Changed /teams/all api to only return teams the current user is a member of if they're not an admin (#3853)

2025-02-25 18:55:24 -06:00 · 2016-08-22 20:08:09 -04:00
parent 3c50442d04
commit f0c672e3ad
2 changed files with 21 additions and 30 deletions
--- a/api/team.go
+++ b/api/team.go
@@ -17,6 +17,7 @@ import (
 	"github.com/gorilla/mux"

 	"github.com/mattermost/platform/model"
+	"github.com/mattermost/platform/store"
 	"github.com/mattermost/platform/utils"
 )

@@ -410,8 +411,17 @@ func GetAllTeamListings(c *Context, w http.ResponseWriter, r *http.Request) {
 	}
 }

+// Gets all teams which the current user can has access to. If the user is a System Admin, this will be all teams
+// on the server. Otherwise, it will only be the teams of which the user is a member.
 func getAll(c *Context, w http.ResponseWriter, r *http.Request) {
-	if result := <-Srv.Store.Team().GetAll(); result.Err != nil {
+	var tchan store.StoreChannel
+	if c.IsSystemAdmin() {
+		tchan = Srv.Store.Team().GetAll()
+	} else {
+		tchan = Srv.Store.Team().GetTeamsByUserId(c.Session.UserId)
+	}
+
+	if result := <-tchan; result.Err != nil {
 		c.Err = result.Err
 		return
 	} else {
@@ -419,9 +429,6 @@ func getAll(c *Context, w http.ResponseWriter, r *http.Request) {
 		m := make(map[string]*model.Team)
 		for _, v := range teams {
 			m[v.Id] = v
-			if !c.IsSystemAdmin() {
-				m[v.Id].SanitizeForNotLoggedIn()
-			}
 		}

 		w.Write([]byte(model.TeamMapToJson(m)))
--- a/api/team_test.go
+++ b/api/team_test.go
@@ -255,7 +255,7 @@ func TestAddUserToTeamFromInvite(t *testing.T) {
 }

 func TestGetAllTeams(t *testing.T) {
-	th := Setup().InitBasic()
+	th := Setup().InitBasic().InitSystemAdmin()
 	th.BasicClient.Logout()
 	Client := th.BasicClient

@@ -272,34 +272,18 @@ func TestGetAllTeams(t *testing.T) {

 	if r1, err := Client.GetAllTeams(); err != nil {
 		t.Fatal(err)
-	} else {
-		teams := r1.Data.(map[string]*model.Team)
-		if teams[team.Id].Name != team.Name {
-			t.Fatal()
-		}
-		if teams[team.Id].Email != "" {
-			t.Fatal("Non admin users shoudn't get full listings")
-		}
+	} else if teams := r1.Data.(map[string]*model.Team); len(teams) != 1 {
+		t.Fatal("non admin users only get the teams that they're a member of")
+	} else if receivedTeam, ok := teams[team.Id]; !ok || receivedTeam.Id != team.Id {
+		t.Fatal("should've received team that the user is a member of")
 	}

-	c := &Context{}
-	c.RequestId = model.NewId()
-	c.IpAddress = "cmd_line"
-	UpdateUserRoles(c, user, model.ROLE_SYSTEM_ADMIN)
-
-	Client.Login(user.Email, "passwd1")
-	Client.SetTeamId(team.Id)
-
-	if r1, err := Client.GetAllTeams(); err != nil {
+	if r1, err := th.SystemAdminClient.GetAllTeams(); err != nil {
 		t.Fatal(err)
-	} else {
-		teams := r1.Data.(map[string]*model.Team)
-		if teams[team.Id].Name != team.Name {
-			t.Fatal()
-		}
-		if teams[team.Id].Email != team.Email {
-			t.Fatal()
-		}
+	} else if teams := r1.Data.(map[string]*model.Team); len(teams) == 1 {
+		t.Fatal("admin users should receive all teams")
+	} else if receivedTeam, ok := teams[team.Id]; !ok || receivedTeam.Id != team.Id {
+		t.Fatal("admin should've received team that they aren't a member of")
 	}
 }