PLT-2057 User as a first class object (#2648)

* Adding TeamMember to system

* Fixing all unit tests on the backend

* Fixing merge conflicts

* Fixing merge conflict

* Adding javascript unit tests

* Adding TeamMember to system

* Fixing all unit tests on the backend

* Fixing merge conflicts

* Fixing merge conflict

* Adding javascript unit tests

* Adding client side unit test

* Cleaning up the clint side tests

* Fixing msg

* Adding more client side unit tests

* Adding more using tests

* Adding last bit of client side unit tests and adding make cmd

* Fixing bad merge

* Fixing libraries

* Updating to new client side API

* Fixing borken unit test

* Fixing unit tests

* ugg...trying to beat gofmt

* ugg...trying to beat gofmt

* Cleaning up remainder of the server side routes

* Adding inital load api

* Increased coverage of webhook unit tests (#2660)

* Adding loading ... to root html

* Fixing bad merge

* Removing explicit content type so superagent will guess corectly (#2685)

* Fixing merge and unit tests

* Adding create team UI

* Fixing signup flows

* Adding LDAP unit tests and enterprise unit test helper (#2702)

* Add the ability to reset MFA from the commandline (#2706)

* Fixing compliance unit tests

* Fixing client side tests

* Adding open server to system console

* Moving websocket connection

* Fixing unit test

* Fixing unit tests

* Fixing unit tests

* Adding nickname and more LDAP unit tests (#2717)

* Adding join open teams

* Cleaning up all TODOs in the code

* Fixing web sockets

* Removing unused webockets file

* PLT-2533 Add the ability to reset a user's MFA from the system console (#2715)

* Add the ability to reset a user's MFA from the system console

* Add client side unit test for adminResetMfa

* Reorganizing authentication to fix LDAP error message (#2723)

* Fixing failing unit test

* Initial upgrade db code

* Adding upgrade script

* Fixing upgrade script after running on core

* Update OAuth and Claim routes to work with user model changes (#2739)

* Fixing perminant deletion. Adding ability to delete all user and the entire database (#2740)

* Fixing team invite ldap login call (#2741)

* Fixing bluebar and some img stuff

* Fix all the different file upload web utils (#2743)

* Fixing invalid session redirect (#2744)

* Redirect on bad channel name (#2746)

* Fixing a bunch of issue and removing dead code

* Patch to fix error message on leave channel (#2747)

* Setting EnableOpenServer to false by default

* Fixing config

* Fixing upgrade

* Fixing reported bugs

* Bug fixes for PLT-2057

* PLT-2563 Redo password recovery to use a database table (#2745)

* Redo password recovery to use a database table

* Update reset password audits

* Split out admin and user reset password APIs to be separate

* Delete password recovery when user is permanently deleted

* Consolidate password resetting into a single function

* Removed private channels as an option for outgoing webhooks (#2752)

* PLT-2577/PLT-2552 Fixes for backstage (#2753)

* Added URL to incoming webhook list

* Fixed client functions for adding/removing integrations

* Disallowed slash commands without trigger words

* Fixed clientside handling of errors on AddCommand page

* Minor auth cleanup (#2758)

* Changed EditPostModal to just close if you save without making any changes (#2759)

* Renamed client -> Client in async_client.jsx and fixed eslint warnings (#2756)

* Fixed url in channel info modal (#2755)

* Fixing reported issues

* Moving to version 3 of the apis

* Fixing command unit tests (#2760)

* Adding team admins

* Fixing DM issue

* Fixing eslint error

* Properly set EditPostModal's originalText state in all cases (#2762)

* Update client config check to assume features is defined if server is licensed (#2772)

* Fixing url link

* Fixing issue with websocket crashing when sending messages to different teams

1 files changed, 100 insertions, 57 deletions

diff --git a/api/context.go b/api/context.go
index 56c8c86d2..8bbd5a1d2 100644
--- a/api/context.go
+++ b/api/context.go
@@ -11,10 +11,12 @@ import (
 	"strings"
 
 	l4g "github.com/alecthomas/log4go"
+	"github.com/gorilla/mux"
+	goi18n "github.com/nicksnyder/go-i18n/i18n"
+
 	"github.com/mattermost/platform/model"
 	"github.com/mattermost/platform/store"
 	"github.com/mattermost/platform/utils"
-	goi18n "github.com/nicksnyder/go-i18n/i18n"
 )
 
 var sessionCache *utils.Cache = utils.NewLru(model.SESSION_CACHE_SIZE)
@@ -39,6 +41,7 @@ type Context struct {
 	siteURL      string
 	T            goi18n.TranslateFunc
 	Locale       string
+	TeamId       string
 }
 
