MM-11230: Make permissions checks in commands failsafe. (#9392)

Also add additional unit tests to make sure the permissions tests are
completely solid.

1 files changed, 75 insertions, 28 deletions

diff --git a/app/command_invite.go b/app/command_invite.go
index 86cc5fdbb..e6167dad6 100644
--- a/app/command_invite.go
+++ b/app/command_invite.go
@@ -6,9 +6,10 @@ package app
 import (
 	"strings"
 
+	goi18n "github.com/nicksnyder/go-i18n/i18n"
+
 	"github.com/mattermost/mattermost-server/mlog"
 	"github.com/mattermost/mattermost-server/model"
-	goi18n "github.com/nicksnyder/go-i18n/i18n"
 )
 
 type InviteProvider struct {
@@ -38,7 +39,10 @@ func (me *InviteProvider) GetCommand(a *App, T goi18n.TranslateFunc) *model.Comm
 
 func (me *InviteProvider) DoCommand(a *App, args *model.CommandArgs, message string) *model.CommandResponse {
 	if message == "" {
-		return &model.CommandResponse{Text: args.T("api.command_invite.missing_message.app_error"), ResponseType: model.COMMAND_RESPONSE_TYPE_EPHEMERAL}
+		return &model.CommandResponse{
+			Text:         args.T("api.command_invite.missing_message.app_error"),
+			ResponseType: model.COMMAND_RESPONSE_TYPE_EPHEMERAL,
+		}
 	}
 
 	splitMessage := strings.SplitN(message, " ", 2)
@@ -48,7 +52,10 @@ func (me *InviteProvider) DoCommand(a *App, args *model.CommandArgs, message str
 	var userProfile *model.User
 	if result := <-a.Srv.Store.User().GetByUsername(targetUsername); result.Err != nil {
 		mlog.Error(result.Err.Error())
-		return &model.CommandResponse{Text: args.T("api.command_invite.missing_user.app_error"), ResponseType: model.COMMAND_RESPONSE_TYPE_EPHEMERAL}
+		return &model.CommandResponse{
+			Text:         args.T("api.command_invite.missing_user.app_error"),
+			ResponseType: model.COMMAND_RESPONSE_TYPE_EPHEMERAL,
+		}
 	} else {
 		userProfile = result.Data.(*model.User)
 	}
@@ -60,49 +67,89 @@ func (me *InviteProvider) DoCommand(a *App, args *model.CommandArgs, message str
 		targetChannelName := strings.TrimPrefix(strings.TrimSpace(splitMessage[1]), "~")
 
 		if channelToJoin, err = a.GetChannelByName(targetChannelName, args.TeamId, false); err != nil {
-			return &model.CommandResponse{Text: args.T("api.command_invite.channel.error", map[string]interface{}{"Channel": targetChannelName}), ResponseType: model.COMMAND_RESPONSE_TYPE_EPHEMERAL}
+			return &model.CommandResponse{
+				Text: args.T("api.command_invite.channel.error", map[string]interface{}{
+					"Channel": targetChannelName,
+				}),
+				ResponseType: model.COMMAND_RESPONSE_TYPE_EPHEMERAL,
+			}
 		}
 	} else {
 		channelToJoin, err = a.GetChannel(args.ChannelId)
 		if err != nil {
-			return &model.CommandResponse{Text: args.T("api.command_invite.channel.app_error"), ResponseType: model.COMMAND_RESPONSE_TYPE_EPHEMERAL}
+			return &model.CommandResponse{
+				Text:         args.T("api.command_invite.channel.app_error"),
+				ResponseType: model.COMMAND_RESPONSE_TYPE_EPHEMERAL,
+			}
 		}
 	}
 
