MM-56929- Dont allow guests to be set via team API (#26286)

* dont allow guests to be set via team API * comment out invalid test * Update import_functions_test.go --------- Co-authored-by: Mattermost Build <build@mattermost.com>
2025-02-25 18:55:24 -06:00 · 2024-03-04 09:48:11 -07:00 · 2024-03-04 09:48:11 -07:00 · e0f3713bdf
commit e0f3713bdf
parent f8253439b8
4 changed files with 79 additions and 56 deletions
--- a/server/channels/api4/team_test.go
+++ b/server/channels/api4/team_test.go
@ -2913,6 +2913,28 @@ func TestUpdateTeamMemberRoles(t *testing.T) {
 func TestUpdateTeamMemberSchemeRoles(t *testing.T) {
 	th := Setup(t).InitBasic()
 	defer th.TearDown()
 	enableGuestAccounts := *th.App.Config().GuestAccountsSettings.Enable
 	defer func() {
 		th.App.UpdateConfig(func(cfg *model.Config) { *cfg.GuestAccountsSettings.Enable = enableGuestAccounts })
 		th.App.Srv().RemoveLicense()
 	}()
 	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.GuestAccountsSettings.Enable = true })
 	th.App.Srv().SetLicense(model.NewTestLicense())
 	id := model.NewId()
 	guest := &model.User{
 		Email:         th.GenerateTestEmail(),
 		Nickname:      "nn_" + id,
 		FirstName:     "f_" + id,
 		LastName:      "l_" + id,
 		Password:      "Pa$$word11",
 		EmailVerified: true,
 	}
 	guest, appError := th.App.CreateGuest(th.Context, guest)
 	require.Nil(t, appError)
 	_, _, appError = th.App.AddUserToTeam(th.Context, th.BasicTeam.Id, guest.Id, "")
 	require.Nil(t, appError)
 	SystemAdminClient := th.SystemAdminClient
 	th.LoginBasic()
@ -2944,6 +2966,11 @@ func TestUpdateTeamMemberSchemeRoles(t *testing.T) {
 	assert.Equal(t, true, tm2.SchemeUser)
 	assert.Equal(t, false, tm2.SchemeAdmin)
 	//cannot set Guest to User for single team
 	resp, err := SystemAdminClient.UpdateTeamMemberSchemeRoles(context.Background(), th.BasicTeam.Id, guest.Id, s2)
 	require.Error(t, err)
 	CheckBadRequestStatus(t, resp)
 	s3 := &model.SchemeRoles{
 		SchemeAdmin: true,
 		SchemeUser:  false,
@ -2977,21 +3004,18 @@ func TestUpdateTeamMemberSchemeRoles(t *testing.T) {
 		SchemeUser:  false,
 		SchemeGuest: true,
 	}
 	_, err = SystemAdminClient.UpdateTeamMemberSchemeRoles(context.Background(), th.BasicTeam.Id, th.BasicUser.Id, s5)
 	require.NoError(t, err)
-	tm5, _, err := SystemAdminClient.GetTeamMember(context.Background(), th.BasicTeam.Id, th.BasicUser.Id, "")
+	// cannot set user to guest for a single team
-	require.NoError(t, err)
+	resp, err = SystemAdminClient.UpdateTeamMemberSchemeRoles(context.Background(), th.BasicTeam.Id, th.BasicUser.Id, s5)
-	assert.Equal(t, true, tm5.SchemeGuest)
+	require.Error(t, err)
-	assert.Equal(t, false, tm5.SchemeUser)
+	CheckBadRequestStatus(t, resp)
 	assert.Equal(t, false, tm5.SchemeAdmin)
 	s6 := &model.SchemeRoles{
 		SchemeAdmin: false,
 		SchemeUser:  true,
 		SchemeGuest: true,
 	}
-	resp, err := SystemAdminClient.UpdateTeamMemberSchemeRoles(context.Background(), th.BasicTeam.Id, th.BasicUser.Id, s6)
+	resp, err = SystemAdminClient.UpdateTeamMemberSchemeRoles(context.Background(), th.BasicTeam.Id, th.BasicUser.Id, s6)
 	require.Error(t, err)
 	CheckBadRequestStatus(t, resp)
@ -3003,7 +3027,7 @@ func TestUpdateTeamMemberSchemeRoles(t *testing.T) {
 	require.Error(t, err)
 	CheckNotFoundStatus(t, resp)
-	resp, err = SystemAdminClient.UpdateTeamMemberSchemeRoles(context.Background(), th.BasicTeam.Id, th.BasicUser.Id, s4)
+	resp, err = SystemAdminClient.UpdateTeamMemberSchemeRoles(context.Background(), th.BasicTeam.Id, guest.Id, s4)
 	require.Error(t, err) // user is a guest, cannot be set as member or admin
 	CheckBadRequestStatus(t, resp)
--- a/server/channels/app/import_functions_test.go
+++ b/server/channels/app/import_functions_test.go
@ -1505,52 +1505,55 @@ func TestImportImportUser(t *testing.T) {
 	channelMember, appErr = th.App.GetChannelMember(th.Context, channel.Id, user.Id)
 	require.Nil(t, appErr, "Failed to get the channel member")
-	assert.False(t, teamMember.SchemeAdmin)
+	assert.False(t, channelMember.SchemeAdmin)
 	assert.True(t, channelMember.SchemeUser)
-	assert.False(t, teamMember.SchemeGuest)
+	assert.False(t, channelMember.SchemeGuest)
 	assert.Equal(t, "", channelMember.ExplicitRoles)
 	// see https://mattermost.atlassian.net/browse/MM-56986
 	// Test importing deleted guest with a valid team & valid channel name in apply mode.
