Refactor logic around restricted_to_domain.

Add a function email_allowed_for_realm that checks whether a user with
given email is allowed to join a given realm (either because the email
has the right domain, or because the realm is open), and use it
whenever deciding whether to allow adding a user to a realm.

This commit is not intended to change any behavior, except in one case
where the Zulip realm's domain was not being converted to lowercase.
Reid Barton 2016-01-12 10:24:34 -05:00
parent 0755b51c2e
commit 9735025167
4 changed files with 19 additions and 8 deletions


@ -12,7 +12,7 @@ from zerver.models import Realm, RealmEmoji, Stream, UserProfile, UserActivity,
MAX_MESSAGE_LENGTH, get_client, get_stream, get_recipient, get_huddle, \
get_user_profile_by_id, PreregistrationUser, get_display_recipient, \
to_dict_cache_key, get_realm, stringify_message_dict, bulk_get_recipients, \
resolve_email_to_domain, email_to_username, display_recipient_cache_key, \
email_allowed_for_realm, email_to_username, display_recipient_cache_key, \
get_user_profile_by_email, get_stream_cache_key, to_dict_cache_key_id, \
UserActivityInterval, get_active_user_dicts_in_realm, get_active_streams, \
realm_filters_for_domain, RealmFilter, receives_offline_notifications, \
@ -2798,7 +2798,7 @@ def do_invite_users(user_profile, invitee_emails, streams):
errors.append((email, "Invalid address."))
continue
if user_profile.realm.restricted_to_domain and resolve_email_to_domain(email) != user_profile.realm.domain.lower():
if not email_allowed_for_realm(email, user_profile.realm):
errors.append((email, "Outside your domain."))
continue


@ -4,7 +4,7 @@ from __future__ import print_function
from django.core.management.base import BaseCommand
from confirmation.models import Confirmation
from zerver.models import UserProfile, PreregistrationUser, \
get_user_profile_by_email, get_realm
get_user_profile_by_email, get_realm, email_allowed_for_realm
class Command(BaseCommand):
help = "Generate activation links for users and print them to stdout."
@ -47,9 +47,7 @@ class Command(BaseCommand):
for email in options['emails']:
if realm:
if realm.restricted_to_domain and \
domain.lower() != email.split("@", 1)[-1].lower() and \
not options["force"]:
if not email_allowed_for_realm(email, realm) and not options["force"]:
print("You've asked to add an external user (%s) to a closed realm (%s)." % (
email, domain))
print("Are you sure? To do this, pass --force.")
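Review bot: The rewritten condition in the `for email in options['emails']` loop is not equivalent to the one it replaces. The old test compared `email.split("@", 1)[-1].lower()` with `domain.lower()` directly, while `email_allowed_for_realm` goes through `resolve_email_to_domain`, which (judging by the `domain = alias.realm.domain` line visible in the models section) maps alias domains onto the owning realm's domain. An address at an alias domain would therefore no longer need `--force` to get an activation link for a closed realm. That is probably the intended policy, but the commit message names only the lowercase fix as a behavior change, so it should be stated there or in a comment such as `# Realm aliases count as in-domain; --force is only needed for truly external addresses.` The loop body continues outside the hunk.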


@ -188,6 +188,19 @@ def resolve_email_to_domain(email):
domain = alias.realm.domain
return domain
# Is a user with the given email address allowed to be in the given realm?
# (This function does not check whether the user has been invited to the realm.
# So for invite-only realms, this is the test for whether a user can be invited,
# not whether the user can sign up currently.)
def email_allowed_for_realm(email, realm):
# Anyone can be in an open realm
if not realm.restricted_to_domain:
return True
# Otherwise, domains must match (case-insensitively)
email_domain = resolve_email_to_domain(email)
return email_domain == realm.domain.lower()
def alias_for_realm(domain):
try:
return RealmAlias.objects.get(domain=domain)
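Review bot: The final comparison in `email_allowed_for_realm` lowercases only the realm side, so it is correct only if `resolve_email_to_domain` always returns a lowercase string. The tail of that function visible just above the new code returns `alias.realm.domain` as stored when an alias matches, so an aliased address could be rejected from a restricted realm whose stored domain contains uppercase characters. That fails closed, but it is inconsistent with the non-alias path. Normalizing both sides removes the dependency: `return email_domain.lower() == realm.domain.lower()`. The start of `resolve_email_to_domain` is outside the hunk, so the casing of its non-alias path is assumed here rather than confirmed.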


@ -22,7 +22,7 @@ from zerver.models import Message, UserProfile, Stream, Subscription, Huddle, \
PreregistrationUser, get_client, MitUser, UserActivity, PushDeviceToken, \
get_stream, UserPresence, get_recipient, \
split_email_to_domain, resolve_email_to_domain, email_to_username, get_realm, \
completely_open, get_unique_open_realm, remote_user_to_email
completely_open, get_unique_open_realm, remote_user_to_email, email_allowed_for_realm
from zerver.lib.actions import do_change_password, do_change_full_name, do_change_is_admin, \
do_activate_user, do_create_user, \
internal_send_message, update_user_presence, do_events_register, \
@ -97,7 +97,7 @@ def accounts_register(request):
# MitUsers can't be referred and don't have a referred_by field.
realm = prereg_user.referred_by.realm
domain = realm.domain
if realm.restricted_to_domain and domain != resolve_email_to_domain(email):
if not email_allowed_for_realm(email, realm):
return render_to_response("zerver/closed_realm.html", {"closed_domain_name": realm.name})
elif not mit_beta_user and prereg_user.realm:
# You have a realm set, even though nobody referred you. This
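Review bot: The one behavior change this commit intends lands on this condition in `accounts_register`, which gates registration into a domain-restricted realm, and none of the four changed sections adds a test for it. A regression test would pin the gate: an invited address against a realm whose stored domain has mixed case should succeed, and an out-of-domain address should render `zerver/closed_realm.html`. Separately, `domain = realm.domain` on the line above is no longer read by the condition; if nothing later in the function uses it on this path, it can be dropped. The function continues outside the hunk, so that last point needs checking against the full body.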