settings: Disallow everyone group for new setting.

This is important because the "guests" value isn't one that we'd
expect anyone to pick intentionally, and in particular isn't an
available option for the similar/adjacent "email invitations" setting.
This commit is contained in:
Tim Abbott 2023-09-06 17:06:51 -07:00
parent 88ec312b21
commit 6c83bbcbdb
9 changed files with 34 additions and 2 deletions

View File

@ -3,6 +3,7 @@ type GroupPermissionSetting = {
allow_internet_group: boolean; allow_internet_group: boolean;
allow_owners_group: boolean; allow_owners_group: boolean;
allow_nobody_group: boolean; allow_nobody_group: boolean;
allow_everyone_group: boolean;
}; };
const group_permission_config_dict = new Map<string, GroupPermissionSetting>([ const group_permission_config_dict = new Map<string, GroupPermissionSetting>([
@ -13,6 +14,7 @@ const group_permission_config_dict = new Map<string, GroupPermissionSetting>([
allow_internet_group: false, allow_internet_group: false,
allow_owners_group: false, allow_owners_group: false,
allow_nobody_group: false, allow_nobody_group: false,
allow_everyone_group: true,
}, },
], ],
[ [
@ -22,6 +24,7 @@ const group_permission_config_dict = new Map<string, GroupPermissionSetting>([
allow_internet_group: false, allow_internet_group: false,
allow_owners_group: false, allow_owners_group: false,
allow_nobody_group: true, allow_nobody_group: true,
allow_everyone_group: false,
}, },
], ],
]); ]);

View File

@ -231,8 +231,13 @@ export function get_realm_user_groups_for_dropdown_list_widget(
return []; return [];
} }
const {require_system_group, allow_internet_group, allow_owners_group, allow_nobody_group} = const {
group_setting_config; require_system_group,
allow_internet_group,
allow_owners_group,
allow_nobody_group,
allow_everyone_group,
} = group_setting_config;
const system_user_groups = settings_config.system_user_groups_list const system_user_groups = settings_config.system_user_groups_list
.filter((group) => { .filter((group) => {
@ -248,6 +253,10 @@ export function get_realm_user_groups_for_dropdown_list_widget(
return false; return false;
} }
if (!allow_everyone_group && group.name === "role:everyone") {
return false;
}
return true; return true;
}) })
.map((group) => { .map((group) => {

View File

@ -287,6 +287,7 @@ class GroupPermissionSetting:
allow_internet_group: bool allow_internet_group: bool
allow_owners_group: bool allow_owners_group: bool
allow_nobody_group: bool allow_nobody_group: bool
allow_everyone_group: bool
default_group_name: str default_group_name: str
id_field_name: str id_field_name: str
default_for_system_groups: Optional[str] = None default_for_system_groups: Optional[str] = None

View File

@ -173,6 +173,7 @@ def access_user_group_for_setting(
allow_internet_group: bool = False, allow_internet_group: bool = False,
allow_owners_group: bool = False, allow_owners_group: bool = False,
allow_nobody_group: bool = True, allow_nobody_group: bool = True,
allow_everyone_group: bool = True,
) -> UserGroup: ) -> UserGroup:
user_group = access_user_group_by_id(user_group_id, user_profile, for_read=True) user_group = access_user_group_by_id(user_group_id, user_profile, for_read=True)
@ -202,6 +203,13 @@ def access_user_group_for_setting(
) )
) )
if not allow_everyone_group and user_group.name == UserGroup.EVERYONE_GROUP_NAME:
raise JsonableError(
_("'{setting_name}' setting cannot be set to 'role:everyone' group.").format(
setting_name=setting_name
)
)
return user_group return user_group

