From 0a5f792d2d6ceaa6c9bdb3050acbc4050c0c02f5 Mon Sep 17 00:00:00 2001 From: George Goldberg Date: Wed, 12 Sep 2018 15:32:05 +0100 Subject: MM-11230: Make permissions checks in commands failsafe. (#9392) Also add additional unit tests to make sure the permissions tests are completely solid. --- app/command_channel_purpose_test.go | 93 +++++++++++++++++++++++++++++++++++++ 1 file changed, 93 insertions(+) create mode 100644 app/command_channel_purpose_test.go (limited to 'app/command_channel_purpose_test.go') diff --git a/app/command_channel_purpose_test.go b/app/command_channel_purpose_test.go new file mode 100644 index 000000000..3bdaa4e4f --- /dev/null +++ b/app/command_channel_purpose_test.go @@ -0,0 +1,93 @@ +// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved. +// See License.txt for license information. + +package app + +import ( + "testing" + + "github.com/stretchr/testify/assert" + + "github.com/mattermost/mattermost-server/model" +) + +func TestPurposeProviderDoCommand(t *testing.T) { + th := Setup().InitBasic() + defer th.TearDown() + + pp := PurposeProvider{} + + // Try a public channel *with* permission. + args := &model.CommandArgs{ + T: func(s string, args ...interface{}) string { return s }, + ChannelId: th.BasicChannel.Id, + Session: model.Session{UserId: th.BasicUser.Id, TeamMembers: []*model.TeamMember{{TeamId: th.BasicTeam.Id, Roles: model.TEAM_USER_ROLE_ID}}}, + } + + for msg, expected := range map[string]string{ + "": "api.command_channel_purpose.message.app_error", + "hello": "", + } { + actual := pp.DoCommand(th.App, args, msg).Text + assert.Equal(t, expected, actual) + } + + // Try a public channel *without* permission. + args = &model.CommandArgs{ + T: func(s string, args ...interface{}) string { return s }, + ChannelId: th.BasicChannel.Id, + Session: model.Session{UserId: th.BasicUser.Id, TeamMembers: []*model.TeamMember{{TeamId: th.BasicTeam.Id, Roles: ""}}}, + } + + actual := pp.DoCommand(th.App, args, "hello").Text + assert.Equal(t, "api.command_channel_purpose.permission.app_error", actual) + + // Try a private channel *with* permission. + privateChannel := th.CreatePrivateChannel(th.BasicTeam) + + args = &model.CommandArgs{ + T: func(s string, args ...interface{}) string { return s }, + ChannelId: privateChannel.Id, + Session: model.Session{UserId: th.BasicUser.Id, TeamMembers: []*model.TeamMember{{TeamId: th.BasicTeam.Id, Roles: model.TEAM_USER_ROLE_ID}}}, + } + + actual = pp.DoCommand(th.App, args, "hello").Text + assert.Equal(t, "", actual) + + // Try a private channel *without* permission. + args = &model.CommandArgs{ + T: func(s string, args ...interface{}) string { return s }, + ChannelId: privateChannel.Id, + Session: model.Session{UserId: th.BasicUser.Id, TeamMembers: []*model.TeamMember{{TeamId: th.BasicTeam.Id, Roles: ""}}}, + } + + actual = pp.DoCommand(th.App, args, "hello").Text + assert.Equal(t, "api.command_channel_purpose.permission.app_error", actual) + + // Try a group channel *with* being a member. + user1 := th.CreateUser() + user2 := th.CreateUser() + + groupChannel := th.CreateGroupChannel(user1, user2) + + args = &model.CommandArgs{ + T: func(s string, args ...interface{}) string { return s }, + ChannelId: groupChannel.Id, + Session: model.Session{UserId: th.BasicUser.Id, TeamMembers: []*model.TeamMember{{TeamId: th.BasicTeam.Id, Roles: ""}}}, + } + + actual = pp.DoCommand(th.App, args, "hello").Text + assert.Equal(t, "api.command_channel_purpose.direct_group.app_error", actual) + + // Try a direct channel *with* being a member. + directChannel := th.CreateDmChannel(user1) + + args = &model.CommandArgs{ + T: func(s string, args ...interface{}) string { return s }, + ChannelId: directChannel.Id, + Session: model.Session{UserId: th.BasicUser.Id, TeamMembers: []*model.TeamMember{{TeamId: th.BasicTeam.Id, Roles: ""}}}, + } + + actual = pp.DoCommand(th.App, args, "hello").Text + assert.Equal(t, "api.command_channel_purpose.direct_group.app_error", actual) +} -- cgit v1.2.3-1-g7c22