MM-11327: Restrict Teams by Email (#9142)

* Check a team's AllowedDomains setting before adding users to the team.

* Updated AddUser tests to validate AllowedDomains restriction.

* Updated variable name to match convention.

* Removed AllowedDomains from team sanitization.

* Update AppError's Where to match the calling function.

* Added tests for user matching allowedDomains, and multi domain values of allowedDomains.

* Added test to make sure we block users who have a subdomain of a whitelisted domain.

* Revert "Removed AllowedDomains from team sanitization."

This reverts commit 17c2afea584da40c7d769787ae86408e9700510c.

* Update sanitization tests to include dockerhost, now that we enforce AllowedDomains.

* Added tests to verify the interplay between the global and per team domain restrictions.

* Validate AllowedDomains property against RestrictCreationToDomains before updating a team.

* Remove team.AllowedDomains from sanitization.

* Add i18n string for the team allowed domains restriction app error.

1 files changed, 5 insertions, 1 deletions

diff --git a/model/team.go b/model/team.go
index edf9d3a41..530c3fd6a 100644
--- a/model/team.go
+++ b/model/team.go
@@ -47,6 +47,7 @@ type TeamPatch struct {
 	DisplayName     *string `json:"display_name"`
 	Description     *string `json:"description"`
 	CompanyName     *string `json:"company_name"`
+	AllowedDomains  *string `json:"allowed_domains"`
 	InviteId        *string `json:"invite_id"`
 	AllowOpenInvite *bool   `json:"allow_open_invite"`
 }
@@ -241,7 +242,6 @@ func CleanTeamName(s string) string {
 
 func (o *Team) Sanitize() {
 	o.Email = ""
-	o.AllowedDomains = ""
 }
 
 func (t *Team) Patch(patch *TeamPatch) {
@@ -257,6 +257,10 @@ func (t *Team) Patch(patch *TeamPatch) {
 		t.CompanyName = *patch.CompanyName
 	}
 
+	if patch.AllowedDomains != nil {
+		t.AllowedDomains = *patch.AllowedDomains
+	}
+
 	if patch.InviteId != nil {
 		t.InviteId = *patch.InviteId
 	}