From 59319b7915b8eb4c20a0d4878382cc0e41fc536d Mon Sep 17 00:00:00 2001
From: Jesse Hallam
Date: Tue, 9 Oct 2018 15:25:57 -0400
Subject: MM-12519: simplify autocomplete team id checking (#9577)

This handles clients sending a team id in a direct message or group channel autocomplete, when it necessarily won't match. Just verify that the user has permission for the team in question, whenever it is provided.
---
 api4/user.go | 27 ++++++++++-----------------
 api4/user_test.go | 4 ++--
 2 files changed, 12 insertions(+), 19 deletions(-)

(limited to 'api4')

diff --git a/api4/user.go b/api4/user.go
index 5a8474b8d..404457285 100644
--- a/api4/user.go
+++ b/api4/user.go
@@ -594,21 +594,19 @@ func autocompleteUsers(c *Context, w http.ResponseWriter, r *http.Request) {
 			c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
 			return
 		}
+	}
 
-		// If a teamId is provided, require it to match the channel's team id.
-		if teamId != "" {
-			channel, err := c.App.GetChannel(channelId)
-			if err != nil {
-				c.Err = err
-				return
-			}
-
-			if channel.TeamId != teamId {
-				c.Err = model.NewAppError("autocompleteUsers", "api.user.autocomplete_users.invalid_team_id", nil, "", http.StatusUnauthorized)
-				return
-			}
+	if len(teamId) > 0 {
+		if !c.App.SessionHasPermissionToTeam(c.Session, teamId, model.PERMISSION_VIEW_TEAM) {
+			c.SetPermissionError(model.PERMISSION_VIEW_TEAM)
+			return
 		}
+	}
 
+	if len(channelId) > 0 {
+		// Applying the provided teamId here is useful for DMs and GMs which don't belong
+		// to a team. Applying it when the channel does belong to a team makes less sense,
+		//t but the permissions are checked above regardless.
 		result, err := c.App.AutocompleteUsersInChannel(teamId, channelId, name, searchOptions, c.IsSystemAdmin())
 		if err != nil {
 			c.Err = err
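Review bot: The third comment line added above the AutocompleteUsersInChannel call carries a stray character, `//t but the permissions are checked above regardless.`, and should read `// but the permissions are checked above regardless.`. While fixing it, the comment is the right place to spell out the authorization argument that justifies accepting a teamId that does not match the channel's team, since that is the only thing standing in for the removed consistency check: `// PERMISSION_READ_CHANNEL and PERMISSION_VIEW_TEAM are both verified above before any lookup, so a mismatched teamId can presumably only widen OutOfChannel to a team the caller is already entitled to view.` Note also that the removed branch answered a mismatch with http.StatusUnauthorized, whereas the new path returns whatever SetPermissionError produces (the updated test pins it to api.context.permissions.app_error), so any client relying on the old status code will see a different response. autocompleteUsers starts before and continues past this hunk.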
@@ -618,11 +616,6 @@ func autocompleteUsers(c *Context, w http.ResponseWriter, r *http.Request) {
 		autocomplete.Users = result.InChannel
 		autocomplete.OutOfChannel = result.OutOfChannel
 	} else if len(teamId) > 0 {
-		if !c.App.SessionHasPermissionToTeam(c.Session, teamId, model.PERMISSION_VIEW_TEAM) {
-			c.SetPermissionError(model.PERMISSION_VIEW_TEAM)
-			return
-		}
-
 		result, err := c.App.AutocompleteUsersInTeam(teamId, name, searchOptions, c.IsSystemAdmin())
 		if err != nil {
 			c.Err = err
diff --git a/api4/user_test.go b/api4/user_test.go
index d50dfa3b6..405102373 100644
--- a/api4/user_test.go
+++ b/api4/user_test.go
@@ -873,9 +873,9 @@ func TestAutocompleteUsers(t *testing.T) {
 		t.Fatal("should not show first/last name")
 	}
 
-	t.Run("team id, if provided, must match channel's team id", func(t *testing.T) {
+	t.Run("user must have access to team id, especially when it does not match channel's team id", func(t *testing.T) {
 		rusers, resp = Client.AutocompleteUsersInChannel("otherTeamId", channelId, username, "")
-		CheckErrorMessage(t, resp, "api.user.autocomplete_users.invalid_team_id")
+		CheckErrorMessage(t, resp, "api.context.permissions.app_error")
 	})
 }
 
-- 
cgit v1.2.3-1-g7c22
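Review bot: The renamed subtest still only sends the literal `"otherTeamId"`, which is not a real team, so it cannot distinguish "caller lacks PERMISSION_VIEW_TEAM" from "team does not exist", and it adds no positive case for what the commit sets out to allow. A stronger test would use a real second team the caller is not a member of (via the test helper's team-creation routine, if one exists) and keep the `api.context.permissions.app_error` assertion, then add the permitted case, e.g. `rusers, resp = Client.AutocompleteUsersInChannel(teamId, channelId, username, "")` followed by `CheckNoError(t, resp)`, and ideally the same call against a DM or GM channel, which is the motivating scenario in the commit message. Which fixture variables (teamId, channelId) are in scope is inferred from the visible calls, since TestAutocompleteUsers starts before this hunk.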