From 9735025167a5063460dc2a6897c1adeda0d8e826 Mon Sep 17 00:00:00 2001 From: Reid Barton Date: Tue, 12 Jan 2016 10:24:34 -0500 Subject: [PATCH] Refactor logic around restricted_to_domain. Add a function email_allowed_for_realm that checks whether a user with given email is allowed to join a given realm (either because the email has the right domain, or because the realm is open), and use it whenever deciding whether to allow adding a user to a realm. This commit is not intended to change any behavior, except in one case where the Zulip realm's domain was not being converted to lowercase. --- zerver/lib/actions.py | 4 ++-- zerver/management/commands/generate_invite_links.py | 6 ++---- zerver/models.py | 13 +++++++++++++ zerver/views/__init__.py | 4 ++-- 4 files changed, 19 insertions(+), 8 deletions(-) diff --git a/zerver/lib/actions.py b/zerver/lib/actions.py index efcb438682..373c2562d0 100644 --- a/zerver/lib/actions.py +++ b/zerver/lib/actions.py @@ -12,7 +12,7 @@ from zerver.models import Realm, RealmEmoji, Stream, UserProfile, UserActivity, MAX_MESSAGE_LENGTH, get_client, get_stream, get_recipient, get_huddle, \ get_user_profile_by_id, PreregistrationUser, get_display_recipient, \ to_dict_cache_key, get_realm, stringify_message_dict, bulk_get_recipients, \ - resolve_email_to_domain, email_to_username, display_recipient_cache_key, \ + email_allowed_for_realm, email_to_username, display_recipient_cache_key, \ get_user_profile_by_email, get_stream_cache_key, to_dict_cache_key_id, \ UserActivityInterval, get_active_user_dicts_in_realm, get_active_streams, \ realm_filters_for_domain, RealmFilter, receives_offline_notifications, \ 
@@ -2798,7 +2798,7 @@ def do_invite_users(user_profile, invitee_emails, streams): errors.append((email, "Invalid address.")) continue - if user_profile.realm.restricted_to_domain and resolve_email_to_domain(email) != user_profile.realm.domain.lower(): + if not email_allowed_for_realm(email, user_profile.realm): errors.append((email, "Outside your domain.")) continue diff --git a/zerver/management/commands/generate_invite_links.py b/zerver/management/commands/generate_invite_links.py index 7d1342ad91..b517cc57d3 100644 --- a/zerver/management/commands/generate_invite_links.py +++ b/zerver/management/commands/generate_invite_links.py @@ -4,7 +4,7 @@ from __future__ import print_function from django.core.management.base import BaseCommand from confirmation.models import Confirmation from zerver.models import UserProfile, PreregistrationUser, \ - get_user_profile_by_email, get_realm + get_user_profile_by_email, get_realm, email_allowed_for_realm class Command(BaseCommand): help = "Generate activation links for users and print them to stdout." @@ -47,9 +47,7 @@ class Command(BaseCommand): for email in options['emails']: if realm: - if realm.restricted_to_domain and \ - domain.lower() != email.split("@", 1)[-1].lower() and \ - not options["force"]: + if not email_allowed_for_realm(email, realm) and not options["force"]: print("You've asked to add an external user (%s) to a closed realm (%s)." % ( email, domain)) print("Are you sure? To do this, pass --force.") diff --git a/zerver/models.py b/zerver/models.py index 82ab73b79a..a4a848f345 100644 --- a/zerver/models.py +++ b/zerver/models.py 
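Review bot: In `generate_invite_links.py` (hunk `@@ -47,9 +47,7 @@`), swapping the literal `email.split("@", 1)[-1].lower()` comparison for `email_allowed_for_realm(email, realm)` changes which addresses this command accepts without `--force`, and the commit message does not mention it. The helper goes through `resolve_email_to_domain`, whose visible tail in the `zerver/models.py` hunk returns `alias.realm.domain`, so an address on an aliased domain now appears to pass where the old check would have demanded `--force`. If that is intended, record it in the commit message next to the lowercase fix; if not, keep the stricter literal comparison for this admin path. The check now compares against `realm.domain` while the warning still prints the `domain` argument, so confirm the two are always the same value; the loop body continues outside the hunk.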
@@ -188,6 +188,19 @@ def resolve_email_to_domain(email): domain = alias.realm.domain return domain +# Is a user with the given email address allowed to be in the given realm? +# (This function does not check whether the user has been invited to the realm. +# So for invite-only realms, this is the test for whether a user can be invited, +# not whether the user can sign up currently.) +def email_allowed_for_realm(email, realm): + # Anyone can be in an open realm + if not realm.restricted_to_domain: + return True + + # Otherwise, domains must match (case-insensitively) + email_domain = resolve_email_to_domain(email) + return email_domain == realm.domain.lower() + def alias_for_realm(domain): try: return RealmAlias.objects.get(domain=domain) diff --git a/zerver/views/__init__.py b/zerver/views/__init__.py index 939d3db03f..6e17054586 100644 --- a/zerver/views/__init__.py +++ b/zerver/views/__init__.py @@ -22,7 +22,7 @@ from zerver.models import Message, UserProfile, Stream, Subscription, Huddle, \ PreregistrationUser, get_client, MitUser, UserActivity, PushDeviceToken, \ get_stream, UserPresence, get_recipient, \ split_email_to_domain, resolve_email_to_domain, email_to_username, get_realm, \ - completely_open, get_unique_open_realm, remote_user_to_email + completely_open, get_unique_open_realm, remote_user_to_email, email_allowed_for_realm from zerver.lib.actions import do_change_password, do_change_full_name, do_change_is_admin, \ do_activate_user, do_create_user, \ internal_send_message, update_user_presence, do_events_register, \ 
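Review bot: `email_allowed_for_realm` lowercases only the realm side of the comparison, `email_domain == realm.domain.lower()`, and relies on `resolve_email_to_domain` to return an already-lowercase value. The context lines above the new function show that helper returning `alias.realm.domain` unchanged, so for a realm whose stored domain contains uppercase an address on an aliased domain would presumably be rejected; the helper's body starts outside the hunk, so this needs confirming. Normalising both sides, `return email_domain.lower() == realm.domain.lower()`, removes that dependency. Because this function is now the single domain gate for `do_invite_users`, `generate_invite_links` and `accounts_register`, a unit test covering an open realm, a mixed-case match, an aliased domain and a foreign domain would pin the rule, and the leading comment block would read better as a docstring.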
@@ -97,7 +97,7 @@ def accounts_register(request): # MitUsers can't be referred and don't have a referred_by field. realm = prereg_user.referred_by.realm domain = realm.domain - if realm.restricted_to_domain and domain != resolve_email_to_domain(email): + if not email_allowed_for_realm(email, realm): return render_to_response("zerver/closed_realm.html", {"closed_domain_name": realm.name}) elif not mit_beta_user and prereg_user.realm: # You have a realm set, even though nobody referred you. This