IntenseWebs/mattermost
3
0
Fork 0
mirror of https://github.com/mattermost/mattermost.git synced 2025-02-25 18:55:24 -06:00
Code Issues Packages Projects Releases Wiki Activity

MM-12519: simplify autocomplete team id checking (#9577)

Browse Source 
This handles clients sending a team id in a direct message or group channel autocomplete, when it necessarily won't match. Just verify that the user has permission for the team in question, whenever it is provided.
This commit is contained in:
Jesse Hallam
2018-10-09 15:25:57 -04:00
committed by Christopher Speller
parent fe9a81208e
commit 59319b7915
2 changed files with 12 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
api4/user.go
View File

@@ -594,21 +594,19 @@ func autocompleteUsers(c *Context, w http.ResponseWriter, r *http.Request) {
c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
return
}
}
// If a teamId is provided, require it to match the channel's team id.
if teamId != "" {
channel, err := c.App.GetChannel(channelId)
if err != nil {
c.Err = err
return
}
if channel.TeamId != teamId {
c.Err = model.NewAppError("autocompleteUsers", "api.user.autocomplete_users.invalid_team_id", nil, "", http.StatusUnauthorized)
return
}
if len(teamId) > 0 {
if !c.App.SessionHasPermissionToTeam(c.Session, teamId, model.PERMISSION_VIEW_TEAM) {
c.SetPermissionError(model.PERMISSION_VIEW_TEAM)
return
}
}
if len(channelId) > 0 {
// Applying the provided teamId here is useful for DMs and GMs which don't belong
// to a team. Applying it when the channel does belong to a team makes less sense,
//t but the permissions are checked above regardless.
result, err := c.App.AutocompleteUsersInChannel(teamId, channelId, name, searchOptions, c.IsSystemAdmin())
if err != nil {
c.Err = err
@@ -618,11 +616,6 @@ func autocompleteUsers(c *Context, w http.ResponseWriter, r *http.Request) {
autocomplete.Users = result.InChannel
autocomplete.OutOfChannel = result.OutOfChannel
} else if len(teamId) > 0 {
if !c.App.SessionHasPermissionToTeam(c.Session, teamId, model.PERMISSION_VIEW_TEAM) {
c.SetPermissionError(model.PERMISSION_VIEW_TEAM)
return
}
result, err := c.App.AutocompleteUsersInTeam(teamId, name, searchOptions, c.IsSystemAdmin())
if err != nil {
c.Err = err

4
api4/user_test.go
View File

@@ -873,9 +873,9 @@ func TestAutocompleteUsers(t *testing.T) {
t.Fatal("should not show first/last name")
}
t.Run("team id, if provided, must match channel's team id", func(t *testing.T) {
t.Run("user must have access to team id, especially when it does not match channel's team id", func(t *testing.T) {
rusers, resp = Client.AutocompleteUsersInChannel("otherTeamId", channelId, username, "")
CheckErrorMessage(t, resp, "api.user.autocomplete_users.invalid_team_id")
CheckErrorMessage(t, resp, "api.context.permissions.app_error")
})
}