From d38328976e2c8bb0fab91e656042a0d8ac37bc76 Mon Sep 17 00:00:00 2001
From: JoramWilander
Date: Wed, 6 Sep 2017 16:24:34 -0400
Subject: Various patches

---
 api4/oauth.go | 9 +++++++++
 api4/oauth_test.go | 12 ++++++++++--
 api4/status.go | 6 +++---
 api4/status_test.go | 14 ++++++++++++++
 4 files changed, 36 insertions(+), 5 deletions(-)

(limited to 'api4')

diff --git a/api4/oauth.go b/api4/oauth.go
index ae5035fdc..392129143 100644
--- a/api4/oauth.go
+++ b/api4/oauth.go
@@ -57,6 +57,10 @@ func createOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+		oauthApp.IsTrusted = false
+	}
+
 	oauthApp.CreatorId = c.Session.UserId
 
 	rapp, err := app.CreateOAuthApp(oauthApp)
@@ -298,6 +302,11 @@ func authorizeOAuthPage(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if !oauthApp.IsValidRedirectURL(authRequest.RedirectUri) {
+		utils.RenderWebError(model.NewAppError("authorizeOAuthPage", "api.oauth.allow_oauth.redirect_callback.app_error", nil, "", http.StatusBadRequest), w, r)
+		return
+	}
+
 	isAuthorized := false
 	if _, err := app.GetPreferenceByCategoryAndNameForUser(c.Session.UserId, model.PREFERENCE_CATEGORY_AUTHORIZED_OAUTH_APP, authRequest.ClientId); err == nil {
diff --git a/api4/oauth_test.go b/api4/oauth_test.go
index 963cd43c3..ceb44a44e 100644
--- a/api4/oauth_test.go
+++ b/api4/oauth_test.go
@@ -28,7 +28,7 @@ func TestCreateOAuthApp(t *testing.T) {
 	utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = true
 	utils.SetDefaultRolesBasedOnConfig()
 
-	oapp := &model.OAuthApp{Name: GenerateTestAppName(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}}
+	oapp := &model.OAuthApp{Name: GenerateTestAppName(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}, IsTrusted: true}
 
 	rapp, resp := AdminClient.CreateOAuthApp(oapp)
 	CheckNoError(t, resp)
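Review bot: The new block in createOAuthApp silently clears `IsTrusted` for callers without PERMISSION_MANAGE_SYSTEM instead of rejecting the request, and nothing in the hunk records that the downgrade is intentional, so a later reader may well "fix" it into a 403. Suggest `// Only system admins may register a trusted app; the flag is quietly dropped for everyone else.` directly above the `if`. The flag is presumably also writable through the update handler, which is not part of this diff; it needs the same guard or the check here can be bypassed by creating an untrusted app and then updating it. createOAuthApp starts and continues outside this hunk.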
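Review bot: The redirect-URI check in authorizeOAuthPage renders the error in place rather than redirecting the browser to the supplied redirect_uri, which is the right behaviour for an unregistered URI, but the hunk does not say so and the error reuses the `allow_oauth` message key from a different handler. A comment such as `// An unregistered redirect_uri must never be redirected to; render the error on this page instead.` would make the intent explicit, and a message key named for this handler would avoid the borrowed one. Placing the check before the previously-authorized lookup below it looks correct, since that branch appears to be the one that skips the consent page; the hunk does not show whether the POST handler that consumes the consent form performs the same validation, and it should. authorizeOAuthPage starts and continues outside this hunk.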
@@ -38,6 +38,10 @@ func TestCreateOAuthApp(t *testing.T) {
 		t.Fatal("names did not match")
 	}
 
+	if rapp.IsTrusted != oapp.IsTrusted {
+		t.Fatal("trusted did no match")
+	}
+
 	*utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = true
 	utils.SetDefaultRolesBasedOnConfig()
 	_, resp = Client.CreateOAuthApp(oapp)
@@ -45,10 +49,14 @@ func TestCreateOAuthApp(t *testing.T) {
 	*utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = false
 	utils.SetDefaultRolesBasedOnConfig()
 
-	_, resp = Client.CreateOAuthApp(oapp)
+	rapp, resp = Client.CreateOAuthApp(oapp)
 	CheckNoError(t, resp)
 	CheckCreatedStatus(t, resp)
 
+	if rapp.IsTrusted {
+		t.Fatal("trusted should be false - created by non admin")
+	}
+
 	oapp.Name = ""
 	_, resp = AdminClient.CreateOAuthApp(oapp)
 	CheckBadRequestStatus(t, resp)
diff --git a/api4/status.go b/api4/status.go
index 3a2c5c762..42d2c8777 100644
--- a/api4/status.go
+++ b/api4/status.go
@@ -16,9 +16,9 @@ import (
 func InitStatus() {
 	l4g.Debug(utils.T("api.status.init.debug"))
 
-	BaseRoutes.User.Handle("/status", ApiHandler(getUserStatus)).Methods("GET")
-	BaseRoutes.Users.Handle("/status/ids", ApiHandler(getUserStatusesByIds)).Methods("POST")
-	BaseRoutes.User.Handle("/status", ApiHandler(updateUserStatus)).Methods("PUT")
+	BaseRoutes.User.Handle("/status", ApiSessionRequired(getUserStatus)).Methods("GET")
+	BaseRoutes.Users.Handle("/status/ids", ApiSessionRequired(getUserStatusesByIds)).Methods("POST")
+	BaseRoutes.User.Handle("/status", ApiSessionRequired(updateUserStatus)).Methods("PUT")
 }
 
 func getUserStatus(c *Context, w http.ResponseWriter, r *http.Request) {
diff --git a/api4/status_test.go b/api4/status_test.go
index c8277b3de..27e1fa53f 100644
--- a/api4/status_test.go
+++ b/api4/status_test.go
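Review bot: The failure message in the new `rapp.IsTrusted != oapp.IsTrusted` check is misspelled; it should read `t.Fatal("trusted did not match")`. The assertion itself is right for the admin path, and the following hunk at @@ -45 reassigning `rapp` from the non-admin client and asserting `IsTrusted` is false covers the other branch of the new handler guard. Both assertions only mean something because the hunk at @@ -28 sets `IsTrusted: true` on the fixture; a short comment there, `// Request a trusted app so the admin/non-admin outcomes differ below.`, would keep that link visible.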
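Review bot: Moving the three status routes from ApiHandler to ApiSessionRequired makes the router reject unauthenticated callers, so any empty-session handling inside getUserStatus, getUserStatusesByIds or updateUserStatus (their bodies are outside this hunk) would now be dead code; if such checks exist they should go, so the handlers do not read as if the routes were still public. A one-line comment above the three Handle calls, `// Every status route requires an authenticated session.`, would also guard against a future route being added with the bare ApiHandler by copy-paste. The accompanying status_test.go hunks exercise the 401 path for all three routes.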
@@ -47,6 +47,10 @@ func TestGetUserStatus(t *testing.T) {
 	}
 
 	Client.Logout()
+
+	_, resp = Client.GetUserStatus(th.BasicUser2.Id, "")
+	CheckUnauthorizedStatus(t, resp)
+
 	th.LoginBasic2()
 	userStatus, resp = Client.GetUserStatus(th.BasicUser2.Id, "")
 	CheckNoError(t, resp)
@@ -89,6 +93,11 @@ func TestGetUsersStatusesByIds(t *testing.T) {
 			t.Fatal("Status should be offline")
 		}
 	}
+
+	Client.Logout()
+
+	_, resp = Client.GetUsersStatusesByIds(usersIds)
+	CheckUnauthorizedStatus(t, resp)
 }
 
 func TestUpdateUserStatus(t *testing.T) {
@@ -126,4 +135,9 @@ func TestUpdateUserStatus(t *testing.T) {
 	if updateUserStatus.Status != "online" {
 		t.Fatal("Should return online status")
 	}
+
+	Client.Logout()
+
+	_, resp = Client.UpdateUserStatus(th.BasicUser2.Id, toUpdateUserStatus)
+	CheckUnauthorizedStatus(t, resp)
 }
-- 
cgit v1.2.3-1-g7c22