From a3bc73c1dcf17e1d1bcc89af2b0ea090c01d6571 Mon Sep 17 00:00:00 2001 From: Doug Lauder Date: Thu, 6 Jun 2024 10:28:02 -0400 Subject: [PATCH] MM-58253 Ensure remotes can only update users belonging to them (#27290) * - ensure new users get correct remoteID - ensure remotes can only update users belonging to them - ensure user remoteIDs cannot be changed once set * make modules-tidy --------- Co-authored-by: Mattermost Build --- server/go.mod | 2 +- server/go.sum | 4 ++-- server/platform/services/sharedchannel/sync_recv.go | 10 ++++------ 3 files changed, 7 insertions(+), 9 deletions(-)
diff --git a/server/go.mod b/server/go.mod
index c24a4fdc69..b9de7bc7cf 100644
--- a/server/go.mod
+++ b/server/go.mod
@@ -42,7 +42,7 @@ require (
 github.com/mattermost/gosaml2 v0.8.0
 github.com/mattermost/ldap v0.0.0-20231116144001-0f480c025956
 github.com/mattermost/logr/v2 v2.0.21
- github.com/mattermost/mattermost/server/public v0.1.0
+ github.com/mattermost/mattermost/server/public v0.1.4
 github.com/mattermost/morph v1.1.0
 github.com/mattermost/rsc v0.0.0-20160330161541-bbaefb05eaa0
 github.com/mattermost/squirrel v0.4.0
diff --git a/server/go.sum b/server/go.sum
index c6335e3685..504379bc86 100644
--- a/server/go.sum
+++ b/server/go.sum
@@ -356,8 +356,8 @@ github.com/mattermost/ldap v0.0.0-20231116144001-0f480c025956 h1:Y1Tu/swM31pVwwb github.com/mattermost/ldap v0.0.0-20231116144001-0f480c025956/go.mod h1:SRl30Lb7/QoYyohYeVBuqYvvmXSZJxZgiV3Zf6VbxjI= github.com/mattermost/logr/v2 v2.0.21 h1:CMHsP+nrbRlEC4g7BwOk1GAnMtHkniFhlSQPXy52be4= github.com/mattermost/logr/v2 v2.0.21/go.mod h1:kZkB/zqKL9e+RY5gB3vGpsyenC+TpuiOenjMkvJJbzc= -github.com/mattermost/mattermost/server/public v0.1.0 h1:64o/Ie8vXVNrgmBJxh9rFXbNQ+kV7+BQo/XT9u0GX8E= -github.com/mattermost/mattermost/server/public v0.1.0/go.mod h1:WeqCPudYLqk4HjjGvCMJwhtHMVvcNUTHIbrLmLjAD+4= +github.com/mattermost/mattermost/server/public v0.1.4 h1:goP0DbsrKTS79Sh0ozHRU/CGScaxU9FEaWbhanslCCc= +github.com/mattermost/mattermost/server/public v0.1.4/go.mod h1:PDPb/iqzJJ5ZvK/m70oDF55AXN/cOvVFj96Yu4e6j+Q= github.com/mattermost/morph v1.1.0 h1:Q9vrJbeM3s2jfweGheq12EFIzdNp9a/6IovcbvOQ6Cw= github.com/mattermost/morph v1.1.0/go.mod h1:gD+EaqX2UMyyuzmF4PFh4r33XneQ8Nzi+0E8nXjMa3A= github.com/mattermost/rsc v0.0.0-20160330161541-bbaefb05eaa0 h1:G9tL6JXRBMzjuD1kkBtcnd42kUiT6QDwxfFYu7adM6o=
diff --git a/server/platform/services/sharedchannel/sync_recv.go b/server/platform/services/sharedchannel/sync_recv.go
index b72dd58db3..170342e274 100644
--- a/server/platform/services/sharedchannel/sync_recv.go
+++ b/server/platform/services/sharedchannel/sync_recv.go
@@ -171,9 +171,6 @@ func (scs *Service) processSyncMessage(c request.CTX, syncMsg *model.SyncMsg, rc
 func (scs *Service) upsertSyncUser(c request.CTX, user *model.User, channel *model.Channel, rc *model.RemoteCluster) (*model.User, error) {
 var err error
- if SafeString(user.RemoteId) == "" {
- user.RemoteId = model.NewString(rc.RemoteId)
- }
 // Check if user already exists
 euser, err := scs.server.GetStore().User().Get(context.Background(), user.Id)
@@ -185,12 +182,14 @@ func (scs *Service) upsertSyncUser(c request.CTX, user *model.User, channel *mod
 var userSaved *model.User
 if euser == nil {
+ // new user. Make sure the remoteID is correct and insert the record
+ user.RemoteId = model.NewString(rc.RemoteId)
 if userSaved, err = scs.insertSyncUser(c, user, channel, rc); err != nil {
 return nil, err
 }
 } else {
- // check if existing user belongs to the remote that issued the update
- if SafeString(euser.RemoteId) != SafeString(user.RemoteId) {
+ // existing user. Make sure user belongs to the remote that issued the update
+ if SafeString(euser.RemoteId) != rc.RemoteId {
 scs.server.Log().Log(mlog.LvlSharedChannelServiceError, "RemoteID mismatch sync'ing user",
 mlog.String("remote", rc.Name),
 mlog.String("user_id", user.Id),
@@ -209,7 +208,6 @@ func (scs *Service) upsertSyncUser(c request.CTX, user *model.User, channel *mod
 Position: &user.Position,
 Locale: &user.Locale,
 Timezone: user.Timezone,
- RemoteId: user.RemoteId,
 }
 if userSaved, err = scs.updateSyncUser(c, patch, euser, channel, rc); err != nil {
 return nil, err
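Review bot: The new ownership check in the `else` branch, `SafeString(euser.RemoteId) != rc.RemoteId`, would pass for a local user whenever `rc.RemoteId` is empty, assuming SafeString returns `""` for an unset pointer as the check removed in the first sync_recv.go hunk suggests. If an empty remote id is possible for a RemoteCluster record, guard it explicitly: `if rc.RemoteId == "" || SafeString(euser.RemoteId) != rc.RemoteId {`. The diffstat lists no test file, so a regression test is worth adding for a remote that syncs a user owned by another remote and for a payload that carries a different RemoteId; that would pin the behaviour this check and the `RemoteId` removal from the patch in the last hunk rely on. upsertSyncUser starts and ends outside this hunk.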