authorGeorge Goldberg <george@gberg.me>2018-09-12 15:32:05 +0100
committerHarrison Healey <harrisonmhealey@gmail.com>2018-09-12 10:32:05 -0400
commit0a5f792d2d6ceaa6c9bdb3050acbc4050c0c02f5 (patch)
tree37bf6f899abffe926c7c42337a19d67050382e50 /app/command_remove_test.go
parentfba0f8e8b2e869654b3970396ed6fb0647e8910f (diff)
MM-11230: Make permissions checks in commands failsafe. (#9392)
Also add additional unit tests to make sure the permissions tests are completely solid.
Diffstat (limited to 'app/command_remove_test.go')
-rw-r--r--app/command_remove_test.go109
1 files changed, 109 insertions, 0 deletions
diff --git a/app/command_remove_test.go b/app/command_remove_test.go
new file mode 100644
index 000000000..f17a70bad
--- /dev/null
+++ b/app/command_remove_test.go
@@ -0,0 +1,109 @@
+// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
+// See License.txt for license information.
+
+package app
+
+import (
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+
+ "github.com/mattermost/mattermost-server/model"
+)
+
+func TestRemoveProviderDoCommand(t *testing.T) {
+ th := Setup().InitBasic()
+ defer th.TearDown()
+
+ rp := RemoveProvider{}
+
+ publicChannel, _ := th.App.CreateChannel(&model.Channel{
+ DisplayName: "AA",
+ Name: "aa" + model.NewId() + "a",
+ Type: model.CHANNEL_OPEN,
+ TeamId: th.BasicTeam.Id,
+ CreatorId: th.BasicUser.Id,
+ }, false)
+
+ privateChannel, _ := th.App.CreateChannel(&model.Channel{
+ DisplayName: "BB",
+ Name: "aa" + model.NewId() + "a",
+ Type: model.CHANNEL_OPEN,
+ TeamId: th.BasicTeam.Id,
+ CreatorId: th.BasicUser.Id,
+ }, false)
+
+ targetUser := th.CreateUser()
+ th.App.AddUserToTeam(th.BasicTeam.Id, targetUser.Id, targetUser.Id)
+ th.App.AddUserToChannel(targetUser, publicChannel)
+ th.App.AddUserToChannel(targetUser, privateChannel)
+
+ // Try a public channel *without* permission.
+ args := &model.CommandArgs{
+ T: func(s string, args ...interface{}) string { return s },
+ ChannelId: publicChannel.Id,
+ Session: model.Session{UserId: th.BasicUser.Id, TeamMembers: []*model.TeamMember{{TeamId: th.BasicTeam.Id, Roles: ""}}},
+ }
+
+ actual := rp.DoCommand(th.App, args, targetUser.Username).Text
+ assert.Equal(t, "api.command_remove.permission.app_error", actual)
+
+ // Try a public channel *with* permission.
+ th.App.AddUserToChannel(th.BasicUser, publicChannel)
+ args = &model.CommandArgs{
+ T: func(s string, args ...interface{}) string { return s },
+ ChannelId: publicChannel.Id,
+ Session: model.Session{UserId: th.BasicUser.Id, TeamMembers: []*model.TeamMember{{TeamId: th.BasicTeam.Id, Roles: ""}}},
+ }
+
+ actual = rp.DoCommand(th.App, args, targetUser.Username).Text
+ assert.Equal(t, "", actual)
+
+ // Try a private channel *without* permission.
+ args = &model.CommandArgs{
+ T: func(s string, args ...interface{}) string { return s },
+ ChannelId: privateChannel.Id,
+ Session: model.Session{UserId: th.BasicUser.Id, TeamMembers: []*model.TeamMember{{TeamId: th.BasicTeam.Id, Roles: ""}}},
+ }
+
+ actual = rp.DoCommand(th.App, args, targetUser.Username).Text
+ assert.Equal(t, "api.command_remove.permission.app_error", actual)
+
+ // Try a private channel *with* permission.
+ th.App.AddUserToChannel(th.BasicUser, privateChannel)
+ args = &model.CommandArgs{
+ T: func(s string, args ...interface{}) string { return s },
+ ChannelId: privateChannel.Id,
+ Session: model.Session{UserId: th.BasicUser.Id, TeamMembers: []*model.TeamMember{{TeamId: th.BasicTeam.Id, Roles: ""}}},
+ }
+
+ actual = rp.DoCommand(th.App, args, targetUser.Username).Text
+ assert.Equal(t, "", actual)
+
+ // Try a group channel
+ user1 := th.CreateUser()
+ user2 := th.CreateUser()
+
+ groupChannel := th.CreateGroupChannel(user1, user2)
+
+ args = &model.CommandArgs{
+ T: func(s string, args ...interface{}) string { return s },
+ ChannelId: groupChannel.Id,
+ Session: model.Session{UserId: th.BasicUser.Id, TeamMembers: []*model.TeamMember{{TeamId: th.BasicTeam.Id, Roles: ""}}},
+ }
+
+ actual = rp.DoCommand(th.App, args, user1.Username).Text
+ assert.Equal(t, "api.command_remove.direct_group.app_error", actual)
+
+ // Try a direct channel *with* being a member.
+ directChannel := th.CreateDmChannel(user1)
+
+ args = &model.CommandArgs{
+ T: func(s string, args ...interface{}) string { return s },
+ ChannelId: directChannel.Id,
+ Session: model.Session{UserId: th.BasicUser.Id, TeamMembers: []*model.TeamMember{{TeamId: th.BasicTeam.Id, Roles: ""}}},
+ }
+
+ actual = rp.DoCommand(th.App, args, user1.Username).Text
+ assert.Equal(t, "api.command_remove.direct_group.app_error", actual)
+}
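Review bot: `privateChannel` is created with `Type: model.CHANNEL_OPEN`, the same as `publicChannel`, so the two "private channel" cases only repeat the public-channel permission path and the private-channel member-management check is never exercised. The field should read `Type: model.CHANNEL_PRIVATE,`, and the expected strings in those two cases should be rechecked once the channel really is private. Since the commit is about making these permission checks failsafe, the current fixture leaves the more sensitive branch without coverage. Separately, both `th.App.CreateChannel` calls discard their error with `_`, and the `AddUserToTeam`/`AddUserToChannel` results are ignored, so a failed setup would show up as a nil dereference or a misleading assertion. Capture the error and follow each call with `if err != nil { t.Fatal(err) }` to make such failures explicit.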