diff options
author | Christopher Speller <crspeller@gmail.com> | 2016-09-13 12:42:48 -0400 |
---|---|---|
committer | Joram Wilander <jwawilander@gmail.com> | 2016-09-13 12:42:48 -0400 |
commit | 1e7985a87a72bea9a308cf1506dacc828c6e2e1c (patch) | |
tree | d4251391dc74a9ff4628dd1bed551c34d806a1b6 /api/post.go | |
parent | 05af5d14b8d07b010c70750ae1ac5ddf22c120a7 (diff) | |
download | chat-1e7985a87a72bea9a308cf1506dacc828c6e2e1c.tar.gz chat-1e7985a87a72bea9a308cf1506dacc828c6e2e1c.tar.bz2 chat-1e7985a87a72bea9a308cf1506dacc828c6e2e1c.zip |
Modifying permissions system. (#3897)
Diffstat (limited to 'api/post.go')
-rw-r--r-- | api/post.go | 56 |
1 files changed, 29 insertions, 27 deletions
diff --git a/api/post.go b/api/post.go index 9a11a5c59..c43bc9843 100644 --- a/api/post.go +++ b/api/post.go @@ -59,10 +59,24 @@ func createPost(c *Context, w http.ResponseWriter, r *http.Request) { } post.UserId = c.Session.UserId - // Create and save post object to channel - cchan := Srv.Store.Channel().CheckPermissionsTo(c.TeamId, post.ChannelId, c.Session.UserId) + cchan := Srv.Store.Channel().Get(post.ChannelId) + + if !HasPermissionToChannelContext(c, post.ChannelId, model.PERMISSION_CREATE_POST) { + return + } + + // Check that channel has not been deleted + var channel *model.Channel + if result := <-cchan; result.Err != nil { + c.SetInvalidParam("createPost", "post.channelId") + return + } else { + channel = result.Data.(*model.Channel) + } - if !c.HasPermissionsToChannel(cchan, "createPost") { + if channel.DeleteAt != 0 { + c.Err = model.NewLocAppError("createPost", "api.post.create_post.can_not_post_to_deleted.error", nil, "") + c.Err.StatusCode = http.StatusBadRequest return } @@ -1099,10 +1113,9 @@ func updatePost(c *Context, w http.ResponseWriter, r *http.Request) { return } - cchan := Srv.Store.Channel().CheckPermissionsTo(c.TeamId, post.ChannelId, c.Session.UserId) pchan := Srv.Store.Post().Get(post.Id) - if !c.HasPermissionsToChannel(cchan, "updatePost") { + if !HasPermissionToChannelContext(c, post.ChannelId, model.PERMISSION_EDIT_POST) { return } @@ -1204,10 +1217,9 @@ func getPosts(c *Context, w http.ResponseWriter, r *http.Request) { return } - cchan := Srv.Store.Channel().CheckPermissionsTo(c.TeamId, id, c.Session.UserId) etagChan := Srv.Store.Post().GetEtag(id) - if !c.HasPermissionsToChannel(cchan, "getPosts") { + if !HasPermissionToChannelContext(c, id, model.PERMISSION_CREATE_POST) { return } @@ -1246,10 +1258,9 @@ func getPostsSince(c *Context, w http.ResponseWriter, r *http.Request) { return } - cchan := Srv.Store.Channel().CheckPermissionsTo(c.TeamId, id, c.Session.UserId) pchan := Srv.Store.Post().GetPostsSince(id, time) - if !c.HasPermissionsToChannel(cchan, "getPostsSince") { + if !HasPermissionToChannelContext(c, id, model.PERMISSION_READ_CHANNEL) { return } @@ -1279,10 +1290,9 @@ func getPost(c *Context, w http.ResponseWriter, r *http.Request) { return } - cchan := Srv.Store.Channel().CheckPermissionsTo(c.TeamId, channelId, c.Session.UserId) pchan := Srv.Store.Post().Get(postId) - if !c.HasPermissionsToChannel(cchan, "getPost") { + if !HasPermissionToChannelContext(c, channelId, model.PERMISSION_READ_CHANNEL) { return } @@ -1326,8 +1336,7 @@ func getPostById(c *Context, w http.ResponseWriter, r *http.Request) { } post := list.Posts[list.Order[0]] - cchan := Srv.Store.Channel().CheckPermissionsTo(c.TeamId, post.ChannelId, c.Session.UserId) - if !c.HasPermissionsToChannel(cchan, "getPostById") { + if !HasPermissionToChannelContext(c, post.ChannelId, model.PERMISSION_READ_CHANNEL) { return } @@ -1361,12 +1370,7 @@ func getPermalinkTmp(c *Context, w http.ResponseWriter, r *http.Request) { } post := list.Posts[list.Order[0]] - if !c.HasPermissionsToTeam(c.TeamId, "permalink") { - return - } - - cchan := Srv.Store.Channel().CheckPermissionsTo(c.TeamId, post.ChannelId, c.Session.UserId) - if !c.HasPermissionsToChannel(cchan, "getPermalinkTmp") { + if !HasPermissionToChannelContext(c, post.ChannelId, model.PERMISSION_READ_CHANNEL) { // If we don't have permissions attempt to join the channel to fix the problem if err, _ := JoinChannelById(c, c.Session.UserId, post.ChannelId); err != nil { // On error just return with permissions error @@ -1402,7 +1406,10 @@ func deletePost(c *Context, w http.ResponseWriter, r *http.Request) { return } - cchan := Srv.Store.Channel().CheckPermissionsTo(c.TeamId, channelId, c.Session.UserId) + if !HasPermissionToChannelContext(c, channelId, model.PERMISSION_EDIT_POST) { + return + } + pchan := Srv.Store.Post().Get(postId) if result := <-pchan; result.Err != nil { @@ -1412,10 +1419,6 @@ func deletePost(c *Context, w http.ResponseWriter, r *http.Request) { post := result.Data.(*model.PostList).Posts[postId] - if !c.HasPermissionsToChannel(cchan, "deletePost") && !c.IsTeamAdmin() { - return - } - if post == nil { c.SetInvalidParam("deletePost", "postId") return @@ -1427,7 +1430,7 @@ func deletePost(c *Context, w http.ResponseWriter, r *http.Request) { return } - if post.UserId != c.Session.UserId && !c.IsTeamAdmin() { + if post.UserId != c.Session.UserId && !HasPermissionToChannelContext(c, post.ChannelId, model.PERMISSION_EDIT_OTHERS_POSTS) { c.Err = model.NewLocAppError("deletePost", "api.post.delete_post.permissions.app_error", nil, "") c.Err.StatusCode = http.StatusForbidden return @@ -1507,11 +1510,10 @@ func getPostsBeforeOrAfter(c *Context, w http.ResponseWriter, r *http.Request, b return } - cchan := Srv.Store.Channel().CheckPermissionsTo(c.TeamId, id, c.Session.UserId) // We can do better than this etag in this situation etagChan := Srv.Store.Post().GetEtag(id) - if !c.HasPermissionsToChannel(cchan, "getPostsBeforeOrAfter") { + if !HasPermissionToChannelContext(c, id, model.PERMISSION_READ_CHANNEL) { return } |