diff options
author | George Goldberg <george@gberg.me> | 2018-07-10 09:55:46 +0100 |
---|---|---|
committer | Carlos Tadeu Panato Junior <ctadeu@gmail.com> | 2018-07-10 10:55:46 +0200 |
commit | 2d16a71af9bff88d89244279849f8129a326a0e1 (patch) | |
tree | f5121acb3386c03ac32ffe29f3eca0b6ed086c59 /api4/channel.go | |
parent | 602fd0ffdd5b6cfcf99363921960f02f1bd0d6ee (diff) | |
download | chat-2d16a71af9bff88d89244279849f8129a326a0e1.tar.gz chat-2d16a71af9bff88d89244279849f8129a326a0e1.tar.bz2 chat-2d16a71af9bff88d89244279849f8129a326a0e1.zip |
MM-11228: Fix channel update/patch API endpoints. (#9073)
Diffstat (limited to 'api4/channel.go')
-rw-r--r-- | api4/channel.go | 63 |
1 files changed, 43 insertions, 20 deletions
diff --git a/api4/channel.go b/api4/channel.go index 1afadf39b..7505d899b 100644 --- a/api4/channel.go +++ b/api4/channel.go @@ -96,12 +96,28 @@ func updateChannel(c *Context, w http.ResponseWriter, r *http.Request) { return } - if _, err = c.App.GetChannelMember(channel.Id, c.Session.UserId); err != nil { - c.Err = err - return - } + switch oldChannel.Type { + case model.CHANNEL_OPEN: + if !c.App.SessionHasPermissionToChannel(c.Session, c.Params.ChannelId, model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES) { + c.SetPermissionError(model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES) + return + } - if !CanManageChannel(c, channel) { + case model.CHANNEL_PRIVATE: + if !c.App.SessionHasPermissionToChannel(c.Session, c.Params.ChannelId, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES) { + c.SetPermissionError(model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES) + return + } + + case model.CHANNEL_GROUP, model.CHANNEL_DIRECT: + // Modifying the header is not linked to any specific permission for group/dm channels, so just check for membership. + if _, err := c.App.GetChannelMember(channel.Id, c.Session.UserId); err != nil { + c.Err = model.NewAppError("updateChannel", "api.channel.patch_update_channel.forbidden.app_error", nil, "", http.StatusForbidden) + return + } + + default: + c.Err = model.NewAppError("updateChannel", "api.channel.patch_update_channel.forbidden.app_error", nil, "", http.StatusForbidden) return } @@ -205,7 +221,28 @@ func patchChannel(c *Context, w http.ResponseWriter, r *http.Request) { return } - if !CanManageChannel(c, oldChannel) { + switch oldChannel.Type { + case model.CHANNEL_OPEN: + if !c.App.SessionHasPermissionToChannel(c.Session, c.Params.ChannelId, model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES) { + c.SetPermissionError(model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES) + return + } + + case model.CHANNEL_PRIVATE: + if !c.App.SessionHasPermissionToChannel(c.Session, c.Params.ChannelId, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES) { + c.SetPermissionError(model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES) + return + } + + case model.CHANNEL_GROUP, model.CHANNEL_DIRECT: + // Modifying the header is not linked to any specific permission for group/dm channels, so just check for membership. + if _, err := c.App.GetChannelMember(c.Params.ChannelId, c.Session.UserId); err != nil { + c.Err = model.NewAppError("patchChannel", "api.channel.patch_update_channel.forbidden.app_error", nil, "", http.StatusForbidden) + return + } + + default: + c.Err = model.NewAppError("patchChannel", "api.channel.patch_update_channel.forbidden.app_error", nil, "", http.StatusForbidden) return } @@ -255,20 +292,6 @@ func restoreChannel(c *Context, w http.ResponseWriter, r *http.Request) { } -func CanManageChannel(c *Context, channel *model.Channel) bool { - if channel.Type == model.CHANNEL_OPEN && !c.App.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES) { - c.SetPermissionError(model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES) - return false - } - - if channel.Type == model.CHANNEL_PRIVATE && !c.App.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES) { - c.SetPermissionError(model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES) - return false - } - - return true -} - func createDirectChannel(c *Context, w http.ResponseWriter, r *http.Request) { userIds := model.ArrayFromJson(r.Body) allowed := false |