api: Allow incoming webhook bots to use the send_message API.

zulip · Aug 22, 2017 · 58edf75 · 58edf75
1 parent 8aa5a02
commit 58edf75
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 3 deletions.
diff --git a/zerver/lib/rest.py b/zerver/lib/rest.py
@@ -98,7 +98,10 @@ def rest_dispatch(request, **kwargs):
         elif request.META.get('HTTP_AUTHORIZATION', None):
             # Wrap function with decorator to authenticate the user before
             # proceeding
-            target_function = authenticated_rest_api_view()(target_function)
+            view_kwargs = {}
+            if 'allow_incoming_webhooks' in view_flags:
+                view_kwargs['is_webhook'] = True
+            target_function = authenticated_rest_api_view(**view_kwargs)(target_function)
         # Pick a way to tell user they're not authed based on how the request was made
         else:
             # If this looks like a request from a top-level page in a

diff --git a/zerver/tests/test_decorators.py b/zerver/tests/test_decorators.py
@@ -35,7 +35,7 @@
     check_variable_type, equals, check_none_or, check_url,
 )
 from zerver.models import \
-    get_realm, get_user, UserProfile, Client, Realm
+    get_realm, get_user, UserProfile, Client, Realm, Recipient
 
 import ujson
 
@@ -871,6 +871,27 @@ def test_webhook_deactivated_user(self):
         self.assert_json_error_contains(result, "Account not active", status_code=400)
 
 
+class TestIncomingWebhookBot(ZulipTestCase):
+    def setUp(self):
+        # type: () -> None
+        zulip_realm = get_realm('zulip')
+        self.webhook_bot = get_user('webhook-bot@zulip.com', zulip_realm)
+
+    def test_webhook_bot_permissions(self):
+        # type: () -> None
+        result = self.client_post("/api/v1/messages", {
+            "type": "private",
+            "content": "Test message",
+            "client": "test suite",
+            "to": self.example_email("othello")
+        }, **self.api_auth("webhook-bot@zulip.com"))
+        self.assert_json_success(result)
+        post_params = {"anchor": 1, "num_before": 1, "num_after": 1}
+        result = self.client_get("/api/v1/messages", dict(post_params),
+                                 **self.api_auth("webhook-bot@zulip.com"))
+        self.assert_json_error(result, 'This API is not available to incoming webhook bots.',
+                               status_code=401)
+
 class TestValidateApiKey(ZulipTestCase):
     def setUp(self):
         # type: () -> None

diff --git a/zerver/tests/test_urls.py b/zerver/tests/test_urls.py
@@ -129,6 +129,8 @@ def test_rest_api_url_resolution(self):
             callback_str = self.get_callback_string(pattern)
             if callback_str and hasattr(pattern, "default_args"):
                 for func_string in pattern.default_args.values():
+                    if isinstance(func_string, tuple):
+                        func_string = func_string[0]
                     module_name, view = func_string.rsplit('.', 1)
                     self.check_function_exists(module_name, view)
 

diff --git a/zproject/urls.py b/zproject/urls.py
@@ -271,7 +271,8 @@
     # GET returns messages, possibly filtered, POST sends a message
     url(r'^messages$', rest_dispatch,
         {'GET': 'zerver.views.messages.get_messages_backend',
-         'POST': 'zerver.views.messages.send_message_backend'}),
+         'POST': ('zerver.views.messages.send_message_backend',
+                  {'allow_incoming_webhooks'})}),
     url(r'^messages/(?P<message_id>[0-9]+)$', rest_dispatch,
         {'GET': 'zerver.views.messages.json_fetch_raw_message',
          'PATCH': 'zerver.views.messages.update_message_backend',