From 239e8df3f4e94e71c08863fbaca72172c594fa22 Mon Sep 17 00:00:00 2001
From: Joram Wilander <jwawilander@gmail.com>
Date: Fri, 1 Dec 2017 08:21:44 -0500
Subject: Fix oauth app update (#7913)

---
 api4/oauth.go      | 2 +-
 api4/oauth_test.go | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

(limited to 'api4')

diff --git a/api4/oauth.go b/api4/oauth.go
index b11a070e4..b54a43832 100644
--- a/api4/oauth.go
+++ b/api4/oauth.go
@@ -100,7 +100,7 @@ func updateOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if c.Session.UserId != oauthApp.CreatorId && !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) {
+	if c.Session.UserId != oldOauthApp.CreatorId && !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) {
 		c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH)
 		return
 	}
diff --git a/api4/oauth_test.go b/api4/oauth_test.go
index 8658e86e9..8dd602456 100644
--- a/api4/oauth_test.go
+++ b/api4/oauth_test.go
@@ -164,6 +164,13 @@ func TestUpdateOAuthApp(t *testing.T) {
 		t.Fatal("IsTrusted should have updated")
 	}
 
+	th.LoginBasic2()
+	updatedApp.CreatorId = th.BasicUser2.Id
+	_, resp = Client.UpdateOAuthApp(oapp)
+	CheckForbiddenStatus(t, resp)
+
+	th.LoginBasic()
+
 	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = false })
 	th.App.SetDefaultRolesBasedOnConfig()
 	_, resp = Client.UpdateOAuthApp(oapp)
-- 
cgit v1.2.3-1-g7c22