 func ApiAppHandler(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
@@ -94,6 +97,8 @@ func (h handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	c.T, c.Locale = utils.GetTranslationsAndLocale(w, r)
 	c.RequestId = model.NewId()
 	c.IpAddress = GetIpAddress(r)
+	c.TeamId = mux.Vars(r)["team_id"]
+	h.isApi = IsApiCall(r)
 
 	token := ""
 	isTokenFromQueryString := false
@@ -116,7 +121,7 @@ func (h handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 
 			if (h.requireSystemAdmin || h.requireUser) && !h.trustRequester {
 				if r.Header.Get(model.HEADER_REQUESTED_WITH) != model.HEADER_REQUESTED_WITH_XML {
-					c.Err = model.NewLocAppError("ServeHTTP", "api.context.session_expired.app_error", nil, "token="+token)
+					c.Err = model.NewLocAppError("ServeHTTP", "api.context.session_expired.app_error", nil, "token="+token+" Appears to bea CSRF attempt")
 					token = ""
 				}
 			}
@@ -182,6 +187,10 @@ func (h handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		c.SystemAdminRequired()
 	}
 
+	if c.Err == nil && len(c.TeamId) > 0 {
+		c.HasPermissionsToTeam(c.TeamId, "TeamRoute")
+	}
+
 	if c.Err == nil && h.isUserActivity && token != "" && len(c.Session.UserId) > 0 {
 		go func() {
 			if err := (<-Srv.Store.User().UpdateUserAndSessionActivity(c.Session.UserId, c.Session.Id, model.GetMillis())).Err; err != nil {
@@ -308,13 +317,14 @@ func (c *Context) HasPermissionsToUser(userId string, where string) bool {
 }
 
 func (c *Context) HasPermissionsToTeam(teamId string, where string) bool {
-	if c.Session.TeamId == teamId {
+	if c.IsSystemAdmin() {
 		return true
 	}
 
-	// You're a mattermost system admin and you're on the VPN
-	if c.IsSystemAdmin() {
-		return true
+	for _, teamMember := range c.Session.TeamMembers {
+		if teamId == teamMember.TeamId {
+			return true
+		}
 	}
 
 	c.Err = model.NewLocAppError(where, "api.context.permissions.app_error", nil, "userId="+c.Session.UserId+", teamId="+teamId)
@@ -353,10 +363,17 @@ func (c *Context) IsSystemAdmin() bool {
 }
 
 func (c *Context) IsTeamAdmin() bool {
-	if model.IsInRole(c.Session.Roles, model.ROLE_TEAM_ADMIN) || c.IsSystemAdmin() {
+
+	if c.IsSystemAdmin() {
 		return true
 	}
-	return false
+
+	team := c.Session.GetTeamByTeamId(c.TeamId)
+	if team == nil {
+		return false
+	}
+
+	return model.IsInRole(team.Roles, model.ROLE_TEAM_ADMIN)
 }
 
 func (c *Context) RemoveSessionCookie(w http.ResponseWriter, r *http.Request) {
@@ -386,7 +403,7 @@ func (c *Context) setTeamURL(url string, valid bool) {
 }
 
 func (c *Context) SetTeamURLFromSession() {
-	if result := <-Srv.Store.Team().Get(c.Session.TeamId); result.Err == nil {
+	if result := <-Srv.Store.Team().Get(c.TeamId); result.Err == nil {
 		c.setTeamURL(c.GetSiteURL()+"/"+result.Data.(*model.Team).Name, true)
 	}
 }
@@ -413,6 +430,10 @@ func (c *Context) GetSiteURL() string {
 	return c.siteURL
 }
 
+func IsApiCall(r *http.Request) bool {
+	return strings.Index(r.URL.Path, "/api/") == 0
+}
+
 func GetIpAddress(r *http.Request) string {
 	address := r.Header.Get(model.HEADER_FORWARDED)
 
@@ -427,69 +448,69 @@ func GetIpAddress(r *http.Request) string {
 	return address
 }
 
-func IsTestDomain(r *http.Request) bool {
+// func IsTestDomain(r *http.Request) bool {
 
-	if strings.Index(r.Host, "localhost") == 0 {
-		return true
-	}
+// 	if strings.Index(r.Host, "localhost") == 0 {
+// 		return true
+// 	}
 
-	if strings.Index(r.Host, "dockerhost") == 0 {
-		return true
-	}
+// 	if strings.Index(r.Host, "dockerhost") == 0 {
+// 		return true
+// 	}
 
-	if strings.Index(r.Host, "test") == 0 {
-		return true
-	}
+// 	if strings.Index(r.Host, "test") == 0 {
+// 		return true
+// 	}
 
-	if strings.Index(r.Host, "127.0.") == 0 {
-		return true
-	}
+// 	if strings.Index(r.Host, "127.0.") == 0 {
+// 		return true
+// 	}
 
