm_can_move_messages_between_channels_group: group_setting_value_schema,
realm_can_move_messages_between_topics_group: group_setting_value_schema,
@ -350,7 +351,6 @@ export const realm_schema = z.object({
realm_inline_image_preview: z.boolean(),
realm_inline_url_embed_preview: z.boolean(),
realm_invite_required: z.boolean(),
realm_invite_to_realm_policy: z.number(),
realm_invite_to_stream_policy: z.number(),
realm_is_zephyr_mirror_realm: z.boolean(),
realm_jitsi_server_url: z.nullable(z.string()),

View File

@ -10,18 +10,10 @@
{{> settings_save_discard_widget section_name="join-settings" }}
</div>
<div class="m-10 inline-block organization-permissions-parent">
<div class="input-group">
{{> settings_checkbox
setting_name="realm_invite_required"
prefix="id_"
is_checked=realm_invite_required
label=admin_settings_label.realm_invite_required}}
<label for="id_realm_invite_to_realm_policy" class="settings-field-label">{{t "Who can send email invitations to new users" }}
</label>
<select name="realm_invite_to_realm_policy" id="id_realm_invite_to_realm_policy" class="prop-element settings_select bootstrap-focus-style" data-setting-widget-type="number">
{{> dropdown_options_widget option_values=invite_to_realm_policy_values}}
</select>
</div>
{{> group_setting_value_pill_input
setting_name="realm_can_invite_users_group"
label=(t 'Who can send email invitations to new users')}}
{{> group_setting_value_pill_input
setting_name="realm_create_multiuse_invite_group"

View File

@ -539,9 +539,6 @@ run_test("realm settings", ({override}) => {
event = event_fixtures.realm__update__invite_required;
test_realm_boolean(event, "realm_invite_required");
event = event_fixtures.realm__update__invite_to_realm_policy;
test_realm_integer(event, "realm_invite_to_realm_policy");
event = event_fixtures.realm__update__want_advertise_in_communities_directory;
test_realm_boolean(event, "realm_want_advertise_in_communities_directory");
@ -605,6 +602,7 @@ run_test("realm settings", ({override}) => {
override(realm, "realm_authentication_methods", {Google: {enabled: false, available: true}});
override(realm, "realm_can_add_custom_emoji_group", 1);
override(realm, "realm_can_create_public_channel_group", 1);
override(realm, "realm_can_invite_users_group", 1);
override(realm, "realm_can_move_messages_between_topics_group", 1);
override(realm, "realm_direct_message_permission_group", 1);
override(realm, "realm_plan_type", 2);
@ -620,6 +618,7 @@ run_test("realm settings", ({override}) => {
});
assert_same(realm.realm_can_add_custom_emoji_group, 3);
assert_same(realm.realm_can_create_public_channel_group, 3);
assert_same(realm.realm_can_invite_users_group, 3);
assert_same(realm.realm_can_move_messages_between_topics_group, 3);
assert_same(realm.realm_direct_message_permission_group, 3);
assert_same(realm.realm_plan_type, 3);

View File

@ -302,13 +302,6 @@ exports.fixtures = {
value: false,
},
realm__update__invite_to_realm_policy: {
type: "realm",
op: "update",
property: "invite_to_realm_policy",
value: 2,
},
realm__update__invite_to_stream_policy: {
type: "realm",
op: "update",
@ -371,6 +364,7 @@ exports.fixtures = {
},
can_add_custom_emoji_group: 3,
can_create_public_channel_group: 3,
can_invite_users_group: 3,
can_move_messages_between_topics_group: 3,
direct_message_permission_group: 3,
plan_type: 3,

