diff options
| author | Christopher Speller <crspeller@gmail.com> | 2016-11-01 16:16:16 -0400 |
|---|---|---|
| committer | Corey Hulen <corey@hulen.com> | 2016-11-01 13:16:16 -0700 |
| commit | 420bc367fa10047dc40c7e5165f6e8f05438957c (patch) | |
| tree | f9be4d10eb7dfd92d045f681370d01ea9417b782 /api | |
| parent | b0f38f8a84ae0b7cba43c7d12a19f8f3cb79e9b0 (diff) | |
| download | chat-420bc367fa10047dc40c7e5165f6e8f05438957c.tar.gz chat-420bc367fa10047dc40c7e5165f6e8f05438957c.tar.bz2 chat-420bc367fa10047dc40c7e5165f6e8f05438957c.zip | |
Fixing permissions issue when deleting slash commands (#4414)
Diffstat (limited to 'api')
| -rw-r--r-- | api/command.go | 2 | ||||
| -rw-r--r-- | api/command_test.go | 21 |
2 files changed, 20 insertions, 3 deletions
diff --git a/api/command.go b/api/command.go index 5cf9d730b..e71661a67 100644 --- a/api/command.go +++ b/api/command.go @@ -415,7 +415,7 @@ func deleteCommand(c *Context, w http.ResponseWriter, r *http.Request) { c.Err = result.Err return } else { - if c.TeamId != result.Data.(*model.Command).TeamId || (c.Session.UserId != result.Data.(*model.Command).CreatorId && HasPermissionToCurrentTeamContext(c, model.PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS)) { + if c.TeamId != result.Data.(*model.Command).TeamId || (c.Session.UserId != result.Data.(*model.Command).CreatorId && !HasPermissionToCurrentTeamContext(c, model.PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS)) { c.LogAudit("fail - inappropriate permissions") c.Err = model.NewLocAppError("deleteCommand", "api.command.delete.app_error", nil, "user_id="+c.Session.UserId) return diff --git a/api/command_test.go b/api/command_test.go index 9c0b34085..7a78d350d 100644 --- a/api/command_test.go +++ b/api/command_test.go @@ -146,14 +146,17 @@ func TestRegenToken(t *testing.T) { } func TestDeleteCommand(t *testing.T) { - th := Setup().InitSystemAdmin() + th := Setup().InitBasic().InitSystemAdmin() Client := th.SystemAdminClient enableCommands := *utils.Cfg.ServiceSettings.EnableCommands + onlyAdminIntegration := *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations defer func() { - utils.Cfg.ServiceSettings.EnableCommands = &enableCommands + *utils.Cfg.ServiceSettings.EnableCommands = enableCommands + *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = onlyAdminIntegration }() *utils.Cfg.ServiceSettings.EnableCommands = true + *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = false cmd := &model.Command{URL: "http://nowhere.com", Method: model.COMMAND_METHOD_POST, Trigger: "trigger"} cmd = Client.Must(Client.CreateCommand(cmd)).Data.(*model.Command) @@ -169,6 +172,20 @@ func TestDeleteCommand(t *testing.T) { if len(cmds) != 0 { t.Fatal("delete didn't work properly") } + + cmd2 := &model.Command{URL: "http://nowhere.com", Method: model.COMMAND_METHOD_POST, Trigger: "trigger2"} + cmd2 = Client.Must(Client.CreateCommand(cmd2)).Data.(*model.Command) + + data2 := make(map[string]string) + data2["id"] = cmd2.Id + if _, err := th.BasicClient.DeleteCommand(data2); err == nil { + t.Fatal("Should have errored. Your not allowed to delete other's commands") + } + + cmds2 := Client.Must(Client.ListTeamCommands()).Data.([]*model.Command) + if len(cmds2) != 1 { + t.Fatal("Client was able to delete command without permission.") + } } func TestTestCommand(t *testing.T) { |