guests: Prevent guests from sending to unsubscribed public streams.

This matches the overall security model of these users only having access to streams they are subscribed to.
2018-08-15 00:20:02 +05:30 · 2018-08-15 00:20:02 +05:30 · e784c95d97
parent e70cf3bd67
commit e784c95d97
2 changed files with 24 additions and 2 deletions
--- a/zerver/lib/actions.py
+++ b/zerver/lib/actions.py
@ -2008,8 +2008,8 @@ def validate_sender_can_write_to_stream(sender: UserProfile,
        if not (sender.is_realm_admin or is_cross_realm_bot_email(sender.email)):
            raise JsonableError(_("Only organization administrators can send to this stream."))

-    if not stream.invite_only:
-        # This is a public stream
+    if not (stream.invite_only or sender.is_guest):
+        # This is a public stream and sender is not a guest user
        return

    if subscribed_to_stream(sender, stream.id):
--- a/zerver/tests/test_messages.py
+++ b/zerver/tests/test_messages.py
@ -1781,6 +1781,28 @@ class MessagePOSTTest(ZulipTestCase):
        self.assertEqual(mirror_fred_user.email, email)
        m.assert_called()

+    def test_guest_user(self) -> None:
+        sender = self.example_user('polonius')
+
+        stream_name = 'public stream'
+        self.make_stream(stream_name, invite_only=False)
+        payload = dict(
+            type="stream",
+            to=stream_name,
+            sender=sender.email,
+            client='test suite',
+            subject='whatever',
+            content='whatever',
+        )
+
+        # Guest user can't send message to unsubscribed public streams
+        result = self.api_post(sender.email, "/api/v1/messages", payload)
+        self.assert_json_error(result, "Not authorized to send to stream 'public stream'")
+
+        self.subscribe(sender, stream_name)
+        # Guest user can send message to subscribed public streams
+        result = self.api_post(sender.email, "/api/v1/messages", payload)
+        self.assert_json_success(result)

 class ScheduledMessageTest(ZulipTestCase):