Various patches

api/general.go

@@ -10,6 +10,7 @@ import (
 
 	l4g "github.com/alecthomas/log4go"
 
+	"github.com/mattermost/platform/app"
 	"github.com/mattermost/platform/model"
 	"github.com/mattermost/platform/utils"
 )
@@ -30,7 +31,14 @@ func logClient(c *Context, w http.ResponseWriter, r *http.Request) {
 	forceToDebug := false
 
 	if !*utils.Cfg.ServiceSettings.EnableDeveloper {
-		forceToDebug = true
+		if c.Session.UserId == "" {
+			c.Err = model.NewAppError("Permissions", "api.context.permissions.app_error", nil, "", http.StatusForbidden)
+			return
+		}
+
+		if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+			forceToDebug = true
+		}
 	}
 
 	m := model.MapFromJson(r.Body)

api/general_test.go

@@ -5,6 +5,8 @@ package api
 
 import (
 	"testing"
+
+	"github.com/mattermost/platform/utils"
 )
 
 func TestGetClientProperties(t *testing.T) {
@@ -25,6 +27,24 @@ func TestLogClient(t *testing.T) {
 	if ret, _ := th.BasicClient.LogClient("this is a test"); !ret {
 		t.Fatal("failed to log")
 	}
+
+	enableDeveloper := *utils.Cfg.ServiceSettings.EnableDeveloper
+	defer func() {
+		*utils.Cfg.ServiceSettings.EnableDeveloper = enableDeveloper
+	}()
+	*utils.Cfg.ServiceSettings.EnableDeveloper = false
+
+	th.BasicClient.Logout()
+
+	if _, err := th.BasicClient.LogClient("this is a test"); err == nil {
+		t.Fatal("should have failed")
+	}
+
+	*utils.Cfg.ServiceSettings.EnableDeveloper = true
+
+	if ret, _ := th.BasicClient.LogClient("this is a test"); !ret {
+		t.Fatal("failed to log")
+	}
 }
 
 func TestGetPing(t *testing.T) {

api/oauth.go

@@ -41,6 +41,10 @@ func registerOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+		oauthApp.IsTrusted = false
+	}
+
 	oauthApp.CreatorId = c.Session.UserId
 
 	rapp, err := app.CreateOAuthApp(oauthApp)

api/oauth_test.go

@@ -22,7 +22,7 @@ func TestOAuthRegisterApp(t *testing.T) {
 	th := Setup().InitBasic().InitSystemAdmin()
 	Client := th.BasicClient
 
-	oauthApp := &model.OAuthApp{Name: "TestApp" + model.NewId(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}}
+	oauthApp := &model.OAuthApp{Name: "TestApp" + model.NewId(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}, IsTrusted: true}
 
 	utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = false
 	if !utils.Cfg.ServiceSettings.EnableOAuthServiceProvider {
@@ -82,10 +82,29 @@ func TestOAuthRegisterApp(t *testing.T) {
 	Client.Logout()
 	Client.Login(user.Email, user.Password)
 
-	oauthApp = &model.OAuthApp{Name: "TestApp" + model.NewId(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}}
+	oauthApp = &model.OAuthApp{Name: "TestApp" + model.NewId(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}, IsTrusted: true}
 	if _, err := Client.RegisterApp(oauthApp); err == nil {
 		t.Fatal("should have failed. not enough permissions")
 	}
+
+	adminOnly := *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations
+	defer func() {
+		*utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = adminOnly
+		utils.SetDefaultRolesBasedOnConfig()
+	}()
+	*utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = false
+	utils.SetDefaultRolesBasedOnConfig()
+
+	th.LoginBasic()
+
+	if result, err := th.BasicClient.RegisterApp(oauthApp); err != nil {
+		t.Fatal(err)
+	} else {
+		rapp := result.Data.(*model.OAuthApp)
+		if rapp.IsTrusted {
+			t.Fatal("trusted should be false - created by non admin")
+		}
+	}
 }
 
 func TestOAuthAllow(t *testing.T) {
@@ -463,7 +482,17 @@ func TestOAuthAuthorize(t *testing.T) {
 	th := Setup().InitBasic()
 	Client := th.BasicClient
 
+	enableOAuth := utils.Cfg.ServiceSettings.EnableOAuthServiceProvider
+	adminOnly := *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations
+	defer func() {
+		utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = enableOAuth
+		*utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = adminOnly
+		utils.SetDefaultRolesBasedOnConfig()
+	}()
 	utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = false
+	*utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = false
+	utils.SetDefaultRolesBasedOnConfig()
+
 	if !utils.Cfg.ServiceSettings.EnableOAuthServiceProvider {
 		if r, err := HttpGet(Client.Url+"/oauth/authorize", Client.HttpClient, "", true); err == nil {
 			t.Fatal("should have failed - oauth providing turned off")
@@ -483,7 +512,7 @@ func TestOAuthAuthorize(t *testing.T) {
 	}
 
