From 54661115477577ba135329ee5c6ff22bcc9b0a7a Mon Sep 17 00:00:00 2001
From: Aditya Kumar Kasaudhan <74228301+Aditya8840@users.noreply.github.com>
Date: Sat, 5 Apr 2025 11:24:42 +0530
Subject: [PATCH 1/4] streams: Separate bulk_check_basic_stream_access
 function.

This commit extracts the common logic for bulk-checking basic stream
access into a separate function, reducing redundancy when introducing
can_unsubscribe_group.
---
 zerver/lib/streams.py | 31 +++++++++++++++++++------------
 1 file changed, 19 insertions(+), 12 deletions(-)

diff --git a/zerver/lib/streams.py b/zerver/lib/streams.py
index ccf561da81ac9..8207c5b5b9b6a 100644
--- a/zerver/lib/streams.py
+++ b/zerver/lib/streams.py
@@ -1254,6 +1254,23 @@ def can_resolve_topics(user: UserProfile, orig_stream: Stream, target_stream: St
     return False
 
 
+def bulk_check_basic_stream_access(user_profile: UserProfile, streams: list[Stream]) -> bool:
+    existing_recipient_ids = [stream.recipient_id for stream in streams]
+    sub_recipient_ids = Subscription.objects.filter(
+        user_profile=user_profile, recipient_id__in=existing_recipient_ids, active=True
+    ).values_list("recipient_id", flat=True)
+
+    for stream in streams:
+        assert stream.recipient_id is not None
+        is_subscribed = stream.recipient_id in sub_recipient_ids
+        if not check_basic_stream_access(
+            user_profile, stream, is_subscribed=is_subscribed, require_content_access=False
+        ):
+            return False
+
+    return True
+
+
 def bulk_can_remove_subscribers_from_streams(
     streams: list[Stream], user_profile: UserProfile
 ) -> bool:
@@ -1285,18 +1302,8 @@ def bulk_can_remove_subscribers_from_streams(
     if not bool(permission_failure_streams):
         return True
 
-    existing_recipient_ids = [stream.recipient_id for stream in streams]
-    sub_recipient_ids = Subscription.objects.filter(
-        user_profile=user_profile, recipient_id__in=existing_recipient_ids, active=True
-    ).values_list("recipient_id", flat=True)
-
-    for stream in streams:
-        assert stream.recipient_id is not None
-        is_subscribed = stream.recipient_id in sub_recipient_ids
-        if not check_basic_stream_access(
-            user_profile, stream, is_subscribed=is_subscribed, require_content_access=False
-        ):
-            return False
+    if not bulk_check_basic_stream_access(user_profile, streams):
+        return False
 
     for stream in streams:
         if not is_user_in_can_remove_subscribers_group(stream, user_recursive_group_ids):

From 433405c8bda811f2665176d7cb8c1db99d7d474a Mon Sep 17 00:00:00 2001
From: Aditya Kumar Kasaudhan <74228301+Aditya8840@users.noreply.github.com>
Date: Thu, 29 May 2025 01:04:22 +0530
Subject: [PATCH 2/4] streams: Rename popover for subscription toggle
 restrictions.

This commit makes the function reusable, helping reduce code
duplication.
---
 web/src/stream_edit.ts       | 2 +-
 web/src/stream_ui_updates.ts | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/web/src/stream_edit.ts b/web/src/stream_edit.ts
index 630a1d09359b4..8362a9eccd8f8 100644
--- a/web/src/stream_edit.ts
+++ b/web/src/stream_edit.ts
@@ -172,7 +172,7 @@ function show_subscription_settings(sub: SettingsSubscription): void {
     stream_ui_updates.update_add_subscriptions_elements(sub);
 
     if (!stream_data.can_toggle_subscription(sub)) {
-        stream_ui_updates.initialize_cant_subscribe_popover();
+        stream_ui_updates.initialize_subscription_toggle_disabled_popover();
     }
 
     const $subscriber_container = $edit_container.find(".edit_subscribers_for_stream");
diff --git a/web/src/stream_ui_updates.ts b/web/src/stream_ui_updates.ts
index defcc5370ee6a..f7822dfec3761 100644
--- a/web/src/stream_ui_updates.ts
+++ b/web/src/stream_ui_updates.ts
@@ -139,7 +139,7 @@ export function update_private_stream_privacy_option_state(
         .toggleClass("default_stream_private_tooltip", is_default_stream);
 }
 
-export function initialize_cant_subscribe_popover(): void {
+export function initialize_subscription_toggle_disabled_popover(): void {
     const $button_wrapper = $(".settings .stream_settings_header .sub_unsub_button_wrapper");
     settings_components.initialize_disable_button_hint_popover($button_wrapper, undefined);
 }
@@ -220,7 +220,7 @@ export function update_settings_button_for_sub(sub: StreamSubscription): void {
         $settings_button.addClass("toggle-subscription-tooltip");
     } else {
         $settings_button.attr("title", "");
-        initialize_cant_subscribe_popover();
+        initialize_subscription_toggle_disabled_popover();
         $settings_button.prop("disabled", true);
         $settings_button.removeClass("toggle-subscription-tooltip");
     }

From bc0efba8406b5d430f4ace83780748d230999c06 Mon Sep 17 00:00:00 2001
From: Aditya Kumar Kasaudhan <74228301+Aditya8840@users.noreply.github.com>
Date: Fri, 21 Mar 2025 04:41:02 +0530
Subject: [PATCH 3/4] streams: Add new can_unsubscribe_group permission
 setting.

Fixes: #33413.
---
 api_docs/unmerged.d/ZF-1abcca.md              |   9 ++
 web/src/group_permission_settings.ts          |   1 +
 web/src/settings_config.ts                    |   4 +
 web/src/stream_data.ts                        |  20 ++-
 web/src/stream_events.ts                      |   8 +-
 web/src/stream_popover.ts                     |   5 +-
 web/src/stream_types.ts                       |   2 +
 web/src/stream_ui_updates.ts                  |   6 +
 web/src/user_profile.ts                       |   3 +-
 web/styles/subscriptions.css                  |   8 ++
 .../left_sidebar_stream_actions_popover.hbs   |   2 +
 .../browse_streams_list_item.hbs              |  22 ++-
 .../stream_settings/stream_permissions.hbs    |   5 +
 .../stream_settings/stream_settings.hbs       |   9 +-
 web/tests/lib/example_settings.cjs            |   8 ++
 web/tests/stream_data.test.cjs                |  45 +++++-
 web/tests/stream_events.test.cjs              |  35 +++++
 web/tests/stream_settings_ui.test.cjs         |   8 ++
 zerver/actions/streams.py                     |   1 +
 zerver/lib/streams.py                         |  48 +++++++
 zerver/lib/subscription_info.py               |  14 ++
 zerver/lib/types.py                           |   4 +
 .../0755_stream_can_unsubscribe_group.py      |  23 +++
 ...efault_for_stream_can_unsubscribe_group.py |  54 +++++++
 ...0757_alter_stream_can_unsubscribe_group.py |  22 +++
 zerver/models/streams.py                      |   9 ++
 zerver/openapi/zulip.yaml                     |  92 ++++++++++--
 zerver/tests/test_channel_creation.py         |   3 +
 zerver/tests/test_channel_permissions.py      | 134 ++++++++++++++++++
 zerver/views/streams.py                       |   8 ++
 30 files changed, 588 insertions(+), 24 deletions(-)
 create mode 100644 api_docs/unmerged.d/ZF-1abcca.md
 create mode 100644 zerver/migrations/0755_stream_can_unsubscribe_group.py
 create mode 100644 zerver/migrations/0756_set_default_for_stream_can_unsubscribe_group.py
 create mode 100644 zerver/migrations/0757_alter_stream_can_unsubscribe_group.py

diff --git a/api_docs/unmerged.d/ZF-1abcca.md b/api_docs/unmerged.d/ZF-1abcca.md
new file mode 100644
index 0000000000000..57897c514155b
--- /dev/null
+++ b/api_docs/unmerged.d/ZF-1abcca.md
@@ -0,0 +1,9 @@
+* [`GET /users/me/subscriptions`](/api/get-subscriptions),
+  [`GET /streams`](/api/get-streams), [`GET /events`](/api/get-events),
+  [`POST /register`](/api/register-queue): Added `can_unsubscribe_group`
+  field to Stream and Subscription objects.
+* [`POST /users/me/subscriptions`](/api/subscribe),
+  [`PATCH /streams/{stream_id}`](/api/update-stream): Added `can_unsubscribe_group`
+  parameter for setting the user group whose members can unsubscribe themselves from channel.
+* [`DELETE /users/me/subscriptions`](/api/unsubscribe): Unsubscription is allowed for organization administrators,
+  users who can administer the channel or remove other subscribers, and members of the channel's `can_unsubscribe_group`.
diff --git a/web/src/group_permission_settings.ts b/web/src/group_permission_settings.ts
index f89e543ce491c..0beaf1541c964 100644
--- a/web/src/group_permission_settings.ts
+++ b/web/src/group_permission_settings.ts
@@ -90,6 +90,7 @@ export const stream_group_setting_name_schema = z.enum([
     "can_remove_subscribers_group",
     "can_send_message_group",
     "can_subscribe_group",
+    "can_unsubscribe_group",
     "can_resolve_topics_group",
 ]);
 export type StreamGroupSettingName = z.infer<typeof stream_group_setting_name_schema>;
diff --git a/web/src/settings_config.ts b/web/src/settings_config.ts
index 0ef5443732e02..8f3ba65dce52d 100644
--- a/web/src/settings_config.ts
+++ b/web/src/settings_config.ts
@@ -786,6 +786,9 @@ export const all_group_setting_labels = {
         can_send_message_group: $t({defaultMessage: "Who can post to this channel"}),
         can_administer_channel_group: $t({defaultMessage: "Who can administer this channel"}),
         can_subscribe_group: $t({defaultMessage: "Who can subscribe to this channel"}),
+        can_unsubscribe_group: $t({
+            defaultMessage: "Who can unsubscribe from this channel",
+        }),
         can_remove_subscribers_group: $t({
             defaultMessage: "Who can unsubscribe anyone from this channel",
         }),
@@ -888,6 +891,7 @@ export const stream_group_permission_settings: StreamGroupSettingName[] = [
     "can_move_messages_out_of_channel_group",
     "can_move_messages_within_channel_group",
     "can_subscribe_group",
+    "can_unsubscribe_group",
     "can_add_subscribers_group",
     "can_remove_subscribers_group",
     "can_resolve_topics_group",
diff --git a/web/src/stream_data.ts b/web/src/stream_data.ts
index 6562a483529f2..41b801f6a6475 100644
--- a/web/src/stream_data.ts
+++ b/web/src/stream_data.ts
@@ -690,14 +690,30 @@ export function user_can_set_topics_policy(sub?: StreamSubscription): boolean {
     return user_can_set_topics_policy && can_administer_channel(sub);
 }
 
