diff options
| author | George Goldberg <george@gberg.me> | 2018-09-12 15:32:05 +0100 |
|---|---|---|
| committer | Harrison Healey <harrisonmhealey@gmail.com> | 2018-09-12 10:32:05 -0400 |
| commit | 0a5f792d2d6ceaa6c9bdb3050acbc4050c0c02f5 (patch) | |
| tree | 37bf6f899abffe926c7c42337a19d67050382e50 /app/command_remove.go | |
| parent | fba0f8e8b2e869654b3970396ed6fb0647e8910f (diff) | |
| download | chat-0a5f792d2d6ceaa6c9bdb3050acbc4050c0c02f5.tar.gz chat-0a5f792d2d6ceaa6c9bdb3050acbc4050c0c02f5.tar.bz2 chat-0a5f792d2d6ceaa6c9bdb3050acbc4050c0c02f5.zip | |
MM-11230: Make permissions checks in commands failsafe. (#9392)
Also add additional unit tests to make sure the permissions tests are
completely solid.
Diffstat (limited to 'app/command_remove.go')
| -rw-r--r-- | app/command_remove.go | 19 |
1 files changed, 10 insertions, 9 deletions
diff --git a/app/command_remove.go b/app/command_remove.go index 3671a2063..6a67996e9 100644 --- a/app/command_remove.go +++ b/app/command_remove.go @@ -70,15 +70,16 @@ func doCommand(a *App, args *model.CommandArgs, message string) *model.CommandRe return &model.CommandResponse{Text: args.T("api.command_channel_rename.channel.app_error"), ResponseType: model.COMMAND_RESPONSE_TYPE_EPHEMERAL} } - if channel.Type == model.CHANNEL_OPEN && !a.SessionHasPermissionToChannel(args.Session, args.ChannelId, model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS) { - return &model.CommandResponse{Text: args.T("api.command_remove.permission.app_error"), ResponseType: model.COMMAND_RESPONSE_TYPE_EPHEMERAL} - } - - if channel.Type == model.CHANNEL_PRIVATE && !a.SessionHasPermissionToChannel(args.Session, args.ChannelId, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS) { - return &model.CommandResponse{Text: args.T("api.command_remove.permission.app_error"), ResponseType: model.COMMAND_RESPONSE_TYPE_EPHEMERAL} - } - - if channel.Type == model.CHANNEL_GROUP || channel.Type == model.CHANNEL_DIRECT { + switch channel.Type { + case model.CHANNEL_OPEN: + if !a.SessionHasPermissionToChannel(args.Session, args.ChannelId, model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS) { + return &model.CommandResponse{Text: args.T("api.command_remove.permission.app_error"), ResponseType: model.COMMAND_RESPONSE_TYPE_EPHEMERAL} + } + case model.CHANNEL_PRIVATE: + if !a.SessionHasPermissionToChannel(args.Session, args.ChannelId, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS) { + return &model.CommandResponse{Text: args.T("api.command_remove.permission.app_error"), ResponseType: model.COMMAND_RESPONSE_TYPE_EPHEMERAL} + } + default: return &model.CommandResponse{Text: args.T("api.command_remove.direct_group.app_error"), ResponseType: model.COMMAND_RESPONSE_TYPE_EPHEMERAL} } |