guests: Prevent guests from sending to unsubscribed public streams.

This matches the overall security model of these users only having
access to streams they are subscribed to.
This commit is contained in:
Shubham Dhama 2018-08-15 00:20:02 +05:30 committed by Tim Abbott
parent e70cf3bd67
commit e784c95d97
2 changed files with 24 additions and 2 deletions

View File

@ -2008,8 +2008,8 @@ def validate_sender_can_write_to_stream(sender: UserProfile,
if not (sender.is_realm_admin or is_cross_realm_bot_email(sender.email)): if not (sender.is_realm_admin or is_cross_realm_bot_email(sender.email)):
raise JsonableError(_("Only organization administrators can send to this stream.")) raise JsonableError(_("Only organization administrators can send to this stream."))
if not stream.invite_only: if not (stream.invite_only or sender.is_guest):
# This is a public stream # This is a public stream and sender is not a guest user
return return
if subscribed_to_stream(sender, stream.id): if subscribed_to_stream(sender, stream.id):

View File

@ -1781,6 +1781,28 @@ class MessagePOSTTest(ZulipTestCase):
self.assertEqual(mirror_fred_user.email, email) self.assertEqual(mirror_fred_user.email, email)
m.assert_called() m.assert_called()
def test_guest_user(self) -> None:
sender = self.example_user('polonius')
stream_name = 'public stream'
self.make_stream(stream_name, invite_only=False)
payload = dict(
type="stream",
to=stream_name,
sender=sender.email,
client='test suite',
subject='whatever',
content='whatever',
)
# Guest user can't send message to unsubscribed public streams
result = self.api_post(sender.email, "/api/v1/messages", payload)
self.assert_json_error(result, "Not authorized to send to stream 'public stream'")
self.subscribe(sender, stream_name)
# Guest user can send message to subscribed public streams
result = self.api_post(sender.email, "/api/v1/messages", payload)
self.assert_json_success(result)
class ScheduledMessageTest(ZulipTestCase): class ScheduledMessageTest(ZulipTestCase):