Mirror
/
zulip
mirror of https://github.com/zulip/zulip.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

spectators: Add comments and assertions on security model. 

These tweaks help make reasoning about the spectators security model
easier to understand.
This commit is contained in:
Aman Agrawal 2020-10-07 17:26:30 +05:30 committed by Tim Abbott
parent d1d0e484ea
commit dff4ab0daf
2 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
zerver/lib/events.py
View File

@ -577,6 +577,12 @@ def fetch_initial_state_data(
# abuse. # abuse.
state["giphy_api_key"] = settings.GIPHY_API_KEY if settings.GIPHY_API_KEY else "" state["giphy_api_key"] = settings.GIPHY_API_KEY if settings.GIPHY_API_KEY else ""
if user_profile is None:
# To ensure we have the correct user state set.
assert state["is_admin"] is False
assert state["is_owner"] is False
assert state["is_guest"] is True
return state return state

4
zerver/views/message_fetch.py
View File

@ -965,6 +965,10 @@ def get_messages_backend(
# cases of web-public queries (where we should return the # cases of web-public queries (where we should return the
# web-public results only) and clients with buggy # web-public results only) and clients with buggy
# authentication code (where we should return an auth error). # authentication code (where we should return an auth error).
#
# GetOldMessagesTest.test_unauthenticated_* tests ensure
# that we are not leaking any secure data (private messages and
# non web-public-stream messages) via this path.
if not is_web_public_narrow(narrow): if not is_web_public_narrow(narrow):
raise MissingAuthenticationError() raise MissingAuthenticationError()
assert narrow is not None assert narrow is not None