+export function can_unsubscribe(sub: StreamSubscription): boolean {
+    // Handles if the user is an organization admin, or in one of these groups:
+    // can_administer_channel_group or can_remove_subscribers_group.
+    if (can_unsubscribe_others(sub)) {
+        return true;
+    }
+
+    return settings_data.user_has_permission_for_group_setting(
+        sub.can_unsubscribe_group,
+        "can_unsubscribe_group",
+        "stream",
+    );
+}
+
 export function can_toggle_subscription(sub: StreamSubscription): boolean {
     if (page_params.is_spectator) {
         return false;
     }
 
-    // Currently, you can always remove your subscription if you're subscribed.
+    // If the user is subscribed, they can unsubscribe themselves only if they are
+    // an organization admin, or in one of these groups: can_administer_channel_group,
+    // can_remove_subscribers_group, or can_unsubscribe_group.
     if (sub.subscribed) {
-        return true;
+        return can_unsubscribe(sub);
     }
 
     if (has_content_access(sub)) {
diff --git a/web/src/stream_events.ts b/web/src/stream_events.ts
index 5868ecd31f41c..80fcc0a524328 100644
--- a/web/src/stream_events.ts
+++ b/web/src/stream_events.ts
@@ -108,7 +108,13 @@ export function update_property<P extends keyof UpdatableStreamProperties>(
             sub,
             group_setting_value_schema.parse(value),
         );
-        if (property === "can_subscribe_group" || property === "can_add_subscribers_group") {
+        if (
+            property === "can_subscribe_group" ||
+            property === "can_add_subscribers_group" ||
+            property === "can_unsubscribe_group" ||
+            property === "can_remove_subscribers_group" ||
+            property === "can_administer_channel_group"
+        ) {
             stream_settings_ui.update_subscription_elements(sub);
         }
         if (property === "can_administer_channel_group") {
diff --git a/web/src/stream_popover.ts b/web/src/stream_popover.ts
index ab344e294360c..62e1668b50bb6 100644
--- a/web/src/stream_popover.ts
+++ b/web/src/stream_popover.ts
@@ -121,12 +121,15 @@ function build_stream_popover(opts: {elt: HTMLElement; stream_id: number}): void
     const stream_unread = unread.unread_count_info_for_stream(stream_id);
     const stream_unread_count = stream_unread.unmuted_count + stream_unread.muted_count;
     const has_unread_messages = stream_unread_count > 0;
+    const stream_subscription = sub_store.get(stream_id);
+    assert(stream_subscription !== undefined);
     const content = render_left_sidebar_stream_actions_popover({
         stream: {
-            ...sub_store.get(stream_id),
+            ...stream_subscription,
             url: browser_history.get_full_url(stream_hash),
             list_of_topics_view_url: hash_util.by_channel_topic_list_url(stream_id),
         },
+        should_display_unsubscribe_button: stream_data.can_unsubscribe(stream_subscription),
         has_unread_messages,
         show_go_to_channel_feed,
         show_go_to_list_of_topics,
diff --git a/web/src/stream_types.ts b/web/src/stream_types.ts
index ce62c4f45c1ff..3418ed5d7fd59 100644
--- a/web/src/stream_types.ts
+++ b/web/src/stream_types.ts
@@ -21,6 +21,7 @@ export const stream_permission_group_settings_schema = z.enum([
     "can_resolve_topics_group",
     "can_send_message_group",
     "can_subscribe_group",
+    "can_unsubscribe_group",
 ]);
 export type StreamPermissionGroupSetting = z.infer<typeof stream_permission_group_settings_schema>;
 
@@ -44,6 +45,7 @@ export const stream_schema = z.object({
     can_resolve_topics_group: group_setting_value_schema,
     can_send_message_group: group_setting_value_schema,
     can_subscribe_group: group_setting_value_schema,
+    can_unsubscribe_group: group_setting_value_schema,
     creator_id: z.nullable(z.number()),
     date_created: z.number(),
     description: z.string(),
diff --git a/web/src/stream_ui_updates.ts b/web/src/stream_ui_updates.ts
index f7822dfec3761..8bef79ae511cc 100644
--- a/web/src/stream_ui_updates.ts
+++ b/web/src/stream_ui_updates.ts
@@ -210,6 +210,7 @@ export function update_settings_button_for_sub(sub: StreamSubscription): void {
             .addClass("unsubscribed action-button-quiet-brand")
             .removeClass("action-button-quiet-neutral");
     }
+    const $parent = $settings_button.parent();
     if (stream_data.can_toggle_subscription(sub)) {
         $settings_button.prop("disabled", false);
         const $parent_element: tippy.ReferenceElement & HTMLElement = util.the(
@@ -220,6 +221,11 @@ export function update_settings_button_for_sub(sub: StreamSubscription): void {
         $settings_button.addClass("toggle-subscription-tooltip");
     } else {
         $settings_button.attr("title", "");
+        if (sub.subscribed) {
+            $parent.attr("data-tooltip-template-id", "cannot-unsubscribe-tooltip-template");
+        } else {
+            $parent.attr("data-tooltip-template-id", "cannot-subscribe-tooltip-template");
+        }
         initialize_subscription_toggle_disabled_popover();
         $settings_button.prop("disabled", true);
         $settings_button.removeClass("toggle-subscription-tooltip");
diff --git a/web/src/user_profile.ts b/web/src/user_profile.ts
index e73e962229d5d..dffaedb1653d8 100644
--- a/web/src/user_profile.ts
+++ b/web/src/user_profile.ts
@@ -283,7 +283,8 @@ export function get_user_unsub_streams(user_id: number): dropdown_widget.Option[
 
 function format_user_stream_list_item_html(stream: StreamSubscription, user: User): string {
     const show_unsubscribe_button =
-        people.can_admin_user(user) || stream_data.can_unsubscribe_others(stream);
+        stream_data.can_unsubscribe_others(stream) ||
+        (people.is_my_user_id(user.user_id) && stream_data.can_unsubscribe(stream));
     const show_private_stream_unsub_tooltip =
         people.is_my_user_id(user.user_id) && stream.invite_only;
     const show_last_user_in_private_stream_unsub_tooltip =
diff --git a/web/styles/subscriptions.css b/web/styles/subscriptions.css
index 5dc3b14699349..30c9aa7e18965 100644
--- a/web/styles/subscriptions.css
+++ b/web/styles/subscriptions.css
@@ -780,6 +780,14 @@ h4.user_group_setting_subsection_title {
                 color: var(--color-stream-group-row-plus-icon-disabled);
             }
 
+            &.checked svg {
+                opacity: 0.5;
+            }
+
+            &.checked svg {
+                opacity: 0.5;
+            }
+
             .sub-unsub-icon {
                 color: var(--color-stream-group-row-checked-icon-disabled);
                 cursor: not-allowed;
diff --git a/web/templates/popovers/left_sidebar/left_sidebar_stream_actions_popover.hbs b/web/templates/popovers/left_sidebar/left_sidebar_stream_actions_popover.hbs
index 6c421ccb3196b..26cf391483aaf 100644
--- a/web/templates/popovers/left_sidebar/left_sidebar_stream_actions_popover.hbs
+++ b/web/templates/popovers/left_sidebar/left_sidebar_stream_actions_popover.hbs
@@ -77,12 +77,14 @@
             </a>
         </li>
         {{#unless stream.is_archived}}
+        {{#if should_display_unsubscribe_button}}
         <li role="none" class="link-item popover-menu-list-item hidden-for-spectators">
             <a role="menuitem" class="popover_sub_unsub_button popover-menu-link" tabindex="0">
                 <i class="popover-menu-icon zulip-icon zulip-icon-circle-x" aria-hidden="true"></i>
                 <span class="popover-menu-label">{{t "Unsubscribe"}}</span>
             </a>
         </li>
+        {{/if}}
         <li role="separator" class="popover-menu-separator hidden-for-spectators"></li>
         <li role="none" class="link-item popover-menu-list-item hidden-for-spectators">
             <a role="menuitem" class="choose_stream_color popover-menu-link" data-stream-id="{{ stream.stream_id }}" tabindex="0">
diff --git a/web/templates/stream_settings/browse_streams_list_item.hbs b/web/templates/stream_settings/browse_streams_list_item.hbs
index b9acac3cbc936..71667e8dec1f6 100644
--- a/web/templates/stream_settings/browse_streams_list_item.hbs
+++ b/web/templates/stream_settings/browse_streams_list_item.hbs
@@ -2,10 +2,10 @@
 <div class="stream-row" data-stream-id="{{stream_id}}" data-stream-name="{{name}}">
 
     {{#if subscribed}}
-        <div class="check checked sub_unsub_button">
+        <div class="check checked sub_unsub_button {{#unless should_display_subscription_button}}disabled{{/unless}}">
 
