-
-
Notifications
You must be signed in to change notification settings - Fork 7.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
realms: Create default system user groups for internal realm. #22352
Conversation
zerver/migrations/0395_create_role_based_groups_for_internal_realms.py
Outdated
Show resolved
Hide resolved
fdca74c
to
e4c2725
Compare
64852f9
to
bf91d04
Compare
@timabbott this is ready for your review. |
c73dfd7
to
b66e2c8
Compare
@timabbott can you review this? Would be good to get this one completed as I will open the next PR for adding a new setting based on groups model tommorrow, and would be nice to get this one off the list. |
7f05eec
to
c4a27c4
Compare
This looks to me to be a correct implementation of fixing this inconsistency by adding these groups to the system bot realm. I feel like it might be more correct to instead remove them from the system bot realm, if that realm doesn't contain users beyond the system bots... but I'm not sure how to code that in a safe fashion. @mateuszmandera thoughts? I can see going either way on this, given our eventual goal to eliminate the system bot realm as a concept... |
We currently define internal bots in |
Hmm, what would the advantage be? Isn't it simpler to just have the clear property |
@@ -116,6 +118,26 @@ def bulk_create_users( | |||
|
|||
Subscription.objects.bulk_create(subscriptions_to_create) | |||
|
|||
full_members_system_group = UserGroup.objects.get( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This codepath is also called via do_import_system_bots
calling create_users
, which calls this bulk_create_users
- in import_realm.py
- have you checked if this will work fine? E.g. if importing from another server, which has these UserGroupMembership
s in the internal realm, won't an error happen due to the UserGroupMembership
s being attempted to be created twice - once through this codepath and once through the import of user groups?
I haven't looked at this in-depth, just a tricky edge case that came to mind that is not clear to me if was addressed - we can audit further if needed
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I checked it once again now and this will work fine. do_import_system_bots
is called after importing realm, and we also check whether the bots are already created or not and I think we can assume that the UserGroupMemberships
objects in the import data will only be present if UserProfile
objects are present in import data.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay, cool thanks for checking!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the comment here is incorrect right now, though, since this is called from the data import code path. However, as noted in the thread I started here:
https://chat.zulip.org/#narrow/stream/3-backend/topic/do_import_system_bots/near/1417790
I think that the data import code path is a noop (and would be a bug if it weren't) and should be deleted, so the comment is likely fine as written.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good I think with those couple of tiny tweaks mentioned
zerver/lib/bulk_create.py
Outdated
@@ -116,6 +118,26 @@ def bulk_create_users( | |||
|
|||
Subscription.objects.bulk_create(subscriptions_to_create) | |||
|
|||
full_members_system_group = UserGroup.objects.get( | |||
name="@role:fullmembers", realm=realm, is_system_group=True |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should these "@role:fullmembers"
etc. string be deduplicated and instead be centrally hard-coded in UserGroup.FULL_MEMBERS
etc. or something like that? There's some other places where these strings are repeated. Or is that intended since maybe this popped up in the reviews of the original implementation?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think we discussed in the original implementation, but I liked the idea of deduplicating this, does UserGroup.FULL_MEMBERS_GROUP_NAME
sounds good. For other cases we can probably use UserGroup.SYSTEM_USER_GROUP_ROLE_MAP
, I know this would be long but we already declare name of user groups there.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, that name sounds good to me
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah those names sound great.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reading this, I think the UserGroup.SYSTEM_USER_GROUP_ROLE_MAP
references feel cumbersome. I think it's pretty reasonable to define constants like EVERYONE_ON_INTERNET_GROUP_NAME = "@role:internet"
for all 5-6 of them, and have SYSTEM_USER_GROUP_ROLE_MAP
use those values in its definitions, rather than this approach.
I'll drop the last commit and also tweak the other two final commits to fit that proposed pattern.
zerver/migrations/0401_create_role_based_groups_for_internal_realms.py
Outdated
Show resolved
Hide resolved
c4a27c4
to
ecb4273
Compare
Added the assert statement and a comment in migration as asked above. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome, thanks!
f8d95da
to
4656dc6
Compare
Added commits to add constants for user group names wherever requried and using them and |
4656dc6
to
6c2bcc1
Compare
This is great, merged with a few changes:
|
6c2bcc1
to
7bc0d4e
Compare
@timabbott This was not merge automatically because CI was failing due to linter error. I fixed it and also added commits for other group names. CI is not passing due to puppeteer error, which I think would be fixed by #22692. |
Since we include internal realms while creating system groups in "0382_create_role_based_system_groups.py", we should do it when creating new internal realms as well to be consistent. Tests are changed accordingly as UserGroup objects are created. We also change the user group ids used in api docs examples such that user groups are of correct realm.
This commit modifies bulk_create_users to add the users to the respective system groups. And due to this change, now bots in development environment are also added to system groups. Tests are changed accordingly as more UserGroupMembeship objects are created.
There may be some internal realms which were created after applying "0382_create_role_based_system_groups.py" migration and this migration is used to create system groups for those realms.
We now use FULL_MEMBERS_GROUP_NAME instead of writing the actual full members system group name at multiple places, so that we can have all the group names coded at one place only.
We now use EVERYONE_ON_INTERNET_GROUP_NAME instead of writing the actual group name at multiple places, so that we can have all the group names coded at one place only.
We now use OWNERS_GROUP_NAME instead of writing the actual group name at multiple places, so that we can have all the group names coded at one place only.
We now use ADMINISTRATORS_GROUP_NAME instead of writing the actual group name at multiple places, so that we can have all the group names coded at one place only.
We now use MODERATORS_GROUP_NAME instead of writing the actual group name at multiple places, so that we can have all the group names coded at one place only.
We now use MEMBERS_GROUP_NAME instead of writing the actual group name at multiple places, so that we can have all the group names coded at one place only.
We now use EVERYONE_GROUP_NAME instead of writing the actual group name at multiple places, so that we can have all the group names coded at one place only.
7bc0d4e
to
8c5f94c
Compare
Ohh, this got auto-merged as I repushed again for CI to pass. But I added some more commits too. |
Yeah, that's a possibly surprising interaction with how GitHub's "merge once CI passes" feature works -- basically it'll merge the next time the PR passes CI, regardless of whether there are actual changes or not. In this case, I've reviewed the new commits and they look great, so not a problem :) |
Since we include internal realms while creating system groups
in "0382_create_role_based_system_groups.py", we should do it
when creating new internal realms as well to be consistent.
This PR also modifies
bulk_create_users
to add the usersto the respective system groups.
And we would also need a migration to add the groups to internal
realms created after the previous migration.
Self-review checklist
(variable names, code reuse, readability, etc.).
Communicate decisions, questions, and potential concerns.
Individual commits are ready for review (see commit discipline).
Completed manual review and testing of the following: