diff options
author | Joram Wilander <jwawilander@gmail.com> | 2017-03-31 12:25:39 -0400 |
---|---|---|
committer | Harrison Healey <harrisonmhealey@gmail.com> | 2017-03-31 12:25:39 -0400 |
commit | aba07e5cb9e9b5668c4fb94bfe9f096a26538528 (patch) | |
tree | 4a7348f71da063051cd77677cd37313760e9b9b8 /api | |
parent | 84826bf5632a9afb2c621b8cbcf935ad03943997 (diff) | |
download | chat-aba07e5cb9e9b5668c4fb94bfe9f096a26538528.tar.gz chat-aba07e5cb9e9b5668c4fb94bfe9f096a26538528.tar.bz2 chat-aba07e5cb9e9b5668c4fb94bfe9f096a26538528.zip |
PLT-5483 Fix bug where flagged posts endpoint returned posts on other teams (#5765)
* Fix bug where flagged posts endpoint returned posts on other teams
* Include flagged posts from DMs/GMs
Diffstat (limited to 'api')
-rw-r--r-- | api/post.go | 7 | ||||
-rw-r--r-- | api/post_test.go | 5 |
2 files changed, 11 insertions, 1 deletions
diff --git a/api/post.go b/api/post.go index afe60144d..b4c34bca2 100644 --- a/api/post.go +++ b/api/post.go @@ -161,7 +161,12 @@ func getFlaggedPosts(c *Context, w http.ResponseWriter, r *http.Request) { return } - if posts, err := app.GetFlaggedPosts(c.Session.UserId, offset, limit); err != nil { + if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_VIEW_TEAM) { + c.SetPermissionError(model.PERMISSION_VIEW_TEAM) + return + } + + if posts, err := app.GetFlaggedPostsForTeam(c.Session.UserId, c.TeamId, offset, limit); err != nil { c.Err = err return } else { diff --git a/api/post_test.go b/api/post_test.go index 6558aeb5b..a72074547 100644 --- a/api/post_test.go +++ b/api/post_test.go @@ -1115,6 +1115,11 @@ func TestGetFlaggedPosts(t *testing.T) { if len(r2.Order) != 0 { t.Fatal("should not have gotten a flagged post") } + + Client.SetTeamId(model.NewId()) + if _, err := Client.GetFlaggedPosts(0, 2); err == nil { + t.Fatal("should have failed - bad team id") + } } func TestGetMessageForNotification(t *testing.T) { |