summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--api/general.go10
-rw-r--r--api/general_test.go20
-rw-r--r--api/oauth.go4
-rw-r--r--api/oauth_test.go42
-rw-r--r--api4/oauth.go9
-rw-r--r--api4/oauth_test.go12
-rw-r--r--api4/status.go6
-rw-r--r--api4/status_test.go14
-rw-r--r--webapp/components/profile_popover.jsx4
-rw-r--r--webapp/plugins/pluggable/pluggable.jsx6
10 files changed, 114 insertions, 13 deletions
diff --git a/api/general.go b/api/general.go
index 16a739704..ceb0b209f 100644
--- a/api/general.go
+++ b/api/general.go
@@ -10,6 +10,7 @@ import (
l4g "github.com/alecthomas/log4go"
+ "github.com/mattermost/platform/app"
"github.com/mattermost/platform/model"
"github.com/mattermost/platform/utils"
)
@@ -30,7 +31,14 @@ func logClient(c *Context, w http.ResponseWriter, r *http.Request) {
forceToDebug := false
if !*utils.Cfg.ServiceSettings.EnableDeveloper {
- forceToDebug = true
+ if c.Session.UserId == "" {
+ c.Err = model.NewAppError("Permissions", "api.context.permissions.app_error", nil, "", http.StatusForbidden)
+ return
+ }
+
+ if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+ forceToDebug = true
+ }
}
m := model.MapFromJson(r.Body)
diff --git a/api/general_test.go b/api/general_test.go
index 51593ab9e..1fb041ae6 100644
--- a/api/general_test.go
+++ b/api/general_test.go
@@ -5,6 +5,8 @@ package api
import (
"testing"
+
+ "github.com/mattermost/platform/utils"
)
func TestGetClientProperties(t *testing.T) {
@@ -25,6 +27,24 @@ func TestLogClient(t *testing.T) {
if ret, _ := th.BasicClient.LogClient("this is a test"); !ret {
t.Fatal("failed to log")
}
+
+ enableDeveloper := *utils.Cfg.ServiceSettings.EnableDeveloper
+ defer func() {
+ *utils.Cfg.ServiceSettings.EnableDeveloper = enableDeveloper
+ }()
+ *utils.Cfg.ServiceSettings.EnableDeveloper = false
+
+ th.BasicClient.Logout()
+
+ if _, err := th.BasicClient.LogClient("this is a test"); err == nil {
+ t.Fatal("should have failed")
+ }
+
+ *utils.Cfg.ServiceSettings.EnableDeveloper = true
+
+ if ret, _ := th.BasicClient.LogClient("this is a test"); !ret {
+ t.Fatal("failed to log")
+ }
}
func TestGetPing(t *testing.T) {
diff --git a/api/oauth.go b/api/oauth.go
index 9d6c9bf52..007ec09d9 100644
--- a/api/oauth.go
+++ b/api/oauth.go
@@ -41,6 +41,10 @@ func registerOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
+ if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+ oauthApp.IsTrusted = false
+ }
+
oauthApp.CreatorId = c.Session.UserId
rapp, err := c.App.CreateOAuthApp(oauthApp)
diff --git a/api/oauth_test.go b/api/oauth_test.go
index 4ff6c70bd..ffabf9414 100644
--- a/api/oauth_test.go
+++ b/api/oauth_test.go
@@ -21,7 +21,7 @@ func TestOAuthRegisterApp(t *testing.T) {
th := Setup().InitBasic().InitSystemAdmin()
Client := th.BasicClient
- oauthApp := &model.OAuthApp{Name: "TestApp" + model.NewId(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}}
+ oauthApp := &model.OAuthApp{Name: "TestApp" + model.NewId(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}, IsTrusted: true}
utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = false
if !utils.Cfg.ServiceSettings.EnableOAuthServiceProvider {
@@ -81,10 +81,29 @@ func TestOAuthRegisterApp(t *testing.T) {
Client.Logout()
Client.Login(user.Email, user.Password)
- oauthApp = &model.OAuthApp{Name: "TestApp" + model.NewId(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}}
+ oauthApp = &model.OAuthApp{Name: "TestApp" + model.NewId(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}, IsTrusted: true}
if _, err := Client.RegisterApp(oauthApp); err == nil {
t.Fatal("should have failed. not enough permissions")
}
+
+ adminOnly := *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations
+ defer func() {
+ *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = adminOnly
+ utils.SetDefaultRolesBasedOnConfig()
+ }()
+ *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = false
+ utils.SetDefaultRolesBasedOnConfig()
+
+ th.LoginBasic()
+
+ if result, err := th.BasicClient.RegisterApp(oauthApp); err != nil {
