Diffstat (limited to 'api4/channel.go')
-rw-r--r--api4/channel.go68
1 files changed, 47 insertions, 21 deletions
diff --git a/api4/channel.go b/api4/channel.go
index a4820d729..fd33eb882 100644
--- a/api4/channel.go
+++ b/api4/channel.go
@@ -199,18 +199,26 @@ func getChannel(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if !app.SessionHasPermissionToChannel(c.Session, c.Params.ChannelId, model.PERMISSION_READ_CHANNEL) {
- c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
+ channel, err := app.GetChannel(c.Params.ChannelId)
+ if err != nil {
+ c.Err = err
return
}
- if channel, err := app.GetChannel(c.Params.ChannelId); err != nil {
- c.Err = err
- return
+ if channel.Type == model.CHANNEL_OPEN {
+ if !app.SessionHasPermissionToTeam(c.Session, channel.TeamId, model.PERMISSION_READ_PUBLIC_CHANNEL) {
+ c.SetPermissionError(model.PERMISSION_READ_PUBLIC_CHANNEL)
+ return
+ }
} else {
- w.Write([]byte(channel.ToJson()))
- return
+ if !app.SessionHasPermissionToChannel(c.Session, c.Params.ChannelId, model.PERMISSION_READ_CHANNEL) {
+ c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
+ return
+ }
}
+
+ w.Write([]byte(channel.ToJson()))
+ return
}
func getChannelUnread(c *Context, w http.ResponseWriter, r *http.Request) {
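Review bot: Moving `app.GetChannel` ahead of the permission check in getChannel means `c.Err = err` is returned before the session has been authorized for anything. A caller with no access can therefore tell an existing channel id from a missing one, assuming the lookup error differs from the permission error, which is not visible here. If the ordering is deliberate, say so at the lookup, e.g. `// Lookup precedes authorization: the channel type decides which permission applies`, and consider whether the not-found response should be indistinguishable from the permission error. The new body also ends with a bare `return` after `w.Write`, which this same commit removes in getChannelByName; dropping it here keeps the two handlers consistent. getChannel starts above the hunk.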
@@ -328,13 +336,19 @@ func getChannelByName(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_READ_CHANNEL) {
- c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
- return
+ if channel.Type == model.CHANNEL_OPEN {
+ if !app.SessionHasPermissionToTeam(c.Session, channel.TeamId, model.PERMISSION_READ_PUBLIC_CHANNEL) {
+ c.SetPermissionError(model.PERMISSION_READ_PUBLIC_CHANNEL)
+ return
+ }
+ } else {
+ if !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_READ_CHANNEL) {
+ c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
+ return
+ }
}
w.Write([]byte(channel.ToJson()))
- return
}
func getChannelByNameForTeamName(c *Context, w http.ResponseWriter, r *http.Request) {
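Review bot: The open/non-open read check added to getChannelByName is a line-for-line copy of the one added to getChannel, differing only in `channel.Id` versus `c.Params.ChannelId`. Authorization rules duplicated across handlers tend to drift, and the neighbouring getChannelByNameForTeamName is not touched by this diff, so it may still apply the old rule. A single helper that both handlers call would keep the read rule in one place; the sketch below assumes `app.GetChannel` returns a `*model.Channel`. getChannelByName starts above the hunk.

```go
// sessionCanReadChannel (proposed helper) applies the read rule shared by the
// channel GET handlers: team-level permission for open channels, channel-level
// permission for everything else. It sets the permission error on c when denied.
func sessionCanReadChannel(c *Context, channel *model.Channel) bool {
	if channel.Type == model.CHANNEL_OPEN {
		if !app.SessionHasPermissionToTeam(c.Session, channel.TeamId, model.PERMISSION_READ_PUBLIC_CHANNEL) {
			c.SetPermissionError(model.PERMISSION_READ_PUBLIC_CHANNEL)
			return false
		}
		return true
	}
	if !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_READ_CHANNEL) {
		c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
		return false
	}
	return true
}

// ... unchanged: channel lookup in getChannelByName ...
	if !sessionCanReadChannel(c, channel) {
		return
	}
	w.Write([]byte(channel.ToJson()))
```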
@@ -525,9 +539,19 @@ func addChannelMember(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if channel.Type == model.CHANNEL_OPEN && !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS) {
- c.SetPermissionError(model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS)
- return
+ // Check join permission if adding yourself, otherwise check manage permission
+ if channel.Type == model.CHANNEL_OPEN {
+ if member.UserId == c.Session.UserId {
+ if !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_JOIN_PUBLIC_CHANNELS) {
+ c.SetPermissionError(model.PERMISSION_JOIN_PUBLIC_CHANNELS)
+ return
+ }
+ } else {
+ if !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS)
+ return
+ }
+ }
}
if channel.Type == model.CHANNEL_PRIVATE && !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS) {
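Review bot: The self-join branch checks `PERMISSION_JOIN_PUBLIC_CHANNELS` through `app.SessionHasPermissionToChannel`, but a user adding themselves is normally not yet a member of `channel.Id`. The check therefore only passes if that helper falls back to team-level roles, which this hunk does not show. The read checks added elsewhere in this commit use the team-scoped call for the same not-yet-a-member case; either do the same here, `if !app.SessionHasPermissionToTeam(c.Session, channel.TeamId, model.PERMISSION_JOIN_PUBLIC_CHANNELS) {`, or pin the fallback with a test that joins as a non-member. The new comment should also say it applies to open channels only, e.g. `// Open channels: join permission when adding yourself, manage permission when adding someone else`, because the private-channel check below still requires the manage permission for self-adds. addChannelMember starts above and continues below the hunk.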
@@ -557,14 +581,16 @@ func removeChannelMember(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if channel.Type == model.CHANNEL_OPEN && !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS) {
- c.SetPermissionError(model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS)
- return
- }
+ if c.Params.UserId != c.Session.UserId {
+ if channel.Type == model.CHANNEL_OPEN && !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS)
+ return
+ }
- if channel.Type == model.CHANNEL_PRIVATE && !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS) {
- c.SetPermissionError(model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS)
- return
+ if channel.Type == model.CHANNEL_PRIVATE && !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS)
+ return
+ }
}
if err = app.RemoveUserFromChannel(c.Params.UserId, c.Session.UserId, channel, c.GetSiteURL()); err != nil {
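Review bot: When `c.Params.UserId == c.Session.UserId` the handler now runs no permission check at all, for open and private channels alike. Any remaining restriction on leaving (for instance a session that is not actually a member, or a channel users are required to stay in) has to be enforced inside `app.RemoveUserFromChannel`, which is not visible here. A comment above the new guard would make that dependency explicit: `// Users may always remove themselves; manage permission is only needed to remove someone else. app.RemoveUserFromChannel enforces the remaining rules.` This is also asymmetric with addChannelMember, where the same commit gates self-join on a dedicated permission; if that is intended, a test covering self-removal from a private channel would pin it. removeChannelMember starts above and continues below the hunk.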