From 15ad24d160cb4604d0605ebbfa53d11a57820706 Mon Sep 17 00:00:00 2001 From: JoramWilander Date: Thu, 6 Jul 2017 17:28:38 -0400 Subject: Minor fix --- api4/oauth.go | 8 ++++---- api4/user.go | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) (limited to 'api4') diff --git a/api4/oauth.go b/api4/oauth.go index 402651b92..d00b4a666 100644 --- a/api4/oauth.go +++ b/api4/oauth.go @@ -400,7 +400,7 @@ func completeOAuth(c *Context, w http.ResponseWriter, r *http.Request) { uri := c.GetSiteURLHeader() + "/signup/" + service + "/complete" - body, teamId, props, err := app.AuthorizeOAuthUser(service, code, state, uri) + body, teamId, props, err := app.AuthorizeOAuthUser(w, r, service, code, state, uri) if err != nil { c.Err = err return @@ -455,7 +455,7 @@ func loginWithOAuth(c *Context, w http.ResponseWriter, r *http.Request) { return } - if authUrl, err := app.GetOAuthLoginEndpoint(c.Params.Service, teamId, model.OAUTH_ACTION_LOGIN, redirectTo, loginHint); err != nil { + if authUrl, err := app.GetOAuthLoginEndpoint(w, r, c.Params.Service, teamId, model.OAUTH_ACTION_LOGIN, redirectTo, loginHint); err != nil { c.Err = err return } else { @@ -475,7 +475,7 @@ func mobileLoginWithOAuth(c *Context, w http.ResponseWriter, r *http.Request) { return } - if authUrl, err := app.GetOAuthLoginEndpoint(c.Params.Service, teamId, model.OAUTH_ACTION_MOBILE, "", ""); err != nil { + if authUrl, err := app.GetOAuthLoginEndpoint(w, r, c.Params.Service, teamId, model.OAUTH_ACTION_MOBILE, "", ""); err != nil { c.Err = err return } else { @@ -500,7 +500,7 @@ func signupWithOAuth(c *Context, w http.ResponseWriter, r *http.Request) { return } - if authUrl, err := app.GetOAuthSignupEndpoint(c.Params.Service, teamId); err != nil { + if authUrl, err := app.GetOAuthSignupEndpoint(w, r, c.Params.Service, teamId); err != nil { c.Err = err return } else { diff --git a/api4/user.go b/api4/user.go index 04faf13c4..f13c33f0b 100644 --- a/api4/user.go +++ b/api4/user.go @@ -1056,7 +1056,7 @@ func switchAccountType(c *Context, w http.ResponseWriter, r *http.Request) { var err *model.AppError if switchRequest.EmailToOAuth() { - link, err = app.SwitchEmailToOAuth(switchRequest.Email, switchRequest.Password, switchRequest.MfaCode, switchRequest.NewService) + link, err = app.SwitchEmailToOAuth(w, r, switchRequest.Email, switchRequest.Password, switchRequest.MfaCode, switchRequest.NewService) } else if switchRequest.OAuthToEmail() { c.SessionRequired() if c.Err != nil { -- cgit v1.2.3-1-g7c22 From e5912d4f9504590d4256777b7e94686de2588a6d Mon Sep 17 00:00:00 2001 From: Christopher Speller Date: Sat, 8 Jul 2017 15:51:55 -0700 Subject: Fixing error in apiv4 flagged posts route (#6880) --- api4/post.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'api4') diff --git a/api4/post.go b/api4/post.go index 3d1077358..886b64daa 100644 --- a/api4/post.go +++ b/api4/post.go @@ -139,8 +139,8 @@ func getFlaggedPostsForUser(c *Context, w http.ResponseWriter, r *http.Request) return } - channelId := r.URL.Query().Get("in_channel") - teamId := r.URL.Query().Get("in_team") + channelId := r.URL.Query().Get("channel_id") + teamId := r.URL.Query().Get("team_id") var posts *model.PostList var err *model.AppError -- cgit v1.2.3-1-g7c22 From 2bfd7be8d1479a7b3c4099548af14bd227ccb5d1 Mon Sep 17 00:00:00 2001 From: Joram Wilander Date: Mon, 10 Jul 2017 14:49:43 -0400 Subject: Minor status updates (#6889) --- api4/post.go | 2 ++ 1 file changed, 2 insertions(+) (limited to 'api4') diff --git a/api4/post.go b/api4/post.go index 886b64daa..3d0c681d1 100644 --- a/api4/post.go +++ b/api4/post.go @@ -55,6 +55,8 @@ func createPost(c *Context, w http.ResponseWriter, r *http.Request) { return } + app.SetStatusOnline(c.Session.UserId, c.Session.Id, false) + w.WriteHeader(http.StatusCreated) w.Write([]byte(rp.ToJson())) } -- cgit v1.2.3-1-g7c22 From f3acd34128a3553e3a8f7e2da85be470c73e326b Mon Sep 17 00:00:00 2001 From: Joram Wilander Date: Mon, 10 Jul 2017 14:52:59 -0400 Subject: Redirect OAuth SSO errors to error page (#6898) --- api4/oauth.go | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) (limited to 'api4') diff --git a/api4/oauth.go b/api4/oauth.go index d00b4a666..05a38d206 100644 --- a/api4/oauth.go +++ b/api4/oauth.go @@ -392,7 +392,9 @@ func completeOAuth(c *Context, w http.ResponseWriter, r *http.Request) { code := r.URL.Query().Get("code") if len(code) == 0 { - c.Err = model.NewAppError("completeOAuth", "api.oauth.complete_oauth.missing_code.app_error", map[string]interface{}{"service": strings.Title(service)}, "URL: "+r.URL.String(), http.StatusBadRequest) + err := model.NewAppError("completeOAuth", "api.oauth.complete_oauth.missing_code.app_error", map[string]interface{}{"service": strings.Title(service)}, "URL: "+r.URL.String(), http.StatusBadRequest) + err.Translate(c.T) + http.Redirect(w, r, c.GetSiteURLHeader()+"/error?message="+err.Message, http.StatusTemporaryRedirect) return } @@ -402,13 +404,17 @@ func completeOAuth(c *Context, w http.ResponseWriter, r *http.Request) { body, teamId, props, err := app.AuthorizeOAuthUser(w, r, service, code, state, uri) if err != nil { - c.Err = err + err.Translate(c.T) + l4g.Error(err.Error()) + http.Redirect(w, r, c.GetSiteURLHeader()+"/error?message="+err.Message, http.StatusTemporaryRedirect) return } user, err := app.CompleteOAuth(service, body, teamId, props) if err != nil { - c.Err = err + err.Translate(c.T) + l4g.Error(err.Error()) + http.Redirect(w, r, c.GetSiteURLHeader()+"/error?message="+err.Message, http.StatusTemporaryRedirect) return } -- cgit v1.2.3-1-g7c22 From 2bf64b54c236945727a2d93afb57b1665d1daa7a Mon Sep 17 00:00:00 2001 From: George Goldberg Date: Wed, 12 Jul 2017 14:13:25 +0100 Subject: PLT-7025: Fix Slack Import API. (#6905) --- api4/team.go | 8 ++++---- api4/team_test.go | 8 +++++++- 2 files changed, 11 insertions(+), 5 deletions(-) (limited to 'api4') diff --git a/api4/team.go b/api4/team.go index 1cbd89481..98a672d93 100644 --- a/api4/team.go +++ b/api4/team.go @@ -5,7 +5,7 @@ package api4 import ( "bytes" - "io" + "encoding/base64" "net/http" "strconv" @@ -657,12 +657,12 @@ func importTeam(c *Context, w http.ResponseWriter, r *http.Request) { } } - w.Header().Set("Content-Disposition", "attachment; filename=MattermostImportLog.txt") - w.Header().Set("Content-Type", "application/octet-stream") + data := map[string]string{} + data["results"] = base64.StdEncoding.EncodeToString([]byte(log.Bytes())) if c.Err != nil { w.WriteHeader(c.Err.StatusCode) } - io.Copy(w, bytes.NewReader(log.Bytes())) + w.Write([]byte(model.MapToJson(data))) } func inviteUsersToTeam(c *Context, w http.ResponseWriter, r *http.Request) { diff --git a/api4/team_test.go b/api4/team_test.go index b517f67fe..440b2feb2 100644 --- a/api4/team_test.go +++ b/api4/team_test.go @@ -15,6 +15,7 @@ import ( "github.com/mattermost/platform/app" "github.com/mattermost/platform/model" "github.com/mattermost/platform/utils" + "encoding/base64" ) func TestCreateTeam(t *testing.T) { @@ -1345,7 +1346,12 @@ func TestImportTeam(t *testing.T) { fileResp, resp := th.SystemAdminClient.ImportTeam(data, binary.Size(data), "slack", "Fake_Team_Import.zip", th.BasicTeam.Id) CheckNoError(t, resp) - fileReturned := fmt.Sprintf("%s", fileResp) + fileData, err := base64.StdEncoding.DecodeString(fileResp["results"]) + if