zulip/zerver
Sahil Batra 0df7bd71f3 CVE-2024-21630: Check permission to subscribe others using invite link.
This commit updates the API to check the permission to subscribe other
users while creating multi-use invites. The API will raise an error if
the user passes the "stream_ids" parameter (even when it contains only
default streams) and the calling user does not have permission to
subscribe others to streams.

We did not add this before as we only allowed admins to create
multiuse invites, but now we have added a setting which can be used
to allow users with other roles as well to create multiuse invites.
2024-01-24 16:46:02 -08:00
actions models: Move query_for_ids to zerver.lib.query_helpers. 2024-01-05 10:32:54 -05:00
data_import import: Merge duplicate slack email addresses. 2024-01-22 18:19:09 -08:00
integration_fixtures/nagios
lib import: Rewrite "delivered_message" column of scheduled messages. 2024-01-24 16:38:46 -08:00
management process_queue: For threaded workers, create them when they start. 2024-01-15 12:02:53 -08:00
migrations models: Extract zerver.models.realm_audit_logs. 2024-01-05 10:32:54 -05:00
models models: Extract zerver.models.lookups. 2024-01-05 10:32:54 -05:00
openapi user_topics: Validate 'topic' parameter length <= max_topic_length. 2024-01-05 10:32:54 -05:00
tests CVE-2024-21630: Check permission to subscribe others using invite link. 2024-01-24 16:46:02 -08:00
tornado models: Extract zerver.models.clients. 2024-01-05 10:32:54 -05:00
transaction_tests models: Extract zerver.models.realms. 2024-01-05 10:32:54 -05:00
views CVE-2024-21630: Check permission to subscribe others using invite link. 2024-01-24 16:46:02 -08:00
webhooks models: Extract zerver.models.clients. 2024-01-05 10:32:54 -05:00
worker queue_processors: Defer initial email connection creation. 2024-01-15 12:02:53 -08:00
__init__.py
apps.py mypy: Enable new error explicit-override. 2023-10-12 12:28:41 -07:00
context_processors.py models: Extract zerver.models.realms. 2024-01-05 10:32:54 -05:00
decorator.py auth: Add hardening authenticate(use_dummy_backend=True) in do_login. 2024-01-18 15:58:02 -08:00
filters.py mypy: Enable new error explicit-override. 2023-10-12 12:28:41 -07:00
forms.py models: Extract zerver.models.realms. 2024-01-05 10:32:54 -05:00
logging_handlers.py error_notify: Remove custom email error reporting handler. 2023-07-20 11:00:09 -07:00
middleware.py models: Extract zerver.models.realms. 2024-01-05 10:32:54 -05:00
signals.py email: Add a space after the time and AM/PM in the login email. 2023-11-27 09:47:30 -08:00