View File

@ -157,11 +157,6 @@ test_policy(
"realm_invite_to_stream_policy",
settings_data.user_can_subscribe_other_users,
);
test_policy(
"user_can_invite_others_to_realm",
"realm_invite_to_realm_policy",
settings_data.user_can_invite_users_by_email,
);
test_realm_group_settings(
"realm_can_add_custom_emoji_group",
@ -178,6 +173,11 @@ test_realm_group_settings(
settings_data.user_can_delete_own_message,
);
test_realm_group_settings(
"realm_can_invite_users_group",
settings_data.user_can_invite_users_by_email,
);
test_realm_group_settings(
"realm_can_move_messages_between_channels_group",
settings_data.user_can_move_messages_between_streams,
@ -210,17 +210,6 @@ run_test("using_dark_theme", ({override}) => {
assert.equal(settings_data.using_dark_theme(), false);
});
run_test("user_can_invite_others_to_realm_nobody_case", ({override}) => {
override(current_user, "is_admin", true);
override(current_user, "is_guest", false);
override(
realm,
"realm_invite_to_realm_policy",
settings_config.email_invite_to_realm_policy_values.nobody.code,
);
assert.equal(settings_data.user_can_invite_users_by_email(), false);
});
run_test("user_email_not_configured", ({override}) => {
const user_email_not_configured = settings_data.user_email_not_configured;

View File

@ -105,7 +105,6 @@ function test_submit_settings_form(override, submit_form) {
realm_waiting_period_threshold: 1,
realm_default_language: '"es"',
realm_invite_to_stream_policy: settings_config.common_policy_values.by_admins_only.code,
realm_invite_to_realm_policy: settings_config.common_policy_values.by_members.code,
});
override(global, "setTimeout", (func) => func());
@ -142,15 +141,9 @@ function test_submit_settings_form(override, submit_form) {
$bot_creation_policy_elem.attr("id", "id_realm_bot_creation_policy");
$bot_creation_policy_elem.data = () => "number";
const $invite_to_realm_policy_elem = $("#id_realm_invite_to_realm_policy");
$invite_to_realm_policy_elem.val("2");
$invite_to_realm_policy_elem.attr("id", "id_realm_invite_to_realm_policy");
$invite_to_realm_policy_elem.data = () => "number";
let $subsection_elem = $(`#org-${CSS.escape(subsection)}`);
$subsection_elem.set_find_results(".prop-element", [
$bot_creation_policy_elem,
$invite_to_realm_policy_elem,
$invite_to_stream_policy_elem,
]);
@ -160,7 +153,6 @@ function test_submit_settings_form(override, submit_form) {
let expected_value = {
bot_creation_policy: 1,
invite_to_realm_policy: 2,
invite_to_stream_policy: 1,
};
assert.deepEqual(data, expected_value);
@ -317,7 +309,6 @@ function test_sync_realm_settings({override}) {
}
test_common_policy("invite_to_stream_policy");
test_common_policy("invite_to_realm_policy");
{
/* Test message content edit limit minutes sync */
@ -373,9 +364,9 @@ function test_sync_realm_settings({override}) {
{
// Test hiding save-discard buttons on live-updating.
const $property_elem = $("#id_realm_invite_to_realm_policy");
const $property_elem = $("#id_realm_invite_to_stream_policy");
$property_elem.length = 1;
$property_elem.attr("id", "id_realm_invite_to_realm_policy");
$property_elem.attr("id", "id_realm_invite_to_stream_policy");
$property_elem.closest = () => $subsection_stub;
const save_button_stubs = createSaveButtons("subsection-stub");
@ -386,13 +377,13 @@ function test_sync_realm_settings({override}) {
$property_elem.val(settings_config.common_policy_values.by_admins_only.code);
override(
realm,
"realm_invite_to_realm_policy",
"realm_invite_to_stream_policy",
settings_config.common_policy_values.by_members.code,
);
save_button_stubs.$save_button_controls.removeClass("hide");
$subsection_stub.set_find_results(".prop-element", [$property_elem]);
settings_org.sync_realm_settings("invite_to_realm_policy");
settings_org.sync_realm_settings("invite_to_stream_policy");
assert.equal(save_button_stubs.props.hidden, true);
}
}