+ t.Fatal(err)
+ } else {
+ rapp := result.Data.(*model.OAuthApp)
+ if rapp.IsTrusted {
+ t.Fatal("trusted should be false - created by non admin")
+ }
+ }
}
func TestOAuthAllow(t *testing.T) {
@@ -462,7 +481,17 @@ func TestOAuthAuthorize(t *testing.T) {
th := Setup().InitBasic()
Client := th.BasicClient
+ enableOAuth := utils.Cfg.ServiceSettings.EnableOAuthServiceProvider
+ adminOnly := *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations
+ defer func() {
+ utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = enableOAuth
+ *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = adminOnly
+ utils.SetDefaultRolesBasedOnConfig()
+ }()
utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = false
+ *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = false
+ utils.SetDefaultRolesBasedOnConfig()
+
if !utils.Cfg.ServiceSettings.EnableOAuthServiceProvider {
if r, err := HttpGet(Client.Url+"/oauth/authorize", Client.HttpClient, "", true); err == nil {
t.Fatal("should have failed - oauth providing turned off")
@@ -482,7 +511,7 @@ func TestOAuthAuthorize(t *testing.T) {
}
// register an app to authorize it
- oauthApp := &model.OAuthApp{Name: "TestApp" + model.NewId(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}}
+ oauthApp := &model.OAuthApp{Name: "TestApp" + model.NewId(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://example.com"}}
oauthApp = Client.Must(Client.RegisterApp(oauthApp)).Data.(*model.OAuthApp)
if r, err := HttpGet(Client.Url+"/oauth/authorize?client_id="+oauthApp.Id+"&&redirect_uri=http://example.com&response_type="+model.AUTHCODE_RESPONSE_TYPE, Client.HttpClient, "", true); err == nil {
t.Fatal("should have failed - user not logged")
@@ -490,9 +519,12 @@ func TestOAuthAuthorize(t *testing.T) {
}
authToken := Client.AuthType + " " + Client.AuthToken
- if r, err := HttpGet(Client.Url+"/oauth/authorize?client_id="+oauthApp.Id+"&redirect_uri=http://example.com&response_type="+model.AUTHCODE_RESPONSE_TYPE, Client.HttpClient, authToken, true); err != nil {
+ if _, err := HttpGet(Client.Url+"/oauth/authorize?client_id="+oauthApp.Id+"&redirect_uri=http://bad-redirect.com&response_type="+model.AUTHCODE_RESPONSE_TYPE, Client.HttpClient, authToken, true); err == nil {
+ t.Fatal("should have failed - bad redirect uri")
+ }
+
+ if _, err := HttpGet(Client.Url+"/oauth/authorize?client_id="+oauthApp.Id+"&redirect_uri=https://example.com&response_type="+model.AUTHCODE_RESPONSE_TYPE, Client.HttpClient, authToken, true); err != nil {
t.Fatal(err)
- closeBody(r)
}
// lets authorize the app
diff --git a/api4/oauth.go b/api4/oauth.go
index 0cd0f5ab9..7cb741cdb 100644
--- a/api4/oauth.go
+++ b/api4/oauth.go
@@ -57,6 +57,10 @@ func createOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
+ if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+ oauthApp.IsTrusted = false
+ }
+
oauthApp.CreatorId = c.Session.UserId
rapp, err := c.App.CreateOAuthApp(oauthApp)
@@ -298,6 +302,11 @@ func authorizeOAuthPage(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
+ if !oauthApp.IsValidRedirectURL(authRequest.RedirectUri) {
+ utils.RenderWebError(model.NewAppError("authorizeOAuthPage", "api.oauth.allow_oauth.redirect_callback.app_error", nil, "", http.StatusBadRequest), w, r)
+ return
+ }
+
isAuthorized := false
if _, err := c.App.GetPreferenceByCategoryAndNameForUser(c.Session.UserId, model.PREFERENCE_CATEGORY_AUTHORIZED_OAUTH_APP, authRequest.ClientId); err == nil {
diff --git a/api4/oauth_test.go b/api4/oauth_test.go
index 963cd43c3..ceb44a44e 100644
--- a/api4/oauth_test.go
+++ b/api4/oauth_test.go
@@ -28,7 +28,7 @@ func TestCreateOAuthApp(t *testing.T) {
utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = true
utils.SetDefaultRolesBasedOnConfig()
- oapp := &model.OAuthApp{Name: GenerateTestAppName(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}}
+ oapp := &model.OAuthApp{Name: GenerateTestAppName(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}, IsTrusted: true}
rapp, resp := AdminClient.CreateOAuthApp(oapp)
CheckNoError(t, resp)
@@ -38,6 +38,10 @@ func TestCreateOAuthApp(t *testing.T) {
t.Fatal("names did not match")
}
+ if rapp.IsTrusted != oapp.IsTrusted {
+ t.Fatal("trusted did no match")
+ }
+
*utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = true
utils.SetDefaultRolesBasedOnConfig()
_, resp = Client.CreateOAuthApp(oapp)
@@ -45,10 +49,14 @@ func TestCreateOAuthApp(t *testing.T) {
*utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = false
utils.SetDefaultRolesBasedOnConfig()
- _, resp = Client.CreateOAuthApp(oapp)
+ rapp, resp = Client.CreateOAuthApp(oapp)
CheckNoError(t, resp)
CheckCreatedStatus(t, resp)
+ if rapp.IsTrusted {
+ t.Fatal("trusted should be false - created by non admin")
+ }
+
oapp.Name = ""
_, resp = AdminClient.CreateOAuthApp(oapp)
CheckBadRequestStatus(t, resp)
diff --git a/api4/status.go b/api4/status.go
index 4e8b1852e..a62aa6654 100644
--- a/api4/status.go
+++ b/api4/status.go
@@ -16,9 +16,9 @@ import (
func InitStatus() {
l4g.Debug(utils.T("api.status.init.debug"))
- BaseRoutes.User.Handle("/status", ApiHandler(getUserStatus)).Methods("GET")
- BaseRoutes.Users.Handle("/status/ids", ApiHandler(getUserStatusesByIds)).Methods("POST")
- BaseRoutes.User.Handle("/status", ApiHandler(updateUserStatus)).Methods("PUT")
+ BaseRoutes.User.Handle("/status", ApiSessionRequired(getUserStatus)).Methods("GET")
+ BaseRoutes.Users.Handle("/status/ids", ApiSessionRequired(getUserStatusesByIds)).Methods("POST")
+ BaseRoutes.User.Handle("/status", ApiSessionRequired(updateUserStatus)).Methods("PUT")
}
func getUserStatus(c *Context, w http.ResponseWriter, r *http.Request) {
diff --git a/api4/status_test.go b/api4/status_test.go
index 6d9b6c98e..cfc9a0786 100644
--- a/api4/status_test.go
+++ b/api4/status_test.go
@@ -46,6 +46,10 @@ func TestGetUserStatus(t *testing.T) {
}
Client.Logout()
+
+ _, resp = Client.GetUserStatus(th.BasicUser2.Id, "")
+ CheckUnauthorizedStatus(t, resp)
+
th.LoginBasic2()
userStatus, resp = Client.GetUserStatus(th.BasicUser2.Id, "")
CheckNoError(t, resp)
@@ -88,6 +92,11 @@ func TestGetUsersStatusesByIds(t *testing.T) {
t.Fatal("Status should be offline")
}
}
+
+ Client.Logout()
+
+ _, resp = Client.GetUsersStatusesByIds(usersIds)
+ CheckUnauthorizedStatus(t, resp)
}
func TestUpdateUserStatus(t *testing.T) {
@@ -125,4 +134,9 @@ func TestUpdateUserStatus(t *testing.T) {
if updateUserStatus.Status != "online" {
t.Fatal("Should return online status")
}
+
+ Client.Logout()
+
+ _, resp = Client.UpdateUserStatus(th.BasicUser2.Id, toUpdateUserStatus)
+ CheckUnauthorizedStatus(t, resp)
}
diff --git a/webapp/components/profile_popover.jsx b/webapp/components/profile_popover.jsx
index 9e7d7636a..63812428c 100644
--- a/webapp/components/profile_popover.jsx
+++ b/webapp/components/profile_popover.jsx
@@ -19,6 +19,10 @@ import PropTypes from 'prop-types';
import React from 'react';
export default class ProfilePopover extends React.Component {
+ static getComponentName() {
+ return 'ProfilePopover';
+ }
+
constructor(props) {
super(props);
diff --git a/webapp/plugins/pluggable/pluggable.jsx b/webapp/plugins/pluggable/pluggable.jsx
index 566e024e5..c81d8df5e 100644
--- a/webapp/plugins/pluggable/pluggable.jsx
+++ b/webapp/plugins/pluggable/pluggable.jsx
@@ -33,6 +33,8 @@ export default class Pluggable extends React.PureComponent {
return null;
}
+ const childName = child.getComponentName();
+
// Include any props passed to this component or to the child component
let props = {...this.props};
Reflect.deleteProperty(props, 'children');
@@ -40,8 +42,8 @@ export default class Pluggable extends React.PureComponent {
props = {...props, ...this.props.children.props};
// Override the default component with any registered plugin's component
- if (components.hasOwnProperty(child.name)) {
- const PluginComponent = components[child.name];
+ if (components.hasOwnProperty(childName)) {
+ const PluginComponent = components[childName];
return (
<PluginComponent
{...props}
generated by cgit v1.2.3-1-g7c22 (git 2.25.1) at 2024-06-29 13:24:32 +0000