Add new is_incoming_webhook bot type.

This type of bot is only able to send messages via webhook endpoints.

zerver/decorator.py

@@ -369,6 +369,8 @@ def authenticate_log_and_execute_json(request, view_func, *args, **kwargs):
         raise JsonableError(_("Account not active"))
     if user_profile.realm.deactivated:
         raise JsonableError(_("Realm for account has been deactivated"))
+    if user_profile.is_incoming_webhook:
+        raise JsonableError(_("Webhook bots can only access webhooks"))
     process_client(request, user_profile, True)
     request._email = user_profile.email
     return view_func(request, user_profile, *args, **kwargs)

zerver/models.py

@@ -335,6 +335,12 @@ post_delete.connect(flush_realm_filter, sender=RealmFilter)
 
 class UserProfile(AbstractBaseUser, PermissionsMixin):
     DEFAULT_BOT = 1
+    """
+    Incoming webhook bots are limited to only sending messages via webhooks.
+    Thus, it is less of a security risk to expose their API keys to third-party services,
+    since they can't be used to read messages.
+    """
+    INCOMING_WEBHOOK_BOT = 2
 
     # Fields from models.AbstractUser minus last_name and first_name,
     # which we don't use; email is modified to make it indexed and unique.
@@ -464,6 +470,10 @@ class UserProfile(AbstractBaseUser, PermissionsMixin):
         # type: () -> str
         return self.__repr__()
 
+    @property
+    def is_incoming_webhook(self):
+        return self.bot_type == UserProfile.INCOMING_WEBHOOK_BOT
+
     @staticmethod
     def emails_from_ids(user_ids):
         # type: (Sequence[int]) -> Dict[int, text_type]