Mirror
/
zulip
mirror of https://github.com/zulip/zulip.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Fix users in deactivated realms sending webhook messages. 

In a deactivated realm, webhooks would still successfully send
messages, since there was no check for whether the realm was active in
api_key_only_webhook_view.
This commit is contained in:
Tim Abbott 2016-04-21 12:10:46 -07:00
parent 9da73b22d3
commit b31ac1eca9
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
zerver/decorator.py
View File

@ -172,9 +172,13 @@ def api_key_only_webhook_view(view_func):
*args, **kwargs):
try:
user_profile = UserProfile.objects.get(api_key=api_key, is_active=True)
user_profile = UserProfile.objects.get(api_key=api_key)
except UserProfile.DoesNotExist:
raise JsonableError("Invalid API key")
if not user_profile.is_active:
raise JsonableError("Account not active")
if user_profile.realm.deactivated:
raise JsonableError("Realm for account has been deactivated")
request.user = user_profile
request._email = user_profile.email