MM-11230: Make permissions checks in commands failsafe. (#9392)

Also add additional unit tests to make sure the permissions tests are
completely solid.

1 files changed, 93 insertions, 0 deletions

diff --git a/app/command_channel_purpose_test.go b/app/command_channel_purpose_test.go
new file mode 100644
index 000000000..3bdaa4e4f
--- /dev/null
+++ b/app/command_channel_purpose_test.go
@@ -0,0 +1,93 @@
+// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
+// See License.txt for license information.
+
+package app
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/mattermost/mattermost-server/model"
+)
+
+func TestPurposeProviderDoCommand(t *testing.T) {
+	th := Setup().InitBasic()
+	defer th.TearDown()
+
+	pp := PurposeProvider{}
+
+	// Try a public channel *with* permission.
+	args := &model.CommandArgs{
+		T:         func(s string, args ...interface{}) string { return s },
+		ChannelId: th.BasicChannel.Id,
+		Session:   model.Session{UserId: th.BasicUser.Id, TeamMembers: []*model.TeamMember{{TeamId: th.BasicTeam.Id, Roles: model.TEAM_USER_ROLE_ID}}},
+	}
+
+	for msg, expected := range map[string]string{
+		"":      "api.command_channel_purpose.message.app_error",
+		"hello": "",
+	} {
+		actual := pp.DoCommand(th.App, args, msg).Text
+		assert.Equal(t, expected, actual)
+	}
+
+	// Try a public channel *without* permission.
+	args = &model.CommandArgs{
+		T:         func(s string, args ...interface{}) string { return s },
+		ChannelId: th.BasicChannel.Id,
+		Session:   model.Session{UserId: th.BasicUser.Id, TeamMembers: []*model.TeamMember{{TeamId: th.BasicTeam.Id, Roles: ""}}},
+	}
+
+	actual := pp.DoCommand(th.App, args, "hello").Text
+	assert.Equal(t, "api.command_channel_purpose.permission.app_error", actual)
+
+	// Try a private channel *with* permission.
+	privateChannel := th.CreatePrivateChannel(th.BasicTeam)
+
+	args = &model.CommandArgs{
+		T:         func(s string, args ...interface{}) string { return s },
+		ChannelId: privateChannel.Id,
+		Session:   model.Session{UserId: th.BasicUser.Id, TeamMembers: []*model.TeamMember{{TeamId: th.BasicTeam.Id, Roles: model.TEAM_USER_ROLE_ID}}},
+	}
+
+	actual = pp.DoCommand(th.App, args, "hello").Text
+	assert.Equal(t, "", actual)
+
+	// Try a private channel *without* permission.
+	args = &model.CommandArgs{
+		T:         func(s string, args ...interface{}) string { return s },
+		ChannelId: privateChannel.Id,
+		Session:   model.Session{UserId: th.BasicUser.Id, TeamMembers: []*model.TeamMember{{TeamId: th.BasicTeam.Id, Roles: ""}}},
+	}
+
+	actual = pp.DoCommand(th.App, args, "hello").Text
+	assert.Equal(t, "api.command_channel_purpose.permission.app_error", actual)
+
+	// Try a group channel *with* being a member.
+	user1 := th.CreateUser()
+	user2 := th.CreateUser()
+
+	groupChannel := th.CreateGroupChannel(user1, user2)
+
+	args = &model.CommandArgs{
+		T:         func(s string, args ...interface{}) string { return s },
+		ChannelId: groupChannel.Id,
+		Session:   model.Session{UserId: th.BasicUser.Id, TeamMembers: []*model.TeamMember{{TeamId: th.BasicTeam.Id, Roles: ""}}},
+	}
+
+	actual = pp.DoCommand(th.App, args, "hello").Text
+	assert.Equal(t, "api.command_channel_purpose.direct_group.app_error", actual)
+
+	// Try a direct channel *with* being a member.
+	directChannel := th.CreateDmChannel(user1)
+
+	args = &model.CommandArgs{
+		T:         func(s string, args ...interface{}) string { return s },
+		ChannelId: directChannel.Id,
+		Session:   model.Session{UserId: th.BasicUser.Id, TeamMembers: []*model.TeamMember{{TeamId: th.BasicTeam.Id, Roles: ""}}},
+	}
+
+	actual = pp.DoCommand(th.App, args, "hello").Text
+	assert.Equal(t, "api.command_channel_purpose.direct_group.app_error", actual)
+}