From 5baeb35ac8f9be322f5bdb62c04344febb4b5463 Mon Sep 17 00:00:00 2001
From: Tim Abbott
Date: Wed, 17 May 2017 17:45:20 -0700
Subject: [PATCH] invite: Fix invite_by_admins_only to be enforced in backend.

Apparently, this setting never actually was wired up to anything other than hiding the UI widget.

Huge thanks to Ibram Marzouk from the HackerOne community for finding this security bug.
---
 zerver/tests/test_signup.py | 23 +++++++++++++++++++++++
 zerver/views/invite.py | 2 ++
 2 files changed, 25 insertions(+)

diff --git a/zerver/tests/test_signup.py b/zerver/tests/test_signup.py
index de4890daefd83..e4fa7cf26e3a2 100644
--- a/zerver/tests/test_signup.py
+++ b/zerver/tests/test_signup.py
@@ -407,6 +407,29 @@ def test_successful_invite_user_with_name_and_normal_one(self):
         self.assertTrue(find_key_by_email(email2))
         self.check_sent_emails([email, email2])
 
+    def test_require_realm_admin(self):
+        # type: () -> None
+        """
+        The invite_by_admins_only realm setting works properly.
+        """
+        realm = get_realm('zulip')
+        realm.invite_by_admins_only = True
+        realm.save()
+
+        self.login("hamlet@zulip.com")
+        email = "alice-test@zulip.com"
+        email2 = "bob-test@zulip.com"
+        invitee = "Alice Test <{}>, {}".format(email, email2)
+        self.assert_json_error(self.invite(invitee, ["Denmark"]),
+                               "Must be a realm administrator")
+
+        # Now verify an administrator can do it
+        self.login("iago@zulip.com")
+        self.assert_json_success(self.invite(invitee, ["Denmark"]))
+        self.assertTrue(find_key_by_email(email))
+        self.assertTrue(find_key_by_email(email2))
+        self.check_sent_emails([email, email2])
+
     def test_invite_user_signup_initial_history(self):
         # type: () -> None
         """
diff --git a/zerver/views/invite.py b/zerver/views/invite.py
index 464e6da7a0071..760ef42d869f3 100644
--- a/zerver/views/invite.py
+++ b/zerver/views/invite.py
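Review bot: test_require_realm_admin checks that the non-admin call is rejected by its error string but never checks that the rejected call had no side effect, so a regression that returned the error after still creating the invitation (or sending mail) would pass. Right after the first assert_json_error, assert the negative before switching to the admin login, e.g. `self.assertFalse(find_key_by_email(email))` and `self.assertFalse(find_key_by_email(email2))`, assuming find_key_by_email returns a falsy value when no key exists rather than raising; a `self.check_sent_emails([])` there would pin the mail side as well, if that helper accepts an empty list. The later assertTrue calls then show the admin path is what produced the keys.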
@@ -22,6 +22,8 @@
 @has_request_variables
 def json_invite_users(request, user_profile, invitee_emails_raw=REQ("invitee_emails")):
     # type: (HttpRequest, UserProfile, str) -> HttpResponse
+    if user_profile.realm.invite_by_admins_only and not user_profile.is_realm_admin:
+        return json_error(_("Must be a realm administrator"))
     if not invitee_emails_raw:
         return json_error(_("You must specify at least one email address."))
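Review bot: The added gate in json_invite_users is the only server-side enforcement of invite_by_admins_only visible in this change and it sits in the view rather than next to whatever action creates the invitations, so any other caller of that action (if one exists) would still bypass the setting; that is worth stating in a comment so nobody later treats the UI as the boundary again, e.g. `# Server-side enforcement of invite_by_admins_only: the client only hides the widget, so this check is the actual security boundary.` Placing the check before the empty-address validation is the right order, since a non-admin gets the same rejection regardless of payload. The body of json_invite_users continues past the end of this hunk.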