Diffstat (limited to 'api')
-rw-r--r--api/channel.go5
-rw-r--r--api/channel_test.go6
2 files changed, 11 insertions, 0 deletions
diff --git a/api/channel.go b/api/channel.go
index e0428f311..c4a5eae96 100644
--- a/api/channel.go
+++ b/api/channel.go
@@ -784,6 +784,11 @@ func getChannel(c *Context, w http.ResponseWriter, r *http.Request) {
member := cmresult.Data.(model.ChannelMember)
data.Member = &member
+ if data.Channel.TeamId != c.TeamId {
+ c.Err = model.NewLocAppError("getChannel", "api.channel.get_channel.wrong_team.app_error", map[string]interface{}{"ChannelId": id, "TeamId": c.TeamId}, "")
+ return
+ }
+
if HandleEtag(data.Etag(), w, r) {
return
} else {
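Review bot: The new wrong-team rejection in getChannel sets `c.Err` without a status code, so unless `NewLocAppError` already defaults to a 4xx this authorization denial will probably surface as a server error and be counted with genuine faults in monitoring. Consider adding `c.Err.StatusCode = http.StatusForbidden` before the `return`. It is also worth confirming how channels that are not tied to a single team behave under `data.Channel.TeamId != c.TeamId` (direct-message channels, if their `TeamId` is empty); if they must stay reachable, the condition needs an explicit exemption for that channel type. The body of getChannel starts and ends outside this hunk.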
diff --git a/api/channel_test.go b/api/channel_test.go
index 5c51e4d93..7480dea23 100644
--- a/api/channel_test.go
+++ b/api/channel_test.go
@@ -320,6 +320,7 @@ func TestGetChannel(t *testing.T) {
th := Setup().InitBasic()
Client := th.BasicClient
team := th.BasicTeam
+ team2 := th.CreateTeam(Client)
channel1 := &model.Channel{DisplayName: "A Test API Name", Name: "a" + model.NewId() + "a", Type: model.CHANNEL_OPEN, TeamId: team.Id}
channel1 = Client.Must(Client.CreateChannel(channel1)).Data.(*model.Channel)
@@ -370,6 +371,11 @@ func TestGetChannel(t *testing.T) {
if _, err := Client.GetChannel("junk", ""); err == nil {
t.Fatal("should have failed - bad channel id")
}
+
+ Client.SetTeamId(team2.Id)
+ if _, err := Client.GetChannel(channel2.Id, ""); err == nil {
+ t.Fatal("should have failed - wrong team")
+ }
}
func TestGetMoreChannel(t *testing.T) {
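Review bot: The added wrong-team assertion passes on any error, so it would still succeed if the request failed for an unrelated reason after `Client.SetTeamId(team2.Id)` and the team check were later removed. Compare the returned error's id with the one the handler sets, e.g. `else if err.Id != "api.channel.get_channel.wrong_team.app_error" { t.Fatal("unexpected error: " + err.Id) }`, assuming the client returns the `*model.AppError`. A positive control after it, switching back with `Client.SetTeamId(team.Id)` and checking that `Client.GetChannel(channel2.Id, "")` succeeds, would show that the denial comes from the team mismatch and not from the channel itself. `channel2` is defined outside this hunk.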