2 files changed, 181 insertions, 0 deletions

diff --git a/api4/team.go b/api4/team.go
index 6ea989a9b..a420e77f4 100644
--- a/api4/team.go
+++ b/api4/team.go
@@ -15,6 +15,10 @@ import (
 	"github.com/mattermost/platform/utils"
 )
 
+const (
+	MAX_ADD_MEMBERS_BATCH = 20
+)
+
 func InitTeam() {
 	l4g.Debug(utils.T("api.team.init.debug"))
 
@@ -33,6 +37,7 @@ func InitTeam() {
 	BaseRoutes.TeamMembers.Handle("/ids", ApiSessionRequired(getTeamMembersByIds)).Methods("POST")
 	BaseRoutes.TeamMembersForUser.Handle("", ApiSessionRequired(getTeamMembersForUser)).Methods("GET")
 	BaseRoutes.TeamMembers.Handle("", ApiSessionRequired(addTeamMember)).Methods("POST")
+	BaseRoutes.TeamMembers.Handle("/batch", ApiSessionRequired(addTeamMembers)).Methods("POST")
 	BaseRoutes.TeamMember.Handle("", ApiSessionRequired(removeTeamMember)).Methods("DELETE")
 
 	BaseRoutes.TeamForUser.Handle("/unread", ApiSessionRequired(getTeamUnread)).Methods("GET")
@@ -367,6 +372,51 @@ func addTeamMember(c *Context, w http.ResponseWriter, r *http.Request) {
 	w.Write([]byte(member.ToJson()))
 }
 
+func addTeamMembers(c *Context, w http.ResponseWriter, r *http.Request) {
+	c.RequireTeamId()
+	if c.Err != nil {
+		return
+	}
+
+	var err *model.AppError
+	members := model.TeamMembersFromJson(r.Body)
+
+	if len(members) > MAX_ADD_MEMBERS_BATCH || len(members) == 0 {
+		c.SetInvalidParam("too many members in batch")
+		return
+	}
+
+	var userIds []string
+	for _, member := range members {
+		if member.TeamId != c.Params.TeamId {
+			c.SetInvalidParam("team_id for member with user_id=" + member.UserId)
+			return
+		}
+
+		if len(member.UserId) != 26 {
+			c.SetInvalidParam("user_id")
+			return
+		}
+
+		userIds = append(userIds, member.UserId)
+	}
+
+	if !app.SessionHasPermissionToTeam(c.Session, c.Params.TeamId, model.PERMISSION_ADD_USER_TO_TEAM) {
+		c.SetPermissionError(model.PERMISSION_ADD_USER_TO_TEAM)
+		return
+	}
+
+	members, err = app.AddTeamMembers(c.Params.TeamId, userIds, c.GetSiteURL())
+
+	if err != nil {
+		c.Err = err
+		return
+	}
+
+	w.WriteHeader(http.StatusCreated)
+	w.Write([]byte(model.TeamMembersToJson(members)))
+}
+
 func removeTeamMember(c *Context, w http.ResponseWriter, r *http.Request) {
 	c.RequireTeamId().RequireUserId()
 	if c.Err != nil {
diff --git a/api4/team_test.go b/api4/team_test.go
index 86160fb6f..f145515aa 100644
--- a/api4/team_test.go
+++ b/api4/team_test.go
@@ -948,6 +948,137 @@ func TestAddTeamMember(t *testing.T) {
 	CheckNotFoundStatus(t, resp)
 }
 
