MM-58253 Ensure remotes can only update users belonging to them (#27290)

* - ensure new users get correct remoteID
- ensure remotes can only update users belonging to them
- ensure user remoteIDs cannot be changed once set

* make modules-tidy

---------

Co-authored-by: Mattermost Build <build@mattermost.com>
Doug Lauder 2024-06-06 10:28:02 -04:00 committed by GitHub
parent 04181247f8
commit a3bc73c1dc
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 7 additions and 9 deletions


@ -42,7 +42,7 @@ require (
github.com/mattermost/gosaml2 v0.8.0
github.com/mattermost/ldap v0.0.0-20231116144001-0f480c025956
github.com/mattermost/logr/v2 v2.0.21
github.com/mattermost/mattermost/server/public v0.1.0
github.com/mattermost/mattermost/server/public v0.1.4
github.com/mattermost/morph v1.1.0
github.com/mattermost/rsc v0.0.0-20160330161541-bbaefb05eaa0
github.com/mattermost/squirrel v0.4.0


@ -356,8 +356,8 @@ github.com/mattermost/ldap v0.0.0-20231116144001-0f480c025956 h1:Y1Tu/swM31pVwwb
github.com/mattermost/ldap v0.0.0-20231116144001-0f480c025956/go.mod h1:SRl30Lb7/QoYyohYeVBuqYvvmXSZJxZgiV3Zf6VbxjI=
github.com/mattermost/logr/v2 v2.0.21 h1:CMHsP+nrbRlEC4g7BwOk1GAnMtHkniFhlSQPXy52be4=
github.com/mattermost/logr/v2 v2.0.21/go.mod h1:kZkB/zqKL9e+RY5gB3vGpsyenC+TpuiOenjMkvJJbzc=
github.com/mattermost/mattermost/server/public v0.1.0 h1:64o/Ie8vXVNrgmBJxh9rFXbNQ+kV7+BQo/XT9u0GX8E=
github.com/mattermost/mattermost/server/public v0.1.0/go.mod h1:WeqCPudYLqk4HjjGvCMJwhtHMVvcNUTHIbrLmLjAD+4=
github.com/mattermost/mattermost/server/public v0.1.4 h1:goP0DbsrKTS79Sh0ozHRU/CGScaxU9FEaWbhanslCCc=
github.com/mattermost/mattermost/server/public v0.1.4/go.mod h1:PDPb/iqzJJ5ZvK/m70oDF55AXN/cOvVFj96Yu4e6j+Q=
github.com/mattermost/morph v1.1.0 h1:Q9vrJbeM3s2jfweGheq12EFIzdNp9a/6IovcbvOQ6Cw=
github.com/mattermost/morph v1.1.0/go.mod h1:gD+EaqX2UMyyuzmF4PFh4r33XneQ8Nzi+0E8nXjMa3A=
github.com/mattermost/rsc v0.0.0-20160330161541-bbaefb05eaa0 h1:G9tL6JXRBMzjuD1kkBtcnd42kUiT6QDwxfFYu7adM6o=


@ -171,9 +171,6 @@ func (scs *Service) processSyncMessage(c request.CTX, syncMsg *model.SyncMsg, rc
func (scs *Service) upsertSyncUser(c request.CTX, user *model.User, channel *model.Channel, rc *model.RemoteCluster) (*model.User, error) {
var err error
if SafeString(user.RemoteId) == "" {
user.RemoteId = model.NewString(rc.RemoteId)
}
// Check if user already exists
euser, err := scs.server.GetStore().User().Get(context.Background(), user.Id)
@ -185,12 +182,14 @@ func (scs *Service) upsertSyncUser(c request.CTX, user *model.User, channel *mod
var userSaved *model.User
if euser == nil {
// new user. Make sure the remoteID is correct and insert the record
user.RemoteId = model.NewString(rc.RemoteId)
if userSaved, err = scs.insertSyncUser(c, user, channel, rc); err != nil {
return nil, err
}
} else {
// check if existing user belongs to the remote that issued the update
if SafeString(euser.RemoteId) != SafeString(user.RemoteId) {
// existing user. Make sure user belongs to the remote that issued the update
if SafeString(euser.RemoteId) != rc.RemoteId {
scs.server.Log().Log(mlog.LvlSharedChannelServiceError, "RemoteID mismatch sync'ing user",
mlog.String("remote", rc.Name),
mlog.String("user_id", user.Id),
@ -209,7 +208,6 @@ func (scs *Service) upsertSyncUser(c request.CTX, user *model.User, channel *mod
Position: &user.Position,
Locale: &user.Locale,
Timezone: user.Timezone,
RemoteId: user.RemoteId,
}
if userSaved, err = scs.updateSyncUser(c, patch, euser, channel, rc); err != nil {
return nil, err
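Review bot: The new ownership check `SafeString(euser.RemoteId) != rc.RemoteId` also passes when both sides are empty, so a local user (no RemoteId, assuming SafeString maps nil to "") would be accepted for update if a remote cluster record ever carried an empty RemoteId. Failing closed costs one condition: `if rc.RemoteId == "" || SafeString(euser.RemoteId) != rc.RemoteId {`. The mismatch branch continues outside the hunk, so whether it returns before the patch is built cannot be confirmed from the visible lines. The commit appears to touch only the two module files and this one, so a regression test would help: a remote must not be able to update a local user or a user owned by another remote, and RemoteId must stay unchanged after an update.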