diff options
| author | Joram Wilander <jwawilander@gmail.com> | 2016-05-16 12:55:22 -0400 |
|---|---|---|
| committer | Christopher Speller <crspeller@gmail.com> | 2016-05-16 12:55:22 -0400 |
| commit | 1f609e9cf799ddb6bedd5fe3c0eeb36b92ed243d (patch) | |
| tree | f30ee0f416a9a7b5d76070e6a0ff999c08f44f47 /api/channel.go | |
| parent | c5f105787c7d740eaa9fb01891711a6fb72f7480 (diff) | |
| download | chat-1f609e9cf799ddb6bedd5fe3c0eeb36b92ed243d.tar.gz chat-1f609e9cf799ddb6bedd5fe3c0eeb36b92ed243d.tar.bz2 chat-1f609e9cf799ddb6bedd5fe3c0eeb36b92ed243d.zip | |
Check team member instead of session for team admin role when updating/deleting channels (#3007)
Diffstat (limited to 'api/channel.go')
| -rw-r--r-- | api/channel.go | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/api/channel.go b/api/channel.go index b7a608717..9d36dd2eb 100644 --- a/api/channel.go +++ b/api/channel.go @@ -188,6 +188,7 @@ func updateChannel(c *Context, w http.ResponseWriter, r *http.Request) { sc := Srv.Store.Channel().Get(channel.Id) cmc := Srv.Store.Channel().GetMember(channel.Id, c.Session.UserId) + tmc := Srv.Store.Team().GetMember(c.TeamId, c.Session.UserId) if cresult := <-sc; cresult.Err != nil { c.Err = cresult.Err @@ -195,14 +196,19 @@ func updateChannel(c *Context, w http.ResponseWriter, r *http.Request) { } else if cmcresult := <-cmc; cmcresult.Err != nil { c.Err = cmcresult.Err return + } else if tmcresult := <-tmc; cmcresult.Err != nil { + c.Err = tmcresult.Err + return } else { oldChannel := cresult.Data.(*model.Channel) channelMember := cmcresult.Data.(model.ChannelMember) + teamMember := tmcresult.Data.(model.TeamMember) + if !c.HasPermissionsToTeam(oldChannel.TeamId, "updateChannel") { return } - if !strings.Contains(channelMember.Roles, model.CHANNEL_ROLE_ADMIN) && !strings.Contains(c.Session.Roles, model.ROLE_TEAM_ADMIN) { + if !strings.Contains(channelMember.Roles, model.CHANNEL_ROLE_ADMIN) && !strings.Contains(teamMember.Roles, model.ROLE_TEAM_ADMIN) { c.Err = model.NewLocAppError("updateChannel", "api.channel.update_channel.permission.app_error", nil, "") c.Err.StatusCode = http.StatusForbidden return @@ -636,6 +642,7 @@ func deleteChannel(c *Context, w http.ResponseWriter, r *http.Request) { sc := Srv.Store.Channel().Get(id) scm := Srv.Store.Channel().GetMember(id, c.Session.UserId) + tmc := Srv.Store.Team().GetMember(c.TeamId, c.Session.UserId) uc := Srv.Store.User().Get(c.Session.UserId) ihc := Srv.Store.Webhook().GetIncomingByChannel(id) ohc := Srv.Store.Webhook().GetOutgoingByChannel(id) @@ -649,6 +656,9 @@ func deleteChannel(c *Context, w http.ResponseWriter, r *http.Request) { } else if scmresult := <-scm; scmresult.Err != nil { c.Err = scmresult.Err return + } else if tmcresult := <-tmc; tmcresult.Err != nil { + c.Err = tmcresult.Err + return } else if ihcresult := <-ihc; ihcresult.Err != nil { c.Err = ihcresult.Err return @@ -659,6 +669,7 @@ func deleteChannel(c *Context, w http.ResponseWriter, r *http.Request) { channel := cresult.Data.(*model.Channel) user := uresult.Data.(*model.User) channelMember := scmresult.Data.(model.ChannelMember) + teamMember := tmcresult.Data.(model.TeamMember) incomingHooks := ihcresult.Data.([]*model.IncomingWebhook) outgoingHooks := ohcresult.Data.([]*model.OutgoingWebhook) @@ -666,7 +677,7 @@ func deleteChannel(c *Context, w http.ResponseWriter, r *http.Request) { return } - if !strings.Contains(channelMember.Roles, model.CHANNEL_ROLE_ADMIN) && !strings.Contains(c.Session.Roles, model.ROLE_TEAM_ADMIN) { + if !strings.Contains(channelMember.Roles, model.CHANNEL_ROLE_ADMIN) && !strings.Contains(teamMember.Roles, model.ROLE_TEAM_ADMIN) { c.Err = model.NewLocAppError("deleteChannel", "api.channel.delete_channel.permissions.app_error", nil, "") c.Err.StatusCode = http.StatusForbidden return |