10 files changed, 454 insertions, 65 deletions

diff --git a/api4/apitestlib.go b/api4/apitestlib.go
index e55ca8c8b..6edd37812 100644
--- a/api4/apitestlib.go
+++ b/api4/apitestlib.go
@@ -467,6 +467,22 @@ func (me *TestHelper) LinkUserToTeam(user *model.User, team *model.Team) {
 	utils.EnableDebugLogForTest()
 }
 
+func (me *TestHelper) AddUserToChannel(user *model.User, channel *model.Channel) *model.ChannelMember {
+	utils.DisableDebugLogForTest()
+
+	member, err := me.App.AddUserToChannel(user, channel)
+	if err != nil {
+		l4g.Error(err.Error())
+		l4g.Close()
+		time.Sleep(time.Second)
+		panic(err)
+	}
+
+	utils.EnableDebugLogForTest()
+
+	return member
+}
+
 func (me *TestHelper) GenerateTestEmail() string {
 	if me.App.Config().EmailSettings.SMTPServer != "dockerhost" && os.Getenv("CI_INBUCKET_PORT") == "" {
 		return strings.ToLower("success+" + model.NewId() + "@simulator.amazonses.com")
@@ -510,18 +526,6 @@ func CheckUserSanitization(t *testing.T, user *model.User) {
 	}
 }
 
-func CheckTeamSanitization(t *testing.T, team *model.Team) {
-	t.Helper()
-
-	if team.Email != "" {
-		t.Fatal("email wasn't blank")
-	}
-
-	if team.AllowedDomains != "" {
-		t.Fatal("'allowed domains' wasn't blank")
-	}
-}
-
 func CheckEtag(t *testing.T, data interface{}, resp *model.Response) {
 	t.Helper()
 
@@ -669,21 +673,6 @@ func CheckInternalErrorStatus(t *testing.T, resp *model.Response) {
 	}
 }
 
-func CheckPayLoadTooLargeStatus(t *testing.T, resp *model.Response) {
-	t.Helper()
-
-	if resp.Error == nil {
-		t.Fatal("should have errored with status:" + strconv.Itoa(http.StatusRequestEntityTooLarge))
-		return
-	}
-
-	if resp.StatusCode != http.StatusRequestEntityTooLarge {
-		t.Log("actual: " + strconv.Itoa(resp.StatusCode))
-		t.Log("expected: " + strconv.Itoa(http.StatusRequestEntityTooLarge))
-		t.Fatal("wrong status code")
-	}
-}
-
 func readTestFile(name string) ([]byte, error) {
 	path, _ := utils.FindDir("tests")
 	file, err := os.Open(path + "/" + name)
diff --git a/api4/channel_test.go b/api4/channel_test.go
index e65918707..51c32cf71 100644
--- a/api4/channel_test.go
+++ b/api4/channel_test.go
@@ -13,7 +13,6 @@ import (
 	"testing"
 
 	"github.com/mattermost/mattermost-server/model"
-	"github.com/mattermost/mattermost-server/store/sqlstore"
 )
 
 func TestCreateChannel(t *testing.T) {
@@ -909,7 +908,7 @@ func TestDeleteChannel(t *testing.T) {
 	// successful delete by channel admin
 	th.MakeUserChannelAdmin(user, publicChannel6)
 	th.MakeUserChannelAdmin(user, privateChannel7)
-	sqlstore.ClearChannelCaches()
+	th.App.Srv.Store.Channel().ClearCaches()
 
 	_, resp = Client.DeleteChannel(publicChannel6.Id)
 	CheckNoError(t, resp)
@@ -960,7 +959,7 @@ func TestDeleteChannel(t *testing.T) {
 	// // cannot delete by channel admin
 	th.MakeUserChannelAdmin(user, publicChannel6)
 	th.MakeUserChannelAdmin(user, privateChannel7)
-	sqlstore.ClearChannelCaches()
+	th.App.Srv.Store.Channel().ClearCaches()
 
 	_, resp = Client.DeleteChannel(publicChannel6.Id)
 	CheckForbiddenStatus(t, resp)
@@ -1001,7 +1000,7 @@ func TestDeleteChannel(t *testing.T) {
 	// cannot delete by channel admin
 	th.MakeUserChannelAdmin(user, publicChannel6)
 	th.MakeUserChannelAdmin(user, privateChannel7)
-	sqlstore.ClearChannelCaches()
+	th.App.Srv.Store.Channel().ClearCaches()
 
