MM-11172: Don't allow reacting in read-only town square. (#9106)

author: George Goldberg <george@gberg.me> 2018-07-16 13:04:52 +0100
committer: GitHub <noreply@github.com> 2018-07-16 13:04:52 +0100
commit: 9d9fcd9ac5d10a6ff1050477d527385d6af2f6bf (patch)
tree: 034047530a94301369accb0174a8146cdf554895
parent: 10f571784b55509a7995093b36f28ed4b848dd53 (diff)
download: chat-9d9fcd9ac5d10a6ff1050477d527385d6af2f6bf.tar.gz
chat-9d9fcd9ac5d10a6ff1050477d527385d6af2f6bf.tar.bz2
chat-9d9fcd9ac5d10a6ff1050477d527385d6af2f6bf.zip
3 files changed, 104 insertions, 0 deletions
diff --git a/api4/reaction_test.go b/api4/reaction_test.go
index ac1a49671..dda9a578a 100644
--- a/api4/reaction_test.go
+++ b/api4/reaction_test.go
@@ -172,6 +172,33 @@ func TestSaveReaction(t *testing.T) {
 		}
 		th.AddPermissionToRole(model.PERMISSION_ADD_REACTION.Id, model.CHANNEL_USER_ROLE_ID)
 	})
+
+	t.Run("unable-to-react-in-read-only-town-square", func(t *testing.T) {
+		th.LoginBasic()
+
+		channel, err := th.App.GetChannelByName("town-square", th.BasicTeam.Id)
+		assert.Nil(t, err)
+		post := th.CreatePostWithClient(th.Client, channel)
+
+		th.App.SetLicense(model.NewTestLicense())
+		th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.ExperimentalTownSquareIsReadOnly = true })
+
+		reaction := &model.Reaction{
+			UserId:    userId,
+			PostId:    post.Id,
+			EmojiName: "smile",
+		}
+
+		_, resp := Client.SaveReaction(reaction)
+		CheckForbiddenStatus(t, resp)
+
+		if reactions, err := th.App.GetReactionsForPost(postId); err != nil || len(reactions) != 3 {
+			t.Fatal("should have not created a reactions")
+		}
+
+		th.App.RemoveLicense()
+		th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.ExperimentalTownSquareIsReadOnly = false })
+	})
 }
 
 func TestGetReactions(t *testing.T) {
@@ -451,4 +478,39 @@ func TestDeleteReaction(t *testing.T) {
 		}
 		th.AddPermissionToRole(model.PERMISSION_REMOVE_OTHERS_REACTIONS.Id, model.SYSTEM_ADMIN_ROLE_ID)
 	})
+
+	t.Run("unable-to-delete-reactions-in-read-only-town-square", func(t *testing.T) {
+		th.LoginBasic()
+
+		channel, err := th.App.GetChannelByName("town-square", th.BasicTeam.Id)
+		assert.Nil(t, err)
+		post := th.CreatePostWithClient(th.Client, channel)
+
+		th.App.SetLicense(model.NewTestLicense())
+
+		reaction := &model.Reaction{
+			UserId:    userId,
+			PostId:    post.Id,
+			EmojiName: "smile",
+		}
+
+		r1, resp := Client.SaveReaction(reaction)
+		CheckNoError(t, resp)
+
+		if reactions, err := th.App.GetReactionsForPost(postId); err != nil || len(reactions) != 1 {
+			t.Fatal("should have created a reactions")
+		}
+
+		th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.ExperimentalTownSquareIsReadOnly = true })
+
+		_, resp = th.SystemAdminClient.DeleteReaction(r1)
+		CheckForbiddenStatus(t, resp)
+
+		if reactions, err := th.App.GetReactionsForPost(postId); err != nil || len(reactions) != 1 {
+			t.Fatal("should have not deleted a reactions")
+		}
+
+		th.App.RemoveLicense()
+		th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.ExperimentalTownSquareIsReadOnly = false })
+	})
 }
diff --git a/app/reaction.go b/app/reaction.go
index db00ce2ad..082d28f0d 100644
--- a/app/reaction.go
+++ b/app/reaction.go
@@ -4,6 +4,8 @@
 package app
 
 import (
+	"net/http"
+
 	"github.com/mattermost/mattermost-server/model"
 )
 
@@ -13,6 +15,24 @@ func (a *App) SaveReactionForPost(reaction *model.Reaction) (*model.Reaction, *m
 		return nil, err
 	}
 
+	if a.License() != nil && *a.Config().TeamSettings.ExperimentalTownSquareIsReadOnly {
+		var channel *model.Channel
+		if channel, err = a.GetChannel(post.ChannelId); err != nil {
+			return nil, err
+		}
+
+		if channel.Name == model.DEFAULT_CHANNEL {
+			var user *model.User
+			if user, err = a.GetUser(reaction.UserId); err != nil {
+				return nil, err
+			}
+
+			if !a.RolesGrantPermission(user.GetRoles(), model.PERMISSION_MANAGE_SYSTEM.Id) {
+				return nil, model.NewAppError("saveReactionForPost", "api.reaction.town_square_read_only", nil, "", http.StatusForbidden)
+			}
+		}
+	}
+
 	if result := <-a.Srv.Store.Reaction().Save(reaction); result.Err != nil {
 		return nil, result.Err
 	} else {
@@ -40,6 +60,24 @@ func (a *App) DeleteReactionForPost(reaction *model.Reaction) *model.AppError {
 		return err
 	}
 
+	if a.License() != nil && *a.Config().TeamSettings.ExperimentalTownSquareIsReadOnly {
+		var channel *model.Channel
+		if channel, err = a.GetChannel(post.ChannelId); err != nil {
+			return err
+		}
+
+		if channel.Name == model.DEFAULT_CHANNEL {
+			var user *model.User
+			if user, err = a.GetUser(reaction.UserId); err != nil {
+				return err
+			}
+
+			if !a.RolesGrantPermission(user.GetRoles(), model.PERMISSION_MANAGE_SYSTEM.Id) {
+				return model.NewAppError("deleteReactionForPost", "api.reaction.town_square_read_only", nil, "", http.StatusForbidden)
+			}
+		}
+	}
+
 	hasReactions := true
 	if reactions, _ := a.GetReactionsForPost(post.Id); len(reactions) <= 1 {
 		hasReactions = false
diff --git a/i18n/en.json b/i18n/en.json
index 7c424e18d..eaab5c039 100644
--- a/i18n/en.json
+++ b/i18n/en.json
@@ -160,6 +160,10 @@
     "translation": "The channel has been archived or deleted"
   },
   {
+    "id": "api.reaction.town_square_read_only",
+    "translation": "Reacting to posts is not possible in read-only channels."
+  },
+  {
     "id": "api.channel.delete_channel.type.invalid",
     "translation": "Cannot delete direct or group message channels"
   },
author	George Goldberg <george@gberg.me>	2018-07-16 13:04:52 +0100
committer	GitHub <noreply@github.com>	2018-07-16 13:04:52 +0100
commit	9d9fcd9ac5d10a6ff1050477d527385d6af2f6bf (patch)
tree	034047530a94301369accb0174a8146cdf554895
parent	10f571784b55509a7995093b36f28ed4b848dd53 (diff)
download	chat-9d9fcd9ac5d10a6ff1050477d527385d6af2f6bf.tar.gz chat-9d9fcd9ac5d10a6ff1050477d527385d6af2f6bf.tar.bz2 chat-9d9fcd9ac5d10a6ff1050477d527385d6af2f6bf.zip