From c8646eae51a3ccd6f79e94bd47b06da99fc732c8 Mon Sep 17 00:00:00 2001
From: Martin Kraft
Date: Mon, 3 Jun 2019 12:38:33 -0400
Subject: [PATCH] MM-15947: Prevents new user creation with invite link to group-constrained team. (#11023)
---
 api4/user_test.go | 20 +++++++++++++++++++-
 app/user.go | 4 ++++
 2 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/api4/user_test.go b/api4/user_test.go
index e1017c431b..d8869b52de 100644
--- a/api4/user_test.go
+++ b/api4/user_test.go
@@ -260,6 +260,25 @@ func TestCreateUserWithInviteId(t *testing.T) {
 CheckUserSanitization(t, ruser)
 })
+ t.Run("GroupConstrainedTeam", func(t *testing.T) {
+ user := model.User{Email: th.GenerateTestEmail(), Nickname: "", Password: "hello1", Username: GenerateTestUsername(), Roles: model.SYSTEM_ADMIN_ROLE_ID + " " + model.SYSTEM_USER_ROLE_ID}
+
+ th.BasicTeam.GroupConstrained = model.NewBool(true)
+ team, err := th.App.UpdateTeam(th.BasicTeam)
+ require.Nil(t, err)
+
+ defer func() {
+ th.BasicTeam.GroupConstrained = model.NewBool(false)
+ _, err = th.App.UpdateTeam(th.BasicTeam)
+ require.Nil(t, err)
+ }()
+
+ inviteID := team.InviteId
+
+ _, resp := th.Client.CreateUserWithInviteId(&user, inviteID)
+ require.Equal(t, "app.team.invite_id.group_constrained.error", resp.Error.Id)
+ })
+
 t.Run("WrongInviteId", func(t *testing.T) {
 user := model.User{Email: th.GenerateTestEmail(), Nickname: "Corey Hulen", Password: "hello1", Username: GenerateTestUsername(), Roles: model.SYSTEM_ADMIN_ROLE_ID + " " + model.SYSTEM_USER_ROLE_ID}
@@ -336,7 +355,6 @@ func TestCreateUserWithInviteId(t *testing.T) {
 }
 CheckUserSanitization(t, ruser)
 })
-
 }
 func TestGetMe(t *testing.T) {
diff --git a/app/user.go b/app/user.go
index d26a24f760..918345f40e 100644
--- a/app/user.go
+++ b/app/user.go
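Review bot: In the `GroupConstrainedTeam` subtest, the final `require.Equal` dereferences `resp.Error` without first checking it, so if the guard regresses and the signup succeeds the test panics on a nil pointer instead of failing with a readable message. The returned user is discarded as well, so nothing asserts that no account came back for the group-constrained team. Keep the result and add `require.Nil(t, ruser)` and `require.NotNil(t, resp.Error)` ahead of the ID comparison; comparing `resp.StatusCode` with `http.StatusForbidden` would also pin the status set in `app/user.go`. The deferred cleanup writes `model.NewBool(false)` rather than the value `th.BasicTeam.GroupConstrained` held before the subtest, which matters only if other subtests distinguish nil from false. The subtest is complete in the hunk; the enclosing `TestCreateUserWithInviteId` starts and ends outside it.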
@@ -104,6 +104,10 @@ func (a *App) CreateUserWithInviteId(user *model.User, inviteId string) (*model.
 }
 team := result.Data.(*model.Team)
+ if team.IsGroupConstrained() {
+ return nil, model.NewAppError("CreateUserWithInviteId", "app.team.invite_id.group_constrained.error", nil, "", http.StatusForbidden)
+ }
+
 user.EmailVerified = false
 ruser, err := a.CreateUser(user)
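Review bot: Only the invite-id signup path is covered by the `team.IsGroupConstrained()` check added here; any other route that puts a user on a team from an invite (token-based signup, an existing user joining by invite id) is not in this diff and should be confirmed to enforce the same rule, preferably through one shared helper so the entry points cannot drift apart. Placing the check before `a.CreateUser(user)` is the right order, since a rejected request then leaves no account behind; a comment would keep a later refactor from moving it: `// Must run before CreateUser: an invite link may not add members to a group-constrained team.` The diffstat lists only two files, so it is worth confirming that the message ID `app.team.invite_id.group_constrained.error` already has a translation entry. The body of `CreateUserWithInviteId` starts and ends outside the hunk.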