authorGeorge Goldberg <george@gberg.me>2017-03-02 14:08:00 +0000
committerCorey Hulen <corey@hulen.com>2017-03-02 09:08:00 -0500
commitf4aebed220667f0022bc902420c62d9841835e80 (patch)
tree5b85700ff1e99927571a20cc2fc9e1aba1109b2f /api
parent991925b7ee5ddfc45cc28943ea4e9ce68025438a (diff)
PLT-5355: Fix permalink to private/direct channels. (#5574)
Appropriate permission checks depend on the type of channel this permalink links to.
Diffstat (limited to 'api')
-rw-r--r--api/post.go19
-rw-r--r--api/post_test.go39
2 files changed, 55 insertions, 3 deletions
diff --git a/api/post.go b/api/post.go
index b6539ed54..9c22dc5ee 100644
--- a/api/post.go
+++ b/api/post.go
@@ -264,11 +264,26 @@ func getPermalinkTmp(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if !app.HasPermissionToChannelByPost(c.Session.UserId, postId, model.PERMISSION_JOIN_PUBLIC_CHANNELS) {
- c.SetPermissionError(model.PERMISSION_JOIN_PUBLIC_CHANNELS)
+ var channel *model.Channel
+ if result := <-app.Srv.Store.Channel().GetForPost(postId); result.Err == nil {
+ channel = result.Data.(*model.Channel)
+ } else {
+ c.SetInvalidParam("getPermalinkTmp", "postId")
return
}
+ if channel.Type == model.CHANNEL_OPEN {
+ if !app.HasPermissionToChannelByPost(c.Session.UserId, postId, model.PERMISSION_JOIN_PUBLIC_CHANNELS) {
+ c.SetPermissionError(model.PERMISSION_JOIN_PUBLIC_CHANNELS)
+ return
+ }
+ } else {
+ if !app.HasPermissionToChannelByPost(c.Session.UserId, postId, model.PERMISSION_READ_CHANNEL) {
+ c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
+ return
+ }
+ }
+
if list, err := app.GetPermalinkPost(postId, c.Session.UserId); err != nil {
c.Err = err
return
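Review bot: The two branches of the new `if channel.Type == model.CHANNEL_OPEN` block are the same call with a different permission constant, which makes it easy for the two paths to drift apart the next time the check is touched; select the permission first and check once: `perm := model.PERMISSION_READ_CHANNEL`, `if channel.Type == model.CHANNEL_OPEN { perm = model.PERMISSION_JOIN_PUBLIC_CHANNELS }`, `if !app.HasPermissionToChannelByPost(c.Session.UserId, postId, perm) { c.SetPermissionError(perm); return }`. The lookup before it maps every non-nil `result.Err` from `GetForPost` to `SetInvalidParam("getPermalinkTmp", "postId")`, so a store or database failure is reported to the caller as a bad post id; if the store error carries a status or not-found distinction (not visible in this hunk), only the not-found case should become an invalid-param response and the rest should be surfaced as the server error it is. A short comment above the type switch such as `// Open channels are readable by anyone who may join them; every other type requires membership.` would record why the two channel classes need different permissions. getPermalinkTmp starts before this hunk and its body continues after it.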
diff --git a/api/post_test.go b/api/post_test.go
index a41781dae..b93b5b6a6 100644
--- a/api/post_test.go
+++ b/api/post_test.go
@@ -1237,9 +1237,12 @@ func TestGetPostById(t *testing.T) {
}
func TestGetPermalinkTmp(t *testing.T) {
- th := Setup().InitBasic()
+ th := Setup().InitBasic().InitSystemAdmin()
Client := th.BasicClient
channel1 := th.BasicChannel
+ team := th.BasicTeam
+
+ th.LoginBasic()
time.Sleep(10 * time.Millisecond)
post1 := &model.Post{ChannelId: channel1.Id, Message: "a" + model.NewId() + "a"}
@@ -1264,6 +1267,40 @@ func TestGetPermalinkTmp(t *testing.T) {
} else if results == nil {
t.Fatal("should not be empty")
}
+
+ // Test permalink to private channels.
+ channel2 := &model.Channel{DisplayName: "TestGetPermalinkPriv", Name: "a" + model.NewId() + "a", Type: model.CHANNEL_PRIVATE, TeamId: team.Id}
+ channel2 = Client.Must(Client.CreateChannel(channel2)).Data.(*model.Channel)
+ time.Sleep(10 * time.Millisecond)
+ post3 := &model.Post{ChannelId: channel2.Id, Message: "a" + model.NewId() + "a"}
+ post3 = Client.Must(Client.CreatePost(post3)).Data.(*model.Post)
+
+ if _, md := Client.GetPermalink(channel2.Id, post3.Id, ""); md.Error != nil {
+ t.Fatal(md.Error)
+ }
+
+ th.LoginBasic2()
+
+ if _, md := Client.GetPermalink(channel2.Id, post3.Id, ""); md.Error == nil {
+ t.Fatal("Expected 403 error")
+ }
+
+ // Test direct channels.
+ th.LoginBasic()
+ channel3 := Client.Must(Client.CreateDirectChannel(th.SystemAdminUser.Id)).Data.(*model.Channel)
+ time.Sleep(10 * time.Millisecond)
+ post4 := &model.Post{ChannelId: channel3.Id, Message: "a" + model.NewId() + "a"}
+ post4 = Client.Must(Client.CreatePost(post4)).Data.(*model.Post)
+
+ if _, md := Client.GetPermalink(channel3.Id, post4.Id, ""); md.Error != nil {
+ t.Fatal(md.Error)
+ }
+
+ th.LoginBasic2()
+
+ if _, md := Client.GetPermalink(channel3.Id, post4.Id, ""); md.Error == nil {
+ t.Fatal("Expected 403 error")
+ }
}
func TestGetOpenGraphMetadata(t *testing.T) {
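Review bot: The two negative cases added here (`if _, md := Client.GetPermalink(channel2.Id, post3.Id, ""); md.Error == nil { t.Fatal("Expected 403 error") }` and the same for channel3/post4) pass on any error, not only the permission error the message names, so a 400 from the new invalid-param branch or a 500 from a store failure would satisfy them and the test would not catch a regression in the permission check itself. Assert on the status as well, e.g. `if _, md := Client.GetPermalink(channel2.Id, post3.Id, ""); md.Error == nil || md.Error.StatusCode != http.StatusForbidden { t.Fatalf("expected 403, got %v", md.Error) }`, assuming the returned error exposes its HTTP status as `StatusCode` and `net/http` is imported in this file. The `time.Sleep(10 * time.Millisecond)` calls copied from the existing test body look like ordering aids rather than something the assertions depend on; if so a one-line comment saying why they are needed would help the next reader.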