diff options
Diffstat (limited to 'api')
-rw-r--r-- | api/post.go | 7 | ||||
-rw-r--r-- | api/post_test.go | 5 |
2 files changed, 11 insertions, 1 deletions
diff --git a/api/post.go b/api/post.go index afe60144d..b4c34bca2 100644 --- a/api/post.go +++ b/api/post.go @@ -161,7 +161,12 @@ func getFlaggedPosts(c *Context, w http.ResponseWriter, r *http.Request) { return } - if posts, err := app.GetFlaggedPosts(c.Session.UserId, offset, limit); err != nil { + if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_VIEW_TEAM) { + c.SetPermissionError(model.PERMISSION_VIEW_TEAM) + return + } + + if posts, err := app.GetFlaggedPostsForTeam(c.Session.UserId, c.TeamId, offset, limit); err != nil { c.Err = err return } else { diff --git a/api/post_test.go b/api/post_test.go index 6558aeb5b..a72074547 100644 --- a/api/post_test.go +++ b/api/post_test.go @@ -1115,6 +1115,11 @@ func TestGetFlaggedPosts(t *testing.T) { if len(r2.Order) != 0 { t.Fatal("should not have gotten a flagged post") } + + Client.SetTeamId(model.NewId()) + if _, err := Client.GetFlaggedPosts(0, 2); err == nil { + t.Fatal("should have failed - bad team id") + } } func TestGetMessageForNotification(t *testing.T) { |