From 951e4ad98401e9828b9941224318f105fb15d500 Mon Sep 17 00:00:00 2001
From: George Goldberg <george@gberg.me>
Date: Tue, 10 Jul 2018 09:53:51 +0100
Subject: MM-11174: Fix /msg slash command. (#9059)

---
 app/command_msg.go      |  4 ++++
 app/command_msg_test.go | 34 ++++++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+)

(limited to 'app')

diff --git a/app/command_msg.go b/app/command_msg.go
index 6877c10d6..bf414210a 100644
--- a/app/command_msg.go
+++ b/app/command_msg.go
@@ -66,6 +66,10 @@ func (me *msgProvider) DoCommand(a *App, args *model.CommandArgs, message string
 	targetChannelId := ""
 	if channel := <-a.Srv.Store.Channel().GetByName(args.TeamId, channelName, true); channel.Err != nil {
 		if channel.Err.Id == "store.sql_channel.get_by_name.missing.app_error" {
+			if !a.SessionHasPermissionTo(args.Session, model.PERMISSION_CREATE_DIRECT_CHANNEL) {
+				return &model.CommandResponse{Text: args.T("api.command_msg.permission.app_error"), ResponseType: model.COMMAND_RESPONSE_TYPE_EPHEMERAL}
+			}
+
 			if directChannel, err := a.CreateDirectChannel(args.UserId, userProfile.Id); err != nil {
 				mlog.Error(err.Error())
 				return &model.CommandResponse{Text: args.T("api.command_msg.dm_fail.app_error"), ResponseType: model.COMMAND_RESPONSE_TYPE_EPHEMERAL}
diff --git a/app/command_msg_test.go b/app/command_msg_test.go
index 22c4d07cf..9a8ca8eb0 100644
--- a/app/command_msg_test.go
+++ b/app/command_msg_test.go
@@ -19,13 +19,47 @@ func TestMsgProvider(t *testing.T) {
 	team := th.CreateTeam()
 	th.LinkUserToTeam(th.BasicUser, team)
 	cmd := &msgProvider{}
+
+	// Check without permission to create a DM channel.
 	resp := cmd.DoCommand(th.App, &model.CommandArgs{
 		T:       i18n.IdentityTfunc(),
 		SiteURL: "http://test.url",
 		TeamId:  team.Id,
 		UserId:  th.BasicUser.Id,
+		Session: model.Session{
+			Roles: "",
+		},
 	}, "@"+th.BasicUser2.Username+" hello")
+
 	channelName := model.GetDMNameFromIds(th.BasicUser.Id, th.BasicUser2.Id)
+	assert.Equal(t, "api.command_msg.permission.app_error", resp.Text)
+	assert.Equal(t, "", resp.GotoLocation)
+
+	// Check with permission to create a DM channel.
+	resp = cmd.DoCommand(th.App, &model.CommandArgs{
+		T:       i18n.IdentityTfunc(),
+		SiteURL: "http://test.url",
+		TeamId:  team.Id,
+		UserId:  th.BasicUser.Id,
+		Session: model.Session{
+			Roles: model.SYSTEM_USER_ROLE_ID,
+		},
+	}, "@"+th.BasicUser2.Username+" hello")
+
+	assert.Equal(t, "", resp.Text)
+	assert.Equal(t, "http://test.url/"+team.Name+"/channels/"+channelName, resp.GotoLocation)
+
+	// Check without permission to post to an existing DM channel.
+	resp = cmd.DoCommand(th.App, &model.CommandArgs{
+		T:       i18n.IdentityTfunc(),
+		SiteURL: "http://test.url",
+		TeamId:  team.Id,
+		UserId:  th.BasicUser.Id,
+		Session: model.Session{
+			Roles: "",
+		},
+	}, "@"+th.BasicUser2.Username+" hello")
+
 	assert.Equal(t, "", resp.Text)
 	assert.Equal(t, "http://test.url/"+team.Name+"/channels/"+channelName, resp.GotoLocation)
 }
-- 
cgit v1.2.3-1-g7c22