diff options
| author | George Goldberg <george@gberg.me> | 2018-09-27 20:15:47 +0100 |
|---|---|---|
| committer | Christopher Speller <crspeller@gmail.com> | 2018-09-27 12:15:47 -0700 |
| commit | cad806703d06d8996a98b19bec353bce255ae6a1 (patch) | |
| tree | 0ba7f4ff652eb12cd6054dda173f5598dee2cdce /api4 | |
| parent | 45464234277394c9debd272749552ed4c312c908 (diff) | |
| download | chat-cad806703d06d8996a98b19bec353bce255ae6a1.tar.gz chat-cad806703d06d8996a98b19bec353bce255ae6a1.tar.bz2 chat-cad806703d06d8996a98b19bec353bce255ae6a1.zip | |
MM-12013: Fix post-permission checks to cascade for DM/GM channels. (#9476)
Diffstat (limited to 'api4')
| -rw-r--r-- | api4/apitestlib.go | 14 | ||||
| -rw-r--r-- | api4/post_test.go | 25 |
2 files changed, 39 insertions, 0 deletions
diff --git a/api4/apitestlib.go b/api4/apitestlib.go index 6a717faf1..37dbcad25 100644 --- a/api4/apitestlib.go +++ b/api4/apitestlib.go @@ -455,6 +455,20 @@ func (me *TestHelper) CreateMessagePostNoClient(channel *model.Channel, message return post } +func (me *TestHelper) CreateDmChannel(user *model.User) *model.Channel { + utils.DisableDebugLogForTest() + var err *model.AppError + var channel *model.Channel + if channel, err = me.App.CreateDirectChannel(me.BasicUser.Id, user.Id); err != nil { + mlog.Error(err.Error()) + + time.Sleep(time.Second) + panic(err) + } + utils.EnableDebugLogForTest() + return channel +} + func (me *TestHelper) LoginBasic() { me.LoginBasicWithClient(me.Client) } diff --git a/api4/post_test.go b/api4/post_test.go index 36693f72b..7cac2e18a 100644 --- a/api4/post_test.go +++ b/api4/post_test.go @@ -599,6 +599,31 @@ func TestUpdatePost(t *testing.T) { CheckNoError(t, resp) } +func TestUpdateOthersPostInDirectMessageChannel(t *testing.T) { + // This test checks that a sysadmin with the "EDIT_OTHERS_POSTS" permission can edit someone else's post in a + // channel without a team (DM/GM). This indirectly checks for the proper cascading all the way to system-wide roles + // on the user object of permissions based on a post in a channel with no team ID. + th := Setup().InitBasic().InitSystemAdmin() + defer th.TearDown() + + dmChannel := th.CreateDmChannel(th.SystemAdminUser) + + post := &model.Post{ + Message: "asd", + ChannelId: dmChannel.Id, + PendingPostId: model.NewId() + ":" + fmt.Sprint(model.GetMillis()), + UserId: th.BasicUser.Id, + CreateAt: 0, + } + + post, resp := th.Client.CreatePost(post) + CheckNoError(t, resp) + + post.Message = "changed" + post, resp = th.SystemAdminClient.UpdatePost(post.Id, post) + CheckNoError(t, resp) +} + func TestPatchPost(t *testing.T) { th := Setup().InitBasic().InitSystemAdmin() defer th.TearDown() |