2019-11-29 12:59:40 +01:00
// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
// See LICENSE.txt for license information.
2017-03-24 00:42:32 +01:00
package api4
import (
2021-07-26 13:41:02 +05:30
"encoding/json"
2017-03-24 00:42:32 +01:00
"net/http"
2017-04-03 14:12:50 +02:00
"strconv"
2017-04-27 22:41:52 +09:00
"strings"
2017-03-24 00:42:32 +01:00
2021-07-22 12:21:47 +05:30
"github.com/mattermost/mattermost-server/v6/audit"
"github.com/mattermost/mattermost-server/v6/model"
2021-07-26 13:41:02 +05:30
"github.com/mattermost/mattermost-server/v6/shared/mlog"
2017-03-24 00:42:32 +01:00
)
2017-09-22 12:54:27 -05:00
func ( api * API ) InitCommand ( ) {
2021-08-16 19:46:44 +02:00
api . BaseRoutes . Commands . Handle ( "" , api . APISessionRequired ( createCommand ) ) . Methods ( "POST" )
api . BaseRoutes . Commands . Handle ( "" , api . APISessionRequired ( listCommands ) ) . Methods ( "GET" )
api . BaseRoutes . Commands . Handle ( "/execute" , api . APISessionRequired ( executeCommand ) ) . Methods ( "POST" )
api . BaseRoutes . Command . Handle ( "" , api . APISessionRequired ( getCommand ) ) . Methods ( "GET" )
api . BaseRoutes . Command . Handle ( "" , api . APISessionRequired ( updateCommand ) ) . Methods ( "PUT" )
api . BaseRoutes . Command . Handle ( "/move" , api . APISessionRequired ( moveCommand ) ) . Methods ( "PUT" )
api . BaseRoutes . Command . Handle ( "" , api . APISessionRequired ( deleteCommand ) ) . Methods ( "DELETE" )
api . BaseRoutes . Team . Handle ( "/commands/autocomplete" , api . APISessionRequired ( listAutocompleteCommands ) ) . Methods ( "GET" )
api . BaseRoutes . Team . Handle ( "/commands/autocomplete_suggestions" , api . APISessionRequired ( listCommandAutocompleteSuggestions ) ) . Methods ( "GET" )
api . BaseRoutes . Command . Handle ( "/regen_token" , api . APISessionRequired ( regenCommandToken ) ) . Methods ( "PUT" )
2017-03-24 00:42:32 +01:00
}
func createCommand ( c * Context , w http . ResponseWriter , r * http . Request ) {
2021-09-01 14:43:12 +02:00
var cmd model . Command
if jsonErr := json . NewDecoder ( r . Body ) . Decode ( & cmd ) ; jsonErr != nil {
2017-03-24 00:42:32 +01:00
c . SetInvalidParam ( "command" )
return
}
2020-03-12 15:50:21 -04:00
auditRec := c . MakeAuditRecord ( "createCommand" , audit . Fail )
2022-07-14 14:52:46 +03:00
auditRec . AddEventParameter ( "command" , cmd )
2020-03-12 15:50:21 -04:00
defer c . LogAuditRec ( auditRec )
2017-03-24 00:42:32 +01:00
c . LogAudit ( "attempt" )
2021-07-12 20:05:36 +02:00
if ! c . App . SessionHasPermissionToTeam ( * c . AppContext . Session ( ) , cmd . TeamId , model . PermissionManageSlashCommands ) {
c . SetPermissionError ( model . PermissionManageSlashCommands )
2017-03-24 00:42:32 +01:00
return
}
2021-05-11 13:00:44 +03:00
cmd . CreatorId = c . AppContext . Session ( ) . UserId
2017-03-24 00:42:32 +01:00
2021-09-01 14:43:12 +02:00
rcmd , err := c . App . CreateCommand ( & cmd )
2017-03-24 00:42:32 +01:00
if err != nil {
c . Err = err
return
}
2020-03-12 15:50:21 -04:00
auditRec . Success ( )
2017-03-24 00:42:32 +01:00
c . LogAudit ( "success" )
2020-04-08 00:52:30 -04:00
auditRec . AddMeta ( "command" , rcmd )
2022-07-14 14:52:46 +03:00
auditRec . AddEventResultState ( rcmd )
auditRec . AddEventObjectType ( "command" )
2020-03-12 15:50:21 -04:00
2017-03-31 09:56:20 -04:00
