diff options
| author | Christopher Speller <crspeller@gmail.com> | 2017-09-06 20:43:18 -0700 |
|---|---|---|
| committer | Christopher Speller <crspeller@gmail.com> | 2017-09-06 20:43:18 -0700 |
| commit | 77709ccdda86408d5135b8bc71462e2111992358 (patch) | |
| tree | 5efc1631eb6cb31f8768fafeb58612557d98cb59 /api4/oauth.go | |
| parent | fd86a2490ea81eba8e12dcce76455710f182f81c (diff) | |
| parent | e589accdaf38bb82cb5d3b5dd84eadf9bfb58b5c (diff) | |
| download | chat-77709ccdda86408d5135b8bc71462e2111992358.tar.gz chat-77709ccdda86408d5135b8bc71462e2111992358.tar.bz2 chat-77709ccdda86408d5135b8bc71462e2111992358.zip | |
Merge release-4.2
Diffstat (limited to 'api4/oauth.go')
| -rw-r--r-- | api4/oauth.go | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/api4/oauth.go b/api4/oauth.go index 0cd0f5ab9..7cb741cdb 100644 --- a/api4/oauth.go +++ b/api4/oauth.go @@ -57,6 +57,10 @@ func createOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) { return } + if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { + oauthApp.IsTrusted = false + } + oauthApp.CreatorId = c.Session.UserId rapp, err := c.App.CreateOAuthApp(oauthApp) @@ -298,6 +302,11 @@ func authorizeOAuthPage(c *Context, w http.ResponseWriter, r *http.Request) { return } + if !oauthApp.IsValidRedirectURL(authRequest.RedirectUri) { + utils.RenderWebError(model.NewAppError("authorizeOAuthPage", "api.oauth.allow_oauth.redirect_callback.app_error", nil, "", http.StatusBadRequest), w, r) + return + } + isAuthorized := false if _, err := c.App.GetPreferenceByCategoryAndNameForUser(c.Session.UserId, model.PREFERENCE_CATEGORY_AUTHORIZED_OAUTH_APP, authRequest.ClientId); err == nil { |