From 6b7a35b653cbb3fdcd27a542c8a7faec4352d153 Mon Sep 17 00:00:00 2001
From: Jesse Hallam
Date: Thu, 5 Jul 2018 03:17:43 -0400
Subject: MM-11118: disallow deleting direct or group channels (#9054)

---
 api4/channel.go      |  5 +++++
 api4/channel_test.go | 38 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+)
(limited to 'api4')

diff --git a/api4/channel.go b/api4/channel.go
index cb9112677..1afadf39b 100644
--- a/api4/channel.go
+++ b/api4/channel.go
@@ -638,6 +638,11 @@ func deleteChannel(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if channel.Type == model.CHANNEL_DIRECT || channel.Type == model.CHANNEL_GROUP {
+		c.Err = model.NewAppError("deleteChannel", "api.channel.delete_channel.type.invalid", nil, "", http.StatusBadRequest)
+		return
+	}
+
 	if channel.Type == model.CHANNEL_OPEN && !c.App.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_DELETE_PUBLIC_CHANNEL) {
 		c.SetPermissionError(model.PERMISSION_DELETE_PUBLIC_CHANNEL)
 		return
diff --git a/api4/channel_test.go b/api4/channel_test.go
index d66c2a640..ab751f151 100644
--- a/api4/channel_test.go
+++ b/api4/channel_test.go
@@ -16,6 +16,7 @@ import (
 	"github.com/mattermost/mattermost-server/model"
 	"github.com/mattermost/mattermost-server/utils"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func TestCreateChannel(t *testing.T) {
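Review bot: The new type guard in deleteChannel passes an empty `""` details string to NewAppError, so the rejected request leaves no record of which channel was refused; `c.Err = model.NewAppError("deleteChannel", "api.channel.delete_channel.type.invalid", nil, "channel_id="+channel.Id+", type="+channel.Type, http.StatusBadRequest)` would give the log entry the id and type. The guard sits ahead of the per-type permission checks, presumably on purpose so that even a session holding the delete permissions cannot remove a DM or group channel; a one-line comment above the `if` stating that intent would stop a later refactor from moving it below the permission checks. deleteChannel starts outside the hunk, so whether membership in the channel has already been verified before its type is reported to the caller cannot be seen here.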
@@ -320,6 +321,23 @@ func TestCreateDirectChannel(t *testing.T) {
 	CheckNoError(t, resp)
 }
 
+func TestDeleteDirectChannel(t *testing.T) {
+	th := Setup().InitBasic().InitSystemAdmin()
+	defer th.TearDown()
+	Client := th.Client
+	user := th.BasicUser
+	user2 := th.BasicUser2
+
+	rgc, resp := Client.CreateDirectChannel(user.Id, user2.Id)
+	CheckNoError(t, resp)
+	CheckCreatedStatus(t, resp)
+	require.NotNil(t, rgc, "should have created a direct channel")
+
+	deleted, resp := Client.DeleteChannel(rgc.Id)
+	CheckErrorMessage(t, resp, "api.channel.delete_channel.type.invalid")
+	require.False(t, deleted, "should not have been able to delete direct channel.")
+}
+
 func TestCreateGroupChannel(t *testing.T) {
 	th := Setup().InitBasic().InitSystemAdmin()
 	defer th.TearDown()
@@ -392,6 +410,26 @@ func TestCreateGroupChannel(t *testing.T) {
 	CheckNoError(t, resp)
 }
 
+func TestDeleteGroupChannel(t *testing.T) {
+	th := Setup().InitBasic().InitSystemAdmin()
+	defer th.TearDown()
+	Client := th.Client
+	user := th.BasicUser
+	user2 := th.BasicUser2
+	user3 := th.CreateUser()
+
+	userIds := []string{user.Id, user2.Id, user3.Id}
+
+	rgc, resp := Client.CreateGroupChannel(userIds)
+	CheckNoError(t, resp)
+	CheckCreatedStatus(t, resp)
+	require.NotNil(t, rgc, "should have created a group channel")
+
+	deleted, resp := Client.DeleteChannel(rgc.Id)
+	CheckErrorMessage(t, resp, "api.channel.delete_channel.type.invalid")
+	require.False(t, deleted, "should not have been able to delete group channel.")
+}
+
 func TestGetChannel(t *testing.T) {
 	th := Setup().InitBasic().InitSystemAdmin()
 	defer th.TearDown()
-- cgit v1.2.3-1-g7c22

From 9e5ec7d09d4c51e278f17f25fb6c0f3484b50a3b Mon Sep 17 00:00:00 2001
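Review bot: TestDeleteDirectChannel checks the error id and the `deleted` flag but neither the HTTP status the handler sets nor that the channel is still there afterwards; adding `CheckBadRequestStatus(t, resp)` after the `CheckErrorMessage` line and a follow-up `Client.GetChannel(rgc.Id, "")` with `CheckNoError` would pin both. The harness is built with `InitSystemAdmin()` yet only `th.Client` attempts the delete, so the case the server-side guard exists for — a session that does hold the delete permissions still being refused for a DM — goes untested; a second `DeleteChannel(rgc.Id)` through `th.SystemAdminClient` expecting the same error would close that gap. TestDeleteGroupChannel in the following hunk has the same shape and would take the same additions.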
From: Saturnino Abril
Date: Fri, 6 Jul 2018 21:07:42 +0800
Subject: [MM-10754] Remove unnecessary command_test route (#9050)

* remove unnecessary command_test route

* replaced localhost with ts.URL
---
 api4/command.go      | 26 --------------
 api4/command_test.go | 96 ++++++++++++++++++++++++++++++++++++++++++++--------
 2 files changed, 81 insertions(+), 41 deletions(-)
(limited to 'api4')

diff --git a/api4/command.go b/api4/command.go
index 3ab2839ba..69efee010 100644
--- a/api4/command.go
+++ b/api4/command.go
@@ -4,7 +4,6 @@
 package api4
 
 import (
-	"io/ioutil"
 	"net/http"
 	"strconv"
 	"strings"
@@ -22,9 +21,6 @@ func (api *API) InitCommand() {
 	api.BaseRoutes.Team.Handle("/commands/autocomplete", api.ApiSessionRequired(listAutocompleteCommands)).Methods("GET")
 
 	api.BaseRoutes.Command.Handle("/regen_token", api.ApiSessionRequired(regenCommandToken)).Methods("PUT")
-
-	api.BaseRoutes.Teams.Handle("/command_test", api.ApiHandler(testCommand)).Methods("POST")
-	api.BaseRoutes.Teams.Handle("/command_test", api.ApiHandler(testCommand)).Methods("GET")
 }
 
 func createCommand(c *Context, w http.ResponseWriter, r *http.Request) {
@@ -291,25 +287,3 @@ func regenCommandToken(c *Context, w http.ResponseWriter, r *http.Request) {
 
 	w.Write([]byte(model.MapToJson(resp)))
 }
-
-func testCommand(c *Context, w http.ResponseWriter, r *http.Request) {
-	r.ParseForm()
-
-	msg := ""
-	if r.Method == "POST" {
-		msg = msg + "\ntoken=" + r.FormValue("token")
-		msg = msg + "\nteam_domain=" + r.FormValue("team_domain")
-	} else {
-		body, _ := ioutil.ReadAll(r.Body)
-		msg = string(body)
-	}
-
-	rc := &model.CommandResponse{
-		Text:         "test command response " + msg,
-		ResponseType: model.COMMAND_RESPONSE_TYPE_IN_CHANNEL,
-		Type:         "custom_test",
-		Props:        map[string]interface{}{"someprop": "somevalue"},
-	}
-
-	w.Write([]byte(rc.ToJson()))
-}
diff --git a/api4/command_test.go b/api4/command_test.go
index 0d37d7440..96025c063 100644
--- a/api4/command_test.go
+++ b/api4/command_test.go
@@ -4,7 +4,6 @@
 package api4
 
 import (
-	"fmt"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
@@ -423,7 +422,7 @@ func TestExecuteInvalidCommand(t *testing.T) {
 	getCmd := &model.Command{
 		CreatorId: th.BasicUser.Id,
 		TeamId:    th.BasicTeam.Id,
-		URL:       fmt.Sprintf("%s/%s/teams/command_test", ts.URL, model.API_URL_SUFFIX_V4),
+		URL:       ts.URL,
 		Method:    model.COMMAND_METHOD_GET,
 		Trigger:   "getcommand",
 	}
@@ -501,7 +500,7 @@ func TestExecuteGetCommand(t *testing.T) {
 	getCmd := &model.Command{
 		CreatorId: th.BasicUser.Id,
 		TeamId:    th.BasicTeam.Id,
-		URL:       fmt.Sprintf("%s/%s/teams/command_test", ts.URL, model.API_URL_SUFFIX_V4),
+		URL:       ts.URL,
 		Method:    model.COMMAND_METHOD_GET,
 		Trigger:   "getcommand",
 		Token:     token,
@@ -556,16 +555,16 @@ func TestExecutePostCommand(t *testing.T) {
 	}))
 	defer ts.Close()
 
-	getCmd := &model.Command{
+	postCmd := &model.Command{
 		CreatorId: th.BasicUser.Id,
 		TeamId:    th.BasicTeam.Id,
-		URL:       fmt.Sprintf("%s/%s/teams/command_test", ts.URL, model.API_URL_SUFFIX_V4),
+		URL:       ts.URL,
 		Method:    model.COMMAND_METHOD_POST,
 		Trigger:   "postcommand",
 		Token:     token,
 	}
 
-	if _, err := th.App.CreateCommand(getCmd); err != nil {
+	if _, err := th.App.CreateCommand(postCmd); err != nil {
 		t.Fatal("failed to create get command")
 	}
 
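Review bot: The fatal message in the TestExecutePostCommand hunk still says "get command" although the variable was just renamed to postCmd, so a setup failure in this test would be reported with the wrong wording; change the line to `t.Fatal("failed to create post command")`. The two earlier hunks in this file only swap the URL for `ts.URL` and need nothing further. TestExecutePostCommand continues outside the hunk.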
@@ -592,14 +591,29 @@ func TestExecuteCommandAgainstChannelOnAnotherTeam(t *testing.T) {
 		})
 	}()
 	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableCommands = true })
-	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.AllowedUntrustedInternalConnections = "localhost" })
+	th.App.UpdateConfig(func(cfg *model.Config) {
+		*cfg.ServiceSettings.AllowedUntrustedInternalConnections = "localhost 127.0.0.1"
+	})
+
+	expectedCommandResponse := &model.CommandResponse{
+		Text:         "test post command response",
+		ResponseType: model.COMMAND_RESPONSE_TYPE_IN_CHANNEL,
+		Type:         "custom_test",
+		Props:        map[string]interface{}{"someprop": "somevalue"},
+	}
+
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		w.Write([]byte(expectedCommandResponse.ToJson()))
+	}))
+	defer ts.Close()
 
 	// create a slash command on some other team where we have permission to do so
 	team2 := th.CreateTeam()
 	postCmd := &model.Command{
 		CreatorId: th.BasicUser.Id,
 		TeamId:    team2.Id,
-		URL:       fmt.Sprintf("http://localhost:%v", th.App.Srv.ListenAddr.Port) + model.API_URL_SUFFIX_V4 + "/teams/command_test",
+		URL:       ts.URL,
 		Method:    model.COMMAND_METHOD_POST,
 		Trigger:   "postcommand",
 	}
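Review bot: The httptest handler added in TestExecuteCommandAgainstChannelOnAnotherTeam answers whatever arrives without checking it, while the handlers added further down for TestExecuteCommandInDirectMessageChannel and TestExecuteCommandInTeamUserIsNotOn assert the method and form fields; putting `require.Equal(t, http.MethodPost, r.Method)` as the first line of this handler, and of the one in TestExecuteCommandAgainstChannelUserIsNotIn, would make the four fixtures consistent. The same expectedCommandResponse literal and server setup is now repeated in all four tests, so a small helper returning the server and the expected response would keep the fixture in one place. The allowlist is widened to `"localhost 127.0.0.1"`, presumably because httptest's URL carries the loopback IP rather than the host name; a short comment on that line would keep someone from narrowing it back to `"localhost"` later. The function continues past the hunk, so how expectedCommandResponse is compared with the actual response is not visible here.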
@@ -627,14 +641,29 @@ func TestExecuteCommandAgainstChannelUserIsNotIn(t *testing.T) {
 		})
 	}()
 	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableCommands = true })
-	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.AllowedUntrustedInternalConnections = "localhost" })
+	th.App.UpdateConfig(func(cfg *model.Config) {
+		*cfg.ServiceSettings.AllowedUntrustedInternalConnections = "localhost 127.0.0.1"
+	})
+
+	expectedCommandResponse := &model.CommandResponse{
+		Text:         "test post command response",
+		ResponseType: model.COMMAND_RESPONSE_TYPE_IN_CHANNEL,
+		Type:         "custom_test",
+		Props:        map[string]interface{}{"someprop": "somevalue"},
+	}
+
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		w.Write([]byte(expectedCommandResponse.ToJson()))
+	}))
+	defer ts.Close()
 
 	// create a slash command on some other team where we have permission to do so
 	team2 := th.CreateTeam()
 	postCmd := &model.Command{
 		CreatorId: th.BasicUser.Id,
 		TeamId:    team2.Id,
-		URL:       fmt.Sprintf("http://localhost:%v", th.App.Srv.ListenAddr.Port) + model.API_URL_SUFFIX_V4 + "/teams/command_test",
+		URL:       ts.URL,
 		Method:    model.COMMAND_METHOD_POST,
 		Trigger:   "postcommand",
 	}
@@ -667,14 +696,32 @@ func TestExecuteCommandInDirectMessageChannel(t *testing.T) {
 		})
 	}()
 	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableCommands = true })
-	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.AllowedUntrustedInternalConnections = "localhost" })
+	th.App.UpdateConfig(func(cfg *model.Config) {
+		*cfg.ServiceSettings.AllowedUntrustedInternalConnections = "localhost 127.0.0.1"
+	})
 
-	// create a slash command on some other team where we have permission to do so
+	// create a team that the user isn't a part of
 	team2 := th.CreateTeam()
+
+	expectedCommandResponse := &model.CommandResponse{
+		Text:         "test post command response",
+		ResponseType: model.COMMAND_RESPONSE_TYPE_IN_CHANNEL,
+		Type:         "custom_test",
+		Props:        map[string]interface{}{"someprop": "somevalue"},
+	}
+
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		require.Equal(t, http.MethodPost, r.Method)
+		w.Header().Set("Content-Type", "application/json")
+		w.Write([]byte(expectedCommandResponse.ToJson()))
+	}))
+	defer ts.Close()
+
+	// create a slash command on some other team where we have permission to do so
 	postCmd := &model.Command{
 		CreatorId: th.BasicUser.Id,
 		TeamId:    team2.Id,
-		URL:       fmt.Sprintf("http://localhost:%v", th.App.Srv.ListenAddr.Port) + model.API_URL_SUFFIX_V4 + "/teams/command_test",
+		URL:       ts.URL,
 		Method:    model.COMMAND_METHOD_POST,
 		Trigger:   "postcommand",
 	}
@@ -709,16 +756,35 @@ func TestExecuteCommandInTeamUserIsNotOn(t *testing.T) {
 		})
 	}()
 	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableCommands = true })
-	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.AllowedUntrustedInternalConnections = "localhost" })
+	th.App.UpdateConfig(func(cfg *model.Config) {
+		*cfg.ServiceSettings.AllowedUntrustedInternalConnections = "localhost 127.0.0.1"
+	})
 
 	// create a team that the user isn't a part of
 	team2 := th.CreateTeam()
 
+	expectedCommandResponse := &model.CommandResponse{
+		Text:         "test post command response",
+		ResponseType: model.COMMAND_RESPONSE_TYPE_IN_CHANNEL,
+		Type:         "custom_test",
+		Props:        map[string]interface{}{"someprop": "somevalue"},
+	}
+
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		require.Equal(t, http.MethodPost, r.Method)
+		r.ParseForm()
+		require.Equal(t, team2.Name, r.FormValue("team_domain"))
+
+		w.Header().Set("Content-Type", "application/json")
+		w.Write([]byte(expectedCommandResponse.ToJson()))
+	}))
+	defer ts.Close()
+
 	// create a slash command on that team
 	postCmd := &model.Command{
 		CreatorId: th.BasicUser.Id,
 		TeamId:    team2.Id,
-		URL:       fmt.Sprintf("http://localhost:%v", th.App.Srv.ListenAddr.Port) + model.API_URL_SUFFIX_V4 + "/teams/command_test",
+		URL:       ts.URL,
 		Method:    model.COMMAND_METHOD_POST,
 		Trigger:   "postcommand",
 	}
-- cgit v1.2.3-1-g7c22