 	// register an app to authorize it
-	oauthApp := &model.OAuthApp{Name: "TestApp" + model.NewId(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}}
+	oauthApp := &model.OAuthApp{Name: "TestApp" + model.NewId(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://example.com"}}
 	oauthApp = Client.Must(Client.RegisterApp(oauthApp)).Data.(*model.OAuthApp)
 	if r, err := HttpGet(Client.Url+"/oauth/authorize?client_id="+oauthApp.Id+"&&redirect_uri=http://example.com&response_type="+model.AUTHCODE_RESPONSE_TYPE, Client.HttpClient, "", true); err == nil {
 		t.Fatal("should have failed - user not logged")
@@ -491,9 +520,12 @@ func TestOAuthAuthorize(t *testing.T) {
 	}
 
 	authToken := Client.AuthType + " " + Client.AuthToken
-	if r, err := HttpGet(Client.Url+"/oauth/authorize?client_id="+oauthApp.Id+"&redirect_uri=http://example.com&response_type="+model.AUTHCODE_RESPONSE_TYPE, Client.HttpClient, authToken, true); err != nil {
+	if _, err := HttpGet(Client.Url+"/oauth/authorize?client_id="+oauthApp.Id+"&redirect_uri=http://bad-redirect.com&response_type="+model.AUTHCODE_RESPONSE_TYPE, Client.HttpClient, authToken, true); err == nil {
+		t.Fatal("should have failed - bad redirect uri")
+	}
+
+	if _, err := HttpGet(Client.Url+"/oauth/authorize?client_id="+oauthApp.Id+"&redirect_uri=https://example.com&response_type="+model.AUTHCODE_RESPONSE_TYPE, Client.HttpClient, authToken, true); err != nil {
 		t.Fatal(err)
-		closeBody(r)
 	}
 
 	// lets authorize the app

api4/oauth.go

@@ -57,6 +57,10 @@ func createOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+		oauthApp.IsTrusted = false
+	}
+
 	oauthApp.CreatorId = c.Session.UserId
 
 	rapp, err := app.CreateOAuthApp(oauthApp)
@@ -298,6 +302,11 @@ func authorizeOAuthPage(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if !oauthApp.IsValidRedirectURL(authRequest.RedirectUri) {
+		utils.RenderWebError(model.NewAppError("authorizeOAuthPage", "api.oauth.allow_oauth.redirect_callback.app_error", nil, "", http.StatusBadRequest), w, r)
+		return
+	}
+
 	isAuthorized := false
 
 	if _, err := app.GetPreferenceByCategoryAndNameForUser(c.Session.UserId, model.PREFERENCE_CATEGORY_AUTHORIZED_OAUTH_APP, authRequest.ClientId); err == nil {

api4/oauth_test.go

@@ -28,7 +28,7 @@ func TestCreateOAuthApp(t *testing.T) {
 	utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = true
 	utils.SetDefaultRolesBasedOnConfig()
 
-	oapp := &model.OAuthApp{Name: GenerateTestAppName(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}}
+	oapp := &model.OAuthApp{Name: GenerateTestAppName(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}, IsTrusted: true}
 
 	rapp, resp := AdminClient.CreateOAuthApp(oapp)
 	CheckNoError(t, resp)
@@ -38,6 +38,10 @@ func TestCreateOAuthApp(t *testing.T) {
 		t.Fatal("names did not match")
 	}
 
+	if rapp.IsTrusted != oapp.IsTrusted {
+		t.Fatal("trusted did no match")
+	}
+
 	*utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = true
 	utils.SetDefaultRolesBasedOnConfig()
 	_, resp = Client.CreateOAuthApp(oapp)
@@ -45,10 +49,14 @@ func TestCreateOAuthApp(t *testing.T) {
 
 	*utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = false
 	utils.SetDefaultRolesBasedOnConfig()
-	_, resp = Client.CreateOAuthApp(oapp)
+	rapp, resp = Client.CreateOAuthApp(oapp)
 	CheckNoError(t, resp)
 	CheckCreatedStatus(t, resp)
 
+	if rapp.IsTrusted {
+		t.Fatal("trusted should be false - created by non admin")
+	}
+
 	oapp.Name = ""
 	_, resp = AdminClient.CreateOAuthApp(oapp)
 	CheckBadRequestStatus(t, resp)

api4/status.go

@@ -16,9 +16,9 @@ import (
 func InitStatus() {
 	l4g.Debug(utils.T("api.status.init.debug"))
 
-	BaseRoutes.User.Handle("/status", ApiHandler(getUserStatus)).Methods("GET")
-	BaseRoutes.Users.Handle("/status/ids", ApiHandler(getUserStatusesByIds)).Methods("POST")
-	BaseRoutes.User.Handle("/status", ApiHandler(updateUserStatus)).Methods("PUT")
+	BaseRoutes.User.Handle("/status", ApiSessionRequired(getUserStatus)).Methods("GET")
+	BaseRoutes.Users.Handle("/status/ids", ApiSessionRequired(getUserStatusesByIds)).Methods("POST")
+	BaseRoutes.User.Handle("/status", ApiSessionRequired(updateUserStatus)).Methods("PUT")
 }
 
 func getUserStatus(c *Context, w http.ResponseWriter, r *http.Request) {

api4/status_test.go

@@ -47,6 +47,10 @@ func TestGetUserStatus(t *testing.T) {
 	}
 
 	Client.Logout()
+
+	_, resp = Client.GetUserStatus(th.BasicUser2.Id, "")
+	CheckUnauthorizedStatus(t, resp)
+
 	th.LoginBasic2()
 	userStatus, resp = Client.GetUserStatus(th.BasicUser2.Id, "")
 	CheckNoError(t, resp)
@@ -89,6 +93,11 @@ func TestGetUsersStatusesByIds(t *testing.T) {
 			t.Fatal("Status should be offline")
 		}
 	}
+
+	Client.Logout()
+
+	_, resp = Client.GetUsersStatusesByIds(usersIds)
+	CheckUnauthorizedStatus(t, resp)
 }
 
 func TestUpdateUserStatus(t *testing.T) {
@@ -126,4 +135,9 @@ func TestUpdateUserStatus(t *testing.T) {
 	if updateUserStatus.Status != "online" {
 		t.Fatal("Should return online status")
 	}
+
+	Client.Logout()
+
+	_, resp = Client.UpdateUserStatus(th.BasicUser2.Id, toUpdateUserStatus)
+	CheckUnauthorizedStatus(t, resp)
 }