authorJoram Wilander <jwawilander@gmail.com>2017-10-04 11:04:56 -0400
committerGitHub <noreply@github.com>2017-10-04 11:04:56 -0400
commite05edf85cfc0c16f3232a53c106f613ab366f11a (patch)
tree2e057c2125ec6ffced197ffefa16c20235941212 /api4/user.go
parentaffd35071ea155069979fd359726296de8aa6aaf (diff)
PLT-7781 Some more OAuth fixes (#7568)
* Some other oauth fixes * Fix unit test
Diffstat (limited to 'api4/user.go')
-rw-r--r--api4/user.go46
1 files changed, 46 insertions, 0 deletions
diff --git a/api4/user.go b/api4/user.go
index e46ded670..ae1b2418c 100644
--- a/api4/user.go
+++ b/api4/user.go
@@ -537,6 +537,20 @@ func updateUser(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
+ if c.Session.IsOAuth {
+ ouser, err := c.App.GetUser(user.Id)
+ if err != nil {
+ c.Err = err
+ return
+ }
+
+ if ouser.Email != user.Email {
+ c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
+ c.Err.DetailedError += ", attempted email update by oauth app"
+ return
+ }
+ }
+
if ruser, err := c.App.UpdateUserAsUser(user, c.IsSystemAdmin()); err != nil {
c.Err = err
return
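Review bot: The email-change guard at the top of this hunk is repeated almost verbatim in patchUser's hunk below, differing only in where the user id and the candidate email come from; a shared helper such as `func rejectOAuthEmailChange(c *Context, userId, newEmail string) bool` that does the GetUser lookup, sets the permission error with the `, attempted email update by oauth app` detail and reports whether the handler should return would keep the two paths from drifting. The call sites then reduce to `if rejectOAuthEmailChange(c, user.Id, user.Email) { return }` here and `if patch.Email != nil && rejectOAuthEmailChange(c, c.Params.UserId, *patch.Email) { return }` in patchUser. The comparison `ouser.Email != user.Email` is byte-exact, so resubmitting the stored address with different casing is treated as a change; that fails closed, but if emails are normalized before storage the same normalization should be applied here, which cannot be confirmed from the hunk. A short comment on the guard stating the intent, `// OAuth app sessions may not change the account's email; surfaced as an edit-other-users permission failure.`, would also explain why PERMISSION_EDIT_OTHER_USERS is the error returned for what is otherwise a self-edit. updateUser's body starts before this hunk and continues after it.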
@@ -563,6 +577,20 @@ func patchUser(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
+ if c.Session.IsOAuth && patch.Email != nil {
+ ouser, err := c.App.GetUser(c.Params.UserId)
+ if err != nil {
+ c.Err = err
+ return
+ }
+
+ if ouser.Email != *patch.Email {
+ c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
+ c.Err.DetailedError += ", attempted email update by oauth app"
+ return
+ }
+ }
+
if ruser, err := c.App.PatchUser(c.Params.UserId, patch, c.IsSystemAdmin()); err != nil {
c.Err = err
return
@@ -690,6 +718,12 @@ func updateUserMfa(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
+ if c.Session.IsOAuth {
+ c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
+ c.Err.DetailedError += ", attempted access by oauth app"
+ return
+ }
+
if !app.SessionHasPermissionToUser(c.Session, c.Params.UserId) {
c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
return
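Review bot: The same `if c.Session.IsOAuth` rejection block appears here, in generateMfaSecret's hunk and in createUserAccessToken's hunk, differing only in the permission constant handed to SetPermissionError; a helper that takes that same permission argument, sets the error, appends the `, attempted access by oauth app` detail and returns true when the handler should stop would reduce each site to `if rejectOAuthSession(c, model.PERMISSION_EDIT_OTHER_USERS) { return }` and keeps the detail string identical across endpoints. Because the guard sits before SessionHasPermissionToUser, an OAuth session is refused even when it would otherwise be permitted to act on its own user, which looks intentional; a one-line comment, `// MFA changes are never allowed through an OAuth app session, regardless of user permissions.`, would stop a later edit from reordering the checks. Guarding handler by handler means any future endpoint that must exclude OAuth sessions needs the same block, so if a central session/permission check exists, enforcing the OAuth restriction there would be harder to miss, though whether such a point exists is not visible here. updateUserMfa's body starts before this hunk and continues after it.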
@@ -729,6 +763,12 @@ func generateMfaSecret(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
+ if c.Session.IsOAuth {
+ c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
+ c.Err.DetailedError += ", attempted access by oauth app"
+ return
+ }
+
if !app.SessionHasPermissionToUser(c.Session, c.Params.UserId) {
c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
return
@@ -1102,6 +1142,12 @@ func createUserAccessToken(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
+ if c.Session.IsOAuth {
+ c.SetPermissionError(model.PERMISSION_CREATE_USER_ACCESS_TOKEN)
+ c.Err.DetailedError += ", attempted access by oauth app"
+ return
+ }
+
accessToken := model.UserAccessTokenFromJson(r.Body)
if accessToken == nil {
c.SetInvalidParam("user_access_token")