-            <div class="tippy-zulip-tooltip" data-tooltip-template-id="unsubscribe-from-{{stream_id}}-stream-tooltip-template">
-                <template id="unsubscribe-from-{{stream_id}}-stream-tooltip-template">
+            <div class="tippy-zulip-tooltip" data-tooltip-template-id="{{#if should_display_subscription_button}}unsubscribe-from-{{stream_id}}-stream-tooltip-template{{else}}cannot-unsubscribe-from-{{stream_id}}-stream-tooltip-template{{/if}}">
+                <template id="unsubscribe-from-{{name}}-stream-tooltip-template">
                     <span>
                         {{#tr}}
                             Unsubscribe from <z-stream></z-stream>
@@ -14,6 +14,22 @@
                     </span>
                 </template>
 
+                <template id="cannot-unsubscribe-from-{{name}}-stream-tooltip-template">
+                    <span>
+                        {{#tr}}
+                            You are not allowed to unsubscribe from this channel.
+                        {{/tr}}
+                    </span>
+                </template>
+
+                <template id="cannot-unsubscribe-from-{{name}}-stream-tooltip-template">
+                    <span>
+                        {{#tr}}
+                            You are not allowed to unsubscribe from this channel.
+                        {{/tr}}
+                    </span>
+                </template>
+
                 <i class="zulip-icon zulip-icon-subscriber-check sub-unsub-icon"></i>
             </div>
             <div class='sub_unsub_status'></div>
diff --git a/web/templates/stream_settings/stream_permissions.hbs b/web/templates/stream_settings/stream_permissions.hbs
index 8cf96ee31f10c..2ab4489cf3c24 100644
--- a/web/templates/stream_settings/stream_permissions.hbs
+++ b/web/templates/stream_settings/stream_permissions.hbs
@@ -108,6 +108,11 @@
               label=group_setting_labels.can_add_subscribers_group
               prefix=prefix }}
 
+            {{> ../settings/group_setting_value_pill_input
+              setting_name="can_unsubscribe_group"
+              label=group_setting_labels.can_unsubscribe_group
+              prefix=prefix }}
+
             {{> ../settings/group_setting_value_pill_input
               setting_name="can_remove_subscribers_group"
               label=group_setting_labels.can_remove_subscribers_group
diff --git a/web/templates/stream_settings/stream_settings.hbs b/web/templates/stream_settings/stream_settings.hbs
index 24e586b902fb8..1b8ad23a0ef52 100644
--- a/web/templates/stream_settings/stream_settings.hbs
+++ b/web/templates/stream_settings/stream_settings.hbs
@@ -2,7 +2,14 @@
     <div class="tab-container"></div>
     {{#with sub}}
     <div class="button-group">
-        <div class="sub_unsub_button_wrapper inline-block {{#unless should_display_subscription_button }}cannot-subscribe-tooltip{{/unless}}" data-tooltip-template-id="cannot-subscribe-tooltip-template">
+        <div class="sub_unsub_button_wrapper inline-block" data-tooltip-template-id="{{#if subscribed}}cannot-unsubscribe-tooltip-template{{else}}cannot-subscribe-tooltip-template{{/if}}">
+            <template id="cannot-unsubscribe-tooltip-template">
+                <span>
+                    {{#tr}}
+                        You are not allowed to unsubscribe from this channel.
+                    {{/tr}}
+                </span>
+            </template>
             <template id="cannot-subscribe-tooltip-template">
                 <span>
                     {{#tr}}
diff --git a/web/tests/lib/example_settings.cjs b/web/tests/lib/example_settings.cjs
index d5369f0bd5027..dfd39516d5c02 100644
--- a/web/tests/lib/example_settings.cjs
+++ b/web/tests/lib/example_settings.cjs
@@ -34,6 +34,14 @@ exports.server_supported_permission_settings = {
             default_group_name: "role:nobody",
             allowed_system_groups: [],
         },
+        can_unsubscribe_group: {
+            require_system_group: false,
+            allow_internet_group: false,
+            allow_nobody_group: true,
+            allow_everyone_group: true,
+            default_group_name: "role:nobody",
+            allowed_system_groups: [],
+        },
         can_resolve_topics_group: {
             require_system_group: false,
             allow_internet_group: false,
diff --git a/web/tests/stream_data.test.cjs b/web/tests/stream_data.test.cjs
index 183cdf15be079..40a2b68bf90d2 100644
--- a/web/tests/stream_data.test.cjs
+++ b/web/tests/stream_data.test.cjs
@@ -532,6 +532,7 @@ test("get_streams_for_user", ({override}) => {
         can_add_subscribers_group: admins_group.id,
         can_administer_channel_group: admins_group.id,
         can_subscribe_group: admins_group.id,
+        can_unsubscribe_group: nobody_group.id,
     };
     const social = {
         color: "red",
@@ -544,6 +545,7 @@ test("get_streams_for_user", ({override}) => {
         can_add_subscribers_group: admins_group.id,
         can_administer_channel_group: admins_group.id,
         can_subscribe_group: admins_group.id,
+        can_unsubscribe_group: nobody_group.id,
     };
     const test = {
         color: "yellow",
@@ -555,6 +557,7 @@ test("get_streams_for_user", ({override}) => {
         can_add_subscribers_group: admins_group.id,
         can_administer_channel_group: admins_group.id,
         can_subscribe_group: admins_group.id,
+        can_unsubscribe_group: nobody_group.id,
     };
     const world = {
         color: "blue",
@@ -567,6 +570,7 @@ test("get_streams_for_user", ({override}) => {
         can_add_subscribers_group: admins_group.id,
         can_administer_channel_group: admins_group.id,
         can_subscribe_group: admins_group.id,
+        can_unsubscribe_group: nobody_group.id,
     };
     const errors = {
         color: "green",
@@ -579,6 +583,7 @@ test("get_streams_for_user", ({override}) => {
         can_add_subscribers_group: admins_group.id,
         can_administer_channel_group: admins_group.id,
         can_subscribe_group: admins_group.id,
+        can_unsubscribe_group: nobody_group.id,
     };
     const subs = [denmark, social, test, world, errors];
     for (const sub of subs) {
@@ -668,6 +673,7 @@ test("admin_options", ({override}) => {
             can_administer_channel_group,
             can_add_subscribers_group: admins_group.id,
             can_subscribe_group: admins_group.id,
+            can_unsubscribe_group: everyone_group.id,
             date_created: 1691057093,
             creator_id: null,
         };
@@ -772,6 +778,7 @@ test("stream_settings", ({override}) => {
         can_administer_channel_group: nobody_group.id,
         can_add_subscribers_group: admins_group.id,
         can_subscribe_group: admins_group.id,
+        can_unsubscribe_group: nobody_group.id,
         date_created: 1691057093,
         creator_id: null,
     };
@@ -786,6 +793,7 @@ test("stream_settings", ({override}) => {
         can_administer_channel_group: nobody_group.id,
         can_add_subscribers_group: admins_group.id,
         can_subscribe_group: admins_group.id,
+        can_unsubscribe_group: nobody_group.id,
         date_created: 1691057093,
         creator_id: null,
     };
@@ -802,6 +810,7 @@ test("stream_settings", ({override}) => {
         can_administer_channel_group: nobody_group.id,
         can_add_subscribers_group: admins_group.id,
         can_subscribe_group: admins_group.id,
+        can_unsubscribe_group: nobody_group.id,
         date_created: 1691057093,
         creator_id: null,
         is_archived: true,
@@ -1387,6 +1396,7 @@ test("get_invite_stream_data", ({override}) => {
         can_administer_channel_group: nobody_group.id,
         can_add_subscribers_group: nobody_group.id,
         can_subscribe_group: nobody_group.id,
+        can_unsubscribe_group: nobody_group.id,
     };
 
     people.init();
@@ -1410,6 +1420,7 @@ test("get_invite_stream_data", ({override}) => {
             can_administer_channel_group: nobody_group.id,
             can_add_subscribers_group: nobody_group.id,
             can_subscribe_group: nobody_group.id,
+            can_unsubscribe_group: nobody_group.id,
         },
     ];
     assert.deepEqual(stream_data.get_invite_stream_data(), expected_list);
@@ -1423,6 +1434,7 @@ test("get_invite_stream_data", ({override}) => {
         can_administer_channel_group: nobody_group.id,
         can_add_subscribers_group: nobody_group.id,
         can_subscribe_group: nobody_group.id,
+        can_unsubscribe_group: nobody_group.id,
     };
     stream_data.add_sub_for_tests(inviter);
 
@@ -1435,6 +1447,7 @@ test("get_invite_stream_data", ({override}) => {
         can_administer_channel_group: nobody_group.id,
         can_add_subscribers_group: nobody_group.id,
         can_subscribe_group: nobody_group.id,
+        can_unsubscribe_group: nobody_group.id,
     });
     assert.deepEqual(stream_data.get_invite_stream_data(), expected_list);
 
@@ -1448,6 +1461,7 @@ test("get_invite_stream_data", ({override}) => {
         can_administer_channel_group: nobody_group.id,
         can_add_subscribers_group: nobody_group.id,
         can_subscribe_group: nobody_group.id,
+        can_unsubscribe_group: nobody_group.id,
     };
 
     stream_data.add_sub_for_tests(tokyo);
@@ -1462,6 +1476,7 @@ test("get_invite_stream_data", ({override}) => {
         can_administer_channel_group: nobody_group.id,
         can_add_subscribers_group: nobody_group.id,
         can_subscribe_group: nobody_group.id,
+        can_unsubscribe_group: nobody_group.id,
     };
 
     stream_data.add_sub_for_tests(random);
@@ -1475,6 +1490,7 @@ test("get_invite_stream_data", ({override}) => {
         can_administer_channel_group: nobody_group.id,
         can_add_subscribers_group: nobody_group.id,
         can_subscribe_group: nobody_group.id,
+        can_unsubscribe_group: nobody_group.id,
     });
     assert.deepEqual(stream_data.get_invite_stream_data(), expected_list);
 });
@@ -1996,6 +2012,7 @@ test("has_metadata_access", ({override}) => {
         can_add_subscribers_group: nobody_group.id,
         can_administer_channel_group: nobody_group.id,
         can_subscribe_group: nobody_group.id,
+        can_unsubscribe_group: nobody_group.id,
     };
 
     assert.equal(stream_data.has_metadata_access(social), true);
@@ -2085,6 +2102,7 @@ test("has_content_access", ({override}) => {
         can_add_subscribers_group: nobody_group.id,
         can_administer_channel_group: nobody_group.id,
         can_subscribe_group: nobody_group.id,
+        can_unsubscribe_group: nobody_group.id,
     };
 
     assert.equal(stream_data.has_content_access(social), true);
@@ -2170,6 +2188,7 @@ test("can_preview", ({override_rewire}) => {
         can_add_subscribers_group: nobody_group.id,
         can_administer_channel_group: nobody_group.id,
         can_subscribe_group: nobody_group.id,
+        can_unsubscribe_group: nobody_group.id,
     };
 
     override_rewire(stream_data, "has_content_access", () => true);
@@ -2193,7 +2212,9 @@ run_test("can_toggle_subscription", ({override}) => {
         history_public_to_subscribers: false,
         can_add_subscribers_group: nobody_group.id,
         can_administer_channel_group: nobody_group.id,
+        can_remove_subscribers_group: nobody_group.id,
         can_subscribe_group: nobody_group.id,
+        can_unsubscribe_group: nobody_group.id,
     };
     social.subscribed = true;
 