View File

@ -37,7 +37,7 @@ from zerver.models import (
from zerver.models.groups import SystemGroups
from zerver.models.presence import PresenceSequence
from zerver.models.realm_audit_logs import AuditLogEventType
from zerver.models.realms import CommonPolicyEnum, InviteToRealmPolicyEnum
from zerver.models.realms import CommonPolicyEnum
from zproject.backends import all_default_backend_names
@ -115,8 +115,6 @@ def set_realm_permissions_based_on_org_type(realm: Realm) -> None:
Realm.ORG_TYPES["education_nonprofit"]["id"],
Realm.ORG_TYPES["education"]["id"],
):
# Limit user creation to administrators.
realm.invite_to_realm_policy = InviteToRealmPolicyEnum.ADMINS_ONLY
# Don't allow members (students) to manage user groups or
# stream subscriptions.
realm.invite_to_stream_policy = CommonPolicyEnum.MODERATORS_ONLY
@ -290,6 +288,10 @@ def do_create_realm(
Realm.ORG_TYPES["education_nonprofit"]["id"]: SystemGroups.MODERATORS,
Realm.ORG_TYPES["education"]["id"]: SystemGroups.MODERATORS,
},
"can_invite_users_group": {
Realm.ORG_TYPES["education_nonprofit"]["id"]: SystemGroups.ADMINISTRATORS,
Realm.ORG_TYPES["education"]["id"]: SystemGroups.ADMINISTRATORS,
},
"can_move_messages_between_channels_group": {
Realm.ORG_TYPES["education_nonprofit"]["id"]: SystemGroups.MODERATORS,
Realm.ORG_TYPES["education"]["id"]: SystemGroups.MODERATORS,

View File

@ -1077,6 +1077,7 @@ group_setting_update_data_type = DictType(
("can_create_web_public_channel_group", group_setting_type),
("can_delete_any_message_group", group_setting_type),
("can_delete_own_message_group", group_setting_type),
("can_invite_users_group", group_setting_type),
("can_manage_all_groups", group_setting_type),
("can_move_messages_between_channels_group", group_setting_type),
("can_move_messages_between_topics_group", group_setting_type),

View File

@ -589,7 +589,7 @@ def fetch_initial_state_data(
or state["can_create_web_public_streams"]
)
state["can_subscribe_other_users"] = settings_user.can_subscribe_other_users()
state["can_invite_others_to_realm"] = settings_user.can_invite_users_by_email()
state["can_invite_others_to_realm"] = settings_user.can_invite_users_by_email(realm)
state["is_admin"] = settings_user.is_realm_admin
state["is_owner"] = settings_user.is_realm_owner
state["is_moderator"] = settings_user.is_moderator
@ -1302,26 +1302,11 @@ def apply_event(
else state["server_jitsi_server_url"]
)
policy_permission_dict = {
"invite_to_stream_policy": "can_subscribe_other_users",
"invite_to_realm_policy": "can_invite_others_to_realm",
}
# Tricky interaction: Whether we can create streams and can subscribe other users
# can get changed here.
if field == "realm_waiting_period_threshold":
for policy, permission in policy_permission_dict.items():
if permission in state:
state[permission] = user_profile.has_permission(policy)
if (
event["property"] in policy_permission_dict
and policy_permission_dict[event["property"]] in state
event["property"] == "invite_to_stream_policy"
and "can_subscribe_other_users" in state
):
state[policy_permission_dict[event["property"]]] = user_profile.has_permission(
event["property"]
)
state["can_subscribe_other_users"] = user_profile.has_permission(event["property"])
elif event["op"] == "update_dict":
for key, value in event["data"].items():
if key == "max_file_upload_size_mib":
@ -1377,6 +1362,11 @@ def apply_event(
or state["can_create_web_public_streams"]
)
if key == "can_invite_users_group" and "can_invite_others_to_realm" in state:
state["can_invite_others_to_realm"] = user_profile.has_permission(
"can_invite_users_group"
)
if key == "plan_type":
# Then there are some extra fields that also need to be set.
state["zulip_plan_is_not_limited"] = value != Realm.PLAN_TYPE_LIMITED

