Minor fix for expired sessions

api/context.go

@@ -42,31 +42,39 @@ type Context struct {
 }
 
 func ApiAppHandler(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
-	return &handler{h, false, false, true, false, false}
+	return &handler{h, false, false, true, false, false, false}
 }
 
 func AppHandler(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
-	return &handler{h, false, false, false, false, false}
+	return &handler{h, false, false, false, false, false, false}
 }
 
 func AppHandlerIndependent(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
-	return &handler{h, false, false, false, false, true}
+	return &handler{h, false, false, false, false, true, false}
 }
 
 func ApiUserRequired(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
-	return &handler{h, true, false, true, true, false}
+	return &handler{h, true, false, true, true, false, false}
 }
 
 func ApiUserRequiredActivity(h func(*Context, http.ResponseWriter, *http.Request), isUserActivity bool) http.Handler {
-	return &handler{h, true, false, true, isUserActivity, false}
+	return &handler{h, true, false, true, isUserActivity, false, false}
 }
 
 func UserRequired(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
-	return &handler{h, true, false, false, false, false}
+	return &handler{h, true, false, false, false, false, false}
 }
 
 func ApiAdminSystemRequired(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
-	return &handler{h, true, true, true, false, false}
+	return &handler{h, true, true, true, false, false, false}
+}
+
+func ApiAppHandlerTrustRequester(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
+	return &handler{h, false, false, true, false, false, true}
+}
+
+func ApiUserRequiredTrustRequester(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
+	return &handler{h, true, false, true, true, false, true}
 }
 
 type handler struct {
@@ -76,6 +84,7 @@ type handler struct {
 	isApi              bool
 	isUserActivity     bool
 	isTeamIndependent  bool
+	trustRequester     bool
 }
 
 func (h handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
@@ -104,6 +113,13 @@ func (h handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	if len(token) == 0 {
 		if cookie, err := r.Cookie(model.SESSION_COOKIE_TOKEN); err == nil {
 			token = cookie.Value
+
+			if (h.requireSystemAdmin || h.requireUser) && !h.trustRequester {
+				if r.Header.Get(model.HEADER_REQUESTED_WITH) != model.HEADER_REQUESTED_WITH_XML {
+					c.Err = model.NewLocAppError("ServeHTTP", "api.context.session_expired.app_error", nil, "token="+token)
+					token = ""
+				}
+			}
 		}
 	}
 

api/file.go

@@ -62,7 +62,7 @@ func InitFile(r *mux.Router) {
 
 	sr := r.PathPrefix("/files").Subrouter()
 	sr.Handle("/upload", ApiUserRequired(uploadFile)).Methods("POST")
-	sr.Handle("/get/{channel_id:[A-Za-z0-9]+}/{user_id:[A-Za-z0-9]+}/{filename:([A-Za-z0-9]+/)?.+(\\.[A-Za-z0-9]{3,})?}", ApiAppHandler(getFile)).Methods("GET")
+	sr.Handle("/get/{channel_id:[A-Za-z0-9]+}/{user_id:[A-Za-z0-9]+}/{filename:([A-Za-z0-9]+/)?.+(\\.[A-Za-z0-9]{3,})?}", ApiAppHandlerTrustRequester(getFile)).Methods("GET")
 	sr.Handle("/get_info/{channel_id:[A-Za-z0-9]+}/{user_id:[A-Za-z0-9]+}/{filename:([A-Za-z0-9]+/)?.+(\\.[A-Za-z0-9]{3,})?}", ApiAppHandler(getFileInfo)).Methods("GET")
 	sr.Handle("/get_public_link", ApiUserRequired(getPublicLink)).Methods("POST")
 	sr.Handle("/get_export", ApiUserRequired(getExport)).Methods("GET")

api/user.go

@@ -67,7 +67,7 @@ func InitUser(r *mux.Router) {
 	sr.Handle("/{id:[A-Za-z0-9]+}", ApiUserRequired(getUser)).Methods("GET")
 	sr.Handle("/{id:[A-Za-z0-9]+}/sessions", ApiUserRequired(getSessions)).Methods("GET")
 	sr.Handle("/{id:[A-Za-z0-9]+}/audits", ApiUserRequired(getAudits)).Methods("GET")
-	sr.Handle("/{id:[A-Za-z0-9]+}/image", ApiUserRequired(getProfileImage)).Methods("GET")
+	sr.Handle("/{id:[A-Za-z0-9]+}/image", ApiUserRequiredTrustRequester(getProfileImage)).Methods("GET")
 
 	sr.Handle("/claim/email_to_oauth", ApiAppHandler(emailToOAuth)).Methods("POST")
 	sr.Handle("/claim/oauth_to_email", ApiUserRequired(oauthToEmail)).Methods("POST")

api/web_socket.go

@@ -14,7 +14,7 @@ import (
 
 func InitWebSocket(r *mux.Router) {
 	l4g.Debug(utils.T("api.web_socket.init.debug"))
-	r.Handle("/websocket", ApiUserRequired(connect)).Methods("GET")
+	r.Handle("/websocket", ApiUserRequiredTrustRequester(connect)).Methods("GET")
 	hub.Start()
 }
 

model/client.go

@@ -16,17 +16,19 @@ import (
 )
 
 const (
-	HEADER_REQUEST_ID      = "X-Request-ID"
-	HEADER_VERSION_ID      = "X-Version-ID"
-	HEADER_ETAG_SERVER     = "ETag"
-	HEADER_ETAG_CLIENT     = "If-None-Match"
-	HEADER_FORWARDED       = "X-Forwarded-For"
-	HEADER_REAL_IP         = "X-Real-IP"
-	HEADER_FORWARDED_PROTO = "X-Forwarded-Proto"
-	HEADER_TOKEN           = "token"
-	HEADER_BEARER          = "BEARER"
-	HEADER_AUTH            = "Authorization"
-	API_URL_SUFFIX         = "/api/v1"
+	HEADER_REQUEST_ID         = "X-Request-ID"
+	HEADER_VERSION_ID         = "X-Version-ID"
+	HEADER_ETAG_SERVER        = "ETag"
+	HEADER_ETAG_CLIENT        = "If-None-Match"
+	HEADER_FORWARDED          = "X-Forwarded-For"
+	HEADER_REAL_IP            = "X-Real-IP"
+	HEADER_FORWARDED_PROTO    = "X-Forwarded-Proto"
+	HEADER_TOKEN              = "token"
+	HEADER_BEARER             = "BEARER"
+	HEADER_AUTH               = "Authorization"
+	HEADER_REQUESTED_WITH     = "X-Requested-With"
+	HEADER_REQUESTED_WITH_XML = "XMLHttpRequest"
+	API_URL_SUFFIX            = "/api/v1"
 )
 
 type Result struct {