@@ -2203,10 +2224,10 @@ run_test("can_toggle_subscription", ({override}) => {
     assert.equal(stream_data.can_toggle_subscription(social), false);
 
     override(page_params, "is_spectator", false);
-    assert.equal(stream_data.can_toggle_subscription(social), true);
+    assert.equal(stream_data.can_toggle_subscription(social), false);
 
     override(current_user, "is_guest", true);
-    assert.equal(stream_data.can_toggle_subscription(social), true);
+    assert.equal(stream_data.can_toggle_subscription(social), false);
 
     social.subscribed = false;
     assert.equal(stream_data.can_toggle_subscription(social), false);
@@ -2229,6 +2250,25 @@ run_test("can_toggle_subscription", ({override}) => {
     assert.equal(stream_data.can_toggle_subscription(social), false);
     social.can_subscribe_group = me_group.id;
     assert.equal(stream_data.can_toggle_subscription(social), true);
+
+    social.subscribed = true;
+    assert.equal(stream_data.can_toggle_subscription(social), false);
+
+    social.can_remove_subscribers_group = me_group.id;
+    assert.equal(stream_data.can_toggle_subscription(social), true);
+
+    social.can_unsubscribe_group = everyone_group.id;
+    social.can_remove_subscribers_group = nobody_group.id;
+    assert.equal(stream_data.can_toggle_subscription(social), true);
+
+    social.can_unsubscribe_group = me_group.id;
+    assert.equal(stream_data.can_toggle_subscription(social), true);
+
+    social.can_unsubscribe_group = nobody_group.id;
+    assert.equal(stream_data.can_toggle_subscription(social), false);
+
+    override(current_user, "is_admin", true);
+    assert.equal(stream_data.can_toggle_subscription(social), true);
 });
 
 run_test("can_archive_stream", ({override}) => {
@@ -2243,6 +2283,7 @@ run_test("can_archive_stream", ({override}) => {
         can_add_subscribers_group: me_group.id,
         can_administer_channel_group: nobody_group.id,
         can_subscribe_group: me_group.id,
+        can_unsubscribe_group: nobody_group.id,
     };
     override(current_user, "user_id", me.user_id);
 
diff --git a/web/tests/stream_events.test.cjs b/web/tests/stream_events.test.cjs
index 0a2bca925c63a..1180806e6f03a 100644
--- a/web/tests/stream_events.test.cjs
+++ b/web/tests/stream_events.test.cjs
@@ -296,8 +296,15 @@ test("update_property", ({override}) => {
     {
         const stub = make_stub();
         override(stream_settings_ui, "update_stream_permission_group_setting", stub.f);
+        const update_subscription_elements_stub = make_stub();
+        override(
+            stream_settings_ui,
+            "update_subscription_elements",
+            update_subscription_elements_stub.f,
+        );
         stream_events.update_property(stream_id, "can_remove_subscribers_group", 3);
         assert.equal(stub.num_calls, 1);
+        assert.equal(update_subscription_elements_stub.num_calls, 1);
         const args = stub.get_args("setting_name", "sub", "val");
         assert.equal(args.setting_name, "can_remove_subscribers_group");
         assert.equal(args.sub.stream_id, stream_id);
@@ -308,12 +315,19 @@ test("update_property", ({override}) => {
     {
         const stub = make_stub();
         override(stream_settings_ui, "update_stream_permission_group_setting", stub.f);
+        const update_subscription_elements_stub = make_stub();
+        override(
+            stream_settings_ui,
+            "update_subscription_elements",
+            update_subscription_elements_stub.f,
+        );
         override(stream_settings_data, "get_sub_for_settings", () => ({
             can_add_subscribers: false,
             ...sub,
         }));
         stream_events.update_property(stream_id, "can_administer_channel_group", 3);
         assert.equal(stub.num_calls, 1);
+        assert.equal(update_subscription_elements_stub.num_calls, 1);
         const args = stub.get_args("setting_name", "sub", "val");
         assert.equal(args.setting_name, "can_administer_channel_group");
         assert.equal(args.sub.stream_id, stream_id);
@@ -354,6 +368,27 @@ test("update_property", ({override}) => {
         assert.equal(args.sub, sub);
     }
 
+    // Test stream can_unsubscribe_group change event
+    {
+        const stub = make_stub();
+        override(stream_settings_ui, "update_stream_permission_group_setting", stub.f);
+        const update_subscription_elements_stub = make_stub();
+        override(
+            stream_settings_ui,
+            "update_subscription_elements",
+            update_subscription_elements_stub.f,
+        );
+        stream_events.update_property(stream_id, "can_unsubscribe_group", 2);
+        assert.equal(stub.num_calls, 1);
+        assert.equal(update_subscription_elements_stub.num_calls, 1);
+        let args = stub.get_args("setting_name", "sub", "val");
+        assert.equal(args.setting_name, "can_unsubscribe_group");
+        assert.equal(args.sub.stream_id, stream_id);
+        assert.equal(args.val, 2);
+        args = update_subscription_elements_stub.get_args("sub");
+        assert.equal(args.sub, sub);
+    }
+
     // Update channel folder
     {
         const stub = make_stub();
diff --git a/web/tests/stream_settings_ui.test.cjs b/web/tests/stream_settings_ui.test.cjs
index 246fdb2a234d1..16884aafb6621 100644
--- a/web/tests/stream_settings_ui.test.cjs
+++ b/web/tests/stream_settings_ui.test.cjs
@@ -88,6 +88,7 @@ run_test("redraw_left_panel", ({override, mock_template}) => {
         can_remove_subscribers_group: admins_group.id,
         can_add_subscribers_group: admins_group.id,
         can_subscribe_group: admins_group.id,
+        can_unsubscribe_group: admins_group.id,
         date_created: 1691057093,
         creator_id: null,
         subscriber_count: 0,
@@ -105,6 +106,7 @@ run_test("redraw_left_panel", ({override, mock_template}) => {
         can_remove_subscribers_group: admins_group.id,
         can_add_subscribers_group: admins_group.id,
         can_subscribe_group: admins_group.id,
+        can_unsubscribe_group: admins_group.id,
         date_created: 1691057093,
         creator_id: null,
         subscriber_count: 0,
@@ -122,6 +124,7 @@ run_test("redraw_left_panel", ({override, mock_template}) => {
         can_administer_channel_group: nobody_group.id,
         can_add_subscribers_group: admins_group.id,
         can_subscribe_group: admins_group.id,
+        can_unsubscribe_group: admins_group.id,
         date_created: 1691057093,
         creator_id: null,
         subscriber_count: 0,
@@ -139,6 +142,7 @@ run_test("redraw_left_panel", ({override, mock_template}) => {
         can_remove_subscribers_group: admins_group.id,
         can_add_subscribers_group: admins_group.id,
         can_subscribe_group: admins_group.id,
+        can_unsubscribe_group: admins_group.id,
         date_created: 1691057093,
         creator_id: null,
         subscriber_count: 0,
@@ -156,6 +160,7 @@ run_test("redraw_left_panel", ({override, mock_template}) => {
         can_remove_subscribers_group: admins_group.id,
         can_add_subscribers_group: admins_group.id,
         can_subscribe_group: admins_group.id,
+        can_unsubscribe_group: admins_group.id,
         date_created: 1691057093,
         creator_id: null,
         subscriber_count: 0,
@@ -173,6 +178,7 @@ run_test("redraw_left_panel", ({override, mock_template}) => {
         can_remove_subscribers_group: admins_group.id,
         can_add_subscribers_group: admins_group.id,
         can_subscribe_group: admins_group.id,
+        can_unsubscribe_group: admins_group.id,
         date_created: 1691057093,
         creator_id: null,
         subscriber_count: 0,
@@ -190,6 +196,7 @@ run_test("redraw_left_panel", ({override, mock_template}) => {
         can_remove_subscribers_group: admins_group.id,
         can_add_subscribers_group: admins_group.id,
         can_subscribe_group: admins_group.id,
+        can_unsubscribe_group: admins_group.id,
         date_created: 1691057093,
         creator_id: null,
         subscriber_count: 0,
@@ -207,6 +214,7 @@ run_test("redraw_left_panel", ({override, mock_template}) => {
         can_remove_subscribers_group: admins_group.id,
         can_add_subscribers_group: admins_group.id,
         can_subscribe_group: admins_group.id,
+        can_unsubscribe_group: admins_group.id,
         date_created: 1691057093,
         creator_id: null,
         subscriber_count: 0,
diff --git a/zerver/actions/streams.py b/zerver/actions/streams.py
index f8656c57aacce..d0c1782a6c258 100644
--- a/zerver/actions/streams.py
+++ b/zerver/actions/streams.py
@@ -468,6 +468,7 @@ def send_subscription_add_events(
                 can_remove_subscribers_group=stream_dict["can_remove_subscribers_group"],
                 can_resolve_topics_group=stream_dict["can_resolve_topics_group"],
                 can_subscribe_group=stream_dict["can_subscribe_group"],
+                can_unsubscribe_group=stream_dict["can_unsubscribe_group"],
                 creator_id=stream_dict["creator_id"],
                 date_created=stream_dict["date_created"],
                 description=stream_dict["description"],
diff --git a/zerver/lib/streams.py b/zerver/lib/streams.py
index 8207c5b5b9b6a..f56829e987745 100644
--- a/zerver/lib/streams.py
+++ b/zerver/lib/streams.py
@@ -101,6 +101,7 @@ class StreamDict(TypedDict, total=False):
     can_remove_subscribers_group: UserGroup | None
     can_resolve_topics_group: UserGroup | None
     can_subscribe_group: UserGroup | None
+    can_unsubscribe_group: UserGroup | None
     folder: ChannelFolder | None
 
