Diffstat (limited to 'api4')
-rw-r--r-- | api4/user.go | 27 | ||||
-rw-r--r-- | api4/user_test.go | 4 |
2 files changed, 12 insertions, 19 deletions
diff --git a/api4/user.go b/api4/user.go
index 5a8474b8d..404457285 100644
--- a/api4/user.go
+++ b/api4/user.go
@@ -594,21 +594,19 @@ func autocompleteUsers(c *Context, w http.ResponseWriter, r *http.Request) {
 c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
 return
 }
+ }
- // If a teamId is provided, require it to match the channel's team id.
- if teamId != "" {
- channel, err := c.App.GetChannel(channelId)
- if err != nil {
- c.Err = err
- return
- }
-
- if channel.TeamId != teamId {
- c.Err = model.NewAppError("autocompleteUsers", "api.user.autocomplete_users.invalid_team_id", nil, "", http.StatusUnauthorized)
- return
- }
+ if len(teamId) > 0 {
+ if !c.App.SessionHasPermissionToTeam(c.Session, teamId, model.PERMISSION_VIEW_TEAM) {
+ c.SetPermissionError(model.PERMISSION_VIEW_TEAM)
+ return
 }
+ }
+ if len(channelId) > 0 {
+ // Applying the provided teamId here is useful for DMs and GMs which don't belong
+ // to a team. Applying it when the channel does belong to a team makes less sense,
+ //t but the permissions are checked above regardless.
 result, err := c.App.AutocompleteUsersInChannel(teamId, channelId, name, searchOptions, c.IsSystemAdmin())
 if err != nil {
 c.Err = err
@@ -618,11 +616,6 @@ func autocompleteUsers(c *Context, w http.ResponseWriter, r *http.Request) {
 autocomplete.Users = result.InChannel
 autocomplete.OutOfChannel = result.OutOfChannel
 } else if len(teamId) > 0 {
- if !c.App.SessionHasPermissionToTeam(c.Session, teamId, model.PERMISSION_VIEW_TEAM) {
- c.SetPermissionError(model.PERMISSION_VIEW_TEAM)
- return
- }
-
 result, err := c.App.AutocompleteUsersInTeam(teamId, name, searchOptions, c.IsSystemAdmin())
 if err != nil {
 c.Err = err
diff --git a/api4/user_test.go b/api4/user_test.go
index d50dfa3b6..405102373 100644
--- a/api4/user_test.go
+++ b/api4/user_test.go
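Review bot: The third added comment line carries a stray character, `//t but the permissions are checked above regardless.`, and should read `// but the permissions are checked above regardless.`. That comment is also the only record that the old channel-team mismatch rejection was dropped on purpose: the new code authorizes teamId (VIEW_TEAM) and channelId (READ_CHANNEL) independently, so a channel/team pair that does not belong together is now accepted as long as each half is authorized, and the `teamId` is then passed straight into `AutocompleteUsersInChannel`. I would say that explicitly instead of "makes less sense", e.g. `// A teamId that differs from the channel's team is no longer rejected; both ids are authorized independently above.`. autocompleteUsers begins before the hunk and continues past it.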
@@ -873,9 +873,9 @@ func TestAutocompleteUsers(t *testing.T) {
 t.Fatal("should not show first/last name")
 }
- t.Run("team id, if provided, must match channel's team id", func(t *testing.T) {
+ t.Run("user must have access to team id, especially when it does not match channel's team id", func(t *testing.T) {
 rusers, resp = Client.AutocompleteUsersInChannel("otherTeamId", channelId, username, "")
- CheckErrorMessage(t, resp, "api.user.autocomplete_users.invalid_team_id")
+ CheckErrorMessage(t, resp, "api.context.permissions.app_error")
 })
 } |
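Review bot: The renamed subtest only asserts the denied path: `"otherTeamId"` is presumably a team the session user cannot view, so the call now yields `api.context.permissions.app_error`, but nothing covers the behaviour the commit newly permits, a teamId the user can view that differs from the channel's team. A sibling subtest that calls `Client.AutocompleteUsersInChannel(<team the user belongs to>, channelId, username, "")` and expects success (`CheckNoError(t, resp)`) would pin that decision so a later change cannot silently reintroduce the rejection or, conversely, widen it. TestAutocompleteUsers starts before this hunk.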