author | Joram Wilander <jwawilander@gmail.com> | 2018-02-13 11:08:49 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-02-13 11:08:49 -0500 |
commit | 5c560db8102b8ce6dc29bf91ab5e24ca4af66fdf (patch) | |
tree | 6cd13db91ab4a768e33ba92e7f8a3cea71da4481 | |
parent | d88d2bc2ed3aefa68b5ed2942f493ae42bb40bfa (diff) | |
ABC-176 Prevent changing PluginSettings.EnableUploads through the API (#8249)
* Prevent changing PluginSettings.EnableUploads through the API
* Contain api4 test case in its own test
-rw-r--r-- | api/admin.go | 3 | ||||
-rw-r--r-- | api/admin_test.go | 13 | ||||
-rw-r--r-- | api4/system.go | 3 | ||||
-rw-r--r-- | api4/system_test.go | 22 |
4 files changed, 39 insertions, 2 deletions
diff --git a/api/admin.go b/api/admin.go
index b3b74d5ea..3b58650cc 100644
--- a/api/admin.go
+++ b/api/admin.go
@@ -108,6 +108,9 @@ func saveConfig(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }

+ // Do not allow plugin uploads to be toggled through the API
+ cfg.PluginSettings.EnableUploads = c.App.GetConfig().PluginSettings.EnableUploads
+
 err := c.App.SaveConfig(cfg, true)
 if err != nil {
 c.Err = err
diff --git a/api/admin_test.go b/api/admin_test.go
index d916e8c4b..00e5b3c7f 100644
--- a/api/admin_test.go
+++ b/api/admin_test.go
@@ -10,6 +10,7 @@ import (

 "github.com/mattermost/mattermost-server/model"
 "github.com/mattermost/mattermost-server/store"
+ "github.com/stretchr/testify/assert"
 )

 func TestGetLogs(t *testing.T) {
@@ -149,6 +150,18 @@ func TestSaveConfig(t *testing.T) {
 }

 th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.EnableOpenServer = true })
+
+ // Should not be able to modify PluginSettings.EnableUploads
+ oldEnableUploads := *th.App.GetConfig().PluginSettings.EnableUploads
+ cfg := &model.Config{}
+ cfg.SetDefaults()
+ *cfg.PluginSettings.EnableUploads = !oldEnableUploads
+
+ if _, err := th.SystemAdminClient.SaveConfig(cfg); err != nil {
+ t.Fatal(err)
+ }
+
+ assert.Equal(t, oldEnableUploads, *th.App.Config().PluginSettings.EnableUploads)
 }

 func TestRecycleDatabaseConnection(t *testing.T) {
diff --git a/api4/system.go b/api4/system.go
index 061ffe094..2355cb476 100644
--- a/api4/system.go
+++ b/api4/system.go
@@ -121,6 +121,9 @@ func updateConfig(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }

+ // Do not allow plugin uploads to be toggled through the API
+ cfg.PluginSettings.EnableUploads = c.App.GetConfig().PluginSettings.EnableUploads
+
 err := c.App.SaveConfig(cfg, true)
 if err != nil {
 c.Err = err
diff --git a/api4/system_test.go b/api4/system_test.go
index 1b2bb5d99..01b4934ae 100644
--- a/api4/system_test.go
+++ b/api4/system_test.go
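Review bot: In saveConfig the submitted `EnableUploads` value is overwritten without any record, so as far as the hunk shows a request that tries to toggle plugin uploads gets a normal success response and leaves nothing for an operator to find later. Comparing the submitted value with the stored one before the overwrite, and writing an audit or warning log entry on a mismatch, would make such attempts visible; the identical line added to updateConfig in api4/system.go has the same gap. Because the guard sits in the two handlers rather than next to `c.App.SaveConfig`, any other caller of SaveConfig is not covered by it. That may be deliberate so the setting can still be changed locally, but a comment such as `// enforced in the HTTP handlers only; non-API callers of SaveConfig may still change it` would record the intent. Both function bodies start and end outside their hunks.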
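Review bot: The assertions added to TestSaveConfig only prove the setting equals whatever value the test server started with, so they would also pass if saveConfig forced `EnableUploads` to a fixed value instead of preserving the stored one. Setting the stored value explicitly first, e.g. `th.App.UpdateConfig(func(cfg *model.Config) { *cfg.PluginSettings.EnableUploads = true })`, and repeating the check for both true and false would pin "preserved" rather than "disabled"; the `t.Run` subtest added in api4/system_test.go has the same limitation. This test also omits the `cfg.PluginSettings.EnableUploads = nil` case that the api4 subtest covers. The old value is read through `th.App.GetConfig()` while the assertion reads `th.App.Config()`, and using one accessor for both would keep the comparison unambiguous. TestSaveConfig begins outside the hunk.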
@@ -7,6 +7,7 @@ import (

 l4g "github.com/alecthomas/log4go"
 "github.com/mattermost/mattermost-server/model"
+ "github.com/stretchr/testify/assert"
 )

 func TestGetPing(t *testing.T) {
@@ -106,9 +107,10 @@ func TestUpdateConfig(t *testing.T) {
 defer th.TearDown()
 Client := th.Client

- cfg := th.App.GetConfig()
+ cfg, resp := th.SystemAdminClient.GetConfig()
+ CheckNoError(t, resp)

- _, resp := Client.UpdateConfig(cfg)
+ _, resp = Client.UpdateConfig(cfg)
 CheckForbiddenStatus(t, resp)

 SiteName := th.App.Config().TeamSettings.SiteName
@@ -139,6 +141,22 @@ func TestUpdateConfig(t *testing.T) {
 t.Fatal()
 }
 }
+
+ t.Run("Should not be able to modify PluginSettings.EnableUploads", func(t *testing.T) {
+ oldEnableUploads := *th.App.GetConfig().PluginSettings.EnableUploads
+ *cfg.PluginSettings.EnableUploads = !oldEnableUploads
+
+ cfg, resp = th.SystemAdminClient.UpdateConfig(cfg)
+ CheckNoError(t, resp)
+ assert.Equal(t, oldEnableUploads, *cfg.PluginSettings.EnableUploads)
+ assert.Equal(t, oldEnableUploads, *th.App.GetConfig().PluginSettings.EnableUploads)
+
+ cfg.PluginSettings.EnableUploads = nil
+ cfg, resp = th.SystemAdminClient.UpdateConfig(cfg)
+ CheckNoError(t, resp)
+ assert.Equal(t, oldEnableUploads, *cfg.PluginSettings.EnableUploads)
+ assert.Equal(t, oldEnableUploads, *th.App.GetConfig().PluginSettings.EnableUploads)
+ })
 }

 func TestGetOldClientConfig(t *testing.T) { |
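Review bot: The new subtest writes through the outer `cfg` and reassigns the outer `cfg` and `resp`, so it only works after the earlier statements of TestUpdateConfig and leaves modified shared state behind for anything added after it. Keeping the results in locals inside the closure, e.g. `updated, resp := th.SystemAdminClient.UpdateConfig(cfg)` followed by assertions on `updated`, would make the subtest self-contained. A short comment on the second half, such as `// a nil pointer in the request must also leave the stored value untouched`, would explain why the nil case is exercised separately. TestUpdateConfig begins outside the hunk.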