Diffstat (limited to 'api4/user.go')
-rw-r--r-- | api4/user.go | 27 |
1 files changed, 10 insertions, 17 deletions
diff --git a/api4/user.go b/api4/user.go
index 5a8474b8d..404457285 100644
--- a/api4/user.go
+++ b/api4/user.go
@@ -594,21 +594,19 @@ func autocompleteUsers(c *Context, w http.ResponseWriter, r *http.Request) {
 c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
 return
 }
+ }
- // If a teamId is provided, require it to match the channel's team id.
- if teamId != "" {
- channel, err := c.App.GetChannel(channelId)
- if err != nil {
- c.Err = err
- return
- }
-
- if channel.TeamId != teamId {
- c.Err = model.NewAppError("autocompleteUsers", "api.user.autocomplete_users.invalid_team_id", nil, "", http.StatusUnauthorized)
- return
- }
+ if len(teamId) > 0 {
+ if !c.App.SessionHasPermissionToTeam(c.Session, teamId, model.PERMISSION_VIEW_TEAM) {
+ c.SetPermissionError(model.PERMISSION_VIEW_TEAM)
+ return
 }
+ }
+ if len(channelId) > 0 {
+ // Applying the provided teamId here is useful for DMs and GMs which don't belong
+ // to a team. Applying it when the channel does belong to a team makes less sense,
+ //t but the permissions are checked above regardless.
 result, err := c.App.AutocompleteUsersInChannel(teamId, channelId, name, searchOptions, c.IsSystemAdmin())
 if err != nil {
 c.Err = err
@@ -618,11 +616,6 @@ func autocompleteUsers(c *Context, w http.ResponseWriter, r *http.Request) {
 autocomplete.Users = result.InChannel
 autocomplete.OutOfChannel = result.OutOfChannel
 } else if len(teamId) > 0 {
- if !c.App.SessionHasPermissionToTeam(c.Session, teamId, model.PERMISSION_VIEW_TEAM) {
- c.SetPermissionError(model.PERMISSION_VIEW_TEAM)
- return
- }
-
 result, err := c.App.AutocompleteUsersInTeam(teamId, name, searchOptions, c.IsSystemAdmin())
 if err != nil {
 c.Err = err |
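Review bot: With the `channel.TeamId != teamId` comparison gone, a request whose `teamId` differs from the team the channel belongs to now reaches `AutocompleteUsersInChannel(teamId, channelId, ...)` in the first hunk. The session is checked against both the channel and the supplied team, so the caller is entitled to each on its own, but `result.OutOfChannel` is presumably built from the supplied team rather than the channel's own (the app-layer function is not visible here). The comment should say that outright, for example `// A teamId that is not the channel's team is accepted; results are scoped to the supplied team, which the session must be able to view.`, and a test for the mismatched pair would pin the behaviour. The added comment also carries a stray character: `//t but the permissions are checked above regardless.` should start with `// but`. The body of autocompleteUsers begins and ends outside both hunks, so the `if` that the first added `}` closes is not visible.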