diff --git a/zerver/lib/actions.py b/zerver/lib/actions.py
index b6e76ebcb7..684ff76fe1 100644
--- a/zerver/lib/actions.py
+++ b/zerver/lib/actions.py
@@ -4011,15 +4011,7 @@ def do_get_user_invites(user_profile: UserProfile) -> List[Dict[str, Any]]:
 return invites
-def do_revoke_user_invite(invite_id: int, realm_id: int) -> None:
- try:
- prereg_user = PreregistrationUser.objects.get(id=invite_id)
- except PreregistrationUser.DoesNotExist:
- raise JsonableError(_("Invalid invitation ID."))
-
- if prereg_user.referred_by.realm_id != realm_id:
- raise JsonableError(_("Invalid invitation ID."))
-
+def do_revoke_user_invite(prereg_user: PreregistrationUser) -> None:
 email = prereg_user.email
 # Delete both the confirmation objects and the prereg_user object.
@@ -4032,15 +4024,7 @@ def do_revoke_user_invite(invite_id: int, realm_id: int) -> None:
 prereg_user.delete()
 clear_scheduled_invitation_emails(email)
-def do_resend_user_invite_email(invite_id: int, realm_id: int) -> str:
- try:
- prereg_user = PreregistrationUser.objects.get(id=invite_id)
- except PreregistrationUser.DoesNotExist:
- raise JsonableError(_("Invalid invitation ID."))
-
- if (prereg_user.referred_by.realm_id != realm_id):
- raise JsonableError(_("Invalid invitation ID."))
-
+def do_resend_user_invite_email(prereg_user: PreregistrationUser) -> str:
 check_invite_limit(prereg_user.referred_by, 1)
 prereg_user.invited_at = timezone_now()
diff --git a/zerver/tests/test_signup.py b/zerver/tests/test_signup.py
index aba37d406f..df2510d1b6 100644
--- a/zerver/tests/test_signup.py
+++ b/zerver/tests/test_signup.py
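Review bot: With the lookup and realm comparison removed from `do_revoke_user_invite` in this hunk (and from `do_resend_user_invite_email` in the next one), both functions act on whatever `PreregistrationUser` they are handed, and nothing in the signature or body records that the caller is now responsible for the authorization. A docstring on each would make that contract explicit, for example `"""Caller must have verified that prereg_user belongs to the acting user's realm."""`, so a later caller that fetches by id alone does not reintroduce cross-realm access to invitations. Both function bodies continue outside their hunks, so any other call sites are not visible here.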
@@ -1003,6 +1003,16 @@ class InvitationsTestCase(InviteUserBase):
 self.check_sent_emails([invitee], custom_from_name="Zulip")
+ def test_accessing_invites_in_another_realm(self) -> None:
+ invitor = UserProfile.objects.exclude(realm=get_realm('zulip')).first()
+ prereg_user = PreregistrationUser.objects.create(
+ email='email', referred_by=invitor, realm=invitor.realm)
+ self.login(self.example_email("iago"))
+ error_result = self.client_post('/json/invites/' + str(prereg_user.id) + '/resend')
+ self.assert_json_error(error_result, "Invalid invitation ID.")
+ error_result = self.client_delete('/json/invites/' + str(prereg_user.id))
+ self.assert_json_error(error_result, "Invalid invitation ID.")
+
 class InviteeEmailsParserTests(TestCase):
 def setUp(self) -> None:
 self.email1 = "email1@zulip.com"
diff --git a/zerver/views/invite.py b/zerver/views/invite.py
index 95c9321631..138549e943 100644
--- a/zerver/views/invite.py
+++ b/zerver/views/invite.py
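Review bot: The new `test_accessing_invites_in_another_realm` asserts only on the error message, so it would still pass if a rejected request had modified or deleted the invitation before the error was raised. Adding `self.assertTrue(PreregistrationUser.objects.filter(id=prereg_user.id).exists())` after the `client_delete` call pins that the other realm's invite is left intact. `UserProfile.objects.exclude(realm=get_realm('zulip')).first()` returns `None` when the fixtures hold no user outside that realm, so a `self.assertIsNotNone(invitor)` before it is used would make that failure readable.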
@@ -74,12 +74,28 @@ def get_user_invites(request: HttpRequest, user_profile: UserProfile) -> HttpRes
 @has_request_variables
 def revoke_user_invite(request: HttpRequest, user_profile: UserProfile, prereg_id: int) -> HttpResponse:
- do_revoke_user_invite(prereg_id, user_profile.realm_id)
+ try:
+ prereg_user = PreregistrationUser.objects.get(id=prereg_id)
+ except PreregistrationUser.DoesNotExist:
+ raise JsonableError(_("Invalid invitation ID."))
+
+ if prereg_user.referred_by.realm != user_profile.realm:
+ raise JsonableError(_("Invalid invitation ID."))
+
+ do_revoke_user_invite(prereg_user)
 return json_success()
 @require_realm_admin
 @has_request_variables
 def resend_user_invite_email(request: HttpRequest, user_profile: UserProfile, prereg_id: int) -> HttpResponse:
- timestamp = do_resend_user_invite_email(prereg_id, user_profile.realm_id)
+ try:
+ prereg_user = PreregistrationUser.objects.get(id=prereg_id)
+ except PreregistrationUser.DoesNotExist:
+ raise JsonableError(_("Invalid invitation ID."))
+
+ if (prereg_user.referred_by.realm != user_profile.realm):
+ raise JsonableError(_("Invalid invitation ID."))
+
+ timestamp = do_resend_user_invite_email(prereg_user)
 return json_success({'timestamp': timestamp})
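Review bot: The realm check in `revoke_user_invite` dereferences `prereg_user.referred_by` on a row fetched by id alone, so if `referred_by` can be null (the model is not shown here) a request for such an id would raise `AttributeError` and return a 500 instead of "Invalid invitation ID."; the same applies to `resend_user_invite_email`. Scoping the lookup itself, `prereg_user = PreregistrationUser.objects.get(id=prereg_id, referred_by__realm=user_profile.realm)`, lets the existing `DoesNotExist` branch cover both the missing and the other-realm case and makes the separate `if` unnecessary. The two views now repeat the same lookup and check, so a shared helper taking `user_profile` and `prereg_id` would keep the authorization in one place. The decorators of `revoke_user_invite` start above the hunk, so its admin gating is not visible here.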