zulip/zerver/views
Anders Kaseorg 751b2a03e5 CVE-2022-31168: Fix authorization check for changing bot roles.
Due to an incorrect authorization check in Zulip Server 5.4 and
earlier, a member of an organization could craft an API call that
grants organization administrator privileges to one of their bots.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
2022-07-21 17:59:09 -07:00
development email-log: Move `forward_address` to `REQ` framework. 2022-07-20 14:22:25 -07:00
__init__.py
alert_words.py actions: Split out zerver.actions.alert_words. 2022-04-14 17:14:31 -07:00
attachments.py actions: Split out zerver.actions.uploads. 2022-04-14 17:14:32 -07:00
auth.py confirmation: Tighten logic around the mark_object_used parameter. 2022-07-21 15:18:15 -07:00
compatibility.py django: Use HttpRequest.headers. 2022-05-13 20:42:20 -07:00
custom_profile_fields.py custom_profile: Use cast to ensure ProfileDataElementUpdateDict. 2022-07-15 14:55:03 -07:00
digest.py mypy: Fix most AnonymousUser type errors. 2021-07-24 14:55:46 -07:00
documentation.py documentation: Make get compatible with the supertype. 2022-07-19 17:48:27 -07:00
drafts.py backend: Add request as parameter to json_success. 2022-02-04 15:16:56 -08:00
email_mirror.py backend: Add request as parameter to json_success. 2022-02-04 15:16:56 -08:00
events_register.py events_register: Pass spectator set language to client in user_settings. 2022-07-14 14:27:32 -07:00
home.py typing: Add none-checks for miscellaneous cases. 2022-05-31 09:43:55 -07:00
hotspots.py actions: Split out zerver.actions.hotspots. 2022-04-14 17:14:31 -07:00
invite.py invites: Capitalize "ID" in the error raised for invalid stream ids. 2022-05-27 17:06:03 -07:00
message_edit.py actions: Split out zerver.actions.message_edit. 2022-04-14 17:14:36 -07:00
message_fetch.py python: Unquote some unnecessarily quoted type annotations. 2022-06-26 17:37:41 -07:00
message_flags.py Revert "message_flags: Filter msgs having (or not) the flag before updating." 2022-07-21 14:29:54 -07:00
message_send.py requirements: Upgrade to Django 4.0. 2022-07-13 16:07:17 -07:00
muting.py actions: Split out zerver.actions.muted_users. 2022-04-14 17:14:36 -07:00
portico.py middleware: Fix URL encoding of next parameter. 2022-05-12 17:51:51 -07:00
presence.py actions: Split out zerver.actions.presence. 2022-04-14 17:14:32 -07:00
push_notifications.py backend: Add request as parameter to json_success. 2022-02-04 15:16:56 -08:00
reactions.py actions: Split out zerver.actions.reactions. 2022-04-14 17:14:35 -07:00
realm.py confirmation: Tighten logic around the mark_object_used parameter. 2022-07-21 15:18:15 -07:00
realm_domains.py actions: Split out zerver.actions.realm_domains. 2022-04-14 17:14:37 -07:00
realm_emoji.py upload: Add assertions before accessing uploaded files. 2022-06-23 22:09:05 -07:00
realm_export.py actions: Split out zerver.actions.realm_export. 2022-04-14 17:14:31 -07:00
realm_icon.py upload: Add assertions before accessing uploaded files. 2022-06-23 22:09:05 -07:00
realm_linkifiers.py actions: Split out zerver.actions.realm_linkifiers. 2022-04-14 17:14:31 -07:00
realm_logo.py upload: Add assertions before accessing uploaded files. 2022-06-23 22:09:05 -07:00
realm_playgrounds.py actions: Split out zerver.actions.realm_playgrounds. 2022-04-14 17:14:30 -07:00
registration.py confirmation: Tighten logic around the mark_object_used parameter. 2022-07-21 15:18:15 -07:00
report.py report: Strengthen report_csp_violations type using WildValue. 2022-03-15 13:02:02 -07:00
storage.py backend: Add request as parameter to json_success. 2022-02-04 15:16:56 -08:00
streams.py typing: Add none-checks for stream.recipient_id. 2022-06-23 19:25:48 -07:00
submessage.py actions: Split out zerver.actions.submessage. 2022-04-14 17:14:30 -07:00
thumbnail.py docs: Remove some outdated references to thumbnailing.md doc. 2022-07-12 17:44:24 -07:00
tutorial.py backend: Add request as parameter to json_success. 2022-02-04 15:16:56 -08:00
typing.py actions: Split out zerver.actions.typing. 2022-04-14 17:14:30 -07:00
unsubscribe.py confirmation: Tighten logic around the mark_object_used parameter. 2022-07-21 15:18:15 -07:00
upload.py upload: Add assertions before accessing uploaded files. 2022-06-23 22:09:05 -07:00
user_groups.py user_groups: Rename existing_subgroups variable to existing_direct_subgroup_ids. 2022-05-17 14:51:55 -07:00
user_settings.py get_object_from_key: Make mark_object_used an obligatory kwarg. 2022-07-21 15:18:15 -07:00
users.py CVE-2022-31168: Fix authorization check for changing bot roles. 2022-07-21 17:59:09 -07:00
video_calls.py actions: Split out zerver.actions.video_calls. 2022-04-14 17:14:30 -07:00
zephyr.py python: Use Python 3.8 shlex.join function. 2022-04-27 12:57:49 -07:00