From 74e5d8ae66186a82e8afdd845a108d6a662751d7 Mon Sep 17 00:00:00 2001
From: Christopher Speller
Date: Tue, 10 Jul 2018 01:54:25 -0700
Subject: MM-11120 Adding setting to disable email invitations and rate limiting. (#9063)
* Adding setting to disable email invitations.
* Adding a setting and rate limiting for email invite sending.
* Modifying email rate limit to 20/user/hour
* Adding EnableEmailInvitations to client side config and command.
---
 api4/team_test.go | 9 +++++++++
 1 file changed, 9 insertions(+)
(limited to 'api4')
diff --git a/api4/team_test.go b/api4/team_test.go
index 48e3404eb..307e91635 100644
--- a/api4/team_test.go
+++ b/api4/team_test.go
@@ -1935,6 +1935,15 @@ func TestInviteUsersToTeam(t *testing.T) {
 utils.DeleteMailBox(user1)
 utils.DeleteMailBox(user2)
+ th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableEmailInvitations = false })
+
+ _, resp := th.SystemAdminClient.InviteUsersToTeam(th.BasicTeam.Id, emailList)
+ if resp.Error == nil {
+ t.Fatal("Should be disabled")
+ }
+
+ th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableEmailInvitations = true })
+
 okMsg, resp := th.SystemAdminClient.InviteUsersToTeam(th.BasicTeam.Id, emailList)
 CheckNoError(t, resp)
 if !okMsg {
--
cgit v1.2.3-1-g7c22
From 602fd0ffdd5b6cfcf99363921960f02f1bd0d6ee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jes=C3=BAs=20Espino?=
Date: Tue, 10 Jul 2018 10:55:24 +0200
Subject: MM-11189: Do not close the connection abruptly on too big emojis (#9071)
---
 api4/emoji.go | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'api4')
diff --git a/api4/emoji.go b/api4/emoji.go
index 42f66a22a..750f4b6e9 100644
--- a/api4/emoji.go
+++ b/api4/emoji.go
@@ -4,6 +4,8 @@ package api4
 import (
+ "io"
+ "io/ioutil"
 "net/http"
 "strings"
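Review bot: The disabled-invitations assertion `if resp.Error == nil { t.Fatal("Should be disabled") }` accepts any error at all, so a failure in the mail path or a 5xx from the server would satisfy it just as well as the intended rejection; asserting the specific status the handler returns when the setting is off (with the matching Check*Status helper, the way the enabled path right below uses CheckNoError) would pin the behavior this commit introduces. The second UpdateConfig call that restores EnableEmailInvitations is skipped if the test fails in between, so if the helper state is shared with later checks they would run with invitations disabled; `defer th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableEmailInvitations = true })` before the first toggle keeps the test self-contained. TestInviteUsersToTeam starts and ends outside the hunk.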
@@ -28,6 +30,8 @@ func (api *API) InitEmoji() {
 }
 func createEmoji(c *Context, w http.ResponseWriter, r *http.Request) {
+ defer io.Copy(ioutil.Discard, r.Body)
+
 if !*c.App.Config().ServiceSettings.EnableCustomEmoji {
 c.Err = model.NewAppError("createEmoji", "api.emoji.disabled.app_error", nil, "", http.StatusNotImplemented)
 return
--
cgit v1.2.3-1-g7c22
From 2d16a71af9bff88d89244279849f8129a326a0e1 Mon Sep 17 00:00:00 2001
From: George Goldberg
Date: Tue, 10 Jul 2018 09:55:46 +0100
Subject: MM-11228: Fix channel update/patch API endpoints. (#9073)
---
 api4/channel.go | 63 +++++++++++++++++++++++++++++++++++-----------------
 api4/channel_test.go | 58 ++++++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 100 insertions(+), 21 deletions(-)
(limited to 'api4')
diff --git a/api4/channel.go b/api4/channel.go
index 1afadf39b..7505d899b 100644
--- a/api4/channel.go
+++ b/api4/channel.go
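Review bot: The deferred `io.Copy(ioutil.Discard, r.Body)` at the top of createEmoji drains the whole request body with no upper bound, so a request that the handler rejects immediately (the EnableCustomEmoji check right below it, or any later validation) still has its entire body read before the response is finished; a client can send an arbitrarily large body and keep the handler busy for the whole upload, which is the opposite trade-off from the abrupt close the commit is fixing. Bounding the drain, `defer io.CopyN(ioutil.Discard, r.Body, <MAX_DRAIN_BYTES placeholder>)`, with the limit tied to the configured maximum emoji upload size, or wrapping r.Body in http.MaxBytesReader before the defer, keeps the connection reusable for well-behaved clients without reading unbounded input for misbehaving ones. The ignored return values are fine in a defer, but a one-line comment saying why the body is drained (so the client sees the error response instead of a reset) would help the next reader. createEmoji's body continues outside the hunk.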
@@ -96,12 +96,28 @@ func updateChannel(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
- if _, err = c.App.GetChannelMember(channel.Id, c.Session.UserId); err != nil {
- c.Err = err
- return
- }
+ switch oldChannel.Type {
+ case model.CHANNEL_OPEN:
+ if !c.App.SessionHasPermissionToChannel(c.Session, c.Params.ChannelId, model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES)
+ return
+ }
- if !CanManageChannel(c, channel) {
+ case model.CHANNEL_PRIVATE:
+ if !c.App.SessionHasPermissionToChannel(c.Session, c.Params.ChannelId, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES)
+ return
+ }
+
+ case model.CHANNEL_GROUP, model.CHANNEL_DIRECT:
+ // Modifying the header is not linked to any specific permission for group/dm channels, so just check for membership.
+ if _, err := c.App.GetChannelMember(channel.Id, c.Session.UserId); err != nil {
+ c.Err = model.NewAppError("updateChannel", "api.channel.patch_update_channel.forbidden.app_error", nil, "", http.StatusForbidden)
+ return
+ }
+
+ default:
+ c.Err = model.NewAppError("updateChannel", "api.channel.patch_update_channel.forbidden.app_error", nil, "", http.StatusForbidden)
+ return
 }
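Review bot: In the CHANNEL_GROUP/CHANNEL_DIRECT case the membership check is made against `channel.Id`, the id taken from the request body, while the two permission checks above it are made against `c.Params.ChannelId`; unless updateChannel (which starts outside the hunk) already rejects a body whose Id differs from the URL, the membership test and the update can be evaluated against different channels. Using `c.App.GetChannelMember(c.Params.ChannelId, c.Session.UserId)` here, as the patchChannel hunk does, removes the ambiguity. The same switch is now written out twice, here and in patchChannel, which is exactly the drift the deleted CanManageChannel helper prevented; a shared helper taking the channel type and id that sets c.Err itself would keep the two endpoints' authorization identical. Note also that any GetChannelMember error, not only a missing membership, is reported as forbidden, which is fail-closed but hides store failures behind a 403.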
@@ -205,7 +221,28 @@ func patchChannel(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
- if !CanManageChannel(c, oldChannel) {
+ switch oldChannel.Type {
+ case model.CHANNEL_OPEN:
+ if !c.App.SessionHasPermissionToChannel(c.Session, c.Params.ChannelId, model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES)
+ return
+ }
+
+ case model.CHANNEL_PRIVATE:
+ if !c.App.SessionHasPermissionToChannel(c.Session, c.Params.ChannelId, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES) {
+ c.SetPermissionError(model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES)
+ return
+ }
+
+ case model.CHANNEL_GROUP, model.CHANNEL_DIRECT:
+ // Modifying the header is not linked to any specific permission for group/dm channels, so just check for membership.
+ if _, err := c.App.GetChannelMember(c.Params.ChannelId, c.Session.UserId); err != nil {
+ c.Err = model.NewAppError("patchChannel", "api.channel.patch_update_channel.forbidden.app_error", nil, "", http.StatusForbidden)
+ return
+ }
+
+ default:
+ c.Err = model.NewAppError("patchChannel", "api.channel.patch_update_channel.forbidden.app_error", nil, "", http.StatusForbidden)
+ return
 }
@@ -255,20 +292,6 @@ func restoreChannel(c *Context, w http.ResponseWriter, r *http.Request) {
 }
-func CanManageChannel(c *Context, channel *model.Channel) bool {
- if channel.Type == model.CHANNEL_OPEN && !c.App.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES) {
- c.SetPermissionError(model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES)
- return false
- }
-
- if channel.Type == model.CHANNEL_PRIVATE && !c.App.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES) {
- c.SetPermissionError(model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES)
- return false
- }
-
- return true
-}
-
 func createDirectChannel(c *Context, w http.ResponseWriter, r *http.Request) {
 userIds := model.ArrayFromJson(r.Body)
 allowed := false
diff --git a/api4/channel_test.go b/api4/channel_test.go
index ab751f151..43223d060 100644
--- a/api4/channel_test.go
+++ b/api4/channel_test.go
@@ -209,8 +209,34 @@ func TestUpdateChannel(t *testing.T) {
 channel.DisplayName = "Should not update"
 _, resp = Client.UpdateChannel(channel)
- CheckNotFoundStatus(t, resp)
+ CheckForbiddenStatus(t, resp)
+
+ // Test updating the header of someone else's GM channel.
+ user1 := th.CreateUser()
+ user2 := th.CreateUser()
+ user3 := th.CreateUser()
+
+ groupChannel, resp := Client.CreateGroupChannel([]string{user1.Id, user2.Id})
+ CheckNoError(t, resp)
+
+ groupChannel.Header = "lolololol"
+ Client.Logout()
+ Client.Login(user3.Email, user3.Password)
+ _, resp = Client.UpdateChannel(groupChannel)
+ CheckForbiddenStatus(t, resp)
+ // Test updating the header of someone else's GM channel.
+ Client.Logout()
+ Client.Login(user.Email, user.Password)
+
+ directChannel, resp := Client.CreateDirectChannel(user.Id, user1.Id)
+ CheckNoError(t, resp)
+
+ directChannel.Header = "lolololol"
+ Client.Logout()
+ Client.Login(user3.Email, user3.Password)
+ _, resp = Client.UpdateChannel(directChannel)
+ CheckForbiddenStatus(t, resp)
 }
 func TestPatchChannel(t *testing.T) {
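Review bot: The second added comment, `// Test updating the header of someone else's GM channel.`, sits above the direct-channel case and should read `// Test updating the header of someone else's DM channel.`; the same copied comment appears above the directChannel block in the TestPatchChannel hunk. Both hunks also exercise only the deny path: user3, who is not a member, gets CheckForbiddenStatus, but nothing checks that a member (user1, or the creating user) can still change the header, so a regression that made the CHANNEL_GROUP/CHANNEL_DIRECT branch always fail would pass these tests. A positive case per channel type, logging in as user1 and expecting CheckNoError on the same update, would cover the allow branch the commit adds. `user` and `Client` are defined outside the hunk, and TestUpdateChannel starts outside it.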
@@ -267,6 +293,36 @@ func TestPatchChannel(t *testing.T) {
 _, resp = th.SystemAdminClient.PatchChannel(th.BasicPrivateChannel.Id, patch)
 CheckNoError(t, resp)
+
+ // Test updating the header of someone else's GM channel.
+ user1 := th.CreateUser()
+ user2 := th.CreateUser()
+ user3 := th.CreateUser()
+
+ groupChannel, resp := Client.CreateGroupChannel([]string{user1.Id, user2.Id})
+ CheckNoError(t, resp)
+
+ Client.Logout()
+ Client.Login(user3.Email, user3.Password)
+
+ channelPatch := &model.ChannelPatch{}
+ channelPatch.Header = new(string)
+ *channelPatch.Header = "lolololol"
+
+ _, resp = Client.PatchChannel(groupChannel.Id, channelPatch)
+ CheckForbiddenStatus(t, resp)
+
+ // Test updating the header of someone else's GM channel.
+ Client.Logout()
+ Client.Login(user.Email, user.Password)
+
+ directChannel, resp := Client.CreateDirectChannel(user.Id, user1.Id)
+ CheckNoError(t, resp)
+
+ Client.Logout()
+ Client.Login(user3.Email, user3.Password)
+ _, resp = Client.PatchChannel(directChannel.Id, channelPatch)
+ CheckForbiddenStatus(t, resp)
 }
 func TestCreateDirectChannel(t *testing.T) {
--
cgit v1.2.3-1-g7c22