MM-55006 Validate team access before returning deleted teams (#25226)

* validate team access before returning deleted teams

* update error return

* Update channel.go

---------

Co-authored-by: Mattermost Build <build@mattermost.com>
Scott Bishel 2023-11-22 10:48:20 -07:00 committed by GitHub
parent 52b485b369
commit f67f0bd220
2 changed files with 11 additions and 0 deletions


@ -835,6 +835,11 @@ func getDeletedChannelsForTeam(c *Context, w http.ResponseWriter, r *http.Reques
return
}
if !c.App.SessionHasPermissionToTeam(*c.AppContext.Session(), c.Params.TeamId, model.PermissionListTeamChannels) {
c.SetPermissionError(model.PermissionListTeamChannels)
return
}
channels, err := c.App.GetDeletedChannels(c.AppContext, c.Params.TeamId, c.Params.Page*c.Params.PerPage, c.Params.PerPage, c.AppContext.Session().UserId)
if err != nil {
c.Err = err
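Review bot: The new `if !c.App.SessionHasPermissionToTeam(...)` guard enforces team access only in this HTTP handler; the app-layer `c.App.GetDeletedChannels(c.AppContext, c.Params.TeamId, ...)` call on the next line still accepts any team ID and user ID without checking membership itself, so any other caller of that method (if one exists) would remain unchecked. If the app method is meant to rely on its callers, a doc comment on it such as `// GetDeletedChannels does not verify that userID may read teamID; callers must check team permissions first.` would make that contract explicit; otherwise consider enforcing the check there as well. Using model.PermissionListTeamChannels here appears consistent with the non-deleted listing endpoint, which seems intended since deleted channels are a subset of what that permission already exposes. getDeletedChannelsForTeam starts and ends outside the hunk.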


@ -952,6 +952,12 @@ func TestGetDeletedChannelsForTeam(t *testing.T) {
channels, _, err = client.GetDeletedChannelsForTeam(context.Background(), team.Id, 1, 1, "")
require.NoError(t, err)
require.Len(t, channels, 1, "should be one channel per page")
// test non team member
th.SystemAdminClient.RemoveTeamMember(context.Background(), team.Id, th.BasicUser.Id)
_, resp, err := client.GetDeletedChannelsForTeam(context.Background(), team.Id, 0, 100, "")
require.Error(t, err)
CheckForbiddenStatus(t, resp)
}
func TestGetPrivateChannelsForTeam(t *testing.T) {
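Review bot: The return values of `th.SystemAdminClient.RemoveTeamMember(context.Background(), team.Id, th.BasicUser.Id)` in the `// test non team member` block are discarded, so if the removal fails the user is still a member and the test only fails later at `require.Error`, pointing at the wrong call. Capture and check it: `_, err = th.SystemAdminClient.RemoveTeamMember(context.Background(), team.Id, th.BasicUser.Id)` followed by `require.NoError(t, err)`. The test also covers only the non-member case; a team member whose role lacks PermissionListTeamChannels is presumably the other path the new handler check rejects and is not exercised here. TestGetDeletedChannelsForTeam begins outside the hunk.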