View File

@ -0,0 +1,23 @@
# Generated by Django 5.0.9 on 2024-11-13 18:13
import django.db.models.deletion
from django.db import migrations, models
class Migration(migrations.Migration):
dependencies = [
("zerver", "0624_alter_realmexport_tarball_size_bytes"),
]
operations = [
migrations.AddField(
model_name="realm",
name="can_invite_users_group",
field=models.ForeignKey(
null=True,
on_delete=django.db.models.deletion.RESTRICT,
related_name="+",
to="zerver.usergroup",
),
),
]

View File

@ -0,0 +1,44 @@
# Generated by Django 4.2.1 on 2023-06-12 10:47
from django.db import migrations
from django.db.backends.base.schema import BaseDatabaseSchemaEditor
from django.db.migrations.state import StateApps
from django.db.models import OuterRef
def set_default_value_for_can_invite_users_group(
apps: StateApps, schema_editor: BaseDatabaseSchemaEditor
) -> None:
Realm = apps.get_model("zerver", "Realm")
NamedUserGroup = apps.get_model("zerver", "NamedUserGroup")
invite_to_realm_policy_to_group_name = {
1: "role:members",
2: "role:administrators",
3: "role:fullmembers",
4: "role:moderators",
6: "role:nobody",
}
for id, group_name in invite_to_realm_policy_to_group_name.items():
Realm.objects.filter(can_invite_users_group=None, invite_to_realm_policy=id).update(
can_invite_users_group=NamedUserGroup.objects.filter(
name=group_name, realm=OuterRef("id"), is_system_group=True
).values("pk")
)
class Migration(migrations.Migration):
atomic = False
dependencies = [
("zerver", "0625_realm_can_invite_users_group"),
]
operations = [
migrations.RunPython(
set_default_value_for_can_invite_users_group,
elidable=True,
reverse_code=migrations.RunPython.noop,
)
]

View File

@ -0,0 +1,22 @@
# Generated by Django 5.0.9 on 2024-11-16 07:59
import django.db.models.deletion
from django.db import migrations, models
class Migration(migrations.Migration):
dependencies = [
("zerver", "0626_set_default_value_for_can_invite_users_group"),
]
operations = [
migrations.AlterField(
model_name="realm",
name="can_invite_users_group",
field=models.ForeignKey(
on_delete=django.db.models.deletion.RESTRICT,
related_name="+",
to="zerver.usergroup",
),
),
]

View File

@ -305,6 +305,11 @@ class Realm(models.Model): # type: ignore[django-manager-missing] # django-stub
default=InviteToRealmPolicyEnum.MEMBERS_ONLY
)
# UserGroup whose members are allowed to invite other users to organization.
can_invite_users_group = models.ForeignKey(
"UserGroup", on_delete=models.RESTRICT, related_name="+"
)
# UserGroup whose members are allowed to create invite link.
create_multiuse_invite_group = models.ForeignKey(
"UserGroup", on_delete=models.RESTRICT, related_name="+"
@ -759,6 +764,15 @@ class Realm(models.Model): # type: ignore[django-manager-missing] # django-stub
default_group_name=SystemGroups.EVERYONE,
id_field_name="can_delete_own_message_group_id",
),
can_invite_users_group=GroupPermissionSetting(
require_system_group=False,
allow_internet_group=False,
allow_owners_group=False,
allow_nobody_group=True,
allow_everyone_group=False,
default_group_name=SystemGroups.MEMBERS,
id_field_name="can_invite_users_group_id",
),
can_manage_all_groups=GroupPermissionSetting(
require_system_group=False,
allow_internet_group=False,
@ -1198,6 +1212,8 @@ def get_realm_with_settings(realm_id: int) -> Realm:
"can_delete_any_message_group__named_user_group",
"can_delete_own_message_group",
"can_delete_own_message_group__named_user_group",
"can_invite_users_group",
"can_invite_users_group__named_user_group",
"can_manage_all_groups",
"can_manage_all_groups__named_user_group",
"can_move_messages_between_channels_group",