 	_, resp = Client.DeleteChannel(publicChannel6.Id)
 	CheckForbiddenStatus(t, resp)
diff --git a/api4/compliance.go b/api4/compliance.go
index 71f0fa81d..4035afb77 100644
--- a/api4/compliance.go
+++ b/api4/compliance.go
@@ -7,8 +7,8 @@ import (
 	"net/http"
 	"strconv"
 
+	"github.com/avct/uasurfer"
 	"github.com/mattermost/mattermost-server/model"
-	"github.com/mssola/user_agent"
 )
 
 func (api *API) InitCompliance() {
@@ -108,12 +108,11 @@ func downloadComplianceReport(c *Context, w http.ResponseWriter, r *http.Request
 	w.Header().Del("Content-Type") // Content-Type will be set automatically by the http writer
 
 	// attach extra headers to trigger a download on IE, Edge, and Safari
-	ua := user_agent.New(r.UserAgent())
-	bname, _ := ua.Browser()
+	ua := uasurfer.Parse(r.UserAgent())
 
 	w.Header().Set("Content-Disposition", "attachment;filename=\""+job.JobName()+".zip\"")
 
-	if bname == "Edge" || bname == "Internet Explorer" || bname == "Safari" {
+	if ua.Browser.Name == uasurfer.BrowserIE || ua.Browser.Name == uasurfer.BrowserSafari {
 		// trim off anything before the final / so we just get the file's name
 		w.Header().Set("Content-Type", "application/octet-stream")
 	}
diff --git a/api4/system.go b/api4/system.go
index 2355cb476..7b63afc0b 100644
--- a/api4/system.go
+++ b/api4/system.go
@@ -8,7 +8,6 @@ import (
 	"io"
 	"net/http"
 	"runtime"
-	"strconv"
 
 	l4g "github.com/alecthomas/log4go"
 	"github.com/mattermost/mattermost-server/model"
@@ -29,6 +28,7 @@ func (api *API) InitSystem() {
 
 	api.BaseRoutes.ApiRoot.Handle("/audits", api.ApiSessionRequired(getAudits)).Methods("GET")
 	api.BaseRoutes.ApiRoot.Handle("/email/test", api.ApiSessionRequired(testEmail)).Methods("POST")
+	api.BaseRoutes.ApiRoot.Handle("/file/s3_test", api.ApiSessionRequired(testS3)).Methods("POST")
 	api.BaseRoutes.ApiRoot.Handle("/database/recycle", api.ApiSessionRequired(databaseRecycle)).Methods("POST")
 	api.BaseRoutes.ApiRoot.Handle("/caches/invalidate", api.ApiSessionRequired(invalidateCaches)).Methods("POST")
 
@@ -246,14 +246,7 @@ func getClientConfig(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	respCfg := map[string]string{}
-	for k, v := range c.App.ClientConfig() {
-		respCfg[k] = v
-	}
-
-	respCfg["NoAccounts"] = strconv.FormatBool(c.App.IsFirstUserAccount())
-
-	w.Write([]byte(model.MapToJson(respCfg)))
+	w.Write([]byte(model.MapToJson(c.App.ClientConfigWithNoAccounts())))
 }
 
 func getClientLicense(c *Context, w http.ResponseWriter, r *http.Request) {
@@ -384,3 +377,37 @@ func getAnalytics(c *Context, w http.ResponseWriter, r *http.Request) {
 
 	w.Write([]byte(rows.ToJson()))
 }
+
+func testS3(c *Context, w http.ResponseWriter, r *http.Request) {
+	cfg := model.ConfigFromJson(r.Body)
+	if cfg == nil {
+		cfg = c.App.Config()
+	}
+
+	if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+		c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
+		return
+	}
+
+	err := utils.CheckMandatoryS3Fields(&cfg.FileSettings)
+	if err != nil {
+		c.Err = err
+		return
+	}
+
+	if cfg.FileSettings.AmazonS3SecretAccessKey == model.FAKE_SETTING {
+		cfg.FileSettings.AmazonS3SecretAccessKey = c.App.Config().FileSettings.AmazonS3SecretAccessKey
+	}
+
+	license := c.App.License()
+	backend, appErr := utils.NewFileBackend(&cfg.FileSettings, license != nil && *license.Features.Compliance)
+	if appErr == nil {
+		appErr = backend.TestConnection()
+	}
+	if appErr != nil {
+		c.Err = appErr
+		return
+	}
+
+	ReturnStatusOK(w)
+}
diff --git a/api4/system_test.go b/api4/system_test.go
index 01b4934ae..6ef02cbfe 100644
--- a/api4/system_test.go
+++ b/api4/system_test.go
@@ -1,7 +1,9 @@
 package api4
 
 import (
+	"fmt"
 	"net/http"
+	"os"
 	"strings"
 	"testing"
 
