author | Jesse Hallam <jesse.hallam@gmail.com> | 2018-09-28 10:06:40 -0400 |
---|---|---|
committer | Harrison Healey <harrisonmhealey@gmail.com> | 2018-09-28 10:06:40 -0400 |
commit | ee672a72e4c534f2d5f36cc563084279ba31ba87 (patch) | |
tree | 4e95a9ef0d67f7c552ffeeae392064ef9429e143 /api4 | |
parent | de5c8622f8b1c22af389e1bea974cf3ba1a01670 (diff) | |
MM-12192: autocompleteUsers: if a teamId is provided, require it to match the channel's team id (#9481)
* MM-12192: unit test
* MM-1292: autocompleteUsers: if a teamId is provided, require it to match the channel's team id
Diffstat (limited to 'api4')
-rw-r--r-- | api4/user.go | 14 | ||||
-rw-r--r-- | api4/user_test.go | 5 |
2 files changed, 19 insertions, 0 deletions
diff --git a/api4/user.go b/api4/user.go
index 3d203fbec..2570a6f25 100644
--- a/api4/user.go
+++ b/api4/user.go
@@ -533,6 +533,20 @@ func autocompleteUsers(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
+ // If a teamId is provided, require it to match the channel's team id.
+ if teamId != "" {
+ channel, err := c.App.GetChannel(channelId)
+ if err != nil {
+ c.Err = err
+ return
+ }
+
+ if channel.TeamId != teamId {
+ c.Err = model.NewAppError("autocompleteUsers", "api.user.autocomplete_users.invalid_team_id", nil, "", http.StatusUnauthorized)
+ return
+ }
+ }
+
 result, err := c.App.AutocompleteUsersInChannel(teamId, channelId, name, searchOptions, c.IsSystemAdmin())
 if err != nil {
 c.Err = err
diff --git a/api4/user_test.go b/api4/user_test.go
index 010f49e73..a9aa967be 100644
--- a/api4/user_test.go
+++ b/api4/user_test.go
@@ -872,6 +872,11 @@ func TestAutocompleteUsers(t *testing.T) {
 if rusers.Users[0].FirstName != "" || rusers.Users[0].LastName != "" {
 t.Fatal("should not show first/last name")
 }
+
+ t.Run("team id, if provided, must match channel's team id", func(t *testing.T) {
+ rusers, resp = Client.AutocompleteUsersInChannel("otherTeamId", channelId, username, "")
+ CheckErrorMessage(t, resp, "api.user.autocomplete_users.invalid_team_id")
+ })
 }
 func TestGetProfileImage(t *testing.T) { |
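Review bot: The mismatch branch answers with `http.StatusUnauthorized`, which signals a missing or invalid session, although the caller here is logged in and only supplied a team id that does not belong to the channel. A client that reacts to 401 by dropping the session would misbehave, and logs would mix this cross-team request with real authentication failures; `http.StatusForbidden` (or `http.StatusBadRequest`) fits better: `c.Err = model.NewAppError("autocompleteUsers", "api.user.autocomplete_users.invalid_team_id", nil, "", http.StatusForbidden)`. The guard is also skipped when `teamId` is empty, so it is worth confirming that `AutocompleteUsersInChannel` cannot return users from outside the channel's team in that case. That function and the rest of autocompleteUsers are outside this hunk.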
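Review bot: The new subtest checks only the error id, so it would still pass if the handler returned that error with the wrong status or alongside user data; `rusers` is assigned but never inspected. `"otherTeamId"` also does not look like an existing team, so the case the fix targets (a real team the caller cannot access, combined with a channel the caller can read) is not exercised. Consider creating a second team for the negative case, and asserting the status code on `resp` and that no users come back. TestAutocompleteUsers starts above this hunk.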