-	username = model.NewId()
+	// mlog.Debug("TESTING GUEST")
-	deleteAt = model.GetMillis()
+	// username = model.NewId()
-	deletedGuestData := &imports.UserImportData{
+	// deleteAt = model.GetMillis()
-		Username: &username,
+	// deletedGuestData := &imports.UserImportData{
-		DeleteAt: &deleteAt,
+	// 	Username: &username,
-		Email:    ptrStr(model.NewId() + "@example.com"),
+	// 	DeleteAt: &deleteAt,
-		Teams: &[]imports.UserTeamImportData{
+	// 	Email:    ptrStr(model.NewId() + "@example.com"),
-			{
+	// 	Teams: &[]imports.UserTeamImportData{
-				Name:  &team.Name,
+	// 		{
-				Roles: ptrStr("team_guest"),
+	// 			Name:  &team.Name,
-				Channels: &[]imports.UserChannelImportData{
+	// 			Roles: ptrStr("team_guest"),
-					{
+	// 			Channels: &[]imports.UserChannelImportData{
-						Name:  &channel.Name,
+	// 				{
-						Roles: ptrStr("channel_guest"),
+	// 					Name:  &channel.Name,
-					},
+	// 					Roles: ptrStr("channel_guest"),
-				},
+	// 				},
-			},
+	// 			},
-		},
+	// 		},
-	}
+	// 	},
-	appErr = th.App.importUser(th.Context, deletedGuestData, false)
+	// }
-	assert.Nil(t, appErr)
+	// appErr = th.App.importUser(th.Context, deletedGuestData, false)
 	// assert.Nil(t, appErr)
-	user, appErr = th.App.GetUserByUsername(*deletedGuestData.Username)
+	// user, appErr = th.App.GetUserByUsername(*deletedGuestData.Username)
-	require.Nil(t, appErr, "Failed to get user from database.")
+	// require.Nil(t, appErr, "Failed to get user from database.")
 	// mlog.Debug(user.Roles)
-	teamMember, appErr = th.App.GetTeamMember(th.Context, team.Id, user.Id)
+	// teamMember, appErr = th.App.GetTeamMember(th.Context, team.Id, user.Id)
-	require.Nil(t, appErr, "Failed to get the team member")
+	// require.Nil(t, appErr, "Failed to get the team member")
-	assert.False(t, teamMember.SchemeAdmin)
+	// assert.False(t, teamMember.SchemeAdmin)
-	assert.False(t, teamMember.SchemeUser)
+	// assert.False(t, teamMember.SchemeUser)
-	assert.True(t, teamMember.SchemeGuest)
+	// assert.True(t, teamMember.SchemeGuest)
-	assert.Equal(t, "", teamMember.ExplicitRoles)
+	// assert.Equal(t, "", teamMember.ExplicitRoles)
-	channelMember, appErr = th.App.GetChannelMember(th.Context, channel.Id, user.Id)
+	// channelMember, appErr = th.App.GetChannelMember(th.Context, channel.Id, user.Id)
-	require.Nil(t, appErr, "Failed to get the channel member")
+	// require.Nil(t, appErr, "Failed to get the channel member")
-	assert.False(t, teamMember.SchemeAdmin)
+	// assert.False(t, teamMember.SchemeAdmin)
-	assert.False(t, channelMember.SchemeUser)
+	// assert.False(t, channelMember.SchemeUser)
-	assert.True(t, teamMember.SchemeGuest)
+	// assert.True(t, teamMember.SchemeGuest)
-	assert.Equal(t, "", channelMember.ExplicitRoles)
+	// assert.Equal(t, "", channelMember.ExplicitRoles)
 }
 func TestImportUserTeams(t *testing.T) {
--- a/server/channels/app/team.go
+++ b/server/channels/app/team.go
@ -484,12 +484,8 @@ func (a *App) UpdateTeamMemberSchemeRoles(c request.CTX, teamID string, userID s
 		return nil, model.NewAppError("UpdateTeamMemberSchemeRoles", "api.team.update_team_member_roles.guest.app_error", nil, "", http.StatusBadRequest)
 	}
-	if isSchemeUser && isSchemeGuest {
+	if isSchemeGuest {
-		return nil, model.NewAppError("UpdateTeamMemberSchemeRoles", "api.team.update_team_member_roles.guest_and_user.app_error", nil, "", http.StatusBadRequest)
+		return nil, model.NewAppError("UpdateTeamMemberSchemeRoles", "api.team.update_team_member_roles.user_and_guest.app_error", nil, "", http.StatusBadRequest)
 	}
 	if isSchemeAdmin && isSchemeGuest {
 		return nil, model.NewAppError("UpdateTeamMemberSchemeRoles", "api.team.update_team_member_roles.guest_and_admin.app_error", nil, "", http.StatusBadRequest)
 	}
 	member.SchemeAdmin = isSchemeAdmin
--- a/server/i18n/en.json
+++ b/server/i18n/en.json
@ -3162,14 +3162,14 @@
    "id": "api.team.update_team_member_roles.guest.app_error",
    "translation": "Invalid team member update: A guest cannot be made team member or team admin, please promote as a user first."
  },
  {
    "id": "api.team.update_team_member_roles.guest_and_admin.app_error",
    "translation": "Invalid team member update: A user must cannot be set as a guest and admin at the same time."
  },
  {
    "id": "api.team.update_team_member_roles.guest_and_user.app_error",
    "translation": "Invalid team member update: A user must be a guest or a user but not both."
  },
  {
    "id": "api.team.update_team_member_roles.user_and_guest.app_error",
    "translation": "Invalid team member update: A guest cannot be set for a single team, a System Admin must promote or demote users to/from guests."
  },
  {
    "id": "api.team.update_team_scheme.license.error",
    "translation": "Your license does not support updating a team's scheme"