authorJoram Wilander <jwawilander@gmail.com>2016-06-04 10:52:25 -0400
committerJoram Wilander <jwawilander@gmail.com>2016-06-04 10:52:25 -0400
commit971149d2b298b3408af7218c868ed0b3edd83c2e (patch)
tree86e082c9341ccd98bc6bf5894ce3ee7d14359550 /api
parent8d09c58b4dbfd9f9ad651e03263dc109d7680a47 (diff)
Don't allow users to be added to a channel they are not in the team of (#3246)
Diffstat (limited to 'api')
-rw-r--r--api/channel.go11
-rw-r--r--api/channel_test.go4
-rw-r--r--api/post.go5
3 files changed, 17 insertions, 3 deletions
diff --git a/api/channel.go b/api/channel.go
index ba6de1a48..6d1604900 100644
--- a/api/channel.go
+++ b/api/channel.go
@@ -512,8 +512,15 @@ func AddUserToChannel(user *model.User, channel *model.Channel) (*model.ChannelM
return nil, model.NewLocAppError("AddUserToChannel", "api.channel.add_user_to_channel.type.app_error", nil, "")
}
- if result := <-Srv.Store.Channel().GetMember(channel.Id, user.Id); result.Err != nil {
- if result.Err.Id != store.MISSING_MEMBER_ERROR {
+ tmchan := Srv.Store.Team().GetMember(channel.TeamId, user.Id)
+ cmchan := Srv.Store.Channel().GetMember(channel.Id, user.Id)
+
+ if result := <-tmchan; result.Err != nil {
+ return nil, result.Err
+ }
+
+ if result := <-cmchan; result.Err != nil {
+ if result.Err.Id != store.MISSING_CHANNEL_MEMBER_ERROR {
return nil, result.Err
}
} else {
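Review bot: Both store lookups are started before either result is read, so when the receive on `tmchan` returns an error the function exits without ever reading `cmchan`. If the store's result channels are unbuffered (not visible in this hunk), the goroutine behind the channel-member query would stay blocked on its send every time an add is rejected. The team check is the authorization gate, so start the second query only once it has passed: move `cmchan := Srv.Store.Channel().GetMember(channel.Id, user.Id)` below the `<-tmchan` block. The gate also depends on `Team().GetMember` returning an error, not an empty result, when no membership row exists; a comment such as `// GetMember must error when the user is not on the team; a nil-data success here would fail open` would record that assumption. AddUserToChannel starts and ends outside the hunk.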
diff --git a/api/channel_test.go b/api/channel_test.go
index b2bb56952..175b0a14a 100644
--- a/api/channel_test.go
+++ b/api/channel_test.go
@@ -749,6 +749,7 @@ func TestAddChannelMember(t *testing.T) {
Client := th.BasicClient
team := th.BasicTeam
user2 := th.BasicUser2
+ user3 := th.CreateUser(Client)
channel1 := &model.Channel{DisplayName: "A Test API Name", Name: "a" + model.NewId() + "a", Type: model.CHANNEL_OPEN, TeamId: team.Id}
channel1 = Client.Must(Client.CreateChannel(channel1)).Data.(*model.Channel)
@@ -790,6 +791,9 @@ func TestAddChannelMember(t *testing.T) {
t.Fatal("Should have errored, channel deleted")
}
+ if _, err := Client.AddChannelMember(channel1.Id, user3.Id); err == nil {
+ t.Fatal("Should have errored, user not on team")
+ }
}
func TestRemoveChannelMember(t *testing.T) {
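Review bot: The new assertion passes on any error, so it does not show that the request was refused because user3 is not on the team. The check just above it concerns a deleted channel, and state set up earlier in TestAddChannelMember (outside the hunk) could make this call fail for an unrelated reason, such as the current session or the channel's state. Pin the reason by also checking the returned error, for example `} else if err.Id != expectedTeamMemberErrID { t.Fatal("wrong error: " + err.Id) }`. Here `expectedTeamMemberErrID` is a placeholder for the id the team-membership lookup returns, and this assumes the client returns the same error type whose `Id` field is read in api/channel.go.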
diff --git a/api/post.go b/api/post.go
index 831591784..cf83c4d0d 100644
--- a/api/post.go
+++ b/api/post.go
@@ -603,7 +603,10 @@ func sendNotifications(c *Context, post *model.Post, team *model.Team, channel *
mentionedUsersList := make([]string, 0, len(mentionedUserIds))
- senderName := profileMap[post.UserId].Username
+ senderName := ""
+ if profile, ok := profileMap[post.UserId]; ok {
+ senderName = profile.Username
+ }
for id := range mentionedUserIds {
mentionedUsersList = append(mentionedUsersList, id)
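Review bot: When the poster's profile is missing, `senderName` silently becomes an empty string and the rest of sendNotifications (outside the hunk) carries on with it. Wherever it ends up in notification text, recipients would presumably see a message with no sender, and nothing records that the lookup failed. Add a comment saying when `post.UserId` can be absent from `profileMap`, for example `// poster may be missing from profileMap (e.g. no longer on the team); notifications go out with an empty sender name`, and consider logging the miss. If `profileMap` holds pointers, a key that is present with a nil value would still panic on `profile.Username`; `if profile, ok := profileMap[post.UserId]; ok && profile != nil {` covers that case.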