View File

@ -816,10 +816,10 @@ class UserProfile(AbstractBaseUser, PermissionsMixin, UserBaseSettings):
from zerver.lib.user_groups import user_has_permission_for_group_setting
from zerver.models import Realm
if policy_name not in Realm.REALM_PERMISSION_GROUP_SETTINGS and policy_name not in [
"invite_to_stream_policy",
"invite_to_realm_policy",
]:
if (
policy_name not in Realm.REALM_PERMISSION_GROUP_SETTINGS
and policy_name != "invite_to_stream_policy"
):
raise AssertionError("Invalid policy")
if policy_name in Realm.REALM_PERMISSION_GROUP_SETTINGS:
@ -880,8 +880,8 @@ class UserProfile(AbstractBaseUser, PermissionsMixin, UserBaseSettings):
def can_subscribe_other_users(self) -> bool:
return self.has_permission("invite_to_stream_policy")
def can_invite_users_by_email(self) -> bool:
return self.has_permission("invite_to_realm_policy")
def can_invite_users_by_email(self, realm: Optional["Realm"] = None) -> bool:
return self.has_permission("can_invite_users_group", realm)
def can_create_multiuse_invite_to_realm(self) -> bool:
return self.has_permission("create_multiuse_invite_group")

View File

@ -4531,6 +4531,21 @@ paths:
setting controlled this permission; `true` corresponded to `Everyone`, and
`false` to `Admins`.
- $ref: "#/components/schemas/GroupSettingValue"
can_invite_users_group:
allOf:
- description: |
A [group-setting value](/api/group-setting-values) defining the set of
users who have permission to send email invitations for inviting other users
to the organization.
**Changes**: New in Zulip 10.0 (feature level 321). Previously, this
permission was controlled by the enum `invite_to_realm_policy`. Values
were 1=Members, 2=Admins, 3=Full members, 4=Moderators, 6=Nobody.
Before Zulip 4.0 (feature level 50), the `invite_by_admins_only` boolean
setting controlled this permission; `true` corresponded to `Admins`, and
`false` to `Members`.
- $ref: "#/components/schemas/GroupSettingValue"
can_move_messages_between_channels_group:
allOf:
- description: |
@ -16362,6 +16377,23 @@ paths:
setting controlled this permission; `true` corresponded to `Everyone`, and
`false` to `Admins`.
- $ref: "#/components/schemas/GroupSettingValue"
realm_can_invite_users_group:
allOf:
- description: |
Present if `realm` is present in `fetch_event_types`.
A [group-setting value](/api/group-setting-values) defining the set of
users who have permission to send email invitations for inviting other users
to the organization.
**Changes**: New in Zulip 10.0 (feature level 321). Previously, this
permission was controlled by the enum `invite_to_realm_policy`. Values
were 1=Members, 2=Admins, 3=Full members, 4=Moderators, 6=Nobody.
Before Zulip 4.0 (feature level 50), the `invite_by_admins_only` boolean
setting controlled this permission; `true` corresponded to `Admins`, and
`false` to `Members`.
- $ref: "#/components/schemas/GroupSettingValue"
realm_can_move_messages_between_channels_group:
allOf:
- description: |

