From f67f0bd22056697bcfc7f79abe1b03f34f469615 Mon Sep 17 00:00:00 2001
From: Scott Bishel
Date: Wed, 22 Nov 2023 10:48:20 -0700
Subject: [PATCH] MM-55006 Validate team access before returning deleted teams (#25226)

* validate team access before returning deleted teams

* update error return

* Update channel.go

---------

Co-authored-by: Mattermost Build
---
 server/channels/api4/channel.go | 5 +++++
 server/channels/api4/channel_test.go | 6 ++++++
 2 files changed, 11 insertions(+)

diff --git a/server/channels/api4/channel.go b/server/channels/api4/channel.go
index 4d2d8f1a75..239b668005 100644
--- a/server/channels/api4/channel.go
+++ b/server/channels/api4/channel.go
@@ -835,6 +835,11 @@ func getDeletedChannelsForTeam(c *Context, w http.ResponseWriter, r *http.Reques
 		return
 	}
 
+	if !c.App.SessionHasPermissionToTeam(*c.AppContext.Session(), c.Params.TeamId, model.PermissionListTeamChannels) {
+		c.SetPermissionError(model.PermissionListTeamChannels)
+		return
+	}
+
 	channels, err := c.App.GetDeletedChannels(c.AppContext, c.Params.TeamId, c.Params.Page*c.Params.PerPage, c.Params.PerPage, c.AppContext.Session().UserId)
 	if err != nil {
 		c.Err = err
diff --git a/server/channels/api4/channel_test.go b/server/channels/api4/channel_test.go
index 92162b8001..8628fae8d8 100644
--- a/server/channels/api4/channel_test.go
+++ b/server/channels/api4/channel_test.go
@@ -952,6 +952,12 @@ func TestGetDeletedChannelsForTeam(t *testing.T) {
 	channels, _, err = client.GetDeletedChannelsForTeam(context.Background(), team.Id, 1, 1, "")
 	require.NoError(t, err)
 	require.Len(t, channels, 1, "should be one channel per page")
+
+	// test non team member
+	th.SystemAdminClient.RemoveTeamMember(context.Background(), team.Id, th.BasicUser.Id)
+	_, resp, err := client.GetDeletedChannelsForTeam(context.Background(), team.Id, 0, 100, "")
+	require.Error(t, err)
+	CheckForbiddenStatus(t, resp)
 }
 
 func TestGetPrivateChannelsForTeam(t *testing.T) {
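Review bot: The new permission guard in getDeletedChannelsForTeam carries no comment, and because it is now the check that stops a caller outside the team from enumerating that team's deleted channel names, the intent should be stated so it is not later "simplified" away: add `// A caller without list-channels permission on the team must not learn which channels it deleted; the UserId handed to GetDeletedChannels is not a substitute for this team-level check.` above the `if`. It would also be worth confirming that `c.Params.TeamId` has already been validated by the `return` immediately preceding the guard (presumably a RequireTeamId-style check, which is outside this hunk) so the permission lookup is never made against an empty id. The handler begins and ends outside the hunk.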
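Review bot: The return values of `th.SystemAdminClient.RemoveTeamMember` in the new "non team member" case are discarded, so if the removal fails the test goes on to query as a user who is still a member and the forbidden assertion below fails for a misleading reason rather than reporting the broken precondition. Assert it instead: `_, err = th.SystemAdminClient.RemoveTeamMember(context.Background(), team.Id, th.BasicUser.Id)` followed by `require.NoError(t, err)` (assuming the client method returns `(*Response, error)` like the other client calls here; adjust the assignment if its arity differs). The case also relies on `client` being authenticated as `th.BasicUser`, which is established outside this hunk, so a one-line comment naming that assumption would help the next reader. TestGetDeletedChannelsForTeam begins outside the hunk.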