authorGeorge Goldberg <george@gberg.me>2018-09-27 20:15:47 +0100
committerChristopher Speller <crspeller@gmail.com>2018-09-27 12:15:47 -0700
commitcad806703d06d8996a98b19bec353bce255ae6a1 (patch)
tree0ba7f4ff652eb12cd6054dda173f5598dee2cdce
parent45464234277394c9debd272749552ed4c312c908 (diff)
MM-12013: Fix post-permission checks to cascade for DM/GM channels. (#9476)
-rw-r--r--api4/apitestlib.go14
-rw-r--r--api4/post_test.go25
-rw-r--r--app/authorization.go4
3 files changed, 42 insertions, 1 deletions
diff --git a/api4/apitestlib.go b/api4/apitestlib.go
index 6a717faf1..37dbcad25 100644
--- a/api4/apitestlib.go
+++ b/api4/apitestlib.go
@@ -455,6 +455,20 @@ func (me *TestHelper) CreateMessagePostNoClient(channel *model.Channel, message
return post
}
+func (me *TestHelper) CreateDmChannel(user *model.User) *model.Channel {
+ utils.DisableDebugLogForTest()
+ var err *model.AppError
+ var channel *model.Channel
+ if channel, err = me.App.CreateDirectChannel(me.BasicUser.Id, user.Id); err != nil {
+ mlog.Error(err.Error())
+
+ time.Sleep(time.Second)
+ panic(err)
+ }
+ utils.EnableDebugLogForTest()
+ return channel
+}
+
func (me *TestHelper) LoginBasic() {
me.LoginBasicWithClient(me.Client)
}
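Review bot: `CreateDmChannel` has no doc comment, and it reads `me.BasicUser.Id` without saying that the basic user must already exist, so a caller that skips the basic initialisation would presumably hit a nil dereference rather than a clear failure. I would add `// CreateDmChannel creates a direct channel between me.BasicUser and user and panics if creation fails; the helper's basic user must be initialised first.` Debug logging is also re-enabled only on the success path; `defer utils.EnableDebugLogForTest()` directly after the disable call would cover the panic path too.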
diff --git a/api4/post_test.go b/api4/post_test.go
index 36693f72b..7cac2e18a 100644
--- a/api4/post_test.go
+++ b/api4/post_test.go
@@ -599,6 +599,31 @@ func TestUpdatePost(t *testing.T) {
CheckNoError(t, resp)
}
+func TestUpdateOthersPostInDirectMessageChannel(t *testing.T) {
+ // This test checks that a sysadmin with the "EDIT_OTHERS_POSTS" permission can edit someone else's post in a
+ // channel without a team (DM/GM). This indirectly checks for the proper cascading all the way to system-wide roles
+ // on the user object of permissions based on a post in a channel with no team ID.
+ th := Setup().InitBasic().InitSystemAdmin()
+ defer th.TearDown()
+
+ dmChannel := th.CreateDmChannel(th.SystemAdminUser)
+
+ post := &model.Post{
+ Message: "asd",
+ ChannelId: dmChannel.Id,
+ PendingPostId: model.NewId() + ":" + fmt.Sprint(model.GetMillis()),
+ UserId: th.BasicUser.Id,
+ CreateAt: 0,
+ }
+
+ post, resp := th.Client.CreatePost(post)
+ CheckNoError(t, resp)
+
+ post.Message = "changed"
+ post, resp = th.SystemAdminClient.UpdatePost(post.Id, post)
+ CheckNoError(t, resp)
+}
+
func TestPatchPost(t *testing.T) {
th := Setup().InitBasic().InitSystemAdmin()
defer th.TearDown()
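Review bot: `TestUpdateOthersPostInDirectMessageChannel` asserts only the allow path, so it would still pass if the authorization change made the DM/GM check too permissive. Since the commit touches a permission decision, the test should also cover a denial: for example a post authored by the system admin in the same DM channel that `th.Client` tries to update, expecting a forbidden response (assuming the basic user does not hold the edit-others-posts permission in the default test setup). It would also help to assert that the returned post's `Message` is `"changed"` after the admin update, because `CheckNoError` alone does not show the edit was applied.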
diff --git a/app/authorization.go b/app/authorization.go
index 9d4714ba1..3310237c6 100644
--- a/app/authorization.go
+++ b/app/authorization.go
@@ -74,7 +74,9 @@ func (a *App) SessionHasPermissionToChannelByPost(session model.Session, postId
if result := <-a.Srv.Store.Channel().GetForPost(postId); result.Err == nil {
channel := result.Data.(*model.Channel)
- return a.SessionHasPermissionToTeam(session, channel.TeamId, permission)
+ if channel.TeamId != "" {
+ return a.SessionHasPermissionToTeam(session, channel.TeamId, permission)
+ }
}
return a.SessionHasPermissionTo(session, permission)
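Review bot: The final `return a.SessionHasPermissionTo(session, permission)` is now reached in two unrelated situations, when `GetForPost` returns an error and when the channel has an empty `TeamId`, and nothing in the code says which is intended. A store failure on this authorization path is dropped without a trace, so a denial caused by a lookup error cannot be told apart from a genuine one; consider logging `result.Err` in an `else` branch. I would also put a comment above the new `if`, `// DM/GM channels have no team: skip the team check and fall through to system-wide roles.` The function starts before this hunk and its closing brace lies after it, so any channel-membership check that runs earlier is not visible here.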