View File

@ -1192,7 +1192,7 @@ class FetchQueriesTest(ZulipTestCase):
realm = get_realm_with_settings(realm_id=user.realm_id)
with (
self.assert_database_query_count(42),
self.assert_database_query_count(43),
mock.patch("zerver.lib.events.always_want") as want_mock,
):
fetch_initial_state_data(user, realm=realm)
@ -1217,7 +1217,7 @@ class FetchQueriesTest(ZulipTestCase):
realm_filters=0,
realm_linkifiers=0,
realm_playgrounds=1,
realm_user=4,
realm_user=5,
realm_user_groups=3,
realm_user_settings_defaults=1,
recent_private_conversations=1,

View File

@ -136,6 +136,7 @@ class HomeTest(ZulipTestCase):
"realm_can_create_web_public_channel_group",
"realm_can_delete_any_message_group",
"realm_can_delete_own_message_group",
"realm_can_invite_users_group",
"realm_can_manage_all_groups",
"realm_can_move_messages_between_channels_group",
"realm_can_move_messages_between_topics_group",
@ -271,7 +272,7 @@ class HomeTest(ZulipTestCase):
# Verify succeeds once logged-in
with (
self.assert_database_query_count(52),
self.assert_database_query_count(53),
patch("zerver.lib.cache.cache_set") as cache_mock,
):
result = self._get_home_page(stream="Denmark")
@ -576,7 +577,7 @@ class HomeTest(ZulipTestCase):
# Verify number of queries for Realm admin isn't much higher than for normal users.
self.login("iago")
with (
self.assert_database_query_count(52),
self.assert_database_query_count(53),
patch("zerver.lib.cache.cache_set") as cache_mock,
):
result = self._get_home_page()
@ -608,7 +609,7 @@ class HomeTest(ZulipTestCase):
self._get_home_page()
# Then for the second page load, measure the number of queries.
with self.assert_database_query_count(47):
with self.assert_database_query_count(48):
result = self._get_home_page()
# Do a sanity check that our new streams were in the payload.

