realms: Create default system user groups for internal realm. #22352
Conversation
zerver/migrations/0395_create_role_based_groups_for_internal_realms.py
Outdated
Show resolved
Hide resolved
sahil839
force-pushed
the
internal-realm
branch
3 times, most recently
from
fdca74c
to
e4c2725
Compare
sahil839
force-pushed
the
internal-realm
branch
4 times, most recently
from
64852f9
to
bf91d04
Compare
|
@timabbott this is ready for your review. |
sahil839
force-pushed
the
internal-realm
branch
3 times, most recently
from
c73dfd7
to
b66e2c8
Compare
|
@timabbott can you review this? Would be good to get this one completed as I will open the next PR for adding a new setting based on groups model tommorrow, and would be nice to get this one off the list. |
timabbott
force-pushed
the
internal-realm
branch
from
7f05eec
to
c4a27c4
Compare
|
This looks to me to be a correct implementation of fixing this inconsistency by adding these groups to the system bot realm. I feel like it might be more correct to instead remove them from the system bot realm, if that realm doesn't contain users beyond the system bots... but I'm not sure how to code that in a safe fashion. @mateuszmandera thoughts? I can see going either way on this, given our eventual goal to eliminate the system bot realm as a concept... |
|
We currently define internal bots in |
Hmm, what would the advantage be? Isn't it simpler to just have the clear property |
| @@ -116,6 +118,26 @@ def bulk_create_users( | |||
|
|
|||
| Subscription.objects.bulk_create(subscriptions_to_create) | |||
|
|
|||
| full_members_system_group = UserGroup.objects.get( | |||
There was a problem hiding this comment.
This codepath is also called via do_import_system_bots calling create_users, which calls this bulk_create_users - in import_realm.py - have you checked if this will work fine? E.g. if importing from another server, which has these UserGroupMemberships in the internal realm, won't an error happen due to the UserGroupMemberships being attempted to be created twice - once through this codepath and once through the import of user groups?
I haven't looked at this in-depth, just a tricky edge case that came to mind that is not clear to me if was addressed - we can audit further if needed
There was a problem hiding this comment.
I checked it once again now and this will work fine. do_import_system_bots is called after importing realm, and we also check whether the bots are already created or not and I think we can assume that the UserGroupMemberships objects in the import data will only be present if UserProfile objects are present in import data.
There was a problem hiding this comment.
Okay, cool thanks for checking!
There was a problem hiding this comment.
I think the comment here is incorrect right now, though, since this is called from the data import code path. However, as noted in the thread I started here:
https://chat.zulip.org/#narrow/stream/3-backend/topic/do_import_system_bots/near/1417790
I think that the data import code path is a noop (and would be a bug if it weren't) and should be deleted, so the comment is likely fine as written.
zerver/lib/bulk_create.py
Outdated
| @@ -116,6 +118,26 @@ def bulk_create_users( | |||
|
|
|||
| Subscription.objects.bulk_create(subscriptions_to_create) | |||
|
|
|||
| full_members_system_group = UserGroup.objects.get( | |||
| name="@role:fullmembers", realm=realm, is_system_group=True | |||
There was a problem hiding this comment.
Should these "@role:fullmembers" etc. string be deduplicated and instead be centrally hard-coded in UserGroup.FULL_MEMBERS etc. or something like that? There's some other places where these strings are repeated. Or is that intended since maybe this popped up in the reviews of the original implementation?
There was a problem hiding this comment.
I don't think we discussed in the original implementation, but I liked the idea of deduplicating this, does UserGroup.FULL_MEMBERS_GROUP_NAME sounds good. For other cases we can probably use UserGroup.SYSTEM_USER_GROUP_ROLE_MAP, I know this would be long but we already declare name of user groups there.
There was a problem hiding this comment.
Yeah, that name sounds good to me
There was a problem hiding this comment.
Yeah those names sound great.
There was a problem hiding this comment.
Reading this, I think the UserGroup.SYSTEM_USER_GROUP_ROLE_MAP references feel cumbersome. I think it's pretty reasonable to define constants like EVERYONE_ON_INTERNET_GROUP_NAME = "@role:internet" for all 5-6 of them, and have SYSTEM_USER_GROUP_ROLE_MAP use those values in its definitions, rather than this approach.
I'll drop the last commit and also tweak the other two final commits to fit that proposed pattern.
zerver/migrations/0401_create_role_based_groups_for_internal_realms.py
Outdated
Show resolved
Hide resolved
sahil839
force-pushed
the
internal-realm
branch
from
c4a27c4
to
ecb4273
Compare
|
Added the assert statement and a comment in migration as asked above. |
sahil839
force-pushed
the
internal-realm
branch
2 times, most recently
from
f8d95da
to
4656dc6
Compare
|
Added commits to add constants for user group names wherever requried and using them and |
timabbott
force-pushed
the
internal-realm
branch
from
4656dc6
to
6c2bcc1
Compare
|
This is great, merged with a few changes:
|
sahil839
force-pushed
the
internal-realm
branch
from
6c2bcc1
to
7bc0d4e
Compare
|
@timabbott This was not merge automatically because CI was failing due to linter error. I fixed it and also added commits for other group names. CI is not passing due to puppeteer error, which I think would be fixed by #22692. |
Since we include internal realms while creating system groups in "0382_create_role_based_system_groups.py", we should do it when creating new internal realms as well to be consistent. Tests are changed accordingly as UserGroup objects are created. We also change the user group ids used in api docs examples such that user groups are of correct realm.
This commit modifies bulk_create_users to add the users to the respective system groups. And due to this change, now bots in development environment are also added to system groups. Tests are changed accordingly as more UserGroupMembeship objects are created.
There may be some internal realms which were created after applying "0382_create_role_based_system_groups.py" migration and this migration is used to create system groups for those realms.
We now use FULL_MEMBERS_GROUP_NAME instead of writing the actual full members system group name at multiple places, so that we can have all the group names coded at one place only.
We now use EVERYONE_ON_INTERNET_GROUP_NAME instead of writing the actual group name at multiple places, so that we can have all the group names coded at one place only.
We now use OWNERS_GROUP_NAME instead of writing the actual group name at multiple places, so that we can have all the group names coded at one place only.
We now use ADMINISTRATORS_GROUP_NAME instead of writing the actual group name at multiple places, so that we can have all the group names coded at one place only.
We now use MODERATORS_GROUP_NAME instead of writing the actual group name at multiple places, so that we can have all the group names coded at one place only.
We now use MEMBERS_GROUP_NAME instead of writing the actual group name at multiple places, so that we can have all the group names coded at one place only.
We now use EVERYONE_GROUP_NAME instead of writing the actual group name at multiple places, so that we can have all the group names coded at one place only.
sahil839
force-pushed
the
internal-realm
branch
from
7bc0d4e
to
8c5f94c
Compare
|
Ohh, this got auto-merged as I repushed again for CI to pass. But I added some more commits too. |
|
Yeah, that's a possibly surprising interaction with how GitHub's "merge once CI passes" feature works -- basically it'll merge the next time the PR passes CI, regardless of whether there are actual changes or not. In this case, I've reviewed the new commits and they look great, so not a problem :) |
Since we include internal realms while creating system groups
in "0382_create_role_based_system_groups.py", we should do it
when creating new internal realms as well to be consistent.
This PR also modifies
bulk_create_usersto add the usersto the respective system groups.
And we would also need a migration to add the groups to internal
realms created after the previous migration.
Self-review checklist
(variable names, code reuse, readability, etc.).
Communicate decisions, questions, and potential concerns.
Individual commits are ready for review (see commit discipline).
Completed manual review and testing of the following: