[MM-51724] (#22740)

* createUserAccessToken updates

* lint
This commit is contained in:
Ben Cooke
2023-04-03 14:30:07 -04:00
committed by GitHub
parent dacac2e3ed
commit af4c98cdf9
2 changed files with 43 additions and 3 deletions


@@ -2372,10 +2372,14 @@ func createUserAccessToken(c *Context, w http.ResponseWriter, r *http.Request) {
audit.AddEventParameter(auditRec, "user_id", c.Params.UserId)
defer c.LogAuditRec(auditRec)
if user, err := c.App.GetUser(c.Params.UserId); err == nil {
audit.AddEventParameterAuditable(auditRec, "user", user)
user, err := c.App.GetUser(c.Params.UserId)
if err != nil {
c.Err = err
return
}
audit.AddEventParameterAuditable(auditRec, "user", user)
if c.AppContext.Session().IsOAuth {
c.SetPermissionError(model.PermissionCreateUserAccessToken)
c.Err.DetailedError += ", attempted access by oauth app"
@@ -2405,6 +2409,11 @@ func createUserAccessToken(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
if user.IsSystemAdmin() && !c.App.SessionHasPermissionTo(*c.AppContext.Session(), model.PermissionManageSystem) {
c.SetPermissionError(model.PermissionManageSystem)
return
}
accessToken.UserId = c.Params.UserId
accessToken.Token = ""
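Review bot: The early return added after `c.App.GetUser(c.Params.UserId)` in the first hunk fires before the OAuth check and, presumably, the permission checks that sit between the two hunks, so a caller who is not allowed to act on the target user now receives GetUser's own error for an unknown ID instead of the permission error every other denied request gets; the previous code fell through silently and let the permission checks answer. That difference is a small oracle for distinguishing existing from non-existing user IDs, so consider keeping the lookup but only surfacing its error once the permission checks have passed, or mapping it onto the same permission error, e.g. `c.SetPermissionError(model.PermissionCreateUserAccessToken)` in place of `c.Err = err`. The system-admin guard in the second hunk is the natural spot, since it is the first place that actually needs `user`. The permission checks between the hunks and the rest of createUserAccessToken are outside this section, so the exact ordering should be confirmed against the full function.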


@@ -4339,7 +4339,38 @@ func TestCreateUserAccessToken(t *testing.T) {
CheckForbiddenStatus(t, resp)
})
t.Run("create user access token for basic user as as system admin", func(t *testing.T) {
t.Run("create user access token for another user, with permission", func(t *testing.T) {
th := Setup(t).InitBasic()
defer th.TearDown()
th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableUserAccessTokens = true })
th.AddPermissionToRole(model.PermissionEditOtherUsers.Id, model.SystemUserManagerRoleId)
th.App.UpdateUserRoles(th.Context, th.BasicUser.Id, model.SystemUserManagerRoleId+" "+model.SystemUserAccessTokenRoleId, false)
rtoken, _, err := th.Client.CreateUserAccessToken(th.BasicUser2.Id, "test token")
require.NoError(t, err)
assert.Equal(t, th.BasicUser2.Id, rtoken.UserId)
oldSessionToken := th.Client.AuthToken
defer func() { th.Client.AuthToken = oldSessionToken }()
assertToken(t, th, rtoken, th.BasicUser2.Id)
})
t.Run("create user access token for system admin, as system user manager", func(t *testing.T) {
th := Setup(t).InitBasic()
defer th.TearDown()
th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableUserAccessTokens = true })
th.AddPermissionToRole(model.PermissionEditOtherUsers.Id, model.SystemUserManagerRoleId)
th.App.UpdateUserRoles(th.Context, th.BasicUser.Id, model.SystemUserManagerRoleId+" "+model.SystemUserAccessTokenRoleId, false)
_, resp, err := th.Client.CreateUserAccessToken(th.SystemAdminUser.Id, "test token")
require.Error(t, err)
CheckForbiddenStatus(t, resp)
})
t.Run("create user access token for basic user as a system admin", func(t *testing.T) {
th := Setup(t).InitBasic()
defer th.TearDown()