Add validation for private message recipients.

The function will reject messages where recipients aren't either a
member of the realm or a member of cross_realm_user_emails.

Fixes: #930.

static/js/compose.js

@@ -777,14 +777,38 @@ function validate_stream_message() {
 
     return true;
 }
-
+// The function checks whether the recipients are users of the realm or cross realm users (bots for now)
 function validate_private_message() {
     if (exports.recipient() === "") {
         compose_error("Please specify at least one recipient", $("#private_message_recipient"));
         return false;
-    }
+    } else {
+        var private_recipients = util.extract_pm_recipients(compose.recipient());
+        var invalid_recipients = [];
+        _.each(private_recipients, function (email) {
+            // This case occurs when exports.recipient() ends with ','
+            if (email === "") {
+                return;
+            }
+            if (people.realm_get(email) !== undefined) {
+                return;
+            }
+            if (util.string_in_list_case_insensitive(email, page_params.cross_realm_user_emails)) {
+                return;
+            }
+            invalid_recipients.push(email);
+        });
 
-    return true;
+        if (invalid_recipients.length === 1) {
+            compose_error("The recipient " + invalid_recipients.join() + " is not valid ", $("#private_message_recipient"));
+            return false;
+        } else if (invalid_recipients.length > 1) {
+            compose_error("The recipients " + invalid_recipients.join() + " are not valid ", $("#private_message_recipient"));
+            return false;
+        } else {
+            return true;
+        }
+    }
 }
 
 exports.validate = function () {

static/js/util.js

@@ -182,6 +182,11 @@ exports.array_compare = function util_array_compare(a, b) {
     return true;
 };
 
+exports.string_in_list_case_insensitive = function (str, list) {
+    var dict = Dict.from_array(list || [], {fold_case: true});
+    return dict.has(str);
+};
+
 /* Represents a value that is expensive to compute and should be
  * computed on demand and then cached.  The value can be forcefully
  * recalculated on the next call to get() by calling reset().

zerver/views/__init__.py

@@ -23,7 +23,8 @@ from zerver.models import Message, UserProfile, Stream, Subscription, Huddle, \
     PreregistrationUser, get_client, MitUser, UserActivity, PushDeviceToken, \
     get_stream, UserPresence, get_recipient, \
     split_email_to_domain, resolve_email_to_domain, email_to_username, get_realm, \
-    completely_open, get_unique_open_realm, remote_user_to_email, email_allowed_for_realm
+    completely_open, get_unique_open_realm, remote_user_to_email, email_allowed_for_realm, \
+    get_cross_realm_users
 from zerver.lib.actions import do_change_password, do_change_full_name, do_change_is_admin, \
     do_activate_user, do_create_user, \
     internal_send_message, update_user_presence, do_events_register, \
@@ -836,6 +837,7 @@ def home(request):
         first_in_realm        = first_in_realm,
         prompt_for_invites    = prompt_for_invites,
         notifications_stream  = notifications_stream,
+        cross_realm_user_emails = list(get_cross_realm_users()),
 
         # Stream message notification settings:
         stream_desktop_notifications_enabled =