w . WriteHeader ( http . StatusCreated )
2021-07-26 13:41:02 +05:30
if err := json . NewEncoder ( w ) . Encode ( rcmd ) ; err != nil {
mlog . Warn ( "Error while writing response" , mlog . Err ( err ) )
}
2017-03-24 00:42:32 +01:00
}
2017-04-03 14:12:50 +02:00
2017-04-08 02:06:09 +09:00
func updateCommand ( c * Context , w http . ResponseWriter , r * http . Request ) {
c . RequireCommandId ( )
if c . Err != nil {
return
}
2021-09-01 14:43:12 +02:00
var cmd model . Command
if jsonErr := json . NewDecoder ( r . Body ) . Decode ( & cmd ) ; jsonErr != nil || cmd . Id != c . Params . CommandId {
2017-04-08 02:06:09 +09:00
c . SetInvalidParam ( "command" )
return
}
2020-03-12 15:50:21 -04:00
auditRec := c . MakeAuditRecord ( "updateCommand" , audit . Fail )
2022-07-14 14:52:46 +03:00
auditRec . AddEventParameter ( "command" , cmd )
2020-03-12 15:50:21 -04:00
defer c . LogAuditRec ( auditRec )
2017-04-08 02:06:09 +09:00
c . LogAudit ( "attempt" )
2017-09-06 17:12:54 -05:00
oldCmd , err := c . App . GetCommand ( c . Params . CommandId )
2017-04-08 02:06:09 +09:00
if err != nil {
2020-04-08 00:52:30 -04:00
auditRec . AddMeta ( "command_id" , c . Params . CommandId )
2020-01-29 11:56:21 -05:00
c . SetCommandNotFoundError ( )
2017-04-08 02:06:09 +09:00
return
}
2020-04-08 00:52:30 -04:00
auditRec . AddMeta ( "command" , oldCmd )
2017-04-08 02:06:09 +09:00
if cmd . TeamId != oldCmd . TeamId {
2021-05-11 13:00:44 +03:00
c . Err = model . NewAppError ( "updateCommand" , "api.command.team_mismatch.app_error" , nil , "user_id=" + c . AppContext . Session ( ) . UserId , http . StatusBadRequest )
2017-04-08 02:06:09 +09:00
return
}
2021-07-12 20:05:36 +02:00
if ! c . App . SessionHasPermissionToTeam ( * c . AppContext . Session ( ) , oldCmd . TeamId , model . PermissionManageSlashCommands ) {
2017-04-08 02:06:09 +09:00
c . LogAudit ( "fail - inappropriate permissions" )
2020-01-29 11:56:21 -05:00
// here we return Not_found instead of a permissions error so we don't leak the existence of
// a command to someone without permissions for the team it belongs to.
c . SetCommandNotFoundError ( )
2017-04-08 02:06:09 +09:00
return
}
2021-07-12 20:05:36 +02:00
if c . AppContext . Session ( ) . UserId != oldCmd . CreatorId && ! c . App . SessionHasPermissionToTeam ( * c . AppContext . Session ( ) , oldCmd . TeamId , model . PermissionManageOthersSlashCommands ) {
2017-04-08 02:06:09 +09:00
c . LogAudit ( "fail - inappropriate permissions" )
2021-07-12 20:05:36 +02:00
c . SetPermissionError ( model . PermissionManageOthersSlashCommands )
2017-04-08 02:06:09 +09:00
return
}
2021-09-01 14:43:12 +02:00
rcmd , err := c . App . UpdateCommand ( oldCmd , & cmd )
2017-04-08 02:06:09 +09:00
if err != nil {
c . Err = err
return
}
2022-07-14 14:52:46 +03:00
auditRec . AddEventResultState ( rcmd )
auditRec . AddEventObjectType ( "command" )
2020-03-12 15:50:21 -04:00
auditRec . Success ( )
2017-04-08 02:06:09 +09:00
c . LogAudit ( "success" )
2021-07-26 13:41:02 +05:30
if err := json . NewEncoder ( w ) . Encode ( rcmd ) ; err != nil {
mlog . Warn ( "Error while writing response" , mlog . Err ( err ) )
}
2017-04-08 02:06:09 +09:00
}
2020-01-29 11:56:21 -05:00
func moveCommand ( c * Context , w http . ResponseWriter , r * http . Request ) {
c . RequireCommandId ( )
if c . Err != nil {
return
}
2021-09-01 14:43:12 +02:00
