bots: Clean up editing bots impacting non-bot users.

This fixes a bug where the endpoint for editing bot users would allow
an organization administrator to edit the full name of a bot user.

A combination of this an another recently fixed bug made it possible
for this process to set a `bot_owner` for a non-bot user; so we also
include a migration to fix that for any users that might have had our
model invariants corrupted in that way.
This commit is contained in:
Tim Abbott 2018-04-02 18:55:51 -07:00
parent 3d900a733f
commit 758d7b9146
3 changed files with 34 additions and 0 deletions

View File

@ -0,0 +1,24 @@
# -*- coding: utf-8 -*-
# Generated by Django 1.11.6 on 2018-04-03 01:52
from __future__ import unicode_literals
from django.db import migrations
from django.db.backends.postgresql_psycopg2.schema import DatabaseSchemaEditor
from django.db.migrations.state import StateApps
def migrate_fix_invalid_bot_owner_values(apps: StateApps, schema_editor: DatabaseSchemaEditor) -> None:
"""Fixes UserProfile objects that incorrectly had a bot_owner set"""
UserProfile = apps.get_model('zerver', 'UserProfile')
UserProfile.objects.filter(is_bot=False).exclude(bot_owner=None).update(bot_owner=None)
class Migration(migrations.Migration):
dependencies = [
('zerver', '0153_remove_int_float_custom_fields'),
]
operations = [
migrations.RunPython(
migrate_fix_invalid_bot_owner_values,
reverse_code=migrations.RunPython.noop),
]

View File

@ -667,6 +667,14 @@ class BotTest(ZulipTestCase, UploadSerializeMixin):
bot = self.get_bot() bot = self.get_bot()
self.assertEqual('Fred', bot['full_name']) self.assertEqual('Fred', bot['full_name'])
def test_patch_bot_full_name_non_bot(self) -> None:
self.login(self.example_email('iago'))
bot_info = {
'full_name': 'Fred',
}
result = self.client_patch("/json/bots/hamlet@zulip.com", bot_info)
self.assert_json_error(result, "No such bot")
def test_patch_bot_owner(self) -> None: def test_patch_bot_owner(self) -> None:
self.login(self.example_email('hamlet')) self.login(self.example_email('hamlet'))
bot_info = { bot_info = {

View File

@ -172,6 +172,8 @@ def patch_bot_backend(
except UserProfile.DoesNotExist: except UserProfile.DoesNotExist:
return json_error(_('No such user')) return json_error(_('No such user'))
if not bot.is_bot:
return json_error(_('No such bot'))
if not user_profile.can_admin_user(bot): if not user_profile.can_admin_user(bot):
return json_error(_('Insufficient permission')) return json_error(_('Insufficient permission'))