Diffstat (limited to 'api4')
-rw-r--r-- | api4/post.go | 14 | ||||
-rw-r--r-- | api4/post_test.go | 13 |
2 files changed, 25 insertions, 2 deletions
diff --git a/api4/post.go b/api4/post.go
index 67cd325d9..5cbfeae92 100644
--- a/api4/post.go
+++ b/api4/post.go
@@ -238,9 +238,14 @@ func updatePost(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	post.UserId = c.Session.UserId
+	if !app.SessionHasPermissionToPost(c.Session, c.Params.PostId, model.PERMISSION_EDIT_OTHERS_POSTS) {
+		c.SetPermissionError(model.PERMISSION_EDIT_OTHERS_POSTS)
+		return
+	}
+
+	post.Id = c.Params.PostId
 
-	rpost, err := app.UpdatePost(post)
+	rpost, err := app.UpdatePost(post, false)
 	if err != nil {
 		c.Err = err
 		return
@@ -262,6 +267,11 @@ func patchPost(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if !app.SessionHasPermissionToChannelByPost(c.Session, c.Params.PostId, model.PERMISSION_EDIT_POST) {
+		c.SetPermissionError(model.PERMISSION_EDIT_POST)
+		return
+	}
+
 	if !app.SessionHasPermissionToPost(c.Session, c.Params.PostId, model.PERMISSION_EDIT_OTHERS_POSTS) {
 		c.SetPermissionError(model.PERMISSION_EDIT_OTHERS_POSTS)
 		return
diff --git a/api4/post_test.go b/api4/post_test.go
index 562136ca9..e5c72ae9e 100644
--- a/api4/post_test.go
+++ b/api4/post_test.go
@@ -167,6 +167,15 @@ func TestUpdatePost(t *testing.T) {
 	Client.Logout()
 	_, resp = Client.UpdatePost(rpost.Id, rpost)
 	CheckUnauthorizedStatus(t, resp)
+
+	th.LoginBasic2()
+	_, resp = Client.UpdatePost(rpost.Id, rpost)
+	CheckForbiddenStatus(t, resp)
+
+	Client.Logout()
+
+	_, resp = th.SystemAdminClient.UpdatePost(rpost.Id, rpost)
+	CheckNoError(t, resp)
 }
 
 func TestPatchPost(t *testing.T) {
@@ -262,6 +271,10 @@ func TestPatchPost(t *testing.T) {
 	_, resp = Client.PatchPost(post.Id, patch)
 	CheckUnauthorizedStatus(t, resp)
 
+	th.LoginBasic2()
+	_, resp = Client.PatchPost(post.Id, patch)
+	CheckForbiddenStatus(t, resp)
+
 	th.LoginTeamAdmin()
 	_, resp = Client.PatchPost(post.Id, patch)
 	CheckNoError(t, resp)
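Review bot: updatePost now gates only on PERMISSION_EDIT_OTHERS_POSTS, while patchPost in the second hunk first checks SessionHasPermissionToChannelByPost with PERMISSION_EDIT_POST; unless updatePost already performs that channel check above the hunk, the two edit paths enforce different rules and a session without edit rights in the channel may still reach app.UpdatePost through this endpoint. Consider mirroring the patchPost sequence here by placing `if !app.SessionHasPermissionToChannelByPost(c.Session, c.Params.PostId, model.PERMISSION_EDIT_POST) { c.SetPermissionError(model.PERMISSION_EDIT_POST); return }` ahead of the existing check. Dropping `post.UserId = c.Session.UserId` means the request body's UserId is no longer overwritten from the session, so app.UpdatePost must be the layer that ignores it; if that holds, a comment such as `// UserId comes from the stored post inside app.UpdatePost, not from the request body` would make the trust boundary explicit. The bare `false` in `app.UpdatePost(post, false)` should also be named or commented so the reader knows which behaviour is being disabled. updatePost begins above the hunk and continues past it.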
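Review bot: The new TestUpdatePost cases cover a non-owner being forbidden and the system admin succeeding, but nothing exercises the `post.Id = c.Params.PostId` binding added in post.go, so a body whose Id differs from the URL id is untested; a case that sets a different or bogus Id on a copy of rpost and asserts that the post at the URL id is the one updated would pin that. The same applies to TestPatchPost in the last hunk: the added SessionHasPermissionToChannelByPost gate is only exercised through LoginBasic2, and whether that user lacks channel membership or merely the edit-others permission is not visible here, so a channel member without PERMISSION_EDIT_POST, if the test helper can produce one, would distinguish the two gates. TestUpdatePost begins above the hunk.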