authorJoram Wilander <jwawilander@gmail.com>2018-04-20 08:44:18 -0400
committerGitHub <noreply@github.com>2018-04-20 08:44:18 -0400
commit283f34b9c6d207f0a103e7b4c7f6da2c7481c3ef (patch)
tree9a9d0dfb9f536d37e9817e3407c32e7ec0c11cdf /app/web_conn.go
parent7987c95fcd7f7a9e6d4d174be403bf170f7b9115 (diff)
MM-10007 Send an admin and regular WS events when a user is updated (#8588)
* Add user.DeepCopy() function * Add omit admins/non-admins to WS broadcast and use for updating users * Updates per feedback and adding unit test for ShouldSendEvent
Diffstat (limited to 'app/web_conn.go')
-rw-r--r--app/web_conn.go22
1 files changed, 22 insertions, 0 deletions
diff --git a/app/web_conn.go b/app/web_conn.go
index 33c285af3..9ae5505b2 100644
--- a/app/web_conn.go
+++ b/app/web_conn.go
@@ -287,6 +287,28 @@ func (webCon *WebConn) ShouldSendEvent(msg *model.WebSocketEvent) bool {
return false
}
+ // If the event contains sanitized data, only send to users that don't have permission to
+ // see sensitive data. Prevents admin clients from receiving events with bad data
+ var hasReadPrivateDataPermission *bool
+ if msg.Broadcast.ContainsSanitizedData {
+ hasReadPrivateDataPermission = model.NewBool(webCon.App.RolesGrantPermission(webCon.GetSession().GetUserRoles(), model.PERMISSION_MANAGE_SYSTEM.Id))
+
+ if *hasReadPrivateDataPermission {
+ return false
+ }
+ }
+
+ // If the event contains sensitive data, only send to users with permission to see it
+ if msg.Broadcast.ContainsSensitiveData {
+ if hasReadPrivateDataPermission == nil {
+ hasReadPrivateDataPermission = model.NewBool(webCon.App.RolesGrantPermission(webCon.GetSession().GetUserRoles(), model.PERMISSION_MANAGE_SYSTEM.Id))
+ }
+
+ if !*hasReadPrivateDataPermission {
+ return false
+ }
+ }
+
// If the event is destined to a specific user
if len(msg.Broadcast.UserId) > 0 {
if webCon.UserId == msg.Broadcast.UserId {
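Review bot: The gate under `if msg.Broadcast.ContainsSensitiveData` decides on the roles held in the connection's session (`webCon.GetSession().GetUserRoles()`), so a user who loses `PERMISSION_MANAGE_SYSTEM` keeps receiving sensitive events until that session is refreshed or the socket is closed. Neither step is visible in this hunk, so it is worth confirming that role changes invalidate the WebConn session. The two flags are also checked independently, which means an event with both `ContainsSanitizedData` and `ContainsSensitiveData` set is dropped for every connection. That fails closed, but a comment such as `// ContainsSanitizedData and ContainsSensitiveData are mutually exclusive; an event with both set is delivered to no one` would make the contract explicit for callers. The lazily filled `*bool` could be replaced by a plain bool computed once when either flag is set, which removes the pointer dereferences from an authorization path. ShouldSendEvent starts and ends outside this hunk, so any earlier guard on a nil session is not visible here.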