[MM-53192] Patch Show Full Name issue in Insights team_members API (#24027)

* [MM-53192] Patch full name leak in Insights team_members API

* Update server/channels/app/team.go

Co-authored-by: Ibrahim Serdar Acikgoz <serdaracikgoz86@gmail.com>

---------

Co-authored-by: Ibrahim Serdar Acikgoz <serdaracikgoz86@gmail.com>
Devin Binnie 2023-07-18 09:41:16 -04:00 committed by GitHub
parent 66c2837d2c
commit a6a9664e53
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 28 additions and 22 deletions


@ -2149,7 +2149,8 @@ func (a *App) GetNewTeamMembersSince(c request.CTX, teamID string, opts *model.I
return nil, 0, model.NewAppError("GetNewTeamMembersSince", "app.insights.feature_disabled", nil, "", http.StatusNotImplemented) return nil, 0, model.NewAppError("GetNewTeamMembersSince", "app.insights.feature_disabled", nil, "", http.StatusNotImplemented)
} }
ntms, count, err := a.Srv().Store().Team().GetNewTeamMembersSince(teamID, opts.StartUnixMilli, opts.Page*opts.PerPage, opts.PerPage) showFullName := *a.Config().PrivacySettings.ShowFullName || a.SessionHasPermissionTo(*c.Session(), model.PermissionManageSystem)
ntms, count, err := a.Srv().Store().Team().GetNewTeamMembersSince(teamID, opts.StartUnixMilli, opts.Page*opts.PerPage, opts.PerPage, showFullName)
if err != nil { if err != nil {
return nil, 0, model.NewAppError("GetNewTeamMembersSince", model.NoTranslation, nil, "", http.StatusInternalServerError).Wrap(err) return nil, 0, model.NewAppError("GetNewTeamMembersSince", model.NoTranslation, nil, "", http.StatusInternalServerError).Wrap(err)
} }
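Review bot: The new `showFullName` line encodes a privacy rule without a comment: full names are returned when `PrivacySettings.ShowFullName` is enabled or when the session holds `PermissionManageSystem`. A reader of the store call below has no hint why a boolean is now passed down. A comment above it such as `// Honor PrivacySettings.ShowFullName; system admins always see full names.` would record the intent. The same line dereferences `*c.Session()` directly, so it relies on every caller supplying a context that carries a session, which cannot be confirmed from this hunk. GetNewTeamMembersSince starts and ends outside the hunk.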


@ -9652,7 +9652,7 @@ func (s *OpenTracingLayerTeamStore) GetMembersByIds(teamID string, userIds []str
return result, err return result, err
} }
func (s *OpenTracingLayerTeamStore) GetNewTeamMembersSince(teamID string, since int64, offset int, limit int) (*model.NewTeamMembersList, int64, error) { func (s *OpenTracingLayerTeamStore) GetNewTeamMembersSince(teamID string, since int64, offset int, limit int, showFullName bool) (*model.NewTeamMembersList, int64, error) {
origCtx := s.Root.Store.Context() origCtx := s.Root.Store.Context()
span, newCtx := tracing.StartSpanWithParentByContext(s.Root.Store.Context(), "TeamStore.GetNewTeamMembersSince") span, newCtx := tracing.StartSpanWithParentByContext(s.Root.Store.Context(), "TeamStore.GetNewTeamMembersSince")
s.Root.Store.SetContext(newCtx) s.Root.Store.SetContext(newCtx)
@ -9661,7 +9661,7 @@ func (s *OpenTracingLayerTeamStore) GetNewTeamMembersSince(teamID string, since
}() }()
defer span.Finish() defer span.Finish()
result, resultVar1, err := s.TeamStore.GetNewTeamMembersSince(teamID, since, offset, limit) result, resultVar1, err := s.TeamStore.GetNewTeamMembersSince(teamID, since, offset, limit, showFullName)
if err != nil { if err != nil {
span.LogFields(spanlog.Error(err)) span.LogFields(spanlog.Error(err))
ext.Error.Set(span, true) ext.Error.Set(span, true)


@ -11021,11 +11021,11 @@ func (s *RetryLayerTeamStore) GetMembersByIds(teamID string, userIds []string, r
} }
func (s *RetryLayerTeamStore) GetNewTeamMembersSince(teamID string, since int64, offset int, limit int) (*model.NewTeamMembersList, int64, error) { func (s *RetryLayerTeamStore) GetNewTeamMembersSince(teamID string, since int64, offset int, limit int, showFullName bool) (*model.NewTeamMembersList, int64, error) {
tries := 0 tries := 0
for { for {
result, resultVar1, err := s.TeamStore.GetNewTeamMembersSince(teamID, since, offset, limit) result, resultVar1, err := s.TeamStore.GetNewTeamMembersSince(teamID, since, offset, limit, showFullName)
if err == nil { if err == nil {
return result, resultVar1, nil return result, resultVar1, nil
} }


@ -1653,7 +1653,7 @@ func (s SqlTeamStore) GroupSyncedTeamCount() (int64, error) {
return count, nil return count, nil
} }
func (s SqlTeamStore) GetNewTeamMembersSince(teamID string, since int64, offset int, limit int) (*model.NewTeamMembersList, int64, error) { func (s SqlTeamStore) GetNewTeamMembersSince(teamID string, since int64, offset int, limit int, showFullName bool) (*model.NewTeamMembersList, int64, error) {
builderF := func(selectClause string) sq.SelectBuilder { builderF := func(selectClause string) sq.SelectBuilder {
return s.getQueryBuilder(). return s.getQueryBuilder().
Select(selectClause). Select(selectClause).
@ -1675,7 +1675,12 @@ func (s SqlTeamStore) GetNewTeamMembersSince(teamID string, since int64, offset
return nil, 0, errors.Wrap(err, "failed to count team members since") return nil, 0, errors.Wrap(err, "failed to count team members since")
} }
newTeamMembersBuilder := builderF("Users.Id, Users.Username, Users.FirstName, Users.LastName, Users.Position, Users.LastPictureUpdate, TeamMembers.CreateAt, Users.Nickname"). selectClause := "Users.Id, Users.Username, Users.Position, Users.LastPictureUpdate, TeamMembers.CreateAt, Users.Nickname"
if showFullName {
selectClause += ", Users.FirstName, Users.LastName"
}
newTeamMembersBuilder := builderF(selectClause).
Limit(uint64(limit + 1)). Limit(uint64(limit + 1)).
Offset(uint64(offset)) Offset(uint64(offset))
query, args, err = newTeamMembersBuilder.ToSql() query, args, err = newTeamMembersBuilder.ToSql()
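Review bot: The conditional column list built at `selectClause := ...` has no comment saying that `Users.FirstName` and `Users.LastName` are deliberately kept out of the base query for privacy, so a later edit could fold them back into the base list. Suggest adding `// FirstName/LastName are selected only when the caller may see full names; keep them out of the base column list.` above the `if showFullName` branch. The two columns also moved to the end of the select list, and the scan that consumes the rows is outside this hunk; it is worth confirming that it maps columns by name and leaves the fields empty when they are absent. GetNewTeamMembersSince begins and ends outside the hunks shown.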


@ -171,7 +171,7 @@ type TeamStore interface {
// users belong. // users belong.
GetCommonTeamIDsForTwoUsers(userID, otherUserID string) ([]string, error) GetCommonTeamIDsForTwoUsers(userID, otherUserID string) ([]string, error)
GetNewTeamMembersSince(teamID string, since int64, offset int, limit int) (*model.NewTeamMembersList, int64, error) GetNewTeamMembersSince(teamID string, since int64, offset int, limit int, showFullName bool) (*model.NewTeamMembersList, int64, error)
} }
type ChannelStore interface { type ChannelStore interface {


@ -549,32 +549,32 @@ func (_m *TeamStore) GetMembersByIds(teamID string, userIds []string, restrictio
return r0, r1 return r0, r1
} }
// GetNewTeamMembersSince provides a mock function with given fields: teamID, since, offset, limit // GetNewTeamMembersSince provides a mock function with given fields: teamID, since, offset, limit, showFullName
func (_m *TeamStore) GetNewTeamMembersSince(teamID string, since int64, offset int, limit int) (*model.NewTeamMembersList, int64, error) { func (_m *TeamStore) GetNewTeamMembersSince(teamID string, since int64, offset int, limit int, showFullName bool) (*model.NewTeamMembersList, int64, error) {
ret := _m.Called(teamID, since, offset, limit) ret := _m.Called(teamID, since, offset, limit, showFullName)
var r0 *model.NewTeamMembersList var r0 *model.NewTeamMembersList
var r1 int64 var r1 int64
var r2 error var r2 error
if rf, ok := ret.Get(0).(func(string, int64, int, int) (*model.NewTeamMembersList, int64, error)); ok { if rf, ok := ret.Get(0).(func(string, int64, int, int, bool) (*model.NewTeamMembersList, int64, error)); ok {
return rf(teamID, since, offset, limit) return rf(teamID, since, offset, limit, showFullName)
} }
if rf, ok := ret.Get(0).(func(string, int64, int, int) *model.NewTeamMembersList); ok { if rf, ok := ret.Get(0).(func(string, int64, int, int, bool) *model.NewTeamMembersList); ok {
r0 = rf(teamID, since, offset, limit) r0 = rf(teamID, since, offset, limit, showFullName)
} else { } else {
if ret.Get(0) != nil { if ret.Get(0) != nil {
r0 = ret.Get(0).(*model.NewTeamMembersList) r0 = ret.Get(0).(*model.NewTeamMembersList)
} }
} }
if rf, ok := ret.Get(1).(func(string, int64, int, int) int64); ok { if rf, ok := ret.Get(1).(func(string, int64, int, int, bool) int64); ok {
r1 = rf(teamID, since, offset, limit) r1 = rf(teamID, since, offset, limit, showFullName)
} else { } else {
r1 = ret.Get(1).(int64) r1 = ret.Get(1).(int64)
} }
if rf, ok := ret.Get(2).(func(string, int64, int, int) error); ok { if rf, ok := ret.Get(2).(func(string, int64, int, int, bool) error); ok {
r2 = rf(teamID, since, offset, limit) r2 = rf(teamID, since, offset, limit, showFullName)
} else { } else {
r2 = ret.Error(2) r2 = ret.Error(2)
} }


@ -3630,6 +3630,6 @@ func testGetNewTeamMembersSince(t *testing.T, ss store.Store) {
}) })
require.NoError(t, err) require.NoError(t, err)
_, _, err = ss.Team().GetNewTeamMembersSince(team.Id, 0, 0, 1000) _, _, err = ss.Team().GetNewTeamMembersSince(team.Id, 0, 0, 1000, false)
require.NoError(t, err) require.NoError(t, err)
} }
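Review bot: The updated call only passes `false` and checks `require.NoError`, so nothing in this test verifies the behaviour the commit is meant to fix. As written, the returned list is discarded (`_, _, err = ...`), and a regression that selects the name columns unconditionally would still pass. Capture the list, e.g. `list, _, err := ss.Team().GetNewTeamMembersSince(team.Id, 0, 0, 1000, false)`, and assert that every returned member has empty first and last names. Then repeat the call with `true` and assert that the names are populated. testGetNewTeamMembersSince starts outside the hunk, so existing fixtures may already provide users with names set.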


@ -8691,10 +8691,10 @@ func (s *TimerLayerTeamStore) GetMembersByIds(teamID string, userIds []string, r
return result, err return result, err
} }
func (s *TimerLayerTeamStore) GetNewTeamMembersSince(teamID string, since int64, offset int, limit int) (*model.NewTeamMembersList, int64, error) { func (s *TimerLayerTeamStore) GetNewTeamMembersSince(teamID string, since int64, offset int, limit int, showFullName bool) (*model.NewTeamMembersList, int64, error) {
start := time.Now() start := time.Now()
result, resultVar1, err := s.TeamStore.GetNewTeamMembersSince(teamID, since, offset, limit) result, resultVar1, err := s.TeamStore.GetNewTeamMembersSince(teamID, since, offset, limit, showFullName)
elapsed := float64(time.Since(start)) / float64(time.Second) elapsed := float64(time.Since(start)) / float64(time.Second)
if s.Root.Metrics != nil { if s.Root.Metrics != nil {