diff --git a/zerver/lib/actions.py b/zerver/lib/actions.py
index 0fdb1abb8e..2226af047c 100644
--- a/zerver/lib/actions.py
+++ b/zerver/lib/actions.py
@@ -3621,6 +3621,9 @@ def do_update_message_flags(user_profile: UserProfile, operation: str, flag: str, messages: List[int]) -> int:
+ valid_flags = [item for item in UserMessage.flags if item not in UserMessage.NON_API_FLAGS]
+ if flag not in valid_flags:
+ raise JsonableError(_("Invalid flag: '%s'" % (flag,)))
 flagattr = getattr(UserMessage.flags, flag)
 assert messages is not None
diff --git a/zerver/tests/test_messages.py b/zerver/tests/test_messages.py
index 5b41a79dad..9676909c7f 100644
--- a/zerver/tests/test_messages.py
+++ b/zerver/tests/test_messages.py
@@ -2386,6 +2386,32 @@ class MirroredMessageUsersTest(ZulipTestCase):
 self.assertTrue(bob.is_mirror_dummy)
 class MessageAccessTests(ZulipTestCase):
+ def test_update_invalid_flags(self) -> None:
+ message = self.send_personal_message(
+ self.example_email("cordelia"),
+ self.example_email("hamlet"),
+ "hello",
+ )
+
+ self.login(self.example_email("hamlet"))
+ result = self.client_post("/json/messages/flags",
+ {"messages": ujson.dumps([message]),
+ "op": "add",
+ "flag": "invalid"})
+ self.assert_json_error(result, "Invalid flag: 'invalid'")
+
+ result = self.client_post("/json/messages/flags",
+ {"messages": ujson.dumps([message]),
+ "op": "add",
+ "flag": "is_private"})
+ self.assert_json_error(result, "Invalid flag: 'is_private'")
+
+ result = self.client_post("/json/messages/flags",
+ {"messages": ujson.dumps([message]),
+ "op": "add",
+ "flag": "active_mobile_push_notification"})
+ self.assert_json_error(result, "Invalid flag: 'active_mobile_push_notification'")
+
+ def change_star(self, messages: List[int], add: bool=True, **kwargs: Any) -> HttpResponse:
 return self.client_post("/json/messages/flags", {"messages": ujson.dumps(messages),
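Review bot: The `valid_flags` check is built by subtracting `UserMessage.NON_API_FLAGS` from every entry in `UserMessage.flags`, so it fails open: a flag added to the model later becomes writable through this endpoint unless someone also remembers to add it to `NON_API_FLAGS`. An explicit constant next to the model listing the flags clients may edit, tested here with a plain membership check, would fail closed and avoid rebuilding the list on every call. Separately, the `%` interpolation happens inside `_()`, so the translation lookup is made on a string that already contains the caller-supplied flag and can never match a catalog entry; `raise JsonableError(_("Invalid flag: '%s'") % (flag,))` keeps the msgid constant. The function body continues outside the hunk.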
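Review bot: All three requests in `test_update_invalid_flags` send `"op": "add"`, so nothing pins that `"op": "remove"` is rejected as well for `is_private` and `active_mobile_push_notification`; clearing a server-managed flag is as much a state change as setting one. The new check appears ahead of any use of `operation` in the visible part of `do_update_message_flags`, so this should already hold, but one more `client_post` with `"op": "remove"` and the same `assert_json_error` would stop a later refactor from moving the check into a single branch. It would also help to assert that the message's flags for hamlet are unchanged after the rejected requests, so the test proves no write happened rather than only that an error was returned. `change_star` continues outside the hunk.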