zulip/zerver/views
Sahil Batra ae0aba064f CVE-2024-21630: Check permission to subscribe others using invite link.
This commit updates the API to check the permission to subscribe other
users while creating multi-use invites. The API will raise an error if
the user passes the "stream_ids" parameter (even when it contains only
default streams) and the calling user does not have permission to
subscribe others to streams.

We did not add this before as we only allowed admins to create
multiuse invites, but now we have added a setting which can be used
to allow users with other roles as well to create multiuse invites.
2024-01-24 17:41:10 -08:00
development find_account: Remove emails as URL parameters. 2024-01-16 09:39:00 -08:00
__init__.py
alert_words.py alert_words: Migrate alert_words to use @typed_endpoint. 2023-09-08 08:20:17 -07:00
attachments.py attachments: Correct attachment_id type from string to integer. 2023-10-22 17:06:34 -07:00
auth.py auth: Add a configurable wrapper around authenticate calls. 2024-01-15 12:18:48 -08:00
compatibility.py django: Use HttpRequest.headers. 2022-05-13 20:42:20 -07:00
custom_profile_fields.py models: Extract zerver.models.custom_profile_fields. 2023-12-16 22:08:44 -08:00
digest.py mypy: Fix most AnonymousUser type errors. 2021-07-24 14:55:46 -07:00
documentation.py documentation: Support having no sidebar for policies docs. 2024-01-07 19:11:16 -08:00
drafts.py drafts: Migrate drafts to use @typed_endpoint. 2023-09-08 08:20:17 -07:00
email_mirror.py backend: Add request as parameter to json_success. 2022-02-04 15:16:56 -08:00
errors.py config_error: Return status code 500. 2023-10-11 17:13:01 -07:00
events_register.py register: Add client capability to not receive unknown users data. 2023-12-06 00:09:53 -08:00
health.py views: Add a /health healthcheck endpoint. 2023-09-20 09:53:59 -07:00
home.py home: Redirect https://selfhosting.zuliphostname/ to /serverlogin/. 2024-01-15 17:55:42 -08:00
hotspots.py urls: Add a new endpoint for hotspot and deprecate the old one. 2023-12-06 18:19:20 -08:00
invite.py CVE-2024-21630: Check permission to subscribe others using invite link. 2024-01-24 17:41:10 -08:00
message_edit.py views: Rename *topic local variables to *topic_name. 2024-01-15 09:40:43 -08:00
message_fetch.py message: Do not include details of inaccessible users in message data. 2023-12-09 17:23:16 -08:00
message_flags.py response: Remove "result: partially_completed" for success responses. 2023-09-18 13:18:24 -07:00
message_send.py models: Extract zerver.models.users. 2023-12-16 22:08:44 -08:00
muted_users.py bots: Fix muting of cross realm bots. 2023-11-27 16:16:23 -08:00
presence.py models: Extract zerver.models.users. 2023-12-16 22:08:44 -08:00
push_notifications.py templates: Move remote_realm_server_mismatch_error.html to zerver. 2024-01-15 16:50:48 -08:00
reactions.py message: Access realm object directly from message. 2023-08-23 11:38:32 -07:00
read_receipts.py read_receipts: Exclude muted users from read receipts. 2022-09-16 16:19:54 -07:00
realm.py realm: Enfore length restriction on jitsi_server_url at API level. 2023-12-14 12:11:59 -08:00
realm_domains.py models: Extract zerver.models.realms. 2023-12-16 22:08:44 -08:00
realm_emoji.py models: Extract zerver.models.realm_emoji. 2023-12-16 22:08:44 -08:00
realm_export.py migration: Rename extra_data_json to extra_data in audit log models. 2023-08-16 17:18:14 -07:00
realm_icon.py ruff: Fix RUF015 Prefer `next(...)` over single element slice. 2023-07-23 15:20:53 -07:00
realm_linkifiers.py models: Extract zerver.models.linkifiers. 2023-12-16 22:08:44 -08:00
realm_logo.py ruff: Fix RUF015 Prefer `next(...)` over single element slice. 2023-07-23 15:20:53 -07:00
realm_playgrounds.py realm_playgrounds: Refactor error handling for validation on creation. 2023-07-24 17:40:59 -07:00
registration.py find_account: Add button to send another email. 2024-01-19 09:02:03 -08:00
report.py ruff: Collapse short multi-line import statements. 2023-08-02 17:41:41 -07:00
scheduled_messages.py message_send: Add read_by_sender API parameter. 2023-12-14 08:16:31 -08:00
sentry.py python: Use urlsplit instead of urlparse. 2023-12-05 13:03:07 -08:00
storage.py backend: Add request as parameter to json_success. 2022-02-04 15:16:56 -08:00
streams.py actions: Rename *topic local variables to *topic_name. 2024-01-15 09:40:43 -08:00
submessage.py actions: Split out zerver.actions.submessage. 2022-04-14 17:14:30 -07:00
thumbnail.py models: Move some functions to zerver.lib.attachments. 2023-12-16 22:08:44 -08:00
tutorial.py backend: Add request as parameter to json_success. 2022-02-04 15:16:56 -08:00
typing.py typing_indicator: Add a 'stream_id' parameter to 'POST /typing'. 2023-10-12 09:53:09 -07:00
unsubscribe.py black: Reformat with Black 23. 2023-02-02 10:40:13 -08:00
upload.py models: Move some functions to zerver.lib.attachments. 2023-12-16 22:08:44 -08:00
user_groups.py models: Extract zerver.models.users. 2023-12-16 22:08:44 -08:00
user_settings.py models: Extract zerver.models.realms. 2023-12-16 22:08:44 -08:00
user_topics.py user_topics: Validate 'topic' parameter length <= max_topic_length. 2024-01-04 09:43:27 -08:00
users.py models: Extract zerver.models.realms. 2023-12-16 22:08:44 -08:00
video_calls.py models: Extract zerver.models.realms. 2023-12-16 22:08:44 -08:00
zephyr.py ruff: Fix PLW0602 Using global but no assignment is done. 2023-01-04 16:25:07 -08:00