Merge release-4.2

author: Christopher Speller <crspeller@gmail.com> 2017-09-06 20:43:18 -0700
committer: Christopher Speller <crspeller@gmail.com> 2017-09-06 20:43:18 -0700
commit: 77709ccdda86408d5135b8bc71462e2111992358 (patch)
tree: 5efc1631eb6cb31f8768fafeb58612557d98cb59 /api
parent: fd86a2490ea81eba8e12dcce76455710f182f81c (diff)
parent: e589accdaf38bb82cb5d3b5dd84eadf9bfb58b5c (diff)
download: chat-77709ccdda86408d5135b8bc71462e2111992358.tar.gz
chat-77709ccdda86408d5135b8bc71462e2111992358.tar.bz2
chat-77709ccdda86408d5135b8bc71462e2111992358.zip
4 files changed, 70 insertions, 6 deletions
diff --git a/api/general.go b/api/general.go
index 16a739704..ceb0b209f 100644
--- a/api/general.go
+++ b/api/general.go
@@ -10,6 +10,7 @@ import (
 
 	l4g "github.com/alecthomas/log4go"
 
+	"github.com/mattermost/platform/app"
 	"github.com/mattermost/platform/model"
 	"github.com/mattermost/platform/utils"
 )
@@ -30,7 +31,14 @@ func logClient(c *Context, w http.ResponseWriter, r *http.Request) {
 	forceToDebug := false
 
 	if !*utils.Cfg.ServiceSettings.EnableDeveloper {
-		forceToDebug = true
+		if c.Session.UserId == "" {
+			c.Err = model.NewAppError("Permissions", "api.context.permissions.app_error", nil, "", http.StatusForbidden)
+			return
+		}
+
+		if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+			forceToDebug = true
+		}
 	}
 
 	m := model.MapFromJson(r.Body)
diff --git a/api/general_test.go b/api/general_test.go
index 51593ab9e..1fb041ae6 100644
--- a/api/general_test.go
+++ b/api/general_test.go
@@ -5,6 +5,8 @@ package api
 
 import (
 	"testing"
+
+	"github.com/mattermost/platform/utils"
 )
 
 func TestGetClientProperties(t *testing.T) {
@@ -25,6 +27,24 @@ func TestLogClient(t *testing.T) {
 	if ret, _ := th.BasicClient.LogClient("this is a test"); !ret {
 		t.Fatal("failed to log")
 	}
+
+	enableDeveloper := *utils.Cfg.ServiceSettings.EnableDeveloper
+	defer func() {
+		*utils.Cfg.ServiceSettings.EnableDeveloper = enableDeveloper
+	}()
+	*utils.Cfg.ServiceSettings.EnableDeveloper = false
+
+	th.BasicClient.Logout()
+
+	if _, err := th.BasicClient.LogClient("this is a test"); err == nil {
+		t.Fatal("should have failed")
+	}
+
+	*utils.Cfg.ServiceSettings.EnableDeveloper = true
+
+	if ret, _ := th.BasicClient.LogClient("this is a test"); !ret {
+		t.Fatal("failed to log")
+	}
 }
 
 func TestGetPing(t *testing.T) {
diff --git a/api/oauth.go b/api/oauth.go
index 9d6c9bf52..007ec09d9 100644
--- a/api/oauth.go
+++ b/api/oauth.go
@@ -41,6 +41,10 @@ func registerOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+		oauthApp.IsTrusted = false
+	}
+
 	oauthApp.CreatorId = c.Session.UserId
 
 	rapp, err := c.App.CreateOAuthApp(oauthApp)
diff --git a/api/oauth_test.go b/api/oauth_test.go
index 4ff6c70bd..ffabf9414 100644
--- a/api/oauth_test.go
+++ b/api/oauth_test.go
@@ -21,7 +21,7 @@ func TestOAuthRegisterApp(t *testing.T) {
 	th := Setup().InitBasic().InitSystemAdmin()
 	Client := th.BasicClient
 
-	oauthApp := &model.OAuthApp{Name: "TestApp" + model.NewId(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}}
+	oauthApp := &model.OAuthApp{Name: "TestApp" + model.NewId(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}, IsTrusted: true}
 
 	utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = false
 	if !utils.Cfg.ServiceSettings.EnableOAuthServiceProvider {
@@ -81,10 +81,29 @@ func TestOAuthRegisterApp(t *testing.T) {
 	Client.Logout()
 	Client.Login(user.Email, user.Password)
 