var cmr model . CommandMoveRequest
if jsonErr := json . NewDecoder ( r . Body ) . Decode ( & cmr ) ; jsonErr != nil {
2020-01-29 11:56:21 -05:00
c . SetInvalidParam ( "team_id" )
return
}
2020-03-12 15:50:21 -04:00
auditRec := c . MakeAuditRecord ( "moveCommand" , audit . Fail )
2022-07-14 14:52:46 +03:00
auditRec . AddEventParameter ( "command_move_request" , cmr )
2020-03-12 15:50:21 -04:00
defer c . LogAuditRec ( auditRec )
c . LogAudit ( "attempt" )
2020-01-29 11:56:21 -05:00
newTeam , appErr := c . App . GetTeam ( cmr . TeamId )
if appErr != nil {
c . Err = appErr
return
}
2020-04-08 00:52:30 -04:00
auditRec . AddMeta ( "team" , newTeam )
2020-01-29 11:56:21 -05:00
2021-07-12 20:05:36 +02:00
if ! c . App . SessionHasPermissionToTeam ( * c . AppContext . Session ( ) , newTeam . Id , model . PermissionManageSlashCommands ) {
2020-01-29 11:56:21 -05:00
c . LogAudit ( "fail - inappropriate permissions" )
2021-07-12 20:05:36 +02:00
c . SetPermissionError ( model . PermissionManageSlashCommands )
2020-01-29 11:56:21 -05:00
return
}
cmd , appErr := c . App . GetCommand ( c . Params . CommandId )
if appErr != nil {
c . SetCommandNotFoundError ( )
return
}
2020-04-08 00:52:30 -04:00
auditRec . AddMeta ( "command" , cmd )
2020-01-29 11:56:21 -05:00
2021-07-12 20:05:36 +02:00
if ! c . App . SessionHasPermissionToTeam ( * c . AppContext . Session ( ) , cmd . TeamId , model . PermissionManageSlashCommands ) {
2020-01-29 11:56:21 -05:00
c . LogAudit ( "fail - inappropriate permissions" )
// here we return Not_found instead of a permissions error so we don't leak the existence of
// a command to someone without permissions for the team it belongs to.
c . SetCommandNotFoundError ( )
return
}
if appErr = c . App . MoveCommand ( newTeam , cmd ) ; appErr != nil {
c . Err = appErr
return
}
2022-07-14 14:52:46 +03:00
auditRec . AddEventResultState ( cmd )
auditRec . AddEventObjectType ( "command" )
2020-03-12 15:50:21 -04:00
auditRec . Success ( )
2020-01-29 11:56:21 -05:00
c . LogAudit ( "success" )
2020-03-12 15:50:21 -04:00
2020-01-29 11:56:21 -05:00
ReturnStatusOK ( w )
}
2017-04-10 22:27:10 +09:00
func deleteCommand ( c * Context , w http . ResponseWriter , r * http . Request ) {
c . RequireCommandId ( )
if c . Err != nil {
return
}
2020-03-12 15:50:21 -04:00
auditRec := c . MakeAuditRecord ( "deleteCommand" , audit . Fail )
2022-07-14 14:52:46 +03:00
auditRec . AddEventParameter ( "command_id" , c . Params . CommandId )
2020-03-12 15:50:21 -04:00
defer c . LogAuditRec ( auditRec )
2017-04-10 22:27:10 +09:00
c . LogAudit ( "attempt" )
2017-09-06 17:12:54 -05:00
cmd , err := c . App . GetCommand ( c . Params . CommandId )
2017-04-10 22:27:10 +09:00
if err != nil {
2020-01-29 11:56:21 -05:00
c . SetCommandNotFoundError ( )
2017-04-10 22:27:10 +09:00
return
}
2020-04-08 00:52:30 -04:00
auditRec . AddMeta ( "command" , cmd )
2017-04-10 22:27:10 +09:00
2021-07-12 20:05:36 +02:00
if ! c . App . SessionHasPermissionToTeam ( * c . AppContext . Session ( ) , cmd . TeamId , model . PermissionManageSlashCommands ) {
2017-04-10 22:27:10 +09:00
c . LogAudit ( "fail - inappropriate permissions" )
2020-01-29 11:56:21 -05:00
// here we return Not_found instead of a permissions error so we don't leak the existence of
// a command to someone without permissions for the team it belongs to.
