Add validation for private message recipients.

The function rejects messages in which any recipient is neither a
member of the realm nor listed in cross_realm_user_emails.

Fixes: #930.
Vishnu Ks 2016-06-10 23:16:53 +05:30 committed by Tim Abbott
parent a717c7df18
commit 77ec6217eb
3 changed files with 35 additions and 4 deletions


@ -777,14 +777,38 @@ function validate_stream_message() {
return true;
}
// The function checks whether the recipients are users of the realm or cross realm users (bots for now)
function validate_private_message() {
if (exports.recipient() === "") {
compose_error("Please specify at least one recipient", $("#private_message_recipient"));
return false;
} else {
var private_recipients = util.extract_pm_recipients(compose.recipient());
var invalid_recipients = [];
_.each(private_recipients, function (email) {
// This case occurs when exports.recipient() ends with ','
if (email === "") {
return;
}
if (people.realm_get(email) !== undefined) {
return;
}
if (util.string_in_list_case_insensitive(email, page_params.cross_realm_user_emails)) {
return;
}
invalid_recipients.push(email);
});
if (invalid_recipients.length === 1) {
compose_error("The recipient " + invalid_recipients.join() + " is not valid ", $("#private_message_recipient"));
return false;
} else if (invalid_recipients.length > 1) {
compose_error("The recipients " + invalid_recipients.join() + " are not valid ", $("#private_message_recipient"));
return false;
} else {
return true;
}
}
}
exports.validate = function () {
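Review bot: The two new `compose_error` calls in `validate_private_message` build the message by concatenating `invalid_recipients.join()`, which is text the user typed into the recipient box, and nothing in the hunk escapes it. `compose_error` is defined outside this hunk; if it inserts its first argument as HTML, a pasted recipient string containing markup would be rendered in the page, so pass `_.escape(invalid_recipients.join())` (Underscore is already in use here via `_.each`) or have `compose_error` set the text rather than HTML. The function also reads the recipient through `exports.recipient()` for the empty check and `compose.recipient()` for parsing; using one form for both would make it obvious they are the same value.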


@ -182,6 +182,11 @@ exports.array_compare = function util_array_compare(a, b) {
return true;
};
exports.string_in_list_case_insensitive = function (str, list) {
var dict = Dict.from_array(list || [], {fold_case: true});
return dict.has(str);
};
/* Represents a value that is expensive to compute and should be
* computed on demand and then cached. The value can be forcefully
* recalculated on the next call to get() by calling reset().
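Review bot: `string_in_list_case_insensitive` has no comment stating its contract, and it builds a new `Dict` from the whole list on every call, which the new compose validation does once per recipient. I would add `// Returns true if str matches an entry of list, ignoring case; an undefined list is treated as empty.` above it. If the list grows, the caller could build the folded `Dict` once and call `has()` per recipient instead.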


@ -23,7 +23,8 @@ from zerver.models import Message, UserProfile, Stream, Subscription, Huddle, \
PreregistrationUser, get_client, MitUser, UserActivity, PushDeviceToken, \
get_stream, UserPresence, get_recipient, \
split_email_to_domain, resolve_email_to_domain, email_to_username, get_realm, \
completely_open, get_unique_open_realm, remote_user_to_email, email_allowed_for_realm
completely_open, get_unique_open_realm, remote_user_to_email, email_allowed_for_realm, \
get_cross_realm_users
from zerver.lib.actions import do_change_password, do_change_full_name, do_change_is_admin, \
do_activate_user, do_create_user, \
internal_send_message, update_user_presence, do_events_register, \
@ -836,6 +837,7 @@ def home(request):
first_in_realm = first_in_realm,
prompt_for_invites = prompt_for_invites,
notifications_stream = notifications_stream,
cross_realm_user_emails = list(get_cross_realm_users()),
# Stream message notification settings:
stream_desktop_notifications_enabled =
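Review bot: `cross_realm_user_emails` is added to the page parameters in `home()` so the browser can pre-check recipients, but nothing visible in this commit changes the server-side send path, and a client can skip or alter the JavaScript check. The view that accepts private messages should enforce the same rule itself (recipient is in the sender's realm or in `get_cross_realm_users()`); if it already does, a comment here such as `# Used only for client-side compose validation; the server re-checks recipients on send.` would make that clear. `home()` starts and ends outside the hunk, and `get_cross_realm_users` is not shown, so I am assuming it returns email addresses as the key name suggests.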