Various patches

author: JoramWilander <jwawilander@gmail.com> 2017-09-06 16:24:34 -0400
committer: JoramWilander <jwawilander@gmail.com> 2017-09-06 16:24:34 -0400
commit: d38328976e2c8bb0fab91e656042a0d8ac37bc76 (patch)
tree: 7e3d1a96a007accfcea499857541f96890846122 /api4/oauth.go
parent: f968c56890bd84295672ee0d46cc846cac2dbd47 (diff)
download: chat-d38328976e2c8bb0fab91e656042a0d8ac37bc76.tar.gz
chat-d38328976e2c8bb0fab91e656042a0d8ac37bc76.tar.bz2
chat-d38328976e2c8bb0fab91e656042a0d8ac37bc76.zip
1 files changed, 9 insertions, 0 deletions
diff --git a/api4/oauth.go b/api4/oauth.go
index ae5035fdc..392129143 100644
--- a/api4/oauth.go
+++ b/api4/oauth.go
@@ -57,6 +57,10 @@ func createOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+		oauthApp.IsTrusted = false
+	}
+
 	oauthApp.CreatorId = c.Session.UserId
 
 	rapp, err := app.CreateOAuthApp(oauthApp)
@@ -298,6 +302,11 @@ func authorizeOAuthPage(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if !oauthApp.IsValidRedirectURL(authRequest.RedirectUri) {
+		utils.RenderWebError(model.NewAppError("authorizeOAuthPage", "api.oauth.allow_oauth.redirect_callback.app_error", nil, "", http.StatusBadRequest), w, r)
+		return
+	}
+
 	isAuthorized := false
 
 	if _, err := app.GetPreferenceByCategoryAndNameForUser(c.Session.UserId, model.PREFERENCE_CATEGORY_AUTHORIZED_OAUTH_APP, authRequest.ClientId); err == nil {
author	JoramWilander <jwawilander@gmail.com>	2017-09-06 16:24:34 -0400
committer	JoramWilander <jwawilander@gmail.com>	2017-09-06 16:24:34 -0400
commit	d38328976e2c8bb0fab91e656042a0d8ac37bc76 (patch)
tree	7e3d1a96a007accfcea499857541f96890846122 /api4/oauth.go
parent	f968c56890bd84295672ee0d46cc846cac2dbd47 (diff)
download	chat-d38328976e2c8bb0fab91e656042a0d8ac37bc76.tar.gz chat-d38328976e2c8bb0fab91e656042a0d8ac37bc76.tar.bz2 chat-d38328976e2c8bb0fab91e656042a0d8ac37bc76.zip