message_edit: Topic editing permission should not depend on message sender.

This commit changes the topic edit permssions to not depend whether the user
editing the message had sent the message or it was sent by someone else.
We only do backend changes in this commit and frontend changes will be done
in further commits.

Previously, we always allowed topic edits when the user themseleves had
sent the message not considering the edit_topic_policy and the 3-day time
limit. But now we consider all messages as same and editing is allowed only
according to edit_topic_policy setting and the time limit of 3 days in
addition for users who are not admins or moderators.
This commit is contained in:
Sahil Batra 2022-07-28 20:33:42 +05:30 committed by Tim Abbott
parent e6ec2badb5
commit cbdb4e98e5
5 changed files with 28 additions and 12 deletions

View File

@ -30,6 +30,8 @@ format used by the Zulip server that they are interacting with.
`move_messages_between_streams_policy`. `move_messages_between_streams_policy`.
* [`PATCH /messages/{message_id}`](/api/update-message): Permission to edit stream * [`PATCH /messages/{message_id}`](/api/update-message): Permission to edit stream
and topic of messages do not depend on `allow_message_editing` setting now. and topic of messages do not depend on `allow_message_editing` setting now.
* [`PATCH /messages/{message_id}`](/api/update-message): Message senders are not
allowed to edit topics indefinitely now.
Feature levels 157-158 are reserved for future use in 6.x maintenance Feature levels 157-158 are reserved for future use in 6.x maintenance
releases. releases.

View File

@ -33,7 +33,7 @@ DESKTOP_WARNING_VERSION = "5.4.3"
# Changes should be accompanied by documentation explaining what the # Changes should be accompanied by documentation explaining what the
# new level means in templates/zerver/api/changelog.md, as well as # new level means in templates/zerver/api/changelog.md, as well as
# "**Changes**" entries in the endpoint's documentation in `zulip.yaml`. # "**Changes**" entries in the endpoint's documentation in `zulip.yaml`.
API_FEATURE_LEVEL = 156 API_FEATURE_LEVEL = 159
# Bump the minor PROVISION_VERSION to indicate that folks should provision # Bump the minor PROVISION_VERSION to indicate that folks should provision
# only when going from an old version of the code to a newer version. Bump # only when going from an old version of the code to a newer version. Bump

View File

@ -105,14 +105,9 @@ def validate_message_edit_payload(
def can_edit_topic( def can_edit_topic(
message: Message,
user_profile: UserProfile, user_profile: UserProfile,
is_no_topic_msg: bool, is_no_topic_msg: bool,
) -> bool: ) -> bool:
# You have permission to edit the message topic if you sent it.
if message.sender_id == user_profile.id:
return True
# We allow anyone to edit (no topic) messages to help tend them. # We allow anyone to edit (no topic) messages to help tend them.
if is_no_topic_msg: if is_no_topic_msg:
return True return True
@ -939,7 +934,7 @@ def check_update_message(
is_no_topic_msg = message.topic_name() == "(no topic)" is_no_topic_msg = message.topic_name() == "(no topic)"
if topic_name is not None and not can_edit_topic(message, user_profile, is_no_topic_msg): if topic_name is not None and not can_edit_topic(user_profile, is_no_topic_msg):
raise JsonableError(_("You don't have permission to edit this message")) raise JsonableError(_("You don't have permission to edit this message"))
# If there is a change to the content, check that it hasn't been too long # If there is a change to the content, check that it hasn't been too long
@ -954,12 +949,10 @@ def check_update_message(
raise JsonableError(_("The time limit for editing this message has passed")) raise JsonableError(_("The time limit for editing this message has passed"))
# If there is a change to the topic, check that the user is allowed to # If there is a change to the topic, check that the user is allowed to
# edit it and that it has not been too long. If this is not the user who # edit it and that it has not been too long. If user is not admin or moderator,
# sent the message, they are not the admin, and the time limit for editing # and the time limit for editing topics is passed, raise an error.
# topics is passed, raise an error.
if ( if (
topic_name is not None topic_name is not None
and message.sender != user_profile
and not user_profile.is_realm_admin and not user_profile.is_realm_admin
and not user_profile.is_moderator and not user_profile.is_moderator
and not is_no_topic_msg and not is_no_topic_msg

View File

@ -6464,6 +6464,8 @@ paths:
streams and topics of messages was forbidden if streams and topics of messages was forbidden if
`allow_message_editing` was `false`, regardless of the `allow_message_editing` was `false`, regardless of the
`edit_topic_policy` or `move_messages_between_streams_policy`. `edit_topic_policy` or `move_messages_between_streams_policy`.
Before Zulip 7.0 (feature level 159), message senders were allowed
to edit the topic indefinitely.
[config-message-editing]: /help/configure-message-editing-and-deletion [config-message-editing]: /help/configure-message-editing-and-deletion
x-curl-examples-parameters: x-curl-examples-parameters:

View File

@ -1126,23 +1126,38 @@ class EditMessageTest(EditMessageTestCase):
set_message_editing_params(True, "unlimited", Realm.POLICY_FULL_MEMBERS_ONLY) set_message_editing_params(True, "unlimited", Realm.POLICY_FULL_MEMBERS_ONLY)
cordelia = self.example_user("cordelia") cordelia = self.example_user("cordelia")
hamlet = self.example_user("hamlet")
do_set_realm_property(cordelia.realm, "waiting_period_threshold", 10, acting_user=None) do_set_realm_property(cordelia.realm, "waiting_period_threshold", 10, acting_user=None)
cordelia.date_joined = timezone_now() - datetime.timedelta(days=9) cordelia.date_joined = timezone_now() - datetime.timedelta(days=9)
cordelia.save() cordelia.save()
hamlet.date_joined = timezone_now() - datetime.timedelta(days=9)
hamlet.save()
do_edit_message_assert_error( do_edit_message_assert_error(
id_, "C", "You don't have permission to edit this message", "cordelia" id_, "C", "You don't have permission to edit this message", "cordelia"
) )
# User who sent the message but is not a full member cannot edit
# the topic
do_edit_message_assert_error(
id_, "C", "You don't have permission to edit this message", "hamlet"
)
cordelia.date_joined = timezone_now() - datetime.timedelta(days=11) cordelia.date_joined = timezone_now() - datetime.timedelta(days=11)
cordelia.save() cordelia.save()
hamlet.date_joined = timezone_now() - datetime.timedelta(days=11)
hamlet.save()
do_edit_message_assert_success(id_, "C", "cordelia") do_edit_message_assert_success(id_, "C", "cordelia")
do_edit_message_assert_success(id_, "CD", "hamlet")
# only moderators can edit topic of a message # only moderators can edit topic of a message
set_message_editing_params(True, "unlimited", Realm.POLICY_MODERATORS_ONLY) set_message_editing_params(True, "unlimited", Realm.POLICY_MODERATORS_ONLY)
do_edit_message_assert_error( do_edit_message_assert_error(
id_, "D", "You don't have permission to edit this message", "cordelia" id_, "D", "You don't have permission to edit this message", "cordelia"
) )
# even user who sent the message but is not a moderator cannot edit the topic.
do_edit_message_assert_error(
id_, "D", "You don't have permission to edit this message", "hamlet"
)
do_edit_message_assert_success(id_, "D", "shiva") do_edit_message_assert_success(id_, "D", "shiva")
# only admins can edit the topics of messages # only admins can edit the topics of messages
@ -1165,7 +1180,8 @@ class EditMessageTest(EditMessageTestCase):
set_message_editing_params(False, "unlimited", Realm.POLICY_EVERYONE) set_message_editing_params(False, "unlimited", Realm.POLICY_EVERYONE)
do_edit_message_assert_success(id_, "D", "cordelia") do_edit_message_assert_success(id_, "D", "cordelia")
# non-admin users cannot edit topics sent > 72 hrs ago # non-admin users cannot edit topics sent > 72 hrs ago including
# sender of the message.
message.date_sent = message.date_sent - datetime.timedelta(seconds=290000) message.date_sent = message.date_sent - datetime.timedelta(seconds=290000)
message.save() message.save()
set_message_editing_params(True, "unlimited", Realm.POLICY_EVERYONE) set_message_editing_params(True, "unlimited", Realm.POLICY_EVERYONE)
@ -1174,6 +1190,9 @@ class EditMessageTest(EditMessageTestCase):
do_edit_message_assert_error( do_edit_message_assert_error(
id_, "G", "The time limit for editing this message's topic has passed", "cordelia" id_, "G", "The time limit for editing this message's topic has passed", "cordelia"
) )
do_edit_message_assert_error(
id_, "G", "The time limit for editing this message's topic has passed", "hamlet"
)
# anyone should be able to edit "no topic" indefinitely # anyone should be able to edit "no topic" indefinitely
message.set_topic_name("(no topic)") message.set_topic_name("(no topic)")