streams: Restrict access to archived streams.

2024-06-05 20:15:52 +05:30 · 2024-06-05 20:15:52 +05:30 · c73038edea
parent 795b2ba14e
commit c73038edea
4 changed files with 75 additions and 4 deletions
--- a/zerver/lib/message.py
+++ b/zerver/lib/message.py
@ -386,6 +386,10 @@ def has_message_access(
        # You can't access public stream messages in other realms
        return False

+    if stream.deactivated:
+        # You can't access messages in deactivated streams
+        return False
+
    def is_subscribed_helper() -> bool:
        if is_subscribed is not None:
            return is_subscribed
--- a/zerver/lib/streams.py
+++ b/zerver/lib/streams.py
@ -290,8 +290,13 @@ def access_stream_for_send_message(
        else:
            raise JsonableError(_("User not authorized for this query"))

-    if archived_channel_notice:
-        return
+    # Deactivated streams are not accessible.
+    if stream.deactivated:
+        if archived_channel_notice:
+            return
+        raise JsonableError(
+            _("Not authorized to send to channel '{channel_name}'").format(channel_name=stream.name)
+        )

    if is_cross_realm_bot_email(sender.delivery_email):
        return
@ -431,7 +436,9 @@ def access_stream_common(
    except Subscription.DoesNotExist:
        sub = None

-    if check_basic_stream_access(user_profile, stream, sub, allow_realm_admin=allow_realm_admin):
+    if not stream.deactivated and check_basic_stream_access(
+        user_profile, stream, sub, allow_realm_admin=allow_realm_admin
+    ):
        return sub

    # Otherwise it is a private stream and you're not on it, so throw
@ -667,6 +674,11 @@ def filter_stream_authorization(

    unauthorized_streams: list[Stream] = []
    for stream in streams:
+        # Deactivated streams are not accessible
+        if stream.deactivated:
+            unauthorized_streams.append(stream)
+            continue
+
        # The user is authorized for their own streams
        if stream.recipient_id in subscribed_recipient_ids:
            continue
--- a/zerver/tests/test_message_edit.py
+++ b/zerver/tests/test_message_edit.py
@ -976,6 +976,33 @@ class EditMessageTest(ZulipTestCase):
        set_message_editing_params(False, "unlimited", EditTopicPolicyEnum.ADMINS_ONLY)
        do_edit_message_assert_success(id_, "G", True)

+    def test_edit_message_in_archived_stream(self) -> None:
+        user = self.example_user("hamlet")
+        self.login("hamlet")
+        stream_name = "archived stream"
+        archived_stream = self.make_stream(stream_name)
+        self.subscribe(user, stream_name)
+        msg_id = self.send_stream_message(
+            user, "archived stream", topic_name="editing", content="before edit"
+        )
+        result = self.client_patch(
+            f"/json/messages/{msg_id}",
+            {
+                "content": "content after edit",
+            },
+        )
+        self.assert_json_success(result)
+
+        do_deactivate_stream(archived_stream, acting_user=None)
+
+        result = self.client_patch(
+            f"/json/messages/{msg_id}",
+            {
+                "content": "editing second time",
+            },
+        )
+        self.assert_json_error(result, "Invalid message(s)")
+
    def test_edit_topic_policy(self) -> None:
        def set_message_editing_params(
            allow_message_editing: bool,
--- a/zerver/tests/test_message_send.py
+++ b/zerver/tests/test_message_send.py
@ -30,7 +30,7 @@ from zerver.actions.realm_settings import (
    do_change_realm_permission_group_setting,
    do_set_realm_property,
 )
-from zerver.actions.streams import do_change_stream_post_policy
+from zerver.actions.streams import do_change_stream_post_policy, do_deactivate_stream
 from zerver.actions.user_groups import add_subgroups_to_user_group, check_add_user_group
 from zerver.actions.user_settings import do_change_user_setting
 from zerver.actions.users import do_change_can_forge_sender, do_deactivate_user
@ -1337,6 +1337,34 @@ class MessagePOSTTest(ZulipTestCase):
        msg = self.get_last_message()
        self.assertEqual(int(datetime_to_timestamp(msg.date_sent)), int(fake_timestamp))

+    def test_send_message_in_archived_stream(self) -> None:
+        self.login("hamlet")
+        stream_name = "archived stream"
+        stream = self.make_stream(stream_name)
+        result = self.client_post(
+            "/json/messages",
+            {
+                "type": "channel",
+                "to": orjson.dumps([stream.id]).decode(),
+                "content": "Test message",
+                "topic": "Test topic",
+            },
+        )
+        self.assert_json_success(result)
+
+        do_deactivate_stream(stream, acting_user=None)
+
+        result = self.client_post(
+            "/json/messages",
+            {
+                "type": "channel",
+                "to": orjson.dumps([stream.id]).decode(),
+                "content": "Second Test message",
+                "topic": "Test topic",
+            },
+        )
+        self.assert_json_error(result, f"Not authorized to send to channel '{stream.name}'")
+
    def test_unsubscribed_can_forge_sender(self) -> None:
        reset_email_visibility_to_everyone_in_zulip_realm()