View File

@ -43,6 +43,7 @@ from zerver.actions.realm_settings import (
do_change_realm_plan_type,
do_set_realm_property,
)
from zerver.actions.user_groups import check_add_user_group
from zerver.actions.user_settings import do_change_full_name
from zerver.actions.users import change_user_is_active
from zerver.context_processors import common_context
@ -68,7 +69,7 @@ from zerver.models import (
UserProfile,
)
from zerver.models.groups import SystemGroups
from zerver.models.realms import CommonPolicyEnum, InviteToRealmPolicyEnum, get_realm
from zerver.models.realms import CommonPolicyEnum, get_realm
from zerver.models.streams import get_stream
from zerver.models.users import get_user_by_delivery_email
from zerver.views.invite import INVITATION_LINK_VALIDITY_MINUTES, get_invitee_emails_set
@ -850,26 +851,33 @@ class InviteUserTest(InviteUserBase):
self.submit_reg_form_for_user(invitee, "password")
self.check_user_subscribed_only_to_streams("test1", [denmark, sandbox, verona, zulip])
def test_can_invite_others_to_realm(self) -> None:
def validation_func(user_profile: UserProfile) -> bool:
return user_profile.can_invite_users_by_email()
realm = get_realm("zulip")
do_set_realm_property(
realm, "invite_to_realm_policy", InviteToRealmPolicyEnum.NOBODY, acting_user=None
)
desdemona = self.example_user("desdemona")
self.assertFalse(validation_func(desdemona))
self.check_has_permission_policies("invite_to_realm_policy", validation_func)
def test_invite_others_to_realm_setting(self) -> None:
"""
The invite_to_realm_policy realm setting works properly.
The `can_invite_users_group` realm setting works properly.
"""
realm = get_realm("zulip")
do_set_realm_property(
realm, "invite_to_realm_policy", InviteToRealmPolicyEnum.NOBODY, acting_user=None
administrators_system_group = NamedUserGroup.objects.get(
name=SystemGroups.ADMINISTRATORS, realm=realm, is_system_group=True
)
moderators_system_group = NamedUserGroup.objects.get(
name=SystemGroups.MODERATORS, realm=realm, is_system_group=True
)
full_members_system_group = NamedUserGroup.objects.get(
name=SystemGroups.FULL_MEMBERS, realm=realm, is_system_group=True
)
members_system_group = NamedUserGroup.objects.get(
name=SystemGroups.MEMBERS, realm=realm, is_system_group=True
)
nobody_system_group = NamedUserGroup.objects.get(
name=SystemGroups.NOBODY, realm=realm, is_system_group=True
)
do_change_realm_permission_group_setting(
realm,
"can_invite_users_group",
nobody_system_group,
acting_user=None,
)
self.login("desdemona")
email = "alice-test@zulip.com"
@ -880,8 +888,11 @@ class InviteUserTest(InviteUserBase):
"Insufficient permission",
)
do_set_realm_property(
realm, "invite_to_realm_policy", InviteToRealmPolicyEnum.ADMINS_ONLY, acting_user=None
do_change_realm_permission_group_setting(
realm,
"can_invite_users_group",
administrators_system_group,
acting_user=None,
)
self.login("shiva")
@ -900,10 +911,10 @@ class InviteUserTest(InviteUserBase):
mail.outbox = []
do_set_realm_property(
do_change_realm_permission_group_setting(
realm,
"invite_to_realm_policy",
InviteToRealmPolicyEnum.MODERATORS_ONLY,
"can_invite_users_group",
moderators_system_group,
acting_user=None,
)
self.login("hamlet")
@ -923,8 +934,11 @@ class InviteUserTest(InviteUserBase):
mail.outbox = []
do_set_realm_property(
realm, "invite_to_realm_policy", InviteToRealmPolicyEnum.MEMBERS_ONLY, acting_user=None
do_change_realm_permission_group_setting(
realm,
"can_invite_users_group",
members_system_group,
acting_user=None,
)
self.login("polonius")
@ -941,16 +955,17 @@ class InviteUserTest(InviteUserBase):
mail.outbox = []
do_set_realm_property(
do_change_realm_permission_group_setting(
realm,
"invite_to_realm_policy",
InviteToRealmPolicyEnum.FULL_MEMBERS_ONLY,
"can_invite_users_group",
full_members_system_group,
acting_user=None,
)
do_set_realm_property(realm, "waiting_period_threshold", 1000, acting_user=None)
hamlet = self.example_user("hamlet")
hamlet.date_joined = timezone_now() - timedelta(days=realm.waiting_period_threshold - 1)
hamlet.date_joined = timezone_now() - timedelta(days=9)
do_set_realm_property(realm, "waiting_period_threshold", 10, acting_user=None)
email = "issac-test@zulip.com"
email2 = "steven-test@zulip.com"
@ -967,6 +982,60 @@ class InviteUserTest(InviteUserBase):
self.assertTrue(find_key_by_email(email2))
self.check_sent_emails([email, email2])
cordelia = self.example_user("cordelia")
# Test for checking setting for non-system user group.
user_group = check_add_user_group(
realm, "new_group", [hamlet, cordelia], acting_user=hamlet
)
do_change_realm_permission_group_setting(
realm, "can_invite_users_group", user_group, acting_user=None
)
# Hamlet and Cordelia are in the allowed user group, so can send email
# invitations.
self.login("hamlet")
self.assert_json_success(self.invite(invitee, ["Denmark"]))
self.login("cordelia")
self.assert_json_success(self.invite(invitee, ["Denmark"]))
# Iago is not in the allowed user group, so cannot send email
# invitations.
self.login("iago")
self.assert_json_error(
self.invite(invitee, ["Denmark"]),
"Insufficient permission",
)
# Test for checking the setting for anonymous user group.
anonymous_user_group = self.create_or_update_anonymous_group_for_setting(
[hamlet],
[administrators_system_group],
)
do_change_realm_permission_group_setting(
realm,
"can_invite_users_group",
anonymous_user_group,
acting_user=None,
)
# Hamlet is the direct member of the anonymous user group, so can send
# email invitations.
self.login("hamlet")
self.assert_json_success(self.invite(invitee, ["Denmark"]))
# Iago is in the `administrators_system_group` subgroup, so can send email
# invitations.
self.login("iago")
self.assert_json_success(self.invite(invitee, ["Denmark"]))
# Shiva is not in the anonymous user group, so cannot send email
# invitations.
self.login("shiva")
self.assert_json_error(
self.invite(invitee, ["Denmark"]),
"Insufficient permission",
)
def test_invite_user_signup_initial_history(self) -> None:
"""
Test that a new user invited to a stream receives some initial

