Mirror
/
zulip
mirror of https://github.com/zulip/zulip.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

stream_data: Fix 'can_access_stream_email' function. 

'can_access_stream_email' function determines who can
generate email to send message in a channel.

Earlier, the function was not considering stream post policy.
So, a user with a role which don't have permission to post in
a channel as per stream post policy could send messages in
a channel by generating stream email.

This commit makes sure to not show the "Generate email address"
button in such cases.

We show the button only if the current user or any of the bots
they control has the permission to post in the channel.

Fixes part of #31566.
This commit is contained in:
Prakhar Pratyush 2024-11-18 17:32:31 +05:30
parent 93c252366b
commit 9754421d4b
2 changed files with 108 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

72
web/src/stream_data.ts
View File

@ -1,6 +1,8 @@
import assert from "minimalistic-assert";
import * as blueslip from "./blueslip.ts";
import type {Bot} from "./bot_data.ts";
import * as bot_data from "./bot_data.ts";
import * as color_data from "./color_data.ts";
import {FoldDict} from "./fold_dict.ts";
import {page_params} from "./page_params.ts";
@ -496,10 +498,28 @@ export function can_toggle_subscription(sub: StreamSubscription): boolean {
);
}
export function get_current_user_and_their_bots_with_post_messages_permission(
sub: StreamSubscription,
): (User | Bot)[] {
const senders_with_post_messages_permission: (User | Bot)[] = [];
if (can_post_messages_in_stream(sub)) {
senders_with_post_messages_permission.push(people.get_by_user_id(current_user.user_id));
}
for (const bot of bot_data.get_all_bots_for_current_user()) {
if (bot.is_active && can_bot_post_messages_in_channel(sub, bot)) {
senders_with_post_messages_permission.push(bot);
}
}
return senders_with_post_messages_permission;
}
export function can_access_stream_email(sub: StreamSubscription): boolean {
return (
(sub.subscribed || sub.is_web_public || (!current_user.is_guest && !sub.invite_only)) &&
!page_params.is_spectator
!page_params.is_spectator &&
sub.subscribed &&
get_current_user_and_their_bots_with_post_messages_permission(sub).length > 0
);
}
@ -621,6 +641,54 @@ export function can_post_messages_in_stream(stream: StreamSubscription): boolean
return true;
}
export function can_bot_post_messages_in_channel(channel: StreamSubscription, bot: Bot): boolean {
const bot_user = people.get_by_user_id(bot.user_id);
assert(bot_user.is_bot);
if (channel.is_archived) {
return false;
}
if (bot_user.is_admin) {
return true;
}
if (channel.stream_post_policy === settings_config.stream_post_policy_values.admins.code) {
return false;
}
if (bot_user.is_moderator) {
return true;
}
if (channel.stream_post_policy === settings_config.stream_post_policy_values.moderators.code) {
return false;
}
if (
bot_user.is_guest &&
channel.stream_post_policy !== settings_config.stream_post_policy_values.everyone.code
) {
return false;
}
// Currently, this function is not used in a codepath with no bot owner.
assert(bot.owner_id !== null);
const bot_owner = people.get_by_user_id(bot.owner_id);
const current_datetime = Date.now();
const bot_owner_date_joined = new Date(bot_owner.date_joined).getTime();
const days = (current_datetime - bot_owner_date_joined) / 1000 / 86400;
if (
channel.stream_post_policy ===
settings_config.stream_post_policy_values.non_new_members.code &&
days < realm.realm_waiting_period_threshold
) {
return false;
}
return true;
}
export function is_subscribed(stream_id: number): boolean {
const sub = sub_store.get(stream_id);
return sub ? sub.subscribed : false;

64
web/tests/stream_data.test.cjs
View File

@ -11,6 +11,7 @@ const {page_params} = require("./lib/zpage_params.cjs");
// web_public_streams in production.
page_params.development_environment = true;
const bot_data = zrequire("bot_data");
const color_data = zrequire("color_data");
const peer_data = zrequire("peer_data");
const people = zrequire("people");
@ -1312,34 +1313,45 @@ test("can_access_stream_email", ({override}) => {
is_muted: false,
invite_only: true,
history_public_to_subscribers: false,
stream_post_policy: settings_config.stream_post_policy_values.admins.code,
};
override(current_user, "is_admin", false);
assert.equal(stream_data.can_access_stream_email(social), true);
override(current_user, "is_admin", true);
assert.equal(stream_data.can_access_stream_email(social), true);
social.subscribed = false;
assert.equal(stream_data.can_access_stream_email(social), false);
social.invite_only = false;
assert.equal(stream_data.can_access_stream_email(social), true);
override(current_user, "is_admin", false);
assert.equal(stream_data.can_access_stream_email(social), true);
override(current_user, "is_guest", true);
assert.equal(stream_data.can_access_stream_email(social), false);
social.subscribed = true;
assert.equal(stream_data.can_access_stream_email(social), true);
social.is_web_public = true;
assert.equal(stream_data.can_access_stream_email(social), true);
social.subscribed = false;
assert.equal(stream_data.can_access_stream_email(social), true);
const bot = {
is_active: true,
user_id: 999,
};
const bot_user = {
email: "bot@zulip.com",
full_name: "Bot User",
user_id: 999,
is_bot: true,
is_moderator: true,
};
people.add_active_user(bot_user);
override(bot_data, "get_all_bots_for_current_user", [bot]);
page_params.is_spectator = true;
assert.equal(stream_data.can_access_stream_email(social), false);
page_params.is_spectator = false;
social.subscribed = false;
assert.equal(stream_data.can_access_stream_email(social), false);
social.subscribed = true;
// Neither the user nor any of the bots they control can post message.
override(current_user, "is_moderator", true);
assert.equal(stream_data.can_access_stream_email(social), false);
// user can but none of the bots they control can post message.
override(current_user, "is_admin", true);
assert.equal(stream_data.can_access_stream_email(social), true);
// user can't but one of the bots they control can post message.
override(current_user, "is_admin", false);
override(current_user, "is_moderator", false);
social.stream_post_policy = settings_config.stream_post_policy_values.moderators.code;
assert.equal(stream_data.can_access_stream_email(social), true);
// Both the user and one of the bots they control can post message.
override(current_user, "is_moderator", true);
assert.equal(stream_data.can_access_stream_email(social), true);
});