From f4aebed220667f0022bc902420c62d9841835e80 Mon Sep 17 00:00:00 2001
From: George Goldberg
Date: Thu, 2 Mar 2017 14:08:00 +0000
Subject: PLT-5355: Fix permalink to private/direct channels. (#5574)

Appropriate permission checks depend on the type of channel this permalink links to.
---
 api/post.go      | 19 +++++++++++++++++--
 api/post_test.go | 39 ++++++++++++++++++++++++++++++++++++++-
 2 files changed, 55 insertions(+), 3 deletions(-)

(limited to 'api')

diff --git a/api/post.go b/api/post.go
index b6539ed54..9c22dc5ee 100644
--- a/api/post.go
+++ b/api/post.go
@@ -264,11 +264,26 @@ func getPermalinkTmp(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if !app.HasPermissionToChannelByPost(c.Session.UserId, postId, model.PERMISSION_JOIN_PUBLIC_CHANNELS) {
-		c.SetPermissionError(model.PERMISSION_JOIN_PUBLIC_CHANNELS)
+	var channel *model.Channel
+	if result := <-app.Srv.Store.Channel().GetForPost(postId); result.Err == nil {
+		channel = result.Data.(*model.Channel)
+	} else {
+		c.SetInvalidParam("getPermalinkTmp", "postId")
 		return
 	}
 
+	if channel.Type == model.CHANNEL_OPEN {
+		if !app.HasPermissionToChannelByPost(c.Session.UserId, postId, model.PERMISSION_JOIN_PUBLIC_CHANNELS) {
+			c.SetPermissionError(model.PERMISSION_JOIN_PUBLIC_CHANNELS)
+			return
+		}
+	} else {
+		if !app.HasPermissionToChannelByPost(c.Session.UserId, postId, model.PERMISSION_READ_CHANNEL) {
+			c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
+			return
+		}
+	}
+
 	if list, err := app.GetPermalinkPost(postId, c.Session.UserId); err != nil {
 		c.Err = err
 		return
diff --git a/api/post_test.go b/api/post_test.go
index a41781dae..b93b5b6a6 100644
--- a/api/post_test.go
+++ b/api/post_test.go
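Review bot: The `else` branch after `GetForPost` turns every store failure into `SetInvalidParam("getPermalinkTmp", "postId")`, so a database error or a post whose channel cannot be loaded is reported as a malformed request (400) rather than with the store's own status; assigning `c.Err = result.Err` there, as the handler already does for `GetPermalinkPost` a few lines below, keeps the two cases distinguishable for callers and for anyone reading the API logs. The two permission branches differ only in the constant passed to `HasPermissionToChannelByPost` and `SetPermissionError`, so choosing the permission first and making a single call removes the duplicated check/return pair and keeps the "public needs join, everything else needs read" rule in one place. It is also worth a short comment that direct and group channels fall into the read-access branch, since the code only names `CHANNEL_OPEN`. The opening lines of getPermalinkTmp (where `postId` is parsed) are outside the hunk.

```go
	result := <-app.Srv.Store.Channel().GetForPost(postId)
	if result.Err != nil {
		// Propagate the store's error and status instead of reporting a 400.
		c.Err = result.Err
		return
	}
	channel := result.Data.(*model.Channel)

	// Public channels only require the right to join them; private, direct and
	// group channels require the caller to already be able to read the channel.
	permission := model.PERMISSION_JOIN_PUBLIC_CHANNELS
	if channel.Type != model.CHANNEL_OPEN {
		permission = model.PERMISSION_READ_CHANNEL
	}
	if !app.HasPermissionToChannelByPost(c.Session.UserId, postId, permission) {
		c.SetPermissionError(permission)
		return
	}
	// … unchanged: GetPermalinkPost call and response …
```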
@@ -1237,9 +1237,12 @@ func TestGetPostById(t *testing.T) {
 }
 
 func TestGetPermalinkTmp(t *testing.T) {
-	th := Setup().InitBasic()
+	th := Setup().InitBasic().InitSystemAdmin()
 	Client := th.BasicClient
 	channel1 := th.BasicChannel
+	team := th.BasicTeam
+
+	th.LoginBasic()
 
 	time.Sleep(10 * time.Millisecond)
 	post1 := &model.Post{ChannelId: channel1.Id, Message: "a" + model.NewId() + "a"}
@@ -1264,6 +1267,40 @@ func TestGetPermalinkTmp(t *testing.T) {
 	} else if results == nil {
 		t.Fatal("should not be empty")
 	}
+
+	// Test permalink to private channels.
+	channel2 := &model.Channel{DisplayName: "TestGetPermalinkPriv", Name: "a" + model.NewId() + "a", Type: model.CHANNEL_PRIVATE, TeamId: team.Id}
+	channel2 = Client.Must(Client.CreateChannel(channel2)).Data.(*model.Channel)
+	time.Sleep(10 * time.Millisecond)
+	post3 := &model.Post{ChannelId: channel2.Id, Message: "a" + model.NewId() + "a"}
+	post3 = Client.Must(Client.CreatePost(post3)).Data.(*model.Post)
+
+	if _, md := Client.GetPermalink(channel2.Id, post3.Id, ""); md.Error != nil {
+		t.Fatal(md.Error)
+	}
+
+	th.LoginBasic2()
+
+	if _, md := Client.GetPermalink(channel2.Id, post3.Id, ""); md.Error == nil {
+		t.Fatal("Expected 403 error")
+	}
+
+	// Test direct channels.
+	th.LoginBasic()
+	channel3 := Client.Must(Client.CreateDirectChannel(th.SystemAdminUser.Id)).Data.(*model.Channel)
+	time.Sleep(10 * time.Millisecond)
+	post4 := &model.Post{ChannelId: channel3.Id, Message: "a" + model.NewId() + "a"}
+	post4 = Client.Must(Client.CreatePost(post4)).Data.(*model.Post)
+
+	if _, md := Client.GetPermalink(channel3.Id, post4.Id, ""); md.Error != nil {
+		t.Fatal(md.Error)
+	}
+
+	th.LoginBasic2()
+
+	if _, md := Client.GetPermalink(channel3.Id, post4.Id, ""); md.Error == nil {
+		t.Fatal("Expected 403 error")
+	}
 }
 
 func TestGetOpenGraphMetadata(t *testing.T) {
--
cgit v1.2.3-1-g7c22
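Review bot: The two `t.Fatal("Expected 403 error")` checks in the second hunk pass on any non-nil error, so a 400 from the new `SetInvalidParam` path or a 404 would satisfy them without showing that the permission check is what rejected the second user. Assert the status as well, e.g. `if _, md := Client.GetPermalink(channel2.Id, post3.Id, ""); md.Error == nil || md.Error.StatusCode != http.StatusForbidden {` (and the same for `channel3`/`post4`), using the literal `403` if `net/http` is not imported in this test file. The test also only covers a user who is not a member; a short comment noting that the private-channel case relies on `BasicUser2` not being in `channel2` would make the intent clearer to the next reader.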