actions.py: Block client interaction with flags in the NON_API_FLAGS.

Raise error if flag is present in NON_API_FLAGS or is not present in UserMessage.flags.
2018-08-10 03:47:36 +05:30 · 2018-08-10 03:47:36 +05:30 · a524d425ad
parent fe9eeecda1
commit a524d425ad
2 changed files with 29 additions and 0 deletions
--- a/zerver/lib/actions.py
+++ b/zerver/lib/actions.py
@ -3621,6 +3621,9 @@ def do_update_message_flags(user_profile: UserProfile,
                            operation: str,
                            flag: str,
                            messages: List[int]) -> int:
+    valid_flags = [item for item in UserMessage.flags if item not in UserMessage.NON_API_FLAGS]
+    if flag not in valid_flags:
+        raise JsonableError(_("Invalid flag: '%s'" % (flag,)))
    flagattr = getattr(UserMessage.flags, flag)

    assert messages is not None
--- a/zerver/tests/test_messages.py
+++ b/zerver/tests/test_messages.py
@ -2386,6 +2386,32 @@ class MirroredMessageUsersTest(ZulipTestCase):
        self.assertTrue(bob.is_mirror_dummy)

 class MessageAccessTests(ZulipTestCase):
+    def test_update_invalid_flags(self) -> None:
+        message = self.send_personal_message(
+            self.example_email("cordelia"),
+            self.example_email("hamlet"),
+            "hello",
+        )
+
+        self.login(self.example_email("hamlet"))
+        result = self.client_post("/json/messages/flags",
+                                  {"messages": ujson.dumps([message]),
+                                   "op": "add",
+                                   "flag": "invalid"})
+        self.assert_json_error(result, "Invalid flag: 'invalid'")
+
+        result = self.client_post("/json/messages/flags",
+                                  {"messages": ujson.dumps([message]),
+                                   "op": "add",
+                                   "flag": "is_private"})
+        self.assert_json_error(result, "Invalid flag: 'is_private'")
+
+        result = self.client_post("/json/messages/flags",
+                                  {"messages": ujson.dumps([message]),
+                                   "op": "add",
+                                   "flag": "active_mobile_push_notification"})
+        self.assert_json_error(result, "Invalid flag: 'active_mobile_push_notification'")
+
    def change_star(self, messages: List[int], add: bool=True, **kwargs: Any) -> HttpResponse:
        return self.client_post("/json/messages/flags",
                                {"messages": ujson.dumps(messages),