+func TestAddTeamMembers(t *testing.T) {
+	th := Setup().InitBasic().InitSystemAdmin()
+	defer TearDown()
+	Client := th.Client
+	team := th.BasicTeam
+	otherUser := th.CreateUser()
+	userList := []string{
+		otherUser.Id,
+	}
+
+	if err := app.RemoveUserFromTeam(th.BasicTeam.Id, th.BasicUser2.Id); err != nil {
+		t.Fatalf(err.Error())
+	}
+
+	// Regular user can't add a member to a team they don't belong to.
+	th.LoginBasic2()
+	tm, resp := Client.AddTeamMembers(team.Id, userList)
+	CheckForbiddenStatus(t, resp)
+	Client.Logout()
+
+	// Regular user can add a member to a team they belong to.
+	th.LoginBasic()
+	tm, resp = Client.AddTeamMembers(team.Id, userList)
+	CheckNoError(t, resp)
+	CheckCreatedStatus(t, resp)
+
+	// Check all the returned data.
+	if tm[0] == nil {
+		t.Fatal("should have returned team member")
+	}
+
+	if tm[0].UserId != otherUser.Id {
+		t.Fatal("user ids should have matched")
+	}
+
+	if tm[0].TeamId != team.Id {
+		t.Fatal("team ids should have matched")
+	}
+
+	// Check with various invalid requests.
+	_, resp = Client.AddTeamMembers("junk", userList)
+	CheckBadRequestStatus(t, resp)
+
+	_, resp = Client.AddTeamMembers(GenerateTestId(), userList)
+	CheckForbiddenStatus(t, resp)
+
+	testUserList := append(userList, GenerateTestId())
+	_, resp = Client.AddTeamMembers(team.Id, testUserList)
+	CheckNotFoundStatus(t, resp)
+
+	// Test with many users.
+	for i := 0; i < 25; i++ {
+		testUserList = append(testUserList, GenerateTestId())
+	}
+	_, resp = Client.AddTeamMembers(team.Id, testUserList)
+	CheckBadRequestStatus(t, resp)
+
+	Client.Logout()
+
+	// Check effects of config and license changes.
+	restrictTeamInvite := *utils.Cfg.TeamSettings.RestrictTeamInvite
+	isLicensed := utils.IsLicensed
+	license := utils.License
+	defer func() {
+		*utils.Cfg.TeamSettings.RestrictTeamInvite = restrictTeamInvite
+		utils.IsLicensed = isLicensed
+		utils.License = license
+		utils.SetDefaultRolesBasedOnConfig()
+	}()
+
+	// Set the config so that only team admins can add a user to a team.
+	*utils.Cfg.TeamSettings.RestrictTeamInvite = model.PERMISSIONS_TEAM_ADMIN
+	utils.SetDefaultRolesBasedOnConfig()
+	th.LoginBasic()
+
+	// Test without the EE license to see that the permission restriction is ignored.
+	_, resp = Client.AddTeamMembers(team.Id, userList)
+	CheckNoError(t, resp)
+
+	// Add an EE license.
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+	utils.SetDefaultRolesBasedOnConfig()
+	th.LoginBasic()
+
+	// Check that a regular user can't add someone to the team.
+	_, resp = Client.AddTeamMembers(team.Id, userList)
+	CheckForbiddenStatus(t, resp)
+
+	// Update user to team admin
+	UpdateUserToTeamAdmin(th.BasicUser, th.BasicTeam)
+	app.InvalidateAllCaches()
+	*utils.Cfg.TeamSettings.RestrictTeamInvite = model.PERMISSIONS_TEAM_ADMIN
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+	utils.SetDefaultRolesBasedOnConfig()
+	th.LoginBasic()
+
+	// Should work as a team admin.
+	_, resp = Client.AddTeamMembers(team.Id, userList)
+	CheckNoError(t, resp)
+
+	// Change permission level to System Admin
+	*utils.Cfg.TeamSettings.RestrictTeamInvite = model.PERMISSIONS_SYSTEM_ADMIN
+	utils.SetDefaultRolesBasedOnConfig()
+
+	// Should not work as team admin.
+	_, resp = Client.AddTeamMembers(team.Id, userList)
+	CheckForbiddenStatus(t, resp)
+
+	// Should work as system admin.
+	_, resp = th.SystemAdminClient.AddTeamMembers(team.Id, userList)
+	CheckNoError(t, resp)
+
+	// Change permission level to All
+	UpdateUserToNonTeamAdmin(th.BasicUser, th.BasicTeam)
+	app.InvalidateAllCaches()
+	*utils.Cfg.TeamSettings.RestrictTeamInvite = model.PERMISSIONS_ALL
+	utils.IsLicensed = true
+	utils.License = &model.License{Features: &model.Features{}}
+	utils.License.Features.SetDefaults()
+	utils.SetDefaultRolesBasedOnConfig()
+	th.LoginBasic()
+
+	// Should work as a regular user.
+	_, resp = Client.AddTeamMembers(team.Id, userList)
+	CheckNoError(t, resp)
+}
+
 func TestRemoveTeamMember(t *testing.T) {
 	th := Setup().InitBasic().InitSystemAdmin()
 	defer TearDown()