realm: Only owners should be able to configure `can_create_groups`.

We might introduce a generic testing function similar to
do_test_changing_settings_by_owners_only later, but not right now, since
there is only 1 setting at the moment needing that test.

zerver/tests/test_realm.py

@@ -2391,6 +2391,26 @@ class RealmAPITest(ZulipTestCase):
         self.do_test_changing_settings_by_owners_only("disallow_disposable_email_addresses")
         self.do_test_changing_settings_by_owners_only("waiting_period_threshold")
 
+    def test_can_create_groups_setting_requires_owner(self) -> None:
+        realm = get_realm("zulip")
+        admins_group = NamedUserGroup.objects.get(
+            name=SystemGroups.ADMINISTRATORS, realm=realm, is_system_group=True
+        )
+
+        self.login("iago")
+        result = self.client_patch(
+            "/json/realm", {"can_create_groups": orjson.dumps({"new": admins_group.id}).decode()}
+        )
+        self.assert_json_error(result, "Must be an organization owner")
+
+        self.login("desdemona")
+        result = self.client_patch(
+            "/json/realm", {"can_create_groups": orjson.dumps({"new": admins_group.id}).decode()}
+        )
+        self.assert_json_success(result)
+        realm = get_realm("zulip")
+        self.assertEqual(realm.can_create_groups.id, admins_group.id)
+
     def test_enable_spectator_access_for_limited_plan_realms(self) -> None:
         self.login("iago")
         realm = get_realm("zulip")

zerver/views/realm.py

@@ -228,6 +228,7 @@ def update_realm(
         invite_to_realm_policy is not None
         or invite_required is not None
         or create_multiuse_invite_group_id is not None
+        or can_create_groups is not None
     ) and not user_profile.is_realm_owner:
         raise OrganizationOwnerRequiredError