From a25afb113489bcdd3fd07cb6dc4c18ae70662795 Mon Sep 17 00:00:00 2001
From: Rachel Willmer
Date: Thu, 17 Nov 2016 19:05:53 +0000
Subject: Fix SystemAdmin use of CreateAt in CreatePost API (#4349) (#4408)
---
 api/post.go | 4 +++-
 api/post_test.go | 31 +++++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+), 1 deletion(-)
diff --git a/api/post.go b/api/post.go
index f17df8831..bcbdd7760 100644
--- a/api/post.go
+++ b/api/post.go
@@ -132,7 +132,9 @@ func CreatePost(c *Context, post *model.Post, triggerWebhooks bool) (*model.Post
 }
 }
- post.CreateAt = 0
+ if post.CreateAt != 0 && !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
+ post.CreateAt = 0
+ }
 post.Hashtags, _ = model.ParseHashtags(post.Message)
diff --git a/api/post_test.go b/api/post_test.go
index 0bafb5d20..bedb3aa74 100644
--- a/api/post_test.go
+++ b/api/post_test.go
@@ -138,6 +138,37 @@ func TestCreatePost(t *testing.T) {
 }
 }
+func TestCreatePostWithCreateAt(t *testing.T) {
+
+ // An ordinary user cannot use CreateAt
+
+ th := Setup().InitBasic()
+ Client := th.BasicClient
+ channel1 := th.BasicChannel
+
+ post := &model.Post{
+ ChannelId: channel1.Id,
+ Message: "PLT-4349",
+ CreateAt: 1234,
+ }
+ if resp, err := Client.CreatePost(post); err != nil {
+ t.Fatal(err)
+ } else if rpost := resp.Data.(*model.Post); rpost.CreateAt == post.CreateAt {
+ t.Fatal("post should be created with default CreateAt timestamp for ordinary user")
+ }
+
+ // But a System Admin user can
+
+ th2 := Setup().InitSystemAdmin()
+ SysClient := th2.SystemAdminClient
+
+ if resp, err := SysClient.CreatePost(post); err != nil {
+ t.Fatal(err)
+ } else if rpost := resp.Data.(*model.Post); rpost.CreateAt != post.CreateAt {
+ t.Fatal("post should be created with provided CreateAt timestamp for System Admin user")
+ }
+}
+
 func testCreatePostWithOutgoingHook(
 t *testing.T,
 hookContentType string,
-- cgit v1.2.3-1-g7c22
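Review bot: In api/post.go, the admin branch of the new `if` keeps whatever `post.CreateAt` the client sent with no range check, so a negative or far-future value from a session holding `PERMISSION_MANAGE_SYSTEM` appears to be passed on unchanged and would decide where the post sorts in the channel history. A bound after the permission check, for example `if post.CreateAt < 0 || post.CreateAt > model.GetMillis() { post.CreateAt = 0 }`, plus a log entry recording that the timestamp was overridden, would keep backdated posts both sane and traceable. Separately, if `HasPermissionToContext` records a permission error on `c` when it returns false (its body is not shown here), an ordinary user sending a non-zero `CreateAt` would leave a stale error on the context; that is worth confirming. `CreatePost` begins and ends outside the hunk.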
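Review bot: In api/post_test.go, the ordinary-user case of `TestCreatePostWithCreateAt` asserts only that the returned `CreateAt` differs from 1234, so it would still pass if the server stored 0 or any other wrong value. Capturing `before := model.GetMillis()` ahead of the call and failing when `rpost.CreateAt < before` would pin the intended behaviour, namely that the server clock is used. The permission boundary is also exercised only at its two extremes; a case for an elevated but non-system role (for example a team admin) would show that nothing short of `PERMISSION_MANAGE_SYSTEM` unlocks the field.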