user_groups: Allow members of subgroups to manage group.

Previously, if the user_group_edit_policy was set to allow members or full members to manage the group, the user had to be the direct member of the group being managed. This commit updates the code to allow members of the subgroups as well to manage the group as technically members of the subgroups are member of the group. This also improves the code to not fetch all the group members to check this, and instead directly call is_user_in_group which uses "exists" to check it.
2024-09-30 15:37:00 +05:30 · 2024-09-30 15:37:00 +05:30 · b554106e6d
parent 233775d257
commit b554106e6d
2 changed files with 14 additions and 6 deletions
--- a/zerver/lib/user_groups.py
+++ b/zerver/lib/user_groups.py
@ -120,9 +120,7 @@ def check_permission_for_managing_all_groups(
        if user_profile.is_realm_admin or user_profile.is_moderator:
            return True

-        group_members = get_user_group_direct_member_ids(user_group)
-        if user_profile.id in group_members:
-            return True
+        return is_user_in_group(user_group, user_profile)
    return False


--- a/zerver/tests/test_user_groups.py
+++ b/zerver/tests/test_user_groups.py
@ -1883,6 +1883,17 @@ class UserGroupAPITestCase(UserGroupTestCase):
        )
        check_update_user_group("help", "Troubleshooting team", "othello")

+        # Check user who is member of a subgroup of the group being updated
+        # can also update the group.
+        cordelia = self.example_user("cordelia")
+        subgroup = check_add_user_group(realm, "leadership", [cordelia], acting_user=cordelia)
+        add_subgroups_to_user_group(user_group, [subgroup], acting_user=None)
+        check_update_user_group(
+            "support",
+            "Support team",
+            "cordelia",
+        )
+
        # Check only full members are allowed to update the user group and only if belong to the
        # user group.
        do_set_realm_property(
@ -1897,10 +1908,9 @@ class UserGroupAPITestCase(UserGroupTestCase):
        cordelia.date_joined = timezone_now() - timedelta(days=11)
        cordelia.save()
        check_update_user_group(
-            "support",
-            "Support team",
+            "help",
+            "Troubleshooting team",
            "cordelia",
-            "Insufficient permission",
        )
        check_update_user_group("support", "Support team", "othello", "Insufficient permission")