diff options
author | Jesse Hallam <jesse.hallam@gmail.com> | 2018-10-09 15:25:57 -0400 |
---|---|---|
committer | Christopher Speller <crspeller@gmail.com> | 2018-10-09 12:25:57 -0700 |
commit | 59319b7915b8eb4c20a0d4878382cc0e41fc536d (patch) | |
tree | 604277129e22b19d3c91c9ae5ddf0023040d8b4f /api4 | |
parent | fe9a81208e4d8290df7b8d89bac2d880c045b84b (diff) | |
download | chat-59319b7915b8eb4c20a0d4878382cc0e41fc536d.tar.gz chat-59319b7915b8eb4c20a0d4878382cc0e41fc536d.tar.bz2 chat-59319b7915b8eb4c20a0d4878382cc0e41fc536d.zip |
MM-12519: simplify autocomplete team id checking (#9577)
This handles clients sending a team id in a direct message or group channel autocomplete, when it necessarily won't match. Just verify that the user has permission for the team in question, whenever it is provided.
Diffstat (limited to 'api4')
-rw-r--r-- | api4/user.go | 27 | ||||
-rw-r--r-- | api4/user_test.go | 4 |
2 files changed, 12 insertions, 19 deletions
diff --git a/api4/user.go b/api4/user.go index 5a8474b8d..404457285 100644 --- a/api4/user.go +++ b/api4/user.go @@ -594,21 +594,19 @@ func autocompleteUsers(c *Context, w http.ResponseWriter, r *http.Request) { c.SetPermissionError(model.PERMISSION_READ_CHANNEL) return } + } - // If a teamId is provided, require it to match the channel's team id. - if teamId != "" { - channel, err := c.App.GetChannel(channelId) - if err != nil { - c.Err = err - return - } - - if channel.TeamId != teamId { - c.Err = model.NewAppError("autocompleteUsers", "api.user.autocomplete_users.invalid_team_id", nil, "", http.StatusUnauthorized) - return - } + if len(teamId) > 0 { + if !c.App.SessionHasPermissionToTeam(c.Session, teamId, model.PERMISSION_VIEW_TEAM) { + c.SetPermissionError(model.PERMISSION_VIEW_TEAM) + return } + } + if len(channelId) > 0 { + // Applying the provided teamId here is useful for DMs and GMs which don't belong + // to a team. Applying it when the channel does belong to a team makes less sense, + //t but the permissions are checked above regardless. result, err := c.App.AutocompleteUsersInChannel(teamId, channelId, name, searchOptions, c.IsSystemAdmin()) if err != nil { c.Err = err @@ -618,11 +616,6 @@ func autocompleteUsers(c *Context, w http.ResponseWriter, r *http.Request) { autocomplete.Users = result.InChannel autocomplete.OutOfChannel = result.OutOfChannel } else if len(teamId) > 0 { - if !c.App.SessionHasPermissionToTeam(c.Session, teamId, model.PERMISSION_VIEW_TEAM) { - c.SetPermissionError(model.PERMISSION_VIEW_TEAM) - return - } - result, err := c.App.AutocompleteUsersInTeam(teamId, name, searchOptions, c.IsSystemAdmin()) if err != nil { c.Err = err diff --git a/api4/user_test.go b/api4/user_test.go index d50dfa3b6..405102373 100644 --- a/api4/user_test.go +++ b/api4/user_test.go @@ -873,9 +873,9 @@ func TestAutocompleteUsers(t *testing.T) { t.Fatal("should not show first/last name") } - t.Run("team id, if provided, must match channel's team id", func(t *testing.T) { + t.Run("user must have access to team id, especially when it does not match channel's team id", func(t *testing.T) { rusers, resp = Client.AutocompleteUsersInChannel("otherTeamId", channelId, username, "") - CheckErrorMessage(t, resp, "api.user.autocomplete_users.invalid_team_id") + CheckErrorMessage(t, resp, "api.context.permissions.app_error") }) } |