3 files changed, 104 insertions, 22 deletions

diff --git a/api/admin.go b/api/admin.go
index 7b041619e..3ed2bee7a 100644
--- a/api/admin.go
+++ b/api/admin.go
@@ -35,6 +35,8 @@ func InitAdmin(r *mux.Router) {
 	sr.Handle("/save_compliance_report", ApiUserRequired(saveComplianceReport)).Methods("POST")
 	sr.Handle("/compliance_reports", ApiUserRequired(getComplianceReports)).Methods("GET")
 	sr.Handle("/download_compliance_report/{id:[A-Za-z0-9]+}", ApiUserRequired(downloadComplianceReport)).Methods("GET")
+	sr.Handle("/upload_brand_image", ApiAdminSystemRequired(uploadBrandImage)).Methods("POST")
+	sr.Handle("/get_brand_image", ApiAppHandlerTrustRequester(getBrandImage)).Methods("GET")
 }
 
 func getLogs(c *Context, w http.ResponseWriter, r *http.Request) {
@@ -422,3 +424,77 @@ func getAnalytics(c *Context, w http.ResponseWriter, r *http.Request) {
 	}
 
 }
+
+func uploadBrandImage(c *Context, w http.ResponseWriter, r *http.Request) {
+	if len(utils.Cfg.FileSettings.DriverName) == 0 {
+		c.Err = model.NewLocAppError("uploadBrandImage", "api.admin.upload_brand_image.storage.app_error", nil, "")
+		c.Err.StatusCode = http.StatusNotImplemented
+		return
+	}
+
+	if r.ContentLength > model.MAX_FILE_SIZE {
+		c.Err = model.NewLocAppError("uploadBrandImage", "api.admin.upload_brand_image.too_large.app_error", nil, "")
+		c.Err.StatusCode = http.StatusRequestEntityTooLarge
+		return
+	}
+
+	if err := r.ParseMultipartForm(model.MAX_FILE_SIZE); err != nil {
+		c.Err = model.NewLocAppError("uploadBrandImage", "api.admin.upload_brand_image.parse.app_error", nil, "")
+		return
+	}
+
+	m := r.MultipartForm
+
+	imageArray, ok := m.File["image"]
+	if !ok {
+		c.Err = model.NewLocAppError("uploadBrandImage", "api.admin.upload_brand_image.no_file.app_error", nil, "")
+		c.Err.StatusCode = http.StatusBadRequest
+		return
+	}
+
+	if len(imageArray) <= 0 {
+		c.Err = model.NewLocAppError("uploadBrandImage", "api.admin.upload_brand_image.array.app_error", nil, "")
+		c.Err.StatusCode = http.StatusBadRequest
+		return
+	}
+
+	brandInterface := einterfaces.GetBrandInterface()
+	if brandInterface == nil {
+		c.Err = model.NewLocAppError("uploadBrandImage", "api.admin.upload_brand_image.not_available.app_error", nil, "")
+		c.Err.StatusCode = http.StatusNotImplemented
+		return
+	}
+
+	if err := brandInterface.SaveBrandImage(imageArray[0]); err != nil {
+		c.Err = err
+		return
+	}
+
+	c.LogAudit("")
+
+	rdata := map[string]string{}
+	rdata["status"] = "OK"
+	w.Write([]byte(model.MapToJson(rdata)))
+}
+
+func getBrandImage(c *Context, w http.ResponseWriter, r *http.Request) {
+	if len(utils.Cfg.FileSettings.DriverName) == 0 {
+		c.Err = model.NewLocAppError("getBrandImage", "api.admin.get_brand_image.storage.app_error", nil, "")
+		c.Err.StatusCode = http.StatusNotImplemented
+		return
+	}
+
+	brandInterface := einterfaces.GetBrandInterface()
+	if brandInterface == nil {
+		c.Err = model.NewLocAppError("getBrandImage", "api.admin.get_brand_image.not_available.app_error", nil, "")
+		c.Err.StatusCode = http.StatusNotImplemented
+		return
+	}
+
+	if img, err := brandInterface.GetBrandImage(); err != nil {
+		w.Write(nil)
+	} else {
+		w.Header().Set("Content-Type", "image/png")
+		w.Write(img)
+	}
+}
diff --git a/api/file.go b/api/file.go
index ee9703455..991516bed 100644
--- a/api/file.go
+++ b/api/file.go
@@ -149,7 +149,7 @@ func uploadFile(c *Context, w http.ResponseWriter, r *http.Request) {
 
 		path := "teams/" + c.Session.TeamId + "/channels/" + channelId + "/users/" + c.Session.UserId + "/" + uid + "/" + filename
 
-		if err := writeFile(buf.Bytes(), path); err != nil {
+		if err := WriteFile(buf.Bytes(), path); err != nil {
 			c.Err = err
 			return
 		}
@@ -237,7 +237,7 @@ func handleImagesAndForget(filenames []string, fileData [][]byte, teamId, channe
 						return
 					}
 
-					if err := writeFile(buf.Bytes(), dest+name+"_thumb.jpg"); err != nil {
+					if err := WriteFile(buf.Bytes(), dest+name+"_thumb.jpg"); err != nil {
 						l4g.Error(utils.T("api.file.handle_images_forget.upload_thumb.error"), channelId, userId, filename, err)
 						return
 					}
@@ -260,7 +260,7 @@ func handleImagesAndForget(filenames []string, fileData [][]byte, teamId, channe
 						return
 					}
 
-					if err := writeFile(buf.Bytes(), dest+name+"_preview.jpg"); err != nil {
+					if err := WriteFile(buf.Bytes(), dest+name+"_preview.jpg"); err != nil {
 						l4g.Error(utils.T("api.file.handle_images_forget.upload_preview.error"), channelId, userId, filename, err)
 						return
 					}
@@ -440,7 +440,7 @@ func getFile(c *Context, w http.ResponseWriter, r *http.Request) {
 
 func getFileAndForget(path string, fileData chan []byte) {
 	go func() {
-		data, getErr := readFile(path)
+		data, getErr := ReadFile(path)
 		if getErr != nil {
 			l4g.Error(getErr)
 			fileData <- nil
@@ -506,7 +506,7 @@ func getExport(c *Context, w http.ResponseWriter, r *http.Request) {
 		c.Err.StatusCode = http.StatusForbidden
 		return
 	}
-	data, err := readFile(EXPORT_PATH + EXPORT_FILENAME)
+	data, err := ReadFile(EXPORT_PATH + EXPORT_FILENAME)
 	if err != nil {
 		c.Err = model.NewLocAppError("getExport", "api.file.get_export.retrieve.app_error", nil, err.Error())
 		return
@@ -517,7 +517,7 @@ func getExport(c *Context, w http.ResponseWriter, r *http.Request) {
 	w.Write(data)
 }
 
-func writeFile(f []byte, path string) *model.AppError {
+func WriteFile(f []byte, path string) *model.AppError {
 
 	if utils.Cfg.FileSettings.DriverName == model.IMAGE_DRIVER_S3 {
 		var auth aws.Auth
@@ -540,14 +540,14 @@ func writeFile(f []byte, path string) *model.AppError {
 		}
 
 		if err != nil {
-			return model.NewLocAppError("writeFile", "api.file.write_file.s3.app_error", nil, err.Error())
+			return model.NewLocAppError("WriteFile", "api.file.write_file.s3.app_error", nil, err.Error())
 		}
 	} else if utils.Cfg.FileSettings.DriverName == model.IMAGE_DRIVER_LOCAL {
-		if err := writeFileLocally(f, utils.Cfg.FileSettings.Directory+path); err != nil {
+		if err := WriteFileLocally(f, utils.Cfg.FileSettings.Directory+path); err != nil {
 			return err
 		}
 	} else {
-		return model.NewLocAppError("writeFile", "api.file.write_file.configured.app_error", nil, "")
+		return model.NewLocAppError("WriteFile", "api.file.write_file.configured.app_error", nil, "")
 	}
 
 	return nil
@@ -574,7 +574,7 @@ func moveFile(oldPath, newPath string) *model.AppError {
 			return model.NewLocAppError("moveFile", "api.file.move_file.delete_from_s3.app_error", nil, err.Error())
 		}
 
-		if err := writeFile(fileBytes, newPath); err != nil {
+		if err := WriteFile(fileBytes, newPath); err != nil {
 			return err
 		}
 	} else if utils.Cfg.FileSettings.DriverName == model.IMAGE_DRIVER_LOCAL {
@@ -588,19 +588,19 @@ func moveFile(oldPath, newPath string) *model.AppError {
 	return nil
 }
 
-func writeFileLocally(f []byte, path string) *model.AppError {
+func WriteFileLocally(f []byte, path string) *model.AppError {
 	if err := os.MkdirAll(filepath.Dir(path), 0774); err != nil {
-		return model.NewLocAppError("writeFile", "api.file.write_file_locally.create_dir.app_error", nil, err.Error())
+		return model.NewLocAppError("WriteFile", "api.file.write_file_locally.create_dir.app_error", nil, err.Error())
 	}
 
 	if err := ioutil.WriteFile(path, f, 0644); err != nil {
-		return model.NewLocAppError("writeFile", "api.file.write_file_locally.writing.app_error", nil, err.Error())
+		return model.NewLocAppError("WriteFile", "api.file.write_file_locally.writing.app_error", nil, err.Error())
 	}
 
 	return nil
 }
 
-func readFile(path string) ([]byte, *model.AppError) {
+func ReadFile(path string) ([]byte, *model.AppError) {
 
 	if utils.Cfg.FileSettings.DriverName == model.IMAGE_DRIVER_S3 {
 		var auth aws.Auth
@@ -620,18 +620,18 @@ func readFile(path string) ([]byte, *model.AppError) {
 			if f != nil {
 				return f, nil
 			} else if tries >= 3 {
-				return nil, model.NewLocAppError("readFile", "api.file.read_file.get.app_error", nil, "path="+path+", err="+err.Error())
+				return nil, model.NewLocAppError("ReadFile", "api.file.read_file.get.app_error", nil, "path="+path+", err="+err.Error())
 			}
 			time.Sleep(3000 * time.Millisecond)
 		}
 	} else if utils.Cfg.FileSettings.DriverName == model.IMAGE_DRIVER_LOCAL {
 		if f, err := ioutil.ReadFile(utils.Cfg.FileSettings.Directory + path); err != nil {
-			return nil, model.NewLocAppError("readFile", "api.file.read_file.reading_local.app_error", nil, err.Error())
+			return nil, model.NewLocAppError("ReadFile", "api.file.read_file.reading_local.app_error", nil, err.Error())
 		} else {
 			return f, nil
 		}
 	} else {
-		return nil, model.NewLocAppError("readFile", "api.file.read_file.configured.app_error", nil, "")
+		return nil, model.NewLocAppError("ReadFile", "api.file.read_file.configured.app_error", nil, "")
 	}
 }
 
diff --git a/api/user.go b/api/user.go
index 76eeaa441..08d096c51 100644
--- a/api/user.go
+++ b/api/user.go
@@ -54,7 +54,7 @@ func InitUser(r *mux.Router) {
 	sr.Handle("/verify_email", ApiAppHandler(verifyEmail)).Methods("POST")
 	sr.Handle("/resend_verification", ApiAppHandler(resendVerification)).Methods("POST")
 	sr.Handle("/mfa", ApiAppHandler(checkMfa)).Methods("POST")
-	sr.Handle("/generate_mfa_qr", ApiUserRequired(generateMfaQrCode)).Methods("GET")
+	sr.Handle("/generate_mfa_qr", ApiUserRequiredTrustRequester(generateMfaQrCode)).Methods("GET")
 	sr.Handle("/update_mfa", ApiUserRequired(updateMfa)).Methods("POST")
 
 	sr.Handle("/newimage", ApiUserRequired(uploadProfileImage)).Methods("POST")
@@ -1150,14 +1150,14 @@ func getProfileImage(c *Context, w http.ResponseWriter, r *http.Request) {
 		} else {
 			path := "teams/" + c.Session.TeamId + "/users/" + id + "/profile.png"
 
-			if data, err := readFile(path); err != nil {
+			if data, err := ReadFile(path); err != nil {
 
 				if img, err = createProfileImage(result.Data.(*model.User).Username, id); err != nil {
 					c.Err = err
 					return
 				}
 
-				if err := writeFile(img, path); err != nil {
+				if err := WriteFile(img, path); err != nil {
 					c.Err = err
 					return
 				}
@@ -1185,7 +1185,13 @@ func uploadProfileImage(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if err := r.ParseMultipartForm(10000000); err != nil {
+	if r.ContentLength > model.MAX_FILE_SIZE {
+		c.Err = model.NewLocAppError("uploadProfileImage", "api.user.upload_profile_user.too_large.app_error", nil, "")
+		c.Err.StatusCode = http.StatusRequestEntityTooLarge
+		return
+	}
+
+	if err := r.ParseMultipartForm(model.MAX_FILE_SIZE); err != nil {
 		c.Err = model.NewLocAppError("uploadProfileImage", "api.user.upload_profile_user.parse.app_error", nil, "")
 		return
 	}
@@ -1245,7 +1251,7 @@ func uploadProfileImage(c *Context, w http.ResponseWriter, r *http.Request) {
 
 	path := "teams/" + c.Session.TeamId + "/users/" + c.Session.UserId + "/profile.png"
 
-	if err := writeFile(buf.Bytes(), path); err != nil {
+	if err := WriteFile(buf.Bytes(), path); err != nil {
 		c.Err = model.NewLocAppError("uploadProfileImage", "api.user.upload_profile_user.upload_profile.app_error", nil, "")
 		return
 	}