-	// Check if is a Direct Channel
-	if channelToJoin.Type == model.CHANNEL_DIRECT || channelToJoin.Type == model.CHANNEL_GROUP {
-		return &model.CommandResponse{Text: args.T("api.command_invite.directchannel.app_error"), ResponseType: model.COMMAND_RESPONSE_TYPE_EPHEMERAL}
-	}
-
-	// Check Permissions
-	if channelToJoin.Type == model.CHANNEL_OPEN && !a.SessionHasPermissionToChannel(args.Session, channelToJoin.Id, model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS) {
-		return &model.CommandResponse{Text: args.T("api.command_invite.permission.app_error", map[string]interface{}{"User": userProfile.Username, "Channel": channelToJoin.Name}), ResponseType: model.COMMAND_RESPONSE_TYPE_EPHEMERAL}
-	}
-
-	// Check if the user who wants to add another is trying to add in a pvt channel, but does not have permission
-	// but is in the channel
-	_, err = a.GetChannelMember(channelToJoin.Id, args.UserId)
-	if channelToJoin.Type == model.CHANNEL_PRIVATE && !a.SessionHasPermissionToChannel(args.Session, channelToJoin.Id, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS) && err == nil {
-		return &model.CommandResponse{Text: args.T("api.command_invite.permission.app_error", map[string]interface{}{"User": userProfile.Username, "Channel": channelToJoin.Name}), ResponseType: model.COMMAND_RESPONSE_TYPE_EPHEMERAL}
-	}
-
-	// In this case just check if is a pvt channel and user has permission
-	if channelToJoin.Type == model.CHANNEL_PRIVATE && !a.SessionHasPermissionToChannel(args.Session, channelToJoin.Id, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS) {
-		return &model.CommandResponse{Text: args.T("api.command_invite.private_channel.app_error", map[string]interface{}{"Channel": channelToJoin.Name}), ResponseType: model.COMMAND_RESPONSE_TYPE_EPHEMERAL}
+	// Permissions Check
+	switch channelToJoin.Type {
+	case model.CHANNEL_OPEN:
+		if !a.SessionHasPermissionToChannel(args.Session, channelToJoin.Id, model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS) {
+			return &model.CommandResponse{
+				Text: args.T("api.command_invite.permission.app_error", map[string]interface{}{
+					"User":    userProfile.Username,
+					"Channel": channelToJoin.Name,
+				}),
+				ResponseType: model.COMMAND_RESPONSE_TYPE_EPHEMERAL,
+			}
+		}
+	case model.CHANNEL_PRIVATE:
+		if !a.SessionHasPermissionToChannel(args.Session, channelToJoin.Id, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS) {
+			if _, err = a.GetChannelMember(channelToJoin.Id, args.UserId); err == nil {
+				// User doing the inviting is a member of the channel.
+				return &model.CommandResponse{
+					Text: args.T("api.command_invite.permission.app_error", map[string]interface{}{
+						"User":    userProfile.Username,
+						"Channel": channelToJoin.Name,
+					}),
+					ResponseType: model.COMMAND_RESPONSE_TYPE_EPHEMERAL,
+				}
+			} else {
+				// User doing the inviting is *not* a member of the channel.
+				return &model.CommandResponse{
+					Text: args.T("api.command_invite.private_channel.app_error", map[string]interface{}{
+						"Channel": channelToJoin.Name,
+					}),
+					ResponseType: model.COMMAND_RESPONSE_TYPE_EPHEMERAL,
+				}
+			}
+		}
+	default:
+		return &model.CommandResponse{
+			Text:         args.T("api.command_invite.directchannel.app_error"),
+			ResponseType: model.COMMAND_RESPONSE_TYPE_EPHEMERAL,
+		}
 	}
 
 	// Check if user is already in the channel
 	_, err = a.GetChannelMember(channelToJoin.Id, userProfile.Id)
 	if err == nil {
-		return &model.CommandResponse{Text: args.T("api.command_invite.user_already_in_channel.app_error", map[string]interface{}{"User": userProfile.Username}), ResponseType: model.COMMAND_RESPONSE_TYPE_EPHEMERAL}
+		return &model.CommandResponse{
+			Text: args.T("api.command_invite.user_already_in_channel.app_error", map[string]interface{}{
+				"User": userProfile.Username,
+			}),
+			ResponseType: model.COMMAND_RESPONSE_TYPE_EPHEMERAL,
+		}
 	}
 
 	if _, err := a.AddChannelMember(userProfile.Id, channelToJoin, args.Session.UserId, ""); err != nil {
-		return &model.CommandResponse{Text: args.T("api.command_invite.fail.app_error"), ResponseType: model.COMMAND_RESPONSE_TYPE_EPHEMERAL}
+		return &model.CommandResponse{
+			Text:         args.T("api.command_invite.fail.app_error"),
+			ResponseType: model.COMMAND_RESPONSE_TYPE_EPHEMERAL,
+		}
 	}
 
 	if args.ChannelId != channelToJoin.Id {
-		return &model.CommandResponse{Text: args.T("api.command_invite.success", map[string]interface{}{"User": userProfile.Username, "Channel": channelToJoin.Name}), ResponseType: model.COMMAND_RESPONSE_TYPE_EPHEMERAL}
+		return &model.CommandResponse{
+			Text: args.T("api.command_invite.success", map[string]interface{}{
+				"User":    userProfile.Username,
+				"Channel": channelToJoin.Name,
+			}),
+			ResponseType: model.COMMAND_RESPONSE_TYPE_EPHEMERAL,
+		}
 	}
 
 	return &model.CommandResponse{}