From ee672a72e4c534f2d5f36cc563084279ba31ba87 Mon Sep 17 00:00:00 2001
From: Jesse Hallam
Date: Fri, 28 Sep 2018 10:06:40 -0400
Subject: MM-12192: autocompleteUsers: if a teamId is provided, require it to match the channel's team id (#9481)

* MM-12192: unit test

* MM-1292: autocompleteUsers: if a teamId is provided, require it to match the channel's team id
---
 api4/user.go | 14 ++++++++++++++
 api4/user_test.go | 5 +++++
 2 files changed, 19 insertions(+)
 (limited to 'api4')

diff --git a/api4/user.go b/api4/user.go
index 3d203fbec..2570a6f25 100644
--- a/api4/user.go
+++ b/api4/user.go
@@ -533,6 +533,20 @@ func autocompleteUsers(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	// If a teamId is provided, require it to match the channel's team id.
+	if teamId != "" {
+		channel, err := c.App.GetChannel(channelId)
+		if err != nil {
+			c.Err = err
+			return
+		}
+
+		if channel.TeamId != teamId {
+			c.Err = model.NewAppError("autocompleteUsers", "api.user.autocomplete_users.invalid_team_id", nil, "", http.StatusUnauthorized)
+			return
+		}
+	}
+
 	result, err := c.App.AutocompleteUsersInChannel(teamId, channelId, name, searchOptions, c.IsSystemAdmin())
 	if err != nil {
 		c.Err = err
diff --git a/api4/user_test.go b/api4/user_test.go
index 010f49e73..a9aa967be 100644
--- a/api4/user_test.go
+++ b/api4/user_test.go
@@ -872,6 +872,11 @@ func TestAutocompleteUsers(t *testing.T) {
 	if rusers.Users[0].FirstName != "" || rusers.Users[0].LastName != "" {
 		t.Fatal("should not show first/last name")
 	}
+
+	t.Run("team id, if provided, must match channel's team id", func(t *testing.T) {
+		rusers, resp = Client.AutocompleteUsersInChannel("otherTeamId", channelId, username, "")
+		CheckErrorMessage(t, resp, "api.user.autocomplete_users.invalid_team_id")
+	})
 }
 
 func TestGetProfileImage(t *testing.T) {
-- 
cgit v1.2.3-1-g7c22
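Review bot: The mismatch branch in the added block answers with `http.StatusUnauthorized`, yet nothing about the session is judged there — the request has presumably already passed the caller's channel permission check (the `return }` just above the insertion belongs to a check outside the hunk), and what fails is that the supplied teamId is not the team that owns channelId. 401 conventionally signals a missing or invalid credential and some clients react to it by dropping the session, so `http.StatusBadRequest` (or `http.StatusForbidden` if this is meant to read as an authorization denial) fits the `invalid_team_id` error id better: `c.Err = model.NewAppError("autocompleteUsers", "api.user.autocomplete_users.invalid_team_id", nil, "", http.StatusBadRequest)`. Separately, the consistency rule is enforced only in this handler; if `c.App.AutocompleteUsersInChannel` has other callers, the teamId/channelId relationship it relies on is unenforced for them, so consider checking it inside the App method as well, or at minimum documenting on that method that teamId, when non-empty, must be the team that owns channelId. autocompleteUsers starts and ends outside the hunk.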
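Review bot: The new subtest passes `"otherTeamId"`, which is not a real team id, so it cannot distinguish a genuine team-mismatch rejection from the id merely failing to resolve; creating a second team and passing its real id, and conversely asserting that the channel's own team id still returns results, would pin the mismatch rule rather than input shape. It also checks only the error id; adding a status assertion next to `CheckErrorMessage` would lock in the response code the handler chose. `rusers` is assigned inside the closure but does not appear to be read there, so `_, resp = Client.AutocompleteUsersInChannel("otherTeamId", channelId, username, "")` makes the intent clearer. TestAutocompleteUsers starts outside the hunk.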