MM-12192: autocompleteUsers: if a teamId is provided, require it to match the channel's team id (#9481)

* MM-12192: unit test

* MM-1292: autocompleteUsers: if a teamId is provided, require it to match the channel's team id

2 files changed, 19 insertions, 0 deletions

diff --git a/api4/user.go b/api4/user.go
index 3d203fbec..2570a6f25 100644
--- a/api4/user.go
+++ b/api4/user.go
@@ -533,6 +533,20 @@ func autocompleteUsers(c *Context, w http.ResponseWriter, r *http.Request) {
 			return
 		}
 
+		// If a teamId is provided, require it to match the channel's team id.
+		if teamId != "" {
+			channel, err := c.App.GetChannel(channelId)
+			if err != nil {
+				c.Err = err
+				return
+			}
+
+			if channel.TeamId != teamId {
+				c.Err = model.NewAppError("autocompleteUsers", "api.user.autocomplete_users.invalid_team_id", nil, "", http.StatusUnauthorized)
+				return
+			}
+		}
+
 		result, err := c.App.AutocompleteUsersInChannel(teamId, channelId, name, searchOptions, c.IsSystemAdmin())
 		if err != nil {
 			c.Err = err
diff --git a/api4/user_test.go b/api4/user_test.go
index 010f49e73..a9aa967be 100644
--- a/api4/user_test.go
+++ b/api4/user_test.go
@@ -872,6 +872,11 @@ func TestAutocompleteUsers(t *testing.T) {
 	if rusers.Users[0].FirstName != "" || rusers.Users[0].LastName != "" {
 		t.Fatal("should not show first/last name")
 	}
+
+	t.Run("team id, if provided, must match channel's team id", func(t *testing.T) {
+		rusers, resp = Client.AutocompleteUsersInChannel("otherTeamId", channelId, username, "")
+		CheckErrorMessage(t, resp, "api.user.autocomplete_users.invalid_team_id")
+	})
 }
 
 func TestGetProfileImage(t *testing.T) {