View File

@ -765,6 +765,7 @@ class Realm(models.Model): # type: ignore[django-manager-missing] # django-stub
allow_internet_group=False, allow_internet_group=False,
allow_owners_group=False, allow_owners_group=False,
allow_nobody_group=True, allow_nobody_group=True,
allow_everyone_group=False,
default_group_name=ADMINISTRATORS_GROUP_NAME, default_group_name=ADMINISTRATORS_GROUP_NAME,
id_field_name="create_multiuse_invite_group_id", id_field_name="create_multiuse_invite_group_id",
), ),
@ -2296,6 +2297,7 @@ class UserGroup(models.Model): # type: ignore[django-manager-missing] # django-
allow_internet_group=False, allow_internet_group=False,
allow_owners_group=False, allow_owners_group=False,
allow_nobody_group=True, allow_nobody_group=True,
allow_everyone_group=True,
default_group_name=EVERYONE_GROUP_NAME, default_group_name=EVERYONE_GROUP_NAME,
default_for_system_groups=NOBODY_GROUP_NAME, default_for_system_groups=NOBODY_GROUP_NAME,
id_field_name="can_mention_group_id", id_field_name="can_mention_group_id",
@ -2657,6 +2659,7 @@ class Stream(models.Model):
allow_internet_group=False, allow_internet_group=False,
allow_owners_group=False, allow_owners_group=False,
allow_nobody_group=False, allow_nobody_group=False,
allow_everyone_group=True,
default_group_name=UserGroup.ADMINISTRATORS_GROUP_NAME, default_group_name=UserGroup.ADMINISTRATORS_GROUP_NAME,
id_field_name="can_remove_subscribers_group_id", id_field_name="can_remove_subscribers_group_id",
), ),

View File

@ -1240,6 +1240,10 @@ class RealmAPITest(ZulipTestCase):
user_group.name == UserGroup.NOBODY_GROUP_NAME user_group.name == UserGroup.NOBODY_GROUP_NAME
and not setting_permission_configuration.allow_nobody_group and not setting_permission_configuration.allow_nobody_group
) )
or (
user_group.name == UserGroup.EVERYONE_GROUP_NAME
and not setting_permission_configuration.allow_everyone_group
)
or ( or (
user_group.name == UserGroup.OWNERS_GROUP_NAME user_group.name == UserGroup.OWNERS_GROUP_NAME
and not setting_permission_configuration.allow_owners_group and not setting_permission_configuration.allow_owners_group

View File

@ -318,6 +318,7 @@ def update_realm(
allow_internet_group=permissions_configuration.allow_internet_group, allow_internet_group=permissions_configuration.allow_internet_group,
allow_owners_group=permissions_configuration.allow_owners_group, allow_owners_group=permissions_configuration.allow_owners_group,
allow_nobody_group=permissions_configuration.allow_nobody_group, allow_nobody_group=permissions_configuration.allow_nobody_group,
allow_everyone_group=permissions_configuration.allow_everyone_group,
) )
do_change_realm_permission_group_setting( do_change_realm_permission_group_setting(
realm, setting_name, user_group, acting_user=user_profile realm, setting_name, user_group, acting_user=user_profile

View File

@ -399,6 +399,7 @@ def update_stream_backend(
allow_internet_group=permissions_configuration.allow_internet_group, allow_internet_group=permissions_configuration.allow_internet_group,
allow_owners_group=permissions_configuration.allow_owners_group, allow_owners_group=permissions_configuration.allow_owners_group,
allow_nobody_group=permissions_configuration.allow_nobody_group, allow_nobody_group=permissions_configuration.allow_nobody_group,
allow_everyone_group=permissions_configuration.allow_everyone_group,
) )
do_change_stream_group_based_setting( do_change_stream_group_based_setting(
stream, setting_name, user_group, acting_user=user_profile stream, setting_name, user_group, acting_user=user_profile

View File

@ -74,6 +74,7 @@ def add_user_group(
allow_internet_group=permission_config.allow_internet_group, allow_internet_group=permission_config.allow_internet_group,
allow_owners_group=permission_config.allow_owners_group, allow_owners_group=permission_config.allow_owners_group,
allow_nobody_group=permission_config.allow_nobody_group, allow_nobody_group=permission_config.allow_nobody_group,
allow_everyone_group=permission_config.allow_everyone_group,
) )
group_settings_map[setting_name] = setting_value_group group_settings_map[setting_name] = setting_value_group
@ -139,6 +140,7 @@ def edit_user_group(
allow_internet_group=permission_config.allow_internet_group, allow_internet_group=permission_config.allow_internet_group,
allow_owners_group=permission_config.allow_owners_group, allow_owners_group=permission_config.allow_owners_group,
allow_nobody_group=permission_config.allow_nobody_group, allow_nobody_group=permission_config.allow_nobody_group,
allow_everyone_group=permission_config.allow_everyone_group,
) )
do_change_user_group_permission_setting( do_change_user_group_permission_setting(
user_group, setting_name, setting_value_group, acting_user=user_profile user_group, setting_name, setting_value_group, acting_user=user_profile