Add validation for private message recipients.

The function will reject messages where recipients aren't either a member of the realm or a member of cross_realm_user_emails. Fixes: #930.
2016-06-10 23:16:53 +05:30 · 2016-06-10 23:16:53 +05:30 · 77ec6217eb
parent a717c7df18
commit 77ec6217eb
3 changed files with 35 additions and 4 deletions
--- a/static/js/compose.js
+++ b/static/js/compose.js
@ -777,14 +777,38 @@ function validate_stream_message() {

    return true;
 }
-
+// The function checks whether the recipients are users of the realm or cross realm users (bots for now)
 function validate_private_message() {
    if (exports.recipient() === "") {
        compose_error("Please specify at least one recipient", $("#private_message_recipient"));
        return false;
-    }
+    } else {
+        var private_recipients = util.extract_pm_recipients(compose.recipient());
+        var invalid_recipients = [];
+        _.each(private_recipients, function (email) {
+            // This case occurs when exports.recipient() ends with ','
+            if (email === "") {
+                return;
+            }
+            if (people.realm_get(email) !== undefined) {
+                return;
+            }
+            if (util.string_in_list_case_insensitive(email, page_params.cross_realm_user_emails)) {
+                return;
+            }
+            invalid_recipients.push(email);
+        });

-    return true;
+        if (invalid_recipients.length === 1) {
+            compose_error("The recipient " + invalid_recipients.join() + " is not valid ", $("#private_message_recipient"));
+            return false;
+        } else if (invalid_recipients.length > 1) {
+            compose_error("The recipients " + invalid_recipients.join() + " are not valid ", $("#private_message_recipient"));
+            return false;
+        } else {
+            return true;
+        }
+    }
 }

 exports.validate = function () {
--- a/static/js/util.js
+++ b/static/js/util.js
@ -182,6 +182,11 @@ exports.array_compare = function util_array_compare(a, b) {
    return true;
 };

+exports.string_in_list_case_insensitive = function (str, list) {
+    var dict = Dict.from_array(list || [], {fold_case: true});
+    return dict.has(str);
+};
+
 /* Represents a value that is expensive to compute and should be
 * computed on demand and then cached.  The value can be forcefully
 * recalculated on the next call to get() by calling reset().
--- a/zerver/views/init.py
+++ b/zerver/views/init.py
@ -23,7 +23,8 @@ from zerver.models import Message, UserProfile, Stream, Subscription, Huddle, \
    PreregistrationUser, get_client, MitUser, UserActivity, PushDeviceToken, \
    get_stream, UserPresence, get_recipient, \
    split_email_to_domain, resolve_email_to_domain, email_to_username, get_realm, \
-    completely_open, get_unique_open_realm, remote_user_to_email, email_allowed_for_realm
+    completely_open, get_unique_open_realm, remote_user_to_email, email_allowed_for_realm, \
+    get_cross_realm_users
 from zerver.lib.actions import do_change_password, do_change_full_name, do_change_is_admin, \
    do_activate_user, do_create_user, \
    internal_send_message, update_user_presence, do_events_register, \
@ -836,6 +837,7 @@ def home(request):
        first_in_realm        = first_in_realm,
        prompt_for_invites    = prompt_for_invites,
        notifications_stream  = notifications_stream,
+        cross_realm_user_emails = list(get_cross_realm_users()),

        # Stream message notification settings:
        stream_desktop_notifications_enabled =