 
@@ -356,6 +357,7 @@ def create_stream_if_needed(
     can_remove_subscribers_group: UserGroup | None = None,
     can_resolve_topics_group: UserGroup | None = None,
     can_subscribe_group: UserGroup | None = None,
+    can_unsubscribe_group: UserGroup | None = None,
     folder: ChannelFolder | None = None,
     acting_user: UserProfile | None = None,
     anonymous_group_membership: dict[int, UserGroupMembersData] | None = None,
@@ -489,6 +491,7 @@ def create_streams_if_needed(
             can_remove_subscribers_group=stream_dict.get("can_remove_subscribers_group", None),
             can_resolve_topics_group=stream_dict.get("can_resolve_topics_group", None),
             can_subscribe_group=stream_dict.get("can_subscribe_group", None),
+            can_unsubscribe_group=stream_dict.get("can_unsubscribe_group", None),
             folder=stream_dict.get("folder", None),
             acting_user=acting_user,
             anonymous_group_membership=anonymous_group_membership,
@@ -541,6 +544,11 @@ def is_user_in_can_subscribe_group(stream: Stream, user_recursive_group_ids: set
     return group_allowed_to_subscribe_id in user_recursive_group_ids
 
 
+def is_user_in_can_unsubscribe_group(stream: Stream, user_recursive_group_ids: set[int]) -> bool:
+    group_allowed_to_unsubscribe_id = stream.can_unsubscribe_group_id
+    return group_allowed_to_unsubscribe_id in user_recursive_group_ids
+
+
 def is_user_in_groups_granting_content_access(
     stream: Stream, user_recursive_group_ids: set[int]
 ) -> bool:
@@ -1312,6 +1320,37 @@ def bulk_can_remove_subscribers_from_streams(
     return True
 
 
+def bulk_can_unsubscribe_self_from_streams(
+    streams: list[Stream], user_profile: UserProfile
+) -> bool:
+    if user_profile.is_realm_admin:
+        return True
+
+    user_recursive_group_ids = set(
+        get_recursive_membership_groups(user_profile).values_list("id", flat=True)
+    )
+
+    can_administer_all_streams: bool = True
+    for stream in streams:
+        if not is_user_in_can_administer_channel_group(stream, user_recursive_group_ids):
+            can_administer_all_streams = False
+
+    if can_administer_all_streams:
+        return True
+
+    if not bulk_check_basic_stream_access(user_profile, streams):
+        raise JsonableError(_("Invalid channel ID"))
+
+    for stream in streams:
+        if not (
+            is_user_in_can_remove_subscribers_group(stream, user_recursive_group_ids)
+            or is_user_in_can_unsubscribe_group(stream, user_recursive_group_ids)
+        ):
+            return False
+
+    return True
+
+
 def get_streams_to_which_user_cannot_add_subscribers(
     streams: list[Stream],
     user_profile: UserProfile,
@@ -1544,6 +1583,7 @@ def list_to_streams(
     user_profile: UserProfile,
     autocreate: bool = False,
     unsubscribing_others: bool = False,
+    unsubscribing_self: bool = False,
     is_default_stream: bool = False,
     request_settings_dict: dict[str, Any] | None = None,
 ) -> tuple[list[Stream], list[Stream]]:
@@ -1573,6 +1613,10 @@ def list_to_streams(
     existing_streams: list[Stream] = []
     missing_stream_dicts: list[StreamDict] = []
     existing_stream_map = bulk_get_streams(user_profile.realm, stream_set)
+    if unsubscribing_self and not bulk_can_unsubscribe_self_from_streams(
+        list(existing_stream_map.values()), user_profile
+    ):
+        raise JsonableError(_("Insufficient permission"))
 
     if unsubscribing_others and not bulk_can_remove_subscribers_from_streams(
         list(existing_stream_map.values()), user_profile
@@ -1758,6 +1802,9 @@ def stream_to_dict(
     can_subscribe_group = get_group_setting_value_for_register_api(
         stream.can_subscribe_group_id, anonymous_group_membership
     )
+    can_unsubscribe_group = get_group_setting_value_for_register_api(
+        stream.can_unsubscribe_group_id, anonymous_group_membership
+    )
 
     stream_post_policy = get_stream_post_policy_value_based_on_group_setting(
         stream.can_send_message_group
@@ -1775,6 +1822,7 @@ def stream_to_dict(
         can_remove_subscribers_group=can_remove_subscribers_group,
         can_resolve_topics_group=can_resolve_topics_group,
         can_subscribe_group=can_subscribe_group,
+        can_unsubscribe_group=can_unsubscribe_group,
         creator_id=stream.creator_id,
         date_created=datetime_to_timestamp(stream.date_created),
         description=stream.description,
diff --git a/zerver/lib/subscription_info.py b/zerver/lib/subscription_info.py
index d025536c3faf2..9dfec0f325671 100644
--- a/zerver/lib/subscription_info.py
+++ b/zerver/lib/subscription_info.py
@@ -95,6 +95,9 @@ def get_next_color() -> str:
         can_subscribe_group = get_group_setting_value_for_register_api(
             stream.can_subscribe_group_id, anonymous_group_membership
         )
+        can_unsubscribe_group = get_group_setting_value_for_register_api(
+            stream.can_unsubscribe_group_id, anonymous_group_membership
+        )
         creator_id = stream.creator_id
         date_created = datetime_to_timestamp(stream.date_created)
         description = stream.description
@@ -142,6 +145,7 @@ def get_next_color() -> str:
             can_remove_subscribers_group=can_remove_subscribers_group,
             can_resolve_topics_group=can_resolve_topics_group,
             can_subscribe_group=can_subscribe_group,
+            can_unsubscribe_group=can_unsubscribe_group,
             color=color,
             creator_id=creator_id,
             date_created=date_created,
@@ -234,6 +238,9 @@ def build_stream_api_dict(
     can_subscribe_group = get_group_setting_value_for_register_api(
         raw_stream_dict["can_subscribe_group_id"], anonymous_group_membership
     )
+    can_unsubscribe_group = get_group_setting_value_for_register_api(
+        raw_stream_dict["can_unsubscribe_group_id"], anonymous_group_membership
+    )
 
     return APIStreamDict(
         is_archived=raw_stream_dict["deactivated"],
@@ -246,6 +253,7 @@ def build_stream_api_dict(
         can_send_message_group=can_send_message_group,
         can_remove_subscribers_group=can_remove_subscribers_group,
         can_subscribe_group=can_subscribe_group,
+        can_unsubscribe_group=can_unsubscribe_group,
         can_resolve_topics_group=can_resolve_topics_group,
         creator_id=raw_stream_dict["creator_id"],
         date_created=datetime_to_timestamp(raw_stream_dict["date_created"]),
@@ -285,6 +293,7 @@ def build_stream_dict_for_sub(
     can_remove_subscribers_group = stream_dict["can_remove_subscribers_group"]
     can_resolve_topics_group = stream_dict["can_resolve_topics_group"]
     can_subscribe_group = stream_dict["can_subscribe_group"]
+    can_unsubscribe_group = stream_dict["can_unsubscribe_group"]
     creator_id = stream_dict["creator_id"]
     date_created = stream_dict["date_created"]
     description = stream_dict["description"]
@@ -332,6 +341,7 @@ def build_stream_dict_for_sub(
         can_remove_subscribers_group=can_remove_subscribers_group,
         can_resolve_topics_group=can_resolve_topics_group,
         can_subscribe_group=can_subscribe_group,
+        can_unsubscribe_group=can_unsubscribe_group,
         color=color,
         creator_id=creator_id,
         date_created=date_created,
@@ -421,6 +431,9 @@ def build_stream_dict_for_never_sub(
     can_subscribe_group_value = get_group_setting_value_for_register_api(
         raw_stream_dict["can_subscribe_group_id"], anonymous_group_membership
     )
+    can_unsubscribe_group_value = get_group_setting_value_for_register_api(
+        raw_stream_dict["can_unsubscribe_group_id"], anonymous_group_membership
+    )
 
