From a43928cca82c718dd378961102a3766b3e354ac8 Mon Sep 17 00:00:00 2001
From: Joram Wilander
Date: Tue, 13 Feb 2018 11:08:49 -0500
Subject: ABC-176 Prevent changing PluginSettings.EnableUploads through the API (#8249)

* Prevent changing PluginSettings.EnableUploads through the API
* Contain api4 test case in it's own test
---
 api/admin.go | 3 +++
 api/admin_test.go | 13 +++++++++++++
 api4/system.go | 3 +++
 api4/system_test.go | 22 ++++++++++++++++++++--
 4 files changed, 39 insertions(+), 2 deletions(-)

diff --git a/api/admin.go b/api/admin.go
index b3b74d5ea..3b58650cc 100644
--- a/api/admin.go
+++ b/api/admin.go
@@ -108,6 +108,9 @@ func saveConfig(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
+ // Do not allow plugin uploads to be toggled through the API
+ cfg.PluginSettings.EnableUploads = c.App.GetConfig().PluginSettings.EnableUploads
+
 err := c.App.SaveConfig(cfg, true)
 if err != nil {
 c.Err = err
diff --git a/api/admin_test.go b/api/admin_test.go
index d916e8c4b..00e5b3c7f 100644
--- a/api/admin_test.go
+++ b/api/admin_test.go
@@ -10,6 +10,7 @@ import (
 "github.com/mattermost/mattermost-server/model"
 "github.com/mattermost/mattermost-server/store"
+ "github.com/stretchr/testify/assert"
 )
 func TestGetLogs(t *testing.T) {
@@ -149,6 +150,18 @@ func TestSaveConfig(t *testing.T) {
 }
 th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.EnableOpenServer = true })
+
+ // Should not be able to modify PluginSettings.EnableUploads
+ oldEnableUploads := *th.App.GetConfig().PluginSettings.EnableUploads
+ cfg := &model.Config{}
+ cfg.SetDefaults()
+ *cfg.PluginSettings.EnableUploads = !oldEnableUploads
+
+ if _, err := th.SystemAdminClient.SaveConfig(cfg); err != nil {
+ t.Fatal(err)
+ }
+
+ assert.Equal(t, oldEnableUploads, *th.App.Config().PluginSettings.EnableUploads)
 }
 func TestRecycleDatabaseConnection(t *testing.T) {
diff --git a/api4/system.go b/api4/system.go
index 061ffe094..2355cb476 100644
--- a/api4/system.go
+++ b/api4/system.go
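Review bot: In saveConfig (api/admin.go) the submitted EnableUploads value is overwritten silently, so a request that tries to flip it still succeeds and leaves no trace; the same two added lines appear in updateConfig in api4/system.go. Judging by its name the flag controls whether plugins can be uploaded to the server, so an attempted change over the API is a signal worth recording: before the assignment, compare the incoming pointer (nil-safe) with the current value and write a warning or audit entry when they differ. The pinning would also be harder to miss in a future config-writing endpoint if both handlers called one small helper instead of repeating the assignment. The comment could state the reason rather than the action, e.g. `// EnableUploads controls plugin installation and must only change outside the API`. Both function bodies start and end outside their hunks.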
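Review bot: The block added at the end of TestSaveConfig (api/admin_test.go) saves a fully defaulted `model.Config` through the API and does not put the previous settings back, whereas the context line just above it resets EnableOpenServer after use; if any later test shares this server state (not visible here), it will run against defaults. Starting from the current config and flipping only the one field, as the api4 subtest in this commit does, keeps the change local. The assertion uses `!oldEnableUploads`, so the direction under test depends on whatever the server default is; setting the flag to false explicitly first would make sure the false-to-true case is the one covered, and the same applies to the subtest added to TestUpdateConfig in api4/system_test.go. The block also reads the value with `th.App.GetConfig()` at the top and `th.App.Config()` in the assertion; using one accessor would read more clearly. TestSaveConfig begins outside the hunk.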
@@ -121,6 +121,9 @@ func updateConfig(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
+ // Do not allow plugin uploads to be toggled through the API
+ cfg.PluginSettings.EnableUploads = c.App.GetConfig().PluginSettings.EnableUploads
+
 err := c.App.SaveConfig(cfg, true)
 if err != nil {
 c.Err = err
diff --git a/api4/system_test.go b/api4/system_test.go
index 1b2bb5d99..01b4934ae 100644
--- a/api4/system_test.go
+++ b/api4/system_test.go
@@ -7,6 +7,7 @@ import (
 l4g "github.com/alecthomas/log4go"
 "github.com/mattermost/mattermost-server/model"
+ "github.com/stretchr/testify/assert"
 )
 func TestGetPing(t *testing.T) {
@@ -106,9 +107,10 @@ func TestUpdateConfig(t *testing.T) {
 defer th.TearDown()
 Client := th.Client
- cfg := th.App.GetConfig()
+ cfg, resp := th.SystemAdminClient.GetConfig()
+ CheckNoError(t, resp)
- _, resp := Client.UpdateConfig(cfg)
+ _, resp = Client.UpdateConfig(cfg)
 CheckForbiddenStatus(t, resp)
 SiteName := th.App.Config().TeamSettings.SiteName
@@ -139,6 +141,22 @@ func TestUpdateConfig(t *testing.T) {
 t.Fatal()
 }
 }
+
+ t.Run("Should not be able to modify PluginSettings.EnableUploads", func(t *testing.T) {
+ oldEnableUploads := *th.App.GetConfig().PluginSettings.EnableUploads
+ *cfg.PluginSettings.EnableUploads = !oldEnableUploads
+
+ cfg, resp = th.SystemAdminClient.UpdateConfig(cfg)
+ CheckNoError(t, resp)
+ assert.Equal(t, oldEnableUploads, *cfg.PluginSettings.EnableUploads)
+ assert.Equal(t, oldEnableUploads, *th.App.GetConfig().PluginSettings.EnableUploads)
+
+ cfg.PluginSettings.EnableUploads = nil
+ cfg, resp = th.SystemAdminClient.UpdateConfig(cfg)
+ CheckNoError(t, resp)
+ assert.Equal(t, oldEnableUploads, *cfg.PluginSettings.EnableUploads)
+ assert.Equal(t, oldEnableUploads, *th.App.GetConfig().PluginSettings.EnableUploads)
+ })
 }
 func TestGetOldClientConfig(t *testing.T) {
--
cgit v1.2.3-1-g7c22