author | Jonathan <jonfritz@gmail.com> | 2017-10-04 11:12:13 -0400 |
---|---|---|
committer | Christopher Speller <crspeller@gmail.com> | 2017-10-04 08:12:13 -0700 |
commit | fa80cb10a8ad047f9504c49ed2671d31650d1878 (patch) | |
tree | c22a3ee08c57649e1721f272f9d87159411b3967 /api4/command.go | |
parent | f94b807f3973d824d8512c94e2a49b510005e56f (diff) | |
PLT-7785: Slash commands can be issued to a channel in a team without it (#7567)
* Ensured that specified channel is a part of specified team
* Simplified approach to just infer team id from specified channel id to eliminate the attack vector entirely
Diffstat (limited to 'api4/command.go')
-rw-r--r-- | api4/command.go | 9 |
1 files changed, 3 insertions, 6 deletions
diff --git a/api4/command.go b/api4/command.go
index d051d57f6..4314a184d 100644
--- a/api4/command.go
+++ b/api4/command.go
@@ -212,12 +212,9 @@ func executeCommand(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
- if commandArgs.TeamId == "" {
- commandArgs.TeamId = channel.TeamId
- } else if c.Session.GetTeamByTeamId(commandArgs.TeamId) == nil {
- c.SetPermissionError(model.PERMISSION_USE_SLASH_COMMANDS)
- return
- }
+ // team id is implicitly taken from channel so that slash commands
+ // created on some other team can't be run against this one
+ commandArgs.TeamId = channel.TeamId
 commandArgs.UserId = c.Session.UserId
 commandArgs.T = c.T
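Review bot: A client-supplied team_id that disagrees with the channel's team is now silently overwritten by `commandArgs.TeamId = channel.TeamId`, where the removed branch at least rejected an unknown team; silently discarding it hides client bugs and removes the only signal a defender would have that a request tried to name a foreign team. Consider rejecting the mismatch before the assignment: `if commandArgs.TeamId != "" && commandArgs.TeamId != channel.TeamId { c.SetInvalidParam("team_id"); return }`, so the unconditional assignment then only fills in an omitted value. The new comment should also state what the fix depends on, e.g. `// channel was already authorized for this session above; the team id is derived from it so a client cannot point a command at a team it is not a member of`, since the cross-team guarantee now rests entirely on the channel lookup and permission check that precede line 212, which are outside this hunk and presumably unchanged. executeCommand begins before the hunk and continues after it.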