authorJonathan <jonfritz@gmail.com>2017-10-04 11:12:13 -0400
committerChristopher Speller <crspeller@gmail.com>2017-10-04 08:12:13 -0700
commitfa80cb10a8ad047f9504c49ed2671d31650d1878 (patch)
treec22a3ee08c57649e1721f272f9d87159411b3967 /api4/command.go
parentf94b807f3973d824d8512c94e2a49b510005e56f (diff)
PLT-7785: Slash commands can be issued to a channel in a team without it (#7567)
* Ensured that specified channel is a part of specified team
* Simplified approach to just infer team id from specified channel id to eliminate the attack vector entirely
Diffstat (limited to 'api4/command.go')
-rw-r--r--api4/command.go9
1 files changed, 3 insertions, 6 deletions
diff --git a/api4/command.go b/api4/command.go
index d051d57f6..4314a184d 100644
--- a/api4/command.go
+++ b/api4/command.go
@@ -212,12 +212,9 @@ func executeCommand(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if commandArgs.TeamId == "" {
- commandArgs.TeamId = channel.TeamId
- } else if c.Session.GetTeamByTeamId(commandArgs.TeamId) == nil {
- c.SetPermissionError(model.PERMISSION_USE_SLASH_COMMANDS)
- return
- }
+ // team id is implicitly taken from channel so that slash commands
+ // created on some other team can't be run against this one
+ commandArgs.TeamId = channel.TeamId
commandArgs.UserId = c.Session.UserId
commandArgs.T = c.T
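Review bot: The unconditional `commandArgs.TeamId = channel.TeamId` discards the client-supplied team even when the channel itself carries no team id, and nothing in the hunk shows that `channel.TeamId` is always non-empty. If some channel types (for example direct-message channels, which are not visible here) have an empty `TeamId`, the command would run with no team context, and the removed `GetTeamByTeamId` membership check is no longer available as a fallback. Consider taking the team from the channel whenever it has one, and otherwise keeping the session-membership check on the supplied value so the cross-team case stays closed. A regression test that issues a command against a channel belonging to another team, plus one for a team-less channel, would pin both paths. executeCommand begins and ends outside this hunk, so the channel lookup above is assumed to have already verified access to the channel.

```go
// … unchanged: channel lookup and permission check …
if channel.TeamId != "" {
	// team id is implicitly taken from channel so that slash commands
	// created on some other team can't be run against this one
	commandArgs.TeamId = channel.TeamId
} else if c.Session.GetTeamByTeamId(commandArgs.TeamId) == nil {
	// channel has no team of its own: accept a client-supplied team only
	// if the session is a member of it
	c.SetPermissionError(model.PERMISSION_USE_SLASH_COMMANDS)
	return
}
// … unchanged: commandArgs.UserId / commandArgs.T assignment …
```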