author | Joram Wilander <jwawilander@gmail.com> | 2017-03-22 11:13:44 -0400 |
committer | Corey Hulen <corey@hulen.com> | 2017-03-22 08:13:44 -0700 |
commit | 61b1237c20bc71334acc4f96606a077a6b8c262a (patch) | |
tree | 57f451ee384bea695440ee92f54d8520af128609 /api4/channel.go | |
parent | 0e98dfa445722d69bd553e5b657db7162d96cd5b (diff) | |
Update channel permissions for v4 endpoints (#5829)
* Fix join channel permission for v4 endpoint
* Allow regular users to get public channels they are not in
* Fix unit test
Diffstat (limited to 'api4/channel.go')
-rw-r--r-- | api4/channel.go | 68 |
1 files changed, 47 insertions, 21 deletions
diff --git a/api4/channel.go b/api4/channel.go
index a4820d729..fd33eb882 100644
--- a/api4/channel.go
+++ b/api4/channel.go
@@ -199,18 +199,26 @@ func getChannel(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if !app.SessionHasPermissionToChannel(c.Session, c.Params.ChannelId, model.PERMISSION_READ_CHANNEL) {
-		c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
+	channel, err := app.GetChannel(c.Params.ChannelId)
+	if err != nil {
+		c.Err = err
 		return
 	}
 
-	if channel, err := app.GetChannel(c.Params.ChannelId); err != nil {
-		c.Err = err
-		return
+	if channel.Type == model.CHANNEL_OPEN {
+		if !app.SessionHasPermissionToTeam(c.Session, channel.TeamId, model.PERMISSION_READ_PUBLIC_CHANNEL) {
+			c.SetPermissionError(model.PERMISSION_READ_PUBLIC_CHANNEL)
+			return
+		}
 	} else {
-		w.Write([]byte(channel.ToJson()))
-		return
+		if !app.SessionHasPermissionToChannel(c.Session, c.Params.ChannelId, model.PERMISSION_READ_CHANNEL) {
+			c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
+			return
+		}
 	}
+
+	w.Write([]byte(channel.ToJson()))
+	return
 }
 
 func getChannelUnread(c *Context, w http.ResponseWriter, r *http.Request) {
@@ -328,13 +336,19 @@ func getChannelByName(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_READ_CHANNEL) {
-		c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
-		return
+	if channel.Type == model.CHANNEL_OPEN {
+		if !app.SessionHasPermissionToTeam(c.Session, channel.TeamId, model.PERMISSION_READ_PUBLIC_CHANNEL) {
+			c.SetPermissionError(model.PERMISSION_READ_PUBLIC_CHANNEL)
+			return
+		}
+	} else {
+		if !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_READ_CHANNEL) {
+			c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
+			return
+		}
 	}
 
 	w.Write([]byte(channel.ToJson()))
-	return
 }
 
 func getChannelByNameForTeamName(c *Context, w http.ResponseWriter, r *http.Request) {
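Review bot: In getChannel the channel is now fetched before any authorization check, so a caller with no access to a channel can tell from the response whether c.Params.ChannelId exists (not-found error versus permission error), which the old order did not reveal. The open-channel branch needs channel.TeamId, so fetching first is hard to avoid, but the trade-off should be stated at the fetch: `// Fetch before authorizing: the public-channel check needs TeamId, so a not-found here is visible to any authenticated user`. getChannelByName in the second hunk already fetches before checking (the fetch sits above the hunk), so the two handlers are at least consistent. On style, the first hunk adds a bare trailing `return` at the end of getChannel while the second hunk removes the equivalent one from getChannelByName; the one in getChannel should go too.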
@@ -525,9 +539,19 @@ func addChannelMember(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if channel.Type == model.CHANNEL_OPEN && !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS) {
-		c.SetPermissionError(model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS)
-		return
+	// Check join permission if adding yourself, otherwise check manage permission
+	if channel.Type == model.CHANNEL_OPEN {
+		if member.UserId == c.Session.UserId {
+			if !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_JOIN_PUBLIC_CHANNELS) {
+				c.SetPermissionError(model.PERMISSION_JOIN_PUBLIC_CHANNELS)
+				return
+			}
+		} else {
+			if !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS) {
+				c.SetPermissionError(model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS)
+				return
+			}
+		}
 	}
 
 	if channel.Type == model.CHANNEL_PRIVATE && !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS) {
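Review bot: The two inner branches of the open-channel block differ only in which permission they check and report, so the three-deep nesting can be flattened by picking the permission first and running one check, which also keeps the error reported in sync with the permission tested. Note that the join check runs against channel.Id for a user who by definition is not yet a member of that channel; whether app.SessionHasPermissionToChannel falls back to the user's team roles in that case is not visible in this hunk, so a unit test for a non-member self-joining a public channel is worth keeping alongside the "Fix unit test" commit item. The private-channel check below the hunk still requires manage permission even when member.UserId is the session user, which looks intentional but deserves a word in the comment. addChannelMember begins and ends outside this hunk.
```go
	// Joining yourself needs the join permission; adding anyone else needs manage permission.
	if channel.Type == model.CHANNEL_OPEN {
		permission := model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS
		if member.UserId == c.Session.UserId {
			permission = model.PERMISSION_JOIN_PUBLIC_CHANNELS
		}
		if !app.SessionHasPermissionToChannel(c.Session, channel.Id, permission) {
			c.SetPermissionError(permission)
			return
		}
	}
	// … unchanged: private-channel manage check …
```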
@@ -557,14 +581,16 @@ func removeChannelMember(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if channel.Type == model.CHANNEL_OPEN && !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS) {
-		c.SetPermissionError(model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS)
-		return
-	}
+	if c.Params.UserId != c.Session.UserId {
+		if channel.Type == model.CHANNEL_OPEN && !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS) {
+			c.SetPermissionError(model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS)
+			return
+		}
 
-	if channel.Type == model.CHANNEL_PRIVATE && !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS) {
-		c.SetPermissionError(model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS)
-		return
+		if channel.Type == model.CHANNEL_PRIVATE && !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS) {
+			c.SetPermissionError(model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS)
+			return
+		}
 	}
 
 	if err = app.RemoveUserFromChannel(c.Params.UserId, c.Session.UserId, channel, c.GetSiteURL()); err != nil {
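Review bot: When c.Params.UserId equals the session user, removeChannelMember now performs no permission check at all, for private channels as well as public ones, and nothing in the hunk confirms that the caller is actually a member of the channel or that the channel is one a user is allowed to leave (a team's default channel, a direct channel). That enforcement therefore has to live in app.RemoveUserFromChannel, which is called with both ids on the last line; presumably it rejects such cases, but that is not visible here and the commit description does not mention self-removal, so it deserves a test. The guard should state what it relies on: `// Removing yourself needs no manage permission; RemoveUserFromChannel is relied on to reject leaving channels that cannot be left`. removeChannelMember begins and ends outside this hunk.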