From fa80cb10a8ad047f9504c49ed2671d31650d1878 Mon Sep 17 00:00:00 2001
From: Jonathan
Date: Wed, 4 Oct 2017 11:12:13 -0400
Subject: PLT-7785: Slash commands can be issued to a channel in a team without it (#7567)

* Ensured that specified channel is a part of specified team

* Simplified approach to just infer team id from specified channel id to eliminate the attack vector entirely
---
 api4/command.go | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

(limited to 'api4/command.go')

diff --git a/api4/command.go b/api4/command.go
index d051d57f6..4314a184d 100644
--- a/api4/command.go
+++ b/api4/command.go
@@ -212,12 +212,9 @@ func executeCommand(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if commandArgs.TeamId == "" {
-		commandArgs.TeamId = channel.TeamId
-	} else if c.Session.GetTeamByTeamId(commandArgs.TeamId) == nil {
-		c.SetPermissionError(model.PERMISSION_USE_SLASH_COMMANDS)
-		return
-	}
+	// team id is implicitly taken from channel so that slash commands
+	// created on some other team can't be run against this one
+	commandArgs.TeamId = channel.TeamId
 
 	commandArgs.UserId = c.Session.UserId
 	commandArgs.T = c.T
-- 
cgit v1.2.3-1-g7c22
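Review bot: The new assignment silently overwrites any client-supplied `TeamId`, so a request whose team id disagrees with the channel's team is accepted and rewritten rather than rejected; inferring the team from the channel is the right fix, but an explicit mismatch check just before the assignment, `if commandArgs.TeamId != "" && commandArgs.TeamId != channel.TeamId { /* reject as an invalid team_id parameter */ return }`, would surface misbehaving clients and keep the invariant visible in the code. The removed `else if` branch was also the only authorization check inside this hunk; executeCommand begins and ends outside the hunk, so the check that the session may use slash commands in `channel` (and is a member of `channel.TeamId`) presumably sits above it and should be confirmed in the same review, because after this change nothing in the hunk enforces it. The added comment could also state the guarantee it now provides, e.g. `// TeamId always comes from the channel: a command registered on another team cannot be run here, and a client-supplied team_id is never trusted.`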