authorenahum <nahumhbl@gmail.com>2016-07-06 13:57:32 -0400
committerJoram Wilander <jwawilander@gmail.com>2016-07-06 13:57:32 -0400
commit9d0f9169df42f4652cde4dfacc6b502f44aa49b1 (patch)
tree3df77350ac405c7b77bd9b70cf9fe5eae340f59f /api
parent1a3f952c56ba080b5eb3913ba579680afb98089f (diff)
PLT-3502 Fix Team admins can't give "team admin" privilege to members (#3499)
Diffstat (limited to 'api')
-rw-r--r--api/user.go19
-rw-r--r--api/user_test.go4
2 files changed, 18 insertions, 5 deletions
diff --git a/api/user.go b/api/user.go
index 47f20f6bf..38ee05a22 100644
--- a/api/user.go
+++ b/api/user.go
@@ -1402,6 +1402,12 @@ func updateRoles(c *Context, w http.ResponseWriter, r *http.Request) {
}
team_id := props["team_id"]
+
+ // Set context TeamId as the team_id in the request cause at this point c.TeamId is empty
+ if len(c.TeamId) == 0 {
+ c.TeamId = team_id
+ }
+
if !(len(user_id) == 26 || len(user_id) == 0) {
c.SetInvalidParam("updateRoles", "team_id")
return
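Review bot: `c.TeamId = team_id` derives the authorization context for the rest of the handler from a caller-supplied request field, and it is assigned before team_id itself has been validated (the checks that follow in the next hunk). That is only sound if IsTeamAdmin() verifies the session's membership and role in that team rather than trusting c.TeamId on its own; the comment should state the assumption and fix "cause", e.g. `// c.TeamId is empty on this route; take it from the request so the team-admin check below is evaluated against the requested team (IsTeamAdmin verifies the caller's membership in it)`. Moving the assignment below the team_id validation would also keep a malformed value out of the context. Unrelated but visible in the context lines: the user_id length check right below reports `team_id` as the invalid parameter. updateRoles starts before this hunk.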
@@ -1413,9 +1419,9 @@ func updateRoles(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- // If you are not the system admin then you can only demote yourself
- if !c.IsSystemAdmin() && user_id != c.Session.UserId {
- c.Err = model.NewLocAppError("updateRoles", "api.user.update_roles.system_admin_needed.app_error", nil, "")
+ // If you are not the team admin then you can only demote yourself
+ if !c.IsTeamAdmin() && user_id != c.Session.UserId {
+ c.Err = model.NewLocAppError("updateRoles", "api.user.update_roles.team_admin_needed.app_error", nil, "")
c.Err.StatusCode = http.StatusForbidden
return
}
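Review bot: The new message id `api.user.update_roles.team_admin_needed.app_error` needs a matching entry in the server translation files, which this diff (limited to api/) does not show; without it the client receives the raw key. Because c.TeamId is populated from the request body in the previous hunk, IsTeamAdmin() here answers "is the caller a team admin of the team the caller named", which is what the route needs but is worth spelling out, e.g. `// Only a team admin of the requested team (c.TeamId, taken from the request) may change another member's roles; anyone may demote themselves`.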
@@ -1435,6 +1441,13 @@ func updateRoles(c *Context, w http.ResponseWriter, r *http.Request) {
user = result.Data.(*model.User)
}
+ // only another system admin can remove another system admin
+ if model.IsInRole(user.Roles, model.ROLE_SYSTEM_ADMIN) && !c.IsSystemAdmin() {
+ c.Err = model.NewLocAppError("updateRoles", "api.user.update_roles.system_admin_needed.app_error", nil, "")
+ c.Err.StatusCode = http.StatusForbidden
+ return
+ }
+
// if the team role has changed then lets update team members
if model.IsValidTeamRoles(new_roles) && len(team_id) > 0 {
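Review bot: The added check only guards changing a user who already holds ROLE_SYSTEM_ADMIN; nothing in these hunks stops a team admin from passing ROLE_SYSTEM_ADMIN in new_roles and promoting a member, which the previous `IsSystemAdmin()` gate prevented implicitly. Unless a check further down in updateRoles (outside this hunk) rejects that, the condition should cover both directions: `if (model.IsInRole(user.Roles, model.ROLE_SYSTEM_ADMIN) || model.IsInRole(new_roles, model.ROLE_SYSTEM_ADMIN)) && !c.IsSystemAdmin() {`. The comment would then read `// only a system admin may add or remove the system admin role`. The function continues past this hunk.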
diff --git a/api/user_test.go b/api/user_test.go
index c34d32c11..311a5ea21 100644
--- a/api/user_test.go
+++ b/api/user_test.go
@@ -910,7 +910,7 @@ func TestUserUpdateRolesMoreCases(t *testing.T) {
data["user_id"] = th.BasicUser2.Id
data["new_roles"] = model.ROLE_TEAM_ADMIN
data["team_id"] = th.BasicTeam.Id
- if _, err := th.BasicClient.UpdateUserRoles(data); err == nil {
+ if _, err := th.BasicClient.UpdateUserRoles(data); err != nil {
t.Fatal("Should have succeeded since they are team admin")
}
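Review bot: Both changed assertions (here and in the hunk at line 926) now cover only the success path for a team admin; the commit's new restriction — a team admin must not be able to change a system admin's roles — has no test in this diff. If TestUserUpdateRolesMoreCases does not already exercise it elsewhere, add a case where th.BasicClient (as team admin) targets a user holding the system admin role and expects failure, e.g. `if _, err := th.BasicClient.UpdateUserRoles(data); err == nil { t.Fatal("Should have failed because team admins cannot change a system admin's roles") }`. A case asserting that a team admin cannot set new_roles to the system admin role would pin the same boundary from the other side. TestUserUpdateRolesMoreCases starts before this hunk.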
@@ -926,7 +926,7 @@ func TestUserUpdateRolesMoreCases(t *testing.T) {
data["user_id"] = th.BasicUser2.Id
data["new_roles"] = ""
data["team_id"] = th.BasicTeam.Id
- if _, err := th.BasicClient.UpdateUserRoles(data); err == nil {
+ if _, err := th.BasicClient.UpdateUserRoles(data); err != nil {
t.Fatal("Should have succeeded since they are team admin")
}