c . SetCommandNotFoundError ( )
2017-04-10 22:27:10 +09:00
return
}
2021-07-12 20:05:36 +02:00
if c . AppContext . Session ( ) . UserId != cmd . CreatorId && ! c . App . SessionHasPermissionToTeam ( * c . AppContext . Session ( ) , cmd . TeamId , model . PermissionManageOthersSlashCommands ) {
2017-04-10 22:27:10 +09:00
c . LogAudit ( "fail - inappropriate permissions" )
2021-07-12 20:05:36 +02:00
c . SetPermissionError ( model . PermissionManageOthersSlashCommands )
2017-04-10 22:27:10 +09:00
return
}
2017-09-06 17:12:54 -05:00
err = c . App . DeleteCommand ( cmd . Id )
2017-04-10 22:27:10 +09:00
if err != nil {
c . Err = err
return
}
2022-07-14 14:52:46 +03:00
auditRec . AddEventResultState ( cmd )
auditRec . AddEventObjectType ( "command" )
2020-03-12 15:50:21 -04:00
auditRec . Success ( )
2017-04-10 22:27:10 +09:00
c . LogAudit ( "success" )
ReturnStatusOK ( w )
}
2017-04-03 14:12:50 +02:00
func listCommands ( c * Context , w http . ResponseWriter , r * http . Request ) {
2020-05-23 23:01:31 +02:00
customOnly , _ := strconv . ParseBool ( r . URL . Query ( ) . Get ( "custom_only" ) )
2017-04-03 14:12:50 +02:00
teamId := r . URL . Query ( ) . Get ( "team_id" )
2021-01-25 11:15:17 +01:00
if teamId == "" {
2017-04-03 14:12:50 +02:00
c . SetInvalidParam ( "team_id" )
return
}
2021-07-12 20:05:36 +02:00
if ! c . App . SessionHasPermissionToTeam ( * c . AppContext . Session ( ) , teamId , model . PermissionViewTeam ) {
c . SetPermissionError ( model . PermissionViewTeam )
2019-07-04 14:52:47 +02:00
return
}
2017-11-03 10:25:38 -05:00
var commands [ ] * model . Command
var err * model . AppError
2017-04-03 14:12:50 +02:00
if customOnly {
2021-07-12 20:05:36 +02:00
if ! c . App . SessionHasPermissionToTeam ( * c . AppContext . Session ( ) , teamId , model . PermissionManageSlashCommands ) {
c . SetPermissionError ( model . PermissionManageSlashCommands )
2017-04-03 14:12:50 +02:00
return
}
2017-09-06 17:12:54 -05:00
commands , err = c . App . ListTeamCommands ( teamId )
2017-04-03 14:12:50 +02:00
if err != nil {
c . Err = err
return
}
} else {
//User with no permission should see only system commands
2021-07-12 20:05:36 +02:00
if ! c . App . SessionHasPermissionToTeam ( * c . AppContext . Session ( ) , teamId , model . PermissionManageSlashCommands ) {
2021-05-11 13:00:44 +03:00
commands , err = c . App . ListAutocompleteCommands ( teamId , c . AppContext . T )
2017-04-03 14:12:50 +02:00
if err != nil {
c . Err = err
return
}
} else {
2021-05-11 13:00:44 +03:00
commands , err = c . App . ListAllCommands ( teamId , c . AppContext . T )
2017-04-03 14:12:50 +02:00
if err != nil {
c . Err = err
return
}
}
}
2021-07-28 13:15:46 +05:30
if err := json . NewEncoder ( w ) . Encode ( commands ) ; err != nil {
mlog . Warn ( "Error writing response" , mlog . Err ( err ) )
}
2017-04-03 14:12:50 +02:00
}
2017-04-04 06:20:04 +02:00
2020-01-24 09:32:56 -05:00
func getCommand ( c * Context , w http . ResponseWriter , r * http . Request ) {
c . RequireCommandId ( )
if c . Err != nil {
return
}
cmd , err := c . App . GetCommand ( c . Params . CommandId )
if err != nil {
c . SetCommandNotFoundError ( )
return
}
// check for permissions to view this command; must have perms to view team and
// PERMISSION_MANAGE_SLASH_COMMANDS for the team the command belongs to.
