From 971149d2b298b3408af7218c868ed0b3edd83c2e Mon Sep 17 00:00:00 2001
From: Joram Wilander <jwawilander@gmail.com>
Date: Sat, 4 Jun 2016 10:52:25 -0400
Subject: Don't allow users to be added to a channel they are not in the team
 of (#3246)

---
 api/channel.go      | 11 +++++++++--
 api/channel_test.go |  4 ++++
 api/post.go         |  5 ++++-
 3 files changed, 17 insertions(+), 3 deletions(-)

(limited to 'api')

diff --git a/api/channel.go b/api/channel.go
index ba6de1a48..6d1604900 100644
--- a/api/channel.go
+++ b/api/channel.go
@@ -512,8 +512,15 @@ func AddUserToChannel(user *model.User, channel *model.Channel) (*model.ChannelM
 		return nil, model.NewLocAppError("AddUserToChannel", "api.channel.add_user_to_channel.type.app_error", nil, "")
 	}
 
-	if result := <-Srv.Store.Channel().GetMember(channel.Id, user.Id); result.Err != nil {
-		if result.Err.Id != store.MISSING_MEMBER_ERROR {
+	tmchan := Srv.Store.Team().GetMember(channel.TeamId, user.Id)
+	cmchan := Srv.Store.Channel().GetMember(channel.Id, user.Id)
+
+	if result := <-tmchan; result.Err != nil {
+		return nil, result.Err
+	}
+
+	if result := <-cmchan; result.Err != nil {
+		if result.Err.Id != store.MISSING_CHANNEL_MEMBER_ERROR {
 			return nil, result.Err
 		}
 	} else {
diff --git a/api/channel_test.go b/api/channel_test.go
index b2bb56952..175b0a14a 100644
--- a/api/channel_test.go
+++ b/api/channel_test.go
@@ -749,6 +749,7 @@ func TestAddChannelMember(t *testing.T) {
 	Client := th.BasicClient
 	team := th.BasicTeam
 	user2 := th.BasicUser2
+	user3 := th.CreateUser(Client)
 
 	channel1 := &model.Channel{DisplayName: "A Test API Name", Name: "a" + model.NewId() + "a", Type: model.CHANNEL_OPEN, TeamId: team.Id}
 	channel1 = Client.Must(Client.CreateChannel(channel1)).Data.(*model.Channel)
@@ -790,6 +791,9 @@ func TestAddChannelMember(t *testing.T) {
 		t.Fatal("Should have errored, channel deleted")
 	}
 
+	if _, err := Client.AddChannelMember(channel1.Id, user3.Id); err == nil {
+		t.Fatal("Should have errored, user not on team")
+	}
 }
 
 func TestRemoveChannelMember(t *testing.T) {
diff --git a/api/post.go b/api/post.go
index 831591784..cf83c4d0d 100644
--- a/api/post.go
+++ b/api/post.go
@@ -603,7 +603,10 @@ func sendNotifications(c *Context, post *model.Post, team *model.Team, channel *
 
 	mentionedUsersList := make([]string, 0, len(mentionedUserIds))
 
-	senderName := profileMap[post.UserId].Username
+	senderName := ""
+	if profile, ok := profileMap[post.UserId]; ok {
+		senderName = profile.Username
+	}
 
 	for id := range mentionedUserIds {
 		mentionedUsersList = append(mentionedUsersList, id)
-- 
cgit v1.2.3-1-g7c22