mirror of https://github.com/zulip/zulip.git
guests: Prevent guests from sending to unsubscribed public streams.
This matches the overall security model for guest users, who only have access to streams they are subscribed to.
This commit is contained in:
parent
e70cf3bd67
commit
e784c95d97
|
@ -2008,8 +2008,8 @@ def validate_sender_can_write_to_stream(sender: UserProfile,
|
||||||
if not (sender.is_realm_admin or is_cross_realm_bot_email(sender.email)):
|
if not (sender.is_realm_admin or is_cross_realm_bot_email(sender.email)):
|
||||||
raise JsonableError(_("Only organization administrators can send to this stream."))
|
raise JsonableError(_("Only organization administrators can send to this stream."))
|
||||||
|
|
||||||
if not stream.invite_only:
|
if not (stream.invite_only or sender.is_guest):
|
||||||
# This is a public stream
|
# This is a public stream and sender is not a guest user
|
||||||
return
|
return
|
||||||
|
|
||||||
if subscribed_to_stream(sender, stream.id):
|
if subscribed_to_stream(sender, stream.id):
|
||||||
|
|
|
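Review bot: The new guard `if not (stream.invite_only or sender.is_guest):` makes a guest's ability to post to a public stream depend entirely on the `subscribed_to_stream` check that follows, but the comment on the next line only restates the condition; it should record the policy so the guard is not "simplified" back later, e.g. `# Guests may only post to streams they are subscribed to, so for them a public stream is handled like an invite-only one below.` validate_sender_can_write_to_stream starts and ends outside this hunk, so it is worth confirming that no earlier branch returns for some sender class before reaching this line, since any such early return would skip the guest restriction for that class. The hunk shows the restriction only on the send path; whether guests are also restricted on read/access paths for unsubscribed public streams is not visible here and should be checked separately.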
@ -1781,6 +1781,28 @@ class MessagePOSTTest(ZulipTestCase):
|
||||||
self.assertEqual(mirror_fred_user.email, email)
|
self.assertEqual(mirror_fred_user.email, email)
|
||||||
m.assert_called()
|
m.assert_called()
|
||||||
|
|
||||||
|
def test_guest_user(self) -> None:
|
||||||
|
sender = self.example_user('polonius')
|
||||||
|
|
||||||
|
stream_name = 'public stream'
|
||||||
|
self.make_stream(stream_name, invite_only=False)
|
||||||
|
payload = dict(
|
||||||
|
type="stream",
|
||||||
|
to=stream_name,
|
||||||
|
sender=sender.email,
|
||||||
|
client='test suite',
|
||||||
|
subject='whatever',
|
||||||
|
content='whatever',
|
||||||
|
)
|
||||||
|
|
||||||
|
# Guest user can't send message to unsubscribed public streams
|
||||||
|
result = self.api_post(sender.email, "/api/v1/messages", payload)
|
||||||
|
self.assert_json_error(result, "Not authorized to send to stream 'public stream'")
|
||||||
|
|
||||||
|
self.subscribe(sender, stream_name)
|
||||||
|
# Guest user can send message to subscribed public streams
|
||||||
|
result = self.api_post(sender.email, "/api/v1/messages", payload)
|
||||||
|
self.assert_json_success(result)
|
||||||
|
|
||||||
class ScheduledMessageTest(ZulipTestCase):
|
class ScheduledMessageTest(ZulipTestCase):
|
||||||
|
|
||||||
|
|
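Review bot: test_guest_user assumes the fixture user 'polonius' is a guest but never checks it, so a fixture change would let the test pass for the wrong reason; add `self.assertTrue(sender.is_guest)` right after `sender = self.example_user('polonius')`. There is also no negative control showing that a non-guest can still post to an unsubscribed public stream, which is what would catch an inverted condition in validate_sender_can_write_to_stream; a second `api_post` with a non-guest sender asserting `assert_json_success` before the `subscribe` step would cover it. The guest-on-invite-only-stream case (denied before subscribing, allowed after) is likewise not exercised, so that path relies on the unchanged code below the production hunk.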