From 283f34b9c6d207f0a103e7b4c7f6da2c7481c3ef Mon Sep 17 00:00:00 2001
From: Joram Wilander
Date: Fri, 20 Apr 2018 08:44:18 -0400
Subject: MM-10007 Send an admin and regular WS events when a user is updated (#8588)

* Add user.DeepCopy() function
* Add omit admins/non-admins to WS broadcast and use for updating users
* Updates per feedback and adding unit test for ShouldSendEvent
---
 app/web_conn.go | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

(limited to 'app/web_conn.go')

diff --git a/app/web_conn.go b/app/web_conn.go
index 33c285af3..9ae5505b2 100644
--- a/app/web_conn.go
+++ b/app/web_conn.go
@@ -287,6 +287,28 @@ func (webCon *WebConn) ShouldSendEvent(msg *model.WebSocketEvent) bool {
 		return false
 	}
 
+	// If the event contains sanitized data, only send to users that don't have permission to
+	// see sensitive data. Prevents admin clients from receiving events with bad data
+	var hasReadPrivateDataPermission *bool
+	if msg.Broadcast.ContainsSanitizedData {
+		hasReadPrivateDataPermission = model.NewBool(webCon.App.RolesGrantPermission(webCon.GetSession().GetUserRoles(), model.PERMISSION_MANAGE_SYSTEM.Id))
+
+		if *hasReadPrivateDataPermission {
+			return false
+		}
+	}
+
+	// If the event contains sensitive data, only send to users with permission to see it
+	if msg.Broadcast.ContainsSensitiveData {
+		if hasReadPrivateDataPermission == nil {
+			hasReadPrivateDataPermission = model.NewBool(webCon.App.RolesGrantPermission(webCon.GetSession().GetUserRoles(), model.PERMISSION_MANAGE_SYSTEM.Id))
+		}
+
+		if !*hasReadPrivateDataPermission {
+			return false
+		}
+	}
+
 	// If the event is destined to a specific user
 	if len(msg.Broadcast.UserId) > 0 {
 		if webCon.UserId == msg.Broadcast.UserId {
-- 
cgit v1.2.3-1-g7c22
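Review bot: The two new guards treat ContainsSanitizedData and ContainsSensitiveData as independent, so an event carrying both flags is dropped for every connection (admins fail the first check, everyone else fails the second) and nothing in the hunk records that the flags are meant to be mutually exclusive; a comment above `var hasReadPrivateDataPermission *bool` such as `// ContainsSanitizedData and ContainsSensitiveData are mutually exclusive: an event carries either the sanitized copy or the full copy, never both` would pin that contract for producers. The `*bool` plus nil-check exists only to avoid a second RolesGrantPermission lookup and collapses into one call if the permission is evaluated once when either flag is set, as in the rewrite below. The decision is keyed on `webCon.GetSession().GetUserRoles()`, which looks like a per-session role snapshot; if so, an admin demoted mid-session keeps receiving sensitive events on this connection until the session is refreshed, which is worth confirming against how sessions are invalidated on role change. Note also that with neither flag set the event reaches every connection, so the protection is opt-in by the producer rather than deny-by-default. ShouldSendEvent begins and ends outside this hunk.
```go
	// … unchanged: preceding checks in ShouldSendEvent …

	// ContainsSanitizedData and ContainsSensitiveData are mutually exclusive: an event
	// carries either the sanitized copy or the full copy, never both. Evaluate the
	// permission once and route the event to the matching audience only.
	if msg.Broadcast.ContainsSanitizedData || msg.Broadcast.ContainsSensitiveData {
		hasReadPrivateDataPermission := webCon.App.RolesGrantPermission(webCon.GetSession().GetUserRoles(), model.PERMISSION_MANAGE_SYSTEM.Id)

		// Sanitized copy: keep it away from clients allowed to see the full data.
		if msg.Broadcast.ContainsSanitizedData && hasReadPrivateDataPermission {
			return false
		}

		// Full copy: only clients with the permission may receive it.
		if msg.Broadcast.ContainsSensitiveData && !hasReadPrivateDataPermission {
			return false
		}
	}

	// … unchanged: per-user / per-channel / per-team routing …
```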