Diffstat (limited to 'api4')
-rw-r--r-- | api4/channel.go | 23 | ||||
-rw-r--r-- | api4/channel_test.go | 10 | ||||
-rw-r--r-- | api4/context.go | 8 | ||||
-rw-r--r-- | api4/user.go | 4 |
4 files changed, 34 insertions, 11 deletions
diff --git a/api4/channel.go b/api4/channel.go
index 69cc0953e..e02b2677c 100644
--- a/api4/channel.go
+++ b/api4/channel.go
@@ -260,7 +260,7 @@ func createGroupChannel(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
 
- if groupChannel, err := app.CreateGroupChannel(userIds); err != nil {
+ if groupChannel, err := app.CreateGroupChannel(userIds, c.Session.UserId); err != nil {
 c.Err = err
 return
 } else {
@@ -377,7 +377,7 @@ func getPublicChannelsForTeam(c *Context, w http.ResponseWriter, r *http.Request
 return
 }
 
- if channels, err := app.GetPublicChannelsForTeam(c.Params.TeamId, c.Params.Page, c.Params.PerPage); err != nil {
+ if channels, err := app.GetPublicChannelsForTeam(c.Params.TeamId, c.Params.Page*c.Params.PerPage, c.Params.PerPage); err != nil {
 c.Err = err
 return
 } else {
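Review bot: The second argument to app.GetPublicChannelsForTeam now carries a row offset rather than a page index, and nothing at the call site says so; a reader seeing `c.Params.Page*c.Params.PerPage` beside `c.Params.PerPage` has to open the callee to learn which is which. A one-line comment above the call would settle it: `// GetPublicChannelsForTeam takes a row offset, not a page number`. Page and PerPage appear to come from request parameters parsed outside this diff, so the product is caller-influenced; it is worth confirming where c.Params is built that both are clamped to a sane range, since a negative or very large product would otherwise reach the store unchecked. getPublicChannelsForTeam's body continues outside the hunk on both sides.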
@@ -503,14 +503,23 @@ func deleteChannel(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
 
- if channel.Type == model.CHANNEL_OPEN && !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_DELETE_PUBLIC_CHANNEL) {
- c.SetPermissionError(model.PERMISSION_DELETE_PUBLIC_CHANNEL)
+ var memberCount int64
+ if memberCount, err = app.GetChannelMemberCount(c.Params.ChannelId); err != nil {
+ c.Err = err
 return
 }
 
- if channel.Type == model.CHANNEL_PRIVATE && !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_DELETE_PRIVATE_CHANNEL) {
- c.SetPermissionError(model.PERMISSION_DELETE_PRIVATE_CHANNEL)
- return
+ // Allow delete if user is the only member left in channel
+ if memberCount > 1 {
+ if channel.Type == model.CHANNEL_OPEN && !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_DELETE_PUBLIC_CHANNEL) {
+ c.SetPermissionError(model.PERMISSION_DELETE_PUBLIC_CHANNEL)
+ return
+ }
+
+ if channel.Type == model.CHANNEL_PRIVATE && !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_DELETE_PRIVATE_CHANNEL) {
+ c.SetPermissionError(model.PERMISSION_DELETE_PRIVATE_CHANNEL)
+ return
+ }
 }
 
 err = app.DeleteChannel(channel, c.Session.UserId)
diff --git a/api4/channel_test.go b/api4/channel_test.go
index c1eb2a806..b4f08dc37 100644
--- a/api4/channel_test.go
+++ b/api4/channel_test.go
@@ -1055,6 +1055,16 @@ func TestDeleteChannel(t *testing.T) {
 _, resp = th.SystemAdminClient.DeleteChannel(privateChannel7.Id)
 CheckNoError(t, resp)
+
+ // last member of a channel should be able to delete it regardless of required permissions
+ publicChannel6 = th.CreateChannelWithClient(th.Client, model.CHANNEL_OPEN)
+ privateChannel7 = th.CreateChannelWithClient(th.Client, model.CHANNEL_PRIVATE)
+
+ _, resp = Client.DeleteChannel(publicChannel6.Id)
+ CheckNoError(t, resp)
+
+ _, resp = Client.DeleteChannel(privateChannel7.Id)
+ CheckNoError(t, resp)
 }
 
 func TestGetChannelByName(t *testing.T) {
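Review bot: The permission bypass at `if memberCount > 1 {` is keyed on the count alone and never checks that the session user is the remaining member, so as written anyone who reaches this line can delete a channel whose member count is 1 or 0 — the `> 1` test also lets an empty channel through — and the comment `// Allow delete if user is the only member left in channel` promises more than the code enforces. Whether a membership or team check above the hunk already rules out non-members is not visible here, but the bypass should be self-contained: confirm the requester's own membership in channel.Id (via whatever channel-member lookup the app package exposes) and skip the permission checks only when the count is exactly 1 and that lone member is the requester, e.g. `if memberCount != 1 || !requesterIsMember {` around the existing checks. The count is also read before DeleteChannel runs, so a member joining in between is not caught; that is probably acceptable but deserves a sentence in the comment. Note too that the count is fetched by c.Params.ChannelId while the permission checks use channel.Id — presumably the same value, but using channel.Id in both would remove the doubt. deleteChannel starts and ends outside the hunk.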
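Review bot: The new cases only exercise the positive path — the creator deleting a channel it is the sole member of — and leave the bypass untested for the case it most needs: a different user, without the delete permission, attempting to delete a single-member channel, which the condition `memberCount > 1` does not distinguish from the creator's own request. Add a case where a second client calls DeleteChannel on such a channel and assert the forbidden response with whichever helper this file uses for a 403, and ideally one where the channel has no members left and deletion is still refused. The comment `// last member of a channel should be able to delete it regardless of required permissions` should also state that anyone else must still be refused, so the negative expectation is documented next to the positive one. TestDeleteChannel starts before the hunk.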
diff --git a/api4/context.go b/api4/context.go
index 32db0ed7d..37af2c6d4 100644
--- a/api4/context.go
+++ b/api4/context.go
@@ -271,9 +271,13 @@ func (c *Context) MfaRequired() {
 return
 }
 
+ // Special case to let user get themself
+ if c.Path == "/api/v4/users/me" {
+ return
+ }
+
 if !user.MfaActive {
- c.Err = model.NewLocAppError("", "api.context.mfa_required.app_error", nil, "MfaRequired")
- c.Err.StatusCode = http.StatusUnauthorized
+ c.Err = model.NewAppError("", "api.context.mfa_required.app_error", nil, "MfaRequired", http.StatusForbidden)
 return
 }
 }
diff --git a/api4/user.go b/api4/user.go
index 1436808cd..d06dd2882 100644
--- a/api4/user.go
+++ b/api4/user.go
@@ -41,8 +41,8 @@ func InitUser() {
 BaseRoutes.Users.Handle("/email/verify/send", ApiHandler(sendVerificationEmail)).Methods("POST")
 BaseRoutes.Users.Handle("/mfa", ApiHandler(checkUserMfa)).Methods("POST")
- BaseRoutes.User.Handle("/mfa", ApiSessionRequired(updateUserMfa)).Methods("PUT")
- BaseRoutes.User.Handle("/mfa/generate", ApiSessionRequired(generateMfaSecret)).Methods("POST")
+ BaseRoutes.User.Handle("/mfa", ApiSessionRequiredMfa(updateUserMfa)).Methods("PUT")
+ BaseRoutes.User.Handle("/mfa/generate", ApiSessionRequiredMfa(generateMfaSecret)).Methods("POST")
 BaseRoutes.Users.Handle("/login", ApiHandler(login)).Methods("POST")
 BaseRoutes.Users.Handle("/login/switch", ApiHandler(switchAccountType)).Methods("POST")
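Review bot: The exemption `if c.Path == "/api/v4/users/me" {` keys on the path string only, so it waives the MFA-active check for every handler mounted on that path and routed through this check, not just the GET that `// Special case to let user get themself` describes; if the Context carries the request method, narrow the condition to it, and otherwise reword the comment to say that any method on /users/me is exempt. Hard-coding the route here also splits the "reachable before MFA is active" policy across two mechanisms, since the same commit moves the MFA setup routes in user.go to an ApiSessionRequiredMfa wrapper; registering /users/me the same way would keep the policy at the route table and avoid a string literal that silently stops matching if the path or API prefix ever changes. The 401-to-403 change is the commit's intent, but any client that detects MFA enforcement by the old status will need to follow. MfaRequired starts before the hunk.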
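Review bot: The wrapper name ApiSessionRequiredMfa on these two routes reads as "MFA is required", yet the handlers it now wraps (`/mfa` PUT and `/mfa/generate` POST) are exactly the ones a user must reach before MFA is active in order to enable it, so the wrapper presumably relaxes the MFA-active check rather than adding it; its definition is outside this diff, so that is an inference. A comment on the pair would spare the next reader the same detour: `// MFA setup endpoints: session required, but the MFA-active check must not apply or enrollment is impossible`. If the wrapper does in fact enforce MFA, these routes become unreachable for users who have not set it up, which would break enrollment under enforced MFA — a test that enrolls a fresh user with enforcement on would settle it either way. InitUser continues outside the hunk.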