     # Backwards-compatibility addition of removed field.
     is_announcement_only = raw_stream_dict["stream_post_policy"] == Stream.STREAM_POST_POLICY_ADMINS
@@ -438,6 +451,7 @@ def build_stream_dict_for_never_sub(
         can_remove_subscribers_group=can_remove_subscribers_group_value,
         can_resolve_topics_group=can_resolve_topics_group_value,
         can_subscribe_group=can_subscribe_group_value,
+        can_unsubscribe_group=can_unsubscribe_group_value,
         creator_id=creator_id,
         date_created=date_created,
         description=description,
diff --git a/zerver/lib/types.py b/zerver/lib/types.py
index db336f7de96dd..ffb4c51de1f40 100644
--- a/zerver/lib/types.py
+++ b/zerver/lib/types.py
@@ -168,6 +168,7 @@ class RawStreamDict(TypedDict):
     can_remove_subscribers_group_id: int
     can_resolve_topics_group_id: int
     can_subscribe_group_id: int
+    can_unsubscribe_group_id: int
     creator_id: int | None
     date_created: datetime
     deactivated: bool
@@ -222,6 +223,7 @@ class SubscriptionStreamDict(TypedDict):
     can_remove_subscribers_group: int | UserGroupMembersDict
     can_resolve_topics_group: int | UserGroupMembersDict
     can_subscribe_group: int | UserGroupMembersDict
+    can_unsubscribe_group: int | UserGroupMembersDict
     color: str
     creator_id: int | None
     date_created: int
@@ -265,6 +267,7 @@ class NeverSubscribedStreamDict(TypedDict):
     can_remove_subscribers_group: int | UserGroupMembersDict
     can_resolve_topics_group: int | UserGroupMembersDict
     can_subscribe_group: int | UserGroupMembersDict
+    can_unsubscribe_group: int | UserGroupMembersDict
     creator_id: int | None
     date_created: int
     description: str
@@ -304,6 +307,7 @@ class DefaultStreamDict(TypedDict):
     can_remove_subscribers_group: int | UserGroupMembersDict
     can_resolve_topics_group: int | UserGroupMembersDict
     can_subscribe_group: int | UserGroupMembersDict
+    can_unsubscribe_group: int | UserGroupMembersDict
     creator_id: int | None
     date_created: int
     description: str
diff --git a/zerver/migrations/0755_stream_can_unsubscribe_group.py b/zerver/migrations/0755_stream_can_unsubscribe_group.py
new file mode 100644
index 0000000000000..6c1cb35f2604c
--- /dev/null
+++ b/zerver/migrations/0755_stream_can_unsubscribe_group.py
@@ -0,0 +1,23 @@
+# Generated by Django 5.2.7 on 2025-10-25 22:45
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("zerver", "0754_merge_20251014_1855"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="stream",
+            name="can_unsubscribe_group",
+            field=models.ForeignKey(
+                null=True,
+                on_delete=django.db.models.deletion.RESTRICT,
+                related_name="+",
+                to="zerver.usergroup",
+            ),
+        ),
+    ]
diff --git a/zerver/migrations/0756_set_default_for_stream_can_unsubscribe_group.py b/zerver/migrations/0756_set_default_for_stream_can_unsubscribe_group.py
new file mode 100644
index 0000000000000..701de3e5e6e7e
--- /dev/null
+++ b/zerver/migrations/0756_set_default_for_stream_can_unsubscribe_group.py
@@ -0,0 +1,54 @@
+# Generated by Django 5.2.7 on 2025-10-25 22:49
+
+from django.db import migrations, transaction
+from django.db.backends.base.schema import BaseDatabaseSchemaEditor
+from django.db.migrations.state import StateApps
+from django.db.models import Max, Min, OuterRef
+
+
+def set_default_value_for_can_unsubscribe_group(
+    apps: StateApps,
+    schema_editor: BaseDatabaseSchemaEditor,
+) -> None:
+    Stream = apps.get_model("zerver", "Stream")
+    NamedUserGroup = apps.get_model("zerver", "NamedUserGroup")
+
+    BATCH_SIZE = 1000
+
+    max_id = Stream.objects.filter(can_unsubscribe_group=None).aggregate(Max("id"))["id__max"]
+    if max_id is None:
+        return
+
+    lower_bound = Stream.objects.filter(can_unsubscribe_group=None).aggregate(Min("id"))["id__min"]
+    while lower_bound <= max_id + BATCH_SIZE / 2:
+        upper_bound = lower_bound + BATCH_SIZE - 1
+
+        with transaction.atomic():
+            Stream.objects.filter(
+                id__range=(lower_bound, upper_bound),
+                can_unsubscribe_group=None,
+            ).update(
+                can_unsubscribe_group=NamedUserGroup.objects.filter(
+                    name="role:nobody",
+                    realm_for_sharding=OuterRef("realm_id"),
+                    is_system_group=True,
+                ).values("pk")
+            )
+
+        lower_bound += BATCH_SIZE
+
+
+class Migration(migrations.Migration):
+    atomic = False
+
+    dependencies = [
+        ("zerver", "0755_stream_can_unsubscribe_group"),
+    ]
+
+    operations = [
+        migrations.RunPython(
+            set_default_value_for_can_unsubscribe_group,
+            elidable=True,
+            reverse_code=migrations.RunPython.noop,
+        ),
+    ]
diff --git a/zerver/migrations/0757_alter_stream_can_unsubscribe_group.py b/zerver/migrations/0757_alter_stream_can_unsubscribe_group.py
new file mode 100644
index 0000000000000..f7f37df9a39d7
--- /dev/null
+++ b/zerver/migrations/0757_alter_stream_can_unsubscribe_group.py
@@ -0,0 +1,22 @@
+# Generated by Django 5.2.7 on 2025-10-25 22:56
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("zerver", "0756_set_default_for_stream_can_unsubscribe_group"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="stream",
+            name="can_unsubscribe_group",
+            field=models.ForeignKey(
+                on_delete=django.db.models.deletion.RESTRICT,
+                related_name="+",
+                to="zerver.usergroup",
+            ),
+        ),
+    ]
diff --git a/zerver/models/streams.py b/zerver/models/streams.py
index c9c6668078e35..deb4d3b9a3b7e 100644
--- a/zerver/models/streams.py
+++ b/zerver/models/streams.py
@@ -146,6 +146,9 @@ class Stream(models.Model):
         UserGroup, on_delete=models.RESTRICT, related_name="+"
     )
     can_subscribe_group = models.ForeignKey(UserGroup, on_delete=models.RESTRICT, related_name="+")
+    can_unsubscribe_group = models.ForeignKey(
+        UserGroup, on_delete=models.RESTRICT, related_name="+"
+    )
     can_resolve_topics_group = models.ForeignKey(
         UserGroup, on_delete=models.RESTRICT, related_name="+"
     )
@@ -208,6 +211,11 @@ class Stream(models.Model):
             allow_everyone_group=False,
             default_group_name=SystemGroups.NOBODY,
         ),
+        "can_unsubscribe_group": GroupPermissionSetting(
+            allow_nobody_group=True,
+            allow_everyone_group=True,
+            default_group_name=SystemGroups.NOBODY,
+        ),
         "can_resolve_topics_group": GroupPermissionSetting(
             allow_nobody_group=True,
             allow_everyone_group=True,
@@ -279,6 +287,7 @@ def is_history_public_to_subscribers(self) -> bool:
         "can_send_message_group_id",
         "can_remove_subscribers_group_id",
         "can_subscribe_group_id",
+        "can_unsubscribe_group_id",
         "can_resolve_topics_group_id",
         "is_recently_active",
         "topics_policy",
diff --git a/zerver/openapi/zulip.yaml b/zerver/openapi/zulip.yaml
index 9bee5a097c90e..f29ae3533c5aa 100644
--- a/zerver/openapi/zulip.yaml
+++ b/zerver/openapi/zulip.yaml
@@ -711,6 +711,7 @@ paths:
                                         "can_add_subscribers_group": 2,
                                         "can_remove_subscribers_group": 2,
                                         "can_subscribe_group": 2,
+                                        "can_unsubscribe_group": 2,
                                         "subscribers": [10],
                                       },
                                     ],
@@ -1416,6 +1417,7 @@ paths:
                                         "can_add_subscribers_group": 2,
                                         "can_remove_subscribers_group": 2,
                                         "can_subscribe_group": 2,
+                                        "can_unsubscribe_group": 2,
                                         "stream_weekly_traffic": null,
                                         "subscriber_count": 0,
                                       },
@@ -12128,6 +12130,8 @@ paths:
                   $ref: "#/components/schemas/CanSendMessageGroup"
                 can_subscribe_group:
                   $ref: "#/components/schemas/CanSubscribeGroup"
+                can_unsubscribe_group:
+                  $ref: "#/components/schemas/CanUnsubscribeGroup"
                 can_resolve_topics_group:
                   $ref: "#/components/schemas/CanResolveTopicsGroup"
                 folder_id:
@@ -12179,6 +12183,8 @@ paths:
                 contentType: application/json
               can_subscribe_group:
                 contentType: application/json
+              can_unsubscribe_group:
+                contentType: application/json
               can_resolve_topics_group:
                 contentType: application/json
               folder_id:
@@ -12412,19 +12418,33 @@ paths:
       description: |
         Unsubscribe yourself or other users from one or more channels.
 
-        In addition to managing the current user's subscriptions, this
-        endpoint can be used to remove other users from channels. This
-        is possible in 3 situations:
-
-        - Organization administrators can remove any user from any
-          channel.
-        - Users can remove a bot that they own from any channel that
-          the user [can access](/help/channel-permissions).
-        - Users can unsubscribe any user from a channel if they [have
-          access](/help/channel-permissions) to the channel and are a
-          member of the [user group](/api/get-user-groups) specified
-          by the [`can_remove_subscribers_group`][can-remove-parameter]
-          for the channel.
+        This endpoint allows managing the current user's subscriptions
+        and can also be used to remove other users from channels under
+        specific conditions:
+
+        - Self-unsubscription:
+
+          - Organization administrators can always unsubscribe themselves from
+            any channel if they are subscribed to.
+          - Users can unsubscribe themselves from a channel if they are
+            a member of the [user group](/api/get-user-groups) specified
+            by either the `can_unsubscribe_group`, `can_remove_subscribers_group`,
+            or `can_administer_channel_group` for that channel.
+
+        - Unsubscribing others:
+          - Organization administrators can remove any user from any
+            channel.
+          - Users can remove a bot that they own from any channel that
+            the user [can access](/help/channel-permissions).
+          - Users can unsubscribe any user from a channel if they [have
+            access](/help/channel-permissions) to the channel and are a
+            member of the [user group](/api/get-user-groups) specified
+            by the [`can_remove_subscribers_group`][can-remove-parameter]
+            for the channel.
+
+        **Changes**: Before Zulip 11.0 (feature level ZF-1abcca), the
+        `can_unsubscribe_group` permission, which allows members of the
+        group to unsubscribe themselves from channel, did not exist.
 
