1 files changed, 10 insertions, 17 deletions

diff --git a/api4/user.go b/api4/user.go
index 5a8474b8d..404457285 100644
--- a/api4/user.go
+++ b/api4/user.go
@@ -594,21 +594,19 @@ func autocompleteUsers(c *Context, w http.ResponseWriter, r *http.Request) {
 			c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
 			return
 		}
+	}
 
-		// If a teamId is provided, require it to match the channel's team id.
-		if teamId != "" {
-			channel, err := c.App.GetChannel(channelId)
-			if err != nil {
-				c.Err = err
-				return
-			}
-
-			if channel.TeamId != teamId {
-				c.Err = model.NewAppError("autocompleteUsers", "api.user.autocomplete_users.invalid_team_id", nil, "", http.StatusUnauthorized)
-				return
-			}
+	if len(teamId) > 0 {
+		if !c.App.SessionHasPermissionToTeam(c.Session, teamId, model.PERMISSION_VIEW_TEAM) {
+			c.SetPermissionError(model.PERMISSION_VIEW_TEAM)
+			return
 		}
+	}
 
+	if len(channelId) > 0 {
+		// Applying the provided teamId here is useful for DMs and GMs which don't belong
+		// to a team. Applying it when the channel does belong to a team makes less sense,
+		//t but the permissions are checked above regardless.
 		result, err := c.App.AutocompleteUsersInChannel(teamId, channelId, name, searchOptions, c.IsSystemAdmin())
 		if err != nil {
 			c.Err = err
@@ -618,11 +616,6 @@ func autocompleteUsers(c *Context, w http.ResponseWriter, r *http.Request) {
 		autocomplete.Users = result.InChannel
 		autocomplete.OutOfChannel = result.OutOfChannel
 	} else if len(teamId) > 0 {
-		if !c.App.SessionHasPermissionToTeam(c.Session, teamId, model.PERMISSION_VIEW_TEAM) {
-			c.SetPermissionError(model.PERMISSION_VIEW_TEAM)
-			return
-		}
-
 		result, err := c.App.AutocompleteUsersInTeam(teamId, name, searchOptions, c.IsSystemAdmin())
 		if err != nil {
 			c.Err = err