diff options
author | Jonathan <jonfritz@gmail.com> | 2017-10-17 13:21:12 -0400 |
---|---|---|
committer | Chris <ccbrown112@gmail.com> | 2017-10-17 10:21:12 -0700 |
commit | b884c8c4104fc83aa382575df4ea95302506e8f1 (patch) | |
tree | fe1463eb8ce7a98f240395fc79c93ac7edaa6a91 /api4/command.go | |
parent | 39cc2372695836fdc96059d8b94992b1416f98e1 (diff) | |
download | chat-b884c8c4104fc83aa382575df4ea95302506e8f1.tar.gz chat-b884c8c4104fc83aa382575df4ea95302506e8f1.tar.bz2 chat-b884c8c4104fc83aa382575df4ea95302506e8f1.zip |
PLT-7193: Regression - Custom slash commands don't work in direct or group message channels (#7635)
* No longer overriding specified team id for DMs/GMs, as these types of channels don't belong to a team, and doing so breaks slash commands for them
* Ensured user is on specified team in case of GM/DM, extended test suite
Diffstat (limited to 'api4/command.go')
-rw-r--r-- | api4/command.go | 18 |
1 files changed, 14 insertions, 4 deletions
diff --git a/api4/command.go b/api4/command.go index 4314a184d..33e6a6c0c 100644 --- a/api4/command.go +++ b/api4/command.go @@ -201,6 +201,7 @@ func executeCommand(c *Context, w http.ResponseWriter, r *http.Request) { return } + // checks that user is a member of the specified channel, and that they have permission to use slash commands in it if !c.App.SessionHasPermissionToChannel(c.Session, commandArgs.ChannelId, model.PERMISSION_USE_SLASH_COMMANDS) { c.SetPermissionError(model.PERMISSION_USE_SLASH_COMMANDS) return @@ -210,12 +211,21 @@ func executeCommand(c *Context, w http.ResponseWriter, r *http.Request) { if err != nil { c.Err = err return + } else if channel.Type != model.CHANNEL_DIRECT && channel.Type != model.CHANNEL_GROUP { + // if this isn't a DM or GM, the team id is implicitly taken from the channel so that slash commands created on + // some other team can't be run against this one + commandArgs.TeamId = channel.TeamId + } else { + // if the slash command was used in a DM or GM, ensure that the user is a member of the specified team, so that + // they can't just execute slash commands against arbitrary teams + if c.Session.GetTeamByTeamId(commandArgs.TeamId) == nil { + if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_USE_SLASH_COMMANDS) { + c.SetPermissionError(model.PERMISSION_USE_SLASH_COMMANDS) + return + } + } } - // team id is implicitly taken from channel so that slash commands - // created on some other team can't be run against this one - commandArgs.TeamId = channel.TeamId - commandArgs.UserId = c.Session.UserId commandArgs.T = c.T commandArgs.Session = c.Session |