From cad806703d06d8996a98b19bec353bce255ae6a1 Mon Sep 17 00:00:00 2001
From: George Goldberg
Date: Thu, 27 Sep 2018 20:15:47 +0100
Subject: MM-12013: Fix post-permission checks to cascade for DM/GM channels. (#9476)
---
 api4/apitestlib.go | 14 ++++++++++++++
 api4/post_test.go | 25 +++++++++++++++++++++++++
 2 files changed, 39 insertions(+)
(limited to 'api4')
diff --git a/api4/apitestlib.go b/api4/apitestlib.go
index 6a717faf1..37dbcad25 100644
--- a/api4/apitestlib.go
+++ b/api4/apitestlib.go
@@ -455,6 +455,20 @@ func (me *TestHelper) CreateMessagePostNoClient(channel *model.Channel, message
 return post
 }
 
+func (me *TestHelper) CreateDmChannel(user *model.User) *model.Channel {
+ utils.DisableDebugLogForTest()
+ var err *model.AppError
+ var channel *model.Channel
+ if channel, err = me.App.CreateDirectChannel(me.BasicUser.Id, user.Id); err != nil {
+ mlog.Error(err.Error())
+
+ time.Sleep(time.Second)
+ panic(err)
+ }
+ utils.EnableDebugLogForTest()
+ return channel
+}
+
 func (me *TestHelper) LoginBasic() {
 me.LoginBasicWithClient(me.Client)
 }
diff --git a/api4/post_test.go b/api4/post_test.go
index 36693f72b..7cac2e18a 100644
--- a/api4/post_test.go
+++ b/api4/post_test.go
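Review bot: In api4/apitestlib.go, CreateDmChannel re-enables debug logging only on the success path; when CreateDirectChannel fails, the helper panics with logging still disabled, which matters if a caller or test runner ever recovers. Replacing the trailing call with `defer utils.EnableDebugLogForTest()` directly after `utils.DisableDebugLogForTest()` keeps the two paired on every path. The helper also has no doc comment; something like `// CreateDmChannel creates a direct channel between me.BasicUser and user and panics if creation fails.` would state the implicit dependency on BasicUser being initialised before the call.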
@@ -599,6 +599,31 @@ func TestUpdatePost(t *testing.T) {
 CheckNoError(t, resp)
 }
 
+func TestUpdateOthersPostInDirectMessageChannel(t *testing.T) {
+ // This test checks that a sysadmin with the "EDIT_OTHERS_POSTS" permission can edit someone else's post in a
+ // channel without a team (DM/GM). This indirectly checks for the proper cascading all the way to system-wide roles
+ // on the user object of permissions based on a post in a channel with no team ID.
+ th := Setup().InitBasic().InitSystemAdmin()
+ defer th.TearDown()
+
+ dmChannel := th.CreateDmChannel(th.SystemAdminUser)
+
+ post := &model.Post{
+ Message: "asd",
+ ChannelId: dmChannel.Id,
+ PendingPostId: model.NewId() + ":" + fmt.Sprint(model.GetMillis()),
+ UserId: th.BasicUser.Id,
+ CreateAt: 0,
+ }
+
+ post, resp := th.Client.CreatePost(post)
+ CheckNoError(t, resp)
+
+ post.Message = "changed"
+ post, resp = th.SystemAdminClient.UpdatePost(post.Id, post)
+ CheckNoError(t, resp)
+}
+
 func TestPatchPost(t *testing.T) {
 th := Setup().InitBasic().InitSystemAdmin()
 defer th.TearDown()
-- cgit v1.2.3-1-g7c22
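Review bot: TestUpdateOthersPostInDirectMessageChannel asserts only the allow path, so it would still pass if the permission cascade for team-less channels granted edit rights too broadly. Since this guards an authorization check, add the deny case in the same DM channel: have the system admin create a post and confirm the basic user's edit is rejected, e.g. `_, resp = th.Client.UpdatePost(adminPost.Id, adminPost)` followed by `CheckForbiddenStatus(t, resp)` (assuming the basic user holds no edit-others permission in this setup). It would also help to assert that the post returned from the admin's UpdatePost has `Message == "changed"`, because CheckNoError alone does not show that the edit was applied.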