Disable appropriate features for guest. #9714
2cec6ac to ee53cc1
I think guest users should be able to deactivate bots that they own. The context here is that if a non-guest user transfers ownership of a bot to a guest user (which I can imagine supporting for a few special situations), then the guest user should be able to disable it. I guess stream creation should be on your list. Guest users' API keys should be available, yes. You need it for clients like zulip-terminal.
ee53cc1 to f321757
f321757 to 7fdbbd7
7fdbbd7 to 5265307
static/js/admin.js
Outdated
if (page_params.is_admin) { | ||
can_add_emojis = true; | ||
} else if (!(page_params.realm_add_emoji_by_admins_only || page_params.is_guest)) { | ||
can_add_emojis = true; |
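Review bot: in the `else if` condition, `page_params.is_guest` is only consulted after the `page_params.is_admin` branch has already set `can_add_emojis = true`, so the guest restriction depends on a user never having both flags set. Testing `is_guest` first would make the deny case hold regardless of the other flags. Since `page_params` is client-side state, this check only controls what the UI offers; the server-side handler for adding emoji needs the same guest restriction.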
I know this is only 5 lines of code, but I think it's worth extracting to a function, which will allow you to flatten the code a bit and add direct tests to it:
```js
exports.can_add_emoji = function () {
    if (page_params.is_guest) {
        return false;
    }
    if (page_params.is_admin) {
        return true;
    }
    // for normal users, we depend on the setting
    return !page_params.realm_add_emoji_by_admins_only;
};
```
Does that make sense?
Yeah... I wasn't even sure whether to extract this or not, because most of these operations are done inline in the object code of options itself. Thanks :)
Yeah, makes sense. Most of the existing code is probably fine to leave as is, but if you see any opportunities for quick cleanup, it's nice to be able to test all these permission things directly.
@shubhamdhama This looks great! I have one inline comment.
This is a minor refactor/deduplication and renaming of 'admin_only_bot_creation' to 'can_create_new_bots'
5265307 to 4b08426
Thanks, Steve, your review reminded me of an old
This is great, merged, thanks @shubhamdhama! I agree we should think about the various tips for realm_emoji / bots; it may be worth just making a list of this sort of thing to come back to in a next pass (e.g. it seems possible we want a custom tip for guest users). I think the current list is just those two.
This PR addresses #8385's point:
Opened as WIP to just check I'm disabling the right features.
Testing Plan:
WIP list of features getting disabled:
Questions:
- deactivate_bot_backend? Because a guest user can't create any bot.
- get_members_backend function. Having normal access over this endpoint means a guest user has access to information from all members of the realm. So here we can either make this function return only users who are subscribers of streams to which the guest user is subscribed, or do we have plans to hide bots and users table from guest user.
- get_raw_user_data function.
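One way to implement the first option raised in the get_members_backend question, returning to a guest only the users who share a stream with them. This is an added example, not Zulip's code or part of this PR; `User`, `visible_members` and the sample realm are hypothetical, and treating bots like any other subscriber is an assumption.

```python
# Added illustration; not Zulip code. All names and data below are hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    full_name: str
    is_guest: bool = False
    is_bot: bool = False


def visible_members(requester, users, subscribers_by_stream):
    """Return the realm members that `requester` may see, ordered by id.

    Non-guests see everyone. A guest sees itself plus any user (bots included,
    by assumption) subscribed to at least one stream the guest is subscribed to.
    """
    if not requester.is_guest:
        return sorted(users, key=lambda u: u.user_id)

    # Start from the guest alone so a guest with no streams sees only itself.
    allowed_ids = {requester.user_id}
    for subscriber_ids in subscribers_by_stream.values():
        if requester.user_id in subscriber_ids:
            allowed_ids |= subscriber_ids
    return sorted((u for u in users if u.user_id in allowed_ids),
                  key=lambda u: u.user_id)


# Constructed sample realm.
ALICE = User(1, "Alice")
BOB = User(2, "Bob")
GUEST = User(3, "Gina", is_guest=True)
BOT = User(4, "Deploy Bot", is_bot=True)
USERS = [ALICE, BOB, GUEST, BOT]
SUBSCRIBERS = {
    "design": {1, 3},          # the guest shares this stream with Alice
    "engineering": {1, 2, 4},  # the guest is not subscribed here
}

if __name__ == "__main__":
    for viewer in (ALICE, GUEST):
        names = [u.full_name for u in visible_members(viewer, USERS, SUBSCRIBERS)]
        print(viewer.full_name, "sees", names)
```

The filter has to run on the server before the response is built; hiding the users table in the client alone would leave the full member list readable through the API key the guest already holds.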