Various patches

2025-02-25 18:55:24 -06:00 · 2017-09-06 16:24:34 -04:00
parent f968c56890
commit d38328976e
8 changed files with 106 additions and 11 deletions
--- a/api4/oauth.go
+++ b/api4/oauth.go
@@ -57,6 +57,10 @@ func createOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}

+	if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+		oauthApp.IsTrusted = false
+	}
+
 	oauthApp.CreatorId = c.Session.UserId

 	rapp, err := app.CreateOAuthApp(oauthApp)
@@ -298,6 +302,11 @@ func authorizeOAuthPage(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}

+	if !oauthApp.IsValidRedirectURL(authRequest.RedirectUri) {
+		utils.RenderWebError(model.NewAppError("authorizeOAuthPage", "api.oauth.allow_oauth.redirect_callback.app_error", nil, "", http.StatusBadRequest), w, r)
+		return
+	}
+
 	isAuthorized := false

 	if _, err := app.GetPreferenceByCategoryAndNameForUser(c.Session.UserId, model.PREFERENCE_CATEGORY_AUTHORIZED_OAUTH_APP, authRequest.ClientId); err == nil {
--- a/api4/oauth_test.go
+++ b/api4/oauth_test.go
@@ -28,7 +28,7 @@ func TestCreateOAuthApp(t *testing.T) {
 	utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = true
 	utils.SetDefaultRolesBasedOnConfig()

-	oapp := &model.OAuthApp{Name: GenerateTestAppName(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}}
+	oapp := &model.OAuthApp{Name: GenerateTestAppName(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}, IsTrusted: true}

 	rapp, resp := AdminClient.CreateOAuthApp(oapp)
 	CheckNoError(t, resp)
@@ -38,6 +38,10 @@ func TestCreateOAuthApp(t *testing.T) {
 		t.Fatal("names did not match")
 	}

+	if rapp.IsTrusted != oapp.IsTrusted {
+		t.Fatal("trusted did no match")
+	}
+
 	*utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = true
 	utils.SetDefaultRolesBasedOnConfig()
 	_, resp = Client.CreateOAuthApp(oapp)
@@ -45,10 +49,14 @@ func TestCreateOAuthApp(t *testing.T) {

 	*utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = false
 	utils.SetDefaultRolesBasedOnConfig()
-	_, resp = Client.CreateOAuthApp(oapp)
+	rapp, resp = Client.CreateOAuthApp(oapp)
 	CheckNoError(t, resp)
 	CheckCreatedStatus(t, resp)

+	if rapp.IsTrusted {
+		t.Fatal("trusted should be false - created by non admin")
+	}
+
 	oapp.Name = ""
 	_, resp = AdminClient.CreateOAuthApp(oapp)
 	CheckBadRequestStatus(t, resp)
--- a/api4/status.go
+++ b/api4/status.go
@@ -16,9 +16,9 @@ import (
 func InitStatus() {
 	l4g.Debug(utils.T("api.status.init.debug"))

-	BaseRoutes.User.Handle("/status", ApiHandler(getUserStatus)).Methods("GET")
-	BaseRoutes.Users.Handle("/status/ids", ApiHandler(getUserStatusesByIds)).Methods("POST")
-	BaseRoutes.User.Handle("/status", ApiHandler(updateUserStatus)).Methods("PUT")
+	BaseRoutes.User.Handle("/status", ApiSessionRequired(getUserStatus)).Methods("GET")
+	BaseRoutes.Users.Handle("/status/ids", ApiSessionRequired(getUserStatusesByIds)).Methods("POST")
+	BaseRoutes.User.Handle("/status", ApiSessionRequired(updateUserStatus)).Methods("PUT")
 }

 func getUserStatus(c *Context, w http.ResponseWriter, r *http.Request) {
--- a/api4/status_test.go
+++ b/api4/status_test.go
@@ -47,6 +47,10 @@ func TestGetUserStatus(t *testing.T) {
 	}

 	Client.Logout()
+
+	_, resp = Client.GetUserStatus(th.BasicUser2.Id, "")
+	CheckUnauthorizedStatus(t, resp)
+
 	th.LoginBasic2()
 	userStatus, resp = Client.GetUserStatus(th.BasicUser2.Id, "")
 	CheckNoError(t, resp)
@@ -89,6 +93,11 @@ func TestGetUsersStatusesByIds(t *testing.T) {
 			t.Fatal("Status should be offline")
 		}
 	}
+
+	Client.Logout()
+
+	_, resp = Client.GetUsersStatusesByIds(usersIds)
+	CheckUnauthorizedStatus(t, resp)
 }

 func TestUpdateUserStatus(t *testing.T) {
@@ -126,4 +135,9 @@ func TestUpdateUserStatus(t *testing.T) {
 	if updateUserStatus.Status != "online" {
 		t.Fatal("Should return online status")
 	}
+
+	Client.Logout()
+
+	_, resp = Client.UpdateUserStatus(th.BasicUser2.Id, toUpdateUserStatus)
+	CheckUnauthorizedStatus(t, resp)
 }