authorJoram Wilander <jwawilander@gmail.com>2017-10-04 11:42:38 -0400
committerGitHub <noreply@github.com>2017-10-04 11:42:38 -0400
commitfadd9514f6e71590aba781a7035e1de4150137b0 (patch)
treea265d44f377281abd56baf31fe878e08f90f7d4b
parentfa80cb10a8ad047f9504c49ed2671d31650d1878 (diff)
PLT-7718 Patch for files (#7564)
* Patch for files * Fix merge * Fix tests * Fix another test
-rw-r--r--api/file_test.go22
-rw-r--r--api4/channel_test.go2
-rw-r--r--api4/file_test.go9
-rw-r--r--api4/webhook_test.go6
-rw-r--r--app/authorization.go3
-rw-r--r--app/file.go5
-rw-r--r--app/file_test.go14
7 files changed, 52 insertions, 9 deletions
diff --git a/api/file_test.go b/api/file_test.go
index 6d6338395..405e3e7d1 100644
--- a/api/file_test.go
+++ b/api/file_test.go
@@ -24,7 +24,7 @@ import (
)
func TestUploadFile(t *testing.T) {
- th := Setup().InitBasic()
+ th := Setup().InitBasic().InitSystemAdmin()
defer th.TearDown()
if *utils.Cfg.FileSettings.DriverName == "" {
@@ -38,7 +38,9 @@ func TestUploadFile(t *testing.T) {
channel := th.BasicChannel
var uploadInfo *model.FileInfo
- if data, err := readTestFile("test.png"); err != nil {
+ var data []byte
+ var err error
+ if data, err = readTestFile("test.png"); err != nil {
t.Fatal(err)
} else if resp, err := Client.UploadPostAttachment(data, channel.Id, "test.png"); err != nil {
t.Fatal(err)
@@ -103,6 +105,22 @@ func TestUploadFile(t *testing.T) {
t.Fatalf("file preview should've been saved in %v", expectedPreviewPath)
}
+ if _, err := Client.UploadPostAttachment(data, model.NewId(), "test.png"); err == nil || err.StatusCode != http.StatusForbidden {
+ t.Fatal("should have failed - bad channel id")
+ }
+
+ if _, err := Client.UploadPostAttachment(data, "../../junk", "test.png"); err == nil || err.StatusCode != http.StatusForbidden {
+ t.Fatal("should have failed - bad channel id")
+ }
+
+ if _, err := th.SystemAdminClient.UploadPostAttachment(data, model.NewId(), "test.png"); err == nil || err.StatusCode != http.StatusForbidden {
+ t.Fatal("should have failed - bad channel id")
+ }
+
+ if _, err := th.SystemAdminClient.UploadPostAttachment(data, "../../junk", "test.png"); err == nil || err.StatusCode != http.StatusForbidden {
+ t.Fatal("should have failed - bad channel id")
+ }
+
enableFileAttachments := *utils.Cfg.FileSettings.EnableFileAttachments
defer func() {
*utils.Cfg.FileSettings.EnableFileAttachments = enableFileAttachments
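Review bot: The four added negative cases in TestUploadFile all fail with the same text, "should have failed - bad channel id", so a failure does not say whether the unknown id or the `../../junk` id was accepted, or whether it was the regular client or the system admin. Give each case its own message, for example `t.Fatal("should have failed - path traversal in channel id (system admin)")`. Because the condition also fires on a non-403 error, printing `err` in that branch would show which status actually came back. The function continues past the end of this hunk.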
diff --git a/api4/channel_test.go b/api4/channel_test.go
index cda3b5ced..44f3a4ad7 100644
--- a/api4/channel_test.go
+++ b/api4/channel_test.go
@@ -1475,7 +1475,7 @@ func TestGetChannelUnread(t *testing.T) {
CheckNoError(t, resp)
_, resp = th.SystemAdminClient.GetChannelUnread(model.NewId(), user.Id)
- CheckNotFoundStatus(t, resp)
+ CheckForbiddenStatus(t, resp)
_, resp = th.SystemAdminClient.GetChannelUnread(channel.Id, model.NewId())
CheckNotFoundStatus(t, resp)
diff --git a/api4/file_test.go b/api4/file_test.go
index 584625f70..615e601dc 100644
--- a/api4/file_test.go
+++ b/api4/file_test.go
@@ -102,6 +102,15 @@ func TestUploadFile(t *testing.T) {
_, resp := Client.UploadFile(data, model.NewId(), "test.png")
CheckForbiddenStatus(t, resp)
+ _, resp = Client.UploadFile(data, "../../junk", "test.png")
+ CheckForbiddenStatus(t, resp)
+
+ _, resp = th.SystemAdminClient.UploadFile(data, model.NewId(), "test.png")
+ CheckForbiddenStatus(t, resp)
+
+ _, resp = th.SystemAdminClient.UploadFile(data, "../../junk", "test.png")
+ CheckForbiddenStatus(t, resp)
+
_, resp = th.SystemAdminClient.UploadFile(data, channel.Id, "test.png")
CheckNoError(t, resp)
diff --git a/api4/webhook_test.go b/api4/webhook_test.go
index b09f4411e..f8d33e984 100644
--- a/api4/webhook_test.go
+++ b/api4/webhook_test.go
@@ -391,11 +391,7 @@ func TestGetOutgoingWebhooks(t *testing.T) {
}
hooks, resp = th.SystemAdminClient.GetOutgoingWebhooksForChannel(model.NewId(), 0, 1000, "")
- CheckNoError(t, resp)
-
- if len(hooks) != 0 {
- t.Fatal("no hooks should be returned")
- }
+ CheckForbiddenStatus(t, resp)
_, resp = Client.GetOutgoingWebhooks(0, 1000, "")
CheckForbiddenStatus(t, resp)
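Review bot: After this change the `hooks` value assigned from `GetOutgoingWebhooksForChannel(model.NewId(), ...)` is no longer inspected, since only the status is checked. Writing `_, resp = th.SystemAdminClient.GetOutgoingWebhooksForChannel(model.NewId(), 0, 1000, "")` makes it explicit that the result is ignored, matching the `_, resp = Client.GetOutgoingWebhooks(...)` call just below. A short comment such as `// a non-existent channel is now rejected even for a system admin` would record why the expectation moved from an empty list to 403.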
diff --git a/app/authorization.go b/app/authorization.go
index ae5c7c3b3..01180e8d8 100644
--- a/app/authorization.go
+++ b/app/authorization.go
@@ -4,6 +4,7 @@
package app
import (
+ "net/http"
"strings"
l4g "github.com/alecthomas/log4go"
@@ -50,6 +51,8 @@ func (a *App) SessionHasPermissionToChannel(session model.Session, channelId str
channel, err := a.GetChannel(channelId)
if err == nil && channel.TeamId != "" {
return SessionHasPermissionToTeam(session, channel.TeamId, permission)
+ } else if err != nil && err.StatusCode == http.StatusNotFound {
+ return false
}
return SessionHasPermissionTo(session, permission)
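Review bot: The added `else if` in SessionHasPermissionToChannel denies access only when GetChannel returns 404; any other lookup error (a store failure, for instance) still falls through to `SessionHasPermissionTo(session, permission)`, which decides on system-level permissions for a channel id that was never verified. Denying on every lookup error would fail closed: `} else if err != nil { return false }`. If falling through on non-404 errors is intended, a comment saying so would help the next reader. The beginning of the function is outside this hunk, so earlier checks may already narrow the cases that reach this point.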
diff --git a/app/file.go b/app/file.go
index 36a23e3d8..2beb7231a 100644
--- a/app/file.go
+++ b/app/file.go
@@ -291,8 +291,11 @@ func (a *App) UploadFiles(teamId string, channelId string, userId string, fileHe
return resStruct, nil
}
-func (a *App) DoUploadFile(now time.Time, teamId string, channelId string, userId string, rawFilename string, data []byte) (*model.FileInfo, *model.AppError) {
+func (a *App) DoUploadFile(now time.Time, rawTeamId string, rawChannelId string, rawUserId string, rawFilename string, data []byte) (*model.FileInfo, *model.AppError) {
filename := filepath.Base(rawFilename)
+ teamId := filepath.Base(rawTeamId)
+ channelId := filepath.Base(rawChannelId)
+ userId := filepath.Base(rawUserId)
info, err := model.GetInfoForBytes(filename, data)
if err != nil {
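Review bot: `filepath.Base` is not a complete sanitizer for the three id arguments in DoUploadFile: it returns `..` for an input of `..` and `.` for an empty string, so those values still reach the storage path as directory components. The path layout visible in app/file_test.go is `.../teams/%v/channels/%v/users/%v/...`, and the code that builds it is outside this hunk. Rejecting any id that is `.` or `..` or not a well-formed id before the path is built would close the gap, for example a guard `if channelId == "." || channelId == ".." { ... }` that returns a bad-request AppError, repeated for teamId and userId. Failing on a malformed id is also easier to audit than silently rewriting it to its base name.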
diff --git a/app/file_test.go b/app/file_test.go
index 62511ceea..f3141fa18 100644
--- a/app/file_test.go
+++ b/app/file_test.go
@@ -85,4 +85,18 @@ func TestDoUploadFile(t *testing.T) {
if info3.Path != fmt.Sprintf("20080305/teams/%v/channels/%v/users/%v/%v/%v", teamId, channelId, userId, info3.Id, filename) {
t.Fatal("stored file at incorrect path", info3.Path)
}
+
+ info4, err := th.App.DoUploadFile(time.Date(2009, 3, 5, 1, 2, 3, 4, time.Local), "../../"+teamId, "../../"+channelId, "../../"+userId, "../../"+filename, data)
+ if err != nil {
+ t.Fatal(err)
+ } else {
+ defer func() {
+ <-th.App.Srv.Store.FileInfo().PermanentDelete(info3.Id)
+ utils.RemoveFile(info3.Path)
+ }()
+ }
+
+ if info4.Path != fmt.Sprintf("20090305/teams/%v/channels/%v/users/%v/%v/%v", teamId, channelId, userId, info4.Id, filename) {
+ t.Fatal("stored file at incorrect path", info4.Path)
+ }
}
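Review bot: The deferred cleanup added for `info4` deletes `info3` instead: it calls `PermanentDelete(info3.Id)` and `utils.RemoveFile(info3.Path)`, so the file and FileInfo row created by the traversal case are left behind. The two lines should read `<-th.App.Srv.Store.FileInfo().PermanentDelete(info4.Id)` and `utils.RemoveFile(info4.Path)`. The test also only covers ids of the form `"../../"+id`; adding a case where an id is exactly `..` would pin down how DoUploadFile handles a value that `filepath.Base` leaves unchanged.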