author | Christopher Speller <crspeller@gmail.com> | 2017-09-06 20:43:18 -0700 |
committer | Christopher Speller <crspeller@gmail.com> | 2017-09-06 20:43:18 -0700 |
commit | 77709ccdda86408d5135b8bc71462e2111992358 (patch) | |
tree | 5efc1631eb6cb31f8768fafeb58612557d98cb59 /api | |
parent | fd86a2490ea81eba8e12dcce76455710f182f81c (diff) | |
parent | e589accdaf38bb82cb5d3b5dd84eadf9bfb58b5c (diff) | |
Merge release-4.2
Diffstat (limited to 'api')
-rw-r--r-- | api/general.go | 10 | ||||
-rw-r--r-- | api/general_test.go | 20 | ||||
-rw-r--r-- | api/oauth.go | 4 | ||||
-rw-r--r-- | api/oauth_test.go | 42 |
4 files changed, 70 insertions, 6 deletions
diff --git a/api/general.go b/api/general.go
index 16a739704..ceb0b209f 100644
--- a/api/general.go
+++ b/api/general.go
@@ -10,6 +10,7 @@ import (
 	l4g "github.com/alecthomas/log4go"
+	"github.com/mattermost/platform/app"
 	"github.com/mattermost/platform/model"
 	"github.com/mattermost/platform/utils"
 )
@@ -30,7 +31,14 @@ func logClient(c *Context, w http.ResponseWriter, r *http.Request) {
 	forceToDebug := false
 	if !*utils.Cfg.ServiceSettings.EnableDeveloper {
-		forceToDebug = true
+		if c.Session.UserId == "" {
+			c.Err = model.NewAppError("Permissions", "api.context.permissions.app_error", nil, "", http.StatusForbidden)
+			return
+		}
+
+		if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+			forceToDebug = true
+		}
 	}
 	m := model.MapFromJson(r.Body)
diff --git a/api/general_test.go b/api/general_test.go
index 51593ab9e..1fb041ae6 100644
--- a/api/general_test.go
+++ b/api/general_test.go
@@ -5,6 +5,8 @@ package api
 import (
 	"testing"
+
+	"github.com/mattermost/platform/utils"
 )
 func TestGetClientProperties(t *testing.T) {
@@ -25,6 +27,24 @@ func TestLogClient(t *testing.T) {
 	if ret, _ := th.BasicClient.LogClient("this is a test"); !ret {
 		t.Fatal("failed to log")
 	}
+
+	enableDeveloper := *utils.Cfg.ServiceSettings.EnableDeveloper
+	defer func() {
+		*utils.Cfg.ServiceSettings.EnableDeveloper = enableDeveloper
+	}()
+	*utils.Cfg.ServiceSettings.EnableDeveloper = false
+
+	th.BasicClient.Logout()
+
+	if _, err := th.BasicClient.LogClient("this is a test"); err == nil {
+		t.Fatal("should have failed")
+	}
+
+	*utils.Cfg.ServiceSettings.EnableDeveloper = true
+
+	if ret, _ := th.BasicClient.LogClient("this is a test"); !ret {
+		t.Fatal("failed to log")
+	}
 }
 func TestGetPing(t *testing.T) {
diff --git a/api/oauth.go b/api/oauth.go
index 9d6c9bf52..007ec09d9 100644
--- a/api/oauth.go
+++ b/api/oauth.go
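Review bot: The new session check in logClient runs only when EnableDeveloper is false, so with developer mode on an unauthenticated caller can still write entries into the server log at whatever level it requests; if that is the intended trade-off for development builds it deserves a comment above the `if !*utils.Cfg.ServiceSettings.EnableDeveloper {` line, e.g. `// Developer mode deliberately accepts unauthenticated log requests at any level; outside it, anonymous callers are rejected and non-admins are clamped to debug.` A missing session is reported as a "Permissions" error with http.StatusForbidden; `http.StatusUnauthorized` would tell the client to authenticate rather than that it lacks rights, unless the project convention for anonymous callers dictates 403 here. logClient continues outside the hunk, so where forceToDebug is applied to the client-supplied level is not visible in this diff.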
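Review bot: TestLogClient now exercises the anonymous 403 with developer mode off and the anonymous success with it on, but not the logged-in non-admin path that sets forceToDebug, nor the admin path that leaves the requested level untouched. After `th.BasicClient.Logout()` the client stays logged out for the rest of the test, so the final LogClient call passes only because developer mode is back on. A `th.LoginBasic()` followed by a LogClient call with EnableDeveloper still false would at least cover the non-admin branch; whether the clamped level is observable depends on what LogClient returns, which is not visible here. TestLogClient begins outside the hunk.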
@@ -41,6 +41,10 @@ func registerOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
+	if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+		oauthApp.IsTrusted = false
+	}
+
 	oauthApp.CreatorId = c.Session.UserId
 	rapp, err := c.App.CreateOAuthApp(oauthApp)
diff --git a/api/oauth_test.go b/api/oauth_test.go
index 4ff6c70bd..ffabf9414 100644
--- a/api/oauth_test.go
+++ b/api/oauth_test.go
@@ -21,7 +21,7 @@ func TestOAuthRegisterApp(t *testing.T) {
 	th := Setup().InitBasic().InitSystemAdmin()
 	Client := th.BasicClient
-	oauthApp := &model.OAuthApp{Name: "TestApp" + model.NewId(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}}
+	oauthApp := &model.OAuthApp{Name: "TestApp" + model.NewId(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}, IsTrusted: true}
 	utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = false
 	if !utils.Cfg.ServiceSettings.EnableOAuthServiceProvider {
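Review bot: The downgrade of oauthApp.IsTrusted for callers without PERMISSION_MANAGE_SYSTEM is silent — a non-admin who submits IsTrusted: true gets a created app back with the flag cleared and no error — and the intent should be stated next to the check, e.g. `// Only system admins may register a trusted app; clear the flag for everyone else rather than rejecting the request.` Because the rule lives in this handler rather than beside c.App.CreateOAuthApp in the app layer, any other path that creates or updates an OAuth app (an update handler, another API version) needs the same guard, and this diff does not show whether those paths exist or are covered. registerOAuthApp begins and continues outside the hunk.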
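Review bot: The app literal in this hunk now requests IsTrusted: true, but nothing in the diff asserts that a system admin's registration keeps the flag; the later hunk in TestOAuthRegisterApp only checks that a non-admin's flag is cleared, so the positive half of the new rule is untested. Wherever the successful admin registration happens outside the hunk, a check such as `if !rapp.IsTrusted { t.Fatal("trusted should be preserved for system admin") }` on the returned app would close the gap. TestOAuthRegisterApp continues outside the hunk.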
@@ -81,10 +81,29 @@ func TestOAuthRegisterApp(t *testing.T) {
 	Client.Logout()
 	Client.Login(user.Email, user.Password)
-	oauthApp = &model.OAuthApp{Name: "TestApp" + model.NewId(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}}
+	oauthApp = &model.OAuthApp{Name: "TestApp" + model.NewId(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}, IsTrusted: true}
 	if _, err := Client.RegisterApp(oauthApp); err == nil {
 		t.Fatal("should have failed. not enough permissions")
 	}
+
+	adminOnly := *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations
+	defer func() {
+		*utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = adminOnly
+		utils.SetDefaultRolesBasedOnConfig()
+	}()
+	*utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = false
+	utils.SetDefaultRolesBasedOnConfig()
+
+	th.LoginBasic()
+
+	if result, err := th.BasicClient.RegisterApp(oauthApp); err != nil {
+		t.Fatal(err)
+	} else {
+		rapp := result.Data.(*model.OAuthApp)
+		if rapp.IsTrusted {
+			t.Fatal("trusted should be false - created by non admin")
+		}
+	}
 }
 func TestOAuthAllow(t *testing.T) {
@@ -462,7 +481,17 @@ func TestOAuthAuthorize(t *testing.T) {
 	th := Setup().InitBasic()
 	Client := th.BasicClient
+	enableOAuth := utils.Cfg.ServiceSettings.EnableOAuthServiceProvider
+	adminOnly := *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations
+	defer func() {
+		utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = enableOAuth
+		*utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = adminOnly
+		utils.SetDefaultRolesBasedOnConfig()
+	}()
 	utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = false
+	*utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = false
+	utils.SetDefaultRolesBasedOnConfig()
+
 	if !utils.Cfg.ServiceSettings.EnableOAuthServiceProvider {
 		if r, err := HttpGet(Client.Url+"/oauth/authorize", Client.HttpClient, "", true); err == nil {
 			t.Fatal("should have failed - oauth providing turned off")
@@ -482,7 +511,7 @@ func TestOAuthAuthorize(t *testing.T) {
 	}
 	// register an app to authorize it
-	oauthApp := &model.OAuthApp{Name: "TestApp" + model.NewId(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}}
+	oauthApp := &model.OAuthApp{Name: "TestApp" + model.NewId(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://example.com"}}
 	oauthApp = Client.Must(Client.RegisterApp(oauthApp)).Data.(*model.OAuthApp)
 	if r, err := HttpGet(Client.Url+"/oauth/authorize?client_id="+oauthApp.Id+"&&redirect_uri=http://example.com&response_type="+model.AUTHCODE_RESPONSE_TYPE, Client.HttpClient, "", true); err == nil {
 		t.Fatal("should have failed - user not logged")
@@ -490,9 +519,12 @@ func TestOAuthAuthorize(t *testing.T) {
 	}
 	authToken := Client.AuthType + " " + Client.AuthToken
-	if r, err := HttpGet(Client.Url+"/oauth/authorize?client_id="+oauthApp.Id+"&redirect_uri=http://example.com&response_type="+model.AUTHCODE_RESPONSE_TYPE, Client.HttpClient, authToken, true); err != nil {
+	if _, err := HttpGet(Client.Url+"/oauth/authorize?client_id="+oauthApp.Id+"&redirect_uri=http://bad-redirect.com&response_type="+model.AUTHCODE_RESPONSE_TYPE, Client.HttpClient, authToken, true); err == nil {
+		t.Fatal("should have failed - bad redirect uri")
+	}
+
+	if _, err := HttpGet(Client.Url+"/oauth/authorize?client_id="+oauthApp.Id+"&redirect_uri=https://example.com&response_type="+model.AUTHCODE_RESPONSE_TYPE, Client.HttpClient, authToken, true); err != nil {
 		t.Fatal(err)
-		closeBody(r)
 	}
 	// lets authorize the app
|