         **Changes**: Before Zulip 10.0 (feature level 362),
         subscriptions in archived channels could not be modified.
@@ -17313,6 +17333,7 @@ paths:
                                 can_move_messages_within_channel_group: {}
                                 can_send_message_group: {}
                                 can_subscribe_group: {}
+                                can_unsubscribe_group: {}
                                 can_resolve_topics_group: {}
                                 subscriber_count: {}
                                 stream_weekly_traffic:
@@ -22755,6 +22776,7 @@ paths:
                                 can_send_message_group: {}
                                 can_resolve_topics_group: {}
                                 can_subscribe_group: {}
+                                can_unsubscribe_group: {}
                                 subscriber_count: {}
                                 stream_weekly_traffic:
                                   type: integer
@@ -22799,6 +22821,7 @@ paths:
                                 - is_announcement_only
                                 - can_remove_subscribers_group
                                 - can_subscribe_group
+                                - can_unsubscribe_group
                                 - stream_weekly_traffic
                                 - is_recently_active
                                 - subscriber_count
@@ -22812,6 +22835,7 @@ paths:
                               "can_add_subscribers_group": 10,
                               "can_remove_subscribers_group": 10,
                               "can_subscribe_group": 10,
+                              "can_unsubscribe_group": 10,
                               "creator_id": null,
                               "date_created": 1691057093,
                               "description": "A private channel",
@@ -22836,6 +22860,7 @@ paths:
                               "can_add_subscribers_group": 9,
                               "can_remove_subscribers_group": 9,
                               "can_subscribe_group": 10,
+                              "can_unsubscribe_group": 10,
                               "creator_id": 12,
                               "date_created": 1691057093,
                               "description": "A default public channel",
@@ -22909,6 +22934,7 @@ paths:
                             "can_add_subscribers_group": 2,
                             "can_remove_subscribers_group": 2,
                             "can_subscribe_group": 2,
+                            "can_unsubscribe_group": 2,
                             "stream_weekly_traffic": null,
                             subscriber_count: 12,
                           },
@@ -23328,6 +23354,25 @@ paths:
                           "old": 15,
                         }
                     - $ref: "#/components/schemas/GroupSettingValueUpdate"
+                can_unsubscribe_group:
+                  allOf:
+                    - description: |
+                        The set of users who have permission to unsubscribe themselves from this
+                        channel expressed as an [update to a group-setting value][update-group-setting].
+
+                        [update-group-setting]: /api/group-setting-values#updating-group-setting-values
+
+                        Note that a user must have metadata access to a channel and permission
+                        to administer the channel in order to modify this setting.
+
+                        **Changes**: New in Zulip 11.0 (feature level ZF-1abcca).
+                      example:
+                        {
+                          "new":
+                            {"direct_members": [10], "direct_subgroups": [11]},
+                          "old": 15,
+                        }
+                    - $ref: "#/components/schemas/GroupSettingValueUpdate"
                 can_resolve_topics_group:
                   allOf:
                     - description: |
@@ -23377,6 +23422,8 @@ paths:
                 contentType: application/json
               can_subscribe_group:
                 contentType: application/json
+              can_unsubscribe_group:
+                contentType: application/json
               can_resolve_topics_group:
                 contentType: application/json
       responses:
@@ -25656,6 +25703,7 @@ components:
             can_move_messages_within_channel_group: {}
             can_send_message_group: {}
             can_subscribe_group: {}
+            can_unsubscribe_group: {}
             can_resolve_topics_group: {}
             subscriber_count: {}
             stream_weekly_traffic:
@@ -25694,6 +25742,7 @@ components:
             - can_remove_subscribers_group
             - stream_weekly_traffic
             - can_subscribe_group
+            - can_unsubscribe_group
     BasicChannelBase:
       type: object
       description: |
@@ -25864,6 +25913,8 @@ components:
           $ref: "#/components/schemas/CanSendMessageGroup"
         can_subscribe_group:
           $ref: "#/components/schemas/CanSubscribeGroup"
+        can_unsubscribe_group:
+          $ref: "#/components/schemas/CanUnsubscribeGroup"
         can_resolve_topics_group:
           $ref: "#/components/schemas/CanResolveTopicsGroup"
         subscriber_count:
@@ -27019,6 +27070,8 @@ components:
           $ref: "#/components/schemas/CanSendMessageGroup"
         can_subscribe_group:
           $ref: "#/components/schemas/CanSubscribeGroup"
+        can_unsubscribe_group:
+          $ref: "#/components/schemas/CanUnsubscribeGroup"
         can_resolve_topics_group:
           $ref: "#/components/schemas/CanResolveTopicsGroup"
         is_archived:
@@ -29211,6 +29264,19 @@ components:
 
             **Changes**: New in Zulip 10.0 (feature level 357).
 
+            [setting-values]: /api/group-setting-values
+    CanUnsubscribeGroup:
+      allOf:
+        - $ref: "#/components/schemas/GroupSettingValue"
+        - description: |
+            A [group-setting value][setting-values] defining the set of users
+            who have permission to unsubscribe themselves to this channel.
+
+            Note that a user must have metadata access to a channel and permission
+            to administer the channel in order to modify this setting.
+
+            **Changes**: New in Zulip 11.0 (feature level ZF-1abcca).
+
             [setting-values]: /api/group-setting-values
     CanResolveTopicsGroup:
       allOf:
diff --git a/zerver/tests/test_channel_creation.py b/zerver/tests/test_channel_creation.py
index 566b61f26b9c5..ff1b895adf92b 100644
--- a/zerver/tests/test_channel_creation.py
+++ b/zerver/tests/test_channel_creation.py
@@ -71,6 +71,7 @@ def test_creating_streams(self) -> None:
                 can_administer_channel_group=aaron_group,
                 can_add_subscribers_group=prospero_group,
                 can_subscribe_group=cordelia_group,
+                can_unsubscribe_group=cordelia_group,
             )
 
         self.assertEqual(events[0]["event"]["type"], "stream")
@@ -925,6 +926,7 @@ def test_default_permission_settings_on_stream_creation(self) -> None:
         self.assertEqual(stream.can_remove_subscribers_group_id, admins_group.id)
         self.assertEqual(stream.can_send_message_group_id, everyone_group.id)
         self.assertEqual(stream.can_subscribe_group_id, nobody_group.id)
+        self.assertEqual(stream.can_unsubscribe_group_id, nobody_group.id)
 
         # Check setting values sent in stream creation events.
         event_stream = events[0]["event"]["streams"][0]
@@ -937,6 +939,7 @@ def test_default_permission_settings_on_stream_creation(self) -> None:
         self.assertEqual(event_stream["can_remove_subscribers_group"], admins_group.id)
         self.assertEqual(event_stream["can_send_message_group"], everyone_group.id)
         self.assertEqual(event_stream["can_subscribe_group"], nobody_group.id)
+        self.assertEqual(event_stream["can_unsubscribe_group"], nobody_group.id)
 
     def test_acting_user_is_creator(self) -> None:
         """
diff --git a/zerver/tests/test_channel_permissions.py b/zerver/tests/test_channel_permissions.py
index f9a4a3aaa631a..06ca95ee97fa7 100644
--- a/zerver/tests/test_channel_permissions.py
+++ b/zerver/tests/test_channel_permissions.py
@@ -15,6 +15,7 @@
 )
 from zerver.actions.user_groups import add_subgroups_to_user_group, check_add_user_group
 from zerver.actions.users import do_change_user_role
+from zerver.lib.streams import subscribed_to_stream
 from zerver.lib.test_classes import ZulipTestCase
 from zerver.lib.test_helpers import get_subscription
 from zerver.lib.types import UserGroupMembersData
@@ -738,6 +739,139 @@ def check_unsubscribing_user(
             skip_changing_group_setting=True,
         )
 