View File

@ -113,13 +113,13 @@ class RealmTest(ZulipTestCase):
)
self.assertEqual(realm.can_create_public_channel_group_id, admins_group.id)
self.assertEqual(realm.invite_to_realm_policy, InviteToRealmPolicyEnum.ADMINS_ONLY)
self.assertEqual(realm.invite_to_stream_policy, CommonPolicyEnum.MODERATORS_ONLY)
realm = get_realm("test_education_non_profit")
moderators_group = NamedUserGroup.objects.get(
name=SystemGroups.MODERATORS, realm=realm, is_system_group=True
)
self.assertEqual(realm.can_create_groups.id, moderators_group.id)
self.assertEqual(realm.can_invite_users_group.id, admins_group.id)
self.assertEqual(realm.can_move_messages_between_channels_group.id, moderators_group.id)
def test_permission_for_education_for_profit_organization(self) -> None:
@ -134,13 +134,13 @@ class RealmTest(ZulipTestCase):
)
self.assertEqual(realm.can_create_public_channel_group_id, admins_group.id)
self.assertEqual(realm.invite_to_realm_policy, InviteToRealmPolicyEnum.ADMINS_ONLY)
self.assertEqual(realm.invite_to_stream_policy, CommonPolicyEnum.MODERATORS_ONLY)
realm = get_realm("test_education_for_profit")
moderators_group = NamedUserGroup.objects.get(
name=SystemGroups.MODERATORS, realm=realm, is_system_group=True
)
self.assertEqual(realm.can_create_groups.id, moderators_group.id)
self.assertEqual(realm.can_invite_users_group.id, admins_group.id)
self.assertEqual(realm.can_move_messages_between_channels_group.id, moderators_group.id)
def test_realm_enable_spectator_access(self) -> None:
@ -2349,6 +2349,9 @@ class RealmAPITest(ZulipTestCase):
def test_can_create_groups_setting_requires_owner(self) -> None:
self.do_test_changing_groups_setting_by_owners_only("can_create_groups")
def test_can_invite_users_group_setting_requires_owner(self) -> None:
self.do_test_changing_groups_setting_by_owners_only("can_invite_users_group")
def test_can_manage_all_groups_setting_requires_owner(self) -> None:
self.do_test_changing_groups_setting_by_owners_only("can_manage_all_groups")

View File

@ -139,6 +139,7 @@ def update_realm(
can_create_public_channel_group: Json[GroupSettingChangeRequest] | None = None,
can_create_private_channel_group: Json[GroupSettingChangeRequest] | None = None,
can_create_web_public_channel_group: Json[GroupSettingChangeRequest] | None = None,
can_invite_users_group: Json[GroupSettingChangeRequest] | None = None,
can_manage_all_groups: Json[GroupSettingChangeRequest] | None = None,
can_move_messages_between_channels_group: Json[GroupSettingChangeRequest] | None = None,
can_move_messages_between_topics_group: Json[GroupSettingChangeRequest] | None = None,
@ -223,6 +224,7 @@ def update_realm(
or invite_required is not None
or create_multiuse_invite_group is not None
or can_create_groups is not None
or can_invite_users_group is not None
or can_manage_all_groups is not None
) and not user_profile.is_realm_owner:
raise OrganizationOwnerRequiredError