From aba07e5cb9e9b5668c4fb94bfe9f096a26538528 Mon Sep 17 00:00:00 2001
From: Joram Wilander
Date: Fri, 31 Mar 2017 12:25:39 -0400
Subject: PLT-5483 Fix bug where flagged posts endpoint returned posts on other teams (#5765)

* Fix bug where flagged posts endpoint returned posts on other teams
* Include flagged posts from DMs/GMs
---
 api/post.go | 7 ++++++-
 api/post_test.go | 5 +++++
 2 files changed, 11 insertions(+), 1 deletion(-)
(limited to 'api')
diff --git a/api/post.go b/api/post.go
index afe60144d..b4c34bca2 100644
--- a/api/post.go
+++ b/api/post.go
@@ -161,7 +161,12 @@ func getFlaggedPosts(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }

- if posts, err := app.GetFlaggedPosts(c.Session.UserId, offset, limit); err != nil {
+ if !app.SessionHasPermissionToTeam(c.Session, c.TeamId, model.PERMISSION_VIEW_TEAM) {
+ c.SetPermissionError(model.PERMISSION_VIEW_TEAM)
+ return
+ }
+
+ if posts, err := app.GetFlaggedPostsForTeam(c.Session.UserId, c.TeamId, offset, limit); err != nil {
 c.Err = err
 return
 } else {
diff --git a/api/post_test.go b/api/post_test.go
index 6558aeb5b..a72074547 100644
--- a/api/post_test.go
+++ b/api/post_test.go
@@ -1115,6 +1115,11 @@ func TestGetFlaggedPosts(t *testing.T) {
 if len(r2.Order) != 0 {
 t.Fatal("should not have gotten a flagged post")
 }
+
+ Client.SetTeamId(model.NewId())
+ if _, err := Client.GetFlaggedPosts(0, 2); err == nil {
+ t.Fatal("should have failed - bad team id")
+ }
 }

 func TestGetMessageForNotification(t *testing.T) {
--
cgit v1.2.3-1-g7c22
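Review bot: The added `SessionHasPermissionToTeam` check and the switch to `GetFlaggedPostsForTeam` together form the team boundary for this endpoint, but nothing in the handler says that the two belong together, so a later refactor could drop one half and reopen the cross-team leak. A comment above the check would record the intent, for example `// Flagged posts are scoped to c.TeamId: verify the session can view that team, then query only that team (plus DMs/GMs).`. The DM/GM inclusion is stated only in the commit message and the query lives outside this diff, so it is worth confirming there that direct and group channels are limited to ones the requesting user is a member of. `getFlaggedPosts` starts above the hunk and its `else` branch continues below it.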
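Review bot: The new case at the end of `TestGetFlaggedPosts` only shows that a random team id is rejected, and `err == nil` is the sole assertion, so a 500 from an unrelated failure would pass just as well as the intended permission denial. Pinning the status would make it a real authorization test, e.g. `if _, err := Client.GetFlaggedPosts(0, 2); err == nil || err.StatusCode != http.StatusForbidden {` (assuming `net/http` is imported in this test file). The regression the commit actually fixes is not exercised: a user who belongs to two teams, flags a post in one, and requests the other should get an empty `Order`, and a case for that would guard the team filter itself rather than the permission gate. `Client.SetTeamId(model.NewId())` also leaves the client pointed at a nonexistent team, which is harmless only if `Client` is not shared with later tests; the setup is above the hunk and not visible here.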