-	oauthApp = &model.OAuthApp{Name: "TestApp" + model.NewId(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}}
+	oauthApp = &model.OAuthApp{Name: "TestApp" + model.NewId(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}, IsTrusted: true}
 	if _, err := Client.RegisterApp(oauthApp); err == nil {
 		t.Fatal("should have failed. not enough permissions")
 	}
+
+	adminOnly := *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations
+	defer func() {
+		*utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = adminOnly
+		utils.SetDefaultRolesBasedOnConfig()
+	}()
+	*utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = false
+	utils.SetDefaultRolesBasedOnConfig()
+
+	th.LoginBasic()
+
+	if result, err := th.BasicClient.RegisterApp(oauthApp); err != nil {
+		t.Fatal(err)
+	} else {
+		rapp := result.Data.(*model.OAuthApp)
+		if rapp.IsTrusted {
+			t.Fatal("trusted should be false - created by non admin")
+		}
+	}
 }
 
 func TestOAuthAllow(t *testing.T) {
@@ -462,7 +481,17 @@ func TestOAuthAuthorize(t *testing.T) {
 	th := Setup().InitBasic()
 	Client := th.BasicClient
 
+	enableOAuth := utils.Cfg.ServiceSettings.EnableOAuthServiceProvider
+	adminOnly := *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations
+	defer func() {
+		utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = enableOAuth
+		*utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = adminOnly
+		utils.SetDefaultRolesBasedOnConfig()
+	}()
 	utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = false
+	*utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = false
+	utils.SetDefaultRolesBasedOnConfig()
+
 	if !utils.Cfg.ServiceSettings.EnableOAuthServiceProvider {
 		if r, err := HttpGet(Client.Url+"/oauth/authorize", Client.HttpClient, "", true); err == nil {
 			t.Fatal("should have failed - oauth providing turned off")
@@ -482,7 +511,7 @@ func TestOAuthAuthorize(t *testing.T) {
 	}
 
 	// register an app to authorize it
-	oauthApp := &model.OAuthApp{Name: "TestApp" + model.NewId(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}}
+	oauthApp := &model.OAuthApp{Name: "TestApp" + model.NewId(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://example.com"}}
 	oauthApp = Client.Must(Client.RegisterApp(oauthApp)).Data.(*model.OAuthApp)
 	if r, err := HttpGet(Client.Url+"/oauth/authorize?client_id="+oauthApp.Id+"&&redirect_uri=http://example.com&response_type="+model.AUTHCODE_RESPONSE_TYPE, Client.HttpClient, "", true); err == nil {
 		t.Fatal("should have failed - user not logged")
@@ -490,9 +519,12 @@ func TestOAuthAuthorize(t *testing.T) {
 	}
 
 	authToken := Client.AuthType + " " + Client.AuthToken
-	if r, err := HttpGet(Client.Url+"/oauth/authorize?client_id="+oauthApp.Id+"&redirect_uri=http://example.com&response_type="+model.AUTHCODE_RESPONSE_TYPE, Client.HttpClient, authToken, true); err != nil {
+	if _, err := HttpGet(Client.Url+"/oauth/authorize?client_id="+oauthApp.Id+"&redirect_uri=http://bad-redirect.com&response_type="+model.AUTHCODE_RESPONSE_TYPE, Client.HttpClient, authToken, true); err == nil {
+		t.Fatal("should have failed - bad redirect uri")
+	}
+
+	if _, err := HttpGet(Client.Url+"/oauth/authorize?client_id="+oauthApp.Id+"&redirect_uri=https://example.com&response_type="+model.AUTHCODE_RESPONSE_TYPE, Client.HttpClient, authToken, true); err != nil {
 		t.Fatal(err)
-		closeBody(r)
 	}
 
 	// lets authorize the app
author	Christopher Speller <crspeller@gmail.com>	2017-09-06 20:43:18 -0700
committer	Christopher Speller <crspeller@gmail.com>	2017-09-06 20:43:18 -0700
commit	77709ccdda86408d5135b8bc71462e2111992358 (patch)
tree	5efc1631eb6cb31f8768fafeb58612557d98cb59 /api
parent	fd86a2490ea81eba8e12dcce76455710f182f81c (diff)
parent	e589accdaf38bb82cb5d3b5dd84eadf9bfb58b5c (diff)
download	chat-77709ccdda86408d5135b8bc71462e2111992358.tar.gz chat-77709ccdda86408d5135b8bc71462e2111992358.tar.bz2 chat-77709ccdda86408d5135b8bc71462e2111992358.zip