user_groups: Add API restrictions for long user group names.

Previously we had database level restriction on length of
user group names. Now we add the same restriction to API
level as well, so we can return a better error response.
This commit is contained in:
Sahil Batra 2023-07-03 11:31:01 +05:30 committed by Tim Abbott
parent 89381a8072
commit ea3a7a9e6f
4 changed files with 29 additions and 1 deletions

View File

@ -101,6 +101,15 @@ def access_user_group_for_setting(
return user_group
def check_user_group_name(group_name: str) -> str:
if len(group_name) > UserGroup.MAX_NAME_LENGTH:
raise JsonableError(
_("User group name cannot exceed {} characters.").format(UserGroup.MAX_NAME_LENGTH)
)
return group_name
def user_groups_in_realm_serialized(realm: Realm) -> List[UserGroupDict]:
"""This function is used in do_events_register code path so this code
should be performant. We need to do 2 database queries because

View File

@ -2234,8 +2234,10 @@ class PasswordTooWeakError(Exception):
class UserGroup(models.Model): # type: ignore[django-manager-missing] # django-stubs cannot resolve the custom CTEManager yet https://github.com/typeddjango/django-stubs/issues/1023
MAX_NAME_LENGTH = 100
objects: CTEManager = CTEManager()
name = models.CharField(max_length=100)
name = models.CharField(max_length=MAX_NAME_LENGTH)
direct_members = models.ManyToManyField(
UserProfile, through="UserGroupMembership", related_name="direct_groups"
)

View File

@ -267,6 +267,16 @@ class UserGroupAPITestCase(UserGroupTestCase):
self.assert_json_error(result, "User group 'support' already exists.")
self.assert_length(UserGroup.objects.filter(realm=hamlet.realm), 10)
# Test we cannot create group with same name again
params = {
"name": "a" * (UserGroup.MAX_NAME_LENGTH + 1),
"members": orjson.dumps([hamlet.id]).decode(),
"description": "Test group",
}
result = self.client_post("/json/user_groups/create", info=params)
self.assert_json_error(result, "User group name cannot exceed 100 characters.")
self.assert_length(UserGroup.objects.filter(realm=hamlet.realm), 10)
def test_can_mention_group_setting_during_user_group_creation(self) -> None:
self.login("hamlet")
hamlet = self.example_user("hamlet")
@ -411,6 +421,10 @@ class UserGroupAPITestCase(UserGroupTestCase):
result = self.client_patch(f"/json/user_groups/{lear_test_group.id}", info=params)
self.assert_json_error(result, "Invalid user group")
params = {"name": "a" * (UserGroup.MAX_NAME_LENGTH + 1)}
result = self.client_patch(f"/json/user_groups/{user_group.id}", info=params)
self.assert_json_error(result, "User group name cannot exceed 100 characters.")
def test_update_can_mention_group_setting(self) -> None:
hamlet = self.example_user("hamlet")
support_group = check_add_user_group(hamlet.realm, "support", [hamlet], acting_user=None)

View File

@ -26,6 +26,7 @@ from zerver.lib.user_groups import (
access_user_group_by_id,
access_user_group_for_setting,
access_user_groups_as_potential_subgroups,
check_user_group_name,
get_direct_memberships_of_users,
get_recursive_subgroups_for_groups,
get_subgroup_ids,
@ -51,6 +52,7 @@ def add_user_group(
can_mention_group_id: Optional[int] = REQ(json_validator=check_int, default=None),
) -> HttpResponse:
user_profiles = user_ids_to_users(members, user_profile.realm)
name = check_user_group_name(name)
group_settings_map = {}
request_settings_dict = locals()
@ -107,6 +109,7 @@ def edit_user_group(
user_group = access_user_group_by_id(user_group_id, user_profile)
if name is not None and name != user_group.name:
name = check_user_group_name(name)
do_update_user_group_name(user_group, name, acting_user=user_profile)
if description is not None and description != user_group.description: