zulip/zerver/views
Sahil Batra 4c4caa7be4 CVE-2023-32677: Check permission to subscribe other users in invites.
This commit updates the API to check the permission to subscribe other
users while inviting.  The API will error if the user passes the
"stream_ids" parameter (even when it contains only default streams)
and the calling user does not having permission to subscribe others to
streams.

For users who do not have permission to subscribe others, the
invitee will be subscribed to default streams at the time of
accepting the invite.

There is no change for multiuse invites, since only admins are allowed
to send them, and admins always have the permission to subscribe
others to streams.
2023-05-19 16:13:32 -04:00
..
development emails: Inline CSS in emails in build_email. 2023-04-05 12:22:29 -07:00
__init__.py
alert_words.py actions: Split out zerver.actions.alert_words. 2022-04-14 17:14:31 -07:00
attachments.py actions: Split out zerver.actions.uploads. 2022-04-14 17:14:32 -07:00
auth.py maybe_send_to_registration: Remove password_required arg. 2023-05-19 16:13:00 -04:00
compatibility.py django: Use HttpRequest.headers. 2022-05-13 20:42:20 -07:00
custom_profile_fields.py black: Reformat with Black 23. 2023-02-02 10:40:13 -08:00
digest.py mypy: Fix most AnonymousUser type errors. 2021-07-24 14:55:46 -07:00
documentation.py api_url_context: Replace uri with url. 2023-04-26 16:37:16 -07:00
drafts.py backend: Add request as parameter to json_success. 2022-02-04 15:16:56 -08:00
email_mirror.py backend: Add request as parameter to json_success. 2022-02-04 15:16:56 -08:00
events_register.py linkifier: Support URL templates for linkifiers. 2023-04-19 12:20:49 -07:00
home.py accounts: Allow user to change email visibility during first login. 2023-05-16 13:52:56 -07:00
hotspots.py actions: Split out zerver.actions.hotspots. 2022-04-14 17:14:31 -07:00
invite.py CVE-2023-32677: Check permission to subscribe other users in invites. 2023-05-19 16:13:32 -04:00
message_edit.py black: Reformat with Black 23. 2023-02-02 10:40:13 -08:00
message_fetch.py Remove statsd support. 2023-04-25 19:58:16 -07:00
message_flags.py black: Reformat with Black 23. 2023-02-02 10:40:13 -08:00
message_send.py urls: Add new endpoint to create scheduled messages. 2023-04-28 17:25:00 -07:00
muted_users.py mute user: Remove unnecessary check for double muting. 2023-02-20 21:04:13 -08:00
presence.py black: Reformat with Black 23. 2023-02-02 10:40:13 -08:00
push_notifications.py backend: Add request as parameter to json_success. 2022-02-04 15:16:56 -08:00
reactions.py actions: Split out zerver.actions.reactions. 2022-04-14 17:14:35 -07:00
read_receipts.py read_receipts: Exclude muted users from read receipts. 2022-09-16 16:19:54 -07:00
realm_domains.py realm_domains: Allow only owners to add, edit or delete domains. 2022-09-16 15:27:52 -07:00
realm_emoji.py black: Reformat with Black 23. 2023-02-02 10:40:13 -08:00
realm_export.py realm_export: Return export id from POST which create it. 2023-05-16 14:05:01 -07:00
realm_icon.py black: Reformat with Black 23. 2023-02-02 10:40:13 -08:00
realm_linkifiers.py linkifier: Support URL templates for linkifiers. 2023-04-19 12:20:49 -07:00
realm_logo.py upload: Add assertions before accessing uploaded files. 2022-06-23 22:09:05 -07:00
realm_playgrounds.py actions: Split out zerver.actions.realm_playgrounds. 2022-04-14 17:14:30 -07:00
realm.py models: Add ORG_TYPE_IDS constant field to Realm. 2023-04-27 12:28:37 -07:00
registration.py CVE-2023-28623: Prevent unauthorized signup with ldap + external auth. 2023-05-19 16:13:00 -04:00
report.py zerver: Remove now-unused report/ endpoints. 2023-05-09 13:16:28 -07:00
scheduled_messages.py scheduled-messages: Limit to parameter to user and stream IDs. 2023-05-09 12:45:11 -07:00
sentry.py sentry: Add the observed user's IP address before forwarding. 2023-05-18 16:25:54 -07:00
storage.py backend: Add request as parameter to json_success. 2022-02-04 15:16:56 -08:00
streams.py subscriptions: Change in API used for adding new subscriptions. 2023-05-14 11:19:05 -07:00
submessage.py actions: Split out zerver.actions.submessage. 2022-04-14 17:14:30 -07:00
thumbnail.py docs: Remove some outdated references to thumbnailing.md doc. 2022-07-12 17:44:24 -07:00
tutorial.py backend: Add request as parameter to json_success. 2022-02-04 15:16:56 -08:00
typing.py message-type: Add support for "direct" as value for type parameter. 2023-04-18 12:29:33 -07:00
unsubscribe.py black: Reformat with Black 23. 2023-02-02 10:40:13 -08:00
upload.py upload: Use content_disposition_header from Django 4.2. 2023-05-11 14:51:28 -07:00
user_groups.py user_groups: Send a message on changing user-groups subscribers. 2023-04-06 19:03:26 -07:00
user_settings.py user_settings: Add web_mark_read_on_scroll_policy field. 2023-04-18 18:32:02 -07:00
user_topics.py user_topics: Add a new endpoint to update visibility_policy. 2023-04-03 22:31:49 -07:00
users.py users: Set tos_version to -1 for users who have not logged-in yet. 2023-05-16 13:52:56 -07:00
video_calls.py actions: Split out zerver.actions.video_calls. 2022-04-14 17:14:30 -07:00
zephyr.py ruff: Fix PLW0602 Using global but no assignment is done. 2023-01-04 16:25:07 -08:00