-rw-r--r-- | api4/command.go | 9 | ||||
-rw-r--r-- | api4/command_test.go | 35 | ||||
-rw-r--r-- | model/client4.go | 5 |
3 files changed, 42 insertions, 7 deletions
diff --git a/api4/command.go b/api4/command.go
index d051d57f6..4314a184d 100644
--- a/api4/command.go
+++ b/api4/command.go
@@ -212,12 +212,9 @@ func executeCommand(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
- if commandArgs.TeamId == "" {
- commandArgs.TeamId = channel.TeamId
- } else if c.Session.GetTeamByTeamId(commandArgs.TeamId) == nil {
- c.SetPermissionError(model.PERMISSION_USE_SLASH_COMMANDS)
- return
- }
+ // team id is implicitly taken from channel so that slash commands
+ // created on some other team can't be run against this one
+ commandArgs.TeamId = channel.TeamId
 commandArgs.UserId = c.Session.UserId
 commandArgs.T = c.T
diff --git a/api4/command_test.go b/api4/command_test.go
index 705ea8548..9a6c9dc78 100644
--- a/api4/command_test.go
+++ b/api4/command_test.go
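Review bot: Overwriting `commandArgs.TeamId` unconditionally leaves it empty whenever `channel.TeamId` is empty, which I would expect for direct and group message channels (the channel lookup is outside this hunk, so confirm). In that case custom slash commands can presumably no longer be resolved from a DM or GM, where the old code let the client name a team the session belongs to. Keeping the channel-derived team for team channels and falling back to the session-membership check only for team-less channels would keep the fix without that regression. executeCommand starts and ends outside the hunk.

```go
	if channel.Type != model.CHANNEL_DIRECT && channel.Type != model.CHANNEL_GROUP {
		// team id is implicitly taken from channel so that slash commands
		// created on some other team can't be run against this one
		commandArgs.TeamId = channel.TeamId
	} else if c.Session.GetTeamByTeamId(commandArgs.TeamId) == nil {
		// DM/GM channels carry no team of their own: accept the client's
		// team id only when the session is a member of that team
		c.SetPermissionError(model.PERMISSION_USE_SLASH_COMMANDS)
		return
	}
	// … unchanged: commandArgs.UserId / commandArgs.T assignments …
```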
@@ -490,3 +490,38 @@ func TestExecuteCommand(t *testing.T) {
 _, resp = th.SystemAdminClient.ExecuteCommand(channel.Id, "/getcommand")
 CheckNoError(t, resp)
 }
+
+func TestExecuteCommandAgainstChannelOnAnotherTeam(t *testing.T) {
+ th := Setup().InitBasic().InitSystemAdmin()
+ defer th.TearDown()
+ Client := th.Client
+ channel := th.BasicChannel
+
+ enableCommands := *utils.Cfg.ServiceSettings.EnableCommands
+ allowedInternalConnections := *utils.Cfg.ServiceSettings.AllowedUntrustedInternalConnections
+ defer func() {
+ utils.Cfg.ServiceSettings.EnableCommands = &enableCommands
+ utils.Cfg.ServiceSettings.AllowedUntrustedInternalConnections = &allowedInternalConnections
+ }()
+ *utils.Cfg.ServiceSettings.EnableCommands = true
+ *utils.Cfg.ServiceSettings.AllowedUntrustedInternalConnections = "localhost"
+
+ // create a slash command on some other team where we have permission to do so
+ team2 := th.CreateTeam()
+ postCmd := &model.Command{
+ CreatorId: th.BasicUser.Id,
+ TeamId: team2.Id,
+ URL: "http://localhost" + *utils.Cfg.ServiceSettings.ListenAddress + model.API_URL_SUFFIX_V4 + "/teams/command_test",
+ Method: model.COMMAND_METHOD_POST,
+ Trigger: "postcommand",
+ }
+
+ if _, err := th.App.CreateCommand(postCmd); err != nil {
+ t.Fatal("failed to create post command")
+ }
+
+ // the execute command endpoint will always search for the command by trigger and team id, inferring team id from the
+ // channel id, so there is no way to use that slash command on a channel that belongs to some other team
+ _, resp := Client.ExecuteCommand(channel.Id, "/postcommand")
+ CheckNotFoundStatus(t, resp)
+}
diff --git a/model/client4.go b/model/client4.go
index 3bd3b2125..a7ee3df86 100644
--- a/model/client4.go
+++ b/model/client4.go
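Review bot: The new test never sends a `TeamId`, so it does not reach the branch this commit removes and, as far as the visible code shows, would also get not-found before the fix: `Client.ExecuteCommand` builds `CommandArgs` with only `ChannelId` and `Command`, and the old handler then took the team from the channel too. To pin the fix, post the arguments directly with the other team named, e.g. `Client.DoApiPost(Client.GetCommandsRoute()+"/execute", (&model.CommandArgs{ChannelId: channel.Id, TeamId: team2.Id, Command: "/postcommand"}).ToJson())`, and assert the request is rejected as not found. Separately, `t.Fatal("failed to create post command")` drops `err`; include it in the message so a setup failure is diagnosable.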
@@ -2808,7 +2808,10 @@ func (c *Client4) ListCommands(teamId string, customOnly bool) ([]*Command, *Res
 // ExecuteCommand executes a given command.
 func (c *Client4) ExecuteCommand(channelId, command string) (*CommandResponse, *Response) {
- commandArgs := &CommandArgs{ChannelId: channelId, Command: command}
+ commandArgs := &CommandArgs{
+ ChannelId: channelId,
+ Command: command,
+ }
 if r, err := c.DoApiPost(c.GetCommandsRoute()+"/execute", commandArgs.ToJson()); err != nil {
 return nil, BuildErrorResponse(r, err)
 } else { |