diff options
author | Saturnino Abril <saturnino.abril@gmail.com> | 2017-07-05 06:32:27 +0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-07-05 06:32:27 +0800 |
commit | 8f8a978e84ec8bbeac22928e6112bc697fa7176d (patch) | |
tree | a82993cfcd1aab059554feeeb1a6256d4640eab4 /api4 | |
parent | 6d6ed309b9b7f2b77cd013583990c6eb88f18aff (diff) | |
download | chat-8f8a978e84ec8bbeac22928e6112bc697fa7176d.tar.gz chat-8f8a978e84ec8bbeac22928e6112bc697fa7176d.tar.bz2 chat-8f8a978e84ec8bbeac22928e6112bc697fa7176d.zip |
[PLT-6838] Restrict channel delete option per permission policy even for last channel member (#6706)
* channel delete option is hidden from the menu unless there is appropriate permissions as set in the policy page
* apply to public channel only and add restriction to API layer
* updated channel deletion
Diffstat (limited to 'api4')
-rw-r--r-- | api4/channel.go | 20 | ||||
-rw-r--r-- | api4/channel_test.go | 14 |
2 files changed, 20 insertions, 14 deletions
diff --git a/api4/channel.go b/api4/channel.go index 26892bf2f..604c47464 100644 --- a/api4/channel.go +++ b/api4/channel.go @@ -428,7 +428,7 @@ func getDeletedChannelsForTeam(c *Context, w http.ResponseWriter, r *http.Reques return } - if channels, err := app.GetDeletedChannels(c.Params.TeamId, c.Params.Page * c.Params.PerPage, c.Params.PerPage); err != nil { + if channels, err := app.GetDeletedChannels(c.Params.TeamId, c.Params.Page*c.Params.PerPage, c.Params.PerPage); err != nil { c.Err = err return } else { @@ -540,17 +540,15 @@ func deleteChannel(c *Context, w http.ResponseWriter, r *http.Request) { return } - // Allow delete if user is the only member left in channel - if memberCount > 1 { - if channel.Type == model.CHANNEL_OPEN && !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_DELETE_PUBLIC_CHANNEL) { - c.SetPermissionError(model.PERMISSION_DELETE_PUBLIC_CHANNEL) - return - } + if channel.Type == model.CHANNEL_OPEN && !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_DELETE_PUBLIC_CHANNEL) { + c.SetPermissionError(model.PERMISSION_DELETE_PUBLIC_CHANNEL) + return + } - if channel.Type == model.CHANNEL_PRIVATE && !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_DELETE_PRIVATE_CHANNEL) { - c.SetPermissionError(model.PERMISSION_DELETE_PRIVATE_CHANNEL) - return - } + // Allow delete if there's only one member left in a private channel + if memberCount > 1 && channel.Type == model.CHANNEL_PRIVATE && !app.SessionHasPermissionToChannel(c.Session, channel.Id, model.PERMISSION_DELETE_PRIVATE_CHANNEL) { + c.SetPermissionError(model.PERMISSION_DELETE_PRIVATE_CHANNEL) + return } err = app.DeleteChannel(channel, c.Session.UserId) diff --git a/api4/channel_test.go b/api4/channel_test.go index e1b5ee5a7..a1c5d2ad8 100644 --- a/api4/channel_test.go +++ b/api4/channel_test.go @@ -901,12 +901,14 @@ func TestDeleteChannel(t *testing.T) { Client = th.Client team = th.BasicTeam user = th.BasicUser + user2 = th.BasicUser2 // channels created by SystemAdmin publicChannel6 := th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_OPEN) privateChannel7 := th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_PRIVATE) app.AddUserToChannel(user, publicChannel6) app.AddUserToChannel(user, privateChannel7) + app.AddUserToChannel(user2, privateChannel7) // successful delete by user _, resp = Client.DeleteChannel(publicChannel6.Id) @@ -924,6 +926,7 @@ func TestDeleteChannel(t *testing.T) { privateChannel7 = th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_PRIVATE) app.AddUserToChannel(user, publicChannel6) app.AddUserToChannel(user, privateChannel7) + app.AddUserToChannel(user2, privateChannel7) // cannot delete by user _, resp = Client.DeleteChannel(publicChannel6.Id) @@ -948,6 +951,7 @@ func TestDeleteChannel(t *testing.T) { privateChannel7 = th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_PRIVATE) app.AddUserToChannel(user, publicChannel6) app.AddUserToChannel(user, privateChannel7) + app.AddUserToChannel(user2, privateChannel7) // successful delete by team admin UpdateUserToTeamAdmin(user, team) @@ -976,6 +980,7 @@ func TestDeleteChannel(t *testing.T) { privateChannel7 = th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_PRIVATE) app.AddUserToChannel(user, publicChannel6) app.AddUserToChannel(user, privateChannel7) + app.AddUserToChannel(user2, privateChannel7) // cannot delete by user _, resp = Client.DeleteChannel(publicChannel6.Id) @@ -1017,6 +1022,7 @@ func TestDeleteChannel(t *testing.T) { privateChannel7 = th.CreateChannelWithClient(th.SystemAdminClient, model.CHANNEL_PRIVATE) app.AddUserToChannel(user, publicChannel6) app.AddUserToChannel(user, privateChannel7) + app.AddUserToChannel(user2, privateChannel7) // cannot delete by user _, resp = Client.DeleteChannel(publicChannel6.Id) @@ -1056,12 +1062,14 @@ func TestDeleteChannel(t *testing.T) { _, resp = th.SystemAdminClient.DeleteChannel(privateChannel7.Id) CheckNoError(t, resp) - // last member of a channel should be able to delete it regardless of required permissions + // last member of a public channel should have required permission to delete publicChannel6 = th.CreateChannelWithClient(th.Client, model.CHANNEL_OPEN) - privateChannel7 = th.CreateChannelWithClient(th.Client, model.CHANNEL_PRIVATE) _, resp = Client.DeleteChannel(publicChannel6.Id) - CheckNoError(t, resp) + CheckForbiddenStatus(t, resp) + + // last member of a private channel should be able to delete it regardless of required permissions + privateChannel7 = th.CreateChannelWithClient(th.Client, model.CHANNEL_PRIVATE) _, resp = Client.DeleteChannel(privateChannel7.Id) CheckNoError(t, resp) |