diff options
| author | Saturnino Abril <saturnino.abril@gmail.com> | 2018-08-21 20:53:32 +0800 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2018-08-21 20:53:32 +0800 |
| commit | f16687f83cea20f1ed3682226b60011097c85648 (patch) | |
| tree | 2f0e331da8931c8f97dcdd93ff7c1634397311b3 /api4 | |
| parent | cea1796f0698956e4fab57a0015b292854bbbcf3 (diff) | |
| download | chat-f16687f83cea20f1ed3682226b60011097c85648.tar.gz chat-f16687f83cea20f1ed3682226b60011097c85648.tar.bz2 chat-f16687f83cea20f1ed3682226b60011097c85648.zip | |
[MM-11593] Prevent user to remove from a direct channel (#9251)
* prevent user to remove from a direct channel
* only allow removing of a member in private or public channel
Diffstat (limited to 'api4')
| -rw-r--r-- | api4/channel.go | 5 | ||||
| -rw-r--r-- | api4/channel_test.go | 24 |
2 files changed, 29 insertions, 0 deletions
diff --git a/api4/channel.go b/api4/channel.go index f21b45d56..1599b6e70 100644 --- a/api4/channel.go +++ b/api4/channel.go @@ -1069,6 +1069,11 @@ func removeChannelMember(c *Context, w http.ResponseWriter, r *http.Request) { return } + if !(channel.Type == model.CHANNEL_OPEN || channel.Type == model.CHANNEL_PRIVATE) { + c.Err = model.NewAppError("removeChannelMember", "api.channel.remove_channel_member.type.app_error", nil, "", http.StatusBadRequest) + return + } + if c.Params.UserId != c.Session.UserId { if channel.Type == model.CHANNEL_OPEN && !c.App.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS) { c.SetPermissionError(model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS) diff --git a/api4/channel_test.go b/api4/channel_test.go index 5ca4dee6e..8593ea831 100644 --- a/api4/channel_test.go +++ b/api4/channel_test.go @@ -2038,6 +2038,30 @@ func TestRemoveChannelMember(t *testing.T) { _, resp = Client.RemoveUserFromChannel(privateChannel.Id, user2.Id) CheckNoError(t, resp) + + // Test on preventing removal of user from a direct channel + directChannel, resp := Client.CreateDirectChannel(user1.Id, user2.Id) + CheckNoError(t, resp) + + _, resp = Client.RemoveUserFromChannel(directChannel.Id, user1.Id) + CheckBadRequestStatus(t, resp) + + _, resp = Client.RemoveUserFromChannel(directChannel.Id, user2.Id) + CheckBadRequestStatus(t, resp) + + _, resp = th.SystemAdminClient.RemoveUserFromChannel(directChannel.Id, user1.Id) + CheckBadRequestStatus(t, resp) + + // Test on preventing removal of user from a group channel + user3 := th.CreateUser() + groupChannel, resp := Client.CreateGroupChannel([]string{user1.Id, user2.Id, user3.Id}) + CheckNoError(t, resp) + + _, resp = Client.RemoveUserFromChannel(groupChannel.Id, user1.Id) + CheckBadRequestStatus(t, resp) + + _, resp = th.SystemAdminClient.RemoveUserFromChannel(groupChannel.Id, user1.Id) + CheckBadRequestStatus(t, resp) } func TestAutocompleteChannels(t *testing.T) { |