@@ -260,28 +262,34 @@ func TestEmailTest(t *testing.T) {
 	defer th.TearDown()
 	Client := th.Client
 
-	SendEmailNotifications := th.App.Config().EmailSettings.SendEmailNotifications
-	SMTPServer := th.App.Config().EmailSettings.SMTPServer
-	SMTPPort := th.App.Config().EmailSettings.SMTPPort
-	FeedbackEmail := th.App.Config().EmailSettings.FeedbackEmail
-	defer func() {
-		th.App.UpdateConfig(func(cfg *model.Config) { cfg.EmailSettings.SendEmailNotifications = SendEmailNotifications })
-		th.App.UpdateConfig(func(cfg *model.Config) { cfg.EmailSettings.SMTPServer = SMTPServer })
-		th.App.UpdateConfig(func(cfg *model.Config) { cfg.EmailSettings.SMTPPort = SMTPPort })
-		th.App.UpdateConfig(func(cfg *model.Config) { cfg.EmailSettings.FeedbackEmail = FeedbackEmail })
-	}()
-
-	th.App.UpdateConfig(func(cfg *model.Config) { cfg.EmailSettings.SendEmailNotifications = false })
-	th.App.UpdateConfig(func(cfg *model.Config) { cfg.EmailSettings.SMTPServer = "" })
-	th.App.UpdateConfig(func(cfg *model.Config) { cfg.EmailSettings.SMTPPort = "" })
-	th.App.UpdateConfig(func(cfg *model.Config) { cfg.EmailSettings.FeedbackEmail = "" })
+	config := model.Config{
+		EmailSettings: model.EmailSettings{
+			SMTPServer: "",
+			SMTPPort:   "",
+		},
+	}
 
-	_, resp := Client.TestEmail()
+	_, resp := Client.TestEmail(&config)
 	CheckForbiddenStatus(t, resp)
 
-	_, resp = th.SystemAdminClient.TestEmail()
+	_, resp = th.SystemAdminClient.TestEmail(&config)
 	CheckErrorMessage(t, resp, "api.admin.test_email.missing_server")
 	CheckBadRequestStatus(t, resp)
+
+	inbucket_host := os.Getenv("CI_HOST")
+	if inbucket_host == "" {
+		inbucket_host = "dockerhost"
+	}
+
+	inbucket_port := os.Getenv("CI_INBUCKET_PORT")
+	if inbucket_port == "" {
+		inbucket_port = "9000"
+	}
+
+	config.EmailSettings.SMTPServer = inbucket_host
+	config.EmailSettings.SMTPPort = inbucket_port
+	_, resp = th.SystemAdminClient.TestEmail(&config)
+	CheckOKStatus(t, resp)
 }
 
 func TestDatabaseRecycle(t *testing.T) {
@@ -466,3 +474,56 @@ func TestGetAnalyticsOld(t *testing.T) {
 	_, resp = Client.GetAnalyticsOld("", th.BasicTeam.Id)
 	CheckUnauthorizedStatus(t, resp)
 }
+
+func TestS3TestConnection(t *testing.T) {
+	th := Setup().InitBasic().InitSystemAdmin()
+	defer th.TearDown()
+	Client := th.Client
+
+	s3Host := os.Getenv("CI_HOST")
+	if s3Host == "" {
+		s3Host = "dockerhost"
+	}
+
+	s3Port := os.Getenv("CI_MINIO_PORT")
+	if s3Port == "" {
+		s3Port = "9001"
+	}
+
+	s3Endpoint := fmt.Sprintf("%s:%s", s3Host, s3Port)
+	config := model.Config{
+		FileSettings: model.FileSettings{
+			DriverName:              model.NewString(model.IMAGE_DRIVER_S3),
+			AmazonS3AccessKeyId:     model.MINIO_ACCESS_KEY,
+			AmazonS3SecretAccessKey: model.MINIO_SECRET_KEY,
+			AmazonS3Bucket:          "",
+			AmazonS3Endpoint:        s3Endpoint,
+			AmazonS3SSL:             model.NewBool(false),
+		},
+	}
+
+	_, resp := Client.TestS3Connection(&config)
+	CheckForbiddenStatus(t, resp)
+
+	_, resp = th.SystemAdminClient.TestS3Connection(&config)
+	CheckBadRequestStatus(t, resp)
+	if resp.Error.Message != "S3 Bucket is required" {
+		t.Fatal("should return error - missing s3 bucket")
+	}
+
+	config.FileSettings.AmazonS3Bucket = model.MINIO_BUCKET
+	config.FileSettings.AmazonS3Region = "us-east-1"
+	_, resp = th.SystemAdminClient.TestS3Connection(&config)
+	CheckOKStatus(t, resp)
+
+	config.FileSettings.AmazonS3Region = ""
+	_, resp = th.SystemAdminClient.TestS3Connection(&config)
+	CheckOKStatus(t, resp)
+
+	config.FileSettings.AmazonS3Bucket = "Wrong_bucket"
+	_, resp = th.SystemAdminClient.TestS3Connection(&config)
+	CheckInternalErrorStatus(t, resp)
+	if resp.Error.Message != "Error checking if bucket exists." {
+		t.Fatal("should return error ")
+	}
+}
diff --git a/api4/team.go b/api4/team.go
index d770aee22..8e4c5c312 100644
--- a/api4/team.go
+++ b/api4/team.go
@@ -6,6 +6,7 @@ package api4
 import (
 	"bytes"
 	"encoding/base64"
+	"fmt"
 	"net/http"
 	"strconv"
 
@@ -28,6 +29,10 @@ func (api *API) InitTeam() {
 	api.BaseRoutes.Team.Handle("", api.ApiSessionRequired(deleteTeam)).Methods("DELETE")
 	api.BaseRoutes.Team.Handle("/patch", api.ApiSessionRequired(patchTeam)).Methods("PUT")
 	api.BaseRoutes.Team.Handle("/stats", api.ApiSessionRequired(getTeamStats)).Methods("GET")
+
+	api.BaseRoutes.Team.Handle("/image", api.ApiSessionRequiredTrustRequester(getTeamIcon)).Methods("GET")
+	api.BaseRoutes.Team.Handle("/image", api.ApiSessionRequired(setTeamIcon)).Methods("POST")
+
 	api.BaseRoutes.TeamMembers.Handle("", api.ApiSessionRequired(getTeamMembers)).Methods("GET")
 	api.BaseRoutes.TeamMembers.Handle("/ids", api.ApiSessionRequired(getTeamMembersByIds)).Methods("POST")
 	api.BaseRoutes.TeamMembersForUser.Handle("", api.ApiSessionRequired(getTeamMembersForUser)).Methods("GET")
@@ -729,3 +734,81 @@ func getInviteInfo(c *Context, w http.ResponseWriter, r *http.Request) {
 		w.Write([]byte(model.MapToJson(result)))
 	}
 }
+
+func getTeamIcon(c *Context, w http.ResponseWriter, r *http.Request) {
+	c.RequireTeamId()
+	if c.Err != nil {
+		return
+	}
+
+	if !c.App.SessionHasPermissionToTeam(c.Session, c.Params.TeamId, model.PERMISSION_VIEW_TEAM) {
+		c.SetPermissionError(model.PERMISSION_VIEW_TEAM)
+		return
+	}
+
+	if team, err := c.App.GetTeam(c.Params.TeamId); err != nil {
+		c.Err = err
+		return
+	} else {
+		etag := strconv.FormatInt(team.LastTeamIconUpdate, 10)
+
+		if c.HandleEtag(etag, "Get Team Icon", w, r) {
+			return
+		}
+
+		if img, err := c.App.GetTeamIcon(team); err != nil {
+			c.Err = err
+			return
+		} else {
+			w.Header().Set("Content-Type", "image/png")
+			w.Header().Set("Cache-Control", fmt.Sprintf("max-age=%v, public", 24*60*60)) // 24 hrs
+			w.Header().Set(model.HEADER_ETAG_SERVER, etag)
+			w.Write(img)
+		}
+	}
+}
+
+func setTeamIcon(c *Context, w http.ResponseWriter, r *http.Request) {
+	c.RequireTeamId()
+	if c.Err != nil {
+		return
+	}
+
+	if !c.App.SessionHasPermissionToTeam(c.Session, c.Params.TeamId, model.PERMISSION_MANAGE_TEAM) {
+		c.SetPermissionError(model.PERMISSION_MANAGE_TEAM)
+		return
+	}
+
+	if r.ContentLength > *c.App.Config().FileSettings.MaxFileSize {
+		c.Err = model.NewAppError("setTeamIcon", "api.team.set_team_icon.too_large.app_error", nil, "", http.StatusBadRequest)
+		return
+	}
+
+	if err := r.ParseMultipartForm(*c.App.Config().FileSettings.MaxFileSize); err != nil {
+		c.Err = model.NewAppError("setTeamIcon", "api.team.set_team_icon.parse.app_error", nil, err.Error(), http.StatusBadRequest)
+		return
+	}
+
+	m := r.MultipartForm
+
+	imageArray, ok := m.File["image"]
+	if !ok {
+		c.Err = model.NewAppError("setTeamIcon", "api.team.set_team_icon.no_file.app_error", nil, "", http.StatusBadRequest)
+		return
+	}
+
+	if len(imageArray) <= 0 {
+		c.Err = model.NewAppError("setTeamIcon", "api.team.set_team_icon.array.app_error", nil, "", http.StatusBadRequest)
+		return
+	}
+
+	imageData := imageArray[0]
+
+	if err := c.App.SetTeamIcon(c.Params.TeamId, imageData); err != nil {
+		c.Err = err
+		return
+	}
+
+	c.LogAudit("")
+	ReturnStatusOK(w)
+}
diff --git a/api4/team_test.go b/api4/team_test.go
index faa90e511..04a0e9ae4 100644
--- a/api4/team_test.go
+++ b/api4/team_test.go
@@ -15,6 +15,8 @@ import (
 
 	"github.com/mattermost/mattermost-server/model"
 	"github.com/mattermost/mattermost-server/utils"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func TestCreateTeam(t *testing.T) {
@@ -1915,3 +1917,82 @@ func TestGetTeamInviteInfo(t *testing.T) {
 	_, resp = Client.GetTeamInviteInfo("junk")
 	CheckNotFoundStatus(t, resp)
 }
+
+func TestSetTeamIcon(t *testing.T) {
+	th := Setup().InitBasic().InitSystemAdmin()
+	defer th.TearDown()
+	Client := th.Client
+	team := th.BasicTeam
+
+	data, err := readTestFile("test.png")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	th.LoginTeamAdmin()
+
+	ok, resp := Client.SetTeamIcon(team.Id, data)
+	if !ok {
+		t.Fatal(resp.Error)
+	}
+	CheckNoError(t, resp)
+
+	ok, resp = Client.SetTeamIcon(model.NewId(), data)
+	if ok {
+		t.Fatal("Should return false, set team icon not allowed")
+	}
+	CheckForbiddenStatus(t, resp)
+
+	th.LoginBasic()
+
+	_, resp = Client.SetTeamIcon(team.Id, data)
+	if resp.StatusCode == http.StatusForbidden {
+		CheckForbiddenStatus(t, resp)
+	} else if resp.StatusCode == http.StatusUnauthorized {
+		CheckUnauthorizedStatus(t, resp)
+	} else {
+		t.Fatal("Should have failed either forbidden or unauthorized")
+	}
+
+	Client.Logout()
+
+	_, resp = Client.SetTeamIcon(team.Id, data)
+	if resp.StatusCode == http.StatusForbidden {
+		CheckForbiddenStatus(t, resp)
+	} else if resp.StatusCode == http.StatusUnauthorized {
+		CheckUnauthorizedStatus(t, resp)
+	} else {
+		t.Fatal("Should have failed either forbidden or unauthorized")
+	}
+
+	teamBefore, err := th.App.GetTeam(team.Id)
+	require.Nil(t, err)
+
+	_, resp = th.SystemAdminClient.SetTeamIcon(team.Id, data)
+	CheckNoError(t, resp)
+
+	teamAfter, err := th.App.GetTeam(team.Id)
+	require.Nil(t, err)
+	assert.True(t, teamBefore.LastTeamIconUpdate < teamAfter.LastTeamIconUpdate, "LastTeamIconUpdate should have been updated for team")
+
+	info := &model.FileInfo{Path: "teams/" + team.Id + "/teamIcon.png"}
+	if err := th.cleanupTestFile(info); err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestGetTeamIcon(t *testing.T) {
+	th := Setup().InitBasic().InitSystemAdmin()
+	defer th.TearDown()
+	Client := th.Client
+	team := th.BasicTeam
+
+	// should always fail because no initial image and no auto creation
+	_, resp := Client.GetTeamIcon(team.Id, "")
+	CheckNotFoundStatus(t, resp)
+
+	Client.Logout()
+
+	_, resp = Client.GetTeamIcon(team.Id, "")
+	CheckUnauthorizedStatus(t, resp)
+}
diff --git a/api4/user.go b/api4/user.go
index f82a6e3d5..8f8f08c75 100644
--- a/api4/user.go
+++ b/api4/user.go
@@ -290,16 +290,21 @@ func getUsers(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if sort != "" && sort != "last_activity_at" && sort != "create_at" {
+	if sort != "" && sort != "last_activity_at" && sort != "create_at" && sort != "status" {
 		c.SetInvalidUrlParam("sort")
 		return
 	}
 
 	// Currently only supports sorting on a team
+	// or sort="status" on inChannelId
 	if (sort == "last_activity_at" || sort == "create_at") && (inTeamId == "" || notInTeamId != "" || inChannelId != "" || notInChannelId != "" || withoutTeam != "") {
 		c.SetInvalidUrlParam("sort")
 		return
 	}
+	if sort == "status" && inChannelId == "" {
+		c.SetInvalidUrlParam("sort")
+		return
+	}
 
 	var profiles []*model.User
 	var err *model.AppError
@@ -355,8 +360,11 @@ func getUsers(c *Context, w http.ResponseWriter, r *http.Request) {
 			c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
 			return
 		}
-
-		profiles, err = c.App.GetUsersInChannelPage(inChannelId, c.Params.Page, c.Params.PerPage, c.IsSystemAdmin())
+		if sort == "status" {
+			profiles, err = c.App.GetUsersInChannelPageByStatus(inChannelId, c.Params.Page, c.Params.PerPage, c.IsSystemAdmin())
+		} else {
+			profiles, err = c.App.GetUsersInChannelPage(inChannelId, c.Params.Page, c.Params.PerPage, c.IsSystemAdmin())
+		}
 	} else {
 		// No permission check required
 
diff --git a/api4/user_test.go b/api4/user_test.go
index 4613a8ea9..f04cd6ab2 100644
--- a/api4/user_test.go
+++ b/api4/user_test.go
@@ -2650,3 +2650,146 @@ func TestUserAccessTokenDisableConfig(t *testing.T) {
 	_, resp = Client.GetMe("")
 	CheckNoError(t, resp)
 }
+
+func TestGetUsersByStatus(t *testing.T) {
+	th := Setup()
+	defer th.TearDown()
+
+	team, err := th.App.CreateTeam(&model.Team{
+		DisplayName: "dn_" + model.NewId(),
+		Name:        GenerateTestTeamName(),
+		Email:       th.GenerateTestEmail(),
+		Type:        model.TEAM_OPEN,
+	})
+	if err != nil {
+		t.Fatalf("failed to create team: %v", err)
+	}
+
+	channel, err := th.App.CreateChannel(&model.Channel{
+		DisplayName: "dn_" + model.NewId(),
+		Name:        "name_" + model.NewId(),
+		Type:        model.CHANNEL_OPEN,
+		TeamId:      team.Id,
+		CreatorId:   model.NewId(),
+	}, false)
+	if err != nil {
+		t.Fatalf("failed to create channel: %v", err)
+	}
+
+	createUserWithStatus := func(username string, status string) *model.User {
+		id := model.NewId()
+
+		user, err := th.App.CreateUser(&model.User{
+			Email:    "success+" + id + "@simulator.amazonses.com",
+			Username: "un_" + username + "_" + id,
+			Nickname: "nn_" + id,
+			Password: "Password1",
+		})
+		if err != nil {
+			t.Fatalf("failed to create user: %v", err)
+		}
+
+		th.LinkUserToTeam(user, team)
+		th.AddUserToChannel(user, channel)
+
+		th.App.SaveAndBroadcastStatus(&model.Status{
+			UserId: user.Id,
+			Status: status,
+			Manual: true,
+		})
+
+		return user
+	}
+
+	// Creating these out of order in case that affects results
+	offlineUser1 := createUserWithStatus("offline1", model.STATUS_OFFLINE)
+	offlineUser2 := createUserWithStatus("offline2", model.STATUS_OFFLINE)
+	awayUser1 := createUserWithStatus("away1", model.STATUS_AWAY)
+	awayUser2 := createUserWithStatus("away2", model.STATUS_AWAY)
+	onlineUser1 := createUserWithStatus("online1", model.STATUS_ONLINE)
+	onlineUser2 := createUserWithStatus("online2", model.STATUS_ONLINE)
+	dndUser1 := createUserWithStatus("dnd1", model.STATUS_DND)
+	dndUser2 := createUserWithStatus("dnd2", model.STATUS_DND)
+
+	client := th.CreateClient()
+	if _, resp := client.Login(onlineUser2.Username, "Password1"); resp.Error != nil {
+		t.Fatal(resp.Error)
+	}
+
+	t.Run("sorting by status then alphabetical", func(t *testing.T) {
+		usersByStatus, resp := client.GetUsersInChannelByStatus(channel.Id, 0, 8, "")
+		if resp.Error != nil {
+			t.Fatal(resp.Error)
+		}
+
+		expectedUsersByStatus := []*model.User{
+			onlineUser1,
+			onlineUser2,
+			awayUser1,
+			awayUser2,
+			dndUser1,
+			dndUser2,
+			offlineUser1,
+			offlineUser2,
+		}
+
+		if len(usersByStatus) != len(expectedUsersByStatus) {
+			t.Fatalf("received only %v users, expected %v", len(usersByStatus), len(expectedUsersByStatus))
+		}
+
+		for i := range usersByStatus {
+			if usersByStatus[i].Id != expectedUsersByStatus[i].Id {
+				t.Fatalf("received user %v at index %v, expected %v", usersByStatus[i].Username, i, expectedUsersByStatus[i].Username)
+			}
+		}
+	})
+
+	t.Run("paging", func(t *testing.T) {
+		usersByStatus, resp := client.GetUsersInChannelByStatus(channel.Id, 0, 3, "")
+		if resp.Error != nil {
+			t.Fatal(resp.Error)
+		}
+
+		if len(usersByStatus) != 3 {
+			t.Fatal("received too many users")
+		}
+
+		if usersByStatus[0].Id != onlineUser1.Id && usersByStatus[1].Id != onlineUser2.Id {
+			t.Fatal("expected to receive online users first")
+		}
+
+		if usersByStatus[2].Id != awayUser1.Id {
+			t.Fatal("expected to receive away users second")
+		}
+
+		usersByStatus, resp = client.GetUsersInChannelByStatus(channel.Id, 1, 3, "")
+		if resp.Error != nil {
+			t.Fatal(resp.Error)
+		}
+
+		if usersByStatus[0].Id != awayUser2.Id {
+			t.Fatal("expected to receive away users second")
+		}
+
+		if usersByStatus[1].Id != dndUser1.Id && usersByStatus[2].Id != dndUser2.Id {
+			t.Fatal("expected to receive dnd users third")
+		}
+
+		usersByStatus, resp = client.GetUsersInChannelByStatus(channel.Id, 1, 4, "")
+		if resp.Error != nil {
+			t.Fatal(resp.Error)
+		}
+
+		if len(usersByStatus) != 4 {
+			t.Fatal("received too many users")
+		}
+
+		if usersByStatus[0].Id != dndUser1.Id && usersByStatus[1].Id != dndUser2.Id {
+			t.Fatal("expected to receive dnd users third")
+		}
+
+		if usersByStatus[2].Id != offlineUser1.Id && usersByStatus[3].Id != offlineUser2.Id {
+			t.Fatal("expected to receive offline users last")
+		}
+	})
+}
diff --git a/api4/webhook.go b/api4/webhook.go
index e19f14704..853cf43f3 100644
--- a/api4/webhook.go
+++ b/api4/webhook.go
@@ -510,7 +510,6 @@ func commandWebhook(c *Context, w http.ResponseWriter, r *http.Request) {
 }
 
 func decodePayload(payload io.Reader) (*model.IncomingWebhookRequest, *model.AppError) {
-	decodeError := &model.AppError{}
 	incomingWebhookPayload, decodeError := model.IncomingWebhookRequestFromJson(payload)
 
 	if decodeError != nil {