diff options
| author | George Goldberg <george@gberg.me> | 2017-03-02 14:08:00 +0000 |
|---|---|---|
| committer | Corey Hulen <corey@hulen.com> | 2017-03-02 09:08:00 -0500 |
| commit | f4aebed220667f0022bc902420c62d9841835e80 (patch) | |
| tree | 5b85700ff1e99927571a20cc2fc9e1aba1109b2f /api/post.go | |
| parent | 991925b7ee5ddfc45cc28943ea4e9ce68025438a (diff) | |
| download | chat-f4aebed220667f0022bc902420c62d9841835e80.tar.gz chat-f4aebed220667f0022bc902420c62d9841835e80.tar.bz2 chat-f4aebed220667f0022bc902420c62d9841835e80.zip | |
PLT-5355: Fix permalink to private/direct channels. (#5574)
Appropriate permission checks depend on the type of channel this
permalink links to.
Diffstat (limited to 'api/post.go')
| -rw-r--r-- | api/post.go | 19 |
1 files changed, 17 insertions, 2 deletions
diff --git a/api/post.go b/api/post.go index b6539ed54..9c22dc5ee 100644 --- a/api/post.go +++ b/api/post.go @@ -264,11 +264,26 @@ func getPermalinkTmp(c *Context, w http.ResponseWriter, r *http.Request) { return } - if !app.HasPermissionToChannelByPost(c.Session.UserId, postId, model.PERMISSION_JOIN_PUBLIC_CHANNELS) { - c.SetPermissionError(model.PERMISSION_JOIN_PUBLIC_CHANNELS) + var channel *model.Channel + if result := <-app.Srv.Store.Channel().GetForPost(postId); result.Err == nil { + channel = result.Data.(*model.Channel) + } else { + c.SetInvalidParam("getPermalinkTmp", "postId") return } + if channel.Type == model.CHANNEL_OPEN { + if !app.HasPermissionToChannelByPost(c.Session.UserId, postId, model.PERMISSION_JOIN_PUBLIC_CHANNELS) { + c.SetPermissionError(model.PERMISSION_JOIN_PUBLIC_CHANNELS) + return + } + } else { + if !app.HasPermissionToChannelByPost(c.Session.UserId, postId, model.PERMISSION_READ_CHANNEL) { + c.SetPermissionError(model.PERMISSION_READ_CHANNEL) + return + } + } + if list, err := app.GetPermalinkPost(postId, c.Session.UserId); err != nil { c.Err = err return |