err != nil { + t.Fatal("failed to decode base64 results data") + } + + fileReturned := fmt.Sprintf("%s", fileData) if !strings.Contains(fileReturned, "darth.vader@stardeath.com") { t.Log(fileReturned) t.Fatal("failed to report the user was imported") -- cgit v1.2.3-1-g7c22 From a20ddb40476837f8686d9f73b449920f4e465d4a Mon Sep 17 00:00:00 2001 From: Harrison Healey Date: Fri, 14 Jul 2017 14:42:08 -0400 Subject: Fixed downloading of image files (#6934) * Fixed downloading of image files * Fixed captitalization * Fixed missing import * Rename image to media --- api4/file.go | 93 ++++++++++++++++++++++++++++++++++++++++-------------------- 1 file changed, 62 insertions(+), 31 deletions(-) (limited to 'api4') diff --git a/api4/file.go b/api4/file.go index a395fff65..4b39a1812 100644 --- a/api4/file.go +++ b/api4/file.go @@ -7,6 +7,7 @@ import ( "net/http" "net/url" "strconv" + "strings" l4g "github.com/alecthomas/log4go" "github.com/mattermost/platform/app" @@ -18,6 +19,27 @@ const ( FILE_TEAM_ID = "noteam" ) +var UNSAFE_CONTENT_TYPES = [...]string{ + "application/javascript", + "application/ecmascript", + "text/javascript", + "text/ecmascript", + "application/x-javascript", + "text/html", +} + +var MEDIA_CONTENT_TYPES = [...]string{ + "image/jpeg", + "image/png", + "image/bmp", + "image/gif", + "video/avi", + "video/mpeg", + "video/mp4", + "audio/mpeg", + "audio/wav", +} + func InitFile() { l4g.Debug(utils.T("api.file.init.debug")) @@ -82,9 +104,9 @@ func getFile(c *Context, w http.ResponseWriter, r *http.Request) { return } - toDownload, failConv := strconv.ParseBool(r.URL.Query().Get("download")) - if failConv != nil { - toDownload = false + forceDownload, convErr := strconv.ParseBool(r.URL.Query().Get("download")) + if convErr != nil { + forceDownload = false } info, err := app.GetFileInfo(c.Params.FileId) @@ -105,22 +127,7 @@ func getFile(c *Context, w http.ResponseWriter, r *http.Request) { return } - contentTypeToCheck := []string{"image/jpeg", "image/png", "image/bmp", "image/gif", - "video/avi", "video/mpeg", "audio/mpeg3", "audio/wav"} - - contentType := http.DetectContentType(data) - foundContentType := false - for _, contentTypeFromList := range contentTypeToCheck { - if contentType == contentTypeFromList && toDownload == false { - foundContentType = true - break - } - } - if !foundContentType { - toDownload = true - } - - err = writeFileResponse(info.Name, info.MimeType, data, toDownload, w, r) + err = writeFileResponse(info.Name, info.MimeType, data, forceDownload, w, r) if err != nil { c.Err = err return @@ -133,9 +140,9 @@ func getFileThumbnail(c *Context, w http.ResponseWriter, r *http.Request) { return } - toDownload, failConv := strconv.ParseBool(r.URL.Query().Get("download")) - if failConv != nil { - toDownload = false + forceDownload, convErr := strconv.ParseBool(r.URL.Query().Get("download")) + if convErr != nil { + forceDownload = false } info, err := app.GetFileInfo(c.Params.FileId) @@ -158,7 +165,7 @@ func getFileThumbnail(c *Context, w http.ResponseWriter, r *http.Request) { if data, err := app.ReadFile(info.ThumbnailPath); err != nil { c.Err = err c.Err.StatusCode = http.StatusNotFound - } else if err := writeFileResponse(info.Name, info.MimeType, data, toDownload, w, r); err != nil { + } else if err := writeFileResponse(info.Name, info.MimeType, data, forceDownload, w, r); err != nil { c.Err = err return } @@ -205,9 +212,9 @@ func getFilePreview(c *Context, w http.ResponseWriter, r *http.Request) { return } - toDownload, failConv := strconv.ParseBool(r.URL.Query().Get("download")) - if failConv != nil { - toDownload = false + forceDownload, convErr := strconv.ParseBool(r.URL.Query().Get("download")) + if convErr != nil { + forceDownload = false } info, err := app.GetFileInfo(c.Params.FileId) @@ -230,7 +237,7 @@ func getFilePreview(c *Context, w http.ResponseWriter, r *http.Request) { if data, err := app.ReadFile(info.PreviewPath); err != nil { c.Err = err c.Err.StatusCode = http.StatusNotFound - } else if err := writeFileResponse(info.Name, info.MimeType, data, toDownload, w, r); err != nil { + } else if err := writeFileResponse(info.Name, info.MimeType, data, forceDownload, w, r); err != nil { c.Err = err return } @@ -298,14 +305,38 @@ func getPublicFile(c *Context, w http.ResponseWriter, r *http.Request) { } } -func writeFileResponse(filename string, contentType string, bytes []byte, toDownload bool, w http.ResponseWriter, r *http.Request) *model.AppError { +func writeFileResponse(filename string, contentType string, bytes []byte, forceDownload bool, w http.ResponseWriter, r *http.Request) *model.AppError { w.Header().Set("Cache-Control", "max-age=2592000, private") w.Header().Set("Content-Length", strconv.Itoa(len(bytes))) + w.Header().Set("X-Content-Type-Options", "nosniff") - if contentType != "" { - w.Header().Set("Content-Type", contentType) + if contentType == "" { + contentType = "application/octet-stream" } else { - w.Header().Del("Content-Type") // Content-Type will be set automatically by the http writer + for _, unsafeContentType := range UNSAFE_CONTENT_TYPES { + if strings.HasPrefix(contentType, unsafeContentType) { + contentType = "text/plain" + break + } + } + } + + w.Header().Set("Content-Type", contentType) + + var toDownload bool + if forceDownload { + toDownload = true + } else { + isMediaType := false + + for _, mediaContentType := range MEDIA_CONTENT_TYPES { + if strings.HasPrefix(contentType, mediaContentType) { + isMediaType = true + break + } + } + + toDownload = !isMediaType } if toDownload { -- cgit v1.2.3-1-g7c22 From 9a23519d07664f252fe5a568034abf6b720511d0 Mon Sep 17 00:00:00 2001 From: Harrison Healey Date: Fri, 14 Jul 2017 17:06:59 -0400 Subject: PLT-6983 Allowed team invite IDs of arbitrary lengths to match API v3 (#6944) --- api4/context.go | 2 +- api4/team_test.go | 13 ++++++++++--- 2 files changed, 11 insertions(+), 4 deletions(-) (limited to 'api4') diff --git a/api4/context.go b/api4/context.go index 06eee6715..61c318266 100644 --- a/api4/context.go +++ b/api4/context.go @@ -355,7 +355,7 @@ func (c *Context) RequireInviteId() *Context { return c } - if len(c.Params.InviteId) != 26 { + if len(c.Params.InviteId) == 0 { c.SetInvalidUrlParam("invite_id") } return c diff --git a/api4/team_test.go b/api4/team_test.go index 440b2feb2..421428afa 100644 --- a/api4/team_test.go +++ b/api4/team_test.go @@ -12,10 +12,10 @@ import ( "strings" "testing" + "encoding/base64" "github.com/mattermost/platform/app" "github.com/mattermost/platform/model" "github.com/mattermost/platform/utils" - "encoding/base64" ) func TestCreateTeam(t *testing.T) { @@ -1475,7 +1475,7 @@ func TestInviteUsersToTeam(t *testing.T) { } func TestGetTeamInviteInfo(t *testing.T) { - th := Setup().InitBasic() + th := Setup().InitBasic().InitSystemAdmin() defer TearDown() Client := th.Client team := th.BasicTeam @@ -1491,6 +1491,13 @@ func TestGetTeamInviteInfo(t *testing.T) { t.Fatal("should be empty") } + team.InviteId = "12345678901234567890123456789012" + team, resp = th.SystemAdminClient.UpdateTeam(team) + CheckNoError(t, resp) + + team, resp = Client.GetTeamInviteInfo(team.InviteId) + CheckNoError(t, resp) + _, resp = Client.GetTeamInviteInfo("junk") - CheckBadRequestStatus(t, resp) + CheckNotFoundStatus(t, resp) } -- cgit v1.2.3-1-g7c22