author | George Goldberg <george@gberg.me> | 2018-09-12 15:32:05 +0100 |
---|---|---|
committer | Harrison Healey <harrisonmhealey@gmail.com> | 2018-09-12 10:32:05 -0400 |
commit | 0a5f792d2d6ceaa6c9bdb3050acbc4050c0c02f5 (patch) | |
tree | 37bf6f899abffe926c7c42337a19d67050382e50 /app/command_join.go | |
parent | fba0f8e8b2e869654b3970396ed6fb0647e8910f (diff) | |
MM-11230: Make permissions checks in commands failsafe. (#9392)
Also add additional unit tests to make sure the permissions tests are
completely solid.
Diffstat (limited to 'app/command_join.go')
-rw-r--r-- | app/command_join.go | 53 |
1 files changed, 30 insertions, 23 deletions
diff --git a/app/command_join.go b/app/command_join.go
index 61ed65ba6..b913014b8 100644
--- a/app/command_join.go
+++ b/app/command_join.go
@@ -4,9 +4,11 @@ package app
 import (
-	"github.com/mattermost/mattermost-server/model"
-	goi18n "github.com/nicksnyder/go-i18n/i18n"
 	"strings"
+
+	goi18n "github.com/nicksnyder/go-i18n/i18n"
+
+	"github.com/mattermost/mattermost-server/model"
 )
 
 type JoinProvider struct {
@@ -41,33 +43,38 @@ func (me *JoinProvider) DoCommand(a *App, args *model.CommandArgs, message strin
 		channelName = message[1:]
 	}
 
-	if result := <-a.Srv.Store.Channel().GetByName(args.TeamId, channelName, true); result.Err != nil {
+	result := <-a.Srv.Store.Channel().GetByName(args.TeamId, channelName, true)
+	if result.Err != nil {
 		return &model.CommandResponse{Text: args.T("api.command_join.list.app_error"), ResponseType: model.COMMAND_RESPONSE_TYPE_EPHEMERAL}
-	} else {
-		channel := result.Data.(*model.Channel)
+	}
 
-		if channel.Name == channelName {
-			allowed := false
-			if (channel.Type == model.CHANNEL_PRIVATE && a.SessionHasPermissionToChannel(args.Session, channel.Id, model.PERMISSION_READ_CHANNEL)) || channel.Type == model.CHANNEL_OPEN {
-				allowed = true
-			}
+	channel := result.Data.(*model.Channel)
 
-			if !allowed {
-				return &model.CommandResponse{Text: args.T("api.command_join.fail.app_error"), ResponseType: model.COMMAND_RESPONSE_TYPE_EPHEMERAL}
-			}
+	if channel.Name != channelName {
+		return &model.CommandResponse{ResponseType: model.COMMAND_RESPONSE_TYPE_EPHEMERAL, Text: args.T("api.command_join.missing.app_error")}
+	}
 
-			if err := a.JoinChannel(channel, args.UserId); err != nil {
-				return &model.CommandResponse{Text: args.T("api.command_join.fail.app_error"), ResponseType: model.COMMAND_RESPONSE_TYPE_EPHEMERAL}
-			}
+	switch channel.Type {
+	case model.CHANNEL_OPEN:
+		if !a.SessionHasPermissionToChannel(args.Session, channel.Id, model.PERMISSION_JOIN_PUBLIC_CHANNELS) {
+			return &model.CommandResponse{Text: args.T("api.command_join.fail.app_error"), ResponseType: model.COMMAND_RESPONSE_TYPE_EPHEMERAL}
+		}
+	case model.CHANNEL_PRIVATE:
+		if !a.SessionHasPermissionToChannel(args.Session, channel.Id, model.PERMISSION_READ_CHANNEL) {
+			return &model.CommandResponse{Text: args.T("api.command_join.fail.app_error"), ResponseType: model.COMMAND_RESPONSE_TYPE_EPHEMERAL}
+		}
+	default:
+		return &model.CommandResponse{Text: args.T("api.command_join.fail.app_error"), ResponseType: model.COMMAND_RESPONSE_TYPE_EPHEMERAL}
+	}
 
-			team, err := a.GetTeam(channel.TeamId)
-			if err != nil {
-				return &model.CommandResponse{Text: args.T("api.command_join.fail.app_error"), ResponseType: model.COMMAND_RESPONSE_TYPE_EPHEMERAL}
-			}
+	if err := a.JoinChannel(channel, args.UserId); err != nil {
+		return &model.CommandResponse{Text: args.T("api.command_join.fail.app_error"), ResponseType: model.COMMAND_RESPONSE_TYPE_EPHEMERAL}
+	}
 
-			return &model.CommandResponse{GotoLocation: args.SiteURL + "/" + team.Name + "/channels/" + channel.Name}
-		}
+	team, err := a.GetTeam(channel.TeamId)
+	if err != nil {
+		return &model.CommandResponse{Text: args.T("api.command_join.fail.app_error"), ResponseType: model.COMMAND_RESPONSE_TYPE_EPHEMERAL}
 	}
 
-	return &model.CommandResponse{ResponseType: model.COMMAND_RESPONSE_TYPE_EPHEMERAL, Text: args.T("api.command_join.missing.app_error")}
+	return &model.CommandResponse{GotoLocation: args.SiteURL + "/" + team.Name + "/channels/" + channel.Name}
 }
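Review bot: In the new `switch channel.Type` block, the CHANNEL_PRIVATE case answers a permission denial with `api.command_join.fail.app_error`, while a channel that does not exist is answered just above with `api.command_join.missing.app_error`; because GetByName is a plain store lookup with no permission filtering, a caller with no access to a private channel can still learn from the differing reply that a channel of that name exists. If private channel names are meant to stay hidden from non-members, the denied private case should return the same response as the not-found path, `return &model.CommandResponse{ResponseType: model.COMMAND_RESPONSE_TYPE_EPHEMERAL, Text: args.T("api.command_join.missing.app_error")}`, and the `default` case can do the same since it now rejects every other channel type. The `channel.Name != channelName` guard also deserves a one-line comment explaining why a by-name lookup can hand back a channel whose name differs (presumably a case-insensitive or cached match), as that is not obvious from the call site. DoCommand's signature and the start of its body lie outside the hunk.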