author | George Goldberg <george@gberg.me> | 2018-09-12 15:32:05 +0100 |
---|---|---|
committer | Harrison Healey <harrisonmhealey@gmail.com> | 2018-09-12 10:32:05 -0400 |
commit | 0a5f792d2d6ceaa6c9bdb3050acbc4050c0c02f5 (patch) | |
tree | 37bf6f899abffe926c7c42337a19d67050382e50 /app/command_join_test.go | |
parent | fba0f8e8b2e869654b3970396ed6fb0647e8910f (diff) | |
MM-11230: Make permissions checks in commands failsafe. (#9392)
Also add additional unit tests to make sure the permissions tests are
completely solid.
Diffstat (limited to 'app/command_join_test.go')
-rw-r--r-- | app/command_join_test.go | 106 |
1 files changed, 84 insertions, 22 deletions
diff --git a/app/command_join_test.go b/app/command_join_test.go
index 77574217b..e5f42f31e 100644
--- a/app/command_join_test.go
+++ b/app/command_join_test.go
@@ -5,9 +5,11 @@ package app
 import (
 "testing"
- "github.com/mattermost/mattermost-server/model"
+
 "github.com/nicksnyder/go-i18n/i18n"
 "github.com/stretchr/testify/assert"
+
+ "github.com/mattermost/mattermost-server/model"
 )
 func TestJoinCommandNoChannel(t *testing.T) {
@@ -20,10 +22,11 @@ func TestJoinCommandNoChannel(t *testing.T) {
 cmd := &JoinProvider{}
 resp := cmd.DoCommand(th.App, &model.CommandArgs{
- T: i18n.IdentityTfunc(),
- UserId: th.BasicUser2.Id,
+ T: i18n.IdentityTfunc(),
+ UserId: th.BasicUser2.Id,
 SiteURL: "http://test.url",
- TeamId: th.BasicTeam.Id,
+ TeamId: th.BasicTeam.Id,
+ Session: model.Session{UserId: th.BasicUser.Id, TeamMembers: []*model.TeamMember{{TeamId: th.BasicTeam.Id, Roles: model.TEAM_USER_ROLE_ID}}},
 }, "asdsad")
 assert.Equal(t, "api.command_join.list.app_error", resp.Text)
@@ -38,20 +41,20 @@ func TestJoinCommandForExistingChannel(t *testing.T) {
 }
 channel2, _ := th.App.CreateChannel(&model.Channel{
- DisplayName: "AA",
- Name: "aa" + model.NewId() + "a",
- Type: model.CHANNEL_OPEN,
- TeamId: th.BasicTeam.Id,
- CreatorId: th.BasicUser.Id,
+ DisplayName: "AA",
+ Name: "aa" + model.NewId() + "a",
+ Type: model.CHANNEL_OPEN,
+ TeamId: th.BasicTeam.Id,
+ CreatorId: th.BasicUser.Id,
 }, false)
-
 cmd := &JoinProvider{}
 resp := cmd.DoCommand(th.App, &model.CommandArgs{
- T: i18n.IdentityTfunc(),
- UserId: th.BasicUser2.Id,
+ T: i18n.IdentityTfunc(),
+ UserId: th.BasicUser2.Id,
 SiteURL: "http://test.url",
- TeamId: th.BasicTeam.Id,
+ TeamId: th.BasicTeam.Id,
+ Session: model.Session{UserId: th.BasicUser.Id, TeamMembers: []*model.TeamMember{{TeamId: th.BasicTeam.Id, Roles: model.TEAM_USER_ROLE_ID}}},
 }, channel2.Name)
 assert.Equal(t, "", resp.Text)
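Review bot: The `Session` added to the `CommandArgs` in TestJoinCommandNoChannel carries `UserId: th.BasicUser.Id` while the args' own `UserId` is `th.BasicUser2.Id`, so the fixture never states which identity the permission check is meant to bind to. The same mismatch is repeated in TestJoinCommandForExistingChannel, TestJoinCommandWithTilde and all three cases of TestJoinCommandPermissions. DoCommand is not visible here, but if it reads roles from the session, a test built this way would still pass if the check were evaluated against the wrong user. Either align the two, `Session: model.Session{UserId: th.BasicUser2.Id, ...}`, or add a comment such as `// session user intentionally differs from args.UserId` explaining why. The test function bodies start outside these hunks.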
@@ -67,22 +70,81 @@ func TestJoinCommandWithTilde(t *testing.T) {
 }
 channel2, _ := th.App.CreateChannel(&model.Channel{
- DisplayName: "AA",
- Name: "aa" + model.NewId() + "a",
- Type: model.CHANNEL_OPEN,
- TeamId: th.BasicTeam.Id,
- CreatorId: th.BasicUser.Id,
+ DisplayName: "AA",
+ Name: "aa" + model.NewId() + "a",
+ Type: model.CHANNEL_OPEN,
+ TeamId: th.BasicTeam.Id,
+ CreatorId: th.BasicUser.Id,
 }, false)
-
 cmd := &JoinProvider{}
 resp := cmd.DoCommand(th.App, &model.CommandArgs{
- T: i18n.IdentityTfunc(),
- UserId: th.BasicUser2.Id,
+ T: i18n.IdentityTfunc(),
+ UserId: th.BasicUser2.Id,
 SiteURL: "http://test.url",
- TeamId: th.BasicTeam.Id,
+ TeamId: th.BasicTeam.Id,
+ Session: model.Session{UserId: th.BasicUser.Id, TeamMembers: []*model.TeamMember{{TeamId: th.BasicTeam.Id, Roles: model.TEAM_USER_ROLE_ID}}},
 }, "~"+channel2.Name)
 assert.Equal(t, "", resp.Text)
 assert.Equal(t, "http://test.url/"+th.BasicTeam.Name+"/channels/"+channel2.Name, resp.GotoLocation)
 }
+
+func TestJoinCommandPermissions(t *testing.T) {
+ th := Setup().InitBasic()
+ defer th.TearDown()
+
+ channel2, _ := th.App.CreateChannel(&model.Channel{
+ DisplayName: "AA",
+ Name: "aa" + model.NewId() + "a",
+ Type: model.CHANNEL_OPEN,
+ TeamId: th.BasicTeam.Id,
+ CreatorId: th.BasicUser.Id,
+ }, false)
+
+ cmd := &JoinProvider{}
+
+ // Try a public channel *without* permission.
+ args := &model.CommandArgs{
+ T: i18n.IdentityTfunc(),
+ UserId: th.BasicUser2.Id,
+ SiteURL: "http://test.url",
+ TeamId: th.BasicTeam.Id,
+ Session: model.Session{UserId: th.BasicUser.Id, TeamMembers: []*model.TeamMember{{TeamId: th.BasicTeam.Id, Roles: ""}}},
+ }
+
+ actual := cmd.DoCommand(th.App, args, "~"+channel2.Name).Text
+ assert.Equal(t, "api.command_join.fail.app_error", actual)
+
+ // Try a public channel with permission.
+ args = &model.CommandArgs{
+ T: i18n.IdentityTfunc(),
+ UserId: th.BasicUser2.Id,
+ SiteURL: "http://test.url",
+ TeamId: th.BasicTeam.Id,
+ Session: model.Session{UserId: th.BasicUser.Id, TeamMembers: []*model.TeamMember{{TeamId: th.BasicTeam.Id, Roles: model.TEAM_USER_ROLE_ID}}},
+ }
+
+ actual = cmd.DoCommand(th.App, args, "~"+channel2.Name).Text
+ assert.Equal(t, "", actual)
+
+ // Try a private channel *without* permission.
+ channel3, _ := th.App.CreateChannel(&model.Channel{
+ DisplayName: "BB",
+ Name: "aa" + model.NewId() + "a",
+ Type: model.CHANNEL_PRIVATE,
+ TeamId: th.BasicTeam.Id,
+ CreatorId: th.BasicUser.Id,
+ }, false)
+
+ args = &model.CommandArgs{
+ T: i18n.IdentityTfunc(),
+ UserId: th.BasicUser2.Id,
+ SiteURL: "http://test.url",
+ TeamId: th.BasicTeam.Id,
+ Session: model.Session{UserId: th.BasicUser.Id, TeamMembers: []*model.TeamMember{{TeamId: th.BasicTeam.Id, Roles: model.TEAM_USER_ROLE_ID}}},
+ }
+
+ actual = cmd.DoCommand(th.App, args, "~"+channel3.Name).Text
+ assert.Equal(t, "api.command_join.fail.app_error", actual)
+} |
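Review bot: The two denial cases in TestJoinCommandPermissions assert only on the response text `api.command_join.fail.app_error`, which shows neither that the user was kept out of the channel nor that the refusal came from the permission check. The private-channel case reuses the same `model.TEAM_USER_ROLE_ID` session as the passing public case, so its failure may come from channel lookup rather than from a permission decision; that is worth confirming against DoCommand, which is not visible in this diff. After each denied call the test should also assert that no channel membership exists for the user, so a regression that adds the member but still returns the error text is caught. Separately, both `th.App.CreateChannel` calls discard their error with `_`; `channel3, err := th.App.CreateChannel(...)` followed by `assert.Nil(t, err)` would make a fixture failure visible instead of surfacing as a nil dereference on `channel3.Name`.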