author | Jesse Hallam <jesse.hallam@gmail.com> | 2018-09-28 10:06:40 -0400 |
---|---|---|
committer | Harrison Healey <harrisonmhealey@gmail.com> | 2018-09-28 10:06:40 -0400 |
commit | ee672a72e4c534f2d5f36cc563084279ba31ba87 (patch) | |
tree | 4e95a9ef0d67f7c552ffeeae392064ef9429e143 /api4/user.go | |
parent | de5c8622f8b1c22af389e1bea974cf3ba1a01670 (diff) | |
MM-12192: autocompleteUsers: if a teamId is provided, require it to match the channel's team id (#9481)
* MM-12192: unit test
* MM-1292: autocompleteUsers: if a teamId is provided, require it to match the channel's team id
Diffstat (limited to 'api4/user.go')
-rw-r--r-- | api4/user.go | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/api4/user.go b/api4/user.go
index 3d203fbec..2570a6f25 100644
--- a/api4/user.go
+++ b/api4/user.go
@@ -533,6 +533,20 @@ func autocompleteUsers(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
 
+ // If a teamId is provided, require it to match the channel's team id.
+ if teamId != "" {
+ channel, err := c.App.GetChannel(channelId)
+ if err != nil {
+ c.Err = err
+ return
+ }
+
+ if channel.TeamId != teamId {
+ c.Err = model.NewAppError("autocompleteUsers", "api.user.autocomplete_users.invalid_team_id", nil, "", http.StatusUnauthorized)
+ return
+ }
+ }
+
 result, err := c.App.AutocompleteUsersInChannel(teamId, channelId, name, searchOptions, c.IsSystemAdmin())
 if err != nil {
 c.Err = err |
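Review bot: The mismatch branch returns `http.StatusUnauthorized`, but the request is already authenticated and the fault is an inconsistent `teamId`/`channelId` pair, so a 401 may lead clients to treat the session as expired; `http.StatusBadRequest` fits the `invalid_team_id` error id better (or `http.StatusForbidden` if this is meant as an authorization failure). The added comment says what is checked but not why; something like `// Reject a teamId other than the channel's own team so the search cannot be widened to a team the channel permission check did not cover.` would help the next reader, assuming that is the intent of MM-12192. If some channels carry an empty `TeamId`, any non-empty `teamId` is now rejected for them, which is worth stating in the comment if intended. autocompleteUsers starts and continues outside this hunk, so whether `channelId` is guaranteed non-empty before `GetChannel` is called cannot be confirmed from the visible lines.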