create_user: Update data in user creation events for guests.

We do not send the original user data in user creation events to guests if user access is restricted in realm, as they would receive the information about user if user is subscribed to some common streams after account creation.
2023-11-03 09:09:40 +05:30 · 2023-11-03 09:09:40 +05:30 · 6f14d105a7
parent a23eff20fe
commit 6f14d105a7
4 changed files with 45 additions and 4 deletions
--- a/zerver/actions/create_user.py
+++ b/zerver/actions/create_user.py
@ -29,6 +29,8 @@ from zerver.lib.users import (
    can_access_delivery_email,
    format_user_row,
    get_api_key,
+    get_data_for_inaccessible_user,
+    user_access_restricted_in_realm,
    user_profile_to_user_row,
 )
 from zerver.models import (
@ -320,13 +322,32 @@ def notify_created_user(user_profile: UserProfile) -> None:
        "custom_profile_field_data": {},
    }

-    active_users = user_profile.realm.get_active_users()
+    user_ids_without_access_to_created_user: List[int] = []
+    users_with_access_to_created_users: List[UserProfile] = []
+    active_realm_users = list(user_profile.realm.get_active_users())
+
+    # This call to user_access_restricted_in_realm results in
+    # one extra query in the user creation codepath to check
+    # "realm.can_access_all_users_group.name" because we do
+    # not prefetch realm and its related fields when fetching
+    # PreregistrationUser object.
+    if user_access_restricted_in_realm(user_profile):
+        for user in active_realm_users:
+            if user.is_guest:
+                # This logic assumes that can_access_all_users_group
+                # setting can only be set to EVERYONE or MEMBERS.
+                user_ids_without_access_to_created_user.append(user.id)
+            else:
+                users_with_access_to_created_users.append(user)
+    else:
+        users_with_access_to_created_users = active_realm_users
+
    user_ids_with_real_email_access = []
    user_ids_without_real_email_access = []

    person_for_real_email_access_users = None
    person_for_without_real_email_access_users = None
-    for recipient_user in active_users:
+    for recipient_user in users_with_access_to_created_users:
        if can_access_delivery_email(
            recipient_user, user_profile.id, user_row["email_address_visibility"]
        ):
@ -359,6 +380,14 @@ def notify_created_user(user_profile: UserProfile) -> None:
        event = dict(type="realm_user", op="add", person=person_for_without_real_email_access_users)
        send_event_on_commit(user_profile.realm, event, user_ids_without_real_email_access)

+    if user_ids_without_access_to_created_user:
+        event = dict(
+            type="realm_user",
+            op="add",
+            person=get_data_for_inaccessible_user(user_profile.realm, user_profile.id),
+        )
+        send_event_on_commit(user_profile.realm, event, user_ids_without_access_to_created_user)
+

 def created_bot_event(user_profile: UserProfile) -> Dict[str, Any]:
    def stream_name(stream: Optional[Stream]) -> Optional[str]:
--- a/zerver/tests/test_events.py
+++ b/zerver/tests/test_events.py
@ -1491,6 +1491,18 @@ class NormalActionsTest(BaseAction):
        check_user_group_add_members("events[2]", events[2])
        check_user_group_add_members("events[3]", events[3])

+    def test_register_events_for_restricted_users(self) -> None:
+        self.set_up_db_for_testing_user_access()
+        self.user_profile = self.example_user("polonius")
+
+        events = self.verify_action(lambda: self.register("test1@zulip.com", "test1"), num_events=3)
+
+        check_realm_user_add("events[0]", events[0])
+        self.assertEqual(events[0]["person"]["full_name"], "Unknown user")
+
+        check_user_group_add_members("events[1]", events[1])
+        check_user_group_add_members("events[2]", events[2])
+
    def test_alert_words_events(self) -> None:
        events = self.verify_action(lambda: do_add_alert_words(self.user_profile, ["alert_word"]))
        check_alert_words("events[0]", events[0])
--- a/zerver/tests/test_signup.py
+++ b/zerver/tests/test_signup.py
@ -935,7 +935,7 @@ class LoginTest(ZulipTestCase):
        # seem to be any O(N) behavior.  Some of the cache hits are related
        # to sending messages, such as getting the welcome bot, looking up
        # the alert words for a realm, etc.
-        with self.assert_database_query_count(103), self.assert_memcached_count(18):
+        with self.assert_database_query_count(104), self.assert_memcached_count(18):
            with self.captureOnCommitCallbacks(execute=True):
                self.register(self.nonreg_email("test"), "test")

--- a/zerver/tests/test_users.py
+++ b/zerver/tests/test_users.py
@ -826,7 +826,7 @@ class QueryCountTest(ZulipTestCase):

        prereg_user = PreregistrationUser.objects.get(email="fred@zulip.com")

-        with self.assert_database_query_count(93):
+        with self.assert_database_query_count(94):
            with self.assert_memcached_count(23):
                with self.capture_send_event_calls(expected_num_events=11) as events:
                    fred = do_create_user(