diff options
| author | Jesse Hallam <jesse.hallam@gmail.com> | 2018-10-09 15:25:57 -0400 |
|---|---|---|
| committer | Christopher Speller <crspeller@gmail.com> | 2018-10-09 12:25:57 -0700 |
| commit | 59319b7915b8eb4c20a0d4878382cc0e41fc536d (patch) | |
| tree | 604277129e22b19d3c91c9ae5ddf0023040d8b4f | |
| parent | fe9a81208e4d8290df7b8d89bac2d880c045b84b (diff) | |
| download | chat-59319b7915b8eb4c20a0d4878382cc0e41fc536d.tar.gz chat-59319b7915b8eb4c20a0d4878382cc0e41fc536d.tar.bz2 chat-59319b7915b8eb4c20a0d4878382cc0e41fc536d.zip | |
MM-12519: simplify autocomplete team id checking (#9577)
This handles clients sending a team id in a direct message or group channel autocomplete, when it necessarily won't match. Just verify that the user has permission for the team in question, whenever it is provided.
| -rw-r--r-- | api4/user.go | 27 | ||||
| -rw-r--r-- | api4/user_test.go | 4 |
2 files changed, 12 insertions, 19 deletions
diff --git a/api4/user.go b/api4/user.go index 5a8474b8d..404457285 100644 --- a/api4/user.go +++ b/api4/user.go @@ -594,21 +594,19 @@ func autocompleteUsers(c *Context, w http.ResponseWriter, r *http.Request) { c.SetPermissionError(model.PERMISSION_READ_CHANNEL) return } + } - // If a teamId is provided, require it to match the channel's team id. - if teamId != "" { - channel, err := c.App.GetChannel(channelId) - if err != nil { - c.Err = err - return - } - - if channel.TeamId != teamId { - c.Err = model.NewAppError("autocompleteUsers", "api.user.autocomplete_users.invalid_team_id", nil, "", http.StatusUnauthorized) - return - } + if len(teamId) > 0 { + if !c.App.SessionHasPermissionToTeam(c.Session, teamId, model.PERMISSION_VIEW_TEAM) { + c.SetPermissionError(model.PERMISSION_VIEW_TEAM) + return } + } + if len(channelId) > 0 { + // Applying the provided teamId here is useful for DMs and GMs which don't belong + // to a team. Applying it when the channel does belong to a team makes less sense, + //t but the permissions are checked above regardless. result, err := c.App.AutocompleteUsersInChannel(teamId, channelId, name, searchOptions, c.IsSystemAdmin()) if err != nil { c.Err = err @@ -618,11 +616,6 @@ func autocompleteUsers(c *Context, w http.ResponseWriter, r *http.Request) { autocomplete.Users = result.InChannel autocomplete.OutOfChannel = result.OutOfChannel } else if len(teamId) > 0 { - if !c.App.SessionHasPermissionToTeam(c.Session, teamId, model.PERMISSION_VIEW_TEAM) { - c.SetPermissionError(model.PERMISSION_VIEW_TEAM) - return - } - result, err := c.App.AutocompleteUsersInTeam(teamId, name, searchOptions, c.IsSystemAdmin()) if err != nil { c.Err = err diff --git a/api4/user_test.go b/api4/user_test.go index d50dfa3b6..405102373 100644 --- a/api4/user_test.go +++ b/api4/user_test.go @@ -873,9 +873,9 @@ func TestAutocompleteUsers(t *testing.T) { t.Fatal("should not show first/last name") } - t.Run("team id, if provided, must match channel's team id", func(t *testing.T) { + t.Run("user must have access to team id, especially when it does not match channel's team id", func(t *testing.T) { rusers, resp = Client.AutocompleteUsersInChannel("otherTeamId", channelId, username, "") - CheckErrorMessage(t, resp, "api.user.autocomplete_users.invalid_team_id") + CheckErrorMessage(t, resp, "api.context.permissions.app_error") }) } |