2021-07-12 20:05:36 +02:00
if ! c . App . SessionHasPermissionToTeam ( * c . AppContext . Session ( ) , cmd . TeamId , model . PermissionViewTeam ) {
2020-01-24 09:32:56 -05:00
// here we return Not_found instead of a permissions error so we don't leak the existence of
// a command to someone without permissions for the team it belongs to.
c . SetCommandNotFoundError ( )
return
}
2021-07-12 20:05:36 +02:00
if ! c . App . SessionHasPermissionToTeam ( * c . AppContext . Session ( ) , cmd . TeamId , model . PermissionManageSlashCommands ) {
2020-01-24 09:32:56 -05:00
// again, return not_found to ensure id existence does not leak.
c . SetCommandNotFoundError ( )
return
}
2021-07-26 13:41:02 +05:30
if err := json . NewEncoder ( w ) . Encode ( cmd ) ; err != nil {
mlog . Warn ( "Error while writing response" , mlog . Err ( err ) )
}
2020-01-24 09:32:56 -05:00
}
2017-04-27 22:41:52 +09:00
func executeCommand ( c * Context , w http . ResponseWriter , r * http . Request ) {
2021-09-01 14:43:12 +02:00
var commandArgs model . CommandArgs
if jsonErr := json . NewDecoder ( r . Body ) . Decode ( & commandArgs ) ; jsonErr != nil {
2017-04-27 22:41:52 +09:00
c . SetInvalidParam ( "command_args" )
return
}
2020-05-07 22:57:35 +05:30
if len ( commandArgs . Command ) <= 1 || strings . Index ( commandArgs . Command , "/" ) != 0 || ! model . IsValidId ( commandArgs . ChannelId ) {
2017-04-27 22:41:52 +09:00
c . Err = model . NewAppError ( "executeCommand" , "api.command.execute_command.start.app_error" , nil , "" , http . StatusBadRequest )
return
}
2020-04-08 00:52:30 -04:00
auditRec := c . MakeAuditRecord ( "executeCommand" , audit . Fail )
defer c . LogAuditRec ( auditRec )
2022-07-14 14:52:46 +03:00
auditRec . AddEventParameter ( "command_args" , commandArgs )
2020-04-08 00:52:30 -04:00
auditRec . AddMeta ( "commandargs" , commandArgs )
2017-10-17 13:21:12 -04:00
// checks that user is a member of the specified channel, and that they have permission to use slash commands in it
2022-07-14 12:01:29 +03:00
if ! c . App . SessionHasPermissionToChannel ( c . AppContext , * c . AppContext . Session ( ) , commandArgs . ChannelId , model . PermissionUseSlashCommands ) {
2021-07-12 20:05:36 +02:00
c . SetPermissionError ( model . PermissionUseSlashCommands )
2017-04-27 22:41:52 +09:00
return
}
2022-07-14 12:01:29 +03:00
channel , err := c . App . GetChannel ( c . AppContext , commandArgs . ChannelId )
2017-04-27 22:41:52 +09:00
if err != nil {
c . Err = err
return
2018-08-01 16:55:18 +02:00
}
2021-07-12 20:05:36 +02:00
if channel . Type != model . ChannelTypeDirect && channel . Type != model . ChannelTypeGroup {
2017-10-17 13:21:12 -04:00
// if this isn't a DM or GM, the team id is implicitly taken from the channel so that slash commands created on
// some other team can't be run against this one
commandArgs . TeamId = channel . TeamId
} else {
// if the slash command was used in a DM or GM, ensure that the user is a member of the specified team, so that
// they can't just execute slash commands against arbitrary teams
2021-05-11 13:00:44 +03:00
if c . AppContext . Session ( ) . GetTeamByTeamId ( commandArgs . TeamId ) == nil {
