PLT-5355: Fix permalink to private/direct channels. (#5574)

Appropriate permission checks depend on the type of channel this
permalink links to.

api/post.go

@@ -264,11 +264,26 @@ func getPermalinkTmp(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if !app.HasPermissionToChannelByPost(c.Session.UserId, postId, model.PERMISSION_JOIN_PUBLIC_CHANNELS) {
-		c.SetPermissionError(model.PERMISSION_JOIN_PUBLIC_CHANNELS)
+	var channel *model.Channel
+	if result := <-app.Srv.Store.Channel().GetForPost(postId); result.Err == nil {
+		channel = result.Data.(*model.Channel)
+	} else {
+		c.SetInvalidParam("getPermalinkTmp", "postId")
 		return
 	}
 
+	if channel.Type == model.CHANNEL_OPEN {
+		if !app.HasPermissionToChannelByPost(c.Session.UserId, postId, model.PERMISSION_JOIN_PUBLIC_CHANNELS) {
+			c.SetPermissionError(model.PERMISSION_JOIN_PUBLIC_CHANNELS)
+			return
+		}
+	} else {
+		if !app.HasPermissionToChannelByPost(c.Session.UserId, postId, model.PERMISSION_READ_CHANNEL) {
+			c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
+			return
+		}
+	}
+
 	if list, err := app.GetPermalinkPost(postId, c.Session.UserId); err != nil {
 		c.Err = err
 		return

api/post_test.go

@@ -1237,9 +1237,12 @@ func TestGetPostById(t *testing.T) {
 }
 
 func TestGetPermalinkTmp(t *testing.T) {
-	th := Setup().InitBasic()
+	th := Setup().InitBasic().InitSystemAdmin()
 	Client := th.BasicClient
 	channel1 := th.BasicChannel
+	team := th.BasicTeam
+
+	th.LoginBasic()
 
 	time.Sleep(10 * time.Millisecond)
 	post1 := &model.Post{ChannelId: channel1.Id, Message: "a" + model.NewId() + "a"}
@@ -1264,6 +1267,40 @@ func TestGetPermalinkTmp(t *testing.T) {
 	} else if results == nil {
 		t.Fatal("should not be empty")
 	}
+
+	// Test permalink to private channels.
+	channel2 := &model.Channel{DisplayName: "TestGetPermalinkPriv", Name: "a" + model.NewId() + "a", Type: model.CHANNEL_PRIVATE, TeamId: team.Id}
+	channel2 = Client.Must(Client.CreateChannel(channel2)).Data.(*model.Channel)
+	time.Sleep(10 * time.Millisecond)
+	post3 := &model.Post{ChannelId: channel2.Id, Message: "a" + model.NewId() + "a"}
+	post3 = Client.Must(Client.CreatePost(post3)).Data.(*model.Post)
+
+	if _, md := Client.GetPermalink(channel2.Id, post3.Id, ""); md.Error != nil {
+		t.Fatal(md.Error)
+	}
+
+	th.LoginBasic2()
+
+	if _, md := Client.GetPermalink(channel2.Id, post3.Id, ""); md.Error == nil {
+		t.Fatal("Expected 403 error")
+	}
+
+	// Test direct channels.
+	th.LoginBasic()
+	channel3 := Client.Must(Client.CreateDirectChannel(th.SystemAdminUser.Id)).Data.(*model.Channel)
+	time.Sleep(10 * time.Millisecond)
+	post4 := &model.Post{ChannelId: channel3.Id, Message: "a" + model.NewId() + "a"}
+	post4 = Client.Must(Client.CreatePost(post4)).Data.(*model.Post)
+
+	if _, md := Client.GetPermalink(channel3.Id, post4.Id, ""); md.Error != nil {
+		t.Fatal(md.Error)
+	}
+
+	th.LoginBasic2()
+
+	if _, md := Client.GetPermalink(channel3.Id, post4.Id, ""); md.Error == nil {
+		t.Fatal("Expected 403 error")
+	}
 }
 
 func TestGetOpenGraphMetadata(t *testing.T) {