+    def test_user_unsubscribe_themselves(self) -> None:
+        admin = self.example_user("iago")
+        realm = admin.realm
+        desdemona = self.example_user("desdemona")
+        hamlet = self.example_user("hamlet")
+        aaron = self.example_user("aaron")
+        cordelia = self.example_user("cordelia")
+        stream = self.make_stream("hümbüǵ")
+        stream_name_list = [stream.name]
+
+        def check_unsubscribing_user(
+            user: UserProfile,
+            expect_fail: bool = False,
+        ) -> None:
+            self.subscribe(user, stream.name)
+            result = self.api_delete(
+                user,
+                "/api/v1/users/me/subscriptions",
+                {
+                    "subscriptions": orjson.dumps(stream_name_list).decode(),
+                    "principals": orjson.dumps([user.id]).decode(),
+                },
+            )
+            if expect_fail:
+                self.assert_json_error(result, "Insufficient permission")
+                return
+
+            json = self.assert_json_success(result)
+            self.assert_length(json["removed"], len(stream_name_list))
+            self.assert_length(json["not_removed"], 0)
+            self.assertFalse(subscribed_to_stream(user, stream.id))
+
+        anonymous_group_member_dict = UserGroupMembersData(
+            direct_members=[aaron.id], direct_subgroups=[]
+        )
+
+        # Test that a user in the can_unsubscribe_group can
+        # unsubscribe themselves
+        do_change_stream_group_based_setting(
+            stream,
+            "can_unsubscribe_group",
+            anonymous_group_member_dict,
+            acting_user=aaron,
+        )
+        check_unsubscribing_user(aaron)
+
+        owners_group = NamedUserGroup.objects.get(
+            name=SystemGroups.OWNERS, realm=realm, is_system_group=True
+        )
+        do_change_stream_group_based_setting(
+            stream,
+            "can_unsubscribe_group",
+            owners_group,
+            acting_user=admin,
+        )
+        check_unsubscribing_user(desdemona)
+        check_unsubscribing_user(aaron, expect_fail=True)
+
+        hamletcharacters_group = NamedUserGroup.objects.get(name="hamletcharacters", realm=realm)
+        do_change_stream_group_based_setting(
+            stream,
+            "can_unsubscribe_group",
+            hamletcharacters_group,
+            acting_user=admin,
+        )
+        check_unsubscribing_user(hamlet)
+        check_unsubscribing_user(aaron, expect_fail=True)
+
+        # Test that an admin can always unsubscribe themselves.
+        check_unsubscribing_user(admin)
+
+        nobody_group = NamedUserGroup.objects.get(
+            name=SystemGroups.NOBODY, realm=realm, is_system_group=True
+        )
+        do_change_stream_group_based_setting(
+            stream,
+            "can_unsubscribe_group",
+            nobody_group,
+            acting_user=admin,
+        )
+
+        # Test that a user in the can_administer_channel_group can
+        # unsubscribe themselves
+        do_change_stream_group_based_setting(
+            stream,
+            "can_administer_channel_group",
+            anonymous_group_member_dict,
+            acting_user=aaron,
+        )
+        check_unsubscribing_user(aaron)
+
+        do_change_stream_group_based_setting(
+            stream,
+            "can_administer_channel_group",
+            nobody_group,
+            acting_user=aaron,
+        )
+
+        # Test that a user in the can_remove_subscribers_group can
+        # unsubscribe themselves
+        do_change_stream_group_based_setting(
+            stream,
+            "can_remove_subscribers_group",
+            anonymous_group_member_dict,
+            acting_user=aaron,
+        )
+        check_unsubscribing_user(aaron)
+
+        # Test that a user not in any of the permission groups cannot
+        # unsubscribe themselves
+        check_unsubscribing_user(cordelia, expect_fail=True)
+
+        # Test that a user cannot unsubscribe from an inaccessible private stream.
+        private_stream = self.make_stream("private_stream", invite_only=True)
+        aaron_unsubscribe_group = UserGroupMembersData(
+            direct_members=[aaron.id], direct_subgroups=[]
+        )
+        do_change_stream_group_based_setting(
+            private_stream,
+            "can_unsubscribe_group",
+            aaron_unsubscribe_group,
+            acting_user=admin,
+        )
+        result = self.api_delete(
+            aaron,
+            "/api/v1/users/me/subscriptions",
+            {
+                "subscriptions": orjson.dumps([private_stream.name]).decode(),
+                "principals": orjson.dumps([aaron.id]).decode(),
+            },
+        )
+        self.assert_json_error(result, "Invalid channel ID")
+
     def test_change_stream_message_retention_days_requires_realm_owner(self) -> None:
         user_profile = self.example_user("iago")
         self.login_user(user_profile)
diff --git a/zerver/views/streams.py b/zerver/views/streams.py
index 48a900cfa5a3a..d9b5ffa65ff39 100644
--- a/zerver/views/streams.py
+++ b/zerver/views/streams.py
@@ -299,6 +299,7 @@ def update_stream_backend(
     can_resolve_topics_group: Json[GroupSettingChangeRequest] | None = None,
     can_send_message_group: Json[GroupSettingChangeRequest] | None = None,
     can_subscribe_group: Json[GroupSettingChangeRequest] | None = None,
+    can_unsubscribe_group: Json[GroupSettingChangeRequest] | None = None,
     description: ChannelDescription = None,
     folder_id: Json[int | None] | MissingType = Missing,
     history_public_to_subscribers: Json[bool] | None = None,
@@ -597,19 +598,24 @@ def remove_subscriptions_backend(
     ]
 
     unsubscribing_others = False
+    unsubscribing_self = False
     if principals:
         people_to_unsub = bulk_principals_to_user_profiles(principals, user_profile)
         unsubscribing_others = any(
             not user_directly_controls_user(user_profile, target) for target in people_to_unsub
         )
+        if not unsubscribing_others:
+            unsubscribing_self = user_profile in people_to_unsub
 
     else:
         people_to_unsub = {user_profile}
+        unsubscribing_self = True
 
     streams, __ = list_to_streams(
         streams_as_dict,
         user_profile,
         unsubscribing_others=unsubscribing_others,
+        unsubscribing_self=unsubscribing_self,
     )
 
     result: dict[str, list[str]] = dict(removed=[], not_removed=[])
@@ -738,6 +744,7 @@ def create_channel(
         can_send_message_group=group_settings_map["can_send_message_group"],
         can_remove_subscribers_group=group_settings_map["can_remove_subscribers_group"],
         can_subscribe_group=group_settings_map["can_subscribe_group"],
+        can_unsubscribe_group=group_settings_map["can_unsubscribe_group"],
         can_resolve_topics_group=group_settings_map["can_resolve_topics_group"],
         folder=folder,
         topics_policy=topics_policy_value,
@@ -795,6 +802,7 @@ def add_subscriptions_backend(
     can_resolve_topics_group: Json[int | UserGroupMembersData] | None = None,
     can_send_message_group: Json[int | UserGroupMembersData] | None = None,
     can_subscribe_group: Json[int | UserGroupMembersData] | None = None,
+    can_unsubscribe_group: Json[int | UserGroupMembersData] | None = None,
     folder_id: Json[int] | None = None,
     history_public_to_subscribers: Json[bool] | None = None,
     invite_only: Json[bool] = False,

From e14f27ef4f7968dc9cbbd8238667927dce8f78e8 Mon Sep 17 00:00:00 2001
From: Aditya Kumar Kasaudhan <74228301+Aditya8840@users.noreply.github.com>
Date: Wed, 2 Jul 2025 23:58:26 +0530
Subject: [PATCH 4/4] streams: Raise error for invalid channel ID on private
 streams.

Previously, when a user attempted to unsubscribe others from a
stream they didn't have access to, the system returned an
"Insufficient permission" error. This commit updates the behavior
to raise an "Invalid channel ID" error instead.
---
 zerver/lib/streams.py                    |  2 +-
 zerver/tests/test_channel_permissions.py | 22 ++++++++++++----------
 2 files changed, 13 insertions(+), 11 deletions(-)

diff --git a/zerver/lib/streams.py b/zerver/lib/streams.py
index f56829e987745..5cbf54766ccab 100644
--- a/zerver/lib/streams.py
+++ b/zerver/lib/streams.py
@@ -1311,7 +1311,7 @@ def bulk_can_remove_subscribers_from_streams(
         return True
 
     if not bulk_check_basic_stream_access(user_profile, streams):
-        return False
+        raise JsonableError(_("Invalid channel ID"))
 
     for stream in streams:
         if not is_user_in_can_remove_subscribers_group(stream, user_recursive_group_ids):
diff --git a/zerver/tests/test_channel_permissions.py b/zerver/tests/test_channel_permissions.py
index 06ca95ee97fa7..4403ea83e0bf3 100644
--- a/zerver/tests/test_channel_permissions.py
+++ b/zerver/tests/test_channel_permissions.py
@@ -565,7 +565,7 @@ def test_can_remove_subscribers_group(self) -> None:
         def check_unsubscribing_user(
             user: UserProfile,
             can_remove_subscribers_group: NamedUserGroup | UserGroupMembersData,
-            expect_fail: bool = False,
+            error_msg: str | None = None,
             stream_list: list[Stream] | None = None,
             skip_changing_group_setting: bool = False,
         ) -> None:
@@ -589,8 +589,8 @@ def check_unsubscribing_user(
                     "principals": orjson.dumps([cordelia.id]).decode(),
                 },
             )
-            if expect_fail:
-                self.assert_json_error(result, "Insufficient permission")
+            if error_msg:
+                self.assert_json_error(result, error_msg)
                 return
 
             json = self.assert_json_success(result)
@@ -600,7 +600,7 @@ def check_unsubscribing_user(
         check_unsubscribing_user(
             self.example_user("hamlet"),
             leadership_group,
-            expect_fail=True,
+            error_msg="Insufficient permission",
             stream_list=[public_stream],
         )
         check_unsubscribing_user(iago, leadership_group, stream_list=[public_stream])
@@ -614,7 +614,7 @@ def check_unsubscribing_user(
         check_unsubscribing_user(
             othello,
             managers_group,
-            expect_fail=True,
+            error_msg="Insufficient permission",
             stream_list=[public_stream],
         )
         check_unsubscribing_user(shiva, managers_group, stream_list=[public_stream])
@@ -629,7 +629,7 @@ def check_unsubscribing_user(
         check_unsubscribing_user(
             shiva,
             leadership_group,
-            expect_fail=True,
+            error_msg="Invalid channel ID",
             stream_list=[private_stream],
         )
         check_unsubscribing_user(iago, leadership_group, stream_list=[private_stream])
@@ -651,7 +651,7 @@ def check_unsubscribing_user(
         check_unsubscribing_user(
             othello,
             setting_group_member_dict,
-            expect_fail=True,
+            error_msg="Invalid channel ID",
             stream_list=[private_stream],
         )
         check_unsubscribing_user(hamlet, setting_group_member_dict, stream_list=[private_stream])
@@ -676,7 +676,9 @@ def check_unsubscribing_user(
         # subscribed to the channel in question.
         with self.assertRaises(Subscription.DoesNotExist):
             get_subscription(private_stream.name, othello)
-        check_unsubscribing_user(othello, setting_group_member_dict, expect_fail=True)
+        check_unsubscribing_user(
+            othello, setting_group_member_dict, error_msg="Insufficient permission"
+        )
         othello_group_member_dict = UserGroupMembersData(
             direct_members=[othello.id], direct_subgroups=[]
         )
@@ -692,7 +694,7 @@ def check_unsubscribing_user(
         check_unsubscribing_user(
             othello,
             setting_group_member_dict,
-            expect_fail=True,
+            error_msg="Insufficient permission",
             stream_list=[private_stream, private_stream_2],
         )
         # User can administer both channels now.
@@ -722,7 +724,7 @@ def check_unsubscribing_user(
         check_unsubscribing_user(
             shiva,
             setting_group_member_dict,
-            expect_fail=True,
+            error_msg="Insufficient permission",
             stream_list=[private_stream, private_stream_2],
             skip_changing_group_setting=True,
         )