From b9092ca2f56b0fa2b8ec7719c2ec5cfe5a21a6c9 Mon Sep 17 00:00:00 2001
From: Carlos Tadeu Panato Junior
Date: Tue, 20 Dec 2016 16:55:22 +0100
Subject: Fix API Get channels for a user returns users' dm channels with blank teamid (#4748)
* fix API Get channels for a user returns users' dm channels with blank team ID add check in the context.go add suggestion made adjustment per review and support from @joram * update tests * add check if needd user or admin permissions * update per review
---
 api/context.go | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
(limited to 'api/context.go')
diff --git a/api/context.go b/api/context.go
index 4042a7b0f..765bb502a 100644
--- a/api/context.go
+++ b/api/context.go
@@ -221,6 +221,11 @@ func (h handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 SetStatusOnline(c.Session.UserId, c.Session.Id, false)
 }
 
+ if c.Err == nil && (h.requireUser || h.requireSystemAdmin) {
+ //check if teamId exist
+ c.CheckTeamId()
+ }
+
 if c.Err == nil {
 h.handleFunc(c, w, r)
 }
@@ -575,3 +580,18 @@ func InvalidateAllCaches() {
 store.ClearUserCaches()
 store.ClearPostCaches()
 }
+
+func (c *Context) CheckTeamId() {
+ if c.TeamId != "" && c.Session.GetTeamByTeamId(c.TeamId) == nil {
+ if HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
+ if result := <-Srv.Store.Team().Get(c.TeamId); result.Err != nil {
+ c.Err = result.Err
+ c.Err.StatusCode = http.StatusBadRequest
+ return
+ }
+ } else {
+ // just return because it fail on the HasPermissionToContext and the error is already on the Context c.Err
+ return
+ }
+ }
+}
--
cgit v1.2.3-1-g7c22
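Review bot: The comment `//check if teamId exist` in the ServeHTTP hunk understates what the call does: as written in this patch, CheckTeamId rejects the request when the session is not a member of c.TeamId and lacks system-admin permission, so it is an authorization gate rather than an existence check. I would write `// Authorize c.TeamId against the session's teams; system admins only need the team to exist.` The gate runs only when requireUser or requireSystemAdmin is set; whether any other handler kind can reach handleFunc with a non-empty c.TeamId is not visible here and is worth confirming. ServeHTTP's body starts and ends outside the hunk.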
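Review bot: In CheckTeamId's `else` branch, a non-member without system-admin permission is denied only because HasPermissionToContext is assumed to have written c.Err as a side effect. If that helper ever returns false without setting it, the `c.Err == nil` test in ServeHTTP passes and the handler runs for a team the session does not belong to. The branch should fail closed by setting a 403 itself when c.Err is still nil, and the nested `if`/`else` reads more clearly as guard clauses. The exported method also lacks a doc comment, which the fence adds. The i18n id in the fence is a placeholder, and model.NewLocAppError is assumed to be the project's error constructor, so confirm it against the model package.

```go
// CheckTeamId sets c.Err when c.TeamId names a team the session is not a
// member of, unless the caller holds PERMISSION_MANAGE_SYSTEM and the team
// can be loaded from the store. An empty c.TeamId is not checked.
func (c *Context) CheckTeamId() {
	if c.TeamId == "" || c.Session.GetTeamByTeamId(c.TeamId) != nil {
		return
	}

	if !HasPermissionToContext(c, model.PERMISSION_MANAGE_SYSTEM) {
		if c.Err == nil {
			// Fail closed even if the helper stops recording the denial itself.
			c.Err = model.NewLocAppError("CheckTeamId", "<i18n id placeholder>", nil, "team_id="+c.TeamId)
			c.Err.StatusCode = http.StatusForbidden
		}
		return
	}

	// … unchanged: Srv.Store.Team().Get lookup that maps a store error to 400 …
}
```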