2021-07-12 20:05:36 +02:00
if ! c . App . SessionHasPermissionTo ( * c . AppContext . Session ( ) , model . PermissionUseSlashCommands ) {
c . SetPermissionError ( model . PermissionUseSlashCommands )
2017-10-17 13:21:12 -04:00
return
}
}
2017-04-27 22:41:52 +09:00
}
2021-05-11 13:00:44 +03:00
commandArgs . UserId = c . AppContext . Session ( ) . UserId
commandArgs . T = c . AppContext . T
2017-04-27 22:41:52 +09:00
commandArgs . SiteURL = c . GetSiteURLHeader ( )
2021-05-11 13:00:44 +03:00
commandArgs . Session = * c . AppContext . Session ( )
2017-04-27 22:41:52 +09:00
2022-07-14 14:52:46 +03:00
auditRec . AddMeta ( "commandargs" , commandArgs ) // overwrite in case teamid changed. TODO do we need to log this too? is the original commandArgs not enough
2020-04-08 00:52:30 -04:00
2021-09-01 14:43:12 +02:00
response , err := c . App . ExecuteCommand ( c . AppContext , & commandArgs )
2017-04-27 22:41:52 +09:00
if err != nil {
c . Err = err
return
}
2020-04-08 00:52:30 -04:00
auditRec . Success ( )
2021-07-26 13:41:02 +05:30
if err := json . NewEncoder ( w ) . Encode ( response ) ; err != nil {
mlog . Warn ( "Error while writing response" , mlog . Err ( err ) )
}
2017-04-27 22:41:52 +09:00
}
2017-04-04 06:20:04 +02:00
func listAutocompleteCommands ( c * Context , w http . ResponseWriter , r * http . Request ) {
c . RequireTeamId ( )
if c . Err != nil {
return
}
2021-07-12 20:05:36 +02:00
if ! c . App . SessionHasPermissionToTeam ( * c . AppContext . Session ( ) , c . Params . TeamId , model . PermissionViewTeam ) {
c . SetPermissionError ( model . PermissionViewTeam )
2017-04-04 06:20:04 +02:00
return
}
2021-05-11 13:00:44 +03:00
commands , err := c . App . ListAutocompleteCommands ( c . Params . TeamId , c . AppContext . T )
2017-04-04 06:20:04 +02:00
if err != nil {
c . Err = err
return
}
2021-07-28 13:15:46 +05:30
if err := json . NewEncoder ( w ) . Encode ( commands ) ; err != nil {
mlog . Warn ( "Error while writing response" , mlog . Err ( err ) )
}
2017-04-04 06:20:04 +02:00
}
2017-04-16 22:49:57 +02:00
2020-05-21 12:24:56 +04:00
func listCommandAutocompleteSuggestions ( c * Context , w http . ResponseWriter , r * http . Request ) {
c . RequireTeamId ( )
if c . Err != nil {
return
}
2021-07-12 20:05:36 +02:00
if ! c . App . SessionHasPermissionToTeam ( * c . AppContext . Session ( ) , c . Params . TeamId , model . PermissionViewTeam ) {
c . SetPermissionError ( model . PermissionViewTeam )
2020-05-21 12:24:56 +04:00
return
}
2021-07-12 20:05:36 +02:00
roleId := model . SystemUserRoleId
2020-05-21 12:24:56 +04:00
if c . IsSystemAdmin ( ) {
2021-07-12 20:05:36 +02:00
roleId = model . SystemAdminRoleId
2020-05-21 12:24:56 +04:00
}
2020-07-02 11:08:58 -04:00
query := r . URL . Query ( )
userInput := query . Get ( "user_input" )
2020-05-21 12:24:56 +04:00
if userInput == "" {
c . SetInvalidParam ( "userInput" )
return
}
userInput = strings . TrimPrefix ( userInput , "/" )
2021-05-11 13:00:44 +03:00
commands , err := c . App . ListAutocompleteCommands ( c . Params . TeamId , c . AppContext . T )
2020-05-21 12:24:56 +04:00
if err != nil {
c . Err = err
return
}
2020-07-02 11:08:58 -04:00
commandArgs := & model . CommandArgs {
ChannelId : query . Get ( "channel_id" ) ,
TeamId : c . Params . TeamId ,
RootId : query . Get ( "root_id" ) ,
2021-05-11 13:00:44 +03:00
UserId : c . AppContext . Session ( ) . UserId ,
T : c . AppContext . T ,
Session : * c . AppContext . Session ( ) ,
2020-07-02 11:08:58 -04:00
SiteURL : c . GetSiteURLHeader ( ) ,
Command : userInput ,
}
2021-05-11 13:00:44 +03:00
suggestions := c . App . GetSuggestions ( c . AppContext , commandArgs , commands , roleId )
2020-05-21 12:24:56 +04:00
2021-09-01 14:43:12 +02:00
js , jsonErr := json . Marshal ( suggestions )
if jsonErr != nil {
c . Err = model . NewAppError ( "listCommandAutocompleteSuggestions" , "api.marshal_error" , nil , jsonErr . Error ( ) , http . StatusInternalServerError )
return
}
w . Write ( js )
2020-05-21 12:24:56 +04:00
}
2017-04-16 22:49:57 +02:00
func regenCommandToken ( c * Context , w http . ResponseWriter , r * http . Request ) {
c . RequireCommandId ( )
if c . Err != nil {
return
}
2020-03-12 15:50:21 -04:00
auditRec := c . MakeAuditRecord ( "regenCommandToken" , audit . Fail )
defer c . LogAuditRec ( auditRec )
2017-04-16 22:49:57 +02:00
c . LogAudit ( "attempt" )
2020-03-12 15:50:21 -04:00
2017-09-06 17:12:54 -05:00
cmd , err := c . App . GetCommand ( c . Params . CommandId )
2017-04-16 22:49:57 +02:00
if err != nil {
2020-04-08 00:52:30 -04:00
auditRec . AddMeta ( "command_id" , c . Params . CommandId )
2020-01-29 11:56:21 -05:00
c . SetCommandNotFoundError ( )
2017-04-16 22:49:57 +02:00
return
}
2020-04-08 00:52:30 -04:00
auditRec . AddMeta ( "command" , cmd )
2022-07-14 14:52:46 +03:00
auditRec . AddEventParameter ( "command_id" , c . Params . CommandId )
2017-04-16 22:49:57 +02:00
2021-07-12 20:05:36 +02:00
if ! c . App . SessionHasPermissionToTeam ( * c . AppContext . Session ( ) , cmd . TeamId , model . PermissionManageSlashCommands ) {
2017-04-16 22:49:57 +02:00
c . LogAudit ( "fail - inappropriate permissions" )
2020-01-29 11:56:21 -05:00
// here we return Not_found instead of a permissions error so we don't leak the existence of
// a command to someone without permissions for the team it belongs to.
c . SetCommandNotFoundError ( )
2017-04-16 22:49:57 +02:00
return
}
2021-07-12 20:05:36 +02:00
if c . AppContext . Session ( ) . UserId != cmd . CreatorId && ! c . App . SessionHasPermissionToTeam ( * c . AppContext . Session ( ) , cmd . TeamId , model . PermissionManageOthersSlashCommands ) {
2017-04-16 22:49:57 +02:00
c . LogAudit ( "fail - inappropriate permissions" )
2021-07-12 20:05:36 +02:00
c . SetPermissionError ( model . PermissionManageOthersSlashCommands )
2017-04-16 22:49:57 +02:00
return
}
2017-09-06 17:12:54 -05:00
rcmd , err := c . App . RegenCommandToken ( cmd )
2017-04-16 22:49:57 +02:00
if err != nil {
c . Err = err
return
}
2020-03-12 15:50:21 -04:00
auditRec . Success ( )
c . LogAudit ( "success" )
2017-04-16 22:49:57 +02:00
resp := make ( map [ string ] string )
resp [ "token" ] = rcmd . Token
2021-09-01 14:43:12 +02:00
w . Write ( [ ] byte ( model . MapToJSON ( resp ) ) )
2017-04-16 22:49:57 +02:00
}