-	if strings.Index(r.Host, "192.168.") == 0 {
-		return true
-	}
+// 	if strings.Index(r.Host, "192.168.") == 0 {
+// 		return true
+// 	}
 
-	if strings.Index(r.Host, "10.") == 0 {
-		return true
-	}
+// 	if strings.Index(r.Host, "10.") == 0 {
+// 		return true
+// 	}
 
-	if strings.Index(r.Host, "176.") == 0 {
-		return true
-	}
+// 	if strings.Index(r.Host, "176.") == 0 {
+// 		return true
+// 	}
 
-	return false
-}
+// 	return false
+// }
 
-func IsBetaDomain(r *http.Request) bool {
+// func IsBetaDomain(r *http.Request) bool {
 
-	if strings.Index(r.Host, "beta") == 0 {
-		return true
-	}
+// 	if strings.Index(r.Host, "beta") == 0 {
+// 		return true
+// 	}
 
-	if strings.Index(r.Host, "ci") == 0 {
-		return true
-	}
+// 	if strings.Index(r.Host, "ci") == 0 {
+// 		return true
+// 	}
 
-	return false
-}
+// 	return false
+// }
 
-var privateIpAddress = []*net.IPNet{
-	{IP: net.IPv4(10, 0, 0, 1), Mask: net.IPv4Mask(255, 0, 0, 0)},
-	{IP: net.IPv4(176, 16, 0, 1), Mask: net.IPv4Mask(255, 255, 0, 0)},
-	{IP: net.IPv4(192, 168, 0, 1), Mask: net.IPv4Mask(255, 255, 255, 0)},
-	{IP: net.IPv4(127, 0, 0, 1), Mask: net.IPv4Mask(255, 255, 255, 252)},
-}
+// var privateIpAddress = []*net.IPNet{
+// 	{IP: net.IPv4(10, 0, 0, 1), Mask: net.IPv4Mask(255, 0, 0, 0)},
+// 	{IP: net.IPv4(176, 16, 0, 1), Mask: net.IPv4Mask(255, 255, 0, 0)},
+// 	{IP: net.IPv4(192, 168, 0, 1), Mask: net.IPv4Mask(255, 255, 255, 0)},
+// 	{IP: net.IPv4(127, 0, 0, 1), Mask: net.IPv4Mask(255, 255, 255, 252)},
+// }
 
-func IsPrivateIpAddress(ipAddress string) bool {
+// func IsPrivateIpAddress(ipAddress string) bool {
 
-	for _, pips := range privateIpAddress {
-		if pips.Contains(net.ParseIP(ipAddress)) {
-			return true
-		}
-	}
+// 	for _, pips := range privateIpAddress {
+// 		if pips.Contains(net.ParseIP(ipAddress)) {
+// 			return true
+// 		}
+// 	}
 
-	return false
-}
+// 	return false
+// }
 
 func RenderWebError(err *model.AppError, w http.ResponseWriter, r *http.Request) {
 	T, _ := utils.GetTranslationsAndLocale(w, r)
@@ -513,9 +534,17 @@ func RenderWebError(err *model.AppError, w http.ResponseWriter, r *http.Request)
 
 func Handle404(w http.ResponseWriter, r *http.Request) {
 	err := model.NewLocAppError("Handle404", "api.context.404.app_error", nil, "")
+	err.Translate(utils.T)
 	err.StatusCode = http.StatusNotFound
 	l4g.Error("%v: code=404 ip=%v", r.URL.Path, GetIpAddress(r))
-	RenderWebError(err, w, r)
+
+	if IsApiCall(r) {
+		w.WriteHeader(err.StatusCode)
+		err.DetailedError = "There doesn't appear to be an api call for the url='" + r.URL.Path + "'.  Typo? are you missing a team_id or user_id as part of the url?"
+		w.Write([]byte(err.ToJson()))
+	} else {
+		RenderWebError(err, w, r)
+	}
 }
 
 func GetSession(token string) *model.Session {
@@ -542,6 +571,20 @@ func GetSession(token string) *model.Session {
 	return session
 }
 
+func RemoveAllSessionsForUserId(userId string) {
+
+	keys := sessionCache.Keys()
+
+	for _, key := range keys {
+		if ts, ok := sessionCache.Get(key); ok {
+			session := ts.(*model.Session)
+			if session.UserId == userId {
+				sessionCache.Remove(key)
+			}
+		}
+	}
+}
+
 func AddSessionToCache(session *model.Session) {
 	sessionCache.AddWithExpiresInSecs(session.Token, session, int64(*utils.Cfg.ServiceSettings.SessionCacheInMinutes*60))
 }