subdomains: Refactor check_subdomain to a clearer interface.

Now that every call site of check_subdomain produces its second
argument in exactly the same way, push that shared bit of logic
into a new wrapper for check_subdomain.

Also give that new function a name that says more specifically what
it's checking -- which I think is easier to articulate for this
interface than for that of check_subdomain.
Greg Price 2017-10-19 17:53:24 -07:00 committed by Tim Abbott
parent 7c467a8f01
commit c9457d4af0
4 changed files with 19 additions and 15 deletions


@ -12,7 +12,7 @@ from django.utils.decorators import available_attrs
from django.utils.timezone import now as timezone_now
from django.conf import settings
from zerver.lib.queue import queue_json_publish
from zerver.lib.subdomains import get_subdomain, check_subdomain
from zerver.lib.subdomains import get_subdomain, user_matches_subdomain
from zerver.lib.timestamp import datetime_to_timestamp, timestamp_to_datetime
from zerver.lib.utils import statsd, is_remote_server
from zerver.lib.exceptions import RateLimited, JsonableError, ErrorCode
@ -229,7 +229,7 @@ def validate_account_and_subdomain(request, user_profile):
# in the message_sender worker (which will have already had the
# subdomain validated), or we're accessing Tornado from and to
# localhost (aka spoofing a request as the user).
if (not check_subdomain(get_subdomain(request), user_profile.realm.subdomain) and
if (not user_matches_subdomain(get_subdomain(request), user_profile) and
not (request.method == "SOCKET" and
request.META['SERVER_NAME'] == "127.0.0.1") and
not (settings.RUNNING_INSIDE_TORNADO and
@ -361,7 +361,7 @@ def logged_in_and_active(request):
return False
if request.user.realm.deactivated:
return False
return check_subdomain(get_subdomain(request), request.user.realm.subdomain)
return user_matches_subdomain(get_subdomain(request), request.user)
def do_login(request, user_profile):
# type: (HttpRequest, UserProfile) -> None


@ -22,7 +22,7 @@ from zerver.lib.actions import do_change_password, user_email_is_unique, \
from zerver.lib.name_restrictions import is_reserved_subdomain, is_disposable_domain
from zerver.lib.request import JsonableError
from zerver.lib.send_email import send_email, FromAddress
from zerver.lib.subdomains import get_subdomain, check_subdomain, is_root_domain_available
from zerver.lib.subdomains import get_subdomain, user_matches_subdomain, is_root_domain_available
from zerver.lib.users import check_full_name
from zerver.models import Realm, get_user_profile_by_email, UserProfile, \
get_realm, email_to_domain, email_allowed_for_realm
@ -218,7 +218,7 @@ class ZulipPasswordResetForm(PasswordResetForm):
user = get_user_profile_by_email(to_email)
attempted_subdomain = get_subdomain(self.request)
context['attempted_realm'] = False
if not check_subdomain(attempted_subdomain, user.realm.subdomain):
if not user_matches_subdomain(attempted_subdomain, user):
context['attempted_realm'] = get_realm(attempted_subdomain)
send_email('zerver/emails/password_reset', to_user_id=user.id,
@ -293,7 +293,7 @@ Please contact %s to reactivate this group.""" % (
u"If you're not sure who that is, try contacting %s.") % (FromAddress.SUPPORT,)
raise ValidationError(mark_safe(error_msg))
if not check_subdomain(get_subdomain(self.request), user_profile.realm.subdomain):
if not user_matches_subdomain(get_subdomain(self.request), user_profile):
logging.warning("User %s attempted to password login to wrong subdomain %s" %
(user_profile.email, get_subdomain(self.request)))
raise ValidationError(mark_safe(WRONG_SUBDOMAIN_ERROR))


@ -4,7 +4,7 @@ from django.conf import settings
from django.http import HttpRequest
from typing import Optional, Text
from zerver.models import get_realm, Realm
from zerver.models import get_realm, Realm, UserProfile
def _extract_subdomain(request):
# type: (HttpRequest) -> Text
@ -33,6 +33,10 @@ def check_subdomain(realm_subdomain, user_subdomain):
return False
return True
def user_matches_subdomain(realm_subdomain, user_profile):
# type: (Optional[Text], UserProfile) -> bool
return check_subdomain(realm_subdomain, user_profile.realm.subdomain)
def is_root_domain_available():
# type: () -> bool
if settings.ROOT_DOMAIN_LANDING_PAGE:
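Review bot: `user_matches_subdomain` is added without a docstring, and its first parameter is still called `realm_subdomain` even though every call site in this commit passes the subdomain taken from the request (`get_subdomain(request)`, or `kwargs.get("realm_subdomain")` in SocialAuthMixin), while the realm's own subdomain now comes from `user_profile.realm.subdomain`. This is the check that ties an authenticated user to the host the request arrived on, so the argument roles should be unambiguous: consider a name such as `request_subdomain` (the visible callers all pass it positionally) and a docstring like `"""Return whether user_profile's realm is the one served at the given request subdomain."""`. The type comment allows `None` for that first argument, and the `kwargs.get` call site will pass `None` whenever the key is absent. The body of `check_subdomain` is outside this hunk, so the docstring should state what `None` means, and it is worth confirming that a missing subdomain cannot count as a match for a realm.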

View File

@ -17,7 +17,7 @@ from social_django.strategy import DjangoStrategy
from zerver.lib.actions import do_create_user
from zerver.lib.request import JsonableError
from zerver.lib.subdomains import check_subdomain, get_subdomain
from zerver.lib.subdomains import user_matches_subdomain, get_subdomain
from zerver.lib.users import check_full_name
from zerver.models import UserProfile, Realm, get_user_profile_by_id, \
get_user_profile_by_email, remote_user_to_email, email_to_username, \
@ -177,8 +177,8 @@ class SocialAuthMixin(ZulipAuthMixin):
return_data["inactive_realm"] = True
return None
if not check_subdomain(kwargs.get("realm_subdomain"),
user_profile.realm.subdomain):
if not user_matches_subdomain(kwargs.get("realm_subdomain"),
user_profile):
return_data["invalid_subdomain"] = True
return None
@ -265,7 +265,7 @@ class ZulipDummyBackend(ZulipAuthMixin):
user_profile = common_get_active_user_by_email(username)
if user_profile is None:
return None
if not check_subdomain(realm_subdomain, user_profile.realm.subdomain):
if not user_matches_subdomain(realm_subdomain, user_profile):
if return_data is not None:
return_data["invalid_subdomain"] = True
return None
@ -301,7 +301,7 @@ class EmailAuthBackend(ZulipAuthMixin):
return_data['email_auth_disabled'] = True
return None
if user_profile.check_password(password):
if not check_subdomain(realm_subdomain, user_profile.realm.subdomain):
if not user_matches_subdomain(realm_subdomain, user_profile):
if return_data is not None:
return_data["invalid_subdomain"] = True
return None
@ -341,7 +341,7 @@ class GoogleMobileOauth2Backend(ZulipAuthMixin):
if user_profile.realm.deactivated:
return_data["inactive_realm"] = True
return None
if not check_subdomain(realm_subdomain, user_profile.realm.subdomain):
if not user_matches_subdomain(realm_subdomain, user_profile):
return_data["invalid_subdomain"] = True
return None
if not google_auth_enabled(realm=user_profile.realm):
@ -364,7 +364,7 @@ class ZulipRemoteUserBackend(RemoteUserBackend):
user_profile = common_get_active_user_by_email(email)
if user_profile is None:
return None
if not check_subdomain(realm_subdomain, user_profile.realm.subdomain):
if not user_matches_subdomain(realm_subdomain, user_profile):
return None
if not auth_enabled_helper([u"RemoteUser"], user_profile.realm):
return None
@ -427,7 +427,7 @@ class ZulipLDAPAuthBackend(ZulipLDAPAuthBackendBase):
password=password)
if user_profile is None:
return None
if not check_subdomain(realm_subdomain, user_profile.realm.subdomain):
if not user_matches_subdomain(realm_subdomain, user_profile):
return None
return user_profile
except Realm.DoesNotExist: