json_fetch_raw_message: Allow fetching messages you received.

This also modifies the tests to verify that the user in question has access to the relevant message.
2016-09-22 09:48:42 -07:00 · 2016-09-22 09:48:42 -07:00 · d2e41ff48e
parent b38b186aef
commit d2e41ff48e
2 changed files with 54 additions and 4 deletions
--- a/zerver/tests/test_messages.py
+++ b/zerver/tests/test_messages.py
@ -827,7 +827,7 @@ class EditMessageTest(ZulipTestCase):
    def test_fetch_raw_message(self):
        # type: () -> None
        self.login("hamlet@zulip.com")
-        msg_id = self.send_message("hamlet@zulip.com", "Scotland", Recipient.STREAM,
+        msg_id = self.send_message("hamlet@zulip.com", "cordelia@zulip.com", Recipient.PERSONAL,
                                   subject="editing", content="**before** edit")
        result = self.client_post('/json/fetch_raw_message', dict(message_id=msg_id))
        self.assert_json_success(result)
@ -840,7 +840,40 @@ class EditMessageTest(ZulipTestCase):

        self.login("cordelia@zulip.com")
        result = self.client_post('/json/fetch_raw_message', dict(message_id=msg_id))
-        self.assert_json_error(result, 'Message was not sent by you')
+        self.assert_json_success(result)
+
+        self.login("othello@zulip.com")
+        result = self.client_post('/json/fetch_raw_message', dict(message_id=msg_id))
+        self.assert_json_error(result, 'Message is a private message you did not receive')
+
+    def test_fetch_raw_message_stream_wrong_realm(self):
+        # type: () -> None
+        email = "hamlet@zulip.com"
+        self.login(email)
+        stream, _ = create_stream_if_needed(get_realm("zulip.com"), 'public_stream')
+        self.subscribe_to_stream(email, stream.name)
+        msg_id = self.send_message(email, stream.name, Recipient.STREAM,
+                                   subject="test", content="test")
+        result = self.client_post('/json/fetch_raw_message', dict(message_id=msg_id))
+        self.assert_json_success(result)
+
+        self.login("sipbtest@mit.edu")
+        result = self.client_post('/json/fetch_raw_message', dict(message_id=msg_id))
+        self.assert_json_error(result, 'Message was sent to a stream you cannot read')
+
+    def test_fetch_raw_message_private_stream(self):
+        # type: () -> None
+        email = "hamlet@zulip.com"
+        self.login(email)
+        stream, _ = create_stream_if_needed(get_realm("zulip.com"), 'private_stream', invite_only=True)
+        self.subscribe_to_stream(email, stream.name)
+        msg_id = self.send_message(email, stream.name, Recipient.STREAM,
+                                   subject="test", content="test")
+        result = self.client_post('/json/fetch_raw_message', dict(message_id=msg_id))
+        self.assert_json_success(result)
+        self.login("othello@zulip.com")
+        result = self.client_post('/json/fetch_raw_message', dict(message_id=msg_id))
+        self.assert_json_error(result, 'Message was sent to a stream you cannot read')

    def test_edit_message_no_changes(self):
        # type: () -> None
--- a/zerver/views/messages.py
+++ b/zerver/views/messages.py
@ -933,13 +933,30 @@ def update_message_backend(request, user_profile,
 def json_fetch_raw_message(request, user_profile,
                           message_id=REQ(converter=to_non_negative_int)):
    # type: (HttpRequest, UserProfile, int) -> HttpResponse
+    """
+    You can fetch raw content for messages that either:
+    (1) You received (aka have a UserMessage row for)
+    (2) Were sent to a public stream in your realm.
+    """
    try:
        message = Message.objects.get(id=message_id)
    except Message.DoesNotExist:
        return json_error(_("No such message"))

-    if message.sender != user_profile:
-        return json_error(_("Message was not sent by you"))
+    try:
+        user_message = UserMessage.objects.get(user_profile=user_profile, message=message)
+    except UserMessage.DoesNotExist:
+        user_message = None
+
+    if user_message is None:
+        if message.recipient.type != Recipient.STREAM:
+            return json_error(_("Message is a private message you did not receive"))
+        stream = Stream.objects.get(id=message.recipient.type_id)
+        if stream.realm != user_profile.realm or stream.invite_only:
+            return json_error(_("Message was sent to a stream you cannot read"))
+        # Otherwise, the message must have been sent to a public
+        # stream in your realm, so you have access to read it, so fall
+        # through.

    return json_success({"raw_content": message.content})