2 files changed, 11 insertions, 1 deletions

diff --git a/api/post.go b/api/post.go
index afe60144d..b4c34bca2 100644
--- a/api/post.go
+++ b/api/post.go
@@ -161,7 +161,12 @@ func getFlaggedPosts(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if posts, err := app.GetFlaggedPosts(c.Session.UserId, offset, limit); err != nil {
+	if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_VIEW_TEAM) {
+		c.SetPermissionError(model.PERMISSION_VIEW_TEAM)
+		return
+	}
+
+	if posts, err := app.GetFlaggedPostsForTeam(c.Session.UserId, c.TeamId, offset, limit); err != nil {
 		c.Err = err
 		return
 	} else {
diff --git a/api/post_test.go b/api/post_test.go
index 6558aeb5b..a72074547 100644
--- a/api/post_test.go
+++ b/api/post_test.go
@@ -1115,6 +1115,11 @@ func TestGetFlaggedPosts(t *testing.T) {
 	if len(r2.Order) != 0 {
 		t.Fatal("should not have gotten a flagged post")
 	}
+
+	Client.SetTeamId(model.NewId())
+	if _, err := Client.GetFlaggedPosts(0, 2); err == nil {
+		t.Fatal("should have failed - bad team id")
+	}
 }
 
 func TestGetMessageForNotification(t *testing.T) {