authorChristopher Speller <crspeller@gmail.com>2017-09-06 20:43:18 -0700
committerChristopher Speller <crspeller@gmail.com>2017-09-06 20:43:18 -0700
commit77709ccdda86408d5135b8bc71462e2111992358 (patch)
tree5efc1631eb6cb31f8768fafeb58612557d98cb59 /api4
parentfd86a2490ea81eba8e12dcce76455710f182f81c (diff)
parente589accdaf38bb82cb5d3b5dd84eadf9bfb58b5c (diff)
Merge release-4.2
Diffstat (limited to 'api4')
-rw-r--r--api4/oauth.go9
-rw-r--r--api4/oauth_test.go12
-rw-r--r--api4/status.go6
-rw-r--r--api4/status_test.go14
4 files changed, 36 insertions, 5 deletions
diff --git a/api4/oauth.go b/api4/oauth.go
index 0cd0f5ab9..7cb741cdb 100644
--- a/api4/oauth.go
+++ b/api4/oauth.go
@@ -57,6 +57,10 @@ func createOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
+ if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+ oauthApp.IsTrusted = false
+ }
+
oauthApp.CreatorId = c.Session.UserId
rapp, err := c.App.CreateOAuthApp(oauthApp)
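Review bot: The downgrade at `oauthApp.IsTrusted = false` is silent, so a caller without PERMISSION_MANAGE_SYSTEM who sends IsTrusted: true gets a successful response carrying a different value than requested, and nothing in the code records that this is intended; a one-line comment would make it explicit, e.g. `// Only PERMISSION_MANAGE_SYSTEM may create a trusted app; anyone else gets IsTrusted forced to false rather than an error.` The same field can presumably also be set through the update path for OAuth apps, which is not part of this diff, so it is worth confirming that path applies the same permission gate, since the new assertions in oauth_test.go only exercise create. createOAuthApp starts and ends outside the hunk.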
@@ -298,6 +302,11 @@ func authorizeOAuthPage(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
+ if !oauthApp.IsValidRedirectURL(authRequest.RedirectUri) {
+ utils.RenderWebError(model.NewAppError("authorizeOAuthPage", "api.oauth.allow_oauth.redirect_callback.app_error", nil, "", http.StatusBadRequest), w, r)
+ return
+ }
+
isAuthorized := false
if _, err := c.App.GetPreferenceByCategoryAndNameForUser(c.Session.UserId, model.PREFERENCE_CATEGORY_AUTHORIZED_OAUTH_APP, authRequest.ClientId); err == nil {
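Review bot: The new `oauthApp.IsValidRedirectURL(authRequest.RedirectUri)` check renders the error in place via RenderWebError instead of sending the user on to the supplied URI, which is what keeps an unvalidated redirect_uri from becoming an open redirect; a comment stating that invariant would protect it from a later refactor, e.g. `// Validate redirect_uri before it is used anywhere and never redirect to it on failure; a rejected URI must not be the target of any response.` Whether the token-exchange path validates the redirect URI against the same app is not visible here and is worth confirming separately. authorizeOAuthPage starts and ends outside the hunk.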
diff --git a/api4/oauth_test.go b/api4/oauth_test.go
index 963cd43c3..ceb44a44e 100644
--- a/api4/oauth_test.go
+++ b/api4/oauth_test.go
@@ -28,7 +28,7 @@ func TestCreateOAuthApp(t *testing.T) {
utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = true
utils.SetDefaultRolesBasedOnConfig()
- oapp := &model.OAuthApp{Name: GenerateTestAppName(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}}
+ oapp := &model.OAuthApp{Name: GenerateTestAppName(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}, IsTrusted: true}
rapp, resp := AdminClient.CreateOAuthApp(oapp)
CheckNoError(t, resp)
@@ -38,6 +38,10 @@ func TestCreateOAuthApp(t *testing.T) {
t.Fatal("names did not match")
}
+ if rapp.IsTrusted != oapp.IsTrusted {
+ t.Fatal("trusted did no match")
+ }
+
*utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = true
utils.SetDefaultRolesBasedOnConfig()
_, resp = Client.CreateOAuthApp(oapp)
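Review bot: The failure message at `t.Fatal("trusted did no match")` has a typo; change it to `t.Fatal("trusted did not match")` so the test output reads correctly. TestCreateOAuthApp starts and ends outside the hunk.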
@@ -45,10 +49,14 @@ func TestCreateOAuthApp(t *testing.T) {
*utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = false
utils.SetDefaultRolesBasedOnConfig()
- _, resp = Client.CreateOAuthApp(oapp)
+ rapp, resp = Client.CreateOAuthApp(oapp)
CheckNoError(t, resp)
CheckCreatedStatus(t, resp)
+ if rapp.IsTrusted {
+ t.Fatal("trusted should be false - created by non admin")
+ }
+
oapp.Name = ""
_, resp = AdminClient.CreateOAuthApp(oapp)
CheckBadRequestStatus(t, resp)
diff --git a/api4/status.go b/api4/status.go
index 4e8b1852e..a62aa6654 100644
--- a/api4/status.go
+++ b/api4/status.go
@@ -16,9 +16,9 @@ import (
func InitStatus() {
l4g.Debug(utils.T("api.status.init.debug"))
- BaseRoutes.User.Handle("/status", ApiHandler(getUserStatus)).Methods("GET")
- BaseRoutes.Users.Handle("/status/ids", ApiHandler(getUserStatusesByIds)).Methods("POST")
- BaseRoutes.User.Handle("/status", ApiHandler(updateUserStatus)).Methods("PUT")
+ BaseRoutes.User.Handle("/status", ApiSessionRequired(getUserStatus)).Methods("GET")
+ BaseRoutes.Users.Handle("/status/ids", ApiSessionRequired(getUserStatusesByIds)).Methods("POST")
+ BaseRoutes.User.Handle("/status", ApiSessionRequired(updateUserStatus)).Methods("PUT")
}
func getUserStatus(c *Context, w http.ResponseWriter, r *http.Request) {
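Review bot: The three routes in InitStatus now rely on the wrapper choice alone for authentication, and neither the registration block nor the handlers say so, so a route later added or re-registered with ApiHandler would silently reopen the endpoints; a comment on the block would pin the requirement, e.g. `// All status routes require an authenticated session (ApiSessionRequired); do not register them with ApiHandler.` Whether ApiSessionRequired also checks that the session user may read or update the specific user id in the path is not visible in this hunk and is worth confirming in the handlers. getUserStatus starts on the last line of the hunk and continues outside it.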
diff --git a/api4/status_test.go b/api4/status_test.go
index 6d9b6c98e..cfc9a0786 100644
--- a/api4/status_test.go
+++ b/api4/status_test.go
@@ -46,6 +46,10 @@ func TestGetUserStatus(t *testing.T) {
}
Client.Logout()
+
+ _, resp = Client.GetUserStatus(th.BasicUser2.Id, "")
+ CheckUnauthorizedStatus(t, resp)
+
th.LoginBasic2()
userStatus, resp = Client.GetUserStatus(th.BasicUser2.Id, "")
CheckNoError(t, resp)
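Review bot: The added assertions cover only the unauthenticated case: after `Client.Logout()` the request must return 401, but no case asserts what an authenticated user gets when reading or updating a different user's status, so the tests pass whether or not per-user authorization exists. The same applies to the hunks in TestGetUsersStatusesByIds and TestUpdateUserStatus below, where the logged-out checks are appended at the end of each test. If the handlers are meant to restrict cross-user access, a logged-in request with another user's id and a matching status assertion would pin that. TestGetUserStatus starts outside the hunk and continues past it.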
@@ -88,6 +92,11 @@ func TestGetUsersStatusesByIds(t *testing.T) {
t.Fatal("Status should be offline")
}
}
+
+ Client.Logout()
+
+ _, resp = Client.GetUsersStatusesByIds(usersIds)
+ CheckUnauthorizedStatus(t, resp)
}
func TestUpdateUserStatus(t *testing.T) {
@@ -125,4 +134,9 @@ func TestUpdateUserStatus(t *testing.T) {
if updateUserStatus.Status != "online" {
t.Fatal("Should return online status")
}
+
+ Client.Logout()
+
+ _, resp = Client.UpdateUserStatus(th.BasicUser2.Id, toUpdateUserStatus